--- /dev/null
+From e26cc08265dda37d2acc8394604f220ef412299d Mon Sep 17 00:00:00 2001
+From: zhengbin <zhengbin13@huawei.com>
+Date: Mon, 12 Aug 2019 20:36:55 +0800
+Subject: blk-mq: move cancel of requeue_work to the front of blk_exit_queue
+
+From: zhengbin <zhengbin13@huawei.com>
+
+commit e26cc08265dda37d2acc8394604f220ef412299d upstream.
+
+blk_exit_queue will free elevator_data, while blk_mq_requeue_work
+will access it. Move cancel of requeue_work to the front of
+blk_exit_queue to avoid use-after-free.
+
+blk_exit_queue blk_mq_requeue_work
+ __elevator_exit blk_mq_run_hw_queues
+ blk_mq_exit_sched blk_mq_run_hw_queue
+ dd_exit_queue blk_mq_hctx_has_pending
+ kfree(elevator_data) blk_mq_sched_has_work
+ dd_has_work
+
+Fixes: fbc2a15e3433 ("blk-mq: move cancel of requeue_work into blk_mq_release")
+Cc: stable@vger.kernel.org
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: zhengbin <zhengbin13@huawei.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-mq.c | 2 --
+ block/blk-sysfs.c | 3 +++
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -2674,8 +2674,6 @@ void blk_mq_release(struct request_queue
+ struct blk_mq_hw_ctx *hctx, *next;
+ int i;
+
+- cancel_delayed_work_sync(&q->requeue_work);
+-
+ queue_for_each_hw_ctx(q, hctx, i)
+ WARN_ON_ONCE(hctx && list_empty(&hctx->hctx_list));
+
+--- a/block/blk-sysfs.c
++++ b/block/blk-sysfs.c
+@@ -892,6 +892,9 @@ static void __blk_release_queue(struct w
+
+ blk_free_queue_stats(q->stats);
+
++ if (queue_is_mq(q))
++ cancel_delayed_work_sync(&q->requeue_work);
++
+ blk_exit_queue(q);
+
+ blk_queue_free_zone_bitmaps(q);
--- /dev/null
+From 99c79f6692ccdc42e04deea8a36e22bb48168a62 Mon Sep 17 00:00:00 2001
+From: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
+Date: Thu, 15 Aug 2019 14:03:22 +0200
+Subject: io_uring: fix manual setup of iov_iter for fixed buffers
+
+From: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
+
+commit 99c79f6692ccdc42e04deea8a36e22bb48168a62 upstream.
+
+Commit bd11b3a391e3 ("io_uring: don't use iov_iter_advance() for fixed
+buffers") introduced an optimization to avoid using the slow
+iov_iter_advance by manually populating the iov_iter iterator in some
+cases.
+
+However, the computation of the iterator count field was erroneous: The
+first bvec was always accounted for an extent of page size even if the
+bvec length was smaller.
+
+In consequence, some I/O operations on fixed buffers were unable to
+operate on the full extent of the buffer, consistently skipping some
+bytes at the end of it.
+
+Fixes: bd11b3a391e3 ("io_uring: don't use iov_iter_advance() for fixed buffers")
+Cc: stable@vger.kernel.org
+Signed-off-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/io_uring.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -1032,10 +1032,8 @@ static int io_import_fixed(struct io_rin
+
+ iter->bvec = bvec + seg_skip;
+ iter->nr_segs -= seg_skip;
+- iter->count -= (seg_skip << PAGE_SHIFT);
++ iter->count -= bvec->bv_len + offset;
+ iter->iov_offset = offset & ~PAGE_MASK;
+- if (iter->iov_offset)
+- iter->count -= iter->iov_offset;
+ }
+ }
+
--- /dev/null
+From e8c220fac415d9f4a994b0c2871b835feac1eb4e Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Thu, 8 Aug 2019 18:01:36 -0300
+Subject: Revert "i2c: imx: improve the error handling in i2c_imx_dma_request()"
+
+From: Fabio Estevam <festevam@gmail.com>
+
+commit e8c220fac415d9f4a994b0c2871b835feac1eb4e upstream.
+
+Since commit e1ab9a468e3b ("i2c: imx: improve the error handling in
+i2c_imx_dma_request()") when booting with the DMA driver as module (such
+as CONFIG_FSL_EDMA=m) the following endless clk warnings are seen:
+
+[ 153.077831] ------------[ cut here ]------------
+[ 153.082528] WARNING: CPU: 0 PID: 15 at drivers/clk/clk.c:924 clk_core_disable_lock+0x18/0x24
+[ 153.093077] i2c0 already disabled
+[ 153.096416] Modules linked in:
+[ 153.099521] CPU: 0 PID: 15 Comm: kworker/0:1 Tainted: G W 5.2.0+ #321
+[ 153.107290] Hardware name: Freescale Vybrid VF5xx/VF6xx (Device Tree)
+[ 153.113772] Workqueue: events deferred_probe_work_func
+[ 153.118979] [<c0019560>] (unwind_backtrace) from [<c0014734>] (show_stack+0x10/0x14)
+[ 153.126778] [<c0014734>] (show_stack) from [<c083f8dc>] (dump_stack+0x9c/0xd4)
+[ 153.134051] [<c083f8dc>] (dump_stack) from [<c0031154>] (__warn+0xf8/0x124)
+[ 153.141056] [<c0031154>] (__warn) from [<c0031248>] (warn_slowpath_fmt+0x38/0x48)
+[ 153.148580] [<c0031248>] (warn_slowpath_fmt) from [<c040fde0>] (clk_core_disable_lock+0x18/0x24)
+[ 153.157413] [<c040fde0>] (clk_core_disable_lock) from [<c058f520>] (i2c_imx_probe+0x554/0x6ec)
+[ 153.166076] [<c058f520>] (i2c_imx_probe) from [<c04b9178>] (platform_drv_probe+0x48/0x98)
+[ 153.174297] [<c04b9178>] (platform_drv_probe) from [<c04b7298>] (really_probe+0x1d8/0x2c0)
+[ 153.182605] [<c04b7298>] (really_probe) from [<c04b7554>] (driver_probe_device+0x5c/0x174)
+[ 153.190909] [<c04b7554>] (driver_probe_device) from [<c04b58c8>] (bus_for_each_drv+0x44/0x8c)
+[ 153.199480] [<c04b58c8>] (bus_for_each_drv) from [<c04b746c>] (__device_attach+0xa0/0x108)
+[ 153.207782] [<c04b746c>] (__device_attach) from [<c04b65a4>] (bus_probe_device+0x88/0x90)
+[ 153.215999] [<c04b65a4>] (bus_probe_device) from [<c04b6a04>] (deferred_probe_work_func+0x60/0x90)
+[ 153.225003] [<c04b6a04>] (deferred_probe_work_func) from [<c004f190>] (process_one_work+0x204/0x634)
+[ 153.234178] [<c004f190>] (process_one_work) from [<c004f618>] (worker_thread+0x20/0x484)
+[ 153.242315] [<c004f618>] (worker_thread) from [<c0055c2c>] (kthread+0x118/0x150)
+[ 153.249758] [<c0055c2c>] (kthread) from [<c00090b4>] (ret_from_fork+0x14/0x20)
+[ 153.257006] Exception stack(0xdde43fb0 to 0xdde43ff8)
+[ 153.262095] 3fa0: 00000000 00000000 00000000 00000000
+[ 153.270306] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[ 153.278520] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+[ 153.285159] irq event stamp: 3323022
+[ 153.288787] hardirqs last enabled at (3323021): [<c0861c4c>] _raw_spin_unlock_irq+0x24/0x2c
+[ 153.297261] hardirqs last disabled at (3323022): [<c040d7a0>] clk_enable_lock+0x10/0x124
+[ 153.305392] softirqs last enabled at (3322092): [<c000a504>] __do_softirq+0x344/0x540
+[ 153.313352] softirqs last disabled at (3322081): [<c00385c0>] irq_exit+0x10c/0x128
+[ 153.320946] ---[ end trace a506731ccd9bd703 ]---
+
+This endless clk warnings behaviour is well explained by Andrey Smirnov:
+
+"Allocating DMA after registering I2C adapter can lead to infinite
+probing loop, for example, consider the following scenario:
+
+ 1. i2c_imx_probe() is called and successfully registers an I2C
+ adapter via i2c_add_numbered_adapter()
+
+ 2. As a part of i2c_add_numbered_adapter() new I2C slave devices
+ are added from DT which results in a call to
+ driver_deferred_probe_trigger()
+
+ 3. i2c_imx_probe() continues and calls i2c_imx_dma_request() which
+ due to lack of proper DMA driver returns -EPROBE_DEFER
+
+ 4. i2c_imx_probe() fails, removes I2C adapter and returns
+ -EPROBE_DEFER, which places it into deferred probe list
+
+ 5. Deferred probe work triggered in #2 above kicks in and calls
+ i2c_imx_probe() again thus bringing us to step #1"
+
+So revert commit e1ab9a468e3b ("i2c: imx: improve the error handling in
+i2c_imx_dma_request()") and restore the old behaviour, in order to
+avoid regressions on existing setups.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: Andrey Smirnov <andrew.smirnov@gmail.com>
+Reported-by: Russell King <linux@armlinux.org.uk>
+Fixes: e1ab9a468e3b ("i2c: imx: improve the error handling in i2c_imx_dma_request()")
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-imx.c | 18 ++++++------------
+ 1 file changed, 6 insertions(+), 12 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-imx.c
++++ b/drivers/i2c/busses/i2c-imx.c
+@@ -273,8 +273,8 @@ static inline unsigned char imx_i2c_read
+ }
+
+ /* Functions for DMA support */
+-static int i2c_imx_dma_request(struct imx_i2c_struct *i2c_imx,
+- dma_addr_t phy_addr)
++static void i2c_imx_dma_request(struct imx_i2c_struct *i2c_imx,
++ dma_addr_t phy_addr)
+ {
+ struct imx_i2c_dma *dma;
+ struct dma_slave_config dma_sconfig;
+@@ -283,7 +283,7 @@ static int i2c_imx_dma_request(struct im
+
+ dma = devm_kzalloc(dev, sizeof(*dma), GFP_KERNEL);
+ if (!dma)
+- return -ENOMEM;
++ return;
+
+ dma->chan_tx = dma_request_chan(dev, "tx");
+ if (IS_ERR(dma->chan_tx)) {
+@@ -328,7 +328,7 @@ static int i2c_imx_dma_request(struct im
+ dev_info(dev, "using %s (tx) and %s (rx) for DMA transfers\n",
+ dma_chan_name(dma->chan_tx), dma_chan_name(dma->chan_rx));
+
+- return 0;
++ return;
+
+ fail_rx:
+ dma_release_channel(dma->chan_rx);
+@@ -336,8 +336,6 @@ fail_tx:
+ dma_release_channel(dma->chan_tx);
+ fail_al:
+ devm_kfree(dev, dma);
+- /* return successfully if there is no dma support */
+- return ret == -ENODEV ? 0 : ret;
+ }
+
+ static void i2c_imx_dma_callback(void *arg)
+@@ -1165,17 +1163,13 @@ static int i2c_imx_probe(struct platform
+ dev_dbg(&i2c_imx->adapter.dev, "device resources: %pR\n", res);
+ dev_dbg(&i2c_imx->adapter.dev, "adapter name: \"%s\"\n",
+ i2c_imx->adapter.name);
++ dev_info(&i2c_imx->adapter.dev, "IMX I2C adapter registered\n");
+
+ /* Init DMA config if supported */
+- ret = i2c_imx_dma_request(i2c_imx, phy_addr);
+- if (ret < 0)
+- goto del_adapter;
++ i2c_imx_dma_request(i2c_imx, phy_addr);
+
+- dev_info(&i2c_imx->adapter.dev, "IMX I2C adapter registered\n");
+ return 0; /* Return OK */
+
+-del_adapter:
+- i2c_del_adapter(&i2c_imx->adapter);
+ clk_notifier_unregister:
+ clk_notifier_unregister(i2c_imx->clk, &i2c_imx->clk_change_nb);
+ rpm_disable:
--- /dev/null
+From 8ac71d7e46b94a4fc8ffc6f1c88004cdf24459e8 Mon Sep 17 00:00:00 2001
+From: Vincent Chen <vincent.chen@sifive.com>
+Date: Wed, 14 Aug 2019 16:23:52 +0800
+Subject: riscv: Correct the initialized flow of FP register
+
+From: Vincent Chen <vincent.chen@sifive.com>
+
+commit 8ac71d7e46b94a4fc8ffc6f1c88004cdf24459e8 upstream.
+
+ The following two reasons cause FP registers are sometimes not
+initialized before starting the user program.
+1. Currently, the FP context is initialized in flush_thread() function
+ and we expect these initial values to be restored to FP register when
+ doing FP context switch. However, the FP context switch only occurs in
+ switch_to function. Hence, if this process does not be scheduled out
+ and scheduled in before entering the user space, the FP registers
+ have no chance to initialize.
+2. In flush_thread(), the state of reg->sstatus.FS inherits from the
+ parent. Hence, the state of reg->sstatus.FS may be dirty. If this
+ process is scheduled out during flush_thread() and initializing the
+ FP register, the fstate_save() in switch_to will corrupt the FP context
+ which has been initialized until flush_thread().
+
+ To solve the 1st case, the initialization of the FP register will be
+completed in start_thread(). It makes sure all FP registers are initialized
+before starting the user program. For the 2nd case, the state of
+reg->sstatus.FS in start_thread will be set to SR_FS_OFF to prevent this
+process from corrupting FP context in doing context save. The FP state is
+set to SR_FS_INITIAL in start_trhead().
+
+Signed-off-by: Vincent Chen <vincent.chen@sifive.com>
+Reviewed-by: Anup Patel <anup@brainfault.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Fixes: 7db91e57a0acd ("RISC-V: Task implementation")
+Cc: stable@vger.kernel.org
+[paul.walmsley@sifive.com: fixed brace alignment issue reported by
+ checkpatch]
+Signed-off-by: Paul Walmsley <paul.walmsley@sifive.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/riscv/include/asm/switch_to.h | 6 ++++++
+ arch/riscv/kernel/process.c | 11 +++++++++--
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/arch/riscv/include/asm/switch_to.h
++++ b/arch/riscv/include/asm/switch_to.h
+@@ -19,6 +19,12 @@ static inline void __fstate_clean(struct
+ regs->sstatus |= (regs->sstatus & ~(SR_FS)) | SR_FS_CLEAN;
+ }
+
++static inline void fstate_off(struct task_struct *task,
++ struct pt_regs *regs)
++{
++ regs->sstatus = (regs->sstatus & ~SR_FS) | SR_FS_OFF;
++}
++
+ static inline void fstate_save(struct task_struct *task,
+ struct pt_regs *regs)
+ {
+--- a/arch/riscv/kernel/process.c
++++ b/arch/riscv/kernel/process.c
+@@ -64,8 +64,14 @@ void start_thread(struct pt_regs *regs,
+ unsigned long sp)
+ {
+ regs->sstatus = SR_SPIE;
+- if (has_fpu)
++ if (has_fpu) {
+ regs->sstatus |= SR_FS_INITIAL;
++ /*
++ * Restore the initial value to the FP register
++ * before starting the user program.
++ */
++ fstate_restore(current, regs);
++ }
+ regs->sepc = pc;
+ regs->sp = sp;
+ set_fs(USER_DS);
+@@ -75,10 +81,11 @@ void flush_thread(void)
+ {
+ #ifdef CONFIG_FPU
+ /*
+- * Reset FPU context
++ * Reset FPU state and context
+ * frm: round to nearest, ties to even (IEEE default)
+ * fflags: accrued exceptions cleared
+ */
++ fstate_off(current, task_pt_regs(current));
+ memset(¤t->thread.fstate, 0, sizeof(current->thread.fstate));
+ #endif
+ }
--- /dev/null
+From 69703eb9a8ae28a46cd5bce7d69ceeef6273a104 Mon Sep 17 00:00:00 2001
+From: Vincent Chen <vincent.chen@sifive.com>
+Date: Wed, 14 Aug 2019 16:23:53 +0800
+Subject: riscv: Make __fstate_clean() work correctly.
+
+From: Vincent Chen <vincent.chen@sifive.com>
+
+commit 69703eb9a8ae28a46cd5bce7d69ceeef6273a104 upstream.
+
+Make the __fstate_clean() function correctly set the
+state of sstatus.FS in pt_regs to SR_FS_CLEAN.
+
+Fixes: 7db91e57a0acd ("RISC-V: Task implementation")
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Vincent Chen <vincent.chen@sifive.com>
+Reviewed-by: Anup Patel <anup@brainfault.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+[paul.walmsley@sifive.com: expanded "Fixes" commit ID]
+Signed-off-by: Paul Walmsley <paul.walmsley@sifive.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/riscv/include/asm/switch_to.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/riscv/include/asm/switch_to.h
++++ b/arch/riscv/include/asm/switch_to.h
+@@ -16,7 +16,7 @@ extern void __fstate_restore(struct task
+
+ static inline void __fstate_clean(struct pt_regs *regs)
+ {
+- regs->sstatus |= (regs->sstatus & ~(SR_FS)) | SR_FS_CLEAN;
++ regs->sstatus = (regs->sstatus & ~SR_FS) | SR_FS_CLEAN;
+ }
+
+ static inline void fstate_off(struct task_struct *task,
net-usb-pegasus-fix-improper-read-if-get_registers-fail.patch
bpf-fix-access-to-skb_shared_info-gso_segs.patch
netfilter-ebtables-also-count-base-chain-policies.patch
+riscv-correct-the-initialized-flow-of-fp-register.patch
+riscv-make-__fstate_clean-work-correctly.patch
+revert-i2c-imx-improve-the-error-handling-in-i2c_imx_dma_request.patch
+blk-mq-move-cancel-of-requeue_work-to-the-front-of-blk_exit_queue.patch
+io_uring-fix-manual-setup-of-iov_iter-for-fixed-buffers.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
