hulk inclusion
category: feature
bugzilla: 5507
CVE: NA

---------------------------

We have completed the livepatch without ftrace for x86_64,
we can now enable it.

Signed-off-by: Cheng Jian <cj.chengjian@huawei.com>
Reviewed-By: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

hulk inclusion
category: bugfix
bugzilla: 5507/31358
CVE: NA
---------------------------

When doing consistency stack checking, if we try to patch a
function which has been patched already. We should check the
new function(not the origin func) that is activeness currently,
it's always the first entry in list func_node->func_stack.

Example :
	module : origin			livepatch v1		livepatch v2
	func   : old func A -[enable]=> new func A' -[enable]=> new func A''
	check  :		A			A'

when we try to patch function A to new function A'' by livepatch
v2, but the func A has already patched to function A' by livepatch
v1, so function A' which provided in livepatch v1 is active in the
stack instead of origin function A. Even if the long jump method is
used, we jump to the new function A' using a call without LR, the
origin function A will not appear in the stack. We must check the
active function A' in consistency stack checking.

Signed-off-by: Cheng Jian <cj.chengjian@huawei.com>
Reviewed-By: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

hulk inclusion
category: bugfix
bugzilla: 5507/31358
CVE: NA
---------------------------

When doing consistency stack checking, if we try to patch a
function which has been patched already. We should check the
new function(not the origin func) that is activeness currently,
it's always the first entry in list func_node->func_stack.

Example :
	module : origin			livepatch v1		livepatch v2
	func   : old func A -[enable]=> new func A' -[enable]=> new func A''
	check  :		A			A'

when we try to patch function A to new function A'' by livepatch
v2, but the func A has already patched to function A' by livepatch
v1, so function A' which provided in livepatch v1 is active in the
stack instead of origin function A. Even if the long jump method is
used, we jump to the new function A' using a call without LR, the
origin function A will not appear in the stack. We must check the
active function A' in consistency stack checking.

Signed-off-by: Cheng Jian <cj.chengjian@huawei.com>
Reviewed-By: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

hulk inclusion
category: feature
bugzilla: 5507
CVE: NA

----------------------------------------

support livepatch without ftrace for x86_64

supported now:
        livepatch relocation when init_patch after load_module;
        instruction patched when enable;
	activeness function check;
	enforcing the patch stacking principle;

x86_64 use variable length instruction, so there's no need to consider
extra implementation for long jumps.

Signed-off-by: Cheng Jian <cj.chengjian@huawei.com>
Signed-off-by: Li Bin <huawei.libin@huawei.com>
Tested-by: Yang ZuoTing <yangzuoting@huawei.com>
Tested-by: Cheng Jian <cj.chengjian@huawei.com>
Reviewed-by: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
Reviewed-By: Xie XiuQi <xiexiuqi@huawei.com>
Reviewed-By: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

commit 35a57134 upstream.

Consult the 'unconditional IO exiting' and 'use IO bitmaps' VM-execution
controls when checking instruction interception. If the 'use IO bitmaps'
VM-execution control is 1, check the instruction access against the IO
bitmaps to determine if the instruction causes a VM-exit.

Signed-off-by: Oliver Upton <oupton@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

commit e71237d3 upstream.

Checks against the IO bitmap are useful for both instruction emulation
and VM-exit reflection. Refactor the IO bitmap checks into a helper
function.

Signed-off-by: Oliver Upton <oupton@google.com>
Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

commit 07721fee upstream.

vmx_check_intercept is not yet fully implemented. To avoid emulating
instructions disallowed by the L1 hypervisor, refuse to emulate
instructions by default.

Cc: stable@vger.kernel.org
[Made commit, added commit msg - Oliver]
Signed-off-by: Oliver Upton <oupton@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

commit 2e90ca68 upstream.

Jordy Zomer reported a KASAN out-of-bounds read in the floppy driver in
wait_til_ready().

Which on the face of it can't happen, since as Willy Tarreau points out,
the function does no particular memory access.  Except through the FDCS
macro, which just indexes a static allocation through teh current fdc,
which is always checked against N_FDC.

Except the checking happens after we've already assigned the value.

The floppy driver is a disgrace (a lot of it going back to my original
horrd "design"), and has no real maintainer.  Nobody has the hardware,
and nobody really cares.  But it still gets used in virtual environment
because it's one of those things that everybody supports.

The whole thing should be re-written, or at least parts of it should be
seriously cleaned up.  The 'current fdc' index, which is used by the
FDCS macro, and which is often shadowed by a local 'fdc' variable, is a
prime example of how not to write code.

But because nobody has the hardware or the motivation, let's just fix up
the immediate problem with a nasty band-aid: test the fdc index before
actually assigning it to the static 'fdc' variable.

Reported-by: Jordy Zomer <jordy@simplyhacker.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

mainline inclusion
from mainline-v5.6-rc3
commit 9424ef56
category: bugfix
bugzilla: 31127
CVE: NA

-------------------------------------------------
We tested a soft lockup problem in linux 4.19 which could also
be found in linux 5.x.

When dir inode takes up a large number of blocks, and if the
directory is growing when we are searching, it's possible the
restart branch could be called many times, and the do while loop
could hold cpu a long time.

Here is the call trace in linux 4.19.

[  473.756186] Call trace:
[  473.756196]  dump_backtrace+0x0/0x198
[  473.756199]  show_stack+0x24/0x30
[  473.756205]  dump_stack+0xa4/0xcc
[  473.756210]  watchdog_timer_fn+0x300/0x3e8
[  473.756215]  __hrtimer_run_queues+0x114/0x358
[  473.756217]  hrtimer_interrupt+0x104/0x2d8
[  473.756222]  arch_timer_handler_virt+0x38/0x58
[  473.756226]  handle_percpu_devid_irq+0x90/0x248
[  473.756231]  generic_handle_irq+0x34/0x50
[  473.756234]  __handle_domain_irq+0x68/0xc0
[  473.756236]  gic_handle_irq+0x6c/0x150
[  473.756238]  el1_irq+0xb8/0x140
[  473.756286]  ext4_es_lookup_extent+0xdc/0x258 [ext4]
[  473.756310]  ext4_map_blocks+0x64/0x5c0 [ext4]
[  473.756333]  ext4_getblk+0x6c/0x1d0 [ext4]
[  473.756356]  ext4_bread_batch+0x7c/0x1f8 [ext4]
[  473.756379]  ext4_find_entry+0x124/0x3f8 [ext4]
[  473.756402]  ext4_lookup+0x8c/0x258 [ext4]
[  473.756407]  __lookup_hash+0x8c/0xe8
[  473.756411]  filename_create+0xa0/0x170
[  473.756413]  do_mkdirat+0x6c/0x140
[  473.756415]  __arm64_sys_mkdirat+0x28/0x38
[  473.756419]  el0_svc_common+0x78/0x130
[  473.756421]  el0_svc_handler+0x38/0x78
[  473.756423]  el0_svc+0x8/0xc
[  485.755156] watchdog: BUG: soft lockup - CPU#2 stuck for 22s! [tmp:5149]

Add cond_resched() to avoid soft lockup and to provide a better
system responding.

Link: https://lore.kernel.org/r/20200215080206.13293-1-luoshijie1@huawei.com


Signed-off-by: Shijie Luo <luoshijie1@huawei.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: stable@kernel.org
Reviewed-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

hulk inclusion
category: config
bugzilla: 31089
CVE: NA

-----------------------------

Add openeuler_defconfig for openeuler itself.

Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Reviewed-By: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

hulk inclusion
category: bugfix
bugzilla: 31087
CVE: NA

---------------------

There is a soft lockup call trace as below:
  CPU: 0 PID: 1360 Comm: imapsvcd Kdump: loaded Tainted: G           OE
  task: ffff8a7296e1eeb0 ti: ffff8a7296aa0000 task.ti: ffff8a7296aa0000
  RIP: 0010:[<ffffffffb691ecb4>]  [<ffffffffb691ecb4>]
  __css_tryget+0x24/0x50
  RSP: 0018:ffff8a7296aa3db8  EFLAGS: 00000a87
  RAX: 0000000080000000 RBX: ffff8a7296aa3df8 RCX: ffff8a72820d9a08
  RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8a72820d9a00
  RBP: ffff8a7296aa3db8 R08: 000000000001c360 R09: ffffffffb6a478f4
  R10: ffffffffb6935e83 R11: ffffffffffffffd0 R12: 0000000057d35cd8
  R13: 000000d000000002 R14: ffffffffb6892fbe R15: 000000d000000002
  FS:  0000000000000000(0000) GS:ffff8a72fec00000(0063)
  knlGS:00000000c6e65b40
  CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
  CR2: 0000000057d35cd8 CR3: 00000007e8008000 CR4: 00000000003607f0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   [<ffffffffb6a93578>] files_cgroup_assign+0x48/0x60
   [<ffffffffb6a47972>] dup_fd+0xb2/0x2f0
   [<ffffffffb6935e83>] ? audit_alloc+0xe3/0x180
   [<ffffffffb6893a03>] copy_process+0xbd3/0x1a40
   [<ffffffffb6894a21>] do_fork+0x91/0x320
   [<ffffffffb6f329e6>] ? trace_do_page_fault+0x56/0x150
   [<ffffffffb6894d36>] SyS_clone+0x16/0x20
   [<ffffffffb6f3bf8c>] ia32_ptregs_common+0x4c/0xfc
   code: 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 8d 4f 08 48 89 e5 8b
         47 08 8d 90 00 00 00 80 85 c0 0f 49 d0 8d 72 01 89 d0 f0 0f b1

When the child process exit, we doesn't call dec refcnt, so, the refcnt
maybe overflow. Then the 'task_get_css' will dead loop because the
'css_refcnt' will return an unbias refcnt, if the refcnt is negitave,
'__css_tryget' always return false, then 'task_get_css' dead looped.

The child process always call 'close_files' when exit, add dec refcnt in
it.

Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Reviewed-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

mainline inclusion
from mainline-v5.6-rc2
commit 07e6124a
category: bugfix
bugzilla: 13690
CVE: CVE-2020-8648

-------------------------------------------------

syzkaller reported this UAF:
BUG: KASAN: use-after-free in n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741
Read of size 1 at addr ffff8880089e40e9 by task syz-executor.1/13184

CPU: 0 PID: 13184 Comm: syz-executor.1 Not tainted 5.4.7 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
...
 kasan_report+0xe/0x20 mm/kasan/common.c:634
 n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741
 tty_ldisc_receive_buf+0xac/0x190 drivers/tty/tty_buffer.c:461
 paste_selection+0x297/0x400 drivers/tty/vt/selection.c:372
 tioclinux+0x20d/0x4e0 drivers/tty/vt/vt.c:3044
 vt_ioctl+0x1bcf/0x28d0 drivers/tty/vt/vt_ioctl.c:364
 tty_ioctl+0x525/0x15a0 drivers/tty/tty_io.c:2657
 vfs_ioctl fs/ioctl.c:47 [inline]

It is due to a race between parallel paste_selection (TIOCL_PASTESEL)
and set_selection_user (TIOCL_SETSEL) invocations. One uses sel_buffer,
while the other frees it and reallocates a new one for another
selection. Add a mutex to close this race.

The mutex takes care properly of sel_buffer and sel_buffer_lth only. The
other selection global variables (like sel_start, sel_end, and sel_cons)
are protected only in set_selection_user. The other functions need quite
some more work to close the races of the variables there. This is going
to happen later.

This likely fixes (I am unsure as there is no reproducer provided) bug
206361 too. It was marked as CVE-2020-8648.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Reported-by:  <syzbot+59997e8d5cbdc486e6f6@syzkaller.appspotmail.com>
References: https://bugzilla.kernel.org/show_bug.cgi?id=206361
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200210081131.23572-2-jslaby@suse.cz


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

mainline inclusion
from mainline-v5.6-rc2
commit 687bff0c
category: bugfix
bugzilla: 13690
CVE: CVE-2020-8648

-------------------------------------------------

When pasting a selection to a vt, the task is set as INTERRUPTIBLE while
waiting for a tty to unthrottle. But signals are not handled at all.
Normally, this is not a problem as tty_ldisc_receive_buf receives all
the goods and a user has no reason to interrupt the task.

There are two scenarios where this matters:
1) when the tty is throttled and a signal is sent to the process, it
   spins on a CPU until the tty is unthrottled. schedule() does not
   really echedule, but returns immediately, of course.
2) when the sel_buffer becomes invalid, KASAN prevents any reads from it
   and the loop simply does not proceed and spins forever (causing the
   tty to throttle, but the code never sleeps, the same as above). This
   sometimes happens as there is a race in the sel_buffer handling code.

So add signal handling to this ioctl (TIOCL_PASTESEL) and return -EINTR
in case a signal is pending.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200210081131.23572-1-jslaby@suse.cz


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

driver inclusion
category: Bugfix
bugzilla: NA
CVE: NA

We updated dfx module related conditional compilation layout to
ensure proper compilation when we turnoff dfx in .config file.

Signed-off-by: Gao Xun <gaoxun3@huawei.com>
Reviewed-by: Hu Chunzhi <huchunzhi@huawei.com>
Reviewed-by: Wang Lin <wanglin137@huawei.com>
Reviewed-by: Zhao Weibo <zhaoweibo3@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit c96dceea ]

Commit 904cdbd4 ("jbd2: clear dirty flag when revoking a buffer from
an older transaction") set the BH_Freed flag when forgetting a metadata
buffer which belongs to the committing transaction, it indicate the
committing process clear dirty bits when it is done with the buffer. But
it also clear the BH_Mapped flag at the same time, which may trigger
below NULL pointer oops when block_size < PAGE_SIZE.

rmdir 1             kjournald2                 mkdir 2
                    jbd2_journal_commit_transaction
		    commit transaction N
jbd2_journal_forget
set_buffer_freed(bh1)
                    jbd2_journal_commit_transaction
                     commit transaction N+1
                     ...
                     clear_buffer_mapped(bh1)
                                               ext4_getblk(bh2 ummapped)
                                               ...
                                               grow_dev_page
                                                init_page_buffers
                                                 bh1->b_private=NULL
                                                 bh2->b_private=NULL
                     jbd2_journal_put_journal_head(jh1)
                      __journal_remove_journal_head(hb1)
		       jh1 is NULL and trigger oops

*) Dir entry block bh1 and bh2 belongs to one page, and the bh2 has
   already been unmapped.

For the metadata buffer we forgetting, we should always keep the mapped
flag and clear the dirty flags is enough, so this patch pick out the
these buffers and keep their BH_Mapped flag.

Link: https://lore.kernel.org/r/20200213063821.30455-3-yi.zhang@huawei.com


Fixes: 904cdbd4 ("jbd2: clear dirty flag when revoking a buffer from an older transaction")
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 6a66a7de ]

There is no need to delay the clearing of b_modified flag to the
transaction committing time when unmapping the journalled buffer, so
just move it to the journal_unmap_buffer().

Link: https://lore.kernel.org/r/20200213063821.30455-2-yi.zhang@huawei.com


Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

euleros inclusion
category: feature
feature: Implement NUMA affinity for order workqueue

-------------------------------------------------

On aarch64 NUMA machines, the kworker of iscsi created always jump
around across node boundaries. If it work on the different node even
different cpu package with the softirq of network interface, memcpy
with in iscsi_tcp_segment_recv will be slow down, and iscsi got an
terrible performance.

In this patch, we trace the cpu of softirq, and tell queue_work_on
to execute iscsi_xmitworker on the same NUMA node.

The performance data as below:
fio cmd:
fio -filename=/dev/disk/by-id/wwn-0x6883fd3100a2ad260036281700000000
-direct=1 -iodepth=32 -rw=read -bs=64k -size=30G -ioengine=libaio
-numjobs=1 -group_reporting -name=mytest -time_based -ramp_time=60
-runtime=60

before patch:
Jobs: 1 (f=1): [R] [52.5% done] [852.3MB/0KB/0KB /s] [13.7K/0/0 iops] [eta 00m:57s]
Jobs: 1 (f=1): [R] [53.3% done] [861.4MB/0KB/0KB /s] [13.8K/0/0 iops] [eta 00m:56s]
Jobs: 1 (f=1): [R] [54.2% done] [868.2MB/0KB/0KB /s] [13.9K/0/0 iops] [eta 00m:55s]

after pactch:
Jobs: 1 (f=1): [R] [53.3% done] [1070MB/0KB/0KB /s] [17.2K/0/0 iops] [eta 00m:56s]
Jobs: 1 (f=1): [R] [55.0% done] [1064MB/0KB/0KB /s] [17.3K/0/0 iops] [eta 00m:54s]
Jobs: 1 (f=1): [R] [56.7% done] [1069MB/0KB/0KB /s] [17.1K/0/0 iops] [eta 00m:52s]

cpu info:
Architecture:          aarch64
Byte Order:            Little Endian
CPU(s):                128
On-line CPU(s) list:   0-127
Thread(s) per core:    1
Core(s) per socket:    64
Socket(s):             2
NUMA node(s):          4
Model:                 0
CPU max MHz:           2600.0000
CPU min MHz:           200.0000
BogoMIPS:              200.00
L1d cache:             64K
L1i cache:             64K
L2 cache:              512K
L3 cache:              32768K
NUMA node0 CPU(s):     0-31
NUMA node1 CPU(s):     32-63
NUMA node2 CPU(s):     64-95
NUMA node3 CPU(s):     96-127

Signed-off-by: Biaoxiang Ye <yebiaoxiang@huawei.com>
Acked-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

euleros inclusion
category: feature
feature: Implement NUMA affinity for order workqueue

-------------------------------------------------

Currently, single thread workqueue only have single pwq, all of
works are queued the same workerpool. This is not optimal on
NUMA machines, will cause workers jump around across node.

This patch add a new wq flags __WQ_DYNAMIC,  this new kind of
single thread workqueue creates a separate pwq covering the
intersecting CPUS for each NUMA node which has online CPUS
in @attrs->cpumask instead of mapping all entries of numa_pwq_tbl[]
to the same pwq. After this, we can specify the @cpu of
queue_work_on, so the work can be executed on the same NUMA
node of the specified @cpu.
This kind of wq only support single work, multi works can't guarantee
the work's order.

Signed-off-by: Biaoxiang Ye <yebiaoxiang@huawei.com>
Acked-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

euleros inclusion
category: feature
feature: Implement NUMA affinity for order workqueue

-------------------------------------------------

Add member to struct iscsi_conn.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-By: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

hulk inclusion
category: bugfix
bugzilla: 30939
CVE: NA

---------------------------

The kabi can be broken before official release.

This reverts commit ce620c1a6783b2341a376ef948484b5314ed064e.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-By: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

hulk inclusion
category: bugfix
bugzilla: 30939
CVE: NA
---------------------------

The kabi can be broken before official release.

This reverts commit f8589079659b51222d86a1cb8fd9129752b0d97c.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-By: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

hulk inclusion
category: bugfix
bugzilla: 30939
CVE: NA

-------------------------------------------------

The kabi can be broken before official release.

This reverts commit f316812150a4fbb52720fe7fb7702c5a52c37602.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-By: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

hulk inclusion
category: bugfix
bugzilla: 30939
CVE: NA

---------------------------

The kabi can be broken before official release.

This reverts commit 8664b79edac95322379eee025763ba0840d458d1.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-By: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

hulk inclusion
category: bugfix
bugzilla: NA
CVE: NA

---------------------------

When fix CVE-2018-12207, the kvm_vm_worker_thread will attach all
cgroup subsystem. But the files cgroup doesn't support kernel thread.

Because the init_files doesn't init the files cgroup, when kernel thread
'kvm_vm_worker_thread' attach the files cgroup, the files_cgroup
get from 'init_files' is an error pointer. It lead the kernel panic
as below:
  [  724.842302]  page_counter_uncharge+0x1d/0x30
  [  724.842431]  files_cgroup_attach+0x7c/0x130
  [  724.842564]  ? css_set_move_task+0x12e/0x230
  [  724.842694]  cgroup_migrate_execute+0x2f9/0x3b0
  [  724.842833]  cgroup_attach_task+0x156/0x200
  [  724.843010]  ? kvm_mmu_pte_write+0x490/0x490 [kvm]
  [  724.843153]  cgroup_attach_task_all+0x81/0xd0
  [  724.843289]  ? __schedule+0x294/0x910
  [  724.843419]  kvm_vm_worker_thread+0x4a/0xc0 [kvm]
  [  724.843579]  ? kvm_exit+0x80/0x80 [kvm]
  [  724.843690]  kthread+0x112/0x130
  [  724.843792]  ?kthread_create_worker_on_cpu+0x70/0x70
  [  724.843948]  ret_from_fork+0x35/0x40

So, we add some check, if the task is kernel thread (files is
'init_files'), we doesn't do the more operation about the
files cgroup.

Fixes: baa10bc24e1e ("kvm: Add helper function for creating VM ...")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Reviewed-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

hulk inclusion
category: bugfix
bugzilla: 30109
CVE: NA
---------------------------

bdi->dev may be set as "NULL" or freed by bdi_unregister().
To avoid causing "NULL" pointer reference or use-after-free
in user, we add a common function bdi_get_dev_name(), in which
dev is protected by RCU lock. Then, the caller can get device
name safely.

Fixes: 5ca4579ae59b ("bdi: fix use-after-free for the bdi device")
Signed-off-by: Yufen Yu <yuyufen@huawei.com>
Reviewed-by: Hou Tao <houao1@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

commit 8c6de56a upstream.

kvm_steal_time_set_preempted() may accidentally clear KVM_VCPU_FLUSH_TLB
bit if it is called more than once while VCPU is preempted.

This is part of CVE-2019-3016.

(This bug was also independently discovered by Jim Mattson
<jmattson@google.com>)

Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

hulk inclusion
category: bugfix
bugzilla: NA
CVE: NA

---------------------------

If system has many cpus (e.g. 128), it will spend a lot of time to
print message to the console when execute echo q > /proc/sysrq-trigger.
When /proc/sys/kernel/numa_balancing is enabled, if the migration threads
is woke up, the thread cannot continue until the print finish, it will
trigger a soft lockup.

PID: 619    TASK: ffffa02fdd8bec80  CPU: 121  COMMAND: "migration/121"
  #0 [ffff00000a103b10] __crash_kexec at ffff0000081bf200
  #1 [ffff00000a103ca0] panic at ffff0000080ec93c
  #2 [ffff00000a103d80] watchdog_timer_fn at ffff0000081f8a14
  #3 [ffff00000a103e00] __run_hrtimer at ffff00000819701c
  #4 [ffff00000a103e40] __hrtimer_run_queues at ffff000008197420
  #5 [ffff00000a103ea0] hrtimer_interrupt at ffff00000819831c
  #6 [ffff00000a103f10] arch_timer_dying_cpu at ffff000008b53144
  #7 [ffff00000a103f30] handle_percpu_devid_irq at ffff000008174e34
  #8 [ffff00000a103f70] generic_handle_irq at ffff00000816c5e8
  #9 [ffff00000a103f90] __handle_domain_irq at ffff00000816d1f4
 #10 [ffff00000a103fd0] gic_handle_irq at ffff000008081860
 --- <IRQ stack> ---
 #11 [ffff00000d6e3d50] el1_irq at ffff0000080834c8
 #12 [ffff00000d6e3d60] multi_cpu_stop at ffff0000081d9964
 #13 [ffff00000d6e3db0] cpu_stopper_thread at ffff0000081d9cfc
 #14 [ffff00000d6e3e10] smpboot_thread_fn at ffff00000811e0a8
 #15 [ffff00000d6e3e70] kthread at ffff000008118988

To avoid this soft lockup, add touch_all_softlockup_watchdogs()
in sysrq_timer_list_show()

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-By: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

hulk inclusion
category: bugfix
bugzilla: 30212
CVE: NA

---------------------------

When we print system information by echo 't' into 'sysrq-trigger' on
several cores at the same time, we got the following calltrace.

[ 1352.854632] NMI watchdog: Watchdog detected hard LOCKUP on cpu 6
[ 1352.854633] Modules linked in: nf_log_arp nf_log_ipv6 nf_log_ipv4 nf_log_common binfmt_misc salsa20_generic camellia_generic cast6_generic cast_common rfkill serpent_generic twofish_generic twofish_common xts lrw tgr192 wp512 rmd320 rmd256 rmd160 rmd128 md4 sha512_generic loop jprob(OE) ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ebtable_nat ip6table_nat nf_nat_ipv6 ip6table_mangle ip6table_raw ip6table_security iptable_nat nf_nat_ipv4 nf_nat iptable_mangle iptable_raw iptable_security nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c ip_set nfnetlink ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter vfat fat hns_roce_hw_v2 hns_roce ib_core aes_ce_blk crypto_simd cryptd aes_ce_cipher ghash_ce sha2_ce ipmi_ssif ofpart sha256_arm64 sha1_ce cmdlinepart
[ 1352.854649]  hi_sfc ses enclosure mtd sg sbsa_gwdt ipmi_si ipmi_devintf ipmi_msghandler spi_dw_mmio sch_fq_codel ip_tables ext4 mbcache jbd2 sr_mod cdrom sd_mod realtek hclge hisi_sas_v3_hw hisi_sas_main ahci libsas libahci hns3 hinic libata usb_storage hnae3 megaraid_sas scsi_transport_sas i2c_designware_platform i2c_designware_core dm_multipath dm_mirror dm_region_hash dm_log dm_mod [last unloaded: ip_vs]
[ 1352.854658] CPU: 6 PID: 220569 Comm: sh Kdump: loaded Tainted: G           OEL    4.19.90-vhulk2001.1.0.0026.aarch64 #1
[ 1352.854659] Hardware name: Huawei TaiShan 200 (Model 2280)/BC82AMDDA, BIOS 1.06 10/29/2019
[ 1352.854659] pstate: 80400089 (Nzcv daIf +PAN -UAO)
[ 1352.854660] pc : queued_spin_lock_slowpath+0x1d8/0x2e0
[ 1352.854660] lr : print_cpu+0x414/0x690
[ 1352.854660] sp : ffff0001743afb80
[ 1352.854661] x29: ffff0001743afb80 x28: ffff805fcef6e880
[ 1352.854662] x27: 0000000000000000 x26: 0000000000000000
[ 1352.854662] x25: ffff000008cab000 x24: ffff000008cab000
[ 1352.854663] x23: 0000000000000000 x22: 0000000000000000
[ 1352.854664] x21: ffff000009478000 x20: 0000000000900001
[ 1352.854664] x19: ffff000009478d20 x18: ffffffffffffffff
[ 1352.854665] x17: 0000000000000000 x16: 0000000000000000
[ 1352.854666] x15: ffff000009273708 x14: ffff00000947af60
[ 1352.854667] x13: ffff00000947abab x12: ffff00000929d000
[ 1352.854668] x11: 0000000000006fc8 x10: ffff00000947a1c0
[ 1352.854668] x9 : 0000000000000001 x8 : 0000000000000000
[ 1352.854669] x7 : ffff0000092737c8 x6 : ffff803fffc9e1c0
[ 1352.854670] x5 : 0000000000000000 x4 : ffff803fffc9e1c0
[ 1352.854671] x3 : ffff000008f5e000 x2 : 00000000001c0000
[ 1352.854671] x1 : 0000000000000000 x0 : ffff803fffc9e1c8
[ 1352.854672] Call trace:
[ 1352.854673]  queued_spin_lock_slowpath+0x1d8/0x2e0
[ 1352.854673]  print_cpu+0x414/0x690
[ 1352.854673]  sysrq_sched_debug_show+0x50/0x80
[ 1352.854674]  show_state_filter+0xc0/0xd0
[ 1352.854674]  sysrq_handle_showstate+0x18/0x28
[ 1352.854674]  __handle_sysrq+0xa0/0x190
[ 1352.854675]  write_sysrq_trigger+0x70/0x88
[ 1352.854675]  proc_reg_write+0x80/0xd8
[ 1352.854675]  __vfs_write+0x60/0x190
[ 1352.854676]  vfs_write+0xac/0x1c0
[ 1352.854676]  ksys_write+0x74/0xf0
[ 1352.854676]  __arm64_sys_write+0x24/0x30
[ 1352.854677]  el0_svc_common+0x78/0x130
[ 1352.854677]  el0_svc_handler+0x38/0x78
[ 1352.854677]  el0_svc+0x8/0xc
[ 1352.854678] Kernel panic - not syncing: Hard LOCKUP
[ 1352.854679] CPU: 6 PID: 220569 Comm: sh Kdump: loaded Tainted: G           OEL    4.19.90-vhulk2001.1.0.0026.aarch64 #1
[ 1352.854679] Hardware name: Huawei TaiShan 200 (Model 2280)/BC82AMDDA, BIOS 1.06 10/29/2019
[ 1352.854679] Call trace:
[ 1352.854680]  dump_backtrace+0x0/0x198
[ 1352.854680]  show_stack+0x24/0x30
[ 1352.854681]  dump_stack+0xa4/0xc4
[ 1352.854681]  panic+0x130/0x304
[ 1352.854681]  __stack_chk_fail+0x0/0x28
[ 1352.854682]  watchdog_hardlockup_check+0x138/0x140
[ 1352.854682]  sdei_watchdog_callback+0x20/0x30
[ 1352.854682]  sdei_event_handler+0x50/0xf0
[ 1352.854683]  __sdei_handler+0xd8/0x228
[ 1352.854683]  __sdei_asm_handler+0xbc/0x134
[ 1352.854683]  queued_spin_lock_slowpath+0x1d8/0x2e0
[ 1352.854684]  print_cpu+0x414/0x690
[ 1352.854684]  sysrq_sched_debug_show+0x50/0x80
[ 1352.854684]  show_state_filter+0xc0/0xd0
[ 1352.854685]  sysrq_handle_showstate+0x18/0x28
[ 1352.854685]  __handle_sysrq+0xa0/0x190
[ 1352.854685]  write_sysrq_trigger+0x70/0x88
[ 1352.854686]  proc_reg_write+0x80/0xd8
[ 1352.854686]  __vfs_write+0x60/0x190
[ 1352.854686]  vfs_write+0xac/0x1c0
[ 1352.854687]  ksys_write+0x74/0xf0
[ 1352.854687]  __arm64_sys_write+0x24/0x30
[ 1352.854687]  el0_svc_common+0x78/0x130
[ 1352.854688]  el0_svc_handler+0x38/0x78
[ 1352.854688]  el0_svc+0x8/0xc

It is because there are many processes in the system. 'print_cpu()'
aquires 'sched_debug_lock', print some information, and releases
'sched_debug_lock'. This procedure takes about 4 seconds in our
testcase. When four cores concurrently print system info by sysrq, it
will takes the last core 12 seconds to get the spinlock. This will
cause a hardlockup.

Signed-off-by: Kai Shen <shenkai8@huawei.com>
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Reviewed-By: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

hulk inclusion
category: bugfix
bugzilla: 30109
CVE: NA
---------------------------

When device_add() fail, we just free rcu_dev and
forget kobj->name. Using put_devcie to free both
of rcu_dev and kobj->name.

Fixes: 5ca4579ae59b ("bdi: fix use-after-free for the bdi device")
Signed-off-by: Yufen Yu <yuyufen@huawei.com>
Reviewed-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

hulk inclusion
category: bugfix
bugzilla: 30859
CVE: NA

---------------------------

There is softlockup under fio pressure test with smmu enabled:
watchdog: BUG: soft lockup - CPU#81 stuck for 22s!  [swapper/81:0]
...
Call trace:
 fq_flush_timeout+0xc0/0x110
 call_timer_fn+0x34/0x178
 expire_timers+0xec/0x158
 run_timer_softirq+0xc0/0x1f8
 __do_softirq+0x120/0x324
 irq_exit+0x11c/0x140
 __handle_domain_irq+0x6c/0xc0
 gic_handle_irq+0x6c/0x170
 el1_irq+0xb8/0x140
 arch_cpu_idle+0x38/0x1c0
 default_idle_call+0x24/0x44
 do_idle+0x1f4/0x2d8
 cpu_startup_entry+0x2c/0x30
 secondary_start_kernel+0x17c/0x1c8

This is because the timer callback fq_flush_timeout may run more than
10ms, and timer may be processed continuously in the softirq so trigger
softlockup. We can use work to deal with fq_ring_free for each cpu which
may take long time, that to avoid triggering softlockup.

Signed-off-by: Li Bin <huawei.libin@huawei.com>
Reviewed-By: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

driver inclusion
category: bugfix
bugzilla: NA
CVE: NA

In this patch, we try to fix the way judge whether q stop in user
space.
The driver judge whether device stop by parameter qp_status.used,
but this parameter only used in kernel. So we compare sqc and cqc
tail to judge finish status of tasks for user space.

Signed-off-by: Yu'an Wang <wangyuan46@huawei.com>
Reviewed-by: Cheng Hu <hucheng.hu@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

driver inclusion
category: cleanup
bugzilla: NA
CVE: NA

----------------------------------

This patch clears devil numbers for hns3_cae_dfx, and change version
to 1.9.37.0.

Signed-off-by: Junxin Chen <chenjunxin1@huawei.com>
Reviewed-by: Zhong Zhaohui <zhongzhaohui@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

driver inclusion
category: bugfix
bugzilla: NA
CVE: NA

----------------------------------

Currently, CONFIG_HNS3_DCB is configed as y default, but in some
cases, it may not be set.

This patch fixes an compile error when CONFIG_HNS3_DCB is not set.

Signed-off-by: Junxin Chen <chenjunxin1@huawei.com>
Reviewed-by: Zhong Zhaohui <zhongzhaohui@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

driver inclusion
category: bugfix
bugzilla: NA
CVE: NA

In this patch, we try to fixup compilation problem of __hisi_qm_start,
when we close CONFIG_CRYPTO_QM_UACCE.If we have not defined this macro,
we do not use para qm->reserve and qm->reserve_dma.

Signed-off-by: Yu'an Wang <wangyuan46@huawei.com>
Reviewed-by: Cheng Hu <hucheng.hu@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

driver inclusion
category: bugfix
bugzilla: NA
CVE: NA

In this patch, we try to optimize debug regs clear logic.
We add hisi_rde_debug_regs_clear interface and this interface
will be called only in probe and remove, which can keep value
of debug regs.
Otherwise, we optimize print interface of hpre_probe and add
qp_num print of hisi_qm_create_qp_nolock.

Signed-off-by: Yu'an Wang <wangyuan46@huawei.com>
Reviewed-by: Cheng Hu <hucheng.hu@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

driver inclusion
category: bugfix
bugzilla: NA
CVE: NA

In this patch, we try to change sec_control reg config:
We delete sec clock gate to keep default config. Then
we should use sec base addr, instead of qm io_base, to
config sec_control reg.

Signed-off-by: Yu'an Wang <wangyuan46@huawei.com>
Reviewed-by: Mingqiang Ling <lingmingqiang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

driver inclusion
category: bugfix
bugzilla: NA
CVE: NA

In this patch ,we try to integrate some optimization points:
1.We add likely and unlikely in result judgement to improve
performance.
2.Follow hpre module, we remove device judgement of sec/rde
module.
3.We remove invalid blank line and replace print interface.

Signed-off-by: Yu'an Wang <wangyuan46@huawei.com>
Reviewed-by: Mingqiang Ling <lingmingqiang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

driver inclusion
category: bugfix
bugzilla: NA
CVE: NA

In this patch, we try to optimize key process before free of hpre
module.
1、for DH algorithm, we use para g to compute public key, para g is
public, so we need not clear it before free.
2、for RSA algorithm, we should use memzero_explicit to clear prikey.
It will be optimized, when memset follows free.
3、For standard RSA algorithm, we use one buf to store public and
prikey, to consider performance, we just clear prikey buf.

Signed-off-by: Yu'an Wang <wangyuan46@huawei.com>
Reviewed-by: Cheng Hu <hucheng.hu@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

driver inclusion
category: bugfix
bugzilla: NA
CVE: NA

----------------------------------

When we check arrays, we both check its value and its size,
this patch fixes a bug when getting size of type.

Signed-off-by: Junxin Chen <chenjunxin1@huawei.com>
Reviewed-by: Zhong Zhaohui <zhongzhaohui@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

driver inclusion
category: Bugfix
bugzilla: NA
CVE: NA

1. the variable : sysctl_subctrl_tdh_priv[chip_id] add legitimacy check.
2. the param of sysctl_tdh_mem_access_open: chip_id add legitimacy check.

Signed-off-by: fengsheng <fengsheng5@huawei.com>
Reviewed-by: zhangmu <zhangmu1@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>