From: Sasha Levin Date: Thu, 4 Apr 2019 03:43:25 +0000 (-0400) Subject: fixes for 4.14 X-Git-Tag: v4.9.168~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=04fd09d45ee729cdc9c6607eaddbde2530805dbf;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/acpi-video-extend-chassis-type-detection-with-a-lunc.patch b/queue-4.14/acpi-video-extend-chassis-type-detection-with-a-lunc.patch new file mode 100644 index 00000000000..e42c02cc63c --- /dev/null +++ b/queue-4.14/acpi-video-extend-chassis-type-detection-with-a-lunc.patch @@ -0,0 +1,47 @@ +From a4e4dcaa9b54241e1641f4ce06703a337ee9ba08 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 7 Jan 2019 17:08:21 +0100 +Subject: ACPI / video: Extend chassis-type detection with a "Lunch Box" check + +[ Upstream commit d693c008e3ca04db5916ff72e68ce661888a913b ] + +Commit 53fa1f6e8a59 ("ACPI / video: Only default only_lcd to true on +Win8-ready _desktops_") introduced chassis type detection, limiting the +lcd_only check for the backlight to devices where the chassis-type +indicates their is no builtin LCD panel. + +The purpose of the lcd_only check is to avoid advertising a backlight +interface on desktops, since skylake and newer machines seem to always +have a backlight interface even if there is no LCD panel. The limiting +of this check to desktops only was done to avoid breaking backlight +support on some laptops which do not have the lcd flag set. + +The Fujitsu ESPRIMO Q910 which is a compact (NUC like) desktop machine +has a chassis type of 0x10 aka "Lunch Box". Without the lcd_only check +we end up falsely advertising backlight/brightness control on this +device. This commit extend the dmi_is_desktop check to return true +for type 0x10 to fix this. + +Fixes: 53fa1f6e8a59 ("ACPI / video: Only default only_lcd to true ...") +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_video.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c +index 9f56c066227c..e39a1489cc72 100644 +--- a/drivers/acpi/acpi_video.c ++++ b/drivers/acpi/acpi_video.c +@@ -2142,6 +2142,7 @@ static bool dmi_is_desktop(void) + case 0x05: /* Pizza Box */ + case 0x06: /* Mini Tower */ + case 0x07: /* Tower */ ++ case 0x10: /* Lunch Box */ + case 0x11: /* Main Server Chassis */ + return true; + } +-- +2.19.1 + diff --git a/queue-4.14/acpi-video-refactor-and-fix-dmi_is_desktop.patch b/queue-4.14/acpi-video-refactor-and-fix-dmi_is_desktop.patch new file mode 100644 index 00000000000..e0e30b6e223 --- /dev/null +++ b/queue-4.14/acpi-video-refactor-and-fix-dmi_is_desktop.patch @@ -0,0 +1,72 @@ +From 0983dfeddf3ee80c655c1254533a66fae89cf945 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 7 Jan 2019 17:08:20 +0100 +Subject: ACPI / video: Refactor and fix dmi_is_desktop() + +[ Upstream commit cecf3e3e0803462335e25d083345682518097334 ] + +This commit refactors the chassis-type detection introduced by +commit 53fa1f6e8a59 ("ACPI / video: Only default only_lcd to true on +Win8-ready _desktops_") (where desktop means anything without a builtin +screen). + +The DMI chassis_type is an unsigned integer, so rather then doing a +whole bunch of string-compares on it, convert it to an int and feed +the result to a switch case. + +Note the switch case uses hex values, this is done because the spec +uses hex values too. This changes the check for "Main Server Chassis" +from checking for 11 decimal to 11 hexadecimal, this is a bug fix, +the original check for 11 decimal was wrong. + +Fixes: 53fa1f6e8a59 ("ACPI / video: Only default only_lcd to true ...") +Signed-off-by: Hans de Goede +[ rjw: Drop redundant return statements ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_video.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c +index dbdd460a9958..9f56c066227c 100644 +--- a/drivers/acpi/acpi_video.c ++++ b/drivers/acpi/acpi_video.c +@@ -2123,21 +2123,28 @@ static int __init intel_opregion_present(void) + return opregion; + } + ++/* Check if the chassis-type indicates there is no builtin LCD panel */ + static bool dmi_is_desktop(void) + { + const char *chassis_type; ++ unsigned long type; + + chassis_type = dmi_get_system_info(DMI_CHASSIS_TYPE); + if (!chassis_type) + return false; + +- if (!strcmp(chassis_type, "3") || /* 3: Desktop */ +- !strcmp(chassis_type, "4") || /* 4: Low Profile Desktop */ +- !strcmp(chassis_type, "5") || /* 5: Pizza Box */ +- !strcmp(chassis_type, "6") || /* 6: Mini Tower */ +- !strcmp(chassis_type, "7") || /* 7: Tower */ +- !strcmp(chassis_type, "11")) /* 11: Main Server Chassis */ ++ if (kstrtoul(chassis_type, 10, &type) != 0) ++ return false; ++ ++ switch (type) { ++ case 0x03: /* Desktop */ ++ case 0x04: /* Low Profile Desktop */ ++ case 0x05: /* Pizza Box */ ++ case 0x06: /* Mini Tower */ ++ case 0x07: /* Tower */ ++ case 0x11: /* Main Server Chassis */ + return true; ++ } + + return false; + } +-- +2.19.1 + diff --git a/queue-4.14/alsa-pcm-check-if-ops-are-defined-before-suspending-.patch b/queue-4.14/alsa-pcm-check-if-ops-are-defined-before-suspending-.patch new file mode 100644 index 00000000000..2d197b87848 --- /dev/null +++ b/queue-4.14/alsa-pcm-check-if-ops-are-defined-before-suspending-.patch @@ -0,0 +1,49 @@ +From f471c1f0eee7ff112d7d6a37dc988045aeec7116 Mon Sep 17 00:00:00 2001 +From: Ranjani Sridharan +Date: Fri, 8 Feb 2019 17:29:53 -0600 +Subject: ALSA: PCM: check if ops are defined before suspending PCM + +[ Upstream commit d9c0b2afe820fa3b3f8258a659daee2cc71ca3ef ] + +BE dai links only have internal PCM's and their substream ops may +not be set. Suspending these PCM's will result in their + ops->trigger() being invoked and cause a kernel oops. +So skip suspending PCM's if their ops are NULL. + +[ NOTE: this change is required now for following the recent PCM core + change to get rid of snd_pcm_suspend() call. Since DPCM BE takes + the runtime carried from FE while keeping NULL ops, it can hit this + bug. See details at: + https://github.com/thesofproject/linux/pull/582 + -- tiwai ] + +Signed-off-by: Ranjani Sridharan +Signed-off-by: Pierre-Louis Bossart +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/pcm_native.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index 1a63d456a3dc..182e4afd21eb 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -1482,6 +1482,14 @@ int snd_pcm_suspend_all(struct snd_pcm *pcm) + /* FIXME: the open/close code should lock this as well */ + if (substream->runtime == NULL) + continue; ++ ++ /* ++ * Skip BE dai link PCM's that are internal and may ++ * not have their substream ops set. ++ */ ++ if (!substream->ops) ++ continue; ++ + err = snd_pcm_suspend(substream); + if (err < 0 && err != -EBUSY) + return err; +-- +2.19.1 + diff --git a/queue-4.14/arm-8830-1-nommu-toggle-only-bits-in-exc_return-we-a.patch b/queue-4.14/arm-8830-1-nommu-toggle-only-bits-in-exc_return-we-a.patch new file mode 100644 index 00000000000..4b2cc6ee352 --- /dev/null +++ b/queue-4.14/arm-8830-1-nommu-toggle-only-bits-in-exc_return-we-a.patch @@ -0,0 +1,98 @@ +From 642c8aee3bae0caa0e0ec839402f024a292c63a4 Mon Sep 17 00:00:00 2001 +From: Vladimir Murzin +Date: Fri, 25 Jan 2019 15:18:37 +0100 +Subject: ARM: 8830/1: NOMMU: Toggle only bits in EXC_RETURN we are really care + of + +[ Upstream commit 72cd4064fccaae15ab84d40d4be23667402df4ed ] + +ARMv8M introduces support for Security extension to M class, among +other things it affects exception handling, especially, encoding of +EXC_RETURN. + +The new bits have been added: + +Bit [6] Secure or Non-secure stack +Bit [5] Default callee register stacking +Bit [0] Exception Secure + +which conflicts with hard-coded value of EXC_RETURN: + +In fact, we only care of few bits: + +Bit [3] Mode (0 - Handler, 1 - Thread) +Bit [2] Stack pointer selection (0 - Main, 1 - Process) + +We can toggle only those bits and left other bits as they were on +exception entry. + +It is basically, what patch does - saves EXC_RETURN when we do +transition form Thread to Handler mode (it is first svc), so later +saved value is used instead of EXC_RET_THREADMODE_PROCESSSTACK. + +Signed-off-by: Vladimir Murzin +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/v7m.h | 2 +- + arch/arm/kernel/entry-header.S | 3 ++- + arch/arm/kernel/entry-v7m.S | 4 ++++ + arch/arm/mm/proc-v7m.S | 3 +++ + 4 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/include/asm/v7m.h b/arch/arm/include/asm/v7m.h +index e6d9e29fcae4..6416fd3a3894 100644 +--- a/arch/arm/include/asm/v7m.h ++++ b/arch/arm/include/asm/v7m.h +@@ -49,7 +49,7 @@ + * (0 -> msp; 1 -> psp). Bits [1:0] are fixed to 0b01. + */ + #define EXC_RET_STACK_MASK 0x00000004 +-#define EXC_RET_THREADMODE_PROCESSSTACK 0xfffffffd ++#define EXC_RET_THREADMODE_PROCESSSTACK (3 << 2) + + /* Cache related definitions */ + +diff --git a/arch/arm/kernel/entry-header.S b/arch/arm/kernel/entry-header.S +index 773424843d6e..62db1c9746cb 100644 +--- a/arch/arm/kernel/entry-header.S ++++ b/arch/arm/kernel/entry-header.S +@@ -127,7 +127,8 @@ + */ + .macro v7m_exception_slow_exit ret_r0 + cpsid i +- ldr lr, =EXC_RET_THREADMODE_PROCESSSTACK ++ ldr lr, =exc_ret ++ ldr lr, [lr] + + @ read original r12, sp, lr, pc and xPSR + add r12, sp, #S_IP +diff --git a/arch/arm/kernel/entry-v7m.S b/arch/arm/kernel/entry-v7m.S +index abcf47848525..19d2dcd6530d 100644 +--- a/arch/arm/kernel/entry-v7m.S ++++ b/arch/arm/kernel/entry-v7m.S +@@ -146,3 +146,7 @@ ENTRY(vector_table) + .rept CONFIG_CPU_V7M_NUM_IRQ + .long __irq_entry @ External Interrupts + .endr ++ .align 2 ++ .globl exc_ret ++exc_ret: ++ .space 4 +diff --git a/arch/arm/mm/proc-v7m.S b/arch/arm/mm/proc-v7m.S +index 47a5acc64433..92e84181933a 100644 +--- a/arch/arm/mm/proc-v7m.S ++++ b/arch/arm/mm/proc-v7m.S +@@ -139,6 +139,9 @@ __v7m_setup_cont: + cpsie i + svc #0 + 1: cpsid i ++ ldr r0, =exc_ret ++ orr lr, lr, #EXC_RET_THREADMODE_PROCESSSTACK ++ str lr, [r0] + ldmia sp, {r0-r3, r12} + str r5, [r12, #11 * 4] @ restore the original SVC vector entry + mov lr, r6 @ restore LR +-- +2.19.1 + diff --git a/queue-4.14/arm-8833-1-ensure-that-neon-code-always-compiles-wit.patch b/queue-4.14/arm-8833-1-ensure-that-neon-code-always-compiles-wit.patch new file mode 100644 index 00000000000..96c7f86bac2 --- /dev/null +++ b/queue-4.14/arm-8833-1-ensure-that-neon-code-always-compiles-wit.patch @@ -0,0 +1,122 @@ +From d6f0e6e6811fd3971069ce2bdc581b489694859a Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Sat, 2 Feb 2019 03:34:36 +0100 +Subject: ARM: 8833/1: Ensure that NEON code always compiles with Clang + +[ Upstream commit de9c0d49d85dc563549972edc5589d195cd5e859 ] + +While building arm32 allyesconfig, I ran into the following errors: + + arch/arm/lib/xor-neon.c:17:2: error: You should compile this file with + '-mfloat-abi=softfp -mfpu=neon' + + In file included from lib/raid6/neon1.c:27: + /home/nathan/cbl/prebuilt/lib/clang/8.0.0/include/arm_neon.h:28:2: + error: "NEON support not enabled" + +Building V=1 showed NEON_FLAGS getting passed along to Clang but +__ARM_NEON__ was not getting defined. Ultimately, it boils down to Clang +only defining __ARM_NEON__ when targeting armv7, rather than armv6k, +which is the '-march' value for allyesconfig. + +>From lib/Basic/Targets/ARM.cpp in the Clang source: + + // This only gets set when Neon instructions are actually available, unlike + // the VFP define, hence the soft float and arch check. This is subtly + // different from gcc, we follow the intent which was that it should be set + // when Neon instructions are actually available. + if ((FPU & NeonFPU) && !SoftFloat && ArchVersion >= 7) { + Builder.defineMacro("__ARM_NEON", "1"); + Builder.defineMacro("__ARM_NEON__"); + // current AArch32 NEON implementations do not support double-precision + // floating-point even when it is present in VFP. + Builder.defineMacro("__ARM_NEON_FP", + "0x" + Twine::utohexstr(HW_FP & ~HW_FP_DP)); + } + +Ard Biesheuvel recommended explicitly adding '-march=armv7-a' at the +beginning of the NEON_FLAGS definitions so that __ARM_NEON__ always gets +definined by Clang. This doesn't functionally change anything because +that code will only run where NEON is supported, which is implicitly +armv7. + +Link: https://github.com/ClangBuiltLinux/linux/issues/287 + +Suggested-by: Ard Biesheuvel +Signed-off-by: Nathan Chancellor +Acked-by: Nicolas Pitre +Reviewed-by: Nick Desaulniers +Reviewed-by: Stefan Agner +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + Documentation/arm/kernel_mode_neon.txt | 4 ++-- + arch/arm/lib/Makefile | 2 +- + arch/arm/lib/xor-neon.c | 2 +- + lib/raid6/Makefile | 2 +- + 4 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/Documentation/arm/kernel_mode_neon.txt b/Documentation/arm/kernel_mode_neon.txt +index 525452726d31..b9e060c5b61e 100644 +--- a/Documentation/arm/kernel_mode_neon.txt ++++ b/Documentation/arm/kernel_mode_neon.txt +@@ -6,7 +6,7 @@ TL;DR summary + * Use only NEON instructions, or VFP instructions that don't rely on support + code + * Isolate your NEON code in a separate compilation unit, and compile it with +- '-mfpu=neon -mfloat-abi=softfp' ++ '-march=armv7-a -mfpu=neon -mfloat-abi=softfp' + * Put kernel_neon_begin() and kernel_neon_end() calls around the calls into your + NEON code + * Don't sleep in your NEON code, and be aware that it will be executed with +@@ -87,7 +87,7 @@ instructions appearing in unexpected places if no special care is taken. + Therefore, the recommended and only supported way of using NEON/VFP in the + kernel is by adhering to the following rules: + * isolate the NEON code in a separate compilation unit and compile it with +- '-mfpu=neon -mfloat-abi=softfp'; ++ '-march=armv7-a -mfpu=neon -mfloat-abi=softfp'; + * issue the calls to kernel_neon_begin(), kernel_neon_end() as well as the calls + into the unit containing the NEON code from a compilation unit which is *not* + built with the GCC flag '-mfpu=neon' set. +diff --git a/arch/arm/lib/Makefile b/arch/arm/lib/Makefile +index 4cb0b9624d8f..4cf026f3f00d 100644 +--- a/arch/arm/lib/Makefile ++++ b/arch/arm/lib/Makefile +@@ -39,7 +39,7 @@ $(obj)/csumpartialcopy.o: $(obj)/csumpartialcopygeneric.S + $(obj)/csumpartialcopyuser.o: $(obj)/csumpartialcopygeneric.S + + ifeq ($(CONFIG_KERNEL_MODE_NEON),y) +- NEON_FLAGS := -mfloat-abi=softfp -mfpu=neon ++ NEON_FLAGS := -march=armv7-a -mfloat-abi=softfp -mfpu=neon + CFLAGS_xor-neon.o += $(NEON_FLAGS) + obj-$(CONFIG_XOR_BLOCKS) += xor-neon.o + endif +diff --git a/arch/arm/lib/xor-neon.c b/arch/arm/lib/xor-neon.c +index 2c40aeab3eaa..c691b901092f 100644 +--- a/arch/arm/lib/xor-neon.c ++++ b/arch/arm/lib/xor-neon.c +@@ -14,7 +14,7 @@ + MODULE_LICENSE("GPL"); + + #ifndef __ARM_NEON__ +-#error You should compile this file with '-mfloat-abi=softfp -mfpu=neon' ++#error You should compile this file with '-march=armv7-a -mfloat-abi=softfp -mfpu=neon' + #endif + + /* +diff --git a/lib/raid6/Makefile b/lib/raid6/Makefile +index ad523be0313b..e0f3b38d6dcb 100644 +--- a/lib/raid6/Makefile ++++ b/lib/raid6/Makefile +@@ -40,7 +40,7 @@ endif + ifeq ($(CONFIG_KERNEL_MODE_NEON),y) + NEON_FLAGS := -ffreestanding + ifeq ($(ARCH),arm) +-NEON_FLAGS += -mfloat-abi=softfp -mfpu=neon ++NEON_FLAGS += -march=armv7-a -mfloat-abi=softfp -mfpu=neon + endif + CFLAGS_recov_neon_inner.o += $(NEON_FLAGS) + ifeq ($(ARCH),arm64) +-- +2.19.1 + diff --git a/queue-4.14/arm-8840-1-use-a-raw_spinlock_t-in-unwind.patch b/queue-4.14/arm-8840-1-use-a-raw_spinlock_t-in-unwind.patch new file mode 100644 index 00000000000..bc2a5da094c --- /dev/null +++ b/queue-4.14/arm-8840-1-use-a-raw_spinlock_t-in-unwind.patch @@ -0,0 +1,92 @@ +From dea216e616ece75a0ec4d5f5cd130e4c72320286 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Wed, 13 Feb 2019 17:14:42 +0100 +Subject: ARM: 8840/1: use a raw_spinlock_t in unwind + +[ Upstream commit 74ffe79ae538283bbf7c155e62339f1e5c87b55a ] + +Mostly unwind is done with irqs enabled however SLUB may call it with +irqs disabled while creating a new SLUB cache. + +I had system freeze while loading a module which called +kmem_cache_create() on init. That means SLUB's __slab_alloc() disabled +interrupts and then + +->new_slab_objects() + ->new_slab() + ->setup_object() + ->setup_object_debug() + ->init_tracking() + ->set_track() + ->save_stack_trace() + ->save_stack_trace_tsk() + ->walk_stackframe() + ->unwind_frame() + ->unwind_find_idx() + =>spin_lock_irqsave(&unwind_lock); + +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/unwind.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/arch/arm/kernel/unwind.c b/arch/arm/kernel/unwind.c +index 0bee233fef9a..314cfb232a63 100644 +--- a/arch/arm/kernel/unwind.c ++++ b/arch/arm/kernel/unwind.c +@@ -93,7 +93,7 @@ extern const struct unwind_idx __start_unwind_idx[]; + static const struct unwind_idx *__origin_unwind_idx; + extern const struct unwind_idx __stop_unwind_idx[]; + +-static DEFINE_SPINLOCK(unwind_lock); ++static DEFINE_RAW_SPINLOCK(unwind_lock); + static LIST_HEAD(unwind_tables); + + /* Convert a prel31 symbol to an absolute address */ +@@ -201,7 +201,7 @@ static const struct unwind_idx *unwind_find_idx(unsigned long addr) + /* module unwind tables */ + struct unwind_table *table; + +- spin_lock_irqsave(&unwind_lock, flags); ++ raw_spin_lock_irqsave(&unwind_lock, flags); + list_for_each_entry(table, &unwind_tables, list) { + if (addr >= table->begin_addr && + addr < table->end_addr) { +@@ -213,7 +213,7 @@ static const struct unwind_idx *unwind_find_idx(unsigned long addr) + break; + } + } +- spin_unlock_irqrestore(&unwind_lock, flags); ++ raw_spin_unlock_irqrestore(&unwind_lock, flags); + } + + pr_debug("%s: idx = %p\n", __func__, idx); +@@ -529,9 +529,9 @@ struct unwind_table *unwind_table_add(unsigned long start, unsigned long size, + tab->begin_addr = text_addr; + tab->end_addr = text_addr + text_size; + +- spin_lock_irqsave(&unwind_lock, flags); ++ raw_spin_lock_irqsave(&unwind_lock, flags); + list_add_tail(&tab->list, &unwind_tables); +- spin_unlock_irqrestore(&unwind_lock, flags); ++ raw_spin_unlock_irqrestore(&unwind_lock, flags); + + return tab; + } +@@ -543,9 +543,9 @@ void unwind_table_del(struct unwind_table *tab) + if (!tab) + return; + +- spin_lock_irqsave(&unwind_lock, flags); ++ raw_spin_lock_irqsave(&unwind_lock, flags); + list_del(&tab->list); +- spin_unlock_irqrestore(&unwind_lock, flags); ++ raw_spin_unlock_irqrestore(&unwind_lock, flags); + + kfree(tab); + } +-- +2.19.1 + diff --git a/queue-4.14/arm-avoid-cortex-a9-livelock-on-tight-dmb-loops.patch b/queue-4.14/arm-avoid-cortex-a9-livelock-on-tight-dmb-loops.patch new file mode 100644 index 00000000000..e8733d96c40 --- /dev/null +++ b/queue-4.14/arm-avoid-cortex-a9-livelock-on-tight-dmb-loops.patch @@ -0,0 +1,209 @@ +From 5371efcb8439047783bcaa0d57698dbefb68e8a2 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Tue, 10 Apr 2018 11:35:36 +0100 +Subject: ARM: avoid Cortex-A9 livelock on tight dmb loops + +[ Upstream commit 5388a5b82199facacd3d7ac0d05aca6e8f902fed ] + +machine_crash_nonpanic_core() does this: + + while (1) + cpu_relax(); + +because the kernel has crashed, and we have no known safe way to deal +with the CPU. So, we place the CPU into an infinite loop which we +expect it to never exit - at least not until the system as a whole is +reset by some method. + +In the absence of erratum 754327, this code assembles to: + + b . + +In other words, an infinite loop. When erratum 754327 is enabled, +this becomes: + +1: dmb + b 1b + +It has been observed that on some systems (eg, OMAP4) where, if a +crash is triggered, the system tries to kexec into the panic kernel, +but fails after taking the secondary CPU down - placing it into one +of these loops. This causes the system to livelock, and the most +noticable effect is the system stops after issuing: + + Loading crashdump kernel... + +to the system console. + +The tested as working solution I came up with was to add wfe() to +these infinite loops thusly: + + while (1) { + cpu_relax(); + wfe(); + } + +which, without 754327 builds to: + +1: wfe + b 1b + +or with 754327 is enabled: + +1: dmb + wfe + b 1b + +Adding "wfe" does two things depending on the environment we're running +under: +- where we're running on bare metal, and the processor implements + "wfe", it stops us spinning endlessly in a loop where we're never + going to do any useful work. +- if we're running in a VM, it allows the CPU to be given back to the + hypervisor and rescheduled for other purposes (maybe a different VM) + rather than wasting CPU cycles inside a crashed VM. + +However, in light of erratum 794072, Will Deacon wanted to see 10 nops +as well - which is reasonable to cover the case where we have erratum +754327 enabled _and_ we have a processor that doesn't implement the +wfe hint. + +So, we now end up with: + +1: wfe + b 1b + +when erratum 754327 is disabled, or: + +1: dmb + nop + nop + nop + nop + nop + nop + nop + nop + nop + nop + wfe + b 1b + +when erratum 754327 is enabled. We also get the dmb + 10 nop +sequence elsewhere in the kernel, in terminating loops. + +This is reasonable - it means we get the workaround for erratum +794072 when erratum 754327 is enabled, but still relinquish the dead +processor - either by placing it in a lower power mode when wfe is +implemented as such or by returning it to the hypervisior, or in the +case where wfe is a no-op, we use the workaround specified in erratum +794072 to avoid the problem. + +These as two entirely orthogonal problems - the 10 nops addresses +erratum 794072, and the wfe is an optimisation that makes the system +more efficient when crashed either in terms of power consumption or +by allowing the host/other VMs to make use of the CPU. + +I don't see any reason not to use kexec() inside a VM - it has the +potential to provide automated recovery from a failure of the VMs +kernel with the opportunity for saving a crashdump of the failure. +A panic() with a reboot timeout won't do that, and reading the +libvirt documentation, setting on_reboot to "preserve" won't either +(the documentation states "The preserve action for an on_reboot event +is treated as a destroy".) Surely it has to be a good thing to +avoiding having CPUs spinning inside a VM that is doing no useful +work. + +Acked-by: Will Deacon +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/barrier.h | 2 ++ + arch/arm/include/asm/processor.h | 6 +++++- + arch/arm/kernel/machine_kexec.c | 5 ++++- + arch/arm/kernel/smp.c | 4 +++- + arch/arm/mach-omap2/prm_common.c | 4 +++- + 5 files changed, 17 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/include/asm/barrier.h b/arch/arm/include/asm/barrier.h +index 69772e742a0a..83ae97c049d9 100644 +--- a/arch/arm/include/asm/barrier.h ++++ b/arch/arm/include/asm/barrier.h +@@ -11,6 +11,8 @@ + #define sev() __asm__ __volatile__ ("sev" : : : "memory") + #define wfe() __asm__ __volatile__ ("wfe" : : : "memory") + #define wfi() __asm__ __volatile__ ("wfi" : : : "memory") ++#else ++#define wfe() do { } while (0) + #endif + + #if __LINUX_ARM_ARCH__ >= 7 +diff --git a/arch/arm/include/asm/processor.h b/arch/arm/include/asm/processor.h +index c3d5fc124a05..768b6fe7640e 100644 +--- a/arch/arm/include/asm/processor.h ++++ b/arch/arm/include/asm/processor.h +@@ -77,7 +77,11 @@ extern void release_thread(struct task_struct *); + unsigned long get_wchan(struct task_struct *p); + + #if __LINUX_ARM_ARCH__ == 6 || defined(CONFIG_ARM_ERRATA_754327) +-#define cpu_relax() smp_mb() ++#define cpu_relax() \ ++ do { \ ++ smp_mb(); \ ++ __asm__ __volatile__("nop; nop; nop; nop; nop; nop; nop; nop; nop; nop;"); \ ++ } while (0) + #else + #define cpu_relax() barrier() + #endif +diff --git a/arch/arm/kernel/machine_kexec.c b/arch/arm/kernel/machine_kexec.c +index c15318431986..6f77f52baf02 100644 +--- a/arch/arm/kernel/machine_kexec.c ++++ b/arch/arm/kernel/machine_kexec.c +@@ -91,8 +91,11 @@ void machine_crash_nonpanic_core(void *unused) + + set_cpu_online(smp_processor_id(), false); + atomic_dec(&waiting_for_crash_ipi); +- while (1) ++ ++ while (1) { + cpu_relax(); ++ wfe(); ++ } + } + + void crash_smp_send_stop(void) +diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c +index 65f85737c6a2..844bb2f1ddef 100644 +--- a/arch/arm/kernel/smp.c ++++ b/arch/arm/kernel/smp.c +@@ -602,8 +602,10 @@ static void ipi_cpu_stop(unsigned int cpu) + local_fiq_disable(); + local_irq_disable(); + +- while (1) ++ while (1) { + cpu_relax(); ++ wfe(); ++ } + } + + static DEFINE_PER_CPU(struct completion *, cpu_completion); +diff --git a/arch/arm/mach-omap2/prm_common.c b/arch/arm/mach-omap2/prm_common.c +index 09180a59b1c9..2f215facba10 100644 +--- a/arch/arm/mach-omap2/prm_common.c ++++ b/arch/arm/mach-omap2/prm_common.c +@@ -528,8 +528,10 @@ void omap_prm_reset_system(void) + + prm_ll_data->reset_system(); + +- while (1) ++ while (1) { + cpu_relax(); ++ wfe(); ++ } + } + + /** +-- +2.19.1 + diff --git a/queue-4.14/arm-dts-lpc32xx-remove-leading-0x-and-0s-from-bindin.patch b/queue-4.14/arm-dts-lpc32xx-remove-leading-0x-and-0s-from-bindin.patch new file mode 100644 index 00000000000..7620059224f --- /dev/null +++ b/queue-4.14/arm-dts-lpc32xx-remove-leading-0x-and-0s-from-bindin.patch @@ -0,0 +1,133 @@ +From 0c735dd4456ff9d7a6fcbeb3c95bd27d75ae3130 Mon Sep 17 00:00:00 2001 +From: Mathieu Malaterre +Date: Fri, 15 Dec 2017 13:46:39 +0100 +Subject: ARM: dts: lpc32xx: Remove leading 0x and 0s from bindings notation + +[ Upstream commit 3e3380d0675d5e20b0af067d60cb947a4348bf9b ] + +Improve the DTS files by removing all the leading "0x" and zeros to fix +the following dtc warnings: + +Warning (unit_address_format): Node /XXX unit name should not have leading "0x" + +and + +Warning (unit_address_format): Node /XXX unit name should not have leading 0s + +Converted using the following command: + +find . -type f \( -iname *.dts -o -iname *.dtsi \) -exec sed -i -e "s/@\([0-9a-fA-FxX\.;:#]+\)\s*{/@\L\1 {/g" -e "s/@0x\(.*\) {/@\1 {/g" -e "s/@0+\(.*\) {/@\1 {/g" {} + + +For simplicity, two sed expressions were used to solve each warnings +separately. + +To make the regex expression more robust a few other issues were resolved, +namely setting unit-address to lower case, and adding a whitespace before +the opening curly brace: + +https://elinux.org/Device_Tree_Linux#Linux_conventions + +This will solve as a side effect warning: + +Warning (simple_bus_reg): Node /XXX@ simple-bus unit address format error, expected "" + +This is a follow up to commit 4c9847b7375a ("dt-bindings: Remove leading 0x from bindings notation") + +Reported-by: David Daney +Suggested-by: Rob Herring +Signed-off-by: Mathieu Malaterre +[vzapolskiy: fixed commit message to pass checkpatch.pl test] +Signed-off-by: Vladimir Zapolskiy +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/lpc32xx.dtsi | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/arch/arm/boot/dts/lpc32xx.dtsi b/arch/arm/boot/dts/lpc32xx.dtsi +index d81fe433e3c8..f22a33a01819 100644 +--- a/arch/arm/boot/dts/lpc32xx.dtsi ++++ b/arch/arm/boot/dts/lpc32xx.dtsi +@@ -230,7 +230,7 @@ + status = "disabled"; + }; + +- i2s1: i2s@2009C000 { ++ i2s1: i2s@2009c000 { + compatible = "nxp,lpc3220-i2s"; + reg = <0x2009C000 0x1000>; + }; +@@ -273,7 +273,7 @@ + status = "disabled"; + }; + +- i2c1: i2c@400A0000 { ++ i2c1: i2c@400a0000 { + compatible = "nxp,pnx-i2c"; + reg = <0x400A0000 0x100>; + interrupt-parent = <&sic1>; +@@ -284,7 +284,7 @@ + clocks = <&clk LPC32XX_CLK_I2C1>; + }; + +- i2c2: i2c@400A8000 { ++ i2c2: i2c@400a8000 { + compatible = "nxp,pnx-i2c"; + reg = <0x400A8000 0x100>; + interrupt-parent = <&sic1>; +@@ -295,7 +295,7 @@ + clocks = <&clk LPC32XX_CLK_I2C2>; + }; + +- mpwm: mpwm@400E8000 { ++ mpwm: mpwm@400e8000 { + compatible = "nxp,lpc3220-motor-pwm"; + reg = <0x400E8000 0x78>; + status = "disabled"; +@@ -394,7 +394,7 @@ + #gpio-cells = <3>; /* bank, pin, flags */ + }; + +- timer4: timer@4002C000 { ++ timer4: timer@4002c000 { + compatible = "nxp,lpc3220-timer"; + reg = <0x4002C000 0x1000>; + interrupts = <3 IRQ_TYPE_LEVEL_LOW>; +@@ -412,7 +412,7 @@ + status = "disabled"; + }; + +- watchdog: watchdog@4003C000 { ++ watchdog: watchdog@4003c000 { + compatible = "nxp,pnx4008-wdt"; + reg = <0x4003C000 0x1000>; + clocks = <&clk LPC32XX_CLK_WDOG>; +@@ -451,7 +451,7 @@ + status = "disabled"; + }; + +- timer1: timer@4004C000 { ++ timer1: timer@4004c000 { + compatible = "nxp,lpc3220-timer"; + reg = <0x4004C000 0x1000>; + interrupts = <17 IRQ_TYPE_LEVEL_LOW>; +@@ -475,7 +475,7 @@ + status = "disabled"; + }; + +- pwm1: pwm@4005C000 { ++ pwm1: pwm@4005c000 { + compatible = "nxp,lpc3220-pwm"; + reg = <0x4005C000 0x4>; + clocks = <&clk LPC32XX_CLK_PWM1>; +@@ -484,7 +484,7 @@ + status = "disabled"; + }; + +- pwm2: pwm@4005C004 { ++ pwm2: pwm@4005c004 { + compatible = "nxp,lpc3220-pwm"; + reg = <0x4005C004 0x4>; + clocks = <&clk LPC32XX_CLK_PWM2>; +-- +2.19.1 + diff --git a/queue-4.14/asoc-fsl-asoc-card-fix-object-reference-leaks-in-fsl.patch b/queue-4.14/asoc-fsl-asoc-card-fix-object-reference-leaks-in-fsl.patch new file mode 100644 index 00000000000..a794af062d6 --- /dev/null +++ b/queue-4.14/asoc-fsl-asoc-card-fix-object-reference-leaks-in-fsl.patch @@ -0,0 +1,44 @@ +From 148a958eb2d66e78824602794ad439aa13230f1e Mon Sep 17 00:00:00 2001 +From: wen yang +Date: Sat, 2 Feb 2019 14:53:16 +0000 +Subject: ASoC: fsl-asoc-card: fix object reference leaks in + fsl_asoc_card_probe + +[ Upstream commit 11907e9d3533648615db08140e3045b829d2c141 ] + +The of_find_device_by_node() takes a reference to the underlying device +structure, we should release that reference. + +Signed-off-by: Wen Yang +Cc: Timur Tabi +Cc: Nicolin Chen +Cc: Xiubo Li +Cc: Fabio Estevam +Cc: Liam Girdwood +Cc: Mark Brown +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: alsa-devel@alsa-project.org +Cc: linuxppc-dev@lists.ozlabs.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl-asoc-card.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/fsl/fsl-asoc-card.c b/sound/soc/fsl/fsl-asoc-card.c +index 2db4d0c80d33..393100edd5fd 100644 +--- a/sound/soc/fsl/fsl-asoc-card.c ++++ b/sound/soc/fsl/fsl-asoc-card.c +@@ -689,6 +689,7 @@ static int fsl_asoc_card_probe(struct platform_device *pdev) + asrc_fail: + of_node_put(asrc_np); + of_node_put(codec_np); ++ put_device(&cpu_pdev->dev); + fail: + of_node_put(cpu_np); + +-- +2.19.1 + diff --git a/queue-4.14/backlight-pwm_bl-use-gpiod_get_value_cansleep-to-get.patch b/queue-4.14/backlight-pwm_bl-use-gpiod_get_value_cansleep-to-get.patch new file mode 100644 index 00000000000..7c2abd74481 --- /dev/null +++ b/queue-4.14/backlight-pwm_bl-use-gpiod_get_value_cansleep-to-get.patch @@ -0,0 +1,67 @@ +From 151300a366023767c43bacd994b0209b1dd23089 Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Sun, 27 Jan 2019 22:50:54 +0800 +Subject: backlight: pwm_bl: Use gpiod_get_value_cansleep() to get initial + state + +[ Upstream commit cec2b18832e26bc866bef2be22eff4e25bbc4034 ] + +gpiod_get_value() gives out a warning if access to the underlying gpiochip +requires sleeping, which is common for I2C based chips: + + WARNING: CPU: 0 PID: 77 at drivers/gpio/gpiolib.c:2500 gpiod_get_value+0xd0/0x100 + Modules linked in: + CPU: 0 PID: 77 Comm: kworker/0:2 Not tainted 4.14.0-rc3-00589-gf32897915d48-dirty #90 + Hardware name: Allwinner sun4i/sun5i Families + Workqueue: events deferred_probe_work_func + [] (unwind_backtrace) from [] (show_stack+0x10/0x14) + [] (show_stack) from [] (dump_stack+0x88/0x9c) + [] (dump_stack) from [] (__warn+0xe8/0x100) + [] (__warn) from [] (warn_slowpath_null+0x20/0x28) + [] (warn_slowpath_null) from [] (gpiod_get_value+0xd0/0x100) + [] (gpiod_get_value) from [] (pwm_backlight_probe+0x238/0x508) + [] (pwm_backlight_probe) from [] (platform_drv_probe+0x50/0xac) + [] (platform_drv_probe) from [] (driver_probe_device+0x238/0x2e8) + [] (driver_probe_device) from [] (bus_for_each_drv+0x44/0x94) + [] (bus_for_each_drv) from [] (__device_attach+0xb0/0x114) + [] (__device_attach) from [] (bus_probe_device+0x84/0x8c) + [] (bus_probe_device) from [] (deferred_probe_work_func+0x50/0x14c) + [] (deferred_probe_work_func) from [] (process_one_work+0x1ec/0x414) + [] (process_one_work) from [] (worker_thread+0x2b0/0x5a0) + [] (worker_thread) from [] (kthread+0x14c/0x154) + [] (kthread) from [] (ret_from_fork+0x14/0x24) + +This was missed in commit 0c9501f823a4 ("backlight: pwm_bl: Handle gpio +that can sleep"). The code was then moved to a separate function in +commit 7613c922315e ("backlight: pwm_bl: Move the checks for initial power +state to a separate function"). + +The only usage of gpiod_get_value() is during the probe stage, which is +safe to sleep in. Switch to gpiod_get_value_cansleep(). + +Fixes: 0c9501f823a4 ("backlight: pwm_bl: Handle gpio that can sleep") +Signed-off-by: Chen-Yu Tsai +Acked-by: Maxime Ripard +Acked-by: Daniel Thompson +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/pwm_bl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/backlight/pwm_bl.c b/drivers/video/backlight/pwm_bl.c +index 155153ecb894..2a0ce0c68302 100644 +--- a/drivers/video/backlight/pwm_bl.c ++++ b/drivers/video/backlight/pwm_bl.c +@@ -212,7 +212,7 @@ static int pwm_backlight_initial_power_state(const struct pwm_bl_data *pb) + */ + + /* if the enable GPIO is disabled, do not enable the backlight */ +- if (pb->enable_gpio && gpiod_get_value(pb->enable_gpio) == 0) ++ if (pb->enable_gpio && gpiod_get_value_cansleep(pb->enable_gpio) == 0) + return FB_BLANK_POWERDOWN; + + /* The regulator is disabled, do not enable the backlight */ +-- +2.19.1 + diff --git a/queue-4.14/bcache-fix-input-overflow-to-cache-set-sysfs-file-io.patch b/queue-4.14/bcache-fix-input-overflow-to-cache-set-sysfs-file-io.patch new file mode 100644 index 00000000000..b253855d458 --- /dev/null +++ b/queue-4.14/bcache-fix-input-overflow-to-cache-set-sysfs-file-io.patch @@ -0,0 +1,50 @@ +From 8df0a6c1b443294005e9c23d76d38ed7472ebd0e Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Sat, 9 Feb 2019 12:53:10 +0800 +Subject: bcache: fix input overflow to cache set sysfs file io_error_halflife + +[ Upstream commit a91fbda49f746119828f7e8ad0f0aa2ab0578f65 ] + +Cache set sysfs entry io_error_halflife is used to set c->error_decay. +c->error_decay is in type unsigned int, and it is converted by +strtoul_or_return(), therefore overflow to c->error_decay is possible +for a large input value. + +This patch fixes the overflow by using strtoul_safe_clamp() to convert +input string to an unsigned long value in range [0, UINT_MAX], then +divides by 88 and set it to c->error_decay. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/sysfs.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c +index 5d81cd06af00..43ff7fbcbc7c 100644 +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -660,8 +660,17 @@ STORE(__bch_cache_set) + c->error_limit = strtoul_or_return(buf) << IO_ERROR_SHIFT; + + /* See count_io_errors() for why 88 */ +- if (attr == &sysfs_io_error_halflife) +- c->error_decay = strtoul_or_return(buf) / 88; ++ if (attr == &sysfs_io_error_halflife) { ++ unsigned long v = 0; ++ ssize_t ret; ++ ++ ret = strtoul_safe_clamp(buf, v, 0, UINT_MAX); ++ if (!ret) { ++ c->error_decay = v / 88; ++ return size; ++ } ++ return ret; ++ } + + sysfs_strtoul(journal_delay_ms, c->journal_delay_ms); + sysfs_strtoul(verify, c->verify); +-- +2.19.1 + diff --git a/queue-4.14/bcache-fix-input-overflow-to-sequential_cutoff.patch b/queue-4.14/bcache-fix-input-overflow-to-sequential_cutoff.patch new file mode 100644 index 00000000000..6d97aaaf362 --- /dev/null +++ b/queue-4.14/bcache-fix-input-overflow-to-sequential_cutoff.patch @@ -0,0 +1,42 @@ +From 322c20d857dbffea47081acfd5745508689c60da Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Sat, 9 Feb 2019 12:53:01 +0800 +Subject: bcache: fix input overflow to sequential_cutoff + +[ Upstream commit 8c27a3953e92eb0b22dbb03d599f543a05f9574e ] + +People may set sequential_cutoff of a cached device via sysfs file, +but current code does not check input value overflow. E.g. if value +4294967295 (UINT_MAX) is written to file sequential_cutoff, its value +is 4GB, but if 4294967296 (UINT_MAX + 1) is written into, its value +will be 0. This is an unexpected behavior. + +This patch replaces d_strtoi_h() by sysfs_strtoul_clamp() to convert +input string to unsigned integer value, and limit its range in +[0, UINT_MAX]. Then the input overflow can be fixed. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/sysfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c +index 43ff7fbcbc7c..def9c3478b89 100644 +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -217,7 +217,9 @@ STORE(__cached_dev) + d_strtoul(writeback_rate_d_term); + d_strtoul_nonzero(writeback_rate_p_term_inverse); + +- d_strtoi_h(sequential_cutoff); ++ sysfs_strtoul_clamp(sequential_cutoff, ++ dc->sequential_cutoff, ++ 0, UINT_MAX); + d_strtoi_h(readahead); + + if (attr == &sysfs_clear_stats) +-- +2.19.1 + diff --git a/queue-4.14/bcache-improve-sysfs_strtoul_clamp.patch b/queue-4.14/bcache-improve-sysfs_strtoul_clamp.patch new file mode 100644 index 00000000000..5517d4d1abd --- /dev/null +++ b/queue-4.14/bcache-improve-sysfs_strtoul_clamp.patch @@ -0,0 +1,64 @@ +From add93f84a66fd6c4f28374d54b862f56a6ba7bbf Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Sat, 9 Feb 2019 12:52:59 +0800 +Subject: bcache: improve sysfs_strtoul_clamp() + +[ Upstream commit 596b5a5dd1bc2fa019fdaaae522ef331deef927f ] + +Currently sysfs_strtoul_clamp() is defined as, + 82 #define sysfs_strtoul_clamp(file, var, min, max) \ + 83 do { \ + 84 if (attr == &sysfs_ ## file) \ + 85 return strtoul_safe_clamp(buf, var, min, max) \ + 86 ?: (ssize_t) size; \ + 87 } while (0) + +The problem is, if bit width of var is less then unsigned long, min and +max may not protect var from integer overflow, because overflow happens +in strtoul_safe_clamp() before checking min and max. + +To fix such overflow in sysfs_strtoul_clamp(), to make min and max take +effect, this patch adds an unsigned long variable, and uses it to macro +strtoul_safe_clamp() to convert an unsigned long value in range defined +by [min, max]. Then assign this value to var. By this method, if bit +width of var is less than unsigned long, integer overflow won't happen +before min and max are checking. + +Now sysfs_strtoul_clamp() can properly handle smaller data type like +unsigned int, of cause min and max should be defined in range of +unsigned int too. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/sysfs.h | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/bcache/sysfs.h b/drivers/md/bcache/sysfs.h +index b54fe9602529..e6e258f897ca 100644 +--- a/drivers/md/bcache/sysfs.h ++++ b/drivers/md/bcache/sysfs.h +@@ -81,9 +81,16 @@ do { \ + + #define sysfs_strtoul_clamp(file, var, min, max) \ + do { \ +- if (attr == &sysfs_ ## file) \ +- return strtoul_safe_clamp(buf, var, min, max) \ +- ?: (ssize_t) size; \ ++ if (attr == &sysfs_ ## file) { \ ++ unsigned long v = 0; \ ++ ssize_t ret; \ ++ ret = strtoul_safe_clamp(buf, v, min, max); \ ++ if (!ret) { \ ++ var = v; \ ++ return size; \ ++ } \ ++ return ret; \ ++ } \ + } while (0) + + #define strtoul_or_return(cp) \ +-- +2.19.1 + diff --git a/queue-4.14/bpf-fix-missing-prototype-warnings.patch b/queue-4.14/bpf-fix-missing-prototype-warnings.patch new file mode 100644 index 00000000000..97789b3c037 --- /dev/null +++ b/queue-4.14/bpf-fix-missing-prototype-warnings.patch @@ -0,0 +1,49 @@ +From aafcf2f05b511a2166d738cec7b27cd90b8cc49b Mon Sep 17 00:00:00 2001 +From: Valdis Kletnieks +Date: Tue, 29 Jan 2019 01:04:25 -0500 +Subject: bpf: fix missing prototype warnings + +[ Upstream commit 116bfa96a255123ed209da6544f74a4f2eaca5da ] + +Compiling with W=1 generates warnings: + + CC kernel/bpf/core.o +kernel/bpf/core.c:721:12: warning: no previous prototype for ?bpf_jit_alloc_exec_limit? [-Wmissing-prototypes] + 721 | u64 __weak bpf_jit_alloc_exec_limit(void) + | ^~~~~~~~~~~~~~~~~~~~~~~~ +kernel/bpf/core.c:757:14: warning: no previous prototype for ?bpf_jit_alloc_exec? [-Wmissing-prototypes] + 757 | void *__weak bpf_jit_alloc_exec(unsigned long size) + | ^~~~~~~~~~~~~~~~~~ +kernel/bpf/core.c:762:13: warning: no previous prototype for ?bpf_jit_free_exec? [-Wmissing-prototypes] + 762 | void __weak bpf_jit_free_exec(void *addr) + | ^~~~~~~~~~~~~~~~~ + +All three are weak functions that archs can override, provide +proper prototypes for when a new arch provides their own. + +Signed-off-by: Valdis Kletnieks +Acked-by: Song Liu +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + include/linux/filter.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/include/linux/filter.h b/include/linux/filter.h +index 42197b16dd78..56d2cda9931b 100644 +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -741,7 +741,9 @@ bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr, + unsigned int alignment, + bpf_jit_fill_hole_t bpf_fill_ill_insns); + void bpf_jit_binary_free(struct bpf_binary_header *hdr); +- ++u64 bpf_jit_alloc_exec_limit(void); ++void *bpf_jit_alloc_exec(unsigned long size); ++void bpf_jit_free_exec(void *addr); + void bpf_jit_free(struct bpf_prog *fp); + + struct bpf_prog *bpf_jit_blind_constants(struct bpf_prog *fp); +-- +2.19.1 + diff --git a/queue-4.14/cdrom-fix-race-condition-in-cdrom_sysctl_register.patch b/queue-4.14/cdrom-fix-race-condition-in-cdrom_sysctl_register.patch new file mode 100644 index 00000000000..ef11f68b191 --- /dev/null +++ b/queue-4.14/cdrom-fix-race-condition-in-cdrom_sysctl_register.patch @@ -0,0 +1,99 @@ +From 8737b6e883ba9693d6fad2ec753df0922facd171 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Wed, 6 Feb 2019 21:13:49 -0800 +Subject: cdrom: Fix race condition in cdrom_sysctl_register + +[ Upstream commit f25191bb322dec8fa2979ecb8235643aa42470e1 ] + +The following traceback is sometimes seen when booting an image in qemu: + +[ 54.608293] cdrom: Uniform CD-ROM driver Revision: 3.20 +[ 54.611085] Fusion MPT base driver 3.04.20 +[ 54.611877] Copyright (c) 1999-2008 LSI Corporation +[ 54.616234] Fusion MPT SAS Host driver 3.04.20 +[ 54.635139] sysctl duplicate entry: /dev/cdrom//info +[ 54.639578] CPU: 0 PID: 266 Comm: kworker/u4:5 Not tainted 5.0.0-rc5 #1 +[ 54.639578] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 +[ 54.641273] Workqueue: events_unbound async_run_entry_fn +[ 54.641273] Call Trace: +[ 54.641273] dump_stack+0x67/0x90 +[ 54.641273] __register_sysctl_table+0x50b/0x570 +[ 54.641273] ? rcu_read_lock_sched_held+0x6f/0x80 +[ 54.641273] ? kmem_cache_alloc_trace+0x1c7/0x1f0 +[ 54.646814] __register_sysctl_paths+0x1c8/0x1f0 +[ 54.646814] cdrom_sysctl_register.part.7+0xc/0x5f +[ 54.646814] register_cdrom.cold.24+0x2a/0x33 +[ 54.646814] sr_probe+0x4bd/0x580 +[ 54.646814] ? __driver_attach+0xd0/0xd0 +[ 54.646814] really_probe+0xd6/0x260 +[ 54.646814] ? __driver_attach+0xd0/0xd0 +[ 54.646814] driver_probe_device+0x4a/0xb0 +[ 54.646814] ? __driver_attach+0xd0/0xd0 +[ 54.646814] bus_for_each_drv+0x73/0xc0 +[ 54.646814] __device_attach+0xd6/0x130 +[ 54.646814] bus_probe_device+0x9a/0xb0 +[ 54.646814] device_add+0x40c/0x670 +[ 54.646814] ? __pm_runtime_resume+0x4f/0x80 +[ 54.646814] scsi_sysfs_add_sdev+0x81/0x290 +[ 54.646814] scsi_probe_and_add_lun+0x888/0xc00 +[ 54.646814] ? scsi_autopm_get_host+0x21/0x40 +[ 54.646814] __scsi_add_device+0x116/0x130 +[ 54.646814] ata_scsi_scan_host+0x93/0x1c0 +[ 54.646814] async_run_entry_fn+0x34/0x100 +[ 54.646814] process_one_work+0x237/0x5e0 +[ 54.646814] worker_thread+0x37/0x380 +[ 54.646814] ? rescuer_thread+0x360/0x360 +[ 54.646814] kthread+0x118/0x130 +[ 54.646814] ? kthread_create_on_node+0x60/0x60 +[ 54.646814] ret_from_fork+0x3a/0x50 + +The only sensible explanation is that cdrom_sysctl_register() is called +twice, once from the module init function and once from register_cdrom(). +cdrom_sysctl_register() is not mutex protected and may happily execute +twice if the second call is made before the first call is complete. + +Use a static atomic to ensure that the function is executed exactly once. + +Signed-off-by: Guenter Roeck +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/cdrom/cdrom.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index 930b49606a8c..ea6558d4864c 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -265,6 +265,7 @@ + /* #define ERRLOGMASK (CD_WARNING|CD_OPEN|CD_COUNT_TRACKS|CD_CLOSE) */ + /* #define ERRLOGMASK (CD_WARNING|CD_REG_UNREG|CD_DO_IOCTL|CD_OPEN|CD_CLOSE|CD_COUNT_TRACKS) */ + ++#include + #include + #include + #include +@@ -3689,9 +3690,9 @@ static struct ctl_table_header *cdrom_sysctl_header; + + static void cdrom_sysctl_register(void) + { +- static int initialized; ++ static atomic_t initialized = ATOMIC_INIT(0); + +- if (initialized == 1) ++ if (!atomic_add_unless(&initialized, 1, 1)) + return; + + cdrom_sysctl_header = register_sysctl_table(cdrom_root_table); +@@ -3702,8 +3703,6 @@ static void cdrom_sysctl_register(void) + cdrom_sysctl_settings.debug = debug; + cdrom_sysctl_settings.lock = lockdoor; + cdrom_sysctl_settings.check = check_media_type; +- +- initialized = 1; + } + + static void cdrom_sysctl_unregister(void) +-- +2.19.1 + diff --git a/queue-4.14/cgroup-pids-turn-cgroup_subsys-free-into-cgroup_subs.patch b/queue-4.14/cgroup-pids-turn-cgroup_subsys-free-into-cgroup_subs.patch new file mode 100644 index 00000000000..b39a240fa20 --- /dev/null +++ b/queue-4.14/cgroup-pids-turn-cgroup_subsys-free-into-cgroup_subs.patch @@ -0,0 +1,173 @@ +From a2bad25b25a1f0976656cfe6498007717f336c10 Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Mon, 28 Jan 2019 17:00:13 +0100 +Subject: cgroup/pids: turn cgroup_subsys->free() into cgroup_subsys->release() + to fix the accounting + +[ Upstream commit 51bee5abeab2058ea5813c5615d6197a23dbf041 ] + +The only user of cgroup_subsys->free() callback is pids_cgrp_subsys which +needs pids_free() to uncharge the pid. + +However, ->free() is called from __put_task_struct()->cgroup_free() and this +is too late. Even the trivial program which does + + for (;;) { + int pid = fork(); + assert(pid >= 0); + if (pid) + wait(NULL); + else + exit(0); + } + +can run out of limits because release_task()->call_rcu(delayed_put_task_struct) +implies an RCU gp after the task/pid goes away and before the final put(). + +Test-case: + + mkdir -p /tmp/CG + mount -t cgroup2 none /tmp/CG + echo '+pids' > /tmp/CG/cgroup.subtree_control + + mkdir /tmp/CG/PID + echo 2 > /tmp/CG/PID/pids.max + + perl -e 'while ($p = fork) { wait; } $p // die "fork failed: $!\n"' & + echo $! > /tmp/CG/PID/cgroup.procs + +Without this patch the forking process fails soon after migration. + +Rename cgroup_subsys->free() to cgroup_subsys->release() and move the callsite +into the new helper, cgroup_release(), called by release_task() which actually +frees the pid(s). + +Reported-by: Herton R. Krzesinski +Reported-by: Jan Stancek +Signed-off-by: Oleg Nesterov +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + include/linux/cgroup-defs.h | 2 +- + include/linux/cgroup.h | 2 ++ + kernel/cgroup/cgroup.c | 15 +++++++++------ + kernel/cgroup/pids.c | 4 ++-- + kernel/exit.c | 1 + + 5 files changed, 15 insertions(+), 9 deletions(-) + +diff --git a/include/linux/cgroup-defs.h b/include/linux/cgroup-defs.h +index e7905d9353e8..93a2469a9130 100644 +--- a/include/linux/cgroup-defs.h ++++ b/include/linux/cgroup-defs.h +@@ -523,7 +523,7 @@ struct cgroup_subsys { + void (*cancel_fork)(struct task_struct *task); + void (*fork)(struct task_struct *task); + void (*exit)(struct task_struct *task); +- void (*free)(struct task_struct *task); ++ void (*release)(struct task_struct *task); + void (*bind)(struct cgroup_subsys_state *root_css); + + bool early_init:1; +diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h +index dddbc29e2009..8e83c9055ccb 100644 +--- a/include/linux/cgroup.h ++++ b/include/linux/cgroup.h +@@ -118,6 +118,7 @@ extern int cgroup_can_fork(struct task_struct *p); + extern void cgroup_cancel_fork(struct task_struct *p); + extern void cgroup_post_fork(struct task_struct *p); + void cgroup_exit(struct task_struct *p); ++void cgroup_release(struct task_struct *p); + void cgroup_free(struct task_struct *p); + + int cgroup_init_early(void); +@@ -668,6 +669,7 @@ static inline int cgroup_can_fork(struct task_struct *p) { return 0; } + static inline void cgroup_cancel_fork(struct task_struct *p) {} + static inline void cgroup_post_fork(struct task_struct *p) {} + static inline void cgroup_exit(struct task_struct *p) {} ++static inline void cgroup_release(struct task_struct *p) {} + static inline void cgroup_free(struct task_struct *p) {} + + static inline int cgroup_init_early(void) { return 0; } +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index 7e79358b4473..694b1cc8d144 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -187,7 +187,7 @@ static u64 css_serial_nr_next = 1; + */ + static u16 have_fork_callback __read_mostly; + static u16 have_exit_callback __read_mostly; +-static u16 have_free_callback __read_mostly; ++static u16 have_release_callback __read_mostly; + static u16 have_canfork_callback __read_mostly; + + /* cgroup namespace for init task */ +@@ -5112,7 +5112,7 @@ static void __init cgroup_init_subsys(struct cgroup_subsys *ss, bool early) + + have_fork_callback |= (bool)ss->fork << ss->id; + have_exit_callback |= (bool)ss->exit << ss->id; +- have_free_callback |= (bool)ss->free << ss->id; ++ have_release_callback |= (bool)ss->release << ss->id; + have_canfork_callback |= (bool)ss->can_fork << ss->id; + + /* At system boot, before all subsystems have been +@@ -5546,16 +5546,19 @@ void cgroup_exit(struct task_struct *tsk) + } while_each_subsys_mask(); + } + +-void cgroup_free(struct task_struct *task) ++void cgroup_release(struct task_struct *task) + { +- struct css_set *cset = task_css_set(task); + struct cgroup_subsys *ss; + int ssid; + +- do_each_subsys_mask(ss, ssid, have_free_callback) { +- ss->free(task); ++ do_each_subsys_mask(ss, ssid, have_release_callback) { ++ ss->release(task); + } while_each_subsys_mask(); ++} + ++void cgroup_free(struct task_struct *task) ++{ ++ struct css_set *cset = task_css_set(task); + put_css_set(cset); + } + +diff --git a/kernel/cgroup/pids.c b/kernel/cgroup/pids.c +index 9829c67ebc0a..c9960baaa14f 100644 +--- a/kernel/cgroup/pids.c ++++ b/kernel/cgroup/pids.c +@@ -247,7 +247,7 @@ static void pids_cancel_fork(struct task_struct *task) + pids_uncharge(pids, 1); + } + +-static void pids_free(struct task_struct *task) ++static void pids_release(struct task_struct *task) + { + struct pids_cgroup *pids = css_pids(task_css(task, pids_cgrp_id)); + +@@ -342,7 +342,7 @@ struct cgroup_subsys pids_cgrp_subsys = { + .cancel_attach = pids_cancel_attach, + .can_fork = pids_can_fork, + .cancel_fork = pids_cancel_fork, +- .free = pids_free, ++ .release = pids_release, + .legacy_cftypes = pids_files, + .dfl_cftypes = pids_files, + .threaded = true, +diff --git a/kernel/exit.c b/kernel/exit.c +index 5523fb0c20c8..95ce231ff5e2 100644 +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -218,6 +218,7 @@ repeat: + } + + write_unlock_irq(&tasklist_lock); ++ cgroup_release(p); + release_thread(p); + call_rcu(&p->rcu, delayed_put_task_struct); + +-- +2.19.1 + diff --git a/queue-4.14/cifs-fix-null-pointer-dereference-of-devname.patch b/queue-4.14/cifs-fix-null-pointer-dereference-of-devname.patch new file mode 100644 index 00000000000..5211e19f00b --- /dev/null +++ b/queue-4.14/cifs-fix-null-pointer-dereference-of-devname.patch @@ -0,0 +1,60 @@ +From 34e86237547d403b7ddb00e0ceae0591bb11547d Mon Sep 17 00:00:00 2001 +From: Yao Liu +Date: Mon, 28 Jan 2019 19:47:28 +0800 +Subject: cifs: Fix NULL pointer dereference of devname + +[ Upstream commit 68e2672f8fbd1e04982b8d2798dd318bf2515dd2 ] + +There is a NULL pointer dereference of devname in strspn() + +The oops looks something like: + + CIFS: Attempting to mount (null) + BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 + ... + RIP: 0010:strspn+0x0/0x50 + ... + Call Trace: + ? cifs_parse_mount_options+0x222/0x1710 [cifs] + ? cifs_get_volume_info+0x2f/0x80 [cifs] + cifs_setup_volume_info+0x20/0x190 [cifs] + cifs_get_volume_info+0x50/0x80 [cifs] + cifs_smb3_do_mount+0x59/0x630 [cifs] + ? ida_alloc_range+0x34b/0x3d0 + cifs_do_mount+0x11/0x20 [cifs] + mount_fs+0x52/0x170 + vfs_kern_mount+0x6b/0x170 + do_mount+0x216/0xdc0 + ksys_mount+0x83/0xd0 + __x64_sys_mount+0x25/0x30 + do_syscall_64+0x65/0x220 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fix this by adding a NULL check on devname in cifs_parse_devname() + +Signed-off-by: Yao Liu +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/connect.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 48aa854c564a..33cd844579ae 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -1265,6 +1265,11 @@ cifs_parse_devname(const char *devname, struct smb_vol *vol) + const char *delims = "/\\"; + size_t len; + ++ if (unlikely(!devname || !*devname)) { ++ cifs_dbg(VFS, "Device name not specified.\n"); ++ return -EINVAL; ++ } ++ + /* make sure we have a valid UNC double delimiter prefix */ + len = strspn(devname, delims); + if (len != 2) +-- +2.19.1 + diff --git a/queue-4.14/cifs-fix-posix-lock-leak-and-invalid-ptr-deref.patch b/queue-4.14/cifs-fix-posix-lock-leak-and-invalid-ptr-deref.patch new file mode 100644 index 00000000000..d13344ed57c --- /dev/null +++ b/queue-4.14/cifs-fix-posix-lock-leak-and-invalid-ptr-deref.patch @@ -0,0 +1,147 @@ +From afdd1ea659684e70a9b24f1a04ba2983b3e31be5 Mon Sep 17 00:00:00 2001 +From: Aurelien Aptel +Date: Thu, 14 Mar 2019 18:44:16 +0100 +Subject: CIFS: fix POSIX lock leak and invalid ptr deref + +[ Upstream commit bc31d0cdcfbadb6258b45db97e93b1c83822ba33 ] + +We have a customer reporting crashes in lock_get_status() with many +"Leaked POSIX lock" messages preceeding the crash. + + Leaked POSIX lock on dev=0x0:0x56 ... + Leaked POSIX lock on dev=0x0:0x56 ... + Leaked POSIX lock on dev=0x0:0x56 ... + Leaked POSIX lock on dev=0x0:0x53 ... + Leaked POSIX lock on dev=0x0:0x53 ... + Leaked POSIX lock on dev=0x0:0x53 ... + Leaked POSIX lock on dev=0x0:0x53 ... + POSIX: fl_owner=ffff8900e7b79380 fl_flags=0x1 fl_type=0x1 fl_pid=20709 + Leaked POSIX lock on dev=0x0:0x4b ino... + Leaked locks on dev=0x0:0x4b ino=0xf911400000029: + POSIX: fl_owner=ffff89f41c870e00 fl_flags=0x1 fl_type=0x1 fl_pid=19592 + stack segment: 0000 [#1] SMP + Modules linked in: binfmt_misc msr tcp_diag udp_diag inet_diag unix_diag af_packet_diag netlink_diag rpcsec_gss_krb5 arc4 ecb auth_rpcgss nfsv4 md4 nfs nls_utf8 lockd grace cifs sunrpc ccm dns_resolver fscache af_packet iscsi_ibft iscsi_boot_sysfs vmw_vsock_vmci_transport vsock xfs libcrc32c sb_edac edac_core crct10dif_pclmul crc32_pclmul ghash_clmulni_intel drbg ansi_cprng vmw_balloon aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd joydev pcspkr vmxnet3 i2c_piix4 vmw_vmci shpchp fjes processor button ac btrfs xor raid6_pq sr_mod cdrom ata_generic sd_mod ata_piix vmwgfx crc32c_intel drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm serio_raw ahci libahci drm libata vmw_pvscsi sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua scsi_mod autofs4 + + Supported: Yes + CPU: 6 PID: 28250 Comm: lsof Not tainted 4.4.156-94.64-default #1 + Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 + task: ffff88a345f28740 ti: ffff88c74005c000 task.ti: ffff88c74005c000 + RIP: 0010:[] [] lock_get_status+0x9b/0x3b0 + RSP: 0018:ffff88c74005fd90 EFLAGS: 00010202 + RAX: ffff89bde83e20ae RBX: ffff89e870003d18 RCX: 0000000049534f50 + RDX: ffffffff81a3541f RSI: ffffffff81a3544e RDI: ffff89bde83e20ae + RBP: 0026252423222120 R08: 0000000020584953 R09: 000000000000ffff + R10: 0000000000000000 R11: ffff88c74005fc70 R12: ffff89e5ca7b1340 + R13: 00000000000050e5 R14: ffff89e870003d30 R15: ffff89e5ca7b1340 + FS: 00007fafd64be800(0000) GS:ffff89f41fd00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000001c80018 CR3: 000000a522048000 CR4: 0000000000360670 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Stack: + 0000000000000208 ffffffff81a3d6b6 ffff89e870003d30 ffff89e870003d18 + ffff89e5ca7b1340 ffff89f41738d7c0 ffff89e870003d30 ffff89e5ca7b1340 + ffffffff8125e08f 0000000000000000 ffff89bc22b67d00 ffff88c74005ff28 + Call Trace: + [] locks_show+0x2f/0x70 + [] seq_read+0x251/0x3a0 + [] proc_reg_read+0x3c/0x70 + [] __vfs_read+0x26/0x140 + [] vfs_read+0x7a/0x120 + [] SyS_read+0x42/0xa0 + [] entry_SYSCALL_64_fastpath+0x1e/0xb7 + +When Linux closes a FD (close(), close-on-exec, dup2(), ...) it calls +filp_close() which also removes all posix locks. + +The lock struct is initialized like so in filp_close() and passed +down to cifs + + ... + lock.fl_type = F_UNLCK; + lock.fl_flags = FL_POSIX | FL_CLOSE; + lock.fl_start = 0; + lock.fl_end = OFFSET_MAX; + ... + +Note the FL_CLOSE flag, which hints the VFS code that this unlocking +is done for closing the fd. + +filp_close() + locks_remove_posix(filp, id); + vfs_lock_file(filp, F_SETLK, &lock, NULL); + return filp->f_op->lock(filp, cmd, fl) => cifs_lock() + rc = cifs_setlk(file, flock, type, wait_flag, posix_lck, lock, unlock, xid); + rc = server->ops->mand_unlock_range(cfile, flock, xid); + if (flock->fl_flags & FL_POSIX && !rc) + rc = locks_lock_file_wait(file, flock) + +Notice how we don't call locks_lock_file_wait() which does the +generic VFS lock/unlock/wait work on the inode if rc != 0. + +If we are closing the handle, the SMB server is supposed to remove any +locks associated with it. Similarly, cifs.ko frees and wakes up any +lock and lock waiter when closing the file: + +cifs_close() + cifsFileInfo_put(file->private_data) + /* + * Delete any outstanding lock records. We'll lose them when the file + * is closed anyway. + */ + down_write(&cifsi->lock_sem); + list_for_each_entry_safe(li, tmp, &cifs_file->llist->locks, llist) { + list_del(&li->llist); + cifs_del_lock_waiters(li); + kfree(li); + } + list_del(&cifs_file->llist->llist); + kfree(cifs_file->llist); + up_write(&cifsi->lock_sem); + +So we can safely ignore unlocking failures in cifs_lock() if they +happen with the FL_CLOSE flag hint set as both the server and the +client take care of it during the actual closing. + +This is not a proper fix for the unlocking failure but it's safe and +it seems to prevent the lock leakages and crashes the customer +experiences. + +Signed-off-by: Aurelien Aptel +Signed-off-by: NeilBrown +Signed-off-by: Steve French +Acked-by: Pavel Shilovsky +Signed-off-by: Sasha Levin +--- + fs/cifs/file.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index 72d6f4db9bdc..cd69c1e9750f 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -1631,8 +1631,20 @@ cifs_setlk(struct file *file, struct file_lock *flock, __u32 type, + rc = server->ops->mand_unlock_range(cfile, flock, xid); + + out: +- if (flock->fl_flags & FL_POSIX && !rc) ++ if (flock->fl_flags & FL_POSIX) { ++ /* ++ * If this is a request to remove all locks because we ++ * are closing the file, it doesn't matter if the ++ * unlocking failed as both cifs.ko and the SMB server ++ * remove the lock on file close ++ */ ++ if (rc) { ++ cifs_dbg(VFS, "%s failed rc=%d\n", __func__, rc); ++ if (!(flock->fl_flags & FL_CLOSE)) ++ return rc; ++ } + rc = locks_lock_file_wait(file, flock); ++ } + return rc; + } + +-- +2.19.1 + diff --git a/queue-4.14/cifs-use-correct-format-characters.patch b/queue-4.14/cifs-use-correct-format-characters.patch new file mode 100644 index 00000000000..577754fa17a --- /dev/null +++ b/queue-4.14/cifs-use-correct-format-characters.patch @@ -0,0 +1,80 @@ +From ff782d97289be6bdbb0f3a59c9243432b830271b Mon Sep 17 00:00:00 2001 +From: Louis Taylor +Date: Wed, 27 Feb 2019 22:25:15 +0000 +Subject: cifs: use correct format characters + +[ Upstream commit 259594bea574e515a148171b5cd84ce5cbdc028a ] + +When compiling with -Wformat, clang emits the following warnings: + +fs/cifs/smb1ops.c:312:20: warning: format specifies type 'unsigned +short' but the argument has type 'unsigned int' [-Wformat] + tgt_total_cnt, total_in_tgt); + ^~~~~~~~~~~~ + +fs/cifs/cifs_dfs_ref.c:289:4: warning: format specifies type 'short' +but the argument has type 'int' [-Wformat] + ref->flags, ref->server_type); + ^~~~~~~~~~ + +fs/cifs/cifs_dfs_ref.c:289:16: warning: format specifies type 'short' +but the argument has type 'int' [-Wformat] + ref->flags, ref->server_type); + ^~~~~~~~~~~~~~~~ + +fs/cifs/cifs_dfs_ref.c:291:4: warning: format specifies type 'short' +but the argument has type 'int' [-Wformat] + ref->ref_flag, ref->path_consumed); + ^~~~~~~~~~~~~ + +fs/cifs/cifs_dfs_ref.c:291:19: warning: format specifies type 'short' +but the argument has type 'int' [-Wformat] + ref->ref_flag, ref->path_consumed); + ^~~~~~~~~~~~~~~~~~ +The types of these arguments are unconditionally defined, so this patch +updates the format character to the correct ones for ints and unsigned +ints. + +Link: https://github.com/ClangBuiltLinux/linux/issues/378 + +Signed-off-by: Louis Taylor +Signed-off-by: Steve French +Reviewed-by: Nick Desaulniers +Signed-off-by: Sasha Levin +--- + fs/cifs/cifs_dfs_ref.c | 4 ++-- + fs/cifs/smb1ops.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c +index 6b61df117fd4..563e2f6268c3 100644 +--- a/fs/cifs/cifs_dfs_ref.c ++++ b/fs/cifs/cifs_dfs_ref.c +@@ -271,9 +271,9 @@ static void dump_referral(const struct dfs_info3_param *ref) + { + cifs_dbg(FYI, "DFS: ref path: %s\n", ref->path_name); + cifs_dbg(FYI, "DFS: node path: %s\n", ref->node_name); +- cifs_dbg(FYI, "DFS: fl: %hd, srv_type: %hd\n", ++ cifs_dbg(FYI, "DFS: fl: %d, srv_type: %d\n", + ref->flags, ref->server_type); +- cifs_dbg(FYI, "DFS: ref_flags: %hd, path_consumed: %hd\n", ++ cifs_dbg(FYI, "DFS: ref_flags: %d, path_consumed: %d\n", + ref->ref_flag, ref->path_consumed); + } + +diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c +index d8cd82001c1c..f50d3d0b9b87 100644 +--- a/fs/cifs/smb1ops.c ++++ b/fs/cifs/smb1ops.c +@@ -306,7 +306,7 @@ coalesce_t2(char *second_buf, struct smb_hdr *target_hdr) + remaining = tgt_total_cnt - total_in_tgt; + + if (remaining < 0) { +- cifs_dbg(FYI, "Server sent too much data. tgt_total_cnt=%hu total_in_tgt=%hu\n", ++ cifs_dbg(FYI, "Server sent too much data. tgt_total_cnt=%hu total_in_tgt=%u\n", + tgt_total_cnt, total_in_tgt); + return -EPROTO; + } +-- +2.19.1 + diff --git a/queue-4.14/clk-fractional-divider-check-parent-rate-only-if-fla.patch b/queue-4.14/clk-fractional-divider-check-parent-rate-only-if-fla.patch new file mode 100644 index 00000000000..2749dd0cfb9 --- /dev/null +++ b/queue-4.14/clk-fractional-divider-check-parent-rate-only-if-fla.patch @@ -0,0 +1,104 @@ +From 987810fdd237206e07c8df6a183a0f874a0cec63 Mon Sep 17 00:00:00 2001 +From: Katsuhiro Suzuki +Date: Mon, 11 Feb 2019 00:38:06 +0900 +Subject: clk: fractional-divider: check parent rate only if flag is set + +[ Upstream commit d13501a2bedfbea0983cc868d3f1dc692627f60d ] + +Custom approximation of fractional-divider may not need parent clock +rate checking. For example Rockchip SoCs work fine using grand parent +clock rate even if target rate is greater than parent. + +This patch checks parent clock rate only if CLK_SET_RATE_PARENT flag +is set. + +For detailed example, clock tree of Rockchip I2S audio hardware. + - Clock rate of CPLL is 1.2GHz, GPLL is 491.52MHz. + - i2s1_div is integer divider can divide N (N is 1~128). + Input clock is CPLL or GPLL. Initial divider value is N = 1. + Ex) PLL = CPLL, N = 10, i2s1_div output rate is + CPLL / 10 = 1.2GHz / 10 = 120MHz + - i2s1_frac is fractional divider can divide input to x/y, x and + y are 16bit integer. + +CPLL --> | selector | ---> i2s1_div -+--> | selector | --> I2S1 MCLK +GPLL --> | | ,--------------' | | + `--> i2s1_frac ---> | | + +Clock mux system try to choose suitable one from i2s1_div and +i2s1_frac for master clock (MCLK) of I2S1. + +Bad scenario as follows: + - Try to set MCLK to 8.192MHz (32kHz audio replay) + Candidate setting is + - i2s1_div: GPLL / 60 = 8.192MHz + i2s1_div candidate is exactly same as target clock rate, so mux + choose this clock source. i2s1_div output rate is changed + 491.52MHz -> 8.192MHz + + - After that try to set to 11.2896MHz (44.1kHz audio replay) + Candidate settings are + - i2s1_div : CPLL / 107 = 11.214945MHz + - i2s1_frac: i2s1_div = 8.192MHz + This is because clk_fd_round_rate() thinks target rate + (11.2896MHz) is higher than parent rate (i2s1_div = 8.192MHz) + and returns parent clock rate. + +Above is current upstreamed behavior. Clock mux system choose +i2s1_div, but this clock rate is not acceptable for I2S driver, so +users cannot replay audio. + +Expected behavior is: + - Try to set master clock to 11.2896MHz (44.1kHz audio replay) + Candidate settings are + - i2s1_div : CPLL / 107 = 11.214945MHz + - i2s1_frac: i2s1_div * 147/6400 = 11.2896MHz + Change i2s1_div to GPLL / 1 = 491.52MHz at same + time. + +If apply this commit, clk_fd_round_rate() calls custom approximate +function of Rockchip even if target rate is higher than parent. +Custom function changes both grand parent (i2s1_div) and parent +(i2s_frac) settings at same time. Clock mux system can choose +i2s1_frac and audio works fine. + +Signed-off-by: Katsuhiro Suzuki +Reviewed-by: Heiko Stuebner +[sboyd@kernel.org: Make function into a macro instead] +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-fractional-divider.c | 2 +- + include/linux/clk-provider.h | 3 +++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/clk-fractional-divider.c b/drivers/clk/clk-fractional-divider.c +index fdf625fb10fa..083daa293280 100644 +--- a/drivers/clk/clk-fractional-divider.c ++++ b/drivers/clk/clk-fractional-divider.c +@@ -77,7 +77,7 @@ static long clk_fd_round_rate(struct clk_hw *hw, unsigned long rate, + unsigned long m, n; + u64 ret; + +- if (!rate || rate >= *parent_rate) ++ if (!rate || (!clk_hw_can_set_rate_parent(hw) && rate >= *parent_rate)) + return *parent_rate; + + if (fd->approximation) +diff --git a/include/linux/clk-provider.h b/include/linux/clk-provider.h +index 2f4e79fe7b86..3eb3376f1cc8 100644 +--- a/include/linux/clk-provider.h ++++ b/include/linux/clk-provider.h +@@ -743,6 +743,9 @@ unsigned int __clk_get_enable_count(struct clk *clk); + unsigned long clk_hw_get_rate(const struct clk_hw *hw); + unsigned long __clk_get_flags(struct clk *clk); + unsigned long clk_hw_get_flags(const struct clk_hw *hw); ++#define clk_hw_can_set_rate_parent(hw) \ ++ (clk_hw_get_flags((hw)) & CLK_SET_RATE_PARENT) ++ + bool clk_hw_is_prepared(const struct clk_hw *hw); + bool clk_hw_is_enabled(const struct clk_hw *hw); + bool __clk_is_enabled(struct clk *clk); +-- +2.19.1 + diff --git a/queue-4.14/clk-rockchip-fix-frac-settings-of-gpll-clock-for-rk3.patch b/queue-4.14/clk-rockchip-fix-frac-settings-of-gpll-clock-for-rk3.patch new file mode 100644 index 00000000000..695c959b37b --- /dev/null +++ b/queue-4.14/clk-rockchip-fix-frac-settings-of-gpll-clock-for-rk3.patch @@ -0,0 +1,65 @@ +From 1a85da412d03f4a8e2ede01c68985cb35019fea7 Mon Sep 17 00:00:00 2001 +From: Katsuhiro Suzuki +Date: Sun, 23 Dec 2018 01:42:49 +0900 +Subject: clk: rockchip: fix frac settings of GPLL clock for rk3328 + +[ Upstream commit a0e447b0c50240a90ab84b7126b3c06b0bab4adc ] + +This patch fixes settings of GPLL frequency in fractional mode for +rk3328. In this mode, FOUTVCO is calcurated by following formula: + FOUTVCO = FREF * FBDIV / REFDIV + ((FREF * FRAC / REFDIV) >> 24) + +The problem is in FREF * FRAC >> 24 term. This result always lacks +one from target value is specified by rate member. For example first +itme of rk3328_pll_frac_rate originally has + - rate : 1016064000 + - refdiv: 3 + - fbdiv : 127 + - frac : 134217 + - FREF * FBDIV / REFDIV = 1016000000 + - (FREF * FRAC / REFDIV) >> 24 = 63999 +Thus calculated rate is 1016063999. It seems wrong. + +If frac has 134218 (it is increased 1 from original value), second +term is 64000. All other items have same situation. So this patch +adds 1 to frac member in all items of rk3328_pll_frac_rate. + +Signed-off-by: Katsuhiro Suzuki +Acked-by: Elaine Zhang +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-rk3328.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/clk/rockchip/clk-rk3328.c b/drivers/clk/rockchip/clk-rk3328.c +index b04f29774ee7..559abf76891e 100644 +--- a/drivers/clk/rockchip/clk-rk3328.c ++++ b/drivers/clk/rockchip/clk-rk3328.c +@@ -78,17 +78,17 @@ static struct rockchip_pll_rate_table rk3328_pll_rates[] = { + + static struct rockchip_pll_rate_table rk3328_pll_frac_rates[] = { + /* _mhz, _refdiv, _fbdiv, _postdiv1, _postdiv2, _dsmpd, _frac */ +- RK3036_PLL_RATE(1016064000, 3, 127, 1, 1, 0, 134217), ++ RK3036_PLL_RATE(1016064000, 3, 127, 1, 1, 0, 134218), + /* vco = 1016064000 */ +- RK3036_PLL_RATE(983040000, 24, 983, 1, 1, 0, 671088), ++ RK3036_PLL_RATE(983040000, 24, 983, 1, 1, 0, 671089), + /* vco = 983040000 */ +- RK3036_PLL_RATE(491520000, 24, 983, 2, 1, 0, 671088), ++ RK3036_PLL_RATE(491520000, 24, 983, 2, 1, 0, 671089), + /* vco = 983040000 */ +- RK3036_PLL_RATE(61440000, 6, 215, 7, 2, 0, 671088), ++ RK3036_PLL_RATE(61440000, 6, 215, 7, 2, 0, 671089), + /* vco = 860156000 */ +- RK3036_PLL_RATE(56448000, 12, 451, 4, 4, 0, 9797894), ++ RK3036_PLL_RATE(56448000, 12, 451, 4, 4, 0, 9797895), + /* vco = 903168000 */ +- RK3036_PLL_RATE(40960000, 12, 409, 4, 5, 0, 10066329), ++ RK3036_PLL_RATE(40960000, 12, 409, 4, 5, 0, 10066330), + /* vco = 819200000 */ + { /* sentinel */ }, + }; +-- +2.19.1 + diff --git a/queue-4.14/coresight-etm4x-add-support-to-enable-etmv4.2.patch b/queue-4.14/coresight-etm4x-add-support-to-enable-etmv4.2.patch new file mode 100644 index 00000000000..a6849591099 --- /dev/null +++ b/queue-4.14/coresight-etm4x-add-support-to-enable-etmv4.2.patch @@ -0,0 +1,64 @@ +From 87e35b85d6f861616e46cc4bc31ed4b057c5c68c Mon Sep 17 00:00:00 2001 +From: Sai Prakash Ranjan +Date: Mon, 25 Feb 2019 10:54:01 -0700 +Subject: coresight: etm4x: Add support to enable ETMv4.2 + +[ Upstream commit 5666dfd1d8a45a167f0d8b4ef47ea7f780b1f24a ] + +SDM845 has ETMv4.2 and can use the existing etm4x driver. +But the current etm driver checks only for ETMv4.0 and +errors out for other etm4x versions. This patch adds this +missing support to enable SoC's with ETMv4x to use same +driver by checking only the ETM architecture major version +number. + +Without this change, we get below error during etm probe: + +/ # dmesg | grep etm +[ 6.660093] coresight-etm4x: probe of 7040000.etm failed with error -22 +[ 6.666902] coresight-etm4x: probe of 7140000.etm failed with error -22 +[ 6.673708] coresight-etm4x: probe of 7240000.etm failed with error -22 +[ 6.680511] coresight-etm4x: probe of 7340000.etm failed with error -22 +[ 6.687313] coresight-etm4x: probe of 7440000.etm failed with error -22 +[ 6.694113] coresight-etm4x: probe of 7540000.etm failed with error -22 +[ 6.700914] coresight-etm4x: probe of 7640000.etm failed with error -22 +[ 6.707717] coresight-etm4x: probe of 7740000.etm failed with error -22 + +With this change, etm probe is successful: + +/ # dmesg | grep etm +[ 6.659198] coresight-etm4x 7040000.etm: CPU0: ETM v4.2 initialized +[ 6.665848] coresight-etm4x 7140000.etm: CPU1: ETM v4.2 initialized +[ 6.672493] coresight-etm4x 7240000.etm: CPU2: ETM v4.2 initialized +[ 6.679129] coresight-etm4x 7340000.etm: CPU3: ETM v4.2 initialized +[ 6.685770] coresight-etm4x 7440000.etm: CPU4: ETM v4.2 initialized +[ 6.692403] coresight-etm4x 7540000.etm: CPU5: ETM v4.2 initialized +[ 6.699024] coresight-etm4x 7640000.etm: CPU6: ETM v4.2 initialized +[ 6.705646] coresight-etm4x 7740000.etm: CPU7: ETM v4.2 initialized + +Signed-off-by: Sai Prakash Ranjan +Reviewed-by: Suzuki K Poulose +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-etm4x.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwtracing/coresight/coresight-etm4x.c b/drivers/hwtracing/coresight/coresight-etm4x.c +index 5a1a14bcae72..78cb3b8881fa 100644 +--- a/drivers/hwtracing/coresight/coresight-etm4x.c ++++ b/drivers/hwtracing/coresight/coresight-etm4x.c +@@ -61,7 +61,8 @@ static void etm4_os_unlock(struct etmv4_drvdata *drvdata) + + static bool etm4_arch_supported(u8 arch) + { +- switch (arch) { ++ /* Mask out the minor version number */ ++ switch (arch & 0xf0) { + case ETM_ARCH_V4: + break; + default: +-- +2.19.1 + diff --git a/queue-4.14/cpu-hotplug-mute-hotplug-lockdep-during-init.patch b/queue-4.14/cpu-hotplug-mute-hotplug-lockdep-during-init.patch new file mode 100644 index 00000000000..c7015437035 --- /dev/null +++ b/queue-4.14/cpu-hotplug-mute-hotplug-lockdep-during-init.patch @@ -0,0 +1,101 @@ +From d8cf7203188eb47a72219598e0f3a1940d39c71b Mon Sep 17 00:00:00 2001 +From: Valentin Schneider +Date: Wed, 19 Dec 2018 18:23:15 +0000 +Subject: cpu/hotplug: Mute hotplug lockdep during init + +[ Upstream commit ce48c457b95316b9a01b5aa9d4456ce820df94b4 ] + +Since we've had: + + commit cb538267ea1e ("jump_label/lockdep: Assert we hold the hotplug lock for _cpuslocked() operations") + +we've been getting some lockdep warnings during init, such as on HiKey960: + +[ 0.820495] WARNING: CPU: 4 PID: 0 at kernel/cpu.c:316 lockdep_assert_cpus_held+0x3c/0x48 +[ 0.820498] Modules linked in: +[ 0.820509] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G S 4.20.0-rc5-00051-g4cae42a #34 +[ 0.820511] Hardware name: HiKey960 (DT) +[ 0.820516] pstate: 600001c5 (nZCv dAIF -PAN -UAO) +[ 0.820520] pc : lockdep_assert_cpus_held+0x3c/0x48 +[ 0.820523] lr : lockdep_assert_cpus_held+0x38/0x48 +[ 0.820526] sp : ffff00000a9cbe50 +[ 0.820528] x29: ffff00000a9cbe50 x28: 0000000000000000 +[ 0.820533] x27: 00008000b69e5000 x26: ffff8000bff4cfe0 +[ 0.820537] x25: ffff000008ba69e0 x24: 0000000000000001 +[ 0.820541] x23: ffff000008fce000 x22: ffff000008ba70c8 +[ 0.820545] x21: 0000000000000001 x20: 0000000000000003 +[ 0.820548] x19: ffff00000a35d628 x18: ffffffffffffffff +[ 0.820552] x17: 0000000000000000 x16: 0000000000000000 +[ 0.820556] x15: ffff00000958f848 x14: 455f3052464d4d34 +[ 0.820559] x13: 00000000769dde98 x12: ffff8000bf3f65a8 +[ 0.820564] x11: 0000000000000000 x10: ffff00000958f848 +[ 0.820567] x9 : ffff000009592000 x8 : ffff00000958f848 +[ 0.820571] x7 : ffff00000818ffa0 x6 : 0000000000000000 +[ 0.820574] x5 : 0000000000000000 x4 : 0000000000000001 +[ 0.820578] x3 : 0000000000000000 x2 : 0000000000000001 +[ 0.820582] x1 : 00000000ffffffff x0 : 0000000000000000 +[ 0.820587] Call trace: +[ 0.820591] lockdep_assert_cpus_held+0x3c/0x48 +[ 0.820598] static_key_enable_cpuslocked+0x28/0xd0 +[ 0.820606] arch_timer_check_ool_workaround+0xe8/0x228 +[ 0.820610] arch_timer_starting_cpu+0xe4/0x2d8 +[ 0.820615] cpuhp_invoke_callback+0xe8/0xd08 +[ 0.820619] notify_cpu_starting+0x80/0xb8 +[ 0.820625] secondary_start_kernel+0x118/0x1d0 + +We've also had a similar warning in sched_init_smp() for every +asymmetric system that would enable the sched_asym_cpucapacity static +key, although that was singled out in: + + commit 40fa3780bac2 ("sched/core: Take the hotplug lock in sched_init_smp()") + +Those warnings are actually harmless, since we cannot have hotplug +operations at the time they appear. Instead of starting to sprinkle +useless hotplug lock operations in the init codepaths, mute the +warnings until they start warning about real problems. + +Suggested-by: Peter Zijlstra +Signed-off-by: Valentin Schneider +Signed-off-by: Peter Zijlstra (Intel) +Cc: Andrew Morton +Cc: Linus Torvalds +Cc: Paul E. McKenney +Cc: Thomas Gleixner +Cc: Will Deacon +Cc: cai@gmx.us +Cc: daniel.lezcano@linaro.org +Cc: dietmar.eggemann@arm.com +Cc: linux-arm-kernel@lists.infradead.org +Cc: longman@redhat.com +Cc: marc.zyngier@arm.com +Cc: mark.rutland@arm.com +Link: https://lkml.kernel.org/r/1545243796-23224-2-git-send-email-valentin.schneider@arm.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/cpu.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/kernel/cpu.c b/kernel/cpu.c +index 32f0432f0c26..8c350dd81581 100644 +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -314,6 +314,15 @@ void cpus_write_unlock(void) + + void lockdep_assert_cpus_held(void) + { ++ /* ++ * We can't have hotplug operations before userspace starts running, ++ * and some init codepaths will knowingly not take the hotplug lock. ++ * This is all valid, so mute lockdep until it makes sense to report ++ * unheld locks. ++ */ ++ if (system_state < SYSTEM_RUNNING) ++ return; ++ + percpu_rwsem_assert_held(&cpu_hotplug_lock); + } + +-- +2.19.1 + diff --git a/queue-4.14/cpufreq-acpi-cpufreq-report-if-cpu-doesn-t-support-b.patch b/queue-4.14/cpufreq-acpi-cpufreq-report-if-cpu-doesn-t-support-b.patch new file mode 100644 index 00000000000..d558c93b753 --- /dev/null +++ b/queue-4.14/cpufreq-acpi-cpufreq-report-if-cpu-doesn-t-support-b.patch @@ -0,0 +1,49 @@ +From e4e3f7ee547a6e38f3a89816e14011724f04bb1c Mon Sep 17 00:00:00 2001 +From: Erwan Velu +Date: Wed, 20 Feb 2019 11:10:17 +0100 +Subject: cpufreq: acpi-cpufreq: Report if CPU doesn't support boost + technologies + +[ Upstream commit 1222d527f314c86a3b59a522115d62facc5a7965 ] + +There is some rare cases where CPB (and possibly IDA) are missing on +processors. + +This is the case fixed by commit f7f3dc00f612 ("x86/cpu/AMD: Fix +erratum 1076 (CPB bit)") and following. + +In such context, the boost status isn't reported by +/sys/devices/system/cpu/cpufreq/boost. + +This commit is about printing a message to report that the CPU +doesn't expose the boost capabilities. + +This message could help debugging platforms hit by this phenomena. + +Signed-off-by: Erwan Velu +[ rjw: Change the message text somewhat ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/acpi-cpufreq.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c +index d0c34df0529c..51a3c15ace09 100644 +--- a/drivers/cpufreq/acpi-cpufreq.c ++++ b/drivers/cpufreq/acpi-cpufreq.c +@@ -909,8 +909,10 @@ static void __init acpi_cpufreq_boost_init(void) + { + int ret; + +- if (!(boot_cpu_has(X86_FEATURE_CPB) || boot_cpu_has(X86_FEATURE_IDA))) ++ if (!(boot_cpu_has(X86_FEATURE_CPB) || boot_cpu_has(X86_FEATURE_IDA))) { ++ pr_debug("Boost capabilities not present in the processor\n"); + return; ++ } + + acpi_cpufreq_driver.set_boost = set_boost; + acpi_cpufreq_driver.boost_enabled = boost_state(0); +-- +2.19.1 + diff --git a/queue-4.14/crypto-cavium-zip-fix-collision-with-generic-cra_dri.patch b/queue-4.14/crypto-cavium-zip-fix-collision-with-generic-cra_dri.patch new file mode 100644 index 00000000000..1dff6acaa1d --- /dev/null +++ b/queue-4.14/crypto-cavium-zip-fix-collision-with-generic-cra_dri.patch @@ -0,0 +1,68 @@ +From ee704ef85b33be27f4c590c8bdc966c07d873ab7 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sat, 23 Feb 2019 00:23:23 -0800 +Subject: crypto: cavium/zip - fix collision with generic cra_driver_name + +[ Upstream commit 41798036430015ad45137db2d4c213cd77fd0251 ] + +The cavium/zip implementation of the deflate compression algorithm is +incorrectly being registered under the generic driver name, which +prevents the generic implementation from being registered with the +crypto API when CONFIG_CRYPTO_DEV_CAVIUM_ZIP=y. Similarly the lzs +algorithm (which does not currently have a generic implementation...) +is incorrectly being registered as lzs-generic. + +Fix the naming collision by adding a suffix "-cavium" to the +cra_driver_name of the cavium/zip algorithms. + +Fixes: 640035a2dc55 ("crypto: zip - Add ThunderX ZIP driver core") +Cc: Mahipal Challa +Cc: Jan Glauber +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/cavium/zip/zip_main.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/cavium/zip/zip_main.c b/drivers/crypto/cavium/zip/zip_main.c +index 1cd8aa488185..a6425a7afa7b 100644 +--- a/drivers/crypto/cavium/zip/zip_main.c ++++ b/drivers/crypto/cavium/zip/zip_main.c +@@ -351,6 +351,7 @@ static struct pci_driver zip_driver = { + + static struct crypto_alg zip_comp_deflate = { + .cra_name = "deflate", ++ .cra_driver_name = "deflate-cavium", + .cra_flags = CRYPTO_ALG_TYPE_COMPRESS, + .cra_ctxsize = sizeof(struct zip_kernel_ctx), + .cra_priority = 300, +@@ -365,6 +366,7 @@ static struct crypto_alg zip_comp_deflate = { + + static struct crypto_alg zip_comp_lzs = { + .cra_name = "lzs", ++ .cra_driver_name = "lzs-cavium", + .cra_flags = CRYPTO_ALG_TYPE_COMPRESS, + .cra_ctxsize = sizeof(struct zip_kernel_ctx), + .cra_priority = 300, +@@ -384,7 +386,7 @@ static struct scomp_alg zip_scomp_deflate = { + .decompress = zip_scomp_decompress, + .base = { + .cra_name = "deflate", +- .cra_driver_name = "deflate-scomp", ++ .cra_driver_name = "deflate-scomp-cavium", + .cra_module = THIS_MODULE, + .cra_priority = 300, + } +@@ -397,7 +399,7 @@ static struct scomp_alg zip_scomp_lzs = { + .decompress = zip_scomp_decompress, + .base = { + .cra_name = "lzs", +- .cra_driver_name = "lzs-scomp", ++ .cra_driver_name = "lzs-scomp-cavium", + .cra_module = THIS_MODULE, + .cra_priority = 300, + } +-- +2.19.1 + diff --git a/queue-4.14/crypto-crypto4xx-add-missing-of_node_put-after-of_de.patch b/queue-4.14/crypto-crypto4xx-add-missing-of_node_put-after-of_de.patch new file mode 100644 index 00000000000..b1849a63be6 --- /dev/null +++ b/queue-4.14/crypto-crypto4xx-add-missing-of_node_put-after-of_de.patch @@ -0,0 +1,63 @@ +From d4fd7535d0d5d181e52a5f61f063d4c07a080357 Mon Sep 17 00:00:00 2001 +From: Julia Lawall +Date: Sat, 23 Feb 2019 14:20:39 +0100 +Subject: crypto: crypto4xx - add missing of_node_put after + of_device_is_available + +[ Upstream commit 8c2b43d2d85b48a97d2f8279278a4aac5b45f925 ] + +Add an of_node_put when a tested device node is not available. + +The semantic patch that fixes this problem is as follows +(http://coccinelle.lip6.fr): + +// +@@ +identifier f; +local idexpression e; +expression x; +@@ + +e = f(...); +... when != of_node_put(e) + when != x = e + when != e = x + when any +if (<+...of_device_is_available(e)...+>) { + ... when != of_node_put(e) +( + return e; +| ++ of_node_put(e); + return ...; +) +} +// + +Fixes: 5343e674f32fb ("crypto4xx: integrate ppc4xx-rng into crypto4xx") +Signed-off-by: Julia Lawall +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/amcc/crypto4xx_trng.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/amcc/crypto4xx_trng.c b/drivers/crypto/amcc/crypto4xx_trng.c +index 677ca17fd223..368c5599515e 100644 +--- a/drivers/crypto/amcc/crypto4xx_trng.c ++++ b/drivers/crypto/amcc/crypto4xx_trng.c +@@ -80,8 +80,10 @@ void ppc4xx_trng_probe(struct crypto4xx_core_device *core_dev) + + /* Find the TRNG device node and map it */ + trng = of_find_matching_node(NULL, ppc4xx_trng_match); +- if (!trng || !of_device_is_available(trng)) ++ if (!trng || !of_device_is_available(trng)) { ++ of_node_put(trng); + return; ++ } + + dev->trng_base = of_iomap(trng, 0); + of_node_put(trng); +-- +2.19.1 + diff --git a/queue-4.14/dm-thin-add-sanity-checks-to-thin-pool-and-external-.patch b/queue-4.14/dm-thin-add-sanity-checks-to-thin-pool-and-external-.patch new file mode 100644 index 00000000000..384da341b38 --- /dev/null +++ b/queue-4.14/dm-thin-add-sanity-checks-to-thin-pool-and-external-.patch @@ -0,0 +1,111 @@ +From 89b794eb452cfe6b3b14054e0628257d07bb4afa Mon Sep 17 00:00:00 2001 +From: "Jason Cai (Xiang Feng)" +Date: Sun, 20 Jan 2019 22:39:13 +0800 +Subject: dm thin: add sanity checks to thin-pool and external snapshot + creation + +[ Upstream commit 70de2cbda8a5d788284469e755f8b097d339c240 ] + +Invoking dm_get_device() twice on the same device path with different +modes is dangerous. Because in that case, upgrade_mode() will alloc a +new 'dm_dev' and free the old one, which may be referenced by a previous +caller. Dereferencing the dangling pointer will trigger kernel NULL +pointer dereference. + +The following two cases can reproduce this issue. Actually, they are +invalid setups that must be disallowed, e.g.: + +1. Creating a thin-pool with read_only mode, and the same device as +both metadata and data. + +dmsetup create thinp --table \ + "0 41943040 thin-pool /dev/vdb /dev/vdb 128 0 1 read_only" + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000080 +... +Call Trace: + new_read+0xfb/0x110 [dm_bufio] + dm_bm_read_lock+0x43/0x190 [dm_persistent_data] + ? kmem_cache_alloc_trace+0x15c/0x1e0 + __create_persistent_data_objects+0x65/0x3e0 [dm_thin_pool] + dm_pool_metadata_open+0x8c/0xf0 [dm_thin_pool] + pool_ctr.cold.79+0x213/0x913 [dm_thin_pool] + ? realloc_argv+0x50/0x70 [dm_mod] + dm_table_add_target+0x14e/0x330 [dm_mod] + table_load+0x122/0x2e0 [dm_mod] + ? dev_status+0x40/0x40 [dm_mod] + ctl_ioctl+0x1aa/0x3e0 [dm_mod] + dm_ctl_ioctl+0xa/0x10 [dm_mod] + do_vfs_ioctl+0xa2/0x600 + ? handle_mm_fault+0xda/0x200 + ? __do_page_fault+0x26c/0x4f0 + ksys_ioctl+0x60/0x90 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x55/0x150 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +2. Creating a external snapshot using the same thin-pool device. + +dmsetup create thinp --table \ + "0 41943040 thin-pool /dev/vdc /dev/vdb 128 0 2 ignore_discard" +dmsetup message /dev/mapper/thinp 0 "create_thin 0" +dmsetup create snap --table \ + "0 204800 thin /dev/mapper/thinp 0 /dev/mapper/thinp" + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 +... +Call Trace: +? __alloc_pages_nodemask+0x13c/0x2e0 +retrieve_status+0xa5/0x1f0 [dm_mod] +? dm_get_live_or_inactive_table.isra.7+0x20/0x20 [dm_mod] + table_status+0x61/0xa0 [dm_mod] + ctl_ioctl+0x1aa/0x3e0 [dm_mod] + dm_ctl_ioctl+0xa/0x10 [dm_mod] + do_vfs_ioctl+0xa2/0x600 + ksys_ioctl+0x60/0x90 + ? ksys_write+0x4f/0xb0 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x55/0x150 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Signed-off-by: Jason Cai (Xiang Feng) +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-thin.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c +index 18d6a8a10d5d..aa7795990989 100644 +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -3292,6 +3292,13 @@ static int pool_ctr(struct dm_target *ti, unsigned argc, char **argv) + as.argc = argc; + as.argv = argv; + ++ /* make sure metadata and data are different devices */ ++ if (!strcmp(argv[0], argv[1])) { ++ ti->error = "Error setting metadata or data device"; ++ r = -EINVAL; ++ goto out_unlock; ++ } ++ + /* + * Set default pool features. + */ +@@ -4173,6 +4180,12 @@ static int thin_ctr(struct dm_target *ti, unsigned argc, char **argv) + tc->sort_bio_list = RB_ROOT; + + if (argc == 3) { ++ if (!strcmp(argv[0], argv[2])) { ++ ti->error = "Error setting origin device"; ++ r = -EINVAL; ++ goto bad_origin_dev; ++ } ++ + r = dm_get_device(ti, argv[2], FMODE_READ, &origin_dev); + if (r) { + ti->error = "Error opening origin device"; +-- +2.19.1 + diff --git a/queue-4.14/dmaengine-imx-dma-fix-warning-comparison-of-distinct.patch b/queue-4.14/dmaengine-imx-dma-fix-warning-comparison-of-distinct.patch new file mode 100644 index 00000000000..7371c097ea3 --- /dev/null +++ b/queue-4.14/dmaengine-imx-dma-fix-warning-comparison-of-distinct.patch @@ -0,0 +1,60 @@ +From e840b32e4d094d7d2d5fb6f16c278355bce36a12 Mon Sep 17 00:00:00 2001 +From: Anders Roxell +Date: Thu, 10 Jan 2019 12:15:35 +0100 +Subject: dmaengine: imx-dma: fix warning comparison of distinct pointer types +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 9227ab5643cb8350449502dd9e3168a873ab0e3b ] + +The warning got introduced by commit 930507c18304 ("arm64: add basic +Kconfig symbols for i.MX8"). Since it got enabled for arm64. The warning +haven't been seen before since size_t was 'unsigned int' when built on +arm32. + +../drivers/dma/imx-dma.c: In function ‘imxdma_sg_next’: +../include/linux/kernel.h:846:29: warning: comparison of distinct pointer types lacks a cast + (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1))) + ^~ +../include/linux/kernel.h:860:4: note: in expansion of macro ‘__typecheck’ + (__typecheck(x, y) && __no_side_effects(x, y)) + ^~~~~~~~~~~ +../include/linux/kernel.h:870:24: note: in expansion of macro ‘__safe_cmp’ + __builtin_choose_expr(__safe_cmp(x, y), \ + ^~~~~~~~~~ +../include/linux/kernel.h:879:19: note: in expansion of macro ‘__careful_cmp’ + #define min(x, y) __careful_cmp(x, y, <) + ^~~~~~~~~~~~~ +../drivers/dma/imx-dma.c:288:8: note: in expansion of macro ‘min’ + now = min(d->len, sg_dma_len(sg)); + ^~~ + +Rework so that we use min_t and pass in the size_t that returns the +minimum of two values, using the specified type. + +Signed-off-by: Anders Roxell +Acked-by: Olof Johansson +Reviewed-by: Fabio Estevam +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/imx-dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/imx-dma.c b/drivers/dma/imx-dma.c +index cb37730f9272..6eb1f05f7c3c 100644 +--- a/drivers/dma/imx-dma.c ++++ b/drivers/dma/imx-dma.c +@@ -290,7 +290,7 @@ static inline int imxdma_sg_next(struct imxdma_desc *d) + struct scatterlist *sg = d->sg; + unsigned long now; + +- now = min(d->len, sg_dma_len(sg)); ++ now = min_t(size_t, d->len, sg_dma_len(sg)); + if (d->len != IMX_DMA_LENGTH_LOOP) + d->len -= now; + +-- +2.19.1 + diff --git a/queue-4.14/dmaengine-qcom_hidma-assign-channel-cookie-correctly.patch b/queue-4.14/dmaengine-qcom_hidma-assign-channel-cookie-correctly.patch new file mode 100644 index 00000000000..433dfb97a86 --- /dev/null +++ b/queue-4.14/dmaengine-qcom_hidma-assign-channel-cookie-correctly.patch @@ -0,0 +1,86 @@ +From d364dd955fcf14a5adcda6362beb68973f9868dd Mon Sep 17 00:00:00 2001 +From: Shunyong Yang +Date: Mon, 7 Jan 2019 09:34:02 +0800 +Subject: dmaengine: qcom_hidma: assign channel cookie correctly + +[ Upstream commit 546c0547555efca8ba8c120716c325435e29df1b ] + +When dma_cookie_complete() is called in hidma_process_completed(), +dma_cookie_status() will return DMA_COMPLETE in hidma_tx_status(). Then, +hidma_txn_is_success() will be called to use channel cookie +mchan->last_success to do additional DMA status check. Current code +assigns mchan->last_success after dma_cookie_complete(). This causes +a race condition of dma_cookie_status() returns DMA_COMPLETE before +mchan->last_success is assigned correctly. The race will cause +hidma_tx_status() return DMA_ERROR but the transaction is actually a +success. Moreover, in async_tx case, it will cause a timeout panic +in async_tx_quiesce(). + + Kernel panic - not syncing: async_tx_quiesce: DMA error waiting for + transaction + ... + Call trace: + [] dump_backtrace+0x0/0x1f4 + [] show_stack+0x24/0x2c + [] dump_stack+0x84/0xa8 + [] panic+0x12c/0x29c + [] async_tx_quiesce+0xa4/0xc8 [async_tx] + [] async_trigger_callback+0x70/0x1c0 [async_tx] + [] raid_run_ops+0x86c/0x1540 [raid456] + [] handle_stripe+0x5e8/0x1c7c [raid456] + [] handle_active_stripes.isra.45+0x2d4/0x550 [raid456] + [] raid5d+0x38c/0x5d0 [raid456] + [] md_thread+0x108/0x168 + [] kthread+0x10c/0x138 + [] ret_from_fork+0x10/0x18 + +Cc: Joey Zheng +Reviewed-by: Sinan Kaya +Signed-off-by: Shunyong Yang +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/qcom/hidma.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/dma/qcom/hidma.c b/drivers/dma/qcom/hidma.c +index e3669850aef4..177d7a24dd39 100644 +--- a/drivers/dma/qcom/hidma.c ++++ b/drivers/dma/qcom/hidma.c +@@ -133,24 +133,25 @@ static void hidma_process_completed(struct hidma_chan *mchan) + desc = &mdesc->desc; + last_cookie = desc->cookie; + ++ llstat = hidma_ll_status(mdma->lldev, mdesc->tre_ch); ++ + spin_lock_irqsave(&mchan->lock, irqflags); ++ if (llstat == DMA_COMPLETE) { ++ mchan->last_success = last_cookie; ++ result.result = DMA_TRANS_NOERROR; ++ } else { ++ result.result = DMA_TRANS_ABORTED; ++ } ++ + dma_cookie_complete(desc); + spin_unlock_irqrestore(&mchan->lock, irqflags); + +- llstat = hidma_ll_status(mdma->lldev, mdesc->tre_ch); + dmaengine_desc_get_callback(desc, &cb); + + dma_run_dependencies(desc); + + spin_lock_irqsave(&mchan->lock, irqflags); + list_move(&mdesc->node, &mchan->free); +- +- if (llstat == DMA_COMPLETE) { +- mchan->last_success = last_cookie; +- result.result = DMA_TRANS_NOERROR; +- } else +- result.result = DMA_TRANS_ABORTED; +- + spin_unlock_irqrestore(&mchan->lock, irqflags); + + dmaengine_desc_callback_invoke(&cb, &result); +-- +2.19.1 + diff --git a/queue-4.14/dmaengine-qcom_hidma-initialize-tx-flags-in-hidma_pr.patch b/queue-4.14/dmaengine-qcom_hidma-initialize-tx-flags-in-hidma_pr.patch new file mode 100644 index 00000000000..41606ac45db --- /dev/null +++ b/queue-4.14/dmaengine-qcom_hidma-initialize-tx-flags-in-hidma_pr.patch @@ -0,0 +1,55 @@ +From 570f1da4bca19a1b425b512a884722184268048b Mon Sep 17 00:00:00 2001 +From: Shunyong Yang +Date: Mon, 7 Jan 2019 09:32:14 +0800 +Subject: dmaengine: qcom_hidma: initialize tx flags in hidma_prep_dma_* + +[ Upstream commit 875aac8a46424e5b73a9ff7f40b83311b609e407 ] + +In async_tx_test_ack(), it uses flags in struct dma_async_tx_descriptor +to check the ACK status. As hidma reuses the descriptor in a free list +when hidma_prep_dma_*(memcpy/memset) is called, the flag will keep ACKed +if the descriptor has been used before. This will cause a BUG_ON in +async_tx_quiesce(). + + kernel BUG at crypto/async_tx/async_tx.c:282! + Internal error: Oops - BUG: 0 1 SMP + ... + task: ffff8017dd3ec000 task.stack: ffff8017dd3e8000 + PC is at async_tx_quiesce+0x54/0x78 [async_tx] + LR is at async_trigger_callback+0x98/0x110 [async_tx] + +This patch initializes flags in dma_async_tx_descriptor by the flags +passed from the caller when hidma_prep_dma_*(memcpy/memset) is called. + +Cc: Joey Zheng +Reviewed-by: Sinan Kaya +Signed-off-by: Shunyong Yang +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/qcom/hidma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/dma/qcom/hidma.c b/drivers/dma/qcom/hidma.c +index 177d7a24dd39..dd15a829e792 100644 +--- a/drivers/dma/qcom/hidma.c ++++ b/drivers/dma/qcom/hidma.c +@@ -411,6 +411,7 @@ hidma_prep_dma_memcpy(struct dma_chan *dmach, dma_addr_t dest, dma_addr_t src, + if (!mdesc) + return NULL; + ++ mdesc->desc.flags = flags; + hidma_ll_set_transfer_params(mdma->lldev, mdesc->tre_ch, + src, dest, len, flags, + HIDMA_TRE_MEMCPY); +@@ -443,6 +444,7 @@ hidma_prep_dma_memset(struct dma_chan *dmach, dma_addr_t dest, int value, + if (!mdesc) + return NULL; + ++ mdesc->desc.flags = flags; + hidma_ll_set_transfer_params(mdma->lldev, mdesc->tre_ch, + value, dest, len, flags, + HIDMA_TRE_MEMSET); +-- +2.19.1 + diff --git a/queue-4.14/dmaengine-tegra-avoid-overflow-of-byte-tracking.patch b/queue-4.14/dmaengine-tegra-avoid-overflow-of-byte-tracking.patch new file mode 100644 index 00000000000..4386dfb3f39 --- /dev/null +++ b/queue-4.14/dmaengine-tegra-avoid-overflow-of-byte-tracking.patch @@ -0,0 +1,55 @@ +From fdec0ac5e8f3bf2a5ccb0cca2e4326eacb70ee02 Mon Sep 17 00:00:00 2001 +From: Ben Dooks +Date: Wed, 21 Nov 2018 16:13:19 +0000 +Subject: dmaengine: tegra: avoid overflow of byte tracking + +[ Upstream commit e486df39305864604b7e25f2a95d51039517ac57 ] + +The dma_desc->bytes_transferred counter tracks the number of bytes +moved by the DMA channel. This is then used to calculate the information +passed back in the in the tegra_dma_tx_status callback, which is usually +fine. + +When the DMA channel is configured as continous, then the bytes_transferred +counter will increase over time and eventually overflow to become negative +so the residue count will become invalid and the ALSA sound-dma code will +report invalid hardware pointer values to the application. This results in +some users becoming confused about the playout position and putting audio +data in the wrong place. + +To fix this issue, always ensure the bytes_transferred field is modulo the +size of the request. We only do this for the case of the cyclic transfer +done ISR as anyone attempting to move 2GiB of DMA data in one transfer +is unlikely. + +Note, we don't fix the issue that we should /never/ transfer a negative +number of bytes so we could make those fields unsigned. + +Reviewed-by: Dmitry Osipenko +Signed-off-by: Ben Dooks +Acked-by: Jon Hunter +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/tegra20-apb-dma.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/tegra20-apb-dma.c b/drivers/dma/tegra20-apb-dma.c +index b9d75a54c896..7db2766b5fe9 100644 +--- a/drivers/dma/tegra20-apb-dma.c ++++ b/drivers/dma/tegra20-apb-dma.c +@@ -635,7 +635,10 @@ static void handle_cont_sngl_cycle_dma_done(struct tegra_dma_channel *tdc, + + sgreq = list_first_entry(&tdc->pending_sg_req, typeof(*sgreq), node); + dma_desc = sgreq->dma_desc; +- dma_desc->bytes_transferred += sgreq->req_len; ++ /* if we dma for long enough the transfer count will wrap */ ++ dma_desc->bytes_transferred = ++ (dma_desc->bytes_transferred + sgreq->req_len) % ++ dma_desc->bytes_requested; + + /* Callback need to be call */ + if (!dma_desc->cb_count) +-- +2.19.1 + diff --git a/queue-4.14/drm-auto-set-allow_fb_modifiers-when-given-modifiers.patch b/queue-4.14/drm-auto-set-allow_fb_modifiers-when-given-modifiers.patch new file mode 100644 index 00000000000..90accfe06d7 --- /dev/null +++ b/queue-4.14/drm-auto-set-allow_fb_modifiers-when-given-modifiers.patch @@ -0,0 +1,46 @@ +From b85154ab4be7c2eda3117ffafc1393e5ed0db820 Mon Sep 17 00:00:00 2001 +From: Paul Kocialkowski +Date: Fri, 4 Jan 2019 09:56:10 +0100 +Subject: drm: Auto-set allow_fb_modifiers when given modifiers at plane init + +[ Upstream commit 890880ddfdbe256083170866e49c87618b706ac7 ] + +When drivers pass non-empty lists of modifiers for initializing their +planes, we can infer that they allow framebuffer modifiers and set the +driver's allow_fb_modifiers mode config element. + +In case the allow_fb_modifiers element was not set (some drivers tend +to set them after registering planes), the modifiers will still be +registered but won't be available to userspace unless the flag is set +later. However in that case, the IN_FORMATS blob won't be created. + +In order to avoid this case and generally reduce the trouble associated +with the flag, always set allow_fb_modifiers when a non-empty list of +format modifiers is passed at plane init. + +Reviewed-by: Daniel Vetter +Signed-off-by: Paul Kocialkowski +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20190104085610.5829-1-paul.kocialkowski@bootlin.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_plane.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/drm_plane.c b/drivers/gpu/drm/drm_plane.c +index 7a00351d5b5d..71186bf90760 100644 +--- a/drivers/gpu/drm/drm_plane.c ++++ b/drivers/gpu/drm/drm_plane.c +@@ -203,6 +203,9 @@ int drm_universal_plane_init(struct drm_device *dev, struct drm_plane *plane, + format_modifier_count++; + } + ++ if (format_modifier_count) ++ config->allow_fb_modifiers = true; ++ + plane->modifier_count = format_modifier_count; + plane->modifiers = kmalloc_array(format_modifier_count, + sizeof(format_modifiers[0]), +-- +2.19.1 + diff --git a/queue-4.14/drm-dp-mst-configure-no_stop_bit-correctly-for-remot.patch b/queue-4.14/drm-dp-mst-configure-no_stop_bit-correctly-for-remot.patch new file mode 100644 index 00000000000..910e2ca71a4 --- /dev/null +++ b/queue-4.14/drm-dp-mst-configure-no_stop_bit-correctly-for-remot.patch @@ -0,0 +1,48 @@ +From ccce3187be850a2d563aadade41ac1c5d9b6f578 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Fri, 28 Sep 2018 21:03:59 +0300 +Subject: drm/dp/mst: Configure no_stop_bit correctly for remote i2c xfers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit c978ae9bde582e82a04c63a4071701691dd8b35c ] + +We aren't supposed to force a stop+start between every i2c msg +when performing multi message transfers. This should eg. cause +the DDC segment address to be reset back to 0 between writing +the segment address and reading the actual EDID extension block. + +To quote the E-DDC spec: +"... this standard requires that the segment pointer be + reset to 00h when a NO ACK or a STOP condition is received." + +Since we're going to touch this might as well consult the +I2C_M_STOP flag to determine whether we want to force the stop +or not. + +Cc: Brian Vincent +References: https://bugs.freedesktop.org/show_bug.cgi?id=108081 +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20180928180403.22499-1-ville.syrjala@linux.intel.com +Reviewed-by: Dhinakaran Pandiyan +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_dp_mst_topology.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c +index 2a4cf6837324..bb9a9852ec22 100644 +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -3199,6 +3199,7 @@ static int drm_dp_mst_i2c_xfer(struct i2c_adapter *adapter, struct i2c_msg *msgs + msg.u.i2c_read.transactions[i].i2c_dev_id = msgs[i].addr; + msg.u.i2c_read.transactions[i].num_bytes = msgs[i].len; + msg.u.i2c_read.transactions[i].bytes = msgs[i].buf; ++ msg.u.i2c_read.transactions[i].no_stop_bit = !(msgs[i].flags & I2C_M_STOP); + } + msg.u.i2c_read.read_i2c_device_id = msgs[num - 1].addr; + msg.u.i2c_read.num_bytes_read = msgs[num - 1].len; +-- +2.19.1 + diff --git a/queue-4.14/drm-nouveau-stop-using-drm_crtc_force_disable.patch b/queue-4.14/drm-nouveau-stop-using-drm_crtc_force_disable.patch new file mode 100644 index 00000000000..ea17989932d --- /dev/null +++ b/queue-4.14/drm-nouveau-stop-using-drm_crtc_force_disable.patch @@ -0,0 +1,48 @@ +From 21fe7f4c411842d45dff838571652a770a1f2e0e Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Mon, 17 Dec 2018 20:42:58 +0100 +Subject: drm/nouveau: Stop using drm_crtc_force_disable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 934c5b32a5e43d8de2ab4f1566f91d7c3bf8cb64 ] + +The correct way for legacy drivers to update properties that need to +do a full modeset, is to do a full modeset. + +Note that we don't need to call the drm_mode_config_internal helper +because we're not changing any of the refcounted paramters. + +v2: Fixup error handling (Ville). Since the old code didn't bother +I decided to just delete it instead of adding even more code for just +error handling. + +Cc: Ville Syrjälä +Reviewed-by: Alex Deucher (v1) +Cc: Sean Paul +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20181217194303.14397-2-daniel.vetter@ffwll.ch +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/dispnv04/tvnv17.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c +index 6d99f11fee4e..4bc8e9fe3095 100644 +--- a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c ++++ b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c +@@ -750,7 +750,9 @@ static int nv17_tv_set_property(struct drm_encoder *encoder, + /* Disable the crtc to ensure a full modeset is + * performed whenever it's turned on again. */ + if (crtc) +- drm_crtc_force_disable(crtc); ++ drm_crtc_helper_set_mode(crtc, &crtc->mode, ++ crtc->x, crtc->y, ++ crtc->primary->fb); + } + + return 0; +-- +2.19.1 + diff --git a/queue-4.14/e1000e-fix-cyclic-resets-at-link-up-with-active-tx.patch b/queue-4.14/e1000e-fix-cyclic-resets-at-link-up-with-active-tx.patch new file mode 100644 index 00000000000..c93d21e11bf --- /dev/null +++ b/queue-4.14/e1000e-fix-cyclic-resets-at-link-up-with-active-tx.patch @@ -0,0 +1,91 @@ +From 9546d1ed3947145dc50a32b8e2e7874018e06527 Mon Sep 17 00:00:00 2001 +From: Konstantin Khlebnikov +Date: Mon, 14 Jan 2019 16:29:30 +0300 +Subject: e1000e: fix cyclic resets at link up with active tx + +[ Upstream commit 0f9e980bf5ee1a97e2e401c846b2af989eb21c61 ] + +I'm seeing series of e1000e resets (sometimes endless) at system boot +if something generates tx traffic at this time. In my case this is +netconsole who sends message "e1000e 0000:02:00.0: Some CPU C-states +have been disabled in order to enable jumbo frames" from e1000e itself. +As result e1000_watchdog_task sees used tx buffer while carrier is off +and start this reset cycle again. + +[ 17.794359] e1000e: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None +[ 17.794714] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready +[ 22.936455] e1000e 0000:02:00.0 eth1: changing MTU from 1500 to 9000 +[ 23.033336] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 26.102364] e1000e: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None +[ 27.174495] 8021q: 802.1Q VLAN Support v1.8 +[ 27.174513] 8021q: adding VLAN 0 to HW filter on device eth1 +[ 30.671724] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation +[ 30.898564] netpoll: netconsole: local port 6666 +[ 30.898566] netpoll: netconsole: local IPv6 address 2a02:6b8:0:80b:beae:c5ff:fe28:23f8 +[ 30.898567] netpoll: netconsole: interface 'eth1' +[ 30.898568] netpoll: netconsole: remote port 6666 +[ 30.898568] netpoll: netconsole: remote IPv6 address 2a02:6b8:b000:605c:e61d:2dff:fe03:3790 +[ 30.898569] netpoll: netconsole: remote ethernet address b0:a8:6e:f4:ff:c0 +[ 30.917747] console [netcon0] enabled +[ 30.917749] netconsole: network logging started +[ 31.453353] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 34.185730] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 34.321840] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 34.465822] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 34.597423] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 34.745417] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 34.877356] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 35.005441] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 35.157376] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 35.289362] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 35.417441] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 37.790342] e1000e: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None + +This patch flushes tx buffers only once when carrier is off +rather than at each watchdog iteration. + +Signed-off-by: Konstantin Khlebnikov +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index 5c364321d3c6..3c214a47c1c4 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -5306,8 +5306,13 @@ static void e1000_watchdog_task(struct work_struct *work) + /* 8000ES2LAN requires a Rx packet buffer work-around + * on link down event; reset the controller to flush + * the Rx packet buffer. ++ * ++ * If the link is lost the controller stops DMA, but ++ * if there is queued Tx work it cannot be done. So ++ * reset the controller to flush the Tx packet buffers. + */ +- if (adapter->flags & FLAG_RX_NEEDS_RESTART) ++ if ((adapter->flags & FLAG_RX_NEEDS_RESTART) || ++ e1000_desc_unused(tx_ring) + 1 < tx_ring->count) + adapter->flags |= FLAG_RESTART_NOW; + else + pm_schedule_suspend(netdev->dev.parent, +@@ -5330,14 +5335,6 @@ link_up: + adapter->gotc_old = adapter->stats.gotc; + spin_unlock(&adapter->stats64_lock); + +- /* If the link is lost the controller stops DMA, but +- * if there is queued Tx work it cannot be done. So +- * reset the controller to flush the Tx packet buffers. +- */ +- if (!netif_carrier_ok(netdev) && +- (e1000_desc_unused(tx_ring) + 1 < tx_ring->count)) +- adapter->flags |= FLAG_RESTART_NOW; +- + /* If reset is necessary, do it outside of interrupt context. */ + if (adapter->flags & FLAG_RESTART_NOW) { + schedule_work(&adapter->reset_task); +-- +2.19.1 + diff --git a/queue-4.14/e1000e-fix-wformat-truncation-warnings.patch b/queue-4.14/e1000e-fix-wformat-truncation-warnings.patch new file mode 100644 index 00000000000..7718db1d826 --- /dev/null +++ b/queue-4.14/e1000e-fix-wformat-truncation-warnings.patch @@ -0,0 +1,72 @@ +From 1be2574251c4e20cabf7ff0a62a70ee1b6f5e0c4 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Thu, 21 Feb 2019 20:09:28 -0800 +Subject: e1000e: Fix -Wformat-truncation warnings + +[ Upstream commit 135e7245479addc6b1f5d031e3d7e2ddb3d2b109 ] + +Provide precision hints to snprintf() since we know the destination +buffer size of the RX/TX ring names are IFNAMSIZ + 5 - 1. This fixes the +following warnings: + +drivers/net/ethernet/intel/e1000e/netdev.c: In function +'e1000_request_msix': +drivers/net/ethernet/intel/e1000e/netdev.c:2109:13: warning: 'snprintf' +output may be truncated before the last format character +[-Wformat-truncation=] + "%s-rx-0", netdev->name); + ^ +drivers/net/ethernet/intel/e1000e/netdev.c:2107:3: note: 'snprintf' +output between 6 and 21 bytes into a destination of size 20 + snprintf(adapter->rx_ring->name, + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + sizeof(adapter->rx_ring->name) - 1, + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + "%s-rx-0", netdev->name); + ~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/net/ethernet/intel/e1000e/netdev.c:2125:13: warning: 'snprintf' +output may be truncated before the last format character +[-Wformat-truncation=] + "%s-tx-0", netdev->name); + ^ +drivers/net/ethernet/intel/e1000e/netdev.c:2123:3: note: 'snprintf' +output between 6 and 21 bytes into a destination of size 20 + snprintf(adapter->tx_ring->name, + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + sizeof(adapter->tx_ring->name) - 1, + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + "%s-tx-0", netdev->name); + ~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index a25dc581a903..5c364321d3c6 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -2120,7 +2120,7 @@ static int e1000_request_msix(struct e1000_adapter *adapter) + if (strlen(netdev->name) < (IFNAMSIZ - 5)) + snprintf(adapter->rx_ring->name, + sizeof(adapter->rx_ring->name) - 1, +- "%s-rx-0", netdev->name); ++ "%.14s-rx-0", netdev->name); + else + memcpy(adapter->rx_ring->name, netdev->name, IFNAMSIZ); + err = request_irq(adapter->msix_entries[vector].vector, +@@ -2136,7 +2136,7 @@ static int e1000_request_msix(struct e1000_adapter *adapter) + if (strlen(netdev->name) < (IFNAMSIZ - 5)) + snprintf(adapter->tx_ring->name, + sizeof(adapter->tx_ring->name) - 1, +- "%s-tx-0", netdev->name); ++ "%.14s-tx-0", netdev->name); + else + memcpy(adapter->tx_ring->name, netdev->name, IFNAMSIZ); + err = request_irq(adapter->msix_entries[vector].vector, +-- +2.19.1 + diff --git a/queue-4.14/efi-arm-arm64-allow-setvirtualaddressmap-to-be-omitt.patch b/queue-4.14/efi-arm-arm64-allow-setvirtualaddressmap-to-be-omitt.patch new file mode 100644 index 00000000000..2d6233d615a --- /dev/null +++ b/queue-4.14/efi-arm-arm64-allow-setvirtualaddressmap-to-be-omitt.patch @@ -0,0 +1,153 @@ +From 41ea27e60da9276c229954ddcda8a11ab11a518d Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Sat, 2 Feb 2019 10:41:16 +0100 +Subject: efi/arm/arm64: Allow SetVirtualAddressMap() to be omitted + +[ Upstream commit 4e46c2a956215482418d7b315749fb1b6c6bc224 ] + +The UEFI spec revision 2.7 errata A section 8.4 has the following to +say about the virtual memory runtime services: + + "This section contains function definitions for the virtual memory + support that may be optionally used by an operating system at runtime. + If an operating system chooses to make EFI runtime service calls in a + virtual addressing mode instead of the flat physical mode, then the + operating system must use the services in this section to switch the + EFI runtime services from flat physical addressing to virtual + addressing." + +So it is pretty clear that calling SetVirtualAddressMap() is entirely +optional, and so there is no point in doing so unless it achieves +anything useful for us. + +This is not the case for 64-bit ARM. The identity mapping used by the +firmware is arbitrarily converted into another permutation of userland +addresses (i.e., bits [63:48] cleared), and the runtime code could easily +deal with the original layout in exactly the same way as it deals with +the converted layout. However, due to constraints related to page size +differences if the OS is not running with 4k pages, and related to +systems that may expose the individual sections of PE/COFF runtime +modules as different memory regions, creating the virtual layout is a +bit fiddly, and requires us to sort the memory map and reason about +adjacent regions with identical memory types etc etc. + +So the obvious fix is to stop calling SetVirtualAddressMap() altogether +on arm64 systems. However, to avoid surprises, which are notoriously +hard to diagnose when it comes to OS<->firmware interactions, let's +start by making it an opt-out feature, and implement support for the +'efi=novamap' kernel command line parameter on ARM and arm64 systems. + +( Note that 32-bit ARM generally does require SetVirtualAddressMap() to be + used, given that the physical memory map and the kernel virtual address + map are not guaranteed to be non-overlapping like on arm64. However, + having support for efi=novamap,noruntime on 32-bit ARM, combined with + the recently proposed support for earlycon=efifb, is likely to be useful + to diagnose boot issues on such systems if they have no accessible serial + port. ) + +Tested-by: Jeffrey Hugo +Tested-by: Bjorn Andersson +Tested-by: Lee Jones +Signed-off-by: Ard Biesheuvel +Cc: AKASHI Takahiro +Cc: Alexander Graf +Cc: Borislav Petkov +Cc: Heinrich Schuchardt +Cc: Leif Lindholm +Cc: Linus Torvalds +Cc: Matt Fleming +Cc: Peter Jones +Cc: Peter Zijlstra +Cc: Sai Praneeth Prakhya +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Link: http://lkml.kernel.org/r/20190202094119.13230-8-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/arm-stub.c | 5 +++++ + drivers/firmware/efi/libstub/efi-stub-helper.c | 10 ++++++++++ + drivers/firmware/efi/libstub/efistub.h | 1 + + drivers/firmware/efi/libstub/fdt.c | 3 +++ + 4 files changed, 19 insertions(+) + +diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c +index 01a9d78ee415..3b1e1dc3fb46 100644 +--- a/drivers/firmware/efi/libstub/arm-stub.c ++++ b/drivers/firmware/efi/libstub/arm-stub.c +@@ -364,6 +364,11 @@ void efi_get_virtmap(efi_memory_desc_t *memory_map, unsigned long map_size, + paddr = in->phys_addr; + size = in->num_pages * EFI_PAGE_SIZE; + ++ if (novamap()) { ++ in->virt_addr = in->phys_addr; ++ continue; ++ } ++ + /* + * Make the mapping compatible with 64k pages: this allows + * a 4k page size kernel to kexec a 64k page size kernel and +diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c +index 50a9cab5a834..39f87e6dac5c 100644 +--- a/drivers/firmware/efi/libstub/efi-stub-helper.c ++++ b/drivers/firmware/efi/libstub/efi-stub-helper.c +@@ -34,6 +34,7 @@ static unsigned long __chunk_size = EFI_READ_CHUNK_SIZE; + + static int __section(.data) __nokaslr; + static int __section(.data) __quiet; ++static int __section(.data) __novamap; + + int __pure nokaslr(void) + { +@@ -43,6 +44,10 @@ int __pure is_quiet(void) + { + return __quiet; + } ++int __pure novamap(void) ++{ ++ return __novamap; ++} + + #define EFI_MMAP_NR_SLACK_SLOTS 8 + +@@ -454,6 +459,11 @@ efi_status_t efi_parse_options(char const *cmdline) + __chunk_size = -1UL; + } + ++ if (!strncmp(str, "novamap", 7)) { ++ str += strlen("novamap"); ++ __novamap = 1; ++ } ++ + /* Group words together, delimited by "," */ + while (*str && *str != ' ' && *str != ',') + str++; +diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h +index f59564b72ddc..2adde22b4a9f 100644 +--- a/drivers/firmware/efi/libstub/efistub.h ++++ b/drivers/firmware/efi/libstub/efistub.h +@@ -27,6 +27,7 @@ + + extern int __pure nokaslr(void); + extern int __pure is_quiet(void); ++extern int __pure novamap(void); + + #define pr_efi(sys_table, msg) do { \ + if (!is_quiet()) efi_printk(sys_table, "EFI stub: "msg); \ +diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c +index 0c0d2312f4a8..dba296a44f4e 100644 +--- a/drivers/firmware/efi/libstub/fdt.c ++++ b/drivers/firmware/efi/libstub/fdt.c +@@ -327,6 +327,9 @@ efi_status_t allocate_new_fdt_and_exit_boot(efi_system_table_t *sys_table, + if (status == EFI_SUCCESS) { + efi_set_virtual_address_map_t *svam; + ++ if (novamap()) ++ return EFI_SUCCESS; ++ + /* Install the new virtual address map */ + svam = sys_table->runtime->set_virtual_address_map; + status = svam(runtime_entry_count * desc_size, desc_size, +-- +2.19.1 + diff --git a/queue-4.14/efi-cper-fix-possible-out-of-bounds-access.patch b/queue-4.14/efi-cper-fix-possible-out-of-bounds-access.patch new file mode 100644 index 00000000000..0a29e1d8ea5 --- /dev/null +++ b/queue-4.14/efi-cper-fix-possible-out-of-bounds-access.patch @@ -0,0 +1,65 @@ +From 4762198f67971267219148d22af61719cd9110fe Mon Sep 17 00:00:00 2001 +From: Ross Lagerwall +Date: Mon, 28 Jan 2019 10:04:24 +0000 +Subject: efi: cper: Fix possible out-of-bounds access + +[ Upstream commit 45b14a4ffcc1e0b5caa246638f942cbe7eaea7ad ] + +When checking a generic status block, we iterate over all the generic +data blocks. The loop condition only checks that the start of the +generic data block is valid (within estatus->data_length) but not the +whole block. Because the size of data blocks (excluding error data) may +vary depending on the revision and the revision is contained within the +data block, ensure that enough of the current data block is valid before +dereferencing any members otherwise an out-of-bounds access may occur if +estatus->data_length is invalid. + +This relies on the fact that struct acpi_hest_generic_data_v300 is a +superset of the earlier version. Also rework the other checks to avoid +potential underflow. + +Signed-off-by: Ross Lagerwall +Acked-by: Borislav Petkov +Tested-by: Tyler Baicar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/cper.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c +index d2fcafcea07e..ce23d5402bd6 100644 +--- a/drivers/firmware/efi/cper.c ++++ b/drivers/firmware/efi/cper.c +@@ -641,19 +641,24 @@ EXPORT_SYMBOL_GPL(cper_estatus_check_header); + int cper_estatus_check(const struct acpi_hest_generic_status *estatus) + { + struct acpi_hest_generic_data *gdata; +- unsigned int data_len, gedata_len; ++ unsigned int data_len, record_size; + int rc; + + rc = cper_estatus_check_header(estatus); + if (rc) + return rc; ++ + data_len = estatus->data_length; + + apei_estatus_for_each_section(estatus, gdata) { +- gedata_len = acpi_hest_get_error_length(gdata); +- if (gedata_len > data_len - acpi_hest_get_size(gdata)) ++ if (sizeof(struct acpi_hest_generic_data) > data_len) ++ return -EINVAL; ++ ++ record_size = acpi_hest_get_record_size(gdata); ++ if (record_size > data_len) + return -EINVAL; +- data_len -= acpi_hest_get_record_size(gdata); ++ ++ data_len -= record_size; + } + if (data_len) + return -EINVAL; +-- +2.19.1 + diff --git a/queue-4.14/efi-memattr-don-t-bail-on-zero-va-if-it-equals-the-r.patch b/queue-4.14/efi-memattr-don-t-bail-on-zero-va-if-it-equals-the-r.patch new file mode 100644 index 00000000000..6d160dbb07d --- /dev/null +++ b/queue-4.14/efi-memattr-don-t-bail-on-zero-va-if-it-equals-the-r.patch @@ -0,0 +1,68 @@ +From cca8a0fb1d272e23db5dcead5958d9acac0e8472 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Sat, 2 Feb 2019 10:41:12 +0100 +Subject: efi/memattr: Don't bail on zero VA if it equals the region's PA + +[ Upstream commit 5de0fef0230f3c8d75cff450a71740a7bf2db866 ] + +The EFI memory attributes code cross-references the EFI memory map with +the more granular EFI memory attributes table to ensure that they are in +sync before applying the strict permissions to the regions it describes. + +Since we always install virtual mappings for the EFI runtime regions to +which these strict permissions apply, we currently perform a sanity check +on the EFI memory descriptor, and ensure that the EFI_MEMORY_RUNTIME bit +is set, and that the virtual address has been assigned. + +However, in cases where a runtime region exists at physical address 0x0, +and the virtual mapping equals the physical mapping, e.g., when running +in mixed mode on x86, we encounter a memory descriptor with the runtime +attribute and virtual address 0x0, and incorrectly draw the conclusion +that a runtime region exists for which no virtual mapping was installed, +and give up altogether. The consequence of this is that firmware mappings +retain their read-write-execute permissions, making the system more +vulnerable to attacks. + +So let's only bail if the virtual address of 0x0 has been assigned to a +physical region that does not reside at address 0x0. + +Signed-off-by: Ard Biesheuvel +Acked-by: Sai Praneeth Prakhya +Cc: AKASHI Takahiro +Cc: Alexander Graf +Cc: Bjorn Andersson +Cc: Borislav Petkov +Cc: Heinrich Schuchardt +Cc: Jeffrey Hugo +Cc: Lee Jones +Cc: Leif Lindholm +Cc: Linus Torvalds +Cc: Matt Fleming +Cc: Peter Jones +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Fixes: 10f0d2f577053 ("efi: Implement generic support for the Memory ...") +Link: http://lkml.kernel.org/r/20190202094119.13230-4-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/memattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/efi/memattr.c b/drivers/firmware/efi/memattr.c +index 8986757eafaf..aac972b056d9 100644 +--- a/drivers/firmware/efi/memattr.c ++++ b/drivers/firmware/efi/memattr.c +@@ -94,7 +94,7 @@ static bool entry_is_valid(const efi_memory_desc_t *in, efi_memory_desc_t *out) + + if (!(md->attribute & EFI_MEMORY_RUNTIME)) + continue; +- if (md->virt_addr == 0) { ++ if (md->virt_addr == 0 && md->phys_addr != 0) { + /* no virtual mapping has been installed by the stub */ + break; + } +-- +2.19.1 + diff --git a/queue-4.14/enic-fix-build-warning-without-config_cpumask_offsta.patch b/queue-4.14/enic-fix-build-warning-without-config_cpumask_offsta.patch new file mode 100644 index 00000000000..683bfad6ae5 --- /dev/null +++ b/queue-4.14/enic-fix-build-warning-without-config_cpumask_offsta.patch @@ -0,0 +1,64 @@ +From 9680b6eea68fdead145acb393227069fad9d0c09 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 7 Mar 2019 16:52:24 +0100 +Subject: enic: fix build warning without CONFIG_CPUMASK_OFFSTACK + +[ Upstream commit 43d281662fdb46750d49417559b71069f435298d ] + +The enic driver relies on the CONFIG_CPUMASK_OFFSTACK feature to +dynamically allocate a struct member, but this is normally intended for +local variables. + +Building with clang, I get a warning for a few locations that check the +address of the cpumask_var_t: + +drivers/net/ethernet/cisco/enic/enic_main.c:122:22: error: address of array 'enic->msix[i].affinity_mask' will always evaluate to 'true' [-Werror,-Wpointer-bool-conversion] + +As far as I can tell, the code is still correct, as the truth value of +the pointer is what we need in this configuration. To get rid of +the warning, use cpumask_available() instead of checking the +pointer directly. + +Fixes: 322cf7e3a4e8 ("enic: assign affinity hint to interrupts") +Signed-off-by: Arnd Bergmann +Reviewed-by: Nathan Chancellor +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cisco/enic/enic_main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c +index ced348e15a63..19f374b180fc 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -119,7 +119,7 @@ static void enic_init_affinity_hint(struct enic *enic) + + for (i = 0; i < enic->intr_count; i++) { + if (enic_is_err_intr(enic, i) || enic_is_notify_intr(enic, i) || +- (enic->msix[i].affinity_mask && ++ (cpumask_available(enic->msix[i].affinity_mask) && + !cpumask_empty(enic->msix[i].affinity_mask))) + continue; + if (zalloc_cpumask_var(&enic->msix[i].affinity_mask, +@@ -148,7 +148,7 @@ static void enic_set_affinity_hint(struct enic *enic) + for (i = 0; i < enic->intr_count; i++) { + if (enic_is_err_intr(enic, i) || + enic_is_notify_intr(enic, i) || +- !enic->msix[i].affinity_mask || ++ !cpumask_available(enic->msix[i].affinity_mask) || + cpumask_empty(enic->msix[i].affinity_mask)) + continue; + err = irq_set_affinity_hint(enic->msix_entry[i].vector, +@@ -161,7 +161,7 @@ static void enic_set_affinity_hint(struct enic *enic) + for (i = 0; i < enic->wq_count; i++) { + int wq_intr = enic_msix_wq_intr(enic, i); + +- if (enic->msix[wq_intr].affinity_mask && ++ if (cpumask_available(enic->msix[wq_intr].affinity_mask) && + !cpumask_empty(enic->msix[wq_intr].affinity_mask)) + netif_set_xps_queue(enic->netdev, + enic->msix[wq_intr].affinity_mask, +-- +2.19.1 + diff --git a/queue-4.14/f2fs-do-not-use-mutex-lock-in-atomic-context.patch b/queue-4.14/f2fs-do-not-use-mutex-lock-in-atomic-context.patch new file mode 100644 index 00000000000..8180e7d0ff3 --- /dev/null +++ b/queue-4.14/f2fs-do-not-use-mutex-lock-in-atomic-context.patch @@ -0,0 +1,62 @@ +From 1c23af219569799b7ceed0536ca605a5acd31c88 Mon Sep 17 00:00:00 2001 +From: Sahitya Tummala +Date: Mon, 4 Feb 2019 13:36:53 +0530 +Subject: f2fs: do not use mutex lock in atomic context + +[ Upstream commit 9083977dabf3833298ddcd40dee28687f1e6b483 ] + +Fix below warning coming because of using mutex lock in atomic context. + +BUG: sleeping function called from invalid context at kernel/locking/mutex.c:98 +in_atomic(): 1, irqs_disabled(): 0, pid: 585, name: sh +Preemption disabled at: __radix_tree_preload+0x28/0x130 +Call trace: + dump_backtrace+0x0/0x2b4 + show_stack+0x20/0x28 + dump_stack+0xa8/0xe0 + ___might_sleep+0x144/0x194 + __might_sleep+0x58/0x8c + mutex_lock+0x2c/0x48 + f2fs_trace_pid+0x88/0x14c + f2fs_set_node_page_dirty+0xd0/0x184 + +Do not use f2fs_radix_tree_insert() to avoid doing cond_resched() with +spin_lock() acquired. + +Signed-off-by: Sahitya Tummala +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/trace.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/trace.c b/fs/f2fs/trace.c +index bccbbf2616d2..8ac1851a21c0 100644 +--- a/fs/f2fs/trace.c ++++ b/fs/f2fs/trace.c +@@ -61,6 +61,7 @@ void f2fs_trace_pid(struct page *page) + + set_page_private(page, (unsigned long)pid); + ++retry: + if (radix_tree_preload(GFP_NOFS)) + return; + +@@ -71,7 +72,12 @@ void f2fs_trace_pid(struct page *page) + if (p) + radix_tree_delete(&pids, pid); + +- f2fs_radix_tree_insert(&pids, pid, current); ++ if (radix_tree_insert(&pids, pid, current)) { ++ spin_unlock(&pids_lock); ++ radix_tree_preload_end(); ++ cond_resched(); ++ goto retry; ++ } + + trace_printk("%3x:%3x %4x %-16s\n", + MAJOR(inode->i_sb->s_dev), MINOR(inode->i_sb->s_dev), +-- +2.19.1 + diff --git a/queue-4.14/f2fs-fix-to-avoid-deadlock-in-f2fs_read_inline_dir.patch b/queue-4.14/f2fs-fix-to-avoid-deadlock-in-f2fs_read_inline_dir.patch new file mode 100644 index 00000000000..3f0a5cf9191 --- /dev/null +++ b/queue-4.14/f2fs-fix-to-avoid-deadlock-in-f2fs_read_inline_dir.patch @@ -0,0 +1,121 @@ +From 7a97f0374d5f8245d9e3aeee7e6687a36948bb5a Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Tue, 12 Mar 2019 15:44:27 +0800 +Subject: f2fs: fix to avoid deadlock in f2fs_read_inline_dir() + +[ Upstream commit aadcef64b22f668c1a107b86d3521d9cac915c24 ] + +As Jiqun Li reported in bugzilla: + +https://bugzilla.kernel.org/show_bug.cgi?id=202883 + +sometimes, dead lock when make system call SYS_getdents64 with fsync() is +called by another process. + +monkey running on android9.0 + +1. task 9785 held sbi->cp_rwsem and waiting lock_page() +2. task 10349 held mm_sem and waiting sbi->cp_rwsem +3. task 9709 held lock_page() and waiting mm_sem + +so this is a dead lock scenario. + +task stack is show by crash tools as following + +crash_arm64> bt ffffffc03c354080 +PID: 9785 TASK: ffffffc03c354080 CPU: 1 COMMAND: "RxIoScheduler-3" +>> #7 [ffffffc01b50fac0] __lock_page at ffffff80081b11e8 + +crash-arm64> bt 10349 +PID: 10349 TASK: ffffffc018b83080 CPU: 1 COMMAND: "BUGLY_ASYNC_UPL" +>> #3 [ffffffc01f8cfa40] rwsem_down_read_failed at ffffff8008a93afc + PC: 00000033 LR: 00000000 SP: 00000000 PSTATE: ffffffffffffffff + +crash-arm64> bt 9709 +PID: 9709 TASK: ffffffc03e7f3080 CPU: 1 COMMAND: "IntentService[A" +>> #3 [ffffffc001e67850] rwsem_down_read_failed at ffffff8008a93afc +>> #8 [ffffffc001e67b80] el1_ia at ffffff8008084fc4 + PC: ffffff8008274114 [compat_filldir64+120] + LR: ffffff80083584d4 [f2fs_fill_dentries+448] + SP: ffffffc001e67b80 PSTATE: 80400145 + X29: ffffffc001e67b80 X28: 0000000000000000 X27: 000000000000001a + X26: 00000000000093d7 X25: ffffffc070d52480 X24: 0000000000000008 + X23: 0000000000000028 X22: 00000000d43dfd60 X21: ffffffc001e67e90 + X20: 0000000000000011 X19: ffffff80093a4000 X18: 0000000000000000 + X17: 0000000000000000 X16: 0000000000000000 X15: 0000000000000000 + X14: ffffffffffffffff X13: 0000000000000008 X12: 0101010101010101 + X11: 7f7f7f7f7f7f7f7f X10: 6a6a6a6a6a6a6a6a X9: 7f7f7f7f7f7f7f7f + X8: 0000000080808000 X7: ffffff800827409c X6: 0000000080808000 + X5: 0000000000000008 X4: 00000000000093d7 X3: 000000000000001a + X2: 0000000000000011 X1: ffffffc070d52480 X0: 0000000000800238 +>> #9 [ffffffc001e67be0] f2fs_fill_dentries at ffffff80083584d0 + PC: 0000003c LR: 00000000 SP: 00000000 PSTATE: 000000d9 + X12: f48a02ff X11: d4678960 X10: d43dfc00 X9: d4678ae4 + X8: 00000058 X7: d4678994 X6: d43de800 X5: 000000d9 + X4: d43dfc0c X3: d43dfc10 X2: d46799c8 X1: 00000000 + X0: 00001068 + +Below potential deadlock will happen between three threads: +Thread A Thread B Thread C +- f2fs_do_sync_file + - f2fs_write_checkpoint + - down_write(&sbi->node_change) -- 1) + - do_page_fault + - down_write(&mm->mmap_sem) -- 2) + - do_wp_page + - f2fs_vm_page_mkwrite + - getdents64 + - f2fs_read_inline_dir + - lock_page -- 3) + - f2fs_sync_node_pages + - lock_page -- 3) + - __do_map_lock + - down_read(&sbi->node_change) -- 1) + - f2fs_fill_dentries + - dir_emit + - compat_filldir64 + - do_page_fault + - down_read(&mm->mmap_sem) -- 2) + +Since f2fs_readdir is protected by inode.i_rwsem, there should not be +any updates in inode page, we're safe to lookup dents in inode page +without its lock held, so taking off the lock to improve concurrency +of readdir and avoid potential deadlock. + +Reported-by: Jiqun Li +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/inline.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c +index 888a9dc13677..506e365cf903 100644 +--- a/fs/f2fs/inline.c ++++ b/fs/f2fs/inline.c +@@ -656,6 +656,12 @@ int f2fs_read_inline_dir(struct file *file, struct dir_context *ctx, + if (IS_ERR(ipage)) + return PTR_ERR(ipage); + ++ /* ++ * f2fs_readdir was protected by inode.i_rwsem, it is safe to access ++ * ipage without page's lock held. ++ */ ++ unlock_page(ipage); ++ + inline_dentry = inline_data_addr(inode, ipage); + + make_dentry_ptr_inline(inode, &d, inline_dentry); +@@ -664,7 +670,7 @@ int f2fs_read_inline_dir(struct file *file, struct dir_context *ctx, + if (!err) + ctx->pos = d.max; + +- f2fs_put_page(ipage, 1); ++ f2fs_put_page(ipage, 0); + return err < 0 ? err : 0; + } + +-- +2.19.1 + diff --git a/queue-4.14/fbdev-fbmem-fix-memory-access-if-logo-is-bigger-than.patch b/queue-4.14/fbdev-fbmem-fix-memory-access-if-logo-is-bigger-than.patch new file mode 100644 index 00000000000..5399e02ba50 --- /dev/null +++ b/queue-4.14/fbdev-fbmem-fix-memory-access-if-logo-is-bigger-than.patch @@ -0,0 +1,52 @@ +From 1d48d7dc0b7def07dc307ab4ead7b059a8f5f680 Mon Sep 17 00:00:00 2001 +From: Manfred Schlaegl +Date: Fri, 8 Feb 2019 19:24:47 +0100 +Subject: fbdev: fbmem: fix memory access if logo is bigger than the screen + +[ Upstream commit a5399db139cb3ad9b8502d8b1bd02da9ce0b9df0 ] + +There is no clipping on the x or y axis for logos larger that the framebuffer +size. Therefore: a logo bigger than screen size leads to invalid memory access: + +[ 1.254664] Backtrace: +[ 1.254728] [] (cfb_imageblit) from [] (fb_show_logo+0x620/0x684) +[ 1.254763] r10:00000003 r9:00027fd8 r8:c6a40000 r7:c6a36e50 r6:00000000 r5:c06b81e4 +[ 1.254774] r4:c6a3e800 +[ 1.254810] [] (fb_show_logo) from [] (fbcon_switch+0x3fc/0x46c) +[ 1.254842] r10:c6a3e824 r9:c6a3e800 r8:00000000 r7:c6a0c000 r6:c070b014 r5:c6a3e800 +[ 1.254852] r4:c6808c00 +[ 1.254889] [] (fbcon_switch) from [] (redraw_screen+0xf0/0x1e8) +[ 1.254918] r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:c070d5a0 r5:00000080 +[ 1.254928] r4:c6808c00 +[ 1.254961] [] (redraw_screen) from [] (do_bind_con_driver+0x194/0x2e4) +[ 1.254991] r9:00000000 r8:00000000 r7:00000014 r6:c070d5a0 r5:c070d5a0 r4:c070d5a0 + +So prevent displaying a logo bigger than screen size and avoid invalid +memory access. + +Signed-off-by: Manfred Schlaegl +Signed-off-by: Martin Kepplinger +Cc: Daniel Vetter +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/fbmem.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c +index 302cce7185e3..83961a22bef1 100644 +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -427,6 +427,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image, + { + unsigned int x; + ++ if (image->width > info->var.xres || image->height > info->var.yres) ++ return; ++ + if (rotate == FB_ROTATE_UR) { + for (x = 0; + x < num && image->dx + image->width <= info->var.xres; +-- +2.19.1 + diff --git a/queue-4.14/fs-file.c-initialize-init_files.resize_wait.patch b/queue-4.14/fs-file.c-initialize-init_files.resize_wait.patch new file mode 100644 index 00000000000..bdf8ab942a6 --- /dev/null +++ b/queue-4.14/fs-file.c-initialize-init_files.resize_wait.patch @@ -0,0 +1,80 @@ +From b02c7a7cbc0e8eb47c6a2959d9200351c0c1a975 Mon Sep 17 00:00:00 2001 +From: Shuriyc Chu +Date: Tue, 5 Mar 2019 15:41:56 -0800 +Subject: fs/file.c: initialize init_files.resize_wait + +[ Upstream commit 5704a06810682683355624923547b41540e2801a ] + +(Taken from https://bugzilla.kernel.org/show_bug.cgi?id=200647) + +'get_unused_fd_flags' in kthread cause kernel crash. It works fine on +4.1, but causes crash after get 64 fds. It also cause crash on +ubuntu1404/1604/1804, centos7.5, and the crash messages are almost the +same. + +The crash message on centos7.5 shows below: + + start fd 61 + start fd 62 + start fd 63 + BUG: unable to handle kernel NULL pointer dereference at (null) + IP: __wake_up_common+0x2e/0x90 + PGD 0 + Oops: 0000 [#1] SMP + Modules linked in: test(OE) xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter devlink sunrpc kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd sg ppdev pcspkr virtio_balloon parport_pc parport i2c_piix4 joydev ip_tables xfs libcrc32c sr_mod cdrom sd_mod crc_t10dif crct10dif_generic ata_generic pata_acpi virtio_scsi virtio_console virtio_net cirrus drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crct10dif_pclmul crct10dif_common crc32c_intel drm ata_piix serio_raw libata virtio_pci virtio_ring i2c_core + virtio floppy dm_mirror dm_region_hash dm_log dm_mod + CPU: 2 PID: 1820 Comm: test_fd Kdump: loaded Tainted: G OE ------------ 3.10.0-862.3.3.el7.x86_64 #1 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014 + task: ffff8e92b9431fa0 ti: ffff8e94247a0000 task.ti: ffff8e94247a0000 + RIP: 0010:__wake_up_common+0x2e/0x90 + RSP: 0018:ffff8e94247a2d18 EFLAGS: 00010086 + RAX: 0000000000000000 RBX: ffffffff9d09daa0 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffffff9d09daa0 + RBP: ffff8e94247a2d50 R08: 0000000000000000 R09: ffff8e92b95dfda8 + R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff9d09daa8 + R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000003 + FS: 0000000000000000(0000) GS:ffff8e9434e80000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 000000017c686000 CR4: 00000000000207e0 + Call Trace: + __wake_up+0x39/0x50 + expand_files+0x131/0x250 + __alloc_fd+0x47/0x170 + get_unused_fd_flags+0x30/0x40 + test_fd+0x12a/0x1c0 [test] + kthread+0xd1/0xe0 + ret_from_fork_nospec_begin+0x21/0x21 + Code: 66 90 55 48 89 e5 41 57 41 89 f7 41 56 41 89 ce 41 55 41 54 49 89 fc 49 83 c4 08 53 48 83 ec 10 48 8b 47 08 89 55 cc 4c 89 45 d0 <48> 8b 08 49 39 c4 48 8d 78 e8 4c 8d 69 e8 75 08 eb 3b 4c 89 ef + RIP __wake_up_common+0x2e/0x90 + RSP + CR2: 0000000000000000 + +This issue exists since CentOS 7.5 3.10.0-862 and CentOS 7.4 +(3.10.0-693.21.1 ) is ok. Root cause: the item 'resize_wait' is not +initialized before being used. + +Reported-by: Richard Zhang +Reviewed-by: Andrew Morton +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/file.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/file.c b/fs/file.c +index 4eecbf4244a5..0c25b980affe 100644 +--- a/fs/file.c ++++ b/fs/file.c +@@ -462,6 +462,7 @@ struct files_struct init_files = { + .full_fds_bits = init_files.full_fds_bits_init, + }, + .file_lock = __SPIN_LOCK_UNLOCKED(init_files.file_lock), ++ .resize_wait = __WAIT_QUEUE_HEAD_INITIALIZER(init_files.resize_wait), + }; + + static unsigned int find_next_fd(struct fdtable *fdt, unsigned int start) +-- +2.19.1 + diff --git a/queue-4.14/fs-fix-guard_bio_eod-to-check-for-real-eod-errors.patch b/queue-4.14/fs-fix-guard_bio_eod-to-check-for-real-eod-errors.patch new file mode 100644 index 00000000000..5dbeca04769 --- /dev/null +++ b/queue-4.14/fs-fix-guard_bio_eod-to-check-for-real-eod-errors.patch @@ -0,0 +1,79 @@ +From 995746ac5343088f6dcf2e38fd031ee55be59391 Mon Sep 17 00:00:00 2001 +From: Carlos Maiolino +Date: Tue, 26 Feb 2019 11:51:50 +0100 +Subject: fs: fix guard_bio_eod to check for real EOD errors + +[ Upstream commit dce30ca9e3b676fb288c33c1f4725a0621361185 ] + +guard_bio_eod() can truncate a segment in bio to allow it to do IO on +odd last sectors of a device. + +It already checks if the IO starts past EOD, but it does not consider +the possibility of an IO request starting within device boundaries can +contain more than one segment past EOD. + +In such cases, truncated_bytes can be bigger than PAGE_SIZE, and will +underflow bvec->bv_len. + +Fix this by checking if truncated_bytes is lower than PAGE_SIZE. + +This situation has been found on filesystems such as isofs and vfat, +which doesn't check the device size before mount, if the device is +smaller than the filesystem itself, a readahead on such filesystem, +which spans EOD, can trigger this situation, leading a call to +zero_user() with a wrong size possibly corrupting memory. + +I didn't see any crash, or didn't let the system run long enough to +check if memory corruption will be hit somewhere, but adding +instrumentation to guard_bio_end() to check truncated_bytes size, was +enough to see the error. + +The following script can trigger the error. + +MNT=/mnt +IMG=./DISK.img +DEV=/dev/loop0 + +mkfs.vfat $IMG +mount $IMG $MNT +cp -R /etc $MNT &> /dev/null +umount $MNT + +losetup -D + +losetup --find --show --sizelimit 16247280 $IMG +mount $DEV $MNT + +find $MNT -type f -exec cat {} + >/dev/null + +Kudos to Eric Sandeen for coming up with the reproducer above + +Reviewed-by: Ming Lei +Signed-off-by: Carlos Maiolino +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/buffer.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/buffer.c b/fs/buffer.c +index 8086cc8ff0bc..bdca7b10e239 100644 +--- a/fs/buffer.c ++++ b/fs/buffer.c +@@ -3084,6 +3084,13 @@ void guard_bio_eod(int op, struct bio *bio) + /* Uhhuh. We've got a bio that straddles the device size! */ + truncated_bytes = bio->bi_iter.bi_size - (maxsector << 9); + ++ /* ++ * The bio contains more than one segment which spans EOD, just return ++ * and let IO layer turn it into an EIO ++ */ ++ if (truncated_bytes > bvec->bv_len) ++ return; ++ + /* Truncate the bio.. */ + bio->bi_iter.bi_size -= truncated_bytes; + bvec->bv_len -= truncated_bytes; +-- +2.19.1 + diff --git a/queue-4.14/fs-make-splice-and-tee-take-into-account-o_nonblock-.patch b/queue-4.14/fs-make-splice-and-tee-take-into-account-o_nonblock-.patch new file mode 100644 index 00000000000..01c52d1c39a --- /dev/null +++ b/queue-4.14/fs-make-splice-and-tee-take-into-account-o_nonblock-.patch @@ -0,0 +1,99 @@ +From 27644b87ea4c14f403d569be9cb41227018b6ac8 Mon Sep 17 00:00:00 2001 +From: Slavomir Kaslev +Date: Thu, 7 Feb 2019 17:45:19 +0200 +Subject: fs: Make splice() and tee() take into account O_NONBLOCK flag on + pipes + +[ Upstream commit ee5e001196d1345b8fee25925ff5f1d67936081e ] + +The current implementation of splice() and tee() ignores O_NONBLOCK set +on pipe file descriptors and checks only the SPLICE_F_NONBLOCK flag for +blocking on pipe arguments. This is inconsistent since splice()-ing +from/to non-pipe file descriptors does take O_NONBLOCK into +consideration. + +Fix this by promoting O_NONBLOCK, when set on a pipe, to +SPLICE_F_NONBLOCK. + +Some context for how the current implementation of splice() leads to +inconsistent behavior. In the ongoing work[1] to add VM tracing +capability to trace-cmd we stream tracing data over named FIFOs or +vsockets from guests back to the host. + +When we receive SIGINT from user to stop tracing, we set O_NONBLOCK on +the input file descriptor and set SPLICE_F_NONBLOCK for the next call to +splice(). If splice() was blocked waiting on data from the input FIFO, +after SIGINT splice() restarts with the same arguments (no +SPLICE_F_NONBLOCK) and blocks again instead of returning -EAGAIN when no +data is available. + +This differs from the splice() behavior when reading from a vsocket or +when we're doing a traditional read()/write() loop (trace-cmd's +--nosplice argument). + +With this patch applied we get the same behavior in all situations after +setting O_NONBLOCK which also matches the behavior of doing a +read()/write() loop instead of splice(). + +This change does have potential of breaking users who don't expect +EAGAIN from splice() when SPLICE_F_NONBLOCK is not set. OTOH programs +that set O_NONBLOCK and don't anticipate EAGAIN are arguably buggy[2]. + + [1] https://github.com/skaslev/trace-cmd/tree/vsock + [2] https://github.com/torvalds/linux/blob/d47e3da1759230e394096fd742aad423c291ba48/fs/read_write.c#L1425 + +Signed-off-by: Slavomir Kaslev +Reviewed-by: Steven Rostedt (VMware) +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/splice.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/fs/splice.c b/fs/splice.c +index 00d2f142dcf9..3ff3e7fb3b5a 100644 +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -1118,6 +1118,9 @@ static long do_splice(struct file *in, loff_t __user *off_in, + if (ipipe == opipe) + return -EINVAL; + ++ if ((in->f_flags | out->f_flags) & O_NONBLOCK) ++ flags |= SPLICE_F_NONBLOCK; ++ + return splice_pipe_to_pipe(ipipe, opipe, len, flags); + } + +@@ -1143,6 +1146,9 @@ static long do_splice(struct file *in, loff_t __user *off_in, + if (unlikely(ret < 0)) + return ret; + ++ if (in->f_flags & O_NONBLOCK) ++ flags |= SPLICE_F_NONBLOCK; ++ + file_start_write(out); + ret = do_splice_from(ipipe, out, &offset, len, flags); + file_end_write(out); +@@ -1167,6 +1173,9 @@ static long do_splice(struct file *in, loff_t __user *off_in, + offset = in->f_pos; + } + ++ if (out->f_flags & O_NONBLOCK) ++ flags |= SPLICE_F_NONBLOCK; ++ + pipe_lock(opipe); + ret = wait_for_space(opipe, flags); + if (!ret) +@@ -1704,6 +1713,9 @@ static long do_tee(struct file *in, struct file *out, size_t len, + * copying the data. + */ + if (ipipe && opipe && ipipe != opipe) { ++ if ((in->f_flags | out->f_flags) & O_NONBLOCK) ++ flags |= SPLICE_F_NONBLOCK; ++ + /* + * Keep going, unless we encounter an error. The ipipe/opipe + * ordering doesn't really matter. +-- +2.19.1 + diff --git a/queue-4.14/genirq-avoid-summation-loops-for-proc-stat.patch b/queue-4.14/genirq-avoid-summation-loops-for-proc-stat.patch new file mode 100644 index 00000000000..6498abc18d9 --- /dev/null +++ b/queue-4.14/genirq-avoid-summation-loops-for-proc-stat.patch @@ -0,0 +1,156 @@ +From 2138f03997aaf3f7e3b2ebd90a26ac0e076c1ed3 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Fri, 8 Feb 2019 14:48:03 +0100 +Subject: genirq: Avoid summation loops for /proc/stat + +[ Upstream commit 1136b0728969901a091f0471968b2b76ed14d9ad ] + +Waiman reported that on large systems with a large amount of interrupts the +readout of /proc/stat takes a long time to sum up the interrupt +statistics. In principle this is not a problem. but for unknown reasons +some enterprise quality software reads /proc/stat with a high frequency. + +The reason for this is that interrupt statistics are accounted per cpu. So +the /proc/stat logic has to sum up the interrupt stats for each interrupt. + +This can be largely avoided for interrupts which are not marked as +'PER_CPU' interrupts by simply adding a per interrupt summation counter +which is incremented along with the per interrupt per cpu counter. + +The PER_CPU interrupts need to avoid that and use only per cpu accounting +because they share the interrupt number and the interrupt descriptor and +concurrent updates would conflict or require unwanted synchronization. + +Reported-by: Waiman Long +Signed-off-by: Thomas Gleixner +Reviewed-by: Waiman Long +Reviewed-by: Marc Zyngier +Reviewed-by: Davidlohr Bueso +Cc: Matthew Wilcox +Cc: Andrew Morton +Cc: Alexey Dobriyan +Cc: Kees Cook +Cc: linux-fsdevel@vger.kernel.org +Cc: Davidlohr Bueso +Cc: Miklos Szeredi +Cc: Daniel Colascione +Cc: Dave Chinner +Cc: Randy Dunlap +Link: https://lkml.kernel.org/r/20190208135020.925487496@linutronix.de + +8<------------- + +v2: Undo the unintentional layout change of struct irq_desc. + + include/linux/irqdesc.h | 1 + + kernel/irq/chip.c | 12 ++++++++++-- + kernel/irq/internals.h | 8 +++++++- + kernel/irq/irqdesc.c | 7 ++++++- + 4 files changed, 24 insertions(+), 4 deletions(-) + +Signed-off-by: Sasha Levin +--- + include/linux/irqdesc.h | 1 + + kernel/irq/chip.c | 12 ++++++++++-- + kernel/irq/internals.h | 8 +++++++- + kernel/irq/irqdesc.c | 7 ++++++- + 4 files changed, 24 insertions(+), 4 deletions(-) + +diff --git a/include/linux/irqdesc.h b/include/linux/irqdesc.h +index b6084898d330..234f0d1f8dca 100644 +--- a/include/linux/irqdesc.h ++++ b/include/linux/irqdesc.h +@@ -65,6 +65,7 @@ struct irq_desc { + unsigned int core_internal_state__do_not_mess_with_it; + unsigned int depth; /* nested irq disables */ + unsigned int wake_depth; /* nested wake enables */ ++ unsigned int tot_count; + unsigned int irq_count; /* For detecting broken IRQs */ + unsigned long last_unhandled; /* Aging timer for unhandled count */ + unsigned int irqs_unhandled; +diff --git a/kernel/irq/chip.c b/kernel/irq/chip.c +index 5a2ef92c2782..0fa7ef74303b 100644 +--- a/kernel/irq/chip.c ++++ b/kernel/irq/chip.c +@@ -834,7 +834,11 @@ void handle_percpu_irq(struct irq_desc *desc) + { + struct irq_chip *chip = irq_desc_get_chip(desc); + +- kstat_incr_irqs_this_cpu(desc); ++ /* ++ * PER CPU interrupts are not serialized. Do not touch ++ * desc->tot_count. ++ */ ++ __kstat_incr_irqs_this_cpu(desc); + + if (chip->irq_ack) + chip->irq_ack(&desc->irq_data); +@@ -863,7 +867,11 @@ void handle_percpu_devid_irq(struct irq_desc *desc) + unsigned int irq = irq_desc_get_irq(desc); + irqreturn_t res; + +- kstat_incr_irqs_this_cpu(desc); ++ /* ++ * PER CPU interrupts are not serialized. Do not touch ++ * desc->tot_count. ++ */ ++ __kstat_incr_irqs_this_cpu(desc); + + if (chip->irq_ack) + chip->irq_ack(&desc->irq_data); +diff --git a/kernel/irq/internals.h b/kernel/irq/internals.h +index 44ed5f8c8759..4ef7f3b820ce 100644 +--- a/kernel/irq/internals.h ++++ b/kernel/irq/internals.h +@@ -240,12 +240,18 @@ static inline void irq_state_set_masked(struct irq_desc *desc) + + #undef __irqd_to_state + +-static inline void kstat_incr_irqs_this_cpu(struct irq_desc *desc) ++static inline void __kstat_incr_irqs_this_cpu(struct irq_desc *desc) + { + __this_cpu_inc(*desc->kstat_irqs); + __this_cpu_inc(kstat.irqs_sum); + } + ++static inline void kstat_incr_irqs_this_cpu(struct irq_desc *desc) ++{ ++ __kstat_incr_irqs_this_cpu(desc); ++ desc->tot_count++; ++} ++ + static inline int irq_desc_get_node(struct irq_desc *desc) + { + return irq_common_data_get_node(&desc->irq_common_data); +diff --git a/kernel/irq/irqdesc.c b/kernel/irq/irqdesc.c +index e97bbae947f0..c2bfb11a9d05 100644 +--- a/kernel/irq/irqdesc.c ++++ b/kernel/irq/irqdesc.c +@@ -119,6 +119,7 @@ static void desc_set_defaults(unsigned int irq, struct irq_desc *desc, int node, + desc->depth = 1; + desc->irq_count = 0; + desc->irqs_unhandled = 0; ++ desc->tot_count = 0; + desc->name = NULL; + desc->owner = owner; + for_each_possible_cpu(cpu) +@@ -895,11 +896,15 @@ unsigned int kstat_irqs_cpu(unsigned int irq, int cpu) + unsigned int kstat_irqs(unsigned int irq) + { + struct irq_desc *desc = irq_to_desc(irq); +- int cpu; + unsigned int sum = 0; ++ int cpu; + + if (!desc || !desc->kstat_irqs) + return 0; ++ if (!irq_settings_is_per_cpu_devid(desc) && ++ !irq_settings_is_per_cpu(desc)) ++ return desc->tot_count; ++ + for_each_possible_cpu(cpu) + sum += *per_cpu_ptr(desc->kstat_irqs, cpu); + return sum; +-- +2.19.1 + diff --git a/queue-4.14/gpio-gpio-omap-fix-level-interrupt-idling.patch b/queue-4.14/gpio-gpio-omap-fix-level-interrupt-idling.patch new file mode 100644 index 00000000000..eac20e1b4bf --- /dev/null +++ b/queue-4.14/gpio-gpio-omap-fix-level-interrupt-idling.patch @@ -0,0 +1,87 @@ +From df00b683ca2133ac6889f58d6c4a1d3c24f13939 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Fri, 1 Mar 2019 11:02:52 -0800 +Subject: gpio: gpio-omap: fix level interrupt idling + +[ Upstream commit d01849f7deba81f4959fd9e51bf20dbf46987d1c ] + +Tony notes that the GPIO module does not idle when level interrupts are +in use, as the wakeup appears to get stuck. + +After extensive investigation, it appears that the wakeup will only be +cleared if the interrupt status register is cleared while the interrupt +is enabled. However, we are currently clearing it with the interrupt +disabled for level-based interrupts. + +It is acknowledged that this observed behaviour conflicts with a +statement in the TRM: + +CAUTION + After servicing the interrupt, the status bit in the interrupt status + register (GPIOi.GPIO_IRQSTATUS_0 or GPIOi.GPIO_IRQSTATUS_1) must be + reset and the interrupt line released (by setting the corresponding + bit of the interrupt status register to 1) before enabling an + interrupt for the GPIO channel in the interrupt-enable register + (GPIOi.GPIO_IRQSTATUS_SET_0 or GPIOi.GPIO_IRQSTATUS_SET_1) to prevent + the occurrence of unexpected interrupts when enabling an interrupt + for the GPIO channel. + +However, this does not appear to be a practical problem. + +Further, as reported by Grygorii Strashko , +the TI Android kernel tree has an earlier similar patch as "GPIO: OMAP: +Fix the sequence to clear the IRQ status" saying: + + if the status is cleared after disabling the IRQ then sWAKEUP will not + be cleared and gates the module transition + +When we unmask the level interrupt after the interrupt has been handled, +enable the interrupt and only then clear the interrupt. If the interrupt +is still pending, the hardware will re-assert the interrupt status. + +Should the caution note in the TRM prove to be a problem, we could +use a clear-enable-clear sequence instead. + +Cc: Aaro Koskinen +Cc: Keerthy +Cc: Peter Ujfalusi +Signed-off-by: Russell King +[tony@atomide.com: updated comments based on an earlier TI patch] +Signed-off-by: Tony Lindgren +Acked-by: Grygorii Strashko +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-omap.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c +index 3233b72b6828..148e81eea35a 100644 +--- a/drivers/gpio/gpio-omap.c ++++ b/drivers/gpio/gpio-omap.c +@@ -841,14 +841,16 @@ static void omap_gpio_unmask_irq(struct irq_data *d) + if (trigger) + omap_set_gpio_triggering(bank, offset, trigger); + +- /* For level-triggered GPIOs, the clearing must be done after +- * the HW source is cleared, thus after the handler has run */ +- if (bank->level_mask & BIT(offset)) { +- omap_set_gpio_irqenable(bank, offset, 0); ++ omap_set_gpio_irqenable(bank, offset, 1); ++ ++ /* ++ * For level-triggered GPIOs, clearing must be done after the source ++ * is cleared, thus after the handler has run. OMAP4 needs this done ++ * after enabing the interrupt to clear the wakeup status. ++ */ ++ if (bank->level_mask & BIT(offset)) + omap_clear_gpio_irqstatus(bank, offset); +- } + +- omap_set_gpio_irqenable(bank, offset, 1); + raw_spin_unlock_irqrestore(&bank->lock, flags); + } + +-- +2.19.1 + diff --git a/queue-4.14/h8300-use-cc-cross-prefix-instead-of-hardcoding-h830.patch b/queue-4.14/h8300-use-cc-cross-prefix-instead-of-hardcoding-h830.patch new file mode 100644 index 00000000000..7248f10d178 --- /dev/null +++ b/queue-4.14/h8300-use-cc-cross-prefix-instead-of-hardcoding-h830.patch @@ -0,0 +1,61 @@ +From 419d53935ba421921c5a7f22ff30ff6d9caf8b17 Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Fri, 15 Feb 2019 13:04:26 +0900 +Subject: h8300: use cc-cross-prefix instead of hardcoding h8300-unknown-linux- + +[ Upstream commit fc2b47b55f17fd996f7a01975ce1c33c2f2513f6 ] + +It believe it is a bad idea to hardcode a specific compiler prefix +that may or may not be installed on a user's system. It is annoying +when testing features that should not require compilers at all. + +For example, mrproper, headers_install, etc. should work without +any compiler. + +They look like follows on my machine. + +$ make ARCH=h8300 mrproper +./scripts/gcc-version.sh: line 26: h8300-unknown-linux-gcc: command not found +./scripts/gcc-version.sh: line 27: h8300-unknown-linux-gcc: command not found +make: h8300-unknown-linux-gcc: Command not found +make: h8300-unknown-linux-gcc: Command not found + [ a bunch of the same error messages continue ] + +$ make ARCH=h8300 headers_install +./scripts/gcc-version.sh: line 26: h8300-unknown-linux-gcc: command not found +./scripts/gcc-version.sh: line 27: h8300-unknown-linux-gcc: command not found +make: h8300-unknown-linux-gcc: Command not found + HOSTCC scripts/basic/fixdep +make: h8300-unknown-linux-gcc: Command not found + WRAP arch/h8300/include/generated/uapi/asm/kvm_para.h + [ snip ] + +The solution is to delete this line, or to use cc-cross-prefix like +some architectures do. I chose the latter as a moderate fixup. + +I added an alternative 'h8300-linux-' because it is available at: + +https://mirrors.edge.kernel.org/pub/tools/crosstool/files/bin/x86_64/8.1.0/ + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + arch/h8300/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/h8300/Makefile b/arch/h8300/Makefile +index e1c02ca230cb..073bba6f9f60 100644 +--- a/arch/h8300/Makefile ++++ b/arch/h8300/Makefile +@@ -23,7 +23,7 @@ KBUILD_AFLAGS += $(aflags-y) + LDFLAGS += $(ldflags-y) + + ifeq ($(CROSS_COMPILE),) +-CROSS_COMPILE := h8300-unknown-linux- ++CROSS_COMPILE := $(call cc-cross-prefix, h8300-unknown-linux- h8300-linux-) + endif + + core-y += arch/$(ARCH)/kernel/ arch/$(ARCH)/mm/ +-- +2.19.1 + diff --git a/queue-4.14/hid-intel-ish-hid-avoid-binding-wrong-ishtp_cl_devic.patch b/queue-4.14/hid-intel-ish-hid-avoid-binding-wrong-ishtp_cl_devic.patch new file mode 100644 index 00000000000..6d8dadf8189 --- /dev/null +++ b/queue-4.14/hid-intel-ish-hid-avoid-binding-wrong-ishtp_cl_devic.patch @@ -0,0 +1,53 @@ +From 016e05071277498ac923d2ae2fed9d1e48ba9ae9 Mon Sep 17 00:00:00 2001 +From: Hong Liu +Date: Tue, 12 Feb 2019 20:05:20 +0800 +Subject: HID: intel-ish-hid: avoid binding wrong ishtp_cl_device + +[ Upstream commit 0d28f49412405d87d3aae83da255070a46e67627 ] + +When performing a warm reset in ishtp bus driver, the ishtp_cl_device +will not be removed, its fw_client still points to the already freed +ishtp_device.fw_clients array. + +Later after driver finishing ishtp client enumeration, this dangling +pointer may cause driver to bind the wrong ishtp_cl_device to the new +client, causing wrong callback to be called for messages intended for +the new client. + +This helps in development of firmware where frequent switching of +firmwares is required without Linux reboot. + +Signed-off-by: Hong Liu +Tested-by: Hongyan Song +Acked-by: Srinivas Pandruvada +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ishtp/bus.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/intel-ish-hid/ishtp/bus.c b/drivers/hid/intel-ish-hid/ishtp/bus.c +index 2623a567ffba..f546635e9ac9 100644 +--- a/drivers/hid/intel-ish-hid/ishtp/bus.c ++++ b/drivers/hid/intel-ish-hid/ishtp/bus.c +@@ -623,7 +623,8 @@ int ishtp_cl_device_bind(struct ishtp_cl *cl) + spin_lock_irqsave(&cl->dev->device_list_lock, flags); + list_for_each_entry(cl_device, &cl->dev->device_list, + device_link) { +- if (cl_device->fw_client->client_id == cl->fw_client_id) { ++ if (cl_device->fw_client && ++ cl_device->fw_client->client_id == cl->fw_client_id) { + cl->device = cl_device; + rv = 0; + break; +@@ -683,6 +684,7 @@ void ishtp_bus_remove_all_clients(struct ishtp_device *ishtp_dev, + spin_lock_irqsave(&ishtp_dev->device_list_lock, flags); + list_for_each_entry_safe(cl_device, n, &ishtp_dev->device_list, + device_link) { ++ cl_device->fw_client = NULL; + if (warm_reset && cl_device->reference_count) + continue; + +-- +2.19.1 + diff --git a/queue-4.14/hid-intel-ish-ipc-handle-pimr-before-ish_wakeup-also.patch b/queue-4.14/hid-intel-ish-ipc-handle-pimr-before-ish_wakeup-also.patch new file mode 100644 index 00000000000..f8eb1895349 --- /dev/null +++ b/queue-4.14/hid-intel-ish-ipc-handle-pimr-before-ish_wakeup-also.patch @@ -0,0 +1,64 @@ +From b9584c34237a208a3e779991c0cb40104bd9e5c2 Mon Sep 17 00:00:00 2001 +From: Song Hongyan +Date: Tue, 22 Jan 2019 09:06:26 +0800 +Subject: HID: intel-ish: ipc: handle PIMR before ish_wakeup also clear PISR + busy_clear bit + +[ Upstream commit 2edefc056e4f0e6ec9508dd1aca2c18fa320efef ] + +Host driver should handle interrupt mask register earlier than wake up ish FW +else there will be conditions when FW interrupt comes, host PIMR register still +not set ready, so move the interrupt mask setting before ish_wakeup. + +Clear PISR busy_clear bit in ish_irq_handler. If not clear, there will be +conditions host driver received a busy_clear interrupt (before the busy_clear +mask bit is ready), it will return IRQ_NONE after check_generated_interrupt, +the interrupt will never be cleared, causing the DEVICE not sending following +IRQ. + +Since PISR clear should not be called for the CHV device we do this change. +After the change, both ISH2HOST interrupt and busy_clear interrupt will be +considered as interrupt from ISH, busy_clear interrupt will return IRQ_HANDLED +from IPC_IS_BUSY check. + +Signed-off-by: Song Hongyan +Acked-by: Srinivas Pandruvada +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ipc/ipc.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/hid/intel-ish-hid/ipc/ipc.c b/drivers/hid/intel-ish-hid/ipc/ipc.c +index 9a60ec13cb10..a3106fcc2253 100644 +--- a/drivers/hid/intel-ish-hid/ipc/ipc.c ++++ b/drivers/hid/intel-ish-hid/ipc/ipc.c +@@ -91,7 +91,10 @@ static bool check_generated_interrupt(struct ishtp_device *dev) + IPC_INT_FROM_ISH_TO_HOST_CHV_AB(pisr_val); + } else { + pisr_val = ish_reg_read(dev, IPC_REG_PISR_BXT); +- interrupt_generated = IPC_INT_FROM_ISH_TO_HOST_BXT(pisr_val); ++ interrupt_generated = !!pisr_val; ++ /* only busy-clear bit is RW, others are RO */ ++ if (pisr_val) ++ ish_reg_write(dev, IPC_REG_PISR_BXT, pisr_val); + } + + return interrupt_generated; +@@ -843,11 +846,11 @@ int ish_hw_start(struct ishtp_device *dev) + { + ish_set_host_rdy(dev); + ++ set_host_ready(dev); ++ + /* After that we can enable ISH DMA operation and wakeup ISHFW */ + ish_wakeup(dev); + +- set_host_ready(dev); +- + /* wait for FW-initiated reset flow */ + if (!dev->recvd_hw_ready) + wait_event_interruptible_timeout(dev->wait_hw_ready, +-- +2.19.1 + diff --git a/queue-4.14/hpet-fix-missing-character-in-the-__setup-code-of-hp.patch b/queue-4.14/hpet-fix-missing-character-in-the-__setup-code-of-hp.patch new file mode 100644 index 00000000000..270959ad002 --- /dev/null +++ b/queue-4.14/hpet-fix-missing-character-in-the-__setup-code-of-hp.patch @@ -0,0 +1,59 @@ +From 799adb2c20be04602db4a40969a71ebe6a2ddaf4 Mon Sep 17 00:00:00 2001 +From: Buland Singh +Date: Thu, 20 Dec 2018 17:35:24 +0530 +Subject: hpet: Fix missing '=' character in the __setup() code of + hpet_mmap_enable + +[ Upstream commit 24d48a61f2666630da130cc2ec2e526eacf229e3 ] + +Commit '3d035f580699 ("drivers/char/hpet.c: allow user controlled mmap for +user processes")' introduced a new kernel command line parameter hpet_mmap, +that is required to expose the memory map of the HPET registers to +user-space. Unfortunately the kernel command line parameter 'hpet_mmap' is +broken and never takes effect due to missing '=' character in the __setup() +code of hpet_mmap_enable. + +Before this patch: + +dmesg output with the kernel command line parameter hpet_mmap=1 + +[ 0.204152] HPET mmap disabled + +dmesg output with the kernel command line parameter hpet_mmap=0 + +[ 0.204192] HPET mmap disabled + +After this patch: + +dmesg output with the kernel command line parameter hpet_mmap=1 + +[ 0.203945] HPET mmap enabled + +dmesg output with the kernel command line parameter hpet_mmap=0 + +[ 0.204652] HPET mmap disabled + +Fixes: 3d035f580699 ("drivers/char/hpet.c: allow user controlled mmap for user processes") +Signed-off-by: Buland Singh +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/char/hpet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/char/hpet.c b/drivers/char/hpet.c +index b941e6d59fd6..9dfb28b04559 100644 +--- a/drivers/char/hpet.c ++++ b/drivers/char/hpet.c +@@ -377,7 +377,7 @@ static __init int hpet_mmap_enable(char *str) + pr_info("HPET mmap %s\n", hpet_mmap_enabled ? "enabled" : "disabled"); + return 1; + } +-__setup("hpet_mmap", hpet_mmap_enable); ++__setup("hpet_mmap=", hpet_mmap_enable); + + static int hpet_mmap(struct file *file, struct vm_area_struct *vma) + { +-- +2.19.1 + diff --git a/queue-4.14/hwrng-virtio-avoid-repeated-init-of-completion.patch b/queue-4.14/hwrng-virtio-avoid-repeated-init-of-completion.patch new file mode 100644 index 00000000000..feb7ceb3551 --- /dev/null +++ b/queue-4.14/hwrng-virtio-avoid-repeated-init-of-completion.patch @@ -0,0 +1,57 @@ +From 9dc0cd5d2e630d9701e157fbfc939727514be3a4 Mon Sep 17 00:00:00 2001 +From: David Tolnay +Date: Mon, 7 Jan 2019 14:36:11 -0800 +Subject: hwrng: virtio - Avoid repeated init of completion + +[ Upstream commit aef027db48da56b6f25d0e54c07c8401ada6ce21 ] + +The virtio-rng driver uses a completion called have_data to wait for a +virtio read to be fulfilled by the hypervisor. The completion is reset +before placing a buffer on the virtio queue and completed by the virtio +callback once data has been written into the buffer. + +Prior to this commit, the driver called init_completion on this +completion both during probe as well as when registering virtio buffers +as part of a hwrng read operation. The second of these init_completion +calls should instead be reinit_completion because the have_data +completion has already been inited by probe. As described in +Documentation/scheduler/completion.txt, "Calling init_completion() twice +on the same completion object is most likely a bug". + +This bug was present in the initial implementation of virtio-rng in +f7f510ec1957 ("virtio: An entropy device, as suggested by hpa"). Back +then the have_data completion was a single static completion rather than +a member of one of potentially multiple virtrng_info structs as +implemented later by 08e53fbdb85c ("virtio-rng: support multiple +virtio-rng devices"). The original driver incorrectly used +init_completion rather than INIT_COMPLETION to reset have_data during +read. + +Tested by running `head -c48 /dev/random | hexdump` within crosvm, the +Chrome OS virtual machine monitor, and confirming that the virtio-rng +driver successfully produces random bytes from the host. + +Signed-off-by: David Tolnay +Tested-by: David Tolnay +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index 3fa2f8a009b3..1c5c4314c6b5 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -73,7 +73,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + + if (!vi->busy) { + vi->busy = true; +- init_completion(&vi->have_data); ++ reinit_completion(&vi->have_data); + register_buffer(vi, buf, size); + } + +-- +2.19.1 + diff --git a/queue-4.14/ib-mlx4-increase-the-timeout-for-cm-cache.patch b/queue-4.14/ib-mlx4-increase-the-timeout-for-cm-cache.patch new file mode 100644 index 00000000000..92b086dbbab --- /dev/null +++ b/queue-4.14/ib-mlx4-increase-the-timeout-for-cm-cache.patch @@ -0,0 +1,106 @@ +From 9ab807b63d4a76c4cd97d733d3c58a83fcbc1d45 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?H=C3=A5kon=20Bugge?= +Date: Sun, 17 Feb 2019 15:45:12 +0100 +Subject: IB/mlx4: Increase the timeout for CM cache +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 2612d723aadcf8281f9bf8305657129bd9f3cd57 ] + +Using CX-3 virtual functions, either from a bare-metal machine or +pass-through from a VM, MAD packets are proxied through the PF driver. + +Since the VF drivers have separate name spaces for MAD Transaction Ids +(TIDs), the PF driver has to re-map the TIDs and keep the book keeping +in a cache. + +Following the RDMA Connection Manager (CM) protocol, it is clear when +an entry has to evicted form the cache. But life is not perfect, +remote peers may die or be rebooted. Hence, it's a timeout to wipe out +a cache entry, when the PF driver assumes the remote peer has gone. + +During workloads where a high number of QPs are destroyed concurrently, +excessive amount of CM DREQ retries has been observed + +The problem can be demonstrated in a bare-metal environment, where two +nodes have instantiated 8 VFs each. This using dual ported HCAs, so we +have 16 vPorts per physical server. + +64 processes are associated with each vPort and creates and destroys +one QP for each of the remote 64 processes. That is, 1024 QPs per +vPort, all in all 16K QPs. The QPs are created/destroyed using the +CM. + +When tearing down these 16K QPs, excessive CM DREQ retries (and +duplicates) are observed. With some cat/paste/awk wizardry on the +infiniband_cm sysfs, we observe as sum of the 16 vPorts on one of the +nodes: + +cm_rx_duplicates: + dreq 2102 +cm_rx_msgs: + drep 1989 + dreq 6195 + rep 3968 + req 4224 + rtu 4224 +cm_tx_msgs: + drep 4093 + dreq 27568 + rep 4224 + req 3968 + rtu 3968 +cm_tx_retries: + dreq 23469 + +Note that the active/passive side is equally distributed between the +two nodes. + +Enabling pr_debug in cm.c gives tons of: + +[171778.814239] mlx4_ib_multiplex_cm_handler: id{slave: +1,sl_cm_id: 0xd393089f} is NULL! + +By increasing the CM_CLEANUP_CACHE_TIMEOUT from 5 to 30 seconds, the +tear-down phase of the application is reduced from approximately 90 to +50 seconds. Retries/duplicates are also significantly reduced: + +cm_rx_duplicates: + dreq 2460 +[] +cm_tx_retries: + dreq 3010 + req 47 + +Increasing the timeout further didn't help, as these duplicates and +retries stems from a too short CMA timeout, which was 20 (~4 seconds) +on the systems. By increasing the CMA timeout to 22 (~17 seconds), the +numbers fell down to about 10 for both of them. + +Adjustment of the CMA timeout is not part of this commit. + +Signed-off-by: HÃ¥kon Bugge +Acked-by: Jack Morgenstein +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/cm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx4/cm.c b/drivers/infiniband/hw/mlx4/cm.c +index fedaf8260105..8c79a480f2b7 100644 +--- a/drivers/infiniband/hw/mlx4/cm.c ++++ b/drivers/infiniband/hw/mlx4/cm.c +@@ -39,7 +39,7 @@ + + #include "mlx4_ib.h" + +-#define CM_CLEANUP_CACHE_TIMEOUT (5 * HZ) ++#define CM_CLEANUP_CACHE_TIMEOUT (30 * HZ) + + struct id_map_entry { + struct rb_node node; +-- +2.19.1 + diff --git a/queue-4.14/iio-adc-fix-warning-in-qualcomm-pm8xxx-hk-xoadc-driv.patch b/queue-4.14/iio-adc-fix-warning-in-qualcomm-pm8xxx-hk-xoadc-driv.patch new file mode 100644 index 00000000000..e52951125c7 --- /dev/null +++ b/queue-4.14/iio-adc-fix-warning-in-qualcomm-pm8xxx-hk-xoadc-driv.patch @@ -0,0 +1,79 @@ +From c0f68ddd6dd37351490e451431bf1567ce7e8944 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Wed, 6 Mar 2019 15:41:29 -0800 +Subject: iio: adc: fix warning in Qualcomm PM8xxx HK/XOADC driver +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit e0f0ae838a25464179d37f355d763f9ec139fc15 ] + +The pm8xxx_get_channel() implementation is unclear, and causes gcc to +suddenly generate odd warnings. The trigger for the warning (at least +for me) was the entirely unrelated commit 79a4e91d1bb2 ("device.h: Add +__cold to dev_ logging functions"), which apparently changes gcc +code generation in the caller function enough to cause this: + + drivers/iio/adc/qcom-pm8xxx-xoadc.c: In function ‘pm8xxx_xoadc_probe’: + drivers/iio/adc/qcom-pm8xxx-xoadc.c:633:8: warning: ‘ch’ may be used uninitialized in this function [-Wmaybe-uninitialized] + ret = pm8xxx_read_channel_rsv(adc, ch, AMUX_RSV4, + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + &read_nomux_rsv4, true); + ~~~~~~~~~~~~~~~~~~~~~~~ + drivers/iio/adc/qcom-pm8xxx-xoadc.c:426:27: note: ‘ch’ was declared here + struct pm8xxx_chan_info *ch; + ^~ + +because gcc for some reason then isn't able to see that the termination +condition for the "for( )" loop in that function is also the condition +for returning NULL. + +So it's not _actually_ uninitialized, but the function is admittedly +just unnecessarily oddly written. + +Simplify and clarify the function, making gcc also see that it always +returns a valid initialized value. + +Cc: Joe Perches +Cc: Greg Kroah-Hartman +Cc: Andy Gross +Cc: David Brown +Cc: Jonathan Cameron +Cc: Hartmut Knaack +Cc: Lars-Peter Clausen +Cc: Peter Meerwald-Stadler +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/qcom-pm8xxx-xoadc.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/iio/adc/qcom-pm8xxx-xoadc.c b/drivers/iio/adc/qcom-pm8xxx-xoadc.c +index cea8f1fb444a..7e8da418a7b7 100644 +--- a/drivers/iio/adc/qcom-pm8xxx-xoadc.c ++++ b/drivers/iio/adc/qcom-pm8xxx-xoadc.c +@@ -423,18 +423,14 @@ static irqreturn_t pm8xxx_eoc_irq(int irq, void *d) + static struct pm8xxx_chan_info * + pm8xxx_get_channel(struct pm8xxx_xoadc *adc, u8 chan) + { +- struct pm8xxx_chan_info *ch; + int i; + + for (i = 0; i < adc->nchans; i++) { +- ch = &adc->chans[i]; ++ struct pm8xxx_chan_info *ch = &adc->chans[i]; + if (ch->hwchan->amux_channel == chan) +- break; ++ return ch; + } +- if (i == adc->nchans) +- return NULL; +- +- return ch; ++ return NULL; + } + + static int pm8xxx_read_channel_rsv(struct pm8xxx_xoadc *adc, +-- +2.19.1 + diff --git a/queue-4.14/include-linux-relay.h-fix-percpu-annotation-in-struc.patch b/queue-4.14/include-linux-relay.h-fix-percpu-annotation-in-struc.patch new file mode 100644 index 00000000000..788ffb3360c --- /dev/null +++ b/queue-4.14/include-linux-relay.h-fix-percpu-annotation-in-struc.patch @@ -0,0 +1,53 @@ +From 592d600c530cdc8c16ef13b20dca7b767efe3258 Mon Sep 17 00:00:00 2001 +From: Luc Van Oostenryck +Date: Thu, 7 Mar 2019 16:31:28 -0800 +Subject: include/linux/relay.h: fix percpu annotation in struct rchan + +[ Upstream commit 62461ac2e5b6520b6d65fc6d7d7b4b8df4b848d8 ] + +The percpu member of this structure is declared as: + struct ... ** __percpu member; +So its type is: + __percpu pointer to pointer to struct ... + +But looking at how it's used, its type should be: + pointer to __percpu pointer to struct ... +and it should thus be declared as: + struct ... * __percpu *member; + +So fix the placement of '__percpu' in the definition of this +structures. + +This silents a few Sparse's warnings like: + warning: incorrect type in initializer (different address spaces) + expected void const [noderef] *__vpp_verify + got struct sched_domain ** + +Link: http://lkml.kernel.org/r/20190118144902.79065-1-luc.vanoostenryck@gmail.com +Fixes: 017c59c042d01 ("relay: Use per CPU constructs for the relay channel buffer pointers") +Signed-off-by: Luc Van Oostenryck +Cc: Jens Axboe +Cc: Thomas Gleixner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/relay.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/relay.h b/include/linux/relay.h +index e1bdf01a86e2..c759f96e39c1 100644 +--- a/include/linux/relay.h ++++ b/include/linux/relay.h +@@ -66,7 +66,7 @@ struct rchan + struct kref kref; /* channel refcount */ + void *private_data; /* for user-defined data */ + size_t last_toobig; /* tried to log event > subbuf size */ +- struct rchan_buf ** __percpu buf; /* per-cpu channel buffers */ ++ struct rchan_buf * __percpu *buf; /* per-cpu channel buffers */ + int is_global; /* One global buffer ? */ + struct list_head list; /* for channel list */ + struct dentry *parent; /* parent dentry passed to open */ +-- +2.19.1 + diff --git a/queue-4.14/iommu-io-pgtable-arm-v7s-only-kmemleak_ignore-l2-tab.patch b/queue-4.14/iommu-io-pgtable-arm-v7s-only-kmemleak_ignore-l2-tab.patch new file mode 100644 index 00000000000..20805dade24 --- /dev/null +++ b/queue-4.14/iommu-io-pgtable-arm-v7s-only-kmemleak_ignore-l2-tab.patch @@ -0,0 +1,51 @@ +From 16af174f32b4075355d2635175a36ab11dc7b2f7 Mon Sep 17 00:00:00 2001 +From: Nicolas Boichat +Date: Mon, 28 Jan 2019 17:43:01 +0800 +Subject: iommu/io-pgtable-arm-v7s: Only kmemleak_ignore L2 tables + +[ Upstream commit 032ebd8548c9d05e8d2bdc7a7ec2fe29454b0ad0 ] + +L1 tables are allocated with __get_dma_pages, and therefore already +ignored by kmemleak. + +Without this, the kernel would print this error message on boot, +when the first L1 table is allocated: + +[ 2.810533] kmemleak: Trying to color unknown object at 0xffffffd652388000 as Black +[ 2.818190] CPU: 5 PID: 39 Comm: kworker/5:0 Tainted: G S 4.19.16 #8 +[ 2.831227] Workqueue: events deferred_probe_work_func +[ 2.836353] Call trace: +... +[ 2.852532] paint_ptr+0xa0/0xa8 +[ 2.855750] kmemleak_ignore+0x38/0x6c +[ 2.859490] __arm_v7s_alloc_table+0x168/0x1f4 +[ 2.863922] arm_v7s_alloc_pgtable+0x114/0x17c +[ 2.868354] alloc_io_pgtable_ops+0x3c/0x78 +... + +Fixes: e5fc9753b1a8314 ("iommu/io-pgtable: Add ARMv7 short descriptor support") +Signed-off-by: Nicolas Boichat +Acked-by: Will Deacon +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/io-pgtable-arm-v7s.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/io-pgtable-arm-v7s.c b/drivers/iommu/io-pgtable-arm-v7s.c +index 29b7a6755fcd..56368c8bd791 100644 +--- a/drivers/iommu/io-pgtable-arm-v7s.c ++++ b/drivers/iommu/io-pgtable-arm-v7s.c +@@ -217,7 +217,8 @@ static void *__arm_v7s_alloc_table(int lvl, gfp_t gfp, + if (dma != phys) + goto out_unmap; + } +- kmemleak_ignore(table); ++ if (lvl == 2) ++ kmemleak_ignore(table); + return table; + + out_unmap: +-- +2.19.1 + diff --git a/queue-4.14/iw_cxgb4-fix-srqidx-leak-during-connection-abort.patch b/queue-4.14/iw_cxgb4-fix-srqidx-leak-during-connection-abort.patch new file mode 100644 index 00000000000..0a21344ada4 --- /dev/null +++ b/queue-4.14/iw_cxgb4-fix-srqidx-leak-during-connection-abort.patch @@ -0,0 +1,60 @@ +From 0d34d9820cf1469b11f18ca9578fd8a42756125e Mon Sep 17 00:00:00 2001 +From: Raju Rangoju +Date: Wed, 6 Feb 2019 22:54:44 +0530 +Subject: iw_cxgb4: fix srqidx leak during connection abort + +[ Upstream commit f368ff188ae4b3ef6f740a15999ea0373261b619 ] + +When an application aborts the connection by moving QP from RTS to ERROR, +then iw_cxgb4's modify_rc_qp() RTS->ERROR logic sets the +*srqidxp to 0 via t4_set_wq_in_error(&qhp->wq, 0), and aborts the +connection by calling c4iw_ep_disconnect(). + +c4iw_ep_disconnect() does the following: + 1. sends up a close_complete_upcall(ep, -ECONNRESET) to libcxgb4. + 2. sends abort request CPL to hw. + +But, since the close_complete_upcall() is sent before sending the +ABORT_REQ to hw, libcxgb4 would fail to release the srqidx if the +connection holds one. Because, the srqidx is passed up to libcxgb4 only +after corresponding ABORT_RPL is processed by kernel in abort_rpl(). + +This patch handle the corner-case by moving the call to +close_complete_upcall() from c4iw_ep_disconnect() to abort_rpl(). So that +libcxgb4 is notified about the -ECONNRESET only after abort_rpl(), and +libcxgb4 can relinquish the srqidx properly. + +Signed-off-by: Raju Rangoju +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/cm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index daf7a56e5d7e..e17f11782821 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -1884,8 +1884,10 @@ static int abort_rpl(struct c4iw_dev *dev, struct sk_buff *skb) + } + mutex_unlock(&ep->com.mutex); + +- if (release) ++ if (release) { ++ close_complete_upcall(ep, -ECONNRESET); + release_ep_resources(ep); ++ } + c4iw_put_ep(&ep->com); + return 0; + } +@@ -3584,7 +3586,6 @@ int c4iw_ep_disconnect(struct c4iw_ep *ep, int abrupt, gfp_t gfp) + if (close) { + if (abrupt) { + set_bit(EP_DISC_ABORT, &ep->com.history); +- close_complete_upcall(ep, -ECONNRESET); + ret = send_abort(ep); + } else { + set_bit(EP_DISC_CLOSE, &ep->com.history); +-- +2.19.1 + diff --git a/queue-4.14/iwlwifi-pcie-fix-emergency-path.patch b/queue-4.14/iwlwifi-pcie-fix-emergency-path.patch new file mode 100644 index 00000000000..689b40e5015 --- /dev/null +++ b/queue-4.14/iwlwifi-pcie-fix-emergency-path.patch @@ -0,0 +1,73 @@ +From 8dcd09dc4927a2b36b4e4d9af2e602ef297f8480 Mon Sep 17 00:00:00 2001 +From: Sara Sharon +Date: Thu, 13 Dec 2018 14:47:40 +0200 +Subject: iwlwifi: pcie: fix emergency path + +[ Upstream commit c6ac9f9fb98851f47b978a9476594fc3c477a34d ] + +Allocator swaps the pending requests with 0 when it starts +working. This means that relying on it n RX path to decide if +to move to emergency is not always a good idea, since it may +be zero, but there are still a lot of unallocated RBs in the +system. Change allocator to decrement the pending requests on +real time. It is more expensive since it accesses the atomic +variable more times, but it gives the RX path a better idea +of the system's status. + +Reported-by: Ilan Peer +Signed-off-by: Sara Sharon +Fixes: 868a1e863f95 ("iwlwifi: pcie: avoid empty free RB queue") +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/rx.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c +index 5a15362ef671..a40ad4675e19 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c +@@ -475,7 +475,7 @@ static void iwl_pcie_rx_allocator(struct iwl_trans *trans) + struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans); + struct iwl_rb_allocator *rba = &trans_pcie->rba; + struct list_head local_empty; +- int pending = atomic_xchg(&rba->req_pending, 0); ++ int pending = atomic_read(&rba->req_pending); + + IWL_DEBUG_RX(trans, "Pending allocation requests = %d\n", pending); + +@@ -530,11 +530,13 @@ static void iwl_pcie_rx_allocator(struct iwl_trans *trans) + i++; + } + ++ atomic_dec(&rba->req_pending); + pending--; ++ + if (!pending) { +- pending = atomic_xchg(&rba->req_pending, 0); ++ pending = atomic_read(&rba->req_pending); + IWL_DEBUG_RX(trans, +- "Pending allocation requests = %d\n", ++ "Got more pending allocation requests = %d\n", + pending); + } + +@@ -546,12 +548,15 @@ static void iwl_pcie_rx_allocator(struct iwl_trans *trans) + spin_unlock(&rba->lock); + + atomic_inc(&rba->req_ready); ++ + } + + spin_lock(&rba->lock); + /* return unused rbds to the allocator empty list */ + list_splice_tail(&local_empty, &rba->rbd_empty); + spin_unlock(&rba->lock); ++ ++ IWL_DEBUG_RX(trans, "%s, exit.\n", __func__); + } + + /* +-- +2.19.1 + diff --git a/queue-4.14/jbd2-fix-invalid-descriptor-block-checksum.patch b/queue-4.14/jbd2-fix-invalid-descriptor-block-checksum.patch new file mode 100644 index 00000000000..0eb945f7613 --- /dev/null +++ b/queue-4.14/jbd2-fix-invalid-descriptor-block-checksum.patch @@ -0,0 +1,52 @@ +From f6def3127cce224cc44b63dbf4e3e09c9fc348df Mon Sep 17 00:00:00 2001 +From: luojiajun +Date: Fri, 1 Mar 2019 00:30:00 -0500 +Subject: jbd2: fix invalid descriptor block checksum + +[ Upstream commit 6e876c3dd205d30b0db6850e97a03d75457df007 ] + +In jbd2_journal_commit_transaction(), if we are in abort mode, +we may flush the buffer without setting descriptor block checksum +by goto start_journal_io. Then fs is mounted, +jbd2_descriptor_block_csum_verify() failed. + +[ 271.379811] EXT4-fs (vdd): shut down requested (2) +[ 271.381827] Aborting journal on device vdd-8. +[ 271.597136] JBD2: Invalid checksum recovering block 22199 in log +[ 271.598023] JBD2: recovery failed +[ 271.598484] EXT4-fs (vdd): error loading journal + +Fix this problem by keep setting descriptor block checksum if the +descriptor buffer is not NULL. + +This checksum problem can be reproduced by xfstests generic/388. + +Signed-off-by: luojiajun +Signed-off-by: Theodore Ts'o +Reviewed-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/jbd2/commit.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c +index 3c1c31321d9b..d11401afd52f 100644 +--- a/fs/jbd2/commit.c ++++ b/fs/jbd2/commit.c +@@ -693,9 +693,11 @@ void jbd2_journal_commit_transaction(journal_t *journal) + the last tag we set up. */ + + tag->t_flags |= cpu_to_be16(JBD2_FLAG_LAST_TAG); +- +- jbd2_descriptor_block_csum_set(journal, descriptor); + start_journal_io: ++ if (descriptor) ++ jbd2_descriptor_block_csum_set(journal, ++ descriptor); ++ + for (i = 0; i < bufs; i++) { + struct buffer_head *bh = wbuf[i]; + /* +-- +2.19.1 + diff --git a/queue-4.14/jbd2-fix-race-when-writing-superblock.patch b/queue-4.14/jbd2-fix-race-when-writing-superblock.patch new file mode 100644 index 00000000000..01ed629a847 --- /dev/null +++ b/queue-4.14/jbd2-fix-race-when-writing-superblock.patch @@ -0,0 +1,157 @@ +From 318b76fb931301f0dbc07ee98edf8342768246df Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 14 Feb 2019 16:27:14 -0500 +Subject: jbd2: fix race when writing superblock + +[ Upstream commit 538bcaa6261b77e71d37f5596c33127c1a3ec3f7 ] + +The jbd2 superblock is lockless now, so there is probably a race +condition between writing it so disk and modifing contents of it, which +may lead to checksum error. The following race is the one case that we +have captured. + +jbd2 fsstress +jbd2_journal_commit_transaction + jbd2_journal_update_sb_log_tail + jbd2_write_superblock + jbd2_superblock_csum_set jbd2_journal_revoke + jbd2_journal_set_features(revork) + modify superblock + submit_bh(checksum incorrect) + +Fix this by locking the buffer head before modifing it. We always +write the jbd2 superblock after we modify it, so this just means +calling the lock_buffer() a little earlier. + +This checksum corruption problem can be reproduced by xfstests +generic/475. + +Reported-by: zhangyi (F) +Suggested-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/jbd2/journal.c | 52 ++++++++++++++++++++++++----------------------- + 1 file changed, 27 insertions(+), 25 deletions(-) + +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c +index 61d48f0c41a1..0c8f77db60e2 100644 +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -1343,6 +1343,10 @@ static int journal_reset(journal_t *journal) + return jbd2_journal_start_thread(journal); + } + ++/* ++ * This function expects that the caller will have locked the journal ++ * buffer head, and will return with it unlocked ++ */ + static int jbd2_write_superblock(journal_t *journal, int write_flags) + { + struct buffer_head *bh = journal->j_sb_buffer; +@@ -1352,7 +1356,6 @@ static int jbd2_write_superblock(journal_t *journal, int write_flags) + trace_jbd2_write_superblock(journal, write_flags); + if (!(journal->j_flags & JBD2_BARRIER)) + write_flags &= ~(REQ_FUA | REQ_PREFLUSH); +- lock_buffer(bh); + if (buffer_write_io_error(bh)) { + /* + * Oh, dear. A previous attempt to write the journal +@@ -1411,6 +1414,7 @@ int jbd2_journal_update_sb_log_tail(journal_t *journal, tid_t tail_tid, + jbd_debug(1, "JBD2: updating superblock (start %lu, seq %u)\n", + tail_block, tail_tid); + ++ lock_buffer(journal->j_sb_buffer); + sb->s_sequence = cpu_to_be32(tail_tid); + sb->s_start = cpu_to_be32(tail_block); + +@@ -1441,18 +1445,17 @@ static void jbd2_mark_journal_empty(journal_t *journal, int write_op) + journal_superblock_t *sb = journal->j_superblock; + + BUG_ON(!mutex_is_locked(&journal->j_checkpoint_mutex)); +- read_lock(&journal->j_state_lock); +- /* Is it already empty? */ +- if (sb->s_start == 0) { +- read_unlock(&journal->j_state_lock); ++ lock_buffer(journal->j_sb_buffer); ++ if (sb->s_start == 0) { /* Is it already empty? */ ++ unlock_buffer(journal->j_sb_buffer); + return; + } ++ + jbd_debug(1, "JBD2: Marking journal as empty (seq %d)\n", + journal->j_tail_sequence); + + sb->s_sequence = cpu_to_be32(journal->j_tail_sequence); + sb->s_start = cpu_to_be32(0); +- read_unlock(&journal->j_state_lock); + + jbd2_write_superblock(journal, write_op); + +@@ -1475,9 +1478,8 @@ void jbd2_journal_update_sb_errno(journal_t *journal) + journal_superblock_t *sb = journal->j_superblock; + int errcode; + +- read_lock(&journal->j_state_lock); ++ lock_buffer(journal->j_sb_buffer); + errcode = journal->j_errno; +- read_unlock(&journal->j_state_lock); + if (errcode == -ESHUTDOWN) + errcode = 0; + jbd_debug(1, "JBD2: updating superblock error (errno %d)\n", errcode); +@@ -1881,28 +1883,27 @@ int jbd2_journal_set_features (journal_t *journal, unsigned long compat, + + sb = journal->j_superblock; + ++ /* Load the checksum driver if necessary */ ++ if ((journal->j_chksum_driver == NULL) && ++ INCOMPAT_FEATURE_ON(JBD2_FEATURE_INCOMPAT_CSUM_V3)) { ++ journal->j_chksum_driver = crypto_alloc_shash("crc32c", 0, 0); ++ if (IS_ERR(journal->j_chksum_driver)) { ++ printk(KERN_ERR "JBD2: Cannot load crc32c driver.\n"); ++ journal->j_chksum_driver = NULL; ++ return 0; ++ } ++ /* Precompute checksum seed for all metadata */ ++ journal->j_csum_seed = jbd2_chksum(journal, ~0, sb->s_uuid, ++ sizeof(sb->s_uuid)); ++ } ++ ++ lock_buffer(journal->j_sb_buffer); ++ + /* If enabling v3 checksums, update superblock */ + if (INCOMPAT_FEATURE_ON(JBD2_FEATURE_INCOMPAT_CSUM_V3)) { + sb->s_checksum_type = JBD2_CRC32C_CHKSUM; + sb->s_feature_compat &= + ~cpu_to_be32(JBD2_FEATURE_COMPAT_CHECKSUM); +- +- /* Load the checksum driver */ +- if (journal->j_chksum_driver == NULL) { +- journal->j_chksum_driver = crypto_alloc_shash("crc32c", +- 0, 0); +- if (IS_ERR(journal->j_chksum_driver)) { +- printk(KERN_ERR "JBD2: Cannot load crc32c " +- "driver.\n"); +- journal->j_chksum_driver = NULL; +- return 0; +- } +- +- /* Precompute checksum seed for all metadata */ +- journal->j_csum_seed = jbd2_chksum(journal, ~0, +- sb->s_uuid, +- sizeof(sb->s_uuid)); +- } + } + + /* If enabling v1 checksums, downgrade superblock */ +@@ -1914,6 +1915,7 @@ int jbd2_journal_set_features (journal_t *journal, unsigned long compat, + sb->s_feature_compat |= cpu_to_be32(compat); + sb->s_feature_ro_compat |= cpu_to_be32(ro); + sb->s_feature_incompat |= cpu_to_be32(incompat); ++ unlock_buffer(journal->j_sb_buffer); + + return 1; + #undef COMPAT_FEATURE_ON +-- +2.19.1 + diff --git a/queue-4.14/kprobes-prohibit-probing-on-bsearch.patch b/queue-4.14/kprobes-prohibit-probing-on-bsearch.patch new file mode 100644 index 00000000000..ecf234f65c3 --- /dev/null +++ b/queue-4.14/kprobes-prohibit-probing-on-bsearch.patch @@ -0,0 +1,56 @@ +From 04a1546a3312f0ef81d94c7290abb586a6882244 Mon Sep 17 00:00:00 2001 +From: Andrea Righi +Date: Wed, 13 Feb 2019 01:15:34 +0900 +Subject: kprobes: Prohibit probing on bsearch() + +[ Upstream commit 02106f883cd745523f7766d90a739f983f19e650 ] + +Since kprobe breakpoing handler is using bsearch(), probing on this +routine can cause recursive breakpoint problem. + +int3 + ->do_int3() + ->ftrace_int3_handler() + ->ftrace_location() + ->ftrace_location_range() + ->bsearch() -> int3 + +Prohibit probing on bsearch(). + +Signed-off-by: Andrea Righi +Acked-by: Masami Hiramatsu +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Mathieu Desnoyers +Cc: Peter Zijlstra +Cc: Steven Rostedt +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/154998813406.31052.8791425358974650922.stgit@devbox +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + lib/bsearch.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/bsearch.c b/lib/bsearch.c +index 18b445b010c3..82512fe7b33c 100644 +--- a/lib/bsearch.c ++++ b/lib/bsearch.c +@@ -11,6 +11,7 @@ + + #include + #include ++#include + + /* + * bsearch - binary search an array of elements +@@ -53,3 +54,4 @@ void *bsearch(const void *key, const void *base, size_t num, size_t size, + return NULL; + } + EXPORT_SYMBOL(bsearch); ++NOKPROBE_SYMBOL(bsearch); +-- +2.19.1 + diff --git a/queue-4.14/leds-lp55xx-fix-null-deref-on-firmware-load-failure.patch b/queue-4.14/leds-lp55xx-fix-null-deref-on-firmware-load-failure.patch new file mode 100644 index 00000000000..5e35272d3f3 --- /dev/null +++ b/queue-4.14/leds-lp55xx-fix-null-deref-on-firmware-load-failure.patch @@ -0,0 +1,58 @@ +From 5f13e1609e1623f0fda6b5a68bf0dc72529a89ce Mon Sep 17 00:00:00 2001 +From: Michal Kazior +Date: Mon, 11 Feb 2019 10:29:27 +0100 +Subject: leds: lp55xx: fix null deref on firmware load failure + +[ Upstream commit 5ddb0869bfc1bca6cfc592c74c64a026f936638c ] + +I've stumbled upon a kernel crash and the logs +pointed me towards the lp5562 driver: + +> <4>[306013.841294] lp5562 0-0030: Direct firmware load for lp5562 failed with error -2 +> <4>[306013.894990] lp5562 0-0030: Falling back to user helper +> ... +> <3>[306073.924886] lp5562 0-0030: firmware request failed +> <1>[306073.939456] Unable to handle kernel NULL pointer dereference at virtual address 00000000 +> <4>[306074.251011] PC is at _raw_spin_lock+0x1c/0x58 +> <4>[306074.255539] LR is at release_firmware+0x6c/0x138 +> ... + +After taking a look I noticed firmware_release() +could be called with either NULL or a dangling +pointer. + +Fixes: 10c06d178df11 ("leds-lp55xx: support firmware interface") +Signed-off-by: Michal Kazior +Signed-off-by: Jacek Anaszewski +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-lp55xx-common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/leds/leds-lp55xx-common.c b/drivers/leds/leds-lp55xx-common.c +index 5377f22ff994..e2655953667c 100644 +--- a/drivers/leds/leds-lp55xx-common.c ++++ b/drivers/leds/leds-lp55xx-common.c +@@ -201,7 +201,7 @@ static void lp55xx_firmware_loaded(const struct firmware *fw, void *context) + + if (!fw) { + dev_err(dev, "firmware request failed\n"); +- goto out; ++ return; + } + + /* handling firmware data is chip dependent */ +@@ -214,9 +214,9 @@ static void lp55xx_firmware_loaded(const struct firmware *fw, void *context) + + mutex_unlock(&chip->lock); + +-out: + /* firmware should be released for other channel use */ + release_firmware(chip->fw); ++ chip->fw = NULL; + } + + static int lp55xx_request_firmware(struct lp55xx_chip *chip) +-- +2.19.1 + diff --git a/queue-4.14/media-mt9m111-set-initial-frame-size-other-than-0x0.patch b/queue-4.14/media-mt9m111-set-initial-frame-size-other-than-0x0.patch new file mode 100644 index 00000000000..e7075da7337 --- /dev/null +++ b/queue-4.14/media-mt9m111-set-initial-frame-size-other-than-0x0.patch @@ -0,0 +1,39 @@ +From ec9d3bea8febf3d8d278939b11021deb1fedef60 Mon Sep 17 00:00:00 2001 +From: Akinobu Mita +Date: Tue, 15 Jan 2019 12:05:41 -0200 +Subject: media: mt9m111: set initial frame size other than 0x0 + +[ Upstream commit 29856308137de1c21eda89411695f4fc6e9780ff ] + +This driver sets initial frame width and height to 0x0, which is invalid. +So set it to selection rectangle bounds instead. + +This is detected by v4l2-compliance detected. + +Cc: Enrico Scholz +Cc: Michael Grzeschik +Cc: Marco Felsch +Signed-off-by: Akinobu Mita +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/mt9m111.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/i2c/mt9m111.c b/drivers/media/i2c/mt9m111.c +index 99b992e46702..5b10f74fcc32 100644 +--- a/drivers/media/i2c/mt9m111.c ++++ b/drivers/media/i2c/mt9m111.c +@@ -974,6 +974,8 @@ static int mt9m111_probe(struct i2c_client *client, + mt9m111->rect.top = MT9M111_MIN_DARK_ROWS; + mt9m111->rect.width = MT9M111_MAX_WIDTH; + mt9m111->rect.height = MT9M111_MAX_HEIGHT; ++ mt9m111->width = mt9m111->rect.width; ++ mt9m111->height = mt9m111->rect.height; + mt9m111->fmt = &mt9m111_colour_fmts[0]; + mt9m111->lastpage = -1; + mutex_init(&mt9m111->power_lock); +-- +2.19.1 + diff --git a/queue-4.14/media-mtk-jpeg-correct-return-type-for-mem2mem-buffe.patch b/queue-4.14/media-mtk-jpeg-correct-return-type-for-mem2mem-buffe.patch new file mode 100644 index 00000000000..af1f478dd1f --- /dev/null +++ b/queue-4.14/media-mtk-jpeg-correct-return-type-for-mem2mem-buffe.patch @@ -0,0 +1,178 @@ +From cff0f9918e2ae6fa53582e6c929c01aafb209ddc Mon Sep 17 00:00:00 2001 +From: Ezequiel Garcia +Date: Fri, 8 Feb 2019 11:17:39 -0500 +Subject: media: mtk-jpeg: Correct return type for mem2mem buffer helpers + +[ Upstream commit 1b275e4e8b70dbff9850874b30831c1bd8d3c504 ] + +Fix the assigned type of mem2mem buffer handling API. +Namely, these functions: + + v4l2_m2m_next_buf + v4l2_m2m_last_buf + v4l2_m2m_buf_remove + v4l2_m2m_next_src_buf + v4l2_m2m_next_dst_buf + v4l2_m2m_last_src_buf + v4l2_m2m_last_dst_buf + v4l2_m2m_src_buf_remove + v4l2_m2m_dst_buf_remove + +return a struct vb2_v4l2_buffer, and not a struct vb2_buffer. + +Fixing this is necessary to fix the mem2mem buffer handling API, +changing the return to the correct struct vb2_v4l2_buffer instead +of a void pointer. + +Signed-off-by: Ezequiel Garcia +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + .../media/platform/mtk-jpeg/mtk_jpeg_core.c | 40 +++++++++---------- + 1 file changed, 20 insertions(+), 20 deletions(-) + +diff --git a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c +index 226f90886484..46c996936798 100644 +--- a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c ++++ b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c +@@ -702,7 +702,7 @@ end: + v4l2_m2m_buf_queue(ctx->fh.m2m_ctx, to_vb2_v4l2_buffer(vb)); + } + +-static void *mtk_jpeg_buf_remove(struct mtk_jpeg_ctx *ctx, ++static struct vb2_v4l2_buffer *mtk_jpeg_buf_remove(struct mtk_jpeg_ctx *ctx, + enum v4l2_buf_type type) + { + if (V4L2_TYPE_IS_OUTPUT(type)) +@@ -714,7 +714,7 @@ static void *mtk_jpeg_buf_remove(struct mtk_jpeg_ctx *ctx, + static int mtk_jpeg_start_streaming(struct vb2_queue *q, unsigned int count) + { + struct mtk_jpeg_ctx *ctx = vb2_get_drv_priv(q); +- struct vb2_buffer *vb; ++ struct vb2_v4l2_buffer *vb; + int ret = 0; + + ret = pm_runtime_get_sync(ctx->jpeg->dev); +@@ -724,14 +724,14 @@ static int mtk_jpeg_start_streaming(struct vb2_queue *q, unsigned int count) + return 0; + err: + while ((vb = mtk_jpeg_buf_remove(ctx, q->type))) +- v4l2_m2m_buf_done(to_vb2_v4l2_buffer(vb), VB2_BUF_STATE_QUEUED); ++ v4l2_m2m_buf_done(vb, VB2_BUF_STATE_QUEUED); + return ret; + } + + static void mtk_jpeg_stop_streaming(struct vb2_queue *q) + { + struct mtk_jpeg_ctx *ctx = vb2_get_drv_priv(q); +- struct vb2_buffer *vb; ++ struct vb2_v4l2_buffer *vb; + + /* + * STREAMOFF is an acknowledgment for source change event. +@@ -743,7 +743,7 @@ static void mtk_jpeg_stop_streaming(struct vb2_queue *q) + struct mtk_jpeg_src_buf *src_buf; + + vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); +- src_buf = mtk_jpeg_vb2_to_srcbuf(vb); ++ src_buf = mtk_jpeg_vb2_to_srcbuf(&vb->vb2_buf); + mtk_jpeg_set_queue_data(ctx, &src_buf->dec_param); + ctx->state = MTK_JPEG_RUNNING; + } else if (V4L2_TYPE_IS_OUTPUT(q->type)) { +@@ -751,7 +751,7 @@ static void mtk_jpeg_stop_streaming(struct vb2_queue *q) + } + + while ((vb = mtk_jpeg_buf_remove(ctx, q->type))) +- v4l2_m2m_buf_done(to_vb2_v4l2_buffer(vb), VB2_BUF_STATE_ERROR); ++ v4l2_m2m_buf_done(vb, VB2_BUF_STATE_ERROR); + + pm_runtime_put_sync(ctx->jpeg->dev); + } +@@ -807,7 +807,7 @@ static void mtk_jpeg_device_run(void *priv) + { + struct mtk_jpeg_ctx *ctx = priv; + struct mtk_jpeg_dev *jpeg = ctx->jpeg; +- struct vb2_buffer *src_buf, *dst_buf; ++ struct vb2_v4l2_buffer *src_buf, *dst_buf; + enum vb2_buffer_state buf_state = VB2_BUF_STATE_ERROR; + unsigned long flags; + struct mtk_jpeg_src_buf *jpeg_src_buf; +@@ -817,11 +817,11 @@ static void mtk_jpeg_device_run(void *priv) + + src_buf = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + dst_buf = v4l2_m2m_next_dst_buf(ctx->fh.m2m_ctx); +- jpeg_src_buf = mtk_jpeg_vb2_to_srcbuf(src_buf); ++ jpeg_src_buf = mtk_jpeg_vb2_to_srcbuf(&src_buf->vb2_buf); + + if (jpeg_src_buf->flags & MTK_JPEG_BUF_FLAGS_LAST_FRAME) { +- for (i = 0; i < dst_buf->num_planes; i++) +- vb2_set_plane_payload(dst_buf, i, 0); ++ for (i = 0; i < dst_buf->vb2_buf.num_planes; i++) ++ vb2_set_plane_payload(&dst_buf->vb2_buf, i, 0); + buf_state = VB2_BUF_STATE_DONE; + goto dec_end; + } +@@ -833,8 +833,8 @@ static void mtk_jpeg_device_run(void *priv) + return; + } + +- mtk_jpeg_set_dec_src(ctx, src_buf, &bs); +- if (mtk_jpeg_set_dec_dst(ctx, &jpeg_src_buf->dec_param, dst_buf, &fb)) ++ mtk_jpeg_set_dec_src(ctx, &src_buf->vb2_buf, &bs); ++ if (mtk_jpeg_set_dec_dst(ctx, &jpeg_src_buf->dec_param, &dst_buf->vb2_buf, &fb)) + goto dec_end; + + spin_lock_irqsave(&jpeg->hw_lock, flags); +@@ -849,8 +849,8 @@ static void mtk_jpeg_device_run(void *priv) + dec_end: + v4l2_m2m_src_buf_remove(ctx->fh.m2m_ctx); + v4l2_m2m_dst_buf_remove(ctx->fh.m2m_ctx); +- v4l2_m2m_buf_done(to_vb2_v4l2_buffer(src_buf), buf_state); +- v4l2_m2m_buf_done(to_vb2_v4l2_buffer(dst_buf), buf_state); ++ v4l2_m2m_buf_done(src_buf, buf_state); ++ v4l2_m2m_buf_done(dst_buf, buf_state); + v4l2_m2m_job_finish(jpeg->m2m_dev, ctx->fh.m2m_ctx); + } + +@@ -926,7 +926,7 @@ static irqreturn_t mtk_jpeg_dec_irq(int irq, void *priv) + { + struct mtk_jpeg_dev *jpeg = priv; + struct mtk_jpeg_ctx *ctx; +- struct vb2_buffer *src_buf, *dst_buf; ++ struct vb2_v4l2_buffer *src_buf, *dst_buf; + struct mtk_jpeg_src_buf *jpeg_src_buf; + enum vb2_buffer_state buf_state = VB2_BUF_STATE_ERROR; + u32 dec_irq_ret; +@@ -943,7 +943,7 @@ static irqreturn_t mtk_jpeg_dec_irq(int irq, void *priv) + + src_buf = v4l2_m2m_src_buf_remove(ctx->fh.m2m_ctx); + dst_buf = v4l2_m2m_dst_buf_remove(ctx->fh.m2m_ctx); +- jpeg_src_buf = mtk_jpeg_vb2_to_srcbuf(src_buf); ++ jpeg_src_buf = mtk_jpeg_vb2_to_srcbuf(&src_buf->vb2_buf); + + if (dec_irq_ret >= MTK_JPEG_DEC_RESULT_UNDERFLOW) + mtk_jpeg_dec_reset(jpeg->dec_reg_base); +@@ -953,15 +953,15 @@ static irqreturn_t mtk_jpeg_dec_irq(int irq, void *priv) + goto dec_end; + } + +- for (i = 0; i < dst_buf->num_planes; i++) +- vb2_set_plane_payload(dst_buf, i, ++ for (i = 0; i < dst_buf->vb2_buf.num_planes; i++) ++ vb2_set_plane_payload(&dst_buf->vb2_buf, i, + jpeg_src_buf->dec_param.comp_size[i]); + + buf_state = VB2_BUF_STATE_DONE; + + dec_end: +- v4l2_m2m_buf_done(to_vb2_v4l2_buffer(src_buf), buf_state); +- v4l2_m2m_buf_done(to_vb2_v4l2_buffer(dst_buf), buf_state); ++ v4l2_m2m_buf_done(src_buf, buf_state); ++ v4l2_m2m_buf_done(dst_buf, buf_state); + v4l2_m2m_job_finish(jpeg->m2m_dev, ctx->fh.m2m_ctx); + return IRQ_HANDLED; + } +-- +2.19.1 + diff --git a/queue-4.14/media-mx2_emmaprp-correct-return-type-for-mem2mem-bu.patch b/queue-4.14/media-mx2_emmaprp-correct-return-type-for-mem2mem-bu.patch new file mode 100644 index 00000000000..6e10a22f8db --- /dev/null +++ b/queue-4.14/media-mx2_emmaprp-correct-return-type-for-mem2mem-bu.patch @@ -0,0 +1,61 @@ +From fecc5b57e641cac38fda0005eb5442fb8c4fe4c1 Mon Sep 17 00:00:00 2001 +From: Ezequiel Garcia +Date: Fri, 8 Feb 2019 11:17:42 -0500 +Subject: media: mx2_emmaprp: Correct return type for mem2mem buffer helpers + +[ Upstream commit 8d20dcefe471763f23ad538369ec65b51993ffff ] + +Fix the assigned type of mem2mem buffer handling API. +Namely, these functions: + + v4l2_m2m_next_buf + v4l2_m2m_last_buf + v4l2_m2m_buf_remove + v4l2_m2m_next_src_buf + v4l2_m2m_next_dst_buf + v4l2_m2m_last_src_buf + v4l2_m2m_last_dst_buf + v4l2_m2m_src_buf_remove + v4l2_m2m_dst_buf_remove + +return a struct vb2_v4l2_buffer, and not a struct vb2_buffer. + +Fixing this is necessary to fix the mem2mem buffer handling API, +changing the return to the correct struct vb2_v4l2_buffer instead +of a void pointer. + +Signed-off-by: Ezequiel Garcia +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/mx2_emmaprp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/mx2_emmaprp.c b/drivers/media/platform/mx2_emmaprp.c +index 4a2b1afa19c4..951f2fd415b0 100644 +--- a/drivers/media/platform/mx2_emmaprp.c ++++ b/drivers/media/platform/mx2_emmaprp.c +@@ -288,7 +288,7 @@ static void emmaprp_device_run(void *priv) + { + struct emmaprp_ctx *ctx = priv; + struct emmaprp_q_data *s_q_data, *d_q_data; +- struct vb2_buffer *src_buf, *dst_buf; ++ struct vb2_v4l2_buffer *src_buf, *dst_buf; + struct emmaprp_dev *pcdev = ctx->dev; + unsigned int s_width, s_height; + unsigned int d_width, d_height; +@@ -308,8 +308,8 @@ static void emmaprp_device_run(void *priv) + d_height = d_q_data->height; + d_size = d_width * d_height; + +- p_in = vb2_dma_contig_plane_dma_addr(src_buf, 0); +- p_out = vb2_dma_contig_plane_dma_addr(dst_buf, 0); ++ p_in = vb2_dma_contig_plane_dma_addr(&src_buf->vb2_buf, 0); ++ p_out = vb2_dma_contig_plane_dma_addr(&dst_buf->vb2_buf, 0); + if (!p_in || !p_out) { + v4l2_err(&pcdev->v4l2_dev, + "Acquiring kernel pointers to buffers failed\n"); +-- +2.19.1 + diff --git a/queue-4.14/media-s5p-g2d-correct-return-type-for-mem2mem-buffer.patch b/queue-4.14/media-s5p-g2d-correct-return-type-for-mem2mem-buffer.patch new file mode 100644 index 00000000000..0f418e8a0e8 --- /dev/null +++ b/queue-4.14/media-s5p-g2d-correct-return-type-for-mem2mem-buffer.patch @@ -0,0 +1,63 @@ +From 5315596d45b29c12dd5c52332d858f0e15a64802 Mon Sep 17 00:00:00 2001 +From: Ezequiel Garcia +Date: Fri, 8 Feb 2019 11:17:44 -0500 +Subject: media: s5p-g2d: Correct return type for mem2mem buffer helpers + +[ Upstream commit 30fa627b32230737bc3f678067e2adfecf956987 ] + +Fix the assigned type of mem2mem buffer handling API. +Namely, these functions: + + v4l2_m2m_next_buf + v4l2_m2m_last_buf + v4l2_m2m_buf_remove + v4l2_m2m_next_src_buf + v4l2_m2m_next_dst_buf + v4l2_m2m_last_src_buf + v4l2_m2m_last_dst_buf + v4l2_m2m_src_buf_remove + v4l2_m2m_dst_buf_remove + +return a struct vb2_v4l2_buffer, and not a struct vb2_buffer. + +Fixing this is necessary to fix the mem2mem buffer handling API, +changing the return to the correct struct vb2_v4l2_buffer instead +of a void pointer. + +Signed-off-by: Ezequiel Garcia +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s5p-g2d/g2d.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/s5p-g2d/g2d.c b/drivers/media/platform/s5p-g2d/g2d.c +index 66aa8cf1d048..770100d40372 100644 +--- a/drivers/media/platform/s5p-g2d/g2d.c ++++ b/drivers/media/platform/s5p-g2d/g2d.c +@@ -498,7 +498,7 @@ static void device_run(void *prv) + { + struct g2d_ctx *ctx = prv; + struct g2d_dev *dev = ctx->dev; +- struct vb2_buffer *src, *dst; ++ struct vb2_v4l2_buffer *src, *dst; + unsigned long flags; + u32 cmd = 0; + +@@ -513,10 +513,10 @@ static void device_run(void *prv) + spin_lock_irqsave(&dev->ctrl_lock, flags); + + g2d_set_src_size(dev, &ctx->in); +- g2d_set_src_addr(dev, vb2_dma_contig_plane_dma_addr(src, 0)); ++ g2d_set_src_addr(dev, vb2_dma_contig_plane_dma_addr(&src->vb2_buf, 0)); + + g2d_set_dst_size(dev, &ctx->out); +- g2d_set_dst_addr(dev, vb2_dma_contig_plane_dma_addr(dst, 0)); ++ g2d_set_dst_addr(dev, vb2_dma_contig_plane_dma_addr(&dst->vb2_buf, 0)); + + g2d_set_rop4(dev, ctx->rop); + g2d_set_flip(dev, ctx->flip); +-- +2.19.1 + diff --git a/queue-4.14/media-s5p-jpeg-check-for-fmt_ver_flag-when-doing-fmt.patch b/queue-4.14/media-s5p-jpeg-check-for-fmt_ver_flag-when-doing-fmt.patch new file mode 100644 index 00000000000..259325c05d6 --- /dev/null +++ b/queue-4.14/media-s5p-jpeg-check-for-fmt_ver_flag-when-doing-fmt.patch @@ -0,0 +1,86 @@ +From 9cec4cd60dce0c1291e0af43a8b5363ab27f0949 Mon Sep 17 00:00:00 2001 +From: Pawe? Chmiel +Date: Sat, 29 Dec 2018 10:46:01 -0500 +Subject: media: s5p-jpeg: Check for fmt_ver_flag when doing fmt enumeration + +[ Upstream commit 49710c32cd9d6626a77c9f5f978a5f58cb536b35 ] + +Previously when doing format enumeration, it was returning all + formats supported by driver, even if they're not supported by hw. +Add missing check for fmt_ver_flag, so it'll be fixed and only those + supported by hw will be returned. Similar thing is already done + in s5p_jpeg_find_format. + +It was found by using v4l2-compliance tool and checking result + of VIDIOC_ENUM_FMT/FRAMESIZES/FRAMEINTERVALS test +and using v4l2-ctl to get list of all supported formats. + +Tested on s5pv210-galaxys (Samsung i9000 phone). + +Fixes: bb677f3ac434 ("[media] Exynos4 JPEG codec v4l2 driver") + +Signed-off-by: Pawe? Chmiel +Reviewed-by: Jacek Anaszewski +[hverkuil-cisco@xs4all.nl: fix a few alignment issues] +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s5p-jpeg/jpeg-core.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/drivers/media/platform/s5p-jpeg/jpeg-core.c b/drivers/media/platform/s5p-jpeg/jpeg-core.c +index d7679e4585fd..4568e68e15fa 100644 +--- a/drivers/media/platform/s5p-jpeg/jpeg-core.c ++++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c +@@ -1293,13 +1293,16 @@ static int s5p_jpeg_querycap(struct file *file, void *priv, + return 0; + } + +-static int enum_fmt(struct s5p_jpeg_fmt *sjpeg_formats, int n, ++static int enum_fmt(struct s5p_jpeg_ctx *ctx, ++ struct s5p_jpeg_fmt *sjpeg_formats, int n, + struct v4l2_fmtdesc *f, u32 type) + { + int i, num = 0; ++ unsigned int fmt_ver_flag = ctx->jpeg->variant->fmt_ver_flag; + + for (i = 0; i < n; ++i) { +- if (sjpeg_formats[i].flags & type) { ++ if (sjpeg_formats[i].flags & type && ++ sjpeg_formats[i].flags & fmt_ver_flag) { + /* index-th format of type type found ? */ + if (num == f->index) + break; +@@ -1326,11 +1329,11 @@ static int s5p_jpeg_enum_fmt_vid_cap(struct file *file, void *priv, + struct s5p_jpeg_ctx *ctx = fh_to_ctx(priv); + + if (ctx->mode == S5P_JPEG_ENCODE) +- return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f, ++ return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f, + SJPEG_FMT_FLAG_ENC_CAPTURE); + +- return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f, +- SJPEG_FMT_FLAG_DEC_CAPTURE); ++ return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f, ++ SJPEG_FMT_FLAG_DEC_CAPTURE); + } + + static int s5p_jpeg_enum_fmt_vid_out(struct file *file, void *priv, +@@ -1339,11 +1342,11 @@ static int s5p_jpeg_enum_fmt_vid_out(struct file *file, void *priv, + struct s5p_jpeg_ctx *ctx = fh_to_ctx(priv); + + if (ctx->mode == S5P_JPEG_ENCODE) +- return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f, ++ return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f, + SJPEG_FMT_FLAG_ENC_OUTPUT); + +- return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f, +- SJPEG_FMT_FLAG_DEC_OUTPUT); ++ return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f, ++ SJPEG_FMT_FLAG_DEC_OUTPUT); + } + + static struct s5p_jpeg_q_data *get_q_data(struct s5p_jpeg_ctx *ctx, +-- +2.19.1 + diff --git a/queue-4.14/media-s5p-jpeg-correct-return-type-for-mem2mem-buffe.patch b/queue-4.14/media-s5p-jpeg-correct-return-type-for-mem2mem-buffe.patch new file mode 100644 index 00000000000..d0640e78428 --- /dev/null +++ b/queue-4.14/media-s5p-jpeg-correct-return-type-for-mem2mem-buffe.patch @@ -0,0 +1,199 @@ +From a694a6aab0c7cd6ecdc9a1a949aa30afc725bc2c Mon Sep 17 00:00:00 2001 +From: Ezequiel Garcia +Date: Fri, 8 Feb 2019 11:17:45 -0500 +Subject: media: s5p-jpeg: Correct return type for mem2mem buffer helpers + +[ Upstream commit 4a88f89885c7cf65c62793f385261a6e3315178a ] + +Fix the assigned type of mem2mem buffer handling API. +Namely, these functions: + + v4l2_m2m_next_buf + v4l2_m2m_last_buf + v4l2_m2m_buf_remove + v4l2_m2m_next_src_buf + v4l2_m2m_next_dst_buf + v4l2_m2m_last_src_buf + v4l2_m2m_last_dst_buf + v4l2_m2m_src_buf_remove + v4l2_m2m_dst_buf_remove + +return a struct vb2_v4l2_buffer, and not a struct vb2_buffer. + +Fixing this is necessary to fix the mem2mem buffer handling API, +changing the return to the correct struct vb2_v4l2_buffer instead +of a void pointer. + +Signed-off-by: Ezequiel Garcia +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s5p-jpeg/jpeg-core.c | 38 ++++++++++----------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +diff --git a/drivers/media/platform/s5p-jpeg/jpeg-core.c b/drivers/media/platform/s5p-jpeg/jpeg-core.c +index faac8161b683..d7679e4585fd 100644 +--- a/drivers/media/platform/s5p-jpeg/jpeg-core.c ++++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c +@@ -793,14 +793,14 @@ static void skip(struct s5p_jpeg_buffer *buf, long len); + static void exynos4_jpeg_parse_decode_h_tbl(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); ++ struct vb2_v4l2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + struct s5p_jpeg_buffer jpeg_buffer; + unsigned int word; + int c, x, components; + + jpeg_buffer.size = 2; /* Ls */ + jpeg_buffer.data = +- (unsigned long)vb2_plane_vaddr(vb, 0) + ctx->out_q.sos + 2; ++ (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2; + jpeg_buffer.curr = 0; + + word = 0; +@@ -830,14 +830,14 @@ static void exynos4_jpeg_parse_decode_h_tbl(struct s5p_jpeg_ctx *ctx) + static void exynos4_jpeg_parse_huff_tbl(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); ++ struct vb2_v4l2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + struct s5p_jpeg_buffer jpeg_buffer; + unsigned int word; + int c, i, n, j; + + for (j = 0; j < ctx->out_q.dht.n; ++j) { + jpeg_buffer.size = ctx->out_q.dht.len[j]; +- jpeg_buffer.data = (unsigned long)vb2_plane_vaddr(vb, 0) + ++ jpeg_buffer.data = (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + + ctx->out_q.dht.marker[j]; + jpeg_buffer.curr = 0; + +@@ -889,13 +889,13 @@ static void exynos4_jpeg_parse_huff_tbl(struct s5p_jpeg_ctx *ctx) + static void exynos4_jpeg_parse_decode_q_tbl(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); ++ struct vb2_v4l2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + struct s5p_jpeg_buffer jpeg_buffer; + int c, x, components; + + jpeg_buffer.size = ctx->out_q.sof_len; + jpeg_buffer.data = +- (unsigned long)vb2_plane_vaddr(vb, 0) + ctx->out_q.sof; ++ (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sof; + jpeg_buffer.curr = 0; + + skip(&jpeg_buffer, 5); /* P, Y, X */ +@@ -920,14 +920,14 @@ static void exynos4_jpeg_parse_decode_q_tbl(struct s5p_jpeg_ctx *ctx) + static void exynos4_jpeg_parse_q_tbl(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); ++ struct vb2_v4l2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + struct s5p_jpeg_buffer jpeg_buffer; + unsigned int word; + int c, i, j; + + for (j = 0; j < ctx->out_q.dqt.n; ++j) { + jpeg_buffer.size = ctx->out_q.dqt.len[j]; +- jpeg_buffer.data = (unsigned long)vb2_plane_vaddr(vb, 0) + ++ jpeg_buffer.data = (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + + ctx->out_q.dqt.marker[j]; + jpeg_buffer.curr = 0; + +@@ -2072,15 +2072,15 @@ static void s5p_jpeg_device_run(void *priv) + { + struct s5p_jpeg_ctx *ctx = priv; + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *src_buf, *dst_buf; ++ struct vb2_v4l2_buffer *src_buf, *dst_buf; + unsigned long src_addr, dst_addr, flags; + + spin_lock_irqsave(&ctx->jpeg->slock, flags); + + src_buf = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + dst_buf = v4l2_m2m_next_dst_buf(ctx->fh.m2m_ctx); +- src_addr = vb2_dma_contig_plane_dma_addr(src_buf, 0); +- dst_addr = vb2_dma_contig_plane_dma_addr(dst_buf, 0); ++ src_addr = vb2_dma_contig_plane_dma_addr(&src_buf->vb2_buf, 0); ++ dst_addr = vb2_dma_contig_plane_dma_addr(&dst_buf->vb2_buf, 0); + + s5p_jpeg_reset(jpeg->regs); + s5p_jpeg_poweron(jpeg->regs); +@@ -2153,7 +2153,7 @@ static void exynos4_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; + struct s5p_jpeg_fmt *fmt; +- struct vb2_buffer *vb; ++ struct vb2_v4l2_buffer *vb; + struct s5p_jpeg_addr jpeg_addr = {}; + u32 pix_size, padding_bytes = 0; + +@@ -2172,7 +2172,7 @@ static void exynos4_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + vb = v4l2_m2m_next_dst_buf(ctx->fh.m2m_ctx); + } + +- jpeg_addr.y = vb2_dma_contig_plane_dma_addr(vb, 0); ++ jpeg_addr.y = vb2_dma_contig_plane_dma_addr(&vb->vb2_buf, 0); + + if (fmt->colplanes == 2) { + jpeg_addr.cb = jpeg_addr.y + pix_size - padding_bytes; +@@ -2190,7 +2190,7 @@ static void exynos4_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + static void exynos4_jpeg_set_jpeg_addr(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb; ++ struct vb2_v4l2_buffer *vb; + unsigned int jpeg_addr = 0; + + if (ctx->mode == S5P_JPEG_ENCODE) +@@ -2198,7 +2198,7 @@ static void exynos4_jpeg_set_jpeg_addr(struct s5p_jpeg_ctx *ctx) + else + vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + +- jpeg_addr = vb2_dma_contig_plane_dma_addr(vb, 0); ++ jpeg_addr = vb2_dma_contig_plane_dma_addr(&vb->vb2_buf, 0); + if (jpeg->variant->version == SJPEG_EXYNOS5433 && + ctx->mode == S5P_JPEG_DECODE) + jpeg_addr += ctx->out_q.sos; +@@ -2314,7 +2314,7 @@ static void exynos3250_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; + struct s5p_jpeg_fmt *fmt; +- struct vb2_buffer *vb; ++ struct vb2_v4l2_buffer *vb; + struct s5p_jpeg_addr jpeg_addr = {}; + u32 pix_size; + +@@ -2328,7 +2328,7 @@ static void exynos3250_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + fmt = ctx->cap_q.fmt; + } + +- jpeg_addr.y = vb2_dma_contig_plane_dma_addr(vb, 0); ++ jpeg_addr.y = vb2_dma_contig_plane_dma_addr(&vb->vb2_buf, 0); + + if (fmt->colplanes == 2) { + jpeg_addr.cb = jpeg_addr.y + pix_size; +@@ -2346,7 +2346,7 @@ static void exynos3250_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + static void exynos3250_jpeg_set_jpeg_addr(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb; ++ struct vb2_v4l2_buffer *vb; + unsigned int jpeg_addr = 0; + + if (ctx->mode == S5P_JPEG_ENCODE) +@@ -2354,7 +2354,7 @@ static void exynos3250_jpeg_set_jpeg_addr(struct s5p_jpeg_ctx *ctx) + else + vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + +- jpeg_addr = vb2_dma_contig_plane_dma_addr(vb, 0); ++ jpeg_addr = vb2_dma_contig_plane_dma_addr(&vb->vb2_buf, 0); + exynos3250_jpeg_jpgadr(jpeg->regs, jpeg_addr); + } + +-- +2.19.1 + diff --git a/queue-4.14/media-sh_veu-correct-return-type-for-mem2mem-buffer-.patch b/queue-4.14/media-sh_veu-correct-return-type-for-mem2mem-buffer-.patch new file mode 100644 index 00000000000..e0b193487a1 --- /dev/null +++ b/queue-4.14/media-sh_veu-correct-return-type-for-mem2mem-buffer-.patch @@ -0,0 +1,57 @@ +From ce68f5ef5deb02469b18b518d0e7d9c14c49fe07 Mon Sep 17 00:00:00 2001 +From: Ezequiel Garcia +Date: Fri, 8 Feb 2019 11:17:46 -0500 +Subject: media: sh_veu: Correct return type for mem2mem buffer helpers + +[ Upstream commit 43c145195c7fc3025ee7ecfc67112ac1c82af7c2 ] + +Fix the assigned type of mem2mem buffer handling API. +Namely, these functions: + + v4l2_m2m_next_buf + v4l2_m2m_last_buf + v4l2_m2m_buf_remove + v4l2_m2m_next_src_buf + v4l2_m2m_next_dst_buf + v4l2_m2m_last_src_buf + v4l2_m2m_last_dst_buf + v4l2_m2m_src_buf_remove + v4l2_m2m_dst_buf_remove + +return a struct vb2_v4l2_buffer, and not a struct vb2_buffer. + +Fixing this is necessary to fix the mem2mem buffer handling API, +changing the return to the correct struct vb2_v4l2_buffer instead +of a void pointer. + +Signed-off-by: Ezequiel Garcia +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sh_veu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/sh_veu.c b/drivers/media/platform/sh_veu.c +index 15a562af13c7..a4f593220ef0 100644 +--- a/drivers/media/platform/sh_veu.c ++++ b/drivers/media/platform/sh_veu.c +@@ -276,13 +276,13 @@ static void sh_veu_process(struct sh_veu_dev *veu, + static void sh_veu_device_run(void *priv) + { + struct sh_veu_dev *veu = priv; +- struct vb2_buffer *src_buf, *dst_buf; ++ struct vb2_v4l2_buffer *src_buf, *dst_buf; + + src_buf = v4l2_m2m_next_src_buf(veu->m2m_ctx); + dst_buf = v4l2_m2m_next_dst_buf(veu->m2m_ctx); + + if (src_buf && dst_buf) +- sh_veu_process(veu, src_buf, dst_buf); ++ sh_veu_process(veu, &src_buf->vb2_buf, &dst_buf->vb2_buf); + } + + /* ========== video ioctls ========== */ +-- +2.19.1 + diff --git a/queue-4.14/mlxsw-spectrum-avoid-wformat-truncation-warnings.patch b/queue-4.14/mlxsw-spectrum-avoid-wformat-truncation-warnings.patch new file mode 100644 index 00000000000..99109c5cbc2 --- /dev/null +++ b/queue-4.14/mlxsw-spectrum-avoid-wformat-truncation-warnings.patch @@ -0,0 +1,70 @@ +From e27eb3038f0e6e94e9e40d51fdf127108c0dbf65 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Thu, 21 Feb 2019 20:09:26 -0800 +Subject: mlxsw: spectrum: Avoid -Wformat-truncation warnings + +[ Upstream commit ab2c4e2581ad32c28627235ff0ae8c5a5ea6899f ] + +Give precision identifiers to the two snprintf() formatting the priority +and TC strings to avoid producing these two warnings: + +drivers/net/ethernet/mellanox/mlxsw/spectrum.c: In function +'mlxsw_sp_port_get_prio_strings': +drivers/net/ethernet/mellanox/mlxsw/spectrum.c:2132:37: warning: '%d' +directive output may be truncated writing between 1 and 3 bytes into a +region of size between 0 and 31 [-Wformat-truncation=] + snprintf(*p, ETH_GSTRING_LEN, "%s_%d", + ^~ +drivers/net/ethernet/mellanox/mlxsw/spectrum.c:2132:3: note: 'snprintf' +output between 3 and 36 bytes into a destination of size 32 + snprintf(*p, ETH_GSTRING_LEN, "%s_%d", + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + mlxsw_sp_port_hw_prio_stats[i].str, prio); + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/net/ethernet/mellanox/mlxsw/spectrum.c: In function +'mlxsw_sp_port_get_tc_strings': +drivers/net/ethernet/mellanox/mlxsw/spectrum.c:2143:37: warning: '%d' +directive output may be truncated writing between 1 and 11 bytes into a +region of size between 0 and 31 [-Wformat-truncation=] + snprintf(*p, ETH_GSTRING_LEN, "%s_%d", + ^~ +drivers/net/ethernet/mellanox/mlxsw/spectrum.c:2143:3: note: 'snprintf' +output between 3 and 44 bytes into a destination of size 32 + snprintf(*p, ETH_GSTRING_LEN, "%s_%d", + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + mlxsw_sp_port_hw_tc_stats[i].str, tc); + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Florian Fainelli +Reviewed-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c +index 8ff92649f9ce..29d37355d8c6 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c +@@ -2019,7 +2019,7 @@ static void mlxsw_sp_port_get_prio_strings(u8 **p, int prio) + int i; + + for (i = 0; i < MLXSW_SP_PORT_HW_PRIO_STATS_LEN; i++) { +- snprintf(*p, ETH_GSTRING_LEN, "%s_%d", ++ snprintf(*p, ETH_GSTRING_LEN, "%.29s_%.1d", + mlxsw_sp_port_hw_prio_stats[i].str, prio); + *p += ETH_GSTRING_LEN; + } +@@ -2030,7 +2030,7 @@ static void mlxsw_sp_port_get_tc_strings(u8 **p, int tc) + int i; + + for (i = 0; i < MLXSW_SP_PORT_HW_TC_STATS_LEN; i++) { +- snprintf(*p, ETH_GSTRING_LEN, "%s_%d", ++ snprintf(*p, ETH_GSTRING_LEN, "%.29s_%.1d", + mlxsw_sp_port_hw_tc_stats[i].str, tc); + *p += ETH_GSTRING_LEN; + } +-- +2.19.1 + diff --git a/queue-4.14/mm-cma.c-cma_declare_contiguous-correct-err-handling.patch b/queue-4.14/mm-cma.c-cma_declare_contiguous-correct-err-handling.patch new file mode 100644 index 00000000000..f896786a0b3 --- /dev/null +++ b/queue-4.14/mm-cma.c-cma_declare_contiguous-correct-err-handling.patch @@ -0,0 +1,59 @@ +From 9ed7db52cdb67bdd7e2d128d7b213ceed7d9465f Mon Sep 17 00:00:00 2001 +From: Peng Fan +Date: Tue, 5 Mar 2019 15:49:50 -0800 +Subject: mm/cma.c: cma_declare_contiguous: correct err handling + +[ Upstream commit 0d3bd18a5efd66097ef58622b898d3139790aa9d ] + +In case cma_init_reserved_mem failed, need to free the memblock +allocated by memblock_reserve or memblock_alloc_range. + +Quote Catalin's comments: + https://lkml.org/lkml/2019/2/26/482 + +Kmemleak is supposed to work with the memblock_{alloc,free} pair and it +ignores the memblock_reserve() as a memblock_alloc() implementation +detail. It is, however, tolerant to memblock_free() being called on +a sub-range or just a different range from a previous memblock_alloc(). +So the original patch looks fine to me. FWIW: + +Link: http://lkml.kernel.org/r/20190227144631.16708-1-peng.fan@nxp.com +Signed-off-by: Peng Fan +Reviewed-by: Catalin Marinas +Reviewed-by: Mike Rapoport +Cc: Laura Abbott +Cc: Joonsoo Kim +Cc: Michal Hocko +Cc: Vlastimil Babka +Cc: Marek Szyprowski +Cc: Andrey Konovalov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/cma.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/mm/cma.c b/mm/cma.c +index 022e52bd8370..5749c9b3b5d0 100644 +--- a/mm/cma.c ++++ b/mm/cma.c +@@ -348,12 +348,14 @@ int __init cma_declare_contiguous(phys_addr_t base, + + ret = cma_init_reserved_mem(base, size, order_per_bit, name, res_cma); + if (ret) +- goto err; ++ goto free_mem; + + pr_info("Reserved %ld MiB at %pa\n", (unsigned long)size / SZ_1M, + &base); + return 0; + ++free_mem: ++ memblock_free(base, size); + err: + pr_err("Failed to reserve %ld MiB\n", (unsigned long)size / SZ_1M); + return ret; +-- +2.19.1 + diff --git a/queue-4.14/mm-mempolicy-fix-uninit-memory-access.patch b/queue-4.14/mm-mempolicy-fix-uninit-memory-access.patch new file mode 100644 index 00000000000..a8415914ba6 --- /dev/null +++ b/queue-4.14/mm-mempolicy-fix-uninit-memory-access.patch @@ -0,0 +1,95 @@ +From a6edfd2bddd3582d3ac886856ce894de48f35842 Mon Sep 17 00:00:00 2001 +From: Vlastimil Babka +Date: Tue, 5 Mar 2019 15:46:50 -0800 +Subject: mm, mempolicy: fix uninit memory access + +[ Upstream commit 2e25644e8da4ed3a27e7b8315aaae74660be72dc ] + +Syzbot with KMSAN reports (excerpt): + +================================================================== +BUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:353 [inline] +BUG: KMSAN: uninit-value in mpol_rebind_mm+0x249/0x370 mm/mempolicy.c:384 +CPU: 1 PID: 17420 Comm: syz-executor4 Not tainted 4.20.0-rc7+ #15 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x173/0x1d0 lib/dump_stack.c:113 + kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613 + __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:295 + mpol_rebind_policy mm/mempolicy.c:353 [inline] + mpol_rebind_mm+0x249/0x370 mm/mempolicy.c:384 + update_tasks_nodemask+0x608/0xca0 kernel/cgroup/cpuset.c:1120 + update_nodemasks_hier kernel/cgroup/cpuset.c:1185 [inline] + update_nodemask kernel/cgroup/cpuset.c:1253 [inline] + cpuset_write_resmask+0x2a98/0x34b0 kernel/cgroup/cpuset.c:1728 + +... + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline] + kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158 + kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176 + kmem_cache_alloc+0x572/0xb90 mm/slub.c:2777 + mpol_new mm/mempolicy.c:276 [inline] + do_mbind mm/mempolicy.c:1180 [inline] + kernel_mbind+0x8a7/0x31a0 mm/mempolicy.c:1347 + __do_sys_mbind mm/mempolicy.c:1354 [inline] + +As it's difficult to report where exactly the uninit value resides in +the mempolicy object, we have to guess a bit. mm/mempolicy.c:353 +contains this part of mpol_rebind_policy(): + + if (!mpol_store_user_nodemask(pol) && + nodes_equal(pol->w.cpuset_mems_allowed, *newmask)) + +"mpol_store_user_nodemask(pol)" is testing pol->flags, which I couldn't +ever see being uninitialized after leaving mpol_new(). So I'll guess +it's actually about accessing pol->w.cpuset_mems_allowed on line 354, +but still part of statement starting on line 353. + +For w.cpuset_mems_allowed to be not initialized, and the nodes_equal() +reachable for a mempolicy where mpol_set_nodemask() is called in +do_mbind(), it seems the only possibility is a MPOL_PREFERRED policy +with empty set of nodes, i.e. MPOL_LOCAL equivalent, with MPOL_F_LOCAL +flag. Let's exclude such policies from the nodes_equal() check. Note +the uninit access should be benign anyway, as rebinding this kind of +policy is always a no-op. Therefore no actual need for stable +inclusion. + +Link: http://lkml.kernel.org/r/a71997c3-e8ae-a787-d5ce-3db05768b27c@suse.cz +Link: http://lkml.kernel.org/r/73da3e9c-cc84-509e-17d9-0c434bb9967d@suse.cz +Signed-off-by: Vlastimil Babka +Reported-by: syzbot+b19c2dc2c990ea657a71@syzkaller.appspotmail.com +Cc: Alexander Potapenko +Cc: Dmitry Vyukov +Cc: Andrea Arcangeli +Cc: "Kirill A. Shutemov" +Cc: Michal Hocko +Cc: David Rientjes +Cc: Yisheng Xie +Cc: zhong jiang +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/mempolicy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mm/mempolicy.c b/mm/mempolicy.c +index 1528c0b8d9bd..6ca0225335eb 100644 +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -349,7 +349,7 @@ static void mpol_rebind_policy(struct mempolicy *pol, const nodemask_t *newmask) + { + if (!pol) + return; +- if (!mpol_store_user_nodemask(pol) && ++ if (!mpol_store_user_nodemask(pol) && !(pol->flags & MPOL_F_LOCAL) && + nodes_equal(pol->w.cpuset_mems_allowed, *newmask)) + return; + +-- +2.19.1 + diff --git a/queue-4.14/mm-page_ext.c-fix-an-imbalance-with-kmemleak.patch b/queue-4.14/mm-page_ext.c-fix-an-imbalance-with-kmemleak.patch new file mode 100644 index 00000000000..385468ac3d2 --- /dev/null +++ b/queue-4.14/mm-page_ext.c-fix-an-imbalance-with-kmemleak.patch @@ -0,0 +1,82 @@ +From 0160d2bef271b3ef4b0fcb567aedf424e18181a7 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Tue, 5 Mar 2019 15:49:46 -0800 +Subject: mm/page_ext.c: fix an imbalance with kmemleak + +[ Upstream commit 0c81585499601acd1d0e1cbf424cabfaee60628c ] + +After offlining a memory block, kmemleak scan will trigger a crash, as +it encounters a page ext address that has already been freed during +memory offlining. At the beginning in alloc_page_ext(), it calls +kmemleak_alloc(), but it does not call kmemleak_free() in +free_page_ext(). + + BUG: unable to handle kernel paging request at ffff888453d00000 + PGD 128a01067 P4D 128a01067 PUD 128a04067 PMD 47e09e067 PTE 800ffffbac2ff060 + Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI + CPU: 1 PID: 1594 Comm: bash Not tainted 5.0.0-rc8+ #15 + Hardware name: HP ProLiant DL180 Gen9/ProLiant DL180 Gen9, BIOS U20 10/25/2017 + RIP: 0010:scan_block+0xb5/0x290 + Code: 85 6e 01 00 00 48 b8 00 00 30 f5 81 88 ff ff 48 39 c3 0f 84 5b 01 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 0f 85 87 01 00 00 <4c> 8b 3b e8 f3 0c fa ff 4c 39 3d 0c 6b 4c 01 0f 87 08 01 00 00 4c + RSP: 0018:ffff8881ec57f8e0 EFLAGS: 00010082 + RAX: 0000000000000000 RBX: ffff888453d00000 RCX: ffffffffa61e5a54 + RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff888453d00000 + RBP: ffff8881ec57f920 R08: fffffbfff4ed588d R09: fffffbfff4ed588c + R10: fffffbfff4ed588c R11: ffffffffa76ac463 R12: dffffc0000000000 + R13: ffff888453d00ff9 R14: ffff8881f80cef48 R15: ffff8881f80cef48 + FS: 00007f6c0e3f8740(0000) GS:ffff8881f7680000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffff888453d00000 CR3: 00000001c4244003 CR4: 00000000001606a0 + Call Trace: + scan_gray_list+0x269/0x430 + kmemleak_scan+0x5a8/0x10f0 + kmemleak_write+0x541/0x6ca + full_proxy_write+0xf8/0x190 + __vfs_write+0xeb/0x980 + vfs_write+0x15a/0x4f0 + ksys_write+0xd2/0x1b0 + __x64_sys_write+0x73/0xb0 + do_syscall_64+0xeb/0xaaa + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x7f6c0dad73b8 + Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 65 63 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 + RSP: 002b:00007ffd5b863cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 + RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f6c0dad73b8 + RDX: 0000000000000005 RSI: 000055a9216e1710 RDI: 0000000000000001 + RBP: 000055a9216e1710 R08: 000000000000000a R09: 00007ffd5b863840 + R10: 000000000000000a R11: 0000000000000246 R12: 00007f6c0dda9780 + R13: 0000000000000005 R14: 00007f6c0dda4740 R15: 0000000000000005 + Modules linked in: nls_iso8859_1 nls_cp437 vfat fat kvm_intel kvm irqbypass efivars ip_tables x_tables xfs sd_mod ahci libahci igb i2c_algo_bit libata i2c_core dm_mirror dm_region_hash dm_log dm_mod efivarfs + CR2: ffff888453d00000 + ---[ end trace ccf646c7456717c5 ]--- + Kernel panic - not syncing: Fatal exception + Shutting down cpus with NMI + Kernel Offset: 0x24c00000 from 0xffffffff81000000 (relocation range: + 0xffffffff80000000-0xffffffffbfffffff) + ---[ end Kernel panic - not syncing: Fatal exception ]--- + +Link: http://lkml.kernel.org/r/20190227173147.75650-1-cai@lca.pw +Signed-off-by: Qian Cai +Reviewed-by: Catalin Marinas +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/page_ext.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/mm/page_ext.c b/mm/page_ext.c +index 2c44f5b78435..dece2bdf86fe 100644 +--- a/mm/page_ext.c ++++ b/mm/page_ext.c +@@ -271,6 +271,7 @@ static void free_page_ext(void *addr) + table_size = get_entry_size() * PAGES_PER_SECTION; + + BUG_ON(PageReserved(page)); ++ kmemleak_free(addr); + free_pages_exact(addr, table_size); + } + } +-- +2.19.1 + diff --git a/queue-4.14/mm-slab.c-kmemleak-no-scan-alien-caches.patch b/queue-4.14/mm-slab.c-kmemleak-no-scan-alien-caches.patch new file mode 100644 index 00000000000..d05328107eb --- /dev/null +++ b/queue-4.14/mm-slab.c-kmemleak-no-scan-alien-caches.patch @@ -0,0 +1,151 @@ +From 158cc58764359f2b91f5183fdd38244eea303c7a Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Tue, 5 Mar 2019 15:42:03 -0800 +Subject: mm/slab.c: kmemleak no scan alien caches + +[ Upstream commit 92d1d07daad65c300c7d0b68bbef8867e9895d54 ] + +Kmemleak throws endless warnings during boot due to in +__alloc_alien_cache(), + + alc = kmalloc_node(memsize, gfp, node); + init_arraycache(&alc->ac, entries, batch); + kmemleak_no_scan(ac); + +Kmemleak does not track the array cache (alc->ac) but the alien cache +(alc) instead, so let it track the latter by lifting kmemleak_no_scan() +out of init_arraycache(). + +There is another place that calls init_arraycache(), but +alloc_kmem_cache_cpus() uses the percpu allocation where will never be +considered as a leak. + + kmemleak: Found object by alias at 0xffff8007b9aa7e38 + CPU: 190 PID: 1 Comm: swapper/0 Not tainted 5.0.0-rc2+ #2 + Call trace: + dump_backtrace+0x0/0x168 + show_stack+0x24/0x30 + dump_stack+0x88/0xb0 + lookup_object+0x84/0xac + find_and_get_object+0x84/0xe4 + kmemleak_no_scan+0x74/0xf4 + setup_kmem_cache_node+0x2b4/0x35c + __do_tune_cpucache+0x250/0x2d4 + do_tune_cpucache+0x4c/0xe4 + enable_cpucache+0xc8/0x110 + setup_cpu_cache+0x40/0x1b8 + __kmem_cache_create+0x240/0x358 + create_cache+0xc0/0x198 + kmem_cache_create_usercopy+0x158/0x20c + kmem_cache_create+0x50/0x64 + fsnotify_init+0x58/0x6c + do_one_initcall+0x194/0x388 + kernel_init_freeable+0x668/0x688 + kernel_init+0x18/0x124 + ret_from_fork+0x10/0x18 + kmemleak: Object 0xffff8007b9aa7e00 (size 256): + kmemleak: comm "swapper/0", pid 1, jiffies 4294697137 + kmemleak: min_count = 1 + kmemleak: count = 0 + kmemleak: flags = 0x1 + kmemleak: checksum = 0 + kmemleak: backtrace: + kmemleak_alloc+0x84/0xb8 + kmem_cache_alloc_node_trace+0x31c/0x3a0 + __kmalloc_node+0x58/0x78 + setup_kmem_cache_node+0x26c/0x35c + __do_tune_cpucache+0x250/0x2d4 + do_tune_cpucache+0x4c/0xe4 + enable_cpucache+0xc8/0x110 + setup_cpu_cache+0x40/0x1b8 + __kmem_cache_create+0x240/0x358 + create_cache+0xc0/0x198 + kmem_cache_create_usercopy+0x158/0x20c + kmem_cache_create+0x50/0x64 + fsnotify_init+0x58/0x6c + do_one_initcall+0x194/0x388 + kernel_init_freeable+0x668/0x688 + kernel_init+0x18/0x124 + kmemleak: Not scanning unknown object at 0xffff8007b9aa7e38 + CPU: 190 PID: 1 Comm: swapper/0 Not tainted 5.0.0-rc2+ #2 + Call trace: + dump_backtrace+0x0/0x168 + show_stack+0x24/0x30 + dump_stack+0x88/0xb0 + kmemleak_no_scan+0x90/0xf4 + setup_kmem_cache_node+0x2b4/0x35c + __do_tune_cpucache+0x250/0x2d4 + do_tune_cpucache+0x4c/0xe4 + enable_cpucache+0xc8/0x110 + setup_cpu_cache+0x40/0x1b8 + __kmem_cache_create+0x240/0x358 + create_cache+0xc0/0x198 + kmem_cache_create_usercopy+0x158/0x20c + kmem_cache_create+0x50/0x64 + fsnotify_init+0x58/0x6c + do_one_initcall+0x194/0x388 + kernel_init_freeable+0x668/0x688 + kernel_init+0x18/0x124 + ret_from_fork+0x10/0x18 + +Link: http://lkml.kernel.org/r/20190129184518.39808-1-cai@lca.pw +Fixes: 1fe00d50a9e8 ("slab: factor out initialization of array cache") +Signed-off-by: Qian Cai +Reviewed-by: Andrew Morton +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: Catalin Marinas +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/slab.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/mm/slab.c b/mm/slab.c +index 09df506ae830..f4658468b23e 100644 +--- a/mm/slab.c ++++ b/mm/slab.c +@@ -563,14 +563,6 @@ static void start_cpu_timer(int cpu) + + static void init_arraycache(struct array_cache *ac, int limit, int batch) + { +- /* +- * The array_cache structures contain pointers to free object. +- * However, when such objects are allocated or transferred to another +- * cache the pointers are not cleared and they could be counted as +- * valid references during a kmemleak scan. Therefore, kmemleak must +- * not scan such objects. +- */ +- kmemleak_no_scan(ac); + if (ac) { + ac->avail = 0; + ac->limit = limit; +@@ -586,6 +578,14 @@ static struct array_cache *alloc_arraycache(int node, int entries, + struct array_cache *ac = NULL; + + ac = kmalloc_node(memsize, gfp, node); ++ /* ++ * The array_cache structures contain pointers to free object. ++ * However, when such objects are allocated or transferred to another ++ * cache the pointers are not cleared and they could be counted as ++ * valid references during a kmemleak scan. Therefore, kmemleak must ++ * not scan such objects. ++ */ ++ kmemleak_no_scan(ac); + init_arraycache(ac, entries, batchcount); + return ac; + } +@@ -680,6 +680,7 @@ static struct alien_cache *__alloc_alien_cache(int node, int entries, + + alc = kmalloc_node(memsize, gfp, node); + if (alc) { ++ kmemleak_no_scan(alc); + init_arraycache(&alc->ac, entries, batch); + spin_lock_init(&alc->lock); + } +-- +2.19.1 + diff --git a/queue-4.14/mm-vmalloc.c-fix-kernel-bug-at-mm-vmalloc.c-512.patch b/queue-4.14/mm-vmalloc.c-fix-kernel-bug-at-mm-vmalloc.c-512.patch new file mode 100644 index 00000000000..78db6997abb --- /dev/null +++ b/queue-4.14/mm-vmalloc.c-fix-kernel-bug-at-mm-vmalloc.c-512.patch @@ -0,0 +1,62 @@ +From 589573fb8ded5e111e86f71bbec495c47039a7a0 Mon Sep 17 00:00:00 2001 +From: "Uladzislau Rezki (Sony)" +Date: Tue, 5 Mar 2019 15:45:59 -0800 +Subject: mm/vmalloc.c: fix kernel BUG at mm/vmalloc.c:512! + +[ Upstream commit afd07389d3f4933c7f7817a92fb5e053d59a3182 ] + +One of the vmalloc stress test case triggers the kernel BUG(): + + + [60.562151] ------------[ cut here ]------------ + [60.562154] kernel BUG at mm/vmalloc.c:512! + [60.562206] invalid opcode: 0000 [#1] PREEMPT SMP PTI + [60.562247] CPU: 0 PID: 430 Comm: vmalloc_test/0 Not tainted 4.20.0+ #161 + [60.562293] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 + [60.562351] RIP: 0010:alloc_vmap_area+0x36f/0x390 + + +it can happen due to big align request resulting in overflowing of +calculated address, i.e. it becomes 0 after ALIGN()'s fixup. + +Fix it by checking if calculated address is within vstart/vend range. + +Link: http://lkml.kernel.org/r/20190124115648.9433-2-urezki@gmail.com +Signed-off-by: Uladzislau Rezki (Sony) +Reviewed-by: Andrew Morton +Cc: Ingo Molnar +Cc: Joel Fernandes +Cc: Matthew Wilcox +Cc: Michal Hocko +Cc: Oleksiy Avramchenko +Cc: Steven Rostedt +Cc: Tejun Heo +Cc: Thomas Garnier +Cc: Thomas Gleixner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/vmalloc.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/mm/vmalloc.c b/mm/vmalloc.c +index 8d9f636d0c98..6c906f6f16cc 100644 +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -498,7 +498,11 @@ nocache: + } + + found: +- if (addr + size > vend) ++ /* ++ * Check also calculated address against the vstart, ++ * because it can be 0 because of big align request. ++ */ ++ if (addr + size > vend || addr < vstart) + goto overflow; + + va->va_start = addr; +-- +2.19.1 + diff --git a/queue-4.14/mmc-omap-fix-the-maximum-timeout-setting.patch b/queue-4.14/mmc-omap-fix-the-maximum-timeout-setting.patch new file mode 100644 index 00000000000..69a541280e7 --- /dev/null +++ b/queue-4.14/mmc-omap-fix-the-maximum-timeout-setting.patch @@ -0,0 +1,51 @@ +From 43b3480a33711620b34c3dd284d597bfde338735 Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sun, 3 Feb 2019 00:14:33 +0200 +Subject: mmc: omap: fix the maximum timeout setting + +[ Upstream commit a6327b5e57fdc679c842588c3be046c0b39cc127 ] + +When running OMAP1 kernel on QEMU, MMC access is annoyingly noisy: + + MMC: CTO of 0xff and 0xfe cannot be used! + MMC: CTO of 0xff and 0xfe cannot be used! + MMC: CTO of 0xff and 0xfe cannot be used! + [ad inf.] + +Emulator warnings appear to be valid. The TI document SPRU680 [1] +("OMAP5910 Dual-Core Processor MultiMedia Card/Secure Data Memory Card +(MMC/SD) Reference Guide") page 36 states that the maximum timeout is 253 +cycles and "0xff and 0xfe cannot be used". + +Fix by using 0xfd as the maximum timeout. + +Tested using QEMU 2.5 (Siemens SX1 machine, OMAP310), and also checked on +real hardware using Palm TE (OMAP310), Nokia 770 (OMAP1710) and Nokia N810 +(OMAP2420) that MMC works as before. + +[1] http://www.ti.com/lit/ug/spru680/spru680.pdf + +Fixes: 730c9b7e6630f ("[MMC] Add OMAP MMC host driver") +Signed-off-by: Aaro Koskinen +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/omap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/omap.c b/drivers/mmc/host/omap.c +index c28c51ad650f..f11245a0521c 100644 +--- a/drivers/mmc/host/omap.c ++++ b/drivers/mmc/host/omap.c +@@ -920,7 +920,7 @@ static inline void set_cmd_timeout(struct mmc_omap_host *host, struct mmc_reques + reg &= ~(1 << 5); + OMAP_MMC_WRITE(host, SDIO, reg); + /* Set maximum timeout */ +- OMAP_MMC_WRITE(host, CTO, 0xff); ++ OMAP_MMC_WRITE(host, CTO, 0xfd); + } + + static inline void set_data_timeout(struct mmc_omap_host *host, struct mmc_request *req) +-- +2.19.1 + diff --git a/queue-4.14/mt7601u-bump-supported-eeprom-version.patch b/queue-4.14/mt7601u-bump-supported-eeprom-version.patch new file mode 100644 index 00000000000..2dc16d829fc --- /dev/null +++ b/queue-4.14/mt7601u-bump-supported-eeprom-version.patch @@ -0,0 +1,61 @@ +From 503a440200b2d65293895671ee0406bd806cee50 Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Tue, 22 Jan 2019 13:47:54 +0100 +Subject: mt7601u: bump supported EEPROM version + +[ Upstream commit 3bd1505fed71d834f45e87b32ff07157fdda47e0 ] + +As reported by Michael eeprom 0d is supported and work with the driver. + +Dump of /sys/kernel/debug/ieee80211/phy1/mt7601u/eeprom_param +with 0d EEPORM looks like this: + +RSSI offset: 0 0 +Reference temp: f9 +LNA gain: 8 +Reg channels: 1-14 +Per rate power: + raw:05 bw20:05 bw40:05 + raw:05 bw20:05 bw40:05 + raw:03 bw20:03 bw40:03 + raw:03 bw20:03 bw40:03 + raw:04 bw20:04 bw40:04 + raw:00 bw20:00 bw40:00 + raw:00 bw20:00 bw40:00 + raw:00 bw20:00 bw40:00 + raw:02 bw20:02 bw40:02 + raw:00 bw20:00 bw40:00 +Per channel power: + tx_power ch1:09 ch2:09 + tx_power ch3:0a ch4:0a + tx_power ch5:0a ch6:0a + tx_power ch7:0b ch8:0b + tx_power ch9:0b ch10:0b + tx_power ch11:0b ch12:0b + tx_power ch13:0b ch14:0b + +Reported-and-tested-by: Michael +Signed-off-by: Stanislaw Gruszka +Acked-by: Jakub Kicinski +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt7601u/eeprom.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt7601u/eeprom.h b/drivers/net/wireless/mediatek/mt7601u/eeprom.h +index 662d12703b69..57b503ae63f1 100644 +--- a/drivers/net/wireless/mediatek/mt7601u/eeprom.h ++++ b/drivers/net/wireless/mediatek/mt7601u/eeprom.h +@@ -17,7 +17,7 @@ + + struct mt7601u_dev; + +-#define MT7601U_EE_MAX_VER 0x0c ++#define MT7601U_EE_MAX_VER 0x0d + #define MT7601U_EEPROM_SIZE 256 + + #define MT7601U_DEFAULT_TX_POWER 6 +-- +2.19.1 + diff --git a/queue-4.14/net-mlx5-avoid-panic-when-setting-vport-mac-getting-.patch b/queue-4.14/net-mlx5-avoid-panic-when-setting-vport-mac-getting-.patch new file mode 100644 index 00000000000..c43a6c457a3 --- /dev/null +++ b/queue-4.14/net-mlx5-avoid-panic-when-setting-vport-mac-getting-.patch @@ -0,0 +1,80 @@ +From 80592284322c3234de75720a8d82c671bf3d182d Mon Sep 17 00:00:00 2001 +From: Tonghao Zhang +Date: Mon, 4 Mar 2019 00:27:15 -0800 +Subject: net/mlx5: Avoid panic when setting vport mac, getting vport config + +[ Upstream commit 6e77c413e8e73d0f36b5358b601389d75ec4451c ] + +If we try to set VFs mac address on a VF (not PF) net device, +the kernel will be crash. The commands are show as below: + +$ echo 2 > /sys/class/net/$MLX_PF0/device/sriov_numvfs +$ ip link set $MLX_VF0 vf 0 mac 00:11:22:33:44:00 + +[exception RIP: mlx5_eswitch_set_vport_mac+41] +[ffffb8b7079e3688] do_setlink at ffffffff8f67f85b +[ffffb8b7079e37a8] __rtnl_newlink at ffffffff8f683778 +[ffffb8b7079e3b68] rtnl_newlink at ffffffff8f683a63 +[ffffb8b7079e3b90] rtnetlink_rcv_msg at ffffffff8f67d812 +[ffffb8b7079e3c10] netlink_rcv_skb at ffffffff8f6b88ab +[ffffb8b7079e3c60] netlink_unicast at ffffffff8f6b808f +[ffffb8b7079e3ca0] netlink_sendmsg at ffffffff8f6b8412 +[ffffb8b7079e3d18] sock_sendmsg at ffffffff8f6452f6 +[ffffb8b7079e3d30] ___sys_sendmsg at ffffffff8f645860 +[ffffb8b7079e3eb0] __sys_sendmsg at ffffffff8f647a38 +[ffffb8b7079e3f38] do_syscall_64 at ffffffff8f00401b +[ffffb8b7079e3f50] entry_SYSCALL_64_after_hwframe at ffffffff8f80008c + +and + +[exception RIP: mlx5_eswitch_get_vport_config+12] +[ffffa70607e57678] mlx5e_get_vf_config at ffffffffc03c7f8f [mlx5_core] +[ffffa70607e57688] do_setlink at ffffffffbc67fa59 +[ffffa70607e577a8] __rtnl_newlink at ffffffffbc683778 +[ffffa70607e57b68] rtnl_newlink at ffffffffbc683a63 +[ffffa70607e57b90] rtnetlink_rcv_msg at ffffffffbc67d812 +[ffffa70607e57c10] netlink_rcv_skb at ffffffffbc6b88ab +[ffffa70607e57c60] netlink_unicast at ffffffffbc6b808f +[ffffa70607e57ca0] netlink_sendmsg at ffffffffbc6b8412 +[ffffa70607e57d18] sock_sendmsg at ffffffffbc6452f6 +[ffffa70607e57d30] ___sys_sendmsg at ffffffffbc645860 +[ffffa70607e57eb0] __sys_sendmsg at ffffffffbc647a38 +[ffffa70607e57f38] do_syscall_64 at ffffffffbc00401b +[ffffa70607e57f50] entry_SYSCALL_64_after_hwframe at ffffffffbc80008c + +Fixes: a8d70a054a718 ("net/mlx5: E-Switch, Disallow vlan/spoofcheck setup if not being esw manager") +Cc: Eli Cohen +Signed-off-by: Tonghao Zhang +Reviewed-by: Roi Dayan +Acked-by: Saeed Mahameed +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index 2aec0c021b6c..d2914116af8e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -1719,7 +1719,7 @@ int mlx5_eswitch_set_vport_mac(struct mlx5_eswitch *esw, + u64 node_guid; + int err = 0; + +- if (!MLX5_CAP_GEN(esw->dev, vport_group_manager)) ++ if (!esw || !MLX5_CAP_GEN(esw->dev, vport_group_manager)) + return -EPERM; + if (!LEGAL_VPORT(esw, vport) || is_multicast_ether_addr(mac)) + return -EINVAL; +@@ -1793,7 +1793,7 @@ int mlx5_eswitch_get_vport_config(struct mlx5_eswitch *esw, + { + struct mlx5_vport *evport; + +- if (!MLX5_CAP_GEN(esw->dev, vport_group_manager)) ++ if (!esw || !MLX5_CAP_GEN(esw->dev, vport_group_manager)) + return -EPERM; + if (!LEGAL_VPORT(esw, vport)) + return -EINVAL; +-- +2.19.1 + diff --git a/queue-4.14/net-mlx5-avoid-panic-when-setting-vport-rate.patch b/queue-4.14/net-mlx5-avoid-panic-when-setting-vport-rate.patch new file mode 100644 index 00000000000..74f761fa288 --- /dev/null +++ b/queue-4.14/net-mlx5-avoid-panic-when-setting-vport-rate.patch @@ -0,0 +1,81 @@ +From e3b1977d1f982a3f07d2fcbde552b3a07ac94dbc Mon Sep 17 00:00:00 2001 +From: Tonghao Zhang +Date: Mon, 4 Mar 2019 00:27:16 -0800 +Subject: net/mlx5: Avoid panic when setting vport rate + +[ Upstream commit 24319258660a84dd77f4be026a55b10a12524919 ] + +If we try to set VFs rate on a VF (not PF) net device, the kernel +will be crash. The commands are show as below: + +$ echo 2 > /sys/class/net/$MLX_PF0/device/sriov_numvfs +$ ip link set $MLX_VF0 vf 0 max_tx_rate 2 min_tx_rate 1 + +If not applied the first patch ("net/mlx5: Avoid panic when setting +vport mac, getting vport config"), the command: + +$ ip link set $MLX_VF0 vf 0 rate 100 + +can also crash the kernel. + +[ 1650.006388] RIP: 0010:mlx5_eswitch_set_vport_rate+0x1f/0x260 [mlx5_core] +[ 1650.007092] do_setlink+0x982/0xd20 +[ 1650.007129] __rtnl_newlink+0x528/0x7d0 +[ 1650.007374] rtnl_newlink+0x43/0x60 +[ 1650.007407] rtnetlink_rcv_msg+0x2a2/0x320 +[ 1650.007484] netlink_rcv_skb+0xcb/0x100 +[ 1650.007519] netlink_unicast+0x17f/0x230 +[ 1650.007554] netlink_sendmsg+0x2d2/0x3d0 +[ 1650.007592] sock_sendmsg+0x36/0x50 +[ 1650.007625] ___sys_sendmsg+0x280/0x2a0 +[ 1650.007963] __sys_sendmsg+0x58/0xa0 +[ 1650.007998] do_syscall_64+0x5b/0x180 +[ 1650.009438] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: c9497c98901c ("net/mlx5: Add support for setting VF min rate") +Cc: Mohamad Haj Yahia +Signed-off-by: Tonghao Zhang +Reviewed-by: Roi Dayan +Acked-by: Saeed Mahameed +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index 2f93e6e9dc9e..2aec0c021b6c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -1966,19 +1966,24 @@ static int normalize_vports_min_rate(struct mlx5_eswitch *esw, u32 divider) + int mlx5_eswitch_set_vport_rate(struct mlx5_eswitch *esw, int vport, + u32 max_rate, u32 min_rate) + { +- u32 fw_max_bw_share = MLX5_CAP_QOS(esw->dev, max_tsar_bw_share); +- bool min_rate_supported = MLX5_CAP_QOS(esw->dev, esw_bw_share) && +- fw_max_bw_share >= MLX5_MIN_BW_SHARE; +- bool max_rate_supported = MLX5_CAP_QOS(esw->dev, esw_rate_limit); + struct mlx5_vport *evport; ++ u32 fw_max_bw_share; + u32 previous_min_rate; + u32 divider; ++ bool min_rate_supported; ++ bool max_rate_supported; + int err = 0; + + if (!ESW_ALLOWED(esw)) + return -EPERM; + if (!LEGAL_VPORT(esw, vport)) + return -EINVAL; ++ ++ fw_max_bw_share = MLX5_CAP_QOS(esw->dev, max_tsar_bw_share); ++ min_rate_supported = MLX5_CAP_QOS(esw->dev, esw_bw_share) && ++ fw_max_bw_share >= MLX5_MIN_BW_SHARE; ++ max_rate_supported = MLX5_CAP_QOS(esw->dev, esw_rate_limit); ++ + if ((min_rate && !min_rate_supported) || (max_rate && !max_rate_supported)) + return -EOPNOTSUPP; + +-- +2.19.1 + diff --git a/queue-4.14/netfilter-conntrack-fix-cloned-unconfirmed-skb-_nfct.patch b/queue-4.14/netfilter-conntrack-fix-cloned-unconfirmed-skb-_nfct.patch new file mode 100644 index 00000000000..1dc410f5b26 --- /dev/null +++ b/queue-4.14/netfilter-conntrack-fix-cloned-unconfirmed-skb-_nfct.patch @@ -0,0 +1,131 @@ +From a30e1f026b58ba33cc8e0984737396c4a0f321c7 Mon Sep 17 00:00:00 2001 +From: Chieh-Min Wang +Date: Tue, 12 Feb 2019 00:59:55 +0100 +Subject: netfilter: conntrack: fix cloned unconfirmed skb->_nfct race in + __nf_conntrack_confirm + +[ Upstream commit 13f5251fd17088170c18844534682d9cab5ff5aa ] + +For bridge(br_flood) or broadcast/multicast packets, they could clone +skb with unconfirmed conntrack which break the rule that unconfirmed +skb->_nfct is never shared. With nfqueue running on my system, the race +can be easily reproduced with following warning calltrace: + +[13257.707525] CPU: 0 PID: 12132 Comm: main Tainted: P W 4.4.60 #7744 +[13257.707568] Hardware name: Qualcomm (Flattened Device Tree) +[13257.714700] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[13257.720253] [] (show_stack) from [] (dump_stack+0x94/0xa8) +[13257.728240] [] (dump_stack) from [] (warn_slowpath_common+0x94/0xb0) +[13257.735268] [] (warn_slowpath_common) from [] (warn_slowpath_null+0x1c/0x24) +[13257.743519] [] (warn_slowpath_null) from [] (__nf_conntrack_confirm+0xa8/0x618) +[13257.752284] [] (__nf_conntrack_confirm) from [] (ipv4_confirm+0xb8/0xfc) +[13257.761049] [] (ipv4_confirm) from [] (nf_iterate+0x48/0xa8) +[13257.769725] [] (nf_iterate) from [] (nf_hook_slow+0x30/0xb0) +[13257.777108] [] (nf_hook_slow) from [] (br_nf_post_routing+0x274/0x31c) +[13257.784486] [] (br_nf_post_routing) from [] (nf_iterate+0x48/0xa8) +[13257.792556] [] (nf_iterate) from [] (nf_hook_slow+0x30/0xb0) +[13257.800458] [] (nf_hook_slow) from [] (br_forward_finish+0x94/0xa4) +[13257.808010] [] (br_forward_finish) from [] (br_nf_forward_finish+0x150/0x1ac) +[13257.815736] [] (br_nf_forward_finish) from [] (nf_reinject+0x108/0x170) +[13257.824762] [] (nf_reinject) from [] (nfqnl_recv_verdict+0x3d8/0x420) +[13257.832924] [] (nfqnl_recv_verdict) from [] (nfnetlink_rcv_msg+0x158/0x248) +[13257.841256] [] (nfnetlink_rcv_msg) from [] (netlink_rcv_skb+0x54/0xb0) +[13257.849762] [] (netlink_rcv_skb) from [] (netlink_unicast+0x148/0x23c) +[13257.858093] [] (netlink_unicast) from [] (netlink_sendmsg+0x2ec/0x368) +[13257.866348] [] (netlink_sendmsg) from [] (sock_sendmsg+0x34/0x44) +[13257.874590] [] (sock_sendmsg) from [] (___sys_sendmsg+0x1ec/0x200) +[13257.882489] [] (___sys_sendmsg) from [] (__sys_sendmsg+0x3c/0x64) +[13257.890300] [] (__sys_sendmsg) from [] (ret_fast_syscall+0x0/0x34) + +The original code just triggered the warning but do nothing. It will +caused the shared conntrack moves to the dying list and the packet be +droppped (nf_ct_resolve_clash returns NF_DROP for dying conntrack). + +- Reproduce steps: + ++----------------------------+ +| br0(bridge) | +| | ++-+---------+---------+------+ + | eth0| | eth1| | eth2| + | | | | | | + +--+--+ +--+--+ +---+-+ + | | | + | | | + +--+-+ +-+--+ +--+-+ + | PC1| | PC2| | PC3| + +----+ +----+ +----+ + +iptables -A FORWARD -m mark --mark 0x1000000/0x1000000 -j NFQUEUE --queue-num 100 --queue-bypass + +ps: Our nfq userspace program will set mark on packets whose connection +has already been processed. + +PC1 sends broadcast packets simulated by hping3: + +hping3 --rand-source --udp 192.168.1.255 -i u100 + +- Broadcast racing flow chart is as follow: + +br_handle_frame + BR_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, br_handle_frame_finish) + // skb->_nfct (unconfirmed conntrack) is constructed at PRE_ROUTING stage + br_handle_frame_finish + // check if this packet is broadcast + br_flood_forward + br_flood + list_for_each_entry_rcu(p, &br->port_list, list) // iterate through each port + maybe_deliver + deliver_clone + skb = skb_clone(skb) + __br_forward + BR_HOOK(NFPROTO_BRIDGE, NF_BR_FORWARD,...) + // queue in our nfq and received by our userspace program + // goto __nf_conntrack_confirm with process context on CPU 1 + br_pass_frame_up + BR_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,...) + // goto __nf_conntrack_confirm with softirq context on CPU 0 + +Because conntrack confirm can happen at both INPUT and POSTROUTING +stage. So with NFQUEUE running, skb->_nfct with the same unconfirmed +conntrack could race on different core. + +This patch fixes a repeating kernel splat, now it is only displayed +once. + +Signed-off-by: Chieh-Min Wang +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_core.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index f07357ba9629..06520bf30f29 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -763,10 +763,18 @@ __nf_conntrack_confirm(struct sk_buff *skb) + * REJECT will give spurious warnings here. + */ + +- /* No external references means no one else could have +- * confirmed us. ++ /* Another skb with the same unconfirmed conntrack may ++ * win the race. This may happen for bridge(br_flood) ++ * or broadcast/multicast packets do skb_clone with ++ * unconfirmed conntrack. + */ +- WARN_ON(nf_ct_is_confirmed(ct)); ++ if (unlikely(nf_ct_is_confirmed(ct))) { ++ WARN_ON_ONCE(1); ++ nf_conntrack_double_unlock(hash, reply_hash); ++ local_bh_enable(); ++ return NF_DROP; ++ } ++ + pr_debug("Confirming conntrack %p\n", ct); + /* We have to check the DYING flag after unlink to prevent + * a race against nf_ct_get_next_corpse() possibly called from +-- +2.19.1 + diff --git a/queue-4.14/netfilter-physdev-relax-br_netfilter-dependency.patch b/queue-4.14/netfilter-physdev-relax-br_netfilter-dependency.patch new file mode 100644 index 00000000000..089a15057fc --- /dev/null +++ b/queue-4.14/netfilter-physdev-relax-br_netfilter-dependency.patch @@ -0,0 +1,95 @@ +From 8f3bef3abecb660cd64bb51dbf0d5fed6d196514 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Fri, 11 Jan 2019 14:46:15 +0100 +Subject: netfilter: physdev: relax br_netfilter dependency + +[ Upstream commit 8e2f311a68494a6677c1724bdcb10bada21af37c ] + +Following command: + iptables -D FORWARD -m physdev ... +causes connectivity loss in some setups. + +Reason is that iptables userspace will probe kernel for the module revision +of the physdev patch, and physdev has an artificial dependency on +br_netfilter (xt_physdev use makes no sense unless a br_netfilter module +is loaded). + +This causes the "phydev" module to be loaded, which in turn enables the +"call-iptables" infrastructure. + +bridged packets might then get dropped by the iptables ruleset. + +The better fix would be to change the "call-iptables" defaults to 0 and +enforce explicit setting to 1, but that breaks backwards compatibility. + +This does the next best thing: add a request_module call to checkentry. +This was a stray '-D ... -m physdev' won't activate br_netfilter +anymore. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/br_netfilter.h | 1 - + net/bridge/br_netfilter_hooks.c | 5 ----- + net/netfilter/xt_physdev.c | 9 +++++++-- + 3 files changed, 7 insertions(+), 8 deletions(-) + +diff --git a/include/net/netfilter/br_netfilter.h b/include/net/netfilter/br_netfilter.h +index 74af19c3a8f7..a4ba601b5d04 100644 +--- a/include/net/netfilter/br_netfilter.h ++++ b/include/net/netfilter/br_netfilter.h +@@ -49,7 +49,6 @@ static inline struct rtable *bridge_parent_rtable(const struct net_device *dev) + } + + struct net_device *setup_pre_routing(struct sk_buff *skb); +-void br_netfilter_enable(void); + + #if IS_ENABLED(CONFIG_IPV6) + int br_validate_ipv6(struct net *net, struct sk_buff *skb); +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 3f3859b8d49f..5fd283d9929e 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -881,11 +881,6 @@ static const struct nf_br_ops br_ops = { + .br_dev_xmit_hook = br_nf_dev_xmit, + }; + +-void br_netfilter_enable(void) +-{ +-} +-EXPORT_SYMBOL_GPL(br_netfilter_enable); +- + /* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because + * br_dev_queue_push_xmit is called afterwards */ + static const struct nf_hook_ops br_nf_ops[] = { +diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c +index bb33598e4530..ec247d8370e8 100644 +--- a/net/netfilter/xt_physdev.c ++++ b/net/netfilter/xt_physdev.c +@@ -96,8 +96,7 @@ match_outdev: + static int physdev_mt_check(const struct xt_mtchk_param *par) + { + const struct xt_physdev_info *info = par->matchinfo; +- +- br_netfilter_enable(); ++ static bool brnf_probed __read_mostly; + + if (!(info->bitmask & XT_PHYSDEV_OP_MASK) || + info->bitmask & ~XT_PHYSDEV_OP_MASK) +@@ -113,6 +112,12 @@ static int physdev_mt_check(const struct xt_mtchk_param *par) + if (par->hook_mask & (1 << NF_INET_LOCAL_OUT)) + return -EINVAL; + } ++ ++ if (!brnf_probed) { ++ brnf_probed = true; ++ request_module("br_netfilter"); ++ } ++ + return 0; + } + +-- +2.19.1 + diff --git a/queue-4.14/ocfs2-fix-a-panic-problem-caused-by-o2cb_ctl.patch b/queue-4.14/ocfs2-fix-a-panic-problem-caused-by-o2cb_ctl.patch new file mode 100644 index 00000000000..7ab27c30cce --- /dev/null +++ b/queue-4.14/ocfs2-fix-a-panic-problem-caused-by-o2cb_ctl.patch @@ -0,0 +1,70 @@ +From e67a4c836165ca5ff1b698404b2bb677376e7c64 Mon Sep 17 00:00:00 2001 +From: Jia Guo +Date: Tue, 5 Mar 2019 15:41:41 -0800 +Subject: ocfs2: fix a panic problem caused by o2cb_ctl + +[ Upstream commit cc725ef3cb202ef2019a3c67c8913efa05c3cce6 ] + +In the process of creating a node, it will cause NULL pointer +dereference in kernel if o2cb_ctl failed in the interval (mkdir, +o2cb_set_node_attribute(node_num)] in function o2cb_add_node. + +The node num is initialized to 0 in function o2nm_node_group_make_item, +o2nm_node_group_drop_item will mistake the node number 0 for a valid +node number when we delete the node before the node number is set +correctly. If the local node number of the current host happens to be +0, cluster->cl_local_node will be set to O2NM_INVALID_NODE_NUM while +o2hb_thread still running. The panic stack is generated as follows: + + o2hb_thread + \-o2hb_do_disk_heartbeat + \-o2hb_check_own_slot + |-slot = ®->hr_slots[o2nm_this_node()]; + //o2nm_this_node() return O2NM_INVALID_NODE_NUM + +We need to check whether the node number is set when we delete the node. + +Link: http://lkml.kernel.org/r/133d8045-72cc-863e-8eae-5013f9f6bc51@huawei.com +Signed-off-by: Jia Guo +Reviewed-by: Joseph Qi +Acked-by: Jun Piao +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/cluster/nodemanager.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/fs/ocfs2/cluster/nodemanager.c b/fs/ocfs2/cluster/nodemanager.c +index c204ac9b49e5..81a0d5d82757 100644 +--- a/fs/ocfs2/cluster/nodemanager.c ++++ b/fs/ocfs2/cluster/nodemanager.c +@@ -621,13 +621,15 @@ static void o2nm_node_group_drop_item(struct config_group *group, + struct o2nm_node *node = to_o2nm_node(item); + struct o2nm_cluster *cluster = to_o2nm_cluster(group->cg_item.ci_parent); + +- o2net_disconnect_node(node); ++ if (cluster->cl_nodes[node->nd_num] == node) { ++ o2net_disconnect_node(node); + +- if (cluster->cl_has_local && +- (cluster->cl_local_node == node->nd_num)) { +- cluster->cl_has_local = 0; +- cluster->cl_local_node = O2NM_INVALID_NODE_NUM; +- o2net_stop_listening(node); ++ if (cluster->cl_has_local && ++ (cluster->cl_local_node == node->nd_num)) { ++ cluster->cl_has_local = 0; ++ cluster->cl_local_node = O2NM_INVALID_NODE_NUM; ++ o2net_stop_listening(node); ++ } + } + + /* XXX call into net to stop this node from trading messages */ +-- +2.19.1 + diff --git a/queue-4.14/page_poison-play-nicely-with-kasan.patch b/queue-4.14/page_poison-play-nicely-with-kasan.patch new file mode 100644 index 00000000000..03f35078aa6 --- /dev/null +++ b/queue-4.14/page_poison-play-nicely-with-kasan.patch @@ -0,0 +1,93 @@ +From d34e9055c024414a624f5ab8a6bb86d369286b7b Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Tue, 5 Mar 2019 15:41:24 -0800 +Subject: page_poison: play nicely with KASAN + +[ Upstream commit 4117992df66a26fa33908b4969e04801534baab1 ] + +KASAN does not play well with the page poisoning (CONFIG_PAGE_POISONING). +It triggers false positives in the allocation path: + + BUG: KASAN: use-after-free in memchr_inv+0x2ea/0x330 + Read of size 8 at addr ffff88881f800000 by task swapper/0 + CPU: 0 PID: 0 Comm: swapper Not tainted 5.0.0-rc1+ #54 + Call Trace: + dump_stack+0xe0/0x19a + print_address_description.cold.2+0x9/0x28b + kasan_report.cold.3+0x7a/0xb5 + __asan_report_load8_noabort+0x19/0x20 + memchr_inv+0x2ea/0x330 + kernel_poison_pages+0x103/0x3d5 + get_page_from_freelist+0x15e7/0x4d90 + +because KASAN has not yet unpoisoned the shadow page for allocation +before it checks memchr_inv() but only found a stale poison pattern. + +Also, false positives in free path, + + BUG: KASAN: slab-out-of-bounds in kernel_poison_pages+0x29e/0x3d5 + Write of size 4096 at addr ffff8888112cc000 by task swapper/0/1 + CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.0.0-rc1+ #55 + Call Trace: + dump_stack+0xe0/0x19a + print_address_description.cold.2+0x9/0x28b + kasan_report.cold.3+0x7a/0xb5 + check_memory_region+0x22d/0x250 + memset+0x28/0x40 + kernel_poison_pages+0x29e/0x3d5 + __free_pages_ok+0x75f/0x13e0 + +due to KASAN adds poisoned redzones around slab objects, but the page +poisoning needs to poison the whole page. + +Link: http://lkml.kernel.org/r/20190114233405.67843-1-cai@lca.pw +Signed-off-by: Qian Cai +Acked-by: Andrey Ryabinin +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/page_alloc.c | 2 +- + mm/page_poison.c | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index 40075c1946b3..923deb33bf34 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -1764,8 +1764,8 @@ inline void post_alloc_hook(struct page *page, unsigned int order, + + arch_alloc_page(page, order); + kernel_map_pages(page, 1 << order, 1); +- kernel_poison_pages(page, 1 << order, 1); + kasan_alloc_pages(page, order); ++ kernel_poison_pages(page, 1 << order, 1); + set_page_owner(page, order, gfp_flags); + } + +diff --git a/mm/page_poison.c b/mm/page_poison.c +index e83fd44867de..a7ba9e315a12 100644 +--- a/mm/page_poison.c ++++ b/mm/page_poison.c +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + + static bool want_page_poisoning __read_mostly; + +@@ -34,7 +35,10 @@ static void poison_page(struct page *page) + { + void *addr = kmap_atomic(page); + ++ /* KASAN still think the page is in-use, so skip it. */ ++ kasan_disable_current(); + memset(addr, PAGE_POISON, PAGE_SIZE); ++ kasan_enable_current(); + kunmap_atomic(addr); + } + +-- +2.19.1 + diff --git a/queue-4.14/pci-pme-fix-hotplug-sysfs-remove-deadlock-in-pcie_pm.patch b/queue-4.14/pci-pme-fix-hotplug-sysfs-remove-deadlock-in-pcie_pm.patch new file mode 100644 index 00000000000..af3eec81f4f --- /dev/null +++ b/queue-4.14/pci-pme-fix-hotplug-sysfs-remove-deadlock-in-pcie_pm.patch @@ -0,0 +1,143 @@ +From 87a35aca6c761b392945d5f3b9d6fa94fbfa6527 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Thu, 28 Feb 2019 13:56:27 -0600 +Subject: PCI/PME: Fix hotplug/sysfs remove deadlock in pcie_pme_remove() + +[ Upstream commit 95c80bc6952b6a5badc7b702d23e5bf14d251e7c ] + +Dongdong reported a deadlock triggered by a hotplug event during a sysfs +"remove" operation: + + pciehp 0000:00:0c.0:pcie004: Slot(0-1): Link Up + # echo 1 > 0000:00:0c.0/remove + + PME and hotplug share an MSI/MSI-X vector. The sysfs "remove" side is: + + remove_store + pci_stop_and_remove_bus_device_locked + pci_lock_rescan_remove + pci_stop_and_remove_bus_device + ... + pcie_pme_remove + pcie_pme_suspend + synchronize_irq # wait for hotplug IRQ handler + pci_unlock_rescan_remove + + The hotplug side is: + + pciehp_ist + pciehp_handle_presence_or_link_change + pciehp_configure_device + pci_lock_rescan_remove # wait for pci_unlock_rescan_remove() + + INFO: task bash:10913 blocked for more than 120 seconds. + + # ps -ax |grep D + PID TTY STAT TIME COMMAND + 10913 ttyAMA0 Ds+ 0:00 -bash + 14022 ? D 0:00 [irq/745-pciehp] + + # cat /proc/14022/stack + __switch_to+0x94/0xd8 + pci_lock_rescan_remove+0x20/0x28 + pciehp_configure_device+0x30/0x140 + pciehp_handle_presence_or_link_change+0x324/0x458 + pciehp_ist+0x1dc/0x1e0 + + # cat /proc/10913/stack + __switch_to+0x94/0xd8 + synchronize_irq+0x8c/0xc0 + pcie_pme_suspend+0xa4/0x118 + pcie_pme_remove+0x20/0x40 + pcie_port_remove_service+0x3c/0x58 + ... + pcie_port_device_remove+0x2c/0x48 + pcie_portdrv_remove+0x68/0x78 + pci_device_remove+0x48/0x120 + ... + pci_stop_bus_device+0x84/0xc0 + pci_stop_and_remove_bus_device_locked+0x24/0x40 + remove_store+0xa4/0xb8 + dev_attr_store+0x44/0x60 + sysfs_kf_write+0x58/0x80 + +It is incorrect to call pcie_pme_suspend() from pcie_pme_remove() for two +reasons. + +First, pcie_pme_suspend() calls synchronize_irq(), which will wait for the +native hotplug interrupt handler as well as for the PME one, because they +share one IRQ (as per the spec). That may deadlock if hotplug is signaled +while pcie_pme_remove() is running and the latter calls +pci_lock_rescan_remove() before the former. + +Second, if pcie_pme_suspend() figures out that wakeup needs to be enabled +for the port, it will return without disabling the interrupt as expected by +pcie_pme_remove() which was overlooked by commit c7b5a4e6e8fb ("PCI / PM: +Fix native PME handling during system suspend/resume"). + +To fix that, rework pcie_pme_remove() to disable the PME interrupt, clear +its status and prevent the PME worker function from re-enabling it before +calling free_irq() on it, which should be sufficient. + +Fixes: c7b5a4e6e8fb ("PCI / PM: Fix native PME handling during system suspend/resume") +Link: https://lore.kernel.org/linux-pci/c7697e7c-e1af-13e4-8491-0a3996e6ab5d@huawei.com +Reported-by: Dongdong Liu +Signed-off-by: Rafael J. Wysocki +[bhelgaas: add URL and deadlock details from Dongdong] +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/pme.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/drivers/pci/pcie/pme.c b/drivers/pci/pcie/pme.c +index df290aa58dce..c2e6e3d1073f 100644 +--- a/drivers/pci/pcie/pme.c ++++ b/drivers/pci/pcie/pme.c +@@ -367,6 +367,16 @@ static bool pcie_pme_check_wakeup(struct pci_bus *bus) + return false; + } + ++static void pcie_pme_disable_interrupt(struct pci_dev *port, ++ struct pcie_pme_service_data *data) ++{ ++ spin_lock_irq(&data->lock); ++ pcie_pme_interrupt_enable(port, false); ++ pcie_clear_root_pme_status(port); ++ data->noirq = true; ++ spin_unlock_irq(&data->lock); ++} ++ + /** + * pcie_pme_suspend - Suspend PCIe PME service device. + * @srv: PCIe service device to suspend. +@@ -391,11 +401,7 @@ static int pcie_pme_suspend(struct pcie_device *srv) + return 0; + } + +- spin_lock_irq(&data->lock); +- pcie_pme_interrupt_enable(port, false); +- pcie_clear_root_pme_status(port); +- data->noirq = true; +- spin_unlock_irq(&data->lock); ++ pcie_pme_disable_interrupt(port, data); + + synchronize_irq(srv->irq); + +@@ -431,9 +437,11 @@ static int pcie_pme_resume(struct pcie_device *srv) + */ + static void pcie_pme_remove(struct pcie_device *srv) + { +- pcie_pme_suspend(srv); ++ struct pcie_pme_service_data *data = get_service_data(srv); ++ ++ pcie_pme_disable_interrupt(srv->port, data); + free_irq(srv->irq, srv); +- kfree(get_service_data(srv)); ++ kfree(data); + } + + static struct pcie_port_service_driver pcie_pme_driver = { +-- +2.19.1 + diff --git a/queue-4.14/perf-c2c-fix-c2c-report-for-empty-numa-node.patch b/queue-4.14/perf-c2c-fix-c2c-report-for-empty-numa-node.patch new file mode 100644 index 00000000000..d2ccd3b6372 --- /dev/null +++ b/queue-4.14/perf-c2c-fix-c2c-report-for-empty-numa-node.patch @@ -0,0 +1,63 @@ +From a6fbaf3b3a8089ef20c449314a1adba1a25412ef Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Tue, 5 Mar 2019 16:25:29 +0100 +Subject: perf c2c: Fix c2c report for empty numa node + +[ Upstream commit e34c940245437f36d2c492edd1f8237eff391064 ] + +Ravi Bangoria reported that we fail with an empty NUMA node with the +following message: + + $ lscpu + NUMA node0 CPU(s): + NUMA node1 CPU(s): 0-4 + + $ sudo ./perf c2c report + node/cpu topology bugFailed setup nodes + +Fix this by detecting the empty node and keeping its CPU set empty. + +Reported-by: Nageswara R Sastry +Signed-off-by: Jiri Olsa +Tested-by: Ravi Bangoria +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jonas Rabenstein +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20190305152536.21035-2-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-c2c.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/builtin-c2c.c b/tools/perf/builtin-c2c.c +index fb76423022e8..32e64a8a6443 100644 +--- a/tools/perf/builtin-c2c.c ++++ b/tools/perf/builtin-c2c.c +@@ -1935,6 +1935,12 @@ static int setup_nodes(struct perf_session *session) + if (!set) + return -ENOMEM; + ++ nodes[node] = set; ++ ++ /* empty node, skip */ ++ if (cpu_map__empty(map)) ++ continue; ++ + for (cpu = 0; cpu < map->nr; cpu++) { + set_bit(map->map[cpu], set); + +@@ -1943,8 +1949,6 @@ static int setup_nodes(struct perf_session *session) + + cpu2node[map->map[cpu]] = node; + } +- +- nodes[node] = set; + } + + setup_nodes_header(); +-- +2.19.1 + diff --git a/queue-4.14/perf-test-fix-failure-of-evsel-tp-sched-test-on-s390.patch b/queue-4.14/perf-test-fix-failure-of-evsel-tp-sched-test-on-s390.patch new file mode 100644 index 00000000000..5a1bebc9d34 --- /dev/null +++ b/queue-4.14/perf-test-fix-failure-of-evsel-tp-sched-test-on-s390.patch @@ -0,0 +1,120 @@ +From 90cd9bdd343840190329a63aea1ea448a6a429e7 Mon Sep 17 00:00:00 2001 +From: Thomas Richter +Date: Tue, 19 Feb 2019 16:36:39 +0100 +Subject: perf test: Fix failure of 'evsel-tp-sched' test on s390 + +[ Upstream commit 03d309711d687460d1345de8a0363f45b1c8cd11 ] + +Commit 489338a717a0 ("perf tests evsel-tp-sched: Fix bitwise operator") +causes test case 14 "Parse sched tracepoints fields" to fail on s390. + +This test succeeds on x86. + +In fact this test now fails on all architectures with type char treated +as type unsigned char. + +The root cause is the signed-ness of character arrays in the tracepoints +sched_switch for structure members prev_comm and next_comm. + +On s390 the output of: + + [root@m35lp76 perf]# cat /sys/kernel/debug/tracing/events/sched/sched_switch/format + name: sched_switch + ID: 287 + format: + field:unsigned short common_type; offset:0; size:2; signed:0; + ... + field:char prev_comm[16]; offset:8; size:16; signed:0; + ... + field:char next_comm[16]; offset:40; size:16; signed:0; + +reveals the character arrays prev_comm and next_comm are per +default unsigned char and have values in the range of 0..255. + +On x86 both fields are signed as this output shows: + [root@f29]# cat /sys/kernel/debug/tracing/events/sched/sched_switch/format + name: sched_switch + ID: 287 + format: + field:unsigned short common_type; offset:0; size:2; signed:0; + ... + field:char prev_comm[16]; offset:8; size:16; signed:1; + ... + field:char next_comm[16]; offset:40; size:16; signed:1; + +and the character arrays prev_comm and next_comm are per default signed +char and have values in the range of -1..127. The implementation of +type char is architecture specific. + +Since the character arrays in both tracepoints sched_switch and +sched_wakeup should contain ascii characters, simply omit the check for +signedness in the test case. + +Output before: + + [root@m35lp76 perf]# ./perf test -F 14 + 14: Parse sched tracepoints fields : + --- start --- + sched:sched_switch: "prev_comm" signedness(0) is wrong, should be 1 + sched:sched_switch: "next_comm" signedness(0) is wrong, should be 1 + sched:sched_wakeup: "comm" signedness(0) is wrong, should be 1 + ---- end ---- + 14: Parse sched tracepoints fields : FAILED! + [root@m35lp76 perf]# + +Output after: + + [root@m35lp76 perf]# ./perf test -Fv 14 + 14: Parse sched tracepoints fields : + --- start --- + ---- end ---- + Parse sched tracepoints fields: Ok + [root@m35lp76 perf]# + +Fixes: 489338a717a0 ("perf tests evsel-tp-sched: Fix bitwise operator") + +Signed-off-by: Thomas Richter +Cc: Heiko Carstens +Cc: Hendrik Brueckner +Cc: Martin Schwidefsky +Link: http://lkml.kernel.org/r/20190219153639.31267-1-tmricht@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/evsel-tp-sched.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/tests/evsel-tp-sched.c b/tools/perf/tests/evsel-tp-sched.c +index 67bcbf876776..d0406116c905 100644 +--- a/tools/perf/tests/evsel-tp-sched.c ++++ b/tools/perf/tests/evsel-tp-sched.c +@@ -43,7 +43,7 @@ int test__perf_evsel__tp_sched_test(struct test *test __maybe_unused, int subtes + return -1; + } + +- if (perf_evsel__test_field(evsel, "prev_comm", 16, true)) ++ if (perf_evsel__test_field(evsel, "prev_comm", 16, false)) + ret = -1; + + if (perf_evsel__test_field(evsel, "prev_pid", 4, true)) +@@ -55,7 +55,7 @@ int test__perf_evsel__tp_sched_test(struct test *test __maybe_unused, int subtes + if (perf_evsel__test_field(evsel, "prev_state", sizeof(long), true)) + ret = -1; + +- if (perf_evsel__test_field(evsel, "next_comm", 16, true)) ++ if (perf_evsel__test_field(evsel, "next_comm", 16, false)) + ret = -1; + + if (perf_evsel__test_field(evsel, "next_pid", 4, true)) +@@ -73,7 +73,7 @@ int test__perf_evsel__tp_sched_test(struct test *test __maybe_unused, int subtes + return -1; + } + +- if (perf_evsel__test_field(evsel, "comm", 16, true)) ++ if (perf_evsel__test_field(evsel, "comm", 16, false)) + ret = -1; + + if (perf_evsel__test_field(evsel, "pid", 4, true)) +-- +2.19.1 + diff --git a/queue-4.14/platform-x86-intel_pmc_core-fix-pch-ip-sts-reading.patch b/queue-4.14/platform-x86-intel_pmc_core-fix-pch-ip-sts-reading.patch new file mode 100644 index 00000000000..f72f11ff438 --- /dev/null +++ b/queue-4.14/platform-x86-intel_pmc_core-fix-pch-ip-sts-reading.patch @@ -0,0 +1,63 @@ +From 133a62fff959672b761dab9f4b34139706ed9a62 Mon Sep 17 00:00:00 2001 +From: Rajneesh Bhardwaj +Date: Fri, 1 Feb 2019 13:02:26 +0530 +Subject: platform/x86: intel_pmc_core: Fix PCH IP sts reading + +[ Upstream commit 0e68eeea9894feeba2edf7ec63e4551b87f39621 ] + +A previous commit "platform/x86: intel_pmc_core: Make the driver PCH +family agnostic " provided +better abstraction to this driver but has some fundamental issues. + +e.g. the following condition + +for (index = 0; index < pmcdev->map->ppfear_buckets && + index < PPFEAR_MAX_NUM_ENTRIES; index++, iter++) + +is wrong because for CNL, PPFEAR_MAX_NUM_ENTRIES is hardcoded as 5 which +is _wrong_ and even though ppfear_buckets is 8, the loop fails to read +all eight registers needed for CNL PCH i.e. PPFEAR0 and PPFEAR1. This +patch refactors the pfear show logic to correctly read PCH IP power +gating status for Cannonlake and beyond. + +Cc: "David E. Box" +Cc: Srinivas Pandruvada +Fixes: c977b98bbef5 ("platform/x86: intel_pmc_core: Make the driver PCH family agnostic") +Signed-off-by: Rajneesh Bhardwaj +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel_pmc_core.c | 3 ++- + drivers/platform/x86/intel_pmc_core.h | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/intel_pmc_core.c b/drivers/platform/x86/intel_pmc_core.c +index 17e08b42b0a9..aaeb0242a99d 100644 +--- a/drivers/platform/x86/intel_pmc_core.c ++++ b/drivers/platform/x86/intel_pmc_core.c +@@ -222,7 +222,8 @@ static int pmc_core_ppfear_sts_show(struct seq_file *s, void *unused) + index < PPFEAR_MAX_NUM_ENTRIES; index++, iter++) + pf_regs[index] = pmc_core_reg_read_byte(pmcdev, iter); + +- for (index = 0; map[index].name; index++) ++ for (index = 0; map[index].name && ++ index < pmcdev->map->ppfear_buckets * 8; index++) + pmc_core_display_map(s, index, pf_regs[index / 8], map); + + return 0; +diff --git a/drivers/platform/x86/intel_pmc_core.h b/drivers/platform/x86/intel_pmc_core.h +index 3d225a9cc09f..1f13426eb61a 100644 +--- a/drivers/platform/x86/intel_pmc_core.h ++++ b/drivers/platform/x86/intel_pmc_core.h +@@ -38,7 +38,7 @@ + #define SPT_PMC_SLP_S0_RES_COUNTER_STEP 0x64 + #define PMC_BASE_ADDR_MASK ~(SPT_PMC_MMIO_REG_LEN - 1) + #define MTPMC_MASK 0xffff0000 +-#define PPFEAR_MAX_NUM_ENTRIES 5 ++#define PPFEAR_MAX_NUM_ENTRIES 12 + #define SPT_PPFEAR_NUM_ENTRIES 5 + #define SPT_PMC_READ_DISABLE_BIT 0x16 + #define SPT_PMC_MSG_FULL_STS_BIT 0x18 +-- +2.19.1 + diff --git a/queue-4.14/powerpc-hugetlb-handle-mmap_min_addr-correctly-in-ge.patch b/queue-4.14/powerpc-hugetlb-handle-mmap_min_addr-correctly-in-ge.patch new file mode 100644 index 00000000000..420e49d007a --- /dev/null +++ b/queue-4.14/powerpc-hugetlb-handle-mmap_min_addr-correctly-in-ge.patch @@ -0,0 +1,70 @@ +From 3222dea8f71f15fc360b2057b284bcf3f448d67e Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Tue, 26 Feb 2019 10:09:34 +0530 +Subject: powerpc/hugetlb: Handle mmap_min_addr correctly in get_unmapped_area + callback + +[ Upstream commit 5330367fa300742a97e20e953b1f77f48392faae ] + +After we ALIGN up the address we need to make sure we didn't overflow +and resulted in zero address. In that case, we need to make sure that +the returned address is greater than mmap_min_addr. + +This fixes selftest va_128TBswitch --run-hugetlb reporting failures when +run as non root user for + +mmap(-1, MAP_HUGETLB) + +The bug is that a non-root user requesting address -1 will be given address 0 +which will then fail, whereas they should have been given something else that +would have succeeded. + +We also avoid the first mmap(-1, MAP_HUGETLB) returning NULL address as mmap address +with this change. So we think this is not a security issue, because it only affects +whether we choose an address below mmap_min_addr, not whether we +actually allow that address to be mapped. ie. there are existing capability +checks to prevent a user mapping below mmap_min_addr and those will still be +honoured even without this fix. + +Fixes: 484837601d4d ("powerpc/mm: Add radix support for hugetlb") +Reviewed-by: Laurent Dufour +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/hugetlbpage-radix.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/mm/hugetlbpage-radix.c b/arch/powerpc/mm/hugetlbpage-radix.c +index bd022d16745c..a31bad29b55d 100644 +--- a/arch/powerpc/mm/hugetlbpage-radix.c ++++ b/arch/powerpc/mm/hugetlbpage-radix.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0 + #include + #include ++#include + #include + #include + #include +@@ -79,7 +80,7 @@ radix__hugetlb_get_unmapped_area(struct file *file, unsigned long addr, + if (addr) { + addr = ALIGN(addr, huge_page_size(h)); + vma = find_vma(mm, addr); +- if (high_limit - len >= addr && ++ if (high_limit - len >= addr && addr >= mmap_min_addr && + (!vma || addr + len <= vm_start_gap(vma))) + return addr; + } +@@ -89,7 +90,7 @@ radix__hugetlb_get_unmapped_area(struct file *file, unsigned long addr, + */ + info.flags = VM_UNMAPPED_AREA_TOPDOWN; + info.length = len; +- info.low_limit = PAGE_SIZE; ++ info.low_limit = max(PAGE_SIZE, mmap_min_addr); + info.high_limit = mm->mmap_base + (high_limit - DEFAULT_MAP_WINDOW); + info.align_mask = PAGE_MASK & ~huge_page_mask(h); + info.align_offset = 0; +-- +2.19.1 + diff --git a/queue-4.14/powerpc-pseries-perform-full-re-add-of-cpu-for-topol.patch b/queue-4.14/powerpc-pseries-perform-full-re-add-of-cpu-for-topol.patch new file mode 100644 index 00000000000..e6d041a9190 --- /dev/null +++ b/queue-4.14/powerpc-pseries-perform-full-re-add-of-cpu-for-topol.patch @@ -0,0 +1,110 @@ +From aaf7322e6c38527d098e566665c888b2d0c0774f Mon Sep 17 00:00:00 2001 +From: Nathan Fontenot +Date: Mon, 29 Oct 2018 13:43:36 -0500 +Subject: powerpc/pseries: Perform full re-add of CPU for topology update + post-migration + +[ Upstream commit 81b61324922c67f73813d8a9c175f3c153f6a1c6 ] + +On pseries systems, performing a partition migration can result in +altering the nodes a CPU is assigned to on the destination system. For +exampl, pre-migration on the source system CPUs are in node 1 and 3, +post-migration on the destination system CPUs are in nodes 2 and 3. + +Handling the node change for a CPU can cause corruption in the slab +cache if we hit a timing where a CPUs node is changed while cache_reap() +is invoked. The corruption occurs because the slab cache code appears +to rely on the CPU and slab cache pages being on the same node. + +The current dynamic updating of a CPUs node done in arch/powerpc/mm/numa.c +does not prevent us from hitting this scenario. + +Changing the device tree property update notification handler that +recognizes an affinity change for a CPU to do a full DLPAR remove and +add of the CPU instead of dynamically changing its node resolves this +issue. + +Signed-off-by: Nathan Fontenot +Signed-off-by: Michael W. Bringmann +Tested-by: Michael W. Bringmann +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/topology.h | 2 ++ + arch/powerpc/mm/numa.c | 9 +-------- + arch/powerpc/platforms/pseries/hotplug-cpu.c | 19 +++++++++++++++++++ + 3 files changed, 22 insertions(+), 8 deletions(-) + +diff --git a/arch/powerpc/include/asm/topology.h b/arch/powerpc/include/asm/topology.h +index 66c72b356ac0..e6b185b4b3b1 100644 +--- a/arch/powerpc/include/asm/topology.h ++++ b/arch/powerpc/include/asm/topology.h +@@ -117,6 +117,8 @@ static inline int prrn_is_enabled(void) + #define topology_sibling_cpumask(cpu) (per_cpu(cpu_sibling_map, cpu)) + #define topology_core_cpumask(cpu) (per_cpu(cpu_core_map, cpu)) + #define topology_core_id(cpu) (cpu_to_core_id(cpu)) ++ ++int dlpar_cpu_readd(int cpu); + #endif + #endif + +diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c +index 40fb9a8835fe..0a02c73a27b3 100644 +--- a/arch/powerpc/mm/numa.c ++++ b/arch/powerpc/mm/numa.c +@@ -1527,13 +1527,6 @@ static void reset_topology_timer(void) + + #ifdef CONFIG_SMP + +-static void stage_topology_update(int core_id) +-{ +- cpumask_or(&cpu_associativity_changes_mask, +- &cpu_associativity_changes_mask, cpu_sibling_mask(core_id)); +- reset_topology_timer(); +-} +- + static int dt_update_callback(struct notifier_block *nb, + unsigned long action, void *data) + { +@@ -1546,7 +1539,7 @@ static int dt_update_callback(struct notifier_block *nb, + !of_prop_cmp(update->prop->name, "ibm,associativity")) { + u32 core_id; + of_property_read_u32(update->dn, "reg", &core_id); +- stage_topology_update(core_id); ++ rc = dlpar_cpu_readd(core_id); + rc = NOTIFY_OK; + } + break; +diff --git a/arch/powerpc/platforms/pseries/hotplug-cpu.c b/arch/powerpc/platforms/pseries/hotplug-cpu.c +index b1ac8ac38434..0baaaa6b0929 100644 +--- a/arch/powerpc/platforms/pseries/hotplug-cpu.c ++++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c +@@ -799,6 +799,25 @@ static int dlpar_cpu_add_by_count(u32 cpus_to_add) + return rc; + } + ++int dlpar_cpu_readd(int cpu) ++{ ++ struct device_node *dn; ++ struct device *dev; ++ u32 drc_index; ++ int rc; ++ ++ dev = get_cpu_device(cpu); ++ dn = dev->of_node; ++ ++ rc = of_property_read_u32(dn, "ibm,my-drc-index", &drc_index); ++ ++ rc = dlpar_cpu_remove_by_index(drc_index); ++ if (!rc) ++ rc = dlpar_cpu_add(drc_index); ++ ++ return rc; ++} ++ + int dlpar_cpu(struct pseries_hp_errorlog *hp_elog) + { + u32 count, drc_index; +-- +2.19.1 + diff --git a/queue-4.14/powerpc-xmon-fix-opcode-being-uninitialized-in-print.patch b/queue-4.14/powerpc-xmon-fix-opcode-being-uninitialized-in-print.patch new file mode 100644 index 00000000000..caab74f2968 --- /dev/null +++ b/queue-4.14/powerpc-xmon-fix-opcode-being-uninitialized-in-print.patch @@ -0,0 +1,59 @@ +From 2cc6cc94ddc6e3f3cc22ab68021c1de1baaf9447 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 25 Feb 2019 22:38:55 -0700 +Subject: powerpc/xmon: Fix opcode being uninitialized in print_insn_powerpc + +[ Upstream commit e7140639b1de65bba435a6bd772d134901141f86 ] + +When building with -Wsometimes-uninitialized, Clang warns: + + arch/powerpc/xmon/ppc-dis.c:157:7: warning: variable 'opcode' is used + uninitialized whenever 'if' condition is false + [-Wsometimes-uninitialized] + if (cpu_has_feature(CPU_FTRS_POWER9)) + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + arch/powerpc/xmon/ppc-dis.c:167:7: note: uninitialized use occurs here + if (opcode == NULL) + ^~~~~~ + arch/powerpc/xmon/ppc-dis.c:157:3: note: remove the 'if' if its + condition is always true + if (cpu_has_feature(CPU_FTRS_POWER9)) + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + arch/powerpc/xmon/ppc-dis.c:132:38: note: initialize the variable + 'opcode' to silence this warning + const struct powerpc_opcode *opcode; + ^ + = NULL + 1 warning generated. + +This warning seems to make no sense on the surface because opcode is set +to NULL right below this statement. However, there is a comma instead of +semicolon to end the dialect assignment, meaning that the opcode +assignment only happens in the if statement. Properly terminate that +line so that Clang no longer warns. + +Fixes: 5b102782c7f4 ("powerpc/xmon: Enable disassembly files (compilation changes)") +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/xmon/ppc-dis.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/xmon/ppc-dis.c b/arch/powerpc/xmon/ppc-dis.c +index 31db8c072acd..006c7f864f65 100644 +--- a/arch/powerpc/xmon/ppc-dis.c ++++ b/arch/powerpc/xmon/ppc-dis.c +@@ -162,7 +162,7 @@ int print_insn_powerpc (unsigned long insn, unsigned long memaddr) + dialect |= (PPC_OPCODE_POWER5 | PPC_OPCODE_POWER6 | PPC_OPCODE_POWER7 + | PPC_OPCODE_POWER8 | PPC_OPCODE_POWER9 | PPC_OPCODE_HTM + | PPC_OPCODE_ALTIVEC | PPC_OPCODE_ALTIVEC2 +- | PPC_OPCODE_VSX | PPC_OPCODE_VSX3), ++ | PPC_OPCODE_VSX | PPC_OPCODE_VSX3); + + /* Get the major opcode of the insn. */ + opcode = NULL; +-- +2.19.1 + diff --git a/queue-4.14/regulator-act8865-fix-act8600_sudcdc_voltage_ranges-.patch b/queue-4.14/regulator-act8865-fix-act8600_sudcdc_voltage_ranges-.patch new file mode 100644 index 00000000000..74338a6deba --- /dev/null +++ b/queue-4.14/regulator-act8865-fix-act8600_sudcdc_voltage_ranges-.patch @@ -0,0 +1,55 @@ +From 5f783c45fda520b47f54ba2eff63fd63eb8ac47f Mon Sep 17 00:00:00 2001 +From: Axel Lin +Date: Thu, 10 Jan 2019 17:26:16 +0800 +Subject: regulator: act8865: Fix act8600_sudcdc_voltage_ranges setting + +[ Upstream commit f01a7beb6791f1c419424c1a6958b7d0a289c974 ] + +The act8600_sudcdc_voltage_ranges setting does not match the datasheet. + +The problems in below entry: + REGULATOR_LINEAR_RANGE(19000000, 191, 255, 400000), + +1. The off-by-one min_sel causes wrong volatage calculation. + The min_sel should be 192. +2. According to the datasheet[1] Table 7. (on page 43): + The selector 248 (0b11111000) ~ 255 (0b11111111) are 41.400V. + +Also fix off-by-one for ACT8600_SUDCDC_VOLTAGE_NUM. + +[1] https://active-semi.com/wp-content/uploads/ACT8600_Datasheet.pdf + +Fixes: df3a950e4e73 ("regulator: act8865: Add act8600 support") +Signed-off-by: Axel Lin +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/act8865-regulator.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/regulator/act8865-regulator.c b/drivers/regulator/act8865-regulator.c +index 7652477e6a9d..39e8d60df060 100644 +--- a/drivers/regulator/act8865-regulator.c ++++ b/drivers/regulator/act8865-regulator.c +@@ -131,7 +131,7 @@ + * ACT8865 voltage number + */ + #define ACT8865_VOLTAGE_NUM 64 +-#define ACT8600_SUDCDC_VOLTAGE_NUM 255 ++#define ACT8600_SUDCDC_VOLTAGE_NUM 256 + + struct act8865 { + struct regmap *regmap; +@@ -222,7 +222,8 @@ static const struct regulator_linear_range act8600_sudcdc_voltage_ranges[] = { + REGULATOR_LINEAR_RANGE(3000000, 0, 63, 0), + REGULATOR_LINEAR_RANGE(3000000, 64, 159, 100000), + REGULATOR_LINEAR_RANGE(12600000, 160, 191, 200000), +- REGULATOR_LINEAR_RANGE(19000000, 191, 255, 400000), ++ REGULATOR_LINEAR_RANGE(19000000, 192, 247, 400000), ++ REGULATOR_LINEAR_RANGE(41400000, 248, 255, 0), + }; + + static struct regulator_ops act8865_ops = { +-- +2.19.1 + diff --git a/queue-4.14/sched-debug-initialize-sd_sysctl_cpus-if-config_cpum.patch b/queue-4.14/sched-debug-initialize-sd_sysctl_cpus-if-config_cpum.patch new file mode 100644 index 00000000000..0e0e76bcce0 --- /dev/null +++ b/queue-4.14/sched-debug-initialize-sd_sysctl_cpus-if-config_cpum.patch @@ -0,0 +1,65 @@ +From 31442c240166277f25747d0330584adb36e0e47e Mon Sep 17 00:00:00 2001 +From: Hidetoshi Seto +Date: Tue, 29 Jan 2019 10:12:45 -0500 +Subject: sched/debug: Initialize sd_sysctl_cpus if !CONFIG_CPUMASK_OFFSTACK + +[ Upstream commit 1ca4fa3ab604734e38e2a3000c9abf788512ffa7 ] + +register_sched_domain_sysctl() copies the cpu_possible_mask into +sd_sysctl_cpus, but only if sd_sysctl_cpus hasn't already been +allocated (ie, CONFIG_CPUMASK_OFFSTACK is set). However, when +CONFIG_CPUMASK_OFFSTACK is not set, sd_sysctl_cpus is left +uninitialized (all zeroes) and the kernel may fail to initialize +sched_domain sysctl entries for all possible CPUs. + +This is visible to the user if the kernel is booted with maxcpus=n, or +if ACPI tables have been modified to leave CPUs offline, and then +checking for missing /proc/sys/kernel/sched_domain/cpu* entries. + +Fix this by separating the allocation and initialization, and adding a +flag to initialize the possible CPU entries while system booting only. + +Tested-by: Syuuichirou Ishii +Tested-by: Tarumizu, Kohei +Signed-off-by: Hidetoshi Seto +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Masayoshi Mizuma +Acked-by: Joe Lawrence +Cc: Linus Torvalds +Cc: Masayoshi Mizuma +Cc: Mike Galbraith +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: https://lkml.kernel.org/r/20190129151245.5073-1-msys.mizuma@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/sched/debug.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/kernel/sched/debug.c b/kernel/sched/debug.c +index 2f93e4a2d9f6..187c04a34ba1 100644 +--- a/kernel/sched/debug.c ++++ b/kernel/sched/debug.c +@@ -339,6 +339,7 @@ void register_sched_domain_sysctl(void) + { + static struct ctl_table *cpu_entries; + static struct ctl_table **cpu_idx; ++ static bool init_done = false; + char buf[32]; + int i; + +@@ -368,7 +369,10 @@ void register_sched_domain_sysctl(void) + if (!cpumask_available(sd_sysctl_cpus)) { + if (!alloc_cpumask_var(&sd_sysctl_cpus, GFP_KERNEL)) + return; ++ } + ++ if (!init_done) { ++ init_done = true; + /* init to possible to not have holes in @cpu_entries */ + cpumask_copy(sd_sysctl_cpus, cpu_possible_mask); + } +-- +2.19.1 + diff --git a/queue-4.14/sched-topology-fix-percpu-data-types-in-struct-sd_da.patch b/queue-4.14/sched-topology-fix-percpu-data-types-in-struct-sd_da.patch new file mode 100644 index 00000000000..9c64a80ab1e --- /dev/null +++ b/queue-4.14/sched-topology-fix-percpu-data-types-in-struct-sd_da.patch @@ -0,0 +1,81 @@ +From 7844d78ad19420833c68be340ce5c2e75cd599c1 Mon Sep 17 00:00:00 2001 +From: Luc Van Oostenryck +Date: Fri, 18 Jan 2019 15:49:36 +0100 +Subject: sched/topology: Fix percpu data types in struct sd_data & struct + s_data + +[ Upstream commit 99687cdbb3f6c8e32bcc7f37496e811f30460e48 ] + +The percpu members of struct sd_data and s_data are declared as: + + struct ... ** __percpu member; + +So their type is: + + __percpu pointer to pointer to struct ... + +But looking at how they're used, their type should be: + + pointer to __percpu pointer to struct ... + +and they should thus be declared as: + + struct ... * __percpu *member; + +So fix the placement of '__percpu' in the definition of these +structures. + +This addresses a bunch of Sparse's warnings like: + + warning: incorrect type in initializer (different address spaces) + expected void const [noderef] *__vpp_verify + got struct sched_domain ** + +Signed-off-by: Luc Van Oostenryck +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: https://lkml.kernel.org/r/20190118144936.79158-1-luc.vanoostenryck@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + include/linux/sched/topology.h | 8 ++++---- + kernel/sched/topology.c | 2 +- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/include/linux/sched/topology.h b/include/linux/sched/topology.h +index cf257c2e728d..5a92baa91e0c 100644 +--- a/include/linux/sched/topology.h ++++ b/include/linux/sched/topology.h +@@ -177,10 +177,10 @@ typedef int (*sched_domain_flags_f)(void); + #define SDTL_OVERLAP 0x01 + + struct sd_data { +- struct sched_domain **__percpu sd; +- struct sched_domain_shared **__percpu sds; +- struct sched_group **__percpu sg; +- struct sched_group_capacity **__percpu sgc; ++ struct sched_domain *__percpu *sd; ++ struct sched_domain_shared *__percpu *sds; ++ struct sched_group *__percpu *sg; ++ struct sched_group_capacity *__percpu *sgc; + }; + + struct sched_domain_topology_level { +diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c +index 659e075ef70b..9dcd80ed9d4c 100644 +--- a/kernel/sched/topology.c ++++ b/kernel/sched/topology.c +@@ -499,7 +499,7 @@ static int __init isolated_cpu_setup(char *str) + __setup("isolcpus=", isolated_cpu_setup); + + struct s_data { +- struct sched_domain ** __percpu sd; ++ struct sched_domain * __percpu *sd; + struct root_domain *rd; + }; + +-- +2.19.1 + diff --git a/queue-4.14/scsi-core-replace-gfp_atomic-with-gfp_kernel-in-scsi.patch b/queue-4.14/scsi-core-replace-gfp_atomic-with-gfp_kernel-in-scsi.patch new file mode 100644 index 00000000000..439564a489f --- /dev/null +++ b/queue-4.14/scsi-core-replace-gfp_atomic-with-gfp_kernel-in-scsi.patch @@ -0,0 +1,114 @@ +From 7519cc3bd3213f285c0cde40a0694210666531db Mon Sep 17 00:00:00 2001 +From: Benjamin Block +Date: Thu, 21 Feb 2019 10:18:00 +0100 +Subject: scsi: core: replace GFP_ATOMIC with GFP_KERNEL in scsi_scan.c + +[ Upstream commit 1749ef00f7312679f76d5e9104c5d1e22a829038 ] + +We had a test-report where, under memory pressure, adding LUNs to the +systems would fail (the tests add LUNs strictly in sequence): + +[ 5525.853432] scsi 0:0:1:1088045124: Direct-Access IBM 2107900 .148 PQ: 0 ANSI: 5 +[ 5525.853826] scsi 0:0:1:1088045124: alua: supports implicit TPGS +[ 5525.853830] scsi 0:0:1:1088045124: alua: device naa.6005076303ffd32700000000000044da port group 0 rel port 43 +[ 5525.853931] sd 0:0:1:1088045124: Attached scsi generic sg10 type 0 +[ 5525.854075] sd 0:0:1:1088045124: [sdk] Disabling DIF Type 1 protection +[ 5525.855495] sd 0:0:1:1088045124: [sdk] 2097152 512-byte logical blocks: (1.07 GB/1.00 GiB) +[ 5525.855606] sd 0:0:1:1088045124: [sdk] Write Protect is off +[ 5525.855609] sd 0:0:1:1088045124: [sdk] Mode Sense: ed 00 00 08 +[ 5525.855795] sd 0:0:1:1088045124: [sdk] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA +[ 5525.857838] sdk: sdk1 +[ 5525.859468] sd 0:0:1:1088045124: [sdk] Attached SCSI disk +[ 5525.865073] sd 0:0:1:1088045124: alua: transition timeout set to 60 seconds +[ 5525.865078] sd 0:0:1:1088045124: alua: port group 00 state A preferred supports tolusnA +[ 5526.015070] sd 0:0:1:1088045124: alua: port group 00 state A preferred supports tolusnA +[ 5526.015213] sd 0:0:1:1088045124: alua: port group 00 state A preferred supports tolusnA +[ 5526.587439] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured +[ 5526.588562] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured + +Looking at the code of scsi_alloc_sdev(), and all the calling contexts, +there seems to be no reason to use GFP_ATMOIC here. All the different +call-contexts use a mutex at some point, and nothing in between that +requires no sleeping, as far as I could see. Additionally, the code that +later allocates the block queue for the device (scsi_mq_alloc_queue()) +already uses GFP_KERNEL. + +There are similar allocations in two other functions: +scsi_probe_and_add_lun(), and scsi_add_lun(),; that can also be done with +GFP_KERNEL. + +Here is the contexts for the three functions so far: + + scsi_alloc_sdev() + scsi_probe_and_add_lun() + scsi_sequential_lun_scan() + __scsi_scan_target() + scsi_scan_target() + mutex_lock() + scsi_scan_channel() + scsi_scan_host_selected() + mutex_lock() + scsi_report_lun_scan() + __scsi_scan_target() + ... + __scsi_add_device() + mutex_lock() + __scsi_scan_target() + ... + scsi_report_lun_scan() + ... + scsi_get_host_dev() + mutex_lock() + + scsi_probe_and_add_lun() + ... + + scsi_add_lun() + scsi_probe_and_add_lun() + ... + +So replace all these, and give them a bit of a better chance to succeed, +with more chances of reclaim. + +Signed-off-by: Benjamin Block +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_scan.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c +index 40124648a07b..0b11405bfd7e 100644 +--- a/drivers/scsi/scsi_scan.c ++++ b/drivers/scsi/scsi_scan.c +@@ -220,7 +220,7 @@ static struct scsi_device *scsi_alloc_sdev(struct scsi_target *starget, + struct Scsi_Host *shost = dev_to_shost(starget->dev.parent); + + sdev = kzalloc(sizeof(*sdev) + shost->transportt->device_size, +- GFP_ATOMIC); ++ GFP_KERNEL); + if (!sdev) + goto out; + +@@ -796,7 +796,7 @@ static int scsi_add_lun(struct scsi_device *sdev, unsigned char *inq_result, + */ + sdev->inquiry = kmemdup(inq_result, + max_t(size_t, sdev->inquiry_len, 36), +- GFP_ATOMIC); ++ GFP_KERNEL); + if (sdev->inquiry == NULL) + return SCSI_SCAN_NO_RESPONSE; + +@@ -1085,7 +1085,7 @@ static int scsi_probe_and_add_lun(struct scsi_target *starget, + if (!sdev) + goto out; + +- result = kmalloc(result_len, GFP_ATOMIC | ++ result = kmalloc(result_len, GFP_KERNEL | + ((shost->unchecked_isa_dma) ? __GFP_DMA : 0)); + if (!result) + goto out_free_sdev; +-- +2.19.1 + diff --git a/queue-4.14/scsi-fcoe-make-use-of-fip_mode-enum-complete.patch b/queue-4.14/scsi-fcoe-make-use-of-fip_mode-enum-complete.patch new file mode 100644 index 00000000000..c16d5b193c6 --- /dev/null +++ b/queue-4.14/scsi-fcoe-make-use-of-fip_mode-enum-complete.patch @@ -0,0 +1,149 @@ +From ec2c68579120748043b6d17449a28deda8a21852 Mon Sep 17 00:00:00 2001 +From: Sedat Dilek +Date: Fri, 15 Feb 2019 13:19:20 +0100 +Subject: scsi: fcoe: make use of fip_mode enum complete + +[ Upstream commit 8beb90aaf334a6efa3e924339926b5f93a234dbb ] + +commit 1917d42d14b7 ("fcoe: use enum for fip_mode") introduces a separate +enum for the fip_mode that shall be used during initialisation handling +until it is passed to fcoe_ctrl_link_up to set the initial fip_state. That +change was incomplete and gcc quietly converted in various places between +the fip_mode and the fip_state enum values with implicit enum conversions, +which fortunately cannot cause any issues in the actual code's execution. + +clang however warns about these implicit enum conversions in the scsi +drivers. This commit consolidates the use of the two enums, guided by +clang's enum-conversion warnings. + +This commit now completes the use of the fip_mode: It expects and uses +fip_mode in {bnx2fc,fcoe}_interface_create and fcoe_ctlr_init, and it calls +fcoe_ctrl_set_set() with the correct values in fcoe_ctlr_link_up(). It +also breaks the association between FIP_MODE_AUTO and FIP_ST_AUTO to +indicate these two enums are distinct. + +Link: https://github.com/ClangBuiltLinux/linux/issues/151 +Fixes: 1917d42d14b7 ("fcoe: use enum for fip_mode") +Reported-by: Dmitry Golovin +Original-by: Lukas Bulwahn +CC: Lukas Bulwahn +CC: Nick Desaulniers +CC: Nathan Chancellor +Reviewed-by: Nathan Chancellor +Tested-by: Nathan Chancellor +Suggested-by: Johannes Thumshirn +Signed-off-by: Sedat Dilek +Signed-off-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 2 +- + drivers/scsi/fcoe/fcoe.c | 2 +- + drivers/scsi/fcoe/fcoe_ctlr.c | 7 +++++-- + drivers/scsi/fcoe/fcoe_transport.c | 2 +- + drivers/scsi/qedf/qedf_main.c | 2 +- + include/scsi/libfcoe.h | 4 ++-- + 6 files changed, 11 insertions(+), 8 deletions(-) + +diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c +index 89f09b122135..116a56f0af01 100644 +--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c ++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c +@@ -1445,7 +1445,7 @@ bind_err: + static struct bnx2fc_interface * + bnx2fc_interface_create(struct bnx2fc_hba *hba, + struct net_device *netdev, +- enum fip_state fip_mode) ++ enum fip_mode fip_mode) + { + struct fcoe_ctlr_device *ctlr_dev; + struct bnx2fc_interface *interface; +diff --git a/drivers/scsi/fcoe/fcoe.c b/drivers/scsi/fcoe/fcoe.c +index 85f9a3eba387..99b46dc87a37 100644 +--- a/drivers/scsi/fcoe/fcoe.c ++++ b/drivers/scsi/fcoe/fcoe.c +@@ -390,7 +390,7 @@ static int fcoe_interface_setup(struct fcoe_interface *fcoe, + * Returns: pointer to a struct fcoe_interface or NULL on error + */ + static struct fcoe_interface *fcoe_interface_create(struct net_device *netdev, +- enum fip_state fip_mode) ++ enum fip_mode fip_mode) + { + struct fcoe_ctlr_device *ctlr_dev; + struct fcoe_ctlr *ctlr; +diff --git a/drivers/scsi/fcoe/fcoe_ctlr.c b/drivers/scsi/fcoe/fcoe_ctlr.c +index 03019e07abb9..bd61bf4e2da2 100644 +--- a/drivers/scsi/fcoe/fcoe_ctlr.c ++++ b/drivers/scsi/fcoe/fcoe_ctlr.c +@@ -147,7 +147,7 @@ static void fcoe_ctlr_map_dest(struct fcoe_ctlr *fip) + * fcoe_ctlr_init() - Initialize the FCoE Controller instance + * @fip: The FCoE controller to initialize + */ +-void fcoe_ctlr_init(struct fcoe_ctlr *fip, enum fip_state mode) ++void fcoe_ctlr_init(struct fcoe_ctlr *fip, enum fip_mode mode) + { + fcoe_ctlr_set_state(fip, FIP_ST_LINK_WAIT); + fip->mode = mode; +@@ -454,7 +454,10 @@ void fcoe_ctlr_link_up(struct fcoe_ctlr *fip) + mutex_unlock(&fip->ctlr_mutex); + fc_linkup(fip->lp); + } else if (fip->state == FIP_ST_LINK_WAIT) { +- fcoe_ctlr_set_state(fip, fip->mode); ++ if (fip->mode == FIP_MODE_NON_FIP) ++ fcoe_ctlr_set_state(fip, FIP_ST_NON_FIP); ++ else ++ fcoe_ctlr_set_state(fip, FIP_ST_AUTO); + switch (fip->mode) { + default: + LIBFCOE_FIP_DBG(fip, "invalid mode %d\n", fip->mode); +diff --git a/drivers/scsi/fcoe/fcoe_transport.c b/drivers/scsi/fcoe/fcoe_transport.c +index 375c536cbc68..f5ed2d6cc70c 100644 +--- a/drivers/scsi/fcoe/fcoe_transport.c ++++ b/drivers/scsi/fcoe/fcoe_transport.c +@@ -870,7 +870,7 @@ static int fcoe_transport_create(const char *buffer, struct kernel_param *kp) + int rc = -ENODEV; + struct net_device *netdev = NULL; + struct fcoe_transport *ft = NULL; +- enum fip_state fip_mode = (enum fip_state)(long)kp->arg; ++ enum fip_mode fip_mode = (enum fip_mode)kp->arg; + + mutex_lock(&ft_mutex); + +diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c +index 56bcdd412d26..7756901f99da 100644 +--- a/drivers/scsi/qedf/qedf_main.c ++++ b/drivers/scsi/qedf/qedf_main.c +@@ -1382,7 +1382,7 @@ static struct libfc_function_template qedf_lport_template = { + + static void qedf_fcoe_ctlr_setup(struct qedf_ctx *qedf) + { +- fcoe_ctlr_init(&qedf->ctlr, FIP_ST_AUTO); ++ fcoe_ctlr_init(&qedf->ctlr, FIP_MODE_AUTO); + + qedf->ctlr.send = qedf_fip_send; + qedf->ctlr.get_src_addr = qedf_get_src_mac; +diff --git a/include/scsi/libfcoe.h b/include/scsi/libfcoe.h +index 722d3264d3bf..a4e41444f5fe 100644 +--- a/include/scsi/libfcoe.h ++++ b/include/scsi/libfcoe.h +@@ -79,7 +79,7 @@ enum fip_state { + * It must not change after fcoe_ctlr_init() sets it. + */ + enum fip_mode { +- FIP_MODE_AUTO = FIP_ST_AUTO, ++ FIP_MODE_AUTO, + FIP_MODE_NON_FIP, + FIP_MODE_FABRIC, + FIP_MODE_VN2VN, +@@ -250,7 +250,7 @@ struct fcoe_rport { + }; + + /* FIP API functions */ +-void fcoe_ctlr_init(struct fcoe_ctlr *, enum fip_state); ++void fcoe_ctlr_init(struct fcoe_ctlr *, enum fip_mode); + void fcoe_ctlr_destroy(struct fcoe_ctlr *); + void fcoe_ctlr_link_up(struct fcoe_ctlr *); + int fcoe_ctlr_link_down(struct fcoe_ctlr *); +-- +2.19.1 + diff --git a/queue-4.14/scsi-hisi_sas-set-phy-linkrate-when-disconnected.patch b/queue-4.14/scsi-hisi_sas-set-phy-linkrate-when-disconnected.patch new file mode 100644 index 00000000000..20647981f07 --- /dev/null +++ b/queue-4.14/scsi-hisi_sas-set-phy-linkrate-when-disconnected.patch @@ -0,0 +1,81 @@ +From 8fd3320cb345e1f3e3a67c1defe2f3903f28c883 Mon Sep 17 00:00:00 2001 +From: John Garry +Date: Thu, 28 Feb 2019 22:51:00 +0800 +Subject: scsi: hisi_sas: Set PHY linkrate when disconnected + +[ Upstream commit efdcad62e7b8a02fcccc5ccca57806dce1482ac8 ] + +When the PHY comes down, we currently do not set the negotiated linkrate: + +root@(none)$ pwd +/sys/class/sas_phy/phy-0:0 +root@(none)$ more enable +1 +root@(none)$ more negotiated_linkrate +12.0 Gbit +root@(none)$ echo 0 > enable +root@(none)$ more negotiated_linkrate +12.0 Gbit +root@(none)$ + +This patch fixes the driver code to set it properly when the PHY comes +down. + +If the PHY had been enabled, then set unknown; otherwise, flag as disabled. + +The logical place to set the negotiated linkrate for this scenario is PHY +down routine, which is called from the PHY down ISR. + +However, it is not possible to know if the PHY comes down due to PHY +disable or loss of link, as sas_phy.enabled member is not set until after +the transport disable routine is complete, which races with the PHY down +ISR. + +As an imperfect solution, use sas_phy_data.enable as the flag to know if +the PHY is down due to disable. It's imperfect, as sas_phy_data is internal +to libsas. + +I can't see another way without adding a new field to hisi_sas_phy and +managing it, or changing SCSI SAS transport. + +Signed-off-by: John Garry +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_main.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c +index 8fa9bb336ad4..b167411580ba 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_main.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c +@@ -10,6 +10,7 @@ + */ + + #include "hisi_sas.h" ++#include "../libsas/sas_internal.h" + #define DRV_NAME "hisi_sas" + + #define DEV_IS_GONE(dev) \ +@@ -1508,9 +1509,18 @@ static void hisi_sas_port_formed(struct asd_sas_phy *sas_phy) + + static void hisi_sas_phy_disconnected(struct hisi_sas_phy *phy) + { ++ struct asd_sas_phy *sas_phy = &phy->sas_phy; ++ struct sas_phy *sphy = sas_phy->phy; ++ struct sas_phy_data *d = sphy->hostdata; ++ + phy->phy_attached = 0; + phy->phy_type = 0; + phy->port = NULL; ++ ++ if (d->enable) ++ sphy->negotiated_linkrate = SAS_LINK_RATE_UNKNOWN; ++ else ++ sphy->negotiated_linkrate = SAS_PHY_DISABLED; + } + + void hisi_sas_phy_down(struct hisi_hba *hisi_hba, int phy_no, int rdy) +-- +2.19.1 + diff --git a/queue-4.14/scsi-megaraid_sas-return-error-when-create-dma-pool-.patch b/queue-4.14/scsi-megaraid_sas-return-error-when-create-dma-pool-.patch new file mode 100644 index 00000000000..09f4612f1fc --- /dev/null +++ b/queue-4.14/scsi-megaraid_sas-return-error-when-create-dma-pool-.patch @@ -0,0 +1,79 @@ +From 27125def08eb98cb966fc5529305e28a24b04d67 Mon Sep 17 00:00:00 2001 +From: Jason Yan +Date: Fri, 15 Feb 2019 19:50:27 +0800 +Subject: scsi: megaraid_sas: return error when create DMA pool failed + +[ Upstream commit bcf3b67d16a4c8ffae0aa79de5853435e683945c ] + +when create DMA pool for cmd frames failed, we should return -ENOMEM, +instead of 0. +In some case in: + + megasas_init_adapter_fusion() + + -->megasas_alloc_cmds() + -->megasas_create_frame_pool + create DMA pool failed, + --> megasas_free_cmds() [1] + + -->megasas_alloc_cmds_fusion() + failed, then goto fail_alloc_cmds. + -->megasas_free_cmds() [2] + +we will call megasas_free_cmds twice, [1] will kfree cmd_list, +[2] will use cmd_list.it will cause a problem: + +Unable to handle kernel NULL pointer dereference at virtual address +00000000 +pgd = ffffffc000f70000 +[00000000] *pgd=0000001fbf893003, *pud=0000001fbf893003, +*pmd=0000001fbf894003, *pte=006000006d000707 +Internal error: Oops: 96000005 [#1] SMP + Modules linked in: + CPU: 18 PID: 1 Comm: swapper/0 Not tainted + task: ffffffdfb9290000 ti: ffffffdfb923c000 task.ti: ffffffdfb923c000 + PC is at megasas_free_cmds+0x30/0x70 + LR is at megasas_free_cmds+0x24/0x70 + ... + Call trace: + [] megasas_free_cmds+0x30/0x70 + [] megasas_init_adapter_fusion+0x2f4/0x4d8 + [] megasas_init_fw+0x2dc/0x760 + [] megasas_probe_one+0x3c0/0xcd8 + [] local_pci_probe+0x4c/0xb4 + [] pci_device_probe+0x11c/0x14c + [] driver_probe_device+0x1ec/0x430 + [] __driver_attach+0xa8/0xb0 + [] bus_for_each_dev+0x74/0xc8 + [] driver_attach+0x28/0x34 + [] bus_add_driver+0x16c/0x248 + [] driver_register+0x6c/0x138 + [] __pci_register_driver+0x5c/0x6c + [] megasas_init+0xc0/0x1a8 + [] do_one_initcall+0xe8/0x1ec + [] kernel_init_freeable+0x1c8/0x284 + [] kernel_init+0x1c/0xe4 + +Signed-off-by: Jason Yan +Acked-by: Sumit Saxena +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c +index d0abee3e6ed9..7f1ecd264652 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -4087,6 +4087,7 @@ int megasas_alloc_cmds(struct megasas_instance *instance) + if (megasas_create_frame_pool(instance)) { + dev_printk(KERN_DEBUG, &instance->pdev->dev, "Error creating frame DMA pool\n"); + megasas_free_cmds(instance); ++ return -ENOMEM; + } + + return 0; +-- +2.19.1 + diff --git a/queue-4.14/selinux-do-not-override-context-on-context-mounts.patch b/queue-4.14/selinux-do-not-override-context-on-context-mounts.patch new file mode 100644 index 00000000000..cd60e2b34d2 --- /dev/null +++ b/queue-4.14/selinux-do-not-override-context-on-context-mounts.patch @@ -0,0 +1,100 @@ +From 849a49e6952a6f0eaf735f4e8ebeb178a228ad34 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Fri, 21 Dec 2018 21:18:53 +0100 +Subject: selinux: do not override context on context mounts + +[ Upstream commit 53e0c2aa9a59a48e3798ef193d573ade85aa80f5 ] + +Ignore all selinux_inode_notifysecctx() calls on mounts with SBLABEL_MNT +flag unset. This is achived by returning -EOPNOTSUPP for this case in +selinux_inode_setsecurtity() (because that function should not be called +in such case anyway) and translating this error to 0 in +selinux_inode_notifysecctx(). + +This fixes behavior of kernfs-based filesystems when mounted with the +'context=' option. Before this patch, if a node's context had been +explicitly set to a non-default value and later the filesystem has been +remounted with the 'context=' option, then this node would show up as +having the manually-set context and not the mount-specified one. + +Steps to reproduce: + # mount -t cgroup2 cgroup2 /sys/fs/cgroup/unified + # chcon unconfined_u:object_r:user_home_t:s0 /sys/fs/cgroup/unified/cgroup.stat + # ls -lZ /sys/fs/cgroup/unified + total 0 + -r--r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.controllers + -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.max.depth + -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.max.descendants + -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.procs + -r--r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 0 Dec 13 10:41 cgroup.stat + -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.subtree_control + -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.threads + # umount /sys/fs/cgroup/unified + # mount -o context=system_u:object_r:tmpfs_t:s0 -t cgroup2 cgroup2 /sys/fs/cgroup/unified + +Result before: + # ls -lZ /sys/fs/cgroup/unified + total 0 + -r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.controllers + -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.depth + -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.descendants + -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.procs + -r--r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 0 Dec 13 10:41 cgroup.stat + -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.subtree_control + -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.threads + +Result after: + # ls -lZ /sys/fs/cgroup/unified + total 0 + -r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.controllers + -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.depth + -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.descendants + -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.procs + -r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.stat + -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.subtree_control + -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.threads + +Signed-off-by: Ondrej Mosnacek +Reviewed-by: Stephen Smalley +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + security/selinux/hooks.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index a5d9c0146ac3..b72aa48f6478 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -3339,12 +3339,16 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name, + const void *value, size_t size, int flags) + { + struct inode_security_struct *isec = inode_security_novalidate(inode); ++ struct superblock_security_struct *sbsec = inode->i_sb->s_security; + u32 newsid; + int rc; + + if (strcmp(name, XATTR_SELINUX_SUFFIX)) + return -EOPNOTSUPP; + ++ if (!(sbsec->flags & SBLABEL_MNT)) ++ return -EOPNOTSUPP; ++ + if (!value || !size) + return -EACCES; + +@@ -6103,7 +6107,10 @@ static void selinux_inode_invalidate_secctx(struct inode *inode) + */ + static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) + { +- return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); ++ int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ++ ctx, ctxlen, 0); ++ /* Do not return error when suppressing label (SBLABEL_MNT not set). */ ++ return rc == -EOPNOTSUPP ? 0 : rc; + } + + /* +-- +2.19.1 + diff --git a/queue-4.14/serial-8250_pxa-honor-the-port-number-from-devicetre.patch b/queue-4.14/serial-8250_pxa-honor-the-port-number-from-devicetre.patch new file mode 100644 index 00000000000..ed4309dac1f --- /dev/null +++ b/queue-4.14/serial-8250_pxa-honor-the-port-number-from-devicetre.patch @@ -0,0 +1,43 @@ +From 6cb39aa657aac56c018245d7c0457d4340a79c7f Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Sun, 24 Feb 2019 12:58:02 +0100 +Subject: serial: 8250_pxa: honor the port number from devicetree + +[ Upstream commit fe9ed6d2483fda55465f32924fb15bce0fac3fac ] + +Like the other OF-enabled drivers, use the port number from the firmware if +the devicetree specifies an alias: + + aliases { + ... + serial2 = &uart2; /* Should be ttyS2 */ + } + +This is how the deprecated pxa.c driver behaved, switching to 8250_pxa +messes up the numbering. + +Signed-off-by: Lubomir Rintel +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_pxa.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/tty/serial/8250/8250_pxa.c b/drivers/tty/serial/8250/8250_pxa.c +index 4d68731af534..de1372ba24b1 100644 +--- a/drivers/tty/serial/8250/8250_pxa.c ++++ b/drivers/tty/serial/8250/8250_pxa.c +@@ -118,6 +118,10 @@ static int serial_pxa_probe(struct platform_device *pdev) + if (ret) + return ret; + ++ ret = of_alias_get_id(pdev->dev.of_node, "serial"); ++ if (ret >= 0) ++ uart.port.line = ret; ++ + uart.port.type = PORT_XSCALE; + uart.port.iotype = UPIO_MEM32; + uart.port.mapbase = mmres->start; +-- +2.19.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 9f24c2567c6..1cc14d252f2 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -4,3 +4,118 @@ lib-int_sqrt-optimize-initial-value-compute.patch tty-serial-atmel-add-is_half_duplex-helper.patch tty-serial-atmel-rs485-hd-w-dma-enable-rx-after-tx-is-stopped.patch mm-mempolicy-make-mbind-return-eio-when-mpol_mf_strict-is-specified.patch +cifs-fix-posix-lock-leak-and-invalid-ptr-deref.patch +h8300-use-cc-cross-prefix-instead-of-hardcoding-h830.patch +f2fs-fix-to-avoid-deadlock-in-f2fs_read_inline_dir.patch +tracing-kdb-fix-ftdump-to-not-sleep.patch +net-mlx5-avoid-panic-when-setting-vport-rate.patch +net-mlx5-avoid-panic-when-setting-vport-mac-getting-.patch +gpio-gpio-omap-fix-level-interrupt-idling.patch +include-linux-relay.h-fix-percpu-annotation-in-struc.patch +sysctl-handle-overflow-for-file-max.patch +enic-fix-build-warning-without-config_cpumask_offsta.patch +scsi-hisi_sas-set-phy-linkrate-when-disconnected.patch +iio-adc-fix-warning-in-qualcomm-pm8xxx-hk-xoadc-driv.patch +perf-c2c-fix-c2c-report-for-empty-numa-node.patch +mm-cma.c-cma_declare_contiguous-correct-err-handling.patch +mm-page_ext.c-fix-an-imbalance-with-kmemleak.patch +mm-mempolicy-fix-uninit-memory-access.patch +mm-vmalloc.c-fix-kernel-bug-at-mm-vmalloc.c-512.patch +mm-slab.c-kmemleak-no-scan-alien-caches.patch +ocfs2-fix-a-panic-problem-caused-by-o2cb_ctl.patch +f2fs-do-not-use-mutex-lock-in-atomic-context.patch +fs-file.c-initialize-init_files.resize_wait.patch +page_poison-play-nicely-with-kasan.patch +cifs-use-correct-format-characters.patch +dm-thin-add-sanity-checks-to-thin-pool-and-external-.patch +cifs-fix-null-pointer-dereference-of-devname.patch +fs-make-splice-and-tee-take-into-account-o_nonblock-.patch +jbd2-fix-invalid-descriptor-block-checksum.patch +fs-fix-guard_bio_eod-to-check-for-real-eod-errors.patch +tools-lib-traceevent-fix-buffer-overflow-in-arg_eval.patch +pci-pme-fix-hotplug-sysfs-remove-deadlock-in-pcie_pm.patch +wil6210-check-null-pointer-in-_wil_cfg80211_merge_ex.patch +crypto-crypto4xx-add-missing-of_node_put-after-of_de.patch +crypto-cavium-zip-fix-collision-with-generic-cra_dri.patch +usb-chipidea-grab-the-legacy-usb-phy-by-phandle-firs.patch +scsi-core-replace-gfp_atomic-with-gfp_kernel-in-scsi.patch +powerpc-xmon-fix-opcode-being-uninitialized-in-print.patch +coresight-etm4x-add-support-to-enable-etmv4.2.patch +serial-8250_pxa-honor-the-port-number-from-devicetre.patch +arm-8840-1-use-a-raw_spinlock_t-in-unwind.patch +iommu-io-pgtable-arm-v7s-only-kmemleak_ignore-l2-tab.patch +powerpc-hugetlb-handle-mmap_min_addr-correctly-in-ge.patch +mmc-omap-fix-the-maximum-timeout-setting.patch +e1000e-fix-wformat-truncation-warnings.patch +mlxsw-spectrum-avoid-wformat-truncation-warnings.patch +ib-mlx4-increase-the-timeout-for-cm-cache.patch +clk-fractional-divider-check-parent-rate-only-if-fla.patch +cpufreq-acpi-cpufreq-report-if-cpu-doesn-t-support-b.patch +efi-cper-fix-possible-out-of-bounds-access.patch +scsi-megaraid_sas-return-error-when-create-dma-pool-.patch +scsi-fcoe-make-use-of-fip_mode-enum-complete.patch +perf-test-fix-failure-of-evsel-tp-sched-test-on-s390.patch +soc-imx-sgtl5000-add-missing-put_device.patch +media-sh_veu-correct-return-type-for-mem2mem-buffer-.patch +media-s5p-jpeg-correct-return-type-for-mem2mem-buffe.patch +media-s5p-g2d-correct-return-type-for-mem2mem-buffer.patch +media-mx2_emmaprp-correct-return-type-for-mem2mem-bu.patch +media-mtk-jpeg-correct-return-type-for-mem2mem-buffe.patch +vfs-fix-preadv64v2-and-pwritev64v2-compat-syscalls-w.patch +hid-intel-ish-hid-avoid-binding-wrong-ishtp_cl_devic.patch +jbd2-fix-race-when-writing-superblock.patch +leds-lp55xx-fix-null-deref-on-firmware-load-failure.patch +iwlwifi-pcie-fix-emergency-path.patch +acpi-video-refactor-and-fix-dmi_is_desktop.patch +kprobes-prohibit-probing-on-bsearch.patch +netfilter-conntrack-fix-cloned-unconfirmed-skb-_nfct.patch +arm-8833-1-ensure-that-neon-code-always-compiles-wit.patch +alsa-pcm-check-if-ops-are-defined-before-suspending-.patch +usb-f_fs-avoid-crash-due-to-out-of-scope-stack-ptr-a.patch +sched-topology-fix-percpu-data-types-in-struct-sd_da.patch +bcache-fix-input-overflow-to-cache-set-sysfs-file-io.patch +bcache-fix-input-overflow-to-sequential_cutoff.patch +bcache-improve-sysfs_strtoul_clamp.patch +genirq-avoid-summation-loops-for-proc-stat.patch +iw_cxgb4-fix-srqidx-leak-during-connection-abort.patch +fbdev-fbmem-fix-memory-access-if-logo-is-bigger-than.patch +cdrom-fix-race-condition-in-cdrom_sysctl_register.patch +e1000e-fix-cyclic-resets-at-link-up-with-active-tx.patch +platform-x86-intel_pmc_core-fix-pch-ip-sts-reading.patch +asoc-fsl-asoc-card-fix-object-reference-leaks-in-fsl.patch +sched-debug-initialize-sd_sysctl_cpus-if-config_cpum.patch +efi-memattr-don-t-bail-on-zero-va-if-it-equals-the-r.patch +arm-dts-lpc32xx-remove-leading-0x-and-0s-from-bindin.patch +efi-arm-arm64-allow-setvirtualaddressmap-to-be-omitt.patch +soc-qcom-gsbi-fix-error-handling-in-gsbi_probe.patch +mt7601u-bump-supported-eeprom-version.patch +arm-8830-1-nommu-toggle-only-bits-in-exc_return-we-a.patch +arm-avoid-cortex-a9-livelock-on-tight-dmb-loops.patch +bpf-fix-missing-prototype-warnings.patch +cgroup-pids-turn-cgroup_subsys-free-into-cgroup_subs.patch +backlight-pwm_bl-use-gpiod_get_value_cansleep-to-get.patch +tty-increase-the-default-flip-buffer-limit-to-2-640k.patch +powerpc-pseries-perform-full-re-add-of-cpu-for-topol.patch +usb-dwc3-gadget-fix-otg-events-when-gadget-driver-is.patch +media-mt9m111-set-initial-frame-size-other-than-0x0.patch +hwrng-virtio-avoid-repeated-init-of-completion.patch +soc-tegra-fuse-fix-illegal-free-of-io-base-address.patch +hid-intel-ish-ipc-handle-pimr-before-ish_wakeup-also.patch +hpet-fix-missing-character-in-the-__setup-code-of-hp.patch +cpu-hotplug-mute-hotplug-lockdep-during-init.patch +dmaengine-imx-dma-fix-warning-comparison-of-distinct.patch +dmaengine-qcom_hidma-assign-channel-cookie-correctly.patch +dmaengine-qcom_hidma-initialize-tx-flags-in-hidma_pr.patch +netfilter-physdev-relax-br_netfilter-dependency.patch +media-s5p-jpeg-check-for-fmt_ver_flag-when-doing-fmt.patch +regulator-act8865-fix-act8600_sudcdc_voltage_ranges-.patch +drm-auto-set-allow_fb_modifiers-when-given-modifiers.patch +drm-nouveau-stop-using-drm_crtc_force_disable.patch +x86-build-specify-elf_i386-linker-emulation-explicit.patch +selinux-do-not-override-context-on-context-mounts.patch +wlcore-fix-memory-leak-in-case-wl12xx_fetch_firmware.patch +x86-build-mark-per-cpu-symbols-as-absolute-explicitl.patch +clk-rockchip-fix-frac-settings-of-gpll-clock-for-rk3.patch +dmaengine-tegra-avoid-overflow-of-byte-tracking.patch +drm-dp-mst-configure-no_stop_bit-correctly-for-remot.patch +acpi-video-extend-chassis-type-detection-with-a-lunc.patch diff --git a/queue-4.14/soc-imx-sgtl5000-add-missing-put_device.patch b/queue-4.14/soc-imx-sgtl5000-add-missing-put_device.patch new file mode 100644 index 00000000000..41bb33552a6 --- /dev/null +++ b/queue-4.14/soc-imx-sgtl5000-add-missing-put_device.patch @@ -0,0 +1,56 @@ +From e281f3509501a2fc760a22df41987eaf455b696b Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Mon, 18 Feb 2019 15:13:47 +0000 +Subject: SoC: imx-sgtl5000: add missing put_device() + +[ Upstream commit 8fa857da9744f513036df1c43ab57f338941ae7d ] + +The of_find_device_by_node() takes a reference to the underlying device +structure, we should release that reference. + +Detected by coccinelle with the following warnings: +./sound/soc/fsl/imx-sgtl5000.c:169:1-7: ERROR: missing put_device; +call of_find_device_by_node on line 105, but without a corresponding +object release within this function. +./sound/soc/fsl/imx-sgtl5000.c:177:1-7: ERROR: missing put_device; +call of_find_device_by_node on line 105, but without a corresponding +object release within this function. + +Signed-off-by: Wen Yang +Cc: Timur Tabi +Cc: Nicolin Chen +Cc: Xiubo Li +Cc: Fabio Estevam +Cc: Liam Girdwood +Cc: Mark Brown +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: Shawn Guo +Cc: Sascha Hauer +Cc: Pengutronix Kernel Team +Cc: NXP Linux Team +Cc: alsa-devel@alsa-project.org +Cc: linuxppc-dev@lists.ozlabs.org +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/imx-sgtl5000.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/fsl/imx-sgtl5000.c b/sound/soc/fsl/imx-sgtl5000.c +index b99e0b5e00e9..8e525f7ac08d 100644 +--- a/sound/soc/fsl/imx-sgtl5000.c ++++ b/sound/soc/fsl/imx-sgtl5000.c +@@ -115,6 +115,7 @@ static int imx_sgtl5000_probe(struct platform_device *pdev) + ret = -EPROBE_DEFER; + goto fail; + } ++ put_device(&ssi_pdev->dev); + codec_dev = of_find_i2c_device_by_node(codec_np); + if (!codec_dev) { + dev_err(&pdev->dev, "failed to find codec platform device\n"); +-- +2.19.1 + diff --git a/queue-4.14/soc-qcom-gsbi-fix-error-handling-in-gsbi_probe.patch b/queue-4.14/soc-qcom-gsbi-fix-error-handling-in-gsbi_probe.patch new file mode 100644 index 00000000000..92b1908e965 --- /dev/null +++ b/queue-4.14/soc-qcom-gsbi-fix-error-handling-in-gsbi_probe.patch @@ -0,0 +1,48 @@ +From 18cf238a1bf638f069e7cf31b4902a317e6289fa Mon Sep 17 00:00:00 2001 +From: Alexey Khoroshilov +Date: Sat, 8 Dec 2018 01:57:04 +0300 +Subject: soc: qcom: gsbi: Fix error handling in gsbi_probe() + +[ Upstream commit 8cd09a3dd3e176c62da67efcd477a44a8d87185e ] + +If of_platform_populate() fails in gsbi_probe(), +gsbi->hclk is left undisabled. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Signed-off-by: Bjorn Andersson +Signed-off-by: Andy Gross +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/qcom_gsbi.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/qcom/qcom_gsbi.c b/drivers/soc/qcom/qcom_gsbi.c +index 09c669e70d63..038abc377fdb 100644 +--- a/drivers/soc/qcom/qcom_gsbi.c ++++ b/drivers/soc/qcom/qcom_gsbi.c +@@ -138,7 +138,7 @@ static int gsbi_probe(struct platform_device *pdev) + struct resource *res; + void __iomem *base; + struct gsbi_info *gsbi; +- int i; ++ int i, ret; + u32 mask, gsbi_num; + const struct crci_config *config = NULL; + +@@ -221,7 +221,10 @@ static int gsbi_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, gsbi); + +- return of_platform_populate(node, NULL, NULL, &pdev->dev); ++ ret = of_platform_populate(node, NULL, NULL, &pdev->dev); ++ if (ret) ++ clk_disable_unprepare(gsbi->hclk); ++ return ret; + } + + static int gsbi_remove(struct platform_device *pdev) +-- +2.19.1 + diff --git a/queue-4.14/soc-tegra-fuse-fix-illegal-free-of-io-base-address.patch b/queue-4.14/soc-tegra-fuse-fix-illegal-free-of-io-base-address.patch new file mode 100644 index 00000000000..fdbdf9f432b --- /dev/null +++ b/queue-4.14/soc-tegra-fuse-fix-illegal-free-of-io-base-address.patch @@ -0,0 +1,108 @@ +From ea75258e0dd105a8bf1e1d0f1390e91dbd164f72 Mon Sep 17 00:00:00 2001 +From: Timo Alho +Date: Sun, 30 Dec 2018 17:58:08 +0200 +Subject: soc/tegra: fuse: Fix illegal free of IO base address + +[ Upstream commit 51294bf6b9e897d595466dcda5a3f2751906a200 ] + +On cases where device tree entries for fuse and clock provider are in +different order, fuse driver needs to defer probing. This leads to +freeing incorrect IO base address as the fuse->base variable gets +overwritten once during first probe invocation. This leads to the +following spew during boot: + +[ 3.082285] Trying to vfree() nonexistent vm area (00000000cfe8fd94) +[ 3.082308] WARNING: CPU: 5 PID: 126 at /hdd/l4t/kernel/stable/mm/vmalloc.c:1511 __vunmap+0xcc/0xd8 +[ 3.082318] Modules linked in: +[ 3.082330] CPU: 5 PID: 126 Comm: kworker/5:1 Tainted: G S 4.19.7-tegra-gce119d3 #1 +[ 3.082340] Hardware name: quill (DT) +[ 3.082353] Workqueue: events deferred_probe_work_func +[ 3.082364] pstate: 40000005 (nZcv daif -PAN -UAO) +[ 3.082372] pc : __vunmap+0xcc/0xd8 +[ 3.082379] lr : __vunmap+0xcc/0xd8 +[ 3.082385] sp : ffff00000a1d3b60 +[ 3.082391] x29: ffff00000a1d3b60 x28: 0000000000000000 +[ 3.082402] x27: 0000000000000000 x26: ffff000008e8b610 +[ 3.082413] x25: 0000000000000000 x24: 0000000000000009 +[ 3.082423] x23: ffff000009221a90 x22: ffff000009f6d000 +[ 3.082432] x21: 0000000000000000 x20: 0000000000000000 +[ 3.082442] x19: ffff000009f6d000 x18: ffffffffffffffff +[ 3.082452] x17: 0000000000000000 x16: 0000000000000000 +[ 3.082462] x15: ffff0000091396c8 x14: 0720072007200720 +[ 3.082471] x13: 0720072007200720 x12: 0720072907340739 +[ 3.082481] x11: 0764076607380765 x10: 0766076307300730 +[ 3.082491] x9 : 0730073007300730 x8 : 0730073007280720 +[ 3.082501] x7 : 0761076507720761 x6 : 0000000000000102 +[ 3.082510] x5 : 0000000000000000 x4 : 0000000000000000 +[ 3.082519] x3 : ffffffffffffffff x2 : ffff000009150ff8 +[ 3.082528] x1 : 3d95b1429fff5200 x0 : 0000000000000000 +[ 3.082538] Call trace: +[ 3.082545] __vunmap+0xcc/0xd8 +[ 3.082552] vunmap+0x24/0x30 +[ 3.082561] __iounmap+0x2c/0x38 +[ 3.082569] tegra_fuse_probe+0xc8/0x118 +[ 3.082577] platform_drv_probe+0x50/0xa0 +[ 3.082585] really_probe+0x1b0/0x288 +[ 3.082593] driver_probe_device+0x58/0x100 +[ 3.082601] __device_attach_driver+0x98/0xf0 +[ 3.082609] bus_for_each_drv+0x64/0xc8 +[ 3.082616] __device_attach+0xd8/0x130 +[ 3.082624] device_initial_probe+0x10/0x18 +[ 3.082631] bus_probe_device+0x90/0x98 +[ 3.082638] deferred_probe_work_func+0x74/0xb0 +[ 3.082649] process_one_work+0x1e0/0x318 +[ 3.082656] worker_thread+0x228/0x450 +[ 3.082664] kthread+0x128/0x130 +[ 3.082672] ret_from_fork+0x10/0x18 +[ 3.082678] ---[ end trace 0810fe6ba772c1c7 ]--- + +Fix this by retaining the value of fuse->base until driver has +successfully probed. + +Signed-off-by: Timo Alho +Acked-by: Jon Hunter +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/soc/tegra/fuse/fuse-tegra.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/soc/tegra/fuse/fuse-tegra.c b/drivers/soc/tegra/fuse/fuse-tegra.c +index b7c552e3133c..37bde5c8268d 100644 +--- a/drivers/soc/tegra/fuse/fuse-tegra.c ++++ b/drivers/soc/tegra/fuse/fuse-tegra.c +@@ -133,13 +133,17 @@ static int tegra_fuse_probe(struct platform_device *pdev) + /* take over the memory region from the early initialization */ + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + fuse->base = devm_ioremap_resource(&pdev->dev, res); +- if (IS_ERR(fuse->base)) +- return PTR_ERR(fuse->base); ++ if (IS_ERR(fuse->base)) { ++ err = PTR_ERR(fuse->base); ++ fuse->base = base; ++ return err; ++ } + + fuse->clk = devm_clk_get(&pdev->dev, "fuse"); + if (IS_ERR(fuse->clk)) { + dev_err(&pdev->dev, "failed to get FUSE clock: %ld", + PTR_ERR(fuse->clk)); ++ fuse->base = base; + return PTR_ERR(fuse->clk); + } + +@@ -148,8 +152,10 @@ static int tegra_fuse_probe(struct platform_device *pdev) + + if (fuse->soc->probe) { + err = fuse->soc->probe(fuse); +- if (err < 0) ++ if (err < 0) { ++ fuse->base = base; + return err; ++ } + } + + if (tegra_fuse_create_sysfs(&pdev->dev, fuse->soc->info->size, +-- +2.19.1 + diff --git a/queue-4.14/sysctl-handle-overflow-for-file-max.patch b/queue-4.14/sysctl-handle-overflow-for-file-max.patch new file mode 100644 index 00000000000..3f5e5c7ebbc --- /dev/null +++ b/queue-4.14/sysctl-handle-overflow-for-file-max.patch @@ -0,0 +1,70 @@ +From 0f1f3ec94e89af33a12c9b0728a6d1fca34129b4 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Thu, 7 Mar 2019 16:29:43 -0800 +Subject: sysctl: handle overflow for file-max + +[ Upstream commit 32a5ad9c22852e6bd9e74bdec5934ef9d1480bc5 ] + +Currently, when writing + + echo 18446744073709551616 > /proc/sys/fs/file-max + +/proc/sys/fs/file-max will overflow and be set to 0. That quickly +crashes the system. + +This commit sets the max and min value for file-max. The max value is +set to long int. Any higher value cannot currently be used as the +percpu counters are long ints and not unsigned integers. + +Note that the file-max value is ultimately parsed via +__do_proc_doulongvec_minmax(). This function does not report error when +min or max are exceeded. Which means if a value largen that long int is +written userspace will not receive an error instead the old value will be +kept. There is an argument to be made that this should be changed and +__do_proc_doulongvec_minmax() should return an error when a dedicated min +or max value are exceeded. However this has the potential to break +userspace so let's defer this to an RFC patch. + +Link: http://lkml.kernel.org/r/20190107222700.15954-3-christian@brauner.io +Signed-off-by: Christian Brauner +Acked-by: Kees Cook +Cc: Alexey Dobriyan +Cc: Al Viro +Cc: Dominik Brodowski +Cc: "Eric W. Biederman" +Cc: Joe Lawrence +Cc: Luis Chamberlain +Cc: Waiman Long +[christian@brauner.io: v4] + Link: http://lkml.kernel.org/r/20190210203943.8227-3-christian@brauner.io +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/sysctl.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index a7acb058b776..34a3b8a262a9 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -125,6 +125,7 @@ static int __maybe_unused one = 1; + static int __maybe_unused two = 2; + static int __maybe_unused four = 4; + static unsigned long one_ul = 1; ++static unsigned long long_max = LONG_MAX; + static int one_hundred = 100; + static int one_thousand = 1000; + #ifdef CONFIG_PRINTK +@@ -1681,6 +1682,8 @@ static struct ctl_table fs_table[] = { + .maxlen = sizeof(files_stat.max_files), + .mode = 0644, + .proc_handler = proc_doulongvec_minmax, ++ .extra1 = &zero, ++ .extra2 = &long_max, + }, + { + .procname = "nr_open", +-- +2.19.1 + diff --git a/queue-4.14/tools-lib-traceevent-fix-buffer-overflow-in-arg_eval.patch b/queue-4.14/tools-lib-traceevent-fix-buffer-overflow-in-arg_eval.patch new file mode 100644 index 00000000000..9b663d503ac --- /dev/null +++ b/queue-4.14/tools-lib-traceevent-fix-buffer-overflow-in-arg_eval.patch @@ -0,0 +1,47 @@ +From 5388db1c4679929f274b4dca081e66539e066567 Mon Sep 17 00:00:00 2001 +From: Tony Jones +Date: Wed, 27 Feb 2019 17:55:32 -0800 +Subject: tools lib traceevent: Fix buffer overflow in arg_eval + +[ Upstream commit 7c5b019e3a638a5a290b0ec020f6ca83d2ec2aaa ] + +Fix buffer overflow observed when running perf test. + +The overflow is when trying to evaluate "1ULL << (64 - 1)" which is +resulting in -9223372036854775808 which overflows the 20 character +buffer. + +If is possible this bug has been reported before but I still don't see +any fix checked in: + +See: https://www.spinics.net/lists/linux-perf-users/msg07714.html + +Reported-by: Michael Sartain +Reported-by: Mathias Krause +Signed-off-by: Tony Jones +Acked-by: Steven Rostedt (VMware) +Cc: Frederic Weisbecker +Fixes: f7d82350e597 ("tools/events: Add files to create libtraceevent.a") +Link: http://lkml.kernel.org/r/20190228015532.8941-1-tonyj@suse.de +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/traceevent/event-parse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c +index 9a17bc27296e..3955ba9e6fcb 100644 +--- a/tools/lib/traceevent/event-parse.c ++++ b/tools/lib/traceevent/event-parse.c +@@ -2430,7 +2430,7 @@ static int arg_num_eval(struct print_arg *arg, long long *val) + static char *arg_eval (struct print_arg *arg) + { + long long val; +- static char buf[20]; ++ static char buf[24]; + + switch (arg->type) { + case PRINT_ATOM: +-- +2.19.1 + diff --git a/queue-4.14/tracing-kdb-fix-ftdump-to-not-sleep.patch b/queue-4.14/tracing-kdb-fix-ftdump-to-not-sleep.patch new file mode 100644 index 00000000000..c2cd8f54917 --- /dev/null +++ b/queue-4.14/tracing-kdb-fix-ftdump-to-not-sleep.patch @@ -0,0 +1,143 @@ +From 00fbb23017bf136ccb1374c0d3e6e9f70bbf5985 Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Fri, 8 Mar 2019 11:32:04 -0800 +Subject: tracing: kdb: Fix ftdump to not sleep + +[ Upstream commit 31b265b3baaf55f209229888b7ffea523ddab366 ] + +As reported back in 2016-11 [1], the "ftdump" kdb command triggers a +BUG for "sleeping function called from invalid context". + +kdb's "ftdump" command wants to call ring_buffer_read_prepare() in +atomic context. A very simple solution for this is to add allocation +flags to ring_buffer_read_prepare() so kdb can call it without +triggering the allocation error. This patch does that. + +Note that in the original email thread about this, it was suggested +that perhaps the solution for kdb was to either preallocate the buffer +ahead of time or create our own iterator. I'm hoping that this +alternative of adding allocation flags to ring_buffer_read_prepare() +can be considered since it means I don't need to duplicate more of the +core trace code into "trace_kdb.c" (for either creating my own +iterator or re-preparing a ring allocator whose memory was already +allocated). + +NOTE: another option for kdb is to actually figure out how to make it +reuse the existing ftrace_dump() function and totally eliminate the +duplication. This sounds very appealing and actually works (the "sr +z" command can be seen to properly dump the ftrace buffer). The +downside here is that ftrace_dump() fully consumes the trace buffer. +Unless that is changed I'd rather not use it because it means "ftdump +| grep xyz" won't be very useful to search the ftrace buffer since it +will throw away the whole trace on the first grep. A future patch to +dump only the last few lines of the buffer will also be hard to +implement. + +[1] https://lkml.kernel.org/r/20161117191605.GA21459@google.com + +Link: http://lkml.kernel.org/r/20190308193205.213659-1-dianders@chromium.org + +Reported-by: Brian Norris +Signed-off-by: Douglas Anderson +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + include/linux/ring_buffer.h | 2 +- + kernel/trace/ring_buffer.c | 5 +++-- + kernel/trace/trace.c | 6 ++++-- + kernel/trace/trace_kdb.c | 6 ++++-- + 4 files changed, 12 insertions(+), 7 deletions(-) + +diff --git a/include/linux/ring_buffer.h b/include/linux/ring_buffer.h +index 5caa062a02b2..ca52b82128df 100644 +--- a/include/linux/ring_buffer.h ++++ b/include/linux/ring_buffer.h +@@ -123,7 +123,7 @@ ring_buffer_consume(struct ring_buffer *buffer, int cpu, u64 *ts, + unsigned long *lost_events); + + struct ring_buffer_iter * +-ring_buffer_read_prepare(struct ring_buffer *buffer, int cpu); ++ring_buffer_read_prepare(struct ring_buffer *buffer, int cpu, gfp_t flags); + void ring_buffer_read_prepare_sync(void); + void ring_buffer_read_start(struct ring_buffer_iter *iter); + void ring_buffer_read_finish(struct ring_buffer_iter *iter); +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index a1d5e0949dcf..5f7f4f07499f 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -4010,6 +4010,7 @@ EXPORT_SYMBOL_GPL(ring_buffer_consume); + * ring_buffer_read_prepare - Prepare for a non consuming read of the buffer + * @buffer: The ring buffer to read from + * @cpu: The cpu buffer to iterate over ++ * @flags: gfp flags to use for memory allocation + * + * This performs the initial preparations necessary to iterate + * through the buffer. Memory is allocated, buffer recording +@@ -4027,7 +4028,7 @@ EXPORT_SYMBOL_GPL(ring_buffer_consume); + * This overall must be paired with ring_buffer_read_finish. + */ + struct ring_buffer_iter * +-ring_buffer_read_prepare(struct ring_buffer *buffer, int cpu) ++ring_buffer_read_prepare(struct ring_buffer *buffer, int cpu, gfp_t flags) + { + struct ring_buffer_per_cpu *cpu_buffer; + struct ring_buffer_iter *iter; +@@ -4035,7 +4036,7 @@ ring_buffer_read_prepare(struct ring_buffer *buffer, int cpu) + if (!cpumask_test_cpu(cpu, buffer->cpumask)) + return NULL; + +- iter = kmalloc(sizeof(*iter), GFP_KERNEL); ++ iter = kmalloc(sizeof(*iter), flags); + if (!iter) + return NULL; + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 287e61aba57c..ffddb5ac255c 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -3901,7 +3901,8 @@ __tracing_open(struct inode *inode, struct file *file, bool snapshot) + if (iter->cpu_file == RING_BUFFER_ALL_CPUS) { + for_each_tracing_cpu(cpu) { + iter->buffer_iter[cpu] = +- ring_buffer_read_prepare(iter->trace_buffer->buffer, cpu); ++ ring_buffer_read_prepare(iter->trace_buffer->buffer, ++ cpu, GFP_KERNEL); + } + ring_buffer_read_prepare_sync(); + for_each_tracing_cpu(cpu) { +@@ -3911,7 +3912,8 @@ __tracing_open(struct inode *inode, struct file *file, bool snapshot) + } else { + cpu = iter->cpu_file; + iter->buffer_iter[cpu] = +- ring_buffer_read_prepare(iter->trace_buffer->buffer, cpu); ++ ring_buffer_read_prepare(iter->trace_buffer->buffer, ++ cpu, GFP_KERNEL); + ring_buffer_read_prepare_sync(); + ring_buffer_read_start(iter->buffer_iter[cpu]); + tracing_iter_reset(iter, cpu); +diff --git a/kernel/trace/trace_kdb.c b/kernel/trace/trace_kdb.c +index d953c163a079..810d78a8d14c 100644 +--- a/kernel/trace/trace_kdb.c ++++ b/kernel/trace/trace_kdb.c +@@ -51,14 +51,16 @@ static void ftrace_dump_buf(int skip_lines, long cpu_file) + if (cpu_file == RING_BUFFER_ALL_CPUS) { + for_each_tracing_cpu(cpu) { + iter.buffer_iter[cpu] = +- ring_buffer_read_prepare(iter.trace_buffer->buffer, cpu); ++ ring_buffer_read_prepare(iter.trace_buffer->buffer, ++ cpu, GFP_ATOMIC); + ring_buffer_read_start(iter.buffer_iter[cpu]); + tracing_iter_reset(&iter, cpu); + } + } else { + iter.cpu_file = cpu_file; + iter.buffer_iter[cpu_file] = +- ring_buffer_read_prepare(iter.trace_buffer->buffer, cpu_file); ++ ring_buffer_read_prepare(iter.trace_buffer->buffer, ++ cpu_file, GFP_ATOMIC); + ring_buffer_read_start(iter.buffer_iter[cpu_file]); + tracing_iter_reset(&iter, cpu_file); + } +-- +2.19.1 + diff --git a/queue-4.14/tty-increase-the-default-flip-buffer-limit-to-2-640k.patch b/queue-4.14/tty-increase-the-default-flip-buffer-limit-to-2-640k.patch new file mode 100644 index 00000000000..2ca68fd8210 --- /dev/null +++ b/queue-4.14/tty-increase-the-default-flip-buffer-limit-to-2-640k.patch @@ -0,0 +1,51 @@ +From ec2c61630594a2b7c0abde742e06113737db017c Mon Sep 17 00:00:00 2001 +From: Manfred Schlaegl +Date: Mon, 28 Jan 2019 19:01:10 +0100 +Subject: tty: increase the default flip buffer limit to 2*640K + +[ Upstream commit 7ab57b76ebf632bf2231ccabe26bea33868118c6 ] + +We increase the default limit for buffer memory allocation by a factor of +10 to 640K to prevent data loss when using fast serial interfaces. + +For example when using RS485 without flow-control at speeds of 1Mbit/s +an upwards we've run into problems such as applications being too slow +to read out this buffer (on embedded devices based on imx53 or imx6). + +If you want to write transmitted data to a slow SD card and thus have +realtime requirements, this limit can become a problem. + +That shouldn't be the case and 640K buffers fix such problems for us. + +This value is a maximum limit for allocation only. It has no effect +on systems that currently run fine. When transmission is slow enough +applications and hardware can keep up and increasing this limit +doesn't change anything. + +It only _allows_ to allocate more than 2*64K in cases we currently fail to +allocate memory despite having some. + +Signed-off-by: Manfred Schlaegl +Signed-off-by: Martin Kepplinger +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/tty_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c +index 217114227f8d..cf11882d2602 100644 +--- a/drivers/tty/tty_buffer.c ++++ b/drivers/tty/tty_buffer.c +@@ -25,7 +25,7 @@ + * Byte threshold to limit memory consumption for flip buffers. + * The actual memory limit is > 2x this amount. + */ +-#define TTYB_DEFAULT_MEM_LIMIT 65536 ++#define TTYB_DEFAULT_MEM_LIMIT (640 * 1024UL) + + /* + * We default to dicing tty buffer allocations to this many characters +-- +2.19.1 + diff --git a/queue-4.14/usb-chipidea-grab-the-legacy-usb-phy-by-phandle-firs.patch b/queue-4.14/usb-chipidea-grab-the-legacy-usb-phy-by-phandle-firs.patch new file mode 100644 index 00000000000..bd74b60f516 --- /dev/null +++ b/queue-4.14/usb-chipidea-grab-the-legacy-usb-phy-by-phandle-firs.patch @@ -0,0 +1,57 @@ +From 4bfb60133a24c2c3fc9332e1ae1c720e0e0448b5 Mon Sep 17 00:00:00 2001 +From: Paul Kocialkowski +Date: Wed, 27 Feb 2019 06:51:36 +0000 +Subject: usb: chipidea: Grab the (legacy) USB PHY by phandle first + +[ Upstream commit 68ef236274793066b9ba3154b16c0acc1c891e5c ] + +According to the chipidea driver bindings, the USB PHY is specified via +the "phys" phandle node. However, this only takes effect for USB PHYs +that use the common PHY framework. For legacy USB PHYs, a simple lookup +based on the USB PHY type is done instead. + +This does not play out well when more than one USB PHY is registered, +since the first registered PHY matching the type will always be +returned regardless of what the driver was bound to. + +Fix this by looking up the PHY based on the "phys" phandle node. +Although generic PHYs are rather matched by their "phys-name" and not +the "phys" phandle directly, there is no helper for similar lookup on +legacy PHYs and it's probably not worth the effort to add it. + +When no legacy USB PHY is found by phandle, fallback to grabbing any +registered USB2 PHY. This ensures backward compatibility if some users +were actually relying on this mechanism. + +Signed-off-by: Paul Kocialkowski +Signed-off-by: Peter Chen +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/chipidea/core.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/chipidea/core.c b/drivers/usb/chipidea/core.c +index 43ea5fb87b9a..70306ae039c0 100644 +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -938,8 +938,15 @@ static int ci_hdrc_probe(struct platform_device *pdev) + } else if (ci->platdata->usb_phy) { + ci->usb_phy = ci->platdata->usb_phy; + } else { ++ ci->usb_phy = devm_usb_get_phy_by_phandle(dev->parent, "phys", ++ 0); + ci->phy = devm_phy_get(dev->parent, "usb-phy"); +- ci->usb_phy = devm_usb_get_phy(dev->parent, USB_PHY_TYPE_USB2); ++ ++ /* Fallback to grabbing any registered USB2 PHY */ ++ if (IS_ERR(ci->usb_phy) && ++ PTR_ERR(ci->usb_phy) != -EPROBE_DEFER) ++ ci->usb_phy = devm_usb_get_phy(dev->parent, ++ USB_PHY_TYPE_USB2); + + /* if both generic PHY and USB PHY layers aren't enabled */ + if (PTR_ERR(ci->phy) == -ENOSYS && +-- +2.19.1 + diff --git a/queue-4.14/usb-dwc3-gadget-fix-otg-events-when-gadget-driver-is.patch b/queue-4.14/usb-dwc3-gadget-fix-otg-events-when-gadget-driver-is.patch new file mode 100644 index 00000000000..265c52218d9 --- /dev/null +++ b/queue-4.14/usb-dwc3-gadget-fix-otg-events-when-gadget-driver-is.patch @@ -0,0 +1,46 @@ +From 7b945193f11b36e19dce34269e9b55ece283eaf6 Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Thu, 10 Jan 2019 17:04:28 +0200 +Subject: usb: dwc3: gadget: Fix OTG events when gadget driver isn't loaded + +[ Upstream commit 169e3b68cadb5775daca009ced4faf01ffd97dcf ] + +On v3.10a in dual-role mode, if port is in device mode +and gadget driver isn't loaded, the OTG event interrupts don't +come through. + +It seems that if the core is configured to be OTG2.0 only, +then we can't leave the DCFG.DEVSPD at Super-speed (default) +if we expect OTG to work properly. It must be set to High-speed. + +Fix this issue by configuring DCFG.DEVSPD to the supported +maximum speed at gadget init. Device tree still needs to provide +correct supported maximum speed for this to work. + +This issue wasn't present on v2.40a but is seen on v3.10a. +It doesn't cause any side effects on v2.40a. + +Signed-off-by: Roger Quadros +Signed-off-by: Sekhar Nori +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 32dd0d3462da..1b99d44e52b9 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -3286,6 +3286,8 @@ int dwc3_gadget_init(struct dwc3 *dwc) + goto err4; + } + ++ dwc3_gadget_set_speed(&dwc->gadget, dwc->maximum_speed); ++ + return 0; + + err4: +-- +2.19.1 + diff --git a/queue-4.14/usb-f_fs-avoid-crash-due-to-out-of-scope-stack-ptr-a.patch b/queue-4.14/usb-f_fs-avoid-crash-due-to-out-of-scope-stack-ptr-a.patch new file mode 100644 index 00000000000..bde2c29b653 --- /dev/null +++ b/queue-4.14/usb-f_fs-avoid-crash-due-to-out-of-scope-stack-ptr-a.patch @@ -0,0 +1,101 @@ +From 0ad9f236a6d4bac2c8c12cbd5710b18646d3eca4 Mon Sep 17 00:00:00 2001 +From: John Stultz +Date: Tue, 5 Feb 2019 10:24:40 -0800 +Subject: usb: f_fs: Avoid crash due to out-of-scope stack ptr access + +[ Upstream commit 54f64d5c983f939901dacc8cfc0983727c5c742e ] + +Since the 5.0 merge window opened, I've been seeing frequent +crashes on suspend and reboot with the trace: + +[ 36.911170] Unable to handle kernel paging request at virtual address ffffff801153d660 +[ 36.912769] Unable to handle kernel paging request at virtual address ffffff800004b564 +... +[ 36.950666] Call trace: +[ 36.950670] queued_spin_lock_slowpath+0x1cc/0x2c8 +[ 36.950681] _raw_spin_lock_irqsave+0x64/0x78 +[ 36.950692] complete+0x28/0x70 +[ 36.950703] ffs_epfile_io_complete+0x3c/0x50 +[ 36.950713] usb_gadget_giveback_request+0x34/0x108 +[ 36.950721] dwc3_gadget_giveback+0x50/0x68 +[ 36.950723] dwc3_thread_interrupt+0x358/0x1488 +[ 36.950731] irq_thread_fn+0x30/0x88 +[ 36.950734] irq_thread+0x114/0x1b0 +[ 36.950739] kthread+0x104/0x130 +[ 36.950747] ret_from_fork+0x10/0x1c + +I isolated this down to in ffs_epfile_io(): +https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/usb/gadget/function/f_fs.c#n1065 + +Where the completion done is setup on the stack: + DECLARE_COMPLETION_ONSTACK(done); + +Then later we setup a request and queue it, and wait for it: + if (unlikely(wait_for_completion_interruptible(&done))) { + /* + * To avoid race condition with ffs_epfile_io_complete, + * dequeue the request first then check + * status. usb_ep_dequeue API should guarantee no race + * condition with req->complete callback. + */ + usb_ep_dequeue(ep->ep, req); + interrupted = ep->status < 0; + } + +The problem is, that we end up being interrupted, dequeue the +request, and exit. + +But then the irq triggers and we try calling complete() on the +context pointer which points to now random stack space, which +results in the panic. + +Alan Stern pointed out there is a bug here, in that the snippet +above "assumes that usb_ep_dequeue() waits until the request has +been completed." And that: + + wait_for_completion(&done); + +Is needed right after the usb_ep_dequeue(). + +Thus this patch implements that change. With it I no longer see +the crashes on suspend or reboot. + +This issue seems to have been uncovered by behavioral changes in +the dwc3 driver in commit fec9095bdef4e ("usb: dwc3: gadget: +remove wait_end_transfer"). + +Cc: Alan Stern +Cc: Felipe Balbi +Cc: Zeng Tao +Cc: Jack Pham +Cc: Thinh Nguyen +Cc: Chen Yu +Cc: Jerry Zhang +Cc: Lars-Peter Clausen +Cc: Vincent Pelletier +Cc: Andrzej Pietrasiewicz +Cc: Greg Kroah-Hartman +Cc: Linux USB List +Suggested-by: Alan Stern +Signed-off-by: John Stultz +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_fs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index 52e6897fa35a..79900c0b4f3a 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -1009,6 +1009,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) + * condition with req->complete callback. + */ + usb_ep_dequeue(ep->ep, req); ++ wait_for_completion(&done); + interrupted = ep->status < 0; + } + +-- +2.19.1 + diff --git a/queue-4.14/vfs-fix-preadv64v2-and-pwritev64v2-compat-syscalls-w.patch b/queue-4.14/vfs-fix-preadv64v2-and-pwritev64v2-compat-syscalls-w.patch new file mode 100644 index 00000000000..835c06bf89e --- /dev/null +++ b/queue-4.14/vfs-fix-preadv64v2-and-pwritev64v2-compat-syscalls-w.patch @@ -0,0 +1,55 @@ +From 3e9ab5c01015b76d0c44ef0a2cb9821dff69746b Mon Sep 17 00:00:00 2001 +From: Aurelien Jarno +Date: Thu, 6 Dec 2018 20:05:34 +0100 +Subject: vfs: fix preadv64v2 and pwritev64v2 compat syscalls with offset == -1 + +[ Upstream commit cc4b1242d7e3b42eed73881fc749944146493e4f ] + +The preadv2 and pwritev2 syscalls are supposed to emulate the readv and +writev syscalls when offset == -1. Therefore the compat code should +check for offset before calling do_compat_preadv64 and +do_compat_pwritev64. This is the case for the preadv2 and pwritev2 +syscalls, but handling of offset == -1 is missing in their 64-bit +equivalent. + +This patch fixes that, calling do_compat_readv and do_compat_writev when +offset == -1. This fixes the following glibc tests on x32: + - misc/tst-preadvwritev2 + - misc/tst-preadvwritev64v2 + +Cc: Alexander Viro +Cc: H.J. Lu +Signed-off-by: Aurelien Jarno +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/read_write.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/read_write.c b/fs/read_write.c +index 57a00ef895b2..1c3eada2fe25 100644 +--- a/fs/read_write.c ++++ b/fs/read_write.c +@@ -1235,6 +1235,9 @@ COMPAT_SYSCALL_DEFINE5(preadv64v2, unsigned long, fd, + const struct compat_iovec __user *,vec, + unsigned long, vlen, loff_t, pos, rwf_t, flags) + { ++ if (pos == -1) ++ return do_compat_readv(fd, vec, vlen, flags); ++ + return do_compat_preadv64(fd, vec, vlen, pos, flags); + } + #endif +@@ -1341,6 +1344,9 @@ COMPAT_SYSCALL_DEFINE5(pwritev64v2, unsigned long, fd, + const struct compat_iovec __user *,vec, + unsigned long, vlen, loff_t, pos, rwf_t, flags) + { ++ if (pos == -1) ++ return do_compat_writev(fd, vec, vlen, flags); ++ + return do_compat_pwritev64(fd, vec, vlen, pos, flags); + } + #endif +-- +2.19.1 + diff --git a/queue-4.14/wil6210-check-null-pointer-in-_wil_cfg80211_merge_ex.patch b/queue-4.14/wil6210-check-null-pointer-in-_wil_cfg80211_merge_ex.patch new file mode 100644 index 00000000000..9952e560289 --- /dev/null +++ b/queue-4.14/wil6210-check-null-pointer-in-_wil_cfg80211_merge_ex.patch @@ -0,0 +1,68 @@ +From 810df0616e26eafe1bc97699c5e659c0d23180a0 Mon Sep 17 00:00:00 2001 +From: Alexei Avshalom Lazar +Date: Fri, 22 Feb 2019 16:21:05 +0200 +Subject: wil6210: check null pointer in _wil_cfg80211_merge_extra_ies + +[ Upstream commit de77a53c2d1e8fb3621e63e8e1f0f0c9a1a99ff7 ] + +ies1 or ies2 might be null when code inside +_wil_cfg80211_merge_extra_ies access them. +Add explicit check for null and make sure ies1/ies2 are not +accessed in such a case. + +spos might be null and be accessed inside +_wil_cfg80211_merge_extra_ies. +Add explicit check for null in the while condition statement +and make sure spos is not accessed in such a case. + +Signed-off-by: Alexei Avshalom Lazar +Signed-off-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wil6210/cfg80211.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/wil6210/cfg80211.c b/drivers/net/wireless/ath/wil6210/cfg80211.c +index 85d5c04618eb..c374ed311520 100644 +--- a/drivers/net/wireless/ath/wil6210/cfg80211.c ++++ b/drivers/net/wireless/ath/wil6210/cfg80211.c +@@ -1224,6 +1224,12 @@ static int _wil_cfg80211_merge_extra_ies(const u8 *ies1, u16 ies1_len, + u8 *buf, *dpos; + const u8 *spos; + ++ if (!ies1) ++ ies1_len = 0; ++ ++ if (!ies2) ++ ies2_len = 0; ++ + if (ies1_len == 0 && ies2_len == 0) { + *merged_ies = NULL; + *merged_len = 0; +@@ -1233,17 +1239,19 @@ static int _wil_cfg80211_merge_extra_ies(const u8 *ies1, u16 ies1_len, + buf = kmalloc(ies1_len + ies2_len, GFP_KERNEL); + if (!buf) + return -ENOMEM; +- memcpy(buf, ies1, ies1_len); ++ if (ies1) ++ memcpy(buf, ies1, ies1_len); + dpos = buf + ies1_len; + spos = ies2; +- while (spos + 1 < ies2 + ies2_len) { ++ while (spos && (spos + 1 < ies2 + ies2_len)) { + /* IE tag at offset 0, length at offset 1 */ + u16 ielen = 2 + spos[1]; + + if (spos + ielen > ies2 + ies2_len) + break; + if (spos[0] == WLAN_EID_VENDOR_SPECIFIC && +- !_wil_cfg80211_find_ie(ies1, ies1_len, spos, ielen)) { ++ (!ies1 || !_wil_cfg80211_find_ie(ies1, ies1_len, ++ spos, ielen))) { + memcpy(dpos, spos, ielen); + dpos += ielen; + } +-- +2.19.1 + diff --git a/queue-4.14/wlcore-fix-memory-leak-in-case-wl12xx_fetch_firmware.patch b/queue-4.14/wlcore-fix-memory-leak-in-case-wl12xx_fetch_firmware.patch new file mode 100644 index 00000000000..9eceda8226b --- /dev/null +++ b/queue-4.14/wlcore-fix-memory-leak-in-case-wl12xx_fetch_firmware.patch @@ -0,0 +1,59 @@ +From 38f62641308cf7aef25920f369cd6b93c36dbff6 Mon Sep 17 00:00:00 2001 +From: Zumeng Chen +Date: Wed, 19 Dec 2018 15:50:29 +0800 +Subject: wlcore: Fix memory leak in case wl12xx_fetch_firmware failure + +[ Upstream commit ba2ffc96321c8433606ceeb85c9e722b8113e5a7 ] + +Release fw_status, raw_fw_status, and tx_res_if when wl12xx_fetch_firmware +failed instead of meaningless goto out to avoid the following memory leak +reports(Only the last one listed): + +unreferenced object 0xc28a9a00 (size 512): + comm "kworker/0:4", pid 31298, jiffies 2783204 (age 203.290s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<6624adab>] kmemleak_alloc+0x40/0x74 + [<500ddb31>] kmem_cache_alloc_trace+0x1ac/0x270 + [] wl12xx_chip_wakeup+0xc4/0x1fc [wlcore] + [<76c5db53>] wl1271_op_add_interface+0x4a4/0x8f4 [wlcore] + [] drv_add_interface+0xa4/0x1a0 [mac80211] + [<65bac325>] ieee80211_reconfig+0x9c0/0x1644 [mac80211] + [<2817c80e>] ieee80211_restart_work+0x90/0xc8 [mac80211] + [<7e1d425a>] process_one_work+0x284/0x42c + [<55f9432e>] worker_thread+0x2fc/0x48c + [] kthread+0x148/0x160 + [<63144b13>] ret_from_fork+0x14/0x2c + [< (null)>] (null) + [<1f6e7715>] 0xffffffff + +Signed-off-by: Zumeng Chen +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wlcore/main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ti/wlcore/main.c b/drivers/net/wireless/ti/wlcore/main.c +index c346c021b999..eb3a7971c1d3 100644 +--- a/drivers/net/wireless/ti/wlcore/main.c ++++ b/drivers/net/wireless/ti/wlcore/main.c +@@ -1058,8 +1058,11 @@ static int wl12xx_chip_wakeup(struct wl1271 *wl, bool plt) + goto out; + + ret = wl12xx_fetch_firmware(wl, plt); +- if (ret < 0) +- goto out; ++ if (ret < 0) { ++ kfree(wl->fw_status); ++ kfree(wl->raw_fw_status); ++ kfree(wl->tx_res_if); ++ } + + out: + return ret; +-- +2.19.1 + diff --git a/queue-4.14/x86-build-mark-per-cpu-symbols-as-absolute-explicitl.patch b/queue-4.14/x86-build-mark-per-cpu-symbols-as-absolute-explicitl.patch new file mode 100644 index 00000000000..335601dc956 --- /dev/null +++ b/queue-4.14/x86-build-mark-per-cpu-symbols-as-absolute-explicitl.patch @@ -0,0 +1,80 @@ +From 17c382e6ce181ef4c269894cf0f76bc536f763ff Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Rafael=20=C3=81vila=20de=20Esp=C3=ADndola?= + +Date: Wed, 19 Dec 2018 11:01:43 -0800 +Subject: x86/build: Mark per-CPU symbols as absolute explicitly for LLD +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit d071ae09a4a1414c1433d5ae9908959a7325b0ad ] + +Accessing per-CPU variables is done by finding the offset of the +variable in the per-CPU block and adding it to the address of the +respective CPU's block. + +Section 3.10.8 of ld.bfd's documentation states: + + For expressions involving numbers, relative addresses and absolute + addresses, ld follows these rules to evaluate terms: + + Other binary operations, that is, between two relative addresses + not in the same section, or between a relative address and an + absolute address, first convert any non-absolute term to an + absolute address before applying the operator." + +Note that LLVM's linker does not adhere to the GNU ld's implementation +and as such requires implicitly-absolute terms to be explicitly marked +as absolute in the linker script. If not, it fails currently with: + + ld.lld: error: ./arch/x86/kernel/vmlinux.lds:153: at least one side of the expression must be absolute + ld.lld: error: ./arch/x86/kernel/vmlinux.lds:154: at least one side of the expression must be absolute + Makefile:1040: recipe for target 'vmlinux' failed + +This is not a functional change for ld.bfd which converts the term to an +absolute symbol anyways as specified above. + +Based on a previous submission by Tri Vo . + +Reported-by: Dmitry Golovin +Signed-off-by: Rafael Ávila de Espíndola +[ Update commit message per Boris' and Michael's suggestions. ] +Signed-off-by: Nick Desaulniers +[ Massage commit message more, fix typos. ] +Signed-off-by: Borislav Petkov +Tested-by: Dmitry Golovin +Cc: "H. Peter Anvin" +Cc: Andy Lutomirski +Cc: Brijesh Singh +Cc: Cao Jin +Cc: Ingo Molnar +Cc: Joerg Roedel +Cc: Masahiro Yamada +Cc: Masami Hiramatsu +Cc: Thomas Gleixner +Cc: Tri Vo +Cc: dima@golovin.in +Cc: morbo@google.com +Cc: x86-ml +Link: https://lkml.kernel.org/r/20181219190145.252035-1-ndesaulniers@google.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/vmlinux.lds.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S +index b854ebf5851b..2384a2ae5ec3 100644 +--- a/arch/x86/kernel/vmlinux.lds.S ++++ b/arch/x86/kernel/vmlinux.lds.S +@@ -390,7 +390,7 @@ SECTIONS + * Per-cpu symbols which need to be offset from __per_cpu_load + * for the boot processor. + */ +-#define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load ++#define INIT_PER_CPU(x) init_per_cpu__##x = ABSOLUTE(x) + __per_cpu_load + INIT_PER_CPU(gdt_page); + INIT_PER_CPU(irq_stack_union); + +-- +2.19.1 + diff --git a/queue-4.14/x86-build-specify-elf_i386-linker-emulation-explicit.patch b/queue-4.14/x86-build-specify-elf_i386-linker-emulation-explicit.patch new file mode 100644 index 00000000000..e35bc81ce01 --- /dev/null +++ b/queue-4.14/x86-build-specify-elf_i386-linker-emulation-explicit.patch @@ -0,0 +1,91 @@ +From 9d5bc0bab234a94fcef86994fd637d3f6ad2a7c2 Mon Sep 17 00:00:00 2001 +From: George Rimar +Date: Fri, 11 Jan 2019 12:10:12 -0800 +Subject: x86/build: Specify elf_i386 linker emulation explicitly for i386 + objects + +[ Upstream commit 927185c124d62a9a4d35878d7f6d432a166b74e3 ] + +The kernel uses the OUTPUT_FORMAT linker script command in it's linker +scripts. Most of the time, the -m option is passed to the linker with +correct architecture, but sometimes (at least for x86_64) the -m option +contradicts the OUTPUT_FORMAT directive. + +Specifically, arch/x86/boot and arch/x86/realmode/rm produce i386 object +files, but are linked with the -m elf_x86_64 linker flag when building +for x86_64. + +The GNU linker manpage doesn't explicitly state any tie-breakers between +-m and OUTPUT_FORMAT. But with BFD and Gold linkers, OUTPUT_FORMAT +overrides the emulation value specified with the -m option. + +LLVM lld has a different behavior, however. When supplied with +contradicting -m and OUTPUT_FORMAT values it fails with the following +error message: + + ld.lld: error: arch/x86/realmode/rm/header.o is incompatible with elf_x86_64 + +Therefore, just add the correct -m after the incorrect one (it overrides +it), so the linker invocation looks like this: + + ld -m elf_x86_64 -z max-page-size=0x200000 -m elf_i386 --emit-relocs -T \ + realmode.lds header.o trampoline_64.o stack.o reboot.o -o realmode.elf + +This is not a functional change for GNU ld, because (although not +explicitly documented) OUTPUT_FORMAT overrides -m EMULATION. + +Tested by building x86_64 kernel with GNU gcc/ld toolchain and booting +it in QEMU. + + [ bp: massage and clarify text. ] + +Suggested-by: Dmitry Golovin +Signed-off-by: George Rimar +Signed-off-by: Tri Vo +Signed-off-by: Borislav Petkov +Tested-by: Tri Vo +Tested-by: Nick Desaulniers +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Michael Matz +Cc: Thomas Gleixner +Cc: morbo@google.com +Cc: ndesaulniers@google.com +Cc: ruiu@google.com +Cc: x86-ml +Link: https://lkml.kernel.org/r/20190111201012.71210-1-trong@android.com +Signed-off-by: Sasha Levin +--- + arch/x86/boot/Makefile | 2 +- + arch/x86/realmode/rm/Makefile | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile +index d88a2fddba8c..1c060748c813 100644 +--- a/arch/x86/boot/Makefile ++++ b/arch/x86/boot/Makefile +@@ -100,7 +100,7 @@ $(obj)/zoffset.h: $(obj)/compressed/vmlinux FORCE + AFLAGS_header.o += -I$(objtree)/$(obj) + $(obj)/header.o: $(obj)/zoffset.h + +-LDFLAGS_setup.elf := -T ++LDFLAGS_setup.elf := -m elf_i386 -T + $(obj)/setup.elf: $(src)/setup.ld $(SETUP_OBJS) FORCE + $(call if_changed,ld) + +diff --git a/arch/x86/realmode/rm/Makefile b/arch/x86/realmode/rm/Makefile +index 4463fa72db94..96cb20de08af 100644 +--- a/arch/x86/realmode/rm/Makefile ++++ b/arch/x86/realmode/rm/Makefile +@@ -47,7 +47,7 @@ $(obj)/pasyms.h: $(REALMODE_OBJS) FORCE + targets += realmode.lds + $(obj)/realmode.lds: $(obj)/pasyms.h + +-LDFLAGS_realmode.elf := --emit-relocs -T ++LDFLAGS_realmode.elf := -m elf_i386 --emit-relocs -T + CPPFLAGS_realmode.lds += -P -C -I$(objtree)/$(obj) + + targets += realmode.elf +-- +2.19.1 +