From: Sasha Levin Date: Wed, 23 Jan 2019 15:53:11 +0000 (-0500) Subject: autosel patches for 4.19 X-Git-Tag: v4.20.5~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1ac1f24ee94528824edc90af17bba0d07022713b;p=thirdparty%2Fkernel%2Fstable-queue.git autosel patches for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/alsa-bebob-fix-model-id-of-unit-for-apogee-ensemble.patch b/queue-4.19/alsa-bebob-fix-model-id-of-unit-for-apogee-ensemble.patch new file mode 100644 index 00000000000..e259d1a41d7 --- /dev/null +++ b/queue-4.19/alsa-bebob-fix-model-id-of-unit-for-apogee-ensemble.patch @@ -0,0 +1,93 @@ +From abff7e9bff0d98dac99fe8d9ff008e11d3fc4919 Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Wed, 19 Dec 2018 20:00:42 +0900 +Subject: ALSA: bebob: fix model-id of unit for Apogee Ensemble + +[ Upstream commit 644b2e97405b0b74845e1d3c2b4fe4c34858062b ] + +This commit fixes hard-coded model-id for an unit of Apogee Ensemble with +a correct value. This unit uses DM1500 ASIC produced ArchWave AG (formerly +known as BridgeCo AG). + +I note that this model supports three modes in the number of data channels +in tx/rx streams; 8 ch pairs, 10 ch pairs, 18 ch pairs. The mode is +switched by Vendor-dependent AV/C command, like: + +$ cd linux-firewire-utils +$ ./firewire-request /dev/fw1 fcp 0x00ff000003dbeb0600000000 (8ch pairs) +$ ./firewire-request /dev/fw1 fcp 0x00ff000003dbeb0601000000 (10ch pairs) +$ ./firewire-request /dev/fw1 fcp 0x00ff000003dbeb0602000000 (18ch pairs) + +When switching between different mode, the unit disappears from IEEE 1394 +bus, then appears on the bus with different combination of stream formats. +In a mode of 18 ch pairs, available sampling rate is up to 96.0 kHz, else +up to 192.0 kHz. + +$ ./hinawa-config-rom-printer /dev/fw1 +{ 'bus-info': { 'adj': False, + 'bmc': True, + 'chip_ID': 21474898341, + 'cmc': True, + 'cyc_clk_acc': 100, + 'generation': 2, + 'imc': True, + 'isc': True, + 'link_spd': 2, + 'max_ROM': 1, + 'max_rec': 512, + 'name': '1394', + 'node_vendor_ID': 987, + 'pmc': False}, + 'root-directory': [ ['HARDWARE_VERSION', 19], + [ 'NODE_CAPABILITIES', + { 'addressing': {'64': True, 'fix': True, 'prv': False}, + 'misc': {'int': False, 'ms': False, 'spt': True}, + 'state': { 'atn': False, + 'ded': False, + 'drq': True, + 'elo': False, + 'init': False, + 'lst': True, + 'off': False}, + 'testing': {'bas': False, 'ext': False}}], + ['VENDOR', 987], + ['DESCRIPTOR', 'Apogee Electronics'], + ['MODEL', 126702], + ['DESCRIPTOR', 'Ensemble'], + ['VERSION', 5297], + [ 'UNIT', + [ ['SPECIFIER_ID', 41005], + ['VERSION', 65537], + ['MODEL', 126702], + ['DESCRIPTOR', 'Ensemble']]], + [ 'DEPENDENT_INFO', + [ ['SPECIFIER_ID', 2037], + ['VERSION', 1], + [(58, 'IMMEDIATE'), 16777159], + [(59, 'IMMEDIATE'), 1048576], + [(60, 'IMMEDIATE'), 16777159], + [(61, 'IMMEDIATE'), 6291456]]]]} + +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/bebob/bebob.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/firewire/bebob/bebob.c b/sound/firewire/bebob/bebob.c +index 93676354f87f..de4af8a41ff0 100644 +--- a/sound/firewire/bebob/bebob.c ++++ b/sound/firewire/bebob/bebob.c +@@ -434,7 +434,7 @@ static const struct ieee1394_device_id bebob_id_table[] = { + /* Apogee Electronics, DA/AD/DD-16X (X-FireWire card) */ + SND_BEBOB_DEV_ENTRY(VEN_APOGEE, 0x00010048, &spec_normal), + /* Apogee Electronics, Ensemble */ +- SND_BEBOB_DEV_ENTRY(VEN_APOGEE, 0x00001eee, &spec_normal), ++ SND_BEBOB_DEV_ENTRY(VEN_APOGEE, 0x01eeee, &spec_normal), + /* ESI, Quatafire610 */ + SND_BEBOB_DEV_ENTRY(VEN_ESI, 0x00010064, &spec_normal), + /* AcousticReality, eARMasterOne */ +-- +2.19.1 + diff --git a/queue-4.19/alsa-oxfw-add-support-for-apogee-duet-firewire.patch b/queue-4.19/alsa-oxfw-add-support-for-apogee-duet-firewire.patch new file mode 100644 index 00000000000..dc962b35f5c --- /dev/null +++ b/queue-4.19/alsa-oxfw-add-support-for-apogee-duet-firewire.patch @@ -0,0 +1,98 @@ +From c804ce2d813af3e3a03420b46f6fe2ba8ec299ee Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Tue, 13 Nov 2018 12:01:30 +0900 +Subject: ALSA: oxfw: add support for APOGEE duet FireWire + +[ Upstream commit fba43f454cdf9caa3185219d116bd2a6e6354552 ] + +This commit adds support for APOGEE duet FireWire, launched 2007, already +discontinued. This model uses Oxford Semiconductor FW971 as its +communication engine. Below is information on Configuration ROM of this +unit. The unit supports some AV/C commands defined by Audio subunit +specification and vendor dependent commands. + +$ ./hinawa-config-rom-printer /dev/fw1 +{ 'bus-info': { 'adj': False, + 'bmc': False, + 'chip_ID': 42949742248, + 'cmc': False, + 'cyc_clk_acc': 255, + 'generation': 0, + 'imc': False, + 'isc': True, + 'link_spd': 3, + 'max_ROM': 0, + 'max_rec': 64, + 'name': '1394', + 'node_vendor_ID': 987, + 'pmc': False}, + 'root-directory': [ ['VENDOR', 987], + ['DESCRIPTOR', 'Apogee Electronics'], + ['MODEL', 122333], + ['DESCRIPTOR', 'Duet'], + [ 'NODE_CAPABILITIES', + { 'addressing': {'64': True, 'fix': True, 'prv': False}, + 'misc': {'int': False, 'ms': False, 'spt': True}, + 'state': { 'atn': False, + 'ded': False, + 'drq': True, + 'elo': False, + 'init': False, + 'lst': True, + 'off': False}, + 'testing': {'bas': False, 'ext': False}}], + [ 'UNIT', + [ ['SPECIFIER_ID', 41005], + ['VERSION', 65537], + ['MODEL', 122333], + ['DESCRIPTOR', 'Duet']]]]} + +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/Kconfig | 1 + + sound/firewire/oxfw/oxfw.c | 8 ++++++++ + 2 files changed, 9 insertions(+) + +diff --git a/sound/firewire/Kconfig b/sound/firewire/Kconfig +index 529d9f405fa9..0cb65d0864cc 100644 +--- a/sound/firewire/Kconfig ++++ b/sound/firewire/Kconfig +@@ -41,6 +41,7 @@ config SND_OXFW + * Mackie(Loud) U.420/U.420d + * TASCAM FireOne + * Stanton Controllers & Systems 1 Deck/Mixer ++ * APOGEE duet FireWire + + To compile this driver as a module, choose M here: the module + will be called snd-oxfw. +diff --git a/sound/firewire/oxfw/oxfw.c b/sound/firewire/oxfw/oxfw.c +index 2ea8be6c8584..5f82a375725a 100644 +--- a/sound/firewire/oxfw/oxfw.c ++++ b/sound/firewire/oxfw/oxfw.c +@@ -20,6 +20,7 @@ + #define VENDOR_LACIE 0x00d04b + #define VENDOR_TASCAM 0x00022e + #define OUI_STANTON 0x001260 ++#define OUI_APOGEE 0x0003db + + #define MODEL_SATELLITE 0x00200f + +@@ -436,6 +437,13 @@ static const struct ieee1394_device_id oxfw_id_table[] = { + .vendor_id = OUI_STANTON, + .model_id = 0x002000, + }, ++ // APOGEE, duet FireWire ++ { ++ .match_flags = IEEE1394_MATCH_VENDOR_ID | ++ IEEE1394_MATCH_MODEL_ID, ++ .vendor_id = OUI_APOGEE, ++ .model_id = 0x01dddd, ++ }, + { } + }; + MODULE_DEVICE_TABLE(ieee1394, oxfw_id_table); +-- +2.19.1 + diff --git a/queue-4.19/arm64-fix-minor-issues-with-the-dcache_by_line_op-ma.patch b/queue-4.19/arm64-fix-minor-issues-with-the-dcache_by_line_op-ma.patch new file mode 100644 index 00000000000..a9177fb947f --- /dev/null +++ b/queue-4.19/arm64-fix-minor-issues-with-the-dcache_by_line_op-ma.patch @@ -0,0 +1,114 @@ +From 06faae7846d3390de9f0a6ae6816d83fda195576 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Mon, 10 Dec 2018 13:39:48 +0000 +Subject: arm64: Fix minor issues with the dcache_by_line_op macro + +[ Upstream commit 33309ecda0070506c49182530abe7728850ebe78 ] + +The dcache_by_line_op macro suffers from a couple of small problems: + +First, the GAS directives that are currently being used rely on +assembler behavior that is not documented, and probably not guaranteed +to produce the correct behavior going forward. As a result, we end up +with some undefined symbols in cache.o: + +$ nm arch/arm64/mm/cache.o + ... + U civac + ... + U cvac + U cvap + U cvau + +This is due to the fact that the comparisons used to select the +operation type in the dcache_by_line_op macro are comparing symbols +not strings, and even though it seems that GAS is doing the right +thing here (undefined symbols by the same name are equal to each +other), it seems unwise to rely on this. + +Second, when patching in a DC CVAP instruction on CPUs that support it, +the fallback path consists of a DC CVAU instruction which may be +affected by CPU errata that require ARM64_WORKAROUND_CLEAN_CACHE. + +Solve these issues by unrolling the various maintenance routines and +using the conditional directives that are documented as operating on +strings. To avoid the complexity of nested alternatives, we move the +DC CVAP patching to __clean_dcache_area_pop, falling back to a branch +to __clean_dcache_area_poc if DCPOP is not supported by the CPU. + +Reported-by: Ard Biesheuvel +Suggested-by: Robin Murphy +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/assembler.h | 30 ++++++++++++++++++------------ + arch/arm64/mm/cache.S | 3 +++ + 2 files changed, 21 insertions(+), 12 deletions(-) + +diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h +index 0bcc98dbba56..f90f5d83b228 100644 +--- a/arch/arm64/include/asm/assembler.h ++++ b/arch/arm64/include/asm/assembler.h +@@ -378,27 +378,33 @@ alternative_endif + * size: size of the region + * Corrupts: kaddr, size, tmp1, tmp2 + */ ++ .macro __dcache_op_workaround_clean_cache, op, kaddr ++alternative_if_not ARM64_WORKAROUND_CLEAN_CACHE ++ dc \op, \kaddr ++alternative_else ++ dc civac, \kaddr ++alternative_endif ++ .endm ++ + .macro dcache_by_line_op op, domain, kaddr, size, tmp1, tmp2 + dcache_line_size \tmp1, \tmp2 + add \size, \kaddr, \size + sub \tmp2, \tmp1, #1 + bic \kaddr, \kaddr, \tmp2 + 9998: +- .if (\op == cvau || \op == cvac) +-alternative_if_not ARM64_WORKAROUND_CLEAN_CACHE +- dc \op, \kaddr +-alternative_else +- dc civac, \kaddr +-alternative_endif +- .elseif (\op == cvap) +-alternative_if ARM64_HAS_DCPOP +- sys 3, c7, c12, 1, \kaddr // dc cvap +-alternative_else +- dc cvac, \kaddr +-alternative_endif ++ .ifc \op, cvau ++ __dcache_op_workaround_clean_cache \op, \kaddr ++ .else ++ .ifc \op, cvac ++ __dcache_op_workaround_clean_cache \op, \kaddr ++ .else ++ .ifc \op, cvap ++ sys 3, c7, c12, 1, \kaddr // dc cvap + .else + dc \op, \kaddr + .endif ++ .endif ++ .endif + add \kaddr, \kaddr, \tmp1 + cmp \kaddr, \size + b.lo 9998b +diff --git a/arch/arm64/mm/cache.S b/arch/arm64/mm/cache.S +index 0c22ede52f90..a194fd0e837f 100644 +--- a/arch/arm64/mm/cache.S ++++ b/arch/arm64/mm/cache.S +@@ -212,6 +212,9 @@ ENDPROC(__dma_clean_area) + * - size - size in question + */ + ENTRY(__clean_dcache_area_pop) ++ alternative_if_not ARM64_HAS_DCPOP ++ b __clean_dcache_area_poc ++ alternative_else_nop_endif + dcache_by_line_op cvap, sy, x0, x1, x2, x3 + ret + ENDPIPROC(__clean_dcache_area_pop) +-- +2.19.1 + diff --git a/queue-4.19/arm64-kasan-increase-stack-size-for-kasan_extra.patch b/queue-4.19/arm64-kasan-increase-stack-size-for-kasan_extra.patch new file mode 100644 index 00000000000..28ab91c310c --- /dev/null +++ b/queue-4.19/arm64-kasan-increase-stack-size-for-kasan_extra.patch @@ -0,0 +1,78 @@ +From ba9b2b839624a1cc6765c26298d33b9baa5e489e Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Fri, 7 Dec 2018 17:34:49 -0500 +Subject: arm64: kasan: Increase stack size for KASAN_EXTRA + +[ Upstream commit 6e8830674ea77f57d57a33cca09083b117a71f41 ] + +If the kernel is configured with KASAN_EXTRA, the stack size is +increased significantly due to setting the GCC -fstack-reuse option to +"none" [1]. As a result, it can trigger a stack overrun quite often with +32k stack size compiled using GCC 8. For example, this reproducer + + https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/madvise/madvise06.c + +can trigger a "corrupted stack end detected inside scheduler" very +reliably with CONFIG_SCHED_STACK_END_CHECK enabled. There are other +reports at: + + https://lore.kernel.org/lkml/1542144497.12945.29.camel@gmx.us/ + https://lore.kernel.org/lkml/721E7B42-2D55-4866-9C1A-3E8D64F33F9C@gmx.us/ + +There are just too many functions that could have a large stack with +KASAN_EXTRA due to large local variables that have been called over and +over again without being able to reuse the stacks. Some noticiable ones +are, + +size +7536 shrink_inactive_list +7440 shrink_page_list +6560 fscache_stats_show +3920 jbd2_journal_commit_transaction +3216 try_to_unmap_one +3072 migrate_page_move_mapping +3584 migrate_misplaced_transhuge_page +3920 ip_vs_lblcr_schedule +4304 lpfc_nvme_info_show +3888 lpfc_debugfs_nvmestat_data.constprop + +There are other 49 functions over 2k in size while compiling kernel with +"-Wframe-larger-than=" on this machine. Hence, it is too much work to +change Makefiles for each object to compile without +-fsanitize-address-use-after-scope individually. + +[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715#c23 + +Signed-off-by: Qian Cai +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/memory.h | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h +index b96442960aea..56562ff01076 100644 +--- a/arch/arm64/include/asm/memory.h ++++ b/arch/arm64/include/asm/memory.h +@@ -76,12 +76,17 @@ + /* + * KASAN requires 1/8th of the kernel virtual address space for the shadow + * region. KASAN can bloat the stack significantly, so double the (minimum) +- * stack size when KASAN is in use. ++ * stack size when KASAN is in use, and then double it again if KASAN_EXTRA is ++ * on. + */ + #ifdef CONFIG_KASAN + #define KASAN_SHADOW_SCALE_SHIFT 3 + #define KASAN_SHADOW_SIZE (UL(1) << (VA_BITS - KASAN_SHADOW_SCALE_SHIFT)) ++#ifdef CONFIG_KASAN_EXTRA ++#define KASAN_THREAD_SHIFT 2 ++#else + #define KASAN_THREAD_SHIFT 1 ++#endif /* CONFIG_KASAN_EXTRA */ + #else + #define KASAN_SHADOW_SIZE (0) + #define KASAN_THREAD_SHIFT 0 +-- +2.19.1 + diff --git a/queue-4.19/arm64-perf-set-suppress_bind_attrs-flag-to-true.patch b/queue-4.19/arm64-perf-set-suppress_bind_attrs-flag-to-true.patch new file mode 100644 index 00000000000..b31baee7001 --- /dev/null +++ b/queue-4.19/arm64-perf-set-suppress_bind_attrs-flag-to-true.patch @@ -0,0 +1,71 @@ +From 390cb45bfd98cd978d438d4776b2b35c54091142 Mon Sep 17 00:00:00 2001 +From: Anders Roxell +Date: Wed, 17 Oct 2018 17:26:22 +0200 +Subject: arm64: perf: set suppress_bind_attrs flag to true + +[ Upstream commit 81e9fa8bab381f8b6eb04df7cdf0f71994099bd4 ] + +The armv8_pmuv3 driver doesn't have a remove function, and when the test +'CONFIG_DEBUG_TEST_DRIVER_REMOVE=y' is enabled, the following Call trace +can be seen. + +[ 1.424287] Failed to register pmu: armv8_pmuv3, reason -17 +[ 1.424870] WARNING: CPU: 0 PID: 1 at ../kernel/events/core.c:11771 perf_event_sysfs_init+0x98/0xdc +[ 1.425220] Modules linked in: +[ 1.425531] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.19.0-rc7-next-20181012-00003-ge7a97b1ad77b-dirty #35 +[ 1.425951] Hardware name: linux,dummy-virt (DT) +[ 1.426212] pstate: 80000005 (Nzcv daif -PAN -UAO) +[ 1.426458] pc : perf_event_sysfs_init+0x98/0xdc +[ 1.426720] lr : perf_event_sysfs_init+0x98/0xdc +[ 1.426908] sp : ffff00000804bd50 +[ 1.427077] x29: ffff00000804bd50 x28: ffff00000934e078 +[ 1.427429] x27: ffff000009546000 x26: 0000000000000007 +[ 1.427757] x25: ffff000009280710 x24: 00000000ffffffef +[ 1.428086] x23: ffff000009408000 x22: 0000000000000000 +[ 1.428415] x21: ffff000009136008 x20: ffff000009408730 +[ 1.428744] x19: ffff80007b20b400 x18: 000000000000000a +[ 1.429075] x17: 0000000000000000 x16: 0000000000000000 +[ 1.429418] x15: 0000000000000400 x14: 2e79726f74636572 +[ 1.429748] x13: 696420656d617320 x12: 656874206e692065 +[ 1.430060] x11: 6d616e20656d6173 x10: 2065687420687469 +[ 1.430335] x9 : ffff00000804bd50 x8 : 206e6f7361657220 +[ 1.430610] x7 : 2c3376756d705f38 x6 : ffff00000954d7ce +[ 1.430880] x5 : 0000000000000000 x4 : 0000000000000000 +[ 1.431226] x3 : 0000000000000000 x2 : ffffffffffffffff +[ 1.431554] x1 : 4d151327adc50b00 x0 : 0000000000000000 +[ 1.431868] Call trace: +[ 1.432102] perf_event_sysfs_init+0x98/0xdc +[ 1.432382] do_one_initcall+0x6c/0x1a8 +[ 1.432637] kernel_init_freeable+0x1bc/0x280 +[ 1.432905] kernel_init+0x18/0x160 +[ 1.433115] ret_from_fork+0x10/0x18 +[ 1.433297] ---[ end trace 27fd415390eb9883 ]--- + +Rework to set suppress_bind_attrs flag to avoid removing the device when +CONFIG_DEBUG_TEST_DRIVER_REMOVE=y, since there's no real reason to +remove the armv8_pmuv3 driver. + +Cc: Arnd Bergmann +Co-developed-by: Arnd Bergmann +Signed-off-by: Anders Roxell +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/perf_event.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/kernel/perf_event.c b/arch/arm64/kernel/perf_event.c +index e213f8e867f6..8a91ac067d44 100644 +--- a/arch/arm64/kernel/perf_event.c ++++ b/arch/arm64/kernel/perf_event.c +@@ -1274,6 +1274,7 @@ static struct platform_driver armv8_pmu_driver = { + .driver = { + .name = ARMV8_PMU_PDEV_NAME, + .of_match_table = armv8_pmu_of_device_ids, ++ .suppress_bind_attrs = true, + }, + .probe = armv8_pmu_device_probe, + }; +-- +2.19.1 + diff --git a/queue-4.19/asoc-pcm3168a-don-t-disable-pcm3168a-when-config_pm-.patch b/queue-4.19/asoc-pcm3168a-don-t-disable-pcm3168a-when-config_pm-.patch new file mode 100644 index 00000000000..50f003e7ab9 --- /dev/null +++ b/queue-4.19/asoc-pcm3168a-don-t-disable-pcm3168a-when-config_pm-.patch @@ -0,0 +1,423 @@ +From 66ec03adaebc7afed69b830e3183ae07aaded98d Mon Sep 17 00:00:00 2001 +From: Jiada Wang +Date: Wed, 28 Nov 2018 21:26:12 +0900 +Subject: ASoC: pcm3168a: Don't disable pcm3168a when CONFIG_PM defined + +[ Upstream commit 489db5d941500249583ec6b49fa70e006bd8f632 ] + +pcm3168 codec support runtime_[resume|suspend], whenever it +is not active, it enters suspend mode, and it's clock and regulators +will be disabled. so there is no need to disable them again in +remove callback. Otherwise we got following kernel warnings, +when unload pcm3168a driver + +[ 222.257514] unbalanced disables for amp-en-regulator +[ 222.262526] ------------[ cut here ]------------ +[ 222.267158] WARNING: CPU: 0 PID: 2423 at drivers/regulator/core.c:2264 _regulator_disable+0x28/0x108 +[ 222.276291] Modules linked in: +[ 222.279343] snd_soc_pcm3168a_i2c(-) +[ 222.282916] snd_aloop +[ 222.285272] arc4 +[ 222.287194] wl18xx +[ 222.289289] wlcore +[ 222.291385] mac80211 +[ 222.293654] cfg80211 +[ 222.295923] aes_ce_blk +[ 222.298366] crypto_simd +[ 222.300896] cryptd +[ 222.302992] aes_ce_cipher +[ 222.305696] crc32_ce +[ 222.307965] ghash_ce +[ 222.310234] aes_arm64 +[ 222.312590] gf128mul +[ 222.314860] snd_soc_rcar +[ 222.317476] sha2_ce +[ 222.319658] xhci_plat_hcd +[ 222.322362] sha256_arm64 +[ 222.324978] xhci_hcd +[ 222.327247] sha1_ce +[ 222.329430] renesas_usbhs +[ 222.332133] evdev +[ 222.334142] sha1_generic +[ 222.336758] rcar_gen3_thermal +[ 222.339810] cpufreq_dt +[ 222.342253] ravb_streaming(C) +[ 222.345304] wlcore_sdio +[ 222.347834] thermal_sys +[ 222.350363] udc_core +[ 222.352632] mch_core(C) +[ 222.355161] usb_dmac +[ 222.357430] snd_soc_pcm3168a +[ 222.360394] snd_soc_ak4613 +[ 222.363184] gpio_keys +[ 222.365540] virt_dma +[ 222.367809] nfsd +[ 222.369730] ipv6 +[ 222.371652] autofs4 +[ 222.373834] [last unloaded: snd_soc_pcm3168a_i2c] +[ 222.378629] CPU: 0 PID: 2423 Comm: rmmod Tainted: G WC 4.14.63-04798-gd456126e4a42-dirty #457 +[ 222.388196] Hardware name: Renesas H3ULCB Kingfisher board based on r8a7795 ES2.0+ (DT) +[ 222.396199] task: ffff8006fa8c6200 task.stack: ffff00000a0a0000 +[ 222.402117] PC is at _regulator_disable+0x28/0x108 +[ 222.406906] LR is at _regulator_disable+0x28/0x108 +[ 222.411695] pc : [] lr : [] pstate: 00000145 +[ 222.419089] sp : ffff00000a0a3c80 +[ 222.422401] x29: ffff00000a0a3c80 +[ 222.425799] x28: ffff8006fa8c6200 +[ 222.429199] x27: ffff0000086f1000 +[ 222.432597] x26: 000000000000006a +[ 222.435997] x25: 0000000000000124 +[ 222.439395] x24: 0000000000000018 +[ 222.442795] x23: 0000000000000006 +[ 222.446193] x22: ffff8006f925d490 +[ 222.449592] x21: ffff8006f9ac2068 +[ 222.452991] x20: ffff8006f9ac2000 +[ 222.456390] x19: 0000000000000005 +[ 222.459787] x18: 000000000000000a +[ 222.463186] x17: 0000000000000000 +[ 222.466584] x16: 0000000000000000 +[ 222.469984] x15: 000000000d3f616a +[ 222.473382] x14: 0720072007200720 +[ 222.476781] x13: 0720072007200720 +[ 222.480179] x12: 0720072007200720 +[ 222.483578] x11: 0720072007200720 +[ 222.486975] x10: 0720072007200720 +[ 222.490375] x9 : 0720072007200720 +[ 222.493773] x8 : 07200772076f0774 +[ 222.497172] x7 : 0000000000000000 +[ 222.500570] x6 : 0000000000000007 +[ 222.503969] x5 : 0000000000000000 +[ 222.507367] x4 : 0000000000000000 +[ 222.510766] x3 : 0000000000000000 +[ 222.514164] x2 : c790b852091e2600 +[ 222.517563] x1 : 0000000000000000 +[ 222.520961] x0 : 0000000000000028 +[ 222.524361] Call trace: +[ 222.526805] Exception stack(0xffff00000a0a3b40 to 0xffff00000a0a3c80) +[ 222.533245] 3b40: 0000000000000028 0000000000000000 c790b852091e2600 0000000000000000 +[ 222.541075] 3b60: 0000000000000000 0000000000000000 0000000000000007 0000000000000000 +[ 222.548905] 3b80: 07200772076f0774 0720072007200720 0720072007200720 0720072007200720 +[ 222.556735] 3ba0: 0720072007200720 0720072007200720 0720072007200720 000000000d3f616a +[ 222.564564] 3bc0: 0000000000000000 0000000000000000 000000000000000a 0000000000000005 +[ 222.572394] 3be0: ffff8006f9ac2000 ffff8006f9ac2068 ffff8006f925d490 0000000000000006 +[ 222.580224] 3c00: 0000000000000018 0000000000000124 000000000000006a ffff0000086f1000 +[ 222.588053] 3c20: ffff8006fa8c6200 ffff00000a0a3c80 ffff0000083bd89c ffff00000a0a3c80 +[ 222.595883] 3c40: ffff0000083bd89c 0000000000000145 0000000000000000 0000000000000000 +[ 222.603713] 3c60: 0000ffffffffffff ffff00000a0a3c30 ffff00000a0a3c80 ffff0000083bd89c +[ 222.611543] [] _regulator_disable+0x28/0x108 +[ 222.617375] [] regulator_disable+0x48/0x68 +[ 222.623033] [] regulator_bulk_disable+0x58/0xc0 +[ 222.629134] [] pcm3168a_remove+0x30/0x50 [snd_soc_pcm3168a] +[ 222.636270] [] pcm3168a_i2c_remove+0x10/0x1c [snd_soc_pcm3168a_i2c] +[ 222.644106] [] i2c_device_remove+0x38/0x70 +[ 222.649766] [] device_release_driver_internal+0xd0/0x1c0 +[ 222.656640] [] driver_detach+0x70/0x7c +[ 222.661951] [] bus_remove_driver+0x74/0xa0 +[ 222.667609] [] driver_unregister+0x48/0x4c +[ 222.673268] [] i2c_del_driver+0x24/0x30 +[ 222.678666] [] pcm3168a_i2c_driver_exit+0x10/0xf98 [snd_soc_pcm3168a_i2c] +[ 222.687019] [] SyS_delete_module+0x198/0x1d4 +[ 222.692850] Exception stack(0xffff00000a0a3ec0 to 0xffff00000a0a4000) +[ 222.699289] 3ec0: 0000aaaafeb4b268 0000000000000800 14453f6470497100 0000fffffaa520d8 +[ 222.707119] 3ee0: 0000fffffaa520d9 000000000000000a 1999999999999999 0000000000000000 +[ 222.714948] 3f00: 000000000000006a 0000ffffa8f7d1d8 000000000000000a 0000000000000005 +[ 222.722778] 3f20: 0000000000000000 0000000000000000 000000000000002d 0000000000000000 +[ 222.730607] 3f40: 0000aaaae19b9f68 0000ffffa8f411f0 0000000000000000 0000aaaae19b9000 +[ 222.738436] 3f60: 0000fffffaa533b8 0000fffffaa531f0 0000000000000000 0000000000000001 +[ 222.746266] 3f80: 0000fffffaa53ec6 0000000000000000 0000aaaafeb4b200 0000aaaafeb4a010 +[ 222.754096] 3fa0: 0000000000000000 0000fffffaa53130 0000aaaae199f36c 0000fffffaa53130 +[ 222.761926] 3fc0: 0000ffffa8f411f8 0000000000000000 0000aaaafeb4b268 000000000000006a +[ 222.769755] 3fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +[ 222.777589] [] el0_svc_naked+0x34/0x38 +[ 222.782899] ---[ end trace eaf8939a3698b1a8 ]--- +[ 222.787609] Failed to disable VCCDA2: -5 +[ 222.791649] ------------[ cut here ]------------ +[ 222.796283] WARNING: CPU: 0 PID: 2423 at drivers/clk/clk.c:595 clk_core_disable+0xc/0x1d8 +[ 222.804460] Modules linked in: +[ 222.807511] snd_soc_pcm3168a_i2c(-) +[ 222.811083] snd_aloop +[ 222.813439] arc4 +[ 222.815360] wl18xx +[ 222.817456] wlcore +[ 222.819551] mac80211 +[ 222.821820] cfg80211 +[ 222.824088] aes_ce_blk +[ 222.826531] crypto_simd +[ 222.829060] cryptd +[ 222.831155] aes_ce_cipher +[ 222.833859] crc32_ce +[ 222.836127] ghash_ce +[ 222.838396] aes_arm64 +[ 222.840752] gf128mul +[ 222.843020] snd_soc_rcar +[ 222.845637] sha2_ce +[ 222.847818] xhci_plat_hcd +[ 222.850522] sha256_arm64 +[ 222.853138] xhci_hcd +[ 222.855407] sha1_ce +[ 222.857589] renesas_usbhs +[ 222.860292] evdev +[ 222.862300] sha1_generic +[ 222.864917] rcar_gen3_thermal +[ 222.867968] cpufreq_dt +[ 222.870410] ravb_streaming(C) +[ 222.873461] wlcore_sdio +[ 222.875991] thermal_sys +[ 222.878520] udc_core +[ 222.880789] mch_core(C) +[ 222.883318] usb_dmac +[ 222.885587] snd_soc_pcm3168a +[ 222.888551] snd_soc_ak4613 +[ 222.891341] gpio_keys +[ 222.893696] virt_dma +[ 222.895965] nfsd +[ 222.897886] ipv6 +[ 222.899808] autofs4 +[ 222.901990] [last unloaded: snd_soc_pcm3168a_i2c] +[ 222.906783] CPU: 0 PID: 2423 Comm: rmmod Tainted: G WC 4.14.63-04798-gd456126e4a42-dirty #457 +[ 222.916349] Hardware name: Renesas H3ULCB Kingfisher board based on r8a7795 ES2.0+ (DT) +[ 222.924351] task: ffff8006fa8c6200 task.stack: ffff00000a0a0000 +[ 222.930270] PC is at clk_core_disable+0xc/0x1d8 +[ 222.934799] LR is at clk_core_disable_lock+0x20/0x34 +[ 222.939761] pc : [] lr : [] pstate: 800001c5 +[ 222.947154] sp : ffff00000a0a3cf0 +[ 222.950466] x29: ffff00000a0a3cf0 +[ 222.953864] x28: ffff8006fa8c6200 +[ 222.957263] x27: ffff0000086f1000 +[ 222.960661] x26: 000000000000006a +[ 222.964061] x25: 0000000000000124 +[ 222.967458] x24: 0000000000000015 +[ 222.970858] x23: ffff8006f9ffa8d0 +[ 222.974256] x22: ffff8006faf16480 +[ 222.977655] x21: ffff0000007e7040 +[ 222.981053] x20: ffff8006faadd100 +[ 222.984452] x19: 0000000000000140 +[ 222.987850] x18: 000000000000000a +[ 222.991249] x17: 0000000000000000 +[ 222.994647] x16: 0000000000000000 +[ 222.998046] x15: 000000000d477819 +[ 223.001444] x14: 0720072007200720 +[ 223.004843] x13: 0720072007200720 +[ 223.008242] x12: 0720072007200720 +[ 223.011641] x11: 0720072007200720 +[ 223.015039] x10: 0720072007200720 +[ 223.018438] x9 : 0720072007200720 +[ 223.021837] x8 : 0720072007200720 +[ 223.025236] x7 : 0000000000000000 +[ 223.028634] x6 : 0000000000000007 +[ 223.032034] x5 : 0000000000000000 +[ 223.035432] x4 : 0000000000000000 +[ 223.038831] x3 : 0000000000000000 +[ 223.042229] x2 : 0000000004720471 +[ 223.045628] x1 : 0000000000000000 +[ 223.049026] x0 : ffff8006faadd100 +[ 223.052426] Call trace: +[ 223.054870] Exception stack(0xffff00000a0a3bb0 to 0xffff00000a0a3cf0) +[ 223.061309] 3ba0: ffff8006faadd100 0000000000000000 +[ 223.069139] 3bc0: 0000000004720471 0000000000000000 0000000000000000 0000000000000000 +[ 223.076969] 3be0: 0000000000000007 0000000000000000 0720072007200720 0720072007200720 +[ 223.084798] 3c00: 0720072007200720 0720072007200720 0720072007200720 0720072007200720 +[ 223.092628] 3c20: 0720072007200720 000000000d477819 0000000000000000 0000000000000000 +[ 223.100458] 3c40: 000000000000000a 0000000000000140 ffff8006faadd100 ffff0000007e7040 +[ 223.108287] 3c60: ffff8006faf16480 ffff8006f9ffa8d0 0000000000000015 0000000000000124 +[ 223.116117] 3c80: 000000000000006a ffff0000086f1000 ffff8006fa8c6200 ffff00000a0a3cf0 +[ 223.123947] 3ca0: ffff0000083acd28 ffff00000a0a3cf0 ffff0000083ab9b8 00000000800001c5 +[ 223.131777] 3cc0: ffff00000a0a3cf0 ffff0000083acd1c 0000ffffffffffff ffff8006faadd100 +[ 223.139606] 3ce0: ffff00000a0a3cf0 ffff0000083ab9b8 +[ 223.144483] [] clk_core_disable+0xc/0x1d8 +[ 223.150054] [] clk_disable+0x1c/0x28 +[ 223.155198] [] pcm3168a_remove+0x3c/0x50 [snd_soc_pcm3168a] +[ 223.162334] [] pcm3168a_i2c_remove+0x10/0x1c [snd_soc_pcm3168a_i2c] +[ 223.170167] [] i2c_device_remove+0x38/0x70 +[ 223.175826] [] device_release_driver_internal+0xd0/0x1c0 +[ 223.182700] [] driver_detach+0x70/0x7c +[ 223.188012] [] bus_remove_driver+0x74/0xa0 +[ 223.193669] [] driver_unregister+0x48/0x4c +[ 223.199329] [] i2c_del_driver+0x24/0x30 +[ 223.204726] [] pcm3168a_i2c_driver_exit+0x10/0xf98 [snd_soc_pcm3168a_i2c] +[ 223.213079] [] SyS_delete_module+0x198/0x1d4 +[ 223.218909] Exception stack(0xffff00000a0a3ec0 to 0xffff00000a0a4000) +[ 223.225349] 3ec0: 0000aaaafeb4b268 0000000000000800 14453f6470497100 0000fffffaa520d8 +[ 223.233179] 3ee0: 0000fffffaa520d9 000000000000000a 1999999999999999 0000000000000000 +[ 223.241008] 3f00: 000000000000006a 0000ffffa8f7d1d8 000000000000000a 0000000000000005 +[ 223.248838] 3f20: 0000000000000000 0000000000000000 000000000000002d 0000000000000000 +[ 223.256668] 3f40: 0000aaaae19b9f68 0000ffffa8f411f0 0000000000000000 0000aaaae19b9000 +[ 223.264497] 3f60: 0000fffffaa533b8 0000fffffaa531f0 0000000000000000 0000000000000001 +[ 223.272327] 3f80: 0000fffffaa53ec6 0000000000000000 0000aaaafeb4b200 0000aaaafeb4a010 +[ 223.280157] 3fa0: 0000000000000000 0000fffffaa53130 0000aaaae199f36c 0000fffffaa53130 +[ 223.287986] 3fc0: 0000ffffa8f411f8 0000000000000000 0000aaaafeb4b268 000000000000006a +[ 223.295816] 3fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +[ 223.303648] [] el0_svc_naked+0x34/0x38 +[ 223.308958] ---[ end trace eaf8939a3698b1a9 ]--- +[ 223.313752] ------------[ cut here ]------------ +[ 223.318383] WARNING: CPU: 0 PID: 2423 at drivers/clk/clk.c:477 clk_core_unprepare+0xc/0x1ac +[ 223.326733] Modules linked in: +[ 223.329784] snd_soc_pcm3168a_i2c(-) +[ 223.333356] snd_aloop +[ 223.335712] arc4 +[ 223.337633] wl18xx +[ 223.339728] wlcore +[ 223.341823] mac80211 +[ 223.344092] cfg80211 +[ 223.346360] aes_ce_blk +[ 223.348803] crypto_simd +[ 223.351332] cryptd +[ 223.353428] aes_ce_cipher +[ 223.356131] crc32_ce +[ 223.358400] ghash_ce +[ 223.360668] aes_arm64 +[ 223.363024] gf128mul +[ 223.365293] snd_soc_rcar +[ 223.367909] sha2_ce +[ 223.370091] xhci_plat_hcd +[ 223.372794] sha256_arm64 +[ 223.375410] xhci_hcd +[ 223.377679] sha1_ce +[ 223.379861] renesas_usbhs +[ 223.382564] evdev +[ 223.384572] sha1_generic +[ 223.387188] rcar_gen3_thermal +[ 223.390239] cpufreq_dt +[ 223.392682] ravb_streaming(C) +[ 223.395732] wlcore_sdio +[ 223.398261] thermal_sys +[ 223.400790] udc_core +[ 223.403059] mch_core(C) +[ 223.405588] usb_dmac +[ 223.407856] snd_soc_pcm3168a +[ 223.410820] snd_soc_ak4613 +[ 223.413609] gpio_keys +[ 223.415965] virt_dma +[ 223.418234] nfsd +[ 223.420155] ipv6 +[ 223.422076] autofs4 +[ 223.424258] [last unloaded: snd_soc_pcm3168a_i2c] +[ 223.429050] CPU: 0 PID: 2423 Comm: rmmod Tainted: G WC 4.14.63-04798-gd456126e4a42-dirty #457 +[ 223.438616] Hardware name: Renesas H3ULCB Kingfisher board based on r8a7795 ES2.0+ (DT) +[ 223.446618] task: ffff8006fa8c6200 task.stack: ffff00000a0a0000 +[ 223.452536] PC is at clk_core_unprepare+0xc/0x1ac +[ 223.457239] LR is at clk_unprepare+0x28/0x3c +[ 223.461506] pc : [] lr : [] pstate: 60000145 +[ 223.468900] sp : ffff00000a0a3d00 +[ 223.472211] x29: ffff00000a0a3d00 +[ 223.475609] x28: ffff8006fa8c6200 +[ 223.479009] x27: ffff0000086f1000 +[ 223.482407] x26: 000000000000006a +[ 223.485807] x25: 0000000000000124 +[ 223.489205] x24: 0000000000000015 +[ 223.492604] x23: ffff8006f9ffa8d0 +[ 223.496003] x22: ffff8006faf16480 +[ 223.499402] x21: ffff0000007e7040 +[ 223.502800] x20: ffff8006faf16420 +[ 223.506199] x19: ffff8006faadd100 +[ 223.509597] x18: 000000000000000a +[ 223.512997] x17: 0000000000000000 +[ 223.516395] x16: 0000000000000000 +[ 223.519794] x15: 0000000000000000 +[ 223.523192] x14: 00000033fe89076c +[ 223.526591] x13: 0000000000000400 +[ 223.529989] x12: 0000000000000400 +[ 223.533388] x11: 0000000000000000 +[ 223.536786] x10: 00000000000009e0 +[ 223.540185] x9 : ffff00000a0a3be0 +[ 223.543583] x8 : ffff8006fa8c6c40 +[ 223.546982] x7 : ffff8006fa8c6400 +[ 223.550380] x6 : 0000000000000001 +[ 223.553780] x5 : 0000000000000000 +[ 223.557178] x4 : ffff8006fa8c6200 +[ 223.560577] x3 : 0000000000000000 +[ 223.563975] x2 : ffff8006fa8c6200 +[ 223.567374] x1 : 0000000000000000 +[ 223.570772] x0 : ffff8006faadd100 +[ 223.574170] Call trace: +[ 223.576615] Exception stack(0xffff00000a0a3bc0 to 0xffff00000a0a3d00) +[ 223.583054] 3bc0: ffff8006faadd100 0000000000000000 ffff8006fa8c6200 0000000000000000 +[ 223.590884] 3be0: ffff8006fa8c6200 0000000000000000 0000000000000001 ffff8006fa8c6400 +[ 223.598714] 3c00: ffff8006fa8c6c40 ffff00000a0a3be0 00000000000009e0 0000000000000000 +[ 223.606544] 3c20: 0000000000000400 0000000000000400 00000033fe89076c 0000000000000000 +[ 223.614374] 3c40: 0000000000000000 0000000000000000 000000000000000a ffff8006faadd100 +[ 223.622204] 3c60: ffff8006faf16420 ffff0000007e7040 ffff8006faf16480 ffff8006f9ffa8d0 +[ 223.630033] 3c80: 0000000000000015 0000000000000124 000000000000006a ffff0000086f1000 +[ 223.637863] 3ca0: ffff8006fa8c6200 ffff00000a0a3d00 ffff0000083ace4c ffff00000a0a3d00 +[ 223.645693] 3cc0: ffff0000083ab5a4 0000000060000145 0000000000000140 ffff8006faadd100 +[ 223.653523] 3ce0: 0000ffffffffffff ffff0000083ace44 ffff00000a0a3d00 ffff0000083ab5a4 +[ 223.661353] [] clk_core_unprepare+0xc/0x1ac +[ 223.667103] [] pcm3168a_remove+0x44/0x50 [snd_soc_pcm3168a] +[ 223.674239] [] pcm3168a_i2c_remove+0x10/0x1c [snd_soc_pcm3168a_i2c] +[ 223.682070] [] i2c_device_remove+0x38/0x70 +[ 223.687731] [] device_release_driver_internal+0xd0/0x1c0 +[ 223.694604] [] driver_detach+0x70/0x7c +[ 223.699915] [] bus_remove_driver+0x74/0xa0 +[ 223.705572] [] driver_unregister+0x48/0x4c +[ 223.711230] [] i2c_del_driver+0x24/0x30 +[ 223.716628] [] pcm3168a_i2c_driver_exit+0x10/0xf98 [snd_soc_pcm3168a_i2c] +[ 223.724980] [] SyS_delete_module+0x198/0x1d4 +[ 223.730811] Exception stack(0xffff00000a0a3ec0 to 0xffff00000a0a4000) +[ 223.737250] 3ec0: 0000aaaafeb4b268 0000000000000800 14453f6470497100 0000fffffaa520d8 +[ 223.745079] 3ee0: 0000fffffaa520d9 000000000000000a 1999999999999999 0000000000000000 +[ 223.752909] 3f00: 000000000000006a 0000ffffa8f7d1d8 000000000000000a 0000000000000005 +[ 223.760739] 3f20: 0000000000000000 0000000000000000 000000000000002d 0000000000000000 +[ 223.768568] 3f40: 0000aaaae19b9f68 0000ffffa8f411f0 0000000000000000 0000aaaae19b9000 +[ 223.776398] 3f60: 0000fffffaa533b8 0000fffffaa531f0 0000000000000000 0000000000000001 +[ 223.784227] 3f80: 0000fffffaa53ec6 0000000000000000 0000aaaafeb4b200 0000aaaafeb4a010 +[ 223.792057] 3fa0: 0000000000000000 0000fffffaa53130 0000aaaae199f36c 0000fffffaa53130 +[ 223.799886] 3fc0: 0000ffffa8f411f8 0000000000000000 0000aaaafeb4b268 000000000000006a +[ 223.807715] 3fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +[ 223.815546] [] el0_svc_naked+0x34/0x38 +[ 223.820855] ---[ end trace eaf8939a3698b1aa ]--- + +Fix this issue by only disable clock and regulators in remove callback +when CONFIG_PM isn't defined + +Signed-off-by: Jiada Wang +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/pcm3168a.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/sound/soc/codecs/pcm3168a.c b/sound/soc/codecs/pcm3168a.c +index 3356c91f55b0..e3de1ff3b6c2 100644 +--- a/sound/soc/codecs/pcm3168a.c ++++ b/sound/soc/codecs/pcm3168a.c +@@ -688,15 +688,22 @@ err_clk: + } + EXPORT_SYMBOL_GPL(pcm3168a_probe); + +-void pcm3168a_remove(struct device *dev) ++static void pcm3168a_disable(struct device *dev) + { + struct pcm3168a_priv *pcm3168a = dev_get_drvdata(dev); + +- pm_runtime_disable(dev); + regulator_bulk_disable(ARRAY_SIZE(pcm3168a->supplies), +- pcm3168a->supplies); ++ pcm3168a->supplies); + clk_disable_unprepare(pcm3168a->scki); + } ++ ++void pcm3168a_remove(struct device *dev) ++{ ++ pm_runtime_disable(dev); ++#ifndef CONFIG_PM ++ pcm3168a_disable(dev); ++#endif ++} + EXPORT_SYMBOL_GPL(pcm3168a_remove); + + #ifdef CONFIG_PM +@@ -751,10 +758,7 @@ static int pcm3168a_rt_suspend(struct device *dev) + + regcache_cache_only(pcm3168a->regmap, true); + +- regulator_bulk_disable(ARRAY_SIZE(pcm3168a->supplies), +- pcm3168a->supplies); +- +- clk_disable_unprepare(pcm3168a->scki); ++ pcm3168a_disable(dev); + + return 0; + } +-- +2.19.1 + diff --git a/queue-4.19/asoc-use-dma_ops-of-parent-device-for-acp_audio_dma.patch b/queue-4.19/asoc-use-dma_ops-of-parent-device-for-acp_audio_dma.patch new file mode 100644 index 00000000000..18b5c7b1521 --- /dev/null +++ b/queue-4.19/asoc-use-dma_ops-of-parent-device-for-acp_audio_dma.patch @@ -0,0 +1,63 @@ +From 5a318035722637ce71d19d082e2c0a4dad3864e6 Mon Sep 17 00:00:00 2001 +From: Yu Zhao +Date: Tue, 4 Dec 2018 15:42:53 -0700 +Subject: ASoC: use dma_ops of parent device for acp_audio_dma + +[ Upstream commit 23aa128bb28d9da69bb1bdb2b70e50128857884a ] + +AMD platform device acp_audio_dma can only be created by parent PCI +device driver (drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c). Pass struct +device of the parent to snd_pcm_lib_preallocate_pages() so +dma_alloc_coherent() can use correct dma_ops. Otherwise, it will +use default dma_ops which is nommu_dma_ops on x86_64 even when +IOMMU is enabled and set to non passthrough mode. + +Though platform device inherits some dma related fields during its +creation in mfd_add_device(), we can't simply pass its struct device +to snd_pcm_lib_preallocate_pages() because dma_ops is not among the +inherited fields. Even it were, drivers/iommu/amd_iommu.c would +ignore it because get_device_id() doesn't handle platform device. + +This change shouldn't give us any trouble even struct device of the +parent becomes null or represents some non PCI device in the future, +because get_dma_ops() correctly handles null struct device or uses +the default dma_ops if struct device doesn't have it set. + +Signed-off-by: Yu Zhao +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp-pcm-dma.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/amd/acp-pcm-dma.c b/sound/soc/amd/acp-pcm-dma.c +index 3135e9eafd18..7f376b63a166 100644 +--- a/sound/soc/amd/acp-pcm-dma.c ++++ b/sound/soc/amd/acp-pcm-dma.c +@@ -1147,18 +1147,21 @@ static int acp_dma_new(struct snd_soc_pcm_runtime *rtd) + struct snd_soc_component *component = snd_soc_rtdcom_lookup(rtd, + DRV_NAME); + struct audio_drv_data *adata = dev_get_drvdata(component->dev); ++ struct device *parent = component->dev->parent; + + switch (adata->asic_type) { + case CHIP_STONEY: + ret = snd_pcm_lib_preallocate_pages_for_all(rtd->pcm, + SNDRV_DMA_TYPE_DEV, +- NULL, ST_MIN_BUFFER, ++ parent, ++ ST_MIN_BUFFER, + ST_MAX_BUFFER); + break; + default: + ret = snd_pcm_lib_preallocate_pages_for_all(rtd->pcm, + SNDRV_DMA_TYPE_DEV, +- NULL, MIN_BUFFER, ++ parent, ++ MIN_BUFFER, + MAX_BUFFER); + break; + } +-- +2.19.1 + diff --git a/queue-4.19/ath10k-fix-peer-stats-null-pointer-dereference.patch b/queue-4.19/ath10k-fix-peer-stats-null-pointer-dereference.patch new file mode 100644 index 00000000000..62343f2df40 --- /dev/null +++ b/queue-4.19/ath10k-fix-peer-stats-null-pointer-dereference.patch @@ -0,0 +1,85 @@ +From dc8a054b103b6f9ec4ab02136218b47b0d8182df Mon Sep 17 00:00:00 2001 +From: Zhi Chen +Date: Thu, 20 Dec 2018 14:24:43 +0200 +Subject: ath10k: fix peer stats null pointer dereference + +[ Upstream commit 2d3b55853b123c177037cf534c5aaa2650310094 ] + +There was a race condition in SMP that an ath10k_peer was created but its +member sta was null. Following are procedures of ath10k_peer creation and +member sta access in peer statistics path. + + 1. Peer creation: + ath10k_peer_create() + =>ath10k_wmi_peer_create() + =>ath10k_wait_for_peer_created() + ... + + # another kernel path, RX from firmware + ath10k_htt_t2h_msg_handler() + =>ath10k_peer_map_event() + =>wake_up() + # ar->peer_map[id] = peer //add peer to map + + #wake up original path from waiting + ... + # peer->sta = sta //sta assignment + + 2. RX path of statistics + ath10k_htt_t2h_msg_handler() + =>ath10k_update_per_peer_tx_stats() + =>ath10k_htt_fetch_peer_stats() + # peer->sta //sta accessing + +Any access of peer->sta after peer was added to peer_map but before sta was +assigned could cause a null pointer issue. And because these two steps are +asynchronous, no proper lock can protect them. So both peer and sta need to +be checked before access. + +Tested: QCA9984 with firmware ver 10.4-3.9.0.1-00005 +Signed-off-by: Zhi Chen +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/debugfs_sta.c | 2 +- + drivers/net/wireless/ath/ath10k/htt_rx.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/debugfs_sta.c b/drivers/net/wireless/ath/ath10k/debugfs_sta.c +index a63c97e2c50c..6f10331e986b 100644 +--- a/drivers/net/wireless/ath/ath10k/debugfs_sta.c ++++ b/drivers/net/wireless/ath/ath10k/debugfs_sta.c +@@ -71,7 +71,7 @@ void ath10k_sta_update_rx_tid_stats_ampdu(struct ath10k *ar, u16 peer_id, u8 tid + spin_lock_bh(&ar->data_lock); + + peer = ath10k_peer_find_by_id(ar, peer_id); +- if (!peer) ++ if (!peer || !peer->sta) + goto out; + + arsta = (struct ath10k_sta *)peer->sta->drv_priv; +diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c +index 4d1cd90d6d27..03d4cc6f35bc 100644 +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c +@@ -2589,7 +2589,7 @@ static void ath10k_htt_fetch_peer_stats(struct ath10k *ar, + rcu_read_lock(); + spin_lock_bh(&ar->data_lock); + peer = ath10k_peer_find_by_id(ar, peer_id); +- if (!peer) { ++ if (!peer || !peer->sta) { + ath10k_warn(ar, "Invalid peer id %d peer stats buffer\n", + peer_id); + goto out; +@@ -2642,7 +2642,7 @@ static void ath10k_fetch_10_2_tx_stats(struct ath10k *ar, u8 *data) + rcu_read_lock(); + spin_lock_bh(&ar->data_lock); + peer = ath10k_peer_find_by_id(ar, peer_id); +- if (!peer) { ++ if (!peer || !peer->sta) { + ath10k_warn(ar, "Invalid peer id %d in peer stats buffer\n", + peer_id); + goto out; +-- +2.19.1 + diff --git a/queue-4.19/bluetooth-btusb-add-support-for-intel-bluetooth-devi.patch b/queue-4.19/bluetooth-btusb-add-support-for-intel-bluetooth-devi.patch new file mode 100644 index 00000000000..f8b4237a9ae --- /dev/null +++ b/queue-4.19/bluetooth-btusb-add-support-for-intel-bluetooth-devi.patch @@ -0,0 +1,164 @@ +From 1c8f38060723620b7c4af748a67954fc678c8117 Mon Sep 17 00:00:00 2001 +From: Raghuram Hegde +Date: Wed, 19 Dec 2018 11:42:18 +0530 +Subject: Bluetooth: btusb: Add support for Intel bluetooth device 8087:0029 + +[ Upstream commit 2da711bcebe81209a9f2f90e145600eb1bae2b71 ] + +Include the new USB product ID for Intel Bluetooth device 22260 +family(CcPeak) + +The /sys/kernel/debug/usb/devices portion for this device is: + +T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 2 Spd=12 MxCh= 0 +D: Ver= 2.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=8087 ProdID=0029 Rev= 0.01 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms + +Signed-off-by: Raghuram Hegde +Signed-off-by: Chethan T N +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 72 ++++++++++++++++++++------------------- + 1 file changed, 37 insertions(+), 35 deletions(-) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index cd2e5cf14ea5..77b67a5f21ee 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -343,6 +343,7 @@ static const struct usb_device_id blacklist_table[] = { + /* Intel Bluetooth devices */ + { USB_DEVICE(0x8087, 0x0025), .driver_info = BTUSB_INTEL_NEW }, + { USB_DEVICE(0x8087, 0x0026), .driver_info = BTUSB_INTEL_NEW }, ++ { USB_DEVICE(0x8087, 0x0029), .driver_info = BTUSB_INTEL_NEW }, + { USB_DEVICE(0x8087, 0x07da), .driver_info = BTUSB_CSR }, + { USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL }, + { USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL }, +@@ -2054,6 +2055,35 @@ static int btusb_send_frame_intel(struct hci_dev *hdev, struct sk_buff *skb) + return -EILSEQ; + } + ++static bool btusb_setup_intel_new_get_fw_name(struct intel_version *ver, ++ struct intel_boot_params *params, ++ char *fw_name, size_t len, ++ const char *suffix) ++{ ++ switch (ver->hw_variant) { ++ case 0x0b: /* SfP */ ++ case 0x0c: /* WsP */ ++ snprintf(fw_name, len, "intel/ibt-%u-%u.%s", ++ le16_to_cpu(ver->hw_variant), ++ le16_to_cpu(params->dev_revid), ++ suffix); ++ break; ++ case 0x11: /* JfP */ ++ case 0x12: /* ThP */ ++ case 0x13: /* HrP */ ++ case 0x14: /* CcP */ ++ snprintf(fw_name, len, "intel/ibt-%u-%u-%u.%s", ++ le16_to_cpu(ver->hw_variant), ++ le16_to_cpu(ver->hw_revision), ++ le16_to_cpu(ver->fw_revision), ++ suffix); ++ break; ++ default: ++ return false; ++ } ++ return true; ++} ++ + static int btusb_setup_intel_new(struct hci_dev *hdev) + { + struct btusb_data *data = hci_get_drvdata(hdev); +@@ -2105,7 +2135,7 @@ static int btusb_setup_intel_new(struct hci_dev *hdev) + case 0x11: /* JfP */ + case 0x12: /* ThP */ + case 0x13: /* HrP */ +- case 0x14: /* QnJ, IcP */ ++ case 0x14: /* CcP */ + break; + default: + bt_dev_err(hdev, "Unsupported Intel hardware variant (%u)", +@@ -2189,23 +2219,9 @@ static int btusb_setup_intel_new(struct hci_dev *hdev) + * ibt---.sfi. + * + */ +- switch (ver.hw_variant) { +- case 0x0b: /* SfP */ +- case 0x0c: /* WsP */ +- snprintf(fwname, sizeof(fwname), "intel/ibt-%u-%u.sfi", +- le16_to_cpu(ver.hw_variant), +- le16_to_cpu(params.dev_revid)); +- break; +- case 0x11: /* JfP */ +- case 0x12: /* ThP */ +- case 0x13: /* HrP */ +- case 0x14: /* QnJ, IcP */ +- snprintf(fwname, sizeof(fwname), "intel/ibt-%u-%u-%u.sfi", +- le16_to_cpu(ver.hw_variant), +- le16_to_cpu(ver.hw_revision), +- le16_to_cpu(ver.fw_revision)); +- break; +- default: ++ err = btusb_setup_intel_new_get_fw_name(&ver, ¶ms, fwname, ++ sizeof(fwname), "sfi"); ++ if (!err) { + bt_dev_err(hdev, "Unsupported Intel firmware naming"); + return -EINVAL; + } +@@ -2221,23 +2237,9 @@ static int btusb_setup_intel_new(struct hci_dev *hdev) + /* Save the DDC file name for later use to apply once the firmware + * downloading is done. + */ +- switch (ver.hw_variant) { +- case 0x0b: /* SfP */ +- case 0x0c: /* WsP */ +- snprintf(fwname, sizeof(fwname), "intel/ibt-%u-%u.ddc", +- le16_to_cpu(ver.hw_variant), +- le16_to_cpu(params.dev_revid)); +- break; +- case 0x11: /* JfP */ +- case 0x12: /* ThP */ +- case 0x13: /* HrP */ +- case 0x14: /* QnJ, IcP */ +- snprintf(fwname, sizeof(fwname), "intel/ibt-%u-%u-%u.ddc", +- le16_to_cpu(ver.hw_variant), +- le16_to_cpu(ver.hw_revision), +- le16_to_cpu(ver.fw_revision)); +- break; +- default: ++ err = btusb_setup_intel_new_get_fw_name(&ver, ¶ms, fwname, ++ sizeof(fwname), "ddc"); ++ if (!err) { + bt_dev_err(hdev, "Unsupported Intel firmware naming"); + return -EINVAL; + } +-- +2.19.1 + diff --git a/queue-4.19/bpf-allow-narrow-loads-with-offset-0.patch b/queue-4.19/bpf-allow-narrow-loads-with-offset-0.patch new file mode 100644 index 00000000000..49bb3432d22 --- /dev/null +++ b/queue-4.19/bpf-allow-narrow-loads-with-offset-0.patch @@ -0,0 +1,149 @@ +From b5be37549813eee65a53fdf274f211c942255aa3 Mon Sep 17 00:00:00 2001 +From: Andrey Ignatov +Date: Sat, 10 Nov 2018 22:15:13 -0800 +Subject: bpf: Allow narrow loads with offset > 0 + +[ Upstream commit 46f53a65d2de3e1591636c22b626b09d8684fd71 ] + +Currently BPF verifier allows narrow loads for a context field only with +offset zero. E.g. if there is a __u32 field then only the following +loads are permitted: + * off=0, size=1 (narrow); + * off=0, size=2 (narrow); + * off=0, size=4 (full). + +On the other hand LLVM can generate a load with offset different than +zero that make sense from program logic point of view, but verifier +doesn't accept it. + +E.g. tools/testing/selftests/bpf/sendmsg4_prog.c has code: + + #define DST_IP4 0xC0A801FEU /* 192.168.1.254 */ + ... + if ((ctx->user_ip4 >> 24) == (bpf_htonl(DST_IP4) >> 24) && + +where ctx is struct bpf_sock_addr. + +Some versions of LLVM can produce the following byte code for it: + + 8: 71 12 07 00 00 00 00 00 r2 = *(u8 *)(r1 + 7) + 9: 67 02 00 00 18 00 00 00 r2 <<= 24 + 10: 18 03 00 00 00 00 00 fe 00 00 00 00 00 00 00 00 r3 = 4261412864 ll + 12: 5d 32 07 00 00 00 00 00 if r2 != r3 goto +7 + +where `*(u8 *)(r1 + 7)` means narrow load for ctx->user_ip4 with size=1 +and offset=3 (7 - sizeof(ctx->user_family) = 3). This load is currently +rejected by verifier. + +Verifier code that rejects such loads is in bpf_ctx_narrow_access_ok() +what means any is_valid_access implementation, that uses the function, +works this way, e.g. bpf_skb_is_valid_access() for __sk_buff or +sock_addr_is_valid_access() for bpf_sock_addr. + +The patch makes such loads supported. Offset can be in [0; size_default) +but has to be multiple of load size. E.g. for __u32 field the following +loads are supported now: + * off=0, size=1 (narrow); + * off=1, size=1 (narrow); + * off=2, size=1 (narrow); + * off=3, size=1 (narrow); + * off=0, size=2 (narrow); + * off=2, size=2 (narrow); + * off=0, size=4 (full). + +Reported-by: Yonghong Song +Signed-off-by: Andrey Ignatov +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + include/linux/filter.h | 16 +--------------- + kernel/bpf/verifier.c | 21 ++++++++++++++++----- + 2 files changed, 17 insertions(+), 20 deletions(-) + +diff --git a/include/linux/filter.h b/include/linux/filter.h +index 6791a0ac0139..ec90d5255cf7 100644 +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -665,24 +665,10 @@ static inline u32 bpf_ctx_off_adjust_machine(u32 size) + return size; + } + +-static inline bool bpf_ctx_narrow_align_ok(u32 off, u32 size_access, +- u32 size_default) +-{ +- size_default = bpf_ctx_off_adjust_machine(size_default); +- size_access = bpf_ctx_off_adjust_machine(size_access); +- +-#ifdef __LITTLE_ENDIAN +- return (off & (size_default - 1)) == 0; +-#else +- return (off & (size_default - 1)) + size_access == size_default; +-#endif +-} +- + static inline bool + bpf_ctx_narrow_access_ok(u32 off, u32 size, u32 size_default) + { +- return bpf_ctx_narrow_align_ok(off, size, size_default) && +- size <= size_default && (size & (size - 1)) == 0; ++ return size <= size_default && (size & (size - 1)) == 0; + } + + #define bpf_classic_proglen(fprog) (fprog->len * sizeof(fprog->filter[0])) +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 2954e4b3abd5..89cea3ed535d 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -5341,10 +5341,10 @@ static int convert_ctx_accesses(struct bpf_verifier_env *env) + int i, cnt, size, ctx_field_size, delta = 0; + const int insn_cnt = env->prog->len; + struct bpf_insn insn_buf[16], *insn; ++ u32 target_size, size_default, off; + struct bpf_prog *new_prog; + enum bpf_access_type type; + bool is_narrower_load; +- u32 target_size; + + if (ops->gen_prologue) { + cnt = ops->gen_prologue(insn_buf, env->seen_direct_write, +@@ -5421,9 +5421,9 @@ static int convert_ctx_accesses(struct bpf_verifier_env *env) + * we will apply proper mask to the result. + */ + is_narrower_load = size < ctx_field_size; ++ size_default = bpf_ctx_off_adjust_machine(ctx_field_size); ++ off = insn->off; + if (is_narrower_load) { +- u32 size_default = bpf_ctx_off_adjust_machine(ctx_field_size); +- u32 off = insn->off; + u8 size_code; + + if (type == BPF_WRITE) { +@@ -5451,12 +5451,23 @@ static int convert_ctx_accesses(struct bpf_verifier_env *env) + } + + if (is_narrower_load && size < target_size) { +- if (ctx_field_size <= 4) ++ u8 shift = (off & (size_default - 1)) * 8; ++ ++ if (ctx_field_size <= 4) { ++ if (shift) ++ insn_buf[cnt++] = BPF_ALU32_IMM(BPF_RSH, ++ insn->dst_reg, ++ shift); + insn_buf[cnt++] = BPF_ALU32_IMM(BPF_AND, insn->dst_reg, + (1 << size * 8) - 1); +- else ++ } else { ++ if (shift) ++ insn_buf[cnt++] = BPF_ALU64_IMM(BPF_RSH, ++ insn->dst_reg, ++ shift); + insn_buf[cnt++] = BPF_ALU64_IMM(BPF_AND, insn->dst_reg, + (1 << size * 8) - 1); ++ } + } + + new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt); +-- +2.19.1 + diff --git a/queue-4.19/bpf-relax-verifier-restriction-on-bpf_mov-bpf_alu.patch b/queue-4.19/bpf-relax-verifier-restriction-on-bpf_mov-bpf_alu.patch new file mode 100644 index 00000000000..dba2e05ea85 --- /dev/null +++ b/queue-4.19/bpf-relax-verifier-restriction-on-bpf_mov-bpf_alu.patch @@ -0,0 +1,173 @@ +From 0138b344afc529aa274d04e91654d0917395bfda Mon Sep 17 00:00:00 2001 +From: Jiong Wang +Date: Fri, 7 Dec 2018 12:16:18 -0500 +Subject: bpf: relax verifier restriction on BPF_MOV | BPF_ALU + +[ Upstream commit e434b8cdf788568ba65a0a0fd9f3cb41f3ca1803 ] + +Currently, the destination register is marked as unknown for 32-bit +sub-register move (BPF_MOV | BPF_ALU) whenever the source register type is +SCALAR_VALUE. + +This is too conservative that some valid cases will be rejected. +Especially, this may turn a constant scalar value into unknown value that +could break some assumptions of verifier. + +For example, test_l4lb_noinline.c has the following C code: + + struct real_definition *dst + +1: if (!get_packet_dst(&dst, &pckt, vip_info, is_ipv6)) +2: return TC_ACT_SHOT; +3: +4: if (dst->flags & F_IPV6) { + +get_packet_dst is responsible for initializing "dst" into valid pointer and +return true (1), otherwise return false (0). The compiled instruction +sequence using alu32 will be: + + 412: (54) (u32) r7 &= (u32) 1 + 413: (bc) (u32) r0 = (u32) r7 + 414: (95) exit + +insn 413, a BPF_MOV | BPF_ALU, however will turn r0 into unknown value even +r7 contains SCALAR_VALUE 1. + +This causes trouble when verifier is walking the code path that hasn't +initialized "dst" inside get_packet_dst, for which case 0 is returned and +we would then expect verifier concluding line 1 in the above C code pass +the "if" check, therefore would skip fall through path starting at line 4. +Now, because r0 returned from callee has became unknown value, so verifier +won't skip analyzing path starting at line 4 and "dst->flags" requires +dereferencing the pointer "dst" which actually hasn't be initialized for +this path. + +This patch relaxed the code marking sub-register move destination. For a +SCALAR_VALUE, it is safe to just copy the value from source then truncate +it into 32-bit. + +A unit test also included to demonstrate this issue. This test will fail +before this patch. + +This relaxation could let verifier skipping more paths for conditional +comparison against immediate. It also let verifier recording a more +accurate/strict value for one register at one state, if this state end up +with going through exit without rejection and it is used for state +comparison later, then it is possible an inaccurate/permissive value is +better. So the real impact on verifier processed insn number is complex. +But in all, without this fix, valid program could be rejected. + +>From real benchmarking on kernel selftests and Cilium bpf tests, there is +no impact on processed instruction number when tests ares compiled with +default compilation options. There is slightly improvements when they are +compiled with -mattr=+alu32 after this patch. + +Also, test_xdp_noinline/-mattr=+alu32 now passed verification. It is +rejected before this fix. + +Insn processed before/after this patch: + + default -mattr=+alu32 + +Kernel selftest + +=== +test_xdp.o 371/371 369/369 +test_l4lb.o 6345/6345 5623/5623 +test_xdp_noinline.o 2971/2971 rejected/2727 +test_tcp_estates.o 429/429 430/430 + +Cilium bpf +=== +bpf_lb-DLB_L3.o: 2085/2085 1685/1687 +bpf_lb-DLB_L4.o: 2287/2287 1986/1982 +bpf_lb-DUNKNOWN.o: 690/690 622/622 +bpf_lxc.o: 95033/95033 N/A +bpf_netdev.o: 7245/7245 N/A +bpf_overlay.o: 2898/2898 3085/2947 + +NOTE: + - bpf_lxc.o and bpf_netdev.o compiled by -mattr=+alu32 are rejected by + verifier due to another issue inside verifier on supporting alu32 + binary. + - Each cilium bpf program could generate several processed insn number, + above number is sum of them. + +v1->v2: + - Restrict the change on SCALAR_VALUE. + - Update benchmark numbers on Cilium bpf tests. + +Signed-off-by: Jiong Wang +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 16 ++++++++++++---- + tools/testing/selftests/bpf/test_verifier.c | 13 +++++++++++++ + 2 files changed, 25 insertions(+), 4 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 89cea3ed535d..341806668f03 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -3285,12 +3285,15 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) + return err; + + if (BPF_SRC(insn->code) == BPF_X) { ++ struct bpf_reg_state *src_reg = regs + insn->src_reg; ++ struct bpf_reg_state *dst_reg = regs + insn->dst_reg; ++ + if (BPF_CLASS(insn->code) == BPF_ALU64) { + /* case: R1 = R2 + * copy register state to dest reg + */ +- regs[insn->dst_reg] = regs[insn->src_reg]; +- regs[insn->dst_reg].live |= REG_LIVE_WRITTEN; ++ *dst_reg = *src_reg; ++ dst_reg->live |= REG_LIVE_WRITTEN; + } else { + /* R1 = (u32) R2 */ + if (is_pointer_value(env, insn->src_reg)) { +@@ -3298,9 +3301,14 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) + "R%d partial copy of pointer\n", + insn->src_reg); + return -EACCES; ++ } else if (src_reg->type == SCALAR_VALUE) { ++ *dst_reg = *src_reg; ++ dst_reg->live |= REG_LIVE_WRITTEN; ++ } else { ++ mark_reg_unknown(env, regs, ++ insn->dst_reg); + } +- mark_reg_unknown(env, regs, insn->dst_reg); +- coerce_reg_to_size(®s[insn->dst_reg], 4); ++ coerce_reg_to_size(dst_reg, 4); + } + } else { + /* case: R = imm +diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c +index e436b67f2426..9db5a7378f40 100644 +--- a/tools/testing/selftests/bpf/test_verifier.c ++++ b/tools/testing/selftests/bpf/test_verifier.c +@@ -2748,6 +2748,19 @@ static struct bpf_test tests[] = { + .result_unpriv = REJECT, + .result = ACCEPT, + }, ++ { ++ "alu32: mov u32 const", ++ .insns = { ++ BPF_MOV32_IMM(BPF_REG_7, 0), ++ BPF_ALU32_IMM(BPF_AND, BPF_REG_7, 1), ++ BPF_MOV32_REG(BPF_REG_0, BPF_REG_7), ++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), ++ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0), ++ BPF_EXIT_INSN(), ++ }, ++ .result = ACCEPT, ++ .retval = 0, ++ }, + { + "unpriv: partial copy of pointer", + .insns = { +-- +2.19.1 + diff --git a/queue-4.19/btrfs-alloc_chunk-fix-more-dup-stripe-size-handling.patch b/queue-4.19/btrfs-alloc_chunk-fix-more-dup-stripe-size-handling.patch new file mode 100644 index 00000000000..262b2850a9f --- /dev/null +++ b/queue-4.19/btrfs-alloc_chunk-fix-more-dup-stripe-size-handling.patch @@ -0,0 +1,95 @@ +From 07aae42fa7ac9d7d7034f69fd988071353688af1 Mon Sep 17 00:00:00 2001 +From: Hans van Kranenburg +Date: Thu, 4 Oct 2018 23:24:40 +0200 +Subject: btrfs: alloc_chunk: fix more DUP stripe size handling + +[ Upstream commit baf92114c7e6dd6124aa3d506e4bc4b694da3bc3 ] + +Commit 92e222df7b "btrfs: alloc_chunk: fix DUP stripe size handling" +fixed calculating the stripe_size for a new DUP chunk. + +However, the same calculation reappears a bit later, and that one was +not changed yet. The resulting bug that is exposed is that the newly +allocated device extents ('stripes') can have a few MiB overlap with the +next thing stored after them, which is another device extent or the end +of the disk. + +The scenario in which this can happen is: +* The block device for the filesystem is less than 10GiB in size. +* The amount of contiguous free unallocated disk space chosen to use for + chunk allocation is 20% of the total device size, or a few MiB more or + less. + +An example: +- The filesystem device is 7880MiB (max_chunk_size gets set to 788MiB) +- There's 1578MiB unallocated raw disk space left in one contiguous + piece. + +In this case stripe_size is first calculated as 789MiB, (half of +1578MiB). + +Since 789MiB (stripe_size * data_stripes) > 788MiB (max_chunk_size), we +enter the if block. Now stripe_size value is immediately overwritten +while calculating an adjusted value based on max_chunk_size, which ends +up as 788MiB. + +Next, the value is rounded up to a 16MiB boundary, 800MiB, which is +actually more than the value we had before. However, the last comparison +fails to detect this, because it's comparing the value with the total +amount of free space, which is about twice the size of stripe_size. + +In the example above, this means that the resulting raw disk space being +allocated is 1600MiB, while only a gap of 1578MiB has been found. The +second device extent object for this DUP chunk will overlap for 22MiB +with whatever comes next. + +The underlying problem here is that the stripe_size is reused all the +time for different things. So, when entering the code in the if block, +stripe_size is immediately overwritten with something else. If later we +decide we want to have the previous value back, then the logic to +compute it was copy pasted in again. + +With this change, the value in stripe_size is not unnecessarily +destroyed, so the duplicated calculation is not needed any more. + +Signed-off-by: Hans van Kranenburg +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/volumes.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index dbb893d0ae81..0ee1cd4b56fb 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -4768,19 +4768,17 @@ static int __btrfs_alloc_chunk(struct btrfs_trans_handle *trans, + /* + * Use the number of data stripes to figure out how big this chunk + * is really going to be in terms of logical address space, +- * and compare that answer with the max chunk size ++ * and compare that answer with the max chunk size. If it's higher, ++ * we try to reduce stripe_size. + */ + if (stripe_size * data_stripes > max_chunk_size) { +- stripe_size = div_u64(max_chunk_size, data_stripes); +- +- /* bump the answer up to a 16MB boundary */ +- stripe_size = round_up(stripe_size, SZ_16M); +- + /* +- * But don't go higher than the limits we found while searching +- * for free extents ++ * Reduce stripe_size, round it up to a 16MB boundary again and ++ * then use it, unless it ends up being even bigger than the ++ * previous value we had already. + */ +- stripe_size = min(devices_info[ndevs - 1].max_avail, ++ stripe_size = min(round_up(div_u64(max_chunk_size, ++ data_stripes), SZ_16M), + stripe_size); + } + +-- +2.19.1 + diff --git a/queue-4.19/btrfs-fix-use-after-free-due-to-race-between-replace.patch b/queue-4.19/btrfs-fix-use-after-free-due-to-race-between-replace.patch new file mode 100644 index 00000000000..7932a8988a5 --- /dev/null +++ b/queue-4.19/btrfs-fix-use-after-free-due-to-race-between-replace.patch @@ -0,0 +1,176 @@ +From e79acaaa5185b3edaf344a7c18a433fdeb2d08d6 Mon Sep 17 00:00:00 2001 +From: Anand Jain +Date: Wed, 14 Nov 2018 13:50:26 +0800 +Subject: btrfs: fix use-after-free due to race between replace start and + cancel + +[ Upstream commit d189dd70e2556181732598956d808ea53cc8774e ] + +The device replace cancel thread can race with the replace start thread +and if fs_info::scrubs_running is not yet set, btrfs_scrub_cancel() will +fail to stop the scrub thread. + +The scrub thread continues with the scrub for replace which then will +try to write to the target device and which is already freed by the +cancel thread. + +scrub_setup_ctx() warns as tgtdev is NULL. + + struct scrub_ctx *scrub_setup_ctx(struct btrfs_device *dev, int is_dev_replace) + { + ... + if (is_dev_replace) { + WARN_ON(!fs_info->dev_replace.tgtdev); <=== + sctx->pages_per_wr_bio = SCRUB_PAGES_PER_WR_BIO; + sctx->wr_tgtdev = fs_info->dev_replace.tgtdev; + sctx->flush_all_writes = false; + } + + [ 6724.497655] BTRFS info (device sdb): dev_replace from /dev/sdb (devid 1) to /dev/sdc started + [ 6753.945017] BTRFS info (device sdb): dev_replace from /dev/sdb (devid 1) to /dev/sdc canceled + [ 6852.426700] WARNING: CPU: 0 PID: 4494 at fs/btrfs/scrub.c:622 scrub_setup_ctx.isra.19+0x220/0x230 [btrfs] + ... + [ 6852.428928] RIP: 0010:scrub_setup_ctx.isra.19+0x220/0x230 [btrfs] + ... + [ 6852.432970] Call Trace: + [ 6852.433202] btrfs_scrub_dev+0x19b/0x5c0 [btrfs] + [ 6852.433471] btrfs_dev_replace_start+0x48c/0x6a0 [btrfs] + [ 6852.433800] btrfs_dev_replace_by_ioctl+0x3a/0x60 [btrfs] + [ 6852.434097] btrfs_ioctl+0x2476/0x2d20 [btrfs] + [ 6852.434365] ? do_sigaction+0x7d/0x1e0 + [ 6852.434623] do_vfs_ioctl+0xa9/0x6c0 + [ 6852.434865] ? syscall_trace_enter+0x1c8/0x310 + [ 6852.435124] ? syscall_trace_enter+0x1c8/0x310 + [ 6852.435387] ksys_ioctl+0x60/0x90 + [ 6852.435663] __x64_sys_ioctl+0x16/0x20 + [ 6852.435907] do_syscall_64+0x50/0x180 + [ 6852.436150] entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Further, as the replace thread enters scrub_write_page_to_dev_replace() +without the target device it panics: + + static int scrub_add_page_to_wr_bio(struct scrub_ctx *sctx, + struct scrub_page *spage) + { + ... + bio_set_dev(bio, sbio->dev->bdev); <====== + + [ 6929.715145] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0 + .. + [ 6929.717106] Workqueue: btrfs-scrub btrfs_scrub_helper [btrfs] + [ 6929.717420] RIP: 0010:scrub_write_page_to_dev_replace+0xb4/0x260 + [btrfs] + .. + [ 6929.721430] Call Trace: + [ 6929.721663] scrub_write_block_to_dev_replace+0x3f/0x60 [btrfs] + [ 6929.721975] scrub_bio_end_io_worker+0x1af/0x490 [btrfs] + [ 6929.722277] normal_work_helper+0xf0/0x4c0 [btrfs] + [ 6929.722552] process_one_work+0x1f4/0x520 + [ 6929.722805] ? process_one_work+0x16e/0x520 + [ 6929.723063] worker_thread+0x46/0x3d0 + [ 6929.723313] kthread+0xf8/0x130 + [ 6929.723544] ? process_one_work+0x520/0x520 + [ 6929.723800] ? kthread_delayed_work_timer_fn+0x80/0x80 + [ 6929.724081] ret_from_fork+0x3a/0x50 + +Fix this by letting the btrfs_dev_replace_finishing() to do the job of +cleaning after the cancel, including freeing of the target device. +btrfs_dev_replace_finishing() is called when btrfs_scub_dev() returns +along with the scrub return status. + +Signed-off-by: Anand Jain +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/dev-replace.c | 63 +++++++++++++++++++++++++++--------------- + 1 file changed, 41 insertions(+), 22 deletions(-) + +diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c +index b2b283e48439..8fed470bb7e1 100644 +--- a/fs/btrfs/dev-replace.c ++++ b/fs/btrfs/dev-replace.c +@@ -800,39 +800,58 @@ int btrfs_dev_replace_cancel(struct btrfs_fs_info *fs_info) + case BTRFS_IOCTL_DEV_REPLACE_STATE_CANCELED: + result = BTRFS_IOCTL_DEV_REPLACE_RESULT_NOT_STARTED; + btrfs_dev_replace_write_unlock(dev_replace); +- goto leave; ++ break; + case BTRFS_IOCTL_DEV_REPLACE_STATE_STARTED: ++ result = BTRFS_IOCTL_DEV_REPLACE_RESULT_NO_ERROR; ++ tgt_device = dev_replace->tgtdev; ++ src_device = dev_replace->srcdev; ++ btrfs_dev_replace_write_unlock(dev_replace); ++ btrfs_scrub_cancel(fs_info); ++ /* btrfs_dev_replace_finishing() will handle the cleanup part */ ++ btrfs_info_in_rcu(fs_info, ++ "dev_replace from %s (devid %llu) to %s canceled", ++ btrfs_dev_name(src_device), src_device->devid, ++ btrfs_dev_name(tgt_device)); ++ break; + case BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED: ++ /* ++ * Scrub doing the replace isn't running so we need to do the ++ * cleanup step of btrfs_dev_replace_finishing() here ++ */ + result = BTRFS_IOCTL_DEV_REPLACE_RESULT_NO_ERROR; + tgt_device = dev_replace->tgtdev; + src_device = dev_replace->srcdev; + dev_replace->tgtdev = NULL; + dev_replace->srcdev = NULL; +- break; +- } +- dev_replace->replace_state = BTRFS_IOCTL_DEV_REPLACE_STATE_CANCELED; +- dev_replace->time_stopped = ktime_get_real_seconds(); +- dev_replace->item_needs_writeback = 1; +- btrfs_dev_replace_write_unlock(dev_replace); +- btrfs_scrub_cancel(fs_info); ++ dev_replace->replace_state = ++ BTRFS_IOCTL_DEV_REPLACE_STATE_CANCELED; ++ dev_replace->time_stopped = ktime_get_real_seconds(); ++ dev_replace->item_needs_writeback = 1; + +- trans = btrfs_start_transaction(root, 0); +- if (IS_ERR(trans)) { +- mutex_unlock(&dev_replace->lock_finishing_cancel_unmount); +- return PTR_ERR(trans); +- } +- ret = btrfs_commit_transaction(trans); +- WARN_ON(ret); ++ btrfs_dev_replace_write_unlock(dev_replace); + +- btrfs_info_in_rcu(fs_info, +- "dev_replace from %s (devid %llu) to %s canceled", +- btrfs_dev_name(src_device), src_device->devid, +- btrfs_dev_name(tgt_device)); ++ btrfs_scrub_cancel(fs_info); ++ ++ trans = btrfs_start_transaction(root, 0); ++ if (IS_ERR(trans)) { ++ mutex_unlock(&dev_replace->lock_finishing_cancel_unmount); ++ return PTR_ERR(trans); ++ } ++ ret = btrfs_commit_transaction(trans); ++ WARN_ON(ret); + +- if (tgt_device) +- btrfs_destroy_dev_replace_tgtdev(tgt_device); ++ btrfs_info_in_rcu(fs_info, ++ "suspended dev_replace from %s (devid %llu) to %s canceled", ++ btrfs_dev_name(src_device), src_device->devid, ++ btrfs_dev_name(tgt_device)); ++ ++ if (tgt_device) ++ btrfs_destroy_dev_replace_tgtdev(tgt_device); ++ break; ++ default: ++ result = -EINVAL; ++ } + +-leave: + mutex_unlock(&dev_replace->lock_finishing_cancel_unmount); + return result; + } +-- +2.19.1 + diff --git a/queue-4.19/btrfs-improve-error-handling-of-btrfs_add_link.patch b/queue-4.19/btrfs-improve-error-handling-of-btrfs_add_link.patch new file mode 100644 index 00000000000..6347730d28a --- /dev/null +++ b/queue-4.19/btrfs-improve-error-handling-of-btrfs_add_link.patch @@ -0,0 +1,56 @@ +From a5cf92320a90230df1d3a8872c82f59a471b63e2 Mon Sep 17 00:00:00 2001 +From: Johannes Thumshirn +Date: Wed, 12 Dec 2018 15:14:17 +0100 +Subject: btrfs: improve error handling of btrfs_add_link + +[ Upstream commit 1690dd41e0cb1dade80850ed8a3eb0121b96d22f ] + +In the error handling block, err holds the return value of either +btrfs_del_root_ref() or btrfs_del_inode_ref() but it hasn't been checked +since it's introduction with commit fe66a05a0679 (Btrfs: improve error +handling for btrfs_insert_dir_item callers) in 2012. + +If the error handling in the error handling fails, there's not much left +to do and the abort either happened earlier in the callees or is +necessary here. + +So if one of btrfs_del_root_ref() or btrfs_del_inode_ref() failed, abort +the transaction, but still return the original code of the failure +stored in 'ret' as this will be reported to the user. + +Signed-off-by: Johannes Thumshirn +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 4f6dc56b4f4d..83b3a626c796 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -6440,14 +6440,19 @@ fail_dir_item: + err = btrfs_del_root_ref(trans, key.objectid, + root->root_key.objectid, parent_ino, + &local_index, name, name_len); +- ++ if (err) ++ btrfs_abort_transaction(trans, err); + } else if (add_backref) { + u64 local_index; + int err; + + err = btrfs_del_inode_ref(trans, root, name, name_len, + ino, parent_ino, &local_index); ++ if (err) ++ btrfs_abort_transaction(trans, err); + } ++ ++ /* Return the original error code */ + return ret; + } + +-- +2.19.1 + diff --git a/queue-4.19/btrfs-volumes-make-sure-there-is-no-overlap-of-dev-e.patch b/queue-4.19/btrfs-volumes-make-sure-there-is-no-overlap-of-dev-e.patch new file mode 100644 index 00000000000..542808d9391 --- /dev/null +++ b/queue-4.19/btrfs-volumes-make-sure-there-is-no-overlap-of-dev-e.patch @@ -0,0 +1,149 @@ +From f28c201709b9708f1eb04e430998f6b195cf11db Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Fri, 5 Oct 2018 17:45:54 +0800 +Subject: btrfs: volumes: Make sure there is no overlap of dev extents at mount + time + +[ Upstream commit 5eb193812a42dc49331f25137a38dfef9612d3e4 ] + +Enhance btrfs_verify_dev_extents() to remember previous checked dev +extents, so it can verify no dev extents can overlap. + +Analysis from Hans: + +"Imagine allocating a DATA|DUP chunk. + + In the chunk allocator, we first set... + max_stripe_size = SZ_1G; + max_chunk_size = BTRFS_MAX_DATA_CHUNK_SIZE + ... which is 10GiB. + + Then... + /* we don't want a chunk larger than 10% of writeable space */ + max_chunk_size = min(div_factor(fs_devices->total_rw_bytes, 1), + max_chunk_size); + + Imagine we only have one 7880MiB block device in this filesystem. Now + max_chunk_size is down to 788MiB. + + The next step in the code is to search for max_stripe_size * dev_stripes + amount of free space on the device, which is in our example 1GiB * 2 = + 2GiB. Imagine the device has exactly 1578MiB free in one contiguous + piece. This amount of bytes will be put in devices_info[ndevs - 1].max_avail + + Next we recalculate the stripe_size (which is actually the device extent + length), based on the actual maximum amount of available raw disk space: + stripe_size = div_u64(devices_info[ndevs - 1].max_avail, dev_stripes); + + stripe_size is now 789MiB + + Next we do... + data_stripes = num_stripes / ncopies + ...where data_stripes ends up as 1, because num_stripes is 2 (the amount + of device extents we're going to have), and DUP has ncopies 2. + + Next there's a check... + if (stripe_size * data_stripes > max_chunk_size) + ...which matches because 789MiB * 1 > 788MiB. + + We go into the if code, and next is... + stripe_size = div_u64(max_chunk_size, data_stripes); + ...which resets stripe_size to max_chunk_size: 788MiB + + Next is a fun one... + /* bump the answer up to a 16MB boundary */ + stripe_size = round_up(stripe_size, SZ_16M); + ...which changes stripe_size from 788MiB to 800MiB. + + We're not done changing stripe_size yet... + /* But don't go higher than the limits we found while searching + * for free extents + */ + stripe_size = min(devices_info[ndevs - 1].max_avail, + stripe_size); + + This is bad. max_avail is twice the stripe_size (we need to fit 2 device + extents on the same device for DUP). + + The result here is that 800MiB < 1578MiB, so it's unchanged. However, + the resulting DUP chunk will need 1600MiB disk space, which isn't there, + and the second dev_extent might extend into the next thing (next + dev_extent? end of device?) for 22MiB. + + The last shown line of code relies on a situation where there's twice + the value of stripe_size present as value for the variable stripe_size + when it's DUP. This was actually the case before commit 92e222df7b + "btrfs: alloc_chunk: fix DUP stripe size handling", from which I quote: + "[...] in the meantime there's a check to see if the stripe_size does + not exceed max_chunk_size. Since during this check stripe_size is twice + the amount as intended, the check will reduce the stripe_size to + max_chunk_size if the actual correct to be used stripe_size is more than + half the amount of max_chunk_size." + + In the previous version of the code, the 16MiB alignment (why is this + done, by the way?) would result in a 50% chance that it would actually + do an 8MiB alignment for the individual dev_extents, since it was + operating on double the size. Does this matter? + + Does it matter that stripe_size can be set to anything which is not + 16MiB aligned because of the amount of remaining available disk space + which is just taken? + + What is the main purpose of this round_up? + + The most straightforward thing to do seems something like... + stripe_size = min( + div_u64(devices_info[ndevs - 1].max_avail, dev_stripes), + stripe_size + ) + ..just putting half of the max_avail into stripe_size." + +Link: https://lore.kernel.org/linux-btrfs/b3461a38-e5f8-f41d-c67c-2efac8129054@mendix.com/ +Reported-by: Hans van Kranenburg +Signed-off-by: Qu Wenruo +[ add analysis from report ] +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/volumes.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 223334f08530..dbb893d0ae81 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -7474,6 +7474,8 @@ int btrfs_verify_dev_extents(struct btrfs_fs_info *fs_info) + struct btrfs_path *path; + struct btrfs_root *root = fs_info->dev_root; + struct btrfs_key key; ++ u64 prev_devid = 0; ++ u64 prev_dev_ext_end = 0; + int ret = 0; + + key.objectid = 1; +@@ -7518,10 +7520,22 @@ int btrfs_verify_dev_extents(struct btrfs_fs_info *fs_info) + chunk_offset = btrfs_dev_extent_chunk_offset(leaf, dext); + physical_len = btrfs_dev_extent_length(leaf, dext); + ++ /* Check if this dev extent overlaps with the previous one */ ++ if (devid == prev_devid && physical_offset < prev_dev_ext_end) { ++ btrfs_err(fs_info, ++"dev extent devid %llu physical offset %llu overlap with previous dev extent end %llu", ++ devid, physical_offset, prev_dev_ext_end); ++ ret = -EUCLEAN; ++ goto out; ++ } ++ + ret = verify_one_dev_extent(fs_info, chunk_offset, devid, + physical_offset, physical_len); + if (ret < 0) + goto out; ++ prev_devid = devid; ++ prev_dev_ext_end = physical_offset + physical_len; ++ + ret = btrfs_next_item(root, path); + if (ret < 0) + goto out; +-- +2.19.1 + diff --git a/queue-4.19/clk-imx-make-mux-parent-strings-const.patch b/queue-4.19/clk-imx-make-mux-parent-strings-const.patch new file mode 100644 index 00000000000..6ed0a3fc2cd --- /dev/null +++ b/queue-4.19/clk-imx-make-mux-parent-strings-const.patch @@ -0,0 +1,127 @@ +From 6fa939c32515ddeceb81b2058ef9e9b69961f5a3 Mon Sep 17 00:00:00 2001 +From: "A.s. Dong" +Date: Wed, 14 Nov 2018 13:02:00 +0000 +Subject: clk: imx: make mux parent strings const + +[ Upstream commit 9e5ef7a57ca75a1b9411c46caeeb6881124284a3 ] + +As the commit 2893c379461a ("clk: make strings in parent name arrays +const"), let's make the parent strings const, otherwise we may meet +the following warning when compiling: + +drivers/clk/imx/clk-imx7ulp.c: In function 'imx7ulp_clocks_init': +drivers/clk/imx/clk-imx7ulp.c:73:35: warning: passing argument 5 of + 'imx_clk_mux_flags' discards 'const' qualifier from pointer target type + + clks[IMX7ULP_CLK_APLL_PRE_SEL] = imx_clk_mux_flags("apll_pre_sel", base + 0x508, 0, + 1, pll_pre_sels, ARRAY_SIZE(pll_pre_sels), CLK_SET_PARENT_GATE); + ^ +In file included from drivers/clk/imx/clk-imx7ulp.c:23:0: +drivers/clk/imx/clk.h:200:27: note: expected 'const char **' but argument is + of type 'const char * const*' +... + +Cc: Stephen Boyd +Cc: Michael Turquette +Cc: Shawn Guo +Signed-off-by: Dong Aisheng +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-busy.c | 2 +- + drivers/clk/imx/clk-fixup-mux.c | 2 +- + drivers/clk/imx/clk.h | 18 +++++++++++------- + 3 files changed, 13 insertions(+), 9 deletions(-) + +diff --git a/drivers/clk/imx/clk-busy.c b/drivers/clk/imx/clk-busy.c +index 99036527eb0d..e695622c5aa5 100644 +--- a/drivers/clk/imx/clk-busy.c ++++ b/drivers/clk/imx/clk-busy.c +@@ -154,7 +154,7 @@ static const struct clk_ops clk_busy_mux_ops = { + + struct clk *imx_clk_busy_mux(const char *name, void __iomem *reg, u8 shift, + u8 width, void __iomem *busy_reg, u8 busy_shift, +- const char **parent_names, int num_parents) ++ const char * const *parent_names, int num_parents) + { + struct clk_busy_mux *busy; + struct clk *clk; +diff --git a/drivers/clk/imx/clk-fixup-mux.c b/drivers/clk/imx/clk-fixup-mux.c +index c9b327e0a8dd..44817c1b0b88 100644 +--- a/drivers/clk/imx/clk-fixup-mux.c ++++ b/drivers/clk/imx/clk-fixup-mux.c +@@ -70,7 +70,7 @@ static const struct clk_ops clk_fixup_mux_ops = { + }; + + struct clk *imx_clk_fixup_mux(const char *name, void __iomem *reg, +- u8 shift, u8 width, const char **parents, ++ u8 shift, u8 width, const char * const *parents, + int num_parents, void (*fixup)(u32 *val)) + { + struct clk_fixup_mux *fixup_mux; +diff --git a/drivers/clk/imx/clk.h b/drivers/clk/imx/clk.h +index 8076ec040f37..e65c1115d978 100644 +--- a/drivers/clk/imx/clk.h ++++ b/drivers/clk/imx/clk.h +@@ -63,14 +63,14 @@ struct clk *imx_clk_busy_divider(const char *name, const char *parent_name, + + struct clk *imx_clk_busy_mux(const char *name, void __iomem *reg, u8 shift, + u8 width, void __iomem *busy_reg, u8 busy_shift, +- const char **parent_names, int num_parents); ++ const char * const *parent_names, int num_parents); + + struct clk *imx_clk_fixup_divider(const char *name, const char *parent, + void __iomem *reg, u8 shift, u8 width, + void (*fixup)(u32 *val)); + + struct clk *imx_clk_fixup_mux(const char *name, void __iomem *reg, +- u8 shift, u8 width, const char **parents, ++ u8 shift, u8 width, const char * const *parents, + int num_parents, void (*fixup)(u32 *val)); + + static inline struct clk *imx_clk_fixed(const char *name, int rate) +@@ -79,7 +79,8 @@ static inline struct clk *imx_clk_fixed(const char *name, int rate) + } + + static inline struct clk *imx_clk_mux_ldb(const char *name, void __iomem *reg, +- u8 shift, u8 width, const char **parents, int num_parents) ++ u8 shift, u8 width, const char * const *parents, ++ int num_parents) + { + return clk_register_mux(NULL, name, parents, num_parents, + CLK_SET_RATE_NO_REPARENT | CLK_SET_RATE_PARENT, reg, +@@ -192,7 +193,8 @@ static inline struct clk *imx_clk_gate4(const char *name, const char *parent, + } + + static inline struct clk *imx_clk_mux(const char *name, void __iomem *reg, +- u8 shift, u8 width, const char **parents, int num_parents) ++ u8 shift, u8 width, const char * const *parents, ++ int num_parents) + { + return clk_register_mux(NULL, name, parents, num_parents, + CLK_SET_RATE_NO_REPARENT, reg, shift, +@@ -200,7 +202,8 @@ static inline struct clk *imx_clk_mux(const char *name, void __iomem *reg, + } + + static inline struct clk *imx_clk_mux2(const char *name, void __iomem *reg, +- u8 shift, u8 width, const char **parents, int num_parents) ++ u8 shift, u8 width, const char * const *parents, ++ int num_parents) + { + return clk_register_mux(NULL, name, parents, num_parents, + CLK_SET_RATE_NO_REPARENT | CLK_OPS_PARENT_ENABLE, +@@ -208,8 +211,9 @@ static inline struct clk *imx_clk_mux2(const char *name, void __iomem *reg, + } + + static inline struct clk *imx_clk_mux_flags(const char *name, +- void __iomem *reg, u8 shift, u8 width, const char **parents, +- int num_parents, unsigned long flags) ++ void __iomem *reg, u8 shift, u8 width, ++ const char * const *parents, int num_parents, ++ unsigned long flags) + { + return clk_register_mux(NULL, name, parents, num_parents, + flags | CLK_SET_RATE_NO_REPARENT, reg, shift, width, 0, +-- +2.19.1 + diff --git a/queue-4.19/clk-imx6q-reset-exclusive-gates-on-init.patch b/queue-4.19/clk-imx6q-reset-exclusive-gates-on-init.patch new file mode 100644 index 00000000000..82192601d01 --- /dev/null +++ b/queue-4.19/clk-imx6q-reset-exclusive-gates-on-init.patch @@ -0,0 +1,44 @@ +From 810b9f0ae8a100b6933c6edcd1586ae59f4ec7c4 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Thu, 15 Nov 2018 15:30:26 +0100 +Subject: clk: imx6q: reset exclusive gates on init + +[ Upstream commit f7542d817733f461258fd3a47d77da35b2d9fc81 ] + +The exclusive gates may be set up in the wrong way by software running +before the clock driver comes up. In that case the exclusive setup is +locked in its initial state, as the complementary function can't be +activated without disabling the initial setup first. + +To avoid this lock situation, reset the exclusive gates to the off +state and allow the kernel to provide the proper setup. + +Signed-off-by: Lucas Stach +Reviewed-by: Dong Aisheng +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx6q.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/imx/clk-imx6q.c b/drivers/clk/imx/clk-imx6q.c +index 8c7c2fcb8d94..c509324f6338 100644 +--- a/drivers/clk/imx/clk-imx6q.c ++++ b/drivers/clk/imx/clk-imx6q.c +@@ -508,8 +508,12 @@ static void __init imx6q_clocks_init(struct device_node *ccm_node) + * lvds1_gate and lvds2_gate are pseudo-gates. Both can be + * independently configured as clock inputs or outputs. We treat + * the "output_enable" bit as a gate, even though it's really just +- * enabling clock output. ++ * enabling clock output. Initially the gate bits are cleared, as ++ * otherwise the exclusive configuration gets locked in the setup done ++ * by software running before the clock driver, with no way to change ++ * it. + */ ++ writel(readl(base + 0x160) & ~0x3c00, base + 0x160); + clk[IMX6QDL_CLK_LVDS1_GATE] = imx_clk_gate_exclusive("lvds1_gate", "lvds1_sel", base + 0x160, 10, BIT(12)); + clk[IMX6QDL_CLK_LVDS2_GATE] = imx_clk_gate_exclusive("lvds2_gate", "lvds2_sel", base + 0x160, 11, BIT(13)); + +-- +2.19.1 + diff --git a/queue-4.19/clk-meson-meson8b-fix-incorrect-divider-mapping-in-c.patch b/queue-4.19/clk-meson-meson8b-fix-incorrect-divider-mapping-in-c.patch new file mode 100644 index 00000000000..f589c6cfa0b --- /dev/null +++ b/queue-4.19/clk-meson-meson8b-fix-incorrect-divider-mapping-in-c.patch @@ -0,0 +1,107 @@ +From 67451914c7c25a397c1c05d271da2ca8d6b31a69 Mon Sep 17 00:00:00 2001 +From: Martin Blumenstingl +Date: Thu, 27 Sep 2018 10:59:20 +0200 +Subject: clk: meson: meson8b: fix incorrect divider mapping in cpu_scale_table + +[ Upstream commit ad9b2b8e53af61375322e3c7d624acf3a3ef53b0 ] + +The public S805 datasheet only mentions that +HHI_SYS_CPU_CLK_CNTL1[20:29] contains a divider called "cpu_scale_div". +Unfortunately it does not mention how to use the register contents. + +The Amlogic 3.10 GPL kernel sources are using the following code to +calculate the CPU clock based on that register (taken from +arch/arm/mach-meson8/clock.c in the 3.10 Amlogic kernel, shortened to +make it easier to read): +N = (aml_read_reg32(P_HHI_SYS_CPU_CLK_CNTL1) >> 20) & 0x3FF; +if (sel == 3) /* use cpu_scale_div */ + div = 2 * N; +else + div = ... /* not relevant for this example */ +cpu_clk = parent_clk / div; + +This suggests that the formula is: parent_rate / 2 * register_value +However, running perf (which can measure the CPU clock rate thanks to +the ARM PMU) shows that this formula is not correct. +This can be reproduced with the following steps: +1. boot into u-boot +2. let the CPU clock run off the XTAL clock: + mw.l 0xC110419C 0x30 1 +3. set the cpu_scale_div register: + to value 0x1: mw.l 0xC110415C 0x801016A2 1 + to value 0x2: mw.l 0xC110415C 0x802016A2 1 + to value 0x5: mw.l 0xC110415C 0x805016A2 1 +4. let the CPU clock run off cpu_scale_div: + mw.l 0xC110419C 0xbd 1 +5. boot Linux +6. run: perf stat -aB stress --cpu 4 --timeout 10 +7. check the "cycles" value + +I get the following results depending on the cpu_scale_div value: +- (cpu_in_sel - this is the input clock for cpu_scale_div - runs at + 1.2GHz) +- 0x1 = 300MHz +- 0x2 = 200MHz +- 0x5 = 100MHz + +This means that the actual formula to calculate the output of the +cpu_scale_div clock is: parent_rate / 2 * (register value + 1). + +The register value 0x0 is reserved. When letting the CPU clock run off +the cpu_scale_div while the value is 0x0 the whole board hangs (even in +u-boot). + +I also verified this with the TWD timer: when adding this to the .dts +without specifying it's clock it will auto-detect the PERIPH (which is +the input clock of the TWD) clock rate (and the result is shown in the +kernel log). On Meson8, Meson8b and Meson8m2 the PERIPH clock is CPUCLK +divided by 4. This also matched for all three test-cases from above (in +all cases the TWD timer clock rate was approx. one fourth of the CPU +clock rate). + +A small note regarding the "fixes" tag: the original issue seems to +exist virtually since forever. Even commit 28b9fcd016126e ("clk: +meson8b: Add support for Meson8b clocks") seems to handle this wrong. I +still decided to use commit 251b6fd38bcb9c ("clk: meson: rework meson8b +cpu clock") because this is the first commit which gets the CPU hiearchy +correct and thus it's the first commit where the cpu_scale_div register +is used correctly (apart from the bug in the cpu_scale_table). + +Fixes: 251b6fd38bcb9c ("clk: meson: rework meson8b cpu clock") +Signed-off-by: Martin Blumenstingl +Signed-off-by: Neil Armstrong +Link: https://lkml.kernel.org/r/20180927085921.24627-2-martin.blumenstingl@googlemail.com +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/meson8b.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/clk/meson/meson8b.c b/drivers/clk/meson/meson8b.c +index 74697e145dde..50060e895e7a 100644 +--- a/drivers/clk/meson/meson8b.c ++++ b/drivers/clk/meson/meson8b.c +@@ -568,13 +568,14 @@ static struct clk_fixed_factor meson8b_cpu_div3 = { + }; + + static const struct clk_div_table cpu_scale_table[] = { +- { .val = 2, .div = 4 }, +- { .val = 3, .div = 6 }, +- { .val = 4, .div = 8 }, +- { .val = 5, .div = 10 }, +- { .val = 6, .div = 12 }, +- { .val = 7, .div = 14 }, +- { .val = 8, .div = 16 }, ++ { .val = 1, .div = 4 }, ++ { .val = 2, .div = 6 }, ++ { .val = 3, .div = 8 }, ++ { .val = 4, .div = 10 }, ++ { .val = 5, .div = 12 }, ++ { .val = 6, .div = 14 }, ++ { .val = 7, .div = 16 }, ++ { .val = 8, .div = 18 }, + { /* sentinel */ }, + }; + +-- +2.19.1 + diff --git a/queue-4.19/clocksource-drivers-integrator-ap-add-missing-of_nod.patch b/queue-4.19/clocksource-drivers-integrator-ap-add-missing-of_nod.patch new file mode 100644 index 00000000000..145e9d0af4f --- /dev/null +++ b/queue-4.19/clocksource-drivers-integrator-ap-add-missing-of_nod.patch @@ -0,0 +1,83 @@ +From 1a816617e603900137a41577c5f1c22634915f65 Mon Sep 17 00:00:00 2001 +From: Yangtao Li +Date: Sun, 25 Nov 2018 00:00:49 -0500 +Subject: clocksource/drivers/integrator-ap: Add missing of_node_put() + +[ Upstream commit 5eb73c831171115d3b4347e1e7124a5a35d8086c ] + +The function of_find_node_by_path() acquires a reference to the node +returned by it and that reference needs to be dropped by its caller. + +integrator_ap_timer_init_of() doesn't do that. The pri_node and the +sec_node are used as an identifier to compare against the current +node, so we can directly drop the refcount after getting the node from +the path as it is not used as pointer. + +By dropping the refcount right after getting it, a single variable is +needed instead of two. + +Fix this by use a single variable and drop the refcount right after +of_find_node_by_path(). + +Signed-off-by: Yangtao Li +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-integrator-ap.c | 25 +++++++++++++++-------- + 1 file changed, 16 insertions(+), 9 deletions(-) + +diff --git a/drivers/clocksource/timer-integrator-ap.c b/drivers/clocksource/timer-integrator-ap.c +index 62d24690ba02..9701107806a7 100644 +--- a/drivers/clocksource/timer-integrator-ap.c ++++ b/drivers/clocksource/timer-integrator-ap.c +@@ -181,8 +181,7 @@ static int __init integrator_ap_timer_init_of(struct device_node *node) + int irq; + struct clk *clk; + unsigned long rate; +- struct device_node *pri_node; +- struct device_node *sec_node; ++ struct device_node *alias_node; + + base = of_io_request_and_map(node, 0, "integrator-timer"); + if (IS_ERR(base)) +@@ -204,7 +203,18 @@ static int __init integrator_ap_timer_init_of(struct device_node *node) + return err; + } + +- pri_node = of_find_node_by_path(path); ++ alias_node = of_find_node_by_path(path); ++ ++ /* ++ * The pointer is used as an identifier not as a pointer, we ++ * can drop the refcount on the of__node immediately after ++ * getting it. ++ */ ++ of_node_put(alias_node); ++ ++ if (node == alias_node) ++ /* The primary timer lacks IRQ, use as clocksource */ ++ return integrator_clocksource_init(rate, base); + + err = of_property_read_string(of_aliases, + "arm,timer-secondary", &path); +@@ -213,14 +223,11 @@ static int __init integrator_ap_timer_init_of(struct device_node *node) + return err; + } + ++ alias_node = of_find_node_by_path(path); + +- sec_node = of_find_node_by_path(path); +- +- if (node == pri_node) +- /* The primary timer lacks IRQ, use as clocksource */ +- return integrator_clocksource_init(rate, base); ++ of_node_put(alias_node); + +- if (node == sec_node) { ++ if (node == alias_node) { + /* The secondary timer will drive the clock event */ + irq = irq_of_parse_and_map(node, 0); + return integrator_clockevent_init(rate, base, irq); +-- +2.19.1 + diff --git a/queue-4.19/crypto-ecc-regularize-scalar-for-scalar-multiplicati.patch b/queue-4.19/crypto-ecc-regularize-scalar-for-scalar-multiplicati.patch new file mode 100644 index 00000000000..77307e51079 --- /dev/null +++ b/queue-4.19/crypto-ecc-regularize-scalar-for-scalar-multiplicati.patch @@ -0,0 +1,84 @@ +From 390937de8a87c07e94f9d3fc8cd1b999f5544f82 Mon Sep 17 00:00:00 2001 +From: Vitaly Chikunov +Date: Sun, 11 Nov 2018 20:40:02 +0300 +Subject: crypto: ecc - regularize scalar for scalar multiplication + +[ Upstream commit 3da2c1dfdb802b184eea0653d1e589515b52d74b ] + +ecc_point_mult is supposed to be used with a regularized scalar, +otherwise, it's possible to deduce the position of the top bit of the +scalar with timing attack. This is important when the scalar is a +private key. + +ecc_point_mult is already using a regular algorithm (i.e. having an +operation flow independent of the input scalar) but regularization step +is not implemented. + +Arrange scalar to always have fixed top bit by adding a multiple of the +curve order (n). + +References: +The constant time regularization step is based on micro-ecc by Kenneth +MacKay and also referenced in the literature (Bernstein, D. J., & Lange, +T. (2017). Montgomery curves and the Montgomery ladder. (Cryptology +ePrint Archive; Vol. 2017/293). s.l.: IACR. Chapter 4.6.2.) + +Signed-off-by: Vitaly Chikunov +Cc: kernel-hardening@lists.openwall.com +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/ecc.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/crypto/ecc.c b/crypto/ecc.c +index 8facafd67802..adcce310f646 100644 +--- a/crypto/ecc.c ++++ b/crypto/ecc.c +@@ -842,15 +842,23 @@ static void xycz_add_c(u64 *x1, u64 *y1, u64 *x2, u64 *y2, u64 *curve_prime, + + static void ecc_point_mult(struct ecc_point *result, + const struct ecc_point *point, const u64 *scalar, +- u64 *initial_z, u64 *curve_prime, ++ u64 *initial_z, const struct ecc_curve *curve, + unsigned int ndigits) + { + /* R0 and R1 */ + u64 rx[2][ECC_MAX_DIGITS]; + u64 ry[2][ECC_MAX_DIGITS]; + u64 z[ECC_MAX_DIGITS]; ++ u64 sk[2][ECC_MAX_DIGITS]; ++ u64 *curve_prime = curve->p; + int i, nb; +- int num_bits = vli_num_bits(scalar, ndigits); ++ int num_bits; ++ int carry; ++ ++ carry = vli_add(sk[0], scalar, curve->n, ndigits); ++ vli_add(sk[1], sk[0], curve->n, ndigits); ++ scalar = sk[!carry]; ++ num_bits = sizeof(u64) * ndigits * 8 + 1; + + vli_set(rx[1], point->x, ndigits); + vli_set(ry[1], point->y, ndigits); +@@ -1004,7 +1012,7 @@ int ecc_make_pub_key(unsigned int curve_id, unsigned int ndigits, + goto out; + } + +- ecc_point_mult(pk, &curve->g, priv, NULL, curve->p, ndigits); ++ ecc_point_mult(pk, &curve->g, priv, NULL, curve, ndigits); + if (ecc_point_is_zero(pk)) { + ret = -EAGAIN; + goto err_free_point; +@@ -1090,7 +1098,7 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, + goto err_alloc_product; + } + +- ecc_point_mult(product, pk, priv, rand_z, curve->p, ndigits); ++ ecc_point_mult(product, pk, priv, rand_z, curve, ndigits); + + ecc_swap_digits(product->x, secret, ndigits); + +-- +2.19.1 + diff --git a/queue-4.19/dm-check-for-device-sector-overflow-if-config_lbdaf-.patch b/queue-4.19/dm-check-for-device-sector-overflow-if-config_lbdaf-.patch new file mode 100644 index 00000000000..b4208f101ed --- /dev/null +++ b/queue-4.19/dm-check-for-device-sector-overflow-if-config_lbdaf-.patch @@ -0,0 +1,116 @@ +From c4ec875be816d6da202c9ced2831db683caa299d Mon Sep 17 00:00:00 2001 +From: Milan Broz +Date: Wed, 7 Nov 2018 22:24:55 +0100 +Subject: dm: Check for device sector overflow if CONFIG_LBDAF is not set + +[ Upstream commit ef87bfc24f9b8da82c89aff493df20f078bc9cb1 ] + +Reference to a device in device-mapper table contains offset in sectors. + +If the sector_t is 32bit integer (CONFIG_LBDAF is not set), then +several device-mapper targets can overflow this offset and validity +check is then performed on a wrong offset and a wrong table is activated. + +See for example (on 32bit without CONFIG_LBDAF) this overflow: + + # dmsetup create test --table "0 2048 linear /dev/sdg 4294967297" + # dmsetup table test + 0 2048 linear 8:96 1 + +This patch adds explicit check for overflow if the offset is sector_t type. + +Signed-off-by: Milan Broz +Reviewed-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-crypt.c | 2 +- + drivers/md/dm-delay.c | 2 +- + drivers/md/dm-flakey.c | 2 +- + drivers/md/dm-linear.c | 2 +- + drivers/md/dm-raid1.c | 3 ++- + drivers/md/dm-unstripe.c | 2 +- + 6 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c +index f192ba38f332..f2ec882f96be 100644 +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -2780,7 +2780,7 @@ static int crypt_ctr(struct dm_target *ti, unsigned int argc, char **argv) + } + + ret = -EINVAL; +- if (sscanf(argv[4], "%llu%c", &tmpll, &dummy) != 1) { ++ if (sscanf(argv[4], "%llu%c", &tmpll, &dummy) != 1 || tmpll != (sector_t)tmpll) { + ti->error = "Invalid device sector"; + goto bad; + } +diff --git a/drivers/md/dm-delay.c b/drivers/md/dm-delay.c +index 2fb7bb4304ad..fddffe251bf6 100644 +--- a/drivers/md/dm-delay.c ++++ b/drivers/md/dm-delay.c +@@ -141,7 +141,7 @@ static int delay_class_ctr(struct dm_target *ti, struct delay_class *c, char **a + unsigned long long tmpll; + char dummy; + +- if (sscanf(argv[1], "%llu%c", &tmpll, &dummy) != 1) { ++ if (sscanf(argv[1], "%llu%c", &tmpll, &dummy) != 1 || tmpll != (sector_t)tmpll) { + ti->error = "Invalid device sector"; + return -EINVAL; + } +diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c +index 32aabe27b37c..b86d2439ffc7 100644 +--- a/drivers/md/dm-flakey.c ++++ b/drivers/md/dm-flakey.c +@@ -213,7 +213,7 @@ static int flakey_ctr(struct dm_target *ti, unsigned int argc, char **argv) + devname = dm_shift_arg(&as); + + r = -EINVAL; +- if (sscanf(dm_shift_arg(&as), "%llu%c", &tmpll, &dummy) != 1) { ++ if (sscanf(dm_shift_arg(&as), "%llu%c", &tmpll, &dummy) != 1 || tmpll != (sector_t)tmpll) { + ti->error = "Invalid device sector"; + goto bad; + } +diff --git a/drivers/md/dm-linear.c b/drivers/md/dm-linear.c +index 2f7c44a006c4..caa08c4b84cd 100644 +--- a/drivers/md/dm-linear.c ++++ b/drivers/md/dm-linear.c +@@ -45,7 +45,7 @@ static int linear_ctr(struct dm_target *ti, unsigned int argc, char **argv) + } + + ret = -EINVAL; +- if (sscanf(argv[1], "%llu%c", &tmp, &dummy) != 1) { ++ if (sscanf(argv[1], "%llu%c", &tmp, &dummy) != 1 || tmp != (sector_t)tmp) { + ti->error = "Invalid device sector"; + goto bad; + } +diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c +index 79eab1071ec2..5a51151f680d 100644 +--- a/drivers/md/dm-raid1.c ++++ b/drivers/md/dm-raid1.c +@@ -943,7 +943,8 @@ static int get_mirror(struct mirror_set *ms, struct dm_target *ti, + char dummy; + int ret; + +- if (sscanf(argv[1], "%llu%c", &offset, &dummy) != 1) { ++ if (sscanf(argv[1], "%llu%c", &offset, &dummy) != 1 || ++ offset != (sector_t)offset) { + ti->error = "Invalid offset"; + return -EINVAL; + } +diff --git a/drivers/md/dm-unstripe.c b/drivers/md/dm-unstripe.c +index 954b7ab4e684..e673dacf6418 100644 +--- a/drivers/md/dm-unstripe.c ++++ b/drivers/md/dm-unstripe.c +@@ -78,7 +78,7 @@ static int unstripe_ctr(struct dm_target *ti, unsigned int argc, char **argv) + goto err; + } + +- if (sscanf(argv[4], "%llu%c", &start, &dummy) != 1) { ++ if (sscanf(argv[4], "%llu%c", &start, &dummy) != 1 || start != (sector_t)start) { + ti->error = "Invalid striped device offset"; + goto err; + } +-- +2.19.1 + diff --git a/queue-4.19/dm-crypt-use-u64-instead-of-sector_t-to-store-iv_off.patch b/queue-4.19/dm-crypt-use-u64-instead-of-sector_t-to-store-iv_off.patch new file mode 100644 index 00000000000..0a6a04aa2a2 --- /dev/null +++ b/queue-4.19/dm-crypt-use-u64-instead-of-sector_t-to-store-iv_off.patch @@ -0,0 +1,81 @@ +From ec5ebecd167c52a5fe9f43ed8f1454d448c3101c Mon Sep 17 00:00:00 2001 +From: AliOS system security +Date: Mon, 5 Nov 2018 15:31:42 +0800 +Subject: dm crypt: use u64 instead of sector_t to store iv_offset + +[ Upstream commit 8d683dcd65c037efc9fb38c696ec9b65b306e573 ] + +The iv_offset in the mapping table of crypt target is a 64bit number when +IV algorithm is plain64, plain64be, essiv or benbi. It will be assigned to +iv_offset of struct crypt_config, cc_sector of struct convert_context and +iv_sector of struct dm_crypt_request. These structures members are defined +as a sector_t. But sector_t is 32bit when CONFIG_LBDAF is not set in 32bit +kernel. In this situation sector_t is not big enough to store the 64bit +iv_offset. + +Here is a reproducer. +Prepare test image and device (loop is automatically allocated by cryptsetup): + + # dd if=/dev/zero of=tst.img bs=1M count=1 + # echo "tst"|cryptsetup open --type plain -c aes-xts-plain64 \ + --skip 500000000000000000 tst.img test + +On 32bit system (use IV offset value that overflows to 64bit; CONFIG_LBDAF if off) +and device checksum is wrong: + + # dmsetup table test --showkeys + 0 2048 crypt aes-xts-plain64 dfa7cfe3c481f2239155739c42e539ae8f2d38f304dcc89d20b26f69daaf0933 3551657984 7:0 0 + + # sha256sum /dev/mapper/test + 533e25c09176632b3794f35303488c4a8f3f965dffffa6ec2df347c168cb6c19 /dev/mapper/test + +On 64bit system (and on 32bit system with the patch), table and checksum is now correct: + + # dmsetup table test --showkeys + 0 2048 crypt aes-xts-plain64 dfa7cfe3c481f2239155739c42e539ae8f2d38f304dcc89d20b26f69daaf0933 500000000000000000 7:0 0 + + # sha256sum /dev/mapper/test + 5d16160f9d5f8c33d8051e65fdb4f003cc31cd652b5abb08f03aa6fce0df75fc /dev/mapper/test + +Signed-off-by: AliOS system security +Tested-and-Reviewed-by: Milan Broz +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-crypt.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c +index 0481223b1deb..f192ba38f332 100644 +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -49,7 +49,7 @@ struct convert_context { + struct bio *bio_out; + struct bvec_iter iter_in; + struct bvec_iter iter_out; +- sector_t cc_sector; ++ u64 cc_sector; + atomic_t cc_pending; + union { + struct skcipher_request *req; +@@ -81,7 +81,7 @@ struct dm_crypt_request { + struct convert_context *ctx; + struct scatterlist sg_in[4]; + struct scatterlist sg_out[4]; +- sector_t iv_sector; ++ u64 iv_sector; + }; + + struct crypt_config; +@@ -160,7 +160,7 @@ struct crypt_config { + struct iv_lmk_private lmk; + struct iv_tcw_private tcw; + } iv_gen_private; +- sector_t iv_offset; ++ u64 iv_offset; + unsigned int iv_size; + unsigned short int sector_size; + unsigned char sector_shift; +-- +2.19.1 + diff --git a/queue-4.19/dm-kcopyd-fix-bug-causing-workqueue-stalls.patch b/queue-4.19/dm-kcopyd-fix-bug-causing-workqueue-stalls.patch new file mode 100644 index 00000000000..4ecac1dbd02 --- /dev/null +++ b/queue-4.19/dm-kcopyd-fix-bug-causing-workqueue-stalls.patch @@ -0,0 +1,159 @@ +From 9c3f9fdf84b60489c017ec5d213ce1b4cbdc85e8 Mon Sep 17 00:00:00 2001 +From: Nikos Tsironis +Date: Wed, 31 Oct 2018 17:53:09 -0400 +Subject: dm kcopyd: Fix bug causing workqueue stalls + +[ Upstream commit d7e6b8dfc7bcb3f4f3a18313581f67486a725b52 ] + +When using kcopyd to run callbacks through dm_kcopyd_do_callback() or +submitting copy jobs with a source size of 0, the jobs are pushed +directly to the complete_jobs list, which could be under processing by +the kcopyd thread. As a result, the kcopyd thread can continue running +completed jobs indefinitely, without releasing the CPU, as long as +someone keeps submitting new completed jobs through the aforementioned +paths. Processing of work items, queued for execution on the same CPU as +the currently running kcopyd thread, is thus stalled for excessive +amounts of time, hurting performance. + +Running the following test, from the device mapper test suite [1], + + dmtest run --suite snapshot -n parallel_io_to_many_snaps_N + +, with 8 active snapshots, we get, in dmesg, messages like the +following: + +[68899.948523] BUG: workqueue lockup - pool cpus=0 node=0 flags=0x0 nice=0 stuck for 95s! +[68899.949282] Showing busy workqueues and worker pools: +[68899.949288] workqueue events: flags=0x0 +[68899.949295] pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=2/256 +[68899.949306] pending: vmstat_shepherd, cache_reap +[68899.949331] workqueue mm_percpu_wq: flags=0x8 +[68899.949337] pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=1/256 +[68899.949345] pending: vmstat_update +[68899.949387] workqueue dm_bufio_cache: flags=0x8 +[68899.949392] pwq 4: cpus=2 node=0 flags=0x0 nice=0 active=1/256 +[68899.949400] pending: work_fn [dm_bufio] +[68899.949423] workqueue kcopyd: flags=0x8 +[68899.949429] pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=1/256 +[68899.949437] pending: do_work [dm_mod] +[68899.949452] workqueue kcopyd: flags=0x8 +[68899.949458] pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=2/256 +[68899.949466] in-flight: 13:do_work [dm_mod] +[68899.949474] pending: do_work [dm_mod] +[68899.949487] workqueue kcopyd: flags=0x8 +[68899.949493] pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=1/256 +[68899.949501] pending: do_work [dm_mod] +[68899.949515] workqueue kcopyd: flags=0x8 +[68899.949521] pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=1/256 +[68899.949529] pending: do_work [dm_mod] +[68899.949541] workqueue kcopyd: flags=0x8 +[68899.949547] pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=1/256 +[68899.949555] pending: do_work [dm_mod] +[68899.949568] pool 0: cpus=0 node=0 flags=0x0 nice=0 hung=95s workers=4 idle: 27130 27223 1084 + +Fix this by splitting the complete_jobs list into two parts: A user +facing part, named callback_jobs, and one used internally by kcopyd, +retaining the name complete_jobs. dm_kcopyd_do_callback() and +dispatch_job() now push their jobs to the callback_jobs list, which is +spliced to the complete_jobs list once, every time the kcopyd thread +wakes up. This prevents kcopyd from hogging the CPU indefinitely and +causing workqueue stalls. + +Re-running the aforementioned test: + + * Workqueue stalls are eliminated + * The maximum writing time among all targets is reduced from 09m37.10s + to 06m04.85s and the total run time of the test is reduced from + 10m43.591s to 7m19.199s + +[1] https://github.com/jthornber/device-mapper-test-suite + +Signed-off-by: Nikos Tsironis +Signed-off-by: Ilias Tsitsimpis +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-kcopyd.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/drivers/md/dm-kcopyd.c b/drivers/md/dm-kcopyd.c +index 2fc4213e02b5..671c24332802 100644 +--- a/drivers/md/dm-kcopyd.c ++++ b/drivers/md/dm-kcopyd.c +@@ -56,15 +56,17 @@ struct dm_kcopyd_client { + atomic_t nr_jobs; + + /* +- * We maintain three lists of jobs: ++ * We maintain four lists of jobs: + * + * i) jobs waiting for pages + * ii) jobs that have pages, and are waiting for the io to be issued. +- * iii) jobs that have completed. ++ * iii) jobs that don't need to do any IO and just run a callback ++ * iv) jobs that have completed. + * +- * All three of these are protected by job_lock. ++ * All four of these are protected by job_lock. + */ + spinlock_t job_lock; ++ struct list_head callback_jobs; + struct list_head complete_jobs; + struct list_head io_jobs; + struct list_head pages_jobs; +@@ -625,6 +627,7 @@ static void do_work(struct work_struct *work) + struct dm_kcopyd_client *kc = container_of(work, + struct dm_kcopyd_client, kcopyd_work); + struct blk_plug plug; ++ unsigned long flags; + + /* + * The order that these are called is *very* important. +@@ -633,6 +636,10 @@ static void do_work(struct work_struct *work) + * list. io jobs call wake when they complete and it all + * starts again. + */ ++ spin_lock_irqsave(&kc->job_lock, flags); ++ list_splice_tail_init(&kc->callback_jobs, &kc->complete_jobs); ++ spin_unlock_irqrestore(&kc->job_lock, flags); ++ + blk_start_plug(&plug); + process_jobs(&kc->complete_jobs, kc, run_complete_job); + process_jobs(&kc->pages_jobs, kc, run_pages_job); +@@ -650,7 +657,7 @@ static void dispatch_job(struct kcopyd_job *job) + struct dm_kcopyd_client *kc = job->kc; + atomic_inc(&kc->nr_jobs); + if (unlikely(!job->source.count)) +- push(&kc->complete_jobs, job); ++ push(&kc->callback_jobs, job); + else if (job->pages == &zero_page_list) + push(&kc->io_jobs, job); + else +@@ -858,7 +865,7 @@ void dm_kcopyd_do_callback(void *j, int read_err, unsigned long write_err) + job->read_err = read_err; + job->write_err = write_err; + +- push(&kc->complete_jobs, job); ++ push(&kc->callback_jobs, job); + wake(kc); + } + EXPORT_SYMBOL(dm_kcopyd_do_callback); +@@ -888,6 +895,7 @@ struct dm_kcopyd_client *dm_kcopyd_client_create(struct dm_kcopyd_throttle *thro + return ERR_PTR(-ENOMEM); + + spin_lock_init(&kc->job_lock); ++ INIT_LIST_HEAD(&kc->callback_jobs); + INIT_LIST_HEAD(&kc->complete_jobs); + INIT_LIST_HEAD(&kc->io_jobs); + INIT_LIST_HEAD(&kc->pages_jobs); +@@ -939,6 +947,7 @@ void dm_kcopyd_client_destroy(struct dm_kcopyd_client *kc) + /* Wait for completion of all jobs submitted by this client. */ + wait_event(kc->destroyq, !atomic_read(&kc->nr_jobs)); + ++ BUG_ON(!list_empty(&kc->callback_jobs)); + BUG_ON(!list_empty(&kc->complete_jobs)); + BUG_ON(!list_empty(&kc->io_jobs)); + BUG_ON(!list_empty(&kc->pages_jobs)); +-- +2.19.1 + diff --git a/queue-4.19/dm-snapshot-fix-excessive-memory-usage-and-workqueue.patch b/queue-4.19/dm-snapshot-fix-excessive-memory-usage-and-workqueue.patch new file mode 100644 index 00000000000..4d21ab024ea --- /dev/null +++ b/queue-4.19/dm-snapshot-fix-excessive-memory-usage-and-workqueue.patch @@ -0,0 +1,225 @@ +From e4ee2db53de21e4f4e23ed6e9ec150e4ad1d6f35 Mon Sep 17 00:00:00 2001 +From: Nikos Tsironis +Date: Wed, 31 Oct 2018 17:53:08 -0400 +Subject: dm snapshot: Fix excessive memory usage and workqueue stalls + +[ Upstream commit 721b1d98fb517ae99ab3b757021cf81db41e67be ] + +kcopyd has no upper limit to the number of jobs one can allocate and +issue. Under certain workloads this can lead to excessive memory usage +and workqueue stalls. For example, when creating multiple dm-snapshot +targets with a 4K chunk size and then writing to the origin through the +page cache. Syncing the page cache causes a large number of BIOs to be +issued to the dm-snapshot origin target, which itself issues an even +larger (because of the BIO splitting taking place) number of kcopyd +jobs. + +Running the following test, from the device mapper test suite [1], + + dmtest run --suite snapshot -n many_snapshots_of_same_volume_N + +, with 8 active snapshots, results in the kcopyd job slab cache growing +to 10G. Depending on the available system RAM this can lead to the OOM +killer killing user processes: + +[463.492878] kthreadd invoked oom-killer: gfp_mask=0x6040c0(GFP_KERNEL|__GFP_COMP), + nodemask=(null), order=1, oom_score_adj=0 +[463.492894] kthreadd cpuset=/ mems_allowed=0 +[463.492948] CPU: 7 PID: 2 Comm: kthreadd Not tainted 4.19.0-rc7 #3 +[463.492950] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 +[463.492952] Call Trace: +[463.492964] dump_stack+0x7d/0xbb +[463.492973] dump_header+0x6b/0x2fc +[463.492987] ? lockdep_hardirqs_on+0xee/0x190 +[463.493012] oom_kill_process+0x302/0x370 +[463.493021] out_of_memory+0x113/0x560 +[463.493030] __alloc_pages_slowpath+0xf40/0x1020 +[463.493055] __alloc_pages_nodemask+0x348/0x3c0 +[463.493067] cache_grow_begin+0x81/0x8b0 +[463.493072] ? cache_grow_begin+0x874/0x8b0 +[463.493078] fallback_alloc+0x1e4/0x280 +[463.493092] kmem_cache_alloc_node+0xd6/0x370 +[463.493098] ? copy_process.part.31+0x1c5/0x20d0 +[463.493105] copy_process.part.31+0x1c5/0x20d0 +[463.493115] ? __lock_acquire+0x3cc/0x1550 +[463.493121] ? __switch_to_asm+0x34/0x70 +[463.493129] ? kthread_create_worker_on_cpu+0x70/0x70 +[463.493135] ? finish_task_switch+0x90/0x280 +[463.493165] _do_fork+0xe0/0x6d0 +[463.493191] ? kthreadd+0x19f/0x220 +[463.493233] kernel_thread+0x25/0x30 +[463.493235] kthreadd+0x1bf/0x220 +[463.493242] ? kthread_create_on_cpu+0x90/0x90 +[463.493248] ret_from_fork+0x3a/0x50 +[463.493279] Mem-Info: +[463.493285] active_anon:20631 inactive_anon:4831 isolated_anon:0 +[463.493285] active_file:80216 inactive_file:80107 isolated_file:435 +[463.493285] unevictable:0 dirty:51266 writeback:109372 unstable:0 +[463.493285] slab_reclaimable:31191 slab_unreclaimable:3483521 +[463.493285] mapped:526 shmem:4903 pagetables:1759 bounce:0 +[463.493285] free:33623 free_pcp:2392 free_cma:0 +... +[463.493489] Unreclaimable slab info: +[463.493513] Name Used Total +[463.493522] bio-6 1028KB 1028KB +[463.493525] bio-5 1028KB 1028KB +[463.493528] dm_snap_pending_exception 236783KB 243789KB +[463.493531] dm_exception 41KB 42KB +[463.493534] bio-4 1216KB 1216KB +[463.493537] bio-3 439396KB 439396KB +[463.493539] kcopyd_job 6973427KB 6973427KB +... +[463.494340] Out of memory: Kill process 1298 (ruby2.3) score 1 or sacrifice child +[463.494673] Killed process 1298 (ruby2.3) total-vm:435740kB, anon-rss:20180kB, file-rss:4kB, shmem-rss:0kB +[463.506437] oom_reaper: reaped process 1298 (ruby2.3), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB + +Moreover, issuing a large number of kcopyd jobs results in kcopyd +hogging the CPU, while processing them. As a result, processing of work +items, queued for execution on the same CPU as the currently running +kcopyd thread, is stalled for long periods of time, hurting performance. +Running the aforementioned test we get, in dmesg, messages like the +following: + +[67501.194592] BUG: workqueue lockup - pool cpus=4 node=0 flags=0x0 nice=0 stuck for 27s! +[67501.195586] Showing busy workqueues and worker pools: +[67501.195591] workqueue events: flags=0x0 +[67501.195597] pwq 8: cpus=4 node=0 flags=0x0 nice=0 active=1/256 +[67501.195611] pending: cache_reap +[67501.195641] workqueue mm_percpu_wq: flags=0x8 +[67501.195645] pwq 8: cpus=4 node=0 flags=0x0 nice=0 active=1/256 +[67501.195656] pending: vmstat_update +[67501.195682] workqueue kblockd: flags=0x18 +[67501.195687] pwq 5: cpus=2 node=0 flags=0x0 nice=-20 active=1/256 +[67501.195698] pending: blk_timeout_work +[67501.195753] workqueue kcopyd: flags=0x8 +[67501.195757] pwq 8: cpus=4 node=0 flags=0x0 nice=0 active=1/256 +[67501.195768] pending: do_work [dm_mod] +[67501.195802] workqueue kcopyd: flags=0x8 +[67501.195806] pwq 8: cpus=4 node=0 flags=0x0 nice=0 active=1/256 +[67501.195817] pending: do_work [dm_mod] +[67501.195834] workqueue kcopyd: flags=0x8 +[67501.195838] pwq 8: cpus=4 node=0 flags=0x0 nice=0 active=1/256 +[67501.195848] pending: do_work [dm_mod] +[67501.195881] workqueue kcopyd: flags=0x8 +[67501.195885] pwq 8: cpus=4 node=0 flags=0x0 nice=0 active=1/256 +[67501.195896] pending: do_work [dm_mod] +[67501.195920] workqueue kcopyd: flags=0x8 +[67501.195924] pwq 8: cpus=4 node=0 flags=0x0 nice=0 active=2/256 +[67501.195935] in-flight: 67:do_work [dm_mod] +[67501.195945] pending: do_work [dm_mod] +[67501.195961] pool 8: cpus=4 node=0 flags=0x0 nice=0 hung=27s workers=3 idle: 129 23765 + +The root cause for these issues is the way dm-snapshot uses kcopyd. In +particular, the lack of an explicit or implicit limit to the maximum +number of in-flight COW jobs. The merging path is not affected because +it implicitly limits the in-flight kcopyd jobs to one. + +Fix these issues by using a semaphore to limit the maximum number of +in-flight kcopyd jobs. We grab the semaphore before allocating a new +kcopyd job in start_copy() and start_full_bio() and release it after the +job finishes in copy_callback(). + +The initial semaphore value is configurable through a module parameter, +to allow fine tuning the maximum number of in-flight COW jobs. Setting +this parameter to zero initializes the semaphore to INT_MAX. + +A default value of 2048 maximum in-flight kcopyd jobs was chosen. This +value was decided experimentally as a trade-off between memory +consumption, stalling the kernel's workqueues and maintaining a high +enough throughput. + +Re-running the aforementioned test: + + * Workqueue stalls are eliminated + * kcopyd's job slab cache uses a maximum of 130MB + * The time taken by the test to write to the snapshot-origin target is + reduced from 05m20.48s to 03m26.38s + +[1] https://github.com/jthornber/device-mapper-test-suite + +Signed-off-by: Nikos Tsironis +Signed-off-by: Ilias Tsitsimpis +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-snap.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c +index ae4b33d10924..36805b12661e 100644 +--- a/drivers/md/dm-snap.c ++++ b/drivers/md/dm-snap.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + + #include "dm.h" + +@@ -105,6 +106,9 @@ struct dm_snapshot { + /* The on disk metadata handler */ + struct dm_exception_store *store; + ++ /* Maximum number of in-flight COW jobs. */ ++ struct semaphore cow_count; ++ + struct dm_kcopyd_client *kcopyd_client; + + /* Wait for events based on state_bits */ +@@ -145,6 +149,19 @@ struct dm_snapshot { + #define RUNNING_MERGE 0 + #define SHUTDOWN_MERGE 1 + ++/* ++ * Maximum number of chunks being copied on write. ++ * ++ * The value was decided experimentally as a trade-off between memory ++ * consumption, stalling the kernel's workqueues and maintaining a high enough ++ * throughput. ++ */ ++#define DEFAULT_COW_THRESHOLD 2048 ++ ++static int cow_threshold = DEFAULT_COW_THRESHOLD; ++module_param_named(snapshot_cow_threshold, cow_threshold, int, 0644); ++MODULE_PARM_DESC(snapshot_cow_threshold, "Maximum number of chunks being copied on write"); ++ + DECLARE_DM_KCOPYD_THROTTLE_WITH_MODULE_PARM(snapshot_copy_throttle, + "A percentage of time allocated for copy on write"); + +@@ -1190,6 +1207,8 @@ static int snapshot_ctr(struct dm_target *ti, unsigned int argc, char **argv) + goto bad_hash_tables; + } + ++ sema_init(&s->cow_count, (cow_threshold > 0) ? cow_threshold : INT_MAX); ++ + s->kcopyd_client = dm_kcopyd_client_create(&dm_kcopyd_throttle); + if (IS_ERR(s->kcopyd_client)) { + r = PTR_ERR(s->kcopyd_client); +@@ -1575,6 +1594,7 @@ static void copy_callback(int read_err, unsigned long write_err, void *context) + rb_link_node(&pe->out_of_order_node, parent, p); + rb_insert_color(&pe->out_of_order_node, &s->out_of_order_tree); + } ++ up(&s->cow_count); + } + + /* +@@ -1598,6 +1618,7 @@ static void start_copy(struct dm_snap_pending_exception *pe) + dest.count = src.count; + + /* Hand over to kcopyd */ ++ down(&s->cow_count); + dm_kcopyd_copy(s->kcopyd_client, &src, 1, &dest, 0, copy_callback, pe); + } + +@@ -1617,6 +1638,7 @@ static void start_full_bio(struct dm_snap_pending_exception *pe, + pe->full_bio = bio; + pe->full_bio_end_io = bio->bi_end_io; + ++ down(&s->cow_count); + callback_data = dm_kcopyd_prepare_callback(s->kcopyd_client, + copy_callback, pe); + +-- +2.19.1 + diff --git a/queue-4.19/drm-amd-display-guard-against-null-stream_state-in-s.patch b/queue-4.19/drm-amd-display-guard-against-null-stream_state-in-s.patch new file mode 100644 index 00000000000..02cf7c0efa9 --- /dev/null +++ b/queue-4.19/drm-amd-display-guard-against-null-stream_state-in-s.patch @@ -0,0 +1,47 @@ +From 88d06d9cdf83afe203c94eda2701c3051245d1c1 Mon Sep 17 00:00:00 2001 +From: Nicholas Kazlauskas +Date: Thu, 18 Oct 2018 15:49:41 -0400 +Subject: drm/amd/display: Guard against null stream_state in set_crc_source + +[ Upstream commit f41a895026b8cb6f765190de7d2e7bc3ccbbd183 ] + +[Why] + +The igt@kms_plane@pixel-format-pipe tests can create a sequence where +stream_state is NULL during amdgpu_dm_crtc_set_crc_source which results +in a null pointer dereference. + +[How] + +Guard against stream_state being NULL before accessing its fields. This +doesn't fix the root cause of the issue so a DRM_ERROR is generated +to still fail the tests. + +Signed-off-by: Nicholas Kazlauskas +Reviewed-by: David Francis +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c +index 9bfb040352e9..6a6d977ddd7a 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c +@@ -60,6 +60,11 @@ int amdgpu_dm_crtc_set_crc_source(struct drm_crtc *crtc, const char *src_name, + return -EINVAL; + } + ++ if (!stream_state) { ++ DRM_ERROR("No stream state for CRTC%d\n", crtc->index); ++ return -EINVAL; ++ } ++ + /* When enabling CRC, we should also disable dithering. */ + if (source == AMDGPU_DM_PIPE_CRC_SOURCE_AUTO) { + if (dc_stream_configure_crc(stream_state->ctx->dc, +-- +2.19.1 + diff --git a/queue-4.19/drm-amdgpu-reorder-uvd-ring-init-before-uvd-resume.patch b/queue-4.19/drm-amdgpu-reorder-uvd-ring-init-before-uvd-resume.patch new file mode 100644 index 00000000000..66b416e254a --- /dev/null +++ b/queue-4.19/drm-amdgpu-reorder-uvd-ring-init-before-uvd-resume.patch @@ -0,0 +1,197 @@ +From a248a835b1f377cc1f2a66fc2e7000622d9eb06e Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Fri, 16 Nov 2018 09:34:24 +0000 +Subject: drm/amdgpu: Reorder uvd ring init before uvd resume +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 3b34c14fd50c302db091f020f26dd00ede902c80 ] + +As amd_uvd_resume() accesses the uvd ring, it must be initialised first +or else we trigger errors like: + +[ 5.595963] [drm] Found UVD firmware Version: 1.87 Family ID: 17 +[ 5.595969] [drm] PSP loading UVD firmware +[ 5.596266] ------------[ cut here ]------------ +[ 5.596268] ODEBUG: assert_init not available (active state 0) object type: timer_list hint: (null) +[ 5.596285] WARNING: CPU: 0 PID: 507 at lib/debugobjects.c:329 debug_print_object+0x6a/0x80 +[ 5.596286] Modules linked in: amdgpu(+) hid_logitech_hidpp(+) chash gpu_sched amd_iommu_v2 ttm drm_kms_helper crc32c_intel drm hid_sony ff_memless igb hid_logitech_dj nvme dca i2c_algo_bit nvme_core wmi pinctrl_amd uas usb_storage +[ 5.596299] CPU: 0 PID: 507 Comm: systemd-udevd Tainted: G W 4.20.0-0.rc1.git4.1.fc30.x86_64 #1 +[ 5.596301] Hardware name: System manufacturer System Product Name/ROG STRIX X470-I GAMING, BIOS 0901 07/23/2018 +[ 5.596303] RIP: 0010:debug_print_object+0x6a/0x80 +[ 5.596305] Code: 8b 43 10 83 c2 01 8b 4b 14 4c 89 e6 89 15 e6 82 b0 02 4c 8b 45 00 48 c7 c7 60 fd 34 a6 48 8b 14 c5 a0 da 08 a6 e8 6a 6a b8 ff <0f> 0b 5b 83 05 d0 45 3e 01 01 5d 41 5c c3 83 05 c5 45 3e 01 01 c3 +[ 5.596306] RSP: 0018:ffffa02ac863f8c0 EFLAGS: 00010282 +[ 5.596307] RAX: 0000000000000000 RBX: ffffa02ac863f8e0 RCX: 0000000000000006 +[ 5.596308] RDX: 0000000000000007 RSI: ffff9160e9a7bfe8 RDI: ffff9160f91d6c60 +[ 5.596310] RBP: ffffffffa6742740 R08: 0000000000000002 R09: 0000000000000000 +[ 5.596311] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa634ff69 +[ 5.596312] R13: 00000000000b79d0 R14: ffffffffa80f76d8 R15: 0000000000266000 +[ 5.596313] FS: 00007f762abf7940(0000) GS:ffff9160f9000000(0000) knlGS:0000000000000000 +[ 5.596314] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 5.596315] CR2: 000055fdc593f000 CR3: 00000007e999c000 CR4: 00000000003406f0 +[ 5.596317] Call Trace: +[ 5.596321] debug_object_assert_init+0x14a/0x180 +[ 5.596327] del_timer+0x2e/0x90 +[ 5.596383] amdgpu_fence_process+0x47/0x100 [amdgpu] +[ 5.596430] amdgpu_uvd_resume+0xf6/0x120 [amdgpu] +[ 5.596475] uvd_v7_0_sw_init+0xe0/0x280 [amdgpu] +[ 5.596523] amdgpu_device_init.cold.30+0xf97/0x14b6 [amdgpu] +[ 5.596563] ? amdgpu_driver_load_kms+0x53/0x330 [amdgpu] +[ 5.596604] amdgpu_driver_load_kms+0x86/0x330 [amdgpu] +[ 5.596614] drm_dev_register+0x115/0x150 [drm] +[ 5.596654] amdgpu_pci_probe+0xbd/0x120 [amdgpu] +[ 5.596658] local_pci_probe+0x41/0x90 +[ 5.596661] pci_device_probe+0x188/0x1a0 +[ 5.596666] really_probe+0xf8/0x3b0 +[ 5.596669] driver_probe_device+0xb3/0xf0 +[ 5.596672] __driver_attach+0xe1/0x110 +[ 5.596674] ? driver_probe_device+0xf0/0xf0 +[ 5.596676] bus_for_each_dev+0x79/0xc0 +[ 5.596679] bus_add_driver+0x155/0x230 +[ 5.596681] ? 0xffffffffc07d9000 +[ 5.596683] driver_register+0x6b/0xb0 +[ 5.596685] ? 0xffffffffc07d9000 +[ 5.596688] do_one_initcall+0x5d/0x2be +[ 5.596691] ? rcu_read_lock_sched_held+0x79/0x80 +[ 5.596693] ? kmem_cache_alloc_trace+0x264/0x290 +[ 5.596695] ? do_init_module+0x22/0x210 +[ 5.596698] do_init_module+0x5a/0x210 +[ 5.596701] load_module+0x2137/0x2430 +[ 5.596703] ? lockdep_hardirqs_on+0xed/0x180 +[ 5.596714] ? __do_sys_init_module+0x150/0x1a0 +[ 5.596715] __do_sys_init_module+0x150/0x1a0 +[ 5.596722] do_syscall_64+0x60/0x1f0 +[ 5.596725] entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 5.596726] RIP: 0033:0x7f762b877dee +[ 5.596728] Code: 48 8b 0d 9d 20 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 af 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6a 20 0c 00 f7 d8 64 89 01 48 +[ 5.596729] RSP: 002b:00007ffc777b8558 EFLAGS: 00000246 ORIG_RAX: 00000000000000af +[ 5.596730] RAX: ffffffffffffffda RBX: 000055fdc48da320 RCX: 00007f762b877dee +[ 5.596731] RDX: 00007f762b9f284d RSI: 00000000006c5fc6 RDI: 000055fdc527a060 +[ 5.596732] RBP: 00007f762b9f284d R08: 0000000000000003 R09: 0000000000000002 +[ 5.596733] R10: 000055fdc48ad010 R11: 0000000000000246 R12: 000055fdc527a060 +[ 5.596734] R13: 000055fdc48dca20 R14: 0000000000020000 R15: 0000000000000000 +[ 5.596740] irq event stamp: 134618 +[ 5.596743] hardirqs last enabled at (134617): [] console_unlock+0x45e/0x610 +[ 5.596744] hardirqs last disabled at (134618): [] trace_hardirqs_off_thunk+0x1a/0x1c +[ 5.596746] softirqs last enabled at (133146): [] __do_softirq+0x365/0x47c +[ 5.596748] softirqs last disabled at (133139): [] irq_exit+0x119/0x120 +[ 5.596749] ---[ end trace eaee508abfebccdc ]--- + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108709 +Reviewed-by: Christian König +Signed-off-by: Chris Wilson +Cc: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c | 8 ++++---- + drivers/gpu/drm/amd/amdgpu/uvd_v5_0.c | 8 ++++---- + drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c | 8 ++++---- + drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c | 8 ++++---- + 4 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c b/drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c +index 8a926d1df939..2b4199adcd94 100644 +--- a/drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c ++++ b/drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c +@@ -116,16 +116,16 @@ static int uvd_v4_2_sw_init(void *handle) + if (r) + return r; + +- r = amdgpu_uvd_resume(adev); +- if (r) +- return r; +- + ring = &adev->uvd.inst->ring; + sprintf(ring->name, "uvd"); + r = amdgpu_ring_init(adev, ring, 512, &adev->uvd.inst->irq, 0); + if (r) + return r; + ++ r = amdgpu_uvd_resume(adev); ++ if (r) ++ return r; ++ + r = amdgpu_uvd_entity_init(adev); + + return r; +diff --git a/drivers/gpu/drm/amd/amdgpu/uvd_v5_0.c b/drivers/gpu/drm/amd/amdgpu/uvd_v5_0.c +index 50248059412e..88c006c5ee2c 100644 +--- a/drivers/gpu/drm/amd/amdgpu/uvd_v5_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/uvd_v5_0.c +@@ -113,16 +113,16 @@ static int uvd_v5_0_sw_init(void *handle) + if (r) + return r; + +- r = amdgpu_uvd_resume(adev); +- if (r) +- return r; +- + ring = &adev->uvd.inst->ring; + sprintf(ring->name, "uvd"); + r = amdgpu_ring_init(adev, ring, 512, &adev->uvd.inst->irq, 0); + if (r) + return r; + ++ r = amdgpu_uvd_resume(adev); ++ if (r) ++ return r; ++ + r = amdgpu_uvd_entity_init(adev); + + return r; +diff --git a/drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c b/drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c +index 6ae82cc2e55e..d4070839ac80 100644 +--- a/drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c +@@ -420,16 +420,16 @@ static int uvd_v6_0_sw_init(void *handle) + DRM_INFO("UVD ENC is disabled\n"); + } + +- r = amdgpu_uvd_resume(adev); +- if (r) +- return r; +- + ring = &adev->uvd.inst->ring; + sprintf(ring->name, "uvd"); + r = amdgpu_ring_init(adev, ring, 512, &adev->uvd.inst->irq, 0); + if (r) + return r; + ++ r = amdgpu_uvd_resume(adev); ++ if (r) ++ return r; ++ + if (uvd_v6_0_enc_support(adev)) { + for (i = 0; i < adev->uvd.num_enc_rings; ++i) { + ring = &adev->uvd.inst->ring_enc[i]; +diff --git a/drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c b/drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c +index 9b7f8469bc5c..057151b17b45 100644 +--- a/drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c +@@ -444,10 +444,6 @@ static int uvd_v7_0_sw_init(void *handle) + DRM_INFO("PSP loading UVD firmware\n"); + } + +- r = amdgpu_uvd_resume(adev); +- if (r) +- return r; +- + for (j = 0; j < adev->uvd.num_uvd_inst; j++) { + if (adev->uvd.harvest_config & (1 << j)) + continue; +@@ -479,6 +475,10 @@ static int uvd_v7_0_sw_init(void *handle) + } + } + ++ r = amdgpu_uvd_resume(adev); ++ if (r) ++ return r; ++ + r = amdgpu_uvd_entity_init(adev); + if (r) + return r; +-- +2.19.1 + diff --git a/queue-4.19/drm-amdkfd-fix-interrupt-spin-lock.patch b/queue-4.19/drm-amdkfd-fix-interrupt-spin-lock.patch new file mode 100644 index 00000000000..0e8d7260bb5 --- /dev/null +++ b/queue-4.19/drm-amdkfd-fix-interrupt-spin-lock.patch @@ -0,0 +1,83 @@ +From 09ce133c2eba83a2e64a2f982801626a3c73189f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20K=C3=B6nig?= +Date: Fri, 2 Nov 2018 14:46:24 +0100 +Subject: drm/amdkfd: fix interrupt spin lock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 2383a767c0ca06f96534456d8313909017c6c8d0 ] + +Vega10 has multiple interrupt rings, so this can be called from multiple +calles at the same time resulting in: + +[ 71.779334] ================================ +[ 71.779406] WARNING: inconsistent lock state +[ 71.779478] 4.19.0-rc1+ #44 Tainted: G W +[ 71.779565] -------------------------------- +[ 71.779637] inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. +[ 71.779740] kworker/6:1/120 [HC0[0]:SC0[0]:HE1:SE1] takes: +[ 71.779832] 00000000ad761971 (&(&kfd->interrupt_lock)->rlock){?...}, +at: kgd2kfd_interrupt+0x75/0x100 [amdgpu] +[ 71.780058] {IN-HARDIRQ-W} state was registered at: +[ 71.780115] _raw_spin_lock+0x2c/0x40 +[ 71.780180] kgd2kfd_interrupt+0x75/0x100 [amdgpu] +[ 71.780248] amdgpu_irq_callback+0x6c/0x150 [amdgpu] +[ 71.780315] amdgpu_ih_process+0x88/0x100 [amdgpu] +[ 71.780380] amdgpu_irq_handler+0x20/0x40 [amdgpu] +[ 71.780409] __handle_irq_event_percpu+0x49/0x2a0 +[ 71.780436] handle_irq_event_percpu+0x30/0x70 +[ 71.780461] handle_irq_event+0x37/0x60 +[ 71.780484] handle_edge_irq+0x83/0x1b0 +[ 71.780506] handle_irq+0x1f/0x30 +[ 71.780526] do_IRQ+0x53/0x110 +[ 71.780544] ret_from_intr+0x0/0x22 +[ 71.780566] cpuidle_enter_state+0xaa/0x330 +[ 71.780591] do_idle+0x203/0x280 +[ 71.780610] cpu_startup_entry+0x6f/0x80 +[ 71.780634] start_secondary+0x1b0/0x200 +[ 71.780657] secondary_startup_64+0xa4/0xb0 + +Fix this by always using irq save spin locks. + +Signed-off-by: Christian König +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_device.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device.c b/drivers/gpu/drm/amd/amdkfd/kfd_device.c +index 1427675d0e5a..5aba50f63ac6 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c +@@ -661,6 +661,7 @@ void kgd2kfd_interrupt(struct kfd_dev *kfd, const void *ih_ring_entry) + { + uint32_t patched_ihre[KFD_MAX_RING_ENTRY_SIZE]; + bool is_patched = false; ++ unsigned long flags; + + if (!kfd->init_complete) + return; +@@ -670,7 +671,7 @@ void kgd2kfd_interrupt(struct kfd_dev *kfd, const void *ih_ring_entry) + return; + } + +- spin_lock(&kfd->interrupt_lock); ++ spin_lock_irqsave(&kfd->interrupt_lock, flags); + + if (kfd->interrupts_active + && interrupt_is_wanted(kfd, ih_ring_entry, +@@ -679,7 +680,7 @@ void kgd2kfd_interrupt(struct kfd_dev *kfd, const void *ih_ring_entry) + is_patched ? patched_ihre : ih_ring_entry)) + queue_work(kfd->ih_wq, &kfd->interrupt_work); + +- spin_unlock(&kfd->interrupt_lock); ++ spin_unlock_irqrestore(&kfd->interrupt_lock, flags); + } + + int kgd2kfd_quiesce_mm(struct mm_struct *mm) +-- +2.19.1 + diff --git a/queue-4.19/drm-atomic-helper-complete-fake_commit-flip_done-pot.patch b/queue-4.19/drm-atomic-helper-complete-fake_commit-flip_done-pot.patch new file mode 100644 index 00000000000..8bbcd08d2a9 --- /dev/null +++ b/queue-4.19/drm-atomic-helper-complete-fake_commit-flip_done-pot.patch @@ -0,0 +1,67 @@ +From e7189e7974a92afeaf40ec7e0f33eae219310d88 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Thu, 22 Nov 2018 16:34:11 +0200 +Subject: drm/atomic-helper: Complete fake_commit->flip_done potentially + earlier +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 2de42f79bb21a412f40ade8831eb6fc445cb78a4 ] + +Consider the following scenario: +1. nonblocking enable crtc +2. wait for the event +3. nonblocking disable crtc + +On i915 this can lead to a spurious -EBUSY from step 3 on +account of non-enabled planes getting the fake_commit in step 1 +and we don't complete the fake_commit-> flip_done until +drm_atomic_helper_commit_hw_done() which can happen a long +time after the flip event was sent out. + +This will become somewhat easy to hit on SKL+ once we start +to add all the planes for the crtc to every modeset commit +for the purposes of forcing a watermark register programming +[1]. + +To make the race a little less pronounced let's complete +fake_commit->flip_done after drm_atomic_helper_wait_for_flip_done(). +For the single crtc case this should make the race quite +theoretical, assuming drm_atomic_helper_wait_for_flip_done() +actually has to wait for the real commit flip_done. In case +the real commit flip_done gets completed singificantly before +drm_atomic_helper_wait_for_flip_done(), or we are dealing with +multiple crtcs whose vblanks don't line up nicely the race still +exists. + +[1] https://patchwork.freedesktop.org/patch/262670/ + +Cc: Maarten Lankhorst +Fixes: 080de2e5be2d ("drm/atomic: Check for busy planes/connectors before setting the commit") +Testcase: igt/kms_cursor_legacy/*nonblocking-modeset-vs-cursor-atomic +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20181122143412.11655-1-ville.syrjala@linux.intel.com +Reviewed-by: Maarten Lankhorst +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_atomic_helper.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c +index 1bb4c318bdd4..f77bff5aa307 100644 +--- a/drivers/gpu/drm/drm_atomic_helper.c ++++ b/drivers/gpu/drm/drm_atomic_helper.c +@@ -1425,6 +1425,9 @@ void drm_atomic_helper_wait_for_flip_done(struct drm_device *dev, + DRM_ERROR("[CRTC:%d:%s] flip_done timed out\n", + crtc->base.id, crtc->name); + } ++ ++ if (old_state->fake_commit) ++ complete_all(&old_state->fake_commit->flip_done); + } + EXPORT_SYMBOL(drm_atomic_helper_wait_for_flip_done); + +-- +2.19.1 + diff --git a/queue-4.19/e1000e-allow-non-monotonic-systim-readings.patch b/queue-4.19/e1000e-allow-non-monotonic-systim-readings.patch new file mode 100644 index 00000000000..2f910a45b5b --- /dev/null +++ b/queue-4.19/e1000e-allow-non-monotonic-systim-readings.patch @@ -0,0 +1,71 @@ +From ca7bab1aa0bf461501ef7544352706ae98ad8dfe Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar +Date: Tue, 23 Oct 2018 14:37:39 +0200 +Subject: e1000e: allow non-monotonic SYSTIM readings + +[ Upstream commit e1f65b0d70e9e5c80e15105cd96fa00174d7c436 ] + +It seems with some NICs supported by the e1000e driver a SYSTIM reading +may occasionally be few microseconds before the previous reading and if +enabled also pass e1000e_sanitize_systim() without reaching the maximum +number of rereads, even if the function is modified to check three +consecutive readings (i.e. it doesn't look like a double read error). +This causes an underflow in the timecounter and the PHC time jumps hours +ahead. + +This was observed on 82574, I217 and I219. The fastest way to reproduce +it is to run a program that continuously calls the PTP_SYS_OFFSET ioctl +on the PHC. + +Modify e1000e_phc_gettime() to use timecounter_cyc2time() instead of +timecounter_read() in order to allow non-monotonic SYSTIM readings and +prevent the PHC from jumping. + +Cc: Richard Cochran +Signed-off-by: Miroslav Lichvar +Acked-by: Jacob Keller +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/ptp.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000e/ptp.c b/drivers/net/ethernet/intel/e1000e/ptp.c +index 37c76945ad9b..e1f821edbc21 100644 +--- a/drivers/net/ethernet/intel/e1000e/ptp.c ++++ b/drivers/net/ethernet/intel/e1000e/ptp.c +@@ -173,10 +173,14 @@ static int e1000e_phc_gettime(struct ptp_clock_info *ptp, struct timespec64 *ts) + struct e1000_adapter *adapter = container_of(ptp, struct e1000_adapter, + ptp_clock_info); + unsigned long flags; +- u64 ns; ++ u64 cycles, ns; + + spin_lock_irqsave(&adapter->systim_lock, flags); +- ns = timecounter_read(&adapter->tc); ++ ++ /* Use timecounter_cyc2time() to allow non-monotonic SYSTIM readings */ ++ cycles = adapter->cc.read(&adapter->cc); ++ ns = timecounter_cyc2time(&adapter->tc, cycles); ++ + spin_unlock_irqrestore(&adapter->systim_lock, flags); + + *ts = ns_to_timespec64(ns); +@@ -232,9 +236,12 @@ static void e1000e_systim_overflow_work(struct work_struct *work) + systim_overflow_work.work); + struct e1000_hw *hw = &adapter->hw; + struct timespec64 ts; ++ u64 ns; + +- adapter->ptp_clock_info.gettime64(&adapter->ptp_clock_info, &ts); ++ /* Update the timecounter */ ++ ns = timecounter_read(&adapter->tc); + ++ ts = ns_to_timespec64(ns); + e_dbg("SYSTIM overflow check at %lld.%09lu\n", + (long long) ts.tv_sec, ts.tv_nsec); + +-- +2.19.1 + diff --git a/queue-4.19/efi-libstub-disable-some-warnings-for-x86-_64.patch b/queue-4.19/efi-libstub-disable-some-warnings-for-x86-_64.patch new file mode 100644 index 00000000000..09a0959e284 --- /dev/null +++ b/queue-4.19/efi-libstub-disable-some-warnings-for-x86-_64.patch @@ -0,0 +1,76 @@ +From b090d714691571ce7642fc008d9c23842f661817 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Thu, 29 Nov 2018 18:12:26 +0100 +Subject: efi/libstub: Disable some warnings for x86{,_64} + +[ Upstream commit 3db5e0ba8b8f4aee631d7ee04b7a11c56cfdc213 ] + +When building the kernel with Clang, some disabled warnings appear +because this Makefile overrides KBUILD_CFLAGS for x86{,_64}. Add them to +this list so that the build is clean again. + +-Wpointer-sign was disabled for the whole kernel before the beginning of Git history. + +-Waddress-of-packed-member was disabled for the whole kernel and for +the early boot code in these commits: + + bfb38988c51e ("kbuild: clang: Disable 'address-of-packed-member' warning") + 20c6c1890455 ("x86/boot: Disable the address-of-packed-member compiler warning"). + +-Wgnu was disabled for the whole kernel and for the early boot code in +these commits: + + 61163efae020 ("kbuild: LLVMLinux: Add Kbuild support for building kernel with Clang") + 6c3b56b19730 ("x86/boot: Disable Clang warnings about GNU extensions"). + + [ mingo: Made the changelog more readable. ] + +Tested-by: Sedat Dilek +Signed-off-by: Nathan Chancellor +Signed-off-by: Ard Biesheuvel +Reviewed-by: Sedat Dilek +Cc: Andy Lutomirski +Cc: Arend van Spriel +Cc: Bhupesh Sharma +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: Eric Snowberg +Cc: Hans de Goede +Cc: Joe Perches +Cc: Jon Hunter +Cc: Julien Thierry +Cc: Linus Torvalds +Cc: Marc Zyngier +Cc: Matt Fleming +Cc: Peter Zijlstra +Cc: Sai Praneeth Prakhya +Cc: Thomas Gleixner +Cc: YiFei Zhu +Cc: linux-efi@vger.kernel.org +Link: http://lkml.kernel.org/r/20181129171230.18699-8-ard.biesheuvel@linaro.org +Link: https://github.com/ClangBuiltLinux/linux/issues/112 +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/Makefile | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile +index c51627660dbb..d9845099635e 100644 +--- a/drivers/firmware/efi/libstub/Makefile ++++ b/drivers/firmware/efi/libstub/Makefile +@@ -9,7 +9,10 @@ cflags-$(CONFIG_X86_32) := -march=i386 + cflags-$(CONFIG_X86_64) := -mcmodel=small + cflags-$(CONFIG_X86) += -m$(BITS) -D__KERNEL__ -O2 \ + -fPIC -fno-strict-aliasing -mno-red-zone \ +- -mno-mmx -mno-sse -fshort-wchar ++ -mno-mmx -mno-sse -fshort-wchar \ ++ -Wno-pointer-sign \ ++ $(call cc-disable-warning, address-of-packed-member) \ ++ $(call cc-disable-warning, gnu) + + # arm64 uses the full KBUILD_CFLAGS so it's necessary to explicitly + # disable the stackleak plugin +-- +2.19.1 + diff --git a/queue-4.19/fpga-altera-cvp-fix-probing-for-multiple-fpgas-on-th.patch b/queue-4.19/fpga-altera-cvp-fix-probing-for-multiple-fpgas-on-th.patch new file mode 100644 index 00000000000..74644223109 --- /dev/null +++ b/queue-4.19/fpga-altera-cvp-fix-probing-for-multiple-fpgas-on-th.patch @@ -0,0 +1,110 @@ +From f45c174135a162277c52befa4280bcf6df6d98b2 Mon Sep 17 00:00:00 2001 +From: Anatolij Gustschin +Date: Mon, 26 Nov 2018 11:35:27 -0600 +Subject: fpga: altera-cvp: fix probing for multiple FPGAs on the bus + +[ Upstream commit 30522a951f9d02f261d0697c35cb42205b1fae17 ] + +Currently registering CvP managers works only for first probed CvP +device, for all other devices it is refused due to duplicated chkcfg +sysfs entry: + +fpga_manager fpga3: Altera CvP FPGA Manager @0000:0c:00.0 registered +sysfs: cannot create duplicate filename '/bus/pci/drivers/altera-cvp/chkcfg' +CPU: 0 PID: 3808 Comm: bash Tainted: G O 4.19.0-custom+ #5 +Call Trace: + dump_stack+0x46/0x5b + sysfs_warn_dup+0x53/0x60 + sysfs_add_file_mode_ns+0x16d/0x180 + sysfs_create_file_ns+0x51/0x60 + altera_cvp_probe+0x16f/0x2a0 [altera_cvp] + local_pci_probe+0x3f/0xa0 + ? pci_match_device+0xb1/0xf0 + pci_device_probe+0x116/0x170 + really_probe+0x21b/0x2c0 + driver_probe_device+0x4b/0xe0 + bind_store+0xcb/0x130 + kernfs_fop_write+0xfd/0x180 + __vfs_write+0x21/0x150 + ? selinux_file_permission+0xdc/0x130 + vfs_write+0xa8/0x1a0 + ? find_vma+0xd/0x60 + ksys_write+0x3d/0x90 + do_syscall_64+0x44/0xf0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + ... + altera-cvp 0000:0c:00.0: Can't create sysfs chkcfg file + fpga_manager fpga3: fpga_mgr_unregister Altera CvP FPGA Manager @0000:0c:00.0 + +Move chkcfg creation to module init as suggested by Alan. + +Signed-off-by: Anatolij Gustschin +Acked-by: Alan Tull +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/fpga/altera-cvp.c | 34 ++++++++++++++++++++++++---------- + 1 file changed, 24 insertions(+), 10 deletions(-) + +diff --git a/drivers/fpga/altera-cvp.c b/drivers/fpga/altera-cvp.c +index 7fa793672a7a..68e4b2b98c8f 100644 +--- a/drivers/fpga/altera-cvp.c ++++ b/drivers/fpga/altera-cvp.c +@@ -468,14 +468,6 @@ static int altera_cvp_probe(struct pci_dev *pdev, + goto err_unmap; + } + +- ret = driver_create_file(&altera_cvp_driver.driver, +- &driver_attr_chkcfg); +- if (ret) { +- dev_err(&pdev->dev, "Can't create sysfs chkcfg file\n"); +- fpga_mgr_unregister(mgr); +- goto err_unmap; +- } +- + return 0; + + err_unmap: +@@ -493,7 +485,6 @@ static void altera_cvp_remove(struct pci_dev *pdev) + struct altera_cvp_conf *conf = mgr->priv; + u16 cmd; + +- driver_remove_file(&altera_cvp_driver.driver, &driver_attr_chkcfg); + fpga_mgr_unregister(mgr); + pci_iounmap(pdev, conf->map); + pci_release_region(pdev, CVP_BAR); +@@ -502,7 +493,30 @@ static void altera_cvp_remove(struct pci_dev *pdev) + pci_write_config_word(pdev, PCI_COMMAND, cmd); + } + +-module_pci_driver(altera_cvp_driver); ++static int __init altera_cvp_init(void) ++{ ++ int ret; ++ ++ ret = pci_register_driver(&altera_cvp_driver); ++ if (ret) ++ return ret; ++ ++ ret = driver_create_file(&altera_cvp_driver.driver, ++ &driver_attr_chkcfg); ++ if (ret) ++ pr_warn("Can't create sysfs chkcfg file\n"); ++ ++ return 0; ++} ++ ++static void __exit altera_cvp_exit(void) ++{ ++ driver_remove_file(&altera_cvp_driver.driver, &driver_attr_chkcfg); ++ pci_unregister_driver(&altera_cvp_driver); ++} ++ ++module_init(altera_cvp_init); ++module_exit(altera_cvp_exit); + + MODULE_LICENSE("GPL v2"); + MODULE_AUTHOR("Anatolij Gustschin "); +-- +2.19.1 + diff --git a/queue-4.19/gpio-pl061-move-irq_chip-definition-inside-struct-pl.patch b/queue-4.19/gpio-pl061-move-irq_chip-definition-inside-struct-pl.patch new file mode 100644 index 00000000000..37d582d78c6 --- /dev/null +++ b/queue-4.19/gpio-pl061-move-irq_chip-definition-inside-struct-pl.patch @@ -0,0 +1,86 @@ +From e2941c7e11ad450698125680fb0a70d471f504a5 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Wed, 24 Oct 2018 22:59:15 +0530 +Subject: gpio: pl061: Move irq_chip definition inside struct pl061 + +[ Upstream commit ed8dce4c6f726b7f3c6bf40859b92a9e32f189c1 ] + +Keeping the irq_chip definition static will make it shared with multiple +giochips in the system. This practice is considered to be bad and now we +will get the below warning from gpiolib core: + +"detected irqchip that is shared with multiple gpiochips: please fix the +driver." + +Hence, move the irq_chip definition from static to `struct pl061` for +using a unique irq_chip for each gpiochip. + +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-pl061.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +diff --git a/drivers/gpio/gpio-pl061.c b/drivers/gpio/gpio-pl061.c +index 2afd9de84a0d..dc42571e6fdc 100644 +--- a/drivers/gpio/gpio-pl061.c ++++ b/drivers/gpio/gpio-pl061.c +@@ -54,6 +54,7 @@ struct pl061 { + + void __iomem *base; + struct gpio_chip gc; ++ struct irq_chip irq_chip; + int parent_irq; + + #ifdef CONFIG_PM +@@ -281,15 +282,6 @@ static int pl061_irq_set_wake(struct irq_data *d, unsigned int state) + return irq_set_irq_wake(pl061->parent_irq, state); + } + +-static struct irq_chip pl061_irqchip = { +- .name = "pl061", +- .irq_ack = pl061_irq_ack, +- .irq_mask = pl061_irq_mask, +- .irq_unmask = pl061_irq_unmask, +- .irq_set_type = pl061_irq_type, +- .irq_set_wake = pl061_irq_set_wake, +-}; +- + static int pl061_probe(struct amba_device *adev, const struct amba_id *id) + { + struct device *dev = &adev->dev; +@@ -328,6 +320,13 @@ static int pl061_probe(struct amba_device *adev, const struct amba_id *id) + /* + * irq_chip support + */ ++ pl061->irq_chip.name = dev_name(dev); ++ pl061->irq_chip.irq_ack = pl061_irq_ack; ++ pl061->irq_chip.irq_mask = pl061_irq_mask; ++ pl061->irq_chip.irq_unmask = pl061_irq_unmask; ++ pl061->irq_chip.irq_set_type = pl061_irq_type; ++ pl061->irq_chip.irq_set_wake = pl061_irq_set_wake; ++ + writeb(0, pl061->base + GPIOIE); /* disable irqs */ + irq = adev->irq[0]; + if (irq < 0) { +@@ -336,14 +335,14 @@ static int pl061_probe(struct amba_device *adev, const struct amba_id *id) + } + pl061->parent_irq = irq; + +- ret = gpiochip_irqchip_add(&pl061->gc, &pl061_irqchip, ++ ret = gpiochip_irqchip_add(&pl061->gc, &pl061->irq_chip, + 0, handle_bad_irq, + IRQ_TYPE_NONE); + if (ret) { + dev_info(&adev->dev, "could not add irqchip\n"); + return ret; + } +- gpiochip_set_chained_irqchip(&pl061->gc, &pl061_irqchip, ++ gpiochip_set_chained_irqchip(&pl061->gc, &pl061->irq_chip, + irq, pl061_irq_handler); + + amba_set_drvdata(adev, pl061); +-- +2.19.1 + diff --git a/queue-4.19/ib-usnic-fix-potential-deadlock.patch b/queue-4.19/ib-usnic-fix-potential-deadlock.patch new file mode 100644 index 00000000000..035b4b0b8b2 --- /dev/null +++ b/queue-4.19/ib-usnic-fix-potential-deadlock.patch @@ -0,0 +1,63 @@ +From df68930fdd402b21b21eee7e45a1047b3c88644a Mon Sep 17 00:00:00 2001 +From: Parvi Kaustubhi +Date: Tue, 11 Dec 2018 14:15:42 -0800 +Subject: IB/usnic: Fix potential deadlock + +[ Upstream commit 8036e90f92aae2784b855a0007ae2d8154d28b3c ] + +Acquiring the rtnl lock while holding usdev_lock could result in a +deadlock. + +For example: + +usnic_ib_query_port() +| mutex_lock(&us_ibdev->usdev_lock) + | ib_get_eth_speed() + | rtnl_lock() + +rtnl_lock() +| usnic_ib_netdevice_event() + | mutex_lock(&us_ibdev->usdev_lock) + +This commit moves the usdev_lock acquisition after the rtnl lock has been +released. + +This is safe to do because usdev_lock is not protecting anything being +accessed in ib_get_eth_speed(). Hence, the correct order of holding locks +(rtnl -> usdev_lock) is not violated. + +Signed-off-by: Parvi Kaustubhi +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/usnic/usnic_ib_verbs.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/usnic/usnic_ib_verbs.c b/drivers/infiniband/hw/usnic/usnic_ib_verbs.c +index 9973ac893635..3db232429630 100644 +--- a/drivers/infiniband/hw/usnic/usnic_ib_verbs.c ++++ b/drivers/infiniband/hw/usnic/usnic_ib_verbs.c +@@ -334,13 +334,16 @@ int usnic_ib_query_port(struct ib_device *ibdev, u8 port, + + usnic_dbg("\n"); + +- mutex_lock(&us_ibdev->usdev_lock); + if (ib_get_eth_speed(ibdev, port, &props->active_speed, +- &props->active_width)) { +- mutex_unlock(&us_ibdev->usdev_lock); ++ &props->active_width)) + return -EINVAL; +- } + ++ /* ++ * usdev_lock is acquired after (and not before) ib_get_eth_speed call ++ * because acquiring rtnl_lock in ib_get_eth_speed, while holding ++ * usdev_lock could lead to a deadlock. ++ */ ++ mutex_lock(&us_ibdev->usdev_lock); + /* props being zeroed by the caller, avoid zeroing it here */ + + props->lid = 0; +-- +2.19.1 + diff --git a/queue-4.19/iomap-don-t-search-past-page-end-in-iomap_is_partial.patch b/queue-4.19/iomap-don-t-search-past-page-end-in-iomap_is_partial.patch new file mode 100644 index 00000000000..b70b917d287 --- /dev/null +++ b/queue-4.19/iomap-don-t-search-past-page-end-in-iomap_is_partial.patch @@ -0,0 +1,78 @@ +From 86270fc16a58f060408a5c3936a42e221006f885 Mon Sep 17 00:00:00 2001 +From: Eric Sandeen +Date: Fri, 21 Dec 2018 08:42:50 -0800 +Subject: iomap: don't search past page end in iomap_is_partially_uptodate + +[ Upstream commit 3cc31fa65d85610574c0f6a474e89f4c419923d5 ] + +iomap_is_partially_uptodate() is intended to check wither blocks within +the selected range of a not-uptodate page are uptodate; if the range we +care about is up to date, it's an optimization. + +However, the iomap implementation continues to check all blocks up to +from+count, which is beyond the page, and can even be well beyond the +iop->uptodate bitmap. + +I think the worst that will happen is that we may eventually find a zero +bit and return "not partially uptodate" when it would have otherwise +returned true, and skip the optimization. Still, it's clearly an invalid +memory access that must be fixed. + +So: fix this by limiting the search to within the page as is done in the +non-iomap variant, block_is_partially_uptodate(). + +Zorro noticed thiswhen KASAN went off for 512 byte blocks on a 64k +page system: + + BUG: KASAN: slab-out-of-bounds in iomap_is_partially_uptodate+0x1a0/0x1e0 + Read of size 8 at addr ffff800120c3a318 by task fsstress/22337 + +Reported-by: Zorro Lang +Signed-off-by: Eric Sandeen +Signed-off-by: Eric Sandeen +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Sasha Levin +--- + fs/iomap.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/fs/iomap.c b/fs/iomap.c +index ec15cf2ec696..e57fb1e534c5 100644 +--- a/fs/iomap.c ++++ b/fs/iomap.c +@@ -488,16 +488,29 @@ done: + } + EXPORT_SYMBOL_GPL(iomap_readpages); + ++/* ++ * iomap_is_partially_uptodate checks whether blocks within a page are ++ * uptodate or not. ++ * ++ * Returns true if all blocks which correspond to a file portion ++ * we want to read within the page are uptodate. ++ */ + int + iomap_is_partially_uptodate(struct page *page, unsigned long from, + unsigned long count) + { + struct iomap_page *iop = to_iomap_page(page); + struct inode *inode = page->mapping->host; +- unsigned first = from >> inode->i_blkbits; +- unsigned last = (from + count - 1) >> inode->i_blkbits; ++ unsigned len, first, last; + unsigned i; + ++ /* Limit range to one page */ ++ len = min_t(unsigned, PAGE_SIZE - from, count); ++ ++ /* First and last blocks in range within page */ ++ first = from >> inode->i_blkbits; ++ last = (from + len - 1) >> inode->i_blkbits; ++ + if (iop) { + for (i = first; i <= last; i++) + if (!test_bit(i, iop->uptodate)) +-- +2.19.1 + diff --git a/queue-4.19/ixgbe-allow-ipsec-tx-offload-in-vepa-mode.patch b/queue-4.19/ixgbe-allow-ipsec-tx-offload-in-vepa-mode.patch new file mode 100644 index 00000000000..cebb7f8606c --- /dev/null +++ b/queue-4.19/ixgbe-allow-ipsec-tx-offload-in-vepa-mode.patch @@ -0,0 +1,55 @@ +From a455168ded92c350f2009c32ee9a04f7d8c95f32 Mon Sep 17 00:00:00 2001 +From: Shannon Nelson +Date: Thu, 4 Oct 2018 16:28:52 -0700 +Subject: ixgbe: allow IPsec Tx offload in VEPA mode + +[ Upstream commit 7fa57ca443cffe81ce8416b57966bfb0370678a1 ] + +When it's possible that the PF might end up trying to send a +packet to one of its own VFs, we have to forbid IPsec offload +because the device drops the packets into a black hole. +See commit 47b6f50077e6 ("ixgbe: disallow IPsec Tx offload +when in SR-IOV mode") for more info. + +This really is only necessary when the device is in the default +VEB mode. If instead the device is running in VEPA mode, +the packets will go through the encryption engine and out the +MAC/PHY as normal, and get "hairpinned" as needed by the switch. + +So let's not block IPsec offload when in VEPA mode. To get +there with the ixgbe device, use the handy 'bridge' command: + bridge link set dev eth1 hwmode vepa + +Signed-off-by: Shannon Nelson +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c +index add124e0381d..b27f7a968820 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c +@@ -4,6 +4,7 @@ + #include "ixgbe.h" + #include + #include ++#include + + /** + * ixgbe_ipsec_set_tx_sa - set the Tx SA registers +@@ -676,7 +677,8 @@ static int ixgbe_ipsec_add_sa(struct xfrm_state *xs) + } else { + struct tx_sa tsa; + +- if (adapter->num_vfs) ++ if (adapter->num_vfs && ++ adapter->bridge_mode != BRIDGE_MODE_VEPA) + return -EOPNOTSUPP; + + /* find the first unused index */ +-- +2.19.1 + diff --git a/queue-4.19/jffs2-fix-use-of-uninitialized-delayed_work-lockdep-.patch b/queue-4.19/jffs2-fix-use-of-uninitialized-delayed_work-lockdep-.patch new file mode 100644 index 00000000000..834e63716dd --- /dev/null +++ b/queue-4.19/jffs2-fix-use-of-uninitialized-delayed_work-lockdep-.patch @@ -0,0 +1,69 @@ +From cdf002b549625252b1fc1855ca48776158011cd8 Mon Sep 17 00:00:00 2001 +From: Daniel Santos +Date: Fri, 19 Oct 2018 03:30:20 -0500 +Subject: jffs2: Fix use of uninitialized delayed_work, lockdep breakage + +[ Upstream commit a788c5272769ddbcdbab297cf386413eeac04463 ] + +jffs2_sync_fs makes the assumption that if CONFIG_JFFS2_FS_WRITEBUFFER +is defined then a write buffer is available and has been initialized. +However, this does is not the case when the mtd device has no +out-of-band buffer: + +int jffs2_nand_flash_setup(struct jffs2_sb_info *c) +{ + if (!c->mtd->oobsize) + return 0; +... + +The resulting call to cancel_delayed_work_sync passing a uninitialized +(but zeroed) delayed_work struct forces lockdep to become disabled. + +[ 90.050639] overlayfs: upper fs does not support tmpfile. +[ 90.652264] INFO: trying to register non-static key. +[ 90.662171] the code is fine but needs lockdep annotation. +[ 90.673090] turning off the locking correctness validator. +[ 90.684021] CPU: 0 PID: 1762 Comm: mount_root Not tainted 4.14.63 #0 +[ 90.696672] Stack : 00000000 00000000 80d8f6a2 00000038 805f0000 80444600 8fe364f4 805dfbe7 +[ 90.713349] 80563a30 000006e2 8068370c 00000001 00000000 00000001 8e2fdc48 ffffffff +[ 90.730020] 00000000 00000000 80d90000 00000000 00000106 00000000 6465746e 312e3420 +[ 90.746690] 6b636f6c 03bf0000 f8000000 20676e69 00000000 80000000 00000000 8e2c2a90 +[ 90.763362] 80d90000 00000001 00000000 8e2c2a90 00000003 80260dc0 08052098 80680000 +[ 90.780033] ... +[ 90.784902] Call Trace: +[ 90.789793] [<8000f0d8>] show_stack+0xb8/0x148 +[ 90.798659] [<8005a000>] register_lock_class+0x270/0x55c +[ 90.809247] [<8005cb64>] __lock_acquire+0x13c/0xf7c +[ 90.818964] [<8005e314>] lock_acquire+0x194/0x1dc +[ 90.828345] [<8003f27c>] flush_work+0x200/0x24c +[ 90.837374] [<80041dfc>] __cancel_work_timer+0x158/0x210 +[ 90.847958] [<801a8770>] jffs2_sync_fs+0x20/0x54 +[ 90.857173] [<80125cf4>] iterate_supers+0xf4/0x120 +[ 90.866729] [<80158fc4>] sys_sync+0x44/0x9c +[ 90.875067] [<80014424>] syscall_common+0x34/0x58 + +Signed-off-by: Daniel Santos +Reviewed-by: Hou Tao +Signed-off-by: Boris Brezillon +Signed-off-by: Sasha Levin +--- + fs/jffs2/super.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c +index 902a7dd10e5c..bb6ae387469f 100644 +--- a/fs/jffs2/super.c ++++ b/fs/jffs2/super.c +@@ -101,7 +101,8 @@ static int jffs2_sync_fs(struct super_block *sb, int wait) + struct jffs2_sb_info *c = JFFS2_SB_INFO(sb); + + #ifdef CONFIG_JFFS2_FS_WRITEBUFFER +- cancel_delayed_work_sync(&c->wbuf_dwork); ++ if (jffs2_is_writebuffered(c)) ++ cancel_delayed_work_sync(&c->wbuf_dwork); + #endif + + mutex_lock(&c->alloc_sem); +-- +2.19.1 + diff --git a/queue-4.19/kconfig-fix-file-name-and-line-number-of-warn_ignore.patch b/queue-4.19/kconfig-fix-file-name-and-line-number-of-warn_ignore.patch new file mode 100644 index 00000000000..8bc418ad603 --- /dev/null +++ b/queue-4.19/kconfig-fix-file-name-and-line-number-of-warn_ignore.patch @@ -0,0 +1,58 @@ +From 5d3e967859fcb2c5b8f253c4b53add18055c4dae Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Tue, 11 Dec 2018 20:00:44 +0900 +Subject: kconfig: fix file name and line number of warn_ignored_character() + +[ Upstream commit 77c1c0fa8b1477c5799bdad65026ea5ff676da44 ] + +Currently, warn_ignore_character() displays invalid file name and +line number. + +The lexer should use current_file->name and yylineno, while the parser +should use zconf_curname() and zconf_lineno(). + +This difference comes from that the lexer is always going ahead +of the parser. The parser needs to look ahead one token to make a +shift/reduce decision, so the lexer is requested to scan more text +from the input file. + +This commit fixes the warning message from warn_ignored_character(). + +[Test Code] + + ----(Kconfig begin)---- + / + -----(Kconfig end)----- + +[Output] + + Before the fix: + + :0:warning: ignoring unsupported character '/' + + After the fix: + + Kconfig:1:warning: ignoring unsupported character '/' + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/zconf.l | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/kconfig/zconf.l b/scripts/kconfig/zconf.l +index 25bd2b89fe3f..eeac64ccc730 100644 +--- a/scripts/kconfig/zconf.l ++++ b/scripts/kconfig/zconf.l +@@ -73,7 +73,7 @@ static void warn_ignored_character(char chr) + { + fprintf(stderr, + "%s:%d:warning: ignoring unsupported character '%c'\n", +- zconf_curname(), zconf_lineno(), chr); ++ current_file->name, yylineno, chr); + } + %} + +-- +2.19.1 + diff --git a/queue-4.19/kconfig-fix-memory-leak-when-eof-is-encountered-in-q.patch b/queue-4.19/kconfig-fix-memory-leak-when-eof-is-encountered-in-q.patch new file mode 100644 index 00000000000..689209457e7 --- /dev/null +++ b/queue-4.19/kconfig-fix-memory-leak-when-eof-is-encountered-in-q.patch @@ -0,0 +1,67 @@ +From 3bee3126d70ffffb074b14cb3ae7cca0caaa9c33 Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Tue, 11 Dec 2018 20:00:45 +0900 +Subject: kconfig: fix memory leak when EOF is encountered in quotation + +[ Upstream commit fbac5977d81cb2b2b7e37b11c459055d9585273c ] + +An unterminated string literal followed by new line is passed to the +parser (with "multi-line strings not supported" warning shown), then +handled properly there. + +On the other hand, an unterminated string literal at end of file is +never passed to the parser, then results in memory leak. + +[Test Code] + + ----------(Kconfig begin)---------- + source "Kconfig.inc" + + config A + bool "a" + -----------(Kconfig end)----------- + + --------(Kconfig.inc begin)-------- + config B + bool "b\No new line at end of file + ---------(Kconfig.inc end)--------- + +[Summary from Valgrind] + + Before the fix: + + LEAK SUMMARY: + definitely lost: 16 bytes in 1 blocks + ... + + After the fix: + + LEAK SUMMARY: + definitely lost: 0 bytes in 0 blocks + ... + +Eliminate the memory leak path by handling this case. Of course, such +a Kconfig file is wrong already, so I will add an error message later. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/zconf.l | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/scripts/kconfig/zconf.l b/scripts/kconfig/zconf.l +index eeac64ccc730..c2f577d71964 100644 +--- a/scripts/kconfig/zconf.l ++++ b/scripts/kconfig/zconf.l +@@ -221,6 +221,8 @@ n [A-Za-z0-9_-] + } + <> { + BEGIN(INITIAL); ++ yylval.string = text; ++ return T_WORD_QUOTE; + } + } + +-- +2.19.1 + diff --git a/queue-4.19/media-firewire-fix-app_info-parameter-type-in-avc_ca.patch b/queue-4.19/media-firewire-fix-app_info-parameter-type-in-avc_ca.patch new file mode 100644 index 00000000000..21f4266173b --- /dev/null +++ b/queue-4.19/media-firewire-fix-app_info-parameter-type-in-avc_ca.patch @@ -0,0 +1,89 @@ +From 9d06e590e755e5ef283a22753eeda27b4792891a Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Thu, 18 Oct 2018 16:03:06 -0400 +Subject: media: firewire: Fix app_info parameter type in avc_ca{,_app}_info + +[ Upstream commit b2e9a4eda11fd2cb1e6714e9ad3f455c402568ff ] + +Clang warns: + +drivers/media/firewire/firedtv-avc.c:999:45: warning: implicit +conversion from 'int' to 'char' changes value from 159 to -97 +[-Wconstant-conversion] + app_info[0] = (EN50221_TAG_APP_INFO >> 16) & 0xff; + ~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~ +drivers/media/firewire/firedtv-avc.c:1000:45: warning: implicit +conversion from 'int' to 'char' changes value from 128 to -128 +[-Wconstant-conversion] + app_info[1] = (EN50221_TAG_APP_INFO >> 8) & 0xff; + ~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~ +drivers/media/firewire/firedtv-avc.c:1040:44: warning: implicit +conversion from 'int' to 'char' changes value from 159 to -97 +[-Wconstant-conversion] + app_info[0] = (EN50221_TAG_CA_INFO >> 16) & 0xff; + ~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~ +drivers/media/firewire/firedtv-avc.c:1041:44: warning: implicit +conversion from 'int' to 'char' changes value from 128 to -128 +[-Wconstant-conversion] + app_info[1] = (EN50221_TAG_CA_INFO >> 8) & 0xff; + ~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~ +4 warnings generated. + +Change app_info's type to unsigned char to match the type of the +member msg in struct ca_msg, which is the only thing passed into the +app_info parameter in this function. + +Link: https://github.com/ClangBuiltLinux/linux/issues/105 + +Signed-off-by: Nathan Chancellor +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/firewire/firedtv-avc.c | 6 ++++-- + drivers/media/firewire/firedtv.h | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c +index 1c933b2cf760..3ef5df1648d7 100644 +--- a/drivers/media/firewire/firedtv-avc.c ++++ b/drivers/media/firewire/firedtv-avc.c +@@ -968,7 +968,8 @@ static int get_ca_object_length(struct avc_response_frame *r) + return r->operand[7]; + } + +-int avc_ca_app_info(struct firedtv *fdtv, char *app_info, unsigned int *len) ++int avc_ca_app_info(struct firedtv *fdtv, unsigned char *app_info, ++ unsigned int *len) + { + struct avc_command_frame *c = (void *)fdtv->avc_data; + struct avc_response_frame *r = (void *)fdtv->avc_data; +@@ -1009,7 +1010,8 @@ out: + return ret; + } + +-int avc_ca_info(struct firedtv *fdtv, char *app_info, unsigned int *len) ++int avc_ca_info(struct firedtv *fdtv, unsigned char *app_info, ++ unsigned int *len) + { + struct avc_command_frame *c = (void *)fdtv->avc_data; + struct avc_response_frame *r = (void *)fdtv->avc_data; +diff --git a/drivers/media/firewire/firedtv.h b/drivers/media/firewire/firedtv.h +index 876cdec8329b..009905a19947 100644 +--- a/drivers/media/firewire/firedtv.h ++++ b/drivers/media/firewire/firedtv.h +@@ -124,8 +124,10 @@ int avc_lnb_control(struct firedtv *fdtv, char voltage, char burst, + struct dvb_diseqc_master_cmd *diseqcmd); + void avc_remote_ctrl_work(struct work_struct *work); + int avc_register_remote_control(struct firedtv *fdtv); +-int avc_ca_app_info(struct firedtv *fdtv, char *app_info, unsigned int *len); +-int avc_ca_info(struct firedtv *fdtv, char *app_info, unsigned int *len); ++int avc_ca_app_info(struct firedtv *fdtv, unsigned char *app_info, ++ unsigned int *len); ++int avc_ca_info(struct firedtv *fdtv, unsigned char *app_info, ++ unsigned int *len); + int avc_ca_reset(struct firedtv *fdtv); + int avc_ca_pmt(struct firedtv *fdtv, char *app_info, int length); + int avc_ca_get_time_date(struct firedtv *fdtv, int *interval); +-- +2.19.1 + diff --git a/queue-4.19/media-uvcvideo-refactor-teardown-of-uvc-on-usb-disco.patch b/queue-4.19/media-uvcvideo-refactor-teardown-of-uvc-on-usb-disco.patch new file mode 100644 index 00000000000..159c78ab37d --- /dev/null +++ b/queue-4.19/media-uvcvideo-refactor-teardown-of-uvc-on-usb-disco.patch @@ -0,0 +1,185 @@ +From 29aa4f2f8c346ce4eb9902feb892dcc91877ed5b Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Sun, 23 Apr 2017 00:53:49 -0400 +Subject: media: uvcvideo: Refactor teardown of uvc on USB disconnect + +[ Upstream commit 10e1fdb95809ed21406f53b5b4f064673a1b9ceb ] + +Currently, disconnecting a USB webcam while it is in use prints out a +number of warnings, such as: + +WARNING: CPU: 2 PID: 3118 at /build/linux-ezBi1T/linux-4.8.0/fs/sysfs/group.c:237 sysfs_remove_group+0x8b/0x90 +sysfs group ffffffffa7cd0780 not found for kobject 'event13' + +This has been noticed before. [0] + +This is because of the order in which things are torn down. + +If there are no streams active during a USB disconnect: + + - uvc_disconnect() is invoked via device_del() through the bus + notifier mechanism. + + - this calls uvc_unregister_video(). + + - uvc_unregister_video() unregisters the video device for each + stream, + + - because there are no streams open, it calls uvc_delete() + + - uvc_delete() calls uvc_status_cleanup(), which cleans up the status + input device. + + - uvc_delete() calls media_device_unregister(), which cleans up the + media device + + - uvc_delete(), uvc_unregister_video() and uvc_disconnect() all + return, and we end up back in device_del(). + + - device_del() then cleans up the sysfs folder for the camera with + dpm_sysfs_remove(). Because uvc_status_cleanup() and + media_device_unregister() have already been called, this all works + nicely. + +If, on the other hand, there *are* streams active during a USB disconnect: + + - uvc_disconnect() is invoked + + - this calls uvc_unregister_video() + + - uvc_unregister_video() unregisters the video device for each + stream, + + - uvc_unregister_video() and uvc_disconnect() return, and we end up + back in device_del(). + + - device_del() then cleans up the sysfs folder for the camera with + dpm_sysfs_remove(). Because the status input device and the media + device are children of the USB device, this also deletes their + sysfs folders. + + - Sometime later, the final stream is closed, invoking uvc_release(). + + - uvc_release() calls uvc_delete() + + - uvc_delete() calls uvc_status_cleanup(), which cleans up the status + input device. Because the sysfs directory has already been removed, + this causes a WARNing. + + - uvc_delete() calls media_device_unregister(), which cleans up the + media device. Because the sysfs directory has already been removed, + this causes another WARNing. + +To fix this, we need to make sure the devices are always unregistered +before the end of uvc_disconnect(). To this, move the unregistration +into the disconnect path: + + - split uvc_status_cleanup() into two parts, one on disconnect that + unregisters and one on delete that frees. + + - move v4l2_device_unregister() and media_device_unregister() into + the disconnect path. + +[0]: https://lkml.org/lkml/2016/12/8/657 + +[Renamed uvc_input_cleanup() to uvc_input_unregister()] + +Signed-off-by: Daniel Axtens +Acked-by: Greg Kroah-Hartman +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_driver.c | 13 +++++++++---- + drivers/media/usb/uvc/uvc_status.c | 12 ++++++++---- + drivers/media/usb/uvc/uvcvideo.h | 1 + + 3 files changed, 18 insertions(+), 8 deletions(-) + +diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c +index d46dc432456c..361abbc00486 100644 +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -1824,11 +1824,7 @@ static void uvc_delete(struct kref *kref) + usb_put_intf(dev->intf); + usb_put_dev(dev->udev); + +- if (dev->vdev.dev) +- v4l2_device_unregister(&dev->vdev); + #ifdef CONFIG_MEDIA_CONTROLLER +- if (media_devnode_is_registered(dev->mdev.devnode)) +- media_device_unregister(&dev->mdev); + media_device_cleanup(&dev->mdev); + #endif + +@@ -1885,6 +1881,15 @@ static void uvc_unregister_video(struct uvc_device *dev) + + uvc_debugfs_cleanup_stream(stream); + } ++ ++ uvc_status_unregister(dev); ++ ++ if (dev->vdev.dev) ++ v4l2_device_unregister(&dev->vdev); ++#ifdef CONFIG_MEDIA_CONTROLLER ++ if (media_devnode_is_registered(dev->mdev.devnode)) ++ media_device_unregister(&dev->mdev); ++#endif + } + + int uvc_register_video_device(struct uvc_device *dev, +diff --git a/drivers/media/usb/uvc/uvc_status.c b/drivers/media/usb/uvc/uvc_status.c +index 0722dc684378..883e4cab45e7 100644 +--- a/drivers/media/usb/uvc/uvc_status.c ++++ b/drivers/media/usb/uvc/uvc_status.c +@@ -54,7 +54,7 @@ error: + return ret; + } + +-static void uvc_input_cleanup(struct uvc_device *dev) ++static void uvc_input_unregister(struct uvc_device *dev) + { + if (dev->input) + input_unregister_device(dev->input); +@@ -71,7 +71,7 @@ static void uvc_input_report_key(struct uvc_device *dev, unsigned int code, + + #else + #define uvc_input_init(dev) +-#define uvc_input_cleanup(dev) ++#define uvc_input_unregister(dev) + #define uvc_input_report_key(dev, code, value) + #endif /* CONFIG_USB_VIDEO_CLASS_INPUT_EVDEV */ + +@@ -292,12 +292,16 @@ int uvc_status_init(struct uvc_device *dev) + return 0; + } + +-void uvc_status_cleanup(struct uvc_device *dev) ++void uvc_status_unregister(struct uvc_device *dev) + { + usb_kill_urb(dev->int_urb); ++ uvc_input_unregister(dev); ++} ++ ++void uvc_status_cleanup(struct uvc_device *dev) ++{ + usb_free_urb(dev->int_urb); + kfree(dev->status); +- uvc_input_cleanup(dev); + } + + int uvc_status_start(struct uvc_device *dev, gfp_t flags) +diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h +index e5f5d84f1d1d..a738486fd9d6 100644 +--- a/drivers/media/usb/uvc/uvcvideo.h ++++ b/drivers/media/usb/uvc/uvcvideo.h +@@ -750,6 +750,7 @@ int uvc_register_video_device(struct uvc_device *dev, + + /* Status */ + int uvc_status_init(struct uvc_device *dev); ++void uvc_status_unregister(struct uvc_device *dev); + void uvc_status_cleanup(struct uvc_device *dev); + int uvc_status_start(struct uvc_device *dev, gfp_t flags); + void uvc_status_stop(struct uvc_device *dev); +-- +2.19.1 + diff --git a/queue-4.19/media-venus-core-set-dma-maximum-segment-size.patch b/queue-4.19/media-venus-core-set-dma-maximum-segment-size.patch new file mode 100644 index 00000000000..6e02cc3e66f --- /dev/null +++ b/queue-4.19/media-venus-core-set-dma-maximum-segment-size.patch @@ -0,0 +1,94 @@ +From f33987b299dfe9a6d35d00231c7f7a1555bf615e Mon Sep 17 00:00:00 2001 +From: Vivek Gautam +Date: Wed, 5 Dec 2018 03:31:51 -0500 +Subject: media: venus: core: Set dma maximum segment size + +[ Upstream commit de2563bce7a157f5296bab94f3843d7d64fb14b4 ] + +Turning on CONFIG_DMA_API_DEBUG_SG results in the following error: + +[ 460.308650] ------------[ cut here ]------------ +[ 460.313490] qcom-venus aa00000.video-codec: DMA-API: mapping sg segment longer than device claims to support [len=4194304] [max=65536] +[ 460.326017] WARNING: CPU: 3 PID: 3555 at src/kernel/dma/debug.c:1301 debug_dma_map_sg+0x174/0x254 +[ 460.338888] Modules linked in: venus_dec venus_enc videobuf2_dma_sg videobuf2_memops hci_uart btqca bluetooth venus_core v4l2_mem2mem videobuf2_v4l2 videobuf2_common ath10k_snoc ath10k_core ath lzo lzo_compress zramjoydev +[ 460.375811] CPU: 3 PID: 3555 Comm: V4L2DecoderThre Tainted: G W 4.19.1 #82 +[ 460.384223] Hardware name: Google Cheza (rev1) (DT) +[ 460.389251] pstate: 60400009 (nZCv daif +PAN -UAO) +[ 460.394191] pc : debug_dma_map_sg+0x174/0x254 +[ 460.398680] lr : debug_dma_map_sg+0x174/0x254 +[ 460.403162] sp : ffffff80200c37d0 +[ 460.406583] x29: ffffff80200c3830 x28: 0000000000010000 +[ 460.412056] x27: 00000000ffffffff x26: ffffffc0f785ea80 +[ 460.417532] x25: 0000000000000000 x24: ffffffc0f4ea1290 +[ 460.423001] x23: ffffffc09e700300 x22: ffffffc0f4ea1290 +[ 460.428470] x21: ffffff8009037000 x20: 0000000000000001 +[ 460.433936] x19: ffffff80091b0000 x18: 0000000000000000 +[ 460.439411] x17: 0000000000000000 x16: 000000000000f251 +[ 460.444885] x15: 0000000000000006 x14: 0720072007200720 +[ 460.450354] x13: ffffff800af536e0 x12: 0000000000000000 +[ 460.455822] x11: 0000000000000000 x10: 0000000000000000 +[ 460.461288] x9 : 537944d9c6c48d00 x8 : 537944d9c6c48d00 +[ 460.466758] x7 : 0000000000000000 x6 : ffffffc0f8d98f80 +[ 460.472230] x5 : 0000000000000000 x4 : 0000000000000000 +[ 460.477703] x3 : 000000000000008a x2 : ffffffc0fdb13948 +[ 460.483170] x1 : ffffffc0fdb0b0b0 x0 : 000000000000007a +[ 460.488640] Call trace: +[ 460.491165] debug_dma_map_sg+0x174/0x254 +[ 460.495307] vb2_dma_sg_alloc+0x260/0x2dc [videobuf2_dma_sg] +[ 460.501150] __vb2_queue_alloc+0x164/0x374 [videobuf2_common] +[ 460.507076] vb2_core_reqbufs+0xfc/0x23c [videobuf2_common] +[ 460.512815] vb2_reqbufs+0x44/0x5c [videobuf2_v4l2] +[ 460.517853] v4l2_m2m_reqbufs+0x44/0x78 [v4l2_mem2mem] +[ 460.523144] v4l2_m2m_ioctl_reqbufs+0x1c/0x28 [v4l2_mem2mem] +[ 460.528976] v4l_reqbufs+0x30/0x40 +[ 460.532480] __video_do_ioctl+0x36c/0x454 +[ 460.536610] video_usercopy+0x25c/0x51c +[ 460.540572] video_ioctl2+0x38/0x48 +[ 460.544176] v4l2_ioctl+0x60/0x74 +[ 460.547602] do_video_ioctl+0x948/0x3520 +[ 460.551648] v4l2_compat_ioctl32+0x60/0x98 +[ 460.555872] __arm64_compat_sys_ioctl+0x134/0x20c +[ 460.560718] el0_svc_common+0x9c/0xe4 +[ 460.564498] el0_svc_compat_handler+0x2c/0x38 +[ 460.568982] el0_svc_compat+0x8/0x18 +[ 460.572672] ---[ end trace ce209b87b2f3af88 ]--- + +>From above warning one would deduce that the sg segment will overflow +the device's capacity. In reality, the hardware can accommodate larger +sg segments. +So, initialize the max segment size properly to weed out this warning. + +Based on a similar patch sent by Sean Paul for mdss: +https://patchwork.kernel.org/patch/10671457/ + +Signed-off-by: Vivek Gautam +Acked-by: Stanimir Varbanov +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/venus/core.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/media/platform/qcom/venus/core.c b/drivers/media/platform/qcom/venus/core.c +index bb6add9d340e..5b8350e87e75 100644 +--- a/drivers/media/platform/qcom/venus/core.c ++++ b/drivers/media/platform/qcom/venus/core.c +@@ -264,6 +264,14 @@ static int venus_probe(struct platform_device *pdev) + if (ret) + return ret; + ++ if (!dev->dma_parms) { ++ dev->dma_parms = devm_kzalloc(dev, sizeof(*dev->dma_parms), ++ GFP_KERNEL); ++ if (!dev->dma_parms) ++ return -ENOMEM; ++ } ++ dma_set_max_seg_size(dev, DMA_BIT_MASK(32)); ++ + INIT_LIST_HEAD(&core->instances); + mutex_init(&core->lock); + INIT_DELAYED_WORK(&core->work, venus_sys_error_handler); +-- +2.19.1 + diff --git a/queue-4.19/mips-sibyte-enable-swiotlb-for-swarm-littlesur-and-b.patch b/queue-4.19/mips-sibyte-enable-swiotlb-for-swarm-littlesur-and-b.patch new file mode 100644 index 00000000000..e1f2627a990 --- /dev/null +++ b/queue-4.19/mips-sibyte-enable-swiotlb-for-swarm-littlesur-and-b.patch @@ -0,0 +1,155 @@ +From 380bdb0b61cc61ce958281f481c797c475f0e315 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Tue, 13 Nov 2018 22:42:44 +0000 +Subject: MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur + +[ Upstream commit e4849aff1e169b86c561738daf8ff020e9de1011 ] + +The Broadcom SiByte BCM1250, BCM1125, and BCM1125H SOCs have an onchip +DRAM controller that supports memory amounts of up to 16GiB, and due to +how the address decoder has been wired in the SOC any memory beyond 1GiB +is actually mapped starting from 4GiB physical up, that is beyond the +32-bit addressable limit[1]. Consequently if the maximum amount of +memory has been installed, then it will span up to 19GiB. + +Many of the evaluation boards we support that are based on one of these +SOCs have their memory soldered and the amount present fits in the +32-bit address range. The BCM91250A SWARM board however has actual DIMM +slots and accepts, depending on the peripherals revision of the SOC, up +to 4GiB or 8GiB of memory in commercially available JEDEC modules[2]. +I believe this is also the case with the BCM91250C2 LittleSur board. +This means that up to either 3GiB or 7GiB of memory requires 64-bit +addressing to access. + +I believe the BCM91480B BigSur board, which has the BCM1480 SOC instead, +accepts at least as much memory, although I have no documentation or +actual hardware available to verify that. + +Both systems have PCI slots installed for use by any PCI option boards, +including ones that only support 32-bit addressing (additionally the +32-bit PCI host bridge of the BCM1250, BCM1125, and BCM1125H SOCs limits +addressing to 32-bits), and there is no IOMMU available. Therefore for +PCI DMA to work in the presence of memory beyond enable swiotlb for the +affected systems. + +All the other SOC onchip DMA devices use 40-bit addressing and therefore +can address the whole memory, so only enable swiotlb if PCI support and +support for DMA beyond 4GiB have been both enabled in the configuration +of the kernel. + +This shows up as follows: + +Broadcom SiByte BCM1250 B2 @ 800 MHz (SB1 rev 2) +Board type: SiByte BCM91250A (SWARM) +Determined physical RAM map: + memory: 000000000fe7fe00 @ 0000000000000000 (usable) + memory: 000000001ffffe00 @ 0000000080000000 (usable) + memory: 000000000ffffe00 @ 00000000c0000000 (usable) + memory: 0000000087fffe00 @ 0000000100000000 (usable) +software IO TLB: mapped [mem 0xcbffc000-0xcfffc000] (64MB) + +in the bootstrap log and removes failures like these: + +defxx 0000:02:00.0: dma_direct_map_page: overflow 0x0000000185bc6080+4608 of device mask ffffffff bus mask 0 +fddi0: Receive buffer allocation failed +fddi0: Adapter open failed! +IP-Config: Failed to open fddi0 +defxx 0000:09:08.0: dma_direct_map_page: overflow 0x0000000185bc6080+4608 of device mask ffffffff bus mask 0 +fddi1: Receive buffer allocation failed +fddi1: Adapter open failed! +IP-Config: Failed to open fddi1 + +when memory beyond 4GiB is handed out to devices that can only do 32-bit +addressing. + +This updates commit cce335ae47e2 ("[MIPS] 64-bit Sibyte kernels need +DMA32."). + +References: + +[1] "BCM1250/BCM1125/BCM1125H User Manual", Revision 1250_1125-UM100-R, + Broadcom Corporation, 21 Oct 2002, Section 3: "System Overview", + "Memory Map", pp. 34-38 + +[2] "BCM91250A User Manual", Revision 91250A-UM100-R, Broadcom + Corporation, 18 May 2004, Section 3: "Physical Description", + "Supported DRAM", p. 23 + +Signed-off-by: Maciej W. Rozycki +[paul.burton@mips.com: Remove GPL text from dma.c; SPDX tag covers it] +Signed-off-by: Paul Burton +Reviewed-by: Christoph Hellwig +Patchwork: https://patchwork.linux-mips.org/patch/21108/ +References: cce335ae47e2 ("[MIPS] 64-bit Sibyte kernels need DMA32.") +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +--- + arch/mips/Kconfig | 3 +++ + arch/mips/sibyte/common/Makefile | 1 + + arch/mips/sibyte/common/dma.c | 14 ++++++++++++++ + 3 files changed, 18 insertions(+) + create mode 100644 arch/mips/sibyte/common/dma.c + +diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig +index 154b811d5894..201caf226b47 100644 +--- a/arch/mips/Kconfig ++++ b/arch/mips/Kconfig +@@ -794,6 +794,7 @@ config SIBYTE_SWARM + select SYS_SUPPORTS_HIGHMEM + select SYS_SUPPORTS_LITTLE_ENDIAN + select ZONE_DMA32 if 64BIT ++ select SWIOTLB if ARCH_DMA_ADDR_T_64BIT && PCI + + config SIBYTE_LITTLESUR + bool "Sibyte BCM91250C2-LittleSur" +@@ -814,6 +815,7 @@ config SIBYTE_SENTOSA + select SYS_HAS_CPU_SB1 + select SYS_SUPPORTS_BIG_ENDIAN + select SYS_SUPPORTS_LITTLE_ENDIAN ++ select SWIOTLB if ARCH_DMA_ADDR_T_64BIT && PCI + + config SIBYTE_BIGSUR + bool "Sibyte BCM91480B-BigSur" +@@ -826,6 +828,7 @@ config SIBYTE_BIGSUR + select SYS_SUPPORTS_HIGHMEM + select SYS_SUPPORTS_LITTLE_ENDIAN + select ZONE_DMA32 if 64BIT ++ select SWIOTLB if ARCH_DMA_ADDR_T_64BIT && PCI + + config SNI_RM + bool "SNI RM200/300/400" +diff --git a/arch/mips/sibyte/common/Makefile b/arch/mips/sibyte/common/Makefile +index b3d6bf23a662..3ef3fb658136 100644 +--- a/arch/mips/sibyte/common/Makefile ++++ b/arch/mips/sibyte/common/Makefile +@@ -1,4 +1,5 @@ + obj-y := cfe.o ++obj-$(CONFIG_SWIOTLB) += dma.o + obj-$(CONFIG_SIBYTE_BUS_WATCHER) += bus_watcher.o + obj-$(CONFIG_SIBYTE_CFE_CONSOLE) += cfe_console.o + obj-$(CONFIG_SIBYTE_TBPROF) += sb_tbprof.o +diff --git a/arch/mips/sibyte/common/dma.c b/arch/mips/sibyte/common/dma.c +new file mode 100644 +index 000000000000..eb47a94f3583 +--- /dev/null ++++ b/arch/mips/sibyte/common/dma.c +@@ -0,0 +1,14 @@ ++// SPDX-License-Identifier: GPL-2.0+ ++/* ++ * DMA support for Broadcom SiByte platforms. ++ * ++ * Copyright (c) 2018 Maciej W. Rozycki ++ */ ++ ++#include ++#include ++ ++void __init plat_swiotlb_setup(void) ++{ ++ swiotlb_init(1); ++} +-- +2.19.1 + diff --git a/queue-4.19/mm-page-writeback.c-don-t-break-integrity-writeback-.patch b/queue-4.19/mm-page-writeback.c-don-t-break-integrity-writeback-.patch new file mode 100644 index 00000000000..399c24bed41 --- /dev/null +++ b/queue-4.19/mm-page-writeback.c-don-t-break-integrity-writeback-.patch @@ -0,0 +1,109 @@ +From 0271809d3c759f5be0b64a7c2f9ed879aeb3402c Mon Sep 17 00:00:00 2001 +From: Brian Foster +Date: Fri, 28 Dec 2018 00:37:20 -0800 +Subject: mm/page-writeback.c: don't break integrity writeback on ->writepage() + error + +[ Upstream commit 3fa750dcf29e8606e3969d13d8e188cc1c0f511d ] + +write_cache_pages() is used in both background and integrity writeback +scenarios by various filesystems. Background writeback is mostly +concerned with cleaning a certain number of dirty pages based on various +mm heuristics. It may not write the full set of dirty pages or wait for +I/O to complete. Integrity writeback is responsible for persisting a set +of dirty pages before the writeback job completes. For example, an +fsync() call must perform integrity writeback to ensure data is on disk +before the call returns. + +write_cache_pages() unconditionally breaks out of its processing loop in +the event of a ->writepage() error. This is fine for background +writeback, which had no strict requirements and will eventually come +around again. This can cause problems for integrity writeback on +filesystems that might need to clean up state associated with failed page +writeouts. For example, XFS performs internal delayed allocation +accounting before returning a ->writepage() error, where applicable. If +the current writeback happens to be associated with an unmount and +write_cache_pages() completes the writeback prematurely due to error, the +filesystem is unmounted in an inconsistent state if dirty+delalloc pages +still exist. + +To handle this problem, update write_cache_pages() to always process the +full set of pages for integrity writeback regardless of ->writepage() +errors. Save the first encountered error and return it to the caller once +complete. This facilitates XFS (or any other fs that expects integrity +writeback to process the entire set of dirty pages) to clean up its +internal state completely in the event of persistent mapping errors. +Background writeback continues to exit on the first error encountered. + +[akpm@linux-foundation.org: fix typo in comment] +Link: http://lkml.kernel.org/r/20181116134304.32440-1-bfoster@redhat.com +Signed-off-by: Brian Foster +Reviewed-by: Jan Kara +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/page-writeback.c | 35 +++++++++++++++++++++-------------- + 1 file changed, 21 insertions(+), 14 deletions(-) + +diff --git a/mm/page-writeback.c b/mm/page-writeback.c +index 84ae9bf5858a..ea4fd3af3b4b 100644 +--- a/mm/page-writeback.c ++++ b/mm/page-writeback.c +@@ -2156,6 +2156,7 @@ int write_cache_pages(struct address_space *mapping, + { + int ret = 0; + int done = 0; ++ int error; + struct pagevec pvec; + int nr_pages; + pgoff_t uninitialized_var(writeback_index); +@@ -2236,25 +2237,31 @@ continue_unlock: + goto continue_unlock; + + trace_wbc_writepage(wbc, inode_to_bdi(mapping->host)); +- ret = (*writepage)(page, wbc, data); +- if (unlikely(ret)) { +- if (ret == AOP_WRITEPAGE_ACTIVATE) { ++ error = (*writepage)(page, wbc, data); ++ if (unlikely(error)) { ++ /* ++ * Handle errors according to the type of ++ * writeback. There's no need to continue for ++ * background writeback. Just push done_index ++ * past this page so media errors won't choke ++ * writeout for the entire file. For integrity ++ * writeback, we must process the entire dirty ++ * set regardless of errors because the fs may ++ * still have state to clear for each page. In ++ * that case we continue processing and return ++ * the first error. ++ */ ++ if (error == AOP_WRITEPAGE_ACTIVATE) { + unlock_page(page); +- ret = 0; +- } else { +- /* +- * done_index is set past this page, +- * so media errors will not choke +- * background writeout for the entire +- * file. This has consequences for +- * range_cyclic semantics (ie. it may +- * not be suitable for data integrity +- * writeout). +- */ ++ error = 0; ++ } else if (wbc->sync_mode != WB_SYNC_ALL) { ++ ret = error; + done_index = page->index + 1; + done = 1; + break; + } ++ if (!ret) ++ ret = error; + } + + /* +-- +2.19.1 + diff --git a/queue-4.19/mm-proc-be-more-verbose-about-unstable-vma-flags-in-.patch b/queue-4.19/mm-proc-be-more-verbose-about-unstable-vma-flags-in-.patch new file mode 100644 index 00000000000..1a1904a0ea5 --- /dev/null +++ b/queue-4.19/mm-proc-be-more-verbose-about-unstable-vma-flags-in-.patch @@ -0,0 +1,107 @@ +From e904a889c14ed958ddf5251a67ab7244f25c3c35 Mon Sep 17 00:00:00 2001 +From: Michal Hocko +Date: Fri, 28 Dec 2018 00:38:17 -0800 +Subject: mm, proc: be more verbose about unstable VMA flags in + /proc//smaps + +[ Upstream commit 7550c6079846a24f30d15ac75a941c8515dbedfb ] + +Patch series "THP eligibility reporting via proc". + +This series of three patches aims at making THP eligibility reporting much +more robust and long term sustainable. The trigger for the change is a +regression report [2] and the long follow up discussion. In short the +specific application didn't have good API to query whether a particular +mapping can be backed by THP so it has used VMA flags to workaround that. +These flags represent a deep internal state of VMAs and as such they +should be used by userspace with a great deal of caution. + +A similar has happened for [3] when users complained that VM_MIXEDMAP is +no longer set on DAX mappings. Again a lack of a proper API led to an +abuse. + +The first patch in the series tries to emphasise that that the semantic of +flags might change and any application consuming those should be really +careful. + +The remaining two patches provide a more suitable interface to address [2] +and provide a consistent API to query the THP status both for each VMA and +process wide as well. [1] + +http://lkml.kernel.org/r/20181120103515.25280-1-mhocko@kernel.org [2] +http://lkml.kernel.org/r/http://lkml.kernel.org/r/alpine.DEB.2.21.1809241054050.224429@chino.kir.corp.google.com +[3] http://lkml.kernel.org/r/20181002100531.GC4135@quack2.suse.cz + +This patch (of 3): + +Even though vma flags exported via /proc//smaps are explicitly +documented to be not guaranteed for future compatibility the warning +doesn't go far enough because it doesn't mention semantic changes to those +flags. And they are important as well because these flags are a deep +implementation internal to the MM code and the semantic might change at +any time. + +Let's consider two recent examples: +http://lkml.kernel.org/r/20181002100531.GC4135@quack2.suse.cz +: commit e1fb4a086495 "dax: remove VM_MIXEDMAP for fsdax and device dax" has +: removed VM_MIXEDMAP flag from DAX VMAs. Now our testing shows that in the +: mean time certain customer of ours started poking into /proc//smaps +: and looks at VMA flags there and if VM_MIXEDMAP is missing among the VMA +: flags, the application just fails to start complaining that DAX support is +: missing in the kernel. + +http://lkml.kernel.org/r/alpine.DEB.2.21.1809241054050.224429@chino.kir.corp.google.com +: Commit 1860033237d4 ("mm: make PR_SET_THP_DISABLE immediately active") +: introduced a regression in that userspace cannot always determine the set +: of vmas where thp is ineligible. +: Userspace relies on the "nh" flag being emitted as part of /proc/pid/smaps +: to determine if a vma is eligible to be backed by hugepages. +: Previous to this commit, prctl(PR_SET_THP_DISABLE, 1) would cause thp to +: be disabled and emit "nh" as a flag for the corresponding vmas as part of +: /proc/pid/smaps. After the commit, thp is disabled by means of an mm +: flag and "nh" is not emitted. +: This causes smaps parsing libraries to assume a vma is eligible for thp +: and ends up puzzling the user on why its memory is not backed by thp. + +In both cases userspace was relying on a semantic of a specific VMA flag. +The primary reason why that happened is a lack of a proper interface. +While this has been worked on and it will be fixed properly, it seems that +our wording could see some refinement and be more vocal about semantic +aspect of these flags as well. + +Link: http://lkml.kernel.org/r/20181211143641.3503-2-mhocko@kernel.org +Signed-off-by: Michal Hocko +Acked-by: Jan Kara +Acked-by: Dan Williams +Acked-by: David Rientjes +Acked-by: Mike Rapoport +Acked-by: Vlastimil Babka +Cc: Dan Williams +Cc: David Rientjes +Cc: Paul Oppenheimer +Cc: William Kucharski +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + Documentation/filesystems/proc.txt | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt +index 22b4b00dee31..06ac6dda9b34 100644 +--- a/Documentation/filesystems/proc.txt ++++ b/Documentation/filesystems/proc.txt +@@ -496,7 +496,9 @@ manner. The codes are the following: + + Note that there is no guarantee that every flag and associated mnemonic will + be present in all further kernel releases. Things get changed, the flags may +-be vanished or the reverse -- new added. ++be vanished or the reverse -- new added. Interpretation of their meaning ++might change in future as well. So each consumer of these flags has to ++follow each specific kernel version for the exact semantic. + + This file is only present if the CONFIG_MMU kernel configuration option is + enabled. +-- +2.19.1 + diff --git a/queue-4.19/mm-swap-use-nr_node_ids-for-avail_lists-in-swap_info.patch b/queue-4.19/mm-swap-use-nr_node_ids-for-avail_lists-in-swap_info.patch new file mode 100644 index 00000000000..721b40f76fd --- /dev/null +++ b/queue-4.19/mm-swap-use-nr_node_ids-for-avail_lists-in-swap_info.patch @@ -0,0 +1,95 @@ +From 290151b174ed0239e5f24e5c546d700fc34cdb1c Mon Sep 17 00:00:00 2001 +From: Aaron Lu +Date: Fri, 28 Dec 2018 00:34:39 -0800 +Subject: mm/swap: use nr_node_ids for avail_lists in swap_info_struct + +[ Upstream commit 66f71da9dd38af17dc17209cdde7987d4679a699 ] + +Since a2468cc9bfdf ("swap: choose swap device according to numa node"), +avail_lists field of swap_info_struct is changed to an array with +MAX_NUMNODES elements. This made swap_info_struct size increased to 40KiB +and needs an order-4 page to hold it. + +This is not optimal in that: +1 Most systems have way less than MAX_NUMNODES(1024) nodes so it + is a waste of memory; +2 It could cause swapon failure if the swap device is swapped on + after system has been running for a while, due to no order-4 + page is available as pointed out by Vasily Averin. + +Solve the above two issues by using nr_node_ids(which is the actual +possible node number the running system has) for avail_lists instead of +MAX_NUMNODES. + +nr_node_ids is unknown at compile time so can't be directly used when +declaring this array. What I did here is to declare avail_lists as zero +element array and allocate space for it when allocating space for +swap_info_struct. The reason why keep using array but not pointer is +plist_for_each_entry needs the field to be part of the struct, so pointer +will not work. + +This patch is on top of Vasily Averin's fix commit. I think the use of +kvzalloc for swap_info_struct is still needed in case nr_node_ids is +really big on some systems. + +Link: http://lkml.kernel.org/r/20181115083847.GA11129@intel.com +Signed-off-by: Aaron Lu +Reviewed-by: Andrew Morton +Acked-by: Michal Hocko +Cc: Vasily Averin +Cc: Huang Ying +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/swap.h | 11 ++++++++++- + mm/swapfile.c | 3 ++- + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/include/linux/swap.h b/include/linux/swap.h +index 8e2c11e692ba..77221c16733a 100644 +--- a/include/linux/swap.h ++++ b/include/linux/swap.h +@@ -232,7 +232,6 @@ struct swap_info_struct { + unsigned long flags; /* SWP_USED etc: see above */ + signed short prio; /* swap priority of this type */ + struct plist_node list; /* entry in swap_active_head */ +- struct plist_node avail_lists[MAX_NUMNODES];/* entry in swap_avail_heads */ + signed char type; /* strange name for an index */ + unsigned int max; /* extent of the swap_map */ + unsigned char *swap_map; /* vmalloc'ed array of usage counts */ +@@ -273,6 +272,16 @@ struct swap_info_struct { + */ + struct work_struct discard_work; /* discard worker */ + struct swap_cluster_list discard_clusters; /* discard clusters list */ ++ struct plist_node avail_lists[0]; /* ++ * entries in swap_avail_heads, one ++ * entry per node. ++ * Must be last as the number of the ++ * array is nr_node_ids, which is not ++ * a fixed value so have to allocate ++ * dynamically. ++ * And it has to be an array so that ++ * plist_for_each_* can work. ++ */ + }; + + #ifdef CONFIG_64BIT +diff --git a/mm/swapfile.c b/mm/swapfile.c +index 67aaf7ae22ff..340ef3177686 100644 +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -2820,8 +2820,9 @@ static struct swap_info_struct *alloc_swap_info(void) + struct swap_info_struct *p; + unsigned int type; + int i; ++ int size = sizeof(*p) + nr_node_ids * sizeof(struct plist_node); + +- p = kvzalloc(sizeof(*p), GFP_KERNEL); ++ p = kvzalloc(size, GFP_KERNEL); + if (!p) + return ERR_PTR(-ENOMEM); + +-- +2.19.1 + diff --git a/queue-4.19/mmc-atmel-mci-do-not-assume-idle-after-atmci_request.patch b/queue-4.19/mmc-atmel-mci-do-not-assume-idle-after-atmci_request.patch new file mode 100644 index 00000000000..d993c0f75f5 --- /dev/null +++ b/queue-4.19/mmc-atmel-mci-do-not-assume-idle-after-atmci_request.patch @@ -0,0 +1,68 @@ +From 7fb5236c2c7be3b7d0c2a3aacd0ea0d58a66c530 Mon Sep 17 00:00:00 2001 +From: Jonas Danielsson +Date: Fri, 19 Oct 2018 16:40:05 +0200 +Subject: mmc: atmel-mci: do not assume idle after atmci_request_end + +[ Upstream commit ae460c115b7aa50c9a36cf78fced07b27962c9d0 ] + +On our AT91SAM9260 board we use the same sdio bus for wifi and for the +sd card slot. This caused the atmel-mci to give the following splat on +the serial console: + + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 538 at drivers/mmc/host/atmel-mci.c:859 atmci_send_command+0x24/0x44 + Modules linked in: + CPU: 0 PID: 538 Comm: mmcqd/0 Not tainted 4.14.76 #14 + Hardware name: Atmel AT91SAM9 + [] (unwind_backtrace) from [] (show_stack+0x10/0x14) + [] (show_stack) from [] (__warn+0xd8/0xf4) + [] (__warn) from [] (warn_slowpath_null+0x1c/0x24) + [] (warn_slowpath_null) from [] (atmci_send_command+0x24/0x44) + [] (atmci_send_command) from [] (atmci_start_request+0x1f4/0x2dc) + [] (atmci_start_request) from [] (atmci_request+0xf0/0x164) + [] (atmci_request) from [] (mmc_start_request+0x280/0x2d0) + [] (mmc_start_request) from [] (mmc_start_areq+0x230/0x330) + [] (mmc_start_areq) from [] (mmc_blk_issue_rw_rq+0xc4/0x310) + [] (mmc_blk_issue_rw_rq) from [] (mmc_blk_issue_rq+0x118/0x5ac) + [] (mmc_blk_issue_rq) from [] (mmc_queue_thread+0xc4/0x118) + [] (mmc_queue_thread) from [] (kthread+0x100/0x118) + [] (kthread) from [] (ret_from_fork+0x14/0x34) + ---[ end trace 594371ddfa284bd6 ]--- + +This is: + WARN_ON(host->cmd); + +This was fixed on our board by letting atmci_request_end determine what +state we are in. Instead of unconditionally setting it to STATE_IDLE on +STATE_END_REQUEST. + +Signed-off-by: Jonas Danielsson +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/atmel-mci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/atmel-mci.c b/drivers/mmc/host/atmel-mci.c +index be53044086c7..fbc56ee99682 100644 +--- a/drivers/mmc/host/atmel-mci.c ++++ b/drivers/mmc/host/atmel-mci.c +@@ -1954,13 +1954,14 @@ static void atmci_tasklet_func(unsigned long priv) + } + + atmci_request_end(host, host->mrq); +- state = STATE_IDLE; ++ goto unlock; /* atmci_request_end() sets host->state */ + break; + } + } while (state != prev_state); + + host->state = state; + ++unlock: + spin_unlock(&host->lock); + } + +-- +2.19.1 + diff --git a/queue-4.19/net-call-sk_dst_reset-when-set-so_dontroute.patch b/queue-4.19/net-call-sk_dst_reset-when-set-so_dontroute.patch new file mode 100644 index 00000000000..0550e286708 --- /dev/null +++ b/queue-4.19/net-call-sk_dst_reset-when-set-so_dontroute.patch @@ -0,0 +1,65 @@ +From a90677b14ce407dba64be9f097533d1007ea3ee2 Mon Sep 17 00:00:00 2001 +From: yupeng +Date: Wed, 5 Dec 2018 18:56:28 -0800 +Subject: net: call sk_dst_reset when set SO_DONTROUTE + +[ Upstream commit 0fbe82e628c817e292ff588cd5847fc935e025f2 ] + +after set SO_DONTROUTE to 1, the IP layer should not route packets if +the dest IP address is not in link scope. But if the socket has cached +the dst_entry, such packets would be routed until the sk_dst_cache +expires. So we should clean the sk_dst_cache when a user set +SO_DONTROUTE option. Below are server/client python scripts which +could reprodue this issue: + +server side code: + +========================================================================== +import socket +import struct +import time + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.bind(('0.0.0.0', 9000)) +s.listen(1) +sock, addr = s.accept() +sock.setsockopt(socket.SOL_SOCKET, socket.SO_DONTROUTE, struct.pack('i', 1)) +while True: + sock.send(b'foo') + time.sleep(1) +========================================================================== + +client side code: +========================================================================== +import socket +import time + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.connect(('server_address', 9000)) +while True: + data = s.recv(1024) + print(data) +========================================================================== + +Signed-off-by: yupeng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 5a8a3b76832f..c9668dcb5eb9 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -698,6 +698,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname, + break; + case SO_DONTROUTE: + sock_valbool_flag(sk, SOCK_LOCALROUTE, valbool); ++ sk_dst_reset(sk); + break; + case SO_BROADCAST: + sock_valbool_flag(sk, SOCK_BROADCAST, valbool); +-- +2.19.1 + diff --git a/queue-4.19/netfilter-ipset-allow-matching-on-destination-mac-ad.patch b/queue-4.19/netfilter-ipset-allow-matching-on-destination-mac-ad.patch new file mode 100644 index 00000000000..cc6e8f9c863 --- /dev/null +++ b/queue-4.19/netfilter-ipset-allow-matching-on-destination-mac-ad.patch @@ -0,0 +1,135 @@ +From 6dbb97e53fee5568f37f02a17f6972bb8d3f268b Mon Sep 17 00:00:00 2001 +From: Stefano Brivio +Date: Fri, 17 Aug 2018 21:09:47 +0200 +Subject: netfilter: ipset: Allow matching on destination MAC address for mac + and ipmac sets + +[ Upstream commit 8cc4ccf58379935f3ad456cc34e61c4e4c921d0e ] + +There doesn't seem to be any reason to restrict MAC address +matching to source MAC addresses in set types bitmap:ipmac, +hash:ipmac and hash:mac. With this patch, and this setup: + + ip netns add A + ip link add veth1 type veth peer name veth2 netns A + ip addr add 192.0.2.1/24 dev veth1 + ip -net A addr add 192.0.2.2/24 dev veth2 + ip link set veth1 up + ip -net A link set veth2 up + + ip netns exec A ipset create test hash:mac + dst=$(ip netns exec A cat /sys/class/net/veth2/address) + ip netns exec A ipset add test ${dst} + ip netns exec A iptables -P INPUT DROP + ip netns exec A iptables -I INPUT -m set --match-set test dst -j ACCEPT + +ipset will match packets based on destination MAC address: + + # ping -c1 192.0.2.2 >/dev/null + # echo $? + 0 + +Reported-by: Yi Chen +Signed-off-by: Stefano Brivio +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_bitmap_ipmac.c | 10 +++++----- + net/netfilter/ipset/ip_set_hash_ipmac.c | 16 ++++++++++------ + net/netfilter/ipset/ip_set_hash_mac.c | 10 +++++----- + 3 files changed, 20 insertions(+), 16 deletions(-) + +diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c +index c00b6a2e8e3c..13ade5782847 100644 +--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c ++++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c +@@ -219,10 +219,6 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb, + struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); + u32 ip; + +- /* MAC can be src only */ +- if (!(opt->flags & IPSET_DIM_TWO_SRC)) +- return 0; +- + ip = ntohl(ip4addr(skb, opt->flags & IPSET_DIM_ONE_SRC)); + if (ip < map->first_ip || ip > map->last_ip) + return -IPSET_ERR_BITMAP_RANGE; +@@ -233,7 +229,11 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb, + return -EINVAL; + + e.id = ip_to_id(map, ip); +- memcpy(e.ether, eth_hdr(skb)->h_source, ETH_ALEN); ++ ++ if (opt->flags & IPSET_DIM_ONE_SRC) ++ ether_addr_copy(e.ether, eth_hdr(skb)->h_source); ++ else ++ ether_addr_copy(e.ether, eth_hdr(skb)->h_dest); + + return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); + } +diff --git a/net/netfilter/ipset/ip_set_hash_ipmac.c b/net/netfilter/ipset/ip_set_hash_ipmac.c +index 1ab5ed2f6839..fd87de3ed55b 100644 +--- a/net/netfilter/ipset/ip_set_hash_ipmac.c ++++ b/net/netfilter/ipset/ip_set_hash_ipmac.c +@@ -103,7 +103,11 @@ hash_ipmac4_kadt(struct ip_set *set, const struct sk_buff *skb, + (skb_mac_header(skb) + ETH_HLEN) > skb->data) + return -EINVAL; + +- memcpy(e.ether, eth_hdr(skb)->h_source, ETH_ALEN); ++ if (opt->flags & IPSET_DIM_ONE_SRC) ++ ether_addr_copy(e.ether, eth_hdr(skb)->h_source); ++ else ++ ether_addr_copy(e.ether, eth_hdr(skb)->h_dest); ++ + if (ether_addr_equal(e.ether, invalid_ether)) + return -EINVAL; + +@@ -211,15 +215,15 @@ hash_ipmac6_kadt(struct ip_set *set, const struct sk_buff *skb, + }; + struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); + +- /* MAC can be src only */ +- if (!(opt->flags & IPSET_DIM_TWO_SRC)) +- return 0; +- + if (skb_mac_header(skb) < skb->head || + (skb_mac_header(skb) + ETH_HLEN) > skb->data) + return -EINVAL; + +- memcpy(e.ether, eth_hdr(skb)->h_source, ETH_ALEN); ++ if (opt->flags & IPSET_DIM_ONE_SRC) ++ ether_addr_copy(e.ether, eth_hdr(skb)->h_source); ++ else ++ ether_addr_copy(e.ether, eth_hdr(skb)->h_dest); ++ + if (ether_addr_equal(e.ether, invalid_ether)) + return -EINVAL; + +diff --git a/net/netfilter/ipset/ip_set_hash_mac.c b/net/netfilter/ipset/ip_set_hash_mac.c +index f9d5a2a1e3d0..4fe5f243d0a3 100644 +--- a/net/netfilter/ipset/ip_set_hash_mac.c ++++ b/net/netfilter/ipset/ip_set_hash_mac.c +@@ -81,15 +81,15 @@ hash_mac4_kadt(struct ip_set *set, const struct sk_buff *skb, + struct hash_mac4_elem e = { { .foo[0] = 0, .foo[1] = 0 } }; + struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); + +- /* MAC can be src only */ +- if (!(opt->flags & IPSET_DIM_ONE_SRC)) +- return 0; +- + if (skb_mac_header(skb) < skb->head || + (skb_mac_header(skb) + ETH_HLEN) > skb->data) + return -EINVAL; + +- ether_addr_copy(e.ether, eth_hdr(skb)->h_source); ++ if (opt->flags & IPSET_DIM_ONE_SRC) ++ ether_addr_copy(e.ether, eth_hdr(skb)->h_source); ++ else ++ ether_addr_copy(e.ether, eth_hdr(skb)->h_dest); ++ + if (is_zero_ether_addr(e.ether)) + return -EINVAL; + return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); +-- +2.19.1 + diff --git a/queue-4.19/netfilter-ipt_clusterip-check-mac-address-when-dupli.patch b/queue-4.19/netfilter-ipt_clusterip-check-mac-address-when-dupli.patch new file mode 100644 index 00000000000..639ddbfb814 --- /dev/null +++ b/queue-4.19/netfilter-ipt_clusterip-check-mac-address-when-dupli.patch @@ -0,0 +1,47 @@ +From c38ccb312db731c9b49b89fd0dc664258a368ad7 Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Mon, 5 Nov 2018 18:23:25 +0900 +Subject: netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is + set + +[ Upstream commit 06aa151ad1fc74a49b45336672515774a678d78d ] + +If same destination IP address config is already existing, that config is +just used. MAC address also should be same. +However, there is no MAC address checking routine. +So that MAC address checking routine is added. + +test commands: + %iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \ + -j CLUSTERIP --new --hashmode sourceip \ + --clustermac 01:00:5e:00:00:20 --total-nodes 2 --local-node 1 + %iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \ + -j CLUSTERIP --new --hashmode sourceip \ + --clustermac 01:00:5e:00:00:21 --total-nodes 2 --local-node 1 + +After this patch, above commands are disallowed. + +Signed-off-by: Taehee Yoo +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv4/netfilter/ipt_CLUSTERIP.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c +index 2c8d313ae216..e40e6795bd20 100644 +--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c ++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c +@@ -496,7 +496,8 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par) + if (IS_ERR(config)) + return PTR_ERR(config); + } +- } ++ } else if (memcmp(&config->clustermac, &cipinfo->clustermac, ETH_ALEN)) ++ return -EINVAL; + + ret = nf_ct_netns_get(par->net, par->family); + if (ret < 0) { +-- +2.19.1 + diff --git a/queue-4.19/netfilter-ipt_clusterip-fix-deadlock-in-netns-exit-r.patch b/queue-4.19/netfilter-ipt_clusterip-fix-deadlock-in-netns-exit-r.patch new file mode 100644 index 00000000000..27d54279ca5 --- /dev/null +++ b/queue-4.19/netfilter-ipt_clusterip-fix-deadlock-in-netns-exit-r.patch @@ -0,0 +1,418 @@ +From cbc9938617c828f5c1ed3b2b7bd8eddb2598b638 Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Mon, 5 Nov 2018 18:22:44 +0900 +Subject: netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine + +[ Upstream commit 5a86d68bcf02f2d1e9a5897dd482079fd5f75e7f ] + +When network namespace is destroyed, cleanup_net() is called. +cleanup_net() holds pernet_ops_rwsem then calls each ->exit callback. +So that clusterip_tg_destroy() is called by cleanup_net(). +And clusterip_tg_destroy() calls unregister_netdevice_notifier(). + +But both cleanup_net() and clusterip_tg_destroy() hold same +lock(pernet_ops_rwsem). hence deadlock occurrs. + +After this patch, only 1 notifier is registered when module is inserted. +And all of configs are added to per-net list. + +test commands: + %ip netns add vm1 + %ip netns exec vm1 bash + %ip link set lo up + %iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \ + -j CLUSTERIP --new --hashmode sourceip \ + --clustermac 01:00:5e:00:00:20 --total-nodes 2 --local-node 1 + %exit + %ip netns del vm1 + +splat looks like: +[ 341.809674] ============================================ +[ 341.809674] WARNING: possible recursive locking detected +[ 341.809674] 4.19.0-rc5+ #16 Tainted: G W +[ 341.809674] -------------------------------------------- +[ 341.809674] kworker/u4:2/87 is trying to acquire lock: +[ 341.809674] 000000005da2d519 (pernet_ops_rwsem){++++}, at: unregister_netdevice_notifier+0x8c/0x460 +[ 341.809674] +[ 341.809674] but task is already holding lock: +[ 341.809674] 000000005da2d519 (pernet_ops_rwsem){++++}, at: cleanup_net+0x119/0x900 +[ 341.809674] +[ 341.809674] other info that might help us debug this: +[ 341.809674] Possible unsafe locking scenario: +[ 341.809674] +[ 341.809674] CPU0 +[ 341.809674] ---- +[ 341.809674] lock(pernet_ops_rwsem); +[ 341.809674] lock(pernet_ops_rwsem); +[ 341.809674] +[ 341.809674] *** DEADLOCK *** +[ 341.809674] +[ 341.809674] May be due to missing lock nesting notation +[ 341.809674] +[ 341.809674] 3 locks held by kworker/u4:2/87: +[ 341.809674] #0: 00000000d9df6c92 ((wq_completion)"%s""netns"){+.+.}, at: process_one_work+0xafe/0x1de0 +[ 341.809674] #1: 00000000c2cbcee2 (net_cleanup_work){+.+.}, at: process_one_work+0xb60/0x1de0 +[ 341.809674] #2: 000000005da2d519 (pernet_ops_rwsem){++++}, at: cleanup_net+0x119/0x900 +[ 341.809674] +[ 341.809674] stack backtrace: +[ 341.809674] CPU: 1 PID: 87 Comm: kworker/u4:2 Tainted: G W 4.19.0-rc5+ #16 +[ 341.809674] Workqueue: netns cleanup_net +[ 341.809674] Call Trace: +[ ... ] +[ 342.070196] down_write+0x93/0x160 +[ 342.070196] ? unregister_netdevice_notifier+0x8c/0x460 +[ 342.070196] ? down_read+0x1e0/0x1e0 +[ 342.070196] ? sched_clock_cpu+0x126/0x170 +[ 342.070196] ? find_held_lock+0x39/0x1c0 +[ 342.070196] unregister_netdevice_notifier+0x8c/0x460 +[ 342.070196] ? register_netdevice_notifier+0x790/0x790 +[ 342.070196] ? __local_bh_enable_ip+0xe9/0x1b0 +[ 342.070196] ? __local_bh_enable_ip+0xe9/0x1b0 +[ 342.070196] ? clusterip_tg_destroy+0x372/0x650 [ipt_CLUSTERIP] +[ 342.070196] ? trace_hardirqs_on+0x93/0x210 +[ 342.070196] ? __bpf_trace_preemptirq_template+0x10/0x10 +[ 342.070196] ? clusterip_tg_destroy+0x372/0x650 [ipt_CLUSTERIP] +[ 342.123094] clusterip_tg_destroy+0x3ad/0x650 [ipt_CLUSTERIP] +[ 342.123094] ? clusterip_net_init+0x3d0/0x3d0 [ipt_CLUSTERIP] +[ 342.123094] ? cleanup_match+0x17d/0x200 [ip_tables] +[ 342.123094] ? xt_unregister_table+0x215/0x300 [x_tables] +[ 342.123094] ? kfree+0xe2/0x2a0 +[ 342.123094] cleanup_entry+0x1d5/0x2f0 [ip_tables] +[ 342.123094] ? cleanup_match+0x200/0x200 [ip_tables] +[ 342.123094] __ipt_unregister_table+0x9b/0x1a0 [ip_tables] +[ 342.123094] iptable_filter_net_exit+0x43/0x80 [iptable_filter] +[ 342.123094] ops_exit_list.isra.10+0x94/0x140 +[ 342.123094] cleanup_net+0x45b/0x900 +[ ... ] + +Fixes: 202f59afd441 ("netfilter: ipt_CLUSTERIP: do not hold dev") +Signed-off-by: Taehee Yoo +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv4/netfilter/ipt_CLUSTERIP.c | 155 ++++++++++++++++------------- + 1 file changed, 87 insertions(+), 68 deletions(-) + +diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c +index 33491cb6b9d1..fb1e7f237f53 100644 +--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c ++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c +@@ -57,17 +57,14 @@ struct clusterip_config { + enum clusterip_hashmode hash_mode; /* which hashing mode */ + u_int32_t hash_initval; /* hash initialization */ + struct rcu_head rcu; +- ++ struct net *net; /* netns for pernet list */ + char ifname[IFNAMSIZ]; /* device ifname */ +- struct notifier_block notifier; /* refresh c->ifindex in it */ + }; + + #ifdef CONFIG_PROC_FS + static const struct file_operations clusterip_proc_fops; + #endif + +-static unsigned int clusterip_net_id __read_mostly; +- + struct clusterip_net { + struct list_head configs; + /* lock protects the configs list */ +@@ -78,16 +75,30 @@ struct clusterip_net { + #endif + }; + ++static unsigned int clusterip_net_id __read_mostly; ++static inline struct clusterip_net *clusterip_pernet(struct net *net) ++{ ++ return net_generic(net, clusterip_net_id); ++} ++ + static inline void + clusterip_config_get(struct clusterip_config *c) + { + refcount_inc(&c->refcount); + } + +- + static void clusterip_config_rcu_free(struct rcu_head *head) + { +- kfree(container_of(head, struct clusterip_config, rcu)); ++ struct clusterip_config *config; ++ struct net_device *dev; ++ ++ config = container_of(head, struct clusterip_config, rcu); ++ dev = dev_get_by_name(config->net, config->ifname); ++ if (dev) { ++ dev_mc_del(dev, config->clustermac); ++ dev_put(dev); ++ } ++ kfree(config); + } + + static inline void +@@ -101,9 +112,9 @@ clusterip_config_put(struct clusterip_config *c) + * entry(rule) is removed, remove the config from lists, but don't free it + * yet, since proc-files could still be holding references */ + static inline void +-clusterip_config_entry_put(struct net *net, struct clusterip_config *c) ++clusterip_config_entry_put(struct clusterip_config *c) + { +- struct clusterip_net *cn = net_generic(net, clusterip_net_id); ++ struct clusterip_net *cn = clusterip_pernet(c->net); + + local_bh_disable(); + if (refcount_dec_and_lock(&c->entries, &cn->lock)) { +@@ -118,8 +129,6 @@ clusterip_config_entry_put(struct net *net, struct clusterip_config *c) + spin_unlock(&cn->lock); + local_bh_enable(); + +- unregister_netdevice_notifier(&c->notifier); +- + return; + } + local_bh_enable(); +@@ -129,7 +138,7 @@ static struct clusterip_config * + __clusterip_config_find(struct net *net, __be32 clusterip) + { + struct clusterip_config *c; +- struct clusterip_net *cn = net_generic(net, clusterip_net_id); ++ struct clusterip_net *cn = clusterip_pernet(net); + + list_for_each_entry_rcu(c, &cn->configs, list) { + if (c->clusterip == clusterip) +@@ -181,32 +190,37 @@ clusterip_netdev_event(struct notifier_block *this, unsigned long event, + void *ptr) + { + struct net_device *dev = netdev_notifier_info_to_dev(ptr); ++ struct net *net = dev_net(dev); ++ struct clusterip_net *cn = clusterip_pernet(net); + struct clusterip_config *c; + +- c = container_of(this, struct clusterip_config, notifier); +- switch (event) { +- case NETDEV_REGISTER: +- if (!strcmp(dev->name, c->ifname)) { +- c->ifindex = dev->ifindex; +- dev_mc_add(dev, c->clustermac); +- } +- break; +- case NETDEV_UNREGISTER: +- if (dev->ifindex == c->ifindex) { +- dev_mc_del(dev, c->clustermac); +- c->ifindex = -1; +- } +- break; +- case NETDEV_CHANGENAME: +- if (!strcmp(dev->name, c->ifname)) { +- c->ifindex = dev->ifindex; +- dev_mc_add(dev, c->clustermac); +- } else if (dev->ifindex == c->ifindex) { +- dev_mc_del(dev, c->clustermac); +- c->ifindex = -1; ++ spin_lock_bh(&cn->lock); ++ list_for_each_entry_rcu(c, &cn->configs, list) { ++ switch (event) { ++ case NETDEV_REGISTER: ++ if (!strcmp(dev->name, c->ifname)) { ++ c->ifindex = dev->ifindex; ++ dev_mc_add(dev, c->clustermac); ++ } ++ break; ++ case NETDEV_UNREGISTER: ++ if (dev->ifindex == c->ifindex) { ++ dev_mc_del(dev, c->clustermac); ++ c->ifindex = -1; ++ } ++ break; ++ case NETDEV_CHANGENAME: ++ if (!strcmp(dev->name, c->ifname)) { ++ c->ifindex = dev->ifindex; ++ dev_mc_add(dev, c->clustermac); ++ } else if (dev->ifindex == c->ifindex) { ++ dev_mc_del(dev, c->clustermac); ++ c->ifindex = -1; ++ } ++ break; + } +- break; + } ++ spin_unlock_bh(&cn->lock); + + return NOTIFY_DONE; + } +@@ -215,30 +229,44 @@ static struct clusterip_config * + clusterip_config_init(struct net *net, const struct ipt_clusterip_tgt_info *i, + __be32 ip, const char *iniface) + { +- struct clusterip_net *cn = net_generic(net, clusterip_net_id); ++ struct clusterip_net *cn = clusterip_pernet(net); + struct clusterip_config *c; ++ struct net_device *dev; + int err; + ++ if (iniface[0] == '\0') { ++ pr_info("Please specify an interface name\n"); ++ return ERR_PTR(-EINVAL); ++ } ++ + c = kzalloc(sizeof(*c), GFP_ATOMIC); + if (!c) + return ERR_PTR(-ENOMEM); + +- strcpy(c->ifname, iniface); +- c->ifindex = -1; +- c->clusterip = ip; ++ dev = dev_get_by_name(net, iniface); ++ if (!dev) { ++ pr_info("no such interface %s\n", iniface); ++ kfree(c); ++ return ERR_PTR(-ENOENT); ++ } ++ c->ifindex = dev->ifindex; ++ strcpy(c->ifname, dev->name); + memcpy(&c->clustermac, &i->clustermac, ETH_ALEN); ++ dev_mc_add(dev, c->clustermac); ++ dev_put(dev); ++ ++ c->clusterip = ip; + c->num_total_nodes = i->num_total_nodes; + clusterip_config_init_nodelist(c, i); + c->hash_mode = i->hash_mode; + c->hash_initval = i->hash_initval; ++ c->net = net; + refcount_set(&c->refcount, 1); + + spin_lock_bh(&cn->lock); + if (__clusterip_config_find(net, ip)) { +- spin_unlock_bh(&cn->lock); +- kfree(c); +- +- return ERR_PTR(-EBUSY); ++ err = -EBUSY; ++ goto out_config_put; + } + + list_add_rcu(&c->list, &cn->configs); +@@ -260,22 +288,17 @@ clusterip_config_init(struct net *net, const struct ipt_clusterip_tgt_info *i, + } + #endif + +- c->notifier.notifier_call = clusterip_netdev_event; +- err = register_netdevice_notifier(&c->notifier); +- if (!err) { +- refcount_set(&c->entries, 1); +- return c; +- } ++ refcount_set(&c->entries, 1); ++ return c; + + #ifdef CONFIG_PROC_FS +- proc_remove(c->pde); + err: + #endif + spin_lock_bh(&cn->lock); + list_del_rcu(&c->list); ++out_config_put: + spin_unlock_bh(&cn->lock); + clusterip_config_put(c); +- + return ERR_PTR(err); + } + +@@ -475,21 +498,6 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par) + &e->ip.dst.s_addr); + return -EINVAL; + } else { +- struct net_device *dev; +- +- if (e->ip.iniface[0] == '\0') { +- pr_info("Please specify an interface name\n"); +- return -EINVAL; +- } +- +- dev = dev_get_by_name(par->net, e->ip.iniface); +- if (!dev) { +- pr_info("no such interface %s\n", +- e->ip.iniface); +- return -ENOENT; +- } +- dev_put(dev); +- + config = clusterip_config_init(par->net, cipinfo, + e->ip.dst.s_addr, + e->ip.iniface); +@@ -503,7 +511,7 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par) + if (ret < 0) { + pr_info("cannot load conntrack support for proto=%u\n", + par->family); +- clusterip_config_entry_put(par->net, config); ++ clusterip_config_entry_put(config); + clusterip_config_put(config); + return ret; + } +@@ -525,7 +533,7 @@ static void clusterip_tg_destroy(const struct xt_tgdtor_param *par) + + /* if no more entries are referencing the config, remove it + * from the list and destroy the proc entry */ +- clusterip_config_entry_put(par->net, cipinfo->config); ++ clusterip_config_entry_put(cipinfo->config); + + clusterip_config_put(cipinfo->config); + +@@ -807,7 +815,7 @@ static const struct file_operations clusterip_proc_fops = { + + static int clusterip_net_init(struct net *net) + { +- struct clusterip_net *cn = net_generic(net, clusterip_net_id); ++ struct clusterip_net *cn = clusterip_pernet(net); + int ret; + + INIT_LIST_HEAD(&cn->configs); +@@ -832,7 +840,7 @@ static int clusterip_net_init(struct net *net) + + static void clusterip_net_exit(struct net *net) + { +- struct clusterip_net *cn = net_generic(net, clusterip_net_id); ++ struct clusterip_net *cn = clusterip_pernet(net); + #ifdef CONFIG_PROC_FS + proc_remove(cn->procdir); + cn->procdir = NULL; +@@ -847,6 +855,10 @@ static struct pernet_operations clusterip_net_ops = { + .size = sizeof(struct clusterip_net), + }; + ++struct notifier_block cip_netdev_notifier = { ++ .notifier_call = clusterip_netdev_event ++}; ++ + static int __init clusterip_tg_init(void) + { + int ret; +@@ -859,11 +871,17 @@ static int __init clusterip_tg_init(void) + if (ret < 0) + goto cleanup_subsys; + ++ ret = register_netdevice_notifier(&cip_netdev_notifier); ++ if (ret < 0) ++ goto unregister_target; ++ + pr_info("ClusterIP Version %s loaded successfully\n", + CLUSTERIP_VERSION); + + return 0; + ++unregister_target: ++ xt_unregister_target(&clusterip_tg_reg); + cleanup_subsys: + unregister_pernet_subsys(&clusterip_net_ops); + return ret; +@@ -873,6 +891,7 @@ static void __exit clusterip_tg_exit(void) + { + pr_info("ClusterIP Version %s unloading\n", CLUSTERIP_VERSION); + ++ unregister_netdevice_notifier(&cip_netdev_notifier); + xt_unregister_target(&clusterip_tg_reg); + unregister_pernet_subsys(&clusterip_net_ops); + +-- +2.19.1 + diff --git a/queue-4.19/netfilter-ipt_clusterip-remove-wrong-warn_on_once-in.patch b/queue-4.19/netfilter-ipt_clusterip-remove-wrong-warn_on_once-in.patch new file mode 100644 index 00000000000..5858aeccd43 --- /dev/null +++ b/queue-4.19/netfilter-ipt_clusterip-remove-wrong-warn_on_once-in.patch @@ -0,0 +1,72 @@ +From 0f7aa49d52769015147e904721c375762c1ff5cb Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Mon, 5 Nov 2018 18:22:55 +0900 +Subject: netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit + routine + +[ Upstream commit b12f7bad5ad3724d19754390a3e80928525c0769 ] + +When network namespace is destroyed, both clusterip_tg_destroy() and +clusterip_net_exit() are called. and clusterip_net_exit() is called +before clusterip_tg_destroy(). +Hence cleanup check code in clusterip_net_exit() doesn't make sense. + +test commands: + %ip netns add vm1 + %ip netns exec vm1 bash + %ip link set lo up + %iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \ + -j CLUSTERIP --new --hashmode sourceip \ + --clustermac 01:00:5e:00:00:20 --total-nodes 2 --local-node 1 + %exit + %ip netns del vm1 + +splat looks like: +[ 341.184508] WARNING: CPU: 1 PID: 87 at net/ipv4/netfilter/ipt_CLUSTERIP.c:840 clusterip_net_exit+0x319/0x380 [ipt_CLUSTERIP] +[ 341.184850] Modules linked in: ipt_CLUSTERIP nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_tcpudp iptable_filter bpfilter ip_tables x_tables +[ 341.184850] CPU: 1 PID: 87 Comm: kworker/u4:2 Not tainted 4.19.0-rc5+ #16 +[ 341.227509] Workqueue: netns cleanup_net +[ 341.227509] RIP: 0010:clusterip_net_exit+0x319/0x380 [ipt_CLUSTERIP] +[ 341.227509] Code: 0f 85 7f fe ff ff 48 c7 c2 80 64 2c c0 be a8 02 00 00 48 c7 c7 a0 63 2c c0 c6 05 18 6e 00 00 01 e8 bc 38 ff f5 e9 5b fe ff ff <0f> 0b e9 33 ff ff ff e8 4b 90 50 f6 e9 2d fe ff ff 48 89 df e8 de +[ 341.227509] RSP: 0018:ffff88011086f408 EFLAGS: 00010202 +[ 341.227509] RAX: dffffc0000000000 RBX: 1ffff1002210de85 RCX: 0000000000000000 +[ 341.227509] RDX: 1ffff1002210de85 RSI: ffff880110813be8 RDI: ffffed002210de58 +[ 341.227509] RBP: ffff88011086f4d0 R08: 0000000000000000 R09: 0000000000000000 +[ 341.227509] R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff1002210de81 +[ 341.227509] R13: ffff880110625a48 R14: ffff880114cec8c8 R15: 0000000000000014 +[ 341.227509] FS: 0000000000000000(0000) GS:ffff880116600000(0000) knlGS:0000000000000000 +[ 341.227509] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 341.227509] CR2: 00007f11fd38e000 CR3: 000000013ca16000 CR4: 00000000001006e0 +[ 341.227509] Call Trace: +[ 341.227509] ? __clusterip_config_find+0x460/0x460 [ipt_CLUSTERIP] +[ 341.227509] ? default_device_exit+0x1ca/0x270 +[ 341.227509] ? remove_proc_entry+0x1cd/0x390 +[ 341.227509] ? dev_change_net_namespace+0xd00/0xd00 +[ 341.227509] ? __init_waitqueue_head+0x130/0x130 +[ 341.227509] ops_exit_list.isra.10+0x94/0x140 +[ 341.227509] cleanup_net+0x45b/0x900 +[ ... ] + +Fixes: 613d0776d3fe ("netfilter: exit_net cleanup check added") +Signed-off-by: Taehee Yoo +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv4/netfilter/ipt_CLUSTERIP.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c +index e40e6795bd20..33491cb6b9d1 100644 +--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c ++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c +@@ -838,7 +838,6 @@ static void clusterip_net_exit(struct net *net) + cn->procdir = NULL; + #endif + nf_unregister_net_hook(net, &cip_arp_ops); +- WARN_ON_ONCE(!list_empty(&cn->configs)); + } + + static struct pernet_operations clusterip_net_ops = { +-- +2.19.1 + diff --git a/queue-4.19/ocfs2-fix-panic-due-to-unrecovered-local-alloc.patch b/queue-4.19/ocfs2-fix-panic-due-to-unrecovered-local-alloc.patch new file mode 100644 index 00000000000..5d10dad2b8f --- /dev/null +++ b/queue-4.19/ocfs2-fix-panic-due-to-unrecovered-local-alloc.patch @@ -0,0 +1,105 @@ +From c9df174d6724652246c2073772d3156567d03148 Mon Sep 17 00:00:00 2001 +From: Junxiao Bi +Date: Fri, 28 Dec 2018 00:32:50 -0800 +Subject: ocfs2: fix panic due to unrecovered local alloc + +[ Upstream commit 532e1e54c8140188e192348c790317921cb2dc1c ] + +mount.ocfs2 ignore the inconsistent error that journal is clean but +local alloc is unrecovered. After mount, local alloc not empty, then +reserver cluster didn't alloc a new local alloc window, reserveration +map is empty(ocfs2_reservation_map.m_bitmap_len = 0), that triggered the +following panic. + +This issue was reported at + + https://oss.oracle.com/pipermail/ocfs2-devel/2015-May/010854.html + +and was advised to fixed during mount. But this is a very unusual +inconsistent state, usually journal dirty flag should be cleared at the +last stage of umount until every other things go right. We may need do +further debug to check that. Any way to avoid possible futher +corruption, mount should be abort and fsck should be run. + + (mount.ocfs2,1765,1):ocfs2_load_local_alloc:353 ERROR: Local alloc hasn't been recovered! + found = 6518, set = 6518, taken = 8192, off = 15912372 + ocfs2: Mounting device (202,64) on (node 0, slot 3) with ordered data mode. + o2dlm: Joining domain 89CEAC63CC4F4D03AC185B44E0EE0F3F ( 0 1 2 3 4 5 6 8 ) 8 nodes + ocfs2: Mounting device (202,80) on (node 0, slot 3) with ordered data mode. + o2hb: Region 89CEAC63CC4F4D03AC185B44E0EE0F3F (xvdf) is now a quorum device + o2net: Accepted connection from node yvwsoa17p (num 7) at 172.22.77.88:7777 + o2dlm: Node 7 joins domain 64FE421C8C984E6D96ED12C55FEE2435 ( 0 1 2 3 4 5 6 7 8 ) 9 nodes + o2dlm: Node 7 joins domain 89CEAC63CC4F4D03AC185B44E0EE0F3F ( 0 1 2 3 4 5 6 7 8 ) 9 nodes + ------------[ cut here ]------------ + kernel BUG at fs/ocfs2/reservations.c:507! + invalid opcode: 0000 [#1] SMP + Modules linked in: ocfs2 rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs fscache lockd grace ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs sunrpc ipt_REJECT nf_reject_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr ipv6 ovmapi ppdev parport_pc parport xen_netfront fb_sys_fops sysimgblt sysfillrect syscopyarea acpi_cpufreq pcspkr i2c_piix4 i2c_core sg ext4 jbd2 mbcache2 sr_mod cdrom xen_blkfront pata_acpi ata_generic ata_piix floppy dm_mirror dm_region_hash dm_log dm_mod + CPU: 0 PID: 4349 Comm: startWebLogic.s Not tainted 4.1.12-124.19.2.el6uek.x86_64 #2 + Hardware name: Xen HVM domU, BIOS 4.4.4OVM 09/06/2018 + task: ffff8803fb04e200 ti: ffff8800ea4d8000 task.ti: ffff8800ea4d8000 + RIP: 0010:[] [] __ocfs2_resv_find_window+0x498/0x760 [ocfs2] + Call Trace: + ocfs2_resmap_resv_bits+0x10d/0x400 [ocfs2] + ocfs2_claim_local_alloc_bits+0xd0/0x640 [ocfs2] + __ocfs2_claim_clusters+0x178/0x360 [ocfs2] + ocfs2_claim_clusters+0x1f/0x30 [ocfs2] + ocfs2_convert_inline_data_to_extents+0x634/0xa60 [ocfs2] + ocfs2_write_begin_nolock+0x1c6/0x1da0 [ocfs2] + ocfs2_write_begin+0x13e/0x230 [ocfs2] + generic_perform_write+0xbf/0x1c0 + __generic_file_write_iter+0x19c/0x1d0 + ocfs2_file_write_iter+0x589/0x1360 [ocfs2] + __vfs_write+0xb8/0x110 + vfs_write+0xa9/0x1b0 + SyS_write+0x46/0xb0 + system_call_fastpath+0x18/0xd7 + Code: ff ff 8b 75 b8 39 75 b0 8b 45 c8 89 45 98 0f 84 e5 fe ff ff 45 8b 74 24 18 41 8b 54 24 1c e9 56 fc ff ff 85 c0 0f 85 48 ff ff ff <0f> 0b 48 8b 05 cf c3 de ff 48 ba 00 00 00 00 00 00 00 10 48 85 + RIP __ocfs2_resv_find_window+0x498/0x760 [ocfs2] + RSP + ---[ end trace 566f07529f2edf3c ]--- + Kernel panic - not syncing: Fatal exception + Kernel Offset: disabled + +Link: http://lkml.kernel.org/r/20181121020023.3034-2-junxiao.bi@oracle.com +Signed-off-by: Junxiao Bi +Reviewed-by: Yiwen Jiang +Acked-by: Joseph Qi +Cc: Jun Piao +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Changwei Ge +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/localalloc.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/fs/ocfs2/localalloc.c b/fs/ocfs2/localalloc.c +index 7642b6712c39..30208233f65b 100644 +--- a/fs/ocfs2/localalloc.c ++++ b/fs/ocfs2/localalloc.c +@@ -345,13 +345,18 @@ int ocfs2_load_local_alloc(struct ocfs2_super *osb) + if (num_used + || alloc->id1.bitmap1.i_used + || alloc->id1.bitmap1.i_total +- || la->la_bm_off) +- mlog(ML_ERROR, "Local alloc hasn't been recovered!\n" ++ || la->la_bm_off) { ++ mlog(ML_ERROR, "inconsistent detected, clean journal with" ++ " unrecovered local alloc, please run fsck.ocfs2!\n" + "found = %u, set = %u, taken = %u, off = %u\n", + num_used, le32_to_cpu(alloc->id1.bitmap1.i_used), + le32_to_cpu(alloc->id1.bitmap1.i_total), + OCFS2_LOCAL_ALLOC(alloc)->la_bm_off); + ++ status = -EINVAL; ++ goto bail; ++ } ++ + osb->local_alloc_bh = alloc_bh; + osb->local_alloc_state = OCFS2_LA_ENABLED; + +-- +2.19.1 + diff --git a/queue-4.19/of-overlay-add-missing-of_node_put-after-add-new-nod.patch b/queue-4.19/of-overlay-add-missing-of_node_put-after-add-new-nod.patch new file mode 100644 index 00000000000..08a7750fcc2 --- /dev/null +++ b/queue-4.19/of-overlay-add-missing-of_node_put-after-add-new-nod.patch @@ -0,0 +1,69 @@ +From f2759009a34df32e31003f83c96f0d3b5d2e4dc2 Mon Sep 17 00:00:00 2001 +From: Frank Rowand +Date: Thu, 4 Oct 2018 20:25:13 -0700 +Subject: of: overlay: add missing of_node_put() after add new node to + changeset + +[ Upstream commit 7c528e457d53c75107d5aa56892316d265c778de ] + +The refcount of a newly added overlay node decrements to one +(instead of zero) when the overlay changeset is destroyed. This +change will cause the final decrement be to zero. + +After applying this patch, new validation warnings will be +reported from the devicetree unittest during boot due to +a pre-existing devicetree bug. The warnings will be similar to: + + OF: ERROR: memory leak before free overlay changeset, /testcase-data/overlay-node/test-bus/test-unittest4 + +This pre-existing devicetree bug will also trigger a WARN_ONCE() from +refcount_sub_and_test_checked() when an overlay changeset is +destroyed without having first been applied. This scenario occurs +when an error in the overlay is detected during the overlay changeset +creation: + + WARNING: CPU: 0 PID: 1 at lib/refcount.c:187 refcount_sub_and_test_checked+0xa8/0xbc + refcount_t: underflow; use-after-free. + + (unwind_backtrace) from (show_stack+0x10/0x14) + (show_stack) from (dump_stack+0x6c/0x8c) + (dump_stack) from (__warn+0xdc/0x104) + (__warn) from (warn_slowpath_fmt+0x44/0x6c) + (warn_slowpath_fmt) from (refcount_sub_and_test_checked+0xa8/0xbc) + (refcount_sub_and_test_checked) from (kobject_put+0x24/0x208) + (kobject_put) from (of_changeset_destroy+0x2c/0xb4) + (of_changeset_destroy) from (free_overlay_changeset+0x1c/0x9c) + (free_overlay_changeset) from (of_overlay_remove+0x284/0x2cc) + (of_overlay_remove) from (of_unittest_apply_revert_overlay_check.constprop.4+0xf8/0x1e8) + (of_unittest_apply_revert_overlay_check.constprop.4) from (of_unittest_overlay+0x960/0xed8) + (of_unittest_overlay) from (of_unittest+0x1cc4/0x2138) + (of_unittest) from (do_one_initcall+0x4c/0x28c) + (do_one_initcall) from (kernel_init_freeable+0x29c/0x378) + (kernel_init_freeable) from (kernel_init+0x8/0x110) + (kernel_init) from (ret_from_fork+0x14/0x2c) + +Tested-by: Alan Tull +Signed-off-by: Frank Rowand +Signed-off-by: Sasha Levin +--- + drivers/of/overlay.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c +index eda57ef12fd0..baa9cee6fa2c 100644 +--- a/drivers/of/overlay.c ++++ b/drivers/of/overlay.c +@@ -378,7 +378,9 @@ static int add_changeset_node(struct overlay_changeset *ovcs, + if (ret) + return ret; + +- return build_changeset_next_level(ovcs, tchild, node); ++ ret = build_changeset_next_level(ovcs, tchild, node); ++ of_node_put(tchild); ++ return ret; + } + + if (node->phandle && tchild->phandle) +-- +2.19.1 + diff --git a/queue-4.19/perf-cs-etm-correct-packets-swapping-in-cs_etm__flus.patch b/queue-4.19/perf-cs-etm-correct-packets-swapping-in-cs_etm__flus.patch new file mode 100644 index 00000000000..d64e150bd64 --- /dev/null +++ b/queue-4.19/perf-cs-etm-correct-packets-swapping-in-cs_etm__flus.patch @@ -0,0 +1,61 @@ +From 3fc10e5f028ca02bb401f9ef7803a5880f9d22b4 Mon Sep 17 00:00:00 2001 +From: Leo Yan +Date: Tue, 11 Dec 2018 15:38:21 +0800 +Subject: perf cs-etm: Correct packets swapping in cs_etm__flush() + +[ Upstream commit 43fd56669c28cd354e9228bdb58e4bca1c1a8b66 ] + +The structure cs_etm_queue uses 'prev_packet' to point to previous +packet, this can be used to combine with new coming packet to generate +samples. + +In function cs_etm__flush() it swaps packets only when the flag +'etm->synth_opts.last_branch' is true, this means that it will not swap +packets if without option '--itrace=il' to generate last branch entries; +thus for this case the 'prev_packet' doesn't point to the correct +previous packet and the stale packet still will be used to generate +sequential sample. Thus if dump trace with 'perf script' command we can +see the incorrect flow with the stale packet's address info. + +This patch corrects packets swapping in cs_etm__flush(); except using +the flag 'etm->synth_opts.last_branch' it also checks the another flag +'etm->sample_branches', if any flag is true then it swaps packets so can +save correct content to 'prev_packet'. Finally this can fix the wrong +program flow dumping issue. + +The patch has a minor refactoring to use 'etm->synth_opts.last_branch' +instead of 'etmq->etm->synth_opts.last_branch' for condition checking, +this is consistent with that is done in cs_etm__sample(). + +Signed-off-by: Leo Yan +Reviewed-by: Mathieu Poirier +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Mike Leach +Cc: Namhyung Kim +Cc: Robert Walker +Cc: coresight@lists.linaro.org +Cc: linux-arm-kernel@lists.infradead.org +Link: http://lkml.kernel.org/r/1544513908-16805-2-git-send-email-leo.yan@linaro.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/cs-etm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/cs-etm.c b/tools/perf/util/cs-etm.c +index ca577658e890..7b5e15cc6b71 100644 +--- a/tools/perf/util/cs-etm.c ++++ b/tools/perf/util/cs-etm.c +@@ -1005,7 +1005,7 @@ static int cs_etm__flush(struct cs_etm_queue *etmq) + } + + swap_packet: +- if (etmq->etm->synth_opts.last_branch) { ++ if (etm->sample_branches || etm->synth_opts.last_branch) { + /* + * Swap PACKET with PREV_PACKET: PACKET becomes PREV_PACKET for + * the next incoming packet. +-- +2.19.1 + diff --git a/queue-4.19/perf-intel-pt-fix-error-with-config-term-pt-0.patch b/queue-4.19/perf-intel-pt-fix-error-with-config-term-pt-0.patch new file mode 100644 index 00000000000..cc4ad7e2f82 --- /dev/null +++ b/queue-4.19/perf-intel-pt-fix-error-with-config-term-pt-0.patch @@ -0,0 +1,70 @@ +From ba8c5718864fbd8bd013bc96ced78b7164a5e64f Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Mon, 26 Nov 2018 14:12:52 +0200 +Subject: perf intel-pt: Fix error with config term "pt=0" + +[ Upstream commit 1c6f709b9f96366cc47af23c05ecec9b8c0c392d ] + +Users should never use 'pt=0', but if they do it may give a meaningless +error: + + $ perf record -e intel_pt/pt=0/u uname + Error: + The sys_perf_event_open() syscall returned with 22 (Invalid argument) for + event (intel_pt/pt=0/u). + +Fix that by forcing 'pt=1'. + +Committer testing: + + # perf record -e intel_pt/pt=0/u uname + Error: + The sys_perf_event_open() syscall returned with 22 (Invalid argument) for event (intel_pt/pt=0/u). + /bin/dmesg | grep -i perf may provide additional information. + + # perf record -e intel_pt/pt=0/u uname + pt=0 doesn't make sense, forcing pt=1 + Linux + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.020 MB perf.data ] + # + +Signed-off-by: Adrian Hunter +Tested-by: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Link: http://lkml.kernel.org/r/b7c5b4e5-9497-10e5-fd43-5f3e4a0fe51d@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/arch/x86/util/intel-pt.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/tools/perf/arch/x86/util/intel-pt.c b/tools/perf/arch/x86/util/intel-pt.c +index db0ba8caf5a2..ba8ecaf52200 100644 +--- a/tools/perf/arch/x86/util/intel-pt.c ++++ b/tools/perf/arch/x86/util/intel-pt.c +@@ -524,10 +524,21 @@ static int intel_pt_validate_config(struct perf_pmu *intel_pt_pmu, + struct perf_evsel *evsel) + { + int err; ++ char c; + + if (!evsel) + return 0; + ++ /* ++ * If supported, force pass-through config term (pt=1) even if user ++ * sets pt=0, which avoids senseless kernel errors. ++ */ ++ if (perf_pmu__scan_file(intel_pt_pmu, "format/pt", "%c", &c) == 1 && ++ !(evsel->attr.config & 1)) { ++ pr_warning("pt=0 doesn't make sense, forcing pt=1\n"); ++ evsel->attr.config |= 1; ++ } ++ + err = intel_pt_val_config_term(intel_pt_pmu, "caps/cycle_thresholds", + "cyc_thresh", "caps/psb_cyc", + evsel->attr.config); +-- +2.19.1 + diff --git a/queue-4.19/perf-parse-events-fix-unchecked-usage-of-strncpy.patch b/queue-4.19/perf-parse-events-fix-unchecked-usage-of-strncpy.patch new file mode 100644 index 00000000000..685ec586e4b --- /dev/null +++ b/queue-4.19/perf-parse-events-fix-unchecked-usage-of-strncpy.patch @@ -0,0 +1,56 @@ +From c00ee681e2610f927aed674313328da63312e029 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Thu, 6 Dec 2018 13:52:13 -0300 +Subject: perf parse-events: Fix unchecked usage of strncpy() + +[ Upstream commit bd8d57fb7e25e9fcf67a9eef5fa13aabe2016e07 ] + +The strncpy() function may leave the destination string buffer +unterminated, better use strlcpy() that we have a __weak fallback +implementation for systems without it. + +This fixes this warning on an Alpine Linux Edge system with gcc 8.2: + + util/parse-events.c: In function 'print_symbol_events': + util/parse-events.c:2465:4: error: 'strncpy' specified bound 100 equals destination size [-Werror=stringop-truncation] + strncpy(name, syms->symbol, MAX_NAME_LEN); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + In function 'print_symbol_events.constprop', + inlined from 'print_events' at util/parse-events.c:2508:2: + util/parse-events.c:2465:4: error: 'strncpy' specified bound 100 equals destination size [-Werror=stringop-truncation] + strncpy(name, syms->symbol, MAX_NAME_LEN); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + In function 'print_symbol_events.constprop', + inlined from 'print_events' at util/parse-events.c:2511:2: + util/parse-events.c:2465:4: error: 'strncpy' specified bound 100 equals destination size [-Werror=stringop-truncation] + strncpy(name, syms->symbol, MAX_NAME_LEN); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + cc1: all warnings being treated as errors + +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Namhyung Kim +Fixes: 947b4ad1d198 ("perf list: Fix max event string size") +Link: https://lkml.kernel.org/n/tip-b663e33bm6x8hrkie4uxh7u2@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/parse-events.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/parse-events.c b/tools/perf/util/parse-events.c +index f8cd3e7c9186..ebb18a9bc460 100644 +--- a/tools/perf/util/parse-events.c ++++ b/tools/perf/util/parse-events.c +@@ -2454,7 +2454,7 @@ restart: + if (!name_only && strlen(syms->alias)) + snprintf(name, MAX_NAME_LEN, "%s OR %s", syms->symbol, syms->alias); + else +- strncpy(name, syms->symbol, MAX_NAME_LEN); ++ strlcpy(name, syms->symbol, MAX_NAME_LEN); + + evt_list[evt_i] = strdup(name); + if (evt_list[evt_i] == NULL) +-- +2.19.1 + diff --git a/queue-4.19/perf-stat-avoid-segfaults-caused-by-negated-options.patch b/queue-4.19/perf-stat-avoid-segfaults-caused-by-negated-options.patch new file mode 100644 index 00000000000..ab8e756d68f --- /dev/null +++ b/queue-4.19/perf-stat-avoid-segfaults-caused-by-negated-options.patch @@ -0,0 +1,61 @@ +From ad10a8e06fe2b00a8b3cf580edfb93675985129a Mon Sep 17 00:00:00 2001 +From: Michael Petlan +Date: Mon, 10 Dec 2018 11:00:04 -0500 +Subject: perf stat: Avoid segfaults caused by negated options + +[ Upstream commit 51433ead1460fb3f46e1c34f68bb22fd2dd0f5d0 ] + +Some 'perf stat' options do not make sense to be negated (event, +cgroup), some do not have negated path implemented (metrics). Due to +that, it is better to disable the "no-" prefix for them, since +otherwise, the later opt-parsing segfaults. + +Before: + + $ perf stat --no-metrics -- ls + Segmentation fault (core dumped) + +After: + + $ perf stat --no-metrics -- ls + Error: option `no-metrics' isn't available + Usage: perf stat [] [] + +Signed-off-by: Michael Petlan +Tested-by: Arnaldo Carvalho de Melo +LPU-Reference: 1485912065.62416880.1544457604340.JavaMail.zimbra@redhat.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-stat.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c +index d097b5b47eb8..40720150ccd8 100644 +--- a/tools/perf/builtin-stat.c ++++ b/tools/perf/builtin-stat.c +@@ -1961,7 +1961,7 @@ static int parse_metric_groups(const struct option *opt, + return metricgroup__parse_groups(opt, str, &metric_events); + } + +-static const struct option stat_options[] = { ++static struct option stat_options[] = { + OPT_BOOLEAN('T', "transaction", &transaction_run, + "hardware transaction statistics"), + OPT_CALLBACK('e', "event", &evsel_list, "event", +@@ -2847,6 +2847,12 @@ int cmd_stat(int argc, const char **argv) + return -ENOMEM; + + parse_events__shrink_config_terms(); ++ ++ /* String-parsing callback-based options would segfault when negated */ ++ set_option_flag(stat_options, 'e', "event", PARSE_OPT_NONEG); ++ set_option_flag(stat_options, 'M', "metrics", PARSE_OPT_NONEG); ++ set_option_flag(stat_options, 'G', "cgroup", PARSE_OPT_NONEG); ++ + argc = parse_options_subcommand(argc, argv, stat_options, stat_subcommands, + (const char **) stat_usage, + PARSE_OPT_STOP_AT_NON_OPTION); +-- +2.19.1 + diff --git a/queue-4.19/perf-svghelper-fix-unchecked-usage-of-strncpy.patch b/queue-4.19/perf-svghelper-fix-unchecked-usage-of-strncpy.patch new file mode 100644 index 00000000000..21ded70ea9b --- /dev/null +++ b/queue-4.19/perf-svghelper-fix-unchecked-usage-of-strncpy.patch @@ -0,0 +1,55 @@ +From e30e0a7839ea5b4611e153a8680d7b00c106e577 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Thu, 6 Dec 2018 11:29:48 -0300 +Subject: perf svghelper: Fix unchecked usage of strncpy() + +[ Upstream commit 2f5302533f306d5ee87bd375aef9ca35b91762cb ] + +The strncpy() function may leave the destination string buffer +unterminated, better use strlcpy() that we have a __weak fallback +implementation for systems without it. + +In this specific case this would only happen if fgets() was buggy, as +its man page states that it should read one less byte than the size of +the destination buffer, so that it can put the nul byte at the end of +it, so it would never copy 255 non-nul chars, as fgets reads into the +orig buffer at most 254 non-nul chars and terminates it. But lets just +switch to strlcpy to keep the original intent and silence the gcc 8.2 +warning. + +This fixes this warning on an Alpine Linux Edge system with gcc 8.2: + + In function 'cpu_model', + inlined from 'svg_cpu_box' at util/svghelper.c:378:2: + util/svghelper.c:337:5: error: 'strncpy' output may be truncated copying 255 bytes from a string of length 255 [-Werror=stringop-truncation] + strncpy(cpu_m, &buf[13], 255); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Arjan van de Ven +Fixes: f48d55ce7871 ("perf: Add a SVG helper library file") +Link: https://lkml.kernel.org/n/tip-xzkoo0gyr56gej39ltivuh9g@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/svghelper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/svghelper.c b/tools/perf/util/svghelper.c +index 1cbada2dc6be..f735ee038713 100644 +--- a/tools/perf/util/svghelper.c ++++ b/tools/perf/util/svghelper.c +@@ -334,7 +334,7 @@ static char *cpu_model(void) + if (file) { + while (fgets(buf, 255, file)) { + if (strstr(buf, "model name")) { +- strncpy(cpu_m, &buf[13], 255); ++ strlcpy(cpu_m, &buf[13], 255); + break; + } + } +-- +2.19.1 + diff --git a/queue-4.19/perf-tests-arm-disable-breakpoint-tests-32-bit.patch b/queue-4.19/perf-tests-arm-disable-breakpoint-tests-32-bit.patch new file mode 100644 index 00000000000..b3095fa6cb5 --- /dev/null +++ b/queue-4.19/perf-tests-arm-disable-breakpoint-tests-32-bit.patch @@ -0,0 +1,70 @@ +From 655e044fc3f1849359cbb6498a53a84eb494c74f Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Mon, 3 Dec 2018 11:11:36 -0800 +Subject: perf tests ARM: Disable breakpoint tests 32-bit + +[ Upstream commit 24f967337f6d6bce931425769c0f5ff5cf2d212e ] + +The breakpoint tests on the ARM 32-bit kernel are broken in several +ways. + +The breakpoint length requested does not necessarily match whether the +function address has the Thumb bit (bit 0) set or not, and this does +matter to the ARM kernel hw_breakpoint infrastructure. See [1] for +background. + +[1]: https://lkml.org/lkml/2018/11/15/205 + +As Will indicated, the overflow handling would require single-stepping +which is not supported at the moment. Just disable those tests for the +ARM 32-bit platforms and update the comment above to explain these +limitations. + +Co-developed-by: Will Deacon +Signed-off-by: Florian Fainelli +Signed-off-by: Will Deacon +Acked-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20181203191138.2419-1-f.fainelli@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/bp_signal.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/tools/perf/tests/bp_signal.c b/tools/perf/tests/bp_signal.c +index a467615c5a0e..910e25e64188 100644 +--- a/tools/perf/tests/bp_signal.c ++++ b/tools/perf/tests/bp_signal.c +@@ -291,12 +291,20 @@ int test__bp_signal(struct test *test __maybe_unused, int subtest __maybe_unused + + bool test__bp_signal_is_supported(void) + { +-/* +- * The powerpc so far does not have support to even create +- * instruction breakpoint using the perf event interface. +- * Once it's there we can release this. +- */ +-#if defined(__powerpc__) || defined(__s390x__) ++ /* ++ * PowerPC and S390 do not support creation of instruction ++ * breakpoints using the perf_event interface. ++ * ++ * ARM requires explicit rounding down of the instruction ++ * pointer in Thumb mode, and then requires the single-step ++ * to be handled explicitly in the overflow handler to avoid ++ * stepping into the SIGIO handler and getting stuck on the ++ * breakpointed instruction. ++ * ++ * Just disable the test for these architectures until these ++ * issues are resolved. ++ */ ++#if defined(__powerpc__) || defined(__s390x__) || defined(__arm__) + return false; + #else + return true; +-- +2.19.1 + diff --git a/queue-4.19/perf-tools-add-missing-open_memstream-prototype-for-.patch b/queue-4.19/perf-tools-add-missing-open_memstream-prototype-for-.patch new file mode 100644 index 00000000000..c41d6b1cd28 --- /dev/null +++ b/queue-4.19/perf-tools-add-missing-open_memstream-prototype-for-.patch @@ -0,0 +1,71 @@ +From e1e17dd719d67f44bbe1676a45ec309dcc374c7c Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Tue, 11 Dec 2018 16:31:19 -0300 +Subject: perf tools: Add missing open_memstream() prototype for systems + lacking it + +[ Upstream commit d7a8c4a6a055097a67ccfa3ca7c9ff1b64603a70 ] + +There are systems such as the Android NDK API level 24 has the +open_memstream() function but doesn't provide a prototype, adding noise +to the build: + + builtin-timechart.c: In function 'cat_backtrace': + builtin-timechart.c:486:2: warning: implicit declaration of function 'open_memstream' [-Wimplicit-function-declaration] + FILE *f = open_memstream(&p, &p_len); + ^ + builtin-timechart.c:486:2: warning: nested extern declaration of 'open_memstream' [-Wnested-externs] + builtin-timechart.c:486:12: warning: initialization makes pointer from integer without a cast + FILE *f = open_memstream(&p, &p_len); + ^ + +Define a LACKS_OPEN_MEMSTREAM_PROTOTYPE define so that code needing that +can get a prototype. + +Checked in the bionic git repo to be available since level 23: + +https://android.googlesource.com/platform/bionic/+/master/libc/include/stdio.h#241 + + FILE* open_memstream(char** __ptr, size_t* __size_ptr) __INTRODUCED_IN(23); + +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: https://lkml.kernel.org/n/tip-343ashae97e5bq6vizusyfno@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/Makefile.config | 1 + + tools/perf/builtin-timechart.c | 4 ++++ + 2 files changed, 5 insertions(+) + +diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config +index ff7a753cc487..f00ea77f5f08 100644 +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -295,6 +295,7 @@ ifndef NO_BIONIC + ifeq ($(feature-bionic), 1) + BIONIC := 1 + CFLAGS += -DLACKS_SIGQUEUE_PROTOTYPE ++ CFLAGS += -DLACKS_OPEN_MEMSTREAM_PROTOTYPE + EXTLIBS := $(filter-out -lrt,$(EXTLIBS)) + EXTLIBS := $(filter-out -lpthread,$(EXTLIBS)) + endif +diff --git a/tools/perf/builtin-timechart.c b/tools/perf/builtin-timechart.c +index a827919c6263..775b99833e51 100644 +--- a/tools/perf/builtin-timechart.c ++++ b/tools/perf/builtin-timechart.c +@@ -43,6 +43,10 @@ + #include "util/data.h" + #include "util/debug.h" + ++#ifdef LACKS_OPEN_MEMSTREAM_PROTOTYPE ++FILE *open_memstream(char **ptr, size_t *sizeloc); ++#endif ++ + #define SUPPORT_OLD_POWER_EVENTS 1 + #define PWR_EVENT_EXIT -1 + +-- +2.19.1 + diff --git a/queue-4.19/perf-tools-add-missing-sigqueue-prototype-for-system.patch b/queue-4.19/perf-tools-add-missing-sigqueue-prototype-for-system.patch new file mode 100644 index 00000000000..effb557d01f --- /dev/null +++ b/queue-4.19/perf-tools-add-missing-sigqueue-prototype-for-system.patch @@ -0,0 +1,67 @@ +From 2ac152eecb33b1896f97ed73f2c3c1f417104c81 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Tue, 11 Dec 2018 15:48:47 -0300 +Subject: perf tools: Add missing sigqueue() prototype for systems lacking it + +[ Upstream commit 748fe0889c1ff12d378946bd5326e8ee8eacf5cf ] + +There are systems such as the Android NDK API level 24 has the +sigqueue() function but doesn't provide a prototype, adding noise to the +build: + + util/evlist.c: In function 'perf_evlist__prepare_workload': + util/evlist.c:1494:4: warning: implicit declaration of function 'sigqueue' [-Wimplicit-function-declaration] + if (sigqueue(getppid(), SIGUSR1, val)) + ^ + util/evlist.c:1494:4: warning: nested extern declaration of 'sigqueue' [-Wnested-externs] + +Define a LACKS_SIGQUEUE_PROTOTYPE define so that code needing that can +get a prototype. + +Checked in the bionic git repo to be available since level 23: + +https://android.googlesource.com/platform/bionic/+/master/libc/include/signal.h#123 + + int sigqueue(pid_t __pid, int __signal, const union sigval __value) __INTRODUCED_IN(23); + +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: https://lkml.kernel.org/n/tip-lmhpev1uni9kdrv7j29glyov@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/Makefile.config | 1 + + tools/perf/util/evlist.c | 4 ++++ + 2 files changed, 5 insertions(+) + +diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config +index e30d20fb482d..ff7a753cc487 100644 +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -294,6 +294,7 @@ ifndef NO_BIONIC + $(call feature_check,bionic) + ifeq ($(feature-bionic), 1) + BIONIC := 1 ++ CFLAGS += -DLACKS_SIGQUEUE_PROTOTYPE + EXTLIBS := $(filter-out -lrt,$(EXTLIBS)) + EXTLIBS := $(filter-out -lpthread,$(EXTLIBS)) + endif +diff --git a/tools/perf/util/evlist.c b/tools/perf/util/evlist.c +index be440df29615..819aa4491b53 100644 +--- a/tools/perf/util/evlist.c ++++ b/tools/perf/util/evlist.c +@@ -34,6 +34,10 @@ + #include + #include + ++#ifdef LACKS_SIGQUEUE_PROTOTYPE ++int sigqueue(pid_t pid, int sig, const union sigval value); ++#endif ++ + #define FD(e, x, y) (*(int *)xyarray__entry(e->fd, x, y)) + #define SID(e, x, y) xyarray__entry(e->sample_id, x, y) + +-- +2.19.1 + diff --git a/queue-4.19/perf-vendor-events-intel-fix-load_miss_real_latency-.patch b/queue-4.19/perf-vendor-events-intel-fix-load_miss_real_latency-.patch new file mode 100644 index 00000000000..6439cccdc3b --- /dev/null +++ b/queue-4.19/perf-vendor-events-intel-fix-load_miss_real_latency-.patch @@ -0,0 +1,75 @@ +From 7f8457e0b3a7bb3573a068cc9cd89e0a51ffb99a Mon Sep 17 00:00:00 2001 +From: Andi Kleen +Date: Mon, 19 Nov 2018 21:06:35 -0800 +Subject: perf vendor events intel: Fix Load_Miss_Real_Latency on SKL/SKX + +[ Upstream commit 91b2b97025097ce7ca7536bc87eba2bf14760fb4 ] + +Fix incorrect event names for the Load_Miss_Real_Latency metric for +Skylake and Skylake Server. + +Fixes https://github.com/andikleen/pmu-tools/issues/158 + +Before: + + % perf stat -M Load_Miss_Real_Latency true + event syntax error: '..ss.pending,mem_load_retired.l1_miss_ps,mem_load_retired.fb_hit_ps}:W' + \___ parser error + + Usage: perf stat [] [] + + -M, --metrics + monitor specified metrics or metric groups (separated by ,) + +After: + + % perf stat -M Load_Miss_Real_Latency true + + Performance counter stats for 'true': + + 279,204 l1d_pend_miss.pending # 14.0 Load_Miss_Real_Latency + 4,784 mem_load_uops_retired.l1_miss + 15,188 mem_load_uops_retired.hit_lfb + + 0.000899640 seconds time elapsed + +Signed-off-by: Andi Kleen +Acked-by: Jiri Olsa +Tested-by: Arnaldo Carvalho de Melo +Link: http://lkml.kernel.org/r/20181120050635.4215-1-andi@firstfloor.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/pmu-events/arch/x86/skylake/skl-metrics.json | 2 +- + tools/perf/pmu-events/arch/x86/skylakex/skx-metrics.json | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/pmu-events/arch/x86/skylake/skl-metrics.json b/tools/perf/pmu-events/arch/x86/skylake/skl-metrics.json +index 36c903faed0b..71e9737f4614 100644 +--- a/tools/perf/pmu-events/arch/x86/skylake/skl-metrics.json ++++ b/tools/perf/pmu-events/arch/x86/skylake/skl-metrics.json +@@ -73,7 +73,7 @@ + }, + { + "BriefDescription": "Actual Average Latency for L1 data-cache miss demand loads", +- "MetricExpr": "L1D_PEND_MISS.PENDING / ( MEM_LOAD_RETIRED.L1_MISS_PS + MEM_LOAD_RETIRED.FB_HIT_PS )", ++ "MetricExpr": "L1D_PEND_MISS.PENDING / ( MEM_LOAD_RETIRED.L1_MISS + MEM_LOAD_RETIRED.FB_HIT )", + "MetricGroup": "Memory_Bound;Memory_Lat", + "MetricName": "Load_Miss_Real_Latency" + }, +diff --git a/tools/perf/pmu-events/arch/x86/skylakex/skx-metrics.json b/tools/perf/pmu-events/arch/x86/skylakex/skx-metrics.json +index 36c903faed0b..71e9737f4614 100644 +--- a/tools/perf/pmu-events/arch/x86/skylakex/skx-metrics.json ++++ b/tools/perf/pmu-events/arch/x86/skylakex/skx-metrics.json +@@ -73,7 +73,7 @@ + }, + { + "BriefDescription": "Actual Average Latency for L1 data-cache miss demand loads", +- "MetricExpr": "L1D_PEND_MISS.PENDING / ( MEM_LOAD_RETIRED.L1_MISS_PS + MEM_LOAD_RETIRED.FB_HIT_PS )", ++ "MetricExpr": "L1D_PEND_MISS.PENDING / ( MEM_LOAD_RETIRED.L1_MISS + MEM_LOAD_RETIRED.FB_HIT )", + "MetricGroup": "Memory_Bound;Memory_Lat", + "MetricName": "Load_Miss_Real_Latency" + }, +-- +2.19.1 + diff --git a/queue-4.19/platform-x86-asus-wmi-tell-the-ec-the-os-will-handle.patch b/queue-4.19/platform-x86-asus-wmi-tell-the-ec-the-os-will-handle.patch new file mode 100644 index 00000000000..0bf80a65b33 --- /dev/null +++ b/queue-4.19/platform-x86-asus-wmi-tell-the-ec-the-os-will-handle.patch @@ -0,0 +1,135 @@ +From ef798dd3b030fa2adde862ee4bc397348e95023f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jo=C3=A3o=20Paulo=20Rechi=20Vita?= +Date: Wed, 31 Oct 2018 17:21:26 -0700 +Subject: platform/x86: asus-wmi: Tell the EC the OS will handle the display + off hotkey +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 78f3ac76d9e5219589718b9e4733bee21627b3f5 ] + +In the past, Asus firmwares would change the panel backlight directly +through the EC when the display off hotkey (Fn+F7) was pressed, and +only notify the OS of such change, with 0x33 when the LCD was ON and +0x34 when the LCD was OFF. These are currently mapped to +KEY_DISPLAYTOGGLE and KEY_DISPLAY_OFF, respectively. + +Most recently the EC on Asus most machines lost ability to toggle the +LCD backlight directly, but unless the OS informs the firmware it is +going to handle the display toggle hotkey events, the firmware still +tries change the brightness through the EC, to no effect. The end result +is a long list (at Endless we counted 11) of Asus laptop models where +the display toggle hotkey does not perform any action. Our firmware +engineers contacts at Asus were surprised that there were still machines +out there with the old behavior. + +Calling WMNB(ASUS_WMI_DEVID_BACKLIGHT==0x00050011, 2) on the _WDG device +tells the firmware that it should let the OS handle the display toggle +event, in which case it will simply notify the OS of a key press with +0x35, as shown by the DSDT excerpts bellow. + + Scope (_SB) + { + (...) + + Device (ATKD) + { + (...) + + Name (_WDG, Buffer (0x28) + { + /* 0000 */ 0xD0, 0x5E, 0x84, 0x97, 0x6D, 0x4E, 0xDE, 0x11, + /* 0008 */ 0x8A, 0x39, 0x08, 0x00, 0x20, 0x0C, 0x9A, 0x66, + /* 0010 */ 0x4E, 0x42, 0x01, 0x02, 0x35, 0xBB, 0x3C, 0x0B, + /* 0018 */ 0xC2, 0xE3, 0xED, 0x45, 0x91, 0xC2, 0x4C, 0x5A, + /* 0020 */ 0x6D, 0x19, 0x5D, 0x1C, 0xFF, 0x00, 0x01, 0x08 + }) + Method (WMNB, 3, Serialized) + { + CreateDWordField (Arg2, Zero, IIA0) + CreateDWordField (Arg2, 0x04, IIA1) + Local0 = (Arg1 & 0xFFFFFFFF) + + (...) + + If ((Local0 == 0x53564544)) + { + (...) + + If ((IIA0 == 0x00050011)) + { + If ((IIA1 == 0x02)) + { + ^^PCI0.SBRG.EC0.SPIN (0x72, One) + ^^PCI0.SBRG.EC0.BLCT = One + } + + Return (One) + } + } + (...) + } + (...) + } + (...) + } + (...) + + Scope (_SB.PCI0.SBRG.EC0) + { + (...) + + Name (BLCT, Zero) + + (...) + + Method (_Q10, 0, NotSerialized) // _Qxx: EC Query + { + If ((BLCT == Zero)) + { + Local0 = One + Local0 = RPIN (0x72) + Local0 ^= One + SPIN (0x72, Local0) + If (ATKP) + { + Local0 = (0x34 - Local0) + ^^^^ATKD.IANE (Local0) + } + } + ElseIf ((BLCT == One)) + { + If (ATKP) + { + ^^^^ATKD.IANE (0x35) + } + } + } + (...) + } + +Signed-off-by: João Paulo Rechi Vita +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/asus-wmi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c +index 2d6e272315a8..db3556dc90d1 100644 +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -2231,7 +2231,8 @@ static int asus_wmi_add(struct platform_device *pdev) + err = asus_wmi_backlight_init(asus); + if (err && err != -ENODEV) + goto fail_backlight; +- } ++ } else ++ err = asus_wmi_set_devstate(ASUS_WMI_DEVID_BACKLIGHT, 2, NULL); + + status = wmi_install_notify_handler(asus->driver->event_guid, + asus_wmi_notify, asus); +-- +2.19.1 + diff --git a/queue-4.19/powerpc-pseries-cpuidle-fix-preempt-warning.patch b/queue-4.19/powerpc-pseries-cpuidle-fix-preempt-warning.patch new file mode 100644 index 00000000000..be298cb3031 --- /dev/null +++ b/queue-4.19/powerpc-pseries-cpuidle-fix-preempt-warning.patch @@ -0,0 +1,68 @@ +From 70e913ed4c281a991a51a7a1584f8ed4de7215ec Mon Sep 17 00:00:00 2001 +From: Breno Leitao +Date: Fri, 23 Nov 2018 14:30:11 -0200 +Subject: powerpc/pseries/cpuidle: Fix preempt warning + +[ Upstream commit 2b038cbc5fcf12a7ee1cc9bfd5da1e46dacdee87 ] + +When booting a pseries kernel with PREEMPT enabled, it dumps the +following warning: + + BUG: using smp_processor_id() in preemptible [00000000] code: swapper/0/1 + caller is pseries_processor_idle_init+0x5c/0x22c + CPU: 13 PID: 1 Comm: swapper/0 Not tainted 4.20.0-rc3-00090-g12201a0128bc-dirty #828 + Call Trace: + [c000000429437ab0] [c0000000009c8878] dump_stack+0xec/0x164 (unreliable) + [c000000429437b00] [c0000000005f2f24] check_preemption_disabled+0x154/0x160 + [c000000429437b90] [c000000000cab8e8] pseries_processor_idle_init+0x5c/0x22c + [c000000429437c10] [c000000000010ed4] do_one_initcall+0x64/0x300 + [c000000429437ce0] [c000000000c54500] kernel_init_freeable+0x3f0/0x500 + [c000000429437db0] [c0000000000112dc] kernel_init+0x2c/0x160 + [c000000429437e20] [c00000000000c1d0] ret_from_kernel_thread+0x5c/0x6c + +This happens because the code calls get_lppaca() which calls +get_paca() and it checks if preemption is disabled through +check_preemption_disabled(). + +Preemption should be disabled because the per CPU variable may make no +sense if there is a preemption (and a CPU switch) after it reads the +per CPU data and when it is used. + +In this device driver specifically, it is not a problem, because this +code just needs to have access to one lppaca struct, and it does not +matter if it is the current per CPU lppaca struct or not (i.e. when +there is a preemption and a CPU migration). + +That said, the most appropriate fix seems to be related to avoiding +the debug_smp_processor_id() call at get_paca(), instead of calling +preempt_disable() before get_paca(). + +Signed-off-by: Breno Leitao +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + drivers/cpuidle/cpuidle-pseries.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/cpuidle/cpuidle-pseries.c b/drivers/cpuidle/cpuidle-pseries.c +index 9e56bc411061..74c247972bb3 100644 +--- a/drivers/cpuidle/cpuidle-pseries.c ++++ b/drivers/cpuidle/cpuidle-pseries.c +@@ -247,7 +247,13 @@ static int pseries_idle_probe(void) + return -ENODEV; + + if (firmware_has_feature(FW_FEATURE_SPLPAR)) { +- if (lppaca_shared_proc(get_lppaca())) { ++ /* ++ * Use local_paca instead of get_lppaca() since ++ * preemption is not disabled, and it is not required in ++ * fact, since lppaca_ptr does not need to be the value ++ * associated to the current CPU, it can be from any CPU. ++ */ ++ if (lppaca_shared_proc(local_paca->lppaca_ptr)) { + cpuidle_state_table = shared_states; + max_idle_state = ARRAY_SIZE(shared_states); + } else { +-- +2.19.1 + diff --git a/queue-4.19/powerpc-xmon-fix-invocation-inside-lock-region.patch b/queue-4.19/powerpc-xmon-fix-invocation-inside-lock-region.patch new file mode 100644 index 00000000000..b9ba5f4f9da --- /dev/null +++ b/queue-4.19/powerpc-xmon-fix-invocation-inside-lock-region.patch @@ -0,0 +1,86 @@ +From 710fa55b30256d65bb5311bdb5ac1d0662d48dbe Mon Sep 17 00:00:00 2001 +From: Breno Leitao +Date: Thu, 8 Nov 2018 15:12:42 -0200 +Subject: powerpc/xmon: Fix invocation inside lock region + +[ Upstream commit 8d4a862276a9c30a269d368d324fb56529e6d5fd ] + +Currently xmon needs to get devtree_lock (through rtas_token()) during its +invocation (at crash time). If there is a crash while devtree_lock is being +held, then xmon tries to get the lock but spins forever and never get into +the interactive debugger, as in the following case: + + int *ptr = NULL; + raw_spin_lock_irqsave(&devtree_lock, flags); + *ptr = 0xdeadbeef; + +This patch avoids calling rtas_token(), thus trying to get the same lock, +at crash time. This new mechanism proposes getting the token at +initialization time (xmon_init()) and just consuming it at crash time. + +This would allow xmon to be possible invoked independent of devtree_lock +being held or not. + +Signed-off-by: Breno Leitao +Reviewed-by: Thiago Jung Bauermann +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/xmon/xmon.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c +index 4264aedc7775..dd6badc31f45 100644 +--- a/arch/powerpc/xmon/xmon.c ++++ b/arch/powerpc/xmon/xmon.c +@@ -75,6 +75,9 @@ static int xmon_gate; + #define xmon_owner 0 + #endif /* CONFIG_SMP */ + ++#ifdef CONFIG_PPC_PSERIES ++static int set_indicator_token = RTAS_UNKNOWN_SERVICE; ++#endif + static unsigned long in_xmon __read_mostly = 0; + static int xmon_on = IS_ENABLED(CONFIG_XMON_DEFAULT); + +@@ -358,7 +361,6 @@ static inline void disable_surveillance(void) + #ifdef CONFIG_PPC_PSERIES + /* Since this can't be a module, args should end up below 4GB. */ + static struct rtas_args args; +- int token; + + /* + * At this point we have got all the cpus we can into +@@ -367,11 +369,11 @@ static inline void disable_surveillance(void) + * If we did try to take rtas.lock there would be a + * real possibility of deadlock. + */ +- token = rtas_token("set-indicator"); +- if (token == RTAS_UNKNOWN_SERVICE) ++ if (set_indicator_token == RTAS_UNKNOWN_SERVICE) + return; + +- rtas_call_unlocked(&args, token, 3, 1, NULL, SURVEILLANCE_TOKEN, 0, 0); ++ rtas_call_unlocked(&args, set_indicator_token, 3, 1, NULL, ++ SURVEILLANCE_TOKEN, 0, 0); + + #endif /* CONFIG_PPC_PSERIES */ + } +@@ -3672,6 +3674,14 @@ static void xmon_init(int enable) + __debugger_iabr_match = xmon_iabr_match; + __debugger_break_match = xmon_break_match; + __debugger_fault_handler = xmon_fault_handler; ++ ++#ifdef CONFIG_PPC_PSERIES ++ /* ++ * Get the token here to avoid trying to get a lock ++ * during the crash, causing a deadlock. ++ */ ++ set_indicator_token = rtas_token("set-indicator"); ++#endif + } else { + __debugger = NULL; + __debugger_ipi = NULL; +-- +2.19.1 + diff --git a/queue-4.19/pstore-ram-do-not-treat-empty-buffers-as-valid.patch b/queue-4.19/pstore-ram-do-not-treat-empty-buffers-as-valid.patch new file mode 100644 index 00000000000..d304db86a3e --- /dev/null +++ b/queue-4.19/pstore-ram-do-not-treat-empty-buffers-as-valid.patch @@ -0,0 +1,51 @@ +From 007e9094865ae78263bc5c01a73d8ff9fd7c4aa7 Mon Sep 17 00:00:00 2001 +From: "Joel Fernandes (Google)" +Date: Sat, 3 Nov 2018 16:38:18 -0700 +Subject: pstore/ram: Do not treat empty buffers as valid + +[ Upstream commit 30696378f68a9e3dad6bfe55938b112e72af00c2 ] + +The ramoops backend currently calls persistent_ram_save_old() even +if a buffer is empty. While this appears to work, it is does not seem +like the right thing to do and could lead to future bugs so lets avoid +that. It also prevents misleading prints in the logs which claim the +buffer is valid. + +I got something like: + + found existing buffer, size 0, start 0 + +When I was expecting: + + no valid data in buffer (sig = ...) + +This bails out early (and reports with pr_debug()), since it's an +acceptable state. + +Signed-off-by: Joel Fernandes (Google) +Co-developed-by: Kees Cook +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + fs/pstore/ram_core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c +index 0792595ebcfb..3c777ec80d47 100644 +--- a/fs/pstore/ram_core.c ++++ b/fs/pstore/ram_core.c +@@ -496,6 +496,11 @@ static int persistent_ram_post_init(struct persistent_ram_zone *prz, u32 sig, + sig ^= PERSISTENT_RAM_SIG; + + if (prz->buffer->sig == sig) { ++ if (buffer_size(prz) == 0) { ++ pr_debug("found existing empty buffer\n"); ++ return 0; ++ } ++ + if (buffer_size(prz) > prz->buffer_size || + buffer_start(prz) > buffer_size(prz)) + pr_info("found existing invalid buffer, size %zu, start %zu\n", +-- +2.19.1 + diff --git a/queue-4.19/quota-lock-s_umount-in-exclusive-mode-for-q_xquota-o.patch b/queue-4.19/quota-lock-s_umount-in-exclusive-mode-for-q_xquota-o.patch new file mode 100644 index 00000000000..fe7da9c86e3 --- /dev/null +++ b/queue-4.19/quota-lock-s_umount-in-exclusive-mode-for-q_xquota-o.patch @@ -0,0 +1,87 @@ +From 59ad7dc4ac2bf48c982e73d446b989bf2dc77ec6 Mon Sep 17 00:00:00 2001 +From: Javier Barrio +Date: Thu, 13 Dec 2018 01:06:29 +0100 +Subject: quota: Lock s_umount in exclusive mode for Q_XQUOTA{ON,OFF} + quotactls. + +[ Upstream commit 41c4f85cdac280d356df1f483000ecec4a8868be ] + +Commit 1fa5efe3622db58cb8c7b9a50665e9eb9a6c7e97 (ext4: Use generic helpers for quotaon +and quotaoff) made possible to call quotactl(Q_XQUOTAON/OFF) on ext4 filesystems +with sysfile quota support. This leads to calling dquot_enable/disable without s_umount +held in excl. mode, because quotactl_cmd_onoff checks only for Q_QUOTAON/OFF. + +The following WARN_ON_ONCE triggers (in this case for dquot_enable, ext4, latest Linus' tree): + +[ 117.807056] EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: quota,prjquota + +[...] + +[ 155.036847] WARNING: CPU: 0 PID: 2343 at fs/quota/dquot.c:2469 dquot_enable+0x34/0xb9 +[ 155.036851] Modules linked in: quota_v2 quota_tree ipv6 af_packet joydev mousedev psmouse serio_raw pcspkr i2c_piix4 intel_agp intel_gtt e1000 ttm drm_kms_helper drm agpgart fb_sys_fops syscopyarea sysfillrect sysimgblt i2c_core input_leds kvm_intel kvm irqbypass qemu_fw_cfg floppy evdev parport_pc parport button crc32c_generic dm_mod ata_generic pata_acpi ata_piix libata loop ext4 crc16 mbcache jbd2 usb_storage usbcore sd_mod scsi_mod +[ 155.036901] CPU: 0 PID: 2343 Comm: qctl Not tainted 4.20.0-rc6-00025-gf5d582777bcb #9 +[ 155.036903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +[ 155.036911] RIP: 0010:dquot_enable+0x34/0xb9 +[ 155.036915] Code: 41 56 41 55 41 54 55 53 4c 8b 6f 28 74 02 0f 0b 4d 8d 7d 70 49 89 fc 89 cb 41 89 d6 89 f5 4c 89 ff e8 23 09 ea ff 85 c0 74 0a <0f> 0b 4c 89 ff e8 8b 09 ea ff 85 db 74 6a 41 8b b5 f8 00 00 00 0f +[ 155.036918] RSP: 0018:ffffb09b00493e08 EFLAGS: 00010202 +[ 155.036922] RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000000000000008 +[ 155.036924] RDX: 0000000000000001 RSI: 0000000000000002 RDI: ffff9781b67cd870 +[ 155.036926] RBP: 0000000000000002 R08: 0000000000000000 R09: 61c8864680b583eb +[ 155.036929] R10: ffffb09b00493e48 R11: ffffffffff7ce7d4 R12: ffff9781b7ee8d78 +[ 155.036932] R13: ffff9781b67cd800 R14: 0000000000000004 R15: ffff9781b67cd870 +[ 155.036936] FS: 00007fd813250b88(0000) GS:ffff9781ba000000(0000) knlGS:0000000000000000 +[ 155.036939] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 155.036942] CR2: 00007fd812ff61d6 CR3: 000000007c882000 CR4: 00000000000006b0 +[ 155.036951] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 155.036953] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 155.036955] Call Trace: +[ 155.037004] dquot_quota_enable+0x8b/0xd0 +[ 155.037011] kernel_quotactl+0x628/0x74e +[ 155.037027] ? do_mprotect_pkey+0x2a6/0x2cd +[ 155.037034] __x64_sys_quotactl+0x1a/0x1d +[ 155.037041] do_syscall_64+0x55/0xe4 +[ 155.037078] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 155.037105] RIP: 0033:0x7fd812fe1198 +[ 155.037109] Code: 02 77 0d 48 89 c1 48 c1 e9 3f 75 04 48 8b 04 24 48 83 c4 50 5b c3 48 83 ec 08 49 89 ca 48 63 d2 48 63 ff b8 b3 00 00 00 0f 05 <48> 89 c7 e8 c1 eb ff ff 5a c3 48 63 ff b8 bb 00 00 00 0f 05 48 89 +[ 155.037112] RSP: 002b:00007ffe8cd7b050 EFLAGS: 00000206 ORIG_RAX: 00000000000000b3 +[ 155.037116] RAX: ffffffffffffffda RBX: 00007ffe8cd7b148 RCX: 00007fd812fe1198 +[ 155.037119] RDX: 0000000000000000 RSI: 00007ffe8cd7cea9 RDI: 0000000000580102 +[ 155.037121] RBP: 00007ffe8cd7b0f0 R08: 000055fc8eba8a9d R09: 0000000000000000 +[ 155.037124] R10: 00007ffe8cd7b074 R11: 0000000000000206 R12: 00007ffe8cd7b168 +[ 155.037126] R13: 000055fc8eba8897 R14: 0000000000000000 R15: 0000000000000000 +[ 155.037131] ---[ end trace 210f864257175c51 ]--- + +and then the syscall proceeds without s_umount locking. + +This patch locks the superblock ->s_umount sem. in exclusive mode for all Q_XQUOTAON/OFF +quotactls too in addition to Q_QUOTAON/OFF. + +AFAICT, other than ext4, only xfs and ocfs2 are affected by this change. +The VFS will now call in xfs_quota_* functions with s_umount held, which wasn't the case +before. This looks good to me but I can not say for sure. Ext4 and ocfs2 where already +beeing called with s_umount exclusive via quota_quotaon/off which is basically the same. + +Signed-off-by: Javier Barrio +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/quota/quota.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/quota/quota.c b/fs/quota/quota.c +index f0cbf58ad4da..fd5dd806f1b9 100644 +--- a/fs/quota/quota.c ++++ b/fs/quota/quota.c +@@ -791,7 +791,8 @@ static int quotactl_cmd_write(int cmd) + /* Return true if quotactl command is manipulating quota on/off state */ + static bool quotactl_cmd_onoff(int cmd) + { +- return (cmd == Q_QUOTAON) || (cmd == Q_QUOTAOFF); ++ return (cmd == Q_QUOTAON) || (cmd == Q_QUOTAOFF) || ++ (cmd == Q_XQUOTAON) || (cmd == Q_XQUOTAOFF); + } + + /* +-- +2.19.1 + diff --git a/queue-4.19/rxe-ib_wr_reg_mr-does-not-capture-mr-s-iova-field.patch b/queue-4.19/rxe-ib_wr_reg_mr-does-not-capture-mr-s-iova-field.patch new file mode 100644 index 00000000000..0dc4fde7afa --- /dev/null +++ b/queue-4.19/rxe-ib_wr_reg_mr-does-not-capture-mr-s-iova-field.patch @@ -0,0 +1,47 @@ +From 1125a176d4fd075bf4c22725019422aebf3661cd Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Sun, 25 Nov 2018 17:13:08 -0500 +Subject: rxe: IB_WR_REG_MR does not capture MR's iova field + +[ Upstream commit b024dd0eba6e6d568f69d63c5e3153aba94c23e3 ] + +FRWR memory registration is done with a series of calls and WRs. +1. ULP invokes ib_dma_map_sg() +2. ULP invokes ib_map_mr_sg() +3. ULP posts an IB_WR_REG_MR on the Send queue + +Step 2 generates an iova. It is permissible for ULPs to change this +iova (with certain restrictions) between steps 2 and 3. + +rxe_map_mr_sg captures the MR's iova but later when rxe processes the +REG_MR WR, it ignores the MR's iova field. If a ULP alters the MR's iova +after step 2 but before step 3, rxe never captures that change. + +When the remote sends an RDMA Read targeting that MR, rxe looks up the +R_key, but the altered iova does not match the iova stored in the MR, +causing the RDMA Read request to fail. + +Reported-by: Anna Schumaker +Signed-off-by: Chuck Lever +Reviewed-by: Sagi Grimberg +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_req.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/sw/rxe/rxe_req.c b/drivers/infiniband/sw/rxe/rxe_req.c +index 8be27238a86e..fa98a5279647 100644 +--- a/drivers/infiniband/sw/rxe/rxe_req.c ++++ b/drivers/infiniband/sw/rxe/rxe_req.c +@@ -640,6 +640,7 @@ next_wqe: + rmr->access = wqe->wr.wr.reg.access; + rmr->lkey = wqe->wr.wr.reg.key; + rmr->rkey = wqe->wr.wr.reg.key; ++ rmr->iova = wqe->wr.wr.reg.mr->iova; + wqe->state = wqe_state_done; + wqe->status = IB_WC_SUCCESS; + } else { +-- +2.19.1 + diff --git a/queue-4.19/samples-bpf-fix-error-handling-regarding-kprobe_even.patch b/queue-4.19/samples-bpf-fix-error-handling-regarding-kprobe_even.patch new file mode 100644 index 00000000000..826d06a09d0 --- /dev/null +++ b/queue-4.19/samples-bpf-fix-error-handling-regarding-kprobe_even.patch @@ -0,0 +1,118 @@ +From 4339ca55ad89ddb874d8385df9945b5324d95950 Mon Sep 17 00:00:00 2001 +From: "Daniel T. Lee" +Date: Fri, 23 Nov 2018 07:14:32 +0900 +Subject: samples: bpf: fix: error handling regarding kprobe_events + +[ Upstream commit 5a863813216ce79e16a8c1503b2543c528b778b6 ] + +Currently, kprobe_events failure won't be handled properly. +Due to calling system() indirectly to write to kprobe_events, +it can't be identified whether an error is derived from kprobe or system. + + // buf = "echo '%c:%s %s' >> /s/k/d/t/kprobe_events" + err = system(buf); + if (err < 0) { + printf("failed to create kprobe .."); + return -1; + } + +For example, running ./tracex7 sample in ext4 partition, +"echo p:open_ctree open_ctree >> /s/k/d/t/kprobe_events" +gets 256 error code system() failure. +=> The error comes from kprobe, but it's not handled correctly. + +According to man of system(3), it's return value +just passes the termination status of the child shell +rather than treating the error as -1. (don't care success) + +Which means, currently it's not working as desired. +(According to the upper code snippet) + + ex) running ./tracex7 with ext4 env. + # Current Output + sh: echo: I/O error + failed to open event open_ctree + + # Desired Output + failed to create kprobe 'open_ctree' error 'No such file or directory' + +The problem is, error can't be verified whether from child ps +or system. But using write() directly can verify the command +failure, and it will treat all error as -1. So I suggest using +write() directly to 'kprobe_events' rather than calling system(). + +Signed-off-by: Daniel T. Lee +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + samples/bpf/bpf_load.c | 33 ++++++++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +diff --git a/samples/bpf/bpf_load.c b/samples/bpf/bpf_load.c +index 904e775d1a44..cf40a8284a38 100644 +--- a/samples/bpf/bpf_load.c ++++ b/samples/bpf/bpf_load.c +@@ -55,6 +55,23 @@ static int populate_prog_array(const char *event, int prog_fd) + return 0; + } + ++static int write_kprobe_events(const char *val) ++{ ++ int fd, ret, flags; ++ ++ if ((val != NULL) && (val[0] == '\0')) ++ flags = O_WRONLY | O_TRUNC; ++ else ++ flags = O_WRONLY | O_APPEND; ++ ++ fd = open("/sys/kernel/debug/tracing/kprobe_events", flags); ++ ++ ret = write(fd, val, strlen(val)); ++ close(fd); ++ ++ return ret; ++} ++ + static int load_and_attach(const char *event, struct bpf_insn *prog, int size) + { + bool is_socket = strncmp(event, "socket", 6) == 0; +@@ -166,10 +183,9 @@ static int load_and_attach(const char *event, struct bpf_insn *prog, int size) + + #ifdef __x86_64__ + if (strncmp(event, "sys_", 4) == 0) { +- snprintf(buf, sizeof(buf), +- "echo '%c:__x64_%s __x64_%s' >> /sys/kernel/debug/tracing/kprobe_events", +- is_kprobe ? 'p' : 'r', event, event); +- err = system(buf); ++ snprintf(buf, sizeof(buf), "%c:__x64_%s __x64_%s", ++ is_kprobe ? 'p' : 'r', event, event); ++ err = write_kprobe_events(buf); + if (err >= 0) { + need_normal_check = false; + event_prefix = "__x64_"; +@@ -177,10 +193,9 @@ static int load_and_attach(const char *event, struct bpf_insn *prog, int size) + } + #endif + if (need_normal_check) { +- snprintf(buf, sizeof(buf), +- "echo '%c:%s %s' >> /sys/kernel/debug/tracing/kprobe_events", +- is_kprobe ? 'p' : 'r', event, event); +- err = system(buf); ++ snprintf(buf, sizeof(buf), "%c:%s %s", ++ is_kprobe ? 'p' : 'r', event, event); ++ err = write_kprobe_events(buf); + if (err < 0) { + printf("failed to create kprobe '%s' error '%s'\n", + event, strerror(errno)); +@@ -520,7 +535,7 @@ static int do_load_bpf_file(const char *path, fixup_map_cb fixup_map) + return 1; + + /* clear all kprobes */ +- i = system("echo \"\" > /sys/kernel/debug/tracing/kprobe_events"); ++ i = write_kprobe_events(""); + + /* scan over all elf sections to get license and map info */ + for (i = 1; i < ehdr.e_shnum; i++) { +-- +2.19.1 + diff --git a/queue-4.19/scsi-megaraid-fix-out-of-bound-array-accesses.patch b/queue-4.19/scsi-megaraid-fix-out-of-bound-array-accesses.patch new file mode 100644 index 00000000000..2057301b9c9 --- /dev/null +++ b/queue-4.19/scsi-megaraid-fix-out-of-bound-array-accesses.patch @@ -0,0 +1,120 @@ +From 1f7a208e5a19da3cb1f75c7599a2ff81bd0d6188 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Thu, 13 Dec 2018 08:27:27 -0500 +Subject: scsi: megaraid: fix out-of-bound array accesses + +[ Upstream commit c7a082e4242fd8cd21a441071e622f87c16bdacc ] + +UBSAN reported those with MegaRAID SAS-3 3108, + +[ 77.467308] UBSAN: Undefined behaviour in drivers/scsi/megaraid/megaraid_sas_fp.c:117:32 +[ 77.475402] index 255 is out of range for type 'MR_LD_SPAN_MAP [1]' +[ 77.481677] CPU: 16 PID: 333 Comm: kworker/16:1 Not tainted 4.20.0-rc5+ #1 +[ 77.488556] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.50 06/01/2018 +[ 77.495791] Workqueue: events work_for_cpu_fn +[ 77.500154] Call trace: +[ 77.502610] dump_backtrace+0x0/0x2c8 +[ 77.506279] show_stack+0x24/0x30 +[ 77.509604] dump_stack+0x118/0x19c +[ 77.513098] ubsan_epilogue+0x14/0x60 +[ 77.516765] __ubsan_handle_out_of_bounds+0xfc/0x13c +[ 77.521767] mr_update_load_balance_params+0x150/0x158 [megaraid_sas] +[ 77.528230] MR_ValidateMapInfo+0x2cc/0x10d0 [megaraid_sas] +[ 77.533825] megasas_get_map_info+0x244/0x2f0 [megaraid_sas] +[ 77.539505] megasas_init_adapter_fusion+0x9b0/0xf48 [megaraid_sas] +[ 77.545794] megasas_init_fw+0x1ab4/0x3518 [megaraid_sas] +[ 77.551212] megasas_probe_one+0x2c4/0xbe0 [megaraid_sas] +[ 77.556614] local_pci_probe+0x7c/0xf0 +[ 77.560365] work_for_cpu_fn+0x34/0x50 +[ 77.564118] process_one_work+0x61c/0xf08 +[ 77.568129] worker_thread+0x534/0xa70 +[ 77.571882] kthread+0x1c8/0x1d0 +[ 77.575114] ret_from_fork+0x10/0x1c + +[ 89.240332] UBSAN: Undefined behaviour in drivers/scsi/megaraid/megaraid_sas_fp.c:117:32 +[ 89.248426] index 255 is out of range for type 'MR_LD_SPAN_MAP [1]' +[ 89.254700] CPU: 16 PID: 95 Comm: kworker/u130:0 Not tainted 4.20.0-rc5+ #1 +[ 89.261665] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.50 06/01/2018 +[ 89.268903] Workqueue: events_unbound async_run_entry_fn +[ 89.274222] Call trace: +[ 89.276680] dump_backtrace+0x0/0x2c8 +[ 89.280348] show_stack+0x24/0x30 +[ 89.283671] dump_stack+0x118/0x19c +[ 89.287167] ubsan_epilogue+0x14/0x60 +[ 89.290835] __ubsan_handle_out_of_bounds+0xfc/0x13c +[ 89.295828] MR_LdRaidGet+0x50/0x58 [megaraid_sas] +[ 89.300638] megasas_build_io_fusion+0xbb8/0xd90 [megaraid_sas] +[ 89.306576] megasas_build_and_issue_cmd_fusion+0x138/0x460 [megaraid_sas] +[ 89.313468] megasas_queue_command+0x398/0x3d0 [megaraid_sas] +[ 89.319222] scsi_dispatch_cmd+0x1dc/0x8a8 +[ 89.323321] scsi_request_fn+0x8e8/0xdd0 +[ 89.327249] __blk_run_queue+0xc4/0x158 +[ 89.331090] blk_execute_rq_nowait+0xf4/0x158 +[ 89.335449] blk_execute_rq+0xdc/0x158 +[ 89.339202] __scsi_execute+0x130/0x258 +[ 89.343041] scsi_probe_and_add_lun+0x2fc/0x1488 +[ 89.347661] __scsi_scan_target+0x1cc/0x8c8 +[ 89.351848] scsi_scan_channel.part.3+0x8c/0xc0 +[ 89.356382] scsi_scan_host_selected+0x130/0x1f0 +[ 89.361002] do_scsi_scan_host+0xd8/0xf0 +[ 89.364927] do_scan_async+0x9c/0x320 +[ 89.368594] async_run_entry_fn+0x138/0x420 +[ 89.372780] process_one_work+0x61c/0xf08 +[ 89.376793] worker_thread+0x13c/0xa70 +[ 89.380546] kthread+0x1c8/0x1d0 +[ 89.383778] ret_from_fork+0x10/0x1c + +This is because when populating Driver Map using firmware raid map, all +non-existing VDs set their ldTgtIdToLd to 0xff, so it can be skipped later. + +From drivers/scsi/megaraid/megaraid_sas_base.c , +memset(instance->ld_ids, 0xff, MEGASAS_MAX_LD_IDS); + +From drivers/scsi/megaraid/megaraid_sas_fp.c , +/* For non existing VDs, iterate to next VD*/ +if (ld >= (MAX_LOGICAL_DRIVES_EXT - 1)) + continue; + +However, there are a few places that failed to skip those non-existing VDs +due to off-by-one errors. Then, those 0xff leaked into MR_LdRaidGet(0xff, +map) and triggered the out-of-bound accesses. + +Fixes: 51087a8617fe ("megaraid_sas : Extended VD support") +Signed-off-by: Qian Cai +Acked-by: Sumit Saxena +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/megaraid/megaraid_sas_fp.c | 2 +- + drivers/scsi/megaraid/megaraid_sas_fusion.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/megaraid/megaraid_sas_fp.c b/drivers/scsi/megaraid/megaraid_sas_fp.c +index 59ecbb3b53b5..a33628550425 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_fp.c ++++ b/drivers/scsi/megaraid/megaraid_sas_fp.c +@@ -1266,7 +1266,7 @@ void mr_update_load_balance_params(struct MR_DRV_RAID_MAP_ALL *drv_map, + + for (ldCount = 0; ldCount < MAX_LOGICAL_DRIVES_EXT; ldCount++) { + ld = MR_TargetIdToLdGet(ldCount, drv_map); +- if (ld >= MAX_LOGICAL_DRIVES_EXT) { ++ if (ld >= MAX_LOGICAL_DRIVES_EXT - 1) { + lbInfo[ldCount].loadBalanceFlag = 0; + continue; + } +diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c b/drivers/scsi/megaraid/megaraid_sas_fusion.c +index c7f95bace353..f45c54f02bfa 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c ++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c +@@ -2832,7 +2832,7 @@ static void megasas_build_ld_nonrw_fusion(struct megasas_instance *instance, + device_id < instance->fw_supported_vd_count)) { + + ld = MR_TargetIdToLdGet(device_id, local_map_ptr); +- if (ld >= instance->fw_supported_vd_count) ++ if (ld >= instance->fw_supported_vd_count - 1) + fp_possible = 0; + else { + raid = MR_LdRaidGet(ld, local_map_ptr); +-- +2.19.1 + diff --git a/queue-4.19/scsi-mpt3sas-fix-memory-ordering-on-64bit-writes.patch b/queue-4.19/scsi-mpt3sas-fix-memory-ordering-on-64bit-writes.patch new file mode 100644 index 00000000000..e07c202539f --- /dev/null +++ b/queue-4.19/scsi-mpt3sas-fix-memory-ordering-on-64bit-writes.patch @@ -0,0 +1,59 @@ +From 676364a6a063b145278ece639cdf18c45a7bbd02 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Stephan=20G=C3=BCnther?= +Date: Sun, 16 Dec 2018 13:08:21 +0100 +Subject: scsi: mpt3sas: fix memory ordering on 64bit writes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 23c3828aa2f84edec7020c7397a22931e7a879e1 ] + +With commit 09c2f95ad404 ("scsi: mpt3sas: Swap I/O memory read value back +to cpu endianness"), 64bit writes in _base_writeq() were rewritten to use +__raw_writeq() instad of writeq(). + +This introduced a bug apparent on powerpc64 systems such as the Raptor +Talos II that causes the HBA to drop from the PCIe bus under heavy load and +being reinitialized after a couple of seconds. + +It can easily be triggered on affacted systems by using something like + + fio --name=random-write --iodepth=4 --rw=randwrite --bs=4k --direct=0 \ + --size=128M --numjobs=64 --end_fsync=1 + fio --name=random-write --iodepth=4 --rw=randwrite --bs=64k --direct=0 \ + --size=128M --numjobs=64 --end_fsync=1 + +a couple of times. In my case I tested it on both a ZFS raidz2 and a btrfs +raid6 using LSI 9300-8i and 9400-8i controllers. + +The fix consists in resembling the write ordering of writeq() by adding a +mandatory write memory barrier before device access and a compiler barrier +afterwards. The additional MMIO barrier is superfluous. + +Signed-off-by: Stephan Günther +Reported-by: Matt Corallo +Acked-by: Sreekanth Reddy +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_base.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c +index 59d7844ee022..b59bba3e6516 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_base.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c +@@ -3344,8 +3344,9 @@ _base_mpi_ep_writeq(__u64 b, volatile void __iomem *addr, + static inline void + _base_writeq(__u64 b, volatile void __iomem *addr, spinlock_t *writeq_lock) + { ++ wmb(); + __raw_writeq(b, addr); +- mmiowb(); ++ barrier(); + } + #else + static inline void +-- +2.19.1 + diff --git a/queue-4.19/scsi-qedi-check-for-session-online-before-getting-is.patch b/queue-4.19/scsi-qedi-check-for-session-online-before-getting-is.patch new file mode 100644 index 00000000000..b9f41658c2f --- /dev/null +++ b/queue-4.19/scsi-qedi-check-for-session-online-before-getting-is.patch @@ -0,0 +1,66 @@ +From 14ee9c28a2f4fded998f62cde5efb88a381439fb Mon Sep 17 00:00:00 2001 +From: Manish Rangankar +Date: Wed, 21 Nov 2018 01:25:19 -0800 +Subject: scsi: qedi: Check for session online before getting iSCSI TLV data. + +[ Upstream commit d5632b11f0a17efa6356311e535ae135d178438d ] + +The kernel panic was observed after switch side perturbation, + +BUG: unable to handle kernel NULL pointer dereference at (null) + IP: [] strcmp+0x20/0x40 + PGD 0 Oops: 0000 [#1] SMP +CPU: 8 PID: 647 Comm: kworker/8:1 Tainted: G W OE ------------ 3.10.0-693.el7.x86_64 #1 +Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/20/2018 +Workqueue: slowpath-13:00. qed_slowpath_task [qed] +task: ffff880429eb8fd0 ti: ffff880429190000 task.ti: ffff880429190000 +RIP: 0010:[] [] strcmp+0x20/0x40 +RSP: 0018:ffff880429193c68 EFLAGS: 00010202 +RAX: 000000000000000a RBX: 0000000000000002 RCX: 0000000000000000 +RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff88042bda7a41 +RBP: ffff880429193c68 R08: 000000000000ffff R09: 000000000000ffff +R10: 0000000000000007 R11: ffff88042b3af338 R12: ffff880420b007a0 +R13: ffff88081aa56af8 R14: 0000000000000001 R15: ffff88081aa50410 +FS: 0000000000000000(0000) GS:ffff88042fe00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000000 CR3: 00000000019f2000 CR4: 00000000003407e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Stack: +ffff880429193d20 ffffffffc02a0c90 ffffc90004b32000 ffff8803fd3ec600 +ffff88042bda7800 ffff88042bda7a00 ffff88042bda7840 ffff88042bda7a40 +0000000129193d10 2e3836312e323931 ff000a342e363232 ffffffffc01ad99d +Call Trace: +[] qedi_get_protocol_tlv_data+0x270/0x470 [qedi] +[] ? qed_mfw_process_tlv_req+0x24d/0xbf0 [qed] +[] qed_mfw_fill_tlv_data+0x5e/0xd0 [qed] +[] qed_mfw_process_tlv_req+0x269/0xbf0 [qed] + +Fix kernel NULL pointer deref by checking for session is online before +getting iSCSI TLV data. + +Signed-off-by: Manish Rangankar +Reviewed-by: Lee Duncan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedi/qedi_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c +index e5bd035ebad0..4de740da547b 100644 +--- a/drivers/scsi/qedi/qedi_main.c ++++ b/drivers/scsi/qedi/qedi_main.c +@@ -952,6 +952,9 @@ static int qedi_find_boot_info(struct qedi_ctx *qedi, + cls_sess = iscsi_conn_to_session(cls_conn); + sess = cls_sess->dd_data; + ++ if (!iscsi_is_session_online(cls_sess)) ++ continue; ++ + if (pri_ctrl_flags) { + if (!strcmp(pri_tgt->iscsi_name, sess->targetname) && + !strcmp(pri_tgt->ip_addr, ep_ip_addr)) { +-- +2.19.1 + diff --git a/queue-4.19/scsi-smartpqi-call-pqi_free_interrupts-in-pqi_shutdo.patch b/queue-4.19/scsi-smartpqi-call-pqi_free_interrupts-in-pqi_shutdo.patch new file mode 100644 index 00000000000..a50dd3a9c6c --- /dev/null +++ b/queue-4.19/scsi-smartpqi-call-pqi_free_interrupts-in-pqi_shutdo.patch @@ -0,0 +1,65 @@ +From b1bc78ac0dbc09480ca280830fe558e8005105af Mon Sep 17 00:00:00 2001 +From: Yanjiang Jin +Date: Thu, 20 Dec 2018 16:32:35 +0800 +Subject: scsi: smartpqi: call pqi_free_interrupts() in pqi_shutdown() + +[ Upstream commit e57b2945aa654e48f85a41e8917793c64ecb9de8 ] + +We must free all irqs during shutdown, else kexec's 2nd kernel would hang +in pqi_wait_for_completion_io() as below: + +Call trace: + + pqi_wait_for_completion_io + pqi_submit_raid_request_synchronous.constprop.78+0x23c/0x310 [smartpqi] + pqi_configure_events+0xec/0x1f8 [smartpqi] + pqi_ctrl_init+0x814/0xca0 [smartpqi] + pqi_pci_probe+0x400/0x46c [smartpqi] + local_pci_probe+0x48/0xb0 + pci_device_probe+0x14c/0x1b0 + really_probe+0x218/0x3fc + driver_probe_device+0x70/0x140 + __driver_attach+0x11c/0x134 + bus_for_each_dev+0x70/0xc8 + driver_attach+0x30/0x38 + bus_add_driver+0x1f0/0x294 + driver_register+0x74/0x12c + __pci_register_driver+0x64/0x70 + pqi_init+0xd0/0x10000 [smartpqi] + do_one_initcall+0x60/0x1d8 + do_init_module+0x64/0x1f8 + load_module+0x10ec/0x1350 + __se_sys_finit_module+0xd4/0x100 + __arm64_sys_finit_module+0x28/0x34 + el0_svc_handler+0x104/0x160 + el0_svc+0x8/0xc + +This happens only in the following combinations: + +1. smartpqi is built as module, not built-in; +2. We have a disk connected to smartpqi card; +3. Both kexec's 1st and 2nd kernels use this disk as Rootfs' mount point. + +Signed-off-by: Yanjiang Jin +Acked-by: Don Brace +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/smartpqi/smartpqi_init.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c +index c62df3eefd5a..8c1a232ac6bf 100644 +--- a/drivers/scsi/smartpqi/smartpqi_init.c ++++ b/drivers/scsi/smartpqi/smartpqi_init.c +@@ -6689,6 +6689,7 @@ static void pqi_shutdown(struct pci_dev *pci_dev) + * storage. + */ + rc = pqi_flush_cache(ctrl_info, SHUTDOWN); ++ pqi_free_interrupts(ctrl_info); + pqi_reset(ctrl_info); + if (rc == 0) + return; +-- +2.19.1 + diff --git a/queue-4.19/scsi-smartpqi-correct-lun-reset-issues.patch b/queue-4.19/scsi-smartpqi-correct-lun-reset-issues.patch new file mode 100644 index 00000000000..e858cf9559f --- /dev/null +++ b/queue-4.19/scsi-smartpqi-correct-lun-reset-issues.patch @@ -0,0 +1,79 @@ +From 6937917dc85d847e0a6eb3364394d636a93f48e5 Mon Sep 17 00:00:00 2001 +From: Kevin Barnett +Date: Fri, 7 Dec 2018 16:29:51 -0600 +Subject: scsi: smartpqi: correct lun reset issues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 2ba55c9851d74eb015a554ef69ddf2ef061d5780 ] + +Problem: +The Linux kernel takes a logical volume offline after a LUN reset. This is +generally accompanied by this message in the dmesg output: + +Device offlined - not ready after error recovery + +Root Cause: +The root cause is a "quirk" in the timeout handling in the Linux SCSI +layer. The Linux kernel places a 30-second timeout on most media access +commands (reads and writes) that it send to device drivers. When a media +access command times out, the Linux kernel goes into error recovery mode +for the LUN that was the target of the command that timed out. Every +command that timed out is kept on a list inside of the Linux kernel to be +retried later. The kernel attempts to recover the command(s) that timed out +by issuing a LUN reset followed by a TEST UNIT READY. If the LUN reset and +TEST UNIT READY commands are successful, the kernel retries the command(s) +that timed out. + +Each SCSI command issued by the kernel has a result field associated with +it. This field indicates the final result of the command (success or +error). When a command times out, the kernel places a value in this result +field indicating that the command timed out. + +The "quirk" is that after the LUN reset and TEST UNIT READY commands are +completed, the kernel checks each command on the timed-out command list +before retrying it. If the result field is still "timed out", the kernel +treats that command as not having been successfully recovered for a +retry. If the number of commands that are in this state are greater than +two, the kernel takes the LUN offline. + +Fix: +When our RAIDStack receives a LUN reset, it simply waits until all +outstanding commands complete. Generally, all of these outstanding commands +complete successfully. Therefore, the fix in the smartpqi driver is to +always set the command result field to indicate success when a request +completes successfully. This normally isn’t necessary because the result +field is always initialized to success when the command is submitted to the +driver. So when the command completes successfully, the result field is +left untouched. But in this case, the kernel changes the result field +behind the driver’s back and then expects the field to be changed by the +driver as the commands that timed-out complete. + +Reviewed-by: Dave Carroll +Reviewed-by: Scott Teel +Signed-off-by: Kevin Barnett +Signed-off-by: Don Brace +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/smartpqi/smartpqi_init.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c +index 2112ea6723c6..c62df3eefd5a 100644 +--- a/drivers/scsi/smartpqi/smartpqi_init.c ++++ b/drivers/scsi/smartpqi/smartpqi_init.c +@@ -2720,6 +2720,9 @@ static unsigned int pqi_process_io_intr(struct pqi_ctrl_info *ctrl_info, + switch (response->header.iu_type) { + case PQI_RESPONSE_IU_RAID_PATH_IO_SUCCESS: + case PQI_RESPONSE_IU_AIO_PATH_IO_SUCCESS: ++ if (io_request->scmd) ++ io_request->scmd->result = 0; ++ /* fall through */ + case PQI_RESPONSE_IU_GENERAL_MANAGEMENT: + break; + case PQI_RESPONSE_IU_TASK_MANAGEMENT: +-- +2.19.1 + diff --git a/queue-4.19/scsi-target-core-make-sure-that-target_wait_for_sess.patch b/queue-4.19/scsi-target-core-make-sure-that-target_wait_for_sess.patch new file mode 100644 index 00000000000..dd71545e267 --- /dev/null +++ b/queue-4.19/scsi-target-core-make-sure-that-target_wait_for_sess.patch @@ -0,0 +1,223 @@ +From a59456cc22a240b617fd5205380b87655518577b Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Tue, 27 Nov 2018 15:51:58 -0800 +Subject: scsi: target/core: Make sure that target_wait_for_sess_cmds() waits + long enough + +[ Upstream commit ad669505c4e9db9af9faeb5c51aa399326a80d91 ] + +A session must only be released after all code that accesses the session +structure has finished. Make sure that this is the case by introducing a +new command counter per session that is only decremented after the +.release_cmd() callback has finished. This patch fixes the following crash: + +BUG: KASAN: use-after-free in do_raw_spin_lock+0x1c/0x130 +Read of size 4 at addr ffff8801534b16e4 by task rmdir/14805 +CPU: 16 PID: 14805 Comm: rmdir Not tainted 4.18.0-rc2-dbg+ #5 +Call Trace: +dump_stack+0xa4/0xf5 +print_address_description+0x6f/0x270 +kasan_report+0x241/0x360 +__asan_load4+0x78/0x80 +do_raw_spin_lock+0x1c/0x130 +_raw_spin_lock_irqsave+0x52/0x60 +srpt_set_ch_state+0x27/0x70 [ib_srpt] +srpt_disconnect_ch+0x1b/0xc0 [ib_srpt] +srpt_close_session+0xa8/0x260 [ib_srpt] +target_shutdown_sessions+0x170/0x180 [target_core_mod] +core_tpg_del_initiator_node_acl+0xf3/0x200 [target_core_mod] +target_fabric_nacl_base_release+0x25/0x30 [target_core_mod] +config_item_release+0x9c/0x110 [configfs] +config_item_put+0x26/0x30 [configfs] +configfs_rmdir+0x3b8/0x510 [configfs] +vfs_rmdir+0xb3/0x1e0 +do_rmdir+0x262/0x2c0 +do_syscall_64+0x77/0x230 +entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Cc: Nicholas Bellinger +Cc: Mike Christie +Cc: Christoph Hellwig +Cc: David Disseldorp +Cc: Hannes Reinecke +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_transport.c | 35 ++++++++++++++++++-------- + drivers/target/target_core_xcopy.c | 6 ++++- + include/target/target_core_base.h | 1 + + include/target/target_core_fabric.h | 2 +- + 4 files changed, 32 insertions(+), 12 deletions(-) + +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index fc3093d21b96..3f7aad45d215 100644 +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -224,19 +224,28 @@ void transport_subsystem_check_init(void) + sub_api_initialized = 1; + } + ++static void target_release_sess_cmd_refcnt(struct percpu_ref *ref) ++{ ++ struct se_session *sess = container_of(ref, typeof(*sess), cmd_count); ++ ++ wake_up(&sess->cmd_list_wq); ++} ++ + /** + * transport_init_session - initialize a session object + * @se_sess: Session object pointer. + * + * The caller must have zero-initialized @se_sess before calling this function. + */ +-void transport_init_session(struct se_session *se_sess) ++int transport_init_session(struct se_session *se_sess) + { + INIT_LIST_HEAD(&se_sess->sess_list); + INIT_LIST_HEAD(&se_sess->sess_acl_list); + INIT_LIST_HEAD(&se_sess->sess_cmd_list); + spin_lock_init(&se_sess->sess_cmd_lock); + init_waitqueue_head(&se_sess->cmd_list_wq); ++ return percpu_ref_init(&se_sess->cmd_count, ++ target_release_sess_cmd_refcnt, 0, GFP_KERNEL); + } + EXPORT_SYMBOL(transport_init_session); + +@@ -247,6 +256,7 @@ EXPORT_SYMBOL(transport_init_session); + struct se_session *transport_alloc_session(enum target_prot_op sup_prot_ops) + { + struct se_session *se_sess; ++ int ret; + + se_sess = kmem_cache_zalloc(se_sess_cache, GFP_KERNEL); + if (!se_sess) { +@@ -254,7 +264,11 @@ struct se_session *transport_alloc_session(enum target_prot_op sup_prot_ops) + " se_sess_cache\n"); + return ERR_PTR(-ENOMEM); + } +- transport_init_session(se_sess); ++ ret = transport_init_session(se_sess); ++ if (ret < 0) { ++ kfree(se_sess); ++ return ERR_PTR(ret); ++ } + se_sess->sup_prot_ops = sup_prot_ops; + + return se_sess; +@@ -581,6 +595,7 @@ void transport_free_session(struct se_session *se_sess) + sbitmap_queue_free(&se_sess->sess_tag_pool); + kvfree(se_sess->sess_cmd_map); + } ++ percpu_ref_exit(&se_sess->cmd_count); + kmem_cache_free(se_sess_cache, se_sess); + } + EXPORT_SYMBOL(transport_free_session); +@@ -2724,6 +2739,7 @@ int target_get_sess_cmd(struct se_cmd *se_cmd, bool ack_kref) + } + se_cmd->transport_state |= CMD_T_PRE_EXECUTE; + list_add_tail(&se_cmd->se_cmd_list, &se_sess->sess_cmd_list); ++ percpu_ref_get(&se_sess->cmd_count); + out: + spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags); + +@@ -2754,8 +2770,6 @@ static void target_release_cmd_kref(struct kref *kref) + if (se_sess) { + spin_lock_irqsave(&se_sess->sess_cmd_lock, flags); + list_del_init(&se_cmd->se_cmd_list); +- if (se_sess->sess_tearing_down && list_empty(&se_sess->sess_cmd_list)) +- wake_up(&se_sess->cmd_list_wq); + spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags); + } + +@@ -2763,6 +2777,8 @@ static void target_release_cmd_kref(struct kref *kref) + se_cmd->se_tfo->release_cmd(se_cmd); + if (compl) + complete(compl); ++ ++ percpu_ref_put(&se_sess->cmd_count); + } + + /** +@@ -2891,6 +2907,8 @@ void target_sess_cmd_list_set_waiting(struct se_session *se_sess) + spin_lock_irqsave(&se_sess->sess_cmd_lock, flags); + se_sess->sess_tearing_down = 1; + spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags); ++ ++ percpu_ref_kill(&se_sess->cmd_count); + } + EXPORT_SYMBOL(target_sess_cmd_list_set_waiting); + +@@ -2905,17 +2923,14 @@ void target_wait_for_sess_cmds(struct se_session *se_sess) + + WARN_ON_ONCE(!se_sess->sess_tearing_down); + +- spin_lock_irq(&se_sess->sess_cmd_lock); + do { +- ret = wait_event_lock_irq_timeout( +- se_sess->cmd_list_wq, +- list_empty(&se_sess->sess_cmd_list), +- se_sess->sess_cmd_lock, 180 * HZ); ++ ret = wait_event_timeout(se_sess->cmd_list_wq, ++ percpu_ref_is_zero(&se_sess->cmd_count), ++ 180 * HZ); + list_for_each_entry(cmd, &se_sess->sess_cmd_list, se_cmd_list) + target_show_cmd("session shutdown: still waiting for ", + cmd); + } while (ret <= 0); +- spin_unlock_irq(&se_sess->sess_cmd_lock); + } + EXPORT_SYMBOL(target_wait_for_sess_cmds); + +diff --git a/drivers/target/target_core_xcopy.c b/drivers/target/target_core_xcopy.c +index 2718a933c0c6..7cdb5d7f6538 100644 +--- a/drivers/target/target_core_xcopy.c ++++ b/drivers/target/target_core_xcopy.c +@@ -480,6 +480,8 @@ static const struct target_core_fabric_ops xcopy_pt_tfo = { + + int target_xcopy_setup_pt(void) + { ++ int ret; ++ + xcopy_wq = alloc_workqueue("xcopy_wq", WQ_MEM_RECLAIM, 0); + if (!xcopy_wq) { + pr_err("Unable to allocate xcopy_wq\n"); +@@ -497,7 +499,9 @@ int target_xcopy_setup_pt(void) + INIT_LIST_HEAD(&xcopy_pt_nacl.acl_list); + INIT_LIST_HEAD(&xcopy_pt_nacl.acl_sess_list); + memset(&xcopy_pt_sess, 0, sizeof(struct se_session)); +- transport_init_session(&xcopy_pt_sess); ++ ret = transport_init_session(&xcopy_pt_sess); ++ if (ret < 0) ++ return ret; + + xcopy_pt_nacl.se_tpg = &xcopy_pt_tpg; + xcopy_pt_nacl.nacl_sess = &xcopy_pt_sess; +diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h +index 7a4ee7852ca4..2cfd3b4573b0 100644 +--- a/include/target/target_core_base.h ++++ b/include/target/target_core_base.h +@@ -602,6 +602,7 @@ struct se_session { + struct se_node_acl *se_node_acl; + struct se_portal_group *se_tpg; + void *fabric_sess_ptr; ++ struct percpu_ref cmd_count; + struct list_head sess_list; + struct list_head sess_acl_list; + struct list_head sess_cmd_list; +diff --git a/include/target/target_core_fabric.h b/include/target/target_core_fabric.h +index f4147b398431..eb9d0923c55c 100644 +--- a/include/target/target_core_fabric.h ++++ b/include/target/target_core_fabric.h +@@ -116,7 +116,7 @@ struct se_session *target_setup_session(struct se_portal_group *, + struct se_session *, void *)); + void target_remove_session(struct se_session *); + +-void transport_init_session(struct se_session *); ++int transport_init_session(struct se_session *se_sess); + struct se_session *transport_alloc_session(enum target_prot_op); + int transport_alloc_session_tags(struct se_session *, unsigned int, + unsigned int); +-- +2.19.1 + diff --git a/queue-4.19/scsi-target-use-consistent-left-aligned-ascii-inquir.patch b/queue-4.19/scsi-target-use-consistent-left-aligned-ascii-inquir.patch new file mode 100644 index 00000000000..c8f7e337ebd --- /dev/null +++ b/queue-4.19/scsi-target-use-consistent-left-aligned-ascii-inquir.patch @@ -0,0 +1,77 @@ +From 811480576f8d76948444a44aed13d3fad5a6dedd Mon Sep 17 00:00:00 2001 +From: David Disseldorp +Date: Wed, 5 Dec 2018 13:18:34 +0100 +Subject: scsi: target: use consistent left-aligned ASCII INQUIRY data + +[ Upstream commit 0de263577de5d5e052be5f4f93334e63cc8a7f0b ] + +spc5r17.pdf specifies: + + 4.3.1 ASCII data field requirements + ASCII data fields shall contain only ASCII printable characters (i.e., + code values 20h to 7Eh) and may be terminated with one or more ASCII null + (00h) characters. ASCII data fields described as being left-aligned + shall have any unused bytes at the end of the field (i.e., highest + offset) and the unused bytes shall be filled with ASCII space characters + (20h). + +LIO currently space-pads the T10 VENDOR IDENTIFICATION and PRODUCT +IDENTIFICATION fields in the standard INQUIRY data. However, the PRODUCT +REVISION LEVEL field in the standard INQUIRY data as well as the T10 VENDOR +IDENTIFICATION field in the INQUIRY Device Identification VPD Page are +zero-terminated/zero-padded. + +Fix this inconsistency by using space-padding for all of the above fields. + +Signed-off-by: David Disseldorp +Reviewed-by: Christoph Hellwig +Reviewed-by: Bryant G. Ly +Reviewed-by: Lee Duncan +Reviewed-by: Hannes Reinecke +Reviewed-by: Roman Bolshakov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_spc.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/drivers/target/target_core_spc.c b/drivers/target/target_core_spc.c +index cb0461a10808..93424db5f002 100644 +--- a/drivers/target/target_core_spc.c ++++ b/drivers/target/target_core_spc.c +@@ -108,12 +108,17 @@ spc_emulate_inquiry_std(struct se_cmd *cmd, unsigned char *buf) + + buf[7] = 0x2; /* CmdQue=1 */ + +- memcpy(&buf[8], "LIO-ORG ", 8); +- memset(&buf[16], 0x20, 16); ++ /* ++ * ASCII data fields described as being left-aligned shall have any ++ * unused bytes at the end of the field (i.e., highest offset) and the ++ * unused bytes shall be filled with ASCII space characters (20h). ++ */ ++ memset(&buf[8], 0x20, 8 + 16 + 4); ++ memcpy(&buf[8], "LIO-ORG", sizeof("LIO-ORG") - 1); + memcpy(&buf[16], dev->t10_wwn.model, +- min_t(size_t, strlen(dev->t10_wwn.model), 16)); ++ strnlen(dev->t10_wwn.model, 16)); + memcpy(&buf[32], dev->t10_wwn.revision, +- min_t(size_t, strlen(dev->t10_wwn.revision), 4)); ++ strnlen(dev->t10_wwn.revision, 4)); + buf[4] = 31; /* Set additional length to 31 */ + + return 0; +@@ -251,7 +256,9 @@ check_t10_vend_desc: + buf[off] = 0x2; /* ASCII */ + buf[off+1] = 0x1; /* T10 Vendor ID */ + buf[off+2] = 0x0; +- memcpy(&buf[off+4], "LIO-ORG", 8); ++ /* left align Vendor ID and pad with spaces */ ++ memset(&buf[off+4], 0x20, 8); ++ memcpy(&buf[off+4], "LIO-ORG", sizeof("LIO-ORG") - 1); + /* Extra Byte for NULL Terminator */ + id_len++; + /* Identifier Length */ +-- +2.19.1 + diff --git a/queue-4.19/selftests-bpf-enable-uncomment-all-tests-in-test_lib.patch b/queue-4.19/selftests-bpf-enable-uncomment-all-tests-in-test_lib.patch new file mode 100644 index 00000000000..2a64d8ae314 --- /dev/null +++ b/queue-4.19/selftests-bpf-enable-uncomment-all-tests-in-test_lib.patch @@ -0,0 +1,104 @@ +From 906d372e2940081b8f23e621ee9c10a6dfd9ddc5 Mon Sep 17 00:00:00 2001 +From: Quentin Monnet +Date: Wed, 7 Nov 2018 12:28:45 +0000 +Subject: selftests/bpf: enable (uncomment) all tests in test_libbpf.sh + +[ Upstream commit f96afa767baffba7645f5e10998f5178948bb9aa ] + +libbpf is now able to load successfully test_l4lb_noinline.o and +samples/bpf/tracex3_kern.o. + +For the test_l4lb_noinline, uncomment related tests from test_libbpf.c +and remove the associated "TODO". + +For tracex3_kern.o, instead of loading a program from samples/bpf/ that +might not have been compiled at this stage, try loading a program from +BPF selftests. Since this test case is about loading a program compiled +without the "-target bpf" flag, change the Makefile to compile one +program accordingly (instead of passing the flag for compiling all +programs). + +Regarding test_xdp_noinline.o: in its current shape the program fails to +load because it provides no version section, but the loader needs one. +The test was added to make sure that libbpf could load XDP programs even +if they do not provide a version number in a dedicated section. But +libbpf is already capable of doing that: in our case loading fails +because the loader does not know that this is an XDP program (it does +not need to, since it does not attach the program). So trying to load +test_xdp_noinline.o does not bring much here: just delete this subtest. + +For the record, the error message obtained with tracex3_kern.o was +fixed by commit e3d91b0ca523 ("tools/libbpf: handle issues with bpf ELF +objects containing .eh_frames") + +I have not been abled to reproduce the "libbpf: incorrect bpf_call +opcode" error for test_l4lb_noinline.o, even with the version of libbpf +present at the time when test_libbpf.sh and test_libbpf_open.c were +created. + +RFC -> v1: +- Compile test_xdp without the "-target bpf" flag, and try to load it + instead of ../../samples/bpf/tracex3_kern.o. +- Delete test_xdp_noinline.o subtest. + +Cc: Jesper Dangaard Brouer +Signed-off-by: Quentin Monnet +Acked-by: Jakub Kicinski +Acked-by: Jesper Dangaard Brouer +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/Makefile | 10 ++++++++++ + tools/testing/selftests/bpf/test_libbpf.sh | 14 ++++---------- + 2 files changed, 14 insertions(+), 10 deletions(-) + +diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile +index fff7fb1285fc..f3f874ba186b 100644 +--- a/tools/testing/selftests/bpf/Makefile ++++ b/tools/testing/selftests/bpf/Makefile +@@ -124,6 +124,16 @@ endif + endif + endif + ++# Have one program compiled without "-target bpf" to test whether libbpf loads ++# it successfully ++$(OUTPUT)/test_xdp.o: test_xdp.c ++ $(CLANG) $(CLANG_FLAGS) \ ++ -O2 -emit-llvm -c $< -o - | \ ++ $(LLC) -march=bpf -mcpu=$(CPU) $(LLC_FLAGS) -filetype=obj -o $@ ++ifeq ($(DWARF2BTF),y) ++ $(BTF_PAHOLE) -J $@ ++endif ++ + $(OUTPUT)/%.o: %.c + $(CLANG) $(CLANG_FLAGS) \ + -O2 -target bpf -emit-llvm -c $< -o - | \ +diff --git a/tools/testing/selftests/bpf/test_libbpf.sh b/tools/testing/selftests/bpf/test_libbpf.sh +index d97dc914cd49..8b1bc96d8e0c 100755 +--- a/tools/testing/selftests/bpf/test_libbpf.sh ++++ b/tools/testing/selftests/bpf/test_libbpf.sh +@@ -33,17 +33,11 @@ trap exit_handler 0 2 3 6 9 + + libbpf_open_file test_l4lb.o + +-# TODO: fix libbpf to load noinline functions +-# [warning] libbpf: incorrect bpf_call opcode +-#libbpf_open_file test_l4lb_noinline.o ++# Load a program with BPF-to-BPF calls ++libbpf_open_file test_l4lb_noinline.o + +-# TODO: fix test_xdp_meta.c to load with libbpf +-# [warning] libbpf: test_xdp_meta.o doesn't provide kernel version +-#libbpf_open_file test_xdp_meta.o +- +-# TODO: fix libbpf to handle .eh_frame +-# [warning] libbpf: relocation failed: no section(10) +-#libbpf_open_file ../../../../samples/bpf/tracex3_kern.o ++# Load a program compiled without the "-target bpf" flag ++libbpf_open_file test_xdp.o + + # Success + exit 0 +-- +2.19.1 + diff --git a/queue-4.19/selftests-do-not-macro-expand-failed-assertion-expre.patch b/queue-4.19/selftests-do-not-macro-expand-failed-assertion-expre.patch new file mode 100644 index 00000000000..644a3a98709 --- /dev/null +++ b/queue-4.19/selftests-do-not-macro-expand-failed-assertion-expre.patch @@ -0,0 +1,243 @@ +From 3bba90d42e2f84defe9248b1c380998c4036e3ab Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Mon, 10 Dec 2018 02:00:47 +0300 +Subject: selftests: do not macro-expand failed assertion expressions + +[ Upstream commit b708a3cc9600390ccaa2b68a88087dd265154b2b ] + +I've stumbled over the current macro-expand behaviour of the test +harness: + +$ gcc -Wall -xc - <<'__EOF__' +TEST(macro) { + int status = 0; + ASSERT_TRUE(WIFSIGNALED(status)); +} +TEST_HARNESS_MAIN +__EOF__ +$ ./a.out +[==========] Running 1 tests from 1 test cases. +[ RUN ] global.macro +:4:global.macro:Expected 0 (0) != (((signed char) (((status) & 0x7f) + 1) >> 1) > 0) (0) +global.macro: Test terminated by assertion +[ FAIL ] global.macro +[==========] 0 / 1 tests passed. +[ FAILED ] + +With this change the output of the same test looks much more +comprehensible: + +[==========] Running 1 tests from 1 test cases. +[ RUN ] global.macro +:4:global.macro:Expected 0 (0) != WIFSIGNALED(status) (0) +global.macro: Test terminated by assertion +[ FAIL ] global.macro +[==========] 0 / 1 tests passed. +[ FAILED ] + +The issue is very similar to the bug fixed in glibc assert(3) +three years ago: +https://sourceware.org/bugzilla/show_bug.cgi?id=18604 + +Cc: Shuah Khan +Cc: Kees Cook +Cc: Andy Lutomirski +Cc: Will Drewry +Cc: linux-kselftest@vger.kernel.org +Signed-off-by: Dmitry V. Levin +Acked-by: Kees Cook +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kselftest_harness.h | 42 ++++++++++----------- + 1 file changed, 21 insertions(+), 21 deletions(-) + +diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h +index 6ae3730c4ee3..76d654ef3234 100644 +--- a/tools/testing/selftests/kselftest_harness.h ++++ b/tools/testing/selftests/kselftest_harness.h +@@ -354,7 +354,7 @@ + * ASSERT_EQ(expected, measured): expected == measured + */ + #define ASSERT_EQ(expected, seen) \ +- __EXPECT(expected, seen, ==, 1) ++ __EXPECT(expected, #expected, seen, #seen, ==, 1) + + /** + * ASSERT_NE(expected, seen) +@@ -365,7 +365,7 @@ + * ASSERT_NE(expected, measured): expected != measured + */ + #define ASSERT_NE(expected, seen) \ +- __EXPECT(expected, seen, !=, 1) ++ __EXPECT(expected, #expected, seen, #seen, !=, 1) + + /** + * ASSERT_LT(expected, seen) +@@ -376,7 +376,7 @@ + * ASSERT_LT(expected, measured): expected < measured + */ + #define ASSERT_LT(expected, seen) \ +- __EXPECT(expected, seen, <, 1) ++ __EXPECT(expected, #expected, seen, #seen, <, 1) + + /** + * ASSERT_LE(expected, seen) +@@ -387,7 +387,7 @@ + * ASSERT_LE(expected, measured): expected <= measured + */ + #define ASSERT_LE(expected, seen) \ +- __EXPECT(expected, seen, <=, 1) ++ __EXPECT(expected, #expected, seen, #seen, <=, 1) + + /** + * ASSERT_GT(expected, seen) +@@ -398,7 +398,7 @@ + * ASSERT_GT(expected, measured): expected > measured + */ + #define ASSERT_GT(expected, seen) \ +- __EXPECT(expected, seen, >, 1) ++ __EXPECT(expected, #expected, seen, #seen, >, 1) + + /** + * ASSERT_GE(expected, seen) +@@ -409,7 +409,7 @@ + * ASSERT_GE(expected, measured): expected >= measured + */ + #define ASSERT_GE(expected, seen) \ +- __EXPECT(expected, seen, >=, 1) ++ __EXPECT(expected, #expected, seen, #seen, >=, 1) + + /** + * ASSERT_NULL(seen) +@@ -419,7 +419,7 @@ + * ASSERT_NULL(measured): NULL == measured + */ + #define ASSERT_NULL(seen) \ +- __EXPECT(NULL, seen, ==, 1) ++ __EXPECT(NULL, "NULL", seen, #seen, ==, 1) + + /** + * ASSERT_TRUE(seen) +@@ -429,7 +429,7 @@ + * ASSERT_TRUE(measured): measured != 0 + */ + #define ASSERT_TRUE(seen) \ +- ASSERT_NE(0, seen) ++ __EXPECT(0, "0", seen, #seen, !=, 1) + + /** + * ASSERT_FALSE(seen) +@@ -439,7 +439,7 @@ + * ASSERT_FALSE(measured): measured == 0 + */ + #define ASSERT_FALSE(seen) \ +- ASSERT_EQ(0, seen) ++ __EXPECT(0, "0", seen, #seen, ==, 1) + + /** + * ASSERT_STREQ(expected, seen) +@@ -472,7 +472,7 @@ + * EXPECT_EQ(expected, measured): expected == measured + */ + #define EXPECT_EQ(expected, seen) \ +- __EXPECT(expected, seen, ==, 0) ++ __EXPECT(expected, #expected, seen, #seen, ==, 0) + + /** + * EXPECT_NE(expected, seen) +@@ -483,7 +483,7 @@ + * EXPECT_NE(expected, measured): expected != measured + */ + #define EXPECT_NE(expected, seen) \ +- __EXPECT(expected, seen, !=, 0) ++ __EXPECT(expected, #expected, seen, #seen, !=, 0) + + /** + * EXPECT_LT(expected, seen) +@@ -494,7 +494,7 @@ + * EXPECT_LT(expected, measured): expected < measured + */ + #define EXPECT_LT(expected, seen) \ +- __EXPECT(expected, seen, <, 0) ++ __EXPECT(expected, #expected, seen, #seen, <, 0) + + /** + * EXPECT_LE(expected, seen) +@@ -505,7 +505,7 @@ + * EXPECT_LE(expected, measured): expected <= measured + */ + #define EXPECT_LE(expected, seen) \ +- __EXPECT(expected, seen, <=, 0) ++ __EXPECT(expected, #expected, seen, #seen, <=, 0) + + /** + * EXPECT_GT(expected, seen) +@@ -516,7 +516,7 @@ + * EXPECT_GT(expected, measured): expected > measured + */ + #define EXPECT_GT(expected, seen) \ +- __EXPECT(expected, seen, >, 0) ++ __EXPECT(expected, #expected, seen, #seen, >, 0) + + /** + * EXPECT_GE(expected, seen) +@@ -527,7 +527,7 @@ + * EXPECT_GE(expected, measured): expected >= measured + */ + #define EXPECT_GE(expected, seen) \ +- __EXPECT(expected, seen, >=, 0) ++ __EXPECT(expected, #expected, seen, #seen, >=, 0) + + /** + * EXPECT_NULL(seen) +@@ -537,7 +537,7 @@ + * EXPECT_NULL(measured): NULL == measured + */ + #define EXPECT_NULL(seen) \ +- __EXPECT(NULL, seen, ==, 0) ++ __EXPECT(NULL, "NULL", seen, #seen, ==, 0) + + /** + * EXPECT_TRUE(seen) +@@ -547,7 +547,7 @@ + * EXPECT_TRUE(measured): 0 != measured + */ + #define EXPECT_TRUE(seen) \ +- EXPECT_NE(0, seen) ++ __EXPECT(0, "0", seen, #seen, !=, 0) + + /** + * EXPECT_FALSE(seen) +@@ -557,7 +557,7 @@ + * EXPECT_FALSE(measured): 0 == measured + */ + #define EXPECT_FALSE(seen) \ +- EXPECT_EQ(0, seen) ++ __EXPECT(0, "0", seen, #seen, ==, 0) + + /** + * EXPECT_STREQ(expected, seen) +@@ -597,7 +597,7 @@ + if (_metadata->passed && _metadata->step < 255) \ + _metadata->step++; + +-#define __EXPECT(_expected, _seen, _t, _assert) do { \ ++#define __EXPECT(_expected, _expected_str, _seen, _seen_str, _t, _assert) do { \ + /* Avoid multiple evaluation of the cases */ \ + __typeof__(_expected) __exp = (_expected); \ + __typeof__(_seen) __seen = (_seen); \ +@@ -606,8 +606,8 @@ + unsigned long long __exp_print = (uintptr_t)__exp; \ + unsigned long long __seen_print = (uintptr_t)__seen; \ + __TH_LOG("Expected %s (%llu) %s %s (%llu)", \ +- #_expected, __exp_print, #_t, \ +- #_seen, __seen_print); \ ++ _expected_str, __exp_print, #_t, \ ++ _seen_str, __seen_print); \ + _metadata->passed = 0; \ + /* Ensure the optional handler is triggered */ \ + _metadata->trigger = 1; \ +-- +2.19.1 + diff --git a/queue-4.19/selinux-always-allow-mounting-submounts.patch b/queue-4.19/selinux-always-allow-mounting-submounts.patch new file mode 100644 index 00000000000..0d4eae06963 --- /dev/null +++ b/queue-4.19/selinux-always-allow-mounting-submounts.patch @@ -0,0 +1,68 @@ +From b405c7764a86eb17b70cbd3bcbb216ce39a0265c Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Fri, 16 Nov 2018 14:12:02 +0100 +Subject: selinux: always allow mounting submounts + +[ Upstream commit 2cbdcb882f97a45f7475c67ac6257bbc16277dfe ] + +If a superblock has the MS_SUBMOUNT flag set, we should always allow +mounting it. These mounts are done automatically by the kernel either as +part of mounting some parent mount (e.g. debugfs always mounts tracefs +under "tracing" for compatibility) or they are mounted automatically as +needed on subdirectory accesses (e.g. NFS crossmnt mounts). Since such +automounts are either an implicit consequence of the parent mount (which +is already checked) or they can happen during regular accesses (where it +doesn't make sense to check against the current task's context), the +mount permission check should be skipped for them. + +Without this patch, attempts to access contents of an automounted +directory can cause unexpected SELinux denials. + +In the current kernel tree, the MS_SUBMOUNT flag is set only via +vfs_submount(), which is called only from the following places: + - AFS, when automounting special "symlinks" referencing other cells + - CIFS, when automounting "referrals" + - NFS, when automounting subtrees + - debugfs, when automounting tracefs + +In all cases the submounts are meant to be transparent to the user and +it makes sense that if mounting the master is allowed, then so should be +the automounts. Note that CAP_SYS_ADMIN capability checking is already +skipped for (SB_KERNMOUNT|SB_SUBMOUNT) in: + - sget_userns() in fs/super.c: + if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) && + !(type->fs_flags & FS_USERNS_MOUNT) && + !capable(CAP_SYS_ADMIN)) + return ERR_PTR(-EPERM); + - sget() in fs/super.c: + /* Ensure the requestor has permissions over the target filesystem */ + if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) && !ns_capable(user_ns, CAP_SYS_ADMIN)) + return ERR_PTR(-EPERM); + +Verified internally on patched RHEL 7.6 with a reproducer using +NFS+httpd and selinux-tesuite. + +Fixes: 93faccbbfa95 ("fs: Better permission checking for submounts") +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + security/selinux/hooks.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index fe251c6f09f1..3c3878f0d2fa 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -2934,7 +2934,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) + return rc; + + /* Allow all mounts performed by the kernel */ +- if (flags & MS_KERNMOUNT) ++ if (flags & (MS_KERNMOUNT | MS_SUBMOUNT)) + return 0; + + ad.type = LSM_AUDIT_DATA_DENTRY; +-- +2.19.1 + diff --git a/queue-4.19/serial-set-suppress_bind_attrs-flag-only-if-builtin.patch b/queue-4.19/serial-set-suppress_bind_attrs-flag-only-if-builtin.patch new file mode 100644 index 00000000000..1254d807533 --- /dev/null +++ b/queue-4.19/serial-set-suppress_bind_attrs-flag-only-if-builtin.patch @@ -0,0 +1,126 @@ +From 615f0a153289eb0c8af6ba1c6dec72a4bd29e0d0 Mon Sep 17 00:00:00 2001 +From: Anders Roxell +Date: Tue, 30 Oct 2018 12:35:44 +0100 +Subject: serial: set suppress_bind_attrs flag only if builtin + +[ Upstream commit 646097940ad35aa2c1f2012af932d55976a9f255 ] + +When the test 'CONFIG_DEBUG_TEST_DRIVER_REMOVE=y' is enabled, +arch_initcall(pl011_init) came before subsys_initcall(default_bdi_init). +devtmpfs gets killed because we try to remove a file and decrement the +wb reference count before the noop_backing_device_info gets initialized. + +[ 0.332075] Serial: AMBA PL011 UART driver +[ 0.485276] 9000000.pl011: ttyAMA0 at MMIO 0x9000000 (irq = 39, base_baud = 0) is a PL011 rev1 +[ 0.502382] console [ttyAMA0] enabled +[ 0.515710] Unable to handle kernel paging request at virtual address 0000800074c12000 +[ 0.516053] Mem abort info: +[ 0.516222] ESR = 0x96000004 +[ 0.516417] Exception class = DABT (current EL), IL = 32 bits +[ 0.516641] SET = 0, FnV = 0 +[ 0.516826] EA = 0, S1PTW = 0 +[ 0.516984] Data abort info: +[ 0.517149] ISV = 0, ISS = 0x00000004 +[ 0.517339] CM = 0, WnR = 0 +[ 0.517553] [0000800074c12000] user address but active_mm is swapper +[ 0.517928] Internal error: Oops: 96000004 [#1] PREEMPT SMP +[ 0.518305] Modules linked in: +[ 0.518839] CPU: 0 PID: 13 Comm: kdevtmpfs Not tainted 4.19.0-rc5-next-20180928-00002-g2ba39ab0cd01-dirty #82 +[ 0.519307] Hardware name: linux,dummy-virt (DT) +[ 0.519681] pstate: 80000005 (Nzcv daif -PAN -UAO) +[ 0.519959] pc : __destroy_inode+0x94/0x2a8 +[ 0.520212] lr : __destroy_inode+0x78/0x2a8 +[ 0.520401] sp : ffff0000098c3b20 +[ 0.520590] x29: ffff0000098c3b20 x28: 00000000087a3714 +[ 0.520904] x27: 0000000000002000 x26: 0000000000002000 +[ 0.521179] x25: ffff000009583000 x24: 0000000000000000 +[ 0.521467] x23: ffff80007bb52000 x22: ffff80007bbaa7c0 +[ 0.521737] x21: ffff0000093f9338 x20: 0000000000000000 +[ 0.522033] x19: ffff80007bbb05d8 x18: 0000000000000400 +[ 0.522376] x17: 0000000000000000 x16: 0000000000000000 +[ 0.522727] x15: 0000000000000400 x14: 0000000000000400 +[ 0.523068] x13: 0000000000000001 x12: 0000000000000001 +[ 0.523421] x11: 0000000000000000 x10: 0000000000000970 +[ 0.523749] x9 : ffff0000098c3a60 x8 : ffff80007bbab190 +[ 0.524017] x7 : ffff80007bbaa880 x6 : 0000000000000c88 +[ 0.524305] x5 : ffff0000093d96c8 x4 : 61c8864680b583eb +[ 0.524567] x3 : ffff0000093d6180 x2 : ffffffffffffffff +[ 0.524872] x1 : 0000800074c12000 x0 : 0000800074c12000 +[ 0.525207] Process kdevtmpfs (pid: 13, stack limit = 0x(____ptrval____)) +[ 0.525529] Call trace: +[ 0.525806] __destroy_inode+0x94/0x2a8 +[ 0.526108] destroy_inode+0x34/0x88 +[ 0.526370] evict+0x144/0x1c8 +[ 0.526636] iput+0x184/0x230 +[ 0.526871] dentry_unlink_inode+0x118/0x130 +[ 0.527152] d_delete+0xd8/0xe0 +[ 0.527420] vfs_unlink+0x240/0x270 +[ 0.527665] handle_remove+0x1d8/0x330 +[ 0.527875] devtmpfsd+0x138/0x1c8 +[ 0.528085] kthread+0x14c/0x158 +[ 0.528291] ret_from_fork+0x10/0x18 +[ 0.528720] Code: 92800002 aa1403e0 d538d081 8b010000 (c85f7c04) +[ 0.529367] ---[ end trace 5a3dee47727f877c ]--- + +Rework to set suppress_bind_attrs flag to avoid removing the device when +CONFIG_DEBUG_TEST_DRIVER_REMOVE=y. This applies for pic32_uart and +xilinx_uartps as well. + +Co-developed-by: Arnd Bergmann +Signed-off-by: Arnd Bergmann +Signed-off-by: Anders Roxell +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/amba-pl011.c | 2 ++ + drivers/tty/serial/pic32_uart.c | 1 + + drivers/tty/serial/xilinx_uartps.c | 1 + + 3 files changed, 4 insertions(+) + +diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c +index ebd33c0232e6..89ade213a1a9 100644 +--- a/drivers/tty/serial/amba-pl011.c ++++ b/drivers/tty/serial/amba-pl011.c +@@ -2780,6 +2780,7 @@ static struct platform_driver arm_sbsa_uart_platform_driver = { + .name = "sbsa-uart", + .of_match_table = of_match_ptr(sbsa_uart_of_match), + .acpi_match_table = ACPI_PTR(sbsa_uart_acpi_match), ++ .suppress_bind_attrs = IS_BUILTIN(CONFIG_SERIAL_AMBA_PL011), + }, + }; + +@@ -2808,6 +2809,7 @@ static struct amba_driver pl011_driver = { + .drv = { + .name = "uart-pl011", + .pm = &pl011_dev_pm_ops, ++ .suppress_bind_attrs = IS_BUILTIN(CONFIG_SERIAL_AMBA_PL011), + }, + .id_table = pl011_ids, + .probe = pl011_probe, +diff --git a/drivers/tty/serial/pic32_uart.c b/drivers/tty/serial/pic32_uart.c +index fd80d999308d..0bdf1687983f 100644 +--- a/drivers/tty/serial/pic32_uart.c ++++ b/drivers/tty/serial/pic32_uart.c +@@ -919,6 +919,7 @@ static struct platform_driver pic32_uart_platform_driver = { + .driver = { + .name = PIC32_DEV_NAME, + .of_match_table = of_match_ptr(pic32_serial_dt_ids), ++ .suppress_bind_attrs = IS_BUILTIN(CONFIG_SERIAL_PIC32), + }, + }; + +diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c +index 6ed74735b58c..87d8dd90d605 100644 +--- a/drivers/tty/serial/xilinx_uartps.c ++++ b/drivers/tty/serial/xilinx_uartps.c +@@ -1608,6 +1608,7 @@ static struct platform_driver cdns_uart_platform_driver = { + .name = CDNS_UART_NAME, + .of_match_table = cdns_uart_of_match, + .pm = &cdns_uart_dev_pm_ops, ++ .suppress_bind_attrs = IS_BUILTIN(CONFIG_SERIAL_XILINX_PS_UART), + }, + }; + +-- +2.19.1 + diff --git a/queue-4.19/series b/queue-4.19/series index aa44dba8f1e..5b4181207ea 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -7,3 +7,93 @@ qmi_wwan-add-mtu-default-to-qmap-network-interface.patch r8169-add-support-for-new-realtek-ethernet.patch ipv6-take-rcu_read_lock-in-__inet6_bind-for-mapped-addresses.patch net-clear-skb-tstamp-in-bridge-forwarding-path.patch +netfilter-ipset-allow-matching-on-destination-mac-ad.patch +gpio-pl061-move-irq_chip-definition-inside-struct-pl.patch +drm-amd-display-guard-against-null-stream_state-in-s.patch +drm-amdkfd-fix-interrupt-spin-lock.patch +ixgbe-allow-ipsec-tx-offload-in-vepa-mode.patch +platform-x86-asus-wmi-tell-the-ec-the-os-will-handle.patch +e1000e-allow-non-monotonic-systim-readings.patch +usb-typec-tcpm-do-not-disconnect-link-for-self-power.patch +selftests-bpf-enable-uncomment-all-tests-in-test_lib.patch +of-overlay-add-missing-of_node_put-after-add-new-nod.patch +writeback-don-t-decrement-wb-refcnt-if-wb-bdi.patch +serial-set-suppress_bind_attrs-flag-only-if-builtin.patch +bpf-allow-narrow-loads-with-offset-0.patch +alsa-oxfw-add-support-for-apogee-duet-firewire.patch +x86-mce-fix-wmissing-prototypes-warnings.patch +mips-sibyte-enable-swiotlb-for-swarm-littlesur-and-b.patch +crypto-ecc-regularize-scalar-for-scalar-multiplicati.patch +arm64-perf-set-suppress_bind_attrs-flag-to-true.patch +drm-atomic-helper-complete-fake_commit-flip_done-pot.patch +clk-meson-meson8b-fix-incorrect-divider-mapping-in-c.patch +samples-bpf-fix-error-handling-regarding-kprobe_even.patch +usb-gadget-udc-renesas_usb3-add-a-safety-connection-.patch +fpga-altera-cvp-fix-probing-for-multiple-fpgas-on-th.patch +selinux-always-allow-mounting-submounts.patch +asoc-pcm3168a-don-t-disable-pcm3168a-when-config_pm-.patch +scsi-qedi-check-for-session-online-before-getting-is.patch +drm-amdgpu-reorder-uvd-ring-init-before-uvd-resume.patch +rxe-ib_wr_reg_mr-does-not-capture-mr-s-iova-field.patch +efi-libstub-disable-some-warnings-for-x86-_64.patch +jffs2-fix-use-of-uninitialized-delayed_work-lockdep-.patch +clk-imx-make-mux-parent-strings-const.patch +pstore-ram-do-not-treat-empty-buffers-as-valid.patch +media-uvcvideo-refactor-teardown-of-uvc-on-usb-disco.patch +powerpc-xmon-fix-invocation-inside-lock-region.patch +powerpc-pseries-cpuidle-fix-preempt-warning.patch +media-firewire-fix-app_info-parameter-type-in-avc_ca.patch +asoc-use-dma_ops-of-parent-device-for-acp_audio_dma.patch +media-venus-core-set-dma-maximum-segment-size.patch +staging-erofs-fix-use-after-free-of-on-stack-z_erofs.patch +net-call-sk_dst_reset-when-set-so_dontroute.patch +scsi-target-use-consistent-left-aligned-ascii-inquir.patch +scsi-target-core-make-sure-that-target_wait_for_sess.patch +selftests-do-not-macro-expand-failed-assertion-expre.patch +arm64-kasan-increase-stack-size-for-kasan_extra.patch +clk-imx6q-reset-exclusive-gates-on-init.patch +arm64-fix-minor-issues-with-the-dcache_by_line_op-ma.patch +bpf-relax-verifier-restriction-on-bpf_mov-bpf_alu.patch +kconfig-fix-file-name-and-line-number-of-warn_ignore.patch +kconfig-fix-memory-leak-when-eof-is-encountered-in-q.patch +mmc-atmel-mci-do-not-assume-idle-after-atmci_request.patch +btrfs-volumes-make-sure-there-is-no-overlap-of-dev-e.patch +btrfs-alloc_chunk-fix-more-dup-stripe-size-handling.patch +btrfs-fix-use-after-free-due-to-race-between-replace.patch +btrfs-improve-error-handling-of-btrfs_add_link.patch +tty-serial-do-not-free-trasnmit-buffer-page-under-po.patch +perf-intel-pt-fix-error-with-config-term-pt-0.patch +perf-tests-arm-disable-breakpoint-tests-32-bit.patch +perf-svghelper-fix-unchecked-usage-of-strncpy.patch +perf-parse-events-fix-unchecked-usage-of-strncpy.patch +perf-vendor-events-intel-fix-load_miss_real_latency-.patch +netfilter-ipt_clusterip-check-mac-address-when-dupli.patch +netfilter-ipt_clusterip-remove-wrong-warn_on_once-in.patch +netfilter-ipt_clusterip-fix-deadlock-in-netns-exit-r.patch +x86-topology-use-total_cpus-for-max-logical-packages.patch +dm-crypt-use-u64-instead-of-sector_t-to-store-iv_off.patch +dm-kcopyd-fix-bug-causing-workqueue-stalls.patch +perf-stat-avoid-segfaults-caused-by-negated-options.patch +tools-lib-subcmd-don-t-add-the-kernel-sources-to-the.patch +dm-snapshot-fix-excessive-memory-usage-and-workqueue.patch +perf-cs-etm-correct-packets-swapping-in-cs_etm__flus.patch +perf-tools-add-missing-sigqueue-prototype-for-system.patch +perf-tools-add-missing-open_memstream-prototype-for-.patch +quota-lock-s_umount-in-exclusive-mode-for-q_xquota-o.patch +clocksource-drivers-integrator-ap-add-missing-of_nod.patch +dm-check-for-device-sector-overflow-if-config_lbdaf-.patch +bluetooth-btusb-add-support-for-intel-bluetooth-devi.patch +alsa-bebob-fix-model-id-of-unit-for-apogee-ensemble.patch +sysfs-disable-lockdep-for-driver-bind-unbind-files.patch +ib-usnic-fix-potential-deadlock.patch +scsi-mpt3sas-fix-memory-ordering-on-64bit-writes.patch +scsi-smartpqi-correct-lun-reset-issues.patch +ath10k-fix-peer-stats-null-pointer-dereference.patch +scsi-smartpqi-call-pqi_free_interrupts-in-pqi_shutdo.patch +scsi-megaraid-fix-out-of-bound-array-accesses.patch +iomap-don-t-search-past-page-end-in-iomap_is_partial.patch +ocfs2-fix-panic-due-to-unrecovered-local-alloc.patch +mm-page-writeback.c-don-t-break-integrity-writeback-.patch +mm-swap-use-nr_node_ids-for-avail_lists-in-swap_info.patch +userfaultfd-clear-flag-if-remap-event-not-enabled.patch +mm-proc-be-more-verbose-about-unstable-vma-flags-in-.patch diff --git a/queue-4.19/staging-erofs-fix-use-after-free-of-on-stack-z_erofs.patch b/queue-4.19/staging-erofs-fix-use-after-free-of-on-stack-z_erofs.patch new file mode 100644 index 00000000000..91726f8a652 --- /dev/null +++ b/queue-4.19/staging-erofs-fix-use-after-free-of-on-stack-z_erofs.patch @@ -0,0 +1,87 @@ +From 328c97df2a81e3f743ac3ec8b2e45c1fd603bbf2 Mon Sep 17 00:00:00 2001 +From: Gao Xiang +Date: Sat, 8 Dec 2018 00:19:12 +0800 +Subject: staging: erofs: fix use-after-free of on-stack `z_erofs_vle_unzip_io' + +[ Upstream commit 848bd9acdcd00c164b42b14aacec242949ecd471 ] + +The root cause is the race as follows: + Thread #0 Thread #1 + + z_erofs_vle_unzip_kickoff z_erofs_submit_and_unzip + + struct z_erofs_vle_unzip_io io[] + atomic_add_return() + wait_event() + [end of function] + wake_up() + +Fix it by taking the waitqueue lock between atomic_add_return and +wake_up to close such the race. + +kernel message: + +Unable to handle kernel paging request at virtual address 97f7052caa1303dc +... +Workqueue: kverityd verity_work +task: ffffffe32bcb8000 task.stack: ffffffe3298a0000 +PC is at __wake_up_common+0x48/0xa8 +LR is at __wake_up+0x3c/0x58 +... +Call trace: +... +[] __wake_up_common+0x48/0xa8 +[] __wake_up+0x3c/0x58 +[] z_erofs_vle_unzip_kickoff+0x40/0x64 +[] z_erofs_vle_read_endio+0x94/0x134 +[] bio_endio+0xe4/0xf8 +[] dec_pending+0x134/0x32c +[] clone_endio+0x90/0xf4 +[] bio_endio+0xe4/0xf8 +[] verity_work+0x210/0x368 +[] process_one_work+0x188/0x4b4 +[] worker_thread+0x140/0x458 +[] kthread+0xec/0x108 +[] ret_from_fork+0x10/0x1c +Code: d1006273 54000260 f9400804 b9400019 (b85fc081) +---[ end trace be9dde154f677cd1 ]--- + +Reviewed-by: Chao Yu +Signed-off-by: Gao Xiang +Signed-off-by: Greg Kroah-Hartman + +Signed-off-by: Sasha Levin +--- + drivers/staging/erofs/unzip_vle.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/staging/erofs/unzip_vle.c b/drivers/staging/erofs/unzip_vle.c +index 14da8cc2246a..0346630b67c8 100644 +--- a/drivers/staging/erofs/unzip_vle.c ++++ b/drivers/staging/erofs/unzip_vle.c +@@ -724,13 +724,18 @@ static void z_erofs_vle_unzip_kickoff(void *ptr, int bios) + struct z_erofs_vle_unzip_io *io = tagptr_unfold_ptr(t); + bool background = tagptr_unfold_tags(t); + +- if (atomic_add_return(bios, &io->pending_bios)) ++ if (!background) { ++ unsigned long flags; ++ ++ spin_lock_irqsave(&io->u.wait.lock, flags); ++ if (!atomic_add_return(bios, &io->pending_bios)) ++ wake_up_locked(&io->u.wait); ++ spin_unlock_irqrestore(&io->u.wait.lock, flags); + return; ++ } + +- if (background) ++ if (!atomic_add_return(bios, &io->pending_bios)) + queue_work(z_erofs_workqueue, &io->u.work); +- else +- wake_up(&io->u.wait); + } + + static inline void z_erofs_vle_read_endio(struct bio *bio) +-- +2.19.1 + diff --git a/queue-4.19/sysfs-disable-lockdep-for-driver-bind-unbind-files.patch b/queue-4.19/sysfs-disable-lockdep-for-driver-bind-unbind-files.patch new file mode 100644 index 00000000000..e94e47f0059 --- /dev/null +++ b/queue-4.19/sysfs-disable-lockdep-for-driver-bind-unbind-files.patch @@ -0,0 +1,174 @@ +From 014790534e2babfd05e6e0985a7394fd21b412c7 Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Wed, 19 Dec 2018 13:39:09 +0100 +Subject: sysfs: Disable lockdep for driver bind/unbind files + +[ Upstream commit 4f4b374332ec0ae9c738ff8ec9bed5cd97ff9adc ] + +This is the much more correct fix for my earlier attempt at: + +https://lkml.org/lkml/2018/12/10/118 + +Short recap: + +- There's not actually a locking issue, it's just lockdep being a bit + too eager to complain about a possible deadlock. + +- Contrary to what I claimed the real problem is recursion on + kn->count. Greg pointed me at sysfs_break_active_protection(), used + by the scsi subsystem to allow a sysfs file to unbind itself. That + would be a real deadlock, which isn't what's happening here. Also, + breaking the active protection means we'd need to manually handle + all the lifetime fun. + +- With Rafael we discussed the task_work approach, which kinda works, + but has two downsides: It's a functional change for a lockdep + annotation issue, and it won't work for the bind file (which needs + to get the errno from the driver load function back to userspace). + +- Greg also asked why this never showed up: To hit this you need to + unregister a 2nd driver from the unload code of your first driver. I + guess only gpus do that. The bug has always been there, but only + with a recent patch series did we add more locks so that lockdep + built a chain from unbinding the snd-hda driver to the + acpi_video_unregister call. + +Full lockdep splat: + +[12301.898799] ============================================ +[12301.898805] WARNING: possible recursive locking detected +[12301.898811] 4.20.0-rc7+ #84 Not tainted +[12301.898815] -------------------------------------------- +[12301.898821] bash/5297 is trying to acquire lock: +[12301.898826] 00000000f61c6093 (kn->count#39){++++}, at: kernfs_remove_by_name_ns+0x3b/0x80 +[12301.898841] but task is already holding lock: +[12301.898847] 000000005f634021 (kn->count#39){++++}, at: kernfs_fop_write+0xdc/0x190 +[12301.898856] other info that might help us debug this: +[12301.898862] Possible unsafe locking scenario: +[12301.898867] CPU0 +[12301.898870] ---- +[12301.898874] lock(kn->count#39); +[12301.898879] lock(kn->count#39); +[12301.898883] *** DEADLOCK *** +[12301.898891] May be due to missing lock nesting notation +[12301.898899] 5 locks held by bash/5297: +[12301.898903] #0: 00000000cd800e54 (sb_writers#4){.+.+}, at: vfs_write+0x17f/0x1b0 +[12301.898915] #1: 000000000465e7c2 (&of->mutex){+.+.}, at: kernfs_fop_write+0xd3/0x190 +[12301.898925] #2: 000000005f634021 (kn->count#39){++++}, at: kernfs_fop_write+0xdc/0x190 +[12301.898936] #3: 00000000414ef7ac (&dev->mutex){....}, at: device_release_driver_internal+0x34/0x240 +[12301.898950] #4: 000000003218fbdf (register_count_mutex){+.+.}, at: acpi_video_unregister+0xe/0x40 +[12301.898960] stack backtrace: +[12301.898968] CPU: 1 PID: 5297 Comm: bash Not tainted 4.20.0-rc7+ #84 +[12301.898974] Hardware name: Hewlett-Packard HP EliteBook 8460p/161C, BIOS 68SCF Ver. F.01 03/11/2011 +[12301.898982] Call Trace: +[12301.898989] dump_stack+0x67/0x9b +[12301.898997] __lock_acquire+0x6ad/0x1410 +[12301.899003] ? kernfs_remove_by_name_ns+0x3b/0x80 +[12301.899010] ? find_held_lock+0x2d/0x90 +[12301.899017] ? mutex_spin_on_owner+0xe4/0x150 +[12301.899023] ? find_held_lock+0x2d/0x90 +[12301.899030] ? lock_acquire+0x90/0x180 +[12301.899036] lock_acquire+0x90/0x180 +[12301.899042] ? kernfs_remove_by_name_ns+0x3b/0x80 +[12301.899049] __kernfs_remove+0x296/0x310 +[12301.899055] ? kernfs_remove_by_name_ns+0x3b/0x80 +[12301.899060] ? kernfs_name_hash+0xd/0x80 +[12301.899066] ? kernfs_find_ns+0x6c/0x100 +[12301.899073] kernfs_remove_by_name_ns+0x3b/0x80 +[12301.899080] bus_remove_driver+0x92/0xa0 +[12301.899085] acpi_video_unregister+0x24/0x40 +[12301.899127] i915_driver_unload+0x42/0x130 [i915] +[12301.899160] i915_pci_remove+0x19/0x30 [i915] +[12301.899169] pci_device_remove+0x36/0xb0 +[12301.899176] device_release_driver_internal+0x185/0x240 +[12301.899183] unbind_store+0xaf/0x180 +[12301.899189] kernfs_fop_write+0x104/0x190 +[12301.899195] __vfs_write+0x31/0x180 +[12301.899203] ? rcu_read_lock_sched_held+0x6f/0x80 +[12301.899209] ? rcu_sync_lockdep_assert+0x29/0x50 +[12301.899216] ? __sb_start_write+0x13c/0x1a0 +[12301.899221] ? vfs_write+0x17f/0x1b0 +[12301.899227] vfs_write+0xb9/0x1b0 +[12301.899233] ksys_write+0x50/0xc0 +[12301.899239] do_syscall_64+0x4b/0x180 +[12301.899247] entry_SYSCALL_64_after_hwframe+0x49/0xbe +[12301.899253] RIP: 0033:0x7f452ac7f7a4 +[12301.899259] Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 80 00 00 00 00 8b 05 aa f0 2c 00 48 63 ff 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 55 53 48 89 d5 48 89 f3 48 83 +[12301.899273] RSP: 002b:00007ffceafa6918 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[12301.899282] RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f452ac7f7a4 +[12301.899288] RDX: 000000000000000d RSI: 00005612a1abf7c0 RDI: 0000000000000001 +[12301.899295] RBP: 00005612a1abf7c0 R08: 000000000000000a R09: 00005612a1c46730 +[12301.899301] R10: 000000000000000a R11: 0000000000000246 R12: 000000000000000d +[12301.899308] R13: 0000000000000001 R14: 00007f452af4a740 R15: 000000000000000d + +Looking around I've noticed that usb and i2c already handle similar +recursion problems, where a sysfs file can unbind the same type of +sysfs somewhere else in the hierarchy. Relevant commits are: + +commit 356c05d58af05d582e634b54b40050c73609617b +Author: Alan Stern +Date: Mon May 14 13:30:03 2012 -0400 + + sysfs: get rid of some lockdep false positives + +commit e9b526fe704812364bca07edd15eadeba163ebfb +Author: Alexander Sverdlin +Date: Fri May 17 14:56:35 2013 +0200 + + i2c: suppress lockdep warning on delete_device + +Implement the same trick for driver bind/unbind. + +v2: Put the macro into bus.c (Greg). + +Reviewed-by: Rafael J. Wysocki +Cc: Ramalingam C +Cc: Arend van Spriel +Cc: Andy Shevchenko +Cc: Geert Uytterhoeven +Cc: Bartosz Golaszewski +Cc: Heikki Krogerus +Cc: Vivek Gautam +Cc: Joe Perches +Signed-off-by: Daniel Vetter +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/bus.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/base/bus.c b/drivers/base/bus.c +index 8bfd27ec73d6..585e2e1c9c8f 100644 +--- a/drivers/base/bus.c ++++ b/drivers/base/bus.c +@@ -31,6 +31,9 @@ static struct kset *system_kset; + + #define to_drv_attr(_attr) container_of(_attr, struct driver_attribute, attr) + ++#define DRIVER_ATTR_IGNORE_LOCKDEP(_name, _mode, _show, _store) \ ++ struct driver_attribute driver_attr_##_name = \ ++ __ATTR_IGNORE_LOCKDEP(_name, _mode, _show, _store) + + static int __must_check bus_rescan_devices_helper(struct device *dev, + void *data); +@@ -195,7 +198,7 @@ static ssize_t unbind_store(struct device_driver *drv, const char *buf, + bus_put(bus); + return err; + } +-static DRIVER_ATTR_WO(unbind); ++static DRIVER_ATTR_IGNORE_LOCKDEP(unbind, S_IWUSR, NULL, unbind_store); + + /* + * Manually attach a device to a driver. +@@ -231,7 +234,7 @@ static ssize_t bind_store(struct device_driver *drv, const char *buf, + bus_put(bus); + return err; + } +-static DRIVER_ATTR_WO(bind); ++static DRIVER_ATTR_IGNORE_LOCKDEP(bind, S_IWUSR, NULL, bind_store); + + static ssize_t show_drivers_autoprobe(struct bus_type *bus, char *buf) + { +-- +2.19.1 + diff --git a/queue-4.19/tools-lib-subcmd-don-t-add-the-kernel-sources-to-the.patch b/queue-4.19/tools-lib-subcmd-don-t-add-the-kernel-sources-to-the.patch new file mode 100644 index 00000000000..30581d44e04 --- /dev/null +++ b/queue-4.19/tools-lib-subcmd-don-t-add-the-kernel-sources-to-the.patch @@ -0,0 +1,71 @@ +From cdb429f5e33205cdda3dfb7afe588b5f351b5499 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Tue, 11 Dec 2018 15:00:52 -0300 +Subject: tools lib subcmd: Don't add the kernel sources to the include path + +[ Upstream commit ece9804985b57e1ccd83b1fb6288520955a29d51 ] + +At some point we decided not to directly include kernel sources files +when building tools/perf/, but when tools/lib/subcmd/ was forked from +tools/perf it somehow ended up adding it via these two lines in its +Makefile: + + CFLAGS += -I$(srctree)/include/uapi + CFLAGS += -I$(srctree)/include + +As $(srctree) points to the kernel sources. + +Removing those lines and keeping just: + + CFLAGS += -I$(srctree)/tools/include/ + +Is enough to build tools/perf and tools/objtool. + +This fixes the build when building from the sources in environments such +as the Android NDK crossbuilding from a fedora:26 system: + + subcmd-util.h:11:15: error: expected ',' or ';' before 'void' + static inline void report(const char *prefix, const char *err, va_list params) + ^ + In file included from /git/perf/include/uapi/linux/stddef.h:2:0, + from /git/perf/include/uapi/linux/posix_types.h:5, + from /opt/android-ndk-r12b/platforms/android-24/arch-arm/usr/include/sys/types.h:36, + from /opt/android-ndk-r12b/platforms/android-24/arch-arm/usr/include/unistd.h:33, + from run-command.c:2: + subcmd-util.h:18:17: error: '__no_instrument_function__' attribute applies only to functions + +The /opt/android-ndk-r12b/platforms/android-24/arch-arm/usr/include/sys/types.h +file that includes linux/posix_types.h ends up getting the one in the kernel +sources causing the breakage. Fix it. + +Test built tools/objtool/ too. + +Reported-by: Jiri Olsa +Tested-by: Jiri Olsa +Cc: Adrian Hunter +Cc: Josh Poimboeuf +Cc: Namhyung Kim +Fixes: 4b6ab94eabe4 ("perf subcmd: Create subcmd library") +Link: https://lkml.kernel.org/n/tip-5lhaoecrj12t0bqwvpiu14sm@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/subcmd/Makefile | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/tools/lib/subcmd/Makefile b/tools/lib/subcmd/Makefile +index 95563b8e1ad7..ed61fb3a46c0 100644 +--- a/tools/lib/subcmd/Makefile ++++ b/tools/lib/subcmd/Makefile +@@ -36,8 +36,6 @@ endif + CFLAGS += -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE + + CFLAGS += -I$(srctree)/tools/include/ +-CFLAGS += -I$(srctree)/include/uapi +-CFLAGS += -I$(srctree)/include + + SUBCMD_IN := $(OUTPUT)libsubcmd-in.o + +-- +2.19.1 + diff --git a/queue-4.19/tty-serial-do-not-free-trasnmit-buffer-page-under-po.patch b/queue-4.19/tty-serial-do-not-free-trasnmit-buffer-page-under-po.patch new file mode 100644 index 00000000000..435e49c907c --- /dev/null +++ b/queue-4.19/tty-serial-do-not-free-trasnmit-buffer-page-under-po.patch @@ -0,0 +1,114 @@ +From 841a7fe1dbfb31fec94cd575b53ef5af45063c92 Mon Sep 17 00:00:00 2001 +From: Sergey Senozhatsky +Date: Thu, 13 Dec 2018 13:58:39 +0900 +Subject: tty/serial: do not free trasnmit buffer page under port lock + +[ Upstream commit d72402145ace0697a6a9e8e75a3de5bf3375f78d ] + +LKP has hit yet another circular locking dependency between uart +console drivers and debugobjects [1]: + + CPU0 CPU1 + + rhltable_init() + __init_work() + debug_object_init + uart_shutdown() /* db->lock */ + /* uart_port->lock */ debug_print_object() + free_page() printk() + call_console_drivers() + debug_check_no_obj_freed() /* uart_port->lock */ + /* db->lock */ + debug_print_object() + +So there are two dependency chains: + uart_port->lock -> db->lock +And + db->lock -> uart_port->lock + +This particular circular locking dependency can be addressed in several +ways: + +a) One way would be to move debug_print_object() out of db->lock scope + and, thus, break the db->lock -> uart_port->lock chain. +b) Another one would be to free() transmit buffer page out of db->lock + in UART code; which is what this patch does. + +It makes sense to apply a) and b) independently: there are too many things +going on behind free(), none of which depend on uart_port->lock. + +The patch fixes transmit buffer page free() in uart_shutdown() and, +additionally, in uart_port_startup() (as was suggested by Dmitry Safonov). + +[1] https://lore.kernel.org/lkml/20181211091154.GL23332@shao2-debian/T/#u +Signed-off-by: Sergey Senozhatsky +Reviewed-by: Petr Mladek +Acked-by: Peter Zijlstra (Intel) +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Cc: Andrew Morton +Cc: Waiman Long +Cc: Dmitry Safonov +Cc: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/serial_core.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c +index 80bb56facfb6..ad126f51d549 100644 +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -205,10 +205,15 @@ static int uart_port_startup(struct tty_struct *tty, struct uart_state *state, + if (!state->xmit.buf) { + state->xmit.buf = (unsigned char *) page; + uart_circ_clear(&state->xmit); ++ uart_port_unlock(uport, flags); + } else { ++ uart_port_unlock(uport, flags); ++ /* ++ * Do not free() the page under the port lock, see ++ * uart_shutdown(). ++ */ + free_page(page); + } +- uart_port_unlock(uport, flags); + + retval = uport->ops->startup(uport); + if (retval == 0) { +@@ -268,6 +273,7 @@ static void uart_shutdown(struct tty_struct *tty, struct uart_state *state) + struct uart_port *uport = uart_port_check(state); + struct tty_port *port = &state->port; + unsigned long flags = 0; ++ char *xmit_buf = NULL; + + /* + * Set the TTY IO error marker +@@ -298,14 +304,18 @@ static void uart_shutdown(struct tty_struct *tty, struct uart_state *state) + tty_port_set_suspended(port, 0); + + /* +- * Free the transmit buffer page. ++ * Do not free() the transmit buffer page under the port lock since ++ * this can create various circular locking scenarios. For instance, ++ * console driver may need to allocate/free a debug object, which ++ * can endup in printk() recursion. + */ + uart_port_lock(state, flags); +- if (state->xmit.buf) { +- free_page((unsigned long)state->xmit.buf); +- state->xmit.buf = NULL; +- } ++ xmit_buf = state->xmit.buf; ++ state->xmit.buf = NULL; + uart_port_unlock(uport, flags); ++ ++ if (xmit_buf) ++ free_page((unsigned long)xmit_buf); + } + + /** +-- +2.19.1 + diff --git a/queue-4.19/usb-gadget-udc-renesas_usb3-add-a-safety-connection-.patch b/queue-4.19/usb-gadget-udc-renesas_usb3-add-a-safety-connection-.patch new file mode 100644 index 00000000000..3c24e3dd1f7 --- /dev/null +++ b/queue-4.19/usb-gadget-udc-renesas_usb3-add-a-safety-connection-.patch @@ -0,0 +1,91 @@ +From d88c5192e94c4ad2e3206f9653094cb4539678b0 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Fri, 9 Nov 2018 20:44:36 +0900 +Subject: usb: gadget: udc: renesas_usb3: add a safety connection way for + forced_b_device + +[ Upstream commit ceb94bc52c437463f0903e61060a94a2226fb672 ] + +This patch adds a safety connection way for "forced_b_device" with +"workaround_for_vbus" like below: + +< Example for R-Car E3 Ebisu > + # modprobe + # echo 1 > /sys/kernel/debug/ee020000.usb/b_device + (connect a usb cable to host side.) + # echo 2 > /sys/kernel/debug/ee020000.usb/b_device + +Previous code should have connected a usb cable before the "b_device" +is set to 1 on the Ebisu board. However, if xHCI driver on the board +is probed, it causes some troubles: + - Conflicts USB VBUS/signals between the board and another host. + - "Cannot enable. Maybe the USB cable is bad?" might happen on + both the board and another host with a usb hub. + - Cannot enumerate a usb gadget correctly because an interruption + of VBUS change happens unexpectedly. + +Reported-by: Kazuya Mizuguchi +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/renesas_usb3.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/gadget/udc/renesas_usb3.c b/drivers/usb/gadget/udc/renesas_usb3.c +index 67d8a501d994..fea02c7ad4f4 100644 +--- a/drivers/usb/gadget/udc/renesas_usb3.c ++++ b/drivers/usb/gadget/udc/renesas_usb3.c +@@ -358,6 +358,7 @@ struct renesas_usb3 { + bool extcon_host; /* check id and set EXTCON_USB_HOST */ + bool extcon_usb; /* check vbus and set EXTCON_USB */ + bool forced_b_device; ++ bool start_to_connect; + }; + + #define gadget_to_renesas_usb3(_gadget) \ +@@ -476,7 +477,8 @@ static void usb3_init_axi_bridge(struct renesas_usb3 *usb3) + static void usb3_init_epc_registers(struct renesas_usb3 *usb3) + { + usb3_write(usb3, ~0, USB3_USB_INT_STA_1); +- usb3_enable_irq_1(usb3, USB_INT_1_VBUS_CNG); ++ if (!usb3->workaround_for_vbus) ++ usb3_enable_irq_1(usb3, USB_INT_1_VBUS_CNG); + } + + static bool usb3_wakeup_usb2_phy(struct renesas_usb3 *usb3) +@@ -700,8 +702,7 @@ static void usb3_mode_config(struct renesas_usb3 *usb3, bool host, bool a_dev) + usb3_set_mode_by_role_sw(usb3, host); + usb3_vbus_out(usb3, a_dev); + /* for A-Peripheral or forced B-device mode */ +- if ((!host && a_dev) || +- (usb3->workaround_for_vbus && usb3->forced_b_device)) ++ if ((!host && a_dev) || usb3->start_to_connect) + usb3_connect(usb3); + spin_unlock_irqrestore(&usb3->lock, flags); + } +@@ -2432,7 +2433,11 @@ static ssize_t renesas_usb3_b_device_write(struct file *file, + if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count))) + return -EFAULT; + +- if (!strncmp(buf, "1", 1)) ++ usb3->start_to_connect = false; ++ if (usb3->workaround_for_vbus && usb3->forced_b_device && ++ !strncmp(buf, "2", 1)) ++ usb3->start_to_connect = true; ++ else if (!strncmp(buf, "1", 1)) + usb3->forced_b_device = true; + else + usb3->forced_b_device = false; +@@ -2440,7 +2445,7 @@ static ssize_t renesas_usb3_b_device_write(struct file *file, + if (usb3->workaround_for_vbus) + usb3_disconnect(usb3); + +- /* Let this driver call usb3_connect() anyway */ ++ /* Let this driver call usb3_connect() if needed */ + usb3_check_id(usb3); + + return count; +-- +2.19.1 + diff --git a/queue-4.19/usb-typec-tcpm-do-not-disconnect-link-for-self-power.patch b/queue-4.19/usb-typec-tcpm-do-not-disconnect-link-for-self-power.patch new file mode 100644 index 00000000000..6cdba0370c4 --- /dev/null +++ b/queue-4.19/usb-typec-tcpm-do-not-disconnect-link-for-self-power.patch @@ -0,0 +1,116 @@ +From 0eb06ad7bc4376fe4a9dc4fa2fd8d127b4a23ef1 Mon Sep 17 00:00:00 2001 +From: Badhri Jagan Sridharan +Date: Mon, 1 Oct 2018 12:45:00 -0700 +Subject: usb: typec: tcpm: Do not disconnect link for self powered devices + +[ Upstream commit 23b5f73266e59a598c1e5dd435d87651b5a7626b ] + +During HARD_RESET the data link is disconnected. +For self powered device, the spec is advising against doing that. + +>From USB_PD_R3_0 +7.1.5 Response to Hard Resets +Device operation during and after a Hard Reset is defined as follows: +Self-powered devices Should Not disconnect from USB during a Hard Reset +(see Section 9.1.2). +Bus powered devices will disconnect from USB during a Hard Reset due to the +loss of their power source. + +Tackle this by letting TCPM know whether the device is self or bus powered. + +This overcomes unnecessary port disconnections from hard reset. +Also, speeds up the enumeration time when connected to Type-A ports. + +Signed-off-by: Badhri Jagan Sridharan +Reviewed-by: Heikki Krogerus +--------- +Version history: +V3: +Rebase on top of usb-next + +V2: +Based on feedback from heikki.krogerus@linux.intel.com +- self_powered added to the struct tcpm_port which is populated from + a. "connector" node of the device tree in tcpm_fw_get_caps() + b. "self_powered" node of the tcpc_config in tcpm_copy_caps + +Based on feedbase from linux@roeck-us.net +- Code was refactored +- SRC_HARD_RESET_VBUS_OFF sets the link state to false based + on self_powered flag + +V1 located here: +https://lkml.org/lkml/2018/9/13/94 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/tcpm.c | 12 ++++++++++-- + include/linux/usb/tcpm.h | 1 + + 2 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/typec/tcpm.c b/drivers/usb/typec/tcpm.c +index c74cc9c309b1..3457c1fdebd1 100644 +--- a/drivers/usb/typec/tcpm.c ++++ b/drivers/usb/typec/tcpm.c +@@ -317,6 +317,9 @@ struct tcpm_port { + /* Deadline in jiffies to exit src_try_wait state */ + unsigned long max_wait; + ++ /* port belongs to a self powered device */ ++ bool self_powered; ++ + #ifdef CONFIG_DEBUG_FS + struct dentry *dentry; + struct mutex logbuffer_lock; /* log buffer access lock */ +@@ -3257,7 +3260,8 @@ static void run_state_machine(struct tcpm_port *port) + case SRC_HARD_RESET_VBUS_OFF: + tcpm_set_vconn(port, true); + tcpm_set_vbus(port, false); +- tcpm_set_roles(port, false, TYPEC_SOURCE, TYPEC_HOST); ++ tcpm_set_roles(port, port->self_powered, TYPEC_SOURCE, ++ TYPEC_HOST); + tcpm_set_state(port, SRC_HARD_RESET_VBUS_ON, PD_T_SRC_RECOVER); + break; + case SRC_HARD_RESET_VBUS_ON: +@@ -3270,7 +3274,8 @@ static void run_state_machine(struct tcpm_port *port) + memset(&port->pps_data, 0, sizeof(port->pps_data)); + tcpm_set_vconn(port, false); + tcpm_set_charge(port, false); +- tcpm_set_roles(port, false, TYPEC_SINK, TYPEC_DEVICE); ++ tcpm_set_roles(port, port->self_powered, TYPEC_SINK, ++ TYPEC_DEVICE); + /* + * VBUS may or may not toggle, depending on the adapter. + * If it doesn't toggle, transition to SNK_HARD_RESET_SINK_ON +@@ -4415,6 +4420,8 @@ sink: + return -EINVAL; + port->operating_snk_mw = mw / 1000; + ++ port->self_powered = fwnode_property_read_bool(fwnode, "self-powered"); ++ + return 0; + } + +@@ -4723,6 +4730,7 @@ static int tcpm_copy_caps(struct tcpm_port *port, + port->typec_caps.prefer_role = tcfg->default_role; + port->typec_caps.type = tcfg->type; + port->typec_caps.data = tcfg->data; ++ port->self_powered = port->tcpc->config->self_powered; + + return 0; + } +diff --git a/include/linux/usb/tcpm.h b/include/linux/usb/tcpm.h +index 7e7fbfb84e8e..50c74a77db55 100644 +--- a/include/linux/usb/tcpm.h ++++ b/include/linux/usb/tcpm.h +@@ -89,6 +89,7 @@ struct tcpc_config { + enum typec_port_data data; + enum typec_role default_role; + bool try_role_hw; /* try.{src,snk} implemented in hardware */ ++ bool self_powered; /* port belongs to a self powered device */ + + const struct typec_altmode_desc *alt_modes; + }; +-- +2.19.1 + diff --git a/queue-4.19/userfaultfd-clear-flag-if-remap-event-not-enabled.patch b/queue-4.19/userfaultfd-clear-flag-if-remap-event-not-enabled.patch new file mode 100644 index 00000000000..c6853fc89d5 --- /dev/null +++ b/queue-4.19/userfaultfd-clear-flag-if-remap-event-not-enabled.patch @@ -0,0 +1,59 @@ +From f341d72045bd2755f4dd663acd00dbd2574feb20 Mon Sep 17 00:00:00 2001 +From: Peter Xu +Date: Fri, 28 Dec 2018 00:38:47 -0800 +Subject: userfaultfd: clear flag if remap event not enabled + +[ Upstream commit 3cfd22be0ad663248fadfc8f6ffa3e255c394552 ] + +When the process being tracked does mremap() without +UFFD_FEATURE_EVENT_REMAP on the corresponding tracking uffd file handle, +we should not generate the remap event, and at the same time we should +clear all the uffd flags on the new VMA. Without this patch, we can still +have the VM_UFFD_MISSING|VM_UFFD_WP flags on the new VMA even the fault +handling process does not even know the existance of the VMA. + +Link: http://lkml.kernel.org/r/20181211053409.20317-1-peterx@redhat.com +Signed-off-by: Peter Xu +Reviewed-by: Andrea Arcangeli +Acked-by: Mike Rapoport +Reviewed-by: William Kucharski +Cc: Andrea Arcangeli +Cc: Mike Rapoport +Cc: Kirill A. Shutemov +Cc: Hugh Dickins +Cc: Pavel Emelyanov +Cc: Pravin Shedge +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/userfaultfd.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c +index 7a85e609fc27..d8b8323e80f4 100644 +--- a/fs/userfaultfd.c ++++ b/fs/userfaultfd.c +@@ -736,10 +736,18 @@ void mremap_userfaultfd_prep(struct vm_area_struct *vma, + struct userfaultfd_ctx *ctx; + + ctx = vma->vm_userfaultfd_ctx.ctx; +- if (ctx && (ctx->features & UFFD_FEATURE_EVENT_REMAP)) { ++ ++ if (!ctx) ++ return; ++ ++ if (ctx->features & UFFD_FEATURE_EVENT_REMAP) { + vm_ctx->ctx = ctx; + userfaultfd_ctx_get(ctx); + WRITE_ONCE(ctx->mmap_changing, true); ++ } else { ++ /* Drop uffd context if remap feature not enabled */ ++ vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX; ++ vma->vm_flags &= ~(VM_UFFD_WP | VM_UFFD_MISSING); + } + } + +-- +2.19.1 + diff --git a/queue-4.19/writeback-don-t-decrement-wb-refcnt-if-wb-bdi.patch b/queue-4.19/writeback-don-t-decrement-wb-refcnt-if-wb-bdi.patch new file mode 100644 index 00000000000..78e52f7e90c --- /dev/null +++ b/queue-4.19/writeback-don-t-decrement-wb-refcnt-if-wb-bdi.patch @@ -0,0 +1,49 @@ +From a0d8153bc522adb02c4b9d8188dd199e427072ea Mon Sep 17 00:00:00 2001 +From: Anders Roxell +Date: Tue, 30 Oct 2018 12:35:45 +0100 +Subject: writeback: don't decrement wb->refcnt if !wb->bdi + +[ Upstream commit 347a28b586802d09604a149c1a1f6de5dccbe6fa ] + +This happened while running in qemu-system-aarch64, the AMBA PL011 UART +driver when enabling CONFIG_DEBUG_TEST_DRIVER_REMOVE. +arch_initcall(pl011_init) came before subsys_initcall(default_bdi_init), +devtmpfs' handle_remove() crashes because the reference count is a NULL +pointer only because wb->bdi hasn't been initialized yet. + +Rework so that wb_put have an extra check if wb->bdi before decrement +wb->refcnt and also add a WARN_ON_ONCE to get a warning if it happens again +in other drivers. + +Fixes: 52ebea749aae ("writeback: make backing_dev_info host cgroup-specific bdi_writebacks") +Co-developed-by: Arnd Bergmann +Signed-off-by: Arnd Bergmann +Signed-off-by: Anders Roxell +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + include/linux/backing-dev-defs.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/include/linux/backing-dev-defs.h b/include/linux/backing-dev-defs.h +index 9a6bc0951cfa..c31157135598 100644 +--- a/include/linux/backing-dev-defs.h ++++ b/include/linux/backing-dev-defs.h +@@ -258,6 +258,14 @@ static inline void wb_get(struct bdi_writeback *wb) + */ + static inline void wb_put(struct bdi_writeback *wb) + { ++ if (WARN_ON_ONCE(!wb->bdi)) { ++ /* ++ * A driver bug might cause a file to be removed before bdi was ++ * initialized. ++ */ ++ return; ++ } ++ + if (wb != &wb->bdi->wb) + percpu_ref_put(&wb->refcnt); + } +-- +2.19.1 + diff --git a/queue-4.19/x86-mce-fix-wmissing-prototypes-warnings.patch b/queue-4.19/x86-mce-fix-wmissing-prototypes-warnings.patch new file mode 100644 index 00000000000..8d3ddc0a093 --- /dev/null +++ b/queue-4.19/x86-mce-fix-wmissing-prototypes-warnings.patch @@ -0,0 +1,128 @@ +From 912bf11cdb3699f783ce779da98b36bf6b3fc5db Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Fri, 9 Nov 2018 23:13:13 +0100 +Subject: x86/mce: Fix -Wmissing-prototypes warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 68b5e4326e4b8ac9080835005d8254fed0fb3c56 ] + +Add the proper includes and make smca_get_name() static. + +Fix an actual bug too which the warning triggered: + + arch/x86/kernel/cpu/mcheck/therm_throt.c:395:39: error: conflicting \ + types for ‘smp_thermal_interrupt’ + asmlinkage __visible void __irq_entry smp_thermal_interrupt(struct pt_regs *r) + ^~~~~~~~~~~~~~~~~~~~~ + In file included from arch/x86/kernel/cpu/mcheck/therm_throt.c:29: + ./arch/x86/include/asm/traps.h:107:17: note: previous declaration of \ + ‘smp_thermal_interrupt’ was here + asmlinkage void smp_thermal_interrupt(void); + +Signed-off-by: Borislav Petkov +Cc: Yi Wang +Cc: Michael Matz +Cc: x86@kernel.org +Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1811081633160.1549@nanos.tec.linutronix.de +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/traps.h | 6 +++--- + arch/x86/kernel/cpu/mcheck/mce_amd.c | 5 +++-- + arch/x86/kernel/cpu/mcheck/therm_throt.c | 3 ++- + arch/x86/kernel/cpu/mcheck/threshold.c | 3 ++- + 4 files changed, 10 insertions(+), 7 deletions(-) + +diff --git a/arch/x86/include/asm/traps.h b/arch/x86/include/asm/traps.h +index 3de69330e6c5..afbc87206886 100644 +--- a/arch/x86/include/asm/traps.h ++++ b/arch/x86/include/asm/traps.h +@@ -104,9 +104,9 @@ extern int panic_on_unrecovered_nmi; + + void math_emulate(struct math_emu_info *); + #ifndef CONFIG_X86_32 +-asmlinkage void smp_thermal_interrupt(void); +-asmlinkage void smp_threshold_interrupt(void); +-asmlinkage void smp_deferred_error_interrupt(void); ++asmlinkage void smp_thermal_interrupt(struct pt_regs *regs); ++asmlinkage void smp_threshold_interrupt(struct pt_regs *regs); ++asmlinkage void smp_deferred_error_interrupt(struct pt_regs *regs); + #endif + + extern void ist_enter(struct pt_regs *regs); +diff --git a/arch/x86/kernel/cpu/mcheck/mce_amd.c b/arch/x86/kernel/cpu/mcheck/mce_amd.c +index e12454e21b8a..9f915a8791cc 100644 +--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c ++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c +@@ -23,6 +23,7 @@ + #include + + #include ++#include + #include + #include + #include +@@ -99,7 +100,7 @@ static u32 smca_bank_addrs[MAX_NR_BANKS][NR_BLOCKS] __ro_after_init = + [0 ... MAX_NR_BANKS - 1] = { [0 ... NR_BLOCKS - 1] = -1 } + }; + +-const char *smca_get_name(enum smca_bank_types t) ++static const char *smca_get_name(enum smca_bank_types t) + { + if (t >= N_SMCA_BANK_TYPES) + return NULL; +@@ -824,7 +825,7 @@ static void __log_error(unsigned int bank, u64 status, u64 addr, u64 misc) + mce_log(&m); + } + +-asmlinkage __visible void __irq_entry smp_deferred_error_interrupt(void) ++asmlinkage __visible void __irq_entry smp_deferred_error_interrupt(struct pt_regs *regs) + { + entering_irq(); + trace_deferred_error_apic_entry(DEFERRED_ERROR_VECTOR); +diff --git a/arch/x86/kernel/cpu/mcheck/therm_throt.c b/arch/x86/kernel/cpu/mcheck/therm_throt.c +index 2da67b70ba98..ee229ceee745 100644 +--- a/arch/x86/kernel/cpu/mcheck/therm_throt.c ++++ b/arch/x86/kernel/cpu/mcheck/therm_throt.c +@@ -25,6 +25,7 @@ + #include + + #include ++#include + #include + #include + #include +@@ -390,7 +391,7 @@ static void unexpected_thermal_interrupt(void) + + static void (*smp_thermal_vector)(void) = unexpected_thermal_interrupt; + +-asmlinkage __visible void __irq_entry smp_thermal_interrupt(struct pt_regs *r) ++asmlinkage __visible void __irq_entry smp_thermal_interrupt(struct pt_regs *regs) + { + entering_irq(); + trace_thermal_apic_entry(THERMAL_APIC_VECTOR); +diff --git a/arch/x86/kernel/cpu/mcheck/threshold.c b/arch/x86/kernel/cpu/mcheck/threshold.c +index 2b584b319eff..c21e0a1efd0f 100644 +--- a/arch/x86/kernel/cpu/mcheck/threshold.c ++++ b/arch/x86/kernel/cpu/mcheck/threshold.c +@@ -6,6 +6,7 @@ + #include + + #include ++#include + #include + #include + #include +@@ -18,7 +19,7 @@ static void default_threshold_interrupt(void) + + void (*mce_threshold_vector)(void) = default_threshold_interrupt; + +-asmlinkage __visible void __irq_entry smp_threshold_interrupt(void) ++asmlinkage __visible void __irq_entry smp_threshold_interrupt(struct pt_regs *regs) + { + entering_irq(); + trace_threshold_apic_entry(THRESHOLD_APIC_VECTOR); +-- +2.19.1 + diff --git a/queue-4.19/x86-topology-use-total_cpus-for-max-logical-packages.patch b/queue-4.19/x86-topology-use-total_cpus-for-max-logical-packages.patch new file mode 100644 index 00000000000..7004a8c0eab --- /dev/null +++ b/queue-4.19/x86-topology-use-total_cpus-for-max-logical-packages.patch @@ -0,0 +1,61 @@ +From 34540447db76d71a0652cb6678ac02369a8137ae Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Wed, 7 Nov 2018 10:36:43 +0800 +Subject: x86/topology: Use total_cpus for max logical packages calculation + +[ Upstream commit aa02ef099cff042c2a9109782ec2bf1bffc955d4 ] + +nr_cpu_ids can be limited on the command line via nr_cpus=. This can break the +logical package management because it results in a smaller number of packages +while in kdump kernel. + +Check below case: +There is a two sockets system, each socket has 8 cores, which has 16 logical +cpus while HT was turn on. + + 0 1 2 3 4 5 6 7 | 16 17 18 19 20 21 22 23 + cores on socket 0 threads on socket 0 + 8 9 10 11 12 13 14 15 | 24 25 26 27 28 29 30 31 + cores on socket 1 threads on socket 1 + +While starting the kdump kernel with command line option nr_cpus=16 panic +was triggered on one of the cpus 24-31 eg. 26, then online cpu will be +1-15, 26(cpu 0 was disabled in kdump), ncpus will be 16 and +__max_logical_packages will be 1, but actually two packages were booted on. + +This issue can reproduced by set kdump option nr_cpus=, and then trigger panic on last socket's thread, for example: + +taskset -c 26 echo c > /proc/sysrq-trigger + +Use total_cpus which will not be limited by nr_cpus command line to calculate +the value of __max_logical_packages. + +Signed-off-by: Hui Wang +Signed-off-by: Thomas Gleixner +Cc: +Cc: +Cc: +Cc: +Link: https://lkml.kernel.org/r/20181107023643.22174-1-john.wanghui@huawei.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/smpboot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c +index f02ecaf97904..6489067b78a4 100644 +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -1346,7 +1346,7 @@ void __init calculate_max_logical_packages(void) + * extrapolate the boot cpu's data to all packages. + */ + ncpus = cpu_data(0).booted_cores * topology_max_smt_threads(); +- __max_logical_packages = DIV_ROUND_UP(nr_cpu_ids, ncpus); ++ __max_logical_packages = DIV_ROUND_UP(total_cpus, ncpus); + pr_info("Max logical packages: %u\n", __max_logical_packages); + } + +-- +2.19.1 +