--- /dev/null
+From 9ea61cac0b1ad0c09022f39fd97e9b99a2cfc2dc Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Thu, 17 Nov 2016 11:24:20 -0800
+Subject: dm bufio: avoid sleeping while holding the dm_bufio lock
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit 9ea61cac0b1ad0c09022f39fd97e9b99a2cfc2dc upstream.
+
+We've seen in-field reports showing _lots_ (18 in one case, 41 in
+another) of tasks all sitting there blocked on:
+
+ mutex_lock+0x4c/0x68
+ dm_bufio_shrink_count+0x38/0x78
+ shrink_slab.part.54.constprop.65+0x100/0x464
+ shrink_zone+0xa8/0x198
+
+In the two cases analyzed, we see one task that looks like this:
+
+ Workqueue: kverityd verity_prefetch_io
+
+ __switch_to+0x9c/0xa8
+ __schedule+0x440/0x6d8
+ schedule+0x94/0xb4
+ schedule_timeout+0x204/0x27c
+ schedule_timeout_uninterruptible+0x44/0x50
+ wait_iff_congested+0x9c/0x1f0
+ shrink_inactive_list+0x3a0/0x4cc
+ shrink_lruvec+0x418/0x5cc
+ shrink_zone+0x88/0x198
+ try_to_free_pages+0x51c/0x588
+ __alloc_pages_nodemask+0x648/0xa88
+ __get_free_pages+0x34/0x7c
+ alloc_buffer+0xa4/0x144
+ __bufio_new+0x84/0x278
+ dm_bufio_prefetch+0x9c/0x154
+ verity_prefetch_io+0xe8/0x10c
+ process_one_work+0x240/0x424
+ worker_thread+0x2fc/0x424
+ kthread+0x10c/0x114
+
+...and that looks to be the one holding the mutex.
+
+The problem has been reproduced on fairly easily:
+0. Be running Chrome OS w/ verity enabled on the root filesystem
+1. Pick test patch: http://crosreview.com/412360
+2. Install launchBalloons.sh and balloon.arm from
+ http://crbug.com/468342
+ ...that's just a memory stress test app.
+3. On a 4GB rk3399 machine, run
+ nice ./launchBalloons.sh 4 900 100000
+ ...that tries to eat 4 * 900 MB of memory and keep accessing.
+4. Login to the Chrome web browser and restore many tabs
+
+With that, I've seen printouts like:
+ DOUG: long bufio 90758 ms
+...and stack trace always show's we're in dm_bufio_prefetch().
+
+The problem is that we try to allocate memory with GFP_NOIO while
+we're holding the dm_bufio lock. Instead we should be using
+GFP_NOWAIT. Using GFP_NOIO can cause us to sleep while holding the
+lock and that causes the above problems.
+
+The current behavior explained by David Rientjes:
+
+ It will still try reclaim initially because __GFP_WAIT (or
+ __GFP_KSWAPD_RECLAIM) is set by GFP_NOIO. This is the cause of
+ contention on dm_bufio_lock() that the thread holds. You want to
+ pass GFP_NOWAIT instead of GFP_NOIO to alloc_buffer() when holding a
+ mutex that can be contended by a concurrent slab shrinker (if
+ count_objects didn't use a trylock, this pattern would trivially
+ deadlock).
+
+This change significantly increases responsiveness of the system while
+in this state. It makes a real difference because it unblocks kswapd.
+In the bug report analyzed, kswapd was hung:
+
+ kswapd0 D ffffffc000204fd8 0 72 2 0x00000000
+ Call trace:
+ [<ffffffc000204fd8>] __switch_to+0x9c/0xa8
+ [<ffffffc00090b794>] __schedule+0x440/0x6d8
+ [<ffffffc00090bac0>] schedule+0x94/0xb4
+ [<ffffffc00090be44>] schedule_preempt_disabled+0x28/0x44
+ [<ffffffc00090d900>] __mutex_lock_slowpath+0x120/0x1ac
+ [<ffffffc00090d9d8>] mutex_lock+0x4c/0x68
+ [<ffffffc000708e7c>] dm_bufio_shrink_count+0x38/0x78
+ [<ffffffc00030b268>] shrink_slab.part.54.constprop.65+0x100/0x464
+ [<ffffffc00030dbd8>] shrink_zone+0xa8/0x198
+ [<ffffffc00030e578>] balance_pgdat+0x328/0x508
+ [<ffffffc00030eb7c>] kswapd+0x424/0x51c
+ [<ffffffc00023f06c>] kthread+0x10c/0x114
+ [<ffffffc000203dd0>] ret_from_fork+0x10/0x40
+
+By unblocking kswapd memory pressure should be reduced.
+
+Suggested-by: David Rientjes <rientjes@google.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-bufio.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-bufio.c
++++ b/drivers/md/dm-bufio.c
+@@ -766,7 +766,8 @@ static struct dm_buffer *__alloc_buffer_
+ * dm-bufio is resistant to allocation failures (it just keeps
+ * one buffer reserved in cases all the allocations fail).
+ * So set flags to not try too hard:
+- * GFP_NOIO: don't recurse into the I/O layer
++ * GFP_NOWAIT: don't wait; if we need to sleep we'll release our
++ * mutex and wait ourselves.
+ * __GFP_NORETRY: don't retry and rather return failure
+ * __GFP_NOMEMALLOC: don't use emergency reserves
+ * __GFP_NOWARN: don't print a warning in case of failure
+@@ -776,7 +777,7 @@ static struct dm_buffer *__alloc_buffer_
+ */
+ while (1) {
+ if (dm_bufio_cache_size_latch != 1) {
+- b = alloc_buffer(c, GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN);
++ b = alloc_buffer(c, GFP_NOWAIT | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN);
+ if (b)
+ return b;
+ }
--- /dev/null
+From 41c73a49df31151f4ff868f28fe4f129f113fa2c Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 23 Nov 2016 17:04:00 -0500
+Subject: dm bufio: drop the lock when doing GFP_NOIO allocation
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 41c73a49df31151f4ff868f28fe4f129f113fa2c upstream.
+
+If the first allocation attempt using GFP_NOWAIT fails, drop the lock
+and retry using GFP_NOIO allocation (lock is dropped because the
+allocation can take some time).
+
+Note that we won't do GFP_NOIO allocation when we loop for the second
+time, because the lock shouldn't be dropped between __wait_for_free_buffer
+and __get_unclaimed_buffer.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-bufio.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/md/dm-bufio.c
++++ b/drivers/md/dm-bufio.c
+@@ -761,6 +761,7 @@ enum new_flag {
+ static struct dm_buffer *__alloc_buffer_wait_no_callback(struct dm_bufio_client *c, enum new_flag nf)
+ {
+ struct dm_buffer *b;
++ bool tried_noio_alloc = false;
+
+ /*
+ * dm-bufio is resistant to allocation failures (it just keeps
+@@ -785,6 +786,15 @@ static struct dm_buffer *__alloc_buffer_
+ if (nf == NF_PREFETCH)
+ return NULL;
+
++ if (dm_bufio_cache_size_latch != 1 && !tried_noio_alloc) {
++ dm_bufio_unlock(c);
++ b = alloc_buffer(c, GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN);
++ dm_bufio_lock(c);
++ if (b)
++ return b;
++ tried_noio_alloc = true;
++ }
++
+ if (!list_empty(&c->reserved_buffers)) {
+ b = list_entry(c->reserved_buffers.next,
+ struct dm_buffer, lru_list);
--- /dev/null
+From 717adfdaf14704fd3ec7fa2c04520c0723247eac Mon Sep 17 00:00:00 2001
+From: Daniel Rosenberg <drosen@google.com>
+Date: Mon, 2 Jul 2018 16:59:37 -0700
+Subject: HID: debug: check length before copy_to_user()
+
+From: Daniel Rosenberg <drosen@google.com>
+
+commit 717adfdaf14704fd3ec7fa2c04520c0723247eac upstream.
+
+If our length is greater than the size of the buffer, we
+overflow the buffer
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Rosenberg <drosen@google.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-debug.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-debug.c
++++ b/drivers/hid/hid-debug.c
+@@ -1150,6 +1150,8 @@ copy_rest:
+ goto out;
+ if (list->tail > list->head) {
+ len = list->tail - list->head;
++ if (len > count)
++ len = count;
+
+ if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) {
+ ret = -EFAULT;
+@@ -1159,6 +1161,8 @@ copy_rest:
+ list->head += len;
+ } else {
+ len = HID_DEBUG_BUFSIZE - list->head;
++ if (len > count)
++ len = count;
+
+ if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) {
+ ret = -EFAULT;
+@@ -1166,7 +1170,9 @@ copy_rest:
+ }
+ list->head = 0;
+ ret += len;
+- goto copy_rest;
++ count -= len;
++ if (count > 0)
++ goto copy_rest;
+ }
+
+ }
--- /dev/null
+From ef6eaf27274c0351f7059163918f3795da13199c Mon Sep 17 00:00:00 2001
+From: Jason Andryuk <jandryuk@gmail.com>
+Date: Fri, 22 Jun 2018 12:25:49 -0400
+Subject: HID: i2c-hid: Fix "incomplete report" noise
+
+From: Jason Andryuk <jandryuk@gmail.com>
+
+commit ef6eaf27274c0351f7059163918f3795da13199c upstream.
+
+Commit ac75a041048b ("HID: i2c-hid: fix size check and type usage") started
+writing messages when the ret_size is <= 2 from i2c_master_recv. However, my
+device i2c-DLL07D1 returns 2 for a short period of time (~0.5s) after I stop
+moving the pointing stick or touchpad. It varies, but you get ~50 messages
+each time which spams the log hard.
+
+[ 95.925055] i2c_hid i2c-DLL07D1:01: i2c_hid_get_input: incomplete report (83/2)
+
+This has also been observed with a i2c-ALP0017.
+
+[ 1781.266353] i2c_hid i2c-ALP0017:00: i2c_hid_get_input: incomplete report (30/2)
+
+Only print the message when ret_size is totally invalid and less than 2 to cut
+down on the log spam.
+
+Fixes: ac75a041048b ("HID: i2c-hid: fix size check and type usage")
+Reported-by: John Smith <john-s-84@gmx.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/i2c-hid/i2c-hid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -399,7 +399,7 @@ static void i2c_hid_get_input(struct i2c
+ return;
+ }
+
+- if ((ret_size > size) || (ret_size <= 2)) {
++ if ((ret_size > size) || (ret_size < 2)) {
+ dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n",
+ __func__, size, ret_size);
+ return;
--- /dev/null
+From 3ee9bc12342cf546313d300808ff47d7dbb8e7db Mon Sep 17 00:00:00 2001
+From: Brad Love <brad@nextdimension.cc>
+Date: Tue, 6 Mar 2018 14:15:34 -0500
+Subject: media: cx25840: Use subdev host data for PLL override
+
+From: Brad Love <brad@nextdimension.cc>
+
+commit 3ee9bc12342cf546313d300808ff47d7dbb8e7db upstream.
+
+The cx25840 driver currently configures 885, 887, and 888 using
+default divisors for each chip. This check to see if the cx23885
+driver has passed the cx25840 a non-default clock rate for a
+specific chip. If a cx23885 board has left clk_freq at 0, the
+clock default values will be used to configure the PLLs.
+
+This patch only has effect on 888 boards who set clk_freq to 25M.
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/i2c/cx25840/cx25840-core.c | 28 ++++++++++++++++++++++------
+ 1 file changed, 22 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/i2c/cx25840/cx25840-core.c
++++ b/drivers/media/i2c/cx25840/cx25840-core.c
+@@ -467,8 +467,13 @@ static void cx23885_initialize(struct i2
+ {
+ DEFINE_WAIT(wait);
+ struct cx25840_state *state = to_state(i2c_get_clientdata(client));
++ u32 clk_freq = 0;
+ struct workqueue_struct *q;
+
++ /* cx23885 sets hostdata to clk_freq pointer */
++ if (v4l2_get_subdev_hostdata(&state->sd))
++ clk_freq = *((u32 *)v4l2_get_subdev_hostdata(&state->sd));
++
+ /*
+ * Come out of digital power down
+ * The CX23888, at least, needs this, otherwise registers aside from
+@@ -504,8 +509,13 @@ static void cx23885_initialize(struct i2
+ * 50.0 MHz * (0xb + 0xe8ba26/0x2000000)/4 = 5 * 28.636363 MHz
+ * 572.73 MHz before post divide
+ */
+- /* HVR1850 or 50MHz xtal */
+- cx25840_write(client, 0x2, 0x71);
++ if (clk_freq == 25000000) {
++ /* 888/ImpactVCBe or 25Mhz xtal */
++ ; /* nothing to do */
++ } else {
++ /* HVR1850 or 50MHz xtal */
++ cx25840_write(client, 0x2, 0x71);
++ }
+ cx25840_write4(client, 0x11c, 0x01d1744c);
+ cx25840_write4(client, 0x118, 0x00000416);
+ cx25840_write4(client, 0x404, 0x0010253e);
+@@ -548,9 +558,15 @@ static void cx23885_initialize(struct i2
+ /* HVR1850 */
+ switch (state->id) {
+ case CX23888_AV:
+- /* 888/HVR1250 specific */
+- cx25840_write4(client, 0x10c, 0x13333333);
+- cx25840_write4(client, 0x108, 0x00000515);
++ if (clk_freq == 25000000) {
++ /* 888/ImpactVCBe or 25MHz xtal */
++ cx25840_write4(client, 0x10c, 0x01b6db7b);
++ cx25840_write4(client, 0x108, 0x00000512);
++ } else {
++ /* 888/HVR1250 or 50MHz xtal */
++ cx25840_write4(client, 0x10c, 0x13333333);
++ cx25840_write4(client, 0x108, 0x00000515);
++ }
+ break;
+ default:
+ cx25840_write4(client, 0x10c, 0x002be2c9);
+@@ -577,7 +593,7 @@ static void cx23885_initialize(struct i2
+ * 368.64 MHz before post divide
+ * 122.88 MHz / 0xa = 12.288 MHz
+ */
+- /* HVR1850 or 50MHz xtal */
++ /* HVR1850 or 50MHz xtal or 25MHz xtal */
+ cx25840_write4(client, 0x114, 0x017dbf48);
+ cx25840_write4(client, 0x110, 0x000a030e);
+ break;
--- /dev/null
+From 3f77f244d8ec28e3a0a81240ffac7d626390060c Mon Sep 17 00:00:00 2001
+From: Martin Kaiser <martin@kaiser.cx>
+Date: Mon, 18 Jun 2018 22:41:03 +0200
+Subject: mtd: rawnand: mxc: set spare area size register explicitly
+
+From: Martin Kaiser <martin@kaiser.cx>
+
+commit 3f77f244d8ec28e3a0a81240ffac7d626390060c upstream.
+
+The v21 version of the NAND flash controller contains a Spare Area Size
+Register (SPAS) at offset 0x10. Its setting defaults to the maximum
+spare area size of 218 bytes. The size that is set in this register is
+used by the controller when it calculates the ECC bytes internally in
+hardware.
+
+Usually, this register is updated from settings in the IIM fuses when
+the system is booting from NAND flash. For other boot media, however,
+the SPAS register remains at the default setting, which may not work for
+the particular flash chip on the board. The same goes for flash chips
+whose configuration cannot be set in the IIM fuses (e.g. chips with 2k
+sector size and 128 bytes spare area size can't be configured in the IIM
+fuses on imx25 systems).
+
+Set the SPAS register explicitly during the preset operation. Derive the
+register value from mtd->oobsize that was detected during probe by
+decoding the flash chip's ID bytes.
+
+While at it, rename the define for the spare area register's offset to
+NFC_V21_RSLTSPARE_AREA. The register at offset 0x10 on v1 controllers is
+different from the register on v21 controllers.
+
+Fixes: d484018 ("mtd: mxc_nand: set NFC registers after reset")
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
+Reviewed-by: Sascha Hauer <s.hauer@pengutronix.de>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/mtd/nand/mxc_nand.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/mxc_nand.c
++++ b/drivers/mtd/nand/mxc_nand.c
+@@ -49,7 +49,7 @@
+ #define NFC_V1_V2_CONFIG (host->regs + 0x0a)
+ #define NFC_V1_V2_ECC_STATUS_RESULT (host->regs + 0x0c)
+ #define NFC_V1_V2_RSLTMAIN_AREA (host->regs + 0x0e)
+-#define NFC_V1_V2_RSLTSPARE_AREA (host->regs + 0x10)
++#define NFC_V21_RSLTSPARE_AREA (host->regs + 0x10)
+ #define NFC_V1_V2_WRPROT (host->regs + 0x12)
+ #define NFC_V1_UNLOCKSTART_BLKADDR (host->regs + 0x14)
+ #define NFC_V1_UNLOCKEND_BLKADDR (host->regs + 0x16)
+@@ -958,6 +958,9 @@ static void preset_v2(struct mtd_info *m
+ writew(config1, NFC_V1_V2_CONFIG1);
+ /* preset operation */
+
++ /* spare area size in 16-bit half-words */
++ writew(mtd->oobsize / 2, NFC_V21_RSLTSPARE_AREA);
++
+ /* Unlock the internal RAM Buffer */
+ writew(0x2, NFC_V1_V2_CONFIG);
+
ext4-make-sure-bitmaps-and-the-inode-table-don-t-overlap-with-bg-descriptors.patch
ext4-clear-i_data-in-ext4_inode_info-when-removing-inline-data.patch
ext4-add-more-mount-time-checks-of-the-superblock.patch
+hid-i2c-hid-fix-incomplete-report-noise.patch
+hid-debug-check-length-before-copy_to_user.patch
+media-cx25840-use-subdev-host-data-for-pll-override.patch
+dm-bufio-avoid-sleeping-while-holding-the-dm_bufio-lock.patch
+dm-bufio-drop-the-lock-when-doing-gfp_noio-allocation.patch
+mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
