From: Sasha Levin Date: Mon, 11 Mar 2019 19:14:11 +0000 (-0400) Subject: autosel patches for 4.4 X-Git-Tag: v5.0.2~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1981af9d50a4b51c72df1f4bf746322b6452574f;p=thirdparty%2Fkernel%2Fstable-queue.git autosel patches for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/arm-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch b/queue-4.4/arm-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch new file mode 100644 index 00000000000..402cb4792aa --- /dev/null +++ b/queue-4.4/arm-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch @@ -0,0 +1,43 @@ +From d0ba80d77e6359d4b3f5bf2f7285db474650b4ce Mon Sep 17 00:00:00 2001 +From: Peng Hao +Date: Sat, 29 Dec 2018 13:10:06 +0800 +Subject: ARM: pxa: ssp: unneeded to free devm_ allocated data + +[ Upstream commit ba16adeb346387eb2d1ada69003588be96f098fa ] + +devm_ allocated data will be automatically freed. The free +of devm_ allocated data is invalid. + +Fixes: 1c459de1e645 ("ARM: pxa: ssp: use devm_ functions") +Signed-off-by: Peng Hao +[title's prefix changed] +Signed-off-by: Robert Jarzmik +Signed-off-by: Sasha Levin +--- + arch/arm/plat-pxa/ssp.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/arch/arm/plat-pxa/ssp.c b/arch/arm/plat-pxa/ssp.c +index daa1a65f2eb7..6748827c2ec8 100644 +--- a/arch/arm/plat-pxa/ssp.c ++++ b/arch/arm/plat-pxa/ssp.c +@@ -238,8 +238,6 @@ static int pxa_ssp_remove(struct platform_device *pdev) + if (ssp == NULL) + return -ENODEV; + +- iounmap(ssp->mmio_base); +- + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + release_mem_region(res->start, resource_size(res)); + +@@ -249,7 +247,6 @@ static int pxa_ssp_remove(struct platform_device *pdev) + list_del(&ssp->node); + mutex_unlock(&ssp_lock); + +- kfree(ssp); + return 0; + } + +-- +2.19.1 + diff --git a/queue-4.4/autofs-drop-dentry-reference-only-when-it-is-never-u.patch b/queue-4.4/autofs-drop-dentry-reference-only-when-it-is-never-u.patch new file mode 100644 index 00000000000..706fe053df3 --- /dev/null +++ b/queue-4.4/autofs-drop-dentry-reference-only-when-it-is-never-u.patch @@ -0,0 +1,46 @@ +From baefe25c3c47559cfca0782102ccc0029decf850 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Fri, 1 Feb 2019 14:21:26 -0800 +Subject: autofs: drop dentry reference only when it is never used + +[ Upstream commit 63ce5f552beb9bdb41546b3a26c4374758b21815 ] + +autofs_expire_run() calls dput(dentry) to drop the reference count of +dentry. However, dentry is read via autofs_dentry_ino(dentry) after +that. This may result in a use-free-bug. The patch drops the reference +count of dentry only when it is never used. + +Link: http://lkml.kernel.org/r/154725122396.11260.16053424107144453867.stgit@pluto-themaw-net +Signed-off-by: Pan Bian +Signed-off-by: Ian Kent +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/autofs4/expire.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/autofs4/expire.c b/fs/autofs4/expire.c +index 7a5a598a2d94..0d8b9c4f27f2 100644 +--- a/fs/autofs4/expire.c ++++ b/fs/autofs4/expire.c +@@ -560,7 +560,6 @@ int autofs4_expire_run(struct super_block *sb, + pkt.len = dentry->d_name.len; + memcpy(pkt.name, dentry->d_name.name, pkt.len); + pkt.name[pkt.len] = '\0'; +- dput(dentry); + + if ( copy_to_user(pkt_p, &pkt, sizeof(struct autofs_packet_expire)) ) + ret = -EFAULT; +@@ -573,6 +572,8 @@ int autofs4_expire_run(struct super_block *sb, + complete_all(&ino->expire_complete); + spin_unlock(&sbi->fs_lock); + ++ dput(dentry); ++ + return ret; + } + +-- +2.19.1 + diff --git a/queue-4.4/autofs-fix-error-return-in-autofs_fill_super.patch b/queue-4.4/autofs-fix-error-return-in-autofs_fill_super.patch new file mode 100644 index 00000000000..a18cbae779e --- /dev/null +++ b/queue-4.4/autofs-fix-error-return-in-autofs_fill_super.patch @@ -0,0 +1,39 @@ +From 773dfaca9936fa6ae0298f244bffb1c3c7448314 Mon Sep 17 00:00:00 2001 +From: Ian Kent +Date: Fri, 1 Feb 2019 14:21:29 -0800 +Subject: autofs: fix error return in autofs_fill_super() + +[ Upstream commit f585b283e3f025754c45bbe7533fc6e5c4643700 ] + +In autofs_fill_super() on error of get inode/make root dentry the return +should be ENOMEM as this is the only failure case of the called +functions. + +Link: http://lkml.kernel.org/r/154725123240.11260.796773942606871359.stgit@pluto-themaw-net +Signed-off-by: Ian Kent +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/autofs4/inode.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/autofs4/inode.c b/fs/autofs4/inode.c +index 1132fe71b312..0fd472d67029 100644 +--- a/fs/autofs4/inode.c ++++ b/fs/autofs4/inode.c +@@ -255,8 +255,10 @@ int autofs4_fill_super(struct super_block *s, void *data, int silent) + } + root_inode = autofs4_get_inode(s, S_IFDIR | 0755); + root = d_make_root(root_inode); +- if (!root) ++ if (!root) { ++ ret = -ENOMEM; + goto fail_ino; ++ } + pipe = NULL; + + root->d_fsdata = ino; +-- +2.19.1 + diff --git a/queue-4.4/cifs-fix-computation-for-max_smb2_hdr_size.patch b/queue-4.4/cifs-fix-computation-for-max_smb2_hdr_size.patch new file mode 100644 index 00000000000..dc4b3a5fae4 --- /dev/null +++ b/queue-4.4/cifs-fix-computation-for-max_smb2_hdr_size.patch @@ -0,0 +1,35 @@ +From 31fe3bc744857c762f5467a13bbff165afa9a6d4 Mon Sep 17 00:00:00 2001 +From: Ronnie Sahlberg +Date: Tue, 29 Jan 2019 12:46:16 +1000 +Subject: cifs: fix computation for MAX_SMB2_HDR_SIZE + +[ Upstream commit 58d15ed1203f4d858c339ea4d7dafa94bd2a56d3 ] + +The size of the fixed part of the create response is 88 bytes not 56. + +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Reviewed-by: Pavel Shilovsky +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2pdu.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h +index aacb15bd56fe..f087158c5555 100644 +--- a/fs/cifs/smb2pdu.h ++++ b/fs/cifs/smb2pdu.h +@@ -82,8 +82,8 @@ + + #define NUMBER_OF_SMB2_COMMANDS 0x0013 + +-/* 4 len + 52 transform hdr + 64 hdr + 56 create rsp */ +-#define MAX_SMB2_HDR_SIZE 0x00b0 ++/* 52 transform hdr + 64 hdr + 88 create rsp */ ++#define MAX_SMB2_HDR_SIZE 204 + + #define SMB2_PROTO_NUMBER cpu_to_le32(0x424d53fe) + +-- +2.19.1 + diff --git a/queue-4.4/dmaengine-at_xdmac-fix-wrongfull-report-of-a-channel.patch b/queue-4.4/dmaengine-at_xdmac-fix-wrongfull-report-of-a-channel.patch new file mode 100644 index 00000000000..0ed80e1fbbb --- /dev/null +++ b/queue-4.4/dmaengine-at_xdmac-fix-wrongfull-report-of-a-channel.patch @@ -0,0 +1,100 @@ +From 6ee0b2d89a3e17e4f545ca6515f62b5f81870090 Mon Sep 17 00:00:00 2001 +From: Codrin Ciubotariu +Date: Wed, 23 Jan 2019 16:33:47 +0000 +Subject: dmaengine: at_xdmac: Fix wrongfull report of a channel as in use + +[ Upstream commit dc3f595b6617ebc0307e0ce151e8f2f2b2489b95 ] + +atchan->status variable is used to store two different information: + - pass channel interrupts status from interrupt handler to tasklet; + - channel information like whether it is cyclic or paused; + +This causes a bug when device_terminate_all() is called, +(AT_XDMAC_CHAN_IS_CYCLIC cleared on atchan->status) and then a late End +of Block interrupt arrives (AT_XDMAC_CIS_BIS), which sets bit 0 of +atchan->status. Bit 0 is also used for AT_XDMAC_CHAN_IS_CYCLIC, so when +a new descriptor for a cyclic transfer is created, the driver reports +the channel as in use: + +if (test_and_set_bit(AT_XDMAC_CHAN_IS_CYCLIC, &atchan->status)) { + dev_err(chan2dev(chan), "channel currently used\n"); + return NULL; +} + +This patch fixes the bug by adding a different struct member to keep +the interrupts status separated from the channel status bits. + +Fixes: e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel eXtended DMA Controller driver") +Signed-off-by: Codrin Ciubotariu +Acked-by: Ludovic Desroches +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/at_xdmac.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index 82a7c89caae2..af24c5bf32d6 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -203,6 +203,7 @@ struct at_xdmac_chan { + u32 save_cim; + u32 save_cnda; + u32 save_cndc; ++ u32 irq_status; + unsigned long status; + struct tasklet_struct tasklet; + struct dma_slave_config sconfig; +@@ -1582,8 +1583,8 @@ static void at_xdmac_tasklet(unsigned long data) + struct at_xdmac_desc *desc; + u32 error_mask; + +- dev_dbg(chan2dev(&atchan->chan), "%s: status=0x%08lx\n", +- __func__, atchan->status); ++ dev_dbg(chan2dev(&atchan->chan), "%s: status=0x%08x\n", ++ __func__, atchan->irq_status); + + error_mask = AT_XDMAC_CIS_RBEIS + | AT_XDMAC_CIS_WBEIS +@@ -1591,15 +1592,15 @@ static void at_xdmac_tasklet(unsigned long data) + + if (at_xdmac_chan_is_cyclic(atchan)) { + at_xdmac_handle_cyclic(atchan); +- } else if ((atchan->status & AT_XDMAC_CIS_LIS) +- || (atchan->status & error_mask)) { ++ } else if ((atchan->irq_status & AT_XDMAC_CIS_LIS) ++ || (atchan->irq_status & error_mask)) { + struct dma_async_tx_descriptor *txd; + +- if (atchan->status & AT_XDMAC_CIS_RBEIS) ++ if (atchan->irq_status & AT_XDMAC_CIS_RBEIS) + dev_err(chan2dev(&atchan->chan), "read bus error!!!"); +- if (atchan->status & AT_XDMAC_CIS_WBEIS) ++ if (atchan->irq_status & AT_XDMAC_CIS_WBEIS) + dev_err(chan2dev(&atchan->chan), "write bus error!!!"); +- if (atchan->status & AT_XDMAC_CIS_ROIS) ++ if (atchan->irq_status & AT_XDMAC_CIS_ROIS) + dev_err(chan2dev(&atchan->chan), "request overflow error!!!"); + + spin_lock_bh(&atchan->lock); +@@ -1654,7 +1655,7 @@ static irqreturn_t at_xdmac_interrupt(int irq, void *dev_id) + atchan = &atxdmac->chan[i]; + chan_imr = at_xdmac_chan_read(atchan, AT_XDMAC_CIM); + chan_status = at_xdmac_chan_read(atchan, AT_XDMAC_CIS); +- atchan->status = chan_status & chan_imr; ++ atchan->irq_status = chan_status & chan_imr; + dev_vdbg(atxdmac->dma.dev, + "%s: chan%d: imr=0x%x, status=0x%x\n", + __func__, i, chan_imr, chan_status); +@@ -1668,7 +1669,7 @@ static irqreturn_t at_xdmac_interrupt(int irq, void *dev_id) + at_xdmac_chan_read(atchan, AT_XDMAC_CDA), + at_xdmac_chan_read(atchan, AT_XDMAC_CUBC)); + +- if (atchan->status & (AT_XDMAC_CIS_RBEIS | AT_XDMAC_CIS_WBEIS)) ++ if (atchan->irq_status & (AT_XDMAC_CIS_RBEIS | AT_XDMAC_CIS_WBEIS)) + at_xdmac_write(atxdmac, AT_XDMAC_GD, atchan->mask); + + tasklet_schedule(&atchan->tasklet); +-- +2.19.1 + diff --git a/queue-4.4/dmaengine-dmatest-abort-test-in-case-of-mapping-erro.patch b/queue-4.4/dmaengine-dmatest-abort-test-in-case-of-mapping-erro.patch new file mode 100644 index 00000000000..e1ed8324926 --- /dev/null +++ b/queue-4.4/dmaengine-dmatest-abort-test-in-case-of-mapping-erro.patch @@ -0,0 +1,121 @@ +From 7caea3afe8d8d99ff3fed6e9f4131460b690b025 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Wed, 30 Jan 2019 21:48:44 +0200 +Subject: dmaengine: dmatest: Abort test in case of mapping error + +[ Upstream commit 6454368a804c4955ccd116236037536f81e5b1f1 ] + +In case of mapping error the DMA addresses are invalid and continuing +will screw system memory or potentially something else. + +[ 222.480310] dmatest: dma0chan7-copy0: summary 1 tests, 3 failures 6 iops 349 KB/s (0) +... +[ 240.912725] check: Corrupted low memory at 00000000c7c75ac9 (2940 phys) = 5656000000000000 +[ 240.921998] check: Corrupted low memory at 000000005715a1cd (2948 phys) = 279f2aca5595ab2b +[ 240.931280] check: Corrupted low memory at 000000002f4024c0 (2950 phys) = 5e5624f349e793cf +... + +Abort any test if mapping failed. + +Fixes: 4076e755dbec ("dmatest: convert to dmaengine_unmap_data") +Cc: Dan Williams +Signed-off-by: Andy Shevchenko +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dmatest.c | 28 ++++++++++++---------------- + 1 file changed, 12 insertions(+), 16 deletions(-) + +diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c +index 6796eb1a8a4c..884aecebb249 100644 +--- a/drivers/dma/dmatest.c ++++ b/drivers/dma/dmatest.c +@@ -563,11 +563,9 @@ static int dmatest_func(void *data) + srcs[i] = um->addr[i] + src_off; + ret = dma_mapping_error(dev->dev, um->addr[i]); + if (ret) { +- dmaengine_unmap_put(um); + result("src mapping error", total_tests, + src_off, dst_off, len, ret); +- failed_tests++; +- continue; ++ goto error_unmap_continue; + } + um->to_cnt++; + } +@@ -582,11 +580,9 @@ static int dmatest_func(void *data) + DMA_BIDIRECTIONAL); + ret = dma_mapping_error(dev->dev, dsts[i]); + if (ret) { +- dmaengine_unmap_put(um); + result("dst mapping error", total_tests, + src_off, dst_off, len, ret); +- failed_tests++; +- continue; ++ goto error_unmap_continue; + } + um->bidi_cnt++; + } +@@ -611,12 +607,10 @@ static int dmatest_func(void *data) + } + + if (!tx) { +- dmaengine_unmap_put(um); + result("prep error", total_tests, src_off, + dst_off, len, ret); + msleep(100); +- failed_tests++; +- continue; ++ goto error_unmap_continue; + } + + done->done = false; +@@ -625,12 +619,10 @@ static int dmatest_func(void *data) + cookie = tx->tx_submit(tx); + + if (dma_submit_error(cookie)) { +- dmaengine_unmap_put(um); + result("submit error", total_tests, src_off, + dst_off, len, ret); + msleep(100); +- failed_tests++; +- continue; ++ goto error_unmap_continue; + } + dma_async_issue_pending(chan); + +@@ -643,16 +635,14 @@ static int dmatest_func(void *data) + dmaengine_unmap_put(um); + result("test timed out", total_tests, src_off, dst_off, + len, 0); +- failed_tests++; +- continue; ++ goto error_unmap_continue; + } else if (status != DMA_COMPLETE) { + dmaengine_unmap_put(um); + result(status == DMA_ERROR ? + "completion error status" : + "completion busy status", total_tests, src_off, + dst_off, len, ret); +- failed_tests++; +- continue; ++ goto error_unmap_continue; + } + + dmaengine_unmap_put(um); +@@ -691,6 +681,12 @@ static int dmatest_func(void *data) + verbose_result("test passed", total_tests, src_off, + dst_off, len, 0); + } ++ ++ continue; ++ ++error_unmap_continue: ++ dmaengine_unmap_put(um); ++ failed_tests++; + } + runtime = ktime_us_delta(ktime_get(), ktime); + +-- +2.19.1 + diff --git a/queue-4.4/fs-drop_caches.c-avoid-softlockups-in-drop_pagecache.patch b/queue-4.4/fs-drop_caches.c-avoid-softlockups-in-drop_pagecache.patch new file mode 100644 index 00000000000..051a9f0d184 --- /dev/null +++ b/queue-4.4/fs-drop_caches.c-avoid-softlockups-in-drop_pagecache.patch @@ -0,0 +1,57 @@ +From 7199a084b3fdb6d98f52130f4eaf9f3f7985fdd2 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 1 Feb 2019 14:21:23 -0800 +Subject: fs/drop_caches.c: avoid softlockups in drop_pagecache_sb() + +[ Upstream commit c27d82f52f75fc9d8d9d40d120d2a96fdeeada5e ] + +When superblock has lots of inodes without any pagecache (like is the +case for /proc), drop_pagecache_sb() will iterate through all of them +without dropping sb->s_inode_list_lock which can lead to softlockups +(one of our customers hit this). + +Fix the problem by going to the slow path and doing cond_resched() in +case the process needs rescheduling. + +Link: http://lkml.kernel.org/r/20190114085343.15011-1-jack@suse.cz +Signed-off-by: Jan Kara +Acked-by: Michal Hocko +Reviewed-by: Andrew Morton +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/drop_caches.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/drop_caches.c b/fs/drop_caches.c +index d72d52b90433..280460fef066 100644 +--- a/fs/drop_caches.c ++++ b/fs/drop_caches.c +@@ -20,8 +20,13 @@ static void drop_pagecache_sb(struct super_block *sb, void *unused) + spin_lock(&sb->s_inode_list_lock); + list_for_each_entry(inode, &sb->s_inodes, i_sb_list) { + spin_lock(&inode->i_lock); ++ /* ++ * We must skip inodes in unusual state. We may also skip ++ * inodes without pages but we deliberately won't in case ++ * we need to reschedule to avoid softlockups. ++ */ + if ((inode->i_state & (I_FREEING|I_WILL_FREE|I_NEW)) || +- (inode->i_mapping->nrpages == 0)) { ++ (inode->i_mapping->nrpages == 0 && !need_resched())) { + spin_unlock(&inode->i_lock); + continue; + } +@@ -29,6 +34,7 @@ static void drop_pagecache_sb(struct super_block *sb, void *unused) + spin_unlock(&inode->i_lock); + spin_unlock(&sb->s_inode_list_lock); + ++ cond_resched(); + invalidate_mapping_pages(inode->i_mapping, 0, -1); + iput(toput_inode); + toput_inode = inode; +-- +2.19.1 + diff --git a/queue-4.4/gpio-vf610-mask-all-gpio-interrupts.patch b/queue-4.4/gpio-vf610-mask-all-gpio-interrupts.patch new file mode 100644 index 00000000000..419efd4d76d --- /dev/null +++ b/queue-4.4/gpio-vf610-mask-all-gpio-interrupts.patch @@ -0,0 +1,52 @@ +From b284e294b9c2f78c4fbdf8878eb8664979f9f5f1 Mon Sep 17 00:00:00 2001 +From: Andrew Lunn +Date: Sun, 27 Jan 2019 22:58:00 +0100 +Subject: gpio: vf610: Mask all GPIO interrupts + +[ Upstream commit 7ae710f9f8b2cf95297e7bbfe1c09789a7dc43d4 ] + +On SoC reset all GPIO interrupts are disable. However, if kexec is +used to boot into a new kernel, the SoC does not experience a +reset. Hence GPIO interrupts can be left enabled from the previous +kernel. It is then possible for the interrupt to fire before an +interrupt handler is registered, resulting in the kernel complaining +of an "unexpected IRQ trap", the interrupt is never cleared, and so +fires again, resulting in an interrupt storm. + +Disable all GPIO interrupts before registering the GPIO IRQ chip. + +Fixes: 7f2691a19627 ("gpio: vf610: add gpiolib/IRQ chip driver for Vybrid") +Signed-off-by: Andrew Lunn +Acked-by: Stefan Agner +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-vf610.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpio/gpio-vf610.c b/drivers/gpio/gpio-vf610.c +index 87b950cec6ec..db95c4b99a74 100644 +--- a/drivers/gpio/gpio-vf610.c ++++ b/drivers/gpio/gpio-vf610.c +@@ -227,6 +227,7 @@ static int vf610_gpio_probe(struct platform_device *pdev) + struct vf610_gpio_port *port; + struct resource *iores; + struct gpio_chip *gc; ++ int i; + int ret; + + port = devm_kzalloc(&pdev->dev, sizeof(*port), GFP_KERNEL); +@@ -265,6 +266,10 @@ static int vf610_gpio_probe(struct platform_device *pdev) + if (ret < 0) + return ret; + ++ /* Mask all GPIO interrupts */ ++ for (i = 0; i < gc->ngpio; i++) ++ vf610_gpio_writel(0, port->base + PORT_PCR(i)); ++ + /* Clear the interrupt status register for all GPIO's */ + vf610_gpio_writel(~0, port->base + PORT_ISFR); + +-- +2.19.1 + diff --git a/queue-4.4/ib-hfi1-qib-fix-wc.byte_len-calculation-for-ud_send_.patch b/queue-4.4/ib-hfi1-qib-fix-wc.byte_len-calculation-for-ud_send_.patch new file mode 100644 index 00000000000..3ab69b44245 --- /dev/null +++ b/queue-4.4/ib-hfi1-qib-fix-wc.byte_len-calculation-for-ud_send_.patch @@ -0,0 +1,57 @@ +From e3a2df6cfc85b1156274ebe4640917fec3bd0417 Mon Sep 17 00:00:00 2001 +From: Brian Welty +Date: Thu, 17 Jan 2019 12:41:32 -0800 +Subject: IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM + +[ Upstream commit 904bba211acc2112fdf866e5a2bc6cd9ecd0de1b ] + +The work completion length for a receiving a UD send with immediate is +short by 4 bytes causing application using this opcode to fail. + +The UD receive logic incorrectly subtracts 4 bytes for immediate +value. These bytes are already included in header length and are used to +calculate header/payload split, so the result is these 4 bytes are +subtracted twice, once when the header length subtracted from the overall +length and once again in the UD opcode specific path. + +Remove the extra subtraction when handling the opcode. + +Fixes: 7724105686e7 ("IB/hfi1: add driver files") +Reviewed-by: Michael J. Ruhl +Signed-off-by: Brian Welty +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qib/qib_ud.c | 1 - + drivers/staging/rdma/hfi1/ud.c | 1 - + 2 files changed, 2 deletions(-) + +diff --git a/drivers/infiniband/hw/qib/qib_ud.c b/drivers/infiniband/hw/qib/qib_ud.c +index 59193f67ea78..56bd59bc08b5 100644 +--- a/drivers/infiniband/hw/qib/qib_ud.c ++++ b/drivers/infiniband/hw/qib/qib_ud.c +@@ -515,7 +515,6 @@ void qib_ud_rcv(struct qib_ibport *ibp, struct qib_ib_header *hdr, + opcode == IB_OPCODE_UD_SEND_ONLY_WITH_IMMEDIATE) { + wc.ex.imm_data = ohdr->u.ud.imm_data; + wc.wc_flags = IB_WC_WITH_IMM; +- tlen -= sizeof(u32); + } else if (opcode == IB_OPCODE_UD_SEND_ONLY) { + wc.ex.imm_data = 0; + wc.wc_flags = 0; +diff --git a/drivers/staging/rdma/hfi1/ud.c b/drivers/staging/rdma/hfi1/ud.c +index 5a9c784bec04..a88e37444be0 100644 +--- a/drivers/staging/rdma/hfi1/ud.c ++++ b/drivers/staging/rdma/hfi1/ud.c +@@ -793,7 +793,6 @@ void hfi1_ud_rcv(struct hfi1_packet *packet) + opcode == IB_OPCODE_UD_SEND_ONLY_WITH_IMMEDIATE) { + wc.ex.imm_data = ohdr->u.ud.imm_data; + wc.wc_flags = IB_WC_WITH_IMM; +- tlen -= sizeof(u32); + } else if (opcode == IB_OPCODE_UD_SEND_ONLY) { + wc.ex.imm_data = 0; + wc.wc_flags = 0; +-- +2.19.1 + diff --git a/queue-4.4/iommu-amd-fix-iommu-page-flush-when-detach-device-fr.patch b/queue-4.4/iommu-amd-fix-iommu-page-flush-when-detach-device-fr.patch new file mode 100644 index 00000000000..65ff4c6d2fe --- /dev/null +++ b/queue-4.4/iommu-amd-fix-iommu-page-flush-when-detach-device-fr.patch @@ -0,0 +1,81 @@ +From 9c3f293ec55c14bf779d3988235a16462c56e122 Mon Sep 17 00:00:00 2001 +From: Suravee Suthikulpanit +Date: Thu, 24 Jan 2019 04:16:45 +0000 +Subject: iommu/amd: Fix IOMMU page flush when detach device from a domain + +[ Upstream commit 9825bd94e3a2baae1f4874767ae3a7d4c049720e ] + +When a VM is terminated, the VFIO driver detaches all pass-through +devices from VFIO domain by clearing domain id and page table root +pointer from each device table entry (DTE), and then invalidates +the DTE. Then, the VFIO driver unmap pages and invalidate IOMMU pages. + +Currently, the IOMMU driver keeps track of which IOMMU and how many +devices are attached to the domain. When invalidate IOMMU pages, +the driver checks if the IOMMU is still attached to the domain before +issuing the invalidate page command. + +However, since VFIO has already detached all devices from the domain, +the subsequent INVALIDATE_IOMMU_PAGES commands are being skipped as +there is no IOMMU attached to the domain. This results in data +corruption and could cause the PCI device to end up in indeterministic +state. + +Fix this by invalidate IOMMU pages when detach a device, and +before decrementing the per-domain device reference counts. + +Cc: Boris Ostrovsky +Suggested-by: Joerg Roedel +Co-developed-by: Brijesh Singh +Signed-off-by: Brijesh Singh +Signed-off-by: Suravee Suthikulpanit +Fixes: 6de8ad9b9ee0 ('x86/amd-iommu: Make iommu_flush_pages aware of multiple IOMMUs') +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c +index 52c36394dba5..0ad8b7c78a43 100644 +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -1982,6 +1982,7 @@ static void do_attach(struct iommu_dev_data *dev_data, + + static void do_detach(struct iommu_dev_data *dev_data) + { ++ struct protection_domain *domain = dev_data->domain; + struct amd_iommu *iommu; + u16 alias; + +@@ -1997,10 +1998,6 @@ static void do_detach(struct iommu_dev_data *dev_data) + iommu = amd_iommu_rlookup_table[dev_data->devid]; + alias = dev_data->alias; + +- /* decrease reference counters */ +- dev_data->domain->dev_iommu[iommu->index] -= 1; +- dev_data->domain->dev_cnt -= 1; +- + /* Update data structures */ + dev_data->domain = NULL; + list_del(&dev_data->list); +@@ -2010,6 +2007,16 @@ static void do_detach(struct iommu_dev_data *dev_data) + + /* Flush the DTE entry */ + device_flush_dte(dev_data); ++ ++ /* Flush IOTLB */ ++ domain_flush_tlb_pde(domain); ++ ++ /* Wait for the flushes to finish */ ++ domain_flush_complete(domain); ++ ++ /* decrease reference counters - needs to happen after the flushes */ ++ domain->dev_iommu[iommu->index] -= 1; ++ domain->dev_cnt -= 1; + } + + /* +-- +2.19.1 + diff --git a/queue-4.4/ipvs-fix-signed-integer-overflow-when-setsockopt-tim.patch b/queue-4.4/ipvs-fix-signed-integer-overflow-when-setsockopt-tim.patch new file mode 100644 index 00000000000..7d213a69c43 --- /dev/null +++ b/queue-4.4/ipvs-fix-signed-integer-overflow-when-setsockopt-tim.patch @@ -0,0 +1,91 @@ +From 8ec2305bb0e0b598e7b20e680f3ee55286e7ecd2 Mon Sep 17 00:00:00 2001 +From: ZhangXiaoxu +Date: Thu, 10 Jan 2019 16:39:06 +0800 +Subject: ipvs: Fix signed integer overflow when setsockopt timeout + +[ Upstream commit 53ab60baa1ac4f20b080a22c13b77b6373922fd7 ] + +There is a UBSAN bug report as below: +UBSAN: Undefined behaviour in net/netfilter/ipvs/ip_vs_ctl.c:2227:21 +signed integer overflow: +-2147483647 * 1000 cannot be represented in type 'int' + +Reproduce program: + #include + #include + #include + + #define IPPROTO_IP 0 + #define IPPROTO_RAW 255 + + #define IP_VS_BASE_CTL (64+1024+64) + #define IP_VS_SO_SET_TIMEOUT (IP_VS_BASE_CTL+10) + + /* The argument to IP_VS_SO_GET_TIMEOUT */ + struct ipvs_timeout_t { + int tcp_timeout; + int tcp_fin_timeout; + int udp_timeout; + }; + + int main() { + int ret = -1; + int sockfd = -1; + struct ipvs_timeout_t to; + + sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); + if (sockfd == -1) { + printf("socket init error\n"); + return -1; + } + + to.tcp_timeout = -2147483647; + to.tcp_fin_timeout = -2147483647; + to.udp_timeout = -2147483647; + + ret = setsockopt(sockfd, + IPPROTO_IP, + IP_VS_SO_SET_TIMEOUT, + (char *)(&to), + sizeof(to)); + + printf("setsockopt return %d\n", ret); + return ret; + } + +Return -EINVAL if the timeout value is negative or max than 'INT_MAX / HZ'. + +Signed-off-by: ZhangXiaoxu +Acked-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_ctl.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 3167ec76903a..56c62b65923f 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -2217,6 +2217,18 @@ static int ip_vs_set_timeout(struct netns_ipvs *ipvs, struct ip_vs_timeout_user + u->tcp_fin_timeout, + u->udp_timeout); + ++#ifdef CONFIG_IP_VS_PROTO_TCP ++ if (u->tcp_timeout < 0 || u->tcp_timeout > (INT_MAX / HZ) || ++ u->tcp_fin_timeout < 0 || u->tcp_fin_timeout > (INT_MAX / HZ)) { ++ return -EINVAL; ++ } ++#endif ++ ++#ifdef CONFIG_IP_VS_PROTO_UDP ++ if (u->udp_timeout < 0 || u->udp_timeout > (INT_MAX / HZ)) ++ return -EINVAL; ++#endif ++ + #ifdef CONFIG_IP_VS_PROTO_TCP + if (u->tcp_timeout) { + pd = ip_vs_proto_data_get(ipvs, IPPROTO_TCP); +-- +2.19.1 + diff --git a/queue-4.4/irqchip-mmp-only-touch-the-pj4-irq-fiq-bits-on-enabl.patch b/queue-4.4/irqchip-mmp-only-touch-the-pj4-irq-fiq-bits-on-enabl.patch new file mode 100644 index 00000000000..db5e15385c6 --- /dev/null +++ b/queue-4.4/irqchip-mmp-only-touch-the-pj4-irq-fiq-bits-on-enabl.patch @@ -0,0 +1,55 @@ +From 7d5d23ca00fb8354f93c8ae2cc8854323ef626bb Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Mon, 28 Jan 2019 16:59:35 +0100 +Subject: irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable + +[ Upstream commit 2380a22b60ce6f995eac806e69c66e397b59d045 ] + +Resetting bit 4 disables the interrupt delivery to the "secure +processor" core. This breaks the keyboard on a OLPC XO 1.75 laptop, +where the firmware running on the "secure processor" bit-bangs the +PS/2 protocol over the GPIO lines. + +It is not clear what the rest of the bits are and Marvell was unhelpful +when asked for documentation. Aside from the SP bit, there are probably +priority bits. + +Leaving the unknown bits as the firmware set them up seems to be a wiser +course of action compared to just turning them off. + +Signed-off-by: Lubomir Rintel +Acked-by: Pavel Machek +[maz: fixed-up subject and commit message] +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-mmp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-mmp.c b/drivers/irqchip/irq-mmp.c +index 013fc9659a84..2fe2bcb63a71 100644 +--- a/drivers/irqchip/irq-mmp.c ++++ b/drivers/irqchip/irq-mmp.c +@@ -34,6 +34,9 @@ + #define SEL_INT_PENDING (1 << 6) + #define SEL_INT_NUM_MASK 0x3f + ++#define MMP2_ICU_INT_ROUTE_PJ4_IRQ (1 << 5) ++#define MMP2_ICU_INT_ROUTE_PJ4_FIQ (1 << 6) ++ + struct icu_chip_data { + int nr_irqs; + unsigned int virq_base; +@@ -190,7 +193,8 @@ static struct mmp_intc_conf mmp_conf = { + static struct mmp_intc_conf mmp2_conf = { + .conf_enable = 0x20, + .conf_disable = 0x0, +- .conf_mask = 0x7f, ++ .conf_mask = MMP2_ICU_INT_ROUTE_PJ4_IRQ | ++ MMP2_ICU_INT_ROUTE_PJ4_FIQ, + }; + + static void __exception_irq_entry mmp_handle_irq(struct pt_regs *regs) +-- +2.19.1 + diff --git a/queue-4.4/mips-remove-function-size-check-in-get_frame_info.patch b/queue-4.4/mips-remove-function-size-check-in-get_frame_info.patch new file mode 100644 index 00000000000..816a20263ab --- /dev/null +++ b/queue-4.4/mips-remove-function-size-check-in-get_frame_info.patch @@ -0,0 +1,64 @@ +From 6e9b2517b306c477922026c071c600c39b8df923 Mon Sep 17 00:00:00 2001 +From: Jun-Ru Chang +Date: Tue, 29 Jan 2019 11:56:07 +0800 +Subject: MIPS: Remove function size check in get_frame_info() + +[ Upstream commit 2b424cfc69728224fcb5fad138ea7260728e0901 ] + +Patch (b6c7a324df37b "MIPS: Fix get_frame_info() handling of +microMIPS function size.") introduces additional function size +check for microMIPS by only checking insn between ip and ip + func_size. +However, func_size in get_frame_info() is always 0 if KALLSYMS is not +enabled. This causes get_frame_info() to return immediately without +calculating correct frame_size, which in turn causes "Can't analyze +schedule() prologue" warning messages at boot time. + +This patch removes func_size check, and let the frame_size check run +up to 128 insns for both MIPS and microMIPS. + +Signed-off-by: Jun-Ru Chang +Signed-off-by: Tony Wu +Signed-off-by: Paul Burton +Fixes: b6c7a324df37b ("MIPS: Fix get_frame_info() handling of microMIPS function size.") +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/process.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c +index ebd8a715fe38..e6102775892d 100644 +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -339,7 +339,7 @@ static inline int is_sp_move_ins(union mips_instruction *ip) + static int get_frame_info(struct mips_frame_info *info) + { + bool is_mmips = IS_ENABLED(CONFIG_CPU_MICROMIPS); +- union mips_instruction insn, *ip, *ip_end; ++ union mips_instruction insn, *ip; + const unsigned int max_insns = 128; + unsigned int last_insn_size = 0; + unsigned int i; +@@ -351,10 +351,9 @@ static int get_frame_info(struct mips_frame_info *info) + if (!ip) + goto err; + +- ip_end = (void *)ip + info->func_size; +- +- for (i = 0; i < max_insns && ip < ip_end; i++) { ++ for (i = 0; i < max_insns; i++) { + ip = (void *)ip + last_insn_size; ++ + if (is_mmips && mm_insn_16bit(ip->halfword[0])) { + insn.halfword[0] = 0; + insn.halfword[1] = ip->halfword[0]; +-- +2.19.1 + diff --git a/queue-4.4/mm-memory_hotplug-is_mem_section_removable-do-not-pa.patch b/queue-4.4/mm-memory_hotplug-is_mem_section_removable-do-not-pa.patch new file mode 100644 index 00000000000..b74f66908cb --- /dev/null +++ b/queue-4.4/mm-memory_hotplug-is_mem_section_removable-do-not-pa.patch @@ -0,0 +1,90 @@ +From e6ee702b4560633744a47f45900713f1367cb959 Mon Sep 17 00:00:00 2001 +From: Michal Hocko +Date: Fri, 1 Feb 2019 14:20:34 -0800 +Subject: mm, memory_hotplug: is_mem_section_removable do not pass the end of a + zone + +[ Upstream commit efad4e475c312456edb3c789d0996d12ed744c13 ] + +Patch series "mm, memory_hotplug: fix uninitialized pages fallouts", v2. + +Mikhail Zaslonko has posted fixes for the two bugs quite some time ago +[1]. I have pushed back on those fixes because I believed that it is +much better to plug the problem at the initialization time rather than +play whack-a-mole all over the hotplug code and find all the places +which expect the full memory section to be initialized. + +We have ended up with commit 2830bf6f05fb ("mm, memory_hotplug: +initialize struct pages for the full memory section") merged and cause a +regression [2][3]. The reason is that there might be memory layouts +when two NUMA nodes share the same memory section so the merged fix is +simply incorrect. + +In order to plug this hole we really have to be zone range aware in +those handlers. I have split up the original patch into two. One is +unchanged (patch 2) and I took a different approach for `removable' +crash. + +[1] http://lkml.kernel.org/r/20181105150401.97287-2-zaslonko@linux.ibm.com +[2] https://bugzilla.redhat.com/show_bug.cgi?id=1666948 +[3] http://lkml.kernel.org/r/20190125163938.GA20411@dhcp22.suse.cz + +This patch (of 2): + +Mikhail has reported the following VM_BUG_ON triggered when reading sysfs +removable state of a memory block: + + page:000003d08300c000 is uninitialized and poisoned + page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p)) + Call Trace: + is_mem_section_removable+0xb4/0x190 + show_mem_removable+0x9a/0xd8 + dev_attr_show+0x34/0x70 + sysfs_kf_seq_show+0xc8/0x148 + seq_read+0x204/0x480 + __vfs_read+0x32/0x178 + vfs_read+0x82/0x138 + ksys_read+0x5a/0xb0 + system_call+0xdc/0x2d8 + Last Breaking-Event-Address: + is_mem_section_removable+0xb4/0x190 + Kernel panic - not syncing: Fatal exception: panic_on_oops + +The reason is that the memory block spans the zone boundary and we are +stumbling over an unitialized struct page. Fix this by enforcing zone +range in is_mem_section_removable so that we never run away from a zone. + +Link: http://lkml.kernel.org/r/20190128144506.15603-2-mhocko@kernel.org +Signed-off-by: Michal Hocko +Reported-by: Mikhail Zaslonko +Debugged-by: Mikhail Zaslonko +Tested-by: Gerald Schaefer +Tested-by: Mikhail Gavrilov +Reviewed-by: Oscar Salvador +Cc: Pavel Tatashin +Cc: Heiko Carstens +Cc: Martin Schwidefsky +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memory_hotplug.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c +index 0addef5f8aa3..153acbf5f83d 100644 +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -1358,7 +1358,8 @@ static struct page *next_active_pageblock(struct page *page) + int is_mem_section_removable(unsigned long start_pfn, unsigned long nr_pages) + { + struct page *page = pfn_to_page(start_pfn); +- struct page *end_page = page + nr_pages; ++ unsigned long end_pfn = min(start_pfn + nr_pages, zone_end_pfn(page_zone(page))); ++ struct page *end_page = pfn_to_page(end_pfn); + + /* Check the starting page of each pageblock within the range */ + for (; page < end_page; page = next_active_pageblock(page)) { +-- +2.19.1 + diff --git a/queue-4.4/mm-memory_hotplug-test_pages_in_a_zone-do-not-pass-t.patch b/queue-4.4/mm-memory_hotplug-test_pages_in_a_zone-do-not-pass-t.patch new file mode 100644 index 00000000000..5ec1ddf15c1 --- /dev/null +++ b/queue-4.4/mm-memory_hotplug-test_pages_in_a_zone-do-not-pass-t.patch @@ -0,0 +1,73 @@ +From 4c24e5201755042e82eb412bfee188aabb7c78c8 Mon Sep 17 00:00:00 2001 +From: Mikhail Zaslonko +Date: Fri, 1 Feb 2019 14:20:38 -0800 +Subject: mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone + +[ Upstream commit 24feb47c5fa5b825efb0151f28906dfdad027e61 ] + +If memory end is not aligned with the sparse memory section boundary, +the mapping of such a section is only partly initialized. This may lead +to VM_BUG_ON due to uninitialized struct pages access from +test_pages_in_a_zone() function triggered by memory_hotplug sysfs +handlers. + +Here are the the panic examples: + CONFIG_DEBUG_VM_PGFLAGS=y + kernel parameter mem=2050M + -------------------------- + page:000003d082008000 is uninitialized and poisoned + page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p)) + Call Trace: + test_pages_in_a_zone+0xde/0x160 + show_valid_zones+0x5c/0x190 + dev_attr_show+0x34/0x70 + sysfs_kf_seq_show+0xc8/0x148 + seq_read+0x204/0x480 + __vfs_read+0x32/0x178 + vfs_read+0x82/0x138 + ksys_read+0x5a/0xb0 + system_call+0xdc/0x2d8 + Last Breaking-Event-Address: + test_pages_in_a_zone+0xde/0x160 + Kernel panic - not syncing: Fatal exception: panic_on_oops + +Fix this by checking whether the pfn to check is within the zone. + +[mhocko@suse.com: separated this change from http://lkml.kernel.org/r/20181105150401.97287-2-zaslonko@linux.ibm.com] +Link: http://lkml.kernel.org/r/20190128144506.15603-3-mhocko@kernel.org + +[mhocko@suse.com: separated this change from +http://lkml.kernel.org/r/20181105150401.97287-2-zaslonko@linux.ibm.com] +Signed-off-by: Michal Hocko +Signed-off-by: Mikhail Zaslonko +Tested-by: Mikhail Gavrilov +Reviewed-by: Oscar Salvador +Tested-by: Gerald Schaefer +Cc: Heiko Carstens +Cc: Martin Schwidefsky +Cc: Mikhail Gavrilov +Cc: Pavel Tatashin +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memory_hotplug.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c +index 153acbf5f83d..804cbfe9132d 100644 +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -1399,6 +1399,9 @@ int test_pages_in_a_zone(unsigned long start_pfn, unsigned long end_pfn, + i++; + if (i == MAX_ORDER_NR_PAGES) + continue; ++ /* Check if we got outside of the zone */ ++ if (zone && !zone_spans_pfn(zone, pfn + i)) ++ return 0; + page = pfn_to_page(pfn + i); + if (zone && page_zone(page) != zone) + return 0; +-- +2.19.1 + diff --git a/queue-4.4/net-altera_tse-fix-msgdma_tx_completion-on-non-zero-.patch b/queue-4.4/net-altera_tse-fix-msgdma_tx_completion-on-non-zero-.patch new file mode 100644 index 00000000000..d572fd465c4 --- /dev/null +++ b/queue-4.4/net-altera_tse-fix-msgdma_tx_completion-on-non-zero-.patch @@ -0,0 +1,40 @@ +From 1b419fbd0f68ef74841a9cb61b8dee5b2e1994a7 Mon Sep 17 00:00:00 2001 +From: Tomonori Sakita +Date: Fri, 25 Jan 2019 11:02:22 +0900 +Subject: net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case + +[ Upstream commit 6571ebce112a21ec9be68ef2f53b96fcd41fd81b ] + +If fill_level was not zero and status was not BUSY, +result of "tx_prod - tx_cons - inuse" might be zero. +Subtracting 1 unconditionally results invalid negative return value +on this case. +Make sure not to return an negative value. + +Signed-off-by: Tomonori Sakita +Signed-off-by: Atsushi Nemoto +Reviewed-by: Dalon L Westergreen +Acked-by: Thor Thayer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/altera/altera_msgdma.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/altera/altera_msgdma.c b/drivers/net/ethernet/altera/altera_msgdma.c +index 0fb986ba3290..0ae723f75341 100644 +--- a/drivers/net/ethernet/altera/altera_msgdma.c ++++ b/drivers/net/ethernet/altera/altera_msgdma.c +@@ -145,7 +145,8 @@ u32 msgdma_tx_completions(struct altera_tse_private *priv) + & 0xffff; + + if (inuse) { /* Tx FIFO is not empty */ +- ready = priv->tx_prod - priv->tx_cons - inuse - 1; ++ ready = max_t(int, ++ priv->tx_prod - priv->tx_cons - inuse - 1, 0); + } else { + /* Check for buffered last packet */ + status = csrrd32(priv->tx_dma_csr, msgdma_csroffs(status)); +-- +2.19.1 + diff --git a/queue-4.4/net-hns-fix-wrong-read-accesses-via-clause-45-mdio-p.patch b/queue-4.4/net-hns-fix-wrong-read-accesses-via-clause-45-mdio-p.patch new file mode 100644 index 00000000000..5a1da6b2b35 --- /dev/null +++ b/queue-4.4/net-hns-fix-wrong-read-accesses-via-clause-45-mdio-p.patch @@ -0,0 +1,35 @@ +From 10994799d4fe63e3b45d596bebc2c1df6965e42c Mon Sep 17 00:00:00 2001 +From: Yonglong Liu +Date: Sat, 26 Jan 2019 17:18:27 +0800 +Subject: net: hns: Fix wrong read accesses via Clause 45 MDIO protocol + +[ Upstream commit cec8abba13e6a26729dfed41019720068eeeff2b ] + +When reading phy registers via Clause 45 MDIO protocol, after write +address operation, the driver use another write address operation, so +can not read the right value of any phy registers. This patch fixes it. + +Signed-off-by: Yonglong Liu +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns_mdio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns_mdio.c b/drivers/net/ethernet/hisilicon/hns_mdio.c +index 37491c85bc42..6ff13c559e52 100644 +--- a/drivers/net/ethernet/hisilicon/hns_mdio.c ++++ b/drivers/net/ethernet/hisilicon/hns_mdio.c +@@ -319,7 +319,7 @@ static int hns_mdio_read(struct mii_bus *bus, int phy_id, int regnum) + } + + hns_mdio_cmd_write(mdio_dev, is_c45, +- MDIO_C45_WRITE_ADDR, phy_id, devad); ++ MDIO_C45_READ, phy_id, devad); + } + + /* Step 5: waitting for MDIO_COMMAND_REG 's mdio_start==0,*/ +-- +2.19.1 + diff --git a/queue-4.4/net-stmmac-dwmac-rk-fix-error-handling-in-rk_gmac_po.patch b/queue-4.4/net-stmmac-dwmac-rk-fix-error-handling-in-rk_gmac_po.patch new file mode 100644 index 00000000000..299876fde49 --- /dev/null +++ b/queue-4.4/net-stmmac-dwmac-rk-fix-error-handling-in-rk_gmac_po.patch @@ -0,0 +1,37 @@ +From c19e9e10f5fe7c8c9f6f48757471ffb3941eeea5 Mon Sep 17 00:00:00 2001 +From: Alexey Khoroshilov +Date: Sat, 26 Jan 2019 22:48:57 +0300 +Subject: net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup() + +[ Upstream commit c69c29a1a0a8f68cd87e98ba4a5a79fb8ef2a58c ] + +If phy_power_on() fails in rk_gmac_powerup(), clocks are left enabled. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c +index 0cd3ecff768b..398b08e07149 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c +@@ -535,8 +535,10 @@ static int rk_gmac_init(struct platform_device *pdev, void *priv) + int ret; + + ret = phy_power_on(bsp_priv, true); +- if (ret) ++ if (ret) { ++ gmac_clk_enable(bsp_priv, false); + return ret; ++ } + + ret = gmac_clk_enable(bsp_priv, true); + if (ret) +-- +2.19.1 + diff --git a/queue-4.4/nfs-fix-null-pointer-dereference-of-dev_name.patch b/queue-4.4/nfs-fix-null-pointer-dereference-of-dev_name.patch new file mode 100644 index 00000000000..1b83e1e0818 --- /dev/null +++ b/queue-4.4/nfs-fix-null-pointer-dereference-of-dev_name.patch @@ -0,0 +1,56 @@ +From 48aff3e8e33a6b8dcf6b585070bdd5a12e915851 Mon Sep 17 00:00:00 2001 +From: Yao Liu +Date: Mon, 28 Jan 2019 19:44:14 +0800 +Subject: nfs: Fix NULL pointer dereference of dev_name + +[ Upstream commit 80ff00172407e0aad4b10b94ef0816fc3e7813cb ] + +There is a NULL pointer dereference of dev_name in nfs_parse_devname() + +The oops looks something like: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 + ... + RIP: 0010:nfs_fs_mount+0x3b6/0xc20 [nfs] + ... + Call Trace: + ? ida_alloc_range+0x34b/0x3d0 + ? nfs_clone_super+0x80/0x80 [nfs] + ? nfs_free_parsed_mount_data+0x60/0x60 [nfs] + mount_fs+0x52/0x170 + ? __init_waitqueue_head+0x3b/0x50 + vfs_kern_mount+0x6b/0x170 + do_mount+0x216/0xdc0 + ksys_mount+0x83/0xd0 + __x64_sys_mount+0x25/0x30 + do_syscall_64+0x65/0x220 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fix this by adding a NULL check on dev_name + +Signed-off-by: Yao Liu +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 412fcfbc50e2..9b42139a479b 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1877,6 +1877,11 @@ static int nfs_parse_devname(const char *dev_name, + size_t len; + char *end; + ++ if (unlikely(!dev_name || !*dev_name)) { ++ dfprintk(MOUNT, "NFS: device name not specified\n"); ++ return -EINVAL; ++ } ++ + /* Is the host name protected with square brakcets? */ + if (*dev_name == '[') { + end = strchr(++dev_name, ']'); +-- +2.19.1 + diff --git a/queue-4.4/perf-symbols-filter-out-hidden-symbols-from-labels.patch b/queue-4.4/perf-symbols-filter-out-hidden-symbols-from-labels.patch new file mode 100644 index 00000000000..a266b107eee --- /dev/null +++ b/queue-4.4/perf-symbols-filter-out-hidden-symbols-from-labels.patch @@ -0,0 +1,94 @@ +From 53be15f10c4778730bb0199657cb51aa0324e43b Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Mon, 28 Jan 2019 14:35:26 +0100 +Subject: perf symbols: Filter out hidden symbols from labels + +[ Upstream commit 59a17706915fe5ea6f711e1f92d4fb706bce07fe ] + +When perf is built with the annobin plugin (RHEL8 build) extra symbols +are added to its binary: + + # nm perf | grep annobin | head -10 + 0000000000241100 t .annobin_annotate.c + 0000000000326490 t .annobin_annotate.c + 0000000000249255 t .annobin_annotate.c_end + 00000000003283a8 t .annobin_annotate.c_end + 00000000001bce18 t .annobin_annotate.c_end.hot + 00000000001bce18 t .annobin_annotate.c_end.hot + 00000000001bc3e2 t .annobin_annotate.c_end.unlikely + 00000000001bc400 t .annobin_annotate.c_end.unlikely + 00000000001bce18 t .annobin_annotate.c.hot + 00000000001bce18 t .annobin_annotate.c.hot + ... + +Those symbols have no use for report or annotation and should be +skipped. Moreover they interfere with the DWARF unwind test on the PPC +arch, where they are mixed with checked symbols and then the test fails: + + # perf test dwarf -v + 59: Test dwarf unwind : + --- start --- + test child forked, pid 8515 + unwind: .annobin_dwarf_unwind.c:ip = 0x10dba40dc (0x2740dc) + ... + got: .annobin_dwarf_unwind.c 0x10dba40dc, expecting test__arch_unwind_sample + unwind: failed with 'no error' + +The annobin symbols are defined as NOTYPE/LOCAL/HIDDEN: + + # readelf -s ./perf | grep annobin | head -1 + 40: 00000000001bce4f 0 NOTYPE LOCAL HIDDEN 13 .annobin_init.c + +They can still pass the check for the label symbol. Adding check for +HIDDEN and INTERNAL (as suggested by Nick below) visibility and filter +out such symbols. + +> Just to be awkward, if you are going to ignore STV_HIDDEN +> symbols then you should probably also ignore STV_INTERNAL ones +> as well... Annobin does not generate them, but you never know, +> one day some other tool might create some. + +Signed-off-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Masami Hiramatsu +Cc: Michael Petlan +Cc: Namhyung Kim +Cc: Nick Clifton +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20190128133526.GD15461@krava +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/symbol-elf.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c +index 7c97ecaeae48..2070c02de3af 100644 +--- a/tools/perf/util/symbol-elf.c ++++ b/tools/perf/util/symbol-elf.c +@@ -74,6 +74,11 @@ static inline uint8_t elf_sym__type(const GElf_Sym *sym) + return GELF_ST_TYPE(sym->st_info); + } + ++static inline uint8_t elf_sym__visibility(const GElf_Sym *sym) ++{ ++ return GELF_ST_VISIBILITY(sym->st_other); ++} ++ + #ifndef STT_GNU_IFUNC + #define STT_GNU_IFUNC 10 + #endif +@@ -98,7 +103,9 @@ static inline int elf_sym__is_label(const GElf_Sym *sym) + return elf_sym__type(sym) == STT_NOTYPE && + sym->st_name != 0 && + sym->st_shndx != SHN_UNDEF && +- sym->st_shndx != SHN_ABS; ++ sym->st_shndx != SHN_ABS && ++ elf_sym__visibility(sym) != STV_HIDDEN && ++ elf_sym__visibility(sym) != STV_INTERNAL; + } + + static bool elf_sym__is_a(GElf_Sym *sym, enum map_type type) +-- +2.19.1 + diff --git a/queue-4.4/perf-tools-handle-topology-headers-with-no-cpu.patch b/queue-4.4/perf-tools-handle-topology-headers-with-no-cpu.patch new file mode 100644 index 00000000000..ca9bd6edfcb --- /dev/null +++ b/queue-4.4/perf-tools-handle-topology-headers-with-no-cpu.patch @@ -0,0 +1,67 @@ +From 00bca002797d0a110230da37655c168667e4e3ec Mon Sep 17 00:00:00 2001 +From: Stephane Eranian +Date: Sat, 19 Jan 2019 00:12:39 -0800 +Subject: perf tools: Handle TOPOLOGY headers with no CPU + +[ Upstream commit 1497e804d1a6e2bd9107ddf64b0310449f4673eb ] + +This patch fixes an issue in cpumap.c when used with the TOPOLOGY +header. In some configurations, some NUMA nodes may have no CPU (empty +cpulist). Yet a cpumap map must be created otherwise perf abort with an +error. This patch handles this case by creating a dummy map. + + Before: + + $ perf record -o - -e cycles noploop 2 | perf script -i - + 0x6e8 [0x6c]: failed to process type: 80 + + After: + + $ perf record -o - -e cycles noploop 2 | perf script -i - + noploop for 2 seconds + +Signed-off-by: Stephane Eranian +Acked-by: Jiri Olsa +Cc: Andi Kleen +Cc: Kan Liang +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/1547885559-1657-1-git-send-email-eranian@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/cpumap.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c +index 10af1e7524fb..f1aae86f7f6c 100644 +--- a/tools/perf/util/cpumap.c ++++ b/tools/perf/util/cpumap.c +@@ -124,7 +124,12 @@ struct cpu_map *cpu_map__new(const char *cpu_list) + if (!cpu_list) + return cpu_map__read_all_cpu_map(); + +- if (!isdigit(*cpu_list)) ++ /* ++ * must handle the case of empty cpumap to cover ++ * TOPOLOGY header for NUMA nodes with no CPU ++ * ( e.g., because of CPU hotplug) ++ */ ++ if (!isdigit(*cpu_list) && *cpu_list != '\0') + goto out; + + while (isdigit(*cpu_list)) { +@@ -171,8 +176,10 @@ struct cpu_map *cpu_map__new(const char *cpu_list) + + if (nr_cpus > 0) + cpus = cpu_map__trim_new(nr_cpus, tmp_cpus); +- else ++ else if (*cpu_list != '\0') + cpus = cpu_map__default_new(); ++ else ++ cpus = cpu_map__dummy_new(); + invalid: + free(tmp_cpus); + out: +-- +2.19.1 + diff --git a/queue-4.4/perf-trace-support-multiple-vfs_getname-probes.patch b/queue-4.4/perf-trace-support-multiple-vfs_getname-probes.patch new file mode 100644 index 00000000000..d703a2f6491 --- /dev/null +++ b/queue-4.4/perf-trace-support-multiple-vfs_getname-probes.patch @@ -0,0 +1,101 @@ +From 2c5947ff54f89f7b46d25d6d73476037af4a9256 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Tue, 29 Jan 2019 15:12:34 +0100 +Subject: perf trace: Support multiple "vfs_getname" probes + +[ Upstream commit 6ab3bc240ade47a0f52bc16d97edd9accbe0024e ] + +With a suitably defined "probe:vfs_getname" probe, 'perf trace' can +"beautify" its output, so syscalls like open() or openat() can print the +"filename" argument instead of just its hex address, like: + + $ perf trace -e open -- touch /dev/null + [...] + 0.590 ( 0.014 ms): touch/18063 open(filename: /dev/null, flags: CREAT|NOCTTY|NONBLOCK|WRONLY, mode: IRUGO|IWUGO) = 3 + [...] + +The output without such beautifier looks like: + + 0.529 ( 0.011 ms): touch/18075 open(filename: 0xc78cf288, flags: CREAT|NOCTTY|NONBLOCK|WRONLY, mode: IRUGO|IWUGO) = 3 + +However, when the vfs_getname probe expands to multiple probes and it is +not the first one that is hit, the beautifier fails, as following: + + 0.326 ( 0.010 ms): touch/18072 open(filename: , flags: CREAT|NOCTTY|NONBLOCK|WRONLY, mode: IRUGO|IWUGO) = 3 + +Fix it by hooking into all the expanded probes (inlines), now, for instance: + + [root@quaco ~]# perf probe -l + probe:vfs_getname (on getname_flags:73@fs/namei.c with pathname) + probe:vfs_getname_1 (on getname_flags:73@fs/namei.c with pathname) + [root@quaco ~]# perf trace -e open* sleep 1 + 0.010 ( 0.005 ms): sleep/5588 openat(dfd: CWD, filename: /etc/ld.so.cache, flags: RDONLY|CLOEXEC) = 3 + 0.029 ( 0.006 ms): sleep/5588 openat(dfd: CWD, filename: /lib64/libc.so.6, flags: RDONLY|CLOEXEC) = 3 + 0.194 ( 0.008 ms): sleep/5588 openat(dfd: CWD, filename: /usr/lib/locale/locale-archive, flags: RDONLY|CLOEXEC) = 3 + [root@quaco ~]# + +Works, further verified with: + + [root@quaco ~]# perf test vfs + 65: Use vfs_getname probe to get syscall args filenames : Ok + 66: Add vfs_getname probe to get syscall args filenames : Ok + 67: Check open filename arg using perf trace + vfs_getname: Ok + [root@quaco ~]# + +Reported-by: Michael Petlan +Tested-by: Michael Petlan +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: https://lkml.kernel.org/n/tip-mv8kolk17xla1smvmp3qabv1@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index da8afc121118..039517c61c75 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -2403,19 +2403,30 @@ static size_t trace__fprintf_thread_summary(struct trace *trace, FILE *fp); + + static bool perf_evlist__add_vfs_getname(struct perf_evlist *evlist) + { +- struct perf_evsel *evsel = perf_evsel__newtp("probe", "vfs_getname"); ++ bool found = false; ++ struct perf_evsel *evsel, *tmp; ++ struct parse_events_error err = { .idx = 0, }; ++ int ret = parse_events(evlist, "probe:vfs_getname*", &err); + +- if (IS_ERR(evsel)) ++ if (ret) + return false; + +- if (perf_evsel__field(evsel, "pathname") == NULL) { ++ evlist__for_each_entry_safe(evlist, evsel, tmp) { ++ if (!strstarts(perf_evsel__name(evsel), "probe:vfs_getname")) ++ continue; ++ ++ if (perf_evsel__field(evsel, "pathname")) { ++ evsel->handler = trace__vfs_getname; ++ found = true; ++ continue; ++ } ++ ++ list_del_init(&evsel->node); ++ evsel->evlist = NULL; + perf_evsel__delete(evsel); +- return false; + } + +- evsel->handler = trace__vfs_getname; +- perf_evlist__add(evlist, evsel); +- return true; ++ return found; + } + + static int perf_evlist__add_pgfault(struct perf_evlist *evlist, +-- +2.19.1 + diff --git a/queue-4.4/platform-x86-fix-unmet-dependency-warning-for-samsun.patch b/queue-4.4/platform-x86-fix-unmet-dependency-warning-for-samsun.patch new file mode 100644 index 00000000000..da421f12ba9 --- /dev/null +++ b/queue-4.4/platform-x86-fix-unmet-dependency-warning-for-samsun.patch @@ -0,0 +1,43 @@ +From f95077deb31e0ba0934ef8332ce623dfb307ddb7 Mon Sep 17 00:00:00 2001 +From: Sinan Kaya +Date: Thu, 24 Jan 2019 19:31:01 +0000 +Subject: platform/x86: Fix unmet dependency warning for SAMSUNG_Q10 + +[ Upstream commit 0ee4b5f801b73b83a9fb3921d725f2162fd4a2e5 ] + +Add BACKLIGHT_LCD_SUPPORT for SAMSUNG_Q10 to fix the +warning: unmet direct dependencies detected for BACKLIGHT_CLASS_DEVICE. + +SAMSUNG_Q10 selects BACKLIGHT_CLASS_DEVICE but BACKLIGHT_CLASS_DEVICE +depends on BACKLIGHT_LCD_SUPPORT. + +Copy BACKLIGHT_LCD_SUPPORT dependency into SAMSUNG_Q10 to fix: + +WARNING: unmet direct dependencies detected for BACKLIGHT_CLASS_DEVICE + Depends on [n]: HAS_IOMEM [=y] && BACKLIGHT_LCD_SUPPORT [=n] + Selected by [y]: + - SAMSUNG_Q10 [=y] && X86 [=y] && X86_PLATFORM_DEVICES [=y] && ACPI [=y] + +Signed-off-by: Sinan Kaya +Acked-by: Andy Shevchenko +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig +index 988ebe9a6b90..953974b5a9a9 100644 +--- a/drivers/platform/x86/Kconfig ++++ b/drivers/platform/x86/Kconfig +@@ -881,6 +881,7 @@ config INTEL_OAKTRAIL + config SAMSUNG_Q10 + tristate "Samsung Q10 Extras" + depends on ACPI ++ depends on BACKLIGHT_LCD_SUPPORT + select BACKLIGHT_CLASS_DEVICE + ---help--- + This driver provides support for backlight control on Samsung Q10 +-- +2.19.1 + diff --git a/queue-4.4/s390-qeth-fix-use-after-free-in-error-path.patch b/queue-4.4/s390-qeth-fix-use-after-free-in-error-path.patch new file mode 100644 index 00000000000..b15c43238c9 --- /dev/null +++ b/queue-4.4/s390-qeth-fix-use-after-free-in-error-path.patch @@ -0,0 +1,70 @@ +From 7a52d6ee03c768885b211035c04a1de160575705 Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Mon, 4 Feb 2019 17:40:07 +0100 +Subject: s390/qeth: fix use-after-free in error path + +[ Upstream commit afa0c5904ba16d59b0454f7ee4c807dae350f432 ] + +The error path in qeth_alloc_qdio_buffers() that takes care of +cleaning up the Output Queues is buggy. It first frees the queue, but +then calls qeth_clear_outq_buffers() with that very queue struct. + +Make the call to qeth_clear_outq_buffers() part of the free action +(in the correct order), and while at it fix the naming of the helper. + +Fixes: 0da9581ddb0f ("qeth: exploit asynchronous delivery of storage blocks") +Signed-off-by: Julian Wiedmann +Reviewed-by: Alexandra Winter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/qeth_core_main.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c +index 533bd2467910..b40604d0126f 100644 +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -2452,11 +2452,12 @@ static int qeth_init_qdio_out_buf(struct qeth_qdio_out_q *q, int bidx) + return rc; + } + +-static void qeth_free_qdio_out_buf(struct qeth_qdio_out_q *q) ++static void qeth_free_output_queue(struct qeth_qdio_out_q *q) + { + if (!q) + return; + ++ qeth_clear_outq_buffers(q, 1); + qdio_free_buffers(q->qdio_bufs, QDIO_MAX_BUFFERS_PER_Q); + kfree(q); + } +@@ -2529,10 +2530,8 @@ static int qeth_alloc_qdio_buffers(struct qeth_card *card) + card->qdio.out_qs[i]->bufs[j] = NULL; + } + out_freeoutq: +- while (i > 0) { +- qeth_free_qdio_out_buf(card->qdio.out_qs[--i]); +- qeth_clear_outq_buffers(card->qdio.out_qs[i], 1); +- } ++ while (i > 0) ++ qeth_free_output_queue(card->qdio.out_qs[--i]); + kfree(card->qdio.out_qs); + card->qdio.out_qs = NULL; + out_freepool: +@@ -2565,10 +2564,8 @@ static void qeth_free_qdio_buffers(struct qeth_card *card) + qeth_free_buffer_pool(card); + /* free outbound qdio_qs */ + if (card->qdio.out_qs) { +- for (i = 0; i < card->qdio.no_out_queues; ++i) { +- qeth_clear_outq_buffers(card->qdio.out_qs[i], 1); +- qeth_free_qdio_out_buf(card->qdio.out_qs[i]); +- } ++ for (i = 0; i < card->qdio.no_out_queues; i++) ++ qeth_free_output_queue(card->qdio.out_qs[i]); + kfree(card->qdio.out_qs); + card->qdio.out_qs = NULL; + } +-- +2.19.1 + diff --git a/queue-4.4/scsi-libfc-free-skb-when-receiving-invalid-flogi-res.patch b/queue-4.4/scsi-libfc-free-skb-when-receiving-invalid-flogi-res.patch new file mode 100644 index 00000000000..baf7f413f19 --- /dev/null +++ b/queue-4.4/scsi-libfc-free-skb-when-receiving-invalid-flogi-res.patch @@ -0,0 +1,56 @@ +From d9173cb303b1d2a59d161abeabea5771acb60304 Mon Sep 17 00:00:00 2001 +From: Ming Lu +Date: Thu, 24 Jan 2019 13:25:42 +0800 +Subject: scsi: libfc: free skb when receiving invalid flogi resp + +[ Upstream commit 5d8fc4a9f0eec20b6c07895022a6bea3fb6dfb38 ] + +The issue to be fixed in this commit is when libfc found it received a +invalid FLOGI response from FC switch, it would return without freeing the +fc frame, which is just the skb data. This would cause memory leak if FC +switch keeps sending invalid FLOGI responses. + +This fix is just to make it execute `fc_frame_free(fp)` before returning +from function `fc_lport_flogi_resp`. + +Signed-off-by: Ming Lu +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libfc/fc_lport.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/libfc/fc_lport.c b/drivers/scsi/libfc/fc_lport.c +index e01a29863c38..867fc036d6ef 100644 +--- a/drivers/scsi/libfc/fc_lport.c ++++ b/drivers/scsi/libfc/fc_lport.c +@@ -1739,14 +1739,14 @@ void fc_lport_flogi_resp(struct fc_seq *sp, struct fc_frame *fp, + fc_frame_payload_op(fp) != ELS_LS_ACC) { + FC_LPORT_DBG(lport, "FLOGI not accepted or bad response\n"); + fc_lport_error(lport, fp); +- goto err; ++ goto out; + } + + flp = fc_frame_payload_get(fp, sizeof(*flp)); + if (!flp) { + FC_LPORT_DBG(lport, "FLOGI bad response\n"); + fc_lport_error(lport, fp); +- goto err; ++ goto out; + } + + mfs = ntohs(flp->fl_csp.sp_bb_data) & +@@ -1756,7 +1756,7 @@ void fc_lport_flogi_resp(struct fc_seq *sp, struct fc_frame *fp, + FC_LPORT_DBG(lport, "FLOGI bad mfs:%hu response, " + "lport->mfs:%hu\n", mfs, lport->mfs); + fc_lport_error(lport, fp); +- goto err; ++ goto out; + } + + if (mfs <= lport->mfs) { +-- +2.19.1 + diff --git a/queue-4.4/series b/queue-4.4/series index 6a8c2930850..efa02f6c2b6 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -78,3 +78,36 @@ netlabel-fix-out-of-bounds-memory-accesses.patch net-dsa-mv88e6xxx-fix-u64-statistics.patch ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch media-uvcvideo-fix-type-check-leading-to-overflow.patch +vti4-fix-a-ipip-packet-processing-bug-in-ipcomp-virt.patch +perf-tools-handle-topology-headers-with-no-cpu.patch +ib-hfi1-qib-fix-wc.byte_len-calculation-for-ud_send_.patch +ipvs-fix-signed-integer-overflow-when-setsockopt-tim.patch +iommu-amd-fix-iommu-page-flush-when-detach-device-fr.patch +xtensa-smp-fix-ccount_timer_shutdown.patch +xtensa-smp-fix-secondary-cpu-initialization.patch +xtensa-smp_lx200_defconfig-fix-vectors-clash.patch +xtensa-smp-mark-each-possible-cpu-as-present.patch +xtensa-smp-limit-number-of-possible-cpus-by-nr_cpus.patch +net-altera_tse-fix-msgdma_tx_completion-on-non-zero-.patch +net-hns-fix-wrong-read-accesses-via-clause-45-mdio-p.patch +net-stmmac-dwmac-rk-fix-error-handling-in-rk_gmac_po.patch +gpio-vf610-mask-all-gpio-interrupts.patch +nfs-fix-null-pointer-dereference-of-dev_name.patch +scsi-libfc-free-skb-when-receiving-invalid-flogi-res.patch +platform-x86-fix-unmet-dependency-warning-for-samsun.patch +cifs-fix-computation-for-max_smb2_hdr_size.patch +x86-kexec-don-t-setup-efi-info-if-efi-runtime-is-not.patch +x86_64-increase-stack-size-for-kasan_extra.patch +mm-memory_hotplug-is_mem_section_removable-do-not-pa.patch +mm-memory_hotplug-test_pages_in_a_zone-do-not-pass-t.patch +fs-drop_caches.c-avoid-softlockups-in-drop_pagecache.patch +autofs-drop-dentry-reference-only-when-it-is-never-u.patch +autofs-fix-error-return-in-autofs_fill_super.patch +arm-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch +irqchip-mmp-only-touch-the-pj4-irq-fiq-bits-on-enabl.patch +dmaengine-at_xdmac-fix-wrongfull-report-of-a-channel.patch +dmaengine-dmatest-abort-test-in-case-of-mapping-erro.patch +s390-qeth-fix-use-after-free-in-error-path.patch +perf-symbols-filter-out-hidden-symbols-from-labels.patch +perf-trace-support-multiple-vfs_getname-probes.patch +mips-remove-function-size-check-in-get_frame_info.patch diff --git a/queue-4.4/vti4-fix-a-ipip-packet-processing-bug-in-ipcomp-virt.patch b/queue-4.4/vti4-fix-a-ipip-packet-processing-bug-in-ipcomp-virt.patch new file mode 100644 index 00000000000..6abd156a1bd --- /dev/null +++ b/queue-4.4/vti4-fix-a-ipip-packet-processing-bug-in-ipcomp-virt.patch @@ -0,0 +1,119 @@ +From 182a40a7c83ce759eca4b56c46ade449f74b9eb2 Mon Sep 17 00:00:00 2001 +From: Su Yanjun +Date: Sun, 6 Jan 2019 21:31:20 -0500 +Subject: vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel + +[ Upstream commit dd9ee3444014e8f28c0eefc9fffc9ac9c5248c12 ] + +Recently we run a network test over ipcomp virtual tunnel.We find that +if a ipv4 packet needs fragment, then the peer can't receive +it. + +We deep into the code and find that when packet need fragment the smaller +fragment will be encapsulated by ipip not ipcomp. So when the ipip packet +goes into xfrm, it's skb->dev is not properly set. The ipv4 reassembly code +always set skb'dev to the last fragment's dev. After ipv4 defrag processing, +when the kernel rp_filter parameter is set, the skb will be drop by -EXDEV +error. + +This patch adds compatible support for the ipip process in ipcomp virtual tunnel. + +Signed-off-by: Su Yanjun +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_vti.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 50 insertions(+) + +diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c +index 4b7c81f88abf..fcf327ebd134 100644 +--- a/net/ipv4/ip_vti.c ++++ b/net/ipv4/ip_vti.c +@@ -75,6 +75,33 @@ static int vti_input(struct sk_buff *skb, int nexthdr, __be32 spi, + return 0; + } + ++static int vti_input_ipip(struct sk_buff *skb, int nexthdr, __be32 spi, ++ int encap_type) ++{ ++ struct ip_tunnel *tunnel; ++ const struct iphdr *iph = ip_hdr(skb); ++ struct net *net = dev_net(skb->dev); ++ struct ip_tunnel_net *itn = net_generic(net, vti_net_id); ++ ++ tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY, ++ iph->saddr, iph->daddr, 0); ++ if (tunnel) { ++ if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) ++ goto drop; ++ ++ XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel; ++ ++ skb->dev = tunnel->dev; ++ ++ return xfrm_input(skb, nexthdr, spi, encap_type); ++ } ++ ++ return -EINVAL; ++drop: ++ kfree_skb(skb); ++ return 0; ++} ++ + static int vti_rcv(struct sk_buff *skb) + { + XFRM_SPI_SKB_CB(skb)->family = AF_INET; +@@ -83,6 +110,14 @@ static int vti_rcv(struct sk_buff *skb) + return vti_input(skb, ip_hdr(skb)->protocol, 0, 0); + } + ++static int vti_rcv_ipip(struct sk_buff *skb) ++{ ++ XFRM_SPI_SKB_CB(skb)->family = AF_INET; ++ XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr); ++ ++ return vti_input_ipip(skb, ip_hdr(skb)->protocol, ip_hdr(skb)->saddr, 0); ++} ++ + static int vti_rcv_cb(struct sk_buff *skb, int err) + { + unsigned short family; +@@ -409,6 +444,12 @@ static struct xfrm4_protocol vti_ipcomp4_protocol __read_mostly = { + .priority = 100, + }; + ++static struct xfrm_tunnel ipip_handler __read_mostly = { ++ .handler = vti_rcv_ipip, ++ .err_handler = vti4_err, ++ .priority = 0, ++}; ++ + static int __net_init vti_init_net(struct net *net) + { + int err; +@@ -592,6 +633,13 @@ static int __init vti_init(void) + if (err < 0) + goto xfrm_proto_comp_failed; + ++ msg = "ipip tunnel"; ++ err = xfrm4_tunnel_register(&ipip_handler, AF_INET); ++ if (err < 0) { ++ pr_info("%s: cant't register tunnel\n",__func__); ++ goto xfrm_tunnel_failed; ++ } ++ + msg = "netlink interface"; + err = rtnl_link_register(&vti_link_ops); + if (err < 0) +@@ -601,6 +649,8 @@ static int __init vti_init(void) + + rtnl_link_failed: + xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP); ++xfrm_tunnel_failed: ++ xfrm4_tunnel_deregister(&ipip_handler, AF_INET); + xfrm_proto_comp_failed: + xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH); + xfrm_proto_ah_failed: +-- +2.19.1 + diff --git a/queue-4.4/x86-kexec-don-t-setup-efi-info-if-efi-runtime-is-not.patch b/queue-4.4/x86-kexec-don-t-setup-efi-info-if-efi-runtime-is-not.patch new file mode 100644 index 00000000000..0a907adff6d --- /dev/null +++ b/queue-4.4/x86-kexec-don-t-setup-efi-info-if-efi-runtime-is-not.patch @@ -0,0 +1,70 @@ +From 7723102b76ee6c60a2bd50eab3c68e0f40479a44 Mon Sep 17 00:00:00 2001 +From: Kairui Song +Date: Fri, 18 Jan 2019 19:13:08 +0800 +Subject: x86/kexec: Don't setup EFI info if EFI runtime is not enabled + +[ Upstream commit 2aa958c99c7fd3162b089a1a56a34a0cdb778de1 ] + +Kexec-ing a kernel with "efi=noruntime" on the first kernel's command +line causes the following null pointer dereference: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 + #PF error: [normal kernel read fault] + Call Trace: + efi_runtime_map_copy+0x28/0x30 + bzImage64_load+0x688/0x872 + arch_kexec_kernel_image_load+0x6d/0x70 + kimage_file_alloc_init+0x13e/0x220 + __x64_sys_kexec_file_load+0x144/0x290 + do_syscall_64+0x55/0x1a0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Just skip the EFI info setup if EFI runtime services are not enabled. + + [ bp: Massage commit message. ] + +Suggested-by: Dave Young +Signed-off-by: Kairui Song +Signed-off-by: Borislav Petkov +Acked-by: Dave Young +Cc: AKASHI Takahiro +Cc: Andrew Morton +Cc: Ard Biesheuvel +Cc: bhe@redhat.com +Cc: David Howells +Cc: erik.schmauss@intel.com +Cc: fanc.fnst@cn.fujitsu.com +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: kexec@lists.infradead.org +Cc: lenb@kernel.org +Cc: linux-acpi@vger.kernel.org +Cc: Philipp Rudo +Cc: rafael.j.wysocki@intel.com +Cc: robert.moore@intel.com +Cc: Thomas Gleixner +Cc: x86-ml +Cc: Yannik Sembritzki +Link: https://lkml.kernel.org/r/20190118111310.29589-2-kasong@redhat.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/kexec-bzimage64.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c +index 0f8a6bbaaa44..0bf17576dd2a 100644 +--- a/arch/x86/kernel/kexec-bzimage64.c ++++ b/arch/x86/kernel/kexec-bzimage64.c +@@ -168,6 +168,9 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, + struct efi_info *current_ei = &boot_params.efi_info; + struct efi_info *ei = ¶ms->efi_info; + ++ if (!efi_enabled(EFI_RUNTIME_SERVICES)) ++ return 0; ++ + if (!current_ei->efi_memmap_size) + return 0; + +-- +2.19.1 + diff --git a/queue-4.4/x86_64-increase-stack-size-for-kasan_extra.patch b/queue-4.4/x86_64-increase-stack-size-for-kasan_extra.patch new file mode 100644 index 00000000000..7dd3ab82962 --- /dev/null +++ b/queue-4.4/x86_64-increase-stack-size-for-kasan_extra.patch @@ -0,0 +1,82 @@ +From a718030c59b48e22a044ec5fbdd3db0bb3a4d941 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Fri, 1 Feb 2019 14:20:20 -0800 +Subject: x86_64: increase stack size for KASAN_EXTRA + +[ Upstream commit a8e911d13540487942d53137c156bd7707f66e5d ] + +If the kernel is configured with KASAN_EXTRA, the stack size is +increasted significantly because this option sets "-fstack-reuse" to +"none" in GCC [1]. As a result, it triggers stack overrun quite often +with 32k stack size compiled using GCC 8. For example, this reproducer + + https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/madvise/madvise06.c + +triggers a "corrupted stack end detected inside scheduler" very reliably +with CONFIG_SCHED_STACK_END_CHECK enabled. + +There are just too many functions that could have a large stack with +KASAN_EXTRA due to large local variables that have been called over and +over again without being able to reuse the stacks. Some noticiable ones +are + + size + 7648 shrink_page_list + 3584 xfs_rmap_convert + 3312 migrate_page_move_mapping + 3312 dev_ethtool + 3200 migrate_misplaced_transhuge_page + 3168 copy_process + +There are other 49 functions are over 2k in size while compiling kernel +with "-Wframe-larger-than=" even with a related minimal config on this +machine. Hence, it is too much work to change Makefiles for each object +to compile without "-fsanitize-address-use-after-scope" individually. + +[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715#c23 + +Although there is a patch in GCC 9 to help the situation, GCC 9 probably +won't be released in a few months and then it probably take another +6-month to 1-year for all major distros to include it as a default. +Hence, the stack usage with KASAN_EXTRA can be revisited again in 2020 +when GCC 9 is everywhere. Until then, this patch will help users avoid +stack overrun. + +This has already been fixed for arm64 for the same reason via +6e8830674ea ("arm64: kasan: Increase stack size for KASAN_EXTRA"). + +Link: http://lkml.kernel.org/r/20190109215209.2903-1-cai@lca.pw +Signed-off-by: Qian Cai +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Andrey Ryabinin +Cc: Alexander Potapenko +Cc: Dmitry Vyukov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/page_64_types.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/x86/include/asm/page_64_types.h b/arch/x86/include/asm/page_64_types.h +index 4928cf0d5af0..fb1251946b45 100644 +--- a/arch/x86/include/asm/page_64_types.h ++++ b/arch/x86/include/asm/page_64_types.h +@@ -2,7 +2,11 @@ + #define _ASM_X86_PAGE_64_DEFS_H + + #ifdef CONFIG_KASAN ++#ifdef CONFIG_KASAN_EXTRA ++#define KASAN_STACK_ORDER 2 ++#else + #define KASAN_STACK_ORDER 1 ++#endif + #else + #define KASAN_STACK_ORDER 0 + #endif +-- +2.19.1 + diff --git a/queue-4.4/xtensa-smp-fix-ccount_timer_shutdown.patch b/queue-4.4/xtensa-smp-fix-ccount_timer_shutdown.patch new file mode 100644 index 00000000000..bcb3d0755e0 --- /dev/null +++ b/queue-4.4/xtensa-smp-fix-ccount_timer_shutdown.patch @@ -0,0 +1,55 @@ +From 04ea0be0a3ed8372dbc41be1b5f119a38792801d Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Mon, 29 Jan 2018 09:09:41 -0800 +Subject: xtensa: SMP: fix ccount_timer_shutdown + +[ Upstream commit 4fe8713b873fc881284722ce4ac47995de7cf62c ] + +ccount_timer_shutdown is called from the atomic context in the +secondary_start_kernel, resulting in the following BUG: + +BUG: sleeping function called from invalid context +in_atomic(): 1, irqs_disabled(): 1, pid: 0, name: swapper/1 +Preemption disabled at: + secondary_start_kernel+0xa1/0x130 +Call Trace: + ___might_sleep+0xe7/0xfc + __might_sleep+0x41/0x44 + synchronize_irq+0x24/0x64 + disable_irq+0x11/0x14 + ccount_timer_shutdown+0x12/0x20 + clockevents_switch_state+0x82/0xb4 + clockevents_exchange_device+0x54/0x60 + tick_check_new_device+0x46/0x70 + clockevents_register_device+0x8c/0xc8 + clockevents_config_and_register+0x1d/0x2c + local_timer_setup+0x75/0x7c + secondary_start_kernel+0xb4/0x130 + should_never_return+0x32/0x35 + +Use disable_irq_nosync instead of disable_irq to avoid it. +This is safe because the ccount timer IRQ is per-CPU, and once IRQ is +masked the ISR will not be called. + +Signed-off-by: Max Filippov +Signed-off-by: Sasha Levin +--- + arch/xtensa/kernel/time.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/xtensa/kernel/time.c b/arch/xtensa/kernel/time.c +index b9ad9feadc2d..a992cb6a47db 100644 +--- a/arch/xtensa/kernel/time.c ++++ b/arch/xtensa/kernel/time.c +@@ -87,7 +87,7 @@ static int ccount_timer_shutdown(struct clock_event_device *evt) + container_of(evt, struct ccount_timer, evt); + + if (timer->irq_enabled) { +- disable_irq(evt->irq); ++ disable_irq_nosync(evt->irq); + timer->irq_enabled = 0; + } + return 0; +-- +2.19.1 + diff --git a/queue-4.4/xtensa-smp-fix-secondary-cpu-initialization.patch b/queue-4.4/xtensa-smp-fix-secondary-cpu-initialization.patch new file mode 100644 index 00000000000..08cf6bf03db --- /dev/null +++ b/queue-4.4/xtensa-smp-fix-secondary-cpu-initialization.patch @@ -0,0 +1,128 @@ +From 98b38d2cd82d185a179365f284a493a848628893 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Fri, 21 Dec 2018 08:26:20 -0800 +Subject: xtensa: SMP: fix secondary CPU initialization + +[ Upstream commit 32a7726c4f4aadfabdb82440d84f88a5a2c8fe13 ] + +- add missing memory barriers to the secondary CPU synchronization spin + loops; add comment to the matching memory barrier in the boot_secondary + and __cpu_die functions; +- use READ_ONCE/WRITE_ONCE to access cpu_start_id/cpu_start_ccount + instead of reading/writing them directly; +- re-initialize cpu_running every time before starting secondary CPU to + flush possible previous CPU startup results. + +Signed-off-by: Max Filippov +Signed-off-by: Sasha Levin +--- + arch/xtensa/kernel/head.S | 5 ++++- + arch/xtensa/kernel/smp.c | 34 +++++++++++++++++++++------------- + 2 files changed, 25 insertions(+), 14 deletions(-) + +diff --git a/arch/xtensa/kernel/head.S b/arch/xtensa/kernel/head.S +index c7b3bedbfffe..e3823b4f9d08 100644 +--- a/arch/xtensa/kernel/head.S ++++ b/arch/xtensa/kernel/head.S +@@ -286,12 +286,13 @@ should_never_return: + + movi a2, cpu_start_ccount + 1: ++ memw + l32i a3, a2, 0 + beqi a3, 0, 1b + movi a3, 0 + s32i a3, a2, 0 +- memw + 1: ++ memw + l32i a3, a2, 0 + beqi a3, 0, 1b + wsr a3, ccount +@@ -328,11 +329,13 @@ ENTRY(cpu_restart) + rsr a0, prid + neg a2, a0 + movi a3, cpu_start_id ++ memw + s32i a2, a3, 0 + #if XCHAL_DCACHE_IS_WRITEBACK + dhwbi a3, 0 + #endif + 1: ++ memw + l32i a2, a3, 0 + dhi a3, 0 + bne a2, a0, 1b +diff --git a/arch/xtensa/kernel/smp.c b/arch/xtensa/kernel/smp.c +index 4d02e38514f5..545144d1431d 100644 +--- a/arch/xtensa/kernel/smp.c ++++ b/arch/xtensa/kernel/smp.c +@@ -192,9 +192,11 @@ static int boot_secondary(unsigned int cpu, struct task_struct *ts) + int i; + + #ifdef CONFIG_HOTPLUG_CPU +- cpu_start_id = cpu; +- system_flush_invalidate_dcache_range( +- (unsigned long)&cpu_start_id, sizeof(cpu_start_id)); ++ WRITE_ONCE(cpu_start_id, cpu); ++ /* Pairs with the third memw in the cpu_restart */ ++ mb(); ++ system_flush_invalidate_dcache_range((unsigned long)&cpu_start_id, ++ sizeof(cpu_start_id)); + #endif + smp_call_function_single(0, mx_cpu_start, (void *)cpu, 1); + +@@ -203,18 +205,21 @@ static int boot_secondary(unsigned int cpu, struct task_struct *ts) + ccount = get_ccount(); + while (!ccount); + +- cpu_start_ccount = ccount; ++ WRITE_ONCE(cpu_start_ccount, ccount); + +- while (time_before(jiffies, timeout)) { ++ do { ++ /* ++ * Pairs with the first two memws in the ++ * .Lboot_secondary. ++ */ + mb(); +- if (!cpu_start_ccount) +- break; +- } ++ ccount = READ_ONCE(cpu_start_ccount); ++ } while (ccount && time_before(jiffies, timeout)); + +- if (cpu_start_ccount) { ++ if (ccount) { + smp_call_function_single(0, mx_cpu_stop, +- (void *)cpu, 1); +- cpu_start_ccount = 0; ++ (void *)cpu, 1); ++ WRITE_ONCE(cpu_start_ccount, 0); + return -EIO; + } + } +@@ -234,6 +239,7 @@ int __cpu_up(unsigned int cpu, struct task_struct *idle) + pr_debug("%s: Calling wakeup_secondary(cpu:%d, idle:%p, sp: %08lx)\n", + __func__, cpu, idle, start_info.stack); + ++ init_completion(&cpu_running); + ret = boot_secondary(cpu, idle); + if (ret == 0) { + wait_for_completion_timeout(&cpu_running, +@@ -295,8 +301,10 @@ void __cpu_die(unsigned int cpu) + unsigned long timeout = jiffies + msecs_to_jiffies(1000); + while (time_before(jiffies, timeout)) { + system_invalidate_dcache_range((unsigned long)&cpu_start_id, +- sizeof(cpu_start_id)); +- if (cpu_start_id == -cpu) { ++ sizeof(cpu_start_id)); ++ /* Pairs with the second memw in the cpu_restart */ ++ mb(); ++ if (READ_ONCE(cpu_start_id) == -cpu) { + platform_cpu_kill(cpu); + return; + } +-- +2.19.1 + diff --git a/queue-4.4/xtensa-smp-limit-number-of-possible-cpus-by-nr_cpus.patch b/queue-4.4/xtensa-smp-limit-number-of-possible-cpus-by-nr_cpus.patch new file mode 100644 index 00000000000..6923bb77725 --- /dev/null +++ b/queue-4.4/xtensa-smp-limit-number-of-possible-cpus-by-nr_cpus.patch @@ -0,0 +1,49 @@ +From cd7c9b84490abf6f7e1040a7cb6b17f2b60b18b4 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Sat, 26 Jan 2019 20:35:18 -0800 +Subject: xtensa: SMP: limit number of possible CPUs by NR_CPUS + +[ Upstream commit 25384ce5f9530def39421597b1457d9462df6455 ] + +This fixes the following warning at boot when the kernel is booted on a +board with more CPU cores than was configured in NR_CPUS: + + smp_init_cpus: Core Count = 8 + smp_init_cpus: Core Id = 0 + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 0 at include/linux/cpumask.h:121 smp_init_cpus+0x54/0x74 + Modules linked in: + CPU: 0 PID: 0 Comm: swapper Not tainted 5.0.0-rc3-00015-g1459333f88a0 #124 + Call Trace: + __warn$part$3+0x6a/0x7c + warn_slowpath_null+0x35/0x3c + smp_init_cpus+0x54/0x74 + setup_arch+0x1c0/0x1d0 + start_kernel+0x44/0x310 + _startup+0x107/0x107 + +Signed-off-by: Max Filippov +Signed-off-by: Sasha Levin +--- + arch/xtensa/kernel/smp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/xtensa/kernel/smp.c b/arch/xtensa/kernel/smp.c +index 0e34c1ed4aa8..54bb8e0473a0 100644 +--- a/arch/xtensa/kernel/smp.c ++++ b/arch/xtensa/kernel/smp.c +@@ -93,6 +93,11 @@ void __init smp_init_cpus(void) + pr_info("%s: Core Count = %d\n", __func__, ncpus); + pr_info("%s: Core Id = %d\n", __func__, core_id); + ++ if (ncpus > NR_CPUS) { ++ ncpus = NR_CPUS; ++ pr_info("%s: limiting core count by %d\n", __func__, ncpus); ++ } ++ + for (i = 0; i < ncpus; ++i) + set_cpu_possible(i, true); + } +-- +2.19.1 + diff --git a/queue-4.4/xtensa-smp-mark-each-possible-cpu-as-present.patch b/queue-4.4/xtensa-smp-mark-each-possible-cpu-as-present.patch new file mode 100644 index 00000000000..835d0e9968d --- /dev/null +++ b/queue-4.4/xtensa-smp-mark-each-possible-cpu-as-present.patch @@ -0,0 +1,32 @@ +From 4ddd1118c527ed190f71dc19440545dd8e9438dc Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Sat, 19 Jan 2019 00:26:48 -0800 +Subject: xtensa: SMP: mark each possible CPU as present + +[ Upstream commit 8b1c42cdd7181200dc1fff39dcb6ac1a3fac2c25 ] + +Otherwise it is impossible to enable CPUs after booting with 'maxcpus' +parameter. + +Signed-off-by: Max Filippov +Signed-off-by: Sasha Levin +--- + arch/xtensa/kernel/smp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/xtensa/kernel/smp.c b/arch/xtensa/kernel/smp.c +index 545144d1431d..0e34c1ed4aa8 100644 +--- a/arch/xtensa/kernel/smp.c ++++ b/arch/xtensa/kernel/smp.c +@@ -80,7 +80,7 @@ void __init smp_prepare_cpus(unsigned int max_cpus) + { + unsigned i; + +- for (i = 0; i < max_cpus; ++i) ++ for_each_possible_cpu(i) + set_cpu_present(i, true); + } + +-- +2.19.1 + diff --git a/queue-4.4/xtensa-smp_lx200_defconfig-fix-vectors-clash.patch b/queue-4.4/xtensa-smp_lx200_defconfig-fix-vectors-clash.patch new file mode 100644 index 00000000000..5517136d61f --- /dev/null +++ b/queue-4.4/xtensa-smp_lx200_defconfig-fix-vectors-clash.patch @@ -0,0 +1,33 @@ +From b20e832c65b5febf24bb3ae84f5dbe219376a4b7 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Thu, 24 Jan 2019 17:16:11 -0800 +Subject: xtensa: smp_lx200_defconfig: fix vectors clash + +[ Upstream commit 306b38305c0f86de7f17c5b091a95451dcc93d7d ] + +Secondary CPU reset vector overlaps part of the double exception handler +code, resulting in weird crashes and hangups when running user code. +Move exception vectors one page up so that they don't clash with the +secondary CPU reset vector. + +Signed-off-by: Max Filippov +Signed-off-by: Sasha Levin +--- + arch/xtensa/configs/smp_lx200_defconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/xtensa/configs/smp_lx200_defconfig b/arch/xtensa/configs/smp_lx200_defconfig +index 22eeacba37cc..199e05f85e89 100644 +--- a/arch/xtensa/configs/smp_lx200_defconfig ++++ b/arch/xtensa/configs/smp_lx200_defconfig +@@ -35,6 +35,7 @@ CONFIG_SMP=y + CONFIG_HOTPLUG_CPU=y + # CONFIG_INITIALIZE_XTENSA_MMU_INSIDE_VMLINUX is not set + # CONFIG_PCI is not set ++CONFIG_VECTORS_OFFSET=0x00002000 + CONFIG_XTENSA_PLATFORM_XTFPGA=y + CONFIG_CMDLINE_BOOL=y + CONFIG_CMDLINE="earlycon=uart8250,mmio32,0xfd050020,115200n8 console=ttyS0,115200n8 ip=dhcp root=/dev/nfs rw debug" +-- +2.19.1 +