]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 26 Feb 2020 10:47:38 +0000 (11:47 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 26 Feb 2020 10:47:38 +0000 (11:47 +0100)
added patches:
genirq-irqdomain-make-sure-all-irq-domain-flags-are-distinct.patch
jbd2-fix-ocfs2-corrupt-when-clearing-block-group-bits.patch
maintainers-update-drm-i915-bug-filing-url.patch
mm-memcontrol.c-lost-css_put-in-memcg_expand_shrinker_maps.patch
nvme-multipath-fix-memory-leak-with-ana_log_buf.patch
powerpc-tm-fix-clearing-msr-in-current-when-reclaiming-on-signal-delivery.patch
revert-ipc-sem-remove-uneeded-sem_undo_list-lock-usage-in-exit_sem.patch
serdev-ttyport-restore-client-ops-on-deregistration.patch
serial-8250-check-upf_irq_shared-in-advance.patch
tty-serial-atmel-manage-shutdown-in-case-of-rs485-or-iso7816-mode.patch
tty-serial-imx-setup-the-correct-sg-entry-for-tx-dma.patch
x86-cpu-amd-enable-the-fixed-instructions-retired-counter-irperf.patch
x86-mce-amd-fix-kobject-lifetime.patch
x86-mce-amd-publish-the-bank-pointer-only-after-setup-has-succeeded.patch

15 files changed:
queue-4.19/genirq-irqdomain-make-sure-all-irq-domain-flags-are-distinct.patch [new file with mode: 0644]
queue-4.19/jbd2-fix-ocfs2-corrupt-when-clearing-block-group-bits.patch [new file with mode: 0644]
queue-4.19/maintainers-update-drm-i915-bug-filing-url.patch [new file with mode: 0644]
queue-4.19/mm-memcontrol.c-lost-css_put-in-memcg_expand_shrinker_maps.patch [new file with mode: 0644]
queue-4.19/nvme-multipath-fix-memory-leak-with-ana_log_buf.patch [new file with mode: 0644]
queue-4.19/powerpc-tm-fix-clearing-msr-in-current-when-reclaiming-on-signal-delivery.patch [new file with mode: 0644]
queue-4.19/revert-ipc-sem-remove-uneeded-sem_undo_list-lock-usage-in-exit_sem.patch [new file with mode: 0644]
queue-4.19/serdev-ttyport-restore-client-ops-on-deregistration.patch [new file with mode: 0644]
queue-4.19/serial-8250-check-upf_irq_shared-in-advance.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/tty-serial-atmel-manage-shutdown-in-case-of-rs485-or-iso7816-mode.patch [new file with mode: 0644]
queue-4.19/tty-serial-imx-setup-the-correct-sg-entry-for-tx-dma.patch [new file with mode: 0644]
queue-4.19/x86-cpu-amd-enable-the-fixed-instructions-retired-counter-irperf.patch [new file with mode: 0644]
queue-4.19/x86-mce-amd-fix-kobject-lifetime.patch [new file with mode: 0644]
queue-4.19/x86-mce-amd-publish-the-bank-pointer-only-after-setup-has-succeeded.patch [new file with mode: 0644]

diff --git a/queue-4.19/genirq-irqdomain-make-sure-all-irq-domain-flags-are-distinct.patch b/queue-4.19/genirq-irqdomain-make-sure-all-irq-domain-flags-are-distinct.patch
new file mode 100644 (file)
index 0000000..b5b8215
--- /dev/null
@@ -0,0 +1,40 @@
+From 2546287c5fb363a0165933ae2181c92f03e701d0 Mon Sep 17 00:00:00 2001
+From: Zenghui Yu <yuzenghui@huawei.com>
+Date: Fri, 21 Feb 2020 10:07:25 +0800
+Subject: genirq/irqdomain: Make sure all irq domain flags are distinct
+
+From: Zenghui Yu <yuzenghui@huawei.com>
+
+commit 2546287c5fb363a0165933ae2181c92f03e701d0 upstream.
+
+This was noticed when printing debugfs for MSIs on my ARM64 server.  The
+new dstate IRQD_MSI_NOMASK_QUIRK came out surprisingly while it should only
+be the x86 stuff for the time being...
+
+The new MSI quirk flag uses the same bit as IRQ_DOMAIN_NAME_ALLOCATED which
+is oddly defined as bit 6 for no good reason.
+
+Switch it to the non used bit 1.
+
+Fixes: 6f1a4891a592 ("x86/apic/msi: Plug non-maskable MSI affinity race")
+Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20200221020725.2038-1-yuzenghui@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/irqdomain.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/irqdomain.h
++++ b/include/linux/irqdomain.h
+@@ -188,7 +188,7 @@ enum {
+       IRQ_DOMAIN_FLAG_HIERARCHY       = (1 << 0),
+       /* Irq domain name was allocated in __irq_domain_add() */
+-      IRQ_DOMAIN_NAME_ALLOCATED       = (1 << 6),
++      IRQ_DOMAIN_NAME_ALLOCATED       = (1 << 1),
+       /* Irq domain is an IPI domain with virq per cpu */
+       IRQ_DOMAIN_FLAG_IPI_PER_CPU     = (1 << 2),
diff --git a/queue-4.19/jbd2-fix-ocfs2-corrupt-when-clearing-block-group-bits.patch b/queue-4.19/jbd2-fix-ocfs2-corrupt-when-clearing-block-group-bits.patch
new file mode 100644 (file)
index 0000000..95744ce
--- /dev/null
@@ -0,0 +1,180 @@
+From 8eedabfd66b68a4623beec0789eac54b8c9d0fb6 Mon Sep 17 00:00:00 2001
+From: wangyan <wangyan122@huawei.com>
+Date: Thu, 20 Feb 2020 21:46:14 +0800
+Subject: jbd2: fix ocfs2 corrupt when clearing block group bits
+
+From: wangyan <wangyan122@huawei.com>
+
+commit 8eedabfd66b68a4623beec0789eac54b8c9d0fb6 upstream.
+
+I found a NULL pointer dereference in ocfs2_block_group_clear_bits().
+The running environment:
+       kernel version: 4.19
+       A cluster with two nodes, 5 luns mounted on two nodes, and do some
+       file operations like dd/fallocate/truncate/rm on every lun with storage
+       network disconnection.
+
+The fallocate operation on dm-23-45 caused an null pointer dereference.
+
+The information of NULL pointer dereference as follows:
+       [577992.878282] JBD2: Error -5 detected when updating journal superblock for dm-23-45.
+       [577992.878290] Aborting journal on device dm-23-45.
+       ...
+       [577992.890778] JBD2: Error -5 detected when updating journal superblock for dm-24-46.
+       [577992.890908] __journal_remove_journal_head: freeing b_committed_data
+       [577992.890916] (fallocate,88392,52):ocfs2_extend_trans:474 ERROR: status = -30
+       [577992.890918] __journal_remove_journal_head: freeing b_committed_data
+       [577992.890920] (fallocate,88392,52):ocfs2_rotate_tree_right:2500 ERROR: status = -30
+       [577992.890922] __journal_remove_journal_head: freeing b_committed_data
+       [577992.890924] (fallocate,88392,52):ocfs2_do_insert_extent:4382 ERROR: status = -30
+       [577992.890928] (fallocate,88392,52):ocfs2_insert_extent:4842 ERROR: status = -30
+       [577992.890928] __journal_remove_journal_head: freeing b_committed_data
+       [577992.890930] (fallocate,88392,52):ocfs2_add_clusters_in_btree:4947 ERROR: status = -30
+       [577992.890933] __journal_remove_journal_head: freeing b_committed_data
+       [577992.890939] __journal_remove_journal_head: freeing b_committed_data
+       [577992.890949] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
+       [577992.890950] Mem abort info:
+       [577992.890951]   ESR = 0x96000004
+       [577992.890952]   Exception class = DABT (current EL), IL = 32 bits
+       [577992.890952]   SET = 0, FnV = 0
+       [577992.890953]   EA = 0, S1PTW = 0
+       [577992.890954] Data abort info:
+       [577992.890955]   ISV = 0, ISS = 0x00000004
+       [577992.890956]   CM = 0, WnR = 0
+       [577992.890958] user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000f8da07a9
+       [577992.890960] [0000000000000020] pgd=0000000000000000
+       [577992.890964] Internal error: Oops: 96000004 [#1] SMP
+       [577992.890965] Process fallocate (pid: 88392, stack limit = 0x00000000013db2fd)
+       [577992.890968] CPU: 52 PID: 88392 Comm: fallocate Kdump: loaded Tainted: G        W  OE     4.19.36 #1
+       [577992.890969] Hardware name: Huawei TaiShan 2280 V2/BC82AMDD, BIOS 0.98 08/25/2019
+       [577992.890971] pstate: 60400009 (nZCv daif +PAN -UAO)
+       [577992.891054] pc : _ocfs2_free_suballoc_bits+0x63c/0x968 [ocfs2]
+       [577992.891082] lr : _ocfs2_free_suballoc_bits+0x618/0x968 [ocfs2]
+       [577992.891084] sp : ffff0000c8e2b810
+       [577992.891085] x29: ffff0000c8e2b820 x28: 0000000000000000
+       [577992.891087] x27: 00000000000006f3 x26: ffffa07957b02e70
+       [577992.891089] x25: ffff807c59d50000 x24: 00000000000006f2
+       [577992.891091] x23: 0000000000000001 x22: ffff807bd39abc30
+       [577992.891093] x21: ffff0000811d9000 x20: ffffa07535d6a000
+       [577992.891097] x19: ffff000001681638 x18: ffffffffffffffff
+       [577992.891098] x17: 0000000000000000 x16: ffff000080a03df0
+       [577992.891100] x15: ffff0000811d9708 x14: 203d207375746174
+       [577992.891101] x13: 73203a524f525245 x12: 20373439343a6565
+       [577992.891103] x11: 0000000000000038 x10: 0101010101010101
+       [577992.891106] x9 : ffffa07c68a85d70 x8 : 7f7f7f7f7f7f7f7f
+       [577992.891109] x7 : 0000000000000000 x6 : 0000000000000080
+       [577992.891110] x5 : 0000000000000000 x4 : 0000000000000002
+       [577992.891112] x3 : ffff000001713390 x2 : 2ff90f88b1c22f00
+       [577992.891114] x1 : ffff807bd39abc30 x0 : 0000000000000000
+       [577992.891116] Call trace:
+       [577992.891139]  _ocfs2_free_suballoc_bits+0x63c/0x968 [ocfs2]
+       [577992.891162]  _ocfs2_free_clusters+0x100/0x290 [ocfs2]
+       [577992.891185]  ocfs2_free_clusters+0x50/0x68 [ocfs2]
+       [577992.891206]  ocfs2_add_clusters_in_btree+0x198/0x5e0 [ocfs2]
+       [577992.891227]  ocfs2_add_inode_data+0x94/0xc8 [ocfs2]
+       [577992.891248]  ocfs2_extend_allocation+0x1bc/0x7a8 [ocfs2]
+       [577992.891269]  ocfs2_allocate_extents+0x14c/0x338 [ocfs2]
+       [577992.891290]  __ocfs2_change_file_space+0x3f8/0x610 [ocfs2]
+       [577992.891309]  ocfs2_fallocate+0xe4/0x128 [ocfs2]
+       [577992.891316]  vfs_fallocate+0x11c/0x250
+       [577992.891317]  ksys_fallocate+0x54/0x88
+       [577992.891319]  __arm64_sys_fallocate+0x28/0x38
+       [577992.891323]  el0_svc_common+0x78/0x130
+       [577992.891325]  el0_svc_handler+0x38/0x78
+       [577992.891327]  el0_svc+0x8/0xc
+
+My analysis process as follows:
+ocfs2_fallocate
+  __ocfs2_change_file_space
+    ocfs2_allocate_extents
+      ocfs2_extend_allocation
+        ocfs2_add_inode_data
+          ocfs2_add_clusters_in_btree
+            ocfs2_insert_extent
+              ocfs2_do_insert_extent
+                ocfs2_rotate_tree_right
+                  ocfs2_extend_rotate_transaction
+                    ocfs2_extend_trans
+                      jbd2_journal_restart
+                        jbd2__journal_restart
+                          /* handle->h_transaction is NULL,
+                           * is_handle_aborted(handle) is true
+                           */
+                          handle->h_transaction = NULL;
+                          start_this_handle
+                            return -EROFS;
+            ocfs2_free_clusters
+              _ocfs2_free_clusters
+                _ocfs2_free_suballoc_bits
+                  ocfs2_block_group_clear_bits
+                    ocfs2_journal_access_gd
+                      __ocfs2_journal_access
+                        jbd2_journal_get_undo_access
+                          /* I think jbd2_write_access_granted() will
+                           * return true, because do_get_write_access()
+                           * will return -EROFS.
+                           */
+                          if (jbd2_write_access_granted(...)) return 0;
+                          do_get_write_access
+                            /* handle->h_transaction is NULL, it will
+                             * return -EROFS here, so do_get_write_access()
+                             * was not called.
+                             */
+                            if (is_handle_aborted(handle)) return -EROFS;
+                    /* bh2jh(group_bh) is NULL, caused NULL
+                       pointer dereference */
+                    undo_bg = (struct ocfs2_group_desc *)
+                                bh2jh(group_bh)->b_committed_data;
+
+If handle->h_transaction == NULL, then jbd2_write_access_granted()
+does not really guarantee that journal_head will stay around,
+not even speaking of its b_committed_data. The bh2jh(group_bh)
+can be removed after ocfs2_journal_access_gd() and before call
+"bh2jh(group_bh)->b_committed_data". So, we should move
+is_handle_aborted() check from do_get_write_access() into
+jbd2_journal_get_undo_access() and jbd2_journal_get_write_access()
+before the call to jbd2_write_access_granted().
+
+Link: https://lore.kernel.org/r/f72a623f-b3f1-381a-d91d-d22a1c83a336@huawei.com
+Signed-off-by: Yan Wang <wangyan122@huawei.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jun Piao <piaojun@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/transaction.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -831,8 +831,6 @@ do_get_write_access(handle_t *handle, st
+       char *frozen_buffer = NULL;
+       unsigned long start_lock, time_lock;
+-      if (is_handle_aborted(handle))
+-              return -EROFS;
+       journal = transaction->t_journal;
+       jbd_debug(5, "journal_head %p, force_copy %d\n", jh, force_copy);
+@@ -1084,6 +1082,9 @@ int jbd2_journal_get_write_access(handle
+       struct journal_head *jh;
+       int rc;
++      if (is_handle_aborted(handle))
++              return -EROFS;
++
+       if (jbd2_write_access_granted(handle, bh, false))
+               return 0;
+@@ -1221,6 +1222,9 @@ int jbd2_journal_get_undo_access(handle_
+       struct journal_head *jh;
+       char *committed_data = NULL;
++      if (is_handle_aborted(handle))
++              return -EROFS;
++
+       if (jbd2_write_access_granted(handle, bh, true))
+               return 0;
diff --git a/queue-4.19/maintainers-update-drm-i915-bug-filing-url.patch b/queue-4.19/maintainers-update-drm-i915-bug-filing-url.patch
new file mode 100644 (file)
index 0000000..0d98eb9
--- /dev/null
@@ -0,0 +1,34 @@
+From 96228b7df33f8eb9006f8ae96949400aed9bd303 Mon Sep 17 00:00:00 2001
+From: Jani Nikula <jani.nikula@intel.com>
+Date: Wed, 12 Feb 2020 18:04:33 +0200
+Subject: MAINTAINERS: Update drm/i915 bug filing URL
+
+From: Jani Nikula <jani.nikula@intel.com>
+
+commit 96228b7df33f8eb9006f8ae96949400aed9bd303 upstream.
+
+We've moved from bugzilla to gitlab.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200212160434.6437-1-jani.nikula@intel.com
+(cherry picked from commit 3a6a4f0810c8ade6f1ff63c34aa9834176b9d88b)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ MAINTAINERS |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -7340,7 +7340,7 @@ M:       Joonas Lahtinen <joonas.lahtinen@linu
+ M:    Rodrigo Vivi <rodrigo.vivi@intel.com>
+ L:    intel-gfx@lists.freedesktop.org
+ W:    https://01.org/linuxgraphics/
+-B:    https://01.org/linuxgraphics/documentation/how-report-bugs
++B:    https://gitlab.freedesktop.org/drm/intel/-/wikis/How-to-file-i915-bugs
+ C:    irc://chat.freenode.net/intel-gfx
+ Q:    http://patchwork.freedesktop.org/project/intel-gfx/
+ T:    git git://anongit.freedesktop.org/drm-intel
diff --git a/queue-4.19/mm-memcontrol.c-lost-css_put-in-memcg_expand_shrinker_maps.patch b/queue-4.19/mm-memcontrol.c-lost-css_put-in-memcg_expand_shrinker_maps.patch
new file mode 100644 (file)
index 0000000..93f8521
--- /dev/null
@@ -0,0 +1,43 @@
+From 75866af62b439859d5146b7093ceb6b482852683 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 20 Feb 2020 20:04:18 -0800
+Subject: mm/memcontrol.c: lost css_put in memcg_expand_shrinker_maps()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 75866af62b439859d5146b7093ceb6b482852683 upstream.
+
+for_each_mem_cgroup() increases css reference counter for memory cgroup
+and requires to use mem_cgroup_iter_break() if the walk is cancelled.
+
+Link: http://lkml.kernel.org/r/c98414fb-7e1f-da0f-867a-9340ec4bd30b@virtuozzo.com
+Fixes: 0a4465d34028 ("mm, memcg: assign memcg-aware shrinkers bitmap to memcg")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Acked-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Roman Gushchin <guro@fb.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memcontrol.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -419,8 +419,10 @@ int memcg_expand_shrinker_maps(int new_i
+               if (mem_cgroup_is_root(memcg))
+                       continue;
+               ret = memcg_expand_one_shrinker_map(memcg, size, old_size);
+-              if (ret)
++              if (ret) {
++                      mem_cgroup_iter_break(NULL, memcg);
+                       goto unlock;
++              }
+       }
+ unlock:
+       if (!ret)
diff --git a/queue-4.19/nvme-multipath-fix-memory-leak-with-ana_log_buf.patch b/queue-4.19/nvme-multipath-fix-memory-leak-with-ana_log_buf.patch
new file mode 100644 (file)
index 0000000..8dcfd69
--- /dev/null
@@ -0,0 +1,66 @@
+From 3b7830904e17202524bad1974505a9bfc718d31f Mon Sep 17 00:00:00 2001
+From: Logan Gunthorpe <logang@deltatee.com>
+Date: Thu, 20 Feb 2020 13:29:53 -0700
+Subject: nvme-multipath: Fix memory leak with ana_log_buf
+
+From: Logan Gunthorpe <logang@deltatee.com>
+
+commit 3b7830904e17202524bad1974505a9bfc718d31f upstream.
+
+kmemleak reports a memory leak with the ana_log_buf allocated by
+nvme_mpath_init():
+
+unreferenced object 0xffff888120e94000 (size 8208):
+  comm "nvme", pid 6884, jiffies 4295020435 (age 78786.312s)
+    hex dump (first 32 bytes):
+      00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
+      01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
+    backtrace:
+      [<00000000e2360188>] kmalloc_order+0x97/0xc0
+      [<0000000079b18dd4>] kmalloc_order_trace+0x24/0x100
+      [<00000000f50c0406>] __kmalloc+0x24c/0x2d0
+      [<00000000f31a10b9>] nvme_mpath_init+0x23c/0x2b0
+      [<000000005802589e>] nvme_init_identify+0x75f/0x1600
+      [<0000000058ef911b>] nvme_loop_configure_admin_queue+0x26d/0x280
+      [<00000000673774b9>] nvme_loop_create_ctrl+0x2a7/0x710
+      [<00000000f1c7a233>] nvmf_dev_write+0xc66/0x10b9
+      [<000000004199f8d0>] __vfs_write+0x50/0xa0
+      [<0000000065466fef>] vfs_write+0xf3/0x280
+      [<00000000b0db9a8b>] ksys_write+0xc6/0x160
+      [<0000000082156b91>] __x64_sys_write+0x43/0x50
+      [<00000000c34fbb6d>] do_syscall_64+0x77/0x2f0
+      [<00000000bbc574c9>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+nvme_mpath_init() is called by nvme_init_identify() which is called in
+multiple places (nvme_reset_work(), nvme_passthru_end(), etc). This
+means nvme_mpath_init() may be called multiple times before
+nvme_mpath_uninit() (which is only called on nvme_free_ctrl()).
+
+When nvme_mpath_init() is called multiple times, it overwrites the
+ana_log_buf pointer with a new allocation, thus leaking the previous
+allocation.
+
+To fix this, free ana_log_buf before allocating a new one.
+
+Fixes: 0d0b660f214dc490 ("nvme: add ANA support")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvme/host/multipath.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -569,6 +569,7 @@ int nvme_mpath_init(struct nvme_ctrl *ct
+       }
+       INIT_WORK(&ctrl->ana_work, nvme_ana_work);
++      kfree(ctrl->ana_log_buf);
+       ctrl->ana_log_buf = kmalloc(ctrl->ana_log_size, GFP_KERNEL);
+       if (!ctrl->ana_log_buf) {
+               error = -ENOMEM;
diff --git a/queue-4.19/powerpc-tm-fix-clearing-msr-in-current-when-reclaiming-on-signal-delivery.patch b/queue-4.19/powerpc-tm-fix-clearing-msr-in-current-when-reclaiming-on-signal-delivery.patch
new file mode 100644 (file)
index 0000000..45fc739
--- /dev/null
@@ -0,0 +1,282 @@
+From 2464cc4c345699adea52c7aef75707207cb8a2f6 Mon Sep 17 00:00:00 2001
+From: Gustavo Luiz Duarte <gustavold@linux.ibm.com>
+Date: Tue, 11 Feb 2020 00:38:29 -0300
+Subject: powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery
+
+From: Gustavo Luiz Duarte <gustavold@linux.ibm.com>
+
+commit 2464cc4c345699adea52c7aef75707207cb8a2f6 upstream.
+
+After a treclaim, we expect to be in non-transactional state. If we
+don't clear the current thread's MSR[TS] before we get preempted, then
+tm_recheckpoint_new_task() will recheckpoint and we get rescheduled in
+suspended transaction state.
+
+When handling a signal caught in transactional state,
+handle_rt_signal64() calls get_tm_stackpointer() that treclaims the
+transaction using tm_reclaim_current() but without clearing the
+thread's MSR[TS]. This can cause the TM Bad Thing exception below if
+later we pagefault and get preempted trying to access the user's
+sigframe, using __put_user(). Afterwards, when we are rescheduled back
+into do_page_fault() (but now in suspended state since the thread's
+MSR[TS] was not cleared), upon executing 'rfid' after completion of
+the page fault handling, the exception is raised because a transition
+from suspended to non-transactional state is invalid.
+
+  Unexpected TM Bad Thing exception at c00000000000de44 (msr 0x8000000302a03031) tm_scratch=800000010280b033
+  Oops: Unrecoverable exception, sig: 6 [#1]
+  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
+  CPU: 25 PID: 15547 Comm: a.out Not tainted 5.4.0-rc2 #32
+  NIP:  c00000000000de44 LR: c000000000034728 CTR: 0000000000000000
+  REGS: c00000003fe7bd70 TRAP: 0700   Not tainted  (5.4.0-rc2)
+  MSR:  8000000302a03031 <SF,VEC,VSX,FP,ME,IR,DR,LE,TM[SE]>  CR: 44000884  XER: 00000000
+  CFAR: c00000000000dda4 IRQMASK: 0
+  PACATMSCRATCH: 800000010280b033
+  GPR00: c000000000034728 c000000f65a17c80 c000000001662800 00007fffacf3fd78
+  GPR04: 0000000000001000 0000000000001000 0000000000000000 c000000f611f8af0
+  GPR08: 0000000000000000 0000000078006001 0000000000000000 000c000000000000
+  GPR12: c000000f611f84b0 c00000003ffcb200 0000000000000000 0000000000000000
+  GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+  GPR20: 0000000000000000 0000000000000000 0000000000000000 c000000f611f8140
+  GPR24: 0000000000000000 00007fffacf3fd68 c000000f65a17d90 c000000f611f7800
+  GPR28: c000000f65a17e90 c000000f65a17e90 c000000001685e18 00007fffacf3f000
+  NIP [c00000000000de44] fast_exception_return+0xf4/0x1b0
+  LR [c000000000034728] handle_rt_signal64+0x78/0xc50
+  Call Trace:
+  [c000000f65a17c80] [c000000000034710] handle_rt_signal64+0x60/0xc50 (unreliable)
+  [c000000f65a17d30] [c000000000023640] do_notify_resume+0x330/0x460
+  [c000000f65a17e20] [c00000000000dcc4] ret_from_except_lite+0x70/0x74
+  Instruction dump:
+  7c4ff120 e8410170 7c5a03a6 38400000 f8410060 e8010070 e8410080 e8610088
+  60000000 60000000 e8810090 e8210078 <4c000024> 48000000 e8610178 88ed0989
+  ---[ end trace 93094aa44b442f87 ]---
+
+The simplified sequence of events that triggers the above exception is:
+
+  ...                          # userspace in NON-TRANSACTIONAL state
+  tbegin                       # userspace in TRANSACTIONAL state
+  signal delivery              # kernelspace in SUSPENDED state
+  handle_rt_signal64()
+    get_tm_stackpointer()
+      treclaim                 # kernelspace in NON-TRANSACTIONAL state
+    __put_user()
+      page fault happens. We will never get back here because of the TM Bad Thing exception.
+
+  page fault handling kicks in and we voluntarily preempt ourselves
+  do_page_fault()
+    __schedule()
+      __switch_to(other_task)
+
+  our task is rescheduled and we recheckpoint because the thread's MSR[TS] was not cleared
+  __switch_to(our_task)
+    switch_to_tm()
+      tm_recheckpoint_new_task()
+        trechkpt                       # kernelspace in SUSPENDED state
+
+  The page fault handling resumes, but now we are in suspended transaction state
+  do_page_fault()    completes
+  rfid     <----- trying to get back where the page fault happened (we were non-transactional back then)
+  TM Bad Thing                 # illegal transition from suspended to non-transactional
+
+This patch fixes that issue by clearing the current thread's MSR[TS]
+just after treclaim in get_tm_stackpointer() so that we stay in
+non-transactional state in case we are preempted. In order to make
+treclaim and clearing the thread's MSR[TS] atomic from a preemption
+perspective when CONFIG_PREEMPT is set, preempt_disable/enable() is
+used. It's also necessary to save the previous value of the thread's
+MSR before get_tm_stackpointer() is called so that it can be exposed
+to the signal handler later in setup_tm_sigcontexts() to inform the
+userspace MSR at the moment of the signal delivery.
+
+Found with tm-signal-context-force-tm kernel selftest.
+
+Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context")
+Cc: stable@vger.kernel.org # v3.9
+Signed-off-by: Gustavo Luiz Duarte <gustavold@linux.ibm.com>
+Acked-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200211033831.11165-1-gustavold@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/signal.c    |   17 +++++++++++++++--
+ arch/powerpc/kernel/signal_32.c |   28 ++++++++++++++--------------
+ arch/powerpc/kernel/signal_64.c |   22 ++++++++++------------
+ 3 files changed, 39 insertions(+), 28 deletions(-)
+
+--- a/arch/powerpc/kernel/signal.c
++++ b/arch/powerpc/kernel/signal.c
+@@ -200,14 +200,27 @@ unsigned long get_tm_stackpointer(struct
+        * normal/non-checkpointed stack pointer.
+        */
++      unsigned long ret = tsk->thread.regs->gpr[1];
++
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+       BUG_ON(tsk != current);
+       if (MSR_TM_ACTIVE(tsk->thread.regs->msr)) {
++              preempt_disable();
+               tm_reclaim_current(TM_CAUSE_SIGNAL);
+               if (MSR_TM_TRANSACTIONAL(tsk->thread.regs->msr))
+-                      return tsk->thread.ckpt_regs.gpr[1];
++                      ret = tsk->thread.ckpt_regs.gpr[1];
++
++              /*
++               * If we treclaim, we must clear the current thread's TM bits
++               * before re-enabling preemption. Otherwise we might be
++               * preempted and have the live MSR[TS] changed behind our back
++               * (tm_recheckpoint_new_task() would recheckpoint). Besides, we
++               * enter the signal handler in non-transactional state.
++               */
++              tsk->thread.regs->msr &= ~MSR_TS_MASK;
++              preempt_enable();
+       }
+ #endif
+-      return tsk->thread.regs->gpr[1];
++      return ret;
+ }
+--- a/arch/powerpc/kernel/signal_32.c
++++ b/arch/powerpc/kernel/signal_32.c
+@@ -493,19 +493,11 @@ static int save_user_regs(struct pt_regs
+  */
+ static int save_tm_user_regs(struct pt_regs *regs,
+                            struct mcontext __user *frame,
+-                           struct mcontext __user *tm_frame, int sigret)
++                           struct mcontext __user *tm_frame, int sigret,
++                           unsigned long msr)
+ {
+-      unsigned long msr = regs->msr;
+-
+       WARN_ON(tm_suspend_disabled);
+-      /* Remove TM bits from thread's MSR.  The MSR in the sigcontext
+-       * just indicates to userland that we were doing a transaction, but we
+-       * don't want to return in transactional state.  This also ensures
+-       * that flush_fp_to_thread won't set TIF_RESTORE_TM again.
+-       */
+-      regs->msr &= ~MSR_TS_MASK;
+-
+       /* Save both sets of general registers */
+       if (save_general_regs(&current->thread.ckpt_regs, frame)
+           || save_general_regs(regs, tm_frame))
+@@ -916,6 +908,10 @@ int handle_rt_signal32(struct ksignal *k
+       int sigret;
+       unsigned long tramp;
+       struct pt_regs *regs = tsk->thread.regs;
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++      /* Save the thread's msr before get_tm_stackpointer() changes it */
++      unsigned long msr = regs->msr;
++#endif
+       BUG_ON(tsk != current);
+@@ -948,13 +944,13 @@ int handle_rt_signal32(struct ksignal *k
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+       tm_frame = &rt_sf->uc_transact.uc_mcontext;
+-      if (MSR_TM_ACTIVE(regs->msr)) {
++      if (MSR_TM_ACTIVE(msr)) {
+               if (__put_user((unsigned long)&rt_sf->uc_transact,
+                              &rt_sf->uc.uc_link) ||
+                   __put_user((unsigned long)tm_frame,
+                              &rt_sf->uc_transact.uc_regs))
+                       goto badframe;
+-              if (save_tm_user_regs(regs, frame, tm_frame, sigret))
++              if (save_tm_user_regs(regs, frame, tm_frame, sigret, msr))
+                       goto badframe;
+       }
+       else
+@@ -1365,6 +1361,10 @@ int handle_signal32(struct ksignal *ksig
+       int sigret;
+       unsigned long tramp;
+       struct pt_regs *regs = tsk->thread.regs;
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++      /* Save the thread's msr before get_tm_stackpointer() changes it */
++      unsigned long msr = regs->msr;
++#endif
+       BUG_ON(tsk != current);
+@@ -1398,9 +1398,9 @@ int handle_signal32(struct ksignal *ksig
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+       tm_mctx = &frame->mctx_transact;
+-      if (MSR_TM_ACTIVE(regs->msr)) {
++      if (MSR_TM_ACTIVE(msr)) {
+               if (save_tm_user_regs(regs, &frame->mctx, &frame->mctx_transact,
+-                                    sigret))
++                                    sigret, msr))
+                       goto badframe;
+       }
+       else
+--- a/arch/powerpc/kernel/signal_64.c
++++ b/arch/powerpc/kernel/signal_64.c
+@@ -196,7 +196,8 @@ static long setup_sigcontext(struct sigc
+ static long setup_tm_sigcontexts(struct sigcontext __user *sc,
+                                struct sigcontext __user *tm_sc,
+                                struct task_struct *tsk,
+-                               int signr, sigset_t *set, unsigned long handler)
++                               int signr, sigset_t *set, unsigned long handler,
++                               unsigned long msr)
+ {
+       /* When CONFIG_ALTIVEC is set, we _always_ setup v_regs even if the
+        * process never used altivec yet (MSR_VEC is zero in pt_regs of
+@@ -211,12 +212,11 @@ static long setup_tm_sigcontexts(struct
+       elf_vrreg_t __user *tm_v_regs = sigcontext_vmx_regs(tm_sc);
+ #endif
+       struct pt_regs *regs = tsk->thread.regs;
+-      unsigned long msr = tsk->thread.regs->msr;
+       long err = 0;
+       BUG_ON(tsk != current);
+-      BUG_ON(!MSR_TM_ACTIVE(regs->msr));
++      BUG_ON(!MSR_TM_ACTIVE(msr));
+       WARN_ON(tm_suspend_disabled);
+@@ -226,13 +226,6 @@ static long setup_tm_sigcontexts(struct
+        */
+       msr |= tsk->thread.ckpt_regs.msr & (MSR_FP | MSR_VEC | MSR_VSX);
+-      /* Remove TM bits from thread's MSR.  The MSR in the sigcontext
+-       * just indicates to userland that we were doing a transaction, but we
+-       * don't want to return in transactional state.  This also ensures
+-       * that flush_fp_to_thread won't set TIF_RESTORE_TM again.
+-       */
+-      regs->msr &= ~MSR_TS_MASK;
+-
+ #ifdef CONFIG_ALTIVEC
+       err |= __put_user(v_regs, &sc->v_regs);
+       err |= __put_user(tm_v_regs, &tm_sc->v_regs);
+@@ -803,6 +796,10 @@ int handle_rt_signal64(struct ksignal *k
+       unsigned long newsp = 0;
+       long err = 0;
+       struct pt_regs *regs = tsk->thread.regs;
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++      /* Save the thread's msr before get_tm_stackpointer() changes it */
++      unsigned long msr = regs->msr;
++#endif
+       BUG_ON(tsk != current);
+@@ -820,7 +817,7 @@ int handle_rt_signal64(struct ksignal *k
+       err |= __put_user(0, &frame->uc.uc_flags);
+       err |= __save_altstack(&frame->uc.uc_stack, regs->gpr[1]);
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+-      if (MSR_TM_ACTIVE(regs->msr)) {
++      if (MSR_TM_ACTIVE(msr)) {
+               /* The ucontext_t passed to userland points to the second
+                * ucontext_t (for transactional state) with its uc_link ptr.
+                */
+@@ -828,7 +825,8 @@ int handle_rt_signal64(struct ksignal *k
+               err |= setup_tm_sigcontexts(&frame->uc.uc_mcontext,
+                                           &frame->uc_transact.uc_mcontext,
+                                           tsk, ksig->sig, NULL,
+-                                          (unsigned long)ksig->ka.sa.sa_handler);
++                                          (unsigned long)ksig->ka.sa.sa_handler,
++                                          msr);
+       } else
+ #endif
+       {
diff --git a/queue-4.19/revert-ipc-sem-remove-uneeded-sem_undo_list-lock-usage-in-exit_sem.patch b/queue-4.19/revert-ipc-sem-remove-uneeded-sem_undo_list-lock-usage-in-exit_sem.patch
new file mode 100644 (file)
index 0000000..e48d996
--- /dev/null
@@ -0,0 +1,135 @@
+From edf28f4061afe4c2d9eb1c3323d90e882c1d6800 Mon Sep 17 00:00:00 2001
+From: Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
+Date: Thu, 20 Feb 2020 20:04:00 -0800
+Subject: Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()"
+
+From: Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
+
+commit edf28f4061afe4c2d9eb1c3323d90e882c1d6800 upstream.
+
+This reverts commit a97955844807e327df11aa33869009d14d6b7de0.
+
+Commit a97955844807 ("ipc,sem: remove uneeded sem_undo_list lock usage
+in exit_sem()") removes a lock that is needed.  This leads to a process
+looping infinitely in exit_sem() and can also lead to a crash.  There is
+a reproducer available in [1] and with the commit reverted the issue
+does not reproduce anymore.
+
+Using the reproducer found in [1] is fairly easy to reach a point where
+one of the child processes is looping infinitely in exit_sem between
+for(;;) and if (semid == -1) block, while it's trying to free its last
+sem_undo structure which has already been freed by freeary().
+
+Each sem_undo struct is on two lists: one per semaphore set (list_id)
+and one per process (list_proc).  The list_id list tracks undos by
+semaphore set, and the list_proc by process.
+
+Undo structures are removed either by freeary() or by exit_sem().  The
+freeary function is invoked when the user invokes a syscall to remove a
+semaphore set.  During this operation freeary() traverses the list_id
+associated with the semaphore set and removes the undo structures from
+both the list_id and list_proc lists.
+
+For this case, exit_sem() is called at process exit.  Each process
+contains a struct sem_undo_list (referred to as "ulp") which contains
+the head for the list_proc list.  When the process exits, exit_sem()
+traverses this list to remove each sem_undo struct.  As in freeary(),
+whenever a sem_undo struct is removed from list_proc, it is also removed
+from the list_id list.
+
+Removing elements from list_id is safe for both exit_sem() and freeary()
+due to sem_lock().  Removing elements from list_proc is not safe;
+freeary() locks &un->ulp->lock when it performs
+list_del_rcu(&un->list_proc) but exit_sem() does not (locking was
+removed by commit a97955844807 ("ipc,sem: remove uneeded sem_undo_list
+lock usage in exit_sem()").
+
+This can result in the following situation while executing the
+reproducer [1] : Consider a child process in exit_sem() and the parent
+in freeary() (because of semctl(sid[i], NSEM, IPC_RMID)).
+
+ - The list_proc for the child contains the last two undo structs A and
+   B (the rest have been removed either by exit_sem() or freeary()).
+
+ - The semid for A is 1 and semid for B is 2.
+
+ - exit_sem() removes A and at the same time freeary() removes B.
+
+ - Since A and B have different semid sem_lock() will acquire different
+   locks for each process and both can proceed.
+
+The bug is that they remove A and B from the same list_proc at the same
+time because only freeary() acquires the ulp lock. When exit_sem()
+removes A it makes ulp->list_proc.next to point at B and at the same
+time freeary() removes B setting B->semid=-1.
+
+At the next iteration of for(;;) loop exit_sem() will try to remove B.
+
+The only way to break from for(;;) is for (&un->list_proc ==
+&ulp->list_proc) to be true which is not. Then exit_sem() will check if
+B->semid=-1 which is and will continue looping in for(;;) until the
+memory for B is reallocated and the value at B->semid is changed.
+
+At that point, exit_sem() will crash attempting to unlink B from the
+lists (this can be easily triggered by running the reproducer [1] a
+second time).
+
+To prove this scenario instrumentation was added to keep information
+about each sem_undo (un) struct that is removed per process and per
+semaphore set (sma).
+
+          CPU0                                CPU1
+  [caller holds sem_lock(sma for A)]      ...
+  freeary()                               exit_sem()
+  ...                                     ...
+  ...                                     sem_lock(sma for B)
+  spin_lock(A->ulp->lock)                 ...
+  list_del_rcu(un_A->list_proc)           list_del_rcu(un_B->list_proc)
+
+Undo structures A and B have different semid and sem_lock() operations
+proceed.  However they belong to the same list_proc list and they are
+removed at the same time.  This results into ulp->list_proc.next
+pointing to the address of B which is already removed.
+
+After reverting commit a97955844807 ("ipc,sem: remove uneeded
+sem_undo_list lock usage in exit_sem()") the issue was no longer
+reproducible.
+
+[1] https://bugzilla.redhat.com/show_bug.cgi?id=1694779
+
+Link: http://lkml.kernel.org/r/20191211191318.11860-1-ioanna-maria.alifieraki@canonical.com
+Fixes: a97955844807 ("ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()")
+Signed-off-by: Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
+Acked-by: Manfred Spraul <manfred@colorfullife.com>
+Acked-by: Herton R. Krzesinski <herton@redhat.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: <malat@debian.org>
+Cc: Joel Fernandes (Google) <joel@joelfernandes.org>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Jay Vosburgh <jay.vosburgh@canonical.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ ipc/sem.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/ipc/sem.c
++++ b/ipc/sem.c
+@@ -2345,11 +2345,9 @@ void exit_sem(struct task_struct *tsk)
+               ipc_assert_locked_object(&sma->sem_perm);
+               list_del(&un->list_id);
+-              /* we are the last process using this ulp, acquiring ulp->lock
+-               * isn't required. Besides that, we are also protected against
+-               * IPC_RMID as we hold sma->sem_perm lock now
+-               */
++              spin_lock(&ulp->lock);
+               list_del_rcu(&un->list_proc);
++              spin_unlock(&ulp->lock);
+               /* perform adjustments registered in un */
+               for (i = 0; i < sma->sem_nsems; i++) {
diff --git a/queue-4.19/serdev-ttyport-restore-client-ops-on-deregistration.patch b/queue-4.19/serdev-ttyport-restore-client-ops-on-deregistration.patch
new file mode 100644 (file)
index 0000000..2cdf81e
--- /dev/null
@@ -0,0 +1,107 @@
+From 0c5aae59270fb1f827acce182786094c9ccf598e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 10 Feb 2020 15:57:30 +0100
+Subject: serdev: ttyport: restore client ops on deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 0c5aae59270fb1f827acce182786094c9ccf598e upstream.
+
+The serdev tty-port controller driver should reset the tty-port client
+operations also on deregistration to avoid a NULL-pointer dereference in
+case the port is later re-registered as a normal tty device.
+
+Note that this can only happen with tty drivers such as 8250 which have
+statically allocated port structures that can end up being reused and
+where a later registration would not register a serdev controller (e.g.
+due to registration errors or if the devicetree has been changed in
+between).
+
+Specifically, this can be an issue for any statically defined ports that
+would be registered by 8250 core when an 8250 driver is being unbound.
+
+Fixes: bed35c6dfa6a ("serdev: add a tty port controller driver")
+Cc: stable <stable@vger.kernel.org>     # 4.11
+Reported-by: Loic Poulain <loic.poulain@linaro.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20200210145730.22762-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serdev/serdev-ttyport.c |    6 ++----
+ drivers/tty/tty_port.c              |    5 +++--
+ include/linux/tty.h                 |    2 ++
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/tty/serdev/serdev-ttyport.c
++++ b/drivers/tty/serdev/serdev-ttyport.c
+@@ -265,7 +265,6 @@ struct device *serdev_tty_port_register(
+                                       struct device *parent,
+                                       struct tty_driver *drv, int idx)
+ {
+-      const struct tty_port_client_operations *old_ops;
+       struct serdev_controller *ctrl;
+       struct serport *serport;
+       int ret;
+@@ -284,7 +283,6 @@ struct device *serdev_tty_port_register(
+       ctrl->ops = &ctrl_ops;
+-      old_ops = port->client_ops;
+       port->client_ops = &client_ops;
+       port->client_data = ctrl;
+@@ -297,7 +295,7 @@ struct device *serdev_tty_port_register(
+ err_reset_data:
+       port->client_data = NULL;
+-      port->client_ops = old_ops;
++      port->client_ops = &tty_port_default_client_ops;
+       serdev_controller_put(ctrl);
+       return ERR_PTR(ret);
+@@ -312,8 +310,8 @@ int serdev_tty_port_unregister(struct tt
+               return -ENODEV;
+       serdev_controller_remove(ctrl);
+-      port->client_ops = NULL;
+       port->client_data = NULL;
++      port->client_ops = &tty_port_default_client_ops;
+       serdev_controller_put(ctrl);
+       return 0;
+--- a/drivers/tty/tty_port.c
++++ b/drivers/tty/tty_port.c
+@@ -52,10 +52,11 @@ static void tty_port_default_wakeup(stru
+       }
+ }
+-static const struct tty_port_client_operations default_client_ops = {
++const struct tty_port_client_operations tty_port_default_client_ops = {
+       .receive_buf = tty_port_default_receive_buf,
+       .write_wakeup = tty_port_default_wakeup,
+ };
++EXPORT_SYMBOL_GPL(tty_port_default_client_ops);
+ void tty_port_init(struct tty_port *port)
+ {
+@@ -68,7 +69,7 @@ void tty_port_init(struct tty_port *port
+       spin_lock_init(&port->lock);
+       port->close_delay = (50 * HZ) / 100;
+       port->closing_wait = (3000 * HZ) / 100;
+-      port->client_ops = &default_client_ops;
++      port->client_ops = &tty_port_default_client_ops;
+       kref_init(&port->kref);
+ }
+ EXPORT_SYMBOL(tty_port_init);
+--- a/include/linux/tty.h
++++ b/include/linux/tty.h
+@@ -225,6 +225,8 @@ struct tty_port_client_operations {
+       void (*write_wakeup)(struct tty_port *port);
+ };
++extern const struct tty_port_client_operations tty_port_default_client_ops;
++
+ struct tty_port {
+       struct tty_bufhead      buf;            /* Locked internally */
+       struct tty_struct       *tty;           /* Back pointer */
diff --git a/queue-4.19/serial-8250-check-upf_irq_shared-in-advance.patch b/queue-4.19/serial-8250-check-upf_irq_shared-in-advance.patch
new file mode 100644 (file)
index 0000000..9debf59
--- /dev/null
@@ -0,0 +1,128 @@
+From 7febbcbc48fc92e3f33863b32ed715ba4aff18c4 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Tue, 11 Feb 2020 15:55:59 +0200
+Subject: serial: 8250: Check UPF_IRQ_SHARED in advance
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 7febbcbc48fc92e3f33863b32ed715ba4aff18c4 upstream.
+
+The commit 54e53b2e8081
+  ("tty: serial: 8250: pass IRQ shared flag to UART ports")
+nicely explained the problem:
+
+---8<---8<---
+
+On some systems IRQ lines between multiple UARTs might be shared. If so, the
+irqflags have to be configured accordingly. The reason is: The 8250 port startup
+code performs IRQ tests *before* the IRQ handler for that particular port is
+registered. This is performed in serial8250_do_startup(). This function checks
+whether IRQF_SHARED is configured and only then disables the IRQ line while
+testing.
+
+This test is performed upon each open() of the UART device. Imagine two UARTs
+share the same IRQ line: On is already opened and the IRQ is active. When the
+second UART is opened, the IRQ line has to be disabled while performing IRQ
+tests. Otherwise an IRQ might handler might be invoked, but the IRQ itself
+cannot be handled, because the corresponding handler isn't registered,
+yet. That's because the 8250 code uses a chain-handler and invokes the
+corresponding port's IRQ handling routines himself.
+
+Unfortunately this IRQF_SHARED flag isn't configured for UARTs probed via device
+tree even if the IRQs are shared. This way, the actual and shared IRQ line isn't
+disabled while performing tests and the kernel correctly detects a spurious
+IRQ. So, adding this flag to the DT probe solves the issue.
+
+Note: The UPF_SHARE_IRQ flag is configured unconditionally. Therefore, the
+IRQF_SHARED flag can be set unconditionally as well.
+
+Example stack trace by performing `echo 1 > /dev/ttyS2` on a non-patched system:
+
+|irq 85: nobody cared (try booting with the "irqpoll" option)
+| [...]
+|handlers:
+|[<ffff0000080fc628>] irq_default_primary_handler threaded [<ffff00000855fbb8>] serial8250_interrupt
+|Disabling IRQ #85
+
+---8<---8<---
+
+But unfortunately didn't fix the root cause. Let's try again here by moving
+IRQ flag assignment from serial_link_irq_chain() to serial8250_do_startup().
+
+This should fix the similar issue reported for 8250_pnp case.
+
+Since this change we don't need to have custom solutions in 8250_aspeed_vuart
+and 8250_of drivers, thus, drop them.
+
+Fixes: 1c2f04937b3e ("serial: 8250: add IRQ trigger support")
+Reported-by: Li RongQing <lirongqing@baidu.com>
+Cc: Kurt Kanzenbach <kurt@linutronix.de>
+Cc: Vikram Pandita <vikram.pandita@ti.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Kurt Kanzenbach <kurt@linutronix.de>
+Link: https://lore.kernel.org/r/20200211135559.85960-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_aspeed_vuart.c |    1 -
+ drivers/tty/serial/8250/8250_core.c         |    5 ++---
+ drivers/tty/serial/8250/8250_of.c           |    1 -
+ drivers/tty/serial/8250/8250_port.c         |    4 ++++
+ 4 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_aspeed_vuart.c
++++ b/drivers/tty/serial/8250/8250_aspeed_vuart.c
+@@ -375,7 +375,6 @@ static int aspeed_vuart_probe(struct pla
+               port.port.line = rc;
+       port.port.irq = irq_of_parse_and_map(np, 0);
+-      port.port.irqflags = IRQF_SHARED;
+       port.port.handle_irq = aspeed_vuart_handle_irq;
+       port.port.iotype = UPIO_MEM;
+       port.port.type = PORT_16550A;
+--- a/drivers/tty/serial/8250/8250_core.c
++++ b/drivers/tty/serial/8250/8250_core.c
+@@ -177,7 +177,7 @@ static int serial_link_irq_chain(struct
+       struct hlist_head *h;
+       struct hlist_node *n;
+       struct irq_info *i;
+-      int ret, irq_flags = up->port.flags & UPF_SHARE_IRQ ? IRQF_SHARED : 0;
++      int ret;
+       mutex_lock(&hash_mutex);
+@@ -212,9 +212,8 @@ static int serial_link_irq_chain(struct
+               INIT_LIST_HEAD(&up->list);
+               i->head = &up->list;
+               spin_unlock_irq(&i->lock);
+-              irq_flags |= up->port.irqflags;
+               ret = request_irq(up->port.irq, serial8250_interrupt,
+-                                irq_flags, up->port.name, i);
++                                up->port.irqflags, up->port.name, i);
+               if (ret < 0)
+                       serial_do_unlink(i, up);
+       }
+--- a/drivers/tty/serial/8250/8250_of.c
++++ b/drivers/tty/serial/8250/8250_of.c
+@@ -171,7 +171,6 @@ static int of_platform_serial_setup(stru
+       port->type = type;
+       port->uartclk = clk;
+-      port->irqflags |= IRQF_SHARED;
+       if (of_property_read_bool(np, "no-loopback-test"))
+               port->flags |= UPF_SKIP_TEST;
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -2253,6 +2253,10 @@ int serial8250_do_startup(struct uart_po
+               }
+       }
++      /* Check if we need to have shared IRQs */
++      if (port->irq && (up->port.flags & UPF_SHARE_IRQ))
++              up->port.irqflags |= IRQF_SHARED;
++
+       if (port->irq && !(up->port.flags & UPF_NO_THRE_TEST)) {
+               unsigned char iir1;
+               /*
index 2be647efcebc17ee0a845dc20ff70fb6e419dfaf..4620e80df43c9b25a84ee626f891554a4dec9036 100644 (file)
@@ -32,3 +32,17 @@ staging-rtl8188eu-fix-potential-security-hole.patch
 staging-rtl8188eu-fix-potential-overuse-of-kernel-memory.patch
 staging-rtl8723bs-fix-potential-security-hole.patch
 staging-rtl8723bs-fix-potential-overuse-of-kernel-memory.patch
+powerpc-tm-fix-clearing-msr-in-current-when-reclaiming-on-signal-delivery.patch
+jbd2-fix-ocfs2-corrupt-when-clearing-block-group-bits.patch
+x86-mce-amd-publish-the-bank-pointer-only-after-setup-has-succeeded.patch
+x86-mce-amd-fix-kobject-lifetime.patch
+x86-cpu-amd-enable-the-fixed-instructions-retired-counter-irperf.patch
+serial-8250-check-upf_irq_shared-in-advance.patch
+tty-serial-atmel-manage-shutdown-in-case-of-rs485-or-iso7816-mode.patch
+tty-serial-imx-setup-the-correct-sg-entry-for-tx-dma.patch
+serdev-ttyport-restore-client-ops-on-deregistration.patch
+maintainers-update-drm-i915-bug-filing-url.patch
+revert-ipc-sem-remove-uneeded-sem_undo_list-lock-usage-in-exit_sem.patch
+mm-memcontrol.c-lost-css_put-in-memcg_expand_shrinker_maps.patch
+nvme-multipath-fix-memory-leak-with-ana_log_buf.patch
+genirq-irqdomain-make-sure-all-irq-domain-flags-are-distinct.patch
diff --git a/queue-4.19/tty-serial-atmel-manage-shutdown-in-case-of-rs485-or-iso7816-mode.patch b/queue-4.19/tty-serial-atmel-manage-shutdown-in-case-of-rs485-or-iso7816-mode.patch
new file mode 100644 (file)
index 0000000..da5f964
--- /dev/null
@@ -0,0 +1,36 @@
+From 04b5bfe3dc94e64d0590c54045815cb5183fb095 Mon Sep 17 00:00:00 2001
+From: Nicolas Ferre <nicolas.ferre@microchip.com>
+Date: Mon, 10 Feb 2020 16:20:53 +0100
+Subject: tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode
+
+From: Nicolas Ferre <nicolas.ferre@microchip.com>
+
+commit 04b5bfe3dc94e64d0590c54045815cb5183fb095 upstream.
+
+In atmel_shutdown() we call atmel_stop_rx() and atmel_stop_tx() functions.
+Prevent the rx restart that is implemented in RS485 or ISO7816 modes when
+calling atmel_stop_tx() by using the atomic information tasklet_shutdown
+that is already in place for this purpose.
+
+Fixes: 98f2082c3ac4 ("tty/serial: atmel: enforce tasklet init and termination sequences")
+Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200210152053.8289-1-nicolas.ferre@microchip.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/atmel_serial.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -490,7 +490,8 @@ static void atmel_stop_tx(struct uart_po
+       atmel_uart_writel(port, ATMEL_US_IDR, atmel_port->tx_done_mask);
+       if (atmel_uart_is_half_duplex(port))
+-              atmel_start_rx(port);
++              if (!atomic_read(&atmel_port->tasklet_shutdown))
++                      atmel_start_rx(port);
+ }
diff --git a/queue-4.19/tty-serial-imx-setup-the-correct-sg-entry-for-tx-dma.patch b/queue-4.19/tty-serial-imx-setup-the-correct-sg-entry-for-tx-dma.patch
new file mode 100644 (file)
index 0000000..47b85de
--- /dev/null
@@ -0,0 +1,110 @@
+From f76707831829530ffdd3888bebc108aecefccaa0 Mon Sep 17 00:00:00 2001
+From: Fugang Duan <fugang.duan@nxp.com>
+Date: Tue, 11 Feb 2020 14:16:01 +0800
+Subject: tty: serial: imx: setup the correct sg entry for tx dma
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fugang Duan <fugang.duan@nxp.com>
+
+commit f76707831829530ffdd3888bebc108aecefccaa0 upstream.
+
+There has oops as below happen on i.MX8MP EVK platform that has
+6G bytes DDR memory.
+
+when (xmit->tail < xmit->head) && (xmit->head == 0),
+it setups one sg entry with sg->length is zero:
+       sg_set_buf(sgl + 1, xmit->buf, xmit->head);
+
+if xmit->buf is allocated from >4G address space, and SDMA only
+support <4G address space, then dma_map_sg() will call swiotlb_map()
+to do bounce buffer copying and mapping.
+
+But swiotlb_map() don't allow sg entry's length is zero, otherwise
+report BUG_ON().
+
+So the patch is to correct the tx DMA scatter list.
+
+Oops:
+[  287.675715] kernel BUG at kernel/dma/swiotlb.c:497!
+[  287.680592] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+[  287.686075] Modules linked in:
+[  287.689133] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.3-00016-g3fdc4e0-dirty #10
+[  287.696872] Hardware name: FSL i.MX8MP EVK (DT)
+[  287.701402] pstate: 80000085 (Nzcv daIf -PAN -UAO)
+[  287.706199] pc : swiotlb_tbl_map_single+0x1fc/0x310
+[  287.711076] lr : swiotlb_map+0x60/0x148
+[  287.714909] sp : ffff800010003c00
+[  287.718221] x29: ffff800010003c00 x28: 0000000000000000
+[  287.723533] x27: 0000000000000040 x26: ffff800011ae0000
+[  287.728844] x25: ffff800011ae09f8 x24: 0000000000000000
+[  287.734155] x23: 00000001b7af9000 x22: 0000000000000000
+[  287.739465] x21: ffff000176409c10 x20: 00000000001f7ffe
+[  287.744776] x19: ffff000176409c10 x18: 000000000000002e
+[  287.750087] x17: 0000000000000000 x16: 0000000000000000
+[  287.755397] x15: 0000000000000000 x14: 0000000000000000
+[  287.760707] x13: ffff00017f334000 x12: 0000000000000001
+[  287.766018] x11: 00000000001fffff x10: 0000000000000000
+[  287.771328] x9 : 0000000000000003 x8 : 0000000000000000
+[  287.776638] x7 : 0000000000000000 x6 : 0000000000000000
+[  287.781949] x5 : 0000000000200000 x4 : 0000000000000000
+[  287.787259] x3 : 0000000000000001 x2 : 00000001b7af9000
+[  287.792570] x1 : 00000000fbfff000 x0 : 0000000000000000
+[  287.797881] Call trace:
+[  287.800328]  swiotlb_tbl_map_single+0x1fc/0x310
+[  287.804859]  swiotlb_map+0x60/0x148
+[  287.808347]  dma_direct_map_page+0xf0/0x130
+[  287.812530]  dma_direct_map_sg+0x78/0xe0
+[  287.816453]  imx_uart_dma_tx+0x134/0x2f8
+[  287.820374]  imx_uart_dma_tx_callback+0xd8/0x168
+[  287.824992]  vchan_complete+0x194/0x200
+[  287.828828]  tasklet_action_common.isra.0+0x154/0x1a0
+[  287.833879]  tasklet_action+0x24/0x30
+[  287.837540]  __do_softirq+0x120/0x23c
+[  287.841202]  irq_exit+0xb8/0xd8
+[  287.844343]  __handle_domain_irq+0x64/0xb8
+[  287.848438]  gic_handle_irq+0x5c/0x148
+[  287.852185]  el1_irq+0xb8/0x180
+[  287.855327]  cpuidle_enter_state+0x84/0x360
+[  287.859508]  cpuidle_enter+0x34/0x48
+[  287.863083]  call_cpuidle+0x18/0x38
+[  287.866571]  do_idle+0x1e0/0x280
+[  287.869798]  cpu_startup_entry+0x20/0x40
+[  287.873721]  rest_init+0xd4/0xe0
+[  287.876949]  arch_call_rest_init+0xc/0x14
+[  287.880958]  start_kernel+0x420/0x44c
+[  287.884622] Code: 9124c021 9417aff8 a94363f7 17ffffd5 (d4210000)
+[  287.890718] ---[ end trace 5bc44c4ab6b009ce ]---
+[  287.895334] Kernel panic - not syncing: Fatal exception in interrupt
+[  287.901686] SMP: stopping secondary CPUs
+[  288.905607] SMP: failed to stop secondary CPUs 0-1
+[  288.910395] Kernel Offset: disabled
+[  288.913882] CPU features: 0x0002,2000200c
+[  288.917888] Memory Limit: none
+[  288.920944] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
+
+Reported-by: Eagle Zhou <eagle.zhou@nxp.com>
+Tested-by: Eagle Zhou <eagle.zhou@nxp.com>
+Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
+Cc: stable <stable@vger.kernel.org>
+Fixes: 7942f8577f2a ("serial: imx: TX DMA: clean up sg initialization")
+Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/1581401761-6378-1-git-send-email-fugang.duan@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/imx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -608,7 +608,7 @@ static void imx_uart_dma_tx(struct imx_p
+       sport->tx_bytes = uart_circ_chars_pending(xmit);
+-      if (xmit->tail < xmit->head) {
++      if (xmit->tail < xmit->head || xmit->head == 0) {
+               sport->dma_tx_nents = 1;
+               sg_init_one(sgl, xmit->buf + xmit->tail, sport->tx_bytes);
+       } else {
diff --git a/queue-4.19/x86-cpu-amd-enable-the-fixed-instructions-retired-counter-irperf.patch b/queue-4.19/x86-cpu-amd-enable-the-fixed-instructions-retired-counter-irperf.patch
new file mode 100644 (file)
index 0000000..209b1f3
--- /dev/null
@@ -0,0 +1,113 @@
+From 21b5ee59ef18e27d85810584caf1f7ddc705ea83 Mon Sep 17 00:00:00 2001
+From: Kim Phillips <kim.phillips@amd.com>
+Date: Wed, 19 Feb 2020 18:52:43 +0100
+Subject: x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF
+
+From: Kim Phillips <kim.phillips@amd.com>
+
+commit 21b5ee59ef18e27d85810584caf1f7ddc705ea83 upstream.
+
+Commit
+
+  aaf248848db50 ("perf/x86/msr: Add AMD IRPERF (Instructions Retired)
+                 performance counter")
+
+added support for access to the free-running counter via 'perf -e
+msr/irperf/', but when exercised, it always returns a 0 count:
+
+BEFORE:
+
+  $ perf stat -e instructions,msr/irperf/ true
+
+   Performance counter stats for 'true':
+
+             624,833      instructions
+                   0      msr/irperf/
+
+Simply set its enable bit - HWCR bit 30 - to make it start counting.
+
+Enablement is restricted to all machines advertising IRPERF capability,
+except those susceptible to an erratum that makes the IRPERF return
+bad values.
+
+That erratum occurs in Family 17h models 00-1fh [1], but not in F17h
+models 20h and above [2].
+
+AFTER (on a family 17h model 31h machine):
+
+  $ perf stat -e instructions,msr/irperf/ true
+
+   Performance counter stats for 'true':
+
+             621,690      instructions
+             622,490      msr/irperf/
+
+[1] Revision Guide for AMD Family 17h Models 00h-0Fh Processors
+[2] Revision Guide for AMD Family 17h Models 30h-3Fh Processors
+
+The revision guides are available from the bugzilla Link below.
+
+ [ bp: Massage commit message. ]
+
+Fixes: aaf248848db50 ("perf/x86/msr: Add AMD IRPERF (Instructions Retired) performance counter")
+Signed-off-by: Kim Phillips <kim.phillips@amd.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537
+Link: http://lkml.kernel.org/r/20200214201805.13830-1-kim.phillips@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/msr-index.h |    2 ++
+ arch/x86/kernel/cpu/amd.c        |   14 ++++++++++++++
+ 2 files changed, 16 insertions(+)
+
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -455,6 +455,8 @@
+ #define MSR_K7_HWCR                   0xc0010015
+ #define MSR_K7_HWCR_SMMLOCK_BIT               0
+ #define MSR_K7_HWCR_SMMLOCK           BIT_ULL(MSR_K7_HWCR_SMMLOCK_BIT)
++#define MSR_K7_HWCR_IRPERF_EN_BIT     30
++#define MSR_K7_HWCR_IRPERF_EN         BIT_ULL(MSR_K7_HWCR_IRPERF_EN_BIT)
+ #define MSR_K7_FID_VID_CTL            0xc0010041
+ #define MSR_K7_FID_VID_STATUS         0xc0010042
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -25,6 +25,7 @@
+ static const int amd_erratum_383[];
+ static const int amd_erratum_400[];
++static const int amd_erratum_1054[];
+ static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum);
+ /*
+@@ -983,6 +984,15 @@ static void init_amd(struct cpuinfo_x86
+       /* AMD CPUs don't reset SS attributes on SYSRET, Xen does. */
+       if (!cpu_has(c, X86_FEATURE_XENPV))
+               set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
++
++      /*
++       * Turn on the Instructions Retired free counter on machines not
++       * susceptible to erratum #1054 "Instructions Retired Performance
++       * Counter May Be Inaccurate".
++       */
++      if (cpu_has(c, X86_FEATURE_IRPERF) &&
++          !cpu_has_amd_erratum(c, amd_erratum_1054))
++              msr_set_bit(MSR_K7_HWCR, MSR_K7_HWCR_IRPERF_EN_BIT);
+ }
+ #ifdef CONFIG_X86_32
+@@ -1110,6 +1120,10 @@ static const int amd_erratum_400[] =
+ static const int amd_erratum_383[] =
+       AMD_OSVW_ERRATUM(3, AMD_MODEL_RANGE(0x10, 0, 0, 0xff, 0xf));
++/* #1054: Instructions Retired Performance Counter May Be Inaccurate */
++static const int amd_erratum_1054[] =
++      AMD_OSVW_ERRATUM(0, AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf));
++
+ static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum)
+ {
diff --git a/queue-4.19/x86-mce-amd-fix-kobject-lifetime.patch b/queue-4.19/x86-mce-amd-fix-kobject-lifetime.patch
new file mode 100644 (file)
index 0000000..25698e0
--- /dev/null
@@ -0,0 +1,87 @@
+From 51dede9c05df2b78acd6dcf6a17d21f0877d2d7b Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Thu, 13 Feb 2020 19:01:34 +0100
+Subject: x86/mce/amd: Fix kobject lifetime
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 51dede9c05df2b78acd6dcf6a17d21f0877d2d7b upstream.
+
+Accessing the MCA thresholding controls in sysfs concurrently with CPU
+hotplug can lead to a couple of KASAN-reported issues:
+
+  BUG: KASAN: use-after-free in sysfs_file_ops+0x155/0x180
+  Read of size 8 at addr ffff888367578940 by task grep/4019
+
+and
+
+  BUG: KASAN: use-after-free in show_error_count+0x15c/0x180
+  Read of size 2 at addr ffff888368a05514 by task grep/4454
+
+for example. Both result from the fact that the threshold block
+creation/teardown code frees the descriptor memory itself instead of
+defining proper ->release function and leaving it to the driver core to
+take care of that, after all sysfs accesses have completed.
+
+Do that and get rid of the custom freeing code, fixing the above UAFs in
+the process.
+
+  [ bp: write commit message. ]
+
+Fixes: 95268664390b ("[PATCH] x86_64: mce_amd support for family 0x10 processors")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20200214082801.13836-1-bp@alien8.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/mcheck/mce_amd.c |   17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c
++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
+@@ -1117,9 +1117,12 @@ static const struct sysfs_ops threshold_
+       .store                  = store,
+ };
++static void threshold_block_release(struct kobject *kobj);
++
+ static struct kobj_type threshold_ktype = {
+       .sysfs_ops              = &threshold_ops,
+       .default_attrs          = default_attrs,
++      .release                = threshold_block_release,
+ };
+ static const char *get_name(unsigned int bank, struct threshold_block *b)
+@@ -1321,8 +1324,12 @@ static int threshold_create_bank(unsigne
+       return err;
+ }
+-static void deallocate_threshold_block(unsigned int cpu,
+-                                               unsigned int bank)
++static void threshold_block_release(struct kobject *kobj)
++{
++      kfree(to_block(kobj));
++}
++
++static void deallocate_threshold_block(unsigned int cpu, unsigned int bank)
+ {
+       struct threshold_block *pos = NULL;
+       struct threshold_block *tmp = NULL;
+@@ -1332,13 +1339,11 @@ static void deallocate_threshold_block(u
+               return;
+       list_for_each_entry_safe(pos, tmp, &head->blocks->miscj, miscj) {
+-              kobject_put(&pos->kobj);
+               list_del(&pos->miscj);
+-              kfree(pos);
++              kobject_put(&pos->kobj);
+       }
+-      kfree(per_cpu(threshold_banks, cpu)[bank]->blocks);
+-      per_cpu(threshold_banks, cpu)[bank]->blocks = NULL;
++      kobject_put(&head->blocks->kobj);
+ }
+ static void __threshold_remove_blocks(struct threshold_bank *b)
diff --git a/queue-4.19/x86-mce-amd-publish-the-bank-pointer-only-after-setup-has-succeeded.patch b/queue-4.19/x86-mce-amd-publish-the-bank-pointer-only-after-setup-has-succeeded.patch
new file mode 100644 (file)
index 0000000..9a20937
--- /dev/null
@@ -0,0 +1,104 @@
+From 6e5cf31fbe651bed7ba1df768f2e123531132417 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Tue, 4 Feb 2020 13:28:41 +0100
+Subject: x86/mce/amd: Publish the bank pointer only after setup has succeeded
+
+From: Borislav Petkov <bp@suse.de>
+
+commit 6e5cf31fbe651bed7ba1df768f2e123531132417 upstream.
+
+threshold_create_bank() creates a bank descriptor per MCA error
+thresholding counter which can be controlled over sysfs. It publishes
+the pointer to that bank in a per-CPU variable and then goes on to
+create additional thresholding blocks if the bank has such.
+
+However, that creation of additional blocks in
+allocate_threshold_blocks() can fail, leading to a use-after-free
+through the per-CPU pointer.
+
+Therefore, publish that pointer only after all blocks have been setup
+successfully.
+
+Fixes: 019f34fccfd5 ("x86, MCE, AMD: Move shared bank to node descriptor")
+Reported-by: Saar Amar <Saar.Amar@microsoft.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20200128140846.phctkvx5btiexvbx@kili.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/mcheck/mce_amd.c |   33 ++++++++++++++++-----------------
+ 1 file changed, 16 insertions(+), 17 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c
++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
+@@ -1152,8 +1152,9 @@ static const char *get_name(unsigned int
+       return buf_mcatype;
+ }
+-static int allocate_threshold_blocks(unsigned int cpu, unsigned int bank,
+-                                   unsigned int block, u32 address)
++static int allocate_threshold_blocks(unsigned int cpu, struct threshold_bank *tb,
++                                   unsigned int bank, unsigned int block,
++                                   u32 address)
+ {
+       struct threshold_block *b = NULL;
+       u32 low, high;
+@@ -1197,16 +1198,12 @@ static int allocate_threshold_blocks(uns
+       INIT_LIST_HEAD(&b->miscj);
+-      if (per_cpu(threshold_banks, cpu)[bank]->blocks) {
+-              list_add(&b->miscj,
+-                       &per_cpu(threshold_banks, cpu)[bank]->blocks->miscj);
+-      } else {
+-              per_cpu(threshold_banks, cpu)[bank]->blocks = b;
+-      }
++      if (tb->blocks)
++              list_add(&b->miscj, &tb->blocks->miscj);
++      else
++              tb->blocks = b;
+-      err = kobject_init_and_add(&b->kobj, &threshold_ktype,
+-                                 per_cpu(threshold_banks, cpu)[bank]->kobj,
+-                                 get_name(bank, b));
++      err = kobject_init_and_add(&b->kobj, &threshold_ktype, tb->kobj, get_name(bank, b));
+       if (err)
+               goto out_free;
+ recurse:
+@@ -1214,7 +1211,7 @@ recurse:
+       if (!address)
+               return 0;
+-      err = allocate_threshold_blocks(cpu, bank, block, address);
++      err = allocate_threshold_blocks(cpu, tb, bank, block, address);
+       if (err)
+               goto out_free;
+@@ -1299,8 +1296,6 @@ static int threshold_create_bank(unsigne
+               goto out_free;
+       }
+-      per_cpu(threshold_banks, cpu)[bank] = b;
+-
+       if (is_shared_bank(bank)) {
+               refcount_set(&b->cpus, 1);
+@@ -1311,9 +1306,13 @@ static int threshold_create_bank(unsigne
+               }
+       }
+-      err = allocate_threshold_blocks(cpu, bank, 0, msr_ops.misc(bank));
+-      if (!err)
+-              goto out;
++      err = allocate_threshold_blocks(cpu, b, bank, 0, msr_ops.misc(bank));
++      if (err)
++              goto out_free;
++
++      per_cpu(threshold_banks, cpu)[bank] = b;
++
++      return 0;
+  out_free:
+       kfree(b);