--- /dev/null
+From e9f2a856e102fa27715b94bcc2240f686536d29b Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Sat, 6 Jul 2019 11:37:20 +0800
+Subject: can: flexcan: fix an use-after-free in flexcan_setup_stop_mode()
+
+From: Wen Yang <wen.yang99@zte.com.cn>
+
+commit e9f2a856e102fa27715b94bcc2240f686536d29b upstream.
+
+The gpr_np variable is still being used in dev_dbg() after the
+of_node_put() call, which may result in use-after-free.
+
+Fixes: de3578c198c6 ("can: flexcan: add self wakeup support")
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: linux-stable <stable@vger.kernel.org> # >= v5.0
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/flexcan.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -1455,10 +1455,10 @@ static int flexcan_setup_stop_mode(struc
+
+ priv = netdev_priv(dev);
+ priv->stm.gpr = syscon_node_to_regmap(gpr_np);
+- of_node_put(gpr_np);
+ if (IS_ERR(priv->stm.gpr)) {
+ dev_dbg(&pdev->dev, "could not find gpr regmap\n");
+- return PTR_ERR(priv->stm.gpr);
++ ret = PTR_ERR(priv->stm.gpr);
++ goto out_put_node;
+ }
+
+ priv->stm.req_gpr = out_val[1];
+@@ -1473,7 +1473,9 @@ static int flexcan_setup_stop_mode(struc
+
+ device_set_wakeup_capable(&pdev->dev, true);
+
+- return 0;
++out_put_node:
++ of_node_put(gpr_np);
++ return ret;
+ }
+
+ static const struct of_device_id flexcan_of_match[] = {
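Review bot: The success path now falls through the new `out_put_node:` label and ends in `return ret;` where it used to `return 0;`, so the function returns whatever `ret` last held. The declaration and earlier assignments of `ret` are outside both hunks, so it is presumably 0 at that point, but that should be confirmed or made explicit with `ret = 0;` after `device_set_wakeup_capable(&pdev->dev, true);`. Any other early `return` between the node lookup and this label would still skip `of_node_put(gpr_np)`; those paths are also outside the hunks.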
--- /dev/null
+From 5f186c257fa4808bb7f14e643b9fba3e11f08a30 Mon Sep 17 00:00:00 2001
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+Date: Tue, 2 Jul 2019 01:45:41 +0000
+Subject: can: flexcan: fix stop mode acknowledgment
+
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+
+commit 5f186c257fa4808bb7f14e643b9fba3e11f08a30 upstream.
+
+To enter stop mode, the CPU should manually assert a global Stop Mode
+request and check the acknowledgment asserted by FlexCAN. The CPU must
+only consider the FlexCAN in stop mode when both request and
+acknowledgment conditions are satisfied.
+
+Fixes: de3578c198c6 ("can: flexcan: add self wakeup support")
+Reported-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Cc: linux-stable <stable@vger.kernel.org> # >= v5.0
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/flexcan.c | 31 +++++++++++++++++++++++++++----
+ 1 file changed, 27 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -400,9 +400,10 @@ static void flexcan_enable_wakeup_irq(st
+ priv->write(reg_mcr, ®s->mcr);
+ }
+
+-static inline void flexcan_enter_stop_mode(struct flexcan_priv *priv)
++static inline int flexcan_enter_stop_mode(struct flexcan_priv *priv)
+ {
+ struct flexcan_regs __iomem *regs = priv->regs;
++ unsigned int ackval;
+ u32 reg_mcr;
+
+ reg_mcr = priv->read(®s->mcr);
+@@ -412,20 +413,37 @@ static inline void flexcan_enter_stop_mo
+ /* enable stop request */
+ regmap_update_bits(priv->stm.gpr, priv->stm.req_gpr,
+ 1 << priv->stm.req_bit, 1 << priv->stm.req_bit);
++
++ /* get stop acknowledgment */
++ if (regmap_read_poll_timeout(priv->stm.gpr, priv->stm.ack_gpr,
++ ackval, ackval & (1 << priv->stm.ack_bit),
++ 0, FLEXCAN_TIMEOUT_US))
++ return -ETIMEDOUT;
++
++ return 0;
+ }
+
+-static inline void flexcan_exit_stop_mode(struct flexcan_priv *priv)
++static inline int flexcan_exit_stop_mode(struct flexcan_priv *priv)
+ {
+ struct flexcan_regs __iomem *regs = priv->regs;
++ unsigned int ackval;
+ u32 reg_mcr;
+
+ /* remove stop request */
+ regmap_update_bits(priv->stm.gpr, priv->stm.req_gpr,
+ 1 << priv->stm.req_bit, 0);
+
++ /* get stop acknowledgment */
++ if (regmap_read_poll_timeout(priv->stm.gpr, priv->stm.ack_gpr,
++ ackval, !(ackval & (1 << priv->stm.ack_bit)),
++ 0, FLEXCAN_TIMEOUT_US))
++ return -ETIMEDOUT;
++
+ reg_mcr = priv->read(®s->mcr);
+ reg_mcr &= ~FLEXCAN_MCR_SLF_WAK;
+ priv->write(reg_mcr, ®s->mcr);
++
++ return 0;
+ }
+
+ static inline void flexcan_error_irq_enable(const struct flexcan_priv *priv)
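Review bot: Both timeout paths return `-ETIMEDOUT` with the hardware state half-changed: in `flexcan_enter_stop_mode()` the stop request bit stays asserted in the GPR, and in `flexcan_exit_stop_mode()` the early return skips clearing `FLEXCAN_MCR_SLF_WAK`. If callers are meant to fail cleanly, the enter path should withdraw the request before returning, e.g. `regmap_update_bits(priv->stm.gpr, priv->stm.req_gpr, 1 << priv->stm.req_bit, 0);`. The poll conditions build their mask with `1 << priv->stm.ack_bit`, a signed shift that is undefined for bit 31; `BIT(priv->stm.ack_bit)` avoids that. The start of `flexcan_enter_stop_mode()` lies between this hunk and the previous one.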
+@@ -1612,7 +1630,9 @@ static int __maybe_unused flexcan_suspen
+ */
+ if (device_may_wakeup(device)) {
+ enable_irq_wake(dev->irq);
+- flexcan_enter_stop_mode(priv);
++ err = flexcan_enter_stop_mode(priv);
++ if (err)
++ return err;
+ } else {
+ err = flexcan_chip_disable(priv);
+ if (err)
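Review bot: When `flexcan_enter_stop_mode()` times out, the new `return err;` leaves the `enable_irq_wake(dev->irq)` from two lines earlier in effect, with no matching `disable_irq_wake()` on this path. Either undo it before returning (`disable_irq_wake(dev->irq);` ahead of `return err;`) or call `enable_irq_wake()` only after stop mode has been acknowledged. The resume hunk that follows has the same early-return shape: `flexcan_enable_wakeup_irq(priv, false)` has already run when the error from `flexcan_exit_stop_mode()` is returned. Both functions extend beyond their hunks.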
+@@ -1662,10 +1682,13 @@ static int __maybe_unused flexcan_noirq_
+ {
+ struct net_device *dev = dev_get_drvdata(device);
+ struct flexcan_priv *priv = netdev_priv(dev);
++ int err;
+
+ if (netif_running(dev) && device_may_wakeup(device)) {
+ flexcan_enable_wakeup_irq(priv, false);
+- flexcan_exit_stop_mode(priv);
++ err = flexcan_exit_stop_mode(priv);
++ if (err)
++ return err;
+ }
+
+ return 0;
--- /dev/null
+From fee6a8923ae0d318a7f7950c6c6c28a96cea099b Mon Sep 17 00:00:00 2001
+From: Stephane Grosjean <s.grosjean@peak-system.com>
+Date: Fri, 5 Jul 2019 15:32:16 +0200
+Subject: can: peak_usb: fix potential double kfree_skb()
+
+From: Stephane Grosjean <s.grosjean@peak-system.com>
+
+commit fee6a8923ae0d318a7f7950c6c6c28a96cea099b upstream.
+
+When closing the CAN device while tx skbs are inflight, echo skb could
+be released twice. By calling close_candev() before unlinking all
+pending tx urbs, then the internal echo_skb[] array is fully and
+correctly cleared before the USB write callback and, therefore,
+can_get_echo_skb() are called, for each aborted URB.
+
+Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core")
+Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+@@ -568,16 +568,16 @@ static int peak_usb_ndo_stop(struct net_
+ dev->state &= ~PCAN_USB_STATE_STARTED;
+ netif_stop_queue(netdev);
+
++ close_candev(netdev);
++
++ dev->can.state = CAN_STATE_STOPPED;
++
+ /* unlink all pending urbs and free used memory */
+ peak_usb_unlink_all_urbs(dev);
+
+ if (dev->adapter->dev_stop)
+ dev->adapter->dev_stop(dev);
+
+- close_candev(netdev);
+-
+- dev->can.state = CAN_STATE_STOPPED;
+-
+ /* can set bus off now */
+ if (dev->adapter->dev_set_bus) {
+ int err = dev->adapter->dev_set_bus(dev, 0);
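Review bot: The fix depends entirely on statement order, and nothing in the new code says so; the existing comment `/* unlink all pending urbs and free used memory */` reads as if the unlink could sit anywhere in the function. A comment above `close_candev(netdev);` would keep a later cleanup from moving it back, for example `/* must run before the urbs are unlinked: clears echo_skb[] so the write callback of an aborted urb cannot release an echo skb a second time */`. `peak_usb_ndo_stop()` starts and ends outside the hunk.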
--- /dev/null
+From d4b890aec4bea7334ca2ca56fd3b12fb48a00cd1 Mon Sep 17 00:00:00 2001
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Date: Wed, 26 Jun 2019 16:08:48 +0300
+Subject: can: rcar_canfd: fix possible IRQ storm on high load
+
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+
+commit d4b890aec4bea7334ca2ca56fd3b12fb48a00cd1 upstream.
+
+We have observed rcar_canfd driver entering IRQ storm under high load,
+with following scenario:
+- rcar_canfd_global_interrupt() in entered due to Rx available,
+- napi_schedule_prep() is called, and sets NAPIF_STATE_SCHED in state
+- Rx fifo interrupts are masked,
+- rcar_canfd_global_interrupt() is entered again, this time due to
+ error interrupt (e.g. due to overflow),
+- since scheduled napi poller has not yet executed, condition for calling
+ napi_schedule_prep() from rcar_canfd_global_interrupt() remains true,
+ thus napi_schedule_prep() gets called and sets NAPIF_STATE_MISSED flag
+ in state,
+- later, napi poller function rcar_canfd_rx_poll() gets executed, and
+ calls napi_complete_done(),
+- due to NAPIF_STATE_MISSED flag in state, this call does not clear
+ NAPIF_STATE_SCHED flag from state,
+- on return from napi_complete_done(), rcar_canfd_rx_poll() unmasks Rx
+ interrupts,
+- Rx interrupt happens, rcar_canfd_global_interrupt() gets called
+ and calls napi_schedule_prep(),
+- since NAPIF_STATE_SCHED is set in state at this time, this call
+ returns false,
+- due to that false return, rcar_canfd_global_interrupt() returns
+ without masking Rx interrupt
+- and this results into IRQ storm: unmasked Rx interrupt happens again
+ and again is misprocessed in the same way.
+
+This patch fixes that scenario by unmasking Rx interrupts only when
+napi_complete_done() returns true, which means it has cleared
+NAPIF_STATE_SCHED in state.
+
+Fixes: dd3bd23eb438 ("can: rcar_canfd: Add Renesas R-Car CAN FD driver")
+Signed-off-by: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/rcar/rcar_canfd.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/can/rcar/rcar_canfd.c
++++ b/drivers/net/can/rcar/rcar_canfd.c
+@@ -1508,10 +1508,11 @@ static int rcar_canfd_rx_poll(struct nap
+
+ /* All packets processed */
+ if (num_pkts < quota) {
+- napi_complete_done(napi, num_pkts);
+- /* Enable Rx FIFO interrupts */
+- rcar_canfd_set_bit(priv->base, RCANFD_RFCC(ridx),
+- RCANFD_RFCC_RFIE);
++ if (napi_complete_done(napi, num_pkts)) {
++ /* Enable Rx FIFO interrupts */
++ rcar_canfd_set_bit(priv->base, RCANFD_RFCC(ridx),
++ RCANFD_RFCC_RFIE);
++ }
+ }
+ return num_pkts;
+ }
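Review bot: The reason for testing the return value of `napi_complete_done()` exists only in the commit message; the code comment still just says `/* Enable Rx FIFO interrupts */`. I would extend it to something like `/* Re-enable Rx FIFO interrupts only if NAPI really completed; otherwise the poll runs again and they must stay masked */`. The two nested conditions could also be written as one, `if (num_pkts < quota && napi_complete_done(napi, num_pkts))`, which drops a level of indentation without changing evaluation order.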
--- /dev/null
+From 5511c0c309db4c526a6e9f8b2b8a1483771574bc Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Thu, 1 Aug 2019 11:23:23 -0600
+Subject: coresight: Fix DEBUG_LOCKS_WARN_ON for uninitialized attribute
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+commit 5511c0c309db4c526a6e9f8b2b8a1483771574bc upstream.
+
+While running the linux-next with CONFIG_DEBUG_LOCKS_ALLOC enabled,
+I get the following splat.
+
+ BUG: key ffffcb5636929298 has not been registered!
+ ------------[ cut here ]------------
+ DEBUG_LOCKS_WARN_ON(1)
+ WARNING: CPU: 1 PID: 53 at kernel/locking/lockdep.c:3669 lockdep_init_map+0x164/0x1f0
+ CPU: 1 PID: 53 Comm: kworker/1:1 Tainted: G W 5.2.0-next-20190712-00015-g00ad4634222e-dirty #603
+ Workqueue: events amba_deferred_retry_func
+ pstate: 60c00005 (nZCv daif +PAN +UAO)
+ pc : lockdep_init_map+0x164/0x1f0
+ lr : lockdep_init_map+0x164/0x1f0
+
+ [ trimmed ]
+
+ Call trace:
+ lockdep_init_map+0x164/0x1f0
+ __kernfs_create_file+0x9c/0x158
+ sysfs_add_file_mode_ns+0xa8/0x1d0
+ sysfs_add_file_to_group+0x88/0xd8
+ etm_perf_add_symlink_sink+0xcc/0x138
+ coresight_register+0x110/0x280
+ tmc_probe+0x160/0x420
+
+ [ trimmed ]
+
+ ---[ end trace ab4cc669615ba1b0 ]---
+
+Fix this by initialising the dynamically allocated attribute properly.
+
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Fixes: bb8e370bdc14 ("coresight: perf: Add "sinks" group to PMU directory")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+[Fixed a typograhic error in the changelog]
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Link: https://lore.kernel.org/r/20190801172323.18359-2-mathieu.poirier@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/hwtracing/coresight/coresight-etm-perf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/hwtracing/coresight/coresight-etm-perf.c
++++ b/drivers/hwtracing/coresight/coresight-etm-perf.c
+@@ -544,6 +544,7 @@ int etm_perf_add_symlink_sink(struct cor
+ /* See function coresight_get_sink_by_id() to know where this is used */
+ hash = hashlen_hash(hashlen_string(NULL, name));
+
++ sysfs_attr_init(&ea->attr.attr);
+ ea->attr.attr.name = devm_kstrdup(pdev, name, GFP_KERNEL);
+ if (!ea->attr.attr.name)
+ return -ENOMEM;
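Review bot: `sysfs_attr_init(&ea->attr.attr);` has no comment, and the reason for it is not obvious from the line itself: per the commit message the attribute is allocated at run time, so lockdep has no registered key for it. A one-line comment such as `/* dynamically allocated attribute: give lockdep a key before sysfs sees it */` would help the next reader. The allocation of `ea` is above the hunk.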
--- /dev/null
+From 491beed3b102b6e6c0e7734200661242226e3933 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Mon, 5 Aug 2019 09:19:06 +0800
+Subject: genirq/affinity: Create affinity mask for single vector
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit 491beed3b102b6e6c0e7734200661242226e3933 upstream.
+
+Since commit c66d4bd110a1f8 ("genirq/affinity: Add new callback for
+(re)calculating interrupt sets"), irq_create_affinity_masks() returns
+NULL in case of single vector. This change has caused regression on some
+drivers, such as lpfc.
+
+The problem is that single vector requests can happen in some generic cases:
+
+ 1) kdump kernel
+
+ 2) irq vectors resource is close to exhaustion.
+
+If in that situation the affinity mask for a single vector is not created,
+every caller has to handle the special case.
+
+There is no reason why the mask cannot be created, so remove the check for
+a single vector and create the mask.
+
+Fixes: c66d4bd110a1f8 ("genirq/affinity: Add new callback for (re)calculating interrupt sets")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190805011906.5020-1-ming.lei@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/irq/affinity.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/kernel/irq/affinity.c
++++ b/kernel/irq/affinity.c
+@@ -253,11 +253,9 @@ irq_create_affinity_masks(unsigned int n
+ * Determine the number of vectors which need interrupt affinities
+ * assigned. If the pre/post request exhausts the available vectors
+ * then nothing to do here except for invoking the calc_sets()
+- * callback so the device driver can adjust to the situation. If there
+- * is only a single vector, then managing the queue is pointless as
+- * well.
++ * callback so the device driver can adjust to the situation.
+ */
+- if (nvecs > 1 && nvecs > affd->pre_vectors + affd->post_vectors)
++ if (nvecs > affd->pre_vectors + affd->post_vectors)
+ affvecs = nvecs - affd->pre_vectors - affd->post_vectors;
+ else
+ affvecs = 0;
--- /dev/null
+From a27a0c9b6a208722016c8ec5ad31ec96082b91ec Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Mon, 5 Aug 2019 12:22:03 +0100
+Subject: gfs2: gfs2_walk_metadata fix
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit a27a0c9b6a208722016c8ec5ad31ec96082b91ec upstream.
+
+It turns out that the current version of gfs2_metadata_walker suffers
+from multiple problems that can cause gfs2_hole_size to report an
+incorrect size. This will confuse fiemap as well as lseek with the
+SEEK_DATA flag.
+
+Fix that by changing gfs2_hole_walker to compute the metapath to the
+first data block after the hole (if any), and compute the hole size
+based on that.
+
+Fixes xfstest generic/490.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Reviewed-by: Bob Peterson <rpeterso@redhat.com>
+Cc: stable@vger.kernel.org # v4.18+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/bmap.c | 168 ++++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 103 insertions(+), 65 deletions(-)
+
+--- a/fs/gfs2/bmap.c
++++ b/fs/gfs2/bmap.c
+@@ -390,6 +390,19 @@ static int fillup_metapath(struct gfs2_i
+ return mp->mp_aheight - x - 1;
+ }
+
++static sector_t metapath_to_block(struct gfs2_sbd *sdp, struct metapath *mp)
++{
++ sector_t factor = 1, block = 0;
++ int hgt;
++
++ for (hgt = mp->mp_fheight - 1; hgt >= 0; hgt--) {
++ if (hgt < mp->mp_aheight)
++ block += mp->mp_list[hgt] * factor;
++ factor *= sdp->sd_inptrs;
++ }
++ return block;
++}
++
+ static void release_metapath(struct metapath *mp)
+ {
+ int i;
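Review bot: `metapath_to_block()` is the only function this patch adds without a header comment, although the walker typedef and `gfs2_walk_metadata()` both get one. It turns the per-height indices in `mp->mp_list[]` back into a logical block number and treats heights at or above `mp->mp_aheight` as index 0; that second part is easy to miss and worth stating, since `gfs2_hole_size()` relies on it.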
+@@ -430,60 +443,84 @@ static inline unsigned int gfs2_extent_l
+ return ptr - first;
+ }
+
+-typedef const __be64 *(*gfs2_metadata_walker)(
+- struct metapath *mp,
+- const __be64 *start, const __be64 *end,
+- u64 factor, void *data);
+-
+-#define WALK_STOP ((__be64 *)0)
+-#define WALK_NEXT ((__be64 *)1)
+-
+-static int gfs2_walk_metadata(struct inode *inode, sector_t lblock,
+- u64 len, struct metapath *mp, gfs2_metadata_walker walker,
+- void *data)
++enum walker_status { WALK_STOP, WALK_FOLLOW, WALK_CONTINUE };
++
++/*
++ * gfs2_metadata_walker - walk an indirect block
++ * @mp: Metapath to indirect block
++ * @ptrs: Number of pointers to look at
++ *
++ * When returning WALK_FOLLOW, the walker must update @mp to point at the right
++ * indirect block to follow.
++ */
++typedef enum walker_status (*gfs2_metadata_walker)(struct metapath *mp,
++ unsigned int ptrs);
++
++/*
++ * gfs2_walk_metadata - walk a tree of indirect blocks
++ * @inode: The inode
++ * @mp: Starting point of walk
++ * @max_len: Maximum number of blocks to walk
++ * @walker: Called during the walk
++ *
++ * Returns 1 if the walk was stopped by @walker, 0 if we went past @max_len or
++ * past the end of metadata, and a negative error code otherwise.
++ */
++
++static int gfs2_walk_metadata(struct inode *inode, struct metapath *mp,
++ u64 max_len, gfs2_metadata_walker walker)
+ {
+- struct metapath clone;
+ struct gfs2_inode *ip = GFS2_I(inode);
+ struct gfs2_sbd *sdp = GFS2_SB(inode);
+- const __be64 *start, *end, *ptr;
+ u64 factor = 1;
+ unsigned int hgt;
+- int ret = 0;
++ int ret;
+
+- for (hgt = ip->i_height - 1; hgt >= mp->mp_aheight; hgt--)
++ /*
++ * The walk starts in the lowest allocated indirect block, which may be
++ * before the position indicated by @mp. Adjust @max_len accordingly
++ * to avoid a short walk.
++ */
++ for (hgt = mp->mp_fheight - 1; hgt >= mp->mp_aheight; hgt--) {
++ max_len += mp->mp_list[hgt] * factor;
++ mp->mp_list[hgt] = 0;
+ factor *= sdp->sd_inptrs;
++ }
+
+ for (;;) {
+- u64 step;
++ u16 start = mp->mp_list[hgt];
++ enum walker_status status;
++ unsigned int ptrs;
++ u64 len;
+
+ /* Walk indirect block. */
+- start = metapointer(hgt, mp);
+- end = metaend(hgt, mp);
+-
+- step = (end - start) * factor;
+- if (step > len)
+- end = start + DIV_ROUND_UP_ULL(len, factor);
+-
+- ptr = walker(mp, start, end, factor, data);
+- if (ptr == WALK_STOP)
++ ptrs = (hgt >= 1 ? sdp->sd_inptrs : sdp->sd_diptrs) - start;
++ len = ptrs * factor;
++ if (len > max_len)
++ ptrs = DIV_ROUND_UP_ULL(max_len, factor);
++ status = walker(mp, ptrs);
++ switch (status) {
++ case WALK_STOP:
++ return 1;
++ case WALK_FOLLOW:
++ BUG_ON(mp->mp_aheight == mp->mp_fheight);
++ ptrs = mp->mp_list[hgt] - start;
++ len = ptrs * factor;
+ break;
+- if (step >= len)
++ case WALK_CONTINUE:
+ break;
+- len -= step;
+- if (ptr != WALK_NEXT) {
+- BUG_ON(!*ptr);
+- mp->mp_list[hgt] += ptr - start;
+- goto fill_up_metapath;
+ }
++ if (len >= max_len)
++ break;
++ max_len -= len;
++ if (status == WALK_FOLLOW)
++ goto fill_up_metapath;
+
+ lower_metapath:
+ /* Decrease height of metapath. */
+- if (mp != &clone) {
+- clone_metapath(&clone, mp);
+- mp = &clone;
+- }
+ brelse(mp->mp_bh[hgt]);
+ mp->mp_bh[hgt] = NULL;
++ mp->mp_list[hgt] = 0;
+ if (!hgt)
+ break;
+ hgt--;
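Review bot: `hgt` is `unsigned int`, so the new setup loop `for (hgt = mp->mp_fheight - 1; hgt >= mp->mp_aheight; hgt--)` can only terminate if `mp->mp_aheight` is at least 1; with 0 the condition is always true and `mp->mp_list[hgt]` would be indexed after wrap-around. Callers presumably pass a looked-up metapath, but that is not visible here, so a `WARN_ON_ONCE(!mp->mp_aheight)` with an error return, or a signed `hgt`, would make it safe by construction. The `switch (status)` also has no `default:` case, so an unexpected walker return value is silently handled like `WALK_CONTINUE`. The function continues in the following hunks.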
+@@ -491,10 +528,7 @@ lower_metapath:
+
+ /* Advance in metadata tree. */
+ (mp->mp_list[hgt])++;
+- start = metapointer(hgt, mp);
+- end = metaend(hgt, mp);
+- if (start >= end) {
+- mp->mp_list[hgt] = 0;
++ if (mp->mp_list[hgt] >= sdp->sd_inptrs) {
+ if (!hgt)
+ break;
+ goto lower_metapath;
+@@ -502,44 +536,36 @@ lower_metapath:
+
+ fill_up_metapath:
+ /* Increase height of metapath. */
+- if (mp != &clone) {
+- clone_metapath(&clone, mp);
+- mp = &clone;
+- }
+ ret = fillup_metapath(ip, mp, ip->i_height - 1);
+ if (ret < 0)
+- break;
++ return ret;
+ hgt += ret;
+ for (; ret; ret--)
+ do_div(factor, sdp->sd_inptrs);
+ mp->mp_aheight = hgt + 1;
+ }
+- if (mp == &clone)
+- release_metapath(mp);
+- return ret;
++ return 0;
+ }
+
+-struct gfs2_hole_walker_args {
+- u64 blocks;
+-};
+-
+-static const __be64 *gfs2_hole_walker(struct metapath *mp,
+- const __be64 *start, const __be64 *end,
+- u64 factor, void *data)
++static enum walker_status gfs2_hole_walker(struct metapath *mp,
++ unsigned int ptrs)
+ {
+- struct gfs2_hole_walker_args *args = data;
+- const __be64 *ptr;
++ const __be64 *start, *ptr, *end;
++ unsigned int hgt;
++
++ hgt = mp->mp_aheight - 1;
++ start = metapointer(hgt, mp);
++ end = start + ptrs;
+
+ for (ptr = start; ptr < end; ptr++) {
+ if (*ptr) {
+- args->blocks += (ptr - start) * factor;
++ mp->mp_list[hgt] += ptr - start;
+ if (mp->mp_aheight == mp->mp_fheight)
+ return WALK_STOP;
+- return ptr; /* increase height */
++ return WALK_FOLLOW;
+ }
+ }
+- args->blocks += (end - start) * factor;
+- return WALK_NEXT;
++ return WALK_CONTINUE;
+ }
+
+ /**
+@@ -557,12 +583,24 @@ static const __be64 *gfs2_hole_walker(st
+ static int gfs2_hole_size(struct inode *inode, sector_t lblock, u64 len,
+ struct metapath *mp, struct iomap *iomap)
+ {
+- struct gfs2_hole_walker_args args = { };
+- int ret = 0;
++ struct metapath clone;
++ u64 hole_size;
++ int ret;
++
++ clone_metapath(&clone, mp);
++ ret = gfs2_walk_metadata(inode, &clone, len, gfs2_hole_walker);
++ if (ret < 0)
++ goto out;
++
++ if (ret == 1)
++ hole_size = metapath_to_block(GFS2_SB(inode), &clone) - lblock;
++ else
++ hole_size = len;
++ iomap->length = hole_size << inode->i_blkbits;
++ ret = 0;
+
+- ret = gfs2_walk_metadata(inode, lblock, len, mp, gfs2_hole_walker, &args);
+- if (!ret)
+- iomap->length = args.blocks << inode->i_blkbits;
++out:
++ release_metapath(&clone);
+ return ret;
+ }
+
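Review bot: `hole_size = metapath_to_block(GFS2_SB(inode), &clone) - lblock;` is an unsigned subtraction that is only meaningful if the walk stopped at or after `lblock`. The comment in `gfs2_walk_metadata()` says the walk may start before the position indicated by `@mp`, so this relies on every pointer in between being zero. That is probably true for a position inside a hole, but a `WARN_ON_ONCE()` on a block below `lblock`, or a comment stating the invariant, would keep an unexpected or corrupted tree from turning into a huge `iomap->length`.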
--- /dev/null
+From 3f8fd02b1bf1d7ba964485a56f2f4b53ae88c167 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Fri, 19 Jul 2019 20:46:52 +0200
+Subject: mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy()
+
+From: Joerg Roedel <jroedel@suse.de>
+
+commit 3f8fd02b1bf1d7ba964485a56f2f4b53ae88c167 upstream.
+
+On x86-32 with PTI enabled, parts of the kernel page-tables are not shared
+between processes. This can cause mappings in the vmalloc/ioremap area to
+persist in some page-tables after the region is unmapped and released.
+
+When the region is re-used the processes with the old mappings do not fault
+in the new mappings but still access the old ones.
+
+This causes undefined behavior, in reality often data corruption, kernel
+oopses and panics and even spontaneous reboots.
+
+Fix this problem by actively syncing unmaps in the vmalloc/ioremap area to
+all page-tables in the system before the regions can be re-used.
+
+References: https://bugzilla.suse.com/show_bug.cgi?id=1118689
+Fixes: 5d72b4fba40ef ('x86, mm: support huge I/O mapping capability I/F')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
+Link: https://lkml.kernel.org/r/20190719184652.11391-4-joro@8bytes.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/vmalloc.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/mm/vmalloc.c
++++ b/mm/vmalloc.c
+@@ -1214,6 +1214,12 @@ static bool __purge_vmap_area_lazy(unsig
+ return false;
+
+ /*
++ * First make sure the mappings are removed from all page-tables
++ * before they are freed.
++ */
++ vmalloc_sync_all();
++
++ /*
+ * TODO: to calculate a flush range without looping.
+ * The list can be up to lazy_max_pages() elements.
+ */
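Review bot: `vmalloc_sync_all()` is now called on every purge that gets past the early `return false`, on all architectures and configurations, while the problem described is specific to x86-32 with PTI. On architectures that override the weak stub the call may be expensive, and neither the comment nor the commit message says what it costs on a path that is otherwise batched to stay cheap. I would at least extend the comment to name the configuration that needs the sync, and consider whether it can be restricted to it. The function body extends beyond the hunk.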
+@@ -3001,6 +3007,9 @@ EXPORT_SYMBOL(remap_vmalloc_range);
+ /*
+ * Implement a stub for vmalloc_sync_all() if the architecture chose not to
+ * have one.
++ *
++ * The purpose of this function is to make sure the vmalloc area
++ * mappings are identical in all page-tables in the system.
+ */
+ void __weak vmalloc_sync_all(void)
+ {
--- /dev/null
+From b9c0a64901d5bdec6eafd38d1dc8fa0e2974fccb Mon Sep 17 00:00:00 2001
+From: Thomas Richter <tmricht@linux.ibm.com>
+Date: Wed, 24 Jul 2019 14:27:03 +0200
+Subject: perf annotate: Fix s390 gap between kernel end and module start
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+commit b9c0a64901d5bdec6eafd38d1dc8fa0e2974fccb upstream.
+
+During execution of command 'perf top' the error message:
+
+ Not enough memory for annotating '__irf_end' symbol!)
+
+is emitted from this call sequence:
+ __cmd_top
+ perf_top__mmap_read
+ perf_top__mmap_read_idx
+ perf_event__process_sample
+ hist_entry_iter__add
+ hist_iter__top_callback
+ perf_top__record_precise_ip
+ hist_entry__inc_addr_samples
+ symbol__inc_addr_samples
+ symbol__get_annotation
+ symbol__alloc_hist
+
+In this function the size of symbol __irf_end is calculated. The size of
+a symbol is the difference between its start and end address.
+
+When the symbol was read the first time, its start and end was set to:
+
+ symbol__new: __irf_end 0xe954d0-0xe954d0
+
+which is correct and maps with /proc/kallsyms:
+
+ root@s8360046:~/linux-4.15.0/tools/perf# fgrep _irf_end /proc/kallsyms
+ 0000000000e954d0 t __irf_end
+ root@s8360046:~/linux-4.15.0/tools/perf#
+
+In function symbol__alloc_hist() the end of symbol __irf_end is
+
+ symbol__alloc_hist sym:__irf_end start:0xe954d0 end:0x3ff80045a8
+
+which is identical with the first module entry in /proc/kallsyms
+
+This results in a symbol size of __irf_req for histogram analyses of
+70334140059072 bytes and a malloc() for this requested size fails.
+
+The root cause of this is function
+ __dso__load_kallsyms()
+ +-> symbols__fixup_end()
+
+Function symbols__fixup_end() enlarges the last symbol in the kallsyms
+map:
+
+ # fgrep __irf_end /proc/kallsyms
+ 0000000000e954d0 t __irf_end
+ #
+
+to the start address of the first module:
+ # cat /proc/kallsyms | sort | egrep ' [tT] '
+ ....
+ 0000000000e952d0 T __security_initcall_end
+ 0000000000e954d0 T __initramfs_size
+ 0000000000e954d0 t __irf_end
+ 000003ff800045a8 T fc_get_event_number [scsi_transport_fc]
+ 000003ff800045d0 t store_fc_vport_disable [scsi_transport_fc]
+ 000003ff800046a8 T scsi_is_fc_rport [scsi_transport_fc]
+ 000003ff800046d0 t fc_target_setup [scsi_transport_fc]
+
+On s390 the kernel is located around memory address 0x200, 0x10000 or
+0x100000, depending on linux version. Modules however start some- where
+around 0x3ff xxxx xxxx.
+
+This is different than x86 and produces a large gap for which histogram
+allocation fails.
+
+Fix this by detecting the kernel's last symbol and do no adjustment for
+it. Introduce a weak function and handle s390 specifics.
+
+Reported-by: Klaus Theurich <klaus.theurich@de.ibm.com>
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Hendrik Brueckner <brueckner@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20190724122703.3996-2-tmricht@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/arch/s390/util/machine.c | 17 +++++++++++++++++
+ tools/perf/util/symbol.c | 7 ++++++-
+ tools/perf/util/symbol.h | 1 +
+ 3 files changed, 24 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/arch/s390/util/machine.c
++++ b/tools/perf/arch/s390/util/machine.c
+@@ -6,6 +6,7 @@
+ #include "machine.h"
+ #include "api/fs/fs.h"
+ #include "debug.h"
++#include "symbol.h"
+
+ int arch__fix_module_text_start(u64 *start, const char *name)
+ {
+@@ -21,3 +22,19 @@ int arch__fix_module_text_start(u64 *sta
+
+ return 0;
+ }
++
++/* On s390 kernel text segment start is located at very low memory addresses,
++ * for example 0x10000. Modules are located at very high memory addresses,
++ * for example 0x3ff xxxx xxxx. The gap between end of kernel text segment
++ * and beginning of first module's text segment is very big.
++ * Therefore do not fill this gap and do not assign it to the kernel dso map.
++ */
++void arch__symbols__fixup_end(struct symbol *p, struct symbol *c)
++{
++ if (strchr(p->name, '[') == NULL && strchr(c->name, '['))
++ /* Last kernel symbol mapped to end of page */
++ p->end = roundup(p->end, page_size);
++ else
++ p->end = c->start;
++ pr_debug4("%s sym:%s end:%#lx\n", __func__, p->name, p->end);
++}
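Review bot: `pr_debug4("%s sym:%s end:%#lx\n", __func__, p->name, p->end);` prints `p->end` with `%lx`; if `end` is a `u64` (its declaration is not in this diff) the portable form is `"%#" PRIx64`. The test `strchr(p->name, '[') == NULL && strchr(c->name, '[')` finds the kernel/module boundary purely by a `[` in the symbol name, which deserves a short comment saying that module symbols carry a `[module]` suffix, as the kallsyms listing in the commit message shows. The `if`/`else` bodies would also read better with braces, since the first one carries a comment line.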
+--- a/tools/perf/util/symbol.c
++++ b/tools/perf/util/symbol.c
+@@ -91,6 +91,11 @@ static int prefix_underscores_count(cons
+ return tail - str;
+ }
+
++void __weak arch__symbols__fixup_end(struct symbol *p, struct symbol *c)
++{
++ p->end = c->start;
++}
++
+ const char * __weak arch__normalize_symbol_name(const char *name)
+ {
+ return name;
+@@ -217,7 +222,7 @@ void symbols__fixup_end(struct rb_root_c
+ curr = rb_entry(nd, struct symbol, rb_node);
+
+ if (prev->end == prev->start && prev->end != curr->start)
+- prev->end = curr->start;
++ arch__symbols__fixup_end(prev, curr);
+ }
+
+ /* Last entry */
+--- a/tools/perf/util/symbol.h
++++ b/tools/perf/util/symbol.h
+@@ -277,6 +277,7 @@ const char *arch__normalize_symbol_name(
+ #define SYMBOL_A 0
+ #define SYMBOL_B 1
+
++void arch__symbols__fixup_end(struct symbol *p, struct symbol *c);
+ int arch__compare_symbol_names(const char *namea, const char *nameb);
+ int arch__compare_symbol_names_n(const char *namea, const char *nameb,
+ unsigned int n);
--- /dev/null
+From 3de7ae0b2a1d86dbb23d0cb135150534fdb2e836 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Thu, 8 Aug 2019 09:48:23 +0300
+Subject: perf db-export: Fix thread__exec_comm()
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 3de7ae0b2a1d86dbb23d0cb135150534fdb2e836 upstream.
+
+Threads synthesized from /proc have comms with a start time of zero, and
+not marked as "exec". Currently, there can be 2 such comms. The first is
+created by processing a synthesized fork event and is set to the
+parent's comm string, and the second by processing a synthesized comm
+event set to the thread's current comm string.
+
+In the absence of an "exec" comm, thread__exec_comm() picks the last
+(oldest) comm, which, in the case above, is the parent's comm string.
+For a main thread, that is very probably wrong. Use the second-to-last
+in that case.
+
+This affects only db-export because it is the only user of
+thread__exec_comm().
+
+Example:
+
+ $ sudo perf record -a -o pt-a-sleep-1 -e intel_pt//u -- sleep 1
+ $ sudo chown ahunter pt-a-sleep-1
+
+Before:
+
+ $ perf script -i pt-a-sleep-1 --itrace=bep -s tools/perf/scripts/python/export-to-sqlite.py pt-a-sleep-1.db branches calls
+ $ sqlite3 -header -column pt-a-sleep-1.db 'select * from comm_threads_view'
+ comm_id command thread_id pid tid
+ ---------- ---------- ---------- ---------- ----------
+ 1 swapper 1 0 0
+ 2 rcu_sched 2 10 10
+ 3 kthreadd 3 78 78
+ 5 sudo 4 15180 15180
+ 5 sudo 5 15180 15182
+ 7 kworker/4: 6 10335 10335
+ 8 kthreadd 7 55 55
+ 10 systemd 8 865 865
+ 10 systemd 9 865 875
+ 13 perf 10 15181 15181
+ 15 sleep 10 15181 15181
+ 16 kworker/3: 11 14179 14179
+ 17 kthreadd 12 29376 29376
+ 19 systemd 13 746 746
+ 21 systemd 14 401 401
+ 23 systemd 15 879 879
+ 23 systemd 16 879 945
+ 25 kthreadd 17 556 556
+ 27 kworker/u1 18 14136 14136
+ 28 kworker/u1 19 15021 15021
+ 29 kthreadd 20 509 509
+ 31 systemd 21 836 836
+ 31 systemd 22 836 967
+ 33 systemd 23 1148 1148
+ 33 systemd 24 1148 1163
+ 35 kworker/2: 25 17988 17988
+ 36 kworker/0: 26 13478 13478
+
+After:
+
+ $ perf script -i pt-a-sleep-1 --itrace=bep -s tools/perf/scripts/python/export-to-sqlite.py pt-a-sleep-1b.db branches calls
+ $ sqlite3 -header -column pt-a-sleep-1b.db 'select * from comm_threads_view'
+ comm_id command thread_id pid tid
+ ---------- ---------- ---------- ---------- ----------
+ 1 swapper 1 0 0
+ 2 rcu_sched 2 10 10
+ 3 kswapd0 3 78 78
+ 4 perf 4 15180 15180
+ 4 perf 5 15180 15182
+ 6 kworker/4: 6 10335 10335
+ 7 kcompactd0 7 55 55
+ 8 accounts-d 8 865 865
+ 8 accounts-d 9 865 875
+ 10 perf 10 15181 15181
+ 12 sleep 10 15181 15181
+ 13 kworker/3: 11 14179 14179
+ 14 kworker/1: 12 29376 29376
+ 15 haveged 13 746 746
+ 16 systemd-jo 14 401 401
+ 17 NetworkMan 15 879 879
+ 17 NetworkMan 16 879 945
+ 19 irq/131-iw 17 556 556
+ 20 kworker/u1 18 14136 14136
+ 21 kworker/u1 19 15021 15021
+ 22 kworker/u1 20 509 509
+ 23 thermald 21 836 836
+ 23 thermald 22 836 967
+ 25 unity-sett 23 1148 1148
+ 25 unity-sett 24 1148 1163
+ 27 kworker/2: 25 17988 17988
+ 28 kworker/0: 26 13478 13478
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 65de51f93ebf ("perf tools: Identify which comms are from exec")
+Link: http://lkml.kernel.org/r/20190808064823.14846-1-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/thread.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/util/thread.c
++++ b/tools/perf/util/thread.c
+@@ -197,14 +197,24 @@ struct comm *thread__comm(const struct t
+
+ struct comm *thread__exec_comm(const struct thread *thread)
+ {
+- struct comm *comm, *last = NULL;
++ struct comm *comm, *last = NULL, *second_last = NULL;
+
+ list_for_each_entry(comm, &thread->comm_list, list) {
+ if (comm->exec)
+ return comm;
++ second_last = last;
+ last = comm;
+ }
+
++ /*
++ * 'last' with no start time might be the parent's comm of a synthesized
++ * thread (created by processing a synthesized fork event). For a main
++ * thread, that is very probably wrong. Prefer a later comm to avoid
++ * that case.
++ */
++ if (second_last && !last->start && thread->pid_ == thread->tid)
++ return second_last;
++
+ return last;
+ }
+
--- /dev/null
+From 12a6d2940b5f02b4b9f71ce098e3bb02bc24a9ea Mon Sep 17 00:00:00 2001
+From: Thomas Richter <tmricht@linux.ibm.com>
+Date: Wed, 24 Jul 2019 14:27:02 +0200
+Subject: perf record: Fix module size on s390
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+commit 12a6d2940b5f02b4b9f71ce098e3bb02bc24a9ea upstream.
+
+On s390 the modules loaded in memory have the text segment located after
+the GOT and Relocation table. This can be seen with this output:
+
+ [root@m35lp76 perf]# fgrep qeth /proc/modules
+ qeth 151552 1 qeth_l2, Live 0x000003ff800b2000
+ ...
+ [root@m35lp76 perf]# cat /sys/module/qeth/sections/.text
+ 0x000003ff800b3990
+ [root@m35lp76 perf]#
+
+There is an offset of 0x1990 bytes. The size of the qeth module is
+151552 bytes (0x25000 in hex).
+
+The location of the GOT/relocation table at the beginning of a module is
+unique to s390.
+
+commit 203d8a4aa6ed ("perf s390: Fix 'start' address of module's map")
+adjusts the start address of a module in the map structures, but does
+not adjust the size of the modules. This leads to overlapping of module
+maps as this example shows:
+
+[root@m35lp76 perf] # ./perf report -D
+ 0 0 0xfb0 [0xa0]: PERF_RECORD_MMAP -1/0: [0x3ff800b3990(0x25000)
+ @ 0]: x /lib/modules/.../qeth.ko.xz
+ 0 0 0x1050 [0xb0]: PERF_RECORD_MMAP -1/0: [0x3ff800d85a0(0x8000)
+ @ 0]: x /lib/modules/.../ip6_tables.ko.xz
+
+The module qeth.ko has an adjusted start address modified to b3990, but
+its size is unchanged and the module ends at 0x3ff800d8990. This end
+address overlaps with the next modules start address of 0x3ff800d85a0.
+
+When the size of the leading GOT/Relocation table stored in the
+beginning of the text segment (0x1990 bytes) is subtracted from module
+qeth end address, there are no overlaps anymore:
+
+ 0x3ff800d8990 - 0x1990 = 0x0x3ff800d7000
+
+which is the same as
+
+ 0x3ff800b2000 + 0x25000 = 0x0x3ff800d7000.
+
+To fix this issue, also adjust the modules size in function
+arch__fix_module_text_start(). Add another function parameter named size
+and reduce the size of the module when the text segment start address is
+changed.
+
+Output after:
+ 0 0 0xfb0 [0xa0]: PERF_RECORD_MMAP -1/0: [0x3ff800b3990(0x23670)
+ @ 0]: x /lib/modules/.../qeth.ko.xz
+ 0 0 0x1050 [0xb0]: PERF_RECORD_MMAP -1/0: [0x3ff800d85a0(0x7a60)
+ @ 0]: x /lib/modules/.../ip6_tables.ko.xz
+
+Reported-by: Stefan Liebler <stli@linux.ibm.com>
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Hendrik Brueckner <brueckner@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: stable@vger.kernel.org
+Fixes: 203d8a4aa6ed ("perf s390: Fix 'start' address of module's map")
+Link: http://lkml.kernel.org/r/20190724122703.3996-1-tmricht@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/arch/s390/util/machine.c | 14 +++++++++++++-
+ tools/perf/util/machine.c | 3 ++-
+ tools/perf/util/machine.h | 2 +-
+ 3 files changed, 16 insertions(+), 3 deletions(-)
+
+--- a/tools/perf/arch/s390/util/machine.c
++++ b/tools/perf/arch/s390/util/machine.c
+@@ -8,7 +8,7 @@
+ #include "debug.h"
+ #include "symbol.h"
+
+-int arch__fix_module_text_start(u64 *start, const char *name)
++int arch__fix_module_text_start(u64 *start, u64 *size, const char *name)
+ {
+ u64 m_start = *start;
+ char path[PATH_MAX];
+@@ -18,6 +18,18 @@ int arch__fix_module_text_start(u64 *sta
+ if (sysfs__read_ull(path, (unsigned long long *)start) < 0) {
+ pr_debug2("Using module %s start:%#lx\n", path, m_start);
+ *start = m_start;
++ } else {
++ /* Successful read of the modules segment text start address.
++ * Calculate difference between module start address
++ * in memory and module text segment start address.
++ * For example module load address is 0x3ff8011b000
++ * (from /proc/modules) and module text segment start
++ * address is 0x3ff8011b870 (from file above).
++ *
++ * Adjust the module size and subtract the GOT table
++ * size located at the beginning of the module.
++ */
++ *size -= (*start - m_start);
+ }
+
+ return 0;
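Review bot: The new `*size -= (*start - m_start);` trusts the address read from sysfs without comparing it to the load address or the module size. If the value read from `path` were below `m_start`, or the offset were larger than `*size`, the u64 subtraction would wrap and the module map would get an enormous length. Guard it, for example `if (*start >= m_start && *start - m_start <= *size) *size -= *start - m_start;`, and otherwise keep the unadjusted values and log with `pr_debug2`. Part of the function body, including how `path` is built, lies between the two hunks and is not shown.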
+--- a/tools/perf/util/machine.c
++++ b/tools/perf/util/machine.c
+@@ -1365,6 +1365,7 @@ static int machine__set_modules_path(str
+ return map_groups__set_modules_path_dir(&machine->kmaps, modules_path, 0);
+ }
+ int __weak arch__fix_module_text_start(u64 *start __maybe_unused,
++ u64 *size __maybe_unused,
+ const char *name __maybe_unused)
+ {
+ return 0;
+@@ -1376,7 +1377,7 @@ static int machine__create_module(void *
+ struct machine *machine = arg;
+ struct map *map;
+
+- if (arch__fix_module_text_start(&start, name) < 0)
++ if (arch__fix_module_text_start(&start, &size, name) < 0)
+ return -1;
+
+ map = machine__findnew_module_map(machine, start, name);
+--- a/tools/perf/util/machine.h
++++ b/tools/perf/util/machine.h
+@@ -222,7 +222,7 @@ struct symbol *machine__find_kernel_symb
+
+ struct map *machine__findnew_module_map(struct machine *machine, u64 start,
+ const char *filename);
+-int arch__fix_module_text_start(u64 *start, const char *name);
++int arch__fix_module_text_start(u64 *start, u64 *size, const char *name);
+
+ int machine__load_kallsyms(struct machine *machine, const char *filename);
+
input-usbtouchscreen-initialize-pm-mutex-before-using-it.patch
input-elantech-enable-smbus-on-new-2018-systems.patch
input-synaptics-enable-rmi-mode-for-hp-spectre-x360.patch
+x86-mm-check-for-pfn-instead-of-page-in-vmalloc_sync_one.patch
+x86-mm-sync-also-unmappings-in-vmalloc_sync_all.patch
+mm-vmalloc-sync-unmappings-in-__purge_vmap_area_lazy.patch
+coresight-fix-debug_locks_warn_on-for-uninitialized-attribute.patch
+perf-annotate-fix-s390-gap-between-kernel-end-and-module-start.patch
+perf-db-export-fix-thread__exec_comm.patch
+perf-record-fix-module-size-on-s390.patch
+x86-purgatory-do-not-use-__builtin_memcpy-and-__builtin_memset.patch
+x86-purgatory-use-cflags_remove-rather-than-reset-kbuild_cflags.patch
+genirq-affinity-create-affinity-mask-for-single-vector.patch
+gfs2-gfs2_walk_metadata-fix.patch
+usb-host-xhci-rcar-fix-timeout-in-xhci_suspend.patch
+usb-yurex-fix-use-after-free-in-yurex_delete.patch
+usb-typec-ucsi-ccg-fix-uninitilized-symbol-error.patch
+usb-typec-tcpm-free-log-buf-memory-when-remove-debug-file.patch
+usb-typec-tcpm-remove-tcpm-dir-if-no-children.patch
+usb-typec-tcpm-add-null-check-before-dereferencing-config.patch
+usb-typec-tcpm-ignore-unsupported-unknown-alternate-mode-requests.patch
+can-rcar_canfd-fix-possible-irq-storm-on-high-load.patch
+can-flexcan-fix-stop-mode-acknowledgment.patch
+can-flexcan-fix-an-use-after-free-in-flexcan_setup_stop_mode.patch
+can-peak_usb-fix-potential-double-kfree_skb.patch
--- /dev/null
+From 783bda5e41acc71f98336e1a402c180f9748e5dc Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Fri, 2 Aug 2019 17:33:35 +0900
+Subject: usb: host: xhci-rcar: Fix timeout in xhci_suspend()
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 783bda5e41acc71f98336e1a402c180f9748e5dc upstream.
+
+When a USB device is connected to the host controller and
+the system enters suspend, the following error happens
+in xhci_suspend():
+
+ xhci-hcd ee000000.usb: WARN: xHC CMD_RUN timeout
+
+Since the firmware/internal CPU control the USBSTS.STS_HALT
+and the process speed is down when the roothub port enters U3,
+long delay for the handshake of STS_HALT is neeed in xhci_suspend().
+So, this patch adds to set the XHCI_SLOW_SUSPEND.
+
+Fixes: 435cc1138ec9 ("usb: host: xhci-plat: set resume_quirk() for R-Car controllers")
+Cc: <stable@vger.kernel.org> # v4.12+
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://lore.kernel.org/r/1564734815-17964-1-git-send-email-yoshihiro.shimoda.uh@renesas.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-rcar.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/host/xhci-rcar.c
++++ b/drivers/usb/host/xhci-rcar.c
+@@ -238,10 +238,15 @@ int xhci_rcar_init_quirk(struct usb_hcd
+ * pointers. So, this driver clears the AC64 bit of xhci->hcc_params
+ * to call dma_set_coherent_mask(dev, DMA_BIT_MASK(32)) in
+ * xhci_gen_setup().
++ *
++ * And, since the firmware/internal CPU control the USBSTS.STS_HALT
++ * and the process speed is down when the roothub port enters U3,
++ * long delay for the handshake of STS_HALT is neeed in xhci_suspend().
+ */
+ if (xhci_rcar_is_gen2(hcd->self.controller) ||
+- xhci_rcar_is_gen3(hcd->self.controller))
+- xhci->quirks |= XHCI_NO_64BIT_SUPPORT;
++ xhci_rcar_is_gen3(hcd->self.controller)) {
++ xhci->quirks |= XHCI_NO_64BIT_SUPPORT | XHCI_SLOW_SUSPEND;
++ }
+
+ if (!xhci_rcar_wait_for_pll_active(hcd))
+ return -ETIMEDOUT;
--- /dev/null
+From 1957de95d425d1c06560069dc7277a73a8b28683 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Wed, 24 Jul 2019 07:38:32 -0700
+Subject: usb: typec: tcpm: Add NULL check before dereferencing config
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 1957de95d425d1c06560069dc7277a73a8b28683 upstream.
+
+When instantiating tcpm on an NXP OM 13588 board with NXP PTN5110,
+the following crash is seen when writing into the 'preferred_role'
+sysfs attribute.
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000028
+pgd = f69149ad
+[00000028] *pgd=00000000
+Internal error: Oops: 5 [#1] THUMB2
+Modules linked in: tcpci tcpm
+CPU: 0 PID: 1882 Comm: bash Not tainted 5.1.18-sama5-armv7-r2 #4
+Hardware name: Atmel SAMA5
+PC is at tcpm_try_role+0x3a/0x4c [tcpm]
+LR is at tcpm_try_role+0x15/0x4c [tcpm]
+pc : [<bf8000e2>] lr : [<bf8000bd>] psr: 60030033
+sp : dc1a1e88 ip : c03fb47d fp : 00000000
+r10: dc216190 r9 : dc1a1f78 r8 : 00000001
+r7 : df4ae044 r6 : dd032e90 r5 : dd1ce340 r4 : df4ae054
+r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : df4ae044
+Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA Thumb Segment none
+Control: 50c53c7d Table: 3efec059 DAC: 00000051
+Process bash (pid: 1882, stack limit = 0x6a6d4aa5)
+Stack: (0xdc1a1e88 to 0xdc1a2000)
+1e80: dd05d808 dd1ce340 00000001 00000007 dd1ce340 c03fb4a7
+1ea0: 00000007 00000007 dc216180 00000000 00000000 c01e1e03 00000000 00000000
+1ec0: c0907008 dee98b40 c01e1d5d c06106c4 00000000 00000000 00000007 c0194e8b
+1ee0: 0000000a 00000400 00000000 c01a97db dc22bf00 ffffe000 df4b6a00 df745900
+1f00: 00000001 00000001 000000dd c01a9c2f 7aeab3be c0907008 00000000 dc22bf00
+1f20: c0907008 00000000 00000000 00000000 00000000 7aeab3be 00000007 dee98b40
+1f40: 005dc318 dc1a1f78 00000000 00000000 00000007 c01969f7 0000000a c01a20cb
+1f60: dee98b40 c0907008 dee98b40 005dc318 00000000 c0196b9b 00000000 00000000
+1f80: dee98b40 7aeab3be 00000074 005dc318 b6f3bdb0 00000004 c0101224 dc1a0000
+1fa0: 00000004 c0101001 00000074 005dc318 00000001 005dc318 00000007 00000000
+1fc0: 00000074 005dc318 b6f3bdb0 00000004 00000007 00000007 00000000 00000000
+1fe0: 00000004 be800880 b6ed35b3 b6e5c746 60030030 00000001 00000000 00000000
+[<bf8000e2>] (tcpm_try_role [tcpm]) from [<c03fb4a7>] (preferred_role_store+0x2b/0x5c)
+[<c03fb4a7>] (preferred_role_store) from [<c01e1e03>] (kernfs_fop_write+0xa7/0x150)
+[<c01e1e03>] (kernfs_fop_write) from [<c0194e8b>] (__vfs_write+0x1f/0x104)
+[<c0194e8b>] (__vfs_write) from [<c01969f7>] (vfs_write+0x6b/0x104)
+[<c01969f7>] (vfs_write) from [<c0196b9b>] (ksys_write+0x43/0x94)
+[<c0196b9b>] (ksys_write) from [<c0101001>] (ret_fast_syscall+0x1/0x62)
+
+Since commit 96232cbc6c994 ("usb: typec: tcpm: support get typec and pd
+config from device properties"), the 'config' pointer in struct tcpc_dev
+is optional when registering a Type-C port. Since it is optional, we have
+to check if it is NULL before dereferencing it.
+
+Reported-by: Douglas Gilbert <dgilbert@interlog.com>
+Cc: Douglas Gilbert <dgilbert@interlog.com>
+Fixes: 96232cbc6c994 ("usb: typec: tcpm: support get typec and pd config from device properties")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Jun Li <jun.li@nxp.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/1563979112-22483-1-git-send-email-linux@roeck-us.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/tcpm/tcpm.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -379,7 +379,8 @@ static enum tcpm_state tcpm_default_stat
+ return SNK_UNATTACHED;
+ else if (port->try_role == TYPEC_SOURCE)
+ return SRC_UNATTACHED;
+- else if (port->tcpc->config->default_role == TYPEC_SINK)
++ else if (port->tcpc->config &&
++ port->tcpc->config->default_role == TYPEC_SINK)
+ return SNK_UNATTACHED;
+ /* Fall through to return SRC_UNATTACHED */
+ } else if (port->port_type == TYPEC_PORT_SNK) {
+@@ -4127,7 +4128,7 @@ static int tcpm_try_role(const struct ty
+ mutex_lock(&port->lock);
+ if (tcpc->try_role)
+ ret = tcpc->try_role(tcpc, role);
+- if (!ret && !tcpc->config->try_role_hw)
++ if (!ret && (!tcpc->config || !tcpc->config->try_role_hw))
+ port->try_role = role;
+ port->try_src_count = 0;
+ port->try_snk_count = 0;
+@@ -4714,7 +4715,7 @@ static int tcpm_copy_caps(struct tcpm_po
+ port->typec_caps.prefer_role = tcfg->default_role;
+ port->typec_caps.type = tcfg->type;
+ port->typec_caps.data = tcfg->data;
+- port->self_powered = port->tcpc->config->self_powered;
++ port->self_powered = tcfg->self_powered;
+
+ return 0;
+ }
--- /dev/null
+From fd5da3e2cc61b4a7c877172fdc9348c82cf6ccfc Mon Sep 17 00:00:00 2001
+From: Li Jun <jun.li@nxp.com>
+Date: Wed, 17 Jul 2019 16:06:45 +0800
+Subject: usb: typec: tcpm: free log buf memory when remove debug file
+
+From: Li Jun <jun.li@nxp.com>
+
+commit fd5da3e2cc61b4a7c877172fdc9348c82cf6ccfc upstream.
+
+The logbuffer memory should be freed when remove debug file.
+
+Cc: stable@vger.kernel.org # v4.15+
+Fixes: 4b4e02c83167 ("typec: tcpm: Move out of staging")
+Signed-off-by: Li Jun <jun.li@nxp.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20190717080646.30421-1-jun.li@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/tcpm/tcpm.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -586,6 +586,15 @@ static void tcpm_debugfs_init(struct tcp
+
+ static void tcpm_debugfs_exit(struct tcpm_port *port)
+ {
++ int i;
++
++ mutex_lock(&port->logbuffer_lock);
++ for (i = 0; i < LOG_BUFFER_ENTRIES; i++) {
++ kfree(port->logbuffer[i]);
++ port->logbuffer[i] = NULL;
++ }
++ mutex_unlock(&port->logbuffer_lock);
++
+ debugfs_remove(port->dentry);
+ }
+
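Review bot: The log entries are freed while the debugfs file is still registered, because `debugfs_remove(port->dentry);` only runs after the loop. Anything that can still reach the buffer in that window (a reader of the file or a late log call, neither visible in this hunk) would find NULL slots, and a late logger could presumably allocate again after the free. I would move `debugfs_remove(port->dentry);` above `mutex_lock(&port->logbuffer_lock);` and add a comment over the loop such as `/* debugfs entry is gone, nobody can read the buffer any more */`. Whether the head and tail indices need resetting along with the NULLed slots should be confirmed against the logging code, which is outside the hunk.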
--- /dev/null
+From 88d02c9ba2e83fc22d37ccb1f11c62ea6fc9ae50 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Fri, 2 Aug 2019 09:03:42 -0700
+Subject: usb: typec: tcpm: Ignore unsupported/unknown alternate mode requests
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 88d02c9ba2e83fc22d37ccb1f11c62ea6fc9ae50 upstream.
+
+TCPM may receive PD messages associated with unknown or unsupported
+alternate modes. If that happens, calls to typec_match_altmode()
+will return NULL. The tcpm code does not currently take this into
+account. This results in crashes.
+
+Unable to handle kernel NULL pointer dereference at virtual address 000001f0
+pgd = 41dad9a1
+[000001f0] *pgd=00000000
+Internal error: Oops: 5 [#1] THUMB2
+Modules linked in: tcpci tcpm
+CPU: 0 PID: 2338 Comm: kworker/u2:0 Not tainted 5.1.18-sama5-armv7-r2 #6
+Hardware name: Atmel SAMA5
+Workqueue: 2-0050 tcpm_pd_rx_handler [tcpm]
+PC is at typec_altmode_attention+0x0/0x14
+LR is at tcpm_pd_rx_handler+0xa3b/0xda0 [tcpm]
+...
+[<c03fbee8>] (typec_altmode_attention) from [<bf8030fb>]
+ (tcpm_pd_rx_handler+0xa3b/0xda0 [tcpm])
+[<bf8030fb>] (tcpm_pd_rx_handler [tcpm]) from [<c012082b>]
+ (process_one_work+0x123/0x2a8)
+[<c012082b>] (process_one_work) from [<c0120a6d>]
+ (worker_thread+0xbd/0x3b0)
+[<c0120a6d>] (worker_thread) from [<c012431f>] (kthread+0xcf/0xf4)
+[<c012431f>] (kthread) from [<c01010f9>] (ret_from_fork+0x11/0x38)
+
+Ignore PD messages if the associated alternate mode is not supported.
+
+Fixes: e9576fe8e605c ("usb: typec: tcpm: Support for Alternate Modes")
+Cc: stable <stable@vger.kernel.org>
+Reported-by: Douglas Gilbert <dgilbert@interlog.com>
+Cc: Douglas Gilbert <dgilbert@interlog.com>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Tested-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/1564761822-13984-1-git-send-email-linux@roeck-us.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/tcpm/tcpm.c | 36 +++++++++++++++++++++++-------------
+ 1 file changed, 23 insertions(+), 13 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -1109,7 +1109,8 @@ static int tcpm_pd_svdm(struct tcpm_port
+ break;
+ case CMD_ATTENTION:
+ /* Attention command does not have response */
+- typec_altmode_attention(adev, p[1]);
++ if (adev)
++ typec_altmode_attention(adev, p[1]);
+ return 0;
+ default:
+ break;
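Review bot: The `if (adev)` guard added here, and the `if (adev && pdev)` and `if (adev)` guards in the later hunks of this function, carry no comment saying when the pointers are NULL, so a reader cannot tell a deliberate ignore from a defensive check. Per the commit message the case is a PD message for an alternate mode that `typec_match_altmode()` does not find. Say so once where `adev` and `pdev` are looked up (outside this hunk), e.g. `/* adev/pdev are NULL for alternate modes we do not support; such VDMs are ignored */`. Because the message contents come from the attached port partner, a rate-limited debug log on the ignored path would also help when triaging a misbehaving device. tcpm_pd_svdm() starts and ends outside the hunk.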
+@@ -1161,20 +1162,26 @@ static int tcpm_pd_svdm(struct tcpm_port
+ }
+ break;
+ case CMD_ENTER_MODE:
+- typec_altmode_update_active(pdev, true);
++ if (adev && pdev) {
++ typec_altmode_update_active(pdev, true);
+
+- if (typec_altmode_vdm(adev, p[0], &p[1], cnt)) {
+- response[0] = VDO(adev->svid, 1, CMD_EXIT_MODE);
+- response[0] |= VDO_OPOS(adev->mode);
+- return 1;
++ if (typec_altmode_vdm(adev, p[0], &p[1], cnt)) {
++ response[0] = VDO(adev->svid, 1,
++ CMD_EXIT_MODE);
++ response[0] |= VDO_OPOS(adev->mode);
++ return 1;
++ }
+ }
+ return 0;
+ case CMD_EXIT_MODE:
+- typec_altmode_update_active(pdev, false);
++ if (adev && pdev) {
++ typec_altmode_update_active(pdev, false);
+
+- /* Back to USB Operation */
+- WARN_ON(typec_altmode_notify(adev, TYPEC_STATE_USB,
+- NULL));
++ /* Back to USB Operation */
++ WARN_ON(typec_altmode_notify(adev,
++ TYPEC_STATE_USB,
++ NULL));
++ }
+ break;
+ default:
+ break;
+@@ -1184,8 +1191,10 @@ static int tcpm_pd_svdm(struct tcpm_port
+ switch (cmd) {
+ case CMD_ENTER_MODE:
+ /* Back to USB Operation */
+- WARN_ON(typec_altmode_notify(adev, TYPEC_STATE_USB,
+- NULL));
++ if (adev)
++ WARN_ON(typec_altmode_notify(adev,
++ TYPEC_STATE_USB,
++ NULL));
+ break;
+ default:
+ break;
+@@ -1196,7 +1205,8 @@ static int tcpm_pd_svdm(struct tcpm_port
+ }
+
+ /* Informing the alternate mode drivers about everything */
+- typec_altmode_vdm(adev, p[0], &p[1], cnt);
++ if (adev)
++ typec_altmode_vdm(adev, p[0], &p[1], cnt);
+
+ return rlen;
+ }
--- /dev/null
+From 12ca7297b8855c0af1848503d37196159b24e6b9 Mon Sep 17 00:00:00 2001
+From: Li Jun <jun.li@nxp.com>
+Date: Wed, 17 Jul 2019 16:06:46 +0800
+Subject: usb: typec: tcpm: remove tcpm dir if no children
+
+From: Li Jun <jun.li@nxp.com>
+
+commit 12ca7297b8855c0af1848503d37196159b24e6b9 upstream.
+
+If config tcpm as module, module unload will not remove tcpm dir,
+then the next module load will have problem: the rootdir is NULL
+but tcpm dir is still there, so tcpm_debugfs_init() will create
+tcpm dir again with failure, fix it by remove the tcpm dir if no
+children.
+
+Cc: stable@vger.kernel.org # v4.15+
+Fixes: 4b4e02c83167 ("typec: tcpm: Move out of staging")
+Signed-off-by: Li Jun <jun.li@nxp.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20190717080646.30421-2-jun.li@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/tcpm/tcpm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -596,6 +596,10 @@ static void tcpm_debugfs_exit(struct tcp
+ mutex_unlock(&port->logbuffer_lock);
+
+ debugfs_remove(port->dentry);
++ if (list_empty(&rootdir->d_subdirs)) {
++ debugfs_remove(rootdir);
++ rootdir = NULL;
++ }
+ }
+
+ #else
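Review bot: `list_empty(&rootdir->d_subdirs)` dereferences the shared `rootdir` without checking it, and the test-then-remove runs after `logbuffer_lock` has been dropped, so nothing visible in this hunk serialises it against another port's init or exit. If `rootdir` can be NULL or an error pointer at this point (it is assigned in tcpm_debugfs_init(), outside the hunk), this faults. `if (!IS_ERR_OR_NULL(rootdir) && list_empty(&rootdir->d_subdirs)) {` would make the teardown safe. A comment should also state which lock, if any, protects `rootdir`.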
--- /dev/null
+From a29d56c2ed24ad33062bfdafdec9e34149715320 Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Thu, 1 Aug 2019 10:55:12 +0300
+Subject: usb: typec: ucsi: ccg: Fix uninitilized symbol error
+
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+
+commit a29d56c2ed24ad33062bfdafdec9e34149715320 upstream.
+
+Fix smatch error:
+drivers/usb/typec/ucsi/ucsi_ccg.c:975 ccg_fw_update() error: uninitialized symbol 'err'.
+
+Fixes: 5c9ae5a87573 ("usb: typec: ucsi: ccg: add firmware flashing support")
+Cc: stable@vger.kernel.org
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20190801075512.24354-1-heikki.krogerus@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/ucsi/ucsi_ccg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/ucsi/ucsi_ccg.c
++++ b/drivers/usb/typec/ucsi/ucsi_ccg.c
+@@ -963,7 +963,7 @@ release_fw:
+ ******************************************************************************/
+ static int ccg_fw_update(struct ucsi_ccg *uc, enum enum_flash_mode flash_mode)
+ {
+- int err;
++ int err = 0;
+
+ while (flash_mode != FLASH_NOT_NEEDED) {
+ err = do_flash(uc, flash_mode);
--- /dev/null
+From fc05481b2fcabaaeccf63e32ac1baab54e5b6963 Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Mon, 5 Aug 2019 12:15:28 +0100
+Subject: usb: yurex: Fix use-after-free in yurex_delete
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+commit fc05481b2fcabaaeccf63e32ac1baab54e5b6963 upstream.
+
+syzbot reported the following crash [0]:
+
+BUG: KASAN: use-after-free in usb_free_coherent+0x79/0x80
+drivers/usb/core/usb.c:928
+Read of size 8 at addr ffff8881b18599c8 by task syz-executor.4/16007
+
+CPU: 0 PID: 16007 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #23
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xca/0x13e lib/dump_stack.c:113
+ print_address_description+0x6a/0x32c mm/kasan/report.c:351
+ __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
+ kasan_report+0xe/0x12 mm/kasan/common.c:612
+ usb_free_coherent+0x79/0x80 drivers/usb/core/usb.c:928
+ yurex_delete+0x138/0x330 drivers/usb/misc/yurex.c:100
+ kref_put include/linux/kref.h:65 [inline]
+ yurex_release+0x66/0x90 drivers/usb/misc/yurex.c:392
+ __fput+0x2d7/0x840 fs/file_table.c:280
+ task_work_run+0x13f/0x1c0 kernel/task_work.c:113
+ tracehook_notify_resume include/linux/tracehook.h:188 [inline]
+ exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
+ prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
+ syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
+ do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x413511
+Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48
+83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48
+89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
+RSP: 002b:00007ffc424ea2e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
+RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000413511
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
+RBP: 0000000000000001 R08: 0000000029a2fc22 R09: 0000000029a2fc26
+R10: 00007ffc424ea3c0 R11: 0000000000000293 R12: 000000000075c9a0
+R13: 000000000075c9a0 R14: 0000000000761938 R15: ffffffffffffffff
+
+Allocated by task 2776:
+ save_stack+0x1b/0x80 mm/kasan/common.c:69
+ set_track mm/kasan/common.c:77 [inline]
+ __kasan_kmalloc mm/kasan/common.c:487 [inline]
+ __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
+ kmalloc include/linux/slab.h:552 [inline]
+ kzalloc include/linux/slab.h:748 [inline]
+ usb_alloc_dev+0x51/0xf95 drivers/usb/core/usb.c:583
+ hub_port_connect drivers/usb/core/hub.c:5004 [inline]
+ hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
+ port_event drivers/usb/core/hub.c:5359 [inline]
+ hub_event+0x15c0/0x3640 drivers/usb/core/hub.c:5441
+ process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
+ worker_thread+0x96/0xe20 kernel/workqueue.c:2415
+ kthread+0x318/0x420 kernel/kthread.c:255
+ ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
+
+Freed by task 16007:
+ save_stack+0x1b/0x80 mm/kasan/common.c:69
+ set_track mm/kasan/common.c:77 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
+ slab_free_hook mm/slub.c:1423 [inline]
+ slab_free_freelist_hook mm/slub.c:1470 [inline]
+ slab_free mm/slub.c:3012 [inline]
+ kfree+0xe4/0x2f0 mm/slub.c:3953
+ device_release+0x71/0x200 drivers/base/core.c:1064
+ kobject_cleanup lib/kobject.c:693 [inline]
+ kobject_release lib/kobject.c:722 [inline]
+ kref_put include/linux/kref.h:65 [inline]
+ kobject_put+0x171/0x280 lib/kobject.c:739
+ put_device+0x1b/0x30 drivers/base/core.c:2213
+ usb_put_dev+0x1f/0x30 drivers/usb/core/usb.c:725
+ yurex_delete+0x40/0x330 drivers/usb/misc/yurex.c:95
+ kref_put include/linux/kref.h:65 [inline]
+ yurex_release+0x66/0x90 drivers/usb/misc/yurex.c:392
+ __fput+0x2d7/0x840 fs/file_table.c:280
+ task_work_run+0x13f/0x1c0 kernel/task_work.c:113
+ tracehook_notify_resume include/linux/tracehook.h:188 [inline]
+ exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
+ prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
+ syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
+ do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8881b1859980
+ which belongs to the cache kmalloc-2k of size 2048
+The buggy address is located 72 bytes inside of
+ 2048-byte region [ffff8881b1859980, ffff8881b185a180)
+The buggy address belongs to the page:
+page:ffffea0006c61600 refcount:1 mapcount:0 mapping:ffff8881da00c000
+index:0x0 compound_mapcount: 0
+flags: 0x200000000010200(slab|head)
+raw: 0200000000010200 0000000000000000 0000000100000001 ffff8881da00c000
+raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881b1859880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff8881b1859900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+> ffff8881b1859980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8881b1859a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8881b1859a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+A quick look at the yurex_delete() shows that we drop the reference
+to the usb_device before releasing any buffers associated with the
+device. Delay the reference drop until we have finished the cleanup.
+
+[0] https://lore.kernel.org/lkml/0000000000003f86d8058f0bd671@google.com/
+
+Fixes: 6bc235a2e24a5e ("USB: add driver for Meywa-Denki & Kayac YUREX")
+Cc: Jiri Kosina <jkosina@suse.cz>
+Cc: Tomoki Sekiyama <tomoki.sekiyama@gmail.com>
+Cc: Oliver Neukum <oneukum@suse.com>
+Cc: andreyknvl@google.com
+Cc: gregkh@linuxfoundation.org
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Cc: syzkaller-bugs@googlegroups.com
+Cc: dtor@chromium.org
+Reported-by: syzbot+d1fedb1c1fdb07fca507@syzkaller.appspotmail.com
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190805111528.6758-1-suzuki.poulose@arm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/yurex.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/yurex.c
++++ b/drivers/usb/misc/yurex.c
+@@ -92,7 +92,6 @@ static void yurex_delete(struct kref *kr
+
+ dev_dbg(&dev->interface->dev, "%s\n", __func__);
+
+- usb_put_dev(dev->udev);
+ if (dev->cntl_urb) {
+ usb_kill_urb(dev->cntl_urb);
+ kfree(dev->cntl_req);
+@@ -108,6 +107,7 @@ static void yurex_delete(struct kref *kr
+ dev->int_buffer, dev->urb->transfer_dma);
+ usb_free_urb(dev->urb);
+ }
++ usb_put_dev(dev->udev);
+ kfree(dev);
+ }
+
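Review bot: Nothing in the code records why `usb_put_dev(dev->udev);` now has to come last, so a later cleanup could move it back and reintroduce the use-after-free shown in the KASAN report. Add a comment above the moved call, e.g. `/* drop the usb_device reference only after the URBs and coherent buffers that use dev->udev are released */`. The early call is removed in the first hunk of this patch, and the start of yurex_delete() is outside both hunks.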
--- /dev/null
+From 51b75b5b563a2637f9d8dc5bd02a31b2ff9e5ea0 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Fri, 19 Jul 2019 20:46:50 +0200
+Subject: x86/mm: Check for pfn instead of page in vmalloc_sync_one()
+
+From: Joerg Roedel <jroedel@suse.de>
+
+commit 51b75b5b563a2637f9d8dc5bd02a31b2ff9e5ea0 upstream.
+
+Do not require a struct page for the mapped memory location because it
+might not exist. This can happen when an ioremapped region is mapped with
+2MB pages.
+
+Fixes: 5d72b4fba40ef ('x86, mm: support huge I/O mapping capability I/F')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
+Link: https://lkml.kernel.org/r/20190719184652.11391-2-joro@8bytes.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/fault.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/mm/fault.c
++++ b/arch/x86/mm/fault.c
+@@ -200,7 +200,7 @@ static inline pmd_t *vmalloc_sync_one(pg
+ if (!pmd_present(*pmd))
+ set_pmd(pmd, *pmd_k);
+ else
+- BUG_ON(pmd_page(*pmd) != pmd_page(*pmd_k));
++ BUG_ON(pmd_pfn(*pmd) != pmd_pfn(*pmd_k));
+
+ return pmd_k;
+ }
--- /dev/null
+From 8e998fc24de47c55b47a887f6c95ab91acd4a720 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Fri, 19 Jul 2019 20:46:51 +0200
+Subject: x86/mm: Sync also unmappings in vmalloc_sync_all()
+
+From: Joerg Roedel <jroedel@suse.de>
+
+commit 8e998fc24de47c55b47a887f6c95ab91acd4a720 upstream.
+
+With huge-page ioremap areas the unmappings also need to be synced between
+all page-tables. Otherwise it can cause data corruption when a region is
+unmapped and later re-used.
+
+Make the vmalloc_sync_one() function ready to sync unmappings and make sure
+vmalloc_sync_all() iterates over all page-tables even when an unmapped PMD
+is found.
+
+Fixes: 5d72b4fba40ef ('x86, mm: support huge I/O mapping capability I/F')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
+Link: https://lkml.kernel.org/r/20190719184652.11391-3-joro@8bytes.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/fault.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/mm/fault.c
++++ b/arch/x86/mm/fault.c
+@@ -194,11 +194,12 @@ static inline pmd_t *vmalloc_sync_one(pg
+
+ pmd = pmd_offset(pud, address);
+ pmd_k = pmd_offset(pud_k, address);
+- if (!pmd_present(*pmd_k))
+- return NULL;
+
+- if (!pmd_present(*pmd))
++ if (pmd_present(*pmd) != pmd_present(*pmd_k))
+ set_pmd(pmd, *pmd_k);
++
++ if (!pmd_present(*pmd_k))
++ return NULL;
+ else
+ BUG_ON(pmd_pfn(*pmd) != pmd_pfn(*pmd_k));
+
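Review bot: The new test `pmd_present(*pmd) != pmd_present(*pmd_k)` compares raw return values, which is a presence comparison only if `pmd_present()` yields 0 or 1. On x86 it returns a masked flag word as far as I know, so two present entries with different flag bits would also compare unequal. In that case `set_pmd()` overwrites the existing entry and the `BUG_ON` below can no longer fire for that mismatch. Normalising both sides, `if (!pmd_present(*pmd) != !pmd_present(*pmd_k))`, limits the write to the mapped/unmapped difference the commit message describes. The `else` after `return NULL;` is also redundant now; vmalloc_sync_one() begins outside the hunk.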
+@@ -220,17 +221,13 @@ void vmalloc_sync_all(void)
+ spin_lock(&pgd_lock);
+ list_for_each_entry(page, &pgd_list, lru) {
+ spinlock_t *pgt_lock;
+- pmd_t *ret;
+
+ /* the pgt_lock only for Xen */
+ pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
+
+ spin_lock(pgt_lock);
+- ret = vmalloc_sync_one(page_address(page), address);
++ vmalloc_sync_one(page_address(page), address);
+ spin_unlock(pgt_lock);
+-
+- if (!ret)
+- break;
+ }
+ spin_unlock(&pgd_lock);
+ }
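Review bot: The loop in vmalloc_sync_all() now discards the result of `vmalloc_sync_one()` without a comment, so a later reader may reinstate the early `break` as an optimisation. A comment above the call would state the intent given in the commit message, e.g. `/* no early exit: an unmapped PMD must be propagated to every page table */`. The start of the function is outside the hunk.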
--- /dev/null
+From 4ce97317f41d38584fb93578e922fcd19e535f5b Mon Sep 17 00:00:00 2001
+From: Nick Desaulniers <ndesaulniers@google.com>
+Date: Wed, 7 Aug 2019 15:15:32 -0700
+Subject: x86/purgatory: Do not use __builtin_memcpy and __builtin_memset
+
+From: Nick Desaulniers <ndesaulniers@google.com>
+
+commit 4ce97317f41d38584fb93578e922fcd19e535f5b upstream.
+
+Implementing memcpy and memset in terms of __builtin_memcpy and
+__builtin_memset is problematic.
+
+GCC at -O2 will replace calls to the builtins with calls to memcpy and
+memset (but will generate an inline implementation at -Os). Clang will
+replace the builtins with these calls regardless of optimization level.
+$ llvm-objdump -dr arch/x86/purgatory/string.o | tail
+
+0000000000000339 memcpy:
+ 339: 48 b8 00 00 00 00 00 00 00 00 movabsq $0, %rax
+ 000000000000033b: R_X86_64_64 memcpy
+ 343: ff e0 jmpq *%rax
+
+0000000000000345 memset:
+ 345: 48 b8 00 00 00 00 00 00 00 00 movabsq $0, %rax
+ 0000000000000347: R_X86_64_64 memset
+ 34f: ff e0
+
+Such code results in infinite recursion at runtime. This is observed
+when doing kexec.
+
+Instead, reuse an implementation from arch/x86/boot/compressed/string.c.
+This requires to implement a stub function for warn(). Also, Clang may
+lower memcmp's that compare against 0 to bcmp's, so add a small definition,
+too. See also: commit 5f074f3e192f ("lib/string.c: implement a basic bcmp")
+
+Fixes: 8fc5b4d4121c ("purgatory: core purgatory functionality")
+Reported-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
+Debugged-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
+Debugged-by: Manoj Gupta <manojgupta@google.com>
+Suggested-by: Alistair Delva <adelva@google.com>
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
+Cc: stable@vger.kernel.org
+Link: https://bugs.chromium.org/p/chromium/issues/detail?id=984056
+Link: https://lkml.kernel.org/r/20190807221539.94583-1-ndesaulniers@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/boot/string.c | 8 ++++++++
+ arch/x86/purgatory/Makefile | 3 +++
+ arch/x86/purgatory/purgatory.c | 6 ++++++
+ arch/x86/purgatory/string.c | 23 -----------------------
+ 4 files changed, 17 insertions(+), 23 deletions(-)
+
+--- a/arch/x86/boot/string.c
++++ b/arch/x86/boot/string.c
+@@ -37,6 +37,14 @@ int memcmp(const void *s1, const void *s
+ return diff;
+ }
+
++/*
++ * Clang may lower `memcmp == 0` to `bcmp == 0`.
++ */
++int bcmp(const void *s1, const void *s2, size_t len)
++{
++ return memcmp(s1, s2, len);
++}
++
+ int strcmp(const char *str1, const char *str2)
+ {
+ const unsigned char *s1 = (const unsigned char *)str1;
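Review bot: `bcmp()` is defined here but no declaration is added anywhere in this patch, so unless a header already declares it, builds with `-Wmissing-prototypes` would warn on the definition. Adding `int bcmp(const void *s1, const void *s2, size_t len);` next to the `memcmp()` declaration in the header this file uses would cover that. The comment could also state that the symbol is emitted by the compiler and not called from source, e.g. `/* Not called directly: Clang may lower memcmp() == 0 to bcmp() == 0. */`.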
+--- a/arch/x86/purgatory/Makefile
++++ b/arch/x86/purgatory/Makefile
+@@ -6,6 +6,9 @@ purgatory-y := purgatory.o stack.o setup
+ targets += $(purgatory-y)
+ PURGATORY_OBJS = $(addprefix $(obj)/,$(purgatory-y))
+
++$(obj)/string.o: $(srctree)/arch/x86/boot/compressed/string.c FORCE
++ $(call if_changed_rule,cc_o_c)
++
+ $(obj)/sha256.o: $(srctree)/lib/sha256.c FORCE
+ $(call if_changed_rule,cc_o_c)
+
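Review bot: The new `$(obj)/string.o` rule builds from arch/x86/boot/compressed/string.c, and nothing in the patch shows that this file still provides `memcmp()`, `strcmp()` and the new `bcmp()`. The deleted arch/x86/purgatory/string.c got them by including `../boot/string.c`; presumably the compressed variant includes that file too, which should be confirmed. A comment on the rule would make the dependency explicit, e.g. `# built from the decompressor's string.c: real memcpy()/memset(), plus boot/string.c via #include`.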
+--- a/arch/x86/purgatory/purgatory.c
++++ b/arch/x86/purgatory/purgatory.c
+@@ -68,3 +68,9 @@ void purgatory(void)
+ }
+ copy_backup_region();
+ }
++
++/*
++ * Defined in order to reuse memcpy() and memset() from
++ * arch/x86/boot/compressed/string.c
++ */
++void warn(const char *msg) {}
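Review bot: The `warn()` stub added at the end of purgatory.c silently discards whatever the reused string routines report, and its comment does not say so. If arch/x86/boot/compressed/string.c calls `warn()` to flag a bad copy (not visible in this patch), that condition now passes unnoticed during kexec. The comment should record the trade-off, for instance by adding `the message is intentionally dropped because purgatory has no way to print it`, if that is indeed the reason. No prototype for `warn()` is visible in the hunk either, so one may be needed to avoid a missing-prototypes warning.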
+--- a/arch/x86/purgatory/string.c
++++ /dev/null
+@@ -1,23 +0,0 @@
+-// SPDX-License-Identifier: GPL-2.0-only
+-/*
+- * Simple string functions.
+- *
+- * Copyright (C) 2014 Red Hat Inc.
+- *
+- * Author:
+- * Vivek Goyal <vgoyal@redhat.com>
+- */
+-
+-#include <linux/types.h>
+-
+-#include "../boot/string.c"
+-
+-void *memcpy(void *dst, const void *src, size_t len)
+-{
+- return __builtin_memcpy(dst, src, len);
+-}
+-
+-void *memset(void *dst, int c, size_t len)
+-{
+- return __builtin_memset(dst, c, len);
+-}
--- /dev/null
+From b059f801a937d164e03b33c1848bb3dca67c0b04 Mon Sep 17 00:00:00 2001
+From: Nick Desaulniers <ndesaulniers@google.com>
+Date: Wed, 7 Aug 2019 15:15:33 -0700
+Subject: x86/purgatory: Use CFLAGS_REMOVE rather than reset KBUILD_CFLAGS
+
+From: Nick Desaulniers <ndesaulniers@google.com>
+
+commit b059f801a937d164e03b33c1848bb3dca67c0b04 upstream.
+
+KBUILD_CFLAGS is very carefully built up in the top level Makefile,
+particularly when cross compiling or using different build tools.
+Resetting KBUILD_CFLAGS via := assignment is an antipattern.
+
+The comment above the reset mentions that -pg is problematic. Other
+Makefiles use `CFLAGS_REMOVE_file.o = $(CC_FLAGS_FTRACE)` when
+CONFIG_FUNCTION_TRACER is set. Prefer that pattern to wiping out all of
+the important KBUILD_CFLAGS then manually having to re-add them. Seems
+also that __stack_chk_fail references are generated when using
+CONFIG_STACKPROTECTOR or CONFIG_STACKPROTECTOR_STRONG.
+
+Fixes: 8fc5b4d4121c ("purgatory: core purgatory functionality")
+Reported-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
+Suggested-by: Peter Zijlstra <peterz@infradead.org>
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190807221539.94583-2-ndesaulniers@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/purgatory/Makefile | 31 +++++++++++++++++++++++++++----
+ 1 file changed, 27 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/purgatory/Makefile
++++ b/arch/x86/purgatory/Makefile
+@@ -20,11 +20,34 @@ KCOV_INSTRUMENT := n
+
+ # Default KBUILD_CFLAGS can have -pg option set when FTRACE is enabled. That
+ # in turn leaves some undefined symbols like __fentry__ in purgatory and not
+-# sure how to relocate those. Like kexec-tools, use custom flags.
++# sure how to relocate those.
++ifdef CONFIG_FUNCTION_TRACER
++CFLAGS_REMOVE_sha256.o += $(CC_FLAGS_FTRACE)
++CFLAGS_REMOVE_purgatory.o += $(CC_FLAGS_FTRACE)
++CFLAGS_REMOVE_string.o += $(CC_FLAGS_FTRACE)
++CFLAGS_REMOVE_kexec-purgatory.o += $(CC_FLAGS_FTRACE)
++endif
+
+-KBUILD_CFLAGS := -fno-strict-aliasing -Wall -Wstrict-prototypes -fno-zero-initialized-in-bss -fno-builtin -ffreestanding -c -Os -mcmodel=large
+-KBUILD_CFLAGS += -m$(BITS)
+-KBUILD_CFLAGS += $(call cc-option,-fno-PIE)
++ifdef CONFIG_STACKPROTECTOR
++CFLAGS_REMOVE_sha256.o += -fstack-protector
++CFLAGS_REMOVE_purgatory.o += -fstack-protector
++CFLAGS_REMOVE_string.o += -fstack-protector
++CFLAGS_REMOVE_kexec-purgatory.o += -fstack-protector
++endif
++
++ifdef CONFIG_STACKPROTECTOR_STRONG
++CFLAGS_REMOVE_sha256.o += -fstack-protector-strong
++CFLAGS_REMOVE_purgatory.o += -fstack-protector-strong
++CFLAGS_REMOVE_string.o += -fstack-protector-strong
++CFLAGS_REMOVE_kexec-purgatory.o += -fstack-protector-strong
++endif
++
++ifdef CONFIG_RETPOLINE
++CFLAGS_REMOVE_sha256.o += $(RETPOLINE_CFLAGS)
++CFLAGS_REMOVE_purgatory.o += $(RETPOLINE_CFLAGS)
++CFLAGS_REMOVE_string.o += $(RETPOLINE_CFLAGS)
++CFLAGS_REMOVE_kexec-purgatory.o += $(RETPOLINE_CFLAGS)
++endif
+
+ $(obj)/purgatory.ro: $(PURGATORY_OBJS) FORCE
+ $(call if_changed,ld)
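Review bot: Deleting the `KBUILD_CFLAGS :=` line also drops `-mcmodel=large`, `-ffreestanding`, `-fno-builtin` and `-fno-zero-initialized-in-bss`, and this hunk does not add them back for the purgatory objects. Unless the inherited top-level flags supply equivalents, that changes the code model and builtin handling of code that runs standalone during kexec. Re-adding them per object would keep the previous guarantees, e.g. `CFLAGS_purgatory.o += -mcmodel=large -ffreestanding -fno-zero-initialized-in-bss`, and likewise for sha256.o, string.o and kexec-purgatory.o. With a removal list, any instrumentation flag later added to KBUILD_CFLAGS is inherited by default, so the comment above the block should say that such flags need an entry here. The rest of the Makefile is outside the hunk.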