From: Sasha Levin Date: Thu, 30 May 2019 00:04:20 +0000 (-0400) Subject: fixes for 4.19 X-Git-Tag: v5.1.6~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1daff76d722ea5b3141400d058cb8a4af6cbb9ad;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/acpi-iort-reject-platform-device-creation-on-numa-no.patch b/queue-4.19/acpi-iort-reject-platform-device-creation-on-numa-no.patch new file mode 100644 index 00000000000..16f98cf3e14 --- /dev/null +++ b/queue-4.19/acpi-iort-reject-platform-device-creation-on-numa-no.patch @@ -0,0 +1,125 @@ +From 65b29693bb6decf19743a874c22d752998edfbf9 Mon Sep 17 00:00:00 2001 +From: Kefeng Wang +Date: Mon, 8 Apr 2019 23:21:12 +0800 +Subject: ACPI/IORT: Reject platform device creation on NUMA node mapping + failure + +[ Upstream commit 36a2ba07757df790b4a874efb1a105b9330a9ae7 ] + +In a system where, through IORT firmware mappings, the SMMU device is +mapped to a NUMA node that is not online, the kernel bootstrap results +in the following crash: + + Unable to handle kernel paging request at virtual address 0000000000001388 + Mem abort info: + ESR = 0x96000004 + Exception class = DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + Data abort info: + ISV = 0, ISS = 0x00000004 + CM = 0, WnR = 0 + [0000000000001388] user address but active_mm is swapper + Internal error: Oops: 96000004 [#1] SMP + Modules linked in: + CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.0.0 #15 + pstate: 80c00009 (Nzcv daif +PAN +UAO) + pc : __alloc_pages_nodemask+0x13c/0x1068 + lr : __alloc_pages_nodemask+0xdc/0x1068 + ... + Process swapper/0 (pid: 1, stack limit = 0x(____ptrval____)) + Call trace: + __alloc_pages_nodemask+0x13c/0x1068 + new_slab+0xec/0x570 + ___slab_alloc+0x3e0/0x4f8 + __slab_alloc+0x60/0x80 + __kmalloc_node_track_caller+0x10c/0x478 + devm_kmalloc+0x44/0xb0 + pinctrl_bind_pins+0x4c/0x188 + really_probe+0x78/0x2b8 + driver_probe_device+0x64/0x110 + device_driver_attach+0x74/0x98 + __driver_attach+0x9c/0xe8 + bus_for_each_dev+0x84/0xd8 + driver_attach+0x30/0x40 + bus_add_driver+0x170/0x218 + driver_register+0x64/0x118 + __platform_driver_register+0x54/0x60 + arm_smmu_driver_init+0x24/0x2c + do_one_initcall+0xbc/0x328 + kernel_init_freeable+0x304/0x3ac + kernel_init+0x18/0x110 + ret_from_fork+0x10/0x1c + Code: f90013b5 b9410fa1 1a9f0694 b50014c2 (b9400804) + ---[ end trace dfeaed4c373a32da ]-- + +Change the dev_set_proximity() hook prototype so that it returns a +value and make it return failure if the PXM->NUMA-node mapping +corresponds to an offline node, fixing the crash. + +Acked-by: Lorenzo Pieralisi +Signed-off-by: Kefeng Wang +Link: https://lore.kernel.org/linux-arm-kernel/20190315021940.86905-1-wangkefeng.wang@huawei.com/ +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/acpi/arm64/iort.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c +index e48eebc27b81b..43c2615434b48 100644 +--- a/drivers/acpi/arm64/iort.c ++++ b/drivers/acpi/arm64/iort.c +@@ -1231,18 +1231,24 @@ static bool __init arm_smmu_v3_is_coherent(struct acpi_iort_node *node) + /* + * set numa proximity domain for smmuv3 device + */ +-static void __init arm_smmu_v3_set_proximity(struct device *dev, ++static int __init arm_smmu_v3_set_proximity(struct device *dev, + struct acpi_iort_node *node) + { + struct acpi_iort_smmu_v3 *smmu; + + smmu = (struct acpi_iort_smmu_v3 *)node->node_data; + if (smmu->flags & ACPI_IORT_SMMU_V3_PXM_VALID) { +- set_dev_node(dev, acpi_map_pxm_to_node(smmu->pxm)); ++ int node = acpi_map_pxm_to_node(smmu->pxm); ++ ++ if (node != NUMA_NO_NODE && !node_online(node)) ++ return -EINVAL; ++ ++ set_dev_node(dev, node); + pr_info("SMMU-v3[%llx] Mapped to Proximity domain %d\n", + smmu->base_address, + smmu->pxm); + } ++ return 0; + } + #else + #define arm_smmu_v3_set_proximity NULL +@@ -1317,7 +1323,7 @@ struct iort_dev_config { + int (*dev_count_resources)(struct acpi_iort_node *node); + void (*dev_init_resources)(struct resource *res, + struct acpi_iort_node *node); +- void (*dev_set_proximity)(struct device *dev, ++ int (*dev_set_proximity)(struct device *dev, + struct acpi_iort_node *node); + }; + +@@ -1368,8 +1374,11 @@ static int __init iort_add_platform_device(struct acpi_iort_node *node, + if (!pdev) + return -ENOMEM; + +- if (ops->dev_set_proximity) +- ops->dev_set_proximity(&pdev->dev, node); ++ if (ops->dev_set_proximity) { ++ ret = ops->dev_set_proximity(&pdev->dev, node); ++ if (ret) ++ goto dev_put; ++ } + + count = ops->dev_count_resources(node); + +-- +2.20.1 + diff --git a/queue-4.19/acpi-property-fix-handling-of-data_nodes-in-acpi_get.patch b/queue-4.19/acpi-property-fix-handling-of-data_nodes-in-acpi_get.patch new file mode 100644 index 00000000000..c60e5023582 --- /dev/null +++ b/queue-4.19/acpi-property-fix-handling-of-data_nodes-in-acpi_get.patch @@ -0,0 +1,56 @@ +From 703618073609ac243e5f7751acc0c7f8a00facda Mon Sep 17 00:00:00 2001 +From: Pierre-Louis Bossart +Date: Tue, 30 Apr 2019 10:52:29 -0500 +Subject: ACPI / property: fix handling of data_nodes in + acpi_get_next_subnode() + +[ Upstream commit 23583f7795025e3c783b680d906509366b0906ad ] + +When the DSDT tables expose devices with subdevices and a set of +hierarchical _DSD properties, the data returned by +acpi_get_next_subnode() is incorrect, with the results suggesting a bad +pointer assignment. The parser works fine with device_nodes or +data_nodes, but not with a combination of the two. + +The problem is traced to an invalid pointer used when jumping from +handling device_nodes to data nodes. The existing code looks for data +nodes below the last subdevice found instead of the common root. Fix +by forcing the acpi_device pointer to be derived from the same fwnode +for the two types of subnodes. + +This same problem of handling device and data nodes was already fixed +in a similar way by 'commit bf4703fdd166 ("ACPI / property: fix data +node parsing in acpi_get_next_subnode()")' but broken later by 'commit +34055190b19 ("ACPI / property: Add fwnode_get_next_child_node()")', so +this should probably go to linux-stable all the way to 4.12 + +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Andy Shevchenko +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/property.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/acpi/property.c b/drivers/acpi/property.c +index 693cf05b0cc44..288673cff85ea 100644 +--- a/drivers/acpi/property.c ++++ b/drivers/acpi/property.c +@@ -975,6 +975,14 @@ struct fwnode_handle *acpi_get_next_subnode(const struct fwnode_handle *fwnode, + const struct acpi_data_node *data = to_acpi_data_node(fwnode); + struct acpi_data_node *dn; + ++ /* ++ * We can have a combination of device and data nodes, e.g. with ++ * hierarchical _DSD properties. Make sure the adev pointer is ++ * restored before going through data nodes, otherwise we will ++ * be looking for data_nodes below the last device found instead ++ * of the common fwnode shared by device_nodes and data_nodes. ++ */ ++ adev = to_acpi_device_node(fwnode); + if (adev) + head = &adev->data.subnodes; + else if (data) +-- +2.20.1 + diff --git a/queue-4.19/arm-vdso-remove-dependency-with-the-arch_timer-drive.patch b/queue-4.19/arm-vdso-remove-dependency-with-the-arch_timer-drive.patch new file mode 100644 index 00000000000..92a0c1222e0 --- /dev/null +++ b/queue-4.19/arm-vdso-remove-dependency-with-the-arch_timer-drive.patch @@ -0,0 +1,65 @@ +From 4e9d04df6d15de25961703991514dd8dc1b9ba75 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Mon, 8 Apr 2019 16:49:01 +0100 +Subject: ARM: vdso: Remove dependency with the arch_timer driver internals + +[ Upstream commit 1f5b62f09f6b314c8d70b9de5182dae4de1f94da ] + +The VDSO code uses the kernel helper that was originally designed +to abstract the access between 32 and 64bit systems. It worked so +far because this function is declared as 'inline'. + +As we're about to revamp that part of the code, the VDSO would +break. Let's fix it by doing what should have been done from +the start, a proper system register access. + +Reviewed-by: Mark Rutland +Signed-off-by: Marc Zyngier +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/cp15.h | 2 ++ + arch/arm/vdso/vgettimeofday.c | 5 +++-- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/include/asm/cp15.h b/arch/arm/include/asm/cp15.h +index 07e27f212dc75..d2453e2d3f1f3 100644 +--- a/arch/arm/include/asm/cp15.h ++++ b/arch/arm/include/asm/cp15.h +@@ -68,6 +68,8 @@ + #define BPIALL __ACCESS_CP15(c7, 0, c5, 6) + #define ICIALLU __ACCESS_CP15(c7, 0, c5, 0) + ++#define CNTVCT __ACCESS_CP15_64(1, c14) ++ + extern unsigned long cr_alignment; /* defined in entry-armv.S */ + + static inline unsigned long get_cr(void) +diff --git a/arch/arm/vdso/vgettimeofday.c b/arch/arm/vdso/vgettimeofday.c +index a9dd619c6c290..7bdbf5d5c47d3 100644 +--- a/arch/arm/vdso/vgettimeofday.c ++++ b/arch/arm/vdso/vgettimeofday.c +@@ -18,9 +18,9 @@ + #include + #include + #include +-#include + #include + #include ++#include + #include + #include + #include +@@ -123,7 +123,8 @@ static notrace u64 get_ns(struct vdso_data *vdata) + u64 cycle_now; + u64 nsec; + +- cycle_now = arch_counter_get_cntvct(); ++ isb(); ++ cycle_now = read_sysreg(CNTVCT); + + cycle_delta = (cycle_now - vdata->cs_cycle_last) & vdata->cs_mask; + +-- +2.20.1 + diff --git a/queue-4.19/arm64-cpu_ops-fix-a-leaked-reference-by-adding-missi.patch b/queue-4.19/arm64-cpu_ops-fix-a-leaked-reference-by-adding-missi.patch new file mode 100644 index 00000000000..7e3b8056533 --- /dev/null +++ b/queue-4.19/arm64-cpu_ops-fix-a-leaked-reference-by-adding-missi.patch @@ -0,0 +1,43 @@ +From ec9803ece5e03280238e197e3b757c026f097a4a Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Tue, 5 Mar 2019 19:34:05 +0800 +Subject: arm64: cpu_ops: fix a leaked reference by adding missing of_node_put + +[ Upstream commit 92606ec9285fb84cd9b5943df23f07d741384bfc ] + +The call to of_get_next_child returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: + ./arch/arm64/kernel/cpu_ops.c:102:1-7: ERROR: missing of_node_put; + acquired a node pointer with refcount incremented on line 69, but + without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Reviewed-by: Florian Fainelli +Cc: Catalin Marinas +Cc: Will Deacon +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/cpu_ops.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/kernel/cpu_ops.c b/arch/arm64/kernel/cpu_ops.c +index ea001241bdd47..00f8b8612b69f 100644 +--- a/arch/arm64/kernel/cpu_ops.c ++++ b/arch/arm64/kernel/cpu_ops.c +@@ -85,6 +85,7 @@ static const char *__init cpu_read_enable_method(int cpu) + pr_err("%pOF: missing enable-method property\n", + dn); + } ++ of_node_put(dn); + } else { + enable_method = acpi_get_enable_method(cpu); + if (!enable_method) { +-- +2.20.1 + diff --git a/queue-4.19/arm64-fix-compiler-warning-from-pte_unmap-with-wunus.patch b/queue-4.19/arm64-fix-compiler-warning-from-pte_unmap-with-wunus.patch new file mode 100644 index 00000000000..766576b9520 --- /dev/null +++ b/queue-4.19/arm64-fix-compiler-warning-from-pte_unmap-with-wunus.patch @@ -0,0 +1,62 @@ +From d5ce8bf0b8b07f2c64e9a249f1aded16ec51bd4b Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Mon, 29 Apr 2019 13:37:01 -0400 +Subject: arm64: Fix compiler warning from pte_unmap() with + -Wunused-but-set-variable + +[ Upstream commit 74dd022f9e6260c3b5b8d15901d27ebcc5f21eda ] + +When building with -Wunused-but-set-variable, the compiler shouts about +a number of pte_unmap() users, since this expands to an empty macro on +arm64: + + | mm/gup.c: In function 'gup_pte_range': + | mm/gup.c:1727:16: warning: variable 'ptem' set but not used + | [-Wunused-but-set-variable] + | mm/gup.c: At top level: + | mm/memory.c: In function 'copy_pte_range': + | mm/memory.c:821:24: warning: variable 'orig_dst_pte' set but not used + | [-Wunused-but-set-variable] + | mm/memory.c:821:9: warning: variable 'orig_src_pte' set but not used + | [-Wunused-but-set-variable] + | mm/swap_state.c: In function 'swap_ra_info': + | mm/swap_state.c:641:15: warning: variable 'orig_pte' set but not used + | [-Wunused-but-set-variable] + | mm/madvise.c: In function 'madvise_free_pte_range': + | mm/madvise.c:318:9: warning: variable 'orig_pte' set but not used + | [-Wunused-but-set-variable] + +Rewrite pte_unmap() as a static inline function, which silences the +warnings. + +Signed-off-by: Qian Cai +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/pgtable.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h +index 1bdeca8918a68..ea423db393644 100644 +--- a/arch/arm64/include/asm/pgtable.h ++++ b/arch/arm64/include/asm/pgtable.h +@@ -444,6 +444,8 @@ static inline phys_addr_t pmd_page_paddr(pmd_t pmd) + return __pmd_to_phys(pmd); + } + ++static inline void pte_unmap(pte_t *pte) { } ++ + /* Find an entry in the third-level page table. */ + #define pte_index(addr) (((addr) >> PAGE_SHIFT) & (PTRS_PER_PTE - 1)) + +@@ -452,7 +454,6 @@ static inline phys_addr_t pmd_page_paddr(pmd_t pmd) + + #define pte_offset_map(dir,addr) pte_offset_kernel((dir), (addr)) + #define pte_offset_map_nested(dir,addr) pte_offset_kernel((dir), (addr)) +-#define pte_unmap(pte) do { } while (0) + #define pte_unmap_nested(pte) do { } while (0) + + #define pte_set_fixmap(addr) ((pte_t *)set_fixmap_offset(FIX_PTE, addr)) +-- +2.20.1 + diff --git a/queue-4.19/arm64-vdso-fix-clock_getres-for-clock_realtime.patch b/queue-4.19/arm64-vdso-fix-clock_getres-for-clock_realtime.patch new file mode 100644 index 00000000000..0da1808e924 --- /dev/null +++ b/queue-4.19/arm64-vdso-fix-clock_getres-for-clock_realtime.patch @@ -0,0 +1,106 @@ +From eaacabde84c0a9ab1c074e03c3c71e5897cd6d1c Mon Sep 17 00:00:00 2001 +From: Vincenzo Frascino +Date: Tue, 16 Apr 2019 17:14:30 +0100 +Subject: arm64: vdso: Fix clock_getres() for CLOCK_REALTIME + +[ Upstream commit 81fb8736dd81da3fe94f28968dac60f392ec6746 ] + +clock_getres() in the vDSO library has to preserve the same behaviour +of posix_get_hrtimer_res(). + +In particular, posix_get_hrtimer_res() does: + + sec = 0; + ns = hrtimer_resolution; + +where 'hrtimer_resolution' depends on whether or not high resolution +timers are enabled, which is a runtime decision. + +The vDSO incorrectly returns the constant CLOCK_REALTIME_RES. Fix this +by exposing 'hrtimer_resolution' in the vDSO datapage and returning that +instead. + +Reviewed-by: Catalin Marinas +Signed-off-by: Vincenzo Frascino +[will: Use WRITE_ONCE(), move adr off COARSE path, renumber labels, use 'w' reg] +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/vdso_datapage.h | 1 + + arch/arm64/kernel/asm-offsets.c | 2 +- + arch/arm64/kernel/vdso.c | 3 +++ + arch/arm64/kernel/vdso/gettimeofday.S | 7 +++---- + 4 files changed, 8 insertions(+), 5 deletions(-) + +diff --git a/arch/arm64/include/asm/vdso_datapage.h b/arch/arm64/include/asm/vdso_datapage.h +index 2b9a63771eda8..f89263c8e11af 100644 +--- a/arch/arm64/include/asm/vdso_datapage.h ++++ b/arch/arm64/include/asm/vdso_datapage.h +@@ -38,6 +38,7 @@ struct vdso_data { + __u32 tz_minuteswest; /* Whacky timezone stuff */ + __u32 tz_dsttime; + __u32 use_syscall; ++ __u32 hrtimer_res; + }; + + #endif /* !__ASSEMBLY__ */ +diff --git a/arch/arm64/kernel/asm-offsets.c b/arch/arm64/kernel/asm-offsets.c +index 323aeb5f2fe62..92fba851ce53a 100644 +--- a/arch/arm64/kernel/asm-offsets.c ++++ b/arch/arm64/kernel/asm-offsets.c +@@ -99,7 +99,7 @@ int main(void) + DEFINE(CLOCK_REALTIME, CLOCK_REALTIME); + DEFINE(CLOCK_MONOTONIC, CLOCK_MONOTONIC); + DEFINE(CLOCK_MONOTONIC_RAW, CLOCK_MONOTONIC_RAW); +- DEFINE(CLOCK_REALTIME_RES, MONOTONIC_RES_NSEC); ++ DEFINE(CLOCK_REALTIME_RES, offsetof(struct vdso_data, hrtimer_res)); + DEFINE(CLOCK_REALTIME_COARSE, CLOCK_REALTIME_COARSE); + DEFINE(CLOCK_MONOTONIC_COARSE,CLOCK_MONOTONIC_COARSE); + DEFINE(CLOCK_COARSE_RES, LOW_RES_NSEC); +diff --git a/arch/arm64/kernel/vdso.c b/arch/arm64/kernel/vdso.c +index 2d419006ad433..ec0bb588d7553 100644 +--- a/arch/arm64/kernel/vdso.c ++++ b/arch/arm64/kernel/vdso.c +@@ -232,6 +232,9 @@ void update_vsyscall(struct timekeeper *tk) + vdso_data->wtm_clock_sec = tk->wall_to_monotonic.tv_sec; + vdso_data->wtm_clock_nsec = tk->wall_to_monotonic.tv_nsec; + ++ /* Read without the seqlock held by clock_getres() */ ++ WRITE_ONCE(vdso_data->hrtimer_res, hrtimer_resolution); ++ + if (!use_syscall) { + /* tkr_mono.cycle_last == tkr_raw.cycle_last */ + vdso_data->cs_cycle_last = tk->tkr_mono.cycle_last; +diff --git a/arch/arm64/kernel/vdso/gettimeofday.S b/arch/arm64/kernel/vdso/gettimeofday.S +index e8f60112818fc..856fee6d35129 100644 +--- a/arch/arm64/kernel/vdso/gettimeofday.S ++++ b/arch/arm64/kernel/vdso/gettimeofday.S +@@ -308,13 +308,14 @@ ENTRY(__kernel_clock_getres) + ccmp w0, #CLOCK_MONOTONIC_RAW, #0x4, ne + b.ne 1f + +- ldr x2, 5f ++ adr vdso_data, _vdso_data ++ ldr w2, [vdso_data, #CLOCK_REALTIME_RES] + b 2f + 1: + cmp w0, #CLOCK_REALTIME_COARSE + ccmp w0, #CLOCK_MONOTONIC_COARSE, #0x4, ne + b.ne 4f +- ldr x2, 6f ++ ldr x2, 5f + 2: + cbz x1, 3f + stp xzr, x2, [x1] +@@ -328,8 +329,6 @@ ENTRY(__kernel_clock_getres) + svc #0 + ret + 5: +- .quad CLOCK_REALTIME_RES +-6: + .quad CLOCK_COARSE_RES + .cfi_endproc + ENDPROC(__kernel_clock_getres) +-- +2.20.1 + diff --git a/queue-4.19/asoc-davinci-mcasp-fix-clang-warning-without-config_.patch b/queue-4.19/asoc-davinci-mcasp-fix-clang-warning-without-config_.patch new file mode 100644 index 00000000000..3a3e539632a --- /dev/null +++ b/queue-4.19/asoc-davinci-mcasp-fix-clang-warning-without-config_.patch @@ -0,0 +1,49 @@ +From bd6a1eee5a03478c45ba4c911ab4b085185ff2f1 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 7 Mar 2019 11:11:30 +0100 +Subject: ASoC: davinci-mcasp: Fix clang warning without CONFIG_PM + +[ Upstream commit 8ca5104715cfd14254ea5aecc390ae583b707607 ] + +Building with clang shows a variable that is only used by the +suspend/resume functions but defined outside of their #ifdef block: + +sound/soc/ti/davinci-mcasp.c:48:12: error: variable 'context_regs' is not needed and will not be emitted + +We commonly fix these by marking the PM functions as __maybe_unused, +but here that would grow the davinci_mcasp structure, so instead +add another #ifdef here. + +Fixes: 1cc0c054f380 ("ASoC: davinci-mcasp: Convert the context save/restore to use array") +Signed-off-by: Arnd Bergmann +Acked-by: Peter Ujfalusi +Reviewed-by: Nathan Chancellor +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/davinci/davinci-mcasp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/davinci/davinci-mcasp.c b/sound/soc/davinci/davinci-mcasp.c +index f70db8412c7cc..160b2764b2ad8 100644 +--- a/sound/soc/davinci/davinci-mcasp.c ++++ b/sound/soc/davinci/davinci-mcasp.c +@@ -43,6 +43,7 @@ + + #define MCASP_MAX_AFIFO_DEPTH 64 + ++#ifdef CONFIG_PM + static u32 context_regs[] = { + DAVINCI_MCASP_TXFMCTL_REG, + DAVINCI_MCASP_RXFMCTL_REG, +@@ -65,6 +66,7 @@ struct davinci_mcasp_context { + u32 *xrsr_regs; /* for serializer configuration */ + bool pm_state; + }; ++#endif + + struct davinci_mcasp_ruledata { + struct davinci_mcasp *mcasp; +-- +2.20.1 + diff --git a/queue-4.19/asoc-eukrea-tlv320-fix-a-leaked-reference-by-adding-.patch b/queue-4.19/asoc-eukrea-tlv320-fix-a-leaked-reference-by-adding-.patch new file mode 100644 index 00000000000..64701cabcde --- /dev/null +++ b/queue-4.19/asoc-eukrea-tlv320-fix-a-leaked-reference-by-adding-.patch @@ -0,0 +1,52 @@ +From 3cdbecb088c34d7f4cdb8378c9a663b38f1005c2 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Tue, 26 Feb 2019 16:17:51 +0800 +Subject: ASoC: eukrea-tlv320: fix a leaked reference by adding missing + of_node_put + +[ Upstream commit b820d52e7eed7b30b2dfef5f4213a2bc3cbea6f3 ] + +The call to of_parse_phandle returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +./sound/soc/fsl/eukrea-tlv320.c:121:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 102, but without a correspo nding object release within this function. +./sound/soc/fsl/eukrea-tlv320.c:127:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 102, but without a correspo nding object release within this function. + +Signed-off-by: Wen Yang +Cc: Liam Girdwood +Cc: Mark Brown +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: alsa-devel@alsa-project.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/eukrea-tlv320.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/fsl/eukrea-tlv320.c b/sound/soc/fsl/eukrea-tlv320.c +index 191426a6d9adf..30a3d68b5c033 100644 +--- a/sound/soc/fsl/eukrea-tlv320.c ++++ b/sound/soc/fsl/eukrea-tlv320.c +@@ -118,13 +118,13 @@ static int eukrea_tlv320_probe(struct platform_device *pdev) + if (ret) { + dev_err(&pdev->dev, + "fsl,mux-int-port node missing or invalid.\n"); +- return ret; ++ goto err; + } + ret = of_property_read_u32(np, "fsl,mux-ext-port", &ext_port); + if (ret) { + dev_err(&pdev->dev, + "fsl,mux-ext-port node missing or invalid.\n"); +- return ret; ++ goto err; + } + + /* +-- +2.20.1 + diff --git a/queue-4.19/asoc-fsl_sai-update-is_slave_mode-with-correct-value.patch b/queue-4.19/asoc-fsl_sai-update-is_slave_mode-with-correct-value.patch new file mode 100644 index 00000000000..f816fa5ffda --- /dev/null +++ b/queue-4.19/asoc-fsl_sai-update-is_slave_mode-with-correct-value.patch @@ -0,0 +1,47 @@ +From 3eade0ea3c892a99223ff51e5bbb7b5bf622bf44 Mon Sep 17 00:00:00 2001 +From: Daniel Baluta +Date: Sun, 21 Apr 2019 19:39:08 +0000 +Subject: ASoC: fsl_sai: Update is_slave_mode with correct value + +[ Upstream commit ddb351145a967ee791a0fb0156852ec2fcb746ba ] + +is_slave_mode defaults to false because sai structure +that contains it is kzalloc'ed. + +Anyhow, if we decide to set the following configuration +SAI slave -> SAI master, is_slave_mode will remain set on true +although SAI being master it should be set to false. + +Fix this by updating is_slave_mode for each call of +fsl_sai_set_dai_fmt. + +Signed-off-by: Daniel Baluta +Acked-by: Nicolin Chen +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_sai.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c +index 4163f2cfc06fc..bfc5b21d0c3f9 100644 +--- a/sound/soc/fsl/fsl_sai.c ++++ b/sound/soc/fsl/fsl_sai.c +@@ -268,12 +268,14 @@ static int fsl_sai_set_dai_fmt_tr(struct snd_soc_dai *cpu_dai, + case SND_SOC_DAIFMT_CBS_CFS: + val_cr2 |= FSL_SAI_CR2_BCD_MSTR; + val_cr4 |= FSL_SAI_CR4_FSD_MSTR; ++ sai->is_slave_mode = false; + break; + case SND_SOC_DAIFMT_CBM_CFM: + sai->is_slave_mode = true; + break; + case SND_SOC_DAIFMT_CBS_CFM: + val_cr2 |= FSL_SAI_CR2_BCD_MSTR; ++ sai->is_slave_mode = false; + break; + case SND_SOC_DAIFMT_CBM_CFS: + val_cr4 |= FSL_SAI_CR4_FSD_MSTR; +-- +2.20.1 + diff --git a/queue-4.19/asoc-fsl_utils-fix-a-leaked-reference-by-adding-miss.patch b/queue-4.19/asoc-fsl_utils-fix-a-leaked-reference-by-adding-miss.patch new file mode 100644 index 00000000000..bbd04f3d39d --- /dev/null +++ b/queue-4.19/asoc-fsl_utils-fix-a-leaked-reference-by-adding-miss.patch @@ -0,0 +1,47 @@ +From 180de490075d3803cac9856307453bcdb4cf71a0 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Tue, 26 Feb 2019 16:17:50 +0800 +Subject: ASoC: fsl_utils: fix a leaked reference by adding missing of_node_put + +[ Upstream commit c705247136a523488eac806bd357c3e5d79a7acd ] + +The call to of_parse_phandle returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +./sound/soc/fsl/fsl_utils.c:74:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 38, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Cc: Timur Tabi +Cc: Nicolin Chen +Cc: Xiubo Li +Cc: Fabio Estevam +Cc: Liam Girdwood +Cc: Mark Brown +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: alsa-devel@alsa-project.org +Cc: linuxppc-dev@lists.ozlabs.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_utils.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/fsl/fsl_utils.c b/sound/soc/fsl/fsl_utils.c +index 7f0fa4b522231..cca33ab7020a4 100644 +--- a/sound/soc/fsl/fsl_utils.c ++++ b/sound/soc/fsl/fsl_utils.c +@@ -71,6 +71,7 @@ int fsl_asoc_get_dma_channel(struct device_node *ssi_np, + iprop = of_get_property(dma_np, "cell-index", NULL); + if (!iprop) { + of_node_put(dma_np); ++ of_node_put(dma_channel_np); + return -EINVAL; + } + *dma_id = be32_to_cpup(iprop); +-- +2.20.1 + diff --git a/queue-4.19/asoc-hdmi-codec-unlock-the-device-on-startup-errors.patch b/queue-4.19/asoc-hdmi-codec-unlock-the-device-on-startup-errors.patch new file mode 100644 index 00000000000..806373531ca --- /dev/null +++ b/queue-4.19/asoc-hdmi-codec-unlock-the-device-on-startup-errors.patch @@ -0,0 +1,41 @@ +From ef508ee0a44c20583801d13e44e71e41adcc2df1 Mon Sep 17 00:00:00 2001 +From: Jerome Brunet +Date: Mon, 29 Apr 2019 15:29:39 +0200 +Subject: ASoC: hdmi-codec: unlock the device on startup errors + +[ Upstream commit 30180e8436046344b12813dc954b2e01dfdcd22d ] + +If the hdmi codec startup fails, it should clear the current_substream +pointer to free the device. This is properly done for the audio_startup() +callback but for snd_pcm_hw_constraint_eld(). + +Make sure the pointer cleared if an error is reported. + +Signed-off-by: Jerome Brunet +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/hdmi-codec.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/hdmi-codec.c b/sound/soc/codecs/hdmi-codec.c +index d5f73c8372817..7994e8ddc7d21 100644 +--- a/sound/soc/codecs/hdmi-codec.c ++++ b/sound/soc/codecs/hdmi-codec.c +@@ -439,8 +439,12 @@ static int hdmi_codec_startup(struct snd_pcm_substream *substream, + if (!ret) { + ret = snd_pcm_hw_constraint_eld(substream->runtime, + hcp->eld); +- if (ret) ++ if (ret) { ++ mutex_lock(&hcp->current_stream_lock); ++ hcp->current_stream = NULL; ++ mutex_unlock(&hcp->current_stream_lock); + return ret; ++ } + } + /* Select chmap supported */ + hdmi_codec_eld_chmap(hcp); +-- +2.20.1 + diff --git a/queue-4.19/asoc-imx-fix-fiq-dependencies.patch b/queue-4.19/asoc-imx-fix-fiq-dependencies.patch new file mode 100644 index 00000000000..2b7e6ae9647 --- /dev/null +++ b/queue-4.19/asoc-imx-fix-fiq-dependencies.patch @@ -0,0 +1,67 @@ +From a93964ef914684e417fdf1fe0d884b092e299924 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 16 Apr 2019 15:12:23 +0200 +Subject: ASoC: imx: fix fiq dependencies + +[ Upstream commit ea751227c813ab833609afecfeedaf0aa26f327e ] + +During randconfig builds, I occasionally run into an invalid configuration +of the freescale FIQ sound support: + +WARNING: unmet direct dependencies detected for SND_SOC_IMX_PCM_FIQ + Depends on [m]: SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && SND_IMX_SOC [=m] + Selected by [y]: + - SND_SOC_FSL_SPDIF [=y] && SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && SND_IMX_SOC [=m]!=n && (MXC_TZIC [=n] || MXC_AVIC [=y]) + +sound/soc/fsl/imx-ssi.o: In function `imx_ssi_remove': +imx-ssi.c:(.text+0x28): undefined reference to `imx_pcm_fiq_exit' +sound/soc/fsl/imx-ssi.o: In function `imx_ssi_probe': +imx-ssi.c:(.text+0xa64): undefined reference to `imx_pcm_fiq_init' + +The Kconfig warning is a result of the symbol being defined inside of +the "if SND_IMX_SOC" block, and is otherwise harmless. The link error +is more tricky and happens with SND_SOC_IMX_SSI=y, which may or may not +imply FIQ support. However, if SND_SOC_FSL_SSI is set to =m at the same +time, that selects SND_SOC_IMX_PCM_FIQ as a loadable module dependency, +which then causes a link failure from imx-ssi. + +The solution here is to make SND_SOC_IMX_PCM_FIQ built-in whenever +one of its potential users is built-in. + +Fixes: ff40260f79dc ("ASoC: fsl: refine DMA/FIQ dependencies") +Signed-off-by: Arnd Bergmann +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/Kconfig | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/fsl/Kconfig b/sound/soc/fsl/Kconfig +index 2e75b5bc5f1da..f721cd4e3f972 100644 +--- a/sound/soc/fsl/Kconfig ++++ b/sound/soc/fsl/Kconfig +@@ -173,16 +173,17 @@ config SND_MPC52xx_SOC_EFIKA + + endif # SND_POWERPC_SOC + ++config SND_SOC_IMX_PCM_FIQ ++ tristate ++ default y if SND_SOC_IMX_SSI=y && (SND_SOC_FSL_SSI=m || SND_SOC_FSL_SPDIF=m) && (MXC_TZIC || MXC_AVIC) ++ select FIQ ++ + if SND_IMX_SOC + + config SND_SOC_IMX_SSI + tristate + select SND_SOC_FSL_UTILS + +-config SND_SOC_IMX_PCM_FIQ +- tristate +- select FIQ +- + comment "SoC Audio support for Freescale i.MX boards:" + + config SND_MXC_SOC_WM1133_EV1 +-- +2.20.1 + diff --git a/queue-4.19/asoc-intel-kbl_da7219_max98357a-map-btn_0-to-key_pla.patch b/queue-4.19/asoc-intel-kbl_da7219_max98357a-map-btn_0-to-key_pla.patch new file mode 100644 index 00000000000..4dbe177afa5 --- /dev/null +++ b/queue-4.19/asoc-intel-kbl_da7219_max98357a-map-btn_0-to-key_pla.patch @@ -0,0 +1,49 @@ +From 73ed582e1506ccecb3014d4e0fb6b54b38e148ac Mon Sep 17 00:00:00 2001 +From: Mac Chiang +Date: Thu, 2 May 2019 14:12:04 +0800 +Subject: ASoC: Intel: kbl_da7219_max98357a: Map BTN_0 to KEY_PLAYPAUSE + +[ Upstream commit 16ec5dfe0327ddcf279957bffe4c8fe527088c63 ] + +On kbl_rt5663_max98927, commit 38a5882e4292 + ("ASoC: Intel: kbl_rt5663_max98927: Map BTN_0 to KEY_PLAYPAUSE") + This key pair mapping to play/pause when playing Youtube + +The Android 3.5mm Headset jack specification mentions that BTN_0 should +be mapped to KEY_MEDIA, but this is less logical than KEY_PLAYPAUSE, +which has much broader userspace support. + +For example, the Chrome OS userspace now supports KEY_PLAYPAUSE to toggle +play/pause of videos and audio, but does not handle KEY_MEDIA. + +Furthermore, Android itself now supports KEY_PLAYPAUSE equivalently, as the +new USB headset spec requires KEY_PLAYPAUSE for BTN_0. +https://source.android.com/devices/accessories/headset/usb-headset-spec + +The same fix is required on Chrome kbl_da7219_max98357a. + +Signed-off-by: Mac Chiang +Reviewed-by: Benson Leung +Acked-by: Pierre-Louis Bossart +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/kbl_da7219_max98357a.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/intel/boards/kbl_da7219_max98357a.c b/sound/soc/intel/boards/kbl_da7219_max98357a.c +index 38f6ab74709d0..07491a0f8fb8b 100644 +--- a/sound/soc/intel/boards/kbl_da7219_max98357a.c ++++ b/sound/soc/intel/boards/kbl_da7219_max98357a.c +@@ -188,7 +188,7 @@ static int kabylake_da7219_codec_init(struct snd_soc_pcm_runtime *rtd) + + jack = &ctx->kabylake_headset; + +- snd_jack_set_key(jack->jack, SND_JACK_BTN_0, KEY_MEDIA); ++ snd_jack_set_key(jack->jack, SND_JACK_BTN_0, KEY_PLAYPAUSE); + snd_jack_set_key(jack->jack, SND_JACK_BTN_1, KEY_VOLUMEUP); + snd_jack_set_key(jack->jack, SND_JACK_BTN_2, KEY_VOLUMEDOWN); + snd_jack_set_key(jack->jack, SND_JACK_BTN_3, KEY_VOICECOMMAND); +-- +2.20.1 + diff --git a/queue-4.19/audit-fix-a-memory-leak-bug.patch b/queue-4.19/audit-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..28fedef9d94 --- /dev/null +++ b/queue-4.19/audit-fix-a-memory-leak-bug.patch @@ -0,0 +1,66 @@ +From da70611e5e757f0b6346ead251b61dc8eaa4b86b Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Fri, 19 Apr 2019 20:49:29 -0500 +Subject: audit: fix a memory leak bug + +[ Upstream commit 70c4cf17e445264453bc5323db3e50aa0ac9e81f ] + +In audit_rule_change(), audit_data_to_entry() is firstly invoked to +translate the payload data to the kernel's rule representation. In +audit_data_to_entry(), depending on the audit field type, an audit tree may +be created in audit_make_tree(), which eventually invokes kmalloc() to +allocate the tree. Since this tree is a temporary tree, it will be then +freed in the following execution, e.g., audit_add_rule() if the message +type is AUDIT_ADD_RULE or audit_del_rule() if the message type is +AUDIT_DEL_RULE. However, if the message type is neither AUDIT_ADD_RULE nor +AUDIT_DEL_RULE, i.e., the default case of the switch statement, this +temporary tree is not freed. + +To fix this issue, only allocate the tree when the type is AUDIT_ADD_RULE +or AUDIT_DEL_RULE. + +Signed-off-by: Wenwen Wang +Reviewed-by: Richard Guy Briggs +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + kernel/auditfilter.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c +index bf309f2592c46..425c67e4f5681 100644 +--- a/kernel/auditfilter.c ++++ b/kernel/auditfilter.c +@@ -1114,22 +1114,24 @@ int audit_rule_change(int type, int seq, void *data, size_t datasz) + int err = 0; + struct audit_entry *entry; + +- entry = audit_data_to_entry(data, datasz); +- if (IS_ERR(entry)) +- return PTR_ERR(entry); +- + switch (type) { + case AUDIT_ADD_RULE: ++ entry = audit_data_to_entry(data, datasz); ++ if (IS_ERR(entry)) ++ return PTR_ERR(entry); + err = audit_add_rule(entry); + audit_log_rule_change("add_rule", &entry->rule, !err); + break; + case AUDIT_DEL_RULE: ++ entry = audit_data_to_entry(data, datasz); ++ if (IS_ERR(entry)) ++ return PTR_ERR(entry); + err = audit_del_rule(entry); + audit_log_rule_change("remove_rule", &entry->rule, !err); + break; + default: +- err = -EINVAL; + WARN_ON(1); ++ return -EINVAL; + } + + if (err || type == AUDIT_DEL_RULE) { +-- +2.20.1 + diff --git a/queue-4.19/b43-shut-up-clang-wuninitialized-variable-warning.patch b/queue-4.19/b43-shut-up-clang-wuninitialized-variable-warning.patch new file mode 100644 index 00000000000..e800b5a1ddb --- /dev/null +++ b/queue-4.19/b43-shut-up-clang-wuninitialized-variable-warning.patch @@ -0,0 +1,69 @@ +From ec0d3b2895f76a6b132898eb9c60a37bdf36a308 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 22 Mar 2019 15:37:02 +0100 +Subject: b43: shut up clang -Wuninitialized variable warning + +[ Upstream commit d825db346270dbceef83b7b750dbc29f1d7dcc0e ] + +Clang warns about what is clearly a case of passing an uninitalized +variable into a static function: + +drivers/net/wireless/broadcom/b43/phy_lp.c:1852:23: error: variable 'gains' is uninitialized when used here + [-Werror,-Wuninitialized] + lpphy_papd_cal(dev, gains, 0, 1, 30); + ^~~~~ +drivers/net/wireless/broadcom/b43/phy_lp.c:1838:2: note: variable 'gains' is declared here + struct lpphy_tx_gains gains, oldgains; + ^ +1 error generated. + +However, this function is empty, and its arguments are never evaluated, +so gcc in contrast does not warn here. Both compilers behave in a +reasonable way as far as I can tell, so we should change the code +to avoid the warning everywhere. + +We could just eliminate the lpphy_papd_cal() function entirely, +given that it has had the TODO comment in it for 10 years now +and is rather unlikely to ever get done. I'm doing a simpler +change here, and just pass the 'oldgains' variable in that has +been initialized, based on the guess that this is what was +originally meant. + +Fixes: 2c0d6100da3e ("b43: LP-PHY: Begin implementing calibration & software RFKILL support") +Signed-off-by: Arnd Bergmann +Acked-by: Larry Finger +Reviewed-by: Nathan Chancellor +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/b43/phy_lp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/b43/phy_lp.c b/drivers/net/wireless/broadcom/b43/phy_lp.c +index 6922cbb99a044..5a0699fb4b9ab 100644 +--- a/drivers/net/wireless/broadcom/b43/phy_lp.c ++++ b/drivers/net/wireless/broadcom/b43/phy_lp.c +@@ -1834,7 +1834,7 @@ static void lpphy_papd_cal(struct b43_wldev *dev, struct lpphy_tx_gains gains, + static void lpphy_papd_cal_txpwr(struct b43_wldev *dev) + { + struct b43_phy_lp *lpphy = dev->phy.lp; +- struct lpphy_tx_gains gains, oldgains; ++ struct lpphy_tx_gains oldgains; + int old_txpctl, old_afe_ovr, old_rf, old_bbmult; + + lpphy_read_tx_pctl_mode_from_hardware(dev); +@@ -1848,9 +1848,9 @@ static void lpphy_papd_cal_txpwr(struct b43_wldev *dev) + lpphy_set_tx_power_control(dev, B43_LPPHY_TXPCTL_OFF); + + if (dev->dev->chip_id == 0x4325 && dev->dev->chip_rev == 0) +- lpphy_papd_cal(dev, gains, 0, 1, 30); ++ lpphy_papd_cal(dev, oldgains, 0, 1, 30); + else +- lpphy_papd_cal(dev, gains, 0, 1, 65); ++ lpphy_papd_cal(dev, oldgains, 0, 1, 65); + + if (old_afe_ovr) + lpphy_set_tx_gains(dev, oldgains); +-- +2.20.1 + diff --git a/queue-4.19/batman-adv-allow-updating-dat-entry-timeouts-on-inco.patch b/queue-4.19/batman-adv-allow-updating-dat-entry-timeouts-on-inco.patch new file mode 100644 index 00000000000..0f4e9a13b5a --- /dev/null +++ b/queue-4.19/batman-adv-allow-updating-dat-entry-timeouts-on-inco.patch @@ -0,0 +1,60 @@ +From 65e3cc738a406caa43b87e5deffb44879a55ec72 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Linus=20L=C3=BCssing?= +Date: Thu, 14 Feb 2019 16:52:43 +0100 +Subject: batman-adv: allow updating DAT entry timeouts on incoming ARP Replies +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 099e6cc1582dc2903fecb898bbeae8f7cf4262c7 ] + +Currently incoming ARP Replies, for example via a DHT-PUT message, do +not update the timeout for an already existing DAT entry. These ARP +Replies are dropped instead. + +This however defeats the purpose of the DHCPACK snooping, for instance. +Right now, a DAT entry in the DHT will be purged every five minutes, +likely leading to a mesh-wide ARP Request broadcast after this timeout. +Which then recreates the entry. The idea of the DHCPACK snooping is to +be able to update an entry before a timeout happens, to avoid ARP Request +flooding. + +This patch fixes this issue by updating a DAT entry on incoming +ARP Replies even if a matching DAT entry already exists. While still +filtering the ARP Reply towards the soft-interface, to avoid duplicate +messages on the client device side. + +Signed-off-by: Linus Lüssing +Acked-by: Antonio Quartulli +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/distributed-arp-table.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c +index a60bacf7120be..2895e3b26e930 100644 +--- a/net/batman-adv/distributed-arp-table.c ++++ b/net/batman-adv/distributed-arp-table.c +@@ -1394,7 +1394,6 @@ bool batadv_dat_snoop_incoming_arp_reply(struct batadv_priv *bat_priv, + hw_src, &ip_src, hw_dst, &ip_dst, + dat_entry->mac_addr, &dat_entry->ip); + dropped = true; +- goto out; + } + + /* Update our internal cache with both the IP addresses the node got +@@ -1403,6 +1402,9 @@ bool batadv_dat_snoop_incoming_arp_reply(struct batadv_priv *bat_priv, + batadv_dat_entry_add(bat_priv, ip_src, hw_src, vid); + batadv_dat_entry_add(bat_priv, ip_dst, hw_dst, vid); + ++ if (dropped) ++ goto out; ++ + /* If BLA is enabled, only forward ARP replies if we have claimed the + * source of the ARP reply or if no one else of the same backbone has + * already claimed that client. This prevents that different gateways +-- +2.20.1 + diff --git a/queue-4.19/bcache-add-failure-check-to-run_cache_set-for-journa.patch b/queue-4.19/bcache-add-failure-check-to-run_cache_set-for-journa.patch new file mode 100644 index 00000000000..734b1c71d8c --- /dev/null +++ b/queue-4.19/bcache-add-failure-check-to-run_cache_set-for-journa.patch @@ -0,0 +1,94 @@ +From 539fe643d62acf44fe9b24e724b619fde8e8f8ce Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Thu, 25 Apr 2019 00:48:34 +0800 +Subject: bcache: add failure check to run_cache_set() for journal replay + +[ Upstream commit ce3e4cfb59cb382f8e5ce359238aa580d4ae7778 ] + +Currently run_cache_set() has no return value, if there is failure in +bch_journal_replay(), the caller of run_cache_set() has no idea about +such failure and just continue to execute following code after +run_cache_set(). The internal failure is triggered inside +bch_journal_replay() and being handled in async way. This behavior is +inefficient, while failure handling inside bch_journal_replay(), cache +register code is still running to start the cache set. Registering and +unregistering code running as same time may introduce some rare race +condition, and make the code to be more hard to be understood. + +This patch adds return value to run_cache_set(), and returns -EIO if +bch_journal_rreplay() fails. Then caller of run_cache_set() may detect +such failure and stop registering code flow immedidately inside +register_cache_set(). + +If journal replay fails, run_cache_set() can report error immediately +to register_cache_set(). This patch makes the failure handling for +bch_journal_replay() be in synchronized way, easier to understand and +debug, and avoid poetential race condition for register-and-unregister +in same time. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/super.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index d8190804aee9b..2409507d7bff8 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1770,7 +1770,7 @@ struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) + return NULL; + } + +-static void run_cache_set(struct cache_set *c) ++static int run_cache_set(struct cache_set *c) + { + const char *err = "cannot allocate memory"; + struct cached_dev *dc, *t; +@@ -1866,7 +1866,9 @@ static void run_cache_set(struct cache_set *c) + if (j->version < BCACHE_JSET_VERSION_UUID) + __uuid_write(c); + +- bch_journal_replay(c, &journal); ++ err = "bcache: replay journal failed"; ++ if (bch_journal_replay(c, &journal)) ++ goto err; + } else { + pr_notice("invalidating existing data"); + +@@ -1934,7 +1936,7 @@ static void run_cache_set(struct cache_set *c) + flash_devs_run(c); + + set_bit(CACHE_SET_RUNNING, &c->flags); +- return; ++ return 0; + err: + while (!list_empty(&journal)) { + l = list_first_entry(&journal, struct journal_replay, list); +@@ -1945,6 +1947,8 @@ static void run_cache_set(struct cache_set *c) + closure_sync(&cl); + /* XXX: test this, it's broken */ + bch_cache_set_error(c, "%s", err); ++ ++ return -EIO; + } + + static bool can_attach_cache(struct cache *ca, struct cache_set *c) +@@ -2008,8 +2012,11 @@ static const char *register_cache_set(struct cache *ca) + ca->set->cache[ca->sb.nr_this_dev] = ca; + c->cache_by_alloc[c->caches_loaded++] = ca; + +- if (c->caches_loaded == c->sb.nr_in_set) +- run_cache_set(c); ++ if (c->caches_loaded == c->sb.nr_in_set) { ++ err = "failed to run cache set"; ++ if (run_cache_set(c) < 0) ++ goto err; ++ } + + return NULL; + err: +-- +2.20.1 + diff --git a/queue-4.19/bcache-avoid-clang-wunintialized-warning.patch b/queue-4.19/bcache-avoid-clang-wunintialized-warning.patch new file mode 100644 index 00000000000..69ff85b5150 --- /dev/null +++ b/queue-4.19/bcache-avoid-clang-wunintialized-warning.patch @@ -0,0 +1,75 @@ +From 4d2f672c27e4e62b93ed989b109d88f68dc40b1f Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 25 Apr 2019 00:48:28 +0800 +Subject: bcache: avoid clang -Wunintialized warning + +[ Upstream commit 78d4eb8ad9e1d413449d1b7a060f50b6efa81ebd ] + +clang has identified a code path in which it thinks a +variable may be unused: + +drivers/md/bcache/alloc.c:333:4: error: variable 'bucket' is used uninitialized whenever 'if' condition is false + [-Werror,-Wsometimes-uninitialized] + fifo_pop(&ca->free_inc, bucket); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/md/bcache/util.h:219:27: note: expanded from macro 'fifo_pop' + #define fifo_pop(fifo, i) fifo_pop_front(fifo, (i)) + ^~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/md/bcache/util.h:189:6: note: expanded from macro 'fifo_pop_front' + if (_r) { \ + ^~ +drivers/md/bcache/alloc.c:343:46: note: uninitialized use occurs here + allocator_wait(ca, bch_allocator_push(ca, bucket)); + ^~~~~~ +drivers/md/bcache/alloc.c:287:7: note: expanded from macro 'allocator_wait' + if (cond) \ + ^~~~ +drivers/md/bcache/alloc.c:333:4: note: remove the 'if' if its condition is always true + fifo_pop(&ca->free_inc, bucket); + ^ +drivers/md/bcache/util.h:219:27: note: expanded from macro 'fifo_pop' + #define fifo_pop(fifo, i) fifo_pop_front(fifo, (i)) + ^ +drivers/md/bcache/util.h:189:2: note: expanded from macro 'fifo_pop_front' + if (_r) { \ + ^ +drivers/md/bcache/alloc.c:331:15: note: initialize the variable 'bucket' to silence this warning + long bucket; + ^ + +This cannot happen in practice because we only enter the loop +if there is at least one element in the list. + +Slightly rearranging the code makes this clearer to both the +reader and the compiler, which avoids the warning. + +Signed-off-by: Arnd Bergmann +Reviewed-by: Nathan Chancellor +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/alloc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/bcache/alloc.c b/drivers/md/bcache/alloc.c +index 7a28232d868bd..de85b3af3b39d 100644 +--- a/drivers/md/bcache/alloc.c ++++ b/drivers/md/bcache/alloc.c +@@ -327,10 +327,11 @@ static int bch_allocator_thread(void *arg) + * possibly issue discards to them, then we add the bucket to + * the free list: + */ +- while (!fifo_empty(&ca->free_inc)) { ++ while (1) { + long bucket; + +- fifo_pop(&ca->free_inc, bucket); ++ if (!fifo_pop(&ca->free_inc, bucket)) ++ break; + + if (ca->discard) { + mutex_unlock(&ca->set->bucket_lock); +-- +2.20.1 + diff --git a/queue-4.19/bcache-avoid-potential-memleak-of-list-of-journal_re.patch b/queue-4.19/bcache-avoid-potential-memleak-of-list-of-journal_re.patch new file mode 100644 index 00000000000..841579faca5 --- /dev/null +++ b/queue-4.19/bcache-avoid-potential-memleak-of-list-of-journal_re.patch @@ -0,0 +1,61 @@ +From 82731fa26c8541821f642b0b06c63a5dd32ac692 Mon Sep 17 00:00:00 2001 +From: Shenghui Wang +Date: Thu, 25 Apr 2019 00:48:43 +0800 +Subject: bcache: avoid potential memleak of list of journal_replay(s) in the + CACHE_SYNC branch of run_cache_set + +[ Upstream commit 95f18c9d1310730d075499a75aaf13bcd60405a7 ] + +In the CACHE_SYNC branch of run_cache_set(), LIST_HEAD(journal) is used +to collect journal_replay(s) and filled by bch_journal_read(). + +If all goes well, bch_journal_replay() will release the list of +jounal_replay(s) at the end of the branch. + +If something goes wrong, code flow will jump to the label "err:" and leave +the list unreleased. + +This patch will release the list of journal_replay(s) in the case of +error detected. + +v1 -> v2: +* Move the release code to the location after label 'err:' to + simply the change. + +Signed-off-by: Shenghui Wang +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/super.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 2c0d35c882ed8..d8190804aee9b 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1777,6 +1777,8 @@ static void run_cache_set(struct cache_set *c) + struct cache *ca; + struct closure cl; + unsigned int i; ++ LIST_HEAD(journal); ++ struct journal_replay *l; + + closure_init_stack(&cl); + +@@ -1934,6 +1936,12 @@ static void run_cache_set(struct cache_set *c) + set_bit(CACHE_SET_RUNNING, &c->flags); + return; + err: ++ while (!list_empty(&journal)) { ++ l = list_first_entry(&journal, struct journal_replay, list); ++ list_del(&l->list); ++ kfree(l); ++ } ++ + closure_sync(&cl); + /* XXX: test this, it's broken */ + bch_cache_set_error(c, "%s", err); +-- +2.20.1 + diff --git a/queue-4.19/bcache-fix-failure-in-journal-relplay.patch b/queue-4.19/bcache-fix-failure-in-journal-relplay.patch new file mode 100644 index 00000000000..cd0249f9a74 --- /dev/null +++ b/queue-4.19/bcache-fix-failure-in-journal-relplay.patch @@ -0,0 +1,88 @@ +From eb98e9bf93d8ab797959d0b25553e41a19470096 Mon Sep 17 00:00:00 2001 +From: Tang Junhui +Date: Thu, 25 Apr 2019 00:48:41 +0800 +Subject: bcache: fix failure in journal relplay + +[ Upstream commit 631207314d88e9091be02fbdd1fdadb1ae2ed79a ] + +journal replay failed with messages: +Sep 10 19:10:43 ceph kernel: bcache: error on +bb379a64-e44e-4812-b91d-a5599871a3b1: bcache: journal entries +2057493-2057567 missing! (replaying 2057493-2076601), disabling +caching + +The reason is in journal_reclaim(), when discard is enabled, we send +discard command and reclaim those journal buckets whose seq is old +than the last_seq_now, but before we write a journal with last_seq_now, +the machine is restarted, so the journal with the last_seq_now is not +written to the journal bucket, and the last_seq_wrote in the newest +journal is old than last_seq_now which we expect to be, so when we doing +replay, journals from last_seq_wrote to last_seq_now are missing. + +It's hard to write a journal immediately after journal_reclaim(), +and it harmless if those missed journal are caused by discarding +since those journals are already wrote to btree node. So, if miss +seqs are started from the beginning journal, we treat it as normal, +and only print a message to show the miss journal, and point out +it maybe caused by discarding. + +Patch v2 add a judgement condition to ignore the missed journal +only when discard enabled as Coly suggested. + +(Coly Li: rebase the patch with other changes in bch_journal_replay()) + +Signed-off-by: Tang Junhui +Tested-by: Dennis Schridde +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/journal.c | 25 +++++++++++++++++++++---- + 1 file changed, 21 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c +index 07da39ac2d110..f880e5eba8dd9 100644 +--- a/drivers/md/bcache/journal.c ++++ b/drivers/md/bcache/journal.c +@@ -317,6 +317,18 @@ void bch_journal_mark(struct cache_set *c, struct list_head *list) + } + } + ++bool is_discard_enabled(struct cache_set *s) ++{ ++ struct cache *ca; ++ unsigned int i; ++ ++ for_each_cache(ca, s, i) ++ if (ca->discard) ++ return true; ++ ++ return false; ++} ++ + int bch_journal_replay(struct cache_set *s, struct list_head *list) + { + int ret = 0, keys = 0, entries = 0; +@@ -331,10 +343,15 @@ int bch_journal_replay(struct cache_set *s, struct list_head *list) + BUG_ON(i->pin && atomic_read(i->pin) != 1); + + if (n != i->j.seq) { +- pr_err("bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)", +- n, i->j.seq - 1, start, end); +- ret = -EIO; +- goto err; ++ if (n == start && is_discard_enabled(s)) ++ pr_info("bcache: journal entries %llu-%llu may be discarded! (replaying %llu-%llu)", ++ n, i->j.seq - 1, start, end); ++ else { ++ pr_err("bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)", ++ n, i->j.seq - 1, start, end); ++ ret = -EIO; ++ goto err; ++ } + } + + for (k = i->j.start; +-- +2.20.1 + diff --git a/queue-4.19/bcache-return-error-immediately-in-bch_journal_repla.patch b/queue-4.19/bcache-return-error-immediately-in-bch_journal_repla.patch new file mode 100644 index 00000000000..75478c12c67 --- /dev/null +++ b/queue-4.19/bcache-return-error-immediately-in-bch_journal_repla.patch @@ -0,0 +1,52 @@ +From fa28d0b48b67132159df34cdb733392da90759f3 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Thu, 25 Apr 2019 00:48:36 +0800 +Subject: bcache: return error immediately in bch_journal_replay() + +[ Upstream commit 68d10e6979a3b59e3cd2e90bfcafed79c4cf180a ] + +When failure happens inside bch_journal_replay(), calling +cache_set_err_on() and handling the failure in async way is not a good +idea. Because after bch_journal_replay() returns, registering code will +continue to execute following steps, and unregistering code triggered +by cache_set_err_on() is running in same time. First it is unnecessary +to handle failure and unregister cache set in an async way, second there +might be potential race condition to run register and unregister code +for same cache set. + +So in this patch, if failure happens in bch_journal_replay(), we don't +call cache_set_err_on(), and just print out the same error message to +kernel message buffer, then return -EIO immediately caller. Then caller +can detect such failure and handle it in synchrnozied way. + +Signed-off-by: Coly Li +Reviewed-by: Hannes Reinecke +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/journal.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c +index 772258ee1f517..07da39ac2d110 100644 +--- a/drivers/md/bcache/journal.c ++++ b/drivers/md/bcache/journal.c +@@ -330,9 +330,12 @@ int bch_journal_replay(struct cache_set *s, struct list_head *list) + list_for_each_entry(i, list, list) { + BUG_ON(i->pin && atomic_read(i->pin) != 1); + +- cache_set_err_on(n != i->j.seq, s, +-"bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)", +- n, i->j.seq - 1, start, end); ++ if (n != i->j.seq) { ++ pr_err("bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)", ++ n, i->j.seq - 1, start, end); ++ ret = -EIO; ++ goto err; ++ } + + for (k = i->j.start; + k < bset_bkey_last(&i->j); +-- +2.20.1 + diff --git a/queue-4.19/block-fix-use-after-free-on-gendisk.patch b/queue-4.19/block-fix-use-after-free-on-gendisk.patch new file mode 100644 index 00000000000..ab501c20753 --- /dev/null +++ b/queue-4.19/block-fix-use-after-free-on-gendisk.patch @@ -0,0 +1,133 @@ +From 515629f432f6682957d020789b1e56dfe18bc490 Mon Sep 17 00:00:00 2001 +From: Yufen Yu +Date: Tue, 2 Apr 2019 20:06:34 +0800 +Subject: block: fix use-after-free on gendisk + +[ Upstream commit 2c88e3c7ec32d7a40cc7c9b4a487cf90e4671bdd ] + +commit 2da78092dda "block: Fix dev_t minor allocation lifetime" +specifically moved blk_free_devt(dev->devt) call to part_release() +to avoid reallocating device number before the device is fully +shutdown. + +However, it can cause use-after-free on gendisk in get_gendisk(). +We use md device as example to show the race scenes: + +Process1 Worker Process2 +md_free + blkdev_open +del_gendisk + add delete_partition_work_fn() to wq + __blkdev_get + get_gendisk +put_disk + disk_release + kfree(disk) + find part from ext_devt_idr + get_disk_and_module(disk) + cause use after free + + delete_partition_work_fn + put_device(part) + part_release + remove part from ext_devt_idr + +Before is removed from ext_devt_idr by +delete_partition_work_fn(), we can find the devt and then access +gendisk by hd_struct pointer. But, if we access the gendisk after +it have been freed, it can cause in use-after-freeon gendisk in +get_gendisk(). + +We fix this by adding a new helper blk_invalidate_devt() in +delete_partition() and del_gendisk(). It replaces hd_struct +pointer in idr with value 'NULL', and deletes the entry from +idr in part_release() as we do now. + +Thanks to Jan Kara for providing the solution and more clear comments +for the code. + +Fixes: 2da78092dda1 ("block: Fix dev_t minor allocation lifetime") +Cc: Al Viro +Reviewed-by: Bart Van Assche +Reviewed-by: Keith Busch +Reviewed-by: Jan Kara +Suggested-by: Jan Kara +Signed-off-by: Yufen Yu +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/genhd.c | 19 +++++++++++++++++++ + block/partition-generic.c | 7 +++++++ + include/linux/genhd.h | 1 + + 3 files changed, 27 insertions(+) + +diff --git a/block/genhd.c b/block/genhd.c +index be5bab20b2abf..2b2a936cf8480 100644 +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -518,6 +518,18 @@ void blk_free_devt(dev_t devt) + } + } + ++/** ++ * We invalidate devt by assigning NULL pointer for devt in idr. ++ */ ++void blk_invalidate_devt(dev_t devt) ++{ ++ if (MAJOR(devt) == BLOCK_EXT_MAJOR) { ++ spin_lock_bh(&ext_devt_lock); ++ idr_replace(&ext_devt_idr, NULL, blk_mangle_minor(MINOR(devt))); ++ spin_unlock_bh(&ext_devt_lock); ++ } ++} ++ + static char *bdevt_str(dev_t devt, char *buf) + { + if (MAJOR(devt) <= 0xff && MINOR(devt) <= 0xff) { +@@ -769,6 +781,13 @@ void del_gendisk(struct gendisk *disk) + + if (!(disk->flags & GENHD_FL_HIDDEN)) + blk_unregister_region(disk_devt(disk), disk->minors); ++ /* ++ * Remove gendisk pointer from idr so that it cannot be looked up ++ * while RCU period before freeing gendisk is running to prevent ++ * use-after-free issues. Note that the device number stays ++ * "in-use" until we really free the gendisk. ++ */ ++ blk_invalidate_devt(disk_devt(disk)); + + kobject_put(disk->part0.holder_dir); + kobject_put(disk->slave_dir); +diff --git a/block/partition-generic.c b/block/partition-generic.c +index 5f8db5c5140f4..98d60a59b843c 100644 +--- a/block/partition-generic.c ++++ b/block/partition-generic.c +@@ -289,6 +289,13 @@ void delete_partition(struct gendisk *disk, int partno) + kobject_put(part->holder_dir); + device_del(part_to_dev(part)); + ++ /* ++ * Remove gendisk pointer from idr so that it cannot be looked up ++ * while RCU period before freeing gendisk is running to prevent ++ * use-after-free issues. Note that the device number stays ++ * "in-use" until we really free the gendisk. ++ */ ++ blk_invalidate_devt(part_devt(part)); + hd_struct_kill(part); + } + +diff --git a/include/linux/genhd.h b/include/linux/genhd.h +index f767293b00e66..f13272d843320 100644 +--- a/include/linux/genhd.h ++++ b/include/linux/genhd.h +@@ -596,6 +596,7 @@ struct unixware_disklabel { + + extern int blk_alloc_devt(struct hd_struct *part, dev_t *devt); + extern void blk_free_devt(dev_t devt); ++extern void blk_invalidate_devt(dev_t devt); + extern dev_t blk_lookup_devt(const char *name, int partno); + extern char *disk_name (struct gendisk *hd, int partno, char *buf); + +-- +2.20.1 + diff --git a/queue-4.19/block-sed-opal-fix-ioc_opal_enable_disable_mbr.patch b/queue-4.19/block-sed-opal-fix-ioc_opal_enable_disable_mbr.patch new file mode 100644 index 00000000000..63340124b3e --- /dev/null +++ b/queue-4.19/block-sed-opal-fix-ioc_opal_enable_disable_mbr.patch @@ -0,0 +1,65 @@ +From fcd0ee2f1c322185c50ba6820b98c76010a5b01b Mon Sep 17 00:00:00 2001 +From: David Kozub +Date: Thu, 14 Feb 2019 01:15:53 +0100 +Subject: block: sed-opal: fix IOC_OPAL_ENABLE_DISABLE_MBR + +[ Upstream commit 78bf47353b0041865564deeed257a54f047c2fdc ] + +The implementation of IOC_OPAL_ENABLE_DISABLE_MBR handled the value +opal_mbr_data.enable_disable incorrectly: enable_disable is expected +to be one of OPAL_MBR_ENABLE(0) or OPAL_MBR_DISABLE(1). enable_disable +was passed directly to set_mbr_done and set_mbr_enable_disable where +is was interpreted as either OPAL_TRUE(1) or OPAL_FALSE(0). The end +result was that calling IOC_OPAL_ENABLE_DISABLE_MBR with OPAL_MBR_ENABLE +actually disabled the shadow MBR and vice versa. + +This patch adds correct conversion from OPAL_MBR_DISABLE/ENABLE to +OPAL_FALSE/TRUE. The change affects existing programs using +IOC_OPAL_ENABLE_DISABLE_MBR but this is typically used only once when +setting up an Opal drive. + +Acked-by: Jon Derrick +Reviewed-by: Christoph Hellwig +Reviewed-by: Scott Bauer +Signed-off-by: David Kozub +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/sed-opal.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/block/sed-opal.c b/block/sed-opal.c +index e0de4dd448b3c..1196408972937 100644 +--- a/block/sed-opal.c ++++ b/block/sed-opal.c +@@ -2095,13 +2095,16 @@ static int opal_erase_locking_range(struct opal_dev *dev, + static int opal_enable_disable_shadow_mbr(struct opal_dev *dev, + struct opal_mbr_data *opal_mbr) + { ++ u8 enable_disable = opal_mbr->enable_disable == OPAL_MBR_ENABLE ? ++ OPAL_TRUE : OPAL_FALSE; ++ + const struct opal_step mbr_steps[] = { + { opal_discovery0, }, + { start_admin1LSP_opal_session, &opal_mbr->key }, +- { set_mbr_done, &opal_mbr->enable_disable }, ++ { set_mbr_done, &enable_disable }, + { end_opal_session, }, + { start_admin1LSP_opal_session, &opal_mbr->key }, +- { set_mbr_enable_disable, &opal_mbr->enable_disable }, ++ { set_mbr_enable_disable, &enable_disable }, + { end_opal_session, }, + { NULL, } + }; +@@ -2221,7 +2224,7 @@ static int __opal_lock_unlock(struct opal_dev *dev, + + static int __opal_set_mbr_done(struct opal_dev *dev, struct opal_key *key) + { +- u8 mbr_done_tf = 1; ++ u8 mbr_done_tf = OPAL_TRUE; + const struct opal_step mbrdone_step [] = { + { opal_discovery0, }, + { start_admin1LSP_opal_session, key }, +-- +2.20.1 + diff --git a/queue-4.19/bluetooth-hci_qca-give-enough-time-to-rome-controlle.patch b/queue-4.19/bluetooth-hci_qca-give-enough-time-to-rome-controlle.patch new file mode 100644 index 00000000000..b43b3214bb8 --- /dev/null +++ b/queue-4.19/bluetooth-hci_qca-give-enough-time-to-rome-controlle.patch @@ -0,0 +1,37 @@ +From 737173de00f601d23caf10e0aca3494348f68f8f Mon Sep 17 00:00:00 2001 +From: Balakrishna Godavarthi +Date: Mon, 1 Apr 2019 15:19:08 +0530 +Subject: Bluetooth: hci_qca: Give enough time to ROME controller to bootup. + +[ Upstream commit 7f09d5a6c33be66a5ca19bf9dd1c2d90c5dfcf0d ] + +This patch enables enough time to ROME controller to bootup +after we bring the enable pin out of reset. + +Fixes: 05ba533c5c11 ("Bluetooth: hci_qca: Add serdev support"). +Signed-off-by: Balakrishna Godavarthi +Reviewed-by: Rocky Liao +Tested-by: Rocky Liao +Tested-by: Claire Chang +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_qca.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c +index f0d593c3fa728..77004c29da089 100644 +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -504,6 +504,8 @@ static int qca_open(struct hci_uart *hu) + qcadev = serdev_device_get_drvdata(hu->serdev); + if (qcadev->btsoc_type != QCA_WCN3990) { + gpiod_set_value_cansleep(qcadev->bt_en, 1); ++ /* Controller needs time to bootup. */ ++ msleep(150); + } else { + hu->init_speed = qcadev->init_speed; + hu->oper_speed = qcadev->oper_speed; +-- +2.20.1 + diff --git a/queue-4.19/bluetooth-ignore-cc-events-not-matching-the-last-hci.patch b/queue-4.19/bluetooth-ignore-cc-events-not-matching-the-last-hci.patch new file mode 100644 index 00000000000..73a58fbeb67 --- /dev/null +++ b/queue-4.19/bluetooth-ignore-cc-events-not-matching-the-last-hci.patch @@ -0,0 +1,195 @@ +From 140777a760cfc1ffc2817746936dc24f9b68d4eb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jo=C3=A3o=20Paulo=20Rechi=20Vita?= +Date: Thu, 2 May 2019 10:01:52 +0800 +Subject: Bluetooth: Ignore CC events not matching the last HCI command +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit f80c5dad7b6467b884c445ffea45985793b4b2d0 ] + +This commit makes the kernel not send the next queued HCI command until +a command complete arrives for the last HCI command sent to the +controller. This change avoids a problem with some buggy controllers +(seen on two SKUs of QCA9377) that send an extra command complete event +for the previous command after the kernel had already sent a new HCI +command to the controller. + +The problem was reproduced when starting an active scanning procedure, +where an extra command complete event arrives for the LE_SET_RANDOM_ADDR +command. When this happends the kernel ends up not processing the +command complete for the following commmand, LE_SET_SCAN_PARAM, and +ultimately behaving as if a passive scanning procedure was being +performed, when in fact controller is performing an active scanning +procedure. This makes it impossible to discover BLE devices as no device +found events are sent to userspace. + +This problem is reproducible on 100% of the attempts on the affected +controllers. The extra command complete event can be seen at timestamp +27.420131 on the btmon logs bellow. + +Bluetooth monitor ver 5.50 += Note: Linux version 5.0.0+ (x86_64) 0.352340 += Note: Bluetooth subsystem version 2.22 0.352343 += New Index: 80:C5:F2:8F:87:84 (Primary,USB,hci0) [hci0] 0.352344 += Open Index: 80:C5:F2:8F:87:84 [hci0] 0.352345 += Index Info: 80:C5:F2:8F:87:84 (Qualcomm) [hci0] 0.352346 +@ MGMT Open: bluetoothd (privileged) version 1.14 {0x0001} 0.352347 +@ MGMT Open: btmon (privileged) version 1.14 {0x0002} 0.352366 +@ MGMT Open: btmgmt (privileged) version 1.14 {0x0003} 27.302164 +@ MGMT Command: Start Discovery (0x0023) plen 1 {0x0003} [hci0] 27.302310 + Address type: 0x06 + LE Public + LE Random +< HCI Command: LE Set Random Address (0x08|0x0005) plen 6 #1 [hci0] 27.302496 + Address: 15:60:F2:91:B2:24 (Non-Resolvable) +> HCI Event: Command Complete (0x0e) plen 4 #2 [hci0] 27.419117 + LE Set Random Address (0x08|0x0005) ncmd 1 + Status: Success (0x00) +< HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7 #3 [hci0] 27.419244 + Type: Active (0x01) + Interval: 11.250 msec (0x0012) + Window: 11.250 msec (0x0012) + Own address type: Random (0x01) + Filter policy: Accept all advertisement (0x00) +> HCI Event: Command Complete (0x0e) plen 4 #4 [hci0] 27.420131 + LE Set Random Address (0x08|0x0005) ncmd 1 + Status: Success (0x00) +< HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2 #5 [hci0] 27.420259 + Scanning: Enabled (0x01) + Filter duplicates: Enabled (0x01) +> HCI Event: Command Complete (0x0e) plen 4 #6 [hci0] 27.420969 + LE Set Scan Parameters (0x08|0x000b) ncmd 1 + Status: Success (0x00) +> HCI Event: Command Complete (0x0e) plen 4 #7 [hci0] 27.421983 + LE Set Scan Enable (0x08|0x000c) ncmd 1 + Status: Success (0x00) +@ MGMT Event: Command Complete (0x0001) plen 4 {0x0003} [hci0] 27.422059 + Start Discovery (0x0023) plen 1 + Status: Success (0x00) + Address type: 0x06 + LE Public + LE Random +@ MGMT Event: Discovering (0x0013) plen 2 {0x0003} [hci0] 27.422067 + Address type: 0x06 + LE Public + LE Random + Discovery: Enabled (0x01) +@ MGMT Event: Discovering (0x0013) plen 2 {0x0002} [hci0] 27.422067 + Address type: 0x06 + LE Public + LE Random + Discovery: Enabled (0x01) +@ MGMT Event: Discovering (0x0013) plen 2 {0x0001} [hci0] 27.422067 + Address type: 0x06 + LE Public + LE Random + Discovery: Enabled (0x01) + +Signed-off-by: João Paulo Rechi Vita +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci.h | 1 + + net/bluetooth/hci_core.c | 5 +++++ + net/bluetooth/hci_event.c | 12 ++++++++++++ + net/bluetooth/hci_request.c | 5 +++++ + net/bluetooth/hci_request.h | 1 + + 5 files changed, 24 insertions(+) + +diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h +index cdd9f1fe7cfa9..845d947dbae82 100644 +--- a/include/net/bluetooth/hci.h ++++ b/include/net/bluetooth/hci.h +@@ -270,6 +270,7 @@ enum { + HCI_FORCE_BREDR_SMP, + HCI_FORCE_STATIC_ADDR, + HCI_LL_RPA_RESOLUTION, ++ HCI_CMD_PENDING, + + __HCI_NUM_FLAGS, + }; +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index a06f030477173..5afd67ef797a6 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -4274,6 +4274,9 @@ void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status, + return; + } + ++ /* If we reach this point this event matches the last command sent */ ++ hci_dev_clear_flag(hdev, HCI_CMD_PENDING); ++ + /* If the command succeeded and there's still more commands in + * this request the request is not yet complete. + */ +@@ -4384,6 +4387,8 @@ static void hci_cmd_work(struct work_struct *work) + + hdev->sent_cmd = skb_clone(skb, GFP_KERNEL); + if (hdev->sent_cmd) { ++ if (hci_req_status_pend(hdev)) ++ hci_dev_set_flag(hdev, HCI_CMD_PENDING); + atomic_dec(&hdev->cmd_cnt); + hci_send_frame(hdev, skb); + if (test_bit(HCI_RESET, &hdev->flags)) +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 7f800c3480f7a..3e7badb3ac2d5 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -3357,6 +3357,12 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb, + hci_req_cmd_complete(hdev, *opcode, *status, req_complete, + req_complete_skb); + ++ if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { ++ bt_dev_err(hdev, ++ "unexpected event for opcode 0x%4.4x", *opcode); ++ return; ++ } ++ + if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) + queue_work(hdev->workqueue, &hdev->cmd_work); + } +@@ -3464,6 +3470,12 @@ static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb, + hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete, + req_complete_skb); + ++ if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { ++ bt_dev_err(hdev, ++ "unexpected event for opcode 0x%4.4x", *opcode); ++ return; ++ } ++ + if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) + queue_work(hdev->workqueue, &hdev->cmd_work); + } +diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c +index e8c9ef1e19227..9448ebd3780a3 100644 +--- a/net/bluetooth/hci_request.c ++++ b/net/bluetooth/hci_request.c +@@ -46,6 +46,11 @@ void hci_req_purge(struct hci_request *req) + skb_queue_purge(&req->cmd_q); + } + ++bool hci_req_status_pend(struct hci_dev *hdev) ++{ ++ return hdev->req_status == HCI_REQ_PEND; ++} ++ + static int req_run(struct hci_request *req, hci_req_complete_t complete, + hci_req_complete_skb_t complete_skb) + { +diff --git a/net/bluetooth/hci_request.h b/net/bluetooth/hci_request.h +index 692cc8b133682..55b2050cc9ff0 100644 +--- a/net/bluetooth/hci_request.h ++++ b/net/bluetooth/hci_request.h +@@ -37,6 +37,7 @@ struct hci_request { + + void hci_req_init(struct hci_request *req, struct hci_dev *hdev); + void hci_req_purge(struct hci_request *req); ++bool hci_req_status_pend(struct hci_dev *hdev); + int hci_req_run(struct hci_request *req, hci_req_complete_t complete); + int hci_req_run_skb(struct hci_request *req, hci_req_complete_skb_t complete); + void hci_req_add(struct hci_request *req, u16 opcode, u32 plen, +-- +2.20.1 + diff --git a/queue-4.19/bpftool-exclude-bash-completion-bpftool-from-.gitign.patch b/queue-4.19/bpftool-exclude-bash-completion-bpftool-from-.gitign.patch new file mode 100644 index 00000000000..1ac61927144 --- /dev/null +++ b/queue-4.19/bpftool-exclude-bash-completion-bpftool-from-.gitign.patch @@ -0,0 +1,57 @@ +From 6f72b39c90063675d4b8120351444eceb40d56ec Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Wed, 1 May 2019 22:45:59 +0900 +Subject: bpftool: exclude bash-completion/bpftool from .gitignore pattern + +[ Upstream commit a7d006714724de4334c5e3548701b33f7b12ca96 ] + +tools/bpf/bpftool/.gitignore has the "bpftool" pattern, which is +intended to ignore the following build artifact: + + tools/bpf/bpftool/bpftool + +However, the .gitignore entry is effective not only for the current +directory, but also for any sub-directories. + +So, from the point of .gitignore grammar, the following check-in file +is also considered to be ignored: + + tools/bpf/bpftool/bash-completion/bpftool + +As the manual gitignore(5) says "Files already tracked by Git are not +affected", this is not a problem as far as Git is concerned. + +However, Git is not the only program that parses .gitignore because +.gitignore is useful to distinguish build artifacts from source files. + +For example, tar(1) supports the --exclude-vcs-ignore option. As of +writing, this option does not work perfectly, but it intends to create +a tarball excluding files specified by .gitignore. + +So, I believe it is better to fix this issue. + +You can fix it by prefixing the pattern with a slash; the leading slash +means the specified pattern is relative to the current directory. + +Signed-off-by: Masahiro Yamada +Reviewed-by: Quentin Monnet +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/.gitignore | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/bpf/bpftool/.gitignore b/tools/bpf/bpftool/.gitignore +index 67167e44b7266..8248b8dd89d4b 100644 +--- a/tools/bpf/bpftool/.gitignore ++++ b/tools/bpf/bpftool/.gitignore +@@ -1,5 +1,5 @@ + *.d +-bpftool ++/bpftool + bpftool*.8 + bpf-helpers.* + FEATURE-DUMP.bpftool +-- +2.20.1 + diff --git a/queue-4.19/brcm80211-potential-null-dereference-in-brcmf_cfg802.patch b/queue-4.19/brcm80211-potential-null-dereference-in-brcmf_cfg802.patch new file mode 100644 index 00000000000..ddd76fa900f --- /dev/null +++ b/queue-4.19/brcm80211-potential-null-dereference-in-brcmf_cfg802.patch @@ -0,0 +1,58 @@ +From 07dd2c2e592e2dfe7a1a023f0d5f693bab7c668f Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 24 Apr 2019 12:52:18 +0300 +Subject: brcm80211: potential NULL dereference in + brcmf_cfg80211_vndr_cmds_dcmd_handler() + +[ Upstream commit e025da3d7aa4770bb1d1b3b0aa7cc4da1744852d ] + +If "ret_len" is negative then it could lead to a NULL dereference. + +The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative +then we don't allocate the "dcmd_buf" buffer. Then we pass "ret_len" to +brcmf_fil_cmd_data_set() where it is cast to a very high u32 value. +Most of the functions in that call tree check whether the buffer we pass +is NULL but there are at least a couple places which don't such as +brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd(). We memcpy() to and +from the buffer so it would result in a NULL dereference. + +The fix is to change the types so that "ret_len" can't be negative. (If +we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an +issue). + +Fixes: 1bacb0487d0e ("brcmfmac: replace cfg80211 testmode with vendor command") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c +index 8eff2753abade..d493021f60318 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c +@@ -35,9 +35,10 @@ static int brcmf_cfg80211_vndr_cmds_dcmd_handler(struct wiphy *wiphy, + struct brcmf_if *ifp; + const struct brcmf_vndr_dcmd_hdr *cmdhdr = data; + struct sk_buff *reply; +- int ret, payload, ret_len; ++ unsigned int payload, ret_len; + void *dcmd_buf = NULL, *wr_pointer; + u16 msglen, maxmsglen = PAGE_SIZE - 0x100; ++ int ret; + + if (len < sizeof(*cmdhdr)) { + brcmf_err("vendor command too short: %d\n", len); +@@ -65,7 +66,7 @@ static int brcmf_cfg80211_vndr_cmds_dcmd_handler(struct wiphy *wiphy, + brcmf_err("oversize return buffer %d\n", ret_len); + ret_len = BRCMF_DCMD_MAXLEN; + } +- payload = max(ret_len, len) + 1; ++ payload = max_t(unsigned int, ret_len, len) + 1; + dcmd_buf = vzalloc(payload); + if (NULL == dcmd_buf) + return -ENOMEM; +-- +2.20.1 + diff --git a/queue-4.19/brcmfmac-convert-dev_init_lock-mutex-to-completion.patch b/queue-4.19/brcmfmac-convert-dev_init_lock-mutex-to-completion.patch new file mode 100644 index 00000000000..cc58c23e24d --- /dev/null +++ b/queue-4.19/brcmfmac-convert-dev_init_lock-mutex-to-completion.patch @@ -0,0 +1,190 @@ +From c2e1adfeec1b9169422eb28d85fd7326ede7aecd Mon Sep 17 00:00:00 2001 +From: Piotr Figiel +Date: Wed, 13 Mar 2019 09:52:42 +0000 +Subject: brcmfmac: convert dev_init_lock mutex to completion + +[ Upstream commit a9fd0953fa4a62887306be28641b4b0809f3b2fd ] + +Leaving dev_init_lock mutex locked in probe causes BUG and a WARNING when +kernel is compiled with CONFIG_PROVE_LOCKING. Convert mutex to completion +which silences those warnings and improves code readability. + +Fix below errors when connecting the USB WiFi dongle: + +brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43143 for chip BCM43143/2 +BUG: workqueue leaked lock or atomic: kworker/0:2/0x00000000/434 + last function: hub_event +1 lock held by kworker/0:2/434: + #0: 18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac] +CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123 +Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +Workqueue: usb_hub_wq hub_event +[<8011237c>] (unwind_backtrace) from [<8010d74c>] (show_stack+0x10/0x14) +[<8010d74c>] (show_stack) from [<809c4324>] (dump_stack+0xa8/0xd4) +[<809c4324>] (dump_stack) from [<8014195c>] (process_one_work+0x710/0x808) +[<8014195c>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564) +[<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c) +[<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20) +Exception stack(0xed1d9fb0 to 0xed1d9ff8) +9fa0: 00000000 00000000 00000000 00000000 +9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +9fe0: 00000000 00000000 00000000 00000000 00000013 00000000 + +====================================================== +WARNING: possible circular locking dependency detected +4.19.23-00084-g454a789-dirty #123 Not tainted +------------------------------------------------------ +kworker/0:2/434 is trying to acquire lock: +e29cf799 ((wq_completion)"events"){+.+.}, at: process_one_work+0x174/0x808 + +but task is already holding lock: +18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac] + +which lock already depends on the new lock. + +the existing dependency chain (in reverse order) is: + +-> #2 (&devinfo->dev_init_lock){+.+.}: + mutex_lock_nested+0x1c/0x24 + brcmf_usb_probe+0x78/0x550 [brcmfmac] + usb_probe_interface+0xc0/0x1bc + really_probe+0x228/0x2c0 + __driver_attach+0xe4/0xe8 + bus_for_each_dev+0x68/0xb4 + bus_add_driver+0x19c/0x214 + driver_register+0x78/0x110 + usb_register_driver+0x84/0x148 + process_one_work+0x228/0x808 + worker_thread+0x2c/0x564 + kthread+0x13c/0x16c + ret_from_fork+0x14/0x20 + (null) + +-> #1 (brcmf_driver_work){+.+.}: + worker_thread+0x2c/0x564 + kthread+0x13c/0x16c + ret_from_fork+0x14/0x20 + (null) + +-> #0 ((wq_completion)"events"){+.+.}: + process_one_work+0x1b8/0x808 + worker_thread+0x2c/0x564 + kthread+0x13c/0x16c + ret_from_fork+0x14/0x20 + (null) + +other info that might help us debug this: + +Chain exists of: + (wq_completion)"events" --> brcmf_driver_work --> &devinfo->dev_init_lock + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&devinfo->dev_init_lock); + lock(brcmf_driver_work); + lock(&devinfo->dev_init_lock); + lock((wq_completion)"events"); + + *** DEADLOCK *** + +1 lock held by kworker/0:2/434: + #0: 18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac] + +stack backtrace: +CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123 +Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +Workqueue: events request_firmware_work_func +[<8011237c>] (unwind_backtrace) from [<8010d74c>] (show_stack+0x10/0x14) +[<8010d74c>] (show_stack) from [<809c4324>] (dump_stack+0xa8/0xd4) +[<809c4324>] (dump_stack) from [<80172838>] (print_circular_bug+0x210/0x330) +[<80172838>] (print_circular_bug) from [<80175940>] (__lock_acquire+0x160c/0x1a30) +[<80175940>] (__lock_acquire) from [<8017671c>] (lock_acquire+0xe0/0x268) +[<8017671c>] (lock_acquire) from [<80141404>] (process_one_work+0x1b8/0x808) +[<80141404>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564) +[<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c) +[<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20) +Exception stack(0xed1d9fb0 to 0xed1d9ff8) +9fa0: 00000000 00000000 00000000 00000000 +9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +9fe0: 00000000 00000000 00000000 00000000 00000013 00000000 + +Signed-off-by: Piotr Figiel +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + .../wireless/broadcom/brcm80211/brcmfmac/usb.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c +index a4308c6e72d79..5aeb401d9a024 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c +@@ -160,7 +160,7 @@ struct brcmf_usbdev_info { + + struct usb_device *usbdev; + struct device *dev; +- struct mutex dev_init_lock; ++ struct completion dev_init_done; + + int ctl_in_pipe, ctl_out_pipe; + struct urb *ctl_urb; /* URB for control endpoint */ +@@ -1195,11 +1195,11 @@ static void brcmf_usb_probe_phase2(struct device *dev, int ret, + if (ret) + goto error; + +- mutex_unlock(&devinfo->dev_init_lock); ++ complete(&devinfo->dev_init_done); + return; + error: + brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), ret); +- mutex_unlock(&devinfo->dev_init_lock); ++ complete(&devinfo->dev_init_done); + device_release_driver(dev); + } + +@@ -1267,7 +1267,7 @@ static int brcmf_usb_probe_cb(struct brcmf_usbdev_info *devinfo) + if (ret) + goto fail; + /* we are done */ +- mutex_unlock(&devinfo->dev_init_lock); ++ complete(&devinfo->dev_init_done); + return 0; + } + bus->chip = bus_pub->devid; +@@ -1327,11 +1327,10 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id) + + devinfo->usbdev = usb; + devinfo->dev = &usb->dev; +- /* Take an init lock, to protect for disconnect while still loading. ++ /* Init completion, to protect for disconnect while still loading. + * Necessary because of the asynchronous firmware load construction + */ +- mutex_init(&devinfo->dev_init_lock); +- mutex_lock(&devinfo->dev_init_lock); ++ init_completion(&devinfo->dev_init_done); + + usb_set_intfdata(intf, devinfo); + +@@ -1409,7 +1408,7 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id) + return 0; + + fail: +- mutex_unlock(&devinfo->dev_init_lock); ++ complete(&devinfo->dev_init_done); + kfree(devinfo); + usb_set_intfdata(intf, NULL); + return ret; +@@ -1424,7 +1423,7 @@ brcmf_usb_disconnect(struct usb_interface *intf) + devinfo = (struct brcmf_usbdev_info *)usb_get_intfdata(intf); + + if (devinfo) { +- mutex_lock(&devinfo->dev_init_lock); ++ wait_for_completion(&devinfo->dev_init_done); + /* Make sure that devinfo still exists. Firmware probe routines + * may have released the device and cleared the intfdata. + */ +-- +2.20.1 + diff --git a/queue-4.19/brcmfmac-fix-missing-checks-for-kmemdup.patch b/queue-4.19/brcmfmac-fix-missing-checks-for-kmemdup.patch new file mode 100644 index 00000000000..76c9566e3d9 --- /dev/null +++ b/queue-4.19/brcmfmac-fix-missing-checks-for-kmemdup.patch @@ -0,0 +1,43 @@ +From e0f360f739e54c04cb98b42e5b7ff97448d2b583 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Fri, 15 Mar 2019 12:04:32 -0500 +Subject: brcmfmac: fix missing checks for kmemdup + +[ Upstream commit 46953f97224d56a12ccbe9c6acaa84ca0dab2780 ] + +In case kmemdup fails, the fix sets conn_info->req_ie_len and +conn_info->resp_ie_len to zero to avoid buffer overflows. + +Signed-off-by: Kangjie Lu +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +index fa1a2e5ab03fb..c7c520f327f2b 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -5368,6 +5368,8 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg, + conn_info->req_ie = + kmemdup(cfg->extra_buf, conn_info->req_ie_len, + GFP_KERNEL); ++ if (!conn_info->req_ie) ++ conn_info->req_ie_len = 0; + } else { + conn_info->req_ie_len = 0; + conn_info->req_ie = NULL; +@@ -5384,6 +5386,8 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg, + conn_info->resp_ie = + kmemdup(cfg->extra_buf, conn_info->resp_ie_len, + GFP_KERNEL); ++ if (!conn_info->resp_ie) ++ conn_info->resp_ie_len = 0; + } else { + conn_info->resp_ie_len = 0; + conn_info->resp_ie = NULL; +-- +2.20.1 + diff --git a/queue-4.19/brcmfmac-fix-oops-when-bringing-up-interface-during-.patch b/queue-4.19/brcmfmac-fix-oops-when-bringing-up-interface-during-.patch new file mode 100644 index 00000000000..a9a7e8afec6 --- /dev/null +++ b/queue-4.19/brcmfmac-fix-oops-when-bringing-up-interface-during-.patch @@ -0,0 +1,130 @@ +From 9e6d4dd52b854e256e0dbe9cc6eb4e9f0b1c2b8b Mon Sep 17 00:00:00 2001 +From: Piotr Figiel +Date: Wed, 13 Mar 2019 09:52:01 +0000 +Subject: brcmfmac: fix Oops when bringing up interface during USB disconnect + +[ Upstream commit 24d413a31afaee9bbbf79226052c386b01780ce2 ] + +Fix a race which leads to an Oops with NULL pointer dereference. The +dereference is in brcmf_config_dongle() when cfg_to_ndev() attempts to get +net_device structure of interface with index 0 via if2bss mapping. This +shouldn't fail because of check for bus being ready in brcmf_netdev_open(), +but it's not synchronised with USB disconnect and there is a race: after +the check the bus can be marked down and the mapping for interface 0 may be +gone. + +Solve this by modifying disconnect handling so that the removal of mapping +of ifidx to brcmf_if structure happens after netdev removal (which is +synchronous with brcmf_netdev_open() thanks to rtln being locked in +devinet_ioctl()). This assures brcmf_netdev_open() returns before the +mapping is removed during disconnect. + +Unable to handle kernel NULL pointer dereference at virtual address 00000008 +pgd = bcae2612 +[00000008] *pgd=8be73831 +Internal error: Oops: 17 [#1] PREEMPT SMP ARM +Modules linked in: brcmfmac brcmutil nf_log_ipv4 nf_log_common xt_LOG xt_limit +iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 +nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis +u_ether usb_serial_simple usbserial cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc +usbmisc_imx ulpi 8250_exar 8250_pci 8250 8250_base libcomposite configfs +udc_core [last unloaded: brcmutil] +CPU: 2 PID: 24478 Comm: ifconfig Not tainted 4.19.23-00078-ga62866d-dirty #115 +Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +PC is at brcmf_cfg80211_up+0x94/0x29c [brcmfmac] +LR is at brcmf_cfg80211_up+0x8c/0x29c [brcmfmac] +pc : [<7f26a91c>] lr : [<7f26a914>] psr: a0070013 +sp : eca99d28 ip : 00000000 fp : ee9c6c00 +r10: 00000036 r9 : 00000000 r8 : ece4002c +r7 : edb5b800 r6 : 00000000 r5 : 80f08448 r4 : edb5b968 +r3 : ffffffff r2 : 00000000 r1 : 00000002 r0 : 00000000 +Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +Control: 10c5387d Table: 7ca0c04a DAC: 00000051 +Process ifconfig (pid: 24478, stack limit = 0xd9e85a0e) +Stack: (0xeca99d28 to 0xeca9a000) +9d20: 00000000 80f873b0 0000000d 80f08448 eca99d68 50d45f32 +9d40: 7f27de94 ece40000 80f08448 80f08448 7f27de94 ece4002c 00000000 00000036 +9d60: ee9c6c00 7f27262c 00001002 50d45f32 ece40000 00000000 80f08448 80772008 +9d80: 00000001 00001043 00001002 ece40000 00000000 50d45f32 ece40000 00000001 +9da0: 80f08448 00001043 00001002 807723d0 00000000 50d45f32 80f08448 eca99e58 +9dc0: 80f87113 50d45f32 80f08448 ece40000 ece40138 00001002 80f08448 00000000 +9de0: 00000000 80772434 edbd5380 eca99e58 edbd5380 80f08448 ee9c6c0c 80805f70 +9e00: 00000000 ede08e00 00008914 ece40000 00000014 ee9c6c0c 600c0013 00001043 +9e20: 0208a8c0 ffffffff 00000000 50d45f32 eca98000 80f08448 7ee9fc38 00008914 +9e40: 80f68e40 00000051 eca98000 00000036 00000003 80808b9c 6e616c77 00000030 +9e60: 00000000 00000000 00001043 0208a8c0 ffffffff 00000000 80f08448 00000000 +9e80: 00000000 816d8b20 600c0013 00000001 ede09320 801763d4 00000000 50d45f32 +9ea0: eca98000 80f08448 7ee9fc38 50d45f32 00008914 80f08448 7ee9fc38 80f68e40 +9ec0: ed531540 8074721c 00000800 00000001 00000000 6e616c77 00000030 00000000 +9ee0: 00000000 00001002 0208a8c0 ffffffff 00000000 50d45f32 80f08448 7ee9fc38 +9f00: ed531560 ec8fc900 80285a6c 80285138 edb910c0 00000000 ecd91008 ede08e00 +9f20: 80f08448 00000000 00000000 816d8b20 600c0013 00000001 ede09320 801763d4 +9f40: 00000000 50d45f32 00021000 edb91118 edb910c0 80f08448 01b29000 edb91118 +9f60: eca99f7c 50d45f32 00021000 ec8fc900 00000003 ec8fc900 00008914 7ee9fc38 +9f80: eca98000 00000036 00000003 80285a6c 00086364 7ee9fe1c 000000c3 00000036 +9fa0: 801011c4 80101000 00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364 +9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003 +9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc 600c0010 00000003 00000000 00000000 +[<7f26a91c>] (brcmf_cfg80211_up [brcmfmac]) from [<7f27262c>] (brcmf_netdev_open+0x74/0xe8 [brcmfmac]) +[<7f27262c>] (brcmf_netdev_open [brcmfmac]) from [<80772008>] (__dev_open+0xcc/0x150) +[<80772008>] (__dev_open) from [<807723d0>] (__dev_change_flags+0x168/0x1b4) +[<807723d0>] (__dev_change_flags) from [<80772434>] (dev_change_flags+0x18/0x48) +[<80772434>] (dev_change_flags) from [<80805f70>] (devinet_ioctl+0x67c/0x79c) +[<80805f70>] (devinet_ioctl) from [<80808b9c>] (inet_ioctl+0x210/0x3d4) +[<80808b9c>] (inet_ioctl) from [<8074721c>] (sock_ioctl+0x350/0x524) +[<8074721c>] (sock_ioctl) from [<80285138>] (do_vfs_ioctl+0xb0/0x9b0) +[<80285138>] (do_vfs_ioctl) from [<80285a6c>] (ksys_ioctl+0x34/0x5c) +[<80285a6c>] (ksys_ioctl) from [<80101000>] (ret_fast_syscall+0x0/0x28) +Exception stack(0xeca99fa8 to 0xeca99ff0) +9fa0: 00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364 +9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003 +9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc +Code: e5970328 eb002021 e1a02006 e3a01002 (e5909008) +---[ end trace 5cbac2333f3ac5df ]--- + +Signed-off-by: Piotr Figiel +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + .../net/wireless/broadcom/brcm80211/brcmfmac/core.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +index 09c5f67f4089e..36a04c1144e5d 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -784,17 +784,17 @@ static void brcmf_del_if(struct brcmf_pub *drvr, s32 bsscfgidx, + bool rtnl_locked) + { + struct brcmf_if *ifp; ++ int ifidx; + + ifp = drvr->iflist[bsscfgidx]; +- drvr->iflist[bsscfgidx] = NULL; + if (!ifp) { + brcmf_err("Null interface, bsscfgidx=%d\n", bsscfgidx); + return; + } + brcmf_dbg(TRACE, "Enter, bsscfgidx=%d, ifidx=%d\n", bsscfgidx, + ifp->ifidx); +- if (drvr->if2bss[ifp->ifidx] == bsscfgidx) +- drvr->if2bss[ifp->ifidx] = BRCMF_BSSIDX_INVALID; ++ ifidx = ifp->ifidx; ++ + if (ifp->ndev) { + if (bsscfgidx == 0) { + if (ifp->ndev->netdev_ops == &brcmf_netdev_ops_pri) { +@@ -822,6 +822,10 @@ static void brcmf_del_if(struct brcmf_pub *drvr, s32 bsscfgidx, + brcmf_p2p_ifp_removed(ifp, rtnl_locked); + kfree(ifp); + } ++ ++ drvr->iflist[bsscfgidx] = NULL; ++ if (drvr->if2bss[ifidx] == bsscfgidx) ++ drvr->if2bss[ifidx] = BRCMF_BSSIDX_INVALID; + } + + void brcmf_remove_interface(struct brcmf_if *ifp, bool rtnl_locked) +-- +2.20.1 + diff --git a/queue-4.19/brcmfmac-fix-race-during-disconnect-when-usb-complet.patch b/queue-4.19/brcmfmac-fix-race-during-disconnect-when-usb-complet.patch new file mode 100644 index 00000000000..fb8bef8de83 --- /dev/null +++ b/queue-4.19/brcmfmac-fix-race-during-disconnect-when-usb-complet.patch @@ -0,0 +1,92 @@ +From 6afd2d7b1e5e984bb5d5ad77dcf3adaa7855e633 Mon Sep 17 00:00:00 2001 +From: Piotr Figiel +Date: Fri, 8 Mar 2019 15:25:04 +0000 +Subject: brcmfmac: fix race during disconnect when USB completion is in + progress + +[ Upstream commit db3b9e2e1d58080d0754bdf9293dabf8c6491b67 ] + +It was observed that rarely during USB disconnect happening shortly after +connect (before full initialization completes) usb_hub_wq would wait +forever for the dev_init_lock to be unlocked. dev_init_lock would remain +locked though because of infinite wait during usb_kill_urb: + +[ 2730.656472] kworker/0:2 D 0 260 2 0x00000000 +[ 2730.660700] Workqueue: events request_firmware_work_func +[ 2730.664807] [<809dca20>] (__schedule) from [<809dd164>] (schedule+0x4c/0xac) +[ 2730.670587] [<809dd164>] (schedule) from [<8069af44>] (usb_kill_urb+0xdc/0x114) +[ 2730.676815] [<8069af44>] (usb_kill_urb) from [<7f258b50>] (brcmf_usb_free_q+0x34/0xa8 [brcmfmac]) +[ 2730.684833] [<7f258b50>] (brcmf_usb_free_q [brcmfmac]) from [<7f2517d4>] (brcmf_detach+0xa0/0xb8 [brcmfmac]) +[ 2730.693557] [<7f2517d4>] (brcmf_detach [brcmfmac]) from [<7f251a34>] (brcmf_attach+0xac/0x3d8 [brcmfmac]) +[ 2730.702094] [<7f251a34>] (brcmf_attach [brcmfmac]) from [<7f2587ac>] (brcmf_usb_probe_phase2+0x468/0x4a0 [brcmfmac]) +[ 2730.711601] [<7f2587ac>] (brcmf_usb_probe_phase2 [brcmfmac]) from [<7f252888>] (brcmf_fw_request_done+0x194/0x220 [brcmfmac]) +[ 2730.721795] [<7f252888>] (brcmf_fw_request_done [brcmfmac]) from [<805748e4>] (request_firmware_work_func+0x4c/0x88) +[ 2730.731125] [<805748e4>] (request_firmware_work_func) from [<80141474>] (process_one_work+0x228/0x808) +[ 2730.739223] [<80141474>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564) +[ 2730.746105] [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c) +[ 2730.752227] [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20) + +[ 2733.099695] kworker/0:3 D 0 1065 2 0x00000000 +[ 2733.103926] Workqueue: usb_hub_wq hub_event +[ 2733.106914] [<809dca20>] (__schedule) from [<809dd164>] (schedule+0x4c/0xac) +[ 2733.112693] [<809dd164>] (schedule) from [<809e2a8c>] (schedule_timeout+0x214/0x3e4) +[ 2733.119621] [<809e2a8c>] (schedule_timeout) from [<809dde2c>] (wait_for_common+0xc4/0x1c0) +[ 2733.126810] [<809dde2c>] (wait_for_common) from [<7f258d00>] (brcmf_usb_disconnect+0x1c/0x4c [brcmfmac]) +[ 2733.135206] [<7f258d00>] (brcmf_usb_disconnect [brcmfmac]) from [<8069e0c8>] (usb_unbind_interface+0x5c/0x1e4) +[ 2733.143943] [<8069e0c8>] (usb_unbind_interface) from [<8056d3e8>] (device_release_driver_internal+0x164/0x1fc) +[ 2733.152769] [<8056d3e8>] (device_release_driver_internal) from [<8056c078>] (bus_remove_device+0xd0/0xfc) +[ 2733.161138] [<8056c078>] (bus_remove_device) from [<8056977c>] (device_del+0x11c/0x310) +[ 2733.167939] [<8056977c>] (device_del) from [<8069cba8>] (usb_disable_device+0xa0/0x1cc) +[ 2733.174743] [<8069cba8>] (usb_disable_device) from [<8069507c>] (usb_disconnect+0x74/0x1dc) +[ 2733.181823] [<8069507c>] (usb_disconnect) from [<80695e88>] (hub_event+0x478/0xf88) +[ 2733.188278] [<80695e88>] (hub_event) from [<80141474>] (process_one_work+0x228/0x808) +[ 2733.194905] [<80141474>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564) +[ 2733.201724] [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c) +[ 2733.207913] [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20) + +It was traced down to a case where usb_kill_urb would be called on an URB +structure containing more or less random data, including large number in +its use_count. During the debugging it appeared that in brcmf_usb_free_q() +the traversal over URBs' lists is not synchronized with operations on those +lists in brcmf_usb_rx_complete() leading to handling +brcmf_usbdev_info structure (holding lists' head) as lists' element and in +result causing above problem. + +Fix it by walking through all URBs during brcmf_cancel_all_urbs using the +arrays of requests instead of linked lists. + +Signed-off-by: Piotr Figiel +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c +index 5aeb401d9a024..44ead0fea7c61 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c +@@ -684,12 +684,18 @@ static int brcmf_usb_up(struct device *dev) + + static void brcmf_cancel_all_urbs(struct brcmf_usbdev_info *devinfo) + { ++ int i; ++ + if (devinfo->ctl_urb) + usb_kill_urb(devinfo->ctl_urb); + if (devinfo->bulk_urb) + usb_kill_urb(devinfo->bulk_urb); +- brcmf_usb_free_q(&devinfo->tx_postq, true); +- brcmf_usb_free_q(&devinfo->rx_postq, true); ++ if (devinfo->tx_reqs) ++ for (i = 0; i < devinfo->bus_pub.ntxq; i++) ++ usb_kill_urb(devinfo->tx_reqs[i].urb); ++ if (devinfo->rx_reqs) ++ for (i = 0; i < devinfo->bus_pub.nrxq; i++) ++ usb_kill_urb(devinfo->rx_reqs[i].urb); + } + + static void brcmf_usb_down(struct device *dev) +-- +2.20.1 + diff --git a/queue-4.19/brcmfmac-fix-warning-during-usb-disconnect-in-case-o.patch b/queue-4.19/brcmfmac-fix-warning-during-usb-disconnect-in-case-o.patch new file mode 100644 index 00000000000..26ca55e98bf --- /dev/null +++ b/queue-4.19/brcmfmac-fix-warning-during-usb-disconnect-in-case-o.patch @@ -0,0 +1,131 @@ +From 71313ab1fadda533460e71dfd904fabd5e2be45b Mon Sep 17 00:00:00 2001 +From: Piotr Figiel +Date: Mon, 4 Mar 2019 15:42:49 +0000 +Subject: brcmfmac: fix WARNING during USB disconnect in case of unempty psq + +[ Upstream commit c80d26e81ef1802f30364b4ad1955c1443a592b9 ] + +brcmu_pkt_buf_free_skb emits WARNING when attempting to free a sk_buff +which is part of any queue. After USB disconnect this may have happened +when brcmf_fws_hanger_cleanup() is called as per-interface psq was never +cleaned when removing the interface. +Change brcmf_fws_macdesc_cleanup() in a way that it removes the +corresponding packets from hanger table (to avoid double-free when +brcmf_fws_hanger_cleanup() is called) and add a call to clean-up the +interface specific packet queue. + +Below is a WARNING during USB disconnect with Raspberry Pi WiFi dongle +running in AP mode. This was reproducible when the interface was +transmitting during the disconnect and is fixed with this commit. + +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 1171 at drivers/net/wireless/broadcom/brcm80211/brcmutil/utils.c:49 brcmu_pkt_buf_free_skb+0x3c/0x40 +Modules linked in: nf_log_ipv4 nf_log_common xt_LOG xt_limit iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis u_ether cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc ulpi usbmisc_imx 8250_exar 8250_pci 8250 8250_base libcomposite configfs udc_core +CPU: 0 PID: 1171 Comm: kworker/0:0 Not tainted 4.19.23-00075-gde33ed8 #99 +Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +Workqueue: usb_hub_wq hub_event +[<8010ff84>] (unwind_backtrace) from [<8010bb64>] (show_stack+0x10/0x14) +[<8010bb64>] (show_stack) from [<80840278>] (dump_stack+0x88/0x9c) +[<80840278>] (dump_stack) from [<8011f5ec>] (__warn+0xfc/0x114) +[<8011f5ec>] (__warn) from [<8011f71c>] (warn_slowpath_null+0x40/0x48) +[<8011f71c>] (warn_slowpath_null) from [<805a476c>] (brcmu_pkt_buf_free_skb+0x3c/0x40) +[<805a476c>] (brcmu_pkt_buf_free_skb) from [<805bb6c4>] (brcmf_fws_cleanup+0x1e4/0x22c) +[<805bb6c4>] (brcmf_fws_cleanup) from [<805bc854>] (brcmf_fws_del_interface+0x58/0x68) +[<805bc854>] (brcmf_fws_del_interface) from [<805b66ac>] (brcmf_remove_interface+0x40/0x150) +[<805b66ac>] (brcmf_remove_interface) from [<805b6870>] (brcmf_detach+0x6c/0xb0) +[<805b6870>] (brcmf_detach) from [<805bdbb8>] (brcmf_usb_disconnect+0x30/0x4c) +[<805bdbb8>] (brcmf_usb_disconnect) from [<805e5d64>] (usb_unbind_interface+0x5c/0x1e0) +[<805e5d64>] (usb_unbind_interface) from [<804aab10>] (device_release_driver_internal+0x154/0x1ec) +[<804aab10>] (device_release_driver_internal) from [<804a97f4>] (bus_remove_device+0xcc/0xf8) +[<804a97f4>] (bus_remove_device) from [<804a6fc0>] (device_del+0x118/0x308) +[<804a6fc0>] (device_del) from [<805e488c>] (usb_disable_device+0xa0/0x1c8) +[<805e488c>] (usb_disable_device) from [<805dcf98>] (usb_disconnect+0x70/0x1d8) +[<805dcf98>] (usb_disconnect) from [<805ddd84>] (hub_event+0x464/0xf50) +[<805ddd84>] (hub_event) from [<80135a70>] (process_one_work+0x138/0x3f8) +[<80135a70>] (process_one_work) from [<80135d5c>] (worker_thread+0x2c/0x554) +[<80135d5c>] (worker_thread) from [<8013b1a0>] (kthread+0x124/0x154) +[<8013b1a0>] (kthread) from [<801010e8>] (ret_from_fork+0x14/0x2c) +Exception stack(0xecf8dfb0 to 0xecf8dff8) +dfa0: 00000000 00000000 00000000 00000000 +dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +dfe0: 00000000 00000000 00000000 00000000 00000013 00000000 +---[ end trace 38d234018e9e2a90 ]--- +------------[ cut here ]------------ + +Signed-off-by: Piotr Figiel +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + .../broadcom/brcm80211/brcmfmac/fwsignal.c | 42 +++++++++++-------- + 1 file changed, 24 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c +index f3cbf78c8899c..5a0a29c4cdea3 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c +@@ -579,24 +579,6 @@ static bool brcmf_fws_ifidx_match(struct sk_buff *skb, void *arg) + return ifidx == *(int *)arg; + } + +-static void brcmf_fws_psq_flush(struct brcmf_fws_info *fws, struct pktq *q, +- int ifidx) +-{ +- bool (*matchfn)(struct sk_buff *, void *) = NULL; +- struct sk_buff *skb; +- int prec; +- +- if (ifidx != -1) +- matchfn = brcmf_fws_ifidx_match; +- for (prec = 0; prec < q->num_prec; prec++) { +- skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx); +- while (skb) { +- brcmu_pkt_buf_free_skb(skb); +- skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx); +- } +- } +-} +- + static void brcmf_fws_hanger_init(struct brcmf_fws_hanger *hanger) + { + int i; +@@ -668,6 +650,28 @@ static inline int brcmf_fws_hanger_poppkt(struct brcmf_fws_hanger *h, + return 0; + } + ++static void brcmf_fws_psq_flush(struct brcmf_fws_info *fws, struct pktq *q, ++ int ifidx) ++{ ++ bool (*matchfn)(struct sk_buff *, void *) = NULL; ++ struct sk_buff *skb; ++ int prec; ++ u32 hslot; ++ ++ if (ifidx != -1) ++ matchfn = brcmf_fws_ifidx_match; ++ for (prec = 0; prec < q->num_prec; prec++) { ++ skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx); ++ while (skb) { ++ hslot = brcmf_skb_htod_tag_get_field(skb, HSLOT); ++ brcmf_fws_hanger_poppkt(&fws->hanger, hslot, &skb, ++ true); ++ brcmu_pkt_buf_free_skb(skb); ++ skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx); ++ } ++ } ++} ++ + static int brcmf_fws_hanger_mark_suppressed(struct brcmf_fws_hanger *h, + u32 slot_id) + { +@@ -2168,6 +2172,8 @@ void brcmf_fws_del_interface(struct brcmf_if *ifp) + brcmf_fws_lock(fws); + ifp->fws_desc = NULL; + brcmf_dbg(TRACE, "deleting %s\n", entry->name); ++ brcmf_fws_macdesc_cleanup(fws, &fws->desc.iface[ifp->ifidx], ++ ifp->ifidx); + brcmf_fws_macdesc_deinit(entry); + brcmf_fws_cleanup(fws, ifp->ifidx); + brcmf_fws_unlock(fws); +-- +2.20.1 + diff --git a/queue-4.19/btrfs-don-t-panic-when-we-can-t-find-a-root-key.patch b/queue-4.19/btrfs-don-t-panic-when-we-can-t-find-a-root-key.patch new file mode 100644 index 00000000000..c9b38ecdc27 --- /dev/null +++ b/queue-4.19/btrfs-don-t-panic-when-we-can-t-find-a-root-key.patch @@ -0,0 +1,51 @@ +From 5bd6fa51274b3852e9be8696fae2eb2ca52e343d Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Tue, 26 Feb 2019 16:33:56 +0800 +Subject: btrfs: Don't panic when we can't find a root key + +[ Upstream commit 7ac1e464c4d473b517bb784f30d40da1f842482e ] + +When we failed to find a root key in btrfs_update_root(), we just panic. + +That's definitely not cool, fix it by outputting an unique error +message, aborting current transaction and return -EUCLEAN. This should +not normally happen as the root has been used by the callers in some +way. + +Reviewed-by: Filipe Manana +Reviewed-by: Johannes Thumshirn +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/root-tree.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/fs/btrfs/root-tree.c b/fs/btrfs/root-tree.c +index fb205ebeca391..3228d3b3084a4 100644 +--- a/fs/btrfs/root-tree.c ++++ b/fs/btrfs/root-tree.c +@@ -135,11 +135,14 @@ int btrfs_update_root(struct btrfs_trans_handle *trans, struct btrfs_root + if (ret < 0) + goto out; + +- if (ret != 0) { +- btrfs_print_leaf(path->nodes[0]); +- btrfs_crit(fs_info, "unable to update root key %llu %u %llu", +- key->objectid, key->type, key->offset); +- BUG_ON(1); ++ if (ret > 0) { ++ btrfs_crit(fs_info, ++ "unable to find root key (%llu %u %llu) in tree %llu", ++ key->objectid, key->type, key->offset, ++ root->root_key.objectid); ++ ret = -EUCLEAN; ++ btrfs_abort_transaction(trans, ret); ++ goto out; + } + + l = path->nodes[0]; +-- +2.20.1 + diff --git a/queue-4.19/btrfs-fix-data-bytes_may_use-underflow-with-fallocat.patch b/queue-4.19/btrfs-fix-data-bytes_may_use-underflow-with-fallocat.patch new file mode 100644 index 00000000000..b872240d0bf --- /dev/null +++ b/queue-4.19/btrfs-fix-data-bytes_may_use-underflow-with-fallocat.patch @@ -0,0 +1,60 @@ +From 2cf442d9dcfd5ee1f279792bd487dda1f8c8081f Mon Sep 17 00:00:00 2001 +From: Robbie Ko +Date: Tue, 26 Mar 2019 11:56:11 +0800 +Subject: Btrfs: fix data bytes_may_use underflow with fallocate due to failed + quota reserve + +[ Upstream commit 39ad317315887c2cb9a4347a93a8859326ddf136 ] + +When doing fallocate, we first add the range to the reserve_list and +then reserve the quota. If quota reservation fails, we'll release all +reserved parts of reserve_list. + +However, cur_offset is not updated to indicate that this range is +already been inserted into the list. Therefore, the same range is freed +twice. Once at list_for_each_entry loop, and once at the end of the +function. This will result in WARN_ON on bytes_may_use when we free the +remaining space. + +At the end, under the 'out' label we have a call to: + + btrfs_free_reserved_data_space(inode, data_reserved, alloc_start, alloc_end - cur_offset); + +The start offset, third argument, should be cur_offset. + +Everything from alloc_start to cur_offset was freed by the +list_for_each_entry_safe_loop. + +Fixes: 18513091af94 ("btrfs: update btrfs_space_info's bytes_may_use timely") +Reviewed-by: Filipe Manana +Signed-off-by: Robbie Ko +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/file.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c +index de4d3baec1616..e24c0a69ff5d4 100644 +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -3161,6 +3161,7 @@ static long btrfs_fallocate(struct file *file, int mode, + ret = btrfs_qgroup_reserve_data(inode, &data_reserved, + cur_offset, last_byte - cur_offset); + if (ret < 0) { ++ cur_offset = last_byte; + free_extent_map(em); + break; + } +@@ -3210,7 +3211,7 @@ static long btrfs_fallocate(struct file *file, int mode, + /* Let go of our reservation. */ + if (ret != 0 && !(mode & FALLOC_FL_ZERO_RANGE)) + btrfs_free_reserved_data_space(inode, data_reserved, +- alloc_start, alloc_end - cur_offset); ++ cur_offset, alloc_end - cur_offset); + extent_changeset_free(data_reserved); + return ret; + } +-- +2.20.1 + diff --git a/queue-4.19/btrfs-fix-panic-during-relocation-after-enospc-befor.patch b/queue-4.19/btrfs-fix-panic-during-relocation-after-enospc-befor.patch new file mode 100644 index 00000000000..dbc329adb37 --- /dev/null +++ b/queue-4.19/btrfs-fix-panic-during-relocation-after-enospc-befor.patch @@ -0,0 +1,121 @@ +From 3bb9017bfcd9188c2f4f521a71f14a151a43fbe1 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Mon, 25 Feb 2019 11:14:45 -0500 +Subject: btrfs: fix panic during relocation after ENOSPC before writeback + happens + +[ Upstream commit ff612ba7849964b1898fd3ccd1f56941129c6aab ] + +We've been seeing the following sporadically throughout our fleet + +panic: kernel BUG at fs/btrfs/relocation.c:4584! +netversion: 5.0-0 +Backtrace: + #0 [ffffc90003adb880] machine_kexec at ffffffff81041da8 + #1 [ffffc90003adb8c8] __crash_kexec at ffffffff8110396c + #2 [ffffc90003adb988] crash_kexec at ffffffff811048ad + #3 [ffffc90003adb9a0] oops_end at ffffffff8101c19a + #4 [ffffc90003adb9c0] do_trap at ffffffff81019114 + #5 [ffffc90003adba00] do_error_trap at ffffffff810195d0 + #6 [ffffc90003adbab0] invalid_op at ffffffff81a00a9b + [exception RIP: btrfs_reloc_cow_block+692] + RIP: ffffffff8143b614 RSP: ffffc90003adbb68 RFLAGS: 00010246 + RAX: fffffffffffffff7 RBX: ffff8806b9c32000 RCX: ffff8806aad00690 + RDX: ffff880850b295e0 RSI: ffff8806b9c32000 RDI: ffff88084f205bd0 + RBP: ffff880849415000 R8: ffffc90003adbbe0 R9: ffff88085ac90000 + R10: ffff8805f7369140 R11: 0000000000000000 R12: ffff880850b295e0 + R13: ffff88084f205bd0 R14: 0000000000000000 R15: 0000000000000000 + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + #7 [ffffc90003adbbb0] __btrfs_cow_block at ffffffff813bf1cd + #8 [ffffc90003adbc28] btrfs_cow_block at ffffffff813bf4b3 + #9 [ffffc90003adbc78] btrfs_search_slot at ffffffff813c2e6c + +The way relocation moves data extents is by creating a reloc inode and +preallocating extents in this inode and then copying the data into these +preallocated extents. Once we've done this for all of our extents, +we'll write out these dirty pages, which marks the extent written, and +goes into btrfs_reloc_cow_block(). From here we get our current +reloc_control, which _should_ match the reloc_control for the current +block group we're relocating. + +However if we get an ENOSPC in this path at some point we'll bail out, +never initiating writeback on this inode. Not a huge deal, unless we +happen to be doing relocation on a different block group, and this block +group is now rc->stage == UPDATE_DATA_PTRS. This trips the BUG_ON() in +btrfs_reloc_cow_block(), because we expect to be done modifying the data +inode. We are in fact done modifying the metadata for the data inode +we're currently using, but not the one from the failed block group, and +thus we BUG_ON(). + +(This happens when writeback finishes for extents from the previous +group, when we are at btrfs_finish_ordered_io() which updates the data +reloc tree (inode item, drops/adds extent items, etc).) + +Fix this by writing out the reloc data inode always, and then breaking +out of the loop after that point to keep from tripping this BUG_ON() +later. + +Signed-off-by: Josef Bacik +Reviewed-by: Filipe Manana +[ add note from Filipe ] +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/relocation.c | 31 ++++++++++++++++++++----------- + 1 file changed, 20 insertions(+), 11 deletions(-) + +diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c +index 0526b6c473c79..5d57ed6293455 100644 +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -4289,27 +4289,36 @@ int btrfs_relocate_block_group(struct btrfs_fs_info *fs_info, u64 group_start) + mutex_lock(&fs_info->cleaner_mutex); + ret = relocate_block_group(rc); + mutex_unlock(&fs_info->cleaner_mutex); +- if (ret < 0) { ++ if (ret < 0) + err = ret; +- goto out; +- } +- +- if (rc->extents_found == 0) +- break; +- +- btrfs_info(fs_info, "found %llu extents", rc->extents_found); + ++ /* ++ * We may have gotten ENOSPC after we already dirtied some ++ * extents. If writeout happens while we're relocating a ++ * different block group we could end up hitting the ++ * BUG_ON(rc->stage == UPDATE_DATA_PTRS) in ++ * btrfs_reloc_cow_block. Make sure we write everything out ++ * properly so we don't trip over this problem, and then break ++ * out of the loop if we hit an error. ++ */ + if (rc->stage == MOVE_DATA_EXTENTS && rc->found_file_extent) { + ret = btrfs_wait_ordered_range(rc->data_inode, 0, + (u64)-1); +- if (ret) { ++ if (ret) + err = ret; +- goto out; +- } + invalidate_mapping_pages(rc->data_inode->i_mapping, + 0, -1); + rc->stage = UPDATE_DATA_PTRS; + } ++ ++ if (err < 0) ++ goto out; ++ ++ if (rc->extents_found == 0) ++ break; ++ ++ btrfs_info(fs_info, "found %llu extents", rc->extents_found); ++ + } + + WARN_ON(rc->block_group->pinned > 0); +-- +2.20.1 + diff --git a/queue-4.19/cgroup-protect-cgroup-nr_-dying_-descendants-by-css_.patch b/queue-4.19/cgroup-protect-cgroup-nr_-dying_-descendants-by-css_.patch new file mode 100644 index 00000000000..1d7c5498ba1 --- /dev/null +++ b/queue-4.19/cgroup-protect-cgroup-nr_-dying_-descendants-by-css_.patch @@ -0,0 +1,94 @@ +From 367b6323a71fe4893b601432920ebaafd1a8de8d Mon Sep 17 00:00:00 2001 +From: Roman Gushchin +Date: Fri, 19 Apr 2019 10:03:03 -0700 +Subject: cgroup: protect cgroup->nr_(dying_)descendants by css_set_lock + +[ Upstream commit 4dcabece4c3a9f9522127be12cc12cc120399b2f ] + +The number of descendant cgroups and the number of dying +descendant cgroups are currently synchronized using the cgroup_mutex. + +The number of descendant cgroups will be required by the cgroup v2 +freezer, which will use it to determine if a cgroup is frozen +(depending on total number of descendants and number of frozen +descendants). It's not always acceptable to grab the cgroup_mutex, +especially from quite hot paths (e.g. exit()). + +To avoid this, let's additionally synchronize these counters using +the css_set_lock. + +So, it's safe to read these counters with either cgroup_mutex or +css_set_lock locked, and for changing both locks should be acquired. + +Signed-off-by: Roman Gushchin +Signed-off-by: Tejun Heo +Cc: kernel-team@fb.com +Signed-off-by: Sasha Levin +--- + include/linux/cgroup-defs.h | 5 +++++ + kernel/cgroup/cgroup.c | 6 ++++++ + 2 files changed, 11 insertions(+) + +diff --git a/include/linux/cgroup-defs.h b/include/linux/cgroup-defs.h +index 6002275937f55..a6090154b2ab7 100644 +--- a/include/linux/cgroup-defs.h ++++ b/include/linux/cgroup-defs.h +@@ -346,6 +346,11 @@ struct cgroup { + * Dying cgroups are cgroups which were deleted by a user, + * but are still existing because someone else is holding a reference. + * max_descendants is a maximum allowed number of descent cgroups. ++ * ++ * nr_descendants and nr_dying_descendants are protected ++ * by cgroup_mutex and css_set_lock. It's fine to read them holding ++ * any of cgroup_mutex and css_set_lock; for writing both locks ++ * should be held. + */ + int nr_descendants; + int nr_dying_descendants; +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index 63dae7e0ccae7..81441117f6114 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -4659,9 +4659,11 @@ static void css_release_work_fn(struct work_struct *work) + if (cgroup_on_dfl(cgrp)) + cgroup_rstat_flush(cgrp); + ++ spin_lock_irq(&css_set_lock); + for (tcgrp = cgroup_parent(cgrp); tcgrp; + tcgrp = cgroup_parent(tcgrp)) + tcgrp->nr_dying_descendants--; ++ spin_unlock_irq(&css_set_lock); + + cgroup_idr_remove(&cgrp->root->cgroup_idr, cgrp->id); + cgrp->id = -1; +@@ -4874,12 +4876,14 @@ static struct cgroup *cgroup_create(struct cgroup *parent) + if (ret) + goto out_idr_free; + ++ spin_lock_irq(&css_set_lock); + for (tcgrp = cgrp; tcgrp; tcgrp = cgroup_parent(tcgrp)) { + cgrp->ancestor_ids[tcgrp->level] = tcgrp->id; + + if (tcgrp != cgrp) + tcgrp->nr_descendants++; + } ++ spin_unlock_irq(&css_set_lock); + + if (notify_on_release(parent)) + set_bit(CGRP_NOTIFY_ON_RELEASE, &cgrp->flags); +@@ -5162,10 +5166,12 @@ static int cgroup_destroy_locked(struct cgroup *cgrp) + if (parent && cgroup_is_threaded(cgrp)) + parent->nr_threaded_children--; + ++ spin_lock_irq(&css_set_lock); + for (tcgrp = cgroup_parent(cgrp); tcgrp; tcgrp = cgroup_parent(tcgrp)) { + tcgrp->nr_descendants--; + tcgrp->nr_dying_descendants++; + } ++ spin_unlock_irq(&css_set_lock); + + cgroup1_check_for_release(parent); + +-- +2.20.1 + diff --git a/queue-4.19/chardev-add-additional-check-for-minor-range-overlap.patch b/queue-4.19/chardev-add-additional-check-for-minor-range-overlap.patch new file mode 100644 index 00000000000..0896f57660d --- /dev/null +++ b/queue-4.19/chardev-add-additional-check-for-minor-range-overlap.patch @@ -0,0 +1,38 @@ +From 034ada71c5b8bfc56a74a2071242b66808321765 Mon Sep 17 00:00:00 2001 +From: Chengguang Xu +Date: Fri, 15 Feb 2019 20:27:11 +0800 +Subject: chardev: add additional check for minor range overlap + +[ Upstream commit de36e16d1557a0b6eb328bc3516359a12ba5c25c ] + +Current overlap checking cannot correctly handle +a case which is baseminor < existing baseminor && +baseminor + minorct > existing baseminor + minorct. + +Signed-off-by: Chengguang Xu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + fs/char_dev.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/char_dev.c b/fs/char_dev.c +index a279c58fe3606..8a63cfa290053 100644 +--- a/fs/char_dev.c ++++ b/fs/char_dev.c +@@ -159,6 +159,12 @@ __register_chrdev_region(unsigned int major, unsigned int baseminor, + ret = -EBUSY; + goto out; + } ++ ++ if (new_min < old_min && new_max > old_max) { ++ ret = -EBUSY; ++ goto out; ++ } ++ + } + + cd->next = *cp; +-- +2.20.1 + diff --git a/queue-4.19/clk-rockchip-fix-video-codec-clocks-on-rk3288.patch b/queue-4.19/clk-rockchip-fix-video-codec-clocks-on-rk3288.patch new file mode 100644 index 00000000000..f02fa5d072b --- /dev/null +++ b/queue-4.19/clk-rockchip-fix-video-codec-clocks-on-rk3288.patch @@ -0,0 +1,83 @@ +From 9f05ef34a18ab5be145e8f1ebe014cbc574263c7 Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Thu, 11 Apr 2019 06:55:55 -0700 +Subject: clk: rockchip: Fix video codec clocks on rk3288 + +[ Upstream commit 00c0cd9e59d265b393553e9afa54fee8b10e8158 ] + +It appears that there is a typo in the rk3288 TRM. For +GRF_SOC_CON0[7] it says that 0 means "vepu" and 1 means "vdpu". It's +the other way around. + +How do I know? Here's my evidence: + +1. Prior to commit 4d3e84f99628 ("clk: rockchip: describe aclk_vcodec + using the new muxgrf type on rk3288") we always pretended that we + were using "aclk_vdpu" and the comment in the code said that this + matched the default setting in the system. In fact the default + setting is 0 according to the TRM and according to reading memory + at bootup. In addition rk3288-based Chromebooks ran like this and + the video codecs worked. +2. With the existing clock code if you boot up and try to enable the + new VIDEO_ROCKCHIP_VPU as a module (and without "clk_ignore_unused" + on the command line), you get errors like "failed to get ack on + domain 'pd_video', val=0x80208". After flipping vepu/vdpu things + init OK. +3. If I export and add both the vepu and vdpu to the list of clocks + for RK3288_PD_VIDEO I can get past the power domain errors, but now + I freeze when the vpu_mmu gets initted. +4. If I just mark the "vdpu" as IGNORE_UNUSED then everything boots up + and probes OK showing that somehow the "vdpu" was important to keep + enabled. This is because we were actually using it as a parent. +5. After this change I can hack "aclk_vcodec_pre" to parent from + "aclk_vepu" using assigned-clocks and the video codec still probes + OK. +6. Rockchip has said so on the mailing list [1]. + +...so let's fix it. + +Let's also add CLK_SET_RATE_PARENT to "aclk_vcodec_pre" as suggested +by Jonas Karlman. Prior to the same commit you could do +clk_set_rate() on "aclk_vcodec" and it would change "aclk_vdpu". +That's because "aclk_vcodec" was a simple gate clock (always gets +CLK_SET_RATE_PARENT) and its direct parent was "aclk_vdpu". After +that commit "aclk_vcodec_pre" gets in the way so we need to add +CLK_SET_RATE_PARENT to it too. + +[1] https://lkml.kernel.org/r/1d17b015-9e17-34b9-baf8-c285dc1957aa@rock-chips.com + +Fixes: 4d3e84f99628 ("clk: rockchip: describe aclk_vcodec using the new muxgrf type on rk3288") +Suggested-by: Jonas Karlman +Suggested-by: Randy Li +Signed-off-by: Douglas Anderson +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-rk3288.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/rockchip/clk-rk3288.c b/drivers/clk/rockchip/clk-rk3288.c +index 45cd2897e586b..c6cd6d28af56f 100644 +--- a/drivers/clk/rockchip/clk-rk3288.c ++++ b/drivers/clk/rockchip/clk-rk3288.c +@@ -198,7 +198,7 @@ PNAME(mux_hsadcout_p) = { "hsadc_src", "ext_hsadc" }; + PNAME(mux_edp_24m_p) = { "ext_edp_24m", "xin24m" }; + PNAME(mux_tspout_p) = { "cpll", "gpll", "npll", "xin27m" }; + +-PNAME(mux_aclk_vcodec_pre_p) = { "aclk_vepu", "aclk_vdpu" }; ++PNAME(mux_aclk_vcodec_pre_p) = { "aclk_vdpu", "aclk_vepu" }; + PNAME(mux_usbphy480m_p) = { "sclk_otgphy1_480m", "sclk_otgphy2_480m", + "sclk_otgphy0_480m" }; + PNAME(mux_hsicphy480m_p) = { "cpll", "gpll", "usbphy480m_src" }; +@@ -399,7 +399,7 @@ static struct rockchip_clk_branch rk3288_clk_branches[] __initdata = { + COMPOSITE(0, "aclk_vdpu", mux_pll_src_cpll_gpll_usb480m_p, 0, + RK3288_CLKSEL_CON(32), 14, 2, MFLAGS, 8, 5, DFLAGS, + RK3288_CLKGATE_CON(3), 11, GFLAGS), +- MUXGRF(0, "aclk_vcodec_pre", mux_aclk_vcodec_pre_p, 0, ++ MUXGRF(0, "aclk_vcodec_pre", mux_aclk_vcodec_pre_p, CLK_SET_RATE_PARENT, + RK3288_GRF_SOC_CON(0), 7, 1, MFLAGS), + GATE(ACLK_VCODEC, "aclk_vcodec", "aclk_vcodec_pre", 0, + RK3288_CLKGATE_CON(9), 0, GFLAGS), +-- +2.20.1 + diff --git a/queue-4.19/clk-rockchip-make-rkpwm-a-critical-clock-on-rk3288.patch b/queue-4.19/clk-rockchip-make-rkpwm-a-critical-clock-on-rk3288.patch new file mode 100644 index 00000000000..d8d34275eb9 --- /dev/null +++ b/queue-4.19/clk-rockchip-make-rkpwm-a-critical-clock-on-rk3288.patch @@ -0,0 +1,54 @@ +From d3bbc01c3e85bd43ca34649caa7d2b5eebd0c886 Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Tue, 9 Apr 2019 13:47:06 -0700 +Subject: clk: rockchip: Make rkpwm a critical clock on rk3288 + +[ Upstream commit dfe7fb21cd9e730230d55a79bc72cf2ece67cdd5 ] + +Most rk3288-based boards are derived from the EVB and thus use a PWM +regulator for the logic rail. However, most rk3288-based boards don't +specify the PWM regulator in their device tree. We'll deal with that +by making it critical. + +NOTE: it's important to make it critical and not just IGNORE_UNUSED +because all PWMs in the system share the same clock. We don't want +another PWM user to turn the clock on and off and kill the logic rail. + +This change is in preparation for actually having the PWMs in the +rk3288 device tree actually point to the proper PWM clock. Up until +now they've all pointed to the clock for the old IP block and they've +all worked due to the fact that rkpwm was IGNORE_UNUSED and that the +clock rates for both clocks were the same. + +Signed-off-by: Douglas Anderson +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-rk3288.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/rockchip/clk-rk3288.c b/drivers/clk/rockchip/clk-rk3288.c +index c6cd6d28af56f..64191694ff6e9 100644 +--- a/drivers/clk/rockchip/clk-rk3288.c ++++ b/drivers/clk/rockchip/clk-rk3288.c +@@ -676,7 +676,7 @@ static struct rockchip_clk_branch rk3288_clk_branches[] __initdata = { + GATE(PCLK_TZPC, "pclk_tzpc", "pclk_cpu", 0, RK3288_CLKGATE_CON(11), 3, GFLAGS), + GATE(PCLK_UART2, "pclk_uart2", "pclk_cpu", 0, RK3288_CLKGATE_CON(11), 9, GFLAGS), + GATE(PCLK_EFUSE256, "pclk_efuse_256", "pclk_cpu", 0, RK3288_CLKGATE_CON(11), 10, GFLAGS), +- GATE(PCLK_RKPWM, "pclk_rkpwm", "pclk_cpu", CLK_IGNORE_UNUSED, RK3288_CLKGATE_CON(11), 11, GFLAGS), ++ GATE(PCLK_RKPWM, "pclk_rkpwm", "pclk_cpu", 0, RK3288_CLKGATE_CON(11), 11, GFLAGS), + + /* ddrctrl [DDR Controller PHY clock] gates */ + GATE(0, "nclk_ddrupctl0", "ddrphy", CLK_IGNORE_UNUSED, RK3288_CLKGATE_CON(11), 4, GFLAGS), +@@ -817,6 +817,8 @@ static const char *const rk3288_critical_clocks[] __initconst = { + "pclk_pd_pmu", + "pclk_pmu_niu", + "pmu_hclk_otg0", ++ /* pwm-regulators on some boards, so handoff-critical later */ ++ "pclk_rkpwm", + }; + + static void __iomem *rk3288_cru_base; +-- +2.20.1 + diff --git a/queue-4.19/clk-rockchip-undo-several-noc-and-special-clocks-as-.patch b/queue-4.19/clk-rockchip-undo-several-noc-and-special-clocks-as-.patch new file mode 100644 index 00000000000..ab6b110bb9e --- /dev/null +++ b/queue-4.19/clk-rockchip-undo-several-noc-and-special-clocks-as-.patch @@ -0,0 +1,121 @@ +From 3f9eecf19c8972ff23da5b766bdeb6da752f65e9 Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Fri, 12 Apr 2019 09:17:47 -0700 +Subject: clk: rockchip: undo several noc and special clocks as critical on + rk3288 + +[ Upstream commit f4033db5b84ebe4b32c25ba2ed65ab20b628996a ] + +This is mostly a revert of commit 55bb6a633c33 ("clk: rockchip: mark +noc and some special clk as critical on rk3288") except that we're +keeping "pmu_hclk_otg0" as critical still. + +NOTE: turning these clocks off doesn't seem to do a whole lot in terms +of power savings (checking the power on the logic rail). It appears +to save maybe 1-2mW. ...but still it seems like we should turn the +clocks off if they aren't needed. + +About "pmu_hclk_otg0" (the one clock from the original commit we're +still keeping critical) from an email thread: + +> pmu ahb clock +> +> Function: Clock to pmu module when hibernation and/or ADP is +> enabled. Must be greater than or equal to 30 MHz. +> +> If the SOC design does not support hibernation/ADP function, only have +> hclk_otg, this clk can be switched according to the usage of otg. +> If the SOC design support hibernation/ADP, has two clocks, hclk_otg and +> pmu_hclk_otg0. +> Hclk_otg belongs to the closed part of otg logic, which can be switched +> according to the use of otg. +> +> pmu_hclk_otg0 belongs to the always on part. +> +> As for whether pmu_hclk_otg0 can be turned off when otg is not in use, +> we have not tested. IC suggest make pmu_hclk_otg0 always on. + +For the rest of the clocks: + +atclk: No documentation about this clock other than that it goes to +the CPU. CPU functions fine without it on. Maybe needed for JTAG? + +jtag: Presumably this clock is only needed if you're debugging with +JTAG. It doesn't seem like it makes sense to waste power for every +rk3288 user. In any case to do JTAG you'd need private patches to +adjust the pinctrl the mux the JTAG out anyway. + +pclk_dbg, pclk_core_niu: On veyron Chromebooks we turn these two +clocks on only during kernel panics in order to access some coresight +registers. Since nothing in the upstream kernel does this we should +be able to leave them off safely. Maybe also needed for JTAG? + +hsicphy12m_xin12m: There is no indication of why this clock would need +to be turned on for boards that don't use HSIC. + +pclk_ddrupctl[0-1], pclk_publ0[0-1]: On veyron Chromebooks we turn +these 4 clocks on only when doing DDR transitions and they are off +otherwise. I see no reason why they'd need to be on in the upstream +kernel which doesn't support DDRFreq. + +Signed-off-by: Douglas Anderson +Reviewed-by: Elaine Zhang +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-rk3288.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +diff --git a/drivers/clk/rockchip/clk-rk3288.c b/drivers/clk/rockchip/clk-rk3288.c +index 450de24a1b422..45cd2897e586b 100644 +--- a/drivers/clk/rockchip/clk-rk3288.c ++++ b/drivers/clk/rockchip/clk-rk3288.c +@@ -292,13 +292,13 @@ static struct rockchip_clk_branch rk3288_clk_branches[] __initdata = { + COMPOSITE_NOMUX(0, "aclk_core_mp", "armclk", CLK_IGNORE_UNUSED, + RK3288_CLKSEL_CON(0), 4, 4, DFLAGS | CLK_DIVIDER_READ_ONLY, + RK3288_CLKGATE_CON(12), 6, GFLAGS), +- COMPOSITE_NOMUX(0, "atclk", "armclk", CLK_IGNORE_UNUSED, ++ COMPOSITE_NOMUX(0, "atclk", "armclk", 0, + RK3288_CLKSEL_CON(37), 4, 5, DFLAGS | CLK_DIVIDER_READ_ONLY, + RK3288_CLKGATE_CON(12), 7, GFLAGS), + COMPOSITE_NOMUX(0, "pclk_dbg_pre", "armclk", CLK_IGNORE_UNUSED, + RK3288_CLKSEL_CON(37), 9, 5, DFLAGS | CLK_DIVIDER_READ_ONLY, + RK3288_CLKGATE_CON(12), 8, GFLAGS), +- GATE(0, "pclk_dbg", "pclk_dbg_pre", CLK_IGNORE_UNUSED, ++ GATE(0, "pclk_dbg", "pclk_dbg_pre", 0, + RK3288_CLKGATE_CON(12), 9, GFLAGS), + GATE(0, "cs_dbg", "pclk_dbg_pre", CLK_IGNORE_UNUSED, + RK3288_CLKGATE_CON(12), 10, GFLAGS), +@@ -626,7 +626,7 @@ static struct rockchip_clk_branch rk3288_clk_branches[] __initdata = { + INVERTER(SCLK_HSADC, "sclk_hsadc", "sclk_hsadc_out", + RK3288_CLKSEL_CON(22), 7, IFLAGS), + +- GATE(0, "jtag", "ext_jtag", CLK_IGNORE_UNUSED, ++ GATE(0, "jtag", "ext_jtag", 0, + RK3288_CLKGATE_CON(4), 14, GFLAGS), + + COMPOSITE_NODIV(SCLK_USBPHY480M_SRC, "usbphy480m_src", mux_usbphy480m_p, 0, +@@ -635,7 +635,7 @@ static struct rockchip_clk_branch rk3288_clk_branches[] __initdata = { + COMPOSITE_NODIV(SCLK_HSICPHY480M, "sclk_hsicphy480m", mux_hsicphy480m_p, 0, + RK3288_CLKSEL_CON(29), 0, 2, MFLAGS, + RK3288_CLKGATE_CON(3), 6, GFLAGS), +- GATE(0, "hsicphy12m_xin12m", "xin12m", CLK_IGNORE_UNUSED, ++ GATE(0, "hsicphy12m_xin12m", "xin12m", 0, + RK3288_CLKGATE_CON(13), 9, GFLAGS), + DIV(0, "hsicphy12m_usbphy", "sclk_hsicphy480m", 0, + RK3288_CLKSEL_CON(11), 8, 6, DFLAGS), +@@ -816,11 +816,6 @@ static const char *const rk3288_critical_clocks[] __initconst = { + "pclk_alive_niu", + "pclk_pd_pmu", + "pclk_pmu_niu", +- "pclk_core_niu", +- "pclk_ddrupctl0", +- "pclk_publ0", +- "pclk_ddrupctl1", +- "pclk_publ1", + "pmu_hclk_otg0", + }; + +-- +2.20.1 + diff --git a/queue-4.19/cpufreq-kirkwood-fix-possible-object-reference-leak.patch b/queue-4.19/cpufreq-kirkwood-fix-possible-object-reference-leak.patch new file mode 100644 index 00000000000..233aa46fc89 --- /dev/null +++ b/queue-4.19/cpufreq-kirkwood-fix-possible-object-reference-leak.patch @@ -0,0 +1,85 @@ +From 6e2066625a29207cefcf23d3d31ffff3d209a4f3 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Mon, 1 Apr 2019 09:37:50 +0800 +Subject: cpufreq: kirkwood: fix possible object reference leak + +[ Upstream commit 7c468966f05ac9c17bb5948275283d34e6fe0660 ] + +The call to of_get_child_by_name returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +./drivers/cpufreq/kirkwood-cpufreq.c:127:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 118, but without a corresponding object release within this function. +./drivers/cpufreq/kirkwood-cpufreq.c:133:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 118, but without a corresponding object release within this function. + +and also do some cleanup: +- of_node_put(np); +- np = NULL; +... +of_node_put(np); + +Signed-off-by: Wen Yang +Cc: "Rafael J. Wysocki" +Cc: Viresh Kumar +Cc: linux-pm@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/kirkwood-cpufreq.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/drivers/cpufreq/kirkwood-cpufreq.c b/drivers/cpufreq/kirkwood-cpufreq.c +index c2dd43f3f5d8a..8d63a6dc8383c 100644 +--- a/drivers/cpufreq/kirkwood-cpufreq.c ++++ b/drivers/cpufreq/kirkwood-cpufreq.c +@@ -124,13 +124,14 @@ static int kirkwood_cpufreq_probe(struct platform_device *pdev) + priv.cpu_clk = of_clk_get_by_name(np, "cpu_clk"); + if (IS_ERR(priv.cpu_clk)) { + dev_err(priv.dev, "Unable to get cpuclk\n"); +- return PTR_ERR(priv.cpu_clk); ++ err = PTR_ERR(priv.cpu_clk); ++ goto out_node; + } + + err = clk_prepare_enable(priv.cpu_clk); + if (err) { + dev_err(priv.dev, "Unable to prepare cpuclk\n"); +- return err; ++ goto out_node; + } + + kirkwood_freq_table[0].frequency = clk_get_rate(priv.cpu_clk) / 1000; +@@ -161,20 +162,22 @@ static int kirkwood_cpufreq_probe(struct platform_device *pdev) + goto out_ddr; + } + +- of_node_put(np); +- np = NULL; +- + err = cpufreq_register_driver(&kirkwood_cpufreq_driver); +- if (!err) +- return 0; ++ if (err) { ++ dev_err(priv.dev, "Failed to register cpufreq driver\n"); ++ goto out_powersave; ++ } + +- dev_err(priv.dev, "Failed to register cpufreq driver\n"); ++ of_node_put(np); ++ return 0; + ++out_powersave: + clk_disable_unprepare(priv.powersave_clk); + out_ddr: + clk_disable_unprepare(priv.ddr_clk); + out_cpu: + clk_disable_unprepare(priv.cpu_clk); ++out_node: + of_node_put(np); + + return err; +-- +2.20.1 + diff --git a/queue-4.19/cpufreq-pasemi-fix-possible-object-reference-leak.patch b/queue-4.19/cpufreq-pasemi-fix-possible-object-reference-leak.patch new file mode 100644 index 00000000000..564fd3e860a --- /dev/null +++ b/queue-4.19/cpufreq-pasemi-fix-possible-object-reference-leak.patch @@ -0,0 +1,42 @@ +From 8354f5ec6c888ed39fcbdbc5db1efe768a8834be Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Mon, 1 Apr 2019 09:37:52 +0800 +Subject: cpufreq/pasemi: fix possible object reference leak + +[ Upstream commit a9acc26b75f652f697e02a9febe2ab0da648a571 ] + +The call to of_get_cpu_node returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +./drivers/cpufreq/pasemi-cpufreq.c:212:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 147, but without a corresponding object release within this function. +./drivers/cpufreq/pasemi-cpufreq.c:220:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 147, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Cc: "Rafael J. Wysocki" +Cc: Viresh Kumar +Cc: linuxppc-dev@lists.ozlabs.org +Cc: linux-pm@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/pasemi-cpufreq.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c +index 75dfbd2a58ea6..c7710c149de85 100644 +--- a/drivers/cpufreq/pasemi-cpufreq.c ++++ b/drivers/cpufreq/pasemi-cpufreq.c +@@ -146,6 +146,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy) + + cpu = of_get_cpu_node(policy->cpu, NULL); + ++ of_node_put(cpu); + if (!cpu) + goto out; + +-- +2.20.1 + diff --git a/queue-4.19/cpufreq-pmac32-fix-possible-object-reference-leak.patch b/queue-4.19/cpufreq-pmac32-fix-possible-object-reference-leak.patch new file mode 100644 index 00000000000..9c4d9c440a9 --- /dev/null +++ b/queue-4.19/cpufreq-pmac32-fix-possible-object-reference-leak.patch @@ -0,0 +1,54 @@ +From a422f4d6c382f96da8664021d4b41c912bae5ce3 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Mon, 1 Apr 2019 09:37:53 +0800 +Subject: cpufreq: pmac32: fix possible object reference leak + +[ Upstream commit 8d10dc28a9ea6e8c02e825dab28699f3c72b02d9 ] + +The call to of_find_node_by_name returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +./drivers/cpufreq/pmac32-cpufreq.c:557:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 552, but without a corresponding object release within this function. +./drivers/cpufreq/pmac32-cpufreq.c:569:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 552, but without a corresponding object release within this function. +./drivers/cpufreq/pmac32-cpufreq.c:598:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 587, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Cc: "Rafael J. Wysocki" +Cc: Viresh Kumar +Cc: Benjamin Herrenschmidt +Cc: Paul Mackerras +Cc: Michael Ellerman +Cc: linux-pm@vger.kernel.org +Cc: linuxppc-dev@lists.ozlabs.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/pmac32-cpufreq.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/cpufreq/pmac32-cpufreq.c b/drivers/cpufreq/pmac32-cpufreq.c +index 61ae06ca008e7..e225edb5c3593 100644 +--- a/drivers/cpufreq/pmac32-cpufreq.c ++++ b/drivers/cpufreq/pmac32-cpufreq.c +@@ -552,6 +552,7 @@ static int pmac_cpufreq_init_7447A(struct device_node *cpunode) + volt_gpio_np = of_find_node_by_name(NULL, "cpu-vcore-select"); + if (volt_gpio_np) + voltage_gpio = read_gpio(volt_gpio_np); ++ of_node_put(volt_gpio_np); + if (!voltage_gpio){ + pr_err("missing cpu-vcore-select gpio\n"); + return 1; +@@ -588,6 +589,7 @@ static int pmac_cpufreq_init_750FX(struct device_node *cpunode) + if (volt_gpio_np) + voltage_gpio = read_gpio(volt_gpio_np); + ++ of_node_put(volt_gpio_np); + pvr = mfspr(SPRN_PVR); + has_cpu_l2lve = !((pvr & 0xf00) == 0x100); + +-- +2.20.1 + diff --git a/queue-4.19/cpufreq-ppc_cbe-fix-possible-object-reference-leak.patch b/queue-4.19/cpufreq-ppc_cbe-fix-possible-object-reference-leak.patch new file mode 100644 index 00000000000..3ef7e31708a --- /dev/null +++ b/queue-4.19/cpufreq-ppc_cbe-fix-possible-object-reference-leak.patch @@ -0,0 +1,41 @@ +From 225ab1cce6b934cc5f56a6ff3541407e1b95d16c Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Mon, 1 Apr 2019 09:37:54 +0800 +Subject: cpufreq: ppc_cbe: fix possible object reference leak + +[ Upstream commit 233298032803f2802fe99892d0de4ab653bfece4 ] + +The call to of_get_cpu_node returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +./drivers/cpufreq/ppc_cbe_cpufreq.c:89:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 76, but without a corresponding object release within this function. +./drivers/cpufreq/ppc_cbe_cpufreq.c:89:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 76, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Cc: "Rafael J. Wysocki" +Cc: Viresh Kumar +Cc: linux-pm@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/ppc_cbe_cpufreq.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/cpufreq/ppc_cbe_cpufreq.c b/drivers/cpufreq/ppc_cbe_cpufreq.c +index 41a0f0be3f9ff..8414c3a4ea08c 100644 +--- a/drivers/cpufreq/ppc_cbe_cpufreq.c ++++ b/drivers/cpufreq/ppc_cbe_cpufreq.c +@@ -86,6 +86,7 @@ static int cbe_cpufreq_cpu_init(struct cpufreq_policy *policy) + if (!cbe_get_cpu_pmd_regs(policy->cpu) || + !cbe_get_cpu_mic_tm_regs(policy->cpu)) { + pr_info("invalid CBE regs pointers for cpufreq\n"); ++ of_node_put(cpu); + return -EINVAL; + } + +-- +2.20.1 + diff --git a/queue-4.19/crypto-sun4i-ss-fix-invalid-calculation-of-hash-end.patch b/queue-4.19/crypto-sun4i-ss-fix-invalid-calculation-of-hash-end.patch new file mode 100644 index 00000000000..e21cc127f7d --- /dev/null +++ b/queue-4.19/crypto-sun4i-ss-fix-invalid-calculation-of-hash-end.patch @@ -0,0 +1,40 @@ +From d57a9282ee049afd63abe684619b2e0d2320cb4b Mon Sep 17 00:00:00 2001 +From: Corentin Labbe +Date: Thu, 18 Apr 2019 10:17:34 +0200 +Subject: crypto: sun4i-ss - Fix invalid calculation of hash end + +[ Upstream commit f87391558acf816b48f325a493d81d45dec40da0 ] + +When nbytes < 4, end is wronlgy set to a negative value which, due to +uint, is then interpreted to a large value leading to a deadlock in the +following code. + +This patch fix this problem. + +Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator") +Signed-off-by: Corentin Labbe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sunxi-ss/sun4i-ss-hash.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-hash.c b/drivers/crypto/sunxi-ss/sun4i-ss-hash.c +index a4b5ff2b72f87..f6936bb3b7be4 100644 +--- a/drivers/crypto/sunxi-ss/sun4i-ss-hash.c ++++ b/drivers/crypto/sunxi-ss/sun4i-ss-hash.c +@@ -240,7 +240,10 @@ static int sun4i_hash(struct ahash_request *areq) + } + } else { + /* Since we have the flag final, we can go up to modulo 4 */ +- end = ((areq->nbytes + op->len) / 4) * 4 - op->len; ++ if (areq->nbytes < 4) ++ end = 0; ++ else ++ end = ((areq->nbytes + op->len) / 4) * 4 - op->len; + } + + /* TODO if SGlen % 4 and !op->len then DMA */ +-- +2.20.1 + diff --git a/queue-4.19/cxgb3-l2t-fix-undefined-behaviour.patch b/queue-4.19/cxgb3-l2t-fix-undefined-behaviour.patch new file mode 100644 index 00000000000..a70430e98c9 --- /dev/null +++ b/queue-4.19/cxgb3-l2t-fix-undefined-behaviour.patch @@ -0,0 +1,49 @@ +From 07245d6c310f5b4c7eb50ad710d34f4a129905b1 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Fri, 29 Mar 2019 10:27:26 -0500 +Subject: cxgb3/l2t: Fix undefined behaviour + +[ Upstream commit 76497732932f15e7323dc805e8ea8dc11bb587cf ] + +The use of zero-sized array causes undefined behaviour when it is not +the last member in a structure. As it happens to be in this case. + +Also, the current code makes use of a language extension to the C90 +standard, but the preferred mechanism to declare variable-length +types such as this one is a flexible array member, introduced in +C99: + +struct foo { + int stuff; + struct boo array[]; +}; + +By making use of the mechanism above, we will get a compiler warning +in case the flexible array does not occur last. Which is beneficial +to cultivate a high-quality code. + +Fixes: e48f129c2f20 ("[SCSI] cxgb3i: convert cdev->l2opt to use rcu to prevent NULL dereference") +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h +index c2fd323c40782..ea75f275023ff 100644 +--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h ++++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.h +@@ -75,8 +75,8 @@ struct l2t_data { + struct l2t_entry *rover; /* starting point for next allocation */ + atomic_t nfree; /* number of free entries */ + rwlock_t lock; +- struct l2t_entry l2tab[0]; + struct rcu_head rcu_head; /* to handle rcu cleanup */ ++ struct l2t_entry l2tab[]; + }; + + typedef void (*arp_failure_handler_func)(struct t3cdev * dev, +-- +2.20.1 + diff --git a/queue-4.19/cxgb4-fix-error-path-in-cxgb4_init_module.patch b/queue-4.19/cxgb4-fix-error-path-in-cxgb4_init_module.patch new file mode 100644 index 00000000000..2e135604815 --- /dev/null +++ b/queue-4.19/cxgb4-fix-error-path-in-cxgb4_init_module.patch @@ -0,0 +1,85 @@ +From c0bdb69435dcbc5359fc580f648b778bb5b3ecf6 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Mon, 6 May 2019 23:57:54 +0800 +Subject: cxgb4: Fix error path in cxgb4_init_module + +[ Upstream commit a3147770bea76c8dbad73eca3a24c2118da5e719 ] + +BUG: unable to handle kernel paging request at ffffffffa016a270 +PGD 3270067 P4D 3270067 PUD 3271063 PMD 230bbd067 PTE 0 +Oops: 0000 [#1 +CPU: 0 PID: 6134 Comm: modprobe Not tainted 5.1.0+ #33 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 +RIP: 0010:atomic_notifier_chain_register+0x24/0x60 +Code: 1f 80 00 00 00 00 55 48 89 e5 41 54 49 89 f4 53 48 89 fb e8 ae b4 38 01 48 8b 53 38 48 8d 4b 38 48 85 d2 74 20 45 8b 44 24 10 <44> 3b 42 10 7e 08 eb 13 44 39 42 10 7c 0d 48 8d 4a 08 48 8b 52 08 +RSP: 0018:ffffc90000e2bc60 EFLAGS: 00010086 +RAX: 0000000000000292 RBX: ffffffff83467240 RCX: ffffffff83467278 +RDX: ffffffffa016a260 RSI: ffffffff83752140 RDI: ffffffff83467240 +RBP: ffffc90000e2bc70 R08: 0000000000000000 R09: 0000000000000001 +R10: 0000000000000000 R11: 00000000014fa61f R12: ffffffffa01c8260 +R13: ffff888231091e00 R14: 0000000000000000 R15: ffffc90000e2be78 +FS: 00007fbd8d7cd540(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffa016a270 CR3: 000000022c7e3000 CR4: 00000000000006f0 +Call Trace: + register_inet6addr_notifier+0x13/0x20 + cxgb4_init_module+0x6c/0x1000 [cxgb4 + ? 0xffffffffa01d7000 + do_one_initcall+0x6c/0x3cc + ? do_init_module+0x22/0x1f1 + ? rcu_read_lock_sched_held+0x97/0xb0 + ? kmem_cache_alloc_trace+0x325/0x3b0 + do_init_module+0x5b/0x1f1 + load_module+0x1db1/0x2690 + ? m_show+0x1d0/0x1d0 + __do_sys_finit_module+0xc5/0xd0 + __x64_sys_finit_module+0x15/0x20 + do_syscall_64+0x6b/0x1d0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +If pci_register_driver fails, register inet6addr_notifier is +pointless. This patch fix the error path in cxgb4_init_module. + +Fixes: b5a02f503caa ("cxgb4 : Update ipv6 address handling api") +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +index 961e3087d1d38..bb04c695ab9fd 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -6010,15 +6010,24 @@ static int __init cxgb4_init_module(void) + + ret = pci_register_driver(&cxgb4_driver); + if (ret < 0) +- debugfs_remove(cxgb4_debugfs_root); ++ goto err_pci; + + #if IS_ENABLED(CONFIG_IPV6) + if (!inet6addr_registered) { +- register_inet6addr_notifier(&cxgb4_inet6addr_notifier); +- inet6addr_registered = true; ++ ret = register_inet6addr_notifier(&cxgb4_inet6addr_notifier); ++ if (ret) ++ pci_unregister_driver(&cxgb4_driver); ++ else ++ inet6addr_registered = true; + } + #endif + ++ if (ret == 0) ++ return ret; ++ ++err_pci: ++ debugfs_remove(cxgb4_debugfs_root); ++ + return ret; + } + +-- +2.20.1 + diff --git a/queue-4.19/dmaengine-at_xdmac-remove-bug_on-macro-in-tasklet.patch b/queue-4.19/dmaengine-at_xdmac-remove-bug_on-macro-in-tasklet.patch new file mode 100644 index 00000000000..9307163f246 --- /dev/null +++ b/queue-4.19/dmaengine-at_xdmac-remove-bug_on-macro-in-tasklet.patch @@ -0,0 +1,40 @@ +From c5ac9025367886d9664f9826a9090003b1ec6ee0 Mon Sep 17 00:00:00 2001 +From: Nicolas Ferre +Date: Wed, 3 Apr 2019 12:23:57 +0200 +Subject: dmaengine: at_xdmac: remove BUG_ON macro in tasklet + +[ Upstream commit e2c114c06da2d9ffad5b16690abf008d6696f689 ] + +Even if this case shouldn't happen when controller is properly programmed, +it's still better to avoid dumping a kernel Oops for this. +As the sequence may happen only for debugging purposes, log the error and +just finish the tasklet call. + +Signed-off-by: Nicolas Ferre +Acked-by: Ludovic Desroches +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/at_xdmac.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index a75b95fac3bd5..db5b8fe1dd4ab 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -1606,7 +1606,11 @@ static void at_xdmac_tasklet(unsigned long data) + struct at_xdmac_desc, + xfer_node); + dev_vdbg(chan2dev(&atchan->chan), "%s: desc 0x%p\n", __func__, desc); +- BUG_ON(!desc->active_xfer); ++ if (!desc->active_xfer) { ++ dev_err(chan2dev(&atchan->chan), "Xfer not active: exiting"); ++ spin_unlock_bh(&atchan->lock); ++ return; ++ } + + txd = &desc->tx_dma_desc; + +-- +2.20.1 + diff --git a/queue-4.19/dmaengine-pl330-_stop-clear-interrupt-status.patch b/queue-4.19/dmaengine-pl330-_stop-clear-interrupt-status.patch new file mode 100644 index 00000000000..cf16ac6b196 --- /dev/null +++ b/queue-4.19/dmaengine-pl330-_stop-clear-interrupt-status.patch @@ -0,0 +1,92 @@ +From 07a977b522cc929adefa9544bd8cdedd27101d0e Mon Sep 17 00:00:00 2001 +From: Sugar Zhang +Date: Wed, 3 Apr 2019 19:06:22 +0800 +Subject: dmaengine: pl330: _stop: clear interrupt status + +[ Upstream commit 2da254cc7908105a60a6bb219d18e8dced03dcb9 ] + +This patch kill instructs the DMAC to immediately terminate +execution of a thread. and then clear the interrupt status, +at last, stop generating interrupts for DMA_SEV. to guarantee +the next dma start is clean. otherwise, one interrupt maybe leave +to next start and make some mistake. + +we can reporduce the problem as follows: + +DMASEV: modify the event-interrupt resource, and if the INTEN sets +function as interrupt, the DMAC will set irq HIGH to +generate interrupt. write INTCLR to clear interrupt. + + DMA EXECUTING INSTRUCTS DMA TERMINATE + | | + | | + ... _stop + | | + | spin_lock_irqsave + DMASEV | + | | + | mask INTEN + | | + | DMAKILL + | | + | spin_unlock_irqrestore + +in above case, a interrupt was left, and if we unmask INTEN, the DMAC +will set irq HIGH to generate interrupt. + +to fix this, do as follows: + + DMA EXECUTING INSTRUCTS DMA TERMINATE + | | + | | + ... _stop + | | + | spin_lock_irqsave + DMASEV | + | | + | DMAKILL + | | + | clear INTCLR + | mask INTEN + | | + | spin_unlock_irqrestore + +Signed-off-by: Sugar Zhang +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/pl330.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c +index 88750a34e8598..bc8050c025b7b 100644 +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -961,6 +961,7 @@ static void _stop(struct pl330_thread *thrd) + { + void __iomem *regs = thrd->dmac->base; + u8 insn[6] = {0, 0, 0, 0, 0, 0}; ++ u32 inten = readl(regs + INTEN); + + if (_state(thrd) == PL330_STATE_FAULT_COMPLETING) + UNTIL(thrd, PL330_STATE_FAULTING | PL330_STATE_KILLING); +@@ -973,10 +974,13 @@ static void _stop(struct pl330_thread *thrd) + + _emit_KILL(0, insn); + +- /* Stop generating interrupts for SEV */ +- writel(readl(regs + INTEN) & ~(1 << thrd->ev), regs + INTEN); +- + _execute_DBGINSN(thrd, insn, is_manager(thrd)); ++ ++ /* clear the event */ ++ if (inten & (1 << thrd->ev)) ++ writel(1 << thrd->ev, regs + INTCLR); ++ /* Stop generating interrupts for SEV */ ++ writel(inten & ~(1 << thrd->ev), regs + INTEN); + } + + /* Start doing req 'idx' of thread 'thrd' */ +-- +2.20.1 + diff --git a/queue-4.19/dmaengine-tegra210-adma-use-devm_clk_-helpers.patch b/queue-4.19/dmaengine-tegra210-adma-use-devm_clk_-helpers.patch new file mode 100644 index 00000000000..66604acbd0e --- /dev/null +++ b/queue-4.19/dmaengine-tegra210-adma-use-devm_clk_-helpers.patch @@ -0,0 +1,110 @@ +From 97659ddf350bec236a35ed5ad1b7d342ac30d627 Mon Sep 17 00:00:00 2001 +From: Sameer Pujar +Date: Wed, 13 Mar 2019 17:02:36 +0530 +Subject: dmaengine: tegra210-adma: use devm_clk_*() helpers + +[ Upstream commit f6ed6491d565c336a360471e0c29228e34f4380e ] + +adma driver is using pm_clk_*() interface for managing clock resources. +With this it is observed that clocks remain ON always. This happens on +Tegra devices which use BPMP co-processor to manage clock resources, +where clocks are enabled during prepare phase. This is necessary because +clocks to BPMP are always blocking. When pm_clk_*() interface is used on +such Tegra devices, clock prepare count is not balanced till remove call +happens for the driver and hence clocks are seen ON always. Thus this +patch replaces pm_clk_*() with devm_clk_*() framework. + +Suggested-by: Mohan Kumar D +Reviewed-by: Jonathan Hunter +Signed-off-by: Sameer Pujar +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/tegra210-adma.c | 27 ++++++++++++--------------- + 1 file changed, 12 insertions(+), 15 deletions(-) + +diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c +index 08b10274284a8..09b6756366c30 100644 +--- a/drivers/dma/tegra210-adma.c ++++ b/drivers/dma/tegra210-adma.c +@@ -22,7 +22,6 @@ + #include + #include + #include +-#include + #include + #include + +@@ -141,6 +140,7 @@ struct tegra_adma { + struct dma_device dma_dev; + struct device *dev; + void __iomem *base_addr; ++ struct clk *ahub_clk; + unsigned int nr_channels; + unsigned long rx_requests_reserved; + unsigned long tx_requests_reserved; +@@ -637,8 +637,9 @@ static int tegra_adma_runtime_suspend(struct device *dev) + struct tegra_adma *tdma = dev_get_drvdata(dev); + + tdma->global_cmd = tdma_read(tdma, ADMA_GLOBAL_CMD); ++ clk_disable_unprepare(tdma->ahub_clk); + +- return pm_clk_suspend(dev); ++ return 0; + } + + static int tegra_adma_runtime_resume(struct device *dev) +@@ -646,10 +647,11 @@ static int tegra_adma_runtime_resume(struct device *dev) + struct tegra_adma *tdma = dev_get_drvdata(dev); + int ret; + +- ret = pm_clk_resume(dev); +- if (ret) ++ ret = clk_prepare_enable(tdma->ahub_clk); ++ if (ret) { ++ dev_err(dev, "ahub clk_enable failed: %d\n", ret); + return ret; +- ++ } + tdma_write(tdma, ADMA_GLOBAL_CMD, tdma->global_cmd); + + return 0; +@@ -692,13 +694,11 @@ static int tegra_adma_probe(struct platform_device *pdev) + if (IS_ERR(tdma->base_addr)) + return PTR_ERR(tdma->base_addr); + +- ret = pm_clk_create(&pdev->dev); +- if (ret) +- return ret; +- +- ret = of_pm_clk_add_clk(&pdev->dev, "d_audio"); +- if (ret) +- goto clk_destroy; ++ tdma->ahub_clk = devm_clk_get(&pdev->dev, "d_audio"); ++ if (IS_ERR(tdma->ahub_clk)) { ++ dev_err(&pdev->dev, "Error: Missing ahub controller clock\n"); ++ return PTR_ERR(tdma->ahub_clk); ++ } + + pm_runtime_enable(&pdev->dev); + +@@ -775,8 +775,6 @@ static int tegra_adma_probe(struct platform_device *pdev) + pm_runtime_put_sync(&pdev->dev); + rpm_disable: + pm_runtime_disable(&pdev->dev); +-clk_destroy: +- pm_clk_destroy(&pdev->dev); + + return ret; + } +@@ -794,7 +792,6 @@ static int tegra_adma_remove(struct platform_device *pdev) + + pm_runtime_put_sync(&pdev->dev); + pm_runtime_disable(&pdev->dev); +- pm_clk_destroy(&pdev->dev); + + return 0; + } +-- +2.20.1 + diff --git a/queue-4.19/dmaengine-tegra210-dma-free-dma-controller-in-remove.patch b/queue-4.19/dmaengine-tegra210-dma-free-dma-controller-in-remove.patch new file mode 100644 index 00000000000..8e6cc62d05a --- /dev/null +++ b/queue-4.19/dmaengine-tegra210-dma-free-dma-controller-in-remove.patch @@ -0,0 +1,87 @@ +From 896b013486eb0576403887515415f57db7b96e10 Mon Sep 17 00:00:00 2001 +From: Sameer Pujar +Date: Thu, 2 May 2019 18:25:16 +0530 +Subject: dmaengine: tegra210-dma: free dma controller in remove() + +[ Upstream commit f030e419501cb95e961e9ed35c493b5d46a04eca ] + +Following kernel panic is seen during DMA driver unload->load sequence +========================================================================== +Unable to handle kernel paging request at virtual address ffffff8001198880 +Internal error: Oops: 86000007 [#1] PREEMPT SMP +CPU: 0 PID: 5907 Comm: HwBinder:4123_1 Tainted: G C 4.9.128-tegra-g065839f +Hardware name: galen (DT) +task: ffffffc3590d1a80 task.stack: ffffffc3d0678000 +PC is at 0xffffff8001198880 +LR is at of_dma_request_slave_channel+0xd8/0x1f8 +pc : [] lr : [] pstate: 60400045 +sp : ffffffc3d067b710 +x29: ffffffc3d067b710 x28: 000000000000002f +x27: ffffff800949e000 x26: ffffff800949e750 +x25: ffffff800949e000 x24: ffffffbefe817d84 +x23: ffffff8009f77cb0 x22: 0000000000000028 +x21: ffffffc3ffda49c8 x20: 0000000000000029 +x19: 0000000000000001 x18: ffffffffffffffff +x17: 0000000000000000 x16: ffffff80082b66a0 +x15: ffffff8009e78250 x14: 000000000000000a +x13: 0000000000000038 x12: 0101010101010101 +x11: 0000000000000030 x10: 0101010101010101 +x9 : fffffffffffffffc x8 : 7f7f7f7f7f7f7f7f +x7 : 62ff726b6b64622c x6 : 0000000000008064 +x5 : 6400000000000000 x4 : ffffffbefe817c44 +x3 : ffffffc3ffda3e08 x2 : ffffff8001198880 +x1 : ffffffc3d48323c0 x0 : ffffffc3d067b788 + +Process HwBinder:4123_1 (pid: 5907, stack limit = 0xffffffc3d0678028) +Call trace: +[] 0xffffff8001198880 +[] dma_request_chan+0x50/0x1f0 +[] dma_request_slave_channel+0x28/0x40 +[] tegra_alt_pcm_open+0x114/0x170 +[] soc_pcm_open+0x10c/0x878 +[] snd_pcm_open_substream+0xc0/0x170 +[] snd_pcm_open+0xc4/0x240 +[] snd_pcm_playback_open+0x58/0x80 +[] snd_open+0xb4/0x178 +[] chrdev_open+0xb8/0x1d0 +[] do_dentry_open+0x214/0x318 +[] vfs_open+0x58/0x88 +[] do_last+0x450/0xde0 +[] path_openat+0xa8/0x368 +[] do_filp_open+0x8c/0x110 +[] do_sys_open+0x164/0x220 +[] compat_SyS_openat+0x3c/0x50 +[] el0_svc_naked+0x34/0x38 +---[ end trace 67e6d544e65b5145 ]--- +Kernel panic - not syncing: Fatal exception +========================================================================== + +In device probe(), of_dma_controller_register() registers DMA controller. +But when driver is removed, this is not freed. During driver reload this +results in data abort and kernel panic. Add of_dma_controller_free() in +driver remove path to fix the issue. + +Fixes: f46b195799b5 ("dmaengine: tegra-adma: Add support for Tegra210 ADMA") +Signed-off-by: Sameer Pujar +Reviewed-by: Jon Hunter +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/tegra210-adma.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c +index b26256f23d67f..08b10274284a8 100644 +--- a/drivers/dma/tegra210-adma.c ++++ b/drivers/dma/tegra210-adma.c +@@ -786,6 +786,7 @@ static int tegra_adma_remove(struct platform_device *pdev) + struct tegra_adma *tdma = platform_get_drvdata(pdev); + int i; + ++ of_dma_controller_free(pdev->dev.of_node); + dma_async_device_unregister(&tdma->dma_dev); + + for (i = 0; i < tdma->nr_channels; ++i) +-- +2.20.1 + diff --git a/queue-4.19/drm-amd-display-fix-divide-by-0-in-memory-calculatio.patch b/queue-4.19/drm-amd-display-fix-divide-by-0-in-memory-calculatio.patch new file mode 100644 index 00000000000..8bbfd36a5d0 --- /dev/null +++ b/queue-4.19/drm-amd-display-fix-divide-by-0-in-memory-calculatio.patch @@ -0,0 +1,57 @@ +From a6f7cd0e0b8263644d0bc3683b7c38c1e4c9cc07 Mon Sep 17 00:00:00 2001 +From: Murton Liu +Date: Fri, 15 Feb 2019 15:05:43 -0500 +Subject: drm/amd/display: Fix Divide by 0 in memory calculations + +[ Upstream commit 59979bf8be1784ebfc44215031c6c88ca22ae65d ] + +Check if we get any values equal to 0, and set to 1 if so. + +Signed-off-by: Murton Liu +Reviewed-by: Aric Cyr +Acked-by: Bhawanpreet Lakha +Acked-by: Sivapiriyan Kumarasamy +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c | 20 ++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c +index 4a863a5dab417..321af9af95e86 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c +@@ -406,15 +406,25 @@ void dpp1_dscl_calc_lb_num_partitions( + int *num_part_y, + int *num_part_c) + { ++ int lb_memory_size, lb_memory_size_c, lb_memory_size_a, num_partitions_a, ++ lb_bpc, memory_line_size_y, memory_line_size_c, memory_line_size_a; ++ + int line_size = scl_data->viewport.width < scl_data->recout.width ? + scl_data->viewport.width : scl_data->recout.width; + int line_size_c = scl_data->viewport_c.width < scl_data->recout.width ? + scl_data->viewport_c.width : scl_data->recout.width; +- int lb_bpc = dpp1_dscl_get_lb_depth_bpc(scl_data->lb_params.depth); +- int memory_line_size_y = (line_size * lb_bpc + 71) / 72; /* +71 to ceil */ +- int memory_line_size_c = (line_size_c * lb_bpc + 71) / 72; /* +71 to ceil */ +- int memory_line_size_a = (line_size + 5) / 6; /* +5 to ceil */ +- int lb_memory_size, lb_memory_size_c, lb_memory_size_a, num_partitions_a; ++ ++ if (line_size == 0) ++ line_size = 1; ++ ++ if (line_size_c == 0) ++ line_size_c = 1; ++ ++ ++ lb_bpc = dpp1_dscl_get_lb_depth_bpc(scl_data->lb_params.depth); ++ memory_line_size_y = (line_size * lb_bpc + 71) / 72; /* +71 to ceil */ ++ memory_line_size_c = (line_size_c * lb_bpc + 71) / 72; /* +71 to ceil */ ++ memory_line_size_a = (line_size + 5) / 6; /* +5 to ceil */ + + if (lb_config == LB_MEMORY_CONFIG_1) { + lb_memory_size = 816; +-- +2.20.1 + diff --git a/queue-4.19/drm-amd-display-fix-releasing-planes-when-exiting-od.patch b/queue-4.19/drm-amd-display-fix-releasing-planes-when-exiting-od.patch new file mode 100644 index 00000000000..e745920e202 --- /dev/null +++ b/queue-4.19/drm-amd-display-fix-releasing-planes-when-exiting-od.patch @@ -0,0 +1,42 @@ +From 5c6dc1e5e489516e26b89b466572fa7be68977b5 Mon Sep 17 00:00:00 2001 +From: Dmytro Laktyushkin +Date: Thu, 7 Mar 2019 13:26:13 -0500 +Subject: drm/amd/display: fix releasing planes when exiting odm + +[ Upstream commit bc2193992b00488f5734613ac95b78ef2d2803ab ] + +Releasing planes should not release the 2nd odm pipe right away, +this change leaves us with 2 pipes with null planes and same stream +when planes are released during odm. + +Signed-off-by: Dmytro Laktyushkin +Reviewed-by: Tony Cheng +Acked-by: Bhawanpreet Lakha +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +index 87bf422f16be7..e0a96abb3c46c 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +@@ -1401,10 +1401,12 @@ bool dc_remove_plane_from_context( + * For head pipe detach surfaces from pipe for tail + * pipe just zero it out + */ +- if (!pipe_ctx->top_pipe) { ++ if (!pipe_ctx->top_pipe || ++ (!pipe_ctx->top_pipe->top_pipe && ++ pipe_ctx->top_pipe->stream_res.opp != pipe_ctx->stream_res.opp)) { + pipe_ctx->plane_state = NULL; + pipe_ctx->bottom_pipe = NULL; +- } else { ++ } else { + memset(pipe_ctx, 0, sizeof(*pipe_ctx)); + } + } +-- +2.20.1 + diff --git a/queue-4.19/drm-amd-display-set-stream-mode_changed-when-connect.patch b/queue-4.19/drm-amd-display-set-stream-mode_changed-when-connect.patch new file mode 100644 index 00000000000..b7454060491 --- /dev/null +++ b/queue-4.19/drm-amd-display-set-stream-mode_changed-when-connect.patch @@ -0,0 +1,56 @@ +From 3e629a468672ab861cc83ab1fb3cb8a1ddbcf3c1 Mon Sep 17 00:00:00 2001 +From: Nicholas Kazlauskas +Date: Fri, 8 Feb 2019 13:21:05 -0500 +Subject: drm/amd/display: Set stream->mode_changed when connectors change + +[ Upstream commit b9952f93cd2cf5fca82b06a8179c0f5f7b769e83 ] + +[Why] +The kms_plane@plane-position-covered-pipe-*-planes subtests can produce +a sequence of atomic commits such that neither active_changed nor +mode_changed but connectors_changed. + +When this happens we remove the old stream from the context and add +a new stream but the new stream doesn't have mode_changed=true set. + +This incorrect programming sequence causes CRC mismatches to occur in +the test. + +The stream->mode_changed value should be set whenever a new stream +is created. + +[How] +A new stream is created whenever drm_atomic_crtc_needs_modeset is true. +We previously covered the active_changed and mode_changed conditions +for the CRTC but connectors_changed is also checked within +drm_atomic_crtc_needs_modeset. + +So just use drm_atomic_crtc_needs_modeset directly to determine the +mode_changed flag. + +Signed-off-by: Nicholas Kazlauskas +Reviewed-by: Sun peng Li +Acked-by: Bhawanpreet Lakha +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 76ee2de43ea66..dac7978f5ee1f 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -4369,8 +4369,7 @@ static void amdgpu_dm_commit_planes(struct drm_atomic_state *state, + static void amdgpu_dm_crtc_copy_transient_flags(struct drm_crtc_state *crtc_state, + struct dc_stream_state *stream_state) + { +- stream_state->mode_changed = +- crtc_state->mode_changed || crtc_state->active_changed; ++ stream_state->mode_changed = drm_atomic_crtc_needs_modeset(crtc_state); + } + + static int amdgpu_dm_atomic_commit(struct drm_device *dev, +-- +2.20.1 + diff --git a/queue-4.19/drm-amdgpu-fix-old-fence-check-in-amdgpu_fence_emit.patch b/queue-4.19/drm-amdgpu-fix-old-fence-check-in-amdgpu_fence_emit.patch new file mode 100644 index 00000000000..7d777d3a19e --- /dev/null +++ b/queue-4.19/drm-amdgpu-fix-old-fence-check-in-amdgpu_fence_emit.patch @@ -0,0 +1,70 @@ +From 5278b9e420119491d4ae74f1ae85a443e20d3fb4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20K=C3=B6nig?= +Date: Fri, 29 Mar 2019 19:30:23 +0100 +Subject: drm/amdgpu: fix old fence check in amdgpu_fence_emit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 3d2aca8c8620346abdba96c6300d2c0b90a1d0cc ] + +We don't hold a reference to the old fence, so it can go away +any time we are waiting for it to signal. + +Signed-off-by: Christian König +Reviewed-by: Chunming Zhou +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c | 24 ++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c +index 7056925eb3860..869ff624b108c 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c +@@ -136,8 +136,9 @@ int amdgpu_fence_emit(struct amdgpu_ring *ring, struct dma_fence **f, + { + struct amdgpu_device *adev = ring->adev; + struct amdgpu_fence *fence; +- struct dma_fence *old, **ptr; ++ struct dma_fence __rcu **ptr; + uint32_t seq; ++ int r; + + fence = kmem_cache_alloc(amdgpu_fence_slab, GFP_KERNEL); + if (fence == NULL) +@@ -153,15 +154,24 @@ int amdgpu_fence_emit(struct amdgpu_ring *ring, struct dma_fence **f, + seq, flags | AMDGPU_FENCE_FLAG_INT); + + ptr = &ring->fence_drv.fences[seq & ring->fence_drv.num_fences_mask]; ++ if (unlikely(rcu_dereference_protected(*ptr, 1))) { ++ struct dma_fence *old; ++ ++ rcu_read_lock(); ++ old = dma_fence_get_rcu_safe(ptr); ++ rcu_read_unlock(); ++ ++ if (old) { ++ r = dma_fence_wait(old, false); ++ dma_fence_put(old); ++ if (r) ++ return r; ++ } ++ } ++ + /* This function can't be called concurrently anyway, otherwise + * emitting the fence would mess up the hardware ring buffer. + */ +- old = rcu_dereference_protected(*ptr, 1); +- if (old && !dma_fence_is_signaled(old)) { +- DRM_INFO("rcu slot is busy\n"); +- dma_fence_wait(old, false); +- } +- + rcu_assign_pointer(*ptr, dma_fence_get(&fence->base)); + + *f = &fence->base; +-- +2.20.1 + diff --git a/queue-4.19/drm-drv-hold-ref-on-parent-device-during-drm_device-.patch b/queue-4.19/drm-drv-hold-ref-on-parent-device-during-drm_device-.patch new file mode 100644 index 00000000000..e21189e96ce --- /dev/null +++ b/queue-4.19/drm-drv-hold-ref-on-parent-device-during-drm_device-.patch @@ -0,0 +1,54 @@ +From 074aea3d3000a94b0a012a40f5a5830db78368bd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= +Date: Mon, 25 Feb 2019 15:42:26 +0100 +Subject: drm/drv: Hold ref on parent device during drm_device lifetime +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 56be6503aab2bc3a30beae408071b9be5e1bae51 ] + +This makes it safe to access drm_device->dev after the parent device has +been removed/unplugged. + +Signed-off-by: Noralf Trønnes +Reviewed-by: Gerd Hoffmann +Link: https://patchwork.freedesktop.org/patch/msgid/20190225144232.20761-2-noralf@tronnes.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_drv.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c +index 0201ccb22f4ca..d8ae4ca129c70 100644 +--- a/drivers/gpu/drm/drm_drv.c ++++ b/drivers/gpu/drm/drm_drv.c +@@ -499,7 +499,7 @@ int drm_dev_init(struct drm_device *dev, + } + + kref_init(&dev->ref); +- dev->dev = parent; ++ dev->dev = get_device(parent); + dev->driver = driver; + + INIT_LIST_HEAD(&dev->filelist); +@@ -568,6 +568,7 @@ int drm_dev_init(struct drm_device *dev, + drm_minor_free(dev, DRM_MINOR_RENDER); + drm_fs_inode_free(dev->anon_inode); + err_free: ++ put_device(dev->dev); + mutex_destroy(&dev->master_mutex); + mutex_destroy(&dev->ctxlist_mutex); + mutex_destroy(&dev->clientlist_mutex); +@@ -603,6 +604,8 @@ void drm_dev_fini(struct drm_device *dev) + drm_minor_free(dev, DRM_MINOR_PRIMARY); + drm_minor_free(dev, DRM_MINOR_RENDER); + ++ put_device(dev->dev); ++ + mutex_destroy(&dev->master_mutex); + mutex_destroy(&dev->ctxlist_mutex); + mutex_destroy(&dev->clientlist_mutex); +-- +2.20.1 + diff --git a/queue-4.19/drm-etnaviv-avoid-dma-api-warning-when-importing-buf.patch b/queue-4.19/drm-etnaviv-avoid-dma-api-warning-when-importing-buf.patch new file mode 100644 index 00000000000..70bd8f43746 --- /dev/null +++ b/queue-4.19/drm-etnaviv-avoid-dma-api-warning-when-importing-buf.patch @@ -0,0 +1,92 @@ +From e5978f4169e5d89776de8508b3ed5b01566b32f0 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Mon, 25 Feb 2019 10:51:30 +0000 +Subject: drm: etnaviv: avoid DMA API warning when importing buffers + +[ Upstream commit 1262cc8893ecb0eb2c21e042d0d268cc180edb61 ] + +During boot, I get this kernel warning: + +WARNING: CPU: 0 PID: 19001 at kernel/dma/debug.c:1301 debug_dma_map_sg+0x284/0x3dc +etnaviv etnaviv: DMA-API: mapping sg segment longer than device claims to support [len=3145728] [max=65536] +Modules linked in: ip6t_REJECT nf_reject_ipv6 ip6t_rpfilter xt_tcpudp ipt_REJECT nf_reject_ipv4 xt_conntrack ip_set nfnetlink ebtable_broute ebtable_nat ip6table_raw ip6table_nat nf_nat_ipv6 ip6table_mangle iptable_raw iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv4 nf_defrag_ipv6 libcrc32c iptable_mangle ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter caam_jr error snd_soc_imx_spdif imx_thermal snd_soc_imx_audmux nvmem_imx_ocotp snd_soc_sgtl5000 +caam imx_sdma virt_dma coda rc_cec v4l2_mem2mem snd_soc_fsl_ssi snd_soc_fsl_spdif imx_vdoa imx_pcm_dma videobuf2_dma_contig etnaviv dw_hdmi_cec gpu_sched dw_hdmi_ahb_audio imx6q_cpufreq nfsd sch_fq_codel ip_tables x_tables +CPU: 0 PID: 19001 Comm: Xorg Not tainted 4.20.0+ #307 +Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +[] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[] (show_stack) from [] (dump_stack+0x9c/0xd4) +[] (dump_stack) from [] (__warn+0xf8/0x124) +[] (__warn) from [] (warn_slowpath_fmt+0x38/0x48) +[] (warn_slowpath_fmt) from [] (debug_dma_map_sg+0x284/0x3dc) +[] (debug_dma_map_sg) from [] (drm_gem_map_dma_buf+0xc4/0x13c) +[] (drm_gem_map_dma_buf) from [] (dma_buf_map_attachment+0x38/0x5c) +[] (dma_buf_map_attachment) from [] (drm_gem_prime_import_dev+0x74/0x104) +[] (drm_gem_prime_import_dev) from [] (drm_gem_prime_fd_to_handle+0x84/0x17c) +[] (drm_gem_prime_fd_to_handle) from [] (drm_prime_fd_to_handle_ioctl+0x38/0x4c) +[] (drm_prime_fd_to_handle_ioctl) from [] (drm_ioctl_kernel+0x90/0xc8) +[] (drm_ioctl_kernel) from [] (drm_ioctl+0x1e0/0x3b0) +[] (drm_ioctl) from [] (do_vfs_ioctl+0x90/0xa48) +[] (do_vfs_ioctl) from [] (ksys_ioctl+0x34/0x60) +[] (ksys_ioctl) from [] (ret_fast_syscall+0x0/0x28) +Exception stack(0xd81a9fa8 to 0xd81a9ff0) +9fa0: b6c69c88 bec613f8 00000009 c00c642e bec613f8 b86c4600 +9fc0: b6c69c88 bec613f8 c00c642e 00000036 012762e0 01276348 00000300 012d91f8 +9fe0: b6989f18 bec613dc b697185c b667be5c +irq event stamp: 47905 +hardirqs last enabled at (47913): [] console_unlock+0x46c/0x680 +hardirqs last disabled at (47922): [] console_unlock+0xb8/0x680 +softirqs last enabled at (47754): [] __do_softirq+0x344/0x540 +softirqs last disabled at (47701): [] irq_exit+0x124/0x144 +---[ end trace af477747acbcc642 ]--- + +The reason is the contiguous buffer exceeds the default maximum segment +size of 64K as specified by dma_get_max_seg_size() in +linux/dma-mapping.h. Fix this by providing our own segment size, which +is set to 2GiB to cover the window found in MMUv1 GPUs. + +Signed-off-by: Russell King +Signed-off-by: Lucas Stach +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/etnaviv/etnaviv_drv.c | 5 +++++ + drivers/gpu/drm/etnaviv/etnaviv_drv.h | 1 + + 2 files changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/etnaviv/etnaviv_drv.c b/drivers/gpu/drm/etnaviv/etnaviv_drv.c +index 83c1f46670bfe..00675fcbffa2d 100644 +--- a/drivers/gpu/drm/etnaviv/etnaviv_drv.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_drv.c +@@ -527,6 +527,9 @@ static int etnaviv_bind(struct device *dev) + } + drm->dev_private = priv; + ++ dev->dma_parms = &priv->dma_parms; ++ dma_set_max_seg_size(dev, SZ_2G); ++ + mutex_init(&priv->gem_lock); + INIT_LIST_HEAD(&priv->gem_list); + priv->num_gpus = 0; +@@ -564,6 +567,8 @@ static void etnaviv_unbind(struct device *dev) + + component_unbind_all(dev, drm); + ++ dev->dma_parms = NULL; ++ + drm->dev_private = NULL; + kfree(priv); + +diff --git a/drivers/gpu/drm/etnaviv/etnaviv_drv.h b/drivers/gpu/drm/etnaviv/etnaviv_drv.h +index 8d02d1b7dcf5a..b2930d1fe97c0 100644 +--- a/drivers/gpu/drm/etnaviv/etnaviv_drv.h ++++ b/drivers/gpu/drm/etnaviv/etnaviv_drv.h +@@ -43,6 +43,7 @@ struct etnaviv_file_private { + + struct etnaviv_drm_private { + int num_gpus; ++ struct device_dma_parameters dma_parms; + struct etnaviv_gpu *gpu[ETNA_MAX_PIPES]; + + /* list of GEM objects: */ +-- +2.20.1 + diff --git a/queue-4.19/drm-msm-a5xx-fix-possible-object-reference-leak.patch b/queue-4.19/drm-msm-a5xx-fix-possible-object-reference-leak.patch new file mode 100644 index 00000000000..8f1bf5f9288 --- /dev/null +++ b/queue-4.19/drm-msm-a5xx-fix-possible-object-reference-leak.patch @@ -0,0 +1,73 @@ +From 8218b4a5da4b060422758e33c47886c8c9c92afc Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Thu, 4 Apr 2019 00:04:11 +0800 +Subject: drm/msm: a5xx: fix possible object reference leak + +[ Upstream commit 6cd5235c3135ea84b32469ea51b2aae384eda8af ] + +The call to of_get_child_by_name returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +drivers/gpu/drm/msm/adreno/a5xx_gpu.c:57:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 47, but without a corresponding object release within this function. +drivers/gpu/drm/msm/adreno/a5xx_gpu.c:66:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 47, but without a corresponding object release within this function. +drivers/gpu/drm/msm/adreno/a5xx_gpu.c:118:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 47, but without a corresponding object release within this function. +drivers/gpu/drm/msm/adreno/a5xx_gpu.c:57:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 51, but without a corresponding object release within this function. +drivers/gpu/drm/msm/adreno/a5xx_gpu.c:66:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 51, but without a corresponding object release within this function. +drivers/gpu/drm/msm/adreno/a5xx_gpu.c:118:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 51, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Cc: Rob Clark +Cc: Sean Paul +Cc: David Airlie +Cc: Daniel Vetter +Cc: Jordan Crouse +Cc: Mamta Shukla +Cc: Thomas Zimmermann +Cc: Sharat Masetty +Cc: linux-arm-msm@vger.kernel.org +Cc: dri-devel@lists.freedesktop.org +Cc: freedreno@lists.freedesktop.org +Cc: linux-kernel@vger.kernel.org (open list) +Reviewed-by: Jordan Crouse +Signed-off-by: Rob Clark +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c +index ab1d9308c3114..ba6f3c14495c0 100644 +--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c +@@ -35,7 +35,7 @@ static int zap_shader_load_mdt(struct msm_gpu *gpu, const char *fwname) + { + struct device *dev = &gpu->pdev->dev; + const struct firmware *fw; +- struct device_node *np; ++ struct device_node *np, *mem_np; + struct resource r; + phys_addr_t mem_phys; + ssize_t mem_size; +@@ -49,11 +49,13 @@ static int zap_shader_load_mdt(struct msm_gpu *gpu, const char *fwname) + if (!np) + return -ENODEV; + +- np = of_parse_phandle(np, "memory-region", 0); +- if (!np) ++ mem_np = of_parse_phandle(np, "memory-region", 0); ++ of_node_put(np); ++ if (!mem_np) + return -EINVAL; + +- ret = of_address_to_resource(np, 0, &r); ++ ret = of_address_to_resource(mem_np, 0, &r); ++ of_node_put(mem_np); + if (ret) + return ret; + +-- +2.20.1 + diff --git a/queue-4.19/drm-nouveau-bar-nv50-ensure-bar-is-mapped.patch b/queue-4.19/drm-nouveau-bar-nv50-ensure-bar-is-mapped.patch new file mode 100644 index 00000000000..261722298c0 --- /dev/null +++ b/queue-4.19/drm-nouveau-bar-nv50-ensure-bar-is-mapped.patch @@ -0,0 +1,58 @@ +From 3e5a06714897537a8b2339e93c4a71a70be8e461 Mon Sep 17 00:00:00 2001 +From: Jon Derrick +Date: Fri, 15 Mar 2019 18:05:16 -0600 +Subject: drm/nouveau/bar/nv50: ensure BAR is mapped + +[ Upstream commit f10b83de1fd49216a4c657816f48001437e4bdd5 ] + +If the BAR is zero size, it indicates it was never successfully mapped. +Ensure that the BAR is valid during initialization before attempting to +use it. + +Signed-off-by: Jon Derrick +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nvkm/subdev/bar/nv50.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bar/nv50.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bar/nv50.c +index 157b076a12723..38c9c086754b6 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bar/nv50.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bar/nv50.c +@@ -109,7 +109,7 @@ nv50_bar_oneinit(struct nvkm_bar *base) + struct nvkm_device *device = bar->base.subdev.device; + static struct lock_class_key bar1_lock; + static struct lock_class_key bar2_lock; +- u64 start, limit; ++ u64 start, limit, size; + int ret; + + ret = nvkm_gpuobj_new(device, 0x20000, 0, false, NULL, &bar->mem); +@@ -127,7 +127,10 @@ nv50_bar_oneinit(struct nvkm_bar *base) + + /* BAR2 */ + start = 0x0100000000ULL; +- limit = start + device->func->resource_size(device, 3); ++ size = device->func->resource_size(device, 3); ++ if (!size) ++ return -ENOMEM; ++ limit = start + size; + + ret = nvkm_vmm_new(device, start, limit-- - start, NULL, 0, + &bar2_lock, "bar2", &bar->bar2_vmm); +@@ -164,7 +167,10 @@ nv50_bar_oneinit(struct nvkm_bar *base) + + /* BAR1 */ + start = 0x0000000000ULL; +- limit = start + device->func->resource_size(device, 1); ++ size = device->func->resource_size(device, 1); ++ if (!size) ++ return -ENOMEM; ++ limit = start + size; + + ret = nvkm_vmm_new(device, start, limit-- - start, NULL, 0, + &bar1_lock, "bar1", &bar->bar1_vmm); +-- +2.20.1 + diff --git a/queue-4.19/drm-omap-dsi-fix-pm-for-display-blank-with-paired-ds.patch b/queue-4.19/drm-omap-dsi-fix-pm-for-display-blank-with-paired-ds.patch new file mode 100644 index 00000000000..1b4a283fd31 --- /dev/null +++ b/queue-4.19/drm-omap-dsi-fix-pm-for-display-blank-with-paired-ds.patch @@ -0,0 +1,167 @@ +From f16bd0bbf60032fe0cc62af77052aa6034b3043f Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Thu, 7 Feb 2019 07:45:16 -0800 +Subject: drm/omap: dsi: Fix PM for display blank with paired dss_pll calls + +[ Upstream commit fe4ed1b457943113ee1138c939fbdeede4af6cf3 ] + +Currently dsi_display_init_dsi() calls dss_pll_enable() but it is not +paired with dss_pll_disable() in dsi_display_uninit_dsi(). This leaves +the DSS clocks enabled when the display is blanked wasting about extra +5mW of power while idle. + +The clock that is left on by not calling dss_pll_disable() is +DSS_CLKCTRL bit 10 OPTFCLKEN_SYS_CLK that is the source clock for +DSI PLL. + +We can fix this issue by by making the current dsi_pll_uninit() into +dsi_pll_disable(). This way we can just call dss_pll_disable() from +dsi_display_uninit_dsi() and the code becomes a bit easier to follow. + +However, we need to also consider that DSI PLL can be muxed for DVI too +as pointed out by Tomi Valkeinen . In the DVI +case, we want to unconditionally disable the clocks. To get around this +issue, we separate out the DSI lane handling from dsi_pll_enable() and +dsi_pll_disable() as suggested by Tomi in an earlier experimental patch. + +So we must only toggle the DSI regulator based on the vdds_dsi_enabled +flag from dsi_display_init_dsi() and dsi_display_uninit_dsi(). + +We need to make these two changes together to avoid breaking things +for DVI when fixing the DSI clock handling. And this all causes a +slight renumbering of the error path for dsi_display_init_dsi(). + +Suggested-by: Tomi Valkeinen +Signed-off-by: Tony Lindgren +Signed-off-by: Tomi Valkeinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/omapdrm/dss/dsi.c | 60 ++++++++++++++++--------------- + 1 file changed, 31 insertions(+), 29 deletions(-) + +diff --git a/drivers/gpu/drm/omapdrm/dss/dsi.c b/drivers/gpu/drm/omapdrm/dss/dsi.c +index 74467b3087218..8160954ebc257 100644 +--- a/drivers/gpu/drm/omapdrm/dss/dsi.c ++++ b/drivers/gpu/drm/omapdrm/dss/dsi.c +@@ -1386,12 +1386,9 @@ static int dsi_pll_enable(struct dss_pll *pll) + */ + dsi_enable_scp_clk(dsi); + +- if (!dsi->vdds_dsi_enabled) { +- r = regulator_enable(dsi->vdds_dsi_reg); +- if (r) +- goto err0; +- dsi->vdds_dsi_enabled = true; +- } ++ r = regulator_enable(dsi->vdds_dsi_reg); ++ if (r) ++ goto err0; + + /* XXX PLL does not come out of reset without this... */ + dispc_pck_free_enable(dsi->dss->dispc, 1); +@@ -1416,36 +1413,25 @@ static int dsi_pll_enable(struct dss_pll *pll) + + return 0; + err1: +- if (dsi->vdds_dsi_enabled) { +- regulator_disable(dsi->vdds_dsi_reg); +- dsi->vdds_dsi_enabled = false; +- } ++ regulator_disable(dsi->vdds_dsi_reg); + err0: + dsi_disable_scp_clk(dsi); + dsi_runtime_put(dsi); + return r; + } + +-static void dsi_pll_uninit(struct dsi_data *dsi, bool disconnect_lanes) ++static void dsi_pll_disable(struct dss_pll *pll) + { ++ struct dsi_data *dsi = container_of(pll, struct dsi_data, pll); ++ + dsi_pll_power(dsi, DSI_PLL_POWER_OFF); +- if (disconnect_lanes) { +- WARN_ON(!dsi->vdds_dsi_enabled); +- regulator_disable(dsi->vdds_dsi_reg); +- dsi->vdds_dsi_enabled = false; +- } ++ ++ regulator_disable(dsi->vdds_dsi_reg); + + dsi_disable_scp_clk(dsi); + dsi_runtime_put(dsi); + +- DSSDBG("PLL uninit done\n"); +-} +- +-static void dsi_pll_disable(struct dss_pll *pll) +-{ +- struct dsi_data *dsi = container_of(pll, struct dsi_data, pll); +- +- dsi_pll_uninit(dsi, true); ++ DSSDBG("PLL disable done\n"); + } + + static void dsi_dump_dsi_clocks(struct dsi_data *dsi, struct seq_file *s) +@@ -4195,11 +4181,11 @@ static int dsi_display_init_dsi(struct dsi_data *dsi) + + r = dss_pll_enable(&dsi->pll); + if (r) +- goto err0; ++ return r; + + r = dsi_configure_dsi_clocks(dsi); + if (r) +- goto err1; ++ goto err0; + + dss_select_dsi_clk_source(dsi->dss, dsi->module_id, + dsi->module_id == 0 ? +@@ -4207,6 +4193,14 @@ static int dsi_display_init_dsi(struct dsi_data *dsi) + + DSSDBG("PLL OK\n"); + ++ if (!dsi->vdds_dsi_enabled) { ++ r = regulator_enable(dsi->vdds_dsi_reg); ++ if (r) ++ goto err1; ++ ++ dsi->vdds_dsi_enabled = true; ++ } ++ + r = dsi_cio_init(dsi); + if (r) + goto err2; +@@ -4235,10 +4229,13 @@ static int dsi_display_init_dsi(struct dsi_data *dsi) + err3: + dsi_cio_uninit(dsi); + err2: +- dss_select_dsi_clk_source(dsi->dss, dsi->module_id, DSS_CLK_SRC_FCK); ++ regulator_disable(dsi->vdds_dsi_reg); ++ dsi->vdds_dsi_enabled = false; + err1: +- dss_pll_disable(&dsi->pll); ++ dss_select_dsi_clk_source(dsi->dss, dsi->module_id, DSS_CLK_SRC_FCK); + err0: ++ dss_pll_disable(&dsi->pll); ++ + return r; + } + +@@ -4257,7 +4254,12 @@ static void dsi_display_uninit_dsi(struct dsi_data *dsi, bool disconnect_lanes, + + dss_select_dsi_clk_source(dsi->dss, dsi->module_id, DSS_CLK_SRC_FCK); + dsi_cio_uninit(dsi); +- dsi_pll_uninit(dsi, disconnect_lanes); ++ dss_pll_disable(&dsi->pll); ++ ++ if (disconnect_lanes) { ++ regulator_disable(dsi->vdds_dsi_reg); ++ dsi->vdds_dsi_enabled = false; ++ } + } + + static int dsi_display_enable(struct omap_dss_device *dssdev) +-- +2.20.1 + diff --git a/queue-4.19/drm-panel-otm8009a-add-delay-at-the-end-of-initializ.patch b/queue-4.19/drm-panel-otm8009a-add-delay-at-the-end-of-initializ.patch new file mode 100644 index 00000000000..4010e4ce1d9 --- /dev/null +++ b/queue-4.19/drm-panel-otm8009a-add-delay-at-the-end-of-initializ.patch @@ -0,0 +1,41 @@ +From 9c58f382a1c5b795ffcd1c4d14389c21f0d24f14 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Yannick=20Fertr=C3=A9?= +Date: Thu, 21 Mar 2019 09:04:05 +0100 +Subject: drm/panel: otm8009a: Add delay at the end of initialization +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 0084c3c71126fc878c6dab8a6ab8ecc484c2be02 ] + +At the end of initialization, a delay is required by the panel. Without +this delay, the panel could received a frame early & generate a crash of +panel (black screen). + +Signed-off-by: Yannick Fertré +Reviewed-by: Philippe Cornu +Tested-by: Philippe Cornu +Signed-off-by: Thierry Reding +Link: https://patchwork.freedesktop.org/patch/msgid/1553155445-13407-1-git-send-email-yannick.fertre@st.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-orisetech-otm8009a.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/panel/panel-orisetech-otm8009a.c b/drivers/gpu/drm/panel/panel-orisetech-otm8009a.c +index 87fa316e1d7b0..58ccf648b70fb 100644 +--- a/drivers/gpu/drm/panel/panel-orisetech-otm8009a.c ++++ b/drivers/gpu/drm/panel/panel-orisetech-otm8009a.c +@@ -248,6 +248,9 @@ static int otm8009a_init_sequence(struct otm8009a *ctx) + /* Send Command GRAM memory write (no parameters) */ + dcs_write_seq(ctx, MIPI_DCS_WRITE_MEMORY_START); + ++ /* Wait a short while to let the panel be ready before the 1st frame */ ++ mdelay(10); ++ + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.19/drm-pl111-fix-possible-object-reference-leak.patch b/queue-4.19/drm-pl111-fix-possible-object-reference-leak.patch new file mode 100644 index 00000000000..aaacfb9b567 --- /dev/null +++ b/queue-4.19/drm-pl111-fix-possible-object-reference-leak.patch @@ -0,0 +1,68 @@ +From c6af0c5416eb7d29054f4a06e7929a6052b6001c Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Thu, 4 Apr 2019 00:04:13 +0800 +Subject: drm/pl111: fix possible object reference leak + +[ Upstream commit bc29d3a69d4c1bd1a103e8b3c1ed81b807c1870b ] + +The call to of_find_matching_node_and_match returns a node pointer with +refcount incremented thus it must be explicitly decremented after the +last usage. + +Detected by coccinelle with the following warnings: +drivers/gpu/drm/pl111/pl111_versatile.c:333:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 317, but without a corresponding object release within this function. +drivers/gpu/drm/pl111/pl111_versatile.c:340:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 317, but without a corresponding object release within this function. +drivers/gpu/drm/pl111/pl111_versatile.c:346:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 317, but without a corresponding object release within this function. +drivers/gpu/drm/pl111/pl111_versatile.c:354:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 317, but without a corresponding object release within this function. +drivers/gpu/drm/pl111/pl111_versatile.c:395:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 317, but without a corresponding object release within this function. +drivers/gpu/drm/pl111/pl111_versatile.c:402:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 317, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Cc: Eric Anholt (supporter:DRM DRIVER FOR ARM PL111 CLCD) +Cc: David Airlie (maintainer:DRM DRIVERS) +Cc: Daniel Vetter (maintainer:DRM DRIVERS) +Cc: dri-devel@lists.freedesktop.org (open list:DRM DRIVERS) +Cc: linux-kernel@vger.kernel.org (open list) +Signed-off-by: Eric Anholt +Link: https://patchwork.freedesktop.org/patch/msgid/1554307455-40361-6-git-send-email-wen.yang99@zte.com.cn +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/pl111/pl111_versatile.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/pl111/pl111_versatile.c b/drivers/gpu/drm/pl111/pl111_versatile.c +index b9baefdba38a1..1c318ad32a8cd 100644 +--- a/drivers/gpu/drm/pl111/pl111_versatile.c ++++ b/drivers/gpu/drm/pl111/pl111_versatile.c +@@ -330,6 +330,7 @@ int pl111_versatile_init(struct device *dev, struct pl111_drm_dev_private *priv) + ret = vexpress_muxfpga_init(); + if (ret) { + dev_err(dev, "unable to initialize muxfpga driver\n"); ++ of_node_put(np); + return ret; + } + +@@ -337,17 +338,20 @@ int pl111_versatile_init(struct device *dev, struct pl111_drm_dev_private *priv) + pdev = of_find_device_by_node(np); + if (!pdev) { + dev_err(dev, "can't find the sysreg device, deferring\n"); ++ of_node_put(np); + return -EPROBE_DEFER; + } + map = dev_get_drvdata(&pdev->dev); + if (!map) { + dev_err(dev, "sysreg has not yet probed\n"); + platform_device_put(pdev); ++ of_node_put(np); + return -EPROBE_DEFER; + } + } else { + map = syscon_node_to_regmap(np); + } ++ of_node_put(np); + + if (IS_ERR(map)) { + dev_err(dev, "no Versatile syscon regmap\n"); +-- +2.20.1 + diff --git a/queue-4.19/drm-sun4i-dsi-change-the-start-delay-calculation.patch b/queue-4.19/drm-sun4i-dsi-change-the-start-delay-calculation.patch new file mode 100644 index 00000000000..1d8bb68bc39 --- /dev/null +++ b/queue-4.19/drm-sun4i-dsi-change-the-start-delay-calculation.patch @@ -0,0 +1,46 @@ +From b1609a9b019d3ce9effbe723f250a82406224e83 Mon Sep 17 00:00:00 2001 +From: Maxime Ripard +Date: Mon, 11 Feb 2019 15:41:23 +0100 +Subject: drm/sun4i: dsi: Change the start delay calculation + +[ Upstream commit da676c6aa6413d59ab0a80c97bbc273025e640b2 ] + +The current calculation for the video start delay in the current DSI driver +is that it is the total vertical size, minus the front porch and sync length, +plus 1. This equals to the active vertical size plus the back porch plus 1. + +That 1 is coming in the Allwinner BSP from an variable that is set to 1. +However, if we look at the Allwinner BSP more closely, and especially in +the "legacy" code for the display (in drivers/video/sunxi/legacy/), we can +see that this variable is actually computed from the porches and the sync +minus 10, clamped between 8 and 100. + +This fixes the start delay symptom we've seen on some panels (vblank +timeouts with vertical white stripes at the bottom of the panel). + +Reviewed-by: Paul Kocialkowski +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/6e5f72e68f47ca0223877464bf12f0c3f3978de8.1549896081.git-series.maxime.ripard@bootlin.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c b/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c +index e3b34a3455460..3de41de43127b 100644 +--- a/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c ++++ b/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c +@@ -357,7 +357,9 @@ static void sun6i_dsi_inst_init(struct sun6i_dsi *dsi, + static u16 sun6i_dsi_get_video_start_delay(struct sun6i_dsi *dsi, + struct drm_display_mode *mode) + { +- return mode->vtotal - (mode->vsync_end - mode->vdisplay) + 1; ++ u16 start = clamp(mode->vtotal - mode->vdisplay - 10, 8, 100); ++ ++ return mode->vtotal - (mode->vsync_end - mode->vdisplay) + start; + } + + static void sun6i_dsi_setup_burst(struct sun6i_dsi *dsi, +-- +2.20.1 + diff --git a/queue-4.19/drm-sun4i-dsi-enforce-boundaries-on-the-start-delay.patch b/queue-4.19/drm-sun4i-dsi-enforce-boundaries-on-the-start-delay.patch new file mode 100644 index 00000000000..1af57154be8 --- /dev/null +++ b/queue-4.19/drm-sun4i-dsi-enforce-boundaries-on-the-start-delay.patch @@ -0,0 +1,42 @@ +From 591a90445df13275157624d9724ea682a3dc7576 Mon Sep 17 00:00:00 2001 +From: Maxime Ripard +Date: Mon, 11 Feb 2019 15:41:24 +0100 +Subject: drm/sun4i: dsi: Enforce boundaries on the start delay + +[ Upstream commit efa31801203ac2f5c6a82a28cb991c7163ee0f1d ] + +The Allwinner BSP makes sure that we don't end up with a null start delay +or with a delay larger than vtotal. + +The former condition is likely to happen now with the reworked start delay, +so make sure we enforce the same boundaries. + +Signed-off-by: Maxime Ripard +Reviewed-by: Paul Kocialkowski +Link: https://patchwork.freedesktop.org/patch/msgid/c9889cf5f7a3d101ef380905900b45a182596f56.1549896081.git-series.maxime.ripard@bootlin.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c b/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c +index 3de41de43127b..97a0573cc5145 100644 +--- a/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c ++++ b/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c +@@ -358,8 +358,12 @@ static u16 sun6i_dsi_get_video_start_delay(struct sun6i_dsi *dsi, + struct drm_display_mode *mode) + { + u16 start = clamp(mode->vtotal - mode->vdisplay - 10, 8, 100); ++ u16 delay = mode->vtotal - (mode->vsync_end - mode->vdisplay) + start; + +- return mode->vtotal - (mode->vsync_end - mode->vdisplay) + start; ++ if (delay > mode->vtotal) ++ delay = delay % mode->vtotal; ++ ++ return max_t(u16, delay, 1); + } + + static void sun6i_dsi_setup_burst(struct sun6i_dsi *dsi, +-- +2.20.1 + diff --git a/queue-4.19/drm-v3d-handle-errors-from-irq-setup.patch b/queue-4.19/drm-v3d-handle-errors-from-irq-setup.patch new file mode 100644 index 00000000000..c3229189d83 --- /dev/null +++ b/queue-4.19/drm-v3d-handle-errors-from-irq-setup.patch @@ -0,0 +1,97 @@ +From 41f30fb3856ca654160c338a645884134cd6ac81 Mon Sep 17 00:00:00 2001 +From: Eric Anholt +Date: Fri, 8 Mar 2019 09:43:35 -0800 +Subject: drm/v3d: Handle errors from IRQ setup. + +[ Upstream commit fc22771547e7e8a63679f0218e943d72b107de65 ] + +Noted in review by Dave Emett for V3D 4.2 support. + +Signed-off-by: Eric Anholt +Link: https://patchwork.freedesktop.org/patch/msgid/20190308174336.7866-1-eric@anholt.net +Reviewed-by: Dave Emett +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/v3d/v3d_drv.c | 8 ++++++-- + drivers/gpu/drm/v3d/v3d_drv.h | 2 +- + drivers/gpu/drm/v3d/v3d_irq.c | 13 +++++++++++-- + 3 files changed, 18 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/v3d/v3d_drv.c b/drivers/gpu/drm/v3d/v3d_drv.c +index 2a85fa68ffea5..2a4c6187e675f 100644 +--- a/drivers/gpu/drm/v3d/v3d_drv.c ++++ b/drivers/gpu/drm/v3d/v3d_drv.c +@@ -305,14 +305,18 @@ static int v3d_platform_drm_probe(struct platform_device *pdev) + if (ret) + goto dev_destroy; + +- v3d_irq_init(v3d); ++ ret = v3d_irq_init(v3d); ++ if (ret) ++ goto gem_destroy; + + ret = drm_dev_register(drm, 0); + if (ret) +- goto gem_destroy; ++ goto irq_disable; + + return 0; + ++irq_disable: ++ v3d_irq_disable(v3d); + gem_destroy: + v3d_gem_destroy(drm); + dev_destroy: +diff --git a/drivers/gpu/drm/v3d/v3d_drv.h b/drivers/gpu/drm/v3d/v3d_drv.h +index e6fed696ad869..0ad73f4b7509a 100644 +--- a/drivers/gpu/drm/v3d/v3d_drv.h ++++ b/drivers/gpu/drm/v3d/v3d_drv.h +@@ -284,7 +284,7 @@ void v3d_invalidate_caches(struct v3d_dev *v3d); + void v3d_flush_caches(struct v3d_dev *v3d); + + /* v3d_irq.c */ +-void v3d_irq_init(struct v3d_dev *v3d); ++int v3d_irq_init(struct v3d_dev *v3d); + void v3d_irq_enable(struct v3d_dev *v3d); + void v3d_irq_disable(struct v3d_dev *v3d); + void v3d_irq_reset(struct v3d_dev *v3d); +diff --git a/drivers/gpu/drm/v3d/v3d_irq.c b/drivers/gpu/drm/v3d/v3d_irq.c +index e07514eb11b51..22be0f2dff99c 100644 +--- a/drivers/gpu/drm/v3d/v3d_irq.c ++++ b/drivers/gpu/drm/v3d/v3d_irq.c +@@ -137,7 +137,7 @@ v3d_hub_irq(int irq, void *arg) + return status; + } + +-void ++int + v3d_irq_init(struct v3d_dev *v3d) + { + int ret, core; +@@ -154,13 +154,22 @@ v3d_irq_init(struct v3d_dev *v3d) + ret = devm_request_irq(v3d->dev, platform_get_irq(v3d->pdev, 0), + v3d_hub_irq, IRQF_SHARED, + "v3d_hub", v3d); ++ if (ret) ++ goto fail; ++ + ret = devm_request_irq(v3d->dev, platform_get_irq(v3d->pdev, 1), + v3d_irq, IRQF_SHARED, + "v3d_core0", v3d); + if (ret) +- dev_err(v3d->dev, "IRQ setup failed: %d\n", ret); ++ goto fail; + + v3d_irq_enable(v3d); ++ return 0; ++ ++fail: ++ if (ret != -EPROBE_DEFER) ++ dev_err(v3d->dev, "IRQ setup failed: %d\n", ret); ++ return ret; + } + + void +-- +2.20.1 + diff --git a/queue-4.19/drm-wake-up-next-in-drm_read-chain-if-we-are-forced-.patch b/queue-4.19/drm-wake-up-next-in-drm_read-chain-if-we-are-forced-.patch new file mode 100644 index 00000000000..8d51c9f48d9 --- /dev/null +++ b/queue-4.19/drm-wake-up-next-in-drm_read-chain-if-we-are-forced-.patch @@ -0,0 +1,43 @@ +From 136a7ddb965a89f8425ba52a71d01305ec31b0b2 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Fri, 4 Aug 2017 09:23:28 +0100 +Subject: drm: Wake up next in drm_read() chain if we are forced to putback the + event +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 60b801999c48b6c1dd04e653a38e2e613664264e ] + +After an event is sent, we try to copy it into the user buffer of the +first waiter in drm_read() and if the user buffer doesn't have enough +room we put it back onto the list. However, we didn't wake up any +subsequent waiter, so that event may sit on the list until either a new +vblank event is sent or a new waiter appears. Rare, but in the worst +case may lead to a stuck process. + +Testcase: igt/drm_read/short-buffer-wakeup +Signed-off-by: Chris Wilson +Cc: Daniel Vetter +Reviewed-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20170804082328.17173-1-chris@chris-wilson.co.uk +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_file.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c +index e4ccb52c67ea4..334addaca9c54 100644 +--- a/drivers/gpu/drm/drm_file.c ++++ b/drivers/gpu/drm/drm_file.c +@@ -567,6 +567,7 @@ ssize_t drm_read(struct file *filp, char __user *buffer, + file_priv->event_space -= length; + list_add(&e->link, &file_priv->event_list); + spin_unlock_irq(&dev->event_lock); ++ wake_up_interruptible(&file_priv->event_wait); + break; + } + +-- +2.20.1 + diff --git a/queue-4.19/e1000e-disable-runtime-pm-on-cnp.patch b/queue-4.19/e1000e-disable-runtime-pm-on-cnp.patch new file mode 100644 index 00000000000..b065ab9f367 --- /dev/null +++ b/queue-4.19/e1000e-disable-runtime-pm-on-cnp.patch @@ -0,0 +1,44 @@ +From c3254825af171e5f127ca65284917bc093414251 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Sun, 3 Feb 2019 01:40:16 +0800 +Subject: e1000e: Disable runtime PM on CNP+ + +[ Upstream commit 459d69c407f9ba122f12216555c3012284dc9fd7 ] + +There are some new e1000e devices can only be woken up from D3 one time, +by plugging Ethernet cable. Subsequent cable plugging does set PME bit +correctly, but it still doesn't get woken up. + +Since e1000e connects to the root complex directly, we rely on ACPI to +wake it up. In this case, the GPE from _PRW only works once and stops +working after that. Though it appears to be a platform bug, e1000e +maintainers confirmed that I219 does not support D3. + +So disable runtime PM on CNP+ chips. We may need to disable earlier +generations if this bug also hit older platforms. + +Bugzilla: https://bugzilla.kernel.org/attachment.cgi?id=280819 +Signed-off-by: Kai-Heng Feng +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index 8b11682ebba22..8cd339c92c1af 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -7329,7 +7329,7 @@ static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + dev_pm_set_driver_flags(&pdev->dev, DPM_FLAG_NEVER_SKIP); + +- if (pci_dev_run_wake(pdev)) ++ if (pci_dev_run_wake(pdev) && hw->mac.type < e1000_pch_cnp) + pm_runtime_put_noidle(&pdev->dev); + + return 0; +-- +2.20.1 + diff --git a/queue-4.19/efifb-omit-memory-map-check-on-legacy-boot.patch b/queue-4.19/efifb-omit-memory-map-check-on-legacy-boot.patch new file mode 100644 index 00000000000..08fff996f00 --- /dev/null +++ b/queue-4.19/efifb-omit-memory-map-check-on-legacy-boot.patch @@ -0,0 +1,56 @@ +From 60a810ac95c43f71b8f5662d3c3b5bb52d3cc2c5 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Thu, 28 Mar 2019 20:34:26 +0100 +Subject: efifb: Omit memory map check on legacy boot + +[ Upstream commit c2999c281ea2d2ebbdfce96cecc7b52e2ae7c406 ] + +Since the following commit: + + 38ac0287b7f4 ("fbdev/efifb: Honour UEFI memory map attributes when mapping the FB") + +efifb_probe() checks its memory range via efi_mem_desc_lookup(), +and this leads to a spurious error message: + + EFI_MEMMAP is not enabled + +at every boot on KVM. This is quite annoying since the error message +appears even if you set "quiet" boot option. + +Since this happens on legacy boot, which strangely enough exposes +a EFI framebuffer via screen_info, let's double check that we are +doing an EFI boot before attempting to access the EFI memory map. + +Reported-by: Takashi Iwai +Tested-by: Takashi Iwai +Signed-off-by: Ard Biesheuvel +Cc: Linus Torvalds +Cc: Matt Fleming +Cc: Peter Jones +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Link: http://lkml.kernel.org/r/20190328193429.21373-3-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/efifb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c +index fd02e8a4841d6..9f39f0c360e0c 100644 +--- a/drivers/video/fbdev/efifb.c ++++ b/drivers/video/fbdev/efifb.c +@@ -464,7 +464,8 @@ static int efifb_probe(struct platform_device *dev) + info->apertures->ranges[0].base = efifb_fix.smem_start; + info->apertures->ranges[0].size = size_remap; + +- if (!efi_mem_desc_lookup(efifb_fix.smem_start, &md)) { ++ if (efi_enabled(EFI_BOOT) && ++ !efi_mem_desc_lookup(efifb_fix.smem_start, &md)) { + if ((efifb_fix.smem_start + efifb_fix.smem_len) > + (md.phys_addr + (md.num_pages << EFI_PAGE_SHIFT))) { + pr_err("efifb: video memory @ 0x%lx spans multiple EFI memory regions\n", +-- +2.20.1 + diff --git a/queue-4.19/extcon-arizona-disable-mic-detect-if-running-when-dr.patch b/queue-4.19/extcon-arizona-disable-mic-detect-if-running-when-dr.patch new file mode 100644 index 00000000000..b102e421129 --- /dev/null +++ b/queue-4.19/extcon-arizona-disable-mic-detect-if-running-when-dr.patch @@ -0,0 +1,48 @@ +From 86ed8cfafff76d301f9bbdddafe4b74e1632a0cf Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Thu, 4 Apr 2019 17:33:56 +0100 +Subject: extcon: arizona: Disable mic detect if running when driver is removed + +[ Upstream commit 00053de52231117ddc154042549f2256183ffb86 ] + +Microphone detection provides the button detection features on the +Arizona CODECs as such it will be running if the jack is currently +inserted. If the driver is unbound whilst the jack is still inserted +this will cause warnings from the regulator framework as the MICVDD +regulator is put but was never disabled. + +Correct this by disabling microphone detection on driver removal and if +the microphone detection was running disable the regulator and put the +runtime reference that was currently held. + +Signed-off-by: Charles Keepax +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/extcon/extcon-arizona.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/extcon/extcon-arizona.c b/drivers/extcon/extcon-arizona.c +index da0e9bc4262fa..9327479c719c2 100644 +--- a/drivers/extcon/extcon-arizona.c ++++ b/drivers/extcon/extcon-arizona.c +@@ -1726,6 +1726,16 @@ static int arizona_extcon_remove(struct platform_device *pdev) + struct arizona_extcon_info *info = platform_get_drvdata(pdev); + struct arizona *arizona = info->arizona; + int jack_irq_rise, jack_irq_fall; ++ bool change; ++ ++ regmap_update_bits_check(arizona->regmap, ARIZONA_MIC_DETECT_1, ++ ARIZONA_MICD_ENA, 0, ++ &change); ++ ++ if (change) { ++ regulator_disable(info->micvdd); ++ pm_runtime_put(info->dev); ++ } + + gpiod_put(info->micd_pol_gpio); + +-- +2.20.1 + diff --git a/queue-4.19/gfs2-fix-lru_count-going-negative.patch b/queue-4.19/gfs2-fix-lru_count-going-negative.patch new file mode 100644 index 00000000000..3815b01cf10 --- /dev/null +++ b/queue-4.19/gfs2-fix-lru_count-going-negative.patch @@ -0,0 +1,111 @@ +From 857db7843b4996b78318942b703368f53b5bf612 Mon Sep 17 00:00:00 2001 +From: Ross Lagerwall +Date: Wed, 27 Mar 2019 17:09:17 +0000 +Subject: gfs2: Fix lru_count going negative + +[ Upstream commit 7881ef3f33bb80f459ea6020d1e021fc524a6348 ] + +Under certain conditions, lru_count may drop below zero resulting in +a large amount of log spam like this: + +vmscan: shrink_slab: gfs2_dump_glock+0x3b0/0x630 [gfs2] \ + negative objects to delete nr=-1 + +This happens as follows: +1) A glock is moved from lru_list to the dispose list and lru_count is + decremented. +2) The dispose function calls cond_resched() and drops the lru lock. +3) Another thread takes the lru lock and tries to add the same glock to + lru_list, checking if the glock is on an lru list. +4) It is on a list (actually the dispose list) and so it avoids + incrementing lru_count. +5) The glock is moved to lru_list. +5) The original thread doesn't dispose it because it has been re-added + to the lru list but the lru_count has still decreased by one. + +Fix by checking if the LRU flag is set on the glock rather than checking +if the glock is on some list and rearrange the code so that the LRU flag +is added/removed precisely when the glock is added/removed from lru_list. + +Signed-off-by: Ross Lagerwall +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/glock.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c +index 9d566e62684c2..775256141e9fb 100644 +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -183,15 +183,19 @@ static int demote_ok(const struct gfs2_glock *gl) + + void gfs2_glock_add_to_lru(struct gfs2_glock *gl) + { ++ if (!(gl->gl_ops->go_flags & GLOF_LRU)) ++ return; ++ + spin_lock(&lru_lock); + +- if (!list_empty(&gl->gl_lru)) +- list_del_init(&gl->gl_lru); +- else ++ list_del(&gl->gl_lru); ++ list_add_tail(&gl->gl_lru, &lru_list); ++ ++ if (!test_bit(GLF_LRU, &gl->gl_flags)) { ++ set_bit(GLF_LRU, &gl->gl_flags); + atomic_inc(&lru_count); ++ } + +- list_add_tail(&gl->gl_lru, &lru_list); +- set_bit(GLF_LRU, &gl->gl_flags); + spin_unlock(&lru_lock); + } + +@@ -201,7 +205,7 @@ static void gfs2_glock_remove_from_lru(struct gfs2_glock *gl) + return; + + spin_lock(&lru_lock); +- if (!list_empty(&gl->gl_lru)) { ++ if (test_bit(GLF_LRU, &gl->gl_flags)) { + list_del_init(&gl->gl_lru); + atomic_dec(&lru_count); + clear_bit(GLF_LRU, &gl->gl_flags); +@@ -1158,8 +1162,7 @@ void gfs2_glock_dq(struct gfs2_holder *gh) + !test_bit(GLF_DEMOTE, &gl->gl_flags)) + fast_path = 1; + } +- if (!test_bit(GLF_LFLUSH, &gl->gl_flags) && demote_ok(gl) && +- (glops->go_flags & GLOF_LRU)) ++ if (!test_bit(GLF_LFLUSH, &gl->gl_flags) && demote_ok(gl)) + gfs2_glock_add_to_lru(gl); + + trace_gfs2_glock_queue(gh, 0); +@@ -1455,6 +1458,7 @@ __acquires(&lru_lock) + if (!spin_trylock(&gl->gl_lockref.lock)) { + add_back_to_lru: + list_add(&gl->gl_lru, &lru_list); ++ set_bit(GLF_LRU, &gl->gl_flags); + atomic_inc(&lru_count); + continue; + } +@@ -1462,7 +1466,6 @@ __acquires(&lru_lock) + spin_unlock(&gl->gl_lockref.lock); + goto add_back_to_lru; + } +- clear_bit(GLF_LRU, &gl->gl_flags); + gl->gl_lockref.count++; + if (demote_ok(gl)) + handle_callback(gl, LM_ST_UNLOCKED, 0, false); +@@ -1497,6 +1500,7 @@ static long gfs2_scan_glock_lru(int nr) + if (!test_bit(GLF_LOCK, &gl->gl_flags)) { + list_move(&gl->gl_lru, &dispose); + atomic_dec(&lru_count); ++ clear_bit(GLF_LRU, &gl->gl_flags); + freed++; + continue; + } +-- +2.20.1 + diff --git a/queue-4.19/gfs2-fix-occasional-glock-use-after-free.patch b/queue-4.19/gfs2-fix-occasional-glock-use-after-free.patch new file mode 100644 index 00000000000..778a67d4cff --- /dev/null +++ b/queue-4.19/gfs2-fix-occasional-glock-use-after-free.patch @@ -0,0 +1,97 @@ +From cb188c44db95d0a33b7d781dceaed5989585d478 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Thu, 4 Apr 2019 21:11:11 +0100 +Subject: gfs2: Fix occasional glock use-after-free + +[ Upstream commit 9287c6452d2b1f24ea8e84bd3cf6f3c6f267f712 ] + +This patch has to do with the life cycle of glocks and buffers. When +gfs2 metadata or journaled data is queued to be written, a gfs2_bufdata +object is assigned to track the buffer, and that is queued to various +lists, including the glock's gl_ail_list to indicate it's on the active +items list. Once the page associated with the buffer has been written, +it is removed from the ail list, but its life isn't over until a revoke +has been successfully written. + +So after the block is written, its bufdata object is moved from the +glock's gl_ail_list to a file-system-wide list of pending revokes, +sd_log_le_revoke. At that point the glock still needs to track how many +revokes it contributed to that list (in gl_revokes) so that things like +glock go_sync can ensure all the metadata has been not only written, but +also revoked before the glock is granted to a different node. This is +to guarantee journal replay doesn't replay the block once the glock has +been granted to another node. + +Ross Lagerwall recently discovered a race in which an inode could be +evicted, and its glock freed after its ail list had been synced, but +while it still had unwritten revokes on the sd_log_le_revoke list. The +evict decremented the glock reference count to zero, which allowed the +glock to be freed. After the revoke was written, function +revoke_lo_after_commit tried to adjust the glock's gl_revokes counter +and clear its GLF_LFLUSH flag, at which time it referenced the freed +glock. + +This patch fixes the problem by incrementing the glock reference count +in gfs2_add_revoke when the glock's first bufdata object is moved from +the glock to the global revokes list. Later, when the glock's last such +bufdata object is freed, the reference count is decremented. This +guarantees that whichever process finishes last (the revoke writing or +the evict) will properly free the glock, and neither will reference the +glock after it has been freed. + +Reported-by: Ross Lagerwall +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Bob Peterson +Signed-off-by: Sasha Levin +--- + fs/gfs2/glock.c | 1 + + fs/gfs2/log.c | 3 ++- + fs/gfs2/lops.c | 6 ++++-- + 3 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c +index 775256141e9fb..ccdd8c821abd7 100644 +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -140,6 +140,7 @@ void gfs2_glock_free(struct gfs2_glock *gl) + { + struct gfs2_sbd *sdp = gl->gl_name.ln_sbd; + ++ BUG_ON(atomic_read(&gl->gl_revokes)); + rhashtable_remove_fast(&gl_hash_table, &gl->gl_node, ht_parms); + smp_mb(); + wake_up_glock(gl); +diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c +index ee20ea42e7b59..cd85092723dea 100644 +--- a/fs/gfs2/log.c ++++ b/fs/gfs2/log.c +@@ -604,7 +604,8 @@ void gfs2_add_revoke(struct gfs2_sbd *sdp, struct gfs2_bufdata *bd) + bd->bd_bh = NULL; + bd->bd_ops = &gfs2_revoke_lops; + sdp->sd_log_num_revoke++; +- atomic_inc(&gl->gl_revokes); ++ if (atomic_inc_return(&gl->gl_revokes) == 1) ++ gfs2_glock_hold(gl); + set_bit(GLF_LFLUSH, &gl->gl_flags); + list_add(&bd->bd_list, &sdp->sd_log_le_revoke); + } +diff --git a/fs/gfs2/lops.c b/fs/gfs2/lops.c +index f2567f958d002..8f99b395d7bf6 100644 +--- a/fs/gfs2/lops.c ++++ b/fs/gfs2/lops.c +@@ -662,8 +662,10 @@ static void revoke_lo_after_commit(struct gfs2_sbd *sdp, struct gfs2_trans *tr) + bd = list_entry(head->next, struct gfs2_bufdata, bd_list); + list_del_init(&bd->bd_list); + gl = bd->bd_gl; +- atomic_dec(&gl->gl_revokes); +- clear_bit(GLF_LFLUSH, &gl->gl_flags); ++ if (atomic_dec_return(&gl->gl_revokes) == 0) { ++ clear_bit(GLF_LFLUSH, &gl->gl_flags); ++ gfs2_glock_queue_put(gl); ++ } + kmem_cache_free(gfs2_bufdata_cachep, bd); + } + } +-- +2.20.1 + diff --git a/queue-4.19/hid-core-move-usage-page-concatenation-to-main-item.patch b/queue-4.19/hid-core-move-usage-page-concatenation-to-main-item.patch new file mode 100644 index 00000000000..a759d9fc359 --- /dev/null +++ b/queue-4.19/hid-core-move-usage-page-concatenation-to-main-item.patch @@ -0,0 +1,148 @@ +From d7b16fad3ac8d574c9ff1e4f2ad95322f6c7c57c Mon Sep 17 00:00:00 2001 +From: Nicolas Saenz Julienne +Date: Wed, 27 Mar 2019 11:18:48 +0100 +Subject: HID: core: move Usage Page concatenation to Main item + +[ Upstream commit 58e75155009cc800005629955d3482f36a1e0eec ] + +As seen on some USB wireless keyboards manufactured by Primax, the HID +parser was using some assumptions that are not always true. In this case +it's s the fact that, inside the scope of a main item, an Usage Page +will always precede an Usage. + +The spec is not pretty clear as 6.2.2.7 states "Any usage that follows +is interpreted as a Usage ID and concatenated with the Usage Page". +While 6.2.2.8 states "When the parser encounters a main item it +concatenates the last declared Usage Page with a Usage to form a +complete usage value." Being somewhat contradictory it was decided to +match Window's implementation, which follows 6.2.2.8. + +In summary, the patch moves the Usage Page concatenation from the local +item parsing function to the main item parsing function. + +Signed-off-by: Nicolas Saenz Julienne +Reviewed-by: Terry Junge +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-core.c | 36 ++++++++++++++++++++++++------------ + include/linux/hid.h | 1 + + 2 files changed, 25 insertions(+), 12 deletions(-) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 44564f61e9cc3..861375561156c 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -215,13 +215,14 @@ static unsigned hid_lookup_collection(struct hid_parser *parser, unsigned type) + * Add a usage to the temporary parser table. + */ + +-static int hid_add_usage(struct hid_parser *parser, unsigned usage) ++static int hid_add_usage(struct hid_parser *parser, unsigned usage, u8 size) + { + if (parser->local.usage_index >= HID_MAX_USAGES) { + hid_err(parser->device, "usage index exceeded\n"); + return -1; + } + parser->local.usage[parser->local.usage_index] = usage; ++ parser->local.usage_size[parser->local.usage_index] = size; + parser->local.collection_index[parser->local.usage_index] = + parser->collection_stack_ptr ? + parser->collection_stack[parser->collection_stack_ptr - 1] : 0; +@@ -482,10 +483,7 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item) + return 0; + } + +- if (item->size <= 2) +- data = (parser->global.usage_page << 16) + data; +- +- return hid_add_usage(parser, data); ++ return hid_add_usage(parser, data, item->size); + + case HID_LOCAL_ITEM_TAG_USAGE_MINIMUM: + +@@ -494,9 +492,6 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item) + return 0; + } + +- if (item->size <= 2) +- data = (parser->global.usage_page << 16) + data; +- + parser->local.usage_minimum = data; + return 0; + +@@ -507,9 +502,6 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item) + return 0; + } + +- if (item->size <= 2) +- data = (parser->global.usage_page << 16) + data; +- + count = data - parser->local.usage_minimum; + if (count + parser->local.usage_index >= HID_MAX_USAGES) { + /* +@@ -529,7 +521,7 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item) + } + + for (n = parser->local.usage_minimum; n <= data; n++) +- if (hid_add_usage(parser, n)) { ++ if (hid_add_usage(parser, n, item->size)) { + dbg_hid("hid_add_usage failed\n"); + return -1; + } +@@ -543,6 +535,22 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item) + return 0; + } + ++/* ++ * Concatenate Usage Pages into Usages where relevant: ++ * As per specification, 6.2.2.8: "When the parser encounters a main item it ++ * concatenates the last declared Usage Page with a Usage to form a complete ++ * usage value." ++ */ ++ ++static void hid_concatenate_usage_page(struct hid_parser *parser) ++{ ++ int i; ++ ++ for (i = 0; i < parser->local.usage_index; i++) ++ if (parser->local.usage_size[i] <= 2) ++ parser->local.usage[i] += parser->global.usage_page << 16; ++} ++ + /* + * Process a main item. + */ +@@ -552,6 +560,8 @@ static int hid_parser_main(struct hid_parser *parser, struct hid_item *item) + __u32 data; + int ret; + ++ hid_concatenate_usage_page(parser); ++ + data = item_udata(item); + + switch (item->tag) { +@@ -761,6 +771,8 @@ static int hid_scan_main(struct hid_parser *parser, struct hid_item *item) + __u32 data; + int i; + ++ hid_concatenate_usage_page(parser); ++ + data = item_udata(item); + + switch (item->tag) { +diff --git a/include/linux/hid.h b/include/linux/hid.h +index d44a783629425..8b3e5e8a72fbc 100644 +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -414,6 +414,7 @@ struct hid_global { + + struct hid_local { + unsigned usage[HID_MAX_USAGES]; /* usage array */ ++ u8 usage_size[HID_MAX_USAGES]; /* usage size array */ + unsigned collection_index[HID_MAX_USAGES]; /* collection index array */ + unsigned usage_index; + unsigned usage_minimum; +-- +2.20.1 + diff --git a/queue-4.19/hid-logitech-hidpp-change-low-battery-level-threshol.patch b/queue-4.19/hid-logitech-hidpp-change-low-battery-level-threshol.patch new file mode 100644 index 00000000000..1c1ee309943 --- /dev/null +++ b/queue-4.19/hid-logitech-hidpp-change-low-battery-level-threshol.patch @@ -0,0 +1,52 @@ +From fbedf8d357d06295072840a8793c2a33aafca05e Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Fri, 22 Mar 2019 08:41:40 +0100 +Subject: HID: logitech-hidpp: change low battery level threshold from 31 to 30 + percent + +[ Upstream commit 1f87b0cd32b3456d7efdfb017fcf74d0bfe3ec29 ] + +According to hidpp20_batterylevel_get_battery_info my Logitech K270 +keyboard reports only 2 battery levels. This matches with what I've seen +after testing with batteries at varying level of fullness, it always +reports either 5% or 30%. + +Windows reports "battery good" for the 30% level. I've captured an USB +trace of Windows reading the battery and it is getting the same info +as the Linux hidpp code gets. + +Now that Linux handles these devices as hidpp devices, it reports the +battery as being low as it treats anything under 31% as low, this leads +to the user constantly getting a "Keyboard battery is low" warning from +GNOME3, which is very annoying. + +This commit fixes this by changing the low threshold to anything under +30%, which I assume is what Windows does. + +Signed-off-by: Hans de Goede +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-logitech-hidpp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c +index edf224ad13369..e642cfaf303b4 100644 +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -910,7 +910,11 @@ static int hidpp_map_battery_level(int capacity) + { + if (capacity < 11) + return POWER_SUPPLY_CAPACITY_LEVEL_CRITICAL; +- else if (capacity < 31) ++ /* ++ * The spec says this should be < 31 but some devices report 30 ++ * with brand new batteries and Windows reports 30 as "Good". ++ */ ++ else if (capacity < 30) + return POWER_SUPPLY_CAPACITY_LEVEL_LOW; + else if (capacity < 81) + return POWER_SUPPLY_CAPACITY_LEVEL_NORMAL; +-- +2.20.1 + diff --git a/queue-4.19/hid-logitech-hidpp-use-rap-instead-of-fap-to-get-the.patch b/queue-4.19/hid-logitech-hidpp-use-rap-instead-of-fap-to-get-the.patch new file mode 100644 index 00000000000..3be816ce8db --- /dev/null +++ b/queue-4.19/hid-logitech-hidpp-use-rap-instead-of-fap-to-get-the.patch @@ -0,0 +1,77 @@ +From 7ab186c58ce66f8fdc060ed0cdb48bf974893859 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 20 Apr 2019 13:22:10 +0200 +Subject: HID: logitech-hidpp: use RAP instead of FAP to get the protocol + version + +[ Upstream commit 096377525cdb8251e4656085efc988bdf733fb4c ] + +According to the logitech_hidpp_2.0_specification_draft_2012-06-04.pdf doc: +https://lekensteyn.nl/files/logitech/logitech_hidpp_2.0_specification_draft_2012-06-04.pdf + +We should use a register-access-protocol request using the short input / +output report ids. This is necessary because 27MHz HID++ receivers have +a max-packetsize on their HIP++ endpoint of 8, so they cannot support +long reports. Using a feature-access-protocol request (which is always +long or very-long) with these will cause a timeout error, followed by +the hidpp driver treating the device as not being HID++ capable. + +This commit fixes this by switching to using a rap request to get the +protocol version. + +Besides being tested with a (046d:c517) 27MHz receiver with various +27MHz keyboards and mice, this has also been tested to not cause +regressions on a non-unifying dual-HID++ nano receiver (046d:c534) with +k270 and m185 HID++-2.0 devices connected and on a unifying/dj receiver +(046d:c52b) with a HID++-2.0 Logitech Rechargeable Touchpad T650. + +Signed-off-by: Hans de Goede +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-logitech-hidpp.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c +index 8425d3548a414..edf224ad13369 100644 +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -725,13 +725,16 @@ static int hidpp_root_get_feature(struct hidpp_device *hidpp, u16 feature, + + static int hidpp_root_get_protocol_version(struct hidpp_device *hidpp) + { ++ const u8 ping_byte = 0x5a; ++ u8 ping_data[3] = { 0, 0, ping_byte }; + struct hidpp_report response; + int ret; + +- ret = hidpp_send_fap_command_sync(hidpp, ++ ret = hidpp_send_rap_command_sync(hidpp, ++ REPORT_ID_HIDPP_SHORT, + HIDPP_PAGE_ROOT_IDX, + CMD_ROOT_GET_PROTOCOL_VERSION, +- NULL, 0, &response); ++ ping_data, sizeof(ping_data), &response); + + if (ret == HIDPP_ERROR_INVALID_SUBID) { + hidpp->protocol_major = 1; +@@ -751,8 +754,14 @@ static int hidpp_root_get_protocol_version(struct hidpp_device *hidpp) + if (ret) + return ret; + +- hidpp->protocol_major = response.fap.params[0]; +- hidpp->protocol_minor = response.fap.params[1]; ++ if (response.rap.params[2] != ping_byte) { ++ hid_err(hidpp->hid_dev, "%s: ping mismatch 0x%02x != 0x%02x\n", ++ __func__, response.rap.params[2], ping_byte); ++ return -EPROTO; ++ } ++ ++ hidpp->protocol_major = response.rap.params[0]; ++ hidpp->protocol_minor = response.rap.params[1]; + + return ret; + } +-- +2.20.1 + diff --git a/queue-4.19/hv_netvsc-fix-race-that-may-miss-tx-queue-wakeup.patch b/queue-4.19/hv_netvsc-fix-race-that-may-miss-tx-queue-wakeup.patch new file mode 100644 index 00000000000..78820e05f75 --- /dev/null +++ b/queue-4.19/hv_netvsc-fix-race-that-may-miss-tx-queue-wakeup.patch @@ -0,0 +1,60 @@ +From 64c047295d07aeaf9fd8c5e28d00e591cab8c724 Mon Sep 17 00:00:00 2001 +From: Haiyang Zhang +Date: Tue, 30 Apr 2019 19:29:07 +0000 +Subject: hv_netvsc: fix race that may miss tx queue wakeup + +[ Upstream commit 93aa4792c3908eac87ddd368ee0fe0564148232b ] + +When the ring buffer is almost full due to RX completion messages, a +TX packet may reach the "low watermark" and cause the queue stopped. +If the TX completion arrives earlier than queue stopping, the wakeup +may be missed. + +This patch moves the check for the last pending packet to cover both +EAGAIN and success cases, so the queue will be reliably waked up when +necessary. + +Reported-and-tested-by: Stephan Klein +Signed-off-by: Haiyang Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hyperv/netvsc.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c +index fb12b63439c67..35413041dcf81 100644 +--- a/drivers/net/hyperv/netvsc.c ++++ b/drivers/net/hyperv/netvsc.c +@@ -872,12 +872,6 @@ static inline int netvsc_send_pkt( + } else if (ret == -EAGAIN) { + netif_tx_stop_queue(txq); + ndev_ctx->eth_stats.stop_queue++; +- if (atomic_read(&nvchan->queue_sends) < 1 && +- !net_device->tx_disable) { +- netif_tx_wake_queue(txq); +- ndev_ctx->eth_stats.wake_queue++; +- ret = -ENOSPC; +- } + } else { + netdev_err(ndev, + "Unable to send packet pages %u len %u, ret %d\n", +@@ -885,6 +879,15 @@ static inline int netvsc_send_pkt( + ret); + } + ++ if (netif_tx_queue_stopped(txq) && ++ atomic_read(&nvchan->queue_sends) < 1 && ++ !net_device->tx_disable) { ++ netif_tx_wake_queue(txq); ++ ndev_ctx->eth_stats.wake_queue++; ++ if (ret == -EAGAIN) ++ ret = -ENOSPC; ++ } ++ + return ret; + } + +-- +2.20.1 + diff --git a/queue-4.19/hwmon-f71805f-use-request_muxed_region-for-super-io-.patch b/queue-4.19/hwmon-f71805f-use-request_muxed_region-for-super-io-.patch new file mode 100644 index 00000000000..09dde0a0620 --- /dev/null +++ b/queue-4.19/hwmon-f71805f-use-request_muxed_region-for-super-io-.patch @@ -0,0 +1,91 @@ +From b50055a0d55a98c5ca69d52f5d22cdb89c030051 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Thu, 4 Apr 2019 10:52:43 -0700 +Subject: hwmon: (f71805f) Use request_muxed_region for Super-IO accesses + +[ Upstream commit 73e6ff71a7ea924fb7121d576a2d41e3be3fc6b5 ] + +Super-IO accesses may fail on a system with no or unmapped LPC bus. + +Unable to handle kernel paging request at virtual address ffffffbffee0002e +pgd = ffffffc1d68d4000 +[ffffffbffee0002e] *pgd=0000000000000000, *pud=0000000000000000 +Internal error: Oops: 94000046 [#1] PREEMPT SMP +Modules linked in: f71805f(+) hwmon +CPU: 3 PID: 1659 Comm: insmod Not tainted 4.5.0+ #88 +Hardware name: linux,dummy-virt (DT) +task: ffffffc1f6665400 ti: ffffffc1d6418000 task.ti: ffffffc1d6418000 +PC is at f71805f_find+0x6c/0x358 [f71805f] + +Also, other drivers may attempt to access the LPC bus at the same time, +resulting in undefined behavior. + +Use request_muxed_region() to ensure that IO access on the requested +address space is supported, and to ensure that access by multiple +drivers is synchronized. + +Fixes: e53004e20a58e ("hwmon: New f71805f driver") +Reported-by: Kefeng Wang +Reported-by: John Garry +Cc: John Garry +Acked-by: John Garry +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/f71805f.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/hwmon/f71805f.c b/drivers/hwmon/f71805f.c +index 73c681162653b..623736d2a7c1d 100644 +--- a/drivers/hwmon/f71805f.c ++++ b/drivers/hwmon/f71805f.c +@@ -96,17 +96,23 @@ superio_select(int base, int ld) + outb(ld, base + 1); + } + +-static inline void ++static inline int + superio_enter(int base) + { ++ if (!request_muxed_region(base, 2, DRVNAME)) ++ return -EBUSY; ++ + outb(0x87, base); + outb(0x87, base); ++ ++ return 0; + } + + static inline void + superio_exit(int base) + { + outb(0xaa, base); ++ release_region(base, 2); + } + + /* +@@ -1561,7 +1567,7 @@ static int __init f71805f_device_add(unsigned short address, + static int __init f71805f_find(int sioaddr, unsigned short *address, + struct f71805f_sio_data *sio_data) + { +- int err = -ENODEV; ++ int err; + u16 devid; + + static const char * const names[] = { +@@ -1569,8 +1575,11 @@ static int __init f71805f_find(int sioaddr, unsigned short *address, + "F71872F/FG or F71806F/FG", + }; + +- superio_enter(sioaddr); ++ err = superio_enter(sioaddr); ++ if (err) ++ return err; + ++ err = -ENODEV; + devid = superio_inw(sioaddr, SIO_REG_MANID); + if (devid != SIO_FINTEK_ID) + goto exit; +-- +2.20.1 + diff --git a/queue-4.19/hwmon-pc87427-use-request_muxed_region-for-super-io-.patch b/queue-4.19/hwmon-pc87427-use-request_muxed_region-for-super-io-.patch new file mode 100644 index 00000000000..79d1f983c61 --- /dev/null +++ b/queue-4.19/hwmon-pc87427-use-request_muxed_region-for-super-io-.patch @@ -0,0 +1,69 @@ +From ab899ff191e836ac67e410af5b9c5ac52a27d321 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Thu, 4 Apr 2019 11:16:20 -0700 +Subject: hwmon: (pc87427) Use request_muxed_region for Super-IO accesses + +[ Upstream commit 755a9b0f8aaa5639ba5671ca50080852babb89ce ] + +Super-IO accesses may fail on a system with no or unmapped LPC bus. + +Also, other drivers may attempt to access the LPC bus at the same time, +resulting in undefined behavior. + +Use request_muxed_region() to ensure that IO access on the requested +address space is supported, and to ensure that access by multiple drivers +is synchronized. + +Fixes: ba224e2c4f0a7 ("hwmon: New PC87427 hardware monitoring driver") +Reported-by: Kefeng Wang +Reported-by: John Garry +Cc: John Garry +Acked-by: John Garry +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pc87427.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwmon/pc87427.c b/drivers/hwmon/pc87427.c +index dc5a9d5ada516..81a05cd1a5121 100644 +--- a/drivers/hwmon/pc87427.c ++++ b/drivers/hwmon/pc87427.c +@@ -106,6 +106,13 @@ static const char *logdev_str[2] = { DRVNAME " FMC", DRVNAME " HMC" }; + #define LD_IN 1 + #define LD_TEMP 1 + ++static inline int superio_enter(int sioaddr) ++{ ++ if (!request_muxed_region(sioaddr, 2, DRVNAME)) ++ return -EBUSY; ++ return 0; ++} ++ + static inline void superio_outb(int sioaddr, int reg, int val) + { + outb(reg, sioaddr); +@@ -122,6 +129,7 @@ static inline void superio_exit(int sioaddr) + { + outb(0x02, sioaddr); + outb(0x02, sioaddr + 1); ++ release_region(sioaddr, 2); + } + + /* +@@ -1220,7 +1228,11 @@ static int __init pc87427_find(int sioaddr, struct pc87427_sio_data *sio_data) + { + u16 val; + u8 cfg, cfg_b; +- int i, err = 0; ++ int i, err; ++ ++ err = superio_enter(sioaddr); ++ if (err) ++ return err; + + /* Identify device */ + val = force_id ? force_id : superio_inb(sioaddr, SIOREG_DEVID); +-- +2.20.1 + diff --git a/queue-4.19/hwmon-smsc47b397-use-request_muxed_region-for-super-.patch b/queue-4.19/hwmon-smsc47b397-use-request_muxed_region-for-super-.patch new file mode 100644 index 00000000000..69382717c33 --- /dev/null +++ b/queue-4.19/hwmon-smsc47b397-use-request_muxed_region-for-super-.patch @@ -0,0 +1,69 @@ +From df68c0f27841c094c59724d47789542145c723bc Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Thu, 4 Apr 2019 11:22:42 -0700 +Subject: hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses + +[ Upstream commit 8c0826756744c0ac1df600a5e4cca1a341b13101 ] + +Super-IO accesses may fail on a system with no or unmapped LPC bus. + +Also, other drivers may attempt to access the LPC bus at the same time, +resulting in undefined behavior. + +Use request_muxed_region() to ensure that IO access on the requested +address space is supported, and to ensure that access by multiple drivers +is synchronized. + +Fixes: 8d5d45fb1468 ("I2C: Move hwmon drivers (2/3)") +Reported-by: Kefeng Wang +Reported-by: John Garry +Cc: John Garry +Acked-by: John Garry +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/smsc47b397.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/smsc47b397.c b/drivers/hwmon/smsc47b397.c +index 6bd2007565603..cbdb5c4991ae3 100644 +--- a/drivers/hwmon/smsc47b397.c ++++ b/drivers/hwmon/smsc47b397.c +@@ -72,14 +72,19 @@ static inline void superio_select(int ld) + superio_outb(0x07, ld); + } + +-static inline void superio_enter(void) ++static inline int superio_enter(void) + { ++ if (!request_muxed_region(REG, 2, DRVNAME)) ++ return -EBUSY; ++ + outb(0x55, REG); ++ return 0; + } + + static inline void superio_exit(void) + { + outb(0xAA, REG); ++ release_region(REG, 2); + } + + #define SUPERIO_REG_DEVID 0x20 +@@ -300,8 +305,12 @@ static int __init smsc47b397_find(void) + u8 id, rev; + char *name; + unsigned short addr; ++ int err; ++ ++ err = superio_enter(); ++ if (err) ++ return err; + +- superio_enter(); + id = force_id ? force_id : superio_inb(SUPERIO_REG_DEVID); + + switch (id) { +-- +2.20.1 + diff --git a/queue-4.19/hwmon-smsc47m1-use-request_muxed_region-for-super-io.patch b/queue-4.19/hwmon-smsc47m1-use-request_muxed_region-for-super-io.patch new file mode 100644 index 00000000000..3dc4caa3cc7 --- /dev/null +++ b/queue-4.19/hwmon-smsc47m1-use-request_muxed_region-for-super-io.patch @@ -0,0 +1,93 @@ +From 897e43b3358436a02b968dceaa450065793488f2 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Thu, 4 Apr 2019 11:28:37 -0700 +Subject: hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses + +[ Upstream commit d6410408ad2a798c4cc685252c1baa713be0ad69 ] + +Super-IO accesses may fail on a system with no or unmapped LPC bus. + +Also, other drivers may attempt to access the LPC bus at the same time, +resulting in undefined behavior. + +Use request_muxed_region() to ensure that IO access on the requested +address space is supported, and to ensure that access by multiple drivers +is synchronized. + +Fixes: 8d5d45fb1468 ("I2C: Move hwmon drivers (2/3)") +Reported-by: Kefeng Wang +Reported-by: John Garry +Cc: John Garry +Acked-by: John Garry +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/smsc47m1.c | 28 +++++++++++++++++++--------- + 1 file changed, 19 insertions(+), 9 deletions(-) + +diff --git a/drivers/hwmon/smsc47m1.c b/drivers/hwmon/smsc47m1.c +index c7b6a425e2c02..5eeac9853d0ae 100644 +--- a/drivers/hwmon/smsc47m1.c ++++ b/drivers/hwmon/smsc47m1.c +@@ -73,16 +73,21 @@ superio_inb(int reg) + /* logical device for fans is 0x0A */ + #define superio_select() superio_outb(0x07, 0x0A) + +-static inline void ++static inline int + superio_enter(void) + { ++ if (!request_muxed_region(REG, 2, DRVNAME)) ++ return -EBUSY; ++ + outb(0x55, REG); ++ return 0; + } + + static inline void + superio_exit(void) + { + outb(0xAA, REG); ++ release_region(REG, 2); + } + + #define SUPERIO_REG_ACT 0x30 +@@ -531,8 +536,12 @@ static int __init smsc47m1_find(struct smsc47m1_sio_data *sio_data) + { + u8 val; + unsigned short addr; ++ int err; ++ ++ err = superio_enter(); ++ if (err) ++ return err; + +- superio_enter(); + val = force_id ? force_id : superio_inb(SUPERIO_REG_DEVID); + + /* +@@ -608,13 +617,14 @@ static int __init smsc47m1_find(struct smsc47m1_sio_data *sio_data) + static void smsc47m1_restore(const struct smsc47m1_sio_data *sio_data) + { + if ((sio_data->activate & 0x01) == 0) { +- superio_enter(); +- superio_select(); +- +- pr_info("Disabling device\n"); +- superio_outb(SUPERIO_REG_ACT, sio_data->activate); +- +- superio_exit(); ++ if (!superio_enter()) { ++ superio_select(); ++ pr_info("Disabling device\n"); ++ superio_outb(SUPERIO_REG_ACT, sio_data->activate); ++ superio_exit(); ++ } else { ++ pr_warn("Failed to disable device\n"); ++ } + } + } + +-- +2.20.1 + diff --git a/queue-4.19/hwmon-vt1211-use-request_muxed_region-for-super-io-a.patch b/queue-4.19/hwmon-vt1211-use-request_muxed_region-for-super-io-a.patch new file mode 100644 index 00000000000..29a121c0a84 --- /dev/null +++ b/queue-4.19/hwmon-vt1211-use-request_muxed_region-for-super-io-a.patch @@ -0,0 +1,70 @@ +From b6698adfc5f7b1e46fae3efce81230c4b7412e44 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Fri, 5 Apr 2019 08:53:08 -0700 +Subject: hwmon: (vt1211) Use request_muxed_region for Super-IO accesses + +[ Upstream commit 14b97ba5c20056102b3dd22696bf17b057e60976 ] + +Super-IO accesses may fail on a system with no or unmapped LPC bus. + +Also, other drivers may attempt to access the LPC bus at the same time, +resulting in undefined behavior. + +Use request_muxed_region() to ensure that IO access on the requested +address space is supported, and to ensure that access by multiple drivers +is synchronized. + +Fixes: 2219cd81a6cd ("hwmon/vt1211: Add probing of alternate config index port") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/vt1211.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/hwmon/vt1211.c b/drivers/hwmon/vt1211.c +index 3a6bfa51cb94f..95d5e8ec8b7fc 100644 +--- a/drivers/hwmon/vt1211.c ++++ b/drivers/hwmon/vt1211.c +@@ -226,15 +226,21 @@ static inline void superio_select(int sio_cip, int ldn) + outb(ldn, sio_cip + 1); + } + +-static inline void superio_enter(int sio_cip) ++static inline int superio_enter(int sio_cip) + { ++ if (!request_muxed_region(sio_cip, 2, DRVNAME)) ++ return -EBUSY; ++ + outb(0x87, sio_cip); + outb(0x87, sio_cip); ++ ++ return 0; + } + + static inline void superio_exit(int sio_cip) + { + outb(0xaa, sio_cip); ++ release_region(sio_cip, 2); + } + + /* --------------------------------------------------------------------- +@@ -1282,11 +1288,14 @@ static int __init vt1211_device_add(unsigned short address) + + static int __init vt1211_find(int sio_cip, unsigned short *address) + { +- int err = -ENODEV; ++ int err; + int devid; + +- superio_enter(sio_cip); ++ err = superio_enter(sio_cip); ++ if (err) ++ return err; + ++ err = -ENODEV; + devid = force_id ? force_id : superio_inb(sio_cip, SIO_VT1211_DEVID); + if (devid != SIO_VT1211_ID) + goto EXIT; +-- +2.20.1 + diff --git a/queue-4.19/hwrng-omap-set-default-quality.patch b/queue-4.19/hwrng-omap-set-default-quality.patch new file mode 100644 index 00000000000..be53d2b75c0 --- /dev/null +++ b/queue-4.19/hwrng-omap-set-default-quality.patch @@ -0,0 +1,42 @@ +From da0bacdfeba2ad9a0b50242a07c0cb9fb49bfbc0 Mon Sep 17 00:00:00 2001 +From: Rouven Czerwinski +Date: Mon, 11 Mar 2019 11:58:57 +0100 +Subject: hwrng: omap - Set default quality + +[ Upstream commit 62f95ae805fa9e1e84d47d3219adddd97b2654b7 ] + +Newer combinations of the glibc, kernel and openssh can result in long initial +startup times on OMAP devices: + +[ 6.671425] systemd-rc-once[102]: Creating ED25519 key; this may take some time ... +[ 142.652491] systemd-rc-once[102]: Creating ED25519 key; done. + +due to the blocking getrandom(2) system call: + +[ 142.610335] random: crng init done + +Set the quality level for the omap hwrng driver allowing the kernel to use the +hwrng as an entropy source at boot. + +Signed-off-by: Rouven Czerwinski +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/omap-rng.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/char/hw_random/omap-rng.c b/drivers/char/hw_random/omap-rng.c +index b65ff69628995..e9b6ac61fb7f6 100644 +--- a/drivers/char/hw_random/omap-rng.c ++++ b/drivers/char/hw_random/omap-rng.c +@@ -443,6 +443,7 @@ static int omap_rng_probe(struct platform_device *pdev) + priv->rng.read = omap_rng_do_read; + priv->rng.init = omap_rng_init; + priv->rng.cleanup = omap_rng_cleanup; ++ priv->rng.quality = 900; + + priv->rng.priv = (unsigned long)priv; + platform_set_drvdata(pdev, priv); +-- +2.20.1 + diff --git a/queue-4.19/i40e-able-to-add-up-to-16-mac-filters-on-an-untruste.patch b/queue-4.19/i40e-able-to-add-up-to-16-mac-filters-on-an-untruste.patch new file mode 100644 index 00000000000..1c22e9a91b7 --- /dev/null +++ b/queue-4.19/i40e-able-to-add-up-to-16-mac-filters-on-an-untruste.patch @@ -0,0 +1,41 @@ +From 794871d5e2a22c9a86f24859ffe39278de98f88c Mon Sep 17 00:00:00 2001 +From: Adam Ludkiewicz +Date: Wed, 6 Feb 2019 15:08:25 -0800 +Subject: i40e: Able to add up to 16 MAC filters on an untrusted VF + +[ Upstream commit 06b6e2a2333eb3581567a7ac43ca465ef45f4daa ] + +This patch fixes the problem with the driver being able to add only 7 +multicast MAC address filters instead of 16. The problem is fixed by +changing the maximum number of MAC address filters to 16+1+1 (two extra +are needed because the driver uses 1 for unicast MAC address and 1 for +broadcast). + +Signed-off-by: Adam Ludkiewicz +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index c6d24eaede184..d86f3fa7aa6a4 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -2399,8 +2399,10 @@ static int i40e_vc_get_stats_msg(struct i40e_vf *vf, u8 *msg, u16 msglen) + (u8 *)&stats, sizeof(stats)); + } + +-/* If the VF is not trusted restrict the number of MAC/VLAN it can program */ +-#define I40E_VC_MAX_MAC_ADDR_PER_VF 12 ++/* If the VF is not trusted restrict the number of MAC/VLAN it can program ++ * MAC filters: 16 for multicast, 1 for MAC, 1 for broadcast ++ */ ++#define I40E_VC_MAX_MAC_ADDR_PER_VF (16 + 1 + 1) + #define I40E_VC_MAX_VLAN_PER_VF 8 + + /** +-- +2.20.1 + diff --git a/queue-4.19/i40e-don-t-allow-changes-to-hw-vlan-stripping-on-act.patch b/queue-4.19/i40e-don-t-allow-changes-to-hw-vlan-stripping-on-act.patch new file mode 100644 index 00000000000..4e771e61b9d --- /dev/null +++ b/queue-4.19/i40e-don-t-allow-changes-to-hw-vlan-stripping-on-act.patch @@ -0,0 +1,47 @@ +From 87bf2312bf78e78542a0169fb0e47b82de0efb12 Mon Sep 17 00:00:00 2001 +From: Nicholas Nunley +Date: Wed, 6 Feb 2019 15:08:17 -0800 +Subject: i40e: don't allow changes to HW VLAN stripping on active port VLANs + +[ Upstream commit bfb0ebed53857cfc57f11c63fa3689940d71c1c8 ] + +Modifying the VLAN stripping options when a port VLAN is configured +will break traffic for the VSI, and conceptually doesn't make sense, +so don't allow this. + +Signed-off-by: Nicholas Nunley +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index f81ad0aa8b095..df8808cd7e114 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -2654,6 +2654,10 @@ void i40e_vlan_stripping_enable(struct i40e_vsi *vsi) + struct i40e_vsi_context ctxt; + i40e_status ret; + ++ /* Don't modify stripping options if a port VLAN is active */ ++ if (vsi->info.pvid) ++ return; ++ + if ((vsi->info.valid_sections & + cpu_to_le16(I40E_AQ_VSI_PROP_VLAN_VALID)) && + ((vsi->info.port_vlan_flags & I40E_AQ_VSI_PVLAN_MODE_MASK) == 0)) +@@ -2684,6 +2688,10 @@ void i40e_vlan_stripping_disable(struct i40e_vsi *vsi) + struct i40e_vsi_context ctxt; + i40e_status ret; + ++ /* Don't modify stripping options if a port VLAN is active */ ++ if (vsi->info.pvid) ++ return; ++ + if ((vsi->info.valid_sections & + cpu_to_le16(I40E_AQ_VSI_PROP_VLAN_VALID)) && + ((vsi->info.port_vlan_flags & I40E_AQ_VSI_PVLAN_EMOD_MASK) == +-- +2.20.1 + diff --git a/queue-4.19/ib-hfi1-fix-wq_mem_reclaim-warning.patch b/queue-4.19/ib-hfi1-fix-wq_mem_reclaim-warning.patch new file mode 100644 index 00000000000..2dd224013ad --- /dev/null +++ b/queue-4.19/ib-hfi1-fix-wq_mem_reclaim-warning.patch @@ -0,0 +1,62 @@ +From 20058a9a0870d9f77fbe6a9b2edffa0e32eb2c39 Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Mon, 18 Mar 2019 09:55:09 -0700 +Subject: IB/hfi1: Fix WQ_MEM_RECLAIM warning + +[ Upstream commit 4c4b1996b5db688e2dcb8242b0a3bf7b1e845e42 ] + +The work_item cancels that occur when a QP is destroyed can elicit the +following trace: + + workqueue: WQ_MEM_RECLAIM ipoib_wq:ipoib_cm_tx_reap [ib_ipoib] is flushing !WQ_MEM_RECLAIM hfi0_0:_hfi1_do_send [hfi1] + WARNING: CPU: 7 PID: 1403 at kernel/workqueue.c:2486 check_flush_dependency+0xb1/0x100 + Call Trace: + __flush_work.isra.29+0x8c/0x1a0 + ? __switch_to_asm+0x40/0x70 + __cancel_work_timer+0x103/0x190 + ? schedule+0x32/0x80 + iowait_cancel_work+0x15/0x30 [hfi1] + rvt_reset_qp+0x1f8/0x3e0 [rdmavt] + rvt_destroy_qp+0x65/0x1f0 [rdmavt] + ? _cond_resched+0x15/0x30 + ib_destroy_qp+0xe9/0x230 [ib_core] + ipoib_cm_tx_reap+0x21c/0x560 [ib_ipoib] + process_one_work+0x171/0x370 + worker_thread+0x49/0x3f0 + kthread+0xf8/0x130 + ? max_active_store+0x80/0x80 + ? kthread_bind+0x10/0x10 + ret_from_fork+0x35/0x40 + +Since QP destruction frees memory, hfi1_wq should have the WQ_MEM_RECLAIM. + +The hfi1_wq does not allocate memory with GFP_KERNEL or otherwise become +entangled with memory reclaim, so this flag is appropriate. + +Fixes: 0a226edd203f ("staging/rdma/hfi1: Use parallel workqueue for SDMA engines") +Reviewed-by: Michael J. Ruhl +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/init.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hfi1/init.c b/drivers/infiniband/hw/hfi1/init.c +index da786eb18558d..368f4f08b6866 100644 +--- a/drivers/infiniband/hw/hfi1/init.c ++++ b/drivers/infiniband/hw/hfi1/init.c +@@ -798,7 +798,8 @@ static int create_workqueues(struct hfi1_devdata *dd) + ppd->hfi1_wq = + alloc_workqueue( + "hfi%d_%d", +- WQ_SYSFS | WQ_HIGHPRI | WQ_CPU_INTENSIVE, ++ WQ_SYSFS | WQ_HIGHPRI | WQ_CPU_INTENSIVE | ++ WQ_MEM_RECLAIM, + HFI1_MAX_ACTIVE_WORKQUEUE_ENTRIES, + dd->unit, pidx); + if (!ppd->hfi1_wq) +-- +2.20.1 + diff --git a/queue-4.19/igb-exclude-device-from-suspend-direct-complete-opti.patch b/queue-4.19/igb-exclude-device-from-suspend-direct-complete-opti.patch new file mode 100644 index 00000000000..b5c09862091 --- /dev/null +++ b/queue-4.19/igb-exclude-device-from-suspend-direct-complete-opti.patch @@ -0,0 +1,42 @@ +From 244eee5caedc87f17db4c404e20efce15164509c Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Tue, 11 Dec 2018 15:59:38 +0800 +Subject: igb: Exclude device from suspend direct complete optimization + +[ Upstream commit 5b6e13216be29ced7350d9c354a1af8fe0ad9a3e ] + +igb sets different WoL settings in system suspend callback and runtime +suspend callback. + +The suspend direct complete optimization leaves igb in runtime suspended +state with wrong WoL setting during system suspend. + +To fix this, we need to disable suspend direct complete optimization to +let igb always use suspend callback to set correct WoL during system +suspend. + +Signed-off-by: Kai-Heng Feng +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index aa39a068858e9..5aa083d9a6c9a 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -3468,6 +3468,9 @@ static int igb_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + break; + } + } ++ ++ dev_pm_set_driver_flags(&pdev->dev, DPM_FLAG_NEVER_SKIP); ++ + pm_runtime_put_noidle(&pdev->dev); + return 0; + +-- +2.20.1 + diff --git a/queue-4.19/iio-ad_sigma_delta-properly-handle-spi-bus-locking-v.patch b/queue-4.19/iio-ad_sigma_delta-properly-handle-spi-bus-locking-v.patch new file mode 100644 index 00000000000..a56ed0ae058 --- /dev/null +++ b/queue-4.19/iio-ad_sigma_delta-properly-handle-spi-bus-locking-v.patch @@ -0,0 +1,122 @@ +From 3c483c8c2e3dc1bafe80556a5e6514c500392dba Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Tue, 19 Mar 2019 13:37:55 +0200 +Subject: iio: ad_sigma_delta: Properly handle SPI bus locking vs CS assertion + +[ Upstream commit df1d80aee963480c5c2938c64ec0ac3e4a0df2e0 ] + +For devices from the SigmaDelta family we need to keep CS low when doing a +conversion, since the device will use the MISO line as a interrupt to +indicate that the conversion is complete. + +This is why the driver locks the SPI bus and when the SPI bus is locked +keeps as long as a conversion is going on. The current implementation gets +one small detail wrong though. CS is only de-asserted after the SPI bus is +unlocked. This means it is possible for a different SPI device on the same +bus to send a message which would be wrongfully be addressed to the +SigmaDelta device as well. Make sure that the last SPI transfer that is +done while holding the SPI bus lock de-asserts the CS signal. + +Signed-off-by: Lars-Peter Clausen +Signed-off-by: Alexandru Ardelean +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad_sigma_delta.c | 16 +++++++++++----- + include/linux/iio/adc/ad_sigma_delta.h | 1 + + 2 files changed, 12 insertions(+), 5 deletions(-) + +diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c +index ae2a5097f4493..25af4c76b57fe 100644 +--- a/drivers/iio/adc/ad_sigma_delta.c ++++ b/drivers/iio/adc/ad_sigma_delta.c +@@ -62,7 +62,7 @@ int ad_sd_write_reg(struct ad_sigma_delta *sigma_delta, unsigned int reg, + struct spi_transfer t = { + .tx_buf = data, + .len = size + 1, +- .cs_change = sigma_delta->bus_locked, ++ .cs_change = sigma_delta->keep_cs_asserted, + }; + struct spi_message m; + int ret; +@@ -218,6 +218,7 @@ static int ad_sd_calibrate(struct ad_sigma_delta *sigma_delta, + + spi_bus_lock(sigma_delta->spi->master); + sigma_delta->bus_locked = true; ++ sigma_delta->keep_cs_asserted = true; + reinit_completion(&sigma_delta->completion); + + ret = ad_sigma_delta_set_mode(sigma_delta, mode); +@@ -235,9 +236,10 @@ static int ad_sd_calibrate(struct ad_sigma_delta *sigma_delta, + ret = 0; + } + out: ++ sigma_delta->keep_cs_asserted = false; ++ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE); + sigma_delta->bus_locked = false; + spi_bus_unlock(sigma_delta->spi->master); +- ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE); + + return ret; + } +@@ -289,6 +291,7 @@ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev, + + spi_bus_lock(sigma_delta->spi->master); + sigma_delta->bus_locked = true; ++ sigma_delta->keep_cs_asserted = true; + reinit_completion(&sigma_delta->completion); + + ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_SINGLE); +@@ -298,9 +301,6 @@ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev, + ret = wait_for_completion_interruptible_timeout( + &sigma_delta->completion, HZ); + +- sigma_delta->bus_locked = false; +- spi_bus_unlock(sigma_delta->spi->master); +- + if (ret == 0) + ret = -EIO; + if (ret < 0) +@@ -316,7 +316,10 @@ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev, + sigma_delta->irq_dis = true; + } + ++ sigma_delta->keep_cs_asserted = false; + ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE); ++ sigma_delta->bus_locked = false; ++ spi_bus_unlock(sigma_delta->spi->master); + mutex_unlock(&indio_dev->mlock); + + if (ret) +@@ -353,6 +356,8 @@ static int ad_sd_buffer_postenable(struct iio_dev *indio_dev) + + spi_bus_lock(sigma_delta->spi->master); + sigma_delta->bus_locked = true; ++ sigma_delta->keep_cs_asserted = true; ++ + ret = ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_CONTINUOUS); + if (ret) + goto err_unlock; +@@ -381,6 +386,7 @@ static int ad_sd_buffer_postdisable(struct iio_dev *indio_dev) + sigma_delta->irq_dis = true; + } + ++ sigma_delta->keep_cs_asserted = false; + ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE); + + sigma_delta->bus_locked = false; +diff --git a/include/linux/iio/adc/ad_sigma_delta.h b/include/linux/iio/adc/ad_sigma_delta.h +index 730ead1a46df6..57c122ae54523 100644 +--- a/include/linux/iio/adc/ad_sigma_delta.h ++++ b/include/linux/iio/adc/ad_sigma_delta.h +@@ -66,6 +66,7 @@ struct ad_sigma_delta { + bool irq_dis; + + bool bus_locked; ++ bool keep_cs_asserted; + + uint8_t comm; + +-- +2.20.1 + diff --git a/queue-4.19/iio-adc-stm32-dfsdm-fix-unmet-direct-dependencies-de.patch b/queue-4.19/iio-adc-stm32-dfsdm-fix-unmet-direct-dependencies-de.patch new file mode 100644 index 00000000000..c8101af9525 --- /dev/null +++ b/queue-4.19/iio-adc-stm32-dfsdm-fix-unmet-direct-dependencies-de.patch @@ -0,0 +1,40 @@ +From b0c1dcf40ba6c24b939f0cf02401ef51262d5e6c Mon Sep 17 00:00:00 2001 +From: Fabrice Gasnier +Date: Mon, 15 Apr 2019 15:00:50 +0200 +Subject: iio: adc: stm32-dfsdm: fix unmet direct dependencies detected + +[ Upstream commit ba7ecfe43d6bf12e2aa76705c45f7d187ae3d7c0 ] + +This fixes unmet direct dependencies seen when CONFIG_STM32_DFSDM_ADC +is selected: + +WARNING: unmet direct dependencies detected for IIO_BUFFER_HW_CONSUMER + Depends on [n]: IIO [=y] && IIO_BUFFER [=n] + Selected by [y]: + - STM32_DFSDM_ADC [=y] && IIO [=y] && (ARCH_STM32 [=y] && OF [=y] || + COMPILE_TEST [=n]) + +Fixes: e2e6771c6462 ("IIO: ADC: add STM32 DFSDM sigma delta ADC support") + +Signed-off-by: Fabrice Gasnier +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/iio/adc/Kconfig b/drivers/iio/adc/Kconfig +index 4a754921fb6f9..9421c1ec86f73 100644 +--- a/drivers/iio/adc/Kconfig ++++ b/drivers/iio/adc/Kconfig +@@ -696,6 +696,7 @@ config STM32_DFSDM_ADC + depends on (ARCH_STM32 && OF) || COMPILE_TEST + select STM32_DFSDM_CORE + select REGMAP_MMIO ++ select IIO_BUFFER + select IIO_BUFFER_HW_CONSUMER + help + Select this option to support ADCSigma delta modulator for +-- +2.20.1 + diff --git a/queue-4.19/iio-adc-ti-ads7950-fix-improper-use-of-mlock.patch b/queue-4.19/iio-adc-ti-ads7950-fix-improper-use-of-mlock.patch new file mode 100644 index 00000000000..1ddf723c6b0 --- /dev/null +++ b/queue-4.19/iio-adc-ti-ads7950-fix-improper-use-of-mlock.patch @@ -0,0 +1,109 @@ +From 29055faa89d2d54d05ebe0ac8e6a1a3dd401ad88 Mon Sep 17 00:00:00 2001 +From: Justin Chen +Date: Thu, 28 Feb 2019 14:16:48 -0800 +Subject: iio: adc: ti-ads7950: Fix improper use of mlock + +[ Upstream commit abbde2792999c9ad3514dd25d7f8d9a96034fe16 ] + +Indio->mlock is used for protecting the different iio device modes. +It is currently not being used in this way. Replace the lock with +an internal lock specifically used for protecting the SPI transfer +buffer. + +Signed-off-by: Justin Chen +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ti-ads7950.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/drivers/iio/adc/ti-ads7950.c b/drivers/iio/adc/ti-ads7950.c +index a5bd5944bc660..c9cd7e5c1b614 100644 +--- a/drivers/iio/adc/ti-ads7950.c ++++ b/drivers/iio/adc/ti-ads7950.c +@@ -56,6 +56,9 @@ struct ti_ads7950_state { + struct spi_message ring_msg; + struct spi_message scan_single_msg; + ++ /* Lock to protect the spi xfer buffers */ ++ struct mutex slock; ++ + struct regulator *reg; + unsigned int vref_mv; + +@@ -277,6 +280,7 @@ static irqreturn_t ti_ads7950_trigger_handler(int irq, void *p) + struct ti_ads7950_state *st = iio_priv(indio_dev); + int ret; + ++ mutex_lock(&st->slock); + ret = spi_sync(st->spi, &st->ring_msg); + if (ret < 0) + goto out; +@@ -285,6 +289,7 @@ static irqreturn_t ti_ads7950_trigger_handler(int irq, void *p) + iio_get_time_ns(indio_dev)); + + out: ++ mutex_unlock(&st->slock); + iio_trigger_notify_done(indio_dev->trig); + + return IRQ_HANDLED; +@@ -295,7 +300,7 @@ static int ti_ads7950_scan_direct(struct iio_dev *indio_dev, unsigned int ch) + struct ti_ads7950_state *st = iio_priv(indio_dev); + int ret, cmd; + +- mutex_lock(&indio_dev->mlock); ++ mutex_lock(&st->slock); + + cmd = TI_ADS7950_CR_WRITE | TI_ADS7950_CR_CHAN(ch) | st->settings; + st->single_tx = cpu_to_be16(cmd); +@@ -307,7 +312,7 @@ static int ti_ads7950_scan_direct(struct iio_dev *indio_dev, unsigned int ch) + ret = be16_to_cpu(st->single_rx); + + out: +- mutex_unlock(&indio_dev->mlock); ++ mutex_unlock(&st->slock); + + return ret; + } +@@ -423,16 +428,19 @@ static int ti_ads7950_probe(struct spi_device *spi) + if (ACPI_COMPANION(&spi->dev)) + st->vref_mv = TI_ADS7950_VA_MV_ACPI_DEFAULT; + ++ mutex_init(&st->slock); ++ + st->reg = devm_regulator_get(&spi->dev, "vref"); + if (IS_ERR(st->reg)) { + dev_err(&spi->dev, "Failed get get regulator \"vref\"\n"); +- return PTR_ERR(st->reg); ++ ret = PTR_ERR(st->reg); ++ goto error_destroy_mutex; + } + + ret = regulator_enable(st->reg); + if (ret) { + dev_err(&spi->dev, "Failed to enable regulator \"vref\"\n"); +- return ret; ++ goto error_destroy_mutex; + } + + ret = iio_triggered_buffer_setup(indio_dev, NULL, +@@ -454,6 +462,8 @@ static int ti_ads7950_probe(struct spi_device *spi) + iio_triggered_buffer_cleanup(indio_dev); + error_disable_reg: + regulator_disable(st->reg); ++error_destroy_mutex: ++ mutex_destroy(&st->slock); + + return ret; + } +@@ -466,6 +476,7 @@ static int ti_ads7950_remove(struct spi_device *spi) + iio_device_unregister(indio_dev); + iio_triggered_buffer_cleanup(indio_dev); + regulator_disable(st->reg); ++ mutex_destroy(&st->slock); + + return 0; + } +-- +2.20.1 + diff --git a/queue-4.19/iio-common-ssp_sensors-initialize-calculated_time-in.patch b/queue-4.19/iio-common-ssp_sensors-initialize-calculated_time-in.patch new file mode 100644 index 00000000000..ab8a7ef07d9 --- /dev/null +++ b/queue-4.19/iio-common-ssp_sensors-initialize-calculated_time-in.patch @@ -0,0 +1,49 @@ +From abcd819f09289fe07d580a984bae0db1f673f444 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Thu, 7 Mar 2019 14:45:46 -0700 +Subject: iio: common: ssp_sensors: Initialize calculated_time in + ssp_common_process_data + +[ Upstream commit 6f9ca1d3eb74b81f811a87002de2d51640d135b1 ] + +When building with -Wsometimes-uninitialized, Clang warns: + +drivers/iio/common/ssp_sensors/ssp_iio.c:95:6: warning: variable +'calculated_time' is used uninitialized whenever 'if' condition is false +[-Wsometimes-uninitialized] + +While it isn't wrong, this will never be a problem because +iio_push_to_buffers_with_timestamp only uses calculated_time +on the same condition that it is assigned (when scan_timestamp +is not zero). While iio_push_to_buffers_with_timestamp is marked +as inline, Clang does inlining in the optimization stage, which +happens after the semantic analysis phase (plus inline is merely +a hint to the compiler). + +Fix this by just zero initializing calculated_time. + +Link: https://github.com/ClangBuiltLinux/linux/issues/394 +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/common/ssp_sensors/ssp_iio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/common/ssp_sensors/ssp_iio.c b/drivers/iio/common/ssp_sensors/ssp_iio.c +index 645f2e3975db4..e38f704d88b7e 100644 +--- a/drivers/iio/common/ssp_sensors/ssp_iio.c ++++ b/drivers/iio/common/ssp_sensors/ssp_iio.c +@@ -81,7 +81,7 @@ int ssp_common_process_data(struct iio_dev *indio_dev, void *buf, + unsigned int len, int64_t timestamp) + { + __le32 time; +- int64_t calculated_time; ++ int64_t calculated_time = 0; + struct ssp_sensor_data *spd = iio_priv(indio_dev); + + if (indio_dev->scan_bytes == 0) +-- +2.20.1 + diff --git a/queue-4.19/iio-hmc5843-fix-potential-null-pointer-dereferences.patch b/queue-4.19/iio-hmc5843-fix-potential-null-pointer-dereferences.patch new file mode 100644 index 00000000000..563fb597e80 --- /dev/null +++ b/queue-4.19/iio-hmc5843-fix-potential-null-pointer-dereferences.patch @@ -0,0 +1,66 @@ +From 19b5aa4fe547b06c2d0096d8097182ebf98a3612 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Sat, 16 Mar 2019 17:08:33 -0500 +Subject: iio: hmc5843: fix potential NULL pointer dereferences + +[ Upstream commit 536cc27deade8f1ec3c1beefa60d5fbe0f6fcb28 ] + +devm_regmap_init_i2c may fail and return NULL. The fix returns +the error when it fails. + +Signed-off-by: Kangjie Lu +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/magnetometer/hmc5843_i2c.c | 7 ++++++- + drivers/iio/magnetometer/hmc5843_spi.c | 7 ++++++- + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/magnetometer/hmc5843_i2c.c b/drivers/iio/magnetometer/hmc5843_i2c.c +index 3de7f4426ac40..86abba5827a25 100644 +--- a/drivers/iio/magnetometer/hmc5843_i2c.c ++++ b/drivers/iio/magnetometer/hmc5843_i2c.c +@@ -58,8 +58,13 @@ static const struct regmap_config hmc5843_i2c_regmap_config = { + static int hmc5843_i2c_probe(struct i2c_client *cli, + const struct i2c_device_id *id) + { ++ struct regmap *regmap = devm_regmap_init_i2c(cli, ++ &hmc5843_i2c_regmap_config); ++ if (IS_ERR(regmap)) ++ return PTR_ERR(regmap); ++ + return hmc5843_common_probe(&cli->dev, +- devm_regmap_init_i2c(cli, &hmc5843_i2c_regmap_config), ++ regmap, + id->driver_data, id->name); + } + +diff --git a/drivers/iio/magnetometer/hmc5843_spi.c b/drivers/iio/magnetometer/hmc5843_spi.c +index 535f03a70d630..79b2b707f90e7 100644 +--- a/drivers/iio/magnetometer/hmc5843_spi.c ++++ b/drivers/iio/magnetometer/hmc5843_spi.c +@@ -58,6 +58,7 @@ static const struct regmap_config hmc5843_spi_regmap_config = { + static int hmc5843_spi_probe(struct spi_device *spi) + { + int ret; ++ struct regmap *regmap; + const struct spi_device_id *id = spi_get_device_id(spi); + + spi->mode = SPI_MODE_3; +@@ -67,8 +68,12 @@ static int hmc5843_spi_probe(struct spi_device *spi) + if (ret) + return ret; + ++ regmap = devm_regmap_init_spi(spi, &hmc5843_spi_regmap_config); ++ if (IS_ERR(regmap)) ++ return PTR_ERR(regmap); ++ + return hmc5843_common_probe(&spi->dev, +- devm_regmap_init_spi(spi, &hmc5843_spi_regmap_config), ++ regmap, + id->driver_data, id->name); + } + +-- +2.20.1 + diff --git a/queue-4.19/irq_work-do-not-raise-an-ipi-when-queueing-work-on-t.patch b/queue-4.19/irq_work-do-not-raise-an-ipi-when-queueing-work-on-t.patch new file mode 100644 index 00000000000..93a38de2f7e --- /dev/null +++ b/queue-4.19/irq_work-do-not-raise-an-ipi-when-queueing-work-on-t.patch @@ -0,0 +1,144 @@ +From ac3b7440ada8a2cfd076ce2ea9b7cc42a7c836cd Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Tue, 9 Apr 2019 19:34:03 +1000 +Subject: irq_work: Do not raise an IPI when queueing work on the local CPU + +[ Upstream commit 471ba0e686cb13752bc1ff3216c54b69a2d250ea ] + +The QEMU PowerPC/PSeries machine model was not expecting a self-IPI, +and it may be a bit surprising thing to do, so have irq_work_queue_on +do local queueing when target is the current CPU. + +Suggested-by: Steven Rostedt +Reported-by: Sebastian Andrzej Siewior +Tested-by: Sebastian Andrzej Siewior +Signed-off-by: Nicholas Piggin +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Frederic Weisbecker +Acked-by: Peter Zijlstra (Intel) +Cc: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= +Cc: Linus Torvalds +Cc: Paul Mackerras +Cc: Peter Zijlstra +Cc: Suraj Jitindar Singh +Cc: Thomas Gleixner +Link: https://lkml.kernel.org/r/20190409093403.20994-1-npiggin@gmail.com +[ Simplified the preprocessor comments. + Fixed unbalanced curly brackets pointed out by Thomas. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/irq_work.c | 75 ++++++++++++++++++++++++++--------------------- + 1 file changed, 42 insertions(+), 33 deletions(-) + +diff --git a/kernel/irq_work.c b/kernel/irq_work.c +index 6b7cdf17ccf89..73288914ed5e7 100644 +--- a/kernel/irq_work.c ++++ b/kernel/irq_work.c +@@ -56,61 +56,70 @@ void __weak arch_irq_work_raise(void) + */ + } + +-/* +- * Enqueue the irq_work @work on @cpu unless it's already pending +- * somewhere. +- * +- * Can be re-enqueued while the callback is still in progress. +- */ +-bool irq_work_queue_on(struct irq_work *work, int cpu) ++/* Enqueue on current CPU, work must already be claimed and preempt disabled */ ++static void __irq_work_queue_local(struct irq_work *work) + { +- /* All work should have been flushed before going offline */ +- WARN_ON_ONCE(cpu_is_offline(cpu)); +- +-#ifdef CONFIG_SMP +- +- /* Arch remote IPI send/receive backend aren't NMI safe */ +- WARN_ON_ONCE(in_nmi()); ++ /* If the work is "lazy", handle it from next tick if any */ ++ if (work->flags & IRQ_WORK_LAZY) { ++ if (llist_add(&work->llnode, this_cpu_ptr(&lazy_list)) && ++ tick_nohz_tick_stopped()) ++ arch_irq_work_raise(); ++ } else { ++ if (llist_add(&work->llnode, this_cpu_ptr(&raised_list))) ++ arch_irq_work_raise(); ++ } ++} + ++/* Enqueue the irq work @work on the current CPU */ ++bool irq_work_queue(struct irq_work *work) ++{ + /* Only queue if not already pending */ + if (!irq_work_claim(work)) + return false; + +- if (llist_add(&work->llnode, &per_cpu(raised_list, cpu))) +- arch_send_call_function_single_ipi(cpu); +- +-#else /* #ifdef CONFIG_SMP */ +- irq_work_queue(work); +-#endif /* #else #ifdef CONFIG_SMP */ ++ /* Queue the entry and raise the IPI if needed. */ ++ preempt_disable(); ++ __irq_work_queue_local(work); ++ preempt_enable(); + + return true; + } ++EXPORT_SYMBOL_GPL(irq_work_queue); + +-/* Enqueue the irq work @work on the current CPU */ +-bool irq_work_queue(struct irq_work *work) ++/* ++ * Enqueue the irq_work @work on @cpu unless it's already pending ++ * somewhere. ++ * ++ * Can be re-enqueued while the callback is still in progress. ++ */ ++bool irq_work_queue_on(struct irq_work *work, int cpu) + { ++#ifndef CONFIG_SMP ++ return irq_work_queue(work); ++ ++#else /* CONFIG_SMP: */ ++ /* All work should have been flushed before going offline */ ++ WARN_ON_ONCE(cpu_is_offline(cpu)); ++ + /* Only queue if not already pending */ + if (!irq_work_claim(work)) + return false; + +- /* Queue the entry and raise the IPI if needed. */ + preempt_disable(); +- +- /* If the work is "lazy", handle it from next tick if any */ +- if (work->flags & IRQ_WORK_LAZY) { +- if (llist_add(&work->llnode, this_cpu_ptr(&lazy_list)) && +- tick_nohz_tick_stopped()) +- arch_irq_work_raise(); ++ if (cpu != smp_processor_id()) { ++ /* Arch remote IPI send/receive backend aren't NMI safe */ ++ WARN_ON_ONCE(in_nmi()); ++ if (llist_add(&work->llnode, &per_cpu(raised_list, cpu))) ++ arch_send_call_function_single_ipi(cpu); + } else { +- if (llist_add(&work->llnode, this_cpu_ptr(&raised_list))) +- arch_irq_work_raise(); ++ __irq_work_queue_local(work); + } +- + preempt_enable(); + + return true; ++#endif /* CONFIG_SMP */ + } +-EXPORT_SYMBOL_GPL(irq_work_queue); ++ + + bool irq_work_needs_cpu(void) + { +-- +2.20.1 + diff --git a/queue-4.19/iwlwifi-pcie-don-t-crash-on-invalid-rx-interrupt.patch b/queue-4.19/iwlwifi-pcie-don-t-crash-on-invalid-rx-interrupt.patch new file mode 100644 index 00000000000..05d808e31d9 --- /dev/null +++ b/queue-4.19/iwlwifi-pcie-don-t-crash-on-invalid-rx-interrupt.patch @@ -0,0 +1,45 @@ +From 536d966676fe02b3253f7d38c844aadb362718db Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 5 Mar 2019 10:31:11 +0100 +Subject: iwlwifi: pcie: don't crash on invalid RX interrupt + +[ Upstream commit 30f24eabab8cd801064c5c37589d803cb4341929 ] + +If for some reason the device gives us an RX interrupt before we're +ready for it, perhaps during device power-on with misconfigured IRQ +causes mapping or so, we can crash trying to access the queues. + +Prevent that by checking that we actually have RXQs and that they +were properly allocated. + +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/rx.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c +index b2905f01b7df3..6dcd5374d9b4d 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c +@@ -1388,10 +1388,15 @@ static struct iwl_rx_mem_buffer *iwl_pcie_get_rxb(struct iwl_trans *trans, + static void iwl_pcie_rx_handle(struct iwl_trans *trans, int queue) + { + struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans); +- struct iwl_rxq *rxq = &trans_pcie->rxq[queue]; ++ struct iwl_rxq *rxq; + u32 r, i, count = 0; + bool emergency = false; + ++ if (WARN_ON_ONCE(!trans_pcie->rxq || !trans_pcie->rxq[queue].bd)) ++ return; ++ ++ rxq = &trans_pcie->rxq[queue]; ++ + restart: + spin_lock(&rxq->lock); + /* uCode's read index (stored in shared DRAM) indicates the last Rx +-- +2.20.1 + diff --git a/queue-4.19/kobject-don-t-trigger-kobject_uevent-kobj_remove-twi.patch b/queue-4.19/kobject-don-t-trigger-kobject_uevent-kobj_remove-twi.patch new file mode 100644 index 00000000000..b99148fd526 --- /dev/null +++ b/queue-4.19/kobject-don-t-trigger-kobject_uevent-kobj_remove-twi.patch @@ -0,0 +1,72 @@ +From 843fc91cd8093d9ca268cb3e358a80194f011eb3 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Sun, 17 Mar 2019 14:02:31 +0900 +Subject: kobject: Don't trigger kobject_uevent(KOBJ_REMOVE) twice. + +[ Upstream commit c03a0fd0b609e2f5c669c2b7f27c8e1928e9196e ] + +syzbot is hitting use-after-free bug in uinput module [1]. This is because +kobject_uevent(KOBJ_REMOVE) is called again due to commit 0f4dafc0563c6c49 +("Kobject: auto-cleanup on final unref") after memory allocation fault +injection made kobject_uevent(KOBJ_REMOVE) from device_del() from +input_unregister_device() fail, while uinput_destroy_device() is expecting +that kobject_uevent(KOBJ_REMOVE) is not called after device_del() from +input_unregister_device() completed. + +That commit intended to catch cases where nobody even attempted to send +"remove" uevents. But there is no guarantee that an event will ultimately +be sent. We are at the point of no return as far as the rest of the kernel +is concerned; there are no repeats or do-overs. + +Also, it is not clear whether some subsystem depends on that commit. +If no subsystem depends on that commit, it will be better to remove +the state_{add,remove}_uevent_sent logic. But we don't want to risk +a regression (in a patch which will be backported) by trying to remove +that logic. Therefore, as a first step, let's avoid the use-after-free bug +by making sure that kobject_uevent(KOBJ_REMOVE) won't be triggered twice. + +[1] https://syzkaller.appspot.com/bug?id=8b17c134fe938bbddd75a45afaa9e68af43a362d + +Reported-by: syzbot +Analyzed-by: Dmitry Torokhov +Fixes: 0f4dafc0563c6c49 ("Kobject: auto-cleanup on final unref") +Cc: Kay Sievers +Signed-off-by: Tetsuo Handa +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + lib/kobject_uevent.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c +index 63d0816ab23b0..7761f32943391 100644 +--- a/lib/kobject_uevent.c ++++ b/lib/kobject_uevent.c +@@ -464,6 +464,13 @@ int kobject_uevent_env(struct kobject *kobj, enum kobject_action action, + int i = 0; + int retval = 0; + ++ /* ++ * Mark "remove" event done regardless of result, for some subsystems ++ * do not want to re-trigger "remove" event via automatic cleanup. ++ */ ++ if (action == KOBJ_REMOVE) ++ kobj->state_remove_uevent_sent = 1; ++ + pr_debug("kobject: '%s' (%p): %s\n", + kobject_name(kobj), kobj, __func__); + +@@ -565,10 +572,6 @@ int kobject_uevent_env(struct kobject *kobj, enum kobject_action action, + kobj->state_add_uevent_sent = 1; + break; + +- case KOBJ_REMOVE: +- kobj->state_remove_uevent_sent = 1; +- break; +- + case KOBJ_UNBIND: + zap_modalias_env(env); + break; +-- +2.20.1 + diff --git a/queue-4.19/libbpf-fix-samples-bpf-build-failure-due-to-undefine.patch b/queue-4.19/libbpf-fix-samples-bpf-build-failure-due-to-undefine.patch new file mode 100644 index 00000000000..14fccbd103c --- /dev/null +++ b/queue-4.19/libbpf-fix-samples-bpf-build-failure-due-to-undefine.patch @@ -0,0 +1,63 @@ +From f3c1d23786175739bfa1830b5f9d0a1726e09e71 Mon Sep 17 00:00:00 2001 +From: "Daniel T. Lee" +Date: Wed, 24 Apr 2019 05:24:56 +0900 +Subject: libbpf: fix samples/bpf build failure due to undefined UINT32_MAX + +[ Upstream commit 32e621e55496a0009f44fe4914cd4a23cade4984 ] + +Currently, building bpf samples will cause the following error. + + ./tools/lib/bpf/bpf.h:132:27: error: 'UINT32_MAX' undeclared here (not in a function) .. + #define BPF_LOG_BUF_SIZE (UINT32_MAX >> 8) /* verifier maximum in kernels <= 5.1 */ + ^ + ./samples/bpf/bpf_load.h:31:25: note: in expansion of macro 'BPF_LOG_BUF_SIZE' + extern char bpf_log_buf[BPF_LOG_BUF_SIZE]; + ^~~~~~~~~~~~~~~~ + +Due to commit 4519efa6f8ea ("libbpf: fix BPF_LOG_BUF_SIZE off-by-one error") +hard-coded size of BPF_LOG_BUF_SIZE has been replaced with UINT32_MAX which is +defined in header. + +Even with this change, bpf selftests are running fine since these are built +with clang and it includes header(-idirafter) from clang/6.0.0/include. +(it has ) + + clang -I. -I./include/uapi -I../../../include/uapi -idirafter /usr/local/include -idirafter /usr/include \ + -idirafter /usr/lib/llvm-6.0/lib/clang/6.0.0/include -idirafter /usr/include/x86_64-linux-gnu \ + -Wno-compare-distinct-pointer-types -O2 -target bpf -emit-llvm -c progs/test_sysctl_prog.c -o - | \ + llc -march=bpf -mcpu=generic -filetype=obj -o /linux/tools/testing/selftests/bpf/test_sysctl_prog.o + +But bpf samples are compiled with GCC, and it only searches and includes +headers declared at the target file. As '#include ' hasn't been +declared in tools/lib/bpf/bpf.h, it causes build failure of bpf samples. + + gcc -Wp,-MD,./samples/bpf/.sockex3_user.o.d -Wall -Wmissing-prototypes -Wstrict-prototypes \ + -O2 -fomit-frame-pointer -std=gnu89 -I./usr/include -I./tools/lib/ -I./tools/testing/selftests/bpf/ \ + -I./tools/ lib/ -I./tools/include -I./tools/perf -c -o ./samples/bpf/sockex3_user.o ./samples/bpf/sockex3_user.c; + +This commit add declaration of '#include ' to tools/lib/bpf/bpf.h +to fix this problem. + +Signed-off-by: Daniel T. Lee +Acked-by: Yonghong Song +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/bpf.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h +index 6f38164b26181..c3145ab3bdcac 100644 +--- a/tools/lib/bpf/bpf.h ++++ b/tools/lib/bpf/bpf.h +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + struct bpf_create_map_attr { + const char *name; +-- +2.20.1 + diff --git a/queue-4.19/mac80211-cfg80211-update-bss-channel-on-channel-swit.patch b/queue-4.19/mac80211-cfg80211-update-bss-channel-on-channel-swit.patch new file mode 100644 index 00000000000..561c4f7bef5 --- /dev/null +++ b/queue-4.19/mac80211-cfg80211-update-bss-channel-on-channel-swit.patch @@ -0,0 +1,68 @@ +From 7c5a85350f82b72b940cc564322a9ebadfd9b807 Mon Sep 17 00:00:00 2001 +From: Sergey Matyukevich +Date: Tue, 26 Mar 2019 09:27:37 +0000 +Subject: mac80211/cfg80211: update bss channel on channel switch + +[ Upstream commit 5dc8cdce1d722c733f8c7af14c5fb595cfedbfa8 ] + +FullMAC STAs have no way to update bss channel after CSA channel switch +completion. As a result, user-space tools may provide inconsistent +channel info. For instance, consider the following two commands: +$ sudo iw dev wlan0 link +$ sudo iw dev wlan0 info +The latter command gets channel info from the hardware, so most probably +its output will be correct. However the former command gets channel info +from scan cache, so its output will contain outdated channel info. +In fact, current bss channel info will not be updated until the +next [re-]connect. + +Note that mac80211 STAs have a workaround for this, but it requires +access to internal cfg80211 data, see ieee80211_chswitch_work: + + /* XXX: shouldn't really modify cfg80211-owned data! */ + ifmgd->associated->channel = sdata->csa_chandef.chan; + +This patch suggests to convert mac80211 workaround into cfg80211 behavior +and to update current bss channel in cfg80211_ch_switch_notify. + +Signed-off-by: Sergey Matyukevich +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mlme.c | 3 --- + net/wireless/nl80211.c | 5 +++++ + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 3dbecae4be73c..2ac749c4a6b26 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1156,9 +1156,6 @@ static void ieee80211_chswitch_work(struct work_struct *work) + goto out; + } + +- /* XXX: shouldn't really modify cfg80211-owned data! */ +- ifmgd->associated->channel = sdata->csa_chandef.chan; +- + ifmgd->csa_waiting_bcn = true; + + ieee80211_sta_reset_beacon_monitor(sdata); +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 048e004ed0ee8..c6711ead5e591 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -15441,6 +15441,11 @@ void cfg80211_ch_switch_notify(struct net_device *dev, + + wdev->chandef = *chandef; + wdev->preset_chandef = *chandef; ++ ++ if (wdev->iftype == NL80211_IFTYPE_STATION && ++ !WARN_ON(!wdev->current_bss)) ++ wdev->current_bss->pub.channel = chandef->chan; ++ + nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL, + NL80211_CMD_CH_SWITCH_NOTIFY, 0); + } +-- +2.20.1 + diff --git a/queue-4.19/media-au0828-fix-null-pointer-dereference-in-au0828_.patch b/queue-4.19/media-au0828-fix-null-pointer-dereference-in-au0828_.patch new file mode 100644 index 00000000000..b178e99be87 --- /dev/null +++ b/queue-4.19/media-au0828-fix-null-pointer-dereference-in-au0828_.patch @@ -0,0 +1,78 @@ +From 64b9efa584b1bef4d1890107865f30cb6c335d29 Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Mon, 1 Apr 2019 20:43:17 -0400 +Subject: media: au0828: Fix NULL pointer dereference in + au0828_analog_stream_enable() + +[ Upstream commit 898bc40bfcc26abb6e06e960d6d4754c36c58b50 ] + +Fix au0828_analog_stream_enable() to check if device is in the right +state first. When unbind happens while bind is in progress, usbdev +pointer could be invalid in au0828_analog_stream_enable() and a call +to usb_ifnum_to_if() will result in the null pointer dereference. + +This problem is found with the new media_dev_allocator.sh test. + +kernel: [ 590.359623] BUG: unable to handle kernel NULL pointer dereference at 00000000000004e8 +kernel: [ 590.359627] #PF error: [normal kernel read fault] +kernel: [ 590.359629] PGD 0 P4D 0 +kernel: [ 590.359632] Oops: 0000 [#1] SMP PTI +kernel: [ 590.359634] CPU: 3 PID: 1458 Comm: v4l_id Not tainted 5.1.0-rc2+ #30 +kernel: [ 590.359636] Hardware name: Dell Inc. OptiPlex 7 90/0HY9JP, BIOS A18 09/24/2013 +kernel: [ 590.359641] RIP: 0010:usb_ifnum_to_if+0x6/0x60 +kernel: [ 590.359643] Code: 5d 41 5e 41 5f 5d c3 48 83 c4 + 10 b8 fa ff ff ff 5b 41 5c 41 5d 41 5e 41 5f 5d c3 b8 fa ff ff ff c3 0f 1f 00 6 +6 66 66 66 90 55 <48> 8b 97 e8 04 00 00 48 89 e5 48 85 d2 74 41 0f b6 4a 04 84 c +9 74 +kernel: [ 590.359645] RSP: 0018:ffffad3cc3c1fc00 EFLAGS: 00010246 +kernel: [ 590.359646] RAX: 0000000000000000 RBX: ffff8ded b1f3c000 RCX: 1f377e4500000000 +kernel: [ 590.359648] RDX: ffff8dedfa3a6b50 RSI: 00000000 00000000 RDI: 0000000000000000 +kernel: [ 590.359649] RBP: ffffad3cc3c1fc28 R08: 00000000 8574acc2 R09: ffff8dedfa3a6b50 +kernel: [ 590.359650] R10: 0000000000000001 R11: 00000000 00000000 R12: 0000000000000000 +kernel: [ 590.359652] R13: ffff8dedb1f3f0f0 R14: ffffffff adcf7ec0 R15: 0000000000000000 +kernel: [ 590.359654] FS: 00007f7917198540(0000) GS:ffff 8dee258c0000(0000) knlGS:0000000000000000 +kernel: [ 590.359655] CS: 0010 DS: 0000 ES: 0000 CR0: 00 00000080050033 +kernel: [ 590.359657] CR2: 00000000000004e8 CR3: 00000001 a388e002 CR4: 00000000000606e0 +kernel: [ 590.359658] Call Trace: +kernel: [ 590.359664] ? au0828_analog_stream_enable+0x2c/0x180 +kernel: [ 590.359666] au0828_v4l2_open+0xa4/0x110 +kernel: [ 590.359670] v4l2_open+0x8b/0x120 +kernel: [ 590.359674] chrdev_open+0xa6/0x1c0 +kernel: [ 590.359676] ? cdev_put.part.3+0x20/0x20 +kernel: [ 590.359678] do_dentry_open+0x1f6/0x360 +kernel: [ 590.359681] vfs_open+0x2f/0x40 +kernel: [ 590.359684] path_openat+0x299/0xc20 +kernel: [ 590.359688] do_filp_open+0x9b/0x110 +kernel: [ 590.359695] ? _raw_spin_unlock+0x27/0x40 +kernel: [ 590.359697] ? __alloc_fd+0xb2/0x160 +kernel: [ 590.359700] do_sys_open+0x1ba/0x260 +kernel: [ 590.359702] ? do_sys_open+0x1ba/0x260 +kernel: [ 590.359712] __x64_sys_openat+0x20/0x30 +kernel: [ 590.359715] do_syscall_64+0x5a/0x120 +kernel: [ 590.359718] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Signed-off-by: Shuah Khan +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/au0828/au0828-video.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/usb/au0828/au0828-video.c b/drivers/media/usb/au0828/au0828-video.c +index 72095465856a2..3e111f7f56dfe 100644 +--- a/drivers/media/usb/au0828/au0828-video.c ++++ b/drivers/media/usb/au0828/au0828-video.c +@@ -758,6 +758,9 @@ static int au0828_analog_stream_enable(struct au0828_dev *d) + + dprintk(1, "au0828_analog_stream_enable called\n"); + ++ if (test_bit(DEV_DISCONNECTED, &d->dev_state)) ++ return -ENODEV; ++ + iface = usb_ifnum_to_if(d->usbdev, 0); + if (iface && iface->cur_altsetting->desc.bAlternateSetting != 5) { + dprintk(1, "Changing intf#0 to alt 5\n"); +-- +2.20.1 + diff --git a/queue-4.19/media-au0828-stop-video-streaming-only-when-last-use.patch b/queue-4.19/media-au0828-stop-video-streaming-only-when-last-use.patch new file mode 100644 index 00000000000..00d2082d92c --- /dev/null +++ b/queue-4.19/media-au0828-stop-video-streaming-only-when-last-use.patch @@ -0,0 +1,69 @@ +From 0de325f00d6f165789fd691744d5a4225840d8af Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Tue, 2 Apr 2019 03:24:15 -0400 +Subject: media: au0828: stop video streaming only when last user stops + +[ Upstream commit f604f0f5afb88045944567f604409951b5eb6af8 ] + +If the application was streaming from both videoX and vbiX, and streaming +from videoX was stopped, then the vbi streaming also stopped. + +The cause being that stop_streaming for video stopped the subdevs as well, +instead of only doing that if dev->streaming_users reached 0. + +au0828_stop_vbi_streaming was also wrong since it didn't stop the subdevs +at all when dev->streaming_users reached 0. + +Signed-off-by: Hans Verkuil +Tested-by: Shuah Khan +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/au0828/au0828-video.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/usb/au0828/au0828-video.c b/drivers/media/usb/au0828/au0828-video.c +index 62b45062b1e68..72095465856a2 100644 +--- a/drivers/media/usb/au0828/au0828-video.c ++++ b/drivers/media/usb/au0828/au0828-video.c +@@ -839,9 +839,9 @@ int au0828_start_analog_streaming(struct vb2_queue *vq, unsigned int count) + return rc; + } + ++ v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 1); ++ + if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE) { +- v4l2_device_call_all(&dev->v4l2_dev, 0, video, +- s_stream, 1); + dev->vid_timeout_running = 1; + mod_timer(&dev->vid_timeout, jiffies + (HZ / 10)); + } else if (vq->type == V4L2_BUF_TYPE_VBI_CAPTURE) { +@@ -861,10 +861,11 @@ static void au0828_stop_streaming(struct vb2_queue *vq) + + dprintk(1, "au0828_stop_streaming called %d\n", dev->streaming_users); + +- if (dev->streaming_users-- == 1) ++ if (dev->streaming_users-- == 1) { + au0828_uninit_isoc(dev); ++ v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0); ++ } + +- v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0); + dev->vid_timeout_running = 0; + del_timer_sync(&dev->vid_timeout); + +@@ -893,8 +894,10 @@ void au0828_stop_vbi_streaming(struct vb2_queue *vq) + dprintk(1, "au0828_stop_vbi_streaming called %d\n", + dev->streaming_users); + +- if (dev->streaming_users-- == 1) ++ if (dev->streaming_users-- == 1) { + au0828_uninit_isoc(dev); ++ v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0); ++ } + + spin_lock_irqsave(&dev->slock, flags); + if (dev->isoc_ctl.vbi_buf != NULL) { +-- +2.20.1 + diff --git a/queue-4.19/media-coda-clear-error-return-value-before-picture-r.patch b/queue-4.19/media-coda-clear-error-return-value-before-picture-r.patch new file mode 100644 index 00000000000..23e7b4e6d17 --- /dev/null +++ b/queue-4.19/media-coda-clear-error-return-value-before-picture-r.patch @@ -0,0 +1,37 @@ +From 39928b698975fe720727d5eaf68995313b01f1b8 Mon Sep 17 00:00:00 2001 +From: Philipp Zabel +Date: Mon, 8 Apr 2019 08:32:49 -0400 +Subject: media: coda: clear error return value before picture run + +[ Upstream commit bbeefa7357a648afe70e7183914c87c3878d528d ] + +The error return value is not written by some firmware codecs, such as +MPEG-2 decode on CodaHx4. Clear the error return value before starting +the picture run to avoid misinterpreting unrelated values returned by +sequence initialization as error return value. + +Signed-off-by: Philipp Zabel +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/coda/coda-bit.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c +index d20d3df5778bc..a3cfefdbee127 100644 +--- a/drivers/media/platform/coda/coda-bit.c ++++ b/drivers/media/platform/coda/coda-bit.c +@@ -1999,6 +1999,9 @@ static int coda_prepare_decode(struct coda_ctx *ctx) + /* Clear decode success flag */ + coda_write(dev, 0, CODA_RET_DEC_PIC_SUCCESS); + ++ /* Clear error return value */ ++ coda_write(dev, 0, CODA_RET_DEC_PIC_ERR_MB); ++ + trace_coda_dec_pic_run(ctx, meta); + + coda_command_async(ctx, CODA_COMMAND_PIC_RUN); +-- +2.20.1 + diff --git a/queue-4.19/media-dvbsky-avoid-leaking-dvb-frontend.patch b/queue-4.19/media-dvbsky-avoid-leaking-dvb-frontend.patch new file mode 100644 index 00000000000..c0d3a5c862a --- /dev/null +++ b/queue-4.19/media-dvbsky-avoid-leaking-dvb-frontend.patch @@ -0,0 +1,145 @@ +From c664fbd79f9c46fe5b355ac4cc50c52c8a8847eb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Stefan=20Br=C3=BCns?= +Date: Sat, 19 Jan 2019 20:30:04 -0500 +Subject: media: dvbsky: Avoid leaking dvb frontend +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit fdfa59cd63b184e1e96d51ff170fcac739bc6f6f ] + +Commit 14f4eaeddabc ("media: dvbsky: fix driver unregister logic") fixed +a use-after-free by removing the reference to the frontend after deleting +the backing i2c device. + +This has the unfortunate side effect the frontend device is never freed +in the dvb core leaving a dangling device, leading to errors when the +dvb core tries to register the frontend after e.g. a replug as reported +here: https://www.spinics.net/lists/linux-media/msg138181.html + +media: dvbsky: issues with DVBSky T680CI + +=== +[ 561.119145] sp2 8-0040: CIMaX SP2 successfully attached +[ 561.119161] usb 2-3: DVB: registering adapter 0 frontend 0 (Silicon Labs +Si2168)... +[ 561.119174] sysfs: cannot create duplicate filename '/class/dvb/ +dvb0.frontend0' +=== + +The use after free happened as dvb_usbv2_disconnect calls in this order: +- dvb_usb_device::props->exit(...) +- dvb_usbv2_adapter_frontend_exit(...) + + if (fe) dvb_unregister_frontend(fe) + + dvb_usb_device::props->frontend_detach(...) + +Moving the release of the i2c device from exit() to frontend_detach() +avoids the dangling pointer access and allows the core to unregister +the frontend. + +This was originally reported for a DVBSky T680CI, but it also affects +the MyGica T230C. As all supported devices structure the registration/ +unregistration identically, apply the change for all device types. + +Signed-off-by: Stefan Brüns +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/dvbsky.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb-v2/dvbsky.c b/drivers/media/usb/dvb-usb-v2/dvbsky.c +index e28bd8836751e..ae0814dd202a6 100644 +--- a/drivers/media/usb/dvb-usb-v2/dvbsky.c ++++ b/drivers/media/usb/dvb-usb-v2/dvbsky.c +@@ -615,16 +615,18 @@ static int dvbsky_init(struct dvb_usb_device *d) + return 0; + } + +-static void dvbsky_exit(struct dvb_usb_device *d) ++static int dvbsky_frontend_detach(struct dvb_usb_adapter *adap) + { ++ struct dvb_usb_device *d = adap_to_d(adap); + struct dvbsky_state *state = d_to_priv(d); +- struct dvb_usb_adapter *adap = &d->adapter[0]; ++ ++ dev_dbg(&d->udev->dev, "%s: adap=%d\n", __func__, adap->id); + + dvb_module_release(state->i2c_client_tuner); + dvb_module_release(state->i2c_client_demod); + dvb_module_release(state->i2c_client_ci); + +- adap->fe[0] = NULL; ++ return 0; + } + + /* DVB USB Driver stuff */ +@@ -640,11 +642,11 @@ static struct dvb_usb_device_properties dvbsky_s960_props = { + + .i2c_algo = &dvbsky_i2c_algo, + .frontend_attach = dvbsky_s960_attach, ++ .frontend_detach = dvbsky_frontend_detach, + .init = dvbsky_init, + .get_rc_config = dvbsky_get_rc_config, + .streaming_ctrl = dvbsky_streaming_ctrl, + .identify_state = dvbsky_identify_state, +- .exit = dvbsky_exit, + .read_mac_address = dvbsky_read_mac_addr, + + .num_adapters = 1, +@@ -667,11 +669,11 @@ static struct dvb_usb_device_properties dvbsky_s960c_props = { + + .i2c_algo = &dvbsky_i2c_algo, + .frontend_attach = dvbsky_s960c_attach, ++ .frontend_detach = dvbsky_frontend_detach, + .init = dvbsky_init, + .get_rc_config = dvbsky_get_rc_config, + .streaming_ctrl = dvbsky_streaming_ctrl, + .identify_state = dvbsky_identify_state, +- .exit = dvbsky_exit, + .read_mac_address = dvbsky_read_mac_addr, + + .num_adapters = 1, +@@ -694,11 +696,11 @@ static struct dvb_usb_device_properties dvbsky_t680c_props = { + + .i2c_algo = &dvbsky_i2c_algo, + .frontend_attach = dvbsky_t680c_attach, ++ .frontend_detach = dvbsky_frontend_detach, + .init = dvbsky_init, + .get_rc_config = dvbsky_get_rc_config, + .streaming_ctrl = dvbsky_streaming_ctrl, + .identify_state = dvbsky_identify_state, +- .exit = dvbsky_exit, + .read_mac_address = dvbsky_read_mac_addr, + + .num_adapters = 1, +@@ -721,11 +723,11 @@ static struct dvb_usb_device_properties dvbsky_t330_props = { + + .i2c_algo = &dvbsky_i2c_algo, + .frontend_attach = dvbsky_t330_attach, ++ .frontend_detach = dvbsky_frontend_detach, + .init = dvbsky_init, + .get_rc_config = dvbsky_get_rc_config, + .streaming_ctrl = dvbsky_streaming_ctrl, + .identify_state = dvbsky_identify_state, +- .exit = dvbsky_exit, + .read_mac_address = dvbsky_read_mac_addr, + + .num_adapters = 1, +@@ -748,11 +750,11 @@ static struct dvb_usb_device_properties mygica_t230c_props = { + + .i2c_algo = &dvbsky_i2c_algo, + .frontend_attach = dvbsky_mygica_t230c_attach, ++ .frontend_detach = dvbsky_frontend_detach, + .init = dvbsky_init, + .get_rc_config = dvbsky_get_rc_config, + .streaming_ctrl = dvbsky_streaming_ctrl, + .identify_state = dvbsky_identify_state, +- .exit = dvbsky_exit, + + .num_adapters = 1, + .adapter = { +-- +2.20.1 + diff --git a/queue-4.19/media-go7007-avoid-clang-frame-overflow-warning-with.patch b/queue-4.19/media-go7007-avoid-clang-frame-overflow-warning-with.patch new file mode 100644 index 00000000000..4b1b01663ce --- /dev/null +++ b/queue-4.19/media-go7007-avoid-clang-frame-overflow-warning-with.patch @@ -0,0 +1,45 @@ +From 6da74c82d40e05dcd07f4ea26a11578c776f2bb3 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 19 Feb 2019 12:01:58 -0500 +Subject: media: go7007: avoid clang frame overflow warning with KASAN + +[ Upstream commit ed713a4a1367aca5c0f2f329579465db00c17995 ] + +clang-8 warns about one function here when KASAN is enabled, even +without the 'asan-stack' option: + +drivers/media/usb/go7007/go7007-fw.c:1551:5: warning: stack frame size of 2656 bytes in function + +I have reported this issue in the llvm bugzilla, but to make +it work with the clang-8 release, a small annotation is still +needed. + +Link: https://bugs.llvm.org/show_bug.cgi?id=38809 + +Signed-off-by: Arnd Bergmann +Signed-off-by: Hans Verkuil +[hverkuil-cisco@xs4all.nl: fix checkpatch warning] +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/go7007/go7007-fw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/go7007/go7007-fw.c b/drivers/media/usb/go7007/go7007-fw.c +index 24f5b615dc7af..dfa9f899d0c25 100644 +--- a/drivers/media/usb/go7007/go7007-fw.c ++++ b/drivers/media/usb/go7007/go7007-fw.c +@@ -1499,8 +1499,8 @@ static int modet_to_package(struct go7007 *go, __le16 *code, int space) + return cnt; + } + +-static int do_special(struct go7007 *go, u16 type, __le16 *code, int space, +- int *framelen) ++static noinline_for_stack int do_special(struct go7007 *go, u16 type, ++ __le16 *code, int space, int *framelen) + { + switch (type) { + case SPECIAL_FRM_HEAD: +-- +2.20.1 + diff --git a/queue-4.19/media-gspca-do-not-resubmit-urbs-when-streaming-has-.patch b/queue-4.19/media-gspca-do-not-resubmit-urbs-when-streaming-has-.patch new file mode 100644 index 00000000000..6794e86778b --- /dev/null +++ b/queue-4.19/media-gspca-do-not-resubmit-urbs-when-streaming-has-.patch @@ -0,0 +1,69 @@ +From 2064d93697b67dea82bd0f65c09fc5ae7c1fa5d7 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Tue, 26 Feb 2019 07:54:22 -0500 +Subject: media: gspca: do not resubmit URBs when streaming has stopped + +[ Upstream commit e6f8bd59c28f758feea403a70d6c3ef28c50959f ] + +When streaming is stopped all URBs are killed, but in fill_frame and in +bulk_irq this results in an attempt to resubmit the killed URB. That is +not what you want and causes spurious kernel messages. + +So check if streaming has stopped before resubmitting. + +Also check against gspca_dev->streaming rather than vb2_start_streaming_called() +since vb2_start_streaming_called() will return true when in stop_streaming, +but gspca_dev->streaming is set to false when stop_streaming is called. + +Fixes: 6992effe5344 ("gspca: Kill all URBs before releasing any of them") + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/gspca/gspca.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/gspca/gspca.c b/drivers/media/usb/gspca/gspca.c +index fd4a1456b6ca2..b12356c533a65 100644 +--- a/drivers/media/usb/gspca/gspca.c ++++ b/drivers/media/usb/gspca/gspca.c +@@ -314,6 +314,8 @@ static void fill_frame(struct gspca_dev *gspca_dev, + } + + resubmit: ++ if (!gspca_dev->streaming) ++ return; + /* resubmit the URB */ + st = usb_submit_urb(urb, GFP_ATOMIC); + if (st < 0) +@@ -330,7 +332,7 @@ static void isoc_irq(struct urb *urb) + struct gspca_dev *gspca_dev = (struct gspca_dev *) urb->context; + + gspca_dbg(gspca_dev, D_PACK, "isoc irq\n"); +- if (!vb2_start_streaming_called(&gspca_dev->queue)) ++ if (!gspca_dev->streaming) + return; + fill_frame(gspca_dev, urb); + } +@@ -344,7 +346,7 @@ static void bulk_irq(struct urb *urb) + int st; + + gspca_dbg(gspca_dev, D_PACK, "bulk irq\n"); +- if (!vb2_start_streaming_called(&gspca_dev->queue)) ++ if (!gspca_dev->streaming) + return; + switch (urb->status) { + case 0: +@@ -367,6 +369,8 @@ static void bulk_irq(struct urb *urb) + urb->actual_length); + + resubmit: ++ if (!gspca_dev->streaming) ++ return; + /* resubmit the URB */ + if (gspca_dev->cam.bulk_nurbs != 0) { + st = usb_submit_urb(urb, GFP_ATOMIC); +-- +2.20.1 + diff --git a/queue-4.19/media-gspca-kill-urbs-on-usb-device-disconnect.patch b/queue-4.19/media-gspca-kill-urbs-on-usb-device-disconnect.patch new file mode 100644 index 00000000000..843306eacc2 --- /dev/null +++ b/queue-4.19/media-gspca-kill-urbs-on-usb-device-disconnect.patch @@ -0,0 +1,49 @@ +From 6db3c963403634f839d14bc6f491b0b85d9d2c3e Mon Sep 17 00:00:00 2001 +From: Ezequiel Garcia +Date: Thu, 28 Feb 2019 10:28:34 -0500 +Subject: media: gspca: Kill URBs on USB device disconnect + +[ Upstream commit 9b9ea7c2b57a0c9c3341fc6db039d1f7971a432e ] + +In order to prevent ISOC URBs from being infinitely resubmitted, +the driver's USB disconnect handler must kill all the in-flight URBs. + +While here, change the URB packet status message to a debug level, +to avoid spamming the console too much. + +This commit fixes a lockup caused by an interrupt storm coming +from the URB completion handler. + +Signed-off-by: Ezequiel Garcia +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/gspca/gspca.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/gspca/gspca.c b/drivers/media/usb/gspca/gspca.c +index 405a6a76d820f..fd4a1456b6ca2 100644 +--- a/drivers/media/usb/gspca/gspca.c ++++ b/drivers/media/usb/gspca/gspca.c +@@ -294,7 +294,7 @@ static void fill_frame(struct gspca_dev *gspca_dev, + /* check the packet status and length */ + st = urb->iso_frame_desc[i].status; + if (st) { +- pr_err("ISOC data error: [%d] len=%d, status=%d\n", ++ gspca_dbg(gspca_dev, D_PACK, "ISOC data error: [%d] len=%d, status=%d\n", + i, len, st); + gspca_dev->last_packet_type = DISCARD_PACKET; + continue; +@@ -1630,6 +1630,8 @@ void gspca_disconnect(struct usb_interface *intf) + + mutex_lock(&gspca_dev->usb_lock); + gspca_dev->present = false; ++ destroy_urbs(gspca_dev); ++ gspca_input_destroy_urb(gspca_dev); + + vb2_queue_error(&gspca_dev->queue); + +-- +2.20.1 + diff --git a/queue-4.19/media-m88ds3103-serialize-reset-messages-in-m88ds310.patch b/queue-4.19/media-m88ds3103-serialize-reset-messages-in-m88ds310.patch new file mode 100644 index 00000000000..a103cfc4ee4 --- /dev/null +++ b/queue-4.19/media-m88ds3103-serialize-reset-messages-in-m88ds310.patch @@ -0,0 +1,102 @@ +From 3bbd6482f0eec11e2da13333f4133c6c684b4728 Mon Sep 17 00:00:00 2001 +From: James Hutchinson +Date: Sun, 13 Jan 2019 16:13:47 -0500 +Subject: media: m88ds3103: serialize reset messages in m88ds3103_set_frontend + +[ Upstream commit 981fbe3da20a6f35f17977453bce7dfc1664d74f ] + +Ref: https://bugzilla.kernel.org/show_bug.cgi?id=199323 + +Users are experiencing problems with the DVBSky S960/S960C USB devices +since the following commit: + +9d659ae: ("locking/mutex: Add lock handoff to avoid starvation") + +The device malfunctions after running for an indeterminable period of +time, and the problem can only be cleared by rebooting the machine. + +It is possible to encourage the problem to surface by blocking the +signal to the LNB. + +Further debugging revealed the cause of the problem. + +In the following capture: +- thread #1325 is running m88ds3103_set_frontend +- thread #42 is running ts2020_stat_work + +a> [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 07 80 + [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 08 + [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 68 3f + [42] usb 1-1: dvb_usb_v2_generic_io: <<< 08 ff + [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11 + [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 + [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 3d + [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff +b> [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 07 00 + [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07 + [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11 + [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 + [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 21 + [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff + [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11 + [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 + [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 66 + [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff + [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11 + [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07 + [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 60 02 10 0b + [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07 + +Two i2c messages are sent to perform a reset in m88ds3103_set_frontend: + + a. 0x07, 0x80 + b. 0x07, 0x00 + +However, as shown in the capture, the regmap mutex is being handed over +to another thread (ts2020_stat_work) in between these two messages. + +>From here, the device responds to every i2c message with an 07 message, +and will only return to normal operation following a power cycle. + +Use regmap_multi_reg_write to group the two reset messages, ensuring +both are processed before the regmap mutex is unlocked. + +Signed-off-by: James Hutchinson +Reviewed-by: Antti Palosaari +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/m88ds3103.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/dvb-frontends/m88ds3103.c b/drivers/media/dvb-frontends/m88ds3103.c +index dffd2d4bf1c8b..c25c927974089 100644 +--- a/drivers/media/dvb-frontends/m88ds3103.c ++++ b/drivers/media/dvb-frontends/m88ds3103.c +@@ -309,6 +309,9 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe) + u16 u16tmp; + u32 tuner_frequency_khz, target_mclk; + s32 s32tmp; ++ static const struct reg_sequence reset_buf[] = { ++ {0x07, 0x80}, {0x07, 0x00} ++ }; + + dev_dbg(&client->dev, + "delivery_system=%d modulation=%d frequency=%u symbol_rate=%d inversion=%d pilot=%d rolloff=%d\n", +@@ -321,11 +324,7 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe) + } + + /* reset */ +- ret = regmap_write(dev->regmap, 0x07, 0x80); +- if (ret) +- goto err; +- +- ret = regmap_write(dev->regmap, 0x07, 0x00); ++ ret = regmap_multi_reg_write(dev->regmap, reset_buf, 2); + if (ret) + goto err; + +-- +2.20.1 + diff --git a/queue-4.19/media-ov2659-make-s_fmt-succeed-even-if-requested-fo.patch b/queue-4.19/media-ov2659-make-s_fmt-succeed-even-if-requested-fo.patch new file mode 100644 index 00000000000..fbd1e574ced --- /dev/null +++ b/queue-4.19/media-ov2659-make-s_fmt-succeed-even-if-requested-fo.patch @@ -0,0 +1,51 @@ +From 59efecd787aa480a37908d564f151b448137ac78 Mon Sep 17 00:00:00 2001 +From: Akinobu Mita +Date: Sat, 30 Mar 2019 10:01:31 -0400 +Subject: media: ov2659: make S_FMT succeed even if requested format doesn't + match + +[ Upstream commit bccb89cf9cd07a0690d519696a00c00a973b3fe4 ] + +This driver returns an error if unsupported media bus pixel code is +requested by VIDIOC_SUBDEV_S_FMT. + +But according to Documentation/media/uapi/v4l/vidioc-subdev-g-fmt.rst, + +Drivers must not return an error solely because the requested format +doesn't match the device capabilities. They must instead modify the +format to match what the hardware can provide. + +So select default format code and return success in that case. + +This is detected by v4l2-compliance. + +Cc: "Lad, Prabhakar" +Signed-off-by: Akinobu Mita +Acked-by: Lad, Prabhakar +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov2659.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/i2c/ov2659.c b/drivers/media/i2c/ov2659.c +index 4715edc8ca33e..e6a8b5669b9cc 100644 +--- a/drivers/media/i2c/ov2659.c ++++ b/drivers/media/i2c/ov2659.c +@@ -1117,8 +1117,10 @@ static int ov2659_set_fmt(struct v4l2_subdev *sd, + if (ov2659_formats[index].code == mf->code) + break; + +- if (index < 0) +- return -EINVAL; ++ if (index < 0) { ++ index = 0; ++ mf->code = ov2659_formats[index].code; ++ } + + mf->colorspace = V4L2_COLORSPACE_SRGB; + mf->field = V4L2_FIELD_NONE; +-- +2.20.1 + diff --git a/queue-4.19/media-ov6650-move-v4l2_clk_get-to-ov6650_video_probe.patch b/queue-4.19/media-ov6650-move-v4l2_clk_get-to-ov6650_video_probe.patch new file mode 100644 index 00000000000..1df5ef9a750 --- /dev/null +++ b/queue-4.19/media-ov6650-move-v4l2_clk_get-to-ov6650_video_probe.patch @@ -0,0 +1,79 @@ +From ba60a06a35cf6cd237bbc2642785fc370146c726 Mon Sep 17 00:00:00 2001 +From: Janusz Krzysztofik +Date: Fri, 29 Mar 2019 21:06:09 -0400 +Subject: media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper + +[ Upstream commit ccdd85d518d8b9320ace1d87271f0ba2175f21fa ] + +In preparation for adding asynchronous subdevice support to the driver, +don't acquire v4l2_clk from the driver .probe() callback as that may +fail if the clock is provided by a bridge driver which may be not yet +initialized. Move the v4l2_clk_get() to ov6650_video_probe() helper +which is going to be converted to v4l2_subdev_internal_ops.registered() +callback, executed only when the bridge driver is ready. + +Signed-off-by: Janusz Krzysztofik +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov6650.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +diff --git a/drivers/media/i2c/ov6650.c b/drivers/media/i2c/ov6650.c +index a9264d515e546..edded869d7920 100644 +--- a/drivers/media/i2c/ov6650.c ++++ b/drivers/media/i2c/ov6650.c +@@ -811,9 +811,16 @@ static int ov6650_video_probe(struct i2c_client *client) + u8 pidh, pidl, midh, midl; + int ret; + ++ priv->clk = v4l2_clk_get(&client->dev, NULL); ++ if (IS_ERR(priv->clk)) { ++ ret = PTR_ERR(priv->clk); ++ dev_err(&client->dev, "v4l2_clk request err: %d\n", ret); ++ return ret; ++ } ++ + ret = ov6650_s_power(&priv->subdev, 1); + if (ret < 0) +- return ret; ++ goto eclkput; + + msleep(20); + +@@ -850,6 +857,11 @@ static int ov6650_video_probe(struct i2c_client *client) + + done: + ov6650_s_power(&priv->subdev, 0); ++ if (!ret) ++ return 0; ++eclkput: ++ v4l2_clk_put(priv->clk); ++ + return ret; + } + +@@ -992,18 +1004,9 @@ static int ov6650_probe(struct i2c_client *client, + priv->code = MEDIA_BUS_FMT_YUYV8_2X8; + priv->colorspace = V4L2_COLORSPACE_JPEG; + +- priv->clk = v4l2_clk_get(&client->dev, NULL); +- if (IS_ERR(priv->clk)) { +- ret = PTR_ERR(priv->clk); +- goto eclkget; +- } +- + ret = ov6650_video_probe(client); +- if (ret) { +- v4l2_clk_put(priv->clk); +-eclkget: ++ if (ret) + v4l2_ctrl_handler_free(&priv->hdl); +- } + + return ret; + } +-- +2.20.1 + diff --git a/queue-4.19/media-pvrusb2-prevent-a-buffer-overflow.patch b/queue-4.19/media-pvrusb2-prevent-a-buffer-overflow.patch new file mode 100644 index 00000000000..7461bcc609f --- /dev/null +++ b/queue-4.19/media-pvrusb2-prevent-a-buffer-overflow.patch @@ -0,0 +1,60 @@ +From e7a33f57913144be441982b9a93359d38fedec1a Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 8 Apr 2019 05:52:38 -0400 +Subject: media: pvrusb2: Prevent a buffer overflow + +[ Upstream commit c1ced46c7b49ad7bc064e68d966e0ad303f917fb ] + +The ctrl_check_input() function is called from pvr2_ctrl_range_check(). +It's supposed to validate user supplied input and return true or false +depending on whether the input is valid or not. The problem is that +negative shifts or shifts greater than 31 are undefined in C. In +practice with GCC they result in shift wrapping so this function returns +true for some inputs which are not valid and this could result in a +buffer overflow: + + drivers/media/usb/pvrusb2/pvrusb2-ctrl.c:205 pvr2_ctrl_get_valname() + warn: uncapped user index 'names[val]' + +The cptr->hdw->input_allowed_mask mask is configured in pvr2_hdw_create() +and the highest valid bit is BIT(4). + +Fixes: 7fb20fa38caa ("V4L/DVB (7299): pvrusb2: Improve logic which handles input choice availability") + +Signed-off-by: Dan Carpenter +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 ++ + drivers/media/usb/pvrusb2/pvrusb2-hdw.h | 1 + + 2 files changed, 3 insertions(+) + +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +index a8519da0020bf..673fdca8d2dac 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +@@ -666,6 +666,8 @@ static int ctrl_get_input(struct pvr2_ctrl *cptr,int *vp) + + static int ctrl_check_input(struct pvr2_ctrl *cptr,int v) + { ++ if (v < 0 || v > PVR2_CVAL_INPUT_MAX) ++ return 0; + return ((1 << v) & cptr->hdw->input_allowed_mask) != 0; + } + +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h +index 25648add77e58..bd2b7a67b7322 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h ++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h +@@ -50,6 +50,7 @@ + #define PVR2_CVAL_INPUT_COMPOSITE 2 + #define PVR2_CVAL_INPUT_SVIDEO 3 + #define PVR2_CVAL_INPUT_RADIO 4 ++#define PVR2_CVAL_INPUT_MAX PVR2_CVAL_INPUT_RADIO + + enum pvr2_config { + pvr2_config_empty, /* No configuration */ +-- +2.20.1 + diff --git a/queue-4.19/media-saa7146-avoid-high-stack-usage-with-clang.patch b/queue-4.19/media-saa7146-avoid-high-stack-usage-with-clang.patch new file mode 100644 index 00000000000..77ca42db57d --- /dev/null +++ b/queue-4.19/media-saa7146-avoid-high-stack-usage-with-clang.patch @@ -0,0 +1,72 @@ +From 754ab9d27298fa00adccc556865ba7bceb25ae72 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 19 Feb 2019 12:01:56 -0500 +Subject: media: saa7146: avoid high stack usage with clang + +[ Upstream commit 03aa4f191a36f33fce015387f84efa0eee94408e ] + +Two saa7146/hexium files contain a construct that causes a warning +when built with clang: + +drivers/media/pci/saa7146/hexium_orion.c:210:12: error: stack frame size of 2272 bytes in function 'hexium_probe' + [-Werror,-Wframe-larger-than=] +static int hexium_probe(struct saa7146_dev *dev) + ^ +drivers/media/pci/saa7146/hexium_gemini.c:257:12: error: stack frame size of 2304 bytes in function 'hexium_attach' + [-Werror,-Wframe-larger-than=] +static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info) + ^ + +This one happens regardless of KASAN, and the problem is that a +constructor to initialize a dynamically allocated structure leads +to a copy of that structure on the stack, whereas gcc initializes +it in place. + +Link: https://bugs.llvm.org/show_bug.cgi?id=40776 + +Signed-off-by: Arnd Bergmann +Reviewed-by: Nick Desaulniers +Signed-off-by: Hans Verkuil +[hverkuil-cisco@xs4all.nl: fix checkpatch warnings] +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/saa7146/hexium_gemini.c | 5 ++--- + drivers/media/pci/saa7146/hexium_orion.c | 5 ++--- + 2 files changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c +index 5817d9cde4d0c..6d8e4afe9673a 100644 +--- a/drivers/media/pci/saa7146/hexium_gemini.c ++++ b/drivers/media/pci/saa7146/hexium_gemini.c +@@ -270,9 +270,8 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d + /* enable i2c-port pins */ + saa7146_write(dev, MC1, (MASK_08 | MASK_24 | MASK_10 | MASK_26)); + +- hexium->i2c_adapter = (struct i2c_adapter) { +- .name = "hexium gemini", +- }; ++ strscpy(hexium->i2c_adapter.name, "hexium gemini", ++ sizeof(hexium->i2c_adapter.name)); + saa7146_i2c_adapter_prepare(dev, &hexium->i2c_adapter, SAA7146_I2C_BUS_BIT_RATE_480); + if (i2c_add_adapter(&hexium->i2c_adapter) < 0) { + DEB_S("cannot register i2c-device. skipping.\n"); +diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c +index 0a05176c18ab6..a794f9e5f9908 100644 +--- a/drivers/media/pci/saa7146/hexium_orion.c ++++ b/drivers/media/pci/saa7146/hexium_orion.c +@@ -231,9 +231,8 @@ static int hexium_probe(struct saa7146_dev *dev) + saa7146_write(dev, DD1_STREAM_B, 0x00000000); + saa7146_write(dev, MC2, (MASK_09 | MASK_25 | MASK_10 | MASK_26)); + +- hexium->i2c_adapter = (struct i2c_adapter) { +- .name = "hexium orion", +- }; ++ strscpy(hexium->i2c_adapter.name, "hexium orion", ++ sizeof(hexium->i2c_adapter.name)); + saa7146_i2c_adapter_prepare(dev, &hexium->i2c_adapter, SAA7146_I2C_BUS_BIT_RATE_480); + if (i2c_add_adapter(&hexium->i2c_adapter) < 0) { + DEB_S("cannot register i2c-device. skipping.\n"); +-- +2.20.1 + diff --git a/queue-4.19/media-si2165-fix-a-missing-check-of-return-value.patch b/queue-4.19/media-si2165-fix-a-missing-check-of-return-value.patch new file mode 100644 index 00000000000..1645e253c81 --- /dev/null +++ b/queue-4.19/media-si2165-fix-a-missing-check-of-return-value.patch @@ -0,0 +1,55 @@ +From 644d3889926b37279ea1ae7355a01f07d70959ce Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Thu, 20 Dec 2018 23:54:03 -0500 +Subject: media: si2165: fix a missing check of return value + +[ Upstream commit 0ab34a08812a3334350dbaf69a018ee0ab3d2ddd ] + +si2165_readreg8() may fail. Looking into si2165_readreg8(), we will find +that "val_tmp" will be an uninitialized value when regmap_read() fails. +"val_tmp" is then assigned to "val". So if si2165_readreg8() fails, +"val" will be a random value. Further use will lead to undefined +behaviors. The fix checks if si2165_readreg8() fails, and if so, returns +its error code upstream. + +Signed-off-by: Kangjie Lu +Reviewed-by: Matthias Schwarzott +Tested-by: Matthias Schwarzott +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/si2165.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/dvb-frontends/si2165.c b/drivers/media/dvb-frontends/si2165.c +index feacd8da421da..d55d8f169dca6 100644 +--- a/drivers/media/dvb-frontends/si2165.c ++++ b/drivers/media/dvb-frontends/si2165.c +@@ -275,18 +275,20 @@ static u32 si2165_get_fe_clk(struct si2165_state *state) + + static int si2165_wait_init_done(struct si2165_state *state) + { +- int ret = -EINVAL; ++ int ret; + u8 val = 0; + int i; + + for (i = 0; i < 3; ++i) { +- si2165_readreg8(state, REG_INIT_DONE, &val); ++ ret = si2165_readreg8(state, REG_INIT_DONE, &val); ++ if (ret < 0) ++ return ret; + if (val == 0x01) + return 0; + usleep_range(1000, 50000); + } + dev_err(&state->client->dev, "init_done was not set\n"); +- return ret; ++ return -EINVAL; + } + + static int si2165_upload_firmware_block(struct si2165_state *state, +-- +2.20.1 + diff --git a/queue-4.19/media-staging-davinci_vpfe-disallow-building-with-co.patch b/queue-4.19/media-staging-davinci_vpfe-disallow-building-with-co.patch new file mode 100644 index 00000000000..0518328665a --- /dev/null +++ b/queue-4.19/media-staging-davinci_vpfe-disallow-building-with-co.patch @@ -0,0 +1,63 @@ +From 467ca8c553a19a543778fc24427cc627138e0314 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 5 Mar 2019 08:29:48 -0500 +Subject: media: staging: davinci_vpfe: disallow building with COMPILE_TEST + +[ Upstream commit 49dc762cffd8305a861ca649e82dc5533b3e3344 ] + +The driver should really call dm365_isif_setup_pinmux() through a callback, +but uses a hack to include a davinci specific machine header file when +compile testing instead. This works almost everywhere, but not on the +ARM omap1 platform, which has another header named mach/mux.h. This +causes a build failure: + +drivers/staging/media/davinci_vpfe/dm365_isif.c:2028:2: error: implicit declaration of function 'davinci_cfg_reg' [-Werror,-Wimplicit-function-declaration] + davinci_cfg_reg(DM365_VIN_CAM_WEN); + ^ +drivers/staging/media/davinci_vpfe/dm365_isif.c:2028:2: error: this function declaration is not a prototype [-Werror,-Wstrict-prototypes] +drivers/staging/media/davinci_vpfe/dm365_isif.c:2028:18: error: use of undeclared identifier 'DM365_VIN_CAM_WEN' + davinci_cfg_reg(DM365_VIN_CAM_WEN); + ^ +drivers/staging/media/davinci_vpfe/dm365_isif.c:2029:18: error: use of undeclared identifier 'DM365_VIN_CAM_VD' + davinci_cfg_reg(DM365_VIN_CAM_VD); + ^ +drivers/staging/media/davinci_vpfe/dm365_isif.c:2030:18: error: use of undeclared identifier 'DM365_VIN_CAM_HD' + davinci_cfg_reg(DM365_VIN_CAM_HD); + ^ +drivers/staging/media/davinci_vpfe/dm365_isif.c:2031:18: error: use of undeclared identifier 'DM365_VIN_YIN4_7_EN' + davinci_cfg_reg(DM365_VIN_YIN4_7_EN); + ^ +drivers/staging/media/davinci_vpfe/dm365_isif.c:2032:18: error: use of undeclared identifier 'DM365_VIN_YIN0_3_EN' + davinci_cfg_reg(DM365_VIN_YIN0_3_EN); + ^ +7 errors generated. + +Exclude omap1 from compile-testing, under the assumption that all others +still work. + +Fixes: 4907c73deefe ("media: staging: davinci_vpfe: allow building with COMPILE_TEST") + +Signed-off-by: Arnd Bergmann +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/davinci_vpfe/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/media/davinci_vpfe/Kconfig b/drivers/staging/media/davinci_vpfe/Kconfig +index aea449a8dbf8a..76818cc48ddcb 100644 +--- a/drivers/staging/media/davinci_vpfe/Kconfig ++++ b/drivers/staging/media/davinci_vpfe/Kconfig +@@ -1,7 +1,7 @@ + config VIDEO_DM365_VPFE + tristate "DM365 VPFE Media Controller Capture Driver" + depends on VIDEO_V4L2 +- depends on (ARCH_DAVINCI_DM365 && !VIDEO_DM365_ISIF) || COMPILE_TEST ++ depends on (ARCH_DAVINCI_DM365 && !VIDEO_DM365_ISIF) || (COMPILE_TEST && !ARCH_OMAP1) + depends on VIDEO_V4L2_SUBDEV_API + depends on VIDEO_DAVINCI_VPBE_DISPLAY + select VIDEOBUF2_DMA_CONTIG +-- +2.20.1 + diff --git a/queue-4.19/media-stm32-dcmi-fix-crash-when-subdev-do-not-expose.patch b/queue-4.19/media-stm32-dcmi-fix-crash-when-subdev-do-not-expose.patch new file mode 100644 index 00000000000..52a6968ca28 --- /dev/null +++ b/queue-4.19/media-stm32-dcmi-fix-crash-when-subdev-do-not-expose.patch @@ -0,0 +1,45 @@ +From 5316bb63afc3ef788f0f91068d3aac6f4f811301 Mon Sep 17 00:00:00 2001 +From: Hugues Fruchet +Date: Mon, 1 Apr 2019 04:56:09 -0400 +Subject: media: stm32-dcmi: fix crash when subdev do not expose any formats + +[ Upstream commit 33dfeb62e23c31619d2197850f7e8b50e8cc5466 ] + +Do not access sd_formats[] if num_of_sd_formats is zero, ie +subdev sensor didn't expose any formats. + +Signed-off-by: Hugues Fruchet +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/stm32/stm32-dcmi.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/media/platform/stm32/stm32-dcmi.c b/drivers/media/platform/stm32/stm32-dcmi.c +index 100a5922d75fd..d386822658922 100644 +--- a/drivers/media/platform/stm32/stm32-dcmi.c ++++ b/drivers/media/platform/stm32/stm32-dcmi.c +@@ -808,6 +808,9 @@ static int dcmi_try_fmt(struct stm32_dcmi *dcmi, struct v4l2_format *f, + + sd_fmt = find_format_by_fourcc(dcmi, pix->pixelformat); + if (!sd_fmt) { ++ if (!dcmi->num_of_sd_formats) ++ return -ENODATA; ++ + sd_fmt = dcmi->sd_formats[dcmi->num_of_sd_formats - 1]; + pix->pixelformat = sd_fmt->fourcc; + } +@@ -986,6 +989,9 @@ static int dcmi_set_sensor_format(struct stm32_dcmi *dcmi, + + sd_fmt = find_format_by_fourcc(dcmi, pix->pixelformat); + if (!sd_fmt) { ++ if (!dcmi->num_of_sd_formats) ++ return -ENODATA; ++ + sd_fmt = dcmi->sd_formats[dcmi->num_of_sd_formats - 1]; + pix->pixelformat = sd_fmt->fourcc; + } +-- +2.20.1 + diff --git a/queue-4.19/media-stm32-dcmi-return-appropriate-error-codes-duri.patch b/queue-4.19/media-stm32-dcmi-return-appropriate-error-codes-duri.patch new file mode 100644 index 00000000000..d4b17a460c1 --- /dev/null +++ b/queue-4.19/media-stm32-dcmi-return-appropriate-error-codes-duri.patch @@ -0,0 +1,72 @@ +From 4768a52e91bcb80fe376d341744d3ced07cb0c0b Mon Sep 17 00:00:00 2001 +From: Fabien Dessenne +Date: Wed, 24 Apr 2019 09:25:44 -0400 +Subject: media: stm32-dcmi: return appropriate error codes during probe + +[ Upstream commit b5b5a27bee5884860798ffd0f08e611a3942064b ] + +During probe, return the provided errors value instead of -ENODEV. +This allows the driver to be deferred probed if needed. + +Signed-off-by: Fabien Dessenne +Acked-by: Hugues Fruchet +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/stm32/stm32-dcmi.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/platform/stm32/stm32-dcmi.c b/drivers/media/platform/stm32/stm32-dcmi.c +index 721564176d8c0..100a5922d75fd 100644 +--- a/drivers/media/platform/stm32/stm32-dcmi.c ++++ b/drivers/media/platform/stm32/stm32-dcmi.c +@@ -1645,7 +1645,7 @@ static int dcmi_probe(struct platform_device *pdev) + dcmi->rstc = devm_reset_control_get_exclusive(&pdev->dev, NULL); + if (IS_ERR(dcmi->rstc)) { + dev_err(&pdev->dev, "Could not get reset control\n"); +- return -ENODEV; ++ return PTR_ERR(dcmi->rstc); + } + + /* Get bus characteristics from devicetree */ +@@ -1660,7 +1660,7 @@ static int dcmi_probe(struct platform_device *pdev) + of_node_put(np); + if (ret) { + dev_err(&pdev->dev, "Could not parse the endpoint\n"); +- return -ENODEV; ++ return ret; + } + + if (ep.bus_type == V4L2_MBUS_CSI2) { +@@ -1673,8 +1673,9 @@ static int dcmi_probe(struct platform_device *pdev) + + irq = platform_get_irq(pdev, 0); + if (irq <= 0) { +- dev_err(&pdev->dev, "Could not get irq\n"); +- return -ENODEV; ++ if (irq != -EPROBE_DEFER) ++ dev_err(&pdev->dev, "Could not get irq\n"); ++ return irq; + } + + dcmi->res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +@@ -1694,12 +1695,13 @@ static int dcmi_probe(struct platform_device *pdev) + dev_name(&pdev->dev), dcmi); + if (ret) { + dev_err(&pdev->dev, "Unable to request irq %d\n", irq); +- return -ENODEV; ++ return ret; + } + + mclk = devm_clk_get(&pdev->dev, "mclk"); + if (IS_ERR(mclk)) { +- dev_err(&pdev->dev, "Unable to get mclk\n"); ++ if (PTR_ERR(mclk) != -EPROBE_DEFER) ++ dev_err(&pdev->dev, "Unable to get mclk\n"); + return PTR_ERR(mclk); + } + +-- +2.20.1 + diff --git a/queue-4.19/media-video-mux-fix-null-pointer-dereferences.patch b/queue-4.19/media-video-mux-fix-null-pointer-dereferences.patch new file mode 100644 index 00000000000..f0bc874b89d --- /dev/null +++ b/queue-4.19/media-video-mux-fix-null-pointer-dereferences.patch @@ -0,0 +1,41 @@ +From 0edddc802bc71f8f659b3965d0e4f17af4adcb27 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Sat, 9 Mar 2019 02:20:56 -0500 +Subject: media: video-mux: fix null pointer dereferences + +[ Upstream commit aeb0d0f581e2079868e64a2e5ee346d340376eae ] + +devm_kcalloc may fail and return a null pointer. The fix returns +-ENOMEM upon failures to avoid null pointer dereferences. + +Signed-off-by: Kangjie Lu +Reviewed-by: Philipp Zabel +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/video-mux.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/media/platform/video-mux.c b/drivers/media/platform/video-mux.c +index c01e1592ad0a8..c8ffe7bff77f1 100644 +--- a/drivers/media/platform/video-mux.c ++++ b/drivers/media/platform/video-mux.c +@@ -365,9 +365,14 @@ static int video_mux_probe(struct platform_device *pdev) + vmux->active = -1; + vmux->pads = devm_kcalloc(dev, num_pads, sizeof(*vmux->pads), + GFP_KERNEL); ++ if (!vmux->pads) ++ return -ENOMEM; ++ + vmux->format_mbus = devm_kcalloc(dev, num_pads, + sizeof(*vmux->format_mbus), + GFP_KERNEL); ++ if (!vmux->format_mbus) ++ return -ENOMEM; + + for (i = 0; i < num_pads; i++) { + vmux->pads[i].flags = (i < num_pads - 1) ? MEDIA_PAD_FL_SINK +-- +2.20.1 + diff --git a/queue-4.19/media-vimc-stream-fix-thread-state-before-sleep.patch b/queue-4.19/media-vimc-stream-fix-thread-state-before-sleep.patch new file mode 100644 index 00000000000..b6588e63162 --- /dev/null +++ b/queue-4.19/media-vimc-stream-fix-thread-state-before-sleep.patch @@ -0,0 +1,49 @@ +From ce22c17227ad5926e765f23665af54c50f078014 Mon Sep 17 00:00:00 2001 +From: Helen Fornazier +Date: Wed, 6 Mar 2019 17:42:38 -0500 +Subject: media: vimc: stream: fix thread state before sleep + +[ Upstream commit 2978a505aaa981b279ef359f74ba93d25098e0a0 ] + +The state TASK_UNINTERRUPTIBLE should be set just before +schedule_timeout() call, so it knows the sleep mode it should enter. +There is no point in setting TASK_UNINTERRUPTIBLE at the initialization +of the thread as schedule_timeout() will set the state back to +TASK_RUNNING. + +This fixes a warning in __might_sleep() call, as it's expecting the +task to be in TASK_RUNNING state just before changing the state to +a sleeping state. + +Reported-by: Hans Verkuil +Signed-off-by: Helen Koike +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/vimc/vimc-streamer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/vimc/vimc-streamer.c b/drivers/media/platform/vimc/vimc-streamer.c +index fcc897fb247bc..392754c18046c 100644 +--- a/drivers/media/platform/vimc/vimc-streamer.c ++++ b/drivers/media/platform/vimc/vimc-streamer.c +@@ -120,7 +120,6 @@ static int vimc_streamer_thread(void *data) + int i; + + set_freezable(); +- set_current_state(TASK_UNINTERRUPTIBLE); + + for (;;) { + try_to_freeze(); +@@ -137,6 +136,7 @@ static int vimc_streamer_thread(void *data) + break; + } + //wait for 60hz ++ set_current_state(TASK_UNINTERRUPTIBLE); + schedule_timeout(HZ / 60); + } + +-- +2.20.1 + diff --git a/queue-4.19/media-vimc-zero-the-media_device-on-probe.patch b/queue-4.19/media-vimc-zero-the-media_device-on-probe.patch new file mode 100644 index 00000000000..4bad63768c5 --- /dev/null +++ b/queue-4.19/media-vimc-zero-the-media_device-on-probe.patch @@ -0,0 +1,38 @@ +From fe051ef2764f998ec279e9f7cae27afa0f0d6372 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Fri, 8 Mar 2019 08:02:26 -0500 +Subject: media: vimc: zero the media_device on probe + +[ Upstream commit f74267b51cb36321f777807b2e04ca02167ecc08 ] + +The media_device is part of a static global vimc_device struct. +The media framework expects this to be zeroed before it is +used, however, since this is a global this is not the case if +vimc is unbound and then bound again. + +So call memset to ensure any left-over values are cleared. + +Signed-off-by: Hans Verkuil +Reviewed-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/vimc/vimc-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/platform/vimc/vimc-core.c b/drivers/media/platform/vimc/vimc-core.c +index 9246f265de31b..27db8835c2410 100644 +--- a/drivers/media/platform/vimc/vimc-core.c ++++ b/drivers/media/platform/vimc/vimc-core.c +@@ -303,6 +303,8 @@ static int vimc_probe(struct platform_device *pdev) + + dev_dbg(&pdev->dev, "probe"); + ++ memset(&vimc->mdev, 0, sizeof(vimc->mdev)); ++ + /* Create platform_device for each entity in the topology*/ + vimc->subdevs = devm_kcalloc(&vimc->pdev.dev, vimc->pipe_cfg->num_ents, + sizeof(*vimc->subdevs), GFP_KERNEL); +-- +2.20.1 + diff --git a/queue-4.19/media-wl128x-prevent-two-potential-buffer-overflows.patch b/queue-4.19/media-wl128x-prevent-two-potential-buffer-overflows.patch new file mode 100644 index 00000000000..497c44c66f0 --- /dev/null +++ b/queue-4.19/media-wl128x-prevent-two-potential-buffer-overflows.patch @@ -0,0 +1,62 @@ +From 2f2427edc1fdcca2d3614e504db6850d3af3f9c5 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 26 Mar 2019 01:12:07 -0400 +Subject: media: wl128x: prevent two potential buffer overflows + +[ Upstream commit 9c2ccc324b3a6cbc865ab8b3e1a09e93d3c8ade9 ] + +Smatch marks skb->data as untrusted so it warns that "evt_hdr->dlen" +can copy up to 255 bytes and we only have room for two bytes. Even +if this comes from the firmware and we trust it, the new policy +generally is just to fix it as kernel hardenning. + +I can't test this code so I tried to be very conservative. I considered +not allowing "evt_hdr->dlen == 1" because it doesn't initialize the +whole variable but in the end I decided to allow it and manually +initialized "asic_id" and "asic_ver" to zero. + +Fixes: e8454ff7b9a4 ("[media] drivers:media:radio: wl128x: FM Driver Common sources") + +Signed-off-by: Dan Carpenter +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/radio/wl128x/fmdrv_common.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/radio/wl128x/fmdrv_common.c b/drivers/media/radio/wl128x/fmdrv_common.c +index 800d69c3f80b8..1cf4019689a56 100644 +--- a/drivers/media/radio/wl128x/fmdrv_common.c ++++ b/drivers/media/radio/wl128x/fmdrv_common.c +@@ -489,7 +489,8 @@ int fmc_send_cmd(struct fmdev *fmdev, u8 fm_op, u16 type, void *payload, + return -EIO; + } + /* Send response data to caller */ +- if (response != NULL && response_len != NULL && evt_hdr->dlen) { ++ if (response != NULL && response_len != NULL && evt_hdr->dlen && ++ evt_hdr->dlen <= payload_len) { + /* Skip header info and copy only response data */ + skb_pull(skb, sizeof(struct fm_event_msg_hdr)); + memcpy(response, skb->data, evt_hdr->dlen); +@@ -583,6 +584,8 @@ static void fm_irq_handle_flag_getcmd_resp(struct fmdev *fmdev) + return; + + fm_evt_hdr = (void *)skb->data; ++ if (fm_evt_hdr->dlen > sizeof(fmdev->irq_info.flag)) ++ return; + + /* Skip header info and copy only response data */ + skb_pull(skb, sizeof(struct fm_event_msg_hdr)); +@@ -1308,7 +1311,7 @@ static int load_default_rx_configuration(struct fmdev *fmdev) + static int fm_power_up(struct fmdev *fmdev, u8 mode) + { + u16 payload; +- __be16 asic_id, asic_ver; ++ __be16 asic_id = 0, asic_ver = 0; + int resp_len, ret; + u8 fw_name[50]; + +-- +2.20.1 + diff --git a/queue-4.19/mm-uaccess-use-unsigned-long-to-placate-ubsan-warnin.patch b/queue-4.19/mm-uaccess-use-unsigned-long-to-placate-ubsan-warnin.patch new file mode 100644 index 00000000000..f5037a20a40 --- /dev/null +++ b/queue-4.19/mm-uaccess-use-unsigned-long-to-placate-ubsan-warnin.patch @@ -0,0 +1,77 @@ +From 25e53d36fb5b32d90d389ea73ac4390559d49fcf Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Wed, 24 Apr 2019 09:19:25 +0200 +Subject: mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older + GCC versions + +[ Upstream commit 29da93fea3ea39ab9b12270cc6be1b70ef201c9e ] + +Randy reported objtool triggered on his (GCC-7.4) build: + + lib/strncpy_from_user.o: warning: objtool: strncpy_from_user()+0x315: call to __ubsan_handle_add_overflow() with UACCESS enabled + lib/strnlen_user.o: warning: objtool: strnlen_user()+0x337: call to __ubsan_handle_sub_overflow() with UACCESS enabled + +This is due to UBSAN generating signed-overflow-UB warnings where it +should not. Prior to GCC-8 UBSAN ignored -fwrapv (which the kernel +uses through -fno-strict-overflow). + +Make the functions use 'unsigned long' throughout. + +Reported-by: Randy Dunlap +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Randy Dunlap # build-tested +Acked-by: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: luto@kernel.org +Link: http://lkml.kernel.org/r/20190424072208.754094071@infradead.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + lib/strncpy_from_user.c | 5 +++-- + lib/strnlen_user.c | 4 ++-- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c +index b53e1b5d80f42..e304b54c9c7dd 100644 +--- a/lib/strncpy_from_user.c ++++ b/lib/strncpy_from_user.c +@@ -23,10 +23,11 @@ + * hit it), 'max' is the address space maximum (and we return + * -EFAULT if we hit it). + */ +-static inline long do_strncpy_from_user(char *dst, const char __user *src, long count, unsigned long max) ++static inline long do_strncpy_from_user(char *dst, const char __user *src, ++ unsigned long count, unsigned long max) + { + const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS; +- long res = 0; ++ unsigned long res = 0; + + /* + * Truncate 'max' to the user-specified limit, so that +diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c +index 60d0bbda8f5e5..184f80f7bacfa 100644 +--- a/lib/strnlen_user.c ++++ b/lib/strnlen_user.c +@@ -28,7 +28,7 @@ + static inline long do_strnlen_user(const char __user *src, unsigned long count, unsigned long max) + { + const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS; +- long align, res = 0; ++ unsigned long align, res = 0; + unsigned long c; + + /* +@@ -42,7 +42,7 @@ static inline long do_strnlen_user(const char __user *src, unsigned long count, + * Do everything aligned. But that means that we + * need to also expand the maximum.. + */ +- align = (sizeof(long) - 1) & (unsigned long)src; ++ align = (sizeof(unsigned long) - 1) & (unsigned long)src; + src -= align; + max += align; + +-- +2.20.1 + diff --git a/queue-4.19/mmc-core-make-pwrseq_emmc-partially-support-sleepy-g.patch b/queue-4.19/mmc-core-make-pwrseq_emmc-partially-support-sleepy-g.patch new file mode 100644 index 00000000000..ce0d923a984 --- /dev/null +++ b/queue-4.19/mmc-core-make-pwrseq_emmc-partially-support-sleepy-g.patch @@ -0,0 +1,117 @@ +From 4f9f82e7f8f98aff91b2d0b1db982ca25b3f945c Mon Sep 17 00:00:00 2001 +From: Andrea Merello +Date: Fri, 5 Apr 2019 10:34:58 +0200 +Subject: mmc: core: make pwrseq_emmc (partially) support sleepy GPIO + controllers + +[ Upstream commit 002ee28e8b322d4d4b7b83234b5d0f4ebd428eda ] + +pwrseq_emmc.c implements a HW reset procedure for eMMC chip by driving a +GPIO line. + +It registers the .reset() cb on mmc_pwrseq_ops and it registers a system +restart notification handler; both of them perform reset by unconditionally +calling gpiod_set_value(). + +If the eMMC reset line is tied to a GPIO controller whose driver can sleep +(i.e. I2C GPIO controller), then the kernel would spit warnings when trying +to reset the eMMC chip by means of .reset() mmc_pwrseq_ops cb (that is +exactly what I'm seeing during boot). + +Furthermore, on system reset we would gets to the system restart +notification handler with disabled interrupts - local_irq_disable() is +called in machine_restart() at least on ARM/ARM64 - and we would be in +trouble when the GPIO driver tries to sleep (which indeed doesn't happen +here, likely because in my case the machine specific code doesn't call +do_kernel_restart(), I guess..). + +This patch fixes the .reset() cb to make use of gpiod_set_value_cansleep(), +so that the eMMC gets reset on boot without complaints, while, since there +isn't that much we can do, we avoid register the restart handler if the +GPIO controller has a sleepy driver (and we spit a dev_notice() message to +let people know).. + +This had been tested on a downstream 4.9 kernel with backported +commit 83f37ee7ba33 ("mmc: pwrseq: Add reset callback to the struct +mmc_pwrseq_ops") and commit ae60fb031cf2 ("mmc: core: Don't do eMMC HW +reset when resuming the eMMC card"), because I couldn't boot my board +otherwise. Maybe worth to RFT. + +Signed-off-by: Andrea Merello +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/pwrseq_emmc.c | 38 ++++++++++++++++++---------------- + 1 file changed, 20 insertions(+), 18 deletions(-) + +diff --git a/drivers/mmc/core/pwrseq_emmc.c b/drivers/mmc/core/pwrseq_emmc.c +index efb8a7965dd4a..154f4204d58cb 100644 +--- a/drivers/mmc/core/pwrseq_emmc.c ++++ b/drivers/mmc/core/pwrseq_emmc.c +@@ -30,19 +30,14 @@ struct mmc_pwrseq_emmc { + + #define to_pwrseq_emmc(p) container_of(p, struct mmc_pwrseq_emmc, pwrseq) + +-static void __mmc_pwrseq_emmc_reset(struct mmc_pwrseq_emmc *pwrseq) +-{ +- gpiod_set_value(pwrseq->reset_gpio, 1); +- udelay(1); +- gpiod_set_value(pwrseq->reset_gpio, 0); +- udelay(200); +-} +- + static void mmc_pwrseq_emmc_reset(struct mmc_host *host) + { + struct mmc_pwrseq_emmc *pwrseq = to_pwrseq_emmc(host->pwrseq); + +- __mmc_pwrseq_emmc_reset(pwrseq); ++ gpiod_set_value_cansleep(pwrseq->reset_gpio, 1); ++ udelay(1); ++ gpiod_set_value_cansleep(pwrseq->reset_gpio, 0); ++ udelay(200); + } + + static int mmc_pwrseq_emmc_reset_nb(struct notifier_block *this, +@@ -50,8 +45,11 @@ static int mmc_pwrseq_emmc_reset_nb(struct notifier_block *this, + { + struct mmc_pwrseq_emmc *pwrseq = container_of(this, + struct mmc_pwrseq_emmc, reset_nb); ++ gpiod_set_value(pwrseq->reset_gpio, 1); ++ udelay(1); ++ gpiod_set_value(pwrseq->reset_gpio, 0); ++ udelay(200); + +- __mmc_pwrseq_emmc_reset(pwrseq); + return NOTIFY_DONE; + } + +@@ -72,14 +70,18 @@ static int mmc_pwrseq_emmc_probe(struct platform_device *pdev) + if (IS_ERR(pwrseq->reset_gpio)) + return PTR_ERR(pwrseq->reset_gpio); + +- /* +- * register reset handler to ensure emmc reset also from +- * emergency_reboot(), priority 255 is the highest priority +- * so it will be executed before any system reboot handler. +- */ +- pwrseq->reset_nb.notifier_call = mmc_pwrseq_emmc_reset_nb; +- pwrseq->reset_nb.priority = 255; +- register_restart_handler(&pwrseq->reset_nb); ++ if (!gpiod_cansleep(pwrseq->reset_gpio)) { ++ /* ++ * register reset handler to ensure emmc reset also from ++ * emergency_reboot(), priority 255 is the highest priority ++ * so it will be executed before any system reboot handler. ++ */ ++ pwrseq->reset_nb.notifier_call = mmc_pwrseq_emmc_reset_nb; ++ pwrseq->reset_nb.priority = 255; ++ register_restart_handler(&pwrseq->reset_nb); ++ } else { ++ dev_notice(dev, "EMMC reset pin tied to a sleepy GPIO driver; reset on emergency-reboot disabled\n"); ++ } + + pwrseq->pwrseq.ops = &mmc_pwrseq_emmc_ops; + pwrseq->pwrseq.dev = dev; +-- +2.20.1 + diff --git a/queue-4.19/mmc-core-verify-sd-bus-width.patch b/queue-4.19/mmc-core-verify-sd-bus-width.patch new file mode 100644 index 00000000000..a8a7c40dc14 --- /dev/null +++ b/queue-4.19/mmc-core-verify-sd-bus-width.patch @@ -0,0 +1,55 @@ +From 91c305c836a9f9a85ba10c1efaf046c54531155b Mon Sep 17 00:00:00 2001 +From: Raul E Rangel +Date: Mon, 29 Apr 2019 11:32:39 -0600 +Subject: mmc: core: Verify SD bus width + +[ Upstream commit 9e4be8d03f50d1b25c38e2b59e73b194c130df7d ] + +The SD Physical Layer Spec says the following: Since the SD Memory Card +shall support at least the two bus modes 1-bit or 4-bit width, then any SD +Card shall set at least bits 0 and 2 (SD_BUS_WIDTH="0101"). + +This change verifies the card has specified a bus width. + +AMD SDHC Device 7806 can get into a bad state after a card disconnect +where anything transferred via the DATA lines will always result in a +zero filled buffer. Currently the driver will continue without error if +the HC is in this condition. A block device will be created, but reading +from it will result in a zero buffer. This makes it seem like the SD +device has been erased, when in actuality the data is never getting +copied from the DATA lines to the data buffer. + +SCR is the first command in the SD initialization sequence that uses the +DATA lines. By checking that the response was invalid, we can abort +mounting the card. + +Reviewed-by: Avri Altman +Signed-off-by: Raul E Rangel +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/sd.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/mmc/core/sd.c b/drivers/mmc/core/sd.c +index d0d9f90e7cdfb..cfb8ee24eaba1 100644 +--- a/drivers/mmc/core/sd.c ++++ b/drivers/mmc/core/sd.c +@@ -216,6 +216,14 @@ static int mmc_decode_scr(struct mmc_card *card) + + if (scr->sda_spec3) + scr->cmds = UNSTUFF_BITS(resp, 32, 2); ++ ++ /* SD Spec says: any SD Card shall set at least bits 0 and 2 */ ++ if (!(scr->bus_widths & SD_SCR_BUS_WIDTH_1) || ++ !(scr->bus_widths & SD_SCR_BUS_WIDTH_4)) { ++ pr_err("%s: invalid bus width\n", mmc_hostname(card->host)); ++ return -EINVAL; ++ } ++ + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.19/mmc-sdhci-of-esdhc-add-erratum-a-009204-support.patch b/queue-4.19/mmc-sdhci-of-esdhc-add-erratum-a-009204-support.patch new file mode 100644 index 00000000000..4e834e9a825 --- /dev/null +++ b/queue-4.19/mmc-sdhci-of-esdhc-add-erratum-a-009204-support.patch @@ -0,0 +1,42 @@ +From c1fea3c279b200baac91217bc0750dcb1cbee3a9 Mon Sep 17 00:00:00 2001 +From: Yinbo Zhu +Date: Mon, 11 Mar 2019 02:16:44 +0000 +Subject: mmc: sdhci-of-esdhc: add erratum A-009204 support + +[ Upstream commit 5dd195522562542bc6ebe6e7bd47890d8b7ca93c ] + +In the event of that any data error (like, IRQSTAT[DCE]) occurs +during an eSDHC data transaction where DMA is used for data +transfer to/from the system memory, setting the SYSCTL[RSTD] +register may cause a system hang. If software sets the register +SYSCTL[RSTD] to 1 for error recovery while DMA transferring is +not complete, eSDHC may hang the system bus. This happens because +the software register SYSCTL[RSTD] resets the DMA engine without +waiting for the completion of pending system transactions. This +erratum is to fix this issue. + +Signed-off-by: Yinbo Zhu +Acked-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-of-esdhc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c +index b2199d621b8c5..e63d22fb99edf 100644 +--- a/drivers/mmc/host/sdhci-of-esdhc.c ++++ b/drivers/mmc/host/sdhci-of-esdhc.c +@@ -643,6 +643,9 @@ static void esdhc_reset(struct sdhci_host *host, u8 mask) + sdhci_writel(host, host->ier, SDHCI_INT_ENABLE); + sdhci_writel(host, host->ier, SDHCI_SIGNAL_ENABLE); + ++ if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc")) ++ mdelay(5); ++ + if (mask & SDHCI_RESET_ALL) { + val = sdhci_readl(host, ESDHC_TBCTL); + val &= ~ESDHC_TB_EN; +-- +2.20.1 + diff --git a/queue-4.19/mmc-sdhci-of-esdhc-add-erratum-esdhc-a001-and-a-0083.patch b/queue-4.19/mmc-sdhci-of-esdhc-add-erratum-esdhc-a001-and-a-0083.patch new file mode 100644 index 00000000000..8c9b9d51e0e --- /dev/null +++ b/queue-4.19/mmc-sdhci-of-esdhc-add-erratum-esdhc-a001-and-a-0083.patch @@ -0,0 +1,50 @@ +From 484af09439def4313186eee84d29f3b102637500 Mon Sep 17 00:00:00 2001 +From: Yinbo Zhu +Date: Mon, 11 Mar 2019 02:16:40 +0000 +Subject: mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 05cb6b2a66fa7837211a060878e91be5eb10cb07 ] + +eSDHC-A001: The data timeout counter (SYSCTL[DTOCV]) is not +reliable for DTOCV values 0x4(2^17 SD clock), 0x8(2^21 SD clock), +and 0xC(2^25 SD clock). The data timeout counter can count from +2^13–2^27, but for values 2^17, 2^21, and 2^25, the timeout +counter counts for only 2^13 SD clocks. +A-008358: The data timeout counter value loaded into the timeout +counter is less than expected and can result into early timeout +error in case of eSDHC data transactions. The table below shows +the expected vs actual timeout period for different values of +SYSCTL[DTOCV]: +these two erratum has the same quirk to control it, and set +SDHCI_QUIRK_RESET_AFTER_REQUEST to fix above issue. + +Signed-off-by: Yinbo Zhu +Acked-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-of-esdhc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c +index e63d22fb99edf..e5c598ae5f244 100644 +--- a/drivers/mmc/host/sdhci-of-esdhc.c ++++ b/drivers/mmc/host/sdhci-of-esdhc.c +@@ -920,8 +920,10 @@ static int sdhci_esdhc_probe(struct platform_device *pdev) + if (esdhc->vendor_ver > VENDOR_V_22) + host->quirks &= ~SDHCI_QUIRK_NO_BUSY_IRQ; + +- if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc")) ++ if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc")) { + host->quirks2 |= SDHCI_QUIRK_RESET_AFTER_REQUEST; ++ host->quirks2 |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL; ++ } + + if (of_device_is_compatible(np, "fsl,p5040-esdhc") || + of_device_is_compatible(np, "fsl,p5020-esdhc") || +-- +2.20.1 + diff --git a/queue-4.19/mmc-sdhci-of-esdhc-add-erratum-esdhc5-support.patch b/queue-4.19/mmc-sdhci-of-esdhc-add-erratum-esdhc5-support.patch new file mode 100644 index 00000000000..c36f22f0c82 --- /dev/null +++ b/queue-4.19/mmc-sdhci-of-esdhc-add-erratum-esdhc5-support.patch @@ -0,0 +1,38 @@ +From 06de883402877e6c59ce80a8420f0913ce552c19 Mon Sep 17 00:00:00 2001 +From: Yinbo Zhu +Date: Mon, 11 Mar 2019 02:16:36 +0000 +Subject: mmc: sdhci-of-esdhc: add erratum eSDHC5 support + +[ Upstream commit a46e42712596b51874f04c73f1cdf1017f88df52 ] + +Software writing to the Transfer Type configuration register +(system clock domain) can cause a setup/hold violation in the +CRC flops (card clock domain), which can cause write accesses +to be sent with corrupt CRC values. This issue occurs only for +write preceded by read. this erratum is to fix this issue. + +Signed-off-by: Yinbo Zhu +Acked-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-of-esdhc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c +index a7bf8515116fd..b2199d621b8c5 100644 +--- a/drivers/mmc/host/sdhci-of-esdhc.c ++++ b/drivers/mmc/host/sdhci-of-esdhc.c +@@ -917,6 +917,9 @@ static int sdhci_esdhc_probe(struct platform_device *pdev) + if (esdhc->vendor_ver > VENDOR_V_22) + host->quirks &= ~SDHCI_QUIRK_NO_BUSY_IRQ; + ++ if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc")) ++ host->quirks2 |= SDHCI_QUIRK_RESET_AFTER_REQUEST; ++ + if (of_device_is_compatible(np, "fsl,p5040-esdhc") || + of_device_is_compatible(np, "fsl,p5020-esdhc") || + of_device_is_compatible(np, "fsl,p4080-esdhc") || +-- +2.20.1 + diff --git a/queue-4.19/mmc_spi-add-a-status-check-for-spi_sync_locked.patch b/queue-4.19/mmc_spi-add-a-status-check-for-spi_sync_locked.patch new file mode 100644 index 00000000000..672eee1d6c6 --- /dev/null +++ b/queue-4.19/mmc_spi-add-a-status-check-for-spi_sync_locked.patch @@ -0,0 +1,36 @@ +From a4eac35ad22e1c16a1c25da729d56b6678ce58d7 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Mon, 11 Mar 2019 00:53:33 -0500 +Subject: mmc_spi: add a status check for spi_sync_locked + +[ Upstream commit 611025983b7976df0183390a63a2166411d177f1 ] + +In case spi_sync_locked fails, the fix reports the error and +returns the error code upstream. + +Signed-off-by: Kangjie Lu +Reviewed-by: Laurent Pinchart +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/mmc_spi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/mmc/host/mmc_spi.c b/drivers/mmc/host/mmc_spi.c +index 67f6bd24a9d0c..ea254d00541f1 100644 +--- a/drivers/mmc/host/mmc_spi.c ++++ b/drivers/mmc/host/mmc_spi.c +@@ -819,6 +819,10 @@ mmc_spi_readblock(struct mmc_spi_host *host, struct spi_transfer *t, + } + + status = spi_sync_locked(spi, &host->m); ++ if (status < 0) { ++ dev_dbg(&spi->dev, "read error %d\n", status); ++ return status; ++ } + + if (host->dma_dev) { + dma_sync_single_for_cpu(host->dma_dev, +-- +2.20.1 + diff --git a/queue-4.19/mwifiex-fix-mem-leak-in-mwifiex_tm_cmd.patch b/queue-4.19/mwifiex-fix-mem-leak-in-mwifiex_tm_cmd.patch new file mode 100644 index 00000000000..2916641375a --- /dev/null +++ b/queue-4.19/mwifiex-fix-mem-leak-in-mwifiex_tm_cmd.patch @@ -0,0 +1,48 @@ +From f27d6c40efcc7aa78e32d394b8a454eec96022e6 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Tue, 12 Mar 2019 15:03:58 +0800 +Subject: mwifiex: Fix mem leak in mwifiex_tm_cmd + +[ Upstream commit 003b686ace820ce2d635a83f10f2d7f9c147dabc ] + +'hostcmd' is alloced by kzalloc, should be freed before +leaving from the error handling cases, otherwise it will +cause mem leak. + +Fixes: 3935ccc14d2c ("mwifiex: add cfg80211 testmode support") +Signed-off-by: YueHaibing +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/cfg80211.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +index 2d87ebbfa4dab..47ec5293c045d 100644 +--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c ++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +@@ -4045,16 +4045,20 @@ static int mwifiex_tm_cmd(struct wiphy *wiphy, struct wireless_dev *wdev, + + if (mwifiex_send_cmd(priv, 0, 0, 0, hostcmd, true)) { + dev_err(priv->adapter->dev, "Failed to process hostcmd\n"); ++ kfree(hostcmd); + return -EFAULT; + } + + /* process hostcmd response*/ + skb = cfg80211_testmode_alloc_reply_skb(wiphy, hostcmd->len); +- if (!skb) ++ if (!skb) { ++ kfree(hostcmd); + return -ENOMEM; ++ } + err = nla_put(skb, MWIFIEX_TM_ATTR_DATA, + hostcmd->len, hostcmd->cmd); + if (err) { ++ kfree(hostcmd); + kfree_skb(skb); + return -EMSGSIZE; + } +-- +2.20.1 + diff --git a/queue-4.19/mwifiex-prevent-an-array-overflow.patch b/queue-4.19/mwifiex-prevent-an-array-overflow.patch new file mode 100644 index 00000000000..251efdafa24 --- /dev/null +++ b/queue-4.19/mwifiex-prevent-an-array-overflow.patch @@ -0,0 +1,38 @@ +From 47b96c943559a4d9a4427e93b685ee4277c8acb7 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 4 Apr 2019 11:44:23 +0300 +Subject: mwifiex: prevent an array overflow + +[ Upstream commit b4c35c17227fe437ded17ce683a6927845f8c4a4 ] + +The "rate_index" is only used as an index into the phist_data->rx_rate[] +array in the mwifiex_hist_data_set() function. That array has +MWIFIEX_MAX_AC_RX_RATES (74) elements and it's used to generate some +debugfs information. The "rate_index" variable comes from the network +skb->data[] and it is a u8 so it's in the 0-255 range. We need to cap +it to prevent an array overflow. + +Fixes: cbf6e05527a7 ("mwifiex: add rx histogram statistics support") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/cfp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/marvell/mwifiex/cfp.c b/drivers/net/wireless/marvell/mwifiex/cfp.c +index bfe84e55df776..f1522fb1c1e87 100644 +--- a/drivers/net/wireless/marvell/mwifiex/cfp.c ++++ b/drivers/net/wireless/marvell/mwifiex/cfp.c +@@ -531,5 +531,8 @@ u8 mwifiex_adjust_data_rate(struct mwifiex_private *priv, + rate_index = (rx_rate > MWIFIEX_RATE_INDEX_OFDM0) ? + rx_rate - 1 : rx_rate; + ++ if (rate_index >= MWIFIEX_MAX_AC_RX_RATES) ++ rate_index = MWIFIEX_MAX_AC_RX_RATES - 1; ++ + return rate_index; + } +-- +2.20.1 + diff --git a/queue-4.19/net-cw1200-fix-a-null-pointer-dereference.patch b/queue-4.19/net-cw1200-fix-a-null-pointer-dereference.patch new file mode 100644 index 00000000000..e814c271142 --- /dev/null +++ b/queue-4.19/net-cw1200-fix-a-null-pointer-dereference.patch @@ -0,0 +1,36 @@ +From 540f4209ed0bd610d622aef0c4dc35986cdfba19 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 12 Mar 2019 03:05:02 -0500 +Subject: net: cw1200: fix a NULL pointer dereference + +[ Upstream commit 0ed2a005347400500a39ea7c7318f1fea57fb3ca ] + +In case create_singlethread_workqueue fails, the fix free the +hardware and returns NULL to avoid NULL pointer dereference. + +Signed-off-by: Kangjie Lu +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/st/cw1200/main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/st/cw1200/main.c b/drivers/net/wireless/st/cw1200/main.c +index 90dc979f260b6..c1608f0bf6d01 100644 +--- a/drivers/net/wireless/st/cw1200/main.c ++++ b/drivers/net/wireless/st/cw1200/main.c +@@ -345,6 +345,11 @@ static struct ieee80211_hw *cw1200_init_common(const u8 *macaddr, + mutex_init(&priv->wsm_cmd_mux); + mutex_init(&priv->conf_mutex); + priv->workqueue = create_singlethread_workqueue("cw1200_wq"); ++ if (!priv->workqueue) { ++ ieee80211_free_hw(hw); ++ return NULL; ++ } ++ + sema_init(&priv->scan.lock, 1); + INIT_WORK(&priv->scan.work, cw1200_scan_work); + INIT_DELAYED_WORK(&priv->scan.probe_work, cw1200_probe_work); +-- +2.20.1 + diff --git a/queue-4.19/net-ena-gcc-8-fix-compilation-warning.patch b/queue-4.19/net-ena-gcc-8-fix-compilation-warning.patch new file mode 100644 index 00000000000..80f43e65c92 --- /dev/null +++ b/queue-4.19/net-ena-gcc-8-fix-compilation-warning.patch @@ -0,0 +1,47 @@ +From 31247f3e248ff08842fff9b0b58394c4cfb15de7 Mon Sep 17 00:00:00 2001 +From: Sameeh Jubran +Date: Wed, 1 May 2019 16:47:10 +0300 +Subject: net: ena: gcc 8: fix compilation warning + +[ Upstream commit f913308879bc6ae437ce64d878c7b05643ddea44 ] + +GCC 8 contains a number of new warnings as well as enhancements to existing +checkers. The warning - Wstringop-truncation - warns for calls to bounded +string manipulation functions such as strncat, strncpy, and stpncpy that +may either truncate the copied string or leave the destination unchanged. + +In our case the destination string length (32 bytes) is much shorter than +the source string (64 bytes) which causes this warning to show up. In +general the destination has to be at least a byte larger than the length +of the source string with strncpy for this warning not to showup. + +This can be easily fixed by using strlcpy instead which already does the +truncation to the string. Documentation for this function can be +found here: + +https://elixir.bootlin.com/linux/latest/source/lib/string.c#L141 + +Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)") +Signed-off-by: Sameeh Jubran +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c +index 1b5f591cf0a23..b5d72815776cb 100644 +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -2223,7 +2223,7 @@ static void ena_config_host_info(struct ena_com_dev *ena_dev) + + host_info->os_type = ENA_ADMIN_OS_LINUX; + host_info->kernel_ver = LINUX_VERSION_CODE; +- strncpy(host_info->kernel_ver_str, utsname()->version, ++ strlcpy(host_info->kernel_ver_str, utsname()->version, + sizeof(host_info->kernel_ver_str) - 1); + host_info->os_dist = 0; + strncpy(host_info->os_dist_str, utsname()->release, +-- +2.20.1 + diff --git a/queue-4.19/nfs-fix-a-double-unlock-from-nfs_match-get_client.patch b/queue-4.19/nfs-fix-a-double-unlock-from-nfs_match-get_client.patch new file mode 100644 index 00000000000..3a889822c3e --- /dev/null +++ b/queue-4.19/nfs-fix-a-double-unlock-from-nfs_match-get_client.patch @@ -0,0 +1,38 @@ +From df6e1a67ad7a52f6c6dd9e51573f27a2e905c75f Mon Sep 17 00:00:00 2001 +From: Benjamin Coddington +Date: Thu, 9 May 2019 07:25:21 -0400 +Subject: NFS: Fix a double unlock from nfs_match,get_client + +[ Upstream commit c260121a97a3e4df6536edbc2f26e166eff370ce ] + +Now that nfs_match_client drops the nfs_client_lock, we should be +careful +to always return it in the same condition: locked. + +Fixes: 950a578c6128 ("NFS: make nfs_match_client killable") +Reported-by: syzbot+228a82b263b5da91883d@syzkaller.appspotmail.com +Signed-off-by: Benjamin Coddington +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/client.c b/fs/nfs/client.c +index 846d45cb1a3c8..c092661147b30 100644 +--- a/fs/nfs/client.c ++++ b/fs/nfs/client.c +@@ -305,9 +305,9 @@ static struct nfs_client *nfs_match_client(const struct nfs_client_initdata *dat + spin_unlock(&nn->nfs_client_lock); + error = nfs_wait_client_init_complete(clp); + nfs_put_client(clp); ++ spin_lock(&nn->nfs_client_lock); + if (error < 0) + return ERR_PTR(error); +- spin_lock(&nn->nfs_client_lock); + goto again; + } + +-- +2.20.1 + diff --git a/queue-4.19/nfs-make-nfs_match_client-killable.patch b/queue-4.19/nfs-make-nfs_match_client-killable.patch new file mode 100644 index 00000000000..7ea1002f60c --- /dev/null +++ b/queue-4.19/nfs-make-nfs_match_client-killable.patch @@ -0,0 +1,59 @@ +From 7f6d837c099dea1719febb293dce7267e0d1ad74 Mon Sep 17 00:00:00 2001 +From: Roberto Bergantinos Corpas +Date: Thu, 25 Apr 2019 15:36:51 +0200 +Subject: NFS: make nfs_match_client killable + +[ Upstream commit 950a578c6128c2886e295b9c7ecb0b6b22fcc92b ] + + Actually we don't do anything with return value from + nfs_wait_client_init_complete in nfs_match_client, as a + consequence if we get a fatal signal and client is not + fully initialised, we'll loop to "again" label + + This has been proven to cause soft lockups on some scenarios + (no-carrier but configured network interfaces) + +Signed-off-by: Roberto Bergantinos Corpas +Reviewed-by: Benjamin Coddington +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/client.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/client.c b/fs/nfs/client.c +index 751ca65da8a35..846d45cb1a3c8 100644 +--- a/fs/nfs/client.c ++++ b/fs/nfs/client.c +@@ -290,6 +290,7 @@ static struct nfs_client *nfs_match_client(const struct nfs_client_initdata *dat + struct nfs_client *clp; + const struct sockaddr *sap = data->addr; + struct nfs_net *nn = net_generic(data->net, nfs_net_id); ++ int error; + + again: + list_for_each_entry(clp, &nn->nfs_client_list, cl_share_link) { +@@ -302,8 +303,10 @@ static struct nfs_client *nfs_match_client(const struct nfs_client_initdata *dat + if (clp->cl_cons_state > NFS_CS_READY) { + refcount_inc(&clp->cl_count); + spin_unlock(&nn->nfs_client_lock); +- nfs_wait_client_init_complete(clp); ++ error = nfs_wait_client_init_complete(clp); + nfs_put_client(clp); ++ if (error < 0) ++ return ERR_PTR(error); + spin_lock(&nn->nfs_client_lock); + goto again; + } +@@ -413,6 +416,8 @@ struct nfs_client *nfs_get_client(const struct nfs_client_initdata *cl_init) + clp = nfs_match_client(cl_init); + if (clp) { + spin_unlock(&nn->nfs_client_lock); ++ if (IS_ERR(clp)) ++ return clp; + if (new) + new->rpc_ops->free_client(new); + return nfs_found_client(cl_init, clp); +-- +2.20.1 + diff --git a/queue-4.19/nvme-rdma-fix-a-null-deref-when-an-admin-connect-tim.patch b/queue-4.19/nvme-rdma-fix-a-null-deref-when-an-admin-connect-tim.patch new file mode 100644 index 00000000000..61d378425ff --- /dev/null +++ b/queue-4.19/nvme-rdma-fix-a-null-deref-when-an-admin-connect-tim.patch @@ -0,0 +1,51 @@ +From 4572bc2b46bceb09b804c4255756330db30a5e73 Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Wed, 24 Apr 2019 11:53:18 -0700 +Subject: nvme-rdma: fix a NULL deref when an admin connect times out + +[ Upstream commit 1007709d7d06fab09bf2d007657575958676282b ] + +If we timeout the admin startup sequence we might not yet have +an I/O tagset allocated which causes the teardown sequence to crash. +Make nvme_tcp_teardown_io_queues safe by not iterating inflight tags +if the tagset wasn't allocated. + +Fixes: 4c174e636674 ("nvme-rdma: fix timeout handler") +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/rdma.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index 0939a4e178fb9..e4f167e35353f 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -880,8 +880,9 @@ static void nvme_rdma_teardown_admin_queue(struct nvme_rdma_ctrl *ctrl, + { + blk_mq_quiesce_queue(ctrl->ctrl.admin_q); + nvme_rdma_stop_queue(&ctrl->queues[0]); +- blk_mq_tagset_busy_iter(&ctrl->admin_tag_set, nvme_cancel_request, +- &ctrl->ctrl); ++ if (ctrl->ctrl.admin_tagset) ++ blk_mq_tagset_busy_iter(ctrl->ctrl.admin_tagset, ++ nvme_cancel_request, &ctrl->ctrl); + blk_mq_unquiesce_queue(ctrl->ctrl.admin_q); + nvme_rdma_destroy_admin_queue(ctrl, remove); + } +@@ -892,8 +893,9 @@ static void nvme_rdma_teardown_io_queues(struct nvme_rdma_ctrl *ctrl, + if (ctrl->ctrl.queue_count > 1) { + nvme_stop_queues(&ctrl->ctrl); + nvme_rdma_stop_io_queues(ctrl); +- blk_mq_tagset_busy_iter(&ctrl->tag_set, nvme_cancel_request, +- &ctrl->ctrl); ++ if (ctrl->ctrl.tagset) ++ blk_mq_tagset_busy_iter(ctrl->ctrl.tagset, ++ nvme_cancel_request, &ctrl->ctrl); + if (remove) + nvme_start_queues(&ctrl->ctrl); + nvme_rdma_destroy_io_queues(ctrl, remove); +-- +2.20.1 + diff --git a/queue-4.19/nvme-set-0-capacity-if-namespace-block-size-exceeds-.patch b/queue-4.19/nvme-set-0-capacity-if-namespace-block-size-exceeds-.patch new file mode 100644 index 00000000000..4190a7a5975 --- /dev/null +++ b/queue-4.19/nvme-set-0-capacity-if-namespace-block-size-exceeds-.patch @@ -0,0 +1,48 @@ +From 48f19606fe793bc6915151891073ad2d9bc21992 Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Mon, 11 Mar 2019 15:02:25 -0700 +Subject: nvme: set 0 capacity if namespace block size exceeds PAGE_SIZE + +[ Upstream commit 01fa017484ad98fccdeaab32db0077c574b6bd6f ] + +If our target exposed a namespace with a block size that is greater +than PAGE_SIZE, set 0 capacity on the namespace as we do not support it. + +This issue encountered when the nvmet namespace was backed by a tempfile. + +Signed-off-by: Sagi Grimberg +Reviewed-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 2cdb3032ca0fc..abfb46378cc13 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1480,6 +1480,10 @@ static void nvme_update_disk_info(struct gendisk *disk, + sector_t capacity = le64_to_cpup(&id->nsze) << (ns->lba_shift - 9); + unsigned short bs = 1 << ns->lba_shift; + ++ if (ns->lba_shift > PAGE_SHIFT) { ++ /* unsupported block size, set capacity to 0 later */ ++ bs = (1 << 9); ++ } + blk_mq_freeze_queue(disk->queue); + blk_integrity_unregister(disk); + +@@ -1490,7 +1494,8 @@ static void nvme_update_disk_info(struct gendisk *disk, + if (ns->ms && !ns->ext && + (ns->ctrl->ops->flags & NVME_F_METADATA_SUPPORTED)) + nvme_init_integrity(disk, ns->ms, ns->pi_type); +- if (ns->ms && !nvme_ns_has_pi(ns) && !blk_get_integrity(disk)) ++ if ((ns->ms && !nvme_ns_has_pi(ns) && !blk_get_integrity(disk)) || ++ ns->lba_shift > PAGE_SHIFT) + capacity = 0; + + set_capacity(disk, capacity); +-- +2.20.1 + diff --git a/queue-4.19/overflow-fix-wtype-limits-compilation-warnings.patch b/queue-4.19/overflow-fix-wtype-limits-compilation-warnings.patch new file mode 100644 index 00000000000..5de9c4305f0 --- /dev/null +++ b/queue-4.19/overflow-fix-wtype-limits-compilation-warnings.patch @@ -0,0 +1,76 @@ +From 7646228a4bea9877ff6c61fd889188a4563f7803 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Sun, 17 Mar 2019 12:11:14 +0200 +Subject: overflow: Fix -Wtype-limits compilation warnings + +[ Upstream commit dc7fe518b0493faa0af0568d6d8c2a33c00f58d0 ] + +Attempt to use check_shl_overflow() with inputs of unsigned type +produces the following compilation warnings. + +drivers/infiniband/hw/mlx5/qp.c: In function _set_user_rq_size_: +./include/linux/overflow.h:230:6: warning: comparison of unsigned +expression >= 0 is always true [-Wtype-limits] + _s >= 0 && _s < 8 * sizeof(*d) ? _s : 0; \ + ^~ +drivers/infiniband/hw/mlx5/qp.c:5820:6: note: in expansion of macro _check_shl_overflow_ + if (check_shl_overflow(rwq->wqe_count, rwq->wqe_shift, +&rwq->buf_size)) + ^~~~~~~~~~~~~~~~~~ +./include/linux/overflow.h:232:26: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits] + (_to_shift != _s || *_d < 0 || _a < 0 || \ + ^ +drivers/infiniband/hw/mlx5/qp.c:5820:6: note: in expansion of macro _check_shl_overflow_ + if (check_shl_overflow(rwq->wqe_count, rwq->wqe_shift, &rwq->buf_size)) + ^~~~~~~~~~~~~~~~~~ +./include/linux/overflow.h:232:36: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits] + (_to_shift != _s || *_d < 0 || _a < 0 || \ + ^ +drivers/infiniband/hw/mlx5/qp.c:5820:6: note: in expansion of macro _check_shl_overflow_ + if (check_shl_overflow(rwq->wqe_count, rwq->wqe_shift,&rwq->buf_size)) + ^~~~~~~~~~~~~~~~~~ + +Fixes: 0c66847793d1 ("overflow.h: Add arithmetic shift helper") +Reviewed-by: Bart Van Assche +Acked-by: Kees Cook +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + include/linux/overflow.h | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/include/linux/overflow.h b/include/linux/overflow.h +index 40b48e2133cb8..15eb85de92269 100644 +--- a/include/linux/overflow.h ++++ b/include/linux/overflow.h +@@ -36,6 +36,12 @@ + #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T))) + #define type_min(T) ((T)((T)-type_max(T)-(T)1)) + ++/* ++ * Avoids triggering -Wtype-limits compilation warning, ++ * while using unsigned data types to check a < 0. ++ */ ++#define is_non_negative(a) ((a) > 0 || (a) == 0) ++#define is_negative(a) (!(is_non_negative(a))) + + #ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW + /* +@@ -227,10 +233,10 @@ + typeof(d) _d = d; \ + u64 _a_full = _a; \ + unsigned int _to_shift = \ +- _s >= 0 && _s < 8 * sizeof(*d) ? _s : 0; \ ++ is_non_negative(_s) && _s < 8 * sizeof(*d) ? _s : 0; \ + *_d = (_a_full << _to_shift); \ +- (_to_shift != _s || *_d < 0 || _a < 0 || \ +- (*_d >> _to_shift) != _a); \ ++ (_to_shift != _s || is_negative(*_d) || is_negative(_a) || \ ++ (*_d >> _to_shift) != _a); \ + }) + + /** +-- +2.20.1 + diff --git a/queue-4.19/perf-arm-cci-remove-broken-race-mitigation.patch b/queue-4.19/perf-arm-cci-remove-broken-race-mitigation.patch new file mode 100644 index 00000000000..1854a070090 --- /dev/null +++ b/queue-4.19/perf-arm-cci-remove-broken-race-mitigation.patch @@ -0,0 +1,100 @@ +From 3e32ca61ea885e0132cffde935912857d804ef6d Mon Sep 17 00:00:00 2001 +From: Robin Murphy +Date: Tue, 16 Apr 2019 16:24:24 +0100 +Subject: perf/arm-cci: Remove broken race mitigation + +[ Upstream commit 0d2e2a82d4de298d006bf8eddc86829e3c7da820 ] + +Uncore PMU drivers face an awkward cyclic dependency wherein: + + - They have to pick a valid online CPU to associate with before + registering the PMU device, since it will get exposed to userspace + immediately. + - The PMU registration has to be be at least partly complete before + hotplug events can be handled, since trying to migrate an + uninitialised context would be bad. + - The hotplug handler has to be ready as soon as a CPU is chosen, lest + it go offline without the user-visible cpumask value getting updated. + +The arm-cci driver has tried to solve this by using get_cpu() to pick +the current CPU and prevent it from disappearing while both +registrations are performed, but that results in taking mutexes with +preemption disabled, which makes certain configurations very unhappy: + +[ 1.983337] BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:2004 +[ 1.983340] in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: swapper/0 +[ 1.983342] Preemption disabled at: +[ 1.983353] [] cci_pmu_probe+0x1dc/0x488 +[ 1.983360] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.18.20-rt8-yocto-preempt-rt #1 +[ 1.983362] Hardware name: ZynqMP ZCU102 Rev1.0 (DT) +[ 1.983364] Call trace: +[ 1.983369] dump_backtrace+0x0/0x158 +[ 1.983372] show_stack+0x24/0x30 +[ 1.983378] dump_stack+0x80/0xa4 +[ 1.983383] ___might_sleep+0x138/0x160 +[ 1.983386] __might_sleep+0x58/0x90 +[ 1.983391] __rt_mutex_lock_state+0x30/0xc0 +[ 1.983395] _mutex_lock+0x24/0x30 +[ 1.983400] perf_pmu_register+0x2c/0x388 +[ 1.983404] cci_pmu_probe+0x2bc/0x488 +[ 1.983409] platform_drv_probe+0x58/0xa8 + +It is not feasible to resolve all the possible races outside of the perf +core itself, so address the immediate bug by following the example of +nearly every other PMU driver and not even trying to do so. Registering +the hotplug notifier first should minimise the window in which things +can go wrong, so that's about as much as we can reasonably do here. This +also revealed an additional race in assigning the global pointer too +late relative to the hotplug notifier, which gets fixed in the process. + +Reported-by: Li, Meng +Tested-by: Corentin Labbe +Reviewed-by: Suzuki K Poulose +Signed-off-by: Robin Murphy +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/arm-cci.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/drivers/perf/arm-cci.c b/drivers/perf/arm-cci.c +index 1bfeb160c5b16..14a541c453e58 100644 +--- a/drivers/perf/arm-cci.c ++++ b/drivers/perf/arm-cci.c +@@ -1692,21 +1692,24 @@ static int cci_pmu_probe(struct platform_device *pdev) + raw_spin_lock_init(&cci_pmu->hw_events.pmu_lock); + mutex_init(&cci_pmu->reserve_mutex); + atomic_set(&cci_pmu->active_events, 0); +- cci_pmu->cpu = get_cpu(); +- +- ret = cci_pmu_init(cci_pmu, pdev); +- if (ret) { +- put_cpu(); +- return ret; +- } + ++ cci_pmu->cpu = raw_smp_processor_id(); ++ g_cci_pmu = cci_pmu; + cpuhp_setup_state_nocalls(CPUHP_AP_PERF_ARM_CCI_ONLINE, + "perf/arm/cci:online", NULL, + cci_pmu_offline_cpu); +- put_cpu(); +- g_cci_pmu = cci_pmu; ++ ++ ret = cci_pmu_init(cci_pmu, pdev); ++ if (ret) ++ goto error_pmu_init; ++ + pr_info("ARM %s PMU driver probed", cci_pmu->model->name); + return 0; ++ ++error_pmu_init: ++ cpuhp_remove_state(CPUHP_AP_PERF_ARM_CCI_ONLINE); ++ g_cci_pmu = NULL; ++ return ret; + } + + static int cci_pmu_remove(struct platform_device *pdev) +-- +2.20.1 + diff --git a/queue-4.19/perf-x86-intel-cstate-add-icelake-support.patch b/queue-4.19/perf-x86-intel-cstate-add-icelake-support.patch new file mode 100644 index 00000000000..3bb65ad644e --- /dev/null +++ b/queue-4.19/perf-x86-intel-cstate-add-icelake-support.patch @@ -0,0 +1,44 @@ +From 2146079ceab297fa55648cf106aa3bc4aa864c2d Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Tue, 2 Apr 2019 12:45:06 -0700 +Subject: perf/x86/intel/cstate: Add Icelake support + +[ Upstream commit f08c47d1f86c6dc666c7e659d94bf6d4492aa9d7 ] + +Icelake uses the same C-state residency events as Sandy Bridge. + +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: acme@kernel.org +Cc: jolsa@kernel.org +Link: https://lkml.kernel.org/r/20190402194509.2832-10-kan.liang@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/cstate.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/x86/events/intel/cstate.c b/arch/x86/events/intel/cstate.c +index 56194c571299f..4a650eb3d94a3 100644 +--- a/arch/x86/events/intel/cstate.c ++++ b/arch/x86/events/intel/cstate.c +@@ -584,6 +584,8 @@ static const struct x86_cpu_id intel_cstates_match[] __initconst = { + X86_CSTATES_MODEL(INTEL_FAM6_ATOM_GOLDMONT_X, glm_cstates), + + X86_CSTATES_MODEL(INTEL_FAM6_ATOM_GOLDMONT_PLUS, glm_cstates), ++ ++ X86_CSTATES_MODEL(INTEL_FAM6_ICELAKE_MOBILE, snb_cstates), + { }, + }; + MODULE_DEVICE_TABLE(x86cpu, intel_cstates_match); +-- +2.20.1 + diff --git a/queue-4.19/perf-x86-intel-rapl-add-icelake-support.patch b/queue-4.19/perf-x86-intel-rapl-add-icelake-support.patch new file mode 100644 index 00000000000..2be52601d41 --- /dev/null +++ b/queue-4.19/perf-x86-intel-rapl-add-icelake-support.patch @@ -0,0 +1,44 @@ +From 7dfc193c368e1ce36b007492e60ae06bd22cf78e Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Tue, 2 Apr 2019 12:45:07 -0700 +Subject: perf/x86/intel/rapl: Add Icelake support + +[ Upstream commit b3377c3acb9e54cf86efcfe25f2e792bca599ed4 ] + +Icelake support the same RAPL counters as Skylake. + +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: acme@kernel.org +Cc: jolsa@kernel.org +Link: https://lkml.kernel.org/r/20190402194509.2832-11-kan.liang@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/rapl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/x86/events/intel/rapl.c b/arch/x86/events/intel/rapl.c +index 91039ffed6333..2413169ce3627 100644 +--- a/arch/x86/events/intel/rapl.c ++++ b/arch/x86/events/intel/rapl.c +@@ -780,6 +780,8 @@ static const struct x86_cpu_id rapl_cpu_match[] __initconst = { + X86_RAPL_MODEL_MATCH(INTEL_FAM6_ATOM_GOLDMONT_X, hsw_rapl_init), + + X86_RAPL_MODEL_MATCH(INTEL_FAM6_ATOM_GOLDMONT_PLUS, hsw_rapl_init), ++ ++ X86_RAPL_MODEL_MATCH(INTEL_FAM6_ICELAKE_MOBILE, skl_rapl_init), + {}, + }; + +-- +2.20.1 + diff --git a/queue-4.19/perf-x86-msr-add-icelake-support.patch b/queue-4.19/perf-x86-msr-add-icelake-support.patch new file mode 100644 index 00000000000..85dc6cf0e0a --- /dev/null +++ b/queue-4.19/perf-x86-msr-add-icelake-support.patch @@ -0,0 +1,43 @@ +From e909244600aba6c141ea7b7c5122b1b0ad4065ea Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Tue, 2 Apr 2019 12:45:08 -0700 +Subject: perf/x86/msr: Add Icelake support + +[ Upstream commit cf50d79a8cfe5adae37fec026220b009559bbeed ] + +Icelake is the same as the existing Skylake parts. + +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: acme@kernel.org +Cc: jolsa@kernel.org +Link: https://lkml.kernel.org/r/20190402194509.2832-12-kan.liang@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/events/msr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/events/msr.c b/arch/x86/events/msr.c +index 1b9f85abf9bc1..ace6c1e752fb1 100644 +--- a/arch/x86/events/msr.c ++++ b/arch/x86/events/msr.c +@@ -89,6 +89,7 @@ static bool test_intel(int idx) + case INTEL_FAM6_SKYLAKE_X: + case INTEL_FAM6_KABYLAKE_MOBILE: + case INTEL_FAM6_KABYLAKE_DESKTOP: ++ case INTEL_FAM6_ICELAKE_MOBILE: + if (idx == PERF_MSR_SMI || idx == PERF_MSR_PPERF) + return true; + break; +-- +2.20.1 + diff --git a/queue-4.19/phy-mapphone-mdm6600-add-gpiolib-dependency.patch b/queue-4.19/phy-mapphone-mdm6600-add-gpiolib-dependency.patch new file mode 100644 index 00000000000..3063e144c0a --- /dev/null +++ b/queue-4.19/phy-mapphone-mdm6600-add-gpiolib-dependency.patch @@ -0,0 +1,42 @@ +From a0b3aa5b3485d4f2f9c569ca99d99e07d9c338ad Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 4 Mar 2019 21:23:58 +0100 +Subject: phy: mapphone-mdm6600: add gpiolib dependency + +[ Upstream commit 208d3423ee463ab257908456f6bbca4024ab63f7 ] + +gcc points out that when CONFIG_GPIOLIB is disabled, +gpiod_get_array_value_cansleep() returns 0 but fails to set its output: + +drivers/phy/motorola/phy-mapphone-mdm6600.c: In function 'phy_mdm6600_status': +drivers/phy/motorola/phy-mapphone-mdm6600.c:220:24: error: 'values[0]' is used uninitialized in this function [-Werror=uninitialized] + +This could be fixed more generally in gpiolib by returning a failure +code, but for this specific case, the easier workaround is to add a +gpiolib dependency. + +Fixes: 5d1ebbda0318 ("phy: mapphone-mdm6600: Add USB PHY driver for MDM6600 on Droid 4") +Signed-off-by: Arnd Bergmann +Acked-by: Tony Lindgren +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Sasha Levin +--- + drivers/phy/motorola/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/phy/motorola/Kconfig b/drivers/phy/motorola/Kconfig +index 82651524ffb9c..718f8729701df 100644 +--- a/drivers/phy/motorola/Kconfig ++++ b/drivers/phy/motorola/Kconfig +@@ -13,7 +13,7 @@ config PHY_CPCAP_USB + + config PHY_MAPPHONE_MDM6600 + tristate "Motorola Mapphone MDM6600 modem USB PHY driver" +- depends on OF && USB_SUPPORT ++ depends on OF && USB_SUPPORT && GPIOLIB + select GENERIC_PHY + help + Enable this for MDM6600 USB modem to work on Motorola phones +-- +2.20.1 + diff --git a/queue-4.19/phy-sun4i-usb-make-sure-to-disable-phy0-passby-for-p.patch b/queue-4.19/phy-sun4i-usb-make-sure-to-disable-phy0-passby-for-p.patch new file mode 100644 index 00000000000..e163e9f900b --- /dev/null +++ b/queue-4.19/phy-sun4i-usb-make-sure-to-disable-phy0-passby-for-p.patch @@ -0,0 +1,48 @@ +From 347882d8ab44d75788102b931ebc88ff9808e4ac Mon Sep 17 00:00:00 2001 +From: Paul Kocialkowski +Date: Thu, 14 Mar 2019 14:05:18 +0100 +Subject: phy: sun4i-usb: Make sure to disable PHY0 passby for peripheral mode + +[ Upstream commit e6f32efb1b128344a2c7df9875bc1a1abaa1d395 ] + +On platforms where the MUSB and HCI controllers share PHY0, PHY passby +is required when using the HCI controller with the PHY, but it must be +disabled when the MUSB controller is used instead. + +Without this, PHY0 passby is always enabled, which results in broken +peripheral mode on such platforms (e.g. H3/H5). + +Fixes: ba4bdc9e1dc0 ("PHY: sunxi: Add driver for sunxi usb phy") + +Signed-off-by: Paul Kocialkowski +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Sasha Levin +--- + drivers/phy/allwinner/phy-sun4i-usb.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/phy/allwinner/phy-sun4i-usb.c b/drivers/phy/allwinner/phy-sun4i-usb.c +index 15c8fc2abf01f..1f8809bab002c 100644 +--- a/drivers/phy/allwinner/phy-sun4i-usb.c ++++ b/drivers/phy/allwinner/phy-sun4i-usb.c +@@ -550,6 +550,7 @@ static void sun4i_usb_phy0_id_vbus_det_scan(struct work_struct *work) + struct sun4i_usb_phy_data *data = + container_of(work, struct sun4i_usb_phy_data, detect.work); + struct phy *phy0 = data->phys[0].phy; ++ struct sun4i_usb_phy *phy = phy_get_drvdata(phy0); + bool force_session_end, id_notify = false, vbus_notify = false; + int id_det, vbus_det; + +@@ -606,6 +607,9 @@ static void sun4i_usb_phy0_id_vbus_det_scan(struct work_struct *work) + mutex_unlock(&phy0->mutex); + } + ++ /* Enable PHY0 passby for host mode only. */ ++ sun4i_usb_phy_passby(phy, !id_det); ++ + /* Re-route PHY0 if necessary */ + if (data->cfg->phy0_dual_route) + sun4i_usb_phy0_reroute(data, id_det); +-- +2.20.1 + diff --git a/queue-4.19/pinctrl-pistachio-fix-leaked-of_node-references.patch b/queue-4.19/pinctrl-pistachio-fix-leaked-of_node-references.patch new file mode 100644 index 00000000000..ab5c8ba9754 --- /dev/null +++ b/queue-4.19/pinctrl-pistachio-fix-leaked-of_node-references.patch @@ -0,0 +1,47 @@ +From 7d05da2a19472772992abadc2097cd78cca72a6e Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Fri, 12 Apr 2019 14:02:19 +0800 +Subject: pinctrl: pistachio: fix leaked of_node references + +[ Upstream commit 44a4455ac2c6b0981eace683a2b6eccf47689022 ] + +The call to of_get_child_by_name returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +./drivers/pinctrl/pinctrl-pistachio.c:1422:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1360, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Cc: Linus Walleij +Cc: linux-gpio@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-pistachio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pinctrl/pinctrl-pistachio.c b/drivers/pinctrl/pinctrl-pistachio.c +index 302190d1558d9..0d7d379e9bb80 100644 +--- a/drivers/pinctrl/pinctrl-pistachio.c ++++ b/drivers/pinctrl/pinctrl-pistachio.c +@@ -1368,6 +1368,7 @@ static int pistachio_gpio_register(struct pistachio_pinctrl *pctl) + if (!of_find_property(child, "gpio-controller", NULL)) { + dev_err(pctl->dev, + "No gpio-controller property for bank %u\n", i); ++ of_node_put(child); + ret = -ENODEV; + goto err; + } +@@ -1375,6 +1376,7 @@ static int pistachio_gpio_register(struct pistachio_pinctrl *pctl) + irq = irq_of_parse_and_map(child, 0); + if (irq < 0) { + dev_err(pctl->dev, "No IRQ for bank %u: %d\n", i, irq); ++ of_node_put(child); + ret = irq; + goto err; + } +-- +2.20.1 + diff --git a/queue-4.19/pinctrl-samsung-fix-leaked-of_node-references.patch b/queue-4.19/pinctrl-samsung-fix-leaked-of_node-references.patch new file mode 100644 index 00000000000..d322359dd80 --- /dev/null +++ b/queue-4.19/pinctrl-samsung-fix-leaked-of_node-references.patch @@ -0,0 +1,45 @@ +From 47f61d2dd57ea7b34c3bdc8f8dbc48306ea0ded5 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Fri, 12 Apr 2019 14:02:22 +0800 +Subject: pinctrl: samsung: fix leaked of_node references + +[ Upstream commit 44b9f86cd41db6c522effa5aec251d664a52fbc0 ] + +The call to of_find_compatible_node returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +./drivers/pinctrl/samsung/pinctrl-exynos-arm.c:76:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 66, but without a corresponding object release within this function. +./drivers/pinctrl/samsung/pinctrl-exynos-arm.c:82:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 66, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Cc: Linus Walleij +Cc: Tomasz Figa +Cc: Sylwester Nawrocki +Cc: Kukjin Kim +Cc: linux-samsung-soc@vger.kernel.org +Cc: linux-gpio@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/samsung/pinctrl-exynos-arm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/samsung/pinctrl-exynos-arm.c b/drivers/pinctrl/samsung/pinctrl-exynos-arm.c +index 44c6b753f692a..85ddf49a51885 100644 +--- a/drivers/pinctrl/samsung/pinctrl-exynos-arm.c ++++ b/drivers/pinctrl/samsung/pinctrl-exynos-arm.c +@@ -71,6 +71,7 @@ s5pv210_retention_init(struct samsung_pinctrl_drv_data *drvdata, + } + + clk_base = of_iomap(np, 0); ++ of_node_put(np); + if (!clk_base) { + pr_err("%s: failed to map clock registers\n", __func__); + return ERR_PTR(-EINVAL); +-- +2.20.1 + diff --git a/queue-4.19/pinctrl-zte-fix-leaked-of_node-references.patch b/queue-4.19/pinctrl-zte-fix-leaked-of_node-references.patch new file mode 100644 index 00000000000..d84c0a0a7ea --- /dev/null +++ b/queue-4.19/pinctrl-zte-fix-leaked-of_node-references.patch @@ -0,0 +1,46 @@ +From 0e3ec0c8258897e8a2cb61e35f45b2c95f680cb6 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Fri, 12 Apr 2019 14:02:23 +0800 +Subject: pinctrl: zte: fix leaked of_node references + +[ Upstream commit 02d15f0d80720545f1f4922a1550ea4aaad4e152 ] + +The call to of_parse_phandle returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +./drivers/pinctrl/zte/pinctrl-zx.c:415:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 407, but without a corresponding object release within this function. +./drivers/pinctrl/zte/pinctrl-zx.c:422:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 407, but without a corresponding object release within this function. +./drivers/pinctrl/zte/pinctrl-zx.c:436:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 407, but without a corresponding object release within this function. +./drivers/pinctrl/zte/pinctrl-zx.c:444:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 407, but without a corresponding object release within this function. +./drivers/pinctrl/zte/pinctrl-zx.c:448:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 407, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Cc: Linus Walleij +Cc: Jun Nie +Cc: Linus Walleij +Cc: linux-gpio@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Acked-by: Shawn Guo +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/zte/pinctrl-zx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/zte/pinctrl-zx.c b/drivers/pinctrl/zte/pinctrl-zx.c +index caa44dd2880a8..3cb69309912ba 100644 +--- a/drivers/pinctrl/zte/pinctrl-zx.c ++++ b/drivers/pinctrl/zte/pinctrl-zx.c +@@ -411,6 +411,7 @@ int zx_pinctrl_init(struct platform_device *pdev, + } + + zpctl->aux_base = of_iomap(np, 0); ++ of_node_put(np); + if (!zpctl->aux_base) + return -ENOMEM; + +-- +2.20.1 + diff --git a/queue-4.19/pm-core-propagate-dev-power.wakeup_path-when-no-call.patch b/queue-4.19/pm-core-propagate-dev-power.wakeup_path-when-no-call.patch new file mode 100644 index 00000000000..7efd59f5737 --- /dev/null +++ b/queue-4.19/pm-core-propagate-dev-power.wakeup_path-when-no-call.patch @@ -0,0 +1,47 @@ +From a29aad1713ea7cfb8818e4eca426cce355844789 Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Wed, 10 Apr 2019 11:55:16 +0200 +Subject: PM / core: Propagate dev->power.wakeup_path when no callbacks + +[ Upstream commit dc351d4c5f4fe4d0f274d6d660227be0c3a03317 ] + +The dev->power.direct_complete flag may become set in device_prepare() in +case the device don't have any PM callbacks (dev->power.no_pm_callbacks is +set). This leads to a broken behaviour, when there is child having wakeup +enabled and relies on its parent to be used in the wakeup path. + +More precisely, when the direct complete path becomes selected for the +child in __device_suspend(), the propagation of the dev->power.wakeup_path +becomes skipped as well. + +Let's address this problem, by checking if the device is a part the wakeup +path or has wakeup enabled, then prevent the direct complete path from +being used. + +Reported-by: Loic Pallardy +Signed-off-by: Ulf Hansson +[ rjw: Comment cleanup ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/base/power/main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c +index a690fd4002605..4abd7c6531d9d 100644 +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -1736,6 +1736,10 @@ static int __device_suspend(struct device *dev, pm_message_t state, bool async) + if (dev->power.syscore) + goto Complete; + ++ /* Avoid direct_complete to let wakeup_path propagate. */ ++ if (device_may_wakeup(dev) || dev->power.wakeup_path) ++ dev->power.direct_complete = false; ++ + if (dev->power.direct_complete) { + if (pm_runtime_status_suspended(dev)) { + pm_runtime_disable(dev); +-- +2.20.1 + diff --git a/queue-4.19/powerpc-64-fix-booting-large-kernels-with-strict_ker.patch b/queue-4.19/powerpc-64-fix-booting-large-kernels-with-strict_ker.patch new file mode 100644 index 00000000000..c6d91df2494 --- /dev/null +++ b/queue-4.19/powerpc-64-fix-booting-large-kernels-with-strict_ker.patch @@ -0,0 +1,42 @@ +From de87f108a29f8aacd448aefcaa7f1fba0955242e Mon Sep 17 00:00:00 2001 +From: Russell Currey +Date: Wed, 27 Mar 2019 14:35:54 +1100 +Subject: powerpc/64: Fix booting large kernels with STRICT_KERNEL_RWX + +[ Upstream commit 56c46bba9bbfe229b4472a5be313c44c5b714a39 ] + +With STRICT_KERNEL_RWX enabled anything marked __init is placed at a 16M +boundary. This is necessary so that it can be repurposed later with +different permissions. However, in kernels with text larger than 16M, +this pushes early_setup past 32M, incapable of being reached by the +branch instruction. + +Fix this by setting the CTR and branching there instead. + +Fixes: 1e0fc9d1eb2b ("powerpc/Kconfig: Enable STRICT_KERNEL_RWX for some configs") +Signed-off-by: Russell Currey +[mpe: Fix it to work on BE by using DOTSYM()] +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/head_64.S | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/head_64.S b/arch/powerpc/kernel/head_64.S +index 4898e9491a1cd..9168a247e24ff 100644 +--- a/arch/powerpc/kernel/head_64.S ++++ b/arch/powerpc/kernel/head_64.S +@@ -970,7 +970,9 @@ start_here_multiplatform: + + /* Restore parameters passed from prom_init/kexec */ + mr r3,r31 +- bl early_setup /* also sets r13 and SPRG_PACA */ ++ LOAD_REG_ADDR(r12, DOTSYM(early_setup)) ++ mtctr r12 ++ bctrl /* also sets r13 and SPRG_PACA */ + + LOAD_REG_ADDR(r3, start_here_common) + ld r4,PACAKMSR(r13) +-- +2.20.1 + diff --git a/queue-4.19/powerpc-boot-fix-missing-check-of-lseek-return-value.patch b/queue-4.19/powerpc-boot-fix-missing-check-of-lseek-return-value.patch new file mode 100644 index 00000000000..c672a8a0e31 --- /dev/null +++ b/queue-4.19/powerpc-boot-fix-missing-check-of-lseek-return-value.patch @@ -0,0 +1,36 @@ +From 9f36ff6ba6459f125f75ae6359212a837ff9ac7a Mon Sep 17 00:00:00 2001 +From: Bo YU +Date: Tue, 30 Oct 2018 09:21:55 -0400 +Subject: powerpc/boot: Fix missing check of lseek() return value + +[ Upstream commit 5d085ec04a000fefb5182d3b03ee46ca96d8389b ] + +This is detected by Coverity scan: CID: 1440481 + +Signed-off-by: Bo YU +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/boot/addnote.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/boot/addnote.c b/arch/powerpc/boot/addnote.c +index 9d9f6f334d3cc..3da3e2b1b51bc 100644 +--- a/arch/powerpc/boot/addnote.c ++++ b/arch/powerpc/boot/addnote.c +@@ -223,7 +223,11 @@ main(int ac, char **av) + PUT_16(E_PHNUM, np + 2); + + /* write back */ +- lseek(fd, (long) 0, SEEK_SET); ++ i = lseek(fd, (long) 0, SEEK_SET); ++ if (i < 0) { ++ perror("lseek"); ++ exit(1); ++ } + i = write(fd, buf, n); + if (i < 0) { + perror("write"); +-- +2.20.1 + diff --git a/queue-4.19/powerpc-numa-improve-control-of-topology-updates.patch b/queue-4.19/powerpc-numa-improve-control-of-topology-updates.patch new file mode 100644 index 00000000000..e3fbc877113 --- /dev/null +++ b/queue-4.19/powerpc-numa-improve-control-of-topology-updates.patch @@ -0,0 +1,81 @@ +From 7765685a42651934bfdac564c27066df4bce19bb Mon Sep 17 00:00:00 2001 +From: Nathan Lynch +Date: Thu, 18 Apr 2019 13:56:57 -0500 +Subject: powerpc/numa: improve control of topology updates + +[ Upstream commit 2d4d9b308f8f8dec68f6dbbff18c68ec7c6bd26f ] + +When booted with "topology_updates=no", or when "off" is written to +/proc/powerpc/topology_updates, NUMA reassignments are inhibited for +PRRN and VPHN events. However, migration and suspend unconditionally +re-enable reassignments via start_topology_update(). This is +incoherent. + +Check the topology_updates_enabled flag in +start/stop_topology_update() so that callers of those APIs need not be +aware of whether reassignments are enabled. This allows the +administrative decision on reassignments to remain in force across +migrations and suspensions. + +Signed-off-by: Nathan Lynch +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/numa.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c +index 10fb43efef508..f473c05e96497 100644 +--- a/arch/powerpc/mm/numa.c ++++ b/arch/powerpc/mm/numa.c +@@ -1495,6 +1495,9 @@ int start_topology_update(void) + { + int rc = 0; + ++ if (!topology_updates_enabled) ++ return 0; ++ + if (firmware_has_feature(FW_FEATURE_PRRN)) { + if (!prrn_enabled) { + prrn_enabled = 1; +@@ -1524,6 +1527,9 @@ int stop_topology_update(void) + { + int rc = 0; + ++ if (!topology_updates_enabled) ++ return 0; ++ + if (prrn_enabled) { + prrn_enabled = 0; + #ifdef CONFIG_SMP +@@ -1579,11 +1585,13 @@ static ssize_t topology_write(struct file *file, const char __user *buf, + + kbuf[read_len] = '\0'; + +- if (!strncmp(kbuf, "on", 2)) ++ if (!strncmp(kbuf, "on", 2)) { ++ topology_updates_enabled = true; + start_topology_update(); +- else if (!strncmp(kbuf, "off", 3)) ++ } else if (!strncmp(kbuf, "off", 3)) { + stop_topology_update(); +- else ++ topology_updates_enabled = false; ++ } else + return -EINVAL; + + return count; +@@ -1598,9 +1606,7 @@ static const struct file_operations topology_ops = { + + static int topology_update_init(void) + { +- /* Do not poll for changes if disabled at boot */ +- if (topology_updates_enabled) +- start_topology_update(); ++ start_topology_update(); + + if (vphn_enabled) + topology_schedule_update(); +-- +2.20.1 + diff --git a/queue-4.19/powerpc-perf-fix-loop-exit-condition-in-nest_imc_eve.patch b/queue-4.19/powerpc-perf-fix-loop-exit-condition-in-nest_imc_eve.patch new file mode 100644 index 00000000000..89b74e22fa2 --- /dev/null +++ b/queue-4.19/powerpc-perf-fix-loop-exit-condition-in-nest_imc_eve.patch @@ -0,0 +1,60 @@ +From ea102473b32bc110145103793bfe96a41a74c07e Mon Sep 17 00:00:00 2001 +From: Anju T Sudhakar +Date: Tue, 18 Dec 2018 11:50:41 +0530 +Subject: powerpc/perf: Fix loop exit condition in nest_imc_event_init + +[ Upstream commit 860b7d2286236170a36f94946d03ca9888d32571 ] + +The data structure (i.e struct imc_mem_info) to hold the memory address +information for nest imc units is allocated based on the number of nodes +in the system. + +nest_imc_event_init() traverse this struct array to calculate the memory +base address for the event-cpu. If we fail to find a match for the event +cpu's chip-id in imc_mem_info struct array, then the do-while loop will +iterate until we crash. + +Fix this by changing the loop exit condition based on the number of +non zero vbase elements in the array, since the allocation is done for +nr_chips + 1. + +Reported-by: Dan Carpenter +Fixes: 885dcd709ba91 ("powerpc/perf: Add nest IMC PMU support") +Signed-off-by: Anju T Sudhakar +Reviewed-by: Madhavan Srinivasan +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/imc-pmu.c | 2 +- + arch/powerpc/platforms/powernv/opal-imc.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/perf/imc-pmu.c b/arch/powerpc/perf/imc-pmu.c +index 3cebfdf362116..5553226770748 100644 +--- a/arch/powerpc/perf/imc-pmu.c ++++ b/arch/powerpc/perf/imc-pmu.c +@@ -508,7 +508,7 @@ static int nest_imc_event_init(struct perf_event *event) + break; + } + pcni++; +- } while (pcni); ++ } while (pcni->vbase != 0); + + if (!flag) + return -ENODEV; +diff --git a/arch/powerpc/platforms/powernv/opal-imc.c b/arch/powerpc/platforms/powernv/opal-imc.c +index 58a07948c76e7..3d27f02695e41 100644 +--- a/arch/powerpc/platforms/powernv/opal-imc.c ++++ b/arch/powerpc/platforms/powernv/opal-imc.c +@@ -127,7 +127,7 @@ static int imc_get_mem_addr_nest(struct device_node *node, + nr_chips)) + goto error; + +- pmu_ptr->mem_info = kcalloc(nr_chips, sizeof(*pmu_ptr->mem_info), ++ pmu_ptr->mem_info = kcalloc(nr_chips + 1, sizeof(*pmu_ptr->mem_info), + GFP_KERNEL); + if (!pmu_ptr->mem_info) + goto error; +-- +2.20.1 + diff --git a/queue-4.19/powerpc-perf-return-accordingly-on-invalid-chip-id-i.patch b/queue-4.19/powerpc-perf-return-accordingly-on-invalid-chip-id-i.patch new file mode 100644 index 00000000000..88d1d7e41ad --- /dev/null +++ b/queue-4.19/powerpc-perf-return-accordingly-on-invalid-chip-id-i.patch @@ -0,0 +1,41 @@ +From 795ae8768d7e328d8872693f99331fd141eac3a6 Mon Sep 17 00:00:00 2001 +From: Anju T Sudhakar +Date: Tue, 27 Nov 2018 13:54:52 +0530 +Subject: powerpc/perf: Return accordingly on invalid chip-id in + +[ Upstream commit a913e5e8b43be1d3897a141ce61c1ec071cad89c ] + +Nest hardware counter memory resides in a per-chip reserve-memory. +During nest_imc_event_init(), chip-id of the event-cpu is considered to +calculate the base memory addresss for that cpu. Return, proper error +condition if the chip_id calculated is invalid. + +Reported-by: Dan Carpenter +Fixes: 885dcd709ba91 ("powerpc/perf: Add nest IMC PMU support") +Reviewed-by: Madhavan Srinivasan +Signed-off-by: Anju T Sudhakar +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/imc-pmu.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/powerpc/perf/imc-pmu.c b/arch/powerpc/perf/imc-pmu.c +index 1fafc32b12a0f..3cebfdf362116 100644 +--- a/arch/powerpc/perf/imc-pmu.c ++++ b/arch/powerpc/perf/imc-pmu.c +@@ -496,6 +496,11 @@ static int nest_imc_event_init(struct perf_event *event) + * Get the base memory addresss for this cpu. + */ + chip_id = cpu_to_chip_id(event->cpu); ++ ++ /* Return, if chip_id is not valid */ ++ if (chip_id < 0) ++ return -ENODEV; ++ + pcni = pmu->mem_info; + do { + if (pcni->id == chip_id) { +-- +2.20.1 + diff --git a/queue-4.19/powerpc-watchdog-use-hrtimers-for-per-cpu-heartbeat.patch b/queue-4.19/powerpc-watchdog-use-hrtimers-for-per-cpu-heartbeat.patch new file mode 100644 index 00000000000..2f8852269f0 --- /dev/null +++ b/queue-4.19/powerpc-watchdog-use-hrtimers-for-per-cpu-heartbeat.patch @@ -0,0 +1,196 @@ +From 8f2083dacbcfdcbc0e0d8d63d29e8dae0c163300 Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Tue, 9 Apr 2019 14:40:05 +1000 +Subject: powerpc/watchdog: Use hrtimers for per-CPU heartbeat + +[ Upstream commit 7ae3f6e130e8dc6188b59e3b4ebc2f16e9c8d053 ] + +Using a jiffies timer creates a dependency on the tick_do_timer_cpu +incrementing jiffies. If that CPU has locked up and jiffies is not +incrementing, the watchdog heartbeat timer for all CPUs stops and +creates false positives and confusing warnings on local CPUs, and +also causes the SMP detector to stop, so the root cause is never +detected. + +Fix this by using hrtimer based timers for the watchdog heartbeat, +like the generic kernel hardlockup detector. + +Cc: Gautham R. Shenoy +Reported-by: Ravikumar Bangoria +Signed-off-by: Nicholas Piggin +Tested-by: Ravi Bangoria +Reported-by: Ravi Bangoria +Reviewed-by: Gautham R. Shenoy +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/watchdog.c | 81 +++++++++++++++++----------------- + 1 file changed, 40 insertions(+), 41 deletions(-) + +diff --git a/arch/powerpc/kernel/watchdog.c b/arch/powerpc/kernel/watchdog.c +index 3c6ab22a0c4e3..af3c15a1d41eb 100644 +--- a/arch/powerpc/kernel/watchdog.c ++++ b/arch/powerpc/kernel/watchdog.c +@@ -77,7 +77,7 @@ static u64 wd_smp_panic_timeout_tb __read_mostly; /* panic other CPUs */ + + static u64 wd_timer_period_ms __read_mostly; /* interval between heartbeat */ + +-static DEFINE_PER_CPU(struct timer_list, wd_timer); ++static DEFINE_PER_CPU(struct hrtimer, wd_hrtimer); + static DEFINE_PER_CPU(u64, wd_timer_tb); + + /* SMP checker bits */ +@@ -293,21 +293,21 @@ void soft_nmi_interrupt(struct pt_regs *regs) + nmi_exit(); + } + +-static void wd_timer_reset(unsigned int cpu, struct timer_list *t) +-{ +- t->expires = jiffies + msecs_to_jiffies(wd_timer_period_ms); +- if (wd_timer_period_ms > 1000) +- t->expires = __round_jiffies_up(t->expires, cpu); +- add_timer_on(t, cpu); +-} +- +-static void wd_timer_fn(struct timer_list *t) ++static enum hrtimer_restart watchdog_timer_fn(struct hrtimer *hrtimer) + { + int cpu = smp_processor_id(); + ++ if (!(watchdog_enabled & NMI_WATCHDOG_ENABLED)) ++ return HRTIMER_NORESTART; ++ ++ if (!cpumask_test_cpu(cpu, &watchdog_cpumask)) ++ return HRTIMER_NORESTART; ++ + watchdog_timer_interrupt(cpu); + +- wd_timer_reset(cpu, t); ++ hrtimer_forward_now(hrtimer, ms_to_ktime(wd_timer_period_ms)); ++ ++ return HRTIMER_RESTART; + } + + void arch_touch_nmi_watchdog(void) +@@ -323,37 +323,22 @@ void arch_touch_nmi_watchdog(void) + } + EXPORT_SYMBOL(arch_touch_nmi_watchdog); + +-static void start_watchdog_timer_on(unsigned int cpu) +-{ +- struct timer_list *t = per_cpu_ptr(&wd_timer, cpu); +- +- per_cpu(wd_timer_tb, cpu) = get_tb(); +- +- timer_setup(t, wd_timer_fn, TIMER_PINNED); +- wd_timer_reset(cpu, t); +-} +- +-static void stop_watchdog_timer_on(unsigned int cpu) +-{ +- struct timer_list *t = per_cpu_ptr(&wd_timer, cpu); +- +- del_timer_sync(t); +-} +- +-static int start_wd_on_cpu(unsigned int cpu) ++static void start_watchdog(void *arg) + { ++ struct hrtimer *hrtimer = this_cpu_ptr(&wd_hrtimer); ++ int cpu = smp_processor_id(); + unsigned long flags; + + if (cpumask_test_cpu(cpu, &wd_cpus_enabled)) { + WARN_ON(1); +- return 0; ++ return; + } + + if (!(watchdog_enabled & NMI_WATCHDOG_ENABLED)) +- return 0; ++ return; + + if (!cpumask_test_cpu(cpu, &watchdog_cpumask)) +- return 0; ++ return; + + wd_smp_lock(&flags); + cpumask_set_cpu(cpu, &wd_cpus_enabled); +@@ -363,27 +348,40 @@ static int start_wd_on_cpu(unsigned int cpu) + } + wd_smp_unlock(&flags); + +- start_watchdog_timer_on(cpu); ++ *this_cpu_ptr(&wd_timer_tb) = get_tb(); + +- return 0; ++ hrtimer_init(hrtimer, CLOCK_MONOTONIC, HRTIMER_MODE_REL); ++ hrtimer->function = watchdog_timer_fn; ++ hrtimer_start(hrtimer, ms_to_ktime(wd_timer_period_ms), ++ HRTIMER_MODE_REL_PINNED); + } + +-static int stop_wd_on_cpu(unsigned int cpu) ++static int start_watchdog_on_cpu(unsigned int cpu) + { ++ return smp_call_function_single(cpu, start_watchdog, NULL, true); ++} ++ ++static void stop_watchdog(void *arg) ++{ ++ struct hrtimer *hrtimer = this_cpu_ptr(&wd_hrtimer); ++ int cpu = smp_processor_id(); + unsigned long flags; + + if (!cpumask_test_cpu(cpu, &wd_cpus_enabled)) +- return 0; /* Can happen in CPU unplug case */ ++ return; /* Can happen in CPU unplug case */ + +- stop_watchdog_timer_on(cpu); ++ hrtimer_cancel(hrtimer); + + wd_smp_lock(&flags); + cpumask_clear_cpu(cpu, &wd_cpus_enabled); + wd_smp_unlock(&flags); + + wd_smp_clear_cpu_pending(cpu, get_tb()); ++} + +- return 0; ++static int stop_watchdog_on_cpu(unsigned int cpu) ++{ ++ return smp_call_function_single(cpu, stop_watchdog, NULL, true); + } + + static void watchdog_calc_timeouts(void) +@@ -402,7 +400,7 @@ void watchdog_nmi_stop(void) + int cpu; + + for_each_cpu(cpu, &wd_cpus_enabled) +- stop_wd_on_cpu(cpu); ++ stop_watchdog_on_cpu(cpu); + } + + void watchdog_nmi_start(void) +@@ -411,7 +409,7 @@ void watchdog_nmi_start(void) + + watchdog_calc_timeouts(); + for_each_cpu_and(cpu, cpu_online_mask, &watchdog_cpumask) +- start_wd_on_cpu(cpu); ++ start_watchdog_on_cpu(cpu); + } + + /* +@@ -423,7 +421,8 @@ int __init watchdog_nmi_probe(void) + + err = cpuhp_setup_state_nocalls(CPUHP_AP_ONLINE_DYN, + "powerpc/watchdog:online", +- start_wd_on_cpu, stop_wd_on_cpu); ++ start_watchdog_on_cpu, ++ stop_watchdog_on_cpu); + if (err < 0) { + pr_warn("could not be initialized"); + return err; +-- +2.20.1 + diff --git a/queue-4.19/qmi_wwan-add-quirk-for-quectel-dynamic-config.patch b/queue-4.19/qmi_wwan-add-quirk-for-quectel-dynamic-config.patch new file mode 100644 index 00000000000..2dd0538a779 --- /dev/null +++ b/queue-4.19/qmi_wwan-add-quirk-for-quectel-dynamic-config.patch @@ -0,0 +1,168 @@ +From db6d30596ef7b111248fe7c8e3f37df0fe057af9 Mon Sep 17 00:00:00 2001 +From: Kristian Evensen +Date: Sun, 7 Apr 2019 15:39:09 +0200 +Subject: qmi_wwan: Add quirk for Quectel dynamic config +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit e4bf63482c309287ca84d91770ffa7dcc18e37eb ] + +Most, if not all, Quectel devices use dynamic interface numbers, and +users are able to change the USB configuration at will. Matching on for +example interface number is therefore not possible. + +Instead, the QMI device can be identified by looking at the interface +class, subclass and protocol (all 0xff), as well as the number of +endpoints. The reason we need to look at the number of endpoints, is +that the diagnostic port interface has the same class, subclass and +protocol as QMI. However, the diagnostic port only has two endpoints, +while QMI has three. + +Until now, we have identified the QMI device by combining a match on +class, subclass and protocol, with a call to the function +quectel_diag_detect(). In quectel_diag_detect(), we check if the number +of endpoints matches for known Quectel vendor/product ids. + +Adding new vendor/product ids to quectel_diag_detect() is not a good +long-term solution. This commit replaces the function with a quirk, and +applies the quirk to affected Quectel devices that I have been able to +test the change with (EP06, EM12 and EC25). If the quirk is set and the +number of endpoints equal two, we return from qmi_wwan_probe() with +-ENODEV. + +Signed-off-by: Kristian Evensen +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 65 ++++++++++++++++++-------------------- + 1 file changed, 31 insertions(+), 34 deletions(-) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 366217263d704..d9a6699abe592 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -63,6 +63,7 @@ enum qmi_wwan_flags { + + enum qmi_wwan_quirks { + QMI_WWAN_QUIRK_DTR = 1 << 0, /* needs "set DTR" request */ ++ QMI_WWAN_QUIRK_QUECTEL_DYNCFG = 1 << 1, /* check num. endpoints */ + }; + + struct qmimux_hdr { +@@ -845,6 +846,16 @@ static const struct driver_info qmi_wwan_info_quirk_dtr = { + .data = QMI_WWAN_QUIRK_DTR, + }; + ++static const struct driver_info qmi_wwan_info_quirk_quectel_dyncfg = { ++ .description = "WWAN/QMI device", ++ .flags = FLAG_WWAN | FLAG_SEND_ZLP, ++ .bind = qmi_wwan_bind, ++ .unbind = qmi_wwan_unbind, ++ .manage_power = qmi_wwan_manage_power, ++ .rx_fixup = qmi_wwan_rx_fixup, ++ .data = QMI_WWAN_QUIRK_DTR | QMI_WWAN_QUIRK_QUECTEL_DYNCFG, ++}; ++ + #define HUAWEI_VENDOR_ID 0x12D1 + + /* map QMI/wwan function by a fixed interface number */ +@@ -865,6 +876,15 @@ static const struct driver_info qmi_wwan_info_quirk_dtr = { + #define QMI_GOBI_DEVICE(vend, prod) \ + QMI_FIXED_INTF(vend, prod, 0) + ++/* Quectel does not use fixed interface numbers on at least some of their ++ * devices. We need to check the number of endpoints to ensure that we bind to ++ * the correct interface. ++ */ ++#define QMI_QUIRK_QUECTEL_DYNCFG(vend, prod) \ ++ USB_DEVICE_AND_INTERFACE_INFO(vend, prod, USB_CLASS_VENDOR_SPEC, \ ++ USB_SUBCLASS_VENDOR_SPEC, 0xff), \ ++ .driver_info = (unsigned long)&qmi_wwan_info_quirk_quectel_dyncfg ++ + static const struct usb_device_id products[] = { + /* 1. CDC ECM like devices match on the control interface */ + { /* Huawei E392, E398 and possibly others sharing both device id and more... */ +@@ -969,20 +989,9 @@ static const struct usb_device_id products[] = { + USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x581d, USB_CLASS_VENDOR_SPEC, 1, 7), + .driver_info = (unsigned long)&qmi_wwan_info, + }, +- { /* Quectel EP06/EG06/EM06 */ +- USB_DEVICE_AND_INTERFACE_INFO(0x2c7c, 0x0306, +- USB_CLASS_VENDOR_SPEC, +- USB_SUBCLASS_VENDOR_SPEC, +- 0xff), +- .driver_info = (unsigned long)&qmi_wwan_info_quirk_dtr, +- }, +- { /* Quectel EG12/EM12 */ +- USB_DEVICE_AND_INTERFACE_INFO(0x2c7c, 0x0512, +- USB_CLASS_VENDOR_SPEC, +- USB_SUBCLASS_VENDOR_SPEC, +- 0xff), +- .driver_info = (unsigned long)&qmi_wwan_info_quirk_dtr, +- }, ++ {QMI_QUIRK_QUECTEL_DYNCFG(0x2c7c, 0x0125)}, /* Quectel EC25, EC20 R2.0 Mini PCIe */ ++ {QMI_QUIRK_QUECTEL_DYNCFG(0x2c7c, 0x0306)}, /* Quectel EP06/EG06/EM06 */ ++ {QMI_QUIRK_QUECTEL_DYNCFG(0x2c7c, 0x0512)}, /* Quectel EG12/EM12 */ + + /* 3. Combined interface devices matching on interface number */ + {QMI_FIXED_INTF(0x0408, 0xea42, 4)}, /* Yota / Megafon M100-1 */ +@@ -1283,7 +1292,6 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x03f0, 0x9d1d, 1)}, /* HP lt4120 Snapdragon X5 LTE */ + {QMI_FIXED_INTF(0x22de, 0x9061, 3)}, /* WeTelecom WPD-600N */ + {QMI_QUIRK_SET_DTR(0x1e0e, 0x9001, 5)}, /* SIMCom 7100E, 7230E, 7600E ++ */ +- {QMI_QUIRK_SET_DTR(0x2c7c, 0x0125, 4)}, /* Quectel EC25, EC20 R2.0 Mini PCIe */ + {QMI_QUIRK_SET_DTR(0x2c7c, 0x0121, 4)}, /* Quectel EC21 Mini PCIe */ + {QMI_QUIRK_SET_DTR(0x2c7c, 0x0191, 4)}, /* Quectel EG91 */ + {QMI_FIXED_INTF(0x2c7c, 0x0296, 4)}, /* Quectel BG96 */ +@@ -1363,27 +1371,12 @@ static bool quectel_ec20_detected(struct usb_interface *intf) + return false; + } + +-static bool quectel_diag_detected(struct usb_interface *intf) +-{ +- struct usb_device *dev = interface_to_usbdev(intf); +- struct usb_interface_descriptor intf_desc = intf->cur_altsetting->desc; +- u16 id_vendor = le16_to_cpu(dev->descriptor.idVendor); +- u16 id_product = le16_to_cpu(dev->descriptor.idProduct); +- +- if (id_vendor != 0x2c7c || intf_desc.bNumEndpoints != 2) +- return false; +- +- if (id_product == 0x0306 || id_product == 0x0512) +- return true; +- else +- return false; +-} +- + static int qmi_wwan_probe(struct usb_interface *intf, + const struct usb_device_id *prod) + { + struct usb_device_id *id = (struct usb_device_id *)prod; + struct usb_interface_descriptor *desc = &intf->cur_altsetting->desc; ++ const struct driver_info *info; + + /* Workaround to enable dynamic IDs. This disables usbnet + * blacklisting functionality. Which, if required, can be +@@ -1417,10 +1410,14 @@ static int qmi_wwan_probe(struct usb_interface *intf, + * we need to match on class/subclass/protocol. These values are + * identical for the diagnostic- and QMI-interface, but bNumEndpoints is + * different. Ignore the current interface if the number of endpoints +- * the number for the diag interface (two). ++ * equals the number for the diag interface (two). + */ +- if (quectel_diag_detected(intf)) +- return -ENODEV; ++ info = (void *)&id->driver_info; ++ ++ if (info->data & QMI_WWAN_QUIRK_QUECTEL_DYNCFG) { ++ if (desc->bNumEndpoints == 2) ++ return -ENODEV; ++ } + + return usbnet_probe(intf, id); + } +-- +2.20.1 + diff --git a/queue-4.19/random-add-a-spinlock_t-to-struct-batched_entropy.patch b/queue-4.19/random-add-a-spinlock_t-to-struct-batched_entropy.patch new file mode 100644 index 00000000000..053aa6d8a61 --- /dev/null +++ b/queue-4.19/random-add-a-spinlock_t-to-struct-batched_entropy.patch @@ -0,0 +1,191 @@ +From 9652e860dec47d8dd5ec1611b30661b36868bd10 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Sat, 20 Apr 2019 00:09:51 -0400 +Subject: random: add a spinlock_t to struct batched_entropy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit b7d5dc21072cda7124d13eae2aefb7343ef94197 ] + +The per-CPU variable batched_entropy_uXX is protected by get_cpu_var(). +This is just a preempt_disable() which ensures that the variable is only +from the local CPU. It does not protect against users on the same CPU +from another context. It is possible that a preemptible context reads +slot 0 and then an interrupt occurs and the same value is read again. + +The above scenario is confirmed by lockdep if we add a spinlock: +| ================================ +| WARNING: inconsistent lock state +| 5.1.0-rc3+ #42 Not tainted +| -------------------------------- +| inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. +| ksoftirqd/9/56 [HC0[0]:SC1[1]:HE0:SE0] takes: +| (____ptrval____) (batched_entropy_u32.lock){+.?.}, at: get_random_u32+0x3e/0xe0 +| {SOFTIRQ-ON-W} state was registered at: +| _raw_spin_lock+0x2a/0x40 +| get_random_u32+0x3e/0xe0 +| new_slab+0x15c/0x7b0 +| ___slab_alloc+0x492/0x620 +| __slab_alloc.isra.73+0x53/0xa0 +| kmem_cache_alloc_node+0xaf/0x2a0 +| copy_process.part.41+0x1e1/0x2370 +| _do_fork+0xdb/0x6d0 +| kernel_thread+0x20/0x30 +| kthreadd+0x1ba/0x220 +| ret_from_fork+0x3a/0x50 +… +| other info that might help us debug this: +| Possible unsafe locking scenario: +| +| CPU0 +| ---- +| lock(batched_entropy_u32.lock); +| +| lock(batched_entropy_u32.lock); +| +| *** DEADLOCK *** +| +| stack backtrace: +| Call Trace: +… +| kmem_cache_alloc_trace+0x20e/0x270 +| ipmi_alloc_recv_msg+0x16/0x40 +… +| __do_softirq+0xec/0x48d +| run_ksoftirqd+0x37/0x60 +| smpboot_thread_fn+0x191/0x290 +| kthread+0xfe/0x130 +| ret_from_fork+0x3a/0x50 + +Add a spinlock_t to the batched_entropy data structure and acquire the +lock while accessing it. Acquire the lock with disabled interrupts +because this function may be used from interrupt context. + +Remove the batched_entropy_reset_lock lock. Now that we have a lock for +the data scructure, we can access it from a remote CPU. + +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + drivers/char/random.c | 52 ++++++++++++++++++++++--------------------- + 1 file changed, 27 insertions(+), 25 deletions(-) + +diff --git a/drivers/char/random.c b/drivers/char/random.c +index a4515703cfcdd..0a84b7f468ad0 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -2215,8 +2215,8 @@ struct batched_entropy { + u32 entropy_u32[CHACHA20_BLOCK_SIZE / sizeof(u32)]; + }; + unsigned int position; ++ spinlock_t batch_lock; + }; +-static rwlock_t batched_entropy_reset_lock = __RW_LOCK_UNLOCKED(batched_entropy_reset_lock); + + /* + * Get a random word for internal kernel use only. The quality of the random +@@ -2226,12 +2226,14 @@ static rwlock_t batched_entropy_reset_lock = __RW_LOCK_UNLOCKED(batched_entropy_ + * wait_for_random_bytes() should be called and return 0 at least once + * at any point prior. + */ +-static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64); ++static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64) = { ++ .batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u64.lock), ++}; ++ + u64 get_random_u64(void) + { + u64 ret; +- bool use_lock; +- unsigned long flags = 0; ++ unsigned long flags; + struct batched_entropy *batch; + static void *previous; + +@@ -2246,28 +2248,25 @@ u64 get_random_u64(void) + + warn_unseeded_randomness(&previous); + +- use_lock = READ_ONCE(crng_init) < 2; +- batch = &get_cpu_var(batched_entropy_u64); +- if (use_lock) +- read_lock_irqsave(&batched_entropy_reset_lock, flags); ++ batch = raw_cpu_ptr(&batched_entropy_u64); ++ spin_lock_irqsave(&batch->batch_lock, flags); + if (batch->position % ARRAY_SIZE(batch->entropy_u64) == 0) { + extract_crng((__u32 *)batch->entropy_u64); + batch->position = 0; + } + ret = batch->entropy_u64[batch->position++]; +- if (use_lock) +- read_unlock_irqrestore(&batched_entropy_reset_lock, flags); +- put_cpu_var(batched_entropy_u64); ++ spin_unlock_irqrestore(&batch->batch_lock, flags); + return ret; + } + EXPORT_SYMBOL(get_random_u64); + +-static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32); ++static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32) = { ++ .batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u32.lock), ++}; + u32 get_random_u32(void) + { + u32 ret; +- bool use_lock; +- unsigned long flags = 0; ++ unsigned long flags; + struct batched_entropy *batch; + static void *previous; + +@@ -2276,18 +2275,14 @@ u32 get_random_u32(void) + + warn_unseeded_randomness(&previous); + +- use_lock = READ_ONCE(crng_init) < 2; +- batch = &get_cpu_var(batched_entropy_u32); +- if (use_lock) +- read_lock_irqsave(&batched_entropy_reset_lock, flags); ++ batch = raw_cpu_ptr(&batched_entropy_u32); ++ spin_lock_irqsave(&batch->batch_lock, flags); + if (batch->position % ARRAY_SIZE(batch->entropy_u32) == 0) { + extract_crng(batch->entropy_u32); + batch->position = 0; + } + ret = batch->entropy_u32[batch->position++]; +- if (use_lock) +- read_unlock_irqrestore(&batched_entropy_reset_lock, flags); +- put_cpu_var(batched_entropy_u32); ++ spin_unlock_irqrestore(&batch->batch_lock, flags); + return ret; + } + EXPORT_SYMBOL(get_random_u32); +@@ -2301,12 +2296,19 @@ static void invalidate_batched_entropy(void) + int cpu; + unsigned long flags; + +- write_lock_irqsave(&batched_entropy_reset_lock, flags); + for_each_possible_cpu (cpu) { +- per_cpu_ptr(&batched_entropy_u32, cpu)->position = 0; +- per_cpu_ptr(&batched_entropy_u64, cpu)->position = 0; ++ struct batched_entropy *batched_entropy; ++ ++ batched_entropy = per_cpu_ptr(&batched_entropy_u32, cpu); ++ spin_lock_irqsave(&batched_entropy->batch_lock, flags); ++ batched_entropy->position = 0; ++ spin_unlock(&batched_entropy->batch_lock); ++ ++ batched_entropy = per_cpu_ptr(&batched_entropy_u64, cpu); ++ spin_lock(&batched_entropy->batch_lock); ++ batched_entropy->position = 0; ++ spin_unlock_irqrestore(&batched_entropy->batch_lock, flags); + } +- write_unlock_irqrestore(&batched_entropy_reset_lock, flags); + } + + /** +-- +2.20.1 + diff --git a/queue-4.19/random-fix-crng-initialization-when-random.trust_cpu.patch b/queue-4.19/random-fix-crng-initialization-when-random.trust_cpu.patch new file mode 100644 index 00000000000..80dabff7b88 --- /dev/null +++ b/queue-4.19/random-fix-crng-initialization-when-random.trust_cpu.patch @@ -0,0 +1,65 @@ +From c9e072b794592c3ea075ed9f05c235f8982ef1c8 Mon Sep 17 00:00:00 2001 +From: Jon DeVree +Date: Fri, 19 Apr 2019 23:35:16 -0400 +Subject: random: fix CRNG initialization when random.trust_cpu=1 + +[ Upstream commit fe6f1a6a8eedc1aa538fee0baa612b6a59639cf8 ] + +When the system boots with random.trust_cpu=1 it doesn't initialize the +per-NUMA CRNGs because it skips the rest of the CRNG startup code. This +means that the code from 1e7f583af67b ("random: make /dev/urandom scalable +for silly userspace programs") is not used when random.trust_cpu=1. + +crash> dmesg | grep random: +[ 0.000000] random: get_random_bytes called from start_kernel+0x94/0x530 with crng_init=0 +[ 0.314029] random: crng done (trusting CPU's manufacturer) +crash> print crng_node_pool +$6 = (struct crng_state **) 0x0 + +After adding the missing call to numa_crng_init() the per-NUMA CRNGs are +initialized again: + +crash> dmesg | grep random: +[ 0.000000] random: get_random_bytes called from start_kernel+0x94/0x530 with crng_init=0 +[ 0.314031] random: crng done (trusting CPU's manufacturer) +crash> print crng_node_pool +$1 = (struct crng_state **) 0xffff9a915f4014a0 + +The call to invalidate_batched_entropy() was also missing. This is +important for architectures like PPC and S390 which only have the +arch_get_random_seed_* functions. + +Fixes: 39a8883a2b98 ("random: add a config option to trust the CPU's hwrng") +Signed-off-by: Jon DeVree +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + drivers/char/random.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/random.c b/drivers/char/random.c +index c75b6cdf00533..a4515703cfcdd 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -778,6 +778,7 @@ static struct crng_state **crng_node_pool __read_mostly; + #endif + + static void invalidate_batched_entropy(void); ++static void numa_crng_init(void); + + static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU); + static int __init parse_trust_cpu(char *arg) +@@ -806,7 +807,9 @@ static void crng_initialize(struct crng_state *crng) + } + crng->state[i] ^= rv; + } +- if (trust_cpu && arch_init) { ++ if (trust_cpu && arch_init && crng == &primary_crng) { ++ invalidate_batched_entropy(); ++ numa_crng_init(); + crng_init = 2; + pr_notice("random: crng done (trusting CPU's manufacturer)\n"); + } +-- +2.20.1 + diff --git a/queue-4.19/rcuperf-fix-cleanup-path-for-invalid-perf_type-strin.patch b/queue-4.19/rcuperf-fix-cleanup-path-for-invalid-perf_type-strin.patch new file mode 100644 index 00000000000..68ffe3a809c --- /dev/null +++ b/queue-4.19/rcuperf-fix-cleanup-path-for-invalid-perf_type-strin.patch @@ -0,0 +1,52 @@ +From 54eb45629aae49b382714de50ae9c35f597e83dd Mon Sep 17 00:00:00 2001 +From: "Paul E. McKenney" +Date: Thu, 21 Mar 2019 10:26:41 -0700 +Subject: rcuperf: Fix cleanup path for invalid perf_type strings + +[ Upstream commit ad092c027713a68a34168942a5ef422e42e039f4 ] + +If the specified rcuperf.perf_type is not in the rcu_perf_init() +function's perf_ops[] array, rcuperf prints some console messages and +then invokes rcu_perf_cleanup() to set state so that a future torture +test can run. However, rcu_perf_cleanup() also attempts to end the +test that didn't actually start, and in doing so relies on the value +of cur_ops, a value that is not particularly relevant in this case. +This can result in confusing output or even follow-on failures due to +attempts to use facilities that have not been properly initialized. + +This commit therefore sets the value of cur_ops to NULL in this case and +inserts a check near the beginning of rcu_perf_cleanup(), thus avoiding +relying on an irrelevant cur_ops value. + +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/rcuperf.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/kernel/rcu/rcuperf.c b/kernel/rcu/rcuperf.c +index 34244523550e1..19249b86fb33e 100644 +--- a/kernel/rcu/rcuperf.c ++++ b/kernel/rcu/rcuperf.c +@@ -561,6 +561,10 @@ rcu_perf_cleanup(void) + + if (torture_cleanup_begin()) + return; ++ if (!cur_ops) { ++ torture_cleanup_end(); ++ return; ++ } + + if (reader_tasks) { + for (i = 0; i < nrealreaders; i++) +@@ -681,6 +685,7 @@ rcu_perf_init(void) + pr_cont(" %s", perf_ops[i]->name); + pr_cont("\n"); + firsterr = -EINVAL; ++ cur_ops = NULL; + goto unwind; + } + if (cur_ops->init) +-- +2.20.1 + diff --git a/queue-4.19/rcutorture-fix-cleanup-path-for-invalid-torture_type.patch b/queue-4.19/rcutorture-fix-cleanup-path-for-invalid-torture_type.patch new file mode 100644 index 00000000000..88a13c42f04 --- /dev/null +++ b/queue-4.19/rcutorture-fix-cleanup-path-for-invalid-torture_type.patch @@ -0,0 +1,53 @@ +From 7ad538c610307f853c64f46fb8e6d481421daf41 Mon Sep 17 00:00:00 2001 +From: "Paul E. McKenney" +Date: Thu, 21 Mar 2019 09:27:28 -0700 +Subject: rcutorture: Fix cleanup path for invalid torture_type strings + +[ Upstream commit b813afae7ab6a5e91b4e16cc567331d9c2ae1f04 ] + +If the specified rcutorture.torture_type is not in the rcu_torture_init() +function's torture_ops[] array, rcutorture prints some console messages +and then invokes rcu_torture_cleanup() to set state so that a future +torture test can run. However, rcu_torture_cleanup() also attempts to +end the test that didn't actually start, and in doing so relies on the +value of cur_ops, a value that is not particularly relevant in this case. +This can result in confusing output or even follow-on failures due to +attempts to use facilities that have not been properly initialized. + +This commit therefore sets the value of cur_ops to NULL in this case +and inserts a check near the beginning of rcu_torture_cleanup(), +thus avoiding relying on an irrelevant cur_ops value. + +Reported-by: kernel test robot +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/rcutorture.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c +index c596c6f1e4571..0b7af7e2bcbb1 100644 +--- a/kernel/rcu/rcutorture.c ++++ b/kernel/rcu/rcutorture.c +@@ -1826,6 +1826,10 @@ rcu_torture_cleanup(void) + cur_ops->cb_barrier(); + return; + } ++ if (!cur_ops) { ++ torture_cleanup_end(); ++ return; ++ } + + rcu_torture_barrier_cleanup(); + torture_stop_kthread(rcu_torture_stall, stall_task); +@@ -1964,6 +1968,7 @@ rcu_torture_init(void) + pr_cont(" %s", torture_ops[i]->name); + pr_cont("\n"); + firsterr = -EINVAL; ++ cur_ops = NULL; + goto unwind; + } + if (cur_ops->fqs == NULL && fqs_duration != 0) { +-- +2.20.1 + diff --git a/queue-4.19/rdma-cma-consider-scope_id-while-binding-to-ipv6-ll-.patch b/queue-4.19/rdma-cma-consider-scope_id-while-binding-to-ipv6-ll-.patch new file mode 100644 index 00000000000..7b149e5d6cd --- /dev/null +++ b/queue-4.19/rdma-cma-consider-scope_id-while-binding-to-ipv6-ll-.patch @@ -0,0 +1,82 @@ +From 4db302056204d2f0eb144e3373e4a903b613f869 Mon Sep 17 00:00:00 2001 +From: Parav Pandit +Date: Wed, 10 Apr 2019 11:23:04 +0300 +Subject: RDMA/cma: Consider scope_id while binding to ipv6 ll address + +[ Upstream commit 5d7ed2f27bbd482fd29e6b2e204b1a1ee8a0b268 ] + +When two netdev have same link local addresses (such as vlan and non +vlan), two rdma cm listen id should be able to bind to following different +addresses. + +listener-1: addr=lla, scope_id=A, port=X +listener-2: addr=lla, scope_id=B, port=X + +However while comparing the addresses only addr and port are considered, +due to which 2nd listener fails to listen. + +In below example of two listeners, 2nd listener is failing with address in +use error. + +$ rping -sv -a fe80::268a:7ff:feb3:d113%ens2f1 -p 4545& + +$ rping -sv -a fe80::268a:7ff:feb3:d113%ens2f1.200 -p 4545 +rdma_bind_addr: Address already in use + +To overcome this, consider the scope_ids as well which forms the accurate +IPv6 link local address. + +Signed-off-by: Parav Pandit +Reviewed-by: Daniel Jurgens +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index 6f5be78024762..39dc7be56884a 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -1078,18 +1078,31 @@ static inline bool cma_any_addr(const struct sockaddr *addr) + return cma_zero_addr(addr) || cma_loopback_addr(addr); + } + +-static int cma_addr_cmp(struct sockaddr *src, struct sockaddr *dst) ++static int cma_addr_cmp(const struct sockaddr *src, const struct sockaddr *dst) + { + if (src->sa_family != dst->sa_family) + return -1; + + switch (src->sa_family) { + case AF_INET: +- return ((struct sockaddr_in *) src)->sin_addr.s_addr != +- ((struct sockaddr_in *) dst)->sin_addr.s_addr; +- case AF_INET6: +- return ipv6_addr_cmp(&((struct sockaddr_in6 *) src)->sin6_addr, +- &((struct sockaddr_in6 *) dst)->sin6_addr); ++ return ((struct sockaddr_in *)src)->sin_addr.s_addr != ++ ((struct sockaddr_in *)dst)->sin_addr.s_addr; ++ case AF_INET6: { ++ struct sockaddr_in6 *src_addr6 = (struct sockaddr_in6 *)src; ++ struct sockaddr_in6 *dst_addr6 = (struct sockaddr_in6 *)dst; ++ bool link_local; ++ ++ if (ipv6_addr_cmp(&src_addr6->sin6_addr, ++ &dst_addr6->sin6_addr)) ++ return 1; ++ link_local = ipv6_addr_type(&dst_addr6->sin6_addr) & ++ IPV6_ADDR_LINKLOCAL; ++ /* Link local must match their scope_ids */ ++ return link_local ? (src_addr6->sin6_scope_id != ++ dst_addr6->sin6_scope_id) : ++ 0; ++ } ++ + default: + return ib_addr_cmp(&((struct sockaddr_ib *) src)->sib_addr, + &((struct sockaddr_ib *) dst)->sib_addr); +-- +2.20.1 + diff --git a/queue-4.19/rdma-cxgb4-fix-null-pointer-dereference-on-alloc_skb.patch b/queue-4.19/rdma-cxgb4-fix-null-pointer-dereference-on-alloc_skb.patch new file mode 100644 index 00000000000..772aaa596c5 --- /dev/null +++ b/queue-4.19/rdma-cxgb4-fix-null-pointer-dereference-on-alloc_skb.patch @@ -0,0 +1,38 @@ +From c89c5f312f50cea89007292d58233beeb40bb56e Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Sat, 13 Apr 2019 17:00:26 +0100 +Subject: RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure + +[ Upstream commit a6d2a5a92e67d151c98886babdc86d530d27111c ] + +Currently if alloc_skb fails to allocate the skb a null skb is passed to +t4_set_arp_err_handler and this ends up dereferencing the null skb. Avoid +the NULL pointer dereference by checking for a NULL skb and returning +early. + +Addresses-Coverity: ("Dereference null return") +Fixes: b38a0ad8ec11 ("RDMA/cxgb4: Set arp error handler for PASS_ACCEPT_RPL messages") +Signed-off-by: Colin Ian King +Acked-by: Potnuri Bharat Teja +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/cm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index a68569ec86bf9..3be6405d9855e 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -458,6 +458,8 @@ static struct sk_buff *get_skb(struct sk_buff *skb, int len, gfp_t gfp) + skb_reset_transport_header(skb); + } else { + skb = alloc_skb(len, gfp); ++ if (!skb) ++ return NULL; + } + t4_set_arp_err_handler(skb, NULL, NULL); + return skb; +-- +2.20.1 + diff --git a/queue-4.19/rdma-hns-fix-bad-endianess-of-port_pd-variable.patch b/queue-4.19/rdma-hns-fix-bad-endianess-of-port_pd-variable.patch new file mode 100644 index 00000000000..497124c6a0f --- /dev/null +++ b/queue-4.19/rdma-hns-fix-bad-endianess-of-port_pd-variable.patch @@ -0,0 +1,41 @@ +From ddc8176bd1cc0d3c2d495df51fac15f32f2c7faf Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Tue, 19 Mar 2019 11:10:08 +0200 +Subject: RDMA/hns: Fix bad endianess of port_pd variable + +[ Upstream commit 6734b2973565e36659e97e12ab0d0faf1d9f3fbe ] + +port_pd is treated as le32 in declaration and read, fix assignment to be +in le32 too. This change fixes the following compilation warnings. + +drivers/infiniband/hw/hns/hns_roce_ah.c:67:24: warning: incorrect type +in assignment (different base types) +drivers/infiniband/hw/hns/hns_roce_ah.c:67:24: expected restricted __le32 [usertype] port_pd +drivers/infiniband/hw/hns/hns_roce_ah.c:67:24: got restricted __be32 [usertype] + +Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") +Signed-off-by: Leon Romanovsky +Reviewed-by: Gal Pressman +Reviewed-by: Lijun Ou +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_ah.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_ah.c b/drivers/infiniband/hw/hns/hns_roce_ah.c +index 0d96c5bb38cdf..d2d4ab9ab071c 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_ah.c ++++ b/drivers/infiniband/hw/hns/hns_roce_ah.c +@@ -66,7 +66,7 @@ struct ib_ah *hns_roce_create_ah(struct ib_pd *ibpd, + HNS_ROCE_VLAN_SL_BIT_MASK) << + HNS_ROCE_VLAN_SL_SHIFT; + +- ah->av.port_pd = cpu_to_be32(to_hr_pd(ibpd)->pdn | ++ ah->av.port_pd = cpu_to_le32(to_hr_pd(ibpd)->pdn | + (rdma_ah_get_port_num(ah_attr) << + HNS_ROCE_PORT_NUM_SHIFT)); + ah->av.gid_index = grh->sgid_index; +-- +2.20.1 + diff --git a/queue-4.19/rsi-fix-null-pointer-dereference-in-kmalloc.patch b/queue-4.19/rsi-fix-null-pointer-dereference-in-kmalloc.patch new file mode 100644 index 00000000000..8148fee5081 --- /dev/null +++ b/queue-4.19/rsi-fix-null-pointer-dereference-in-kmalloc.patch @@ -0,0 +1,90 @@ +From 191d9cf28b147fd343d7184674b4dc6aa7bb3143 Mon Sep 17 00:00:00 2001 +From: Aditya Pakki +Date: Sat, 23 Mar 2019 15:49:16 -0500 +Subject: rsi: Fix NULL pointer dereference in kmalloc + +[ Upstream commit d5414c2355b20ea8201156d2e874265f1cb0d775 ] + +kmalloc can fail in rsi_register_rates_channels but memcpy still attempts +to write to channels. The patch replaces these calls with kmemdup and +passes the error upstream. + +Signed-off-by: Aditya Pakki +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/rsi/rsi_91x_mac80211.c | 30 ++++++++++++--------- + 1 file changed, 18 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/wireless/rsi/rsi_91x_mac80211.c b/drivers/net/wireless/rsi/rsi_91x_mac80211.c +index 4e510cbe0a89f..be59d66585d6d 100644 +--- a/drivers/net/wireless/rsi/rsi_91x_mac80211.c ++++ b/drivers/net/wireless/rsi/rsi_91x_mac80211.c +@@ -188,27 +188,27 @@ bool rsi_is_cipher_wep(struct rsi_common *common) + * @adapter: Pointer to the adapter structure. + * @band: Operating band to be set. + * +- * Return: None. ++ * Return: int - 0 on success, negative error on failure. + */ +-static void rsi_register_rates_channels(struct rsi_hw *adapter, int band) ++static int rsi_register_rates_channels(struct rsi_hw *adapter, int band) + { + struct ieee80211_supported_band *sbands = &adapter->sbands[band]; + void *channels = NULL; + + if (band == NL80211_BAND_2GHZ) { +- channels = kmalloc(sizeof(rsi_2ghz_channels), GFP_KERNEL); +- memcpy(channels, +- rsi_2ghz_channels, +- sizeof(rsi_2ghz_channels)); ++ channels = kmemdup(rsi_2ghz_channels, sizeof(rsi_2ghz_channels), ++ GFP_KERNEL); ++ if (!channels) ++ return -ENOMEM; + sbands->band = NL80211_BAND_2GHZ; + sbands->n_channels = ARRAY_SIZE(rsi_2ghz_channels); + sbands->bitrates = rsi_rates; + sbands->n_bitrates = ARRAY_SIZE(rsi_rates); + } else { +- channels = kmalloc(sizeof(rsi_5ghz_channels), GFP_KERNEL); +- memcpy(channels, +- rsi_5ghz_channels, +- sizeof(rsi_5ghz_channels)); ++ channels = kmemdup(rsi_5ghz_channels, sizeof(rsi_5ghz_channels), ++ GFP_KERNEL); ++ if (!channels) ++ return -ENOMEM; + sbands->band = NL80211_BAND_5GHZ; + sbands->n_channels = ARRAY_SIZE(rsi_5ghz_channels); + sbands->bitrates = &rsi_rates[4]; +@@ -227,6 +227,7 @@ static void rsi_register_rates_channels(struct rsi_hw *adapter, int band) + sbands->ht_cap.mcs.rx_mask[0] = 0xff; + sbands->ht_cap.mcs.tx_params = IEEE80211_HT_MCS_TX_DEFINED; + /* sbands->ht_cap.mcs.rx_highest = 0x82; */ ++ return 0; + } + + /** +@@ -1985,11 +1986,16 @@ int rsi_mac80211_attach(struct rsi_common *common) + wiphy->available_antennas_rx = 1; + wiphy->available_antennas_tx = 1; + +- rsi_register_rates_channels(adapter, NL80211_BAND_2GHZ); ++ status = rsi_register_rates_channels(adapter, NL80211_BAND_2GHZ); ++ if (status) ++ return status; + wiphy->bands[NL80211_BAND_2GHZ] = + &adapter->sbands[NL80211_BAND_2GHZ]; + if (common->num_supp_bands > 1) { +- rsi_register_rates_channels(adapter, NL80211_BAND_5GHZ); ++ status = rsi_register_rates_channels(adapter, ++ NL80211_BAND_5GHZ); ++ if (status) ++ return status; + wiphy->bands[NL80211_BAND_5GHZ] = + &adapter->sbands[NL80211_BAND_5GHZ]; + } +-- +2.20.1 + diff --git a/queue-4.19/rtc-88pm860x-prevent-use-after-free-on-device-remove.patch b/queue-4.19/rtc-88pm860x-prevent-use-after-free-on-device-remove.patch new file mode 100644 index 00000000000..9a3f8ebb4cd --- /dev/null +++ b/queue-4.19/rtc-88pm860x-prevent-use-after-free-on-device-remove.patch @@ -0,0 +1,44 @@ +From 417d586dbad50e257ff55b6266e68cb9b97b13d3 Mon Sep 17 00:00:00 2001 +From: Sven Van Asbroeck +Date: Fri, 26 Apr 2019 14:36:35 -0400 +Subject: rtc: 88pm860x: prevent use-after-free on device remove + +[ Upstream commit f22b1ba15ee5785aa028384ebf77dd39e8e47b70 ] + +The device's remove() attempts to shut down the delayed_work scheduled +on the kernel-global workqueue by calling flush_scheduled_work(). + +Unfortunately, flush_scheduled_work() does not prevent the delayed_work +from re-scheduling itself. The delayed_work might run after the device +has been removed, and touch the already de-allocated info structure. +This is a potential use-after-free. + +Fix by calling cancel_delayed_work_sync() during remove(): this ensures +that the delayed work is properly cancelled, is no longer running, and +is not able to re-schedule itself. + +This issue was detected with the help of Coccinelle. + +Signed-off-by: Sven Van Asbroeck +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-88pm860x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-88pm860x.c b/drivers/rtc/rtc-88pm860x.c +index 01ffc0ef8033f..fbcf13bbbd8d1 100644 +--- a/drivers/rtc/rtc-88pm860x.c ++++ b/drivers/rtc/rtc-88pm860x.c +@@ -414,7 +414,7 @@ static int pm860x_rtc_remove(struct platform_device *pdev) + struct pm860x_rtc_info *info = platform_get_drvdata(pdev); + + #ifdef VRTC_CALIBRATION +- flush_scheduled_work(); ++ cancel_delayed_work_sync(&info->calib_work); + /* disable measurement */ + pm860x_set_bits(info->i2c, PM8607_MEAS_EN2, MEAS2_VRTC, 0); + #endif /* VRTC_CALIBRATION */ +-- +2.20.1 + diff --git a/queue-4.19/rtc-stm32-manage-the-get_irq-probe-defer-case.patch b/queue-4.19/rtc-stm32-manage-the-get_irq-probe-defer-case.patch new file mode 100644 index 00000000000..00585e966f3 --- /dev/null +++ b/queue-4.19/rtc-stm32-manage-the-get_irq-probe-defer-case.patch @@ -0,0 +1,42 @@ +From 49b9097b58134757d821aca7578e62892aeb130f Mon Sep 17 00:00:00 2001 +From: Fabien Dessenne +Date: Wed, 24 Apr 2019 14:26:48 +0200 +Subject: rtc: stm32: manage the get_irq probe defer case + +[ Upstream commit cf612c5949aca2bd81a1e28688957c8149ea2693 ] + +Manage the -EPROBE_DEFER error case for the wake IRQ. + +Signed-off-by: Fabien Dessenne +Acked-by: Amelie Delaunay +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-stm32.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/rtc/rtc-stm32.c b/drivers/rtc/rtc-stm32.c +index c5908cfea2340..8e6c9b3bcc29a 100644 +--- a/drivers/rtc/rtc-stm32.c ++++ b/drivers/rtc/rtc-stm32.c +@@ -788,11 +788,14 @@ static int stm32_rtc_probe(struct platform_device *pdev) + ret = device_init_wakeup(&pdev->dev, true); + if (rtc->data->has_wakeirq) { + rtc->wakeirq_alarm = platform_get_irq(pdev, 1); +- if (rtc->wakeirq_alarm <= 0) +- ret = rtc->wakeirq_alarm; +- else ++ if (rtc->wakeirq_alarm > 0) { + ret = dev_pm_set_dedicated_wake_irq(&pdev->dev, + rtc->wakeirq_alarm); ++ } else { ++ ret = rtc->wakeirq_alarm; ++ if (rtc->wakeirq_alarm == -EPROBE_DEFER) ++ goto err; ++ } + } + if (ret) + dev_warn(&pdev->dev, "alarm can't wake up the system: %d", ret); +-- +2.20.1 + diff --git a/queue-4.19/rtc-xgene-fix-possible-race-condition.patch b/queue-4.19/rtc-xgene-fix-possible-race-condition.patch new file mode 100644 index 00000000000..c7a8f27779d --- /dev/null +++ b/queue-4.19/rtc-xgene-fix-possible-race-condition.patch @@ -0,0 +1,61 @@ +From 02381e64d089071aee7b1be743b242ac10fac579 Mon Sep 17 00:00:00 2001 +From: Alexandre Belloni +Date: Wed, 20 Mar 2019 13:32:27 +0100 +Subject: rtc: xgene: fix possible race condition + +[ Upstream commit a652e00ee1233e251a337c28e18a1da59224e5ce ] + +The IRQ is requested before the struct rtc is allocated and registered, but +this struct is used in the IRQ handler. This may lead to a NULL pointer +dereference. + +Switch to devm_rtc_allocate_device/rtc_register_device to allocate the rtc +struct before requesting the IRQ. + +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-xgene.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/rtc/rtc-xgene.c b/drivers/rtc/rtc-xgene.c +index 153820876a820..2f741f455c30a 100644 +--- a/drivers/rtc/rtc-xgene.c ++++ b/drivers/rtc/rtc-xgene.c +@@ -168,6 +168,10 @@ static int xgene_rtc_probe(struct platform_device *pdev) + if (IS_ERR(pdata->csr_base)) + return PTR_ERR(pdata->csr_base); + ++ pdata->rtc = devm_rtc_allocate_device(&pdev->dev); ++ if (IS_ERR(pdata->rtc)) ++ return PTR_ERR(pdata->rtc); ++ + irq = platform_get_irq(pdev, 0); + if (irq < 0) { + dev_err(&pdev->dev, "No IRQ resource\n"); +@@ -198,15 +202,15 @@ static int xgene_rtc_probe(struct platform_device *pdev) + return ret; + } + +- pdata->rtc = devm_rtc_device_register(&pdev->dev, pdev->name, +- &xgene_rtc_ops, THIS_MODULE); +- if (IS_ERR(pdata->rtc)) { +- clk_disable_unprepare(pdata->clk); +- return PTR_ERR(pdata->rtc); +- } +- + /* HW does not support update faster than 1 seconds */ + pdata->rtc->uie_unsupported = 1; ++ pdata->rtc->ops = &xgene_rtc_ops; ++ ++ ret = rtc_register_device(pdata->rtc); ++ if (ret) { ++ clk_disable_unprepare(pdata->clk); ++ return ret; ++ } + + return 0; + } +-- +2.20.1 + diff --git a/queue-4.19/rtlwifi-fix-a-potential-null-pointer-dereference.patch b/queue-4.19/rtlwifi-fix-a-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..20701e33e42 --- /dev/null +++ b/queue-4.19/rtlwifi-fix-a-potential-null-pointer-dereference.patch @@ -0,0 +1,36 @@ +From 774877005f4e9455c51bcf880847c0b75d3d28e8 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 12 Mar 2019 02:56:33 -0500 +Subject: rtlwifi: fix a potential NULL pointer dereference + +[ Upstream commit 765976285a8c8db3f0eb7f033829a899d0c2786e ] + +In case alloc_workqueue fails, the fix reports the error and +returns to avoid NULL pointer dereference. + +Signed-off-by: Kangjie Lu +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/base.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c +index ef9b502ce576b..a3189294ecb80 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/base.c ++++ b/drivers/net/wireless/realtek/rtlwifi/base.c +@@ -469,6 +469,11 @@ static void _rtl_init_deferred_work(struct ieee80211_hw *hw) + /* <2> work queue */ + rtlpriv->works.hw = hw; + rtlpriv->works.rtl_wq = alloc_workqueue("%s", 0, 0, rtlpriv->cfg->name); ++ if (unlikely(!rtlpriv->works.rtl_wq)) { ++ pr_err("Failed to allocate work queue\n"); ++ return; ++ } ++ + INIT_DELAYED_WORK(&rtlpriv->works.watchdog_wq, + (void *)rtl_watchdog_wq_callback); + INIT_DELAYED_WORK(&rtlpriv->works.ips_nic_off_wq, +-- +2.20.1 + diff --git a/queue-4.19/rtlwifi-fix-potential-null-pointer-dereference.patch b/queue-4.19/rtlwifi-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..a5a300fdb2c --- /dev/null +++ b/queue-4.19/rtlwifi-fix-potential-null-pointer-dereference.patch @@ -0,0 +1,112 @@ +From 7b0bc326d70ce783ee541de429d2ce6a8bdecc6f Mon Sep 17 00:00:00 2001 +From: Ping-Ke Shih +Date: Tue, 12 Mar 2019 17:06:48 +0800 +Subject: rtlwifi: fix potential NULL pointer dereference + +[ Upstream commit 60209d482b97743915883d293c8b85226d230c19 ] + +In case dev_alloc_skb fails, the fix safely returns to avoid +potential NULL pointer dereference. + +Signed-off-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/rtl8188ee/fw.c | 2 ++ + drivers/net/wireless/realtek/rtlwifi/rtl8192c/fw_common.c | 2 ++ + drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c | 2 ++ + drivers/net/wireless/realtek/rtlwifi/rtl8723ae/fw.c | 2 ++ + drivers/net/wireless/realtek/rtlwifi/rtl8723be/fw.c | 2 ++ + drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.c | 4 ++++ + 6 files changed, 14 insertions(+) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/fw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/fw.c +index 63874512598bb..b5f91c994c798 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/fw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/fw.c +@@ -622,6 +622,8 @@ void rtl88e_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished) + u1rsvdpageloc, 3); + + skb = dev_alloc_skb(totalpacketlen); ++ if (!skb) ++ return; + skb_put_data(skb, &reserved_page_packet, totalpacketlen); + + rtstatus = rtl_cmd_send_packet(hw, skb); +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/fw_common.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/fw_common.c +index f3bff66e85d0c..81ec0e6e07c1f 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/fw_common.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/fw_common.c +@@ -646,6 +646,8 @@ void rtl92c_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, + + + skb = dev_alloc_skb(totalpacketlen); ++ if (!skb) ++ return; + skb_put_data(skb, &reserved_page_packet, totalpacketlen); + + if (cmd_send_packet) +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c +index 84a0d0eb72e1e..a933490928ba9 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c +@@ -766,6 +766,8 @@ void rtl92ee_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished) + u1rsvdpageloc, 3); + + skb = dev_alloc_skb(totalpacketlen); ++ if (!skb) ++ return; + skb_put_data(skb, &reserved_page_packet, totalpacketlen); + + rtstatus = rtl_cmd_send_packet(hw, skb); +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/fw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/fw.c +index bf9859f74b6f5..52f108744e969 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/fw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/fw.c +@@ -470,6 +470,8 @@ void rtl8723e_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished) + u1rsvdpageloc, 3); + + skb = dev_alloc_skb(totalpacketlen); ++ if (!skb) ++ return; + skb_put_data(skb, &reserved_page_packet, totalpacketlen); + + rtstatus = rtl_cmd_send_packet(hw, skb); +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/fw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/fw.c +index f2441fbb92f1e..307c2bd77f060 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/fw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/fw.c +@@ -584,6 +584,8 @@ void rtl8723be_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, + u1rsvdpageloc, sizeof(u1rsvdpageloc)); + + skb = dev_alloc_skb(totalpacketlen); ++ if (!skb) ++ return; + skb_put_data(skb, &reserved_page_packet, totalpacketlen); + + rtstatus = rtl_cmd_send_packet(hw, skb); +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.c +index d868a034659fb..d7235f6165fdf 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.c +@@ -1645,6 +1645,8 @@ void rtl8812ae_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, + &reserved_page_packet_8812[0], totalpacketlen); + + skb = dev_alloc_skb(totalpacketlen); ++ if (!skb) ++ return; + skb_put_data(skb, &reserved_page_packet_8812, totalpacketlen); + + rtstatus = rtl_cmd_send_packet(hw, skb); +@@ -1781,6 +1783,8 @@ void rtl8821ae_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, + &reserved_page_packet_8821[0], totalpacketlen); + + skb = dev_alloc_skb(totalpacketlen); ++ if (!skb) ++ return; + skb_put_data(skb, &reserved_page_packet_8821, totalpacketlen); + + rtstatus = rtl_cmd_send_packet(hw, skb); +-- +2.20.1 + diff --git a/queue-4.19/s390-cio-fix-cio_irb-declaration.patch b/queue-4.19/s390-cio-fix-cio_irb-declaration.patch new file mode 100644 index 00000000000..8e3c21be541 --- /dev/null +++ b/queue-4.19/s390-cio-fix-cio_irb-declaration.patch @@ -0,0 +1,61 @@ +From 894d53481dd36f2dbacca39619fdaf343cb42282 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 8 Apr 2019 23:26:20 +0200 +Subject: s390: cio: fix cio_irb declaration + +[ Upstream commit e91012ee855ad9f5ef2ab106a3de51db93fe4d0c ] + +clang points out that the declaration of cio_irb does not match the +definition exactly, it is missing the alignment attribute: + +../drivers/s390/cio/cio.c:50:1: warning: section does not match previous declaration [-Wsection] +DEFINE_PER_CPU_ALIGNED(struct irb, cio_irb); +^ +../include/linux/percpu-defs.h:150:2: note: expanded from macro 'DEFINE_PER_CPU_ALIGNED' + DEFINE_PER_CPU_SECTION(type, name, PER_CPU_ALIGNED_SECTION) \ + ^ +../include/linux/percpu-defs.h:93:9: note: expanded from macro 'DEFINE_PER_CPU_SECTION' + extern __PCPU_ATTRS(sec) __typeof__(type) name; \ + ^ +../include/linux/percpu-defs.h:49:26: note: expanded from macro '__PCPU_ATTRS' + __percpu __attribute__((section(PER_CPU_BASE_SECTION sec))) \ + ^ +../drivers/s390/cio/cio.h:118:1: note: previous attribute is here +DECLARE_PER_CPU(struct irb, cio_irb); +^ +../include/linux/percpu-defs.h:111:2: note: expanded from macro 'DECLARE_PER_CPU' + DECLARE_PER_CPU_SECTION(type, name, "") + ^ +../include/linux/percpu-defs.h:87:9: note: expanded from macro 'DECLARE_PER_CPU_SECTION' + extern __PCPU_ATTRS(sec) __typeof__(type) name + ^ +../include/linux/percpu-defs.h:49:26: note: expanded from macro '__PCPU_ATTRS' + __percpu __attribute__((section(PER_CPU_BASE_SECTION sec))) \ + ^ +Use DECLARE_PER_CPU_ALIGNED() here, to make the two match. + +Signed-off-by: Arnd Bergmann +Reviewed-by: Nathan Chancellor +Signed-off-by: Sebastian Ott +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/cio.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/s390/cio/cio.h b/drivers/s390/cio/cio.h +index 9811fd8a0c731..92eabbb5f18d4 100644 +--- a/drivers/s390/cio/cio.h ++++ b/drivers/s390/cio/cio.h +@@ -115,7 +115,7 @@ struct subchannel { + struct schib_config config; + } __attribute__ ((aligned(8))); + +-DECLARE_PER_CPU(struct irb, cio_irb); ++DECLARE_PER_CPU_ALIGNED(struct irb, cio_irb); + + #define to_subchannel(n) container_of(n, struct subchannel, dev) + +-- +2.20.1 + diff --git a/queue-4.19/s390-kexec_file-fix-detection-of-text-segment-in-elf.patch b/queue-4.19/s390-kexec_file-fix-detection-of-text-segment-in-elf.patch new file mode 100644 index 00000000000..d3db208aad5 --- /dev/null +++ b/queue-4.19/s390-kexec_file-fix-detection-of-text-segment-in-elf.patch @@ -0,0 +1,53 @@ +From d1be2fd235569b02b820d8951c2adbf94ba2771d Mon Sep 17 00:00:00 2001 +From: Philipp Rudo +Date: Mon, 1 Apr 2019 12:48:43 +0200 +Subject: s390/kexec_file: Fix detection of text segment in ELF loader + +[ Upstream commit 729829d775c9a5217abc784b2f16087d79c4eec8 ] + +To register data for the next kernel (command line, oldmem_base, etc.) the +current kernel needs to find the ELF segment that contains head.S. This is +currently done by checking ifor 'phdr->p_paddr == 0'. This works fine for +the current kernel build but in theory the first few pages could be +skipped. Make the detection more robust by checking if the entry point lies +within the segment. + +Signed-off-by: Philipp Rudo +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/kexec_elf.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/kexec_elf.c b/arch/s390/kernel/kexec_elf.c +index 5a286b012043b..602e7cc26d118 100644 +--- a/arch/s390/kernel/kexec_elf.c ++++ b/arch/s390/kernel/kexec_elf.c +@@ -19,10 +19,15 @@ static int kexec_file_add_elf_kernel(struct kimage *image, + struct kexec_buf buf; + const Elf_Ehdr *ehdr; + const Elf_Phdr *phdr; ++ Elf_Addr entry; + int i, ret; + + ehdr = (Elf_Ehdr *)kernel; + buf.image = image; ++ if (image->type == KEXEC_TYPE_CRASH) ++ entry = STARTUP_KDUMP_OFFSET; ++ else ++ entry = ehdr->e_entry; + + phdr = (void *)ehdr + ehdr->e_phoff; + for (i = 0; i < ehdr->e_phnum; i++, phdr++) { +@@ -35,7 +40,7 @@ static int kexec_file_add_elf_kernel(struct kimage *image, + buf.mem = ALIGN(phdr->p_paddr, phdr->p_align); + buf.memsz = phdr->p_memsz; + +- if (phdr->p_paddr == 0) { ++ if (entry - phdr->p_paddr < phdr->p_memsz) { + data->kernel_buf = buf.buffer; + data->memsz += STARTUP_NORMAL_OFFSET; + +-- +2.20.1 + diff --git a/queue-4.19/s390-mm-silence-compiler-warning-when-compiling-with.patch b/queue-4.19/s390-mm-silence-compiler-warning-when-compiling-with.patch new file mode 100644 index 00000000000..838be115dca --- /dev/null +++ b/queue-4.19/s390-mm-silence-compiler-warning-when-compiling-with.patch @@ -0,0 +1,52 @@ +From a1e39b5c5ca244e0954f3146f14d9c1ef1fbb130 Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Sun, 7 Apr 2019 14:55:09 +0200 +Subject: s390/mm: silence compiler warning when compiling without CONFIG_PGSTE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 81a8f2beb32a5951ecf04385301f50879abc092b ] + +If CONFIG_PGSTE is not set (e.g. when compiling without KVM), GCC complains: + + CC arch/s390/mm/pgtable.o +arch/s390/mm/pgtable.c:413:15: warning: ‘pmd_alloc_map’ defined but not + used [-Wunused-function] + static pmd_t *pmd_alloc_map(struct mm_struct *mm, unsigned long addr) + ^~~~~~~~~~~~~ + +Wrap the function with "#ifdef CONFIG_PGSTE" to silence the warning. + +Signed-off-by: Thomas Huth +Reviewed-by: David Hildenbrand +Signed-off-by: Heiko Carstens +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +--- + arch/s390/mm/pgtable.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/s390/mm/pgtable.c b/arch/s390/mm/pgtable.c +index f2cc7da473e4e..ae894ac83fd61 100644 +--- a/arch/s390/mm/pgtable.c ++++ b/arch/s390/mm/pgtable.c +@@ -410,6 +410,7 @@ static inline pmd_t pmdp_flush_lazy(struct mm_struct *mm, + return old; + } + ++#ifdef CONFIG_PGSTE + static pmd_t *pmd_alloc_map(struct mm_struct *mm, unsigned long addr) + { + pgd_t *pgd; +@@ -427,6 +428,7 @@ static pmd_t *pmd_alloc_map(struct mm_struct *mm, unsigned long addr) + pmd = pmd_alloc(mm, pud, addr); + return pmd; + } ++#endif + + pmd_t pmdp_xchg_direct(struct mm_struct *mm, unsigned long addr, + pmd_t *pmdp, pmd_t new) +-- +2.20.1 + diff --git a/queue-4.19/s390-qeth-address-type-mismatch-warning.patch b/queue-4.19/s390-qeth-address-type-mismatch-warning.patch new file mode 100644 index 00000000000..4f27db53703 --- /dev/null +++ b/queue-4.19/s390-qeth-address-type-mismatch-warning.patch @@ -0,0 +1,62 @@ +From efe516ea63241b5b8b425aa1b923dfc09781f38e Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 25 Apr 2019 18:25:54 +0200 +Subject: s390: qeth: address type mismatch warning + +[ Upstream commit 46b83629dede262315aa82179d105581f11763b6 ] + +clang produces a harmless warning for each use for the qeth_adp_supported +macro: + +drivers/s390/net/qeth_l2_main.c:559:31: warning: implicit conversion from enumeration type 'enum qeth_ipa_setadp_cmd' to + different enumeration type 'enum qeth_ipa_funcs' [-Wenum-conversion] + if (qeth_adp_supported(card, IPA_SETADP_SET_PROMISC_MODE)) + ~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/s390/net/qeth_core.h:179:41: note: expanded from macro 'qeth_adp_supported' + qeth_is_ipa_supported(&c->options.adp, f) + ~~~~~~~~~~~~~~~~~~~~~ ^ + +Add a version of this macro that uses the correct types, and +remove the unused qeth_adp_enabled() macro that has the same +problem. + +Reviewed-by: Nathan Chancellor +Signed-off-by: Arnd Bergmann +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/qeth_core.h | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/s390/net/qeth_core.h b/drivers/s390/net/qeth_core.h +index 2d1f6a583641b..b2657582cfcfd 100644 +--- a/drivers/s390/net/qeth_core.h ++++ b/drivers/s390/net/qeth_core.h +@@ -201,6 +201,12 @@ struct qeth_vnicc_info { + bool rx_bcast_enabled; + }; + ++static inline int qeth_is_adp_supported(struct qeth_ipa_info *ipa, ++ enum qeth_ipa_setadp_cmd func) ++{ ++ return (ipa->supported_funcs & func); ++} ++ + static inline int qeth_is_ipa_supported(struct qeth_ipa_info *ipa, + enum qeth_ipa_funcs func) + { +@@ -214,9 +220,7 @@ static inline int qeth_is_ipa_enabled(struct qeth_ipa_info *ipa, + } + + #define qeth_adp_supported(c, f) \ +- qeth_is_ipa_supported(&c->options.adp, f) +-#define qeth_adp_enabled(c, f) \ +- qeth_is_ipa_enabled(&c->options.adp, f) ++ qeth_is_adp_supported(&c->options.adp, f) + #define qeth_is_supported(c, f) \ + qeth_is_ipa_supported(&c->options.ipa4, f) + #define qeth_is_enabled(c, f) \ +-- +2.20.1 + diff --git a/queue-4.19/s390-qeth-handle-error-from-qeth_update_from_chp_des.patch b/queue-4.19/s390-qeth-handle-error-from-qeth_update_from_chp_des.patch new file mode 100644 index 00000000000..5ae2dc7c7e0 --- /dev/null +++ b/queue-4.19/s390-qeth-handle-error-from-qeth_update_from_chp_des.patch @@ -0,0 +1,81 @@ +From 382f0ca109095d22a1a3cfd828a486b8f30968bc Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Wed, 17 Apr 2019 18:17:29 +0200 +Subject: s390/qeth: handle error from qeth_update_from_chp_desc() + +[ Upstream commit a4cdc9baee0740748f16e50cd70c2607510df492 ] + +Subsequent code relies on the values that qeth_update_from_chp_desc() +reads from the CHP descriptor. Rather than dealing with weird errors +later on, just handle it properly here. + +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/qeth_core_main.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c +index 56aacf32f71b0..461afc276db72 100644 +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -1370,7 +1370,7 @@ static void qeth_set_multiple_write_queues(struct qeth_card *card) + card->qdio.no_out_queues = 4; + } + +-static void qeth_update_from_chp_desc(struct qeth_card *card) ++static int qeth_update_from_chp_desc(struct qeth_card *card) + { + struct ccw_device *ccwdev; + struct channel_path_desc_fmt0 *chp_dsc; +@@ -1380,7 +1380,7 @@ static void qeth_update_from_chp_desc(struct qeth_card *card) + ccwdev = card->data.ccwdev; + chp_dsc = ccw_device_get_chp_desc(ccwdev, 0); + if (!chp_dsc) +- goto out; ++ return -ENOMEM; + + card->info.func_level = 0x4100 + chp_dsc->desc; + if (card->info.type == QETH_CARD_TYPE_IQD) +@@ -1395,6 +1395,7 @@ static void qeth_update_from_chp_desc(struct qeth_card *card) + kfree(chp_dsc); + QETH_DBF_TEXT_(SETUP, 2, "nr:%x", card->qdio.no_out_queues); + QETH_DBF_TEXT_(SETUP, 2, "lvl:%02x", card->info.func_level); ++ return 0; + } + + static void qeth_init_qdio_info(struct qeth_card *card) +@@ -5090,7 +5091,9 @@ int qeth_core_hardsetup_card(struct qeth_card *card) + + QETH_DBF_TEXT(SETUP, 2, "hrdsetup"); + atomic_set(&card->force_alloc_skb, 0); +- qeth_update_from_chp_desc(card); ++ rc = qeth_update_from_chp_desc(card); ++ if (rc) ++ return rc; + retry: + if (retries < 3) + QETH_DBF_MESSAGE(2, "%s Retrying to do IDX activates.\n", +@@ -5768,7 +5771,9 @@ static int qeth_core_probe_device(struct ccwgroup_device *gdev) + gdev->cdev[2]->handler = qeth_irq; + + qeth_setup_card(card); +- qeth_update_from_chp_desc(card); ++ rc = qeth_update_from_chp_desc(card); ++ if (rc) ++ goto err_chp_desc; + + card->dev = qeth_alloc_netdev(card); + if (!card->dev) { +@@ -5806,6 +5811,7 @@ static int qeth_core_probe_device(struct ccwgroup_device *gdev) + qeth_core_free_discipline(card); + err_load: + free_netdev(card->dev); ++err_chp_desc: + err_card: + qeth_core_free_card(card); + err_dev: +-- +2.20.1 + diff --git a/queue-4.19/s390-zcrypt-initialize-variables-before_use.patch b/queue-4.19/s390-zcrypt-initialize-variables-before_use.patch new file mode 100644 index 00000000000..cc9fc8d0ee1 --- /dev/null +++ b/queue-4.19/s390-zcrypt-initialize-variables-before_use.patch @@ -0,0 +1,74 @@ +From 630a645f1b686d3072cf4e35aed3df0d11e29faa Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 8 Apr 2019 23:26:18 +0200 +Subject: s390: zcrypt: initialize variables before_use + +[ Upstream commit 913140e221567b3ecd21b4242257a7e3fa279026 ] + +The 'func_code' variable gets printed in debug statements without +a prior initialization in multiple functions, as reported when building +with clang: + +drivers/s390/crypto/zcrypt_api.c:659:6: warning: variable 'func_code' is used uninitialized whenever 'if' condition is true + [-Wsometimes-uninitialized] + if (mex->outputdatalength < mex->inputdatalength) { + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/s390/crypto/zcrypt_api.c:725:29: note: uninitialized use occurs here + trace_s390_zcrypt_rep(mex, func_code, rc, + ^~~~~~~~~ +drivers/s390/crypto/zcrypt_api.c:659:2: note: remove the 'if' if its condition is always false + if (mex->outputdatalength < mex->inputdatalength) { + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/s390/crypto/zcrypt_api.c:654:24: note: initialize the variable 'func_code' to silence this warning + unsigned int func_code; + ^ + +Add initializations to all affected code paths to shut up the warning +and make the warning output consistent. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +--- + drivers/s390/crypto/zcrypt_api.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/s390/crypto/zcrypt_api.c b/drivers/s390/crypto/zcrypt_api.c +index e6854127b4343..b2737bfeb8bb6 100644 +--- a/drivers/s390/crypto/zcrypt_api.c ++++ b/drivers/s390/crypto/zcrypt_api.c +@@ -224,6 +224,7 @@ static long zcrypt_rsa_modexpo(struct ica_rsa_modexpo *mex) + trace_s390_zcrypt_req(mex, TP_ICARSAMODEXPO); + + if (mex->outputdatalength < mex->inputdatalength) { ++ func_code = 0; + rc = -EINVAL; + goto out; + } +@@ -298,6 +299,7 @@ static long zcrypt_rsa_crt(struct ica_rsa_modexpo_crt *crt) + trace_s390_zcrypt_req(crt, TP_ICARSACRT); + + if (crt->outputdatalength < crt->inputdatalength) { ++ func_code = 0; + rc = -EINVAL; + goto out; + } +@@ -483,6 +485,7 @@ static long zcrypt_send_ep11_cprb(struct ep11_urb *xcrb) + + targets = kcalloc(target_num, sizeof(*targets), GFP_KERNEL); + if (!targets) { ++ func_code = 0; + rc = -ENOMEM; + goto out; + } +@@ -490,6 +493,7 @@ static long zcrypt_send_ep11_cprb(struct ep11_urb *xcrb) + uptr = (struct ep11_target_dev __force __user *) xcrb->targets; + if (copy_from_user(targets, uptr, + target_num * sizeof(*targets))) { ++ func_code = 0; + rc = -EFAULT; + goto out_free; + } +-- +2.20.1 + diff --git a/queue-4.19/sched-core-check-quota-and-period-overflow-at-usec-t.patch b/queue-4.19/sched-core-check-quota-and-period-overflow-at-usec-t.patch new file mode 100644 index 00000000000..84cf4c802bb --- /dev/null +++ b/queue-4.19/sched-core-check-quota-and-period-overflow-at-usec-t.patch @@ -0,0 +1,61 @@ +From 83a5faa31cc5b741a062479736b3c59086c36792 Mon Sep 17 00:00:00 2001 +From: Konstantin Khlebnikov +Date: Wed, 27 Feb 2019 11:10:20 +0300 +Subject: sched/core: Check quota and period overflow at usec to nsec + conversion + +[ Upstream commit 1a8b4540db732ca16c9e43ac7c08b1b8f0b252d8 ] + +Large values could overflow u64 and pass following sanity checks. + + # echo 18446744073750000 > cpu.cfs_period_us + # cat cpu.cfs_period_us + 40448 + + # echo 18446744073750000 > cpu.cfs_quota_us + # cat cpu.cfs_quota_us + 40448 + +After this patch they will fail with -EINVAL. + +Signed-off-by: Konstantin Khlebnikov +Acked-by: Peter Zijlstra +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/155125502079.293431.3947497929372138600.stgit@buzz +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/sched/core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index d7f409866cdf5..bd5ae34c20c0b 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -6593,8 +6593,10 @@ int tg_set_cfs_quota(struct task_group *tg, long cfs_quota_us) + period = ktime_to_ns(tg->cfs_bandwidth.period); + if (cfs_quota_us < 0) + quota = RUNTIME_INF; +- else ++ else if ((u64)cfs_quota_us <= U64_MAX / NSEC_PER_USEC) + quota = (u64)cfs_quota_us * NSEC_PER_USEC; ++ else ++ return -EINVAL; + + return tg_set_cfs_bandwidth(tg, period, quota); + } +@@ -6616,6 +6618,9 @@ int tg_set_cfs_period(struct task_group *tg, long cfs_period_us) + { + u64 quota, period; + ++ if ((u64)cfs_period_us > U64_MAX / NSEC_PER_USEC) ++ return -EINVAL; ++ + period = (u64)cfs_period_us * NSEC_PER_USEC; + quota = tg->cfs_bandwidth.quota; + +-- +2.20.1 + diff --git a/queue-4.19/sched-core-handle-overflow-in-cpu_shares_write_u64.patch b/queue-4.19/sched-core-handle-overflow-in-cpu_shares_write_u64.patch new file mode 100644 index 00000000000..8d40cba947a --- /dev/null +++ b/queue-4.19/sched-core-handle-overflow-in-cpu_shares_write_u64.patch @@ -0,0 +1,46 @@ +From b96bda50d1548131d1a3ba38af29f52e2722eb4a Mon Sep 17 00:00:00 2001 +From: Konstantin Khlebnikov +Date: Wed, 27 Feb 2019 11:10:18 +0300 +Subject: sched/core: Handle overflow in cpu_shares_write_u64 + +[ Upstream commit 5b61d50ab4ef590f5e1d4df15cd2cea5f5715308 ] + +Bit shift in scale_load() could overflow shares. This patch saturates +it to MAX_SHARES like following sched_group_set_shares(). + +Example: + + # echo 9223372036854776832 > cpu.shares + # cat cpu.shares + +Before patch: 1024 +After pattch: 262144 + +Signed-off-by: Konstantin Khlebnikov +Acked-by: Peter Zijlstra +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/155125501891.293431.3345233332801109696.stgit@buzz +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/sched/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index bd5ae34c20c0b..6138754e5030f 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -6491,6 +6491,8 @@ static void cpu_cgroup_attach(struct cgroup_taskset *tset) + static int cpu_shares_write_u64(struct cgroup_subsys_state *css, + struct cftype *cftype, u64 shareval) + { ++ if (shareval > scale_load_down(ULONG_MAX)) ++ shareval = MAX_SHARES; + return sched_group_set_shares(css_tg(css), scale_load(shareval)); + } + +-- +2.20.1 + diff --git a/queue-4.19/sched-cpufreq-fix-kobject-memleak.patch b/queue-4.19/sched-cpufreq-fix-kobject-memleak.patch new file mode 100644 index 00000000000..9f3aec41e17 --- /dev/null +++ b/queue-4.19/sched-cpufreq-fix-kobject-memleak.patch @@ -0,0 +1,59 @@ +From 6b1917550a8395d3fae5de7e29118a9b21039129 Mon Sep 17 00:00:00 2001 +From: Viresh Kumar +Date: Tue, 30 Apr 2019 11:35:52 +0530 +Subject: sched/cpufreq: Fix kobject memleak + +[ Upstream commit 9a4f26cc98d81b67ecc23b890c28e2df324e29f3 ] + +Currently the error return path from kobject_init_and_add() is not +followed by a call to kobject_put() - which means we are leaking +the kobject. + +Fix it by adding a call to kobject_put() in the error path of +kobject_init_and_add(). + +Signed-off-by: Tobin C. Harding +Cc: Greg Kroah-Hartman +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Rafael J. Wysocki +Cc: Thomas Gleixner +Cc: Tobin C. Harding +Cc: Vincent Guittot +Cc: Viresh Kumar +Link: http://lkml.kernel.org/r/20190430001144.24890-1-tobin@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq.c | 1 + + drivers/cpufreq/cpufreq_governor.c | 2 ++ + 2 files changed, 3 insertions(+) + +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index 505c9a55d5551..d3213594d1a7a 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -1103,6 +1103,7 @@ static struct cpufreq_policy *cpufreq_policy_alloc(unsigned int cpu) + cpufreq_global_kobject, "policy%u", cpu); + if (ret) { + pr_err("%s: failed to init policy->kobj: %d\n", __func__, ret); ++ kobject_put(&policy->kobj); + goto err_free_real_cpus; + } + +diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c +index 6d53f7d9fc7a9..69fc5cf4782fb 100644 +--- a/drivers/cpufreq/cpufreq_governor.c ++++ b/drivers/cpufreq/cpufreq_governor.c +@@ -459,6 +459,8 @@ int cpufreq_dbs_governor_init(struct cpufreq_policy *policy) + /* Failure, so roll back. */ + pr_err("initialization failed (dbs_data kobject init error %d)\n", ret); + ++ kobject_put(&dbs_data->attr_set.kobj); ++ + policy->governor_data = NULL; + + if (!have_governor_per_policy()) +-- +2.20.1 + diff --git a/queue-4.19/sched-nohz-run-nohz-idle-load-balancer-on-hk_flag_mi.patch b/queue-4.19/sched-nohz-run-nohz-idle-load-balancer-on-hk_flag_mi.patch new file mode 100644 index 00000000000..6328e1b4fe1 --- /dev/null +++ b/queue-4.19/sched-nohz-run-nohz-idle-load-balancer-on-hk_flag_mi.patch @@ -0,0 +1,72 @@ +From d01ae753d0e3fd7fb71d35e1a09c4273c4b3267c Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Fri, 12 Apr 2019 14:26:13 +1000 +Subject: sched/nohz: Run NOHZ idle load balancer on HK_FLAG_MISC CPUs + +[ Upstream commit 9b019acb72e4b5741d88e8936d6f200ed44b66b2 ] + +The NOHZ idle balancer runs on the lowest idle CPU. This can +interfere with isolated CPUs, so confine it to HK_FLAG_MISC +housekeeping CPUs. + +HK_FLAG_SCHED is not used for this because it is not set anywhere +at the moment. This could be folded into HK_FLAG_SCHED once that +option is fixed. + +The problem was observed with increased jitter on an application +running on CPU0, caused by NOHZ idle load balancing being run on +CPU1 (an SMT sibling). + +Signed-off-by: Nicholas Piggin +Signed-off-by: Peter Zijlstra (Intel) +Cc: Frederic Weisbecker +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: https://lkml.kernel.org/r/20190412042613.28930-1-npiggin@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index d31916366d39c..7a1e9db617f76 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -9083,22 +9083,26 @@ static inline int on_null_domain(struct rq *rq) + * - When one of the busy CPUs notice that there may be an idle rebalancing + * needed, they will kick the idle load balancer, which then does idle + * load balancing for all the idle CPUs. ++ * - HK_FLAG_MISC CPUs are used for this task, because HK_FLAG_SCHED not set ++ * anywhere yet. + */ + + static inline int find_new_ilb(void) + { +- int ilb = cpumask_first(nohz.idle_cpus_mask); ++ int ilb; + +- if (ilb < nr_cpu_ids && idle_cpu(ilb)) +- return ilb; ++ for_each_cpu_and(ilb, nohz.idle_cpus_mask, ++ housekeeping_cpumask(HK_FLAG_MISC)) { ++ if (idle_cpu(ilb)) ++ return ilb; ++ } + + return nr_cpu_ids; + } + + /* +- * Kick a CPU to do the nohz balancing, if it is time for it. We pick the +- * nohz_load_balancer CPU (if there is one) otherwise fallback to any idle +- * CPU (if there is one). ++ * Kick a CPU to do the nohz balancing, if it is time for it. We pick any ++ * idle CPU in the HK_FLAG_MISC housekeeping set (if there is one). + */ + static void kick_ilb(unsigned int flags) + { +-- +2.20.1 + diff --git a/queue-4.19/sched-rt-check-integer-overflow-at-usec-to-nsec-conv.patch b/queue-4.19/sched-rt-check-integer-overflow-at-usec-to-nsec-conv.patch new file mode 100644 index 00000000000..3a663cafa24 --- /dev/null +++ b/queue-4.19/sched-rt-check-integer-overflow-at-usec-to-nsec-conv.patch @@ -0,0 +1,57 @@ +From 74ab2142cf4b6ccb8b8b242b9535f31d56f33156 Mon Sep 17 00:00:00 2001 +From: Konstantin Khlebnikov +Date: Wed, 27 Feb 2019 11:10:17 +0300 +Subject: sched/rt: Check integer overflow at usec to nsec conversion + +[ Upstream commit 1a010e29cfa00fee2888fd2fd4983f848cbafb58 ] + +Example of unhandled overflows: + + # echo 18446744073709651 > cpu.rt_runtime_us + # cat cpu.rt_runtime_us + 99 + + # echo 18446744073709900 > cpu.rt_period_us + # cat cpu.rt_period_us + 348 + +After this patch they will fail with -EINVAL. + +Signed-off-by: Konstantin Khlebnikov +Acked-by: Peter Zijlstra +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/155125501739.293431.5252197504404771496.stgit@buzz +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/sched/rt.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c +index 2e2955a8cf8fe..b980cc96604fa 100644 +--- a/kernel/sched/rt.c ++++ b/kernel/sched/rt.c +@@ -2559,6 +2559,8 @@ int sched_group_set_rt_runtime(struct task_group *tg, long rt_runtime_us) + rt_runtime = (u64)rt_runtime_us * NSEC_PER_USEC; + if (rt_runtime_us < 0) + rt_runtime = RUNTIME_INF; ++ else if ((u64)rt_runtime_us > U64_MAX / NSEC_PER_USEC) ++ return -EINVAL; + + return tg_set_rt_bandwidth(tg, rt_period, rt_runtime); + } +@@ -2579,6 +2581,9 @@ int sched_group_set_rt_period(struct task_group *tg, u64 rt_period_us) + { + u64 rt_runtime, rt_period; + ++ if (rt_period_us > U64_MAX / NSEC_PER_USEC) ++ return -EINVAL; ++ + rt_period = rt_period_us * NSEC_PER_USEC; + rt_runtime = tg->rt_bandwidth.rt_runtime; + +-- +2.20.1 + diff --git a/queue-4.19/scsi-libsas-do-discovery-on-empty-phy-to-update-phy-.patch b/queue-4.19/scsi-libsas-do-discovery-on-empty-phy-to-update-phy-.patch new file mode 100644 index 00000000000..16252b074b6 --- /dev/null +++ b/queue-4.19/scsi-libsas-do-discovery-on-empty-phy-to-update-phy-.patch @@ -0,0 +1,55 @@ +From e2c30fc194b2de85237058794c20106bcdc7c090 Mon Sep 17 00:00:00 2001 +From: John Garry +Date: Fri, 12 Apr 2019 16:57:56 +0800 +Subject: scsi: libsas: Do discovery on empty PHY to update PHY info + +[ Upstream commit d8649fc1c5e40e691d589ed825998c36a947491c ] + +When we discover the PHY is empty in sas_rediscover_dev(), the PHY +information (like negotiated linkrate) is not updated. + +As such, for a user examining sysfs for that PHY, they would see +incorrect values: + +root@(none)$ cd /sys/class/sas_phy/phy-0:0:20 +root@(none)$ more negotiated_linkrate +3.0 Gbit +root@(none)$ echo 0 > enable +root@(none)$ more negotiated_linkrate +3.0 Gbit + +So fix this, simply discover the PHY again, even though we know it's empty; +in the above example, this gives us: + +root@(none)$ more negotiated_linkrate +Phy disabled + +We must do this after unregistering the device associated with the PHY +(in sas_unregister_devs_sas_addr()). + +Signed-off-by: John Garry +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libsas/sas_expander.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index e9ecc667e3fb4..231eb79efa320 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -2040,6 +2040,11 @@ static int sas_rediscover_dev(struct domain_device *dev, int phy_id, bool last) + if ((SAS_ADDR(sas_addr) == 0) || (res == -ECOMM)) { + phy->phy_state = PHY_EMPTY; + sas_unregister_devs_sas_addr(dev, phy_id, last); ++ /* ++ * Even though the PHY is empty, for convenience we discover ++ * the PHY to update the PHY info, like negotiated linkrate. ++ */ ++ sas_ex_phy_discover(dev, phy_id); + return res; + } else if (SAS_ADDR(sas_addr) == SAS_ADDR(phy->attached_sas_addr) && + dev_type_flutter(type, phy->attached_dev_type)) { +-- +2.20.1 + diff --git a/queue-4.19/scsi-lpfc-avoid-uninitialized-variable-warning.patch b/queue-4.19/scsi-lpfc-avoid-uninitialized-variable-warning.patch new file mode 100644 index 00000000000..5c39900937f --- /dev/null +++ b/queue-4.19/scsi-lpfc-avoid-uninitialized-variable-warning.patch @@ -0,0 +1,62 @@ +From c3c872af2729858b97ab2b1e71175d62c0343f5f Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 22 Mar 2019 15:25:49 +0100 +Subject: scsi: lpfc: avoid uninitialized variable warning + +[ Upstream commit faf5a744f4f8d76e7c03912b5cd381ac8045f6ec ] + +clang -Wuninitialized incorrectly sees a variable being used without +initialization: + +drivers/scsi/lpfc/lpfc_nvme.c:2102:37: error: variable 'localport' is uninitialized when used here + [-Werror,-Wuninitialized] + lport = (struct lpfc_nvme_lport *)localport->private; + ^~~~~~~~~ +drivers/scsi/lpfc/lpfc_nvme.c:2059:38: note: initialize the variable 'localport' to silence this warning + struct nvme_fc_local_port *localport; + ^ + = NULL +1 error generated. + +This is clearly in dead code, as the condition leading up to it is always +false when CONFIG_NVME_FC is disabled, and the variable is always +initialized when nvme_fc_register_localport() got called successfully. + +Change the preprocessor conditional to the equivalent C construct, which +makes the code more readable and gets rid of the warning. + +Signed-off-by: Arnd Bergmann +Acked-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_nvme.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_nvme.c b/drivers/scsi/lpfc/lpfc_nvme.c +index ca62117a2d131..099f70798fdda 100644 +--- a/drivers/scsi/lpfc/lpfc_nvme.c ++++ b/drivers/scsi/lpfc/lpfc_nvme.c +@@ -2482,15 +2482,15 @@ lpfc_nvme_create_localport(struct lpfc_vport *vport) + if (!cstat) + return -ENOMEM; + ++ if (!IS_ENABLED(CONFIG_NVME_FC)) ++ return ret; ++ + /* localport is allocated from the stack, but the registration + * call allocates heap memory as well as the private area. + */ +-#if (IS_ENABLED(CONFIG_NVME_FC)) ++ + ret = nvme_fc_register_localport(&nfcp_info, &lpfc_nvme_template, + &vport->phba->pcidev->dev, &localport); +-#else +- ret = -ENOMEM; +-#endif + if (!ret) { + lpfc_printf_vlog(vport, KERN_INFO, LOG_NVME | LOG_NVME_DISC, + "6005 Successfully registered local " +-- +2.20.1 + diff --git a/queue-4.19/scsi-lpfc-fix-fc4type-information-for-fdmi.patch b/queue-4.19/scsi-lpfc-fix-fc4type-information-for-fdmi.patch new file mode 100644 index 00000000000..dba6a6d738e --- /dev/null +++ b/queue-4.19/scsi-lpfc-fix-fc4type-information-for-fdmi.patch @@ -0,0 +1,58 @@ +From f74a649027535221da90fa78c608e37670fda90a Mon Sep 17 00:00:00 2001 +From: James Smart +Date: Tue, 12 Mar 2019 16:30:21 -0700 +Subject: scsi: lpfc: Fix fc4type information for FDMI + +[ Upstream commit 32a80c093b524a0682f1c6166c910387b116ffce ] + +The driver is reporting support for NVME even when not configured for NVME +operation. + +Fix (and make more readable) when NVME protocol support is indicated. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_ct.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c +index 06621a438cade..d909d90035bb2 100644 +--- a/drivers/scsi/lpfc/lpfc_ct.c ++++ b/drivers/scsi/lpfc/lpfc_ct.c +@@ -2120,10 +2120,11 @@ lpfc_fdmi_port_attr_fc4type(struct lpfc_vport *vport, + ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; + memset(ae, 0, 32); + +- ae->un.AttrTypes[3] = 0x02; /* Type 1 - ELS */ +- ae->un.AttrTypes[2] = 0x01; /* Type 8 - FCP */ +- ae->un.AttrTypes[6] = 0x01; /* Type 40 - NVME */ +- ae->un.AttrTypes[7] = 0x01; /* Type 32 - CT */ ++ ae->un.AttrTypes[3] = 0x02; /* Type 0x1 - ELS */ ++ ae->un.AttrTypes[2] = 0x01; /* Type 0x8 - FCP */ ++ if (vport->nvmei_support || vport->phba->nvmet_support) ++ ae->un.AttrTypes[6] = 0x01; /* Type 0x28 - NVME */ ++ ae->un.AttrTypes[7] = 0x01; /* Type 0x20 - CT */ + size = FOURBYTES + 32; + ad->AttrLen = cpu_to_be16(size); + ad->AttrType = cpu_to_be16(RPRT_SUPPORTED_FC4_TYPES); +@@ -2428,9 +2429,11 @@ lpfc_fdmi_port_attr_active_fc4type(struct lpfc_vport *vport, + ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; + memset(ae, 0, 32); + +- ae->un.AttrTypes[3] = 0x02; /* Type 1 - ELS */ +- ae->un.AttrTypes[2] = 0x01; /* Type 8 - FCP */ +- ae->un.AttrTypes[7] = 0x01; /* Type 32 - CT */ ++ ae->un.AttrTypes[3] = 0x02; /* Type 0x1 - ELS */ ++ ae->un.AttrTypes[2] = 0x01; /* Type 0x8 - FCP */ ++ if (vport->phba->cfg_enable_fc4_type & LPFC_ENABLE_NVME) ++ ae->un.AttrTypes[6] = 0x1; /* Type 0x28 - NVME */ ++ ae->un.AttrTypes[7] = 0x01; /* Type 0x20 - CT */ + size = FOURBYTES + 32; + ad->AttrLen = cpu_to_be16(size); + ad->AttrType = cpu_to_be16(RPRT_ACTIVE_FC4_TYPES); +-- +2.20.1 + diff --git a/queue-4.19/scsi-lpfc-fix-fdmi-manufacturer-attribute-value.patch b/queue-4.19/scsi-lpfc-fix-fdmi-manufacturer-attribute-value.patch new file mode 100644 index 00000000000..45264fcac84 --- /dev/null +++ b/queue-4.19/scsi-lpfc-fix-fdmi-manufacturer-attribute-value.patch @@ -0,0 +1,37 @@ +From e178f164e95d164108cca4ec87f1df4c81f5548d Mon Sep 17 00:00:00 2001 +From: James Smart +Date: Tue, 12 Mar 2019 16:30:20 -0700 +Subject: scsi: lpfc: Fix FDMI manufacturer attribute value + +[ Upstream commit d67f935b79a76ac9d86dde1a27bdd413feb5d987 ] + +The FDMI manufacturer value being reported on Linux is inconsistent with +other OS's. + +Set the value to "Emulex Corporation" for consistency. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_ct.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c +index 1a964e71582f4..06621a438cade 100644 +--- a/drivers/scsi/lpfc/lpfc_ct.c ++++ b/drivers/scsi/lpfc/lpfc_ct.c +@@ -1762,6 +1762,9 @@ lpfc_fdmi_hba_attr_manufacturer(struct lpfc_vport *vport, + ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; + memset(ae, 0, 256); + ++ /* This string MUST be consistent with other FC platforms ++ * supported by Broadcom. ++ */ + strncpy(ae->un.AttrString, + "Emulex Corporation", + sizeof(ae->un.AttrString)); +-- +2.20.1 + diff --git a/queue-4.19/scsi-lpfc-fix-sli3-commands-being-issued-on-sli4-dev.patch b/queue-4.19/scsi-lpfc-fix-sli3-commands-being-issued-on-sli4-dev.patch new file mode 100644 index 00000000000..749d9bdd6ff --- /dev/null +++ b/queue-4.19/scsi-lpfc-fix-sli3-commands-being-issued-on-sli4-dev.patch @@ -0,0 +1,60 @@ +From f52ae54669925e5d23818b2adbe16fb6b97f883e Mon Sep 17 00:00:00 2001 +From: James Smart +Date: Tue, 12 Mar 2019 16:30:07 -0700 +Subject: scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices + +[ Upstream commit c95a3b4b0fb8d351e2329a96f87c4fc96a149505 ] + +During debug, it was seen that the driver is issuing commands specific to +SLI3 on SLI4 devices. Although the adapter correctly rejected the command, +this should not be done. + +Revise the code to stop sending these commands on a SLI4 adapter. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_hbadisc.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index eb71877f12f8b..ccdd82b1123f7 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -921,7 +921,11 @@ lpfc_linkdown(struct lpfc_hba *phba) + } + } + lpfc_destroy_vport_work_array(phba, vports); +- /* Clean up any firmware default rpi's */ ++ ++ /* Clean up any SLI3 firmware default rpi's */ ++ if (phba->sli_rev > LPFC_SLI_REV3) ++ goto skip_unreg_did; ++ + mb = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); + if (mb) { + lpfc_unreg_did(phba, 0xffff, LPFC_UNREG_ALL_DFLT_RPIS, mb); +@@ -933,6 +937,7 @@ lpfc_linkdown(struct lpfc_hba *phba) + } + } + ++ skip_unreg_did: + /* Setup myDID for link up if we are in pt2pt mode */ + if (phba->pport->fc_flag & FC_PT2PT) { + mb = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); +@@ -4855,6 +4860,10 @@ lpfc_unreg_default_rpis(struct lpfc_vport *vport) + LPFC_MBOXQ_t *mbox; + int rc; + ++ /* Unreg DID is an SLI3 operation. */ ++ if (phba->sli_rev > LPFC_SLI_REV3) ++ return; ++ + mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); + if (mbox) { + lpfc_unreg_did(phba, vport->vpi, LPFC_UNREG_ALL_DFLT_RPIS, +-- +2.20.1 + diff --git a/queue-4.19/scsi-qedf-add-missing-return-in-qedf_post_io_req-in-.patch b/queue-4.19/scsi-qedf-add-missing-return-in-qedf_post_io_req-in-.patch new file mode 100644 index 00000000000..473f0a2104c --- /dev/null +++ b/queue-4.19/scsi-qedf-add-missing-return-in-qedf_post_io_req-in-.patch @@ -0,0 +1,80 @@ +From b09d65cae9d0a8564c75f24c77dfdfd4e828c52c Mon Sep 17 00:00:00 2001 +From: Chad Dupuis +Date: Tue, 26 Mar 2019 00:38:35 -0700 +Subject: scsi: qedf: Add missing return in qedf_post_io_req() in the fcport + offload check + +[ Upstream commit c5e06ba2f76809ad1492fdad312e81335df46bc5 ] + +Fixes the following crash as the return was missing from the check if an +fcport is offloaded. If we hit this code we continue to try to post an +invalid task which can lead to the crash: + +[30259.616411] [0000:61:00.3]:[qedf_post_io_req:989]:3: Session not offloaded yet. +[30259.616413] [0000:61:00.3]:[qedf_upload_connection:1340]:3: Uploading connection port_id=490020. +[30259.623769] BUG: unable to handle kernel NULL pointer dereference at 0000000000000198 +[30259.631645] IP: [] qedf_init_task.isra.16+0x3d/0x450 [qedf] +[30259.638816] PGD 0 +[30259.640841] Oops: 0000 [#1] SMP +[30259.644098] Modules linked in: fuse xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun bridge stp llc ebtable_filter ebtables devlink ip6table_filter ip6_tables iptable_filter vfat fat ib_isert iscsi_target_mod ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib ib_ucm ib_umad dm_service_time skx_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel rpcrdma sunrpc rdma_ucm ib_uverbs lrw gf128mul ib_iser rdma_cm iw_cm ib_cm libiscsi scsi_transport_iscsi qedr(OE) glue_helper ablk_helper cryptd ib_core dm_round_robin joydev pcspkr ipmi_ssif ses enclosure ipmi_si ipmi_devintf ipmi_msghandler mei_me +[30259.715529] mei sg hpilo hpwdt shpchp wmi lpc_ich acpi_power_meter dm_multipath ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic uas usb_storage mgag200 qedf(OE) i2c_algo_bit libfcoe drm_kms_helper libfc syscopyarea sysfillrect scsi_transport_fc qede(OE) sysimgblt fb_sys_fops ptp ttm pps_core drm qed(OE) smartpqi crct10dif_pclmul crct10dif_common crc32c_intel i2c_core scsi_transport_sas scsi_tgt dm_mirror dm_region_hash dm_log dm_mod +[30259.754237] CPU: 9 PID: 977 Comm: kdmwork-253:7 Kdump: loaded Tainted: G W OE ------------ 3.10.0-862.el7.x86_64 #1 +[30259.765664] Hardware name: HPE Synergy 480 Gen10/Synergy 480 Gen10 Compute Module, BIOS I42 04/04/2018 +[30259.775000] task: ffff8c801efd0000 ti: ffff8c801efd8000 task.ti: ffff8c801efd8000 +[30259.782505] RIP: 0010:[] [] qedf_init_task.isra.16+0x3d/0x450 [qedf] +[30259.792116] RSP: 0018:ffff8c801efdbbb0 EFLAGS: 00010046 +[30259.797444] RAX: 0000000000000000 RBX: ffffa7f1450948d8 RCX: ffff8c7fe5bc40c8 +[30259.804600] RDX: ffff8c800715b300 RSI: ffffa7f1450948d8 RDI: ffff8c80169c2480 +[30259.811755] RBP: ffff8c801efdbc30 R08: 00000000000000ae R09: ffff8c800a314540 +[30259.818911] R10: ffff8c7fe5bc40c8 R11: ffff8c801efdb8ae R12: 0000000000000000 +[30259.826068] R13: ffff8c800715b300 R14: ffff8c80169c2480 R15: ffff8c8005da28e0 +[30259.833223] FS: 0000000000000000(0000) GS:ffff8c803f840000(0000) knlGS:0000000000000000 +[30259.841338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[30259.847100] CR2: 0000000000000198 CR3: 000000081242e000 CR4: 00000000007607e0 +[30259.854256] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[30259.861412] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[30259.868568] PKRU: 00000000 +[30259.871278] Call Trace: +[30259.873737] [] qedf_post_io_req+0x148/0x680 [qedf] +[30259.880201] [] qedf_queuecommand+0x1f0/0x240 [qedf] +[30259.886749] [] scsi_dispatch_cmd+0xb0/0x240 +[30259.892600] [] scsi_request_fn+0x4cc/0x680 +[30259.898364] [] __blk_run_queue+0x39/0x50 +[30259.903954] [] __elv_add_request+0xd3/0x260 +[30259.909805] [] blk_insert_cloned_request+0xf0/0x1b0 +[30259.916358] [] map_request+0x142/0x220 [dm_mod] +[30259.922560] [] map_tio_request+0x16/0x40 [dm_mod] +[30259.928932] [] kthread_worker_fn+0x85/0x180 +[30259.934782] [] ? kthread_stop+0xf0/0xf0 +[30259.940284] [] kthread+0xd1/0xe0 +[30259.945176] [] ? insert_kthread_work+0x40/0x40 +[30259.951290] [] ret_from_fork_nospec_begin+0x7/0x21 +[30259.957750] [] ? insert_kthread_work+0x40/0x40 +[30259.963860] Code: fe 41 55 49 89 d5 41 54 53 48 89 f3 48 83 ec 58 4c 8b 67 28 4c 8b 4e 18 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 4c 8b 7e 58 <49> 8b 84 24 98 01 00 00 48 8b 00 f6 80 31 01 00 00 10 0f 85 0b +[30259.983372] RIP [] qedf_init_task.isra.16+0x3d/0x450 [qedf] +[30259.990630] RSP +[30259.994127] CR2: 0000000000000198 + +Signed-off-by: Chad Dupuis +Signed-off-by: Saurav Kashyap +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_io.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/qedf/qedf_io.c b/drivers/scsi/qedf/qedf_io.c +index 6bbc38b1b4654..a17c13846d1eb 100644 +--- a/drivers/scsi/qedf/qedf_io.c ++++ b/drivers/scsi/qedf/qedf_io.c +@@ -902,6 +902,7 @@ int qedf_post_io_req(struct qedf_rport *fcport, struct qedf_ioreq *io_req) + if (!test_bit(QEDF_RPORT_SESSION_READY, &fcport->flags)) { + QEDF_ERR(&(qedf->dbg_ctx), "Session not offloaded yet.\n"); + kref_put(&io_req->refcount, qedf_release_cmd); ++ return -EINVAL; + } + + /* Obtain free SQE */ +-- +2.20.1 + diff --git a/queue-4.19/scsi-qedi-abort-ep-termination-if-offload-not-schedu.patch b/queue-4.19/scsi-qedi-abort-ep-termination-if-offload-not-schedu.patch new file mode 100644 index 00000000000..f6071d477b6 --- /dev/null +++ b/queue-4.19/scsi-qedi-abort-ep-termination-if-offload-not-schedu.patch @@ -0,0 +1,74 @@ +From 90b534df084847af92d56d9bc7e36338984d2ecf Mon Sep 17 00:00:00 2001 +From: Manish Rangankar +Date: Fri, 26 Apr 2019 03:55:45 -0700 +Subject: scsi: qedi: Abort ep termination if offload not scheduled + +[ Upstream commit f848bfd8e167210a29374e8a678892bed591684f ] + +Sometimes during connection recovery when there is a failure to resolve +ARP, and offload connection was not issued, driver tries to flush pending +offload connection work which was not queued up. + +kernel: WARNING: CPU: 19 PID: 10110 at kernel/workqueue.c:3030 __flush_work.isra.34+0x19c/0x1b0 +kernel: CPU: 19 PID: 10110 Comm: iscsid Tainted: G W 5.1.0-rc4 #11 +kernel: Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 2.9.1 12/04/2018 +kernel: RIP: 0010:__flush_work.isra.34+0x19c/0x1b0 +kernel: Code: 8b fb 66 0f 1f 44 00 00 31 c0 eb ab 48 89 ef c6 07 00 0f 1f 40 00 fb 66 0f 1f 44 00 00 31 c0 eb 96 e8 08 16 fe ff 0f 0b eb 8d <0f> 0b 31 c0 eb 87 0f 1f 40 00 66 2e 0f 1 +f 84 00 00 00 00 00 0f 1f +kernel: RSP: 0018:ffffa6b4054dba68 EFLAGS: 00010246 +kernel: RAX: 0000000000000000 RBX: ffff91df21c36fc0 RCX: 0000000000000000 +kernel: RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff91df21c36fc0 +kernel: RBP: ffff91df21c36ef0 R08: 0000000000000000 R09: 0000000000000000 +kernel: R10: 0000000000000038 R11: ffffa6b4054dbd60 R12: ffffffffc05e72c0 +kernel: R13: ffff91db10280820 R14: 0000000000000048 R15: 0000000000000000 +kernel: FS: 00007f5d83cc1740(0000) GS:ffff91df2f840000(0000) knlGS:0000000000000000 +kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +kernel: CR2: 0000000001cc5000 CR3: 0000000465450002 CR4: 00000000001606e0 +kernel: Call Trace: +kernel: ? try_to_del_timer_sync+0x4d/0x80 +kernel: qedi_ep_disconnect+0x3b/0x410 [qedi] +kernel: ? 0xffffffffc083c000 +kernel: ? klist_iter_exit+0x14/0x20 +kernel: ? class_find_device+0x93/0xf0 +kernel: iscsi_if_ep_disconnect.isra.18+0x58/0x70 [scsi_transport_iscsi] +kernel: iscsi_if_recv_msg+0x10e2/0x1510 [scsi_transport_iscsi] +kernel: ? copyout+0x22/0x30 +kernel: ? _copy_to_iter+0xa0/0x430 +kernel: ? _cond_resched+0x15/0x30 +kernel: ? __kmalloc_node_track_caller+0x1f9/0x270 +kernel: iscsi_if_rx+0xa5/0x1e0 [scsi_transport_iscsi] +kernel: netlink_unicast+0x17f/0x230 +kernel: netlink_sendmsg+0x2d2/0x3d0 +kernel: sock_sendmsg+0x36/0x50 +kernel: ___sys_sendmsg+0x280/0x2a0 +kernel: ? timerqueue_add+0x54/0x80 +kernel: ? enqueue_hrtimer+0x38/0x90 +kernel: ? hrtimer_start_range_ns+0x19f/0x2c0 +kernel: __sys_sendmsg+0x58/0xa0 +kernel: do_syscall_64+0x5b/0x180 +kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Signed-off-by: Manish Rangankar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedi/qedi_iscsi.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c +index d4821b9dea45d..4130b9117055f 100644 +--- a/drivers/scsi/qedi/qedi_iscsi.c ++++ b/drivers/scsi/qedi/qedi_iscsi.c +@@ -1001,6 +1001,9 @@ static void qedi_ep_disconnect(struct iscsi_endpoint *ep) + qedi_ep = ep->dd_data; + qedi = qedi_ep->qedi; + ++ if (qedi_ep->state == EP_STATE_OFLDCONN_START) ++ goto ep_exit_recover; ++ + flush_work(&qedi_ep->offload_work); + + if (qedi_ep->conn) { +-- +2.20.1 + diff --git a/queue-4.19/scsi-qla2xxx-avoid-that-lockdep-complains-about-unsa.patch b/queue-4.19/scsi-qla2xxx-avoid-that-lockdep-complains-about-unsa.patch new file mode 100644 index 00000000000..4b710ea09da --- /dev/null +++ b/queue-4.19/scsi-qla2xxx-avoid-that-lockdep-complains-about-unsa.patch @@ -0,0 +1,261 @@ +From 09d66c9909bd8384c31ab19ddd555a1e77516a0c Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Wed, 17 Apr 2019 14:44:43 -0700 +Subject: scsi: qla2xxx: Avoid that lockdep complains about unsafe locking in + tcm_qla2xxx_close_session() + +[ Upstream commit d4023db71108375e4194e92730ba0d32d7f07813 ] + +This patch avoids that lockdep reports the following warning: + +===================================================== +WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected +5.1.0-rc1-dbg+ #11 Tainted: G W +----------------------------------------------------- +rmdir/1478 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire: +00000000e7ac4607 (&(&k->k_lock)->rlock){+.+.}, at: klist_next+0x43/0x1d0 + +and this task is already holding: +00000000cf0baf5e (&(&ha->tgt.sess_lock)->rlock){-...}, at: tcm_qla2xxx_close_session+0x57/0xb0 [tcm_qla2xxx] +which would create a new lock dependency: + (&(&ha->tgt.sess_lock)->rlock){-...} -> (&(&k->k_lock)->rlock){+.+.} + +but this new dependency connects a HARDIRQ-irq-safe lock: + (&(&ha->tgt.sess_lock)->rlock){-...} + +... which became HARDIRQ-irq-safe at: + lock_acquire+0xe3/0x200 + _raw_spin_lock_irqsave+0x3d/0x60 + qla2x00_fcport_event_handler+0x1f3d/0x22b0 [qla2xxx] + qla2x00_async_login_sp_done+0x1dc/0x1f0 [qla2xxx] + qla24xx_process_response_queue+0xa37/0x10e0 [qla2xxx] + qla24xx_msix_rsp_q+0x79/0xf0 [qla2xxx] + __handle_irq_event_percpu+0x79/0x3c0 + handle_irq_event_percpu+0x70/0xf0 + handle_irq_event+0x5a/0x8b + handle_edge_irq+0x12c/0x310 + handle_irq+0x192/0x20a + do_IRQ+0x73/0x160 + ret_from_intr+0x0/0x1d + default_idle+0x23/0x1f0 + arch_cpu_idle+0x15/0x20 + default_idle_call+0x35/0x40 + do_idle+0x2bb/0x2e0 + cpu_startup_entry+0x1d/0x20 + start_secondary+0x24d/0x2d0 + secondary_startup_64+0xa4/0xb0 + +to a HARDIRQ-irq-unsafe lock: + (&(&k->k_lock)->rlock){+.+.} + +... which became HARDIRQ-irq-unsafe at: +... + lock_acquire+0xe3/0x200 + _raw_spin_lock+0x32/0x50 + klist_add_tail+0x33/0xb0 + device_add+0x7f4/0xb60 + device_create_groups_vargs+0x11c/0x150 + device_create_with_groups+0x89/0xb0 + vtconsole_class_init+0xb2/0x124 + do_one_initcall+0xc5/0x3ce + kernel_init_freeable+0x295/0x32e + kernel_init+0x11/0x11b + ret_from_fork+0x3a/0x50 + +other info that might help us debug this: + + Possible interrupt unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&(&k->k_lock)->rlock); + local_irq_disable(); + lock(&(&ha->tgt.sess_lock)->rlock); + lock(&(&k->k_lock)->rlock); + + lock(&(&ha->tgt.sess_lock)->rlock); + + *** DEADLOCK *** + +4 locks held by rmdir/1478: + #0: 000000002c7f1ba4 (sb_writers#10){.+.+}, at: mnt_want_write+0x32/0x70 + #1: 00000000c85eb147 (&default_group_class[depth - 1]#2/1){+.+.}, at: do_rmdir+0x217/0x2d0 + #2: 000000002b164d6f (&sb->s_type->i_mutex_key#13){++++}, at: vfs_rmdir+0x7e/0x1d0 + #3: 00000000cf0baf5e (&(&ha->tgt.sess_lock)->rlock){-...}, at: tcm_qla2xxx_close_session+0x57/0xb0 [tcm_qla2xxx] + +the dependencies between HARDIRQ-irq-safe lock and the holding lock: +-> (&(&ha->tgt.sess_lock)->rlock){-...} ops: 127 { + IN-HARDIRQ-W at: + lock_acquire+0xe3/0x200 + _raw_spin_lock_irqsave+0x3d/0x60 + qla2x00_fcport_event_handler+0x1f3d/0x22b0 [qla2xxx] + qla2x00_async_login_sp_done+0x1dc/0x1f0 [qla2xxx] + qla24xx_process_response_queue+0xa37/0x10e0 [qla2xxx] + qla24xx_msix_rsp_q+0x79/0xf0 [qla2xxx] + __handle_irq_event_percpu+0x79/0x3c0 + handle_irq_event_percpu+0x70/0xf0 + handle_irq_event+0x5a/0x8b + handle_edge_irq+0x12c/0x310 + handle_irq+0x192/0x20a + do_IRQ+0x73/0x160 + ret_from_intr+0x0/0x1d + default_idle+0x23/0x1f0 + arch_cpu_idle+0x15/0x20 + default_idle_call+0x35/0x40 + do_idle+0x2bb/0x2e0 + cpu_startup_entry+0x1d/0x20 + start_secondary+0x24d/0x2d0 + secondary_startup_64+0xa4/0xb0 + INITIAL USE at: + lock_acquire+0xe3/0x200 + _raw_spin_lock_irqsave+0x3d/0x60 + qla2x00_loop_resync+0xb3d/0x2690 [qla2xxx] + qla2x00_do_dpc+0xcee/0xf30 [qla2xxx] + kthread+0x1d2/0x1f0 + ret_from_fork+0x3a/0x50 + } + ... key at: [] __key.62804+0x0/0xfffffffffff7e900 [qla2xxx] + ... acquired at: + __lock_acquire+0x11ed/0x1b60 + lock_acquire+0xe3/0x200 + _raw_spin_lock_irqsave+0x3d/0x60 + klist_next+0x43/0x1d0 + device_for_each_child+0x96/0x110 + scsi_target_block+0x3c/0x40 [scsi_mod] + fc_remote_port_delete+0xe7/0x1c0 [scsi_transport_fc] + qla2x00_mark_device_lost+0x4d3/0x500 [qla2xxx] + qlt_unreg_sess+0x104/0x2c0 [qla2xxx] + tcm_qla2xxx_close_session+0xa2/0xb0 [tcm_qla2xxx] + target_shutdown_sessions+0x17b/0x190 [target_core_mod] + core_tpg_del_initiator_node_acl+0xf3/0x1f0 [target_core_mod] + target_fabric_nacl_base_release+0x25/0x30 [target_core_mod] + config_item_release+0x9f/0x120 [configfs] + config_item_put+0x29/0x2b [configfs] + configfs_rmdir+0x3d2/0x520 [configfs] + vfs_rmdir+0xb3/0x1d0 + do_rmdir+0x25c/0x2d0 + __x64_sys_rmdir+0x24/0x30 + do_syscall_64+0x77/0x220 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +the dependencies between the lock to be acquired + and HARDIRQ-irq-unsafe lock: +-> (&(&k->k_lock)->rlock){+.+.} ops: 14568 { + HARDIRQ-ON-W at: + lock_acquire+0xe3/0x200 + _raw_spin_lock+0x32/0x50 + klist_add_tail+0x33/0xb0 + device_add+0x7f4/0xb60 + device_create_groups_vargs+0x11c/0x150 + device_create_with_groups+0x89/0xb0 + vtconsole_class_init+0xb2/0x124 + do_one_initcall+0xc5/0x3ce + kernel_init_freeable+0x295/0x32e + kernel_init+0x11/0x11b + ret_from_fork+0x3a/0x50 + SOFTIRQ-ON-W at: + lock_acquire+0xe3/0x200 + _raw_spin_lock+0x32/0x50 + klist_add_tail+0x33/0xb0 + device_add+0x7f4/0xb60 + device_create_groups_vargs+0x11c/0x150 + device_create_with_groups+0x89/0xb0 + vtconsole_class_init+0xb2/0x124 + do_one_initcall+0xc5/0x3ce + kernel_init_freeable+0x295/0x32e + kernel_init+0x11/0x11b + ret_from_fork+0x3a/0x50 + INITIAL USE at: + lock_acquire+0xe3/0x200 + _raw_spin_lock+0x32/0x50 + klist_add_tail+0x33/0xb0 + device_add+0x7f4/0xb60 + device_create_groups_vargs+0x11c/0x150 + device_create_with_groups+0x89/0xb0 + vtconsole_class_init+0xb2/0x124 + do_one_initcall+0xc5/0x3ce + kernel_init_freeable+0x295/0x32e + kernel_init+0x11/0x11b + ret_from_fork+0x3a/0x50 + } + ... key at: [] __key.15805+0x0/0x40 + ... acquired at: + __lock_acquire+0x11ed/0x1b60 + lock_acquire+0xe3/0x200 + _raw_spin_lock_irqsave+0x3d/0x60 + klist_next+0x43/0x1d0 + device_for_each_child+0x96/0x110 + scsi_target_block+0x3c/0x40 [scsi_mod] + fc_remote_port_delete+0xe7/0x1c0 [scsi_transport_fc] + qla2x00_mark_device_lost+0x4d3/0x500 [qla2xxx] + qlt_unreg_sess+0x104/0x2c0 [qla2xxx] + tcm_qla2xxx_close_session+0xa2/0xb0 [tcm_qla2xxx] + target_shutdown_sessions+0x17b/0x190 [target_core_mod] + core_tpg_del_initiator_node_acl+0xf3/0x1f0 [target_core_mod] + target_fabric_nacl_base_release+0x25/0x30 [target_core_mod] + config_item_release+0x9f/0x120 [configfs] + config_item_put+0x29/0x2b [configfs] + configfs_rmdir+0x3d2/0x520 [configfs] + vfs_rmdir+0xb3/0x1d0 + do_rmdir+0x25c/0x2d0 + __x64_sys_rmdir+0x24/0x30 + do_syscall_64+0x77/0x220 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +stack backtrace: +CPU: 7 PID: 1478 Comm: rmdir Tainted: G W 5.1.0-rc1-dbg+ #11 +Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 +Call Trace: + dump_stack+0x86/0xca + check_usage.cold.59+0x473/0x563 + check_prev_add.constprop.43+0x1f1/0x1170 + __lock_acquire+0x11ed/0x1b60 + lock_acquire+0xe3/0x200 + _raw_spin_lock_irqsave+0x3d/0x60 + klist_next+0x43/0x1d0 + device_for_each_child+0x96/0x110 + scsi_target_block+0x3c/0x40 [scsi_mod] + fc_remote_port_delete+0xe7/0x1c0 [scsi_transport_fc] + qla2x00_mark_device_lost+0x4d3/0x500 [qla2xxx] + qlt_unreg_sess+0x104/0x2c0 [qla2xxx] + tcm_qla2xxx_close_session+0xa2/0xb0 [tcm_qla2xxx] + target_shutdown_sessions+0x17b/0x190 [target_core_mod] + core_tpg_del_initiator_node_acl+0xf3/0x1f0 [target_core_mod] + target_fabric_nacl_base_release+0x25/0x30 [target_core_mod] + config_item_release+0x9f/0x120 [configfs] + config_item_put+0x29/0x2b [configfs] + configfs_rmdir+0x3d2/0x520 [configfs] + vfs_rmdir+0xb3/0x1d0 + do_rmdir+0x25c/0x2d0 + __x64_sys_rmdir+0x24/0x30 + do_syscall_64+0x77/0x220 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Cc: Himanshu Madhani +Cc: Giridhar Malavali +Signed-off-by: Bart Van Assche +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/tcm_qla2xxx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c +index 7ef549903124d..f425a9e5056bf 100644 +--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c ++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c +@@ -365,8 +365,9 @@ static void tcm_qla2xxx_close_session(struct se_session *se_sess) + + spin_lock_irqsave(&vha->hw->tgt.sess_lock, flags); + target_sess_cmd_list_set_waiting(se_sess); +- tcm_qla2xxx_put_sess(sess); + spin_unlock_irqrestore(&vha->hw->tgt.sess_lock, flags); ++ ++ tcm_qla2xxx_put_sess(sess); + } + + static u32 tcm_qla2xxx_sess_get_index(struct se_session *se_sess) +-- +2.20.1 + diff --git a/queue-4.19/scsi-qla2xxx-fix-a-qla24xx_enable_msix-error-path.patch b/queue-4.19/scsi-qla2xxx-fix-a-qla24xx_enable_msix-error-path.patch new file mode 100644 index 00000000000..3eeae313f42 --- /dev/null +++ b/queue-4.19/scsi-qla2xxx-fix-a-qla24xx_enable_msix-error-path.patch @@ -0,0 +1,47 @@ +From f034034ad2a7ea0ce324dcea1119c7ca74d420bf Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Wed, 17 Apr 2019 14:44:24 -0700 +Subject: scsi: qla2xxx: Fix a qla24xx_enable_msix() error path + +[ Upstream commit 24afabdbd0b3553963a2bbf465895492b14d1107 ] + +Make sure that the allocated interrupts are freed if allocating memory for +the msix_entries array fails. + +Cc: Himanshu Madhani +Cc: Giridhar Malavali +Signed-off-by: Bart Van Assche +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_isr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c +index 36cbb29c84f63..88d8acf86a2a4 100644 +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -3449,7 +3449,7 @@ qla24xx_enable_msix(struct qla_hw_data *ha, struct rsp_que *rsp) + ql_log(ql_log_fatal, vha, 0x00c8, + "Failed to allocate memory for ha->msix_entries.\n"); + ret = -ENOMEM; +- goto msix_out; ++ goto free_irqs; + } + ha->flags.msix_enabled = 1; + +@@ -3532,6 +3532,10 @@ qla24xx_enable_msix(struct qla_hw_data *ha, struct rsp_que *rsp) + + msix_out: + return ret; ++ ++free_irqs: ++ pci_free_irq_vectors(ha->pdev); ++ goto msix_out; + } + + int +-- +2.20.1 + diff --git a/queue-4.19/scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write.patch b/queue-4.19/scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write.patch new file mode 100644 index 00000000000..da5083114fb --- /dev/null +++ b/queue-4.19/scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write.patch @@ -0,0 +1,42 @@ +From 291e75bc53ca7b80a02555115e952e411edf7c16 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Wed, 17 Apr 2019 14:44:28 -0700 +Subject: scsi: qla2xxx: Fix abort handling in tcm_qla2xxx_write_pending() + +[ Upstream commit e209783d66bca04b5fce4429e59338517ffc1a0b ] + +Implementations of the .write_pending() callback functions must guarantee +that an appropriate LIO core callback function will be called immediately or +at a later time. Make sure that this guarantee is met for aborted SCSI +commands. + +[mkp: typo] + +Cc: Himanshu Madhani +Cc: Giridhar Malavali +Fixes: 694833ee00c4 ("scsi: tcm_qla2xxx: Do not allow aborted cmd to advance.") # v4.13. +Fixes: a07100e00ac4 ("qla2xxx: Fix TMR ABORT interaction issue between qla2xxx and TCM") # v4.5. +Signed-off-by: Bart Van Assche +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/tcm_qla2xxx.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c +index 64e2d859f6332..7ef549903124d 100644 +--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c ++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c +@@ -390,6 +390,8 @@ static int tcm_qla2xxx_write_pending(struct se_cmd *se_cmd) + cmd->se_cmd.transport_state, + cmd->se_cmd.t_state, + cmd->se_cmd.se_cmd_flags); ++ transport_generic_request_failure(&cmd->se_cmd, ++ TCM_CHECK_CONDITION_ABORT_CMD); + return 0; + } + cmd->trc_flags |= TRC_XFR_RDY; +-- +2.20.1 + diff --git a/queue-4.19/scsi-qla2xxx-fix-hardirq-unsafe-locking.patch b/queue-4.19/scsi-qla2xxx-fix-hardirq-unsafe-locking.patch new file mode 100644 index 00000000000..30abbe9faed --- /dev/null +++ b/queue-4.19/scsi-qla2xxx-fix-hardirq-unsafe-locking.patch @@ -0,0 +1,370 @@ +From a965d0e1ca4912d3a9609913854ee2f809465280 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Wed, 17 Apr 2019 14:44:41 -0700 +Subject: scsi: qla2xxx: Fix hardirq-unsafe locking + +[ Upstream commit 300ec7415c1fed5c73660f50c8e14a67e236dc0a ] + +Since fc_remote_port_delete() must be called with interrupts enabled, do +not disable interrupts when calling that function. Remove the lockin calls +from around the put_sess() call. This is safe because the function that is +called when the final reference is dropped, qlt_unreg_sess(), grabs the +proper locks. This patch avoids that lockdep reports the following: + +WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected +kworker/2:1/62 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire: +0000000009e679b3 (&(&k->k_lock)->rlock){+.+.}, at: klist_next+0x43/0x1d0 + +and this task is already holding: +00000000a033b71c (&(&ha->tgt.sess_lock)->rlock){-...}, at: qla24xx_delete_sess_fn+0x55/0xf0 [qla2xxx_scst] +which would create a new lock dependency: + (&(&ha->tgt.sess_lock)->rlock){-...} -> (&(&k->k_lock)->rlock){+.+.} + +but this new dependency connects a HARDIRQ-irq-safe lock: + (&(&ha->tgt.sess_lock)->rlock){-...} + +... which became HARDIRQ-irq-safe at: + lock_acquire+0xe3/0x200 + _raw_spin_lock_irqsave+0x3d/0x60 + qla24xx_report_id_acquisition+0xa69/0xe30 [qla2xxx_scst] + qla24xx_process_response_queue+0x69e/0x1270 [qla2xxx_scst] + qla24xx_msix_rsp_q+0x79/0xf0 [qla2xxx_scst] + __handle_irq_event_percpu+0x79/0x3c0 + handle_irq_event_percpu+0x70/0xf0 + handle_irq_event+0x5a/0x8b + handle_edge_irq+0x12c/0x310 + handle_irq+0x192/0x20a + do_IRQ+0x73/0x160 + ret_from_intr+0x0/0x1d + default_idle+0x23/0x1f0 + arch_cpu_idle+0x15/0x20 + default_idle_call+0x35/0x40 + do_idle+0x2bb/0x2e0 + cpu_startup_entry+0x1d/0x20 + start_secondary+0x2a8/0x320 + secondary_startup_64+0xa4/0xb0 + +to a HARDIRQ-irq-unsafe lock: + (&(&k->k_lock)->rlock){+.+.} + +... which became HARDIRQ-irq-unsafe at: +... + lock_acquire+0xe3/0x200 + _raw_spin_lock+0x32/0x50 + klist_add_tail+0x33/0xb0 + device_add+0x7e1/0xb50 + device_create_groups_vargs+0x11c/0x150 + device_create_with_groups+0x89/0xb0 + vtconsole_class_init+0xb2/0x124 + do_one_initcall+0xc5/0x3ce + kernel_init_freeable+0x295/0x32e + kernel_init+0x11/0x11b + ret_from_fork+0x3a/0x50 + +other info that might help us debug this: + + Possible interrupt unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&(&k->k_lock)->rlock); + local_irq_disable(); + lock(&(&ha->tgt.sess_lock)->rlock); + lock(&(&k->k_lock)->rlock); + + lock(&(&ha->tgt.sess_lock)->rlock); + + *** DEADLOCK *** + +3 locks held by kworker/2:1/62: + #0: 00000000a4319c16 ((wq_completion)"qla2xxx_wq"){+.+.}, at: process_one_work+0x437/0xa80 + #1: 00000000ffa34c42 ((work_completion)(&sess->del_work)){+.+.}, at: process_one_work+0x437/0xa80 + #2: 00000000a033b71c (&(&ha->tgt.sess_lock)->rlock){-...}, at: qla24xx_delete_sess_fn+0x55/0xf0 [qla2xxx_scst] + +the dependencies between HARDIRQ-irq-safe lock and the holding lock: +-> (&(&ha->tgt.sess_lock)->rlock){-...} ops: 8 { + IN-HARDIRQ-W at: + lock_acquire+0xe3/0x200 + _raw_spin_lock_irqsave+0x3d/0x60 + qla24xx_report_id_acquisition+0xa69/0xe30 [qla2xxx_scst] + qla24xx_process_response_queue+0x69e/0x1270 [qla2xxx_scst] + qla24xx_msix_rsp_q+0x79/0xf0 [qla2xxx_scst] + __handle_irq_event_percpu+0x79/0x3c0 + handle_irq_event_percpu+0x70/0xf0 + handle_irq_event+0x5a/0x8b + handle_edge_irq+0x12c/0x310 + handle_irq+0x192/0x20a + do_IRQ+0x73/0x160 + ret_from_intr+0x0/0x1d + default_idle+0x23/0x1f0 + arch_cpu_idle+0x15/0x20 + default_idle_call+0x35/0x40 + do_idle+0x2bb/0x2e0 + cpu_startup_entry+0x1d/0x20 + start_secondary+0x2a8/0x320 + secondary_startup_64+0xa4/0xb0 + INITIAL USE at: + lock_acquire+0xe3/0x200 + _raw_spin_lock_irqsave+0x3d/0x60 + qla24xx_report_id_acquisition+0xa69/0xe30 [qla2xxx_scst] + qla24xx_process_response_queue+0x69e/0x1270 [qla2xxx_scst] + qla24xx_msix_rsp_q+0x79/0xf0 [qla2xxx_scst] + __handle_irq_event_percpu+0x79/0x3c0 + handle_irq_event_percpu+0x70/0xf0 + handle_irq_event+0x5a/0x8b + handle_edge_irq+0x12c/0x310 + handle_irq+0x192/0x20a + do_IRQ+0x73/0x160 + ret_from_intr+0x0/0x1d + default_idle+0x23/0x1f0 + arch_cpu_idle+0x15/0x20 + default_idle_call+0x35/0x40 + do_idle+0x2bb/0x2e0 + cpu_startup_entry+0x1d/0x20 + start_secondary+0x2a8/0x320 + secondary_startup_64+0xa4/0xb0 + } + ... key at: [] __key.85462+0x0/0xfffffffffff7df80 [qla2xxx_scst] + ... acquired at: + lock_acquire+0xe3/0x200 + _raw_spin_lock_irqsave+0x3d/0x60 + klist_next+0x43/0x1d0 + device_for_each_child+0x96/0x110 + scsi_target_block+0x3c/0x40 [scsi_mod] + fc_remote_port_delete+0xe7/0x1c0 [scsi_transport_fc] + qla2x00_mark_device_lost+0xa0b/0xa30 [qla2xxx_scst] + qlt_unreg_sess+0x1c6/0x380 [qla2xxx_scst] + qla24xx_delete_sess_fn+0xe6/0xf0 [qla2xxx_scst] + process_one_work+0x511/0xa80 + worker_thread+0x67/0x5b0 + kthread+0x1d2/0x1f0 + ret_from_fork+0x3a/0x50 + +the dependencies between the lock to be acquired + and HARDIRQ-irq-unsafe lock: +-> (&(&k->k_lock)->rlock){+.+.} ops: 13831 { + HARDIRQ-ON-W at: + lock_acquire+0xe3/0x200 + _raw_spin_lock+0x32/0x50 + klist_add_tail+0x33/0xb0 + device_add+0x7e1/0xb50 + device_create_groups_vargs+0x11c/0x150 + device_create_with_groups+0x89/0xb0 + vtconsole_class_init+0xb2/0x124 + do_one_initcall+0xc5/0x3ce + kernel_init_freeable+0x295/0x32e + kernel_init+0x11/0x11b + ret_from_fork+0x3a/0x50 + SOFTIRQ-ON-W at: + lock_acquire+0xe3/0x200 + _raw_spin_lock+0x32/0x50 + klist_add_tail+0x33/0xb0 + device_add+0x7e1/0xb50 + device_create_groups_vargs+0x11c/0x150 + device_create_with_groups+0x89/0xb0 + vtconsole_class_init+0xb2/0x124 + do_one_initcall+0xc5/0x3ce + kernel_init_freeable+0x295/0x32e + kernel_init+0x11/0x11b + ret_from_fork+0x3a/0x50 + INITIAL USE at: + lock_acquire+0xe3/0x200 + _raw_spin_lock+0x32/0x50 + klist_add_tail+0x33/0xb0 + device_add+0x7e1/0xb50 + device_create_groups_vargs+0x11c/0x150 + device_create_with_groups+0x89/0xb0 + vtconsole_class_init+0xb2/0x124 + do_one_initcall+0xc5/0x3ce + kernel_init_freeable+0x295/0x32e + kernel_init+0x11/0x11b + ret_from_fork+0x3a/0x50 + } + ... key at: [] __key.15491+0x0/0x40 + ... acquired at: + lock_acquire+0xe3/0x200 + _raw_spin_lock_irqsave+0x3d/0x60 + klist_next+0x43/0x1d0 + device_for_each_child+0x96/0x110 + scsi_target_block+0x3c/0x40 [scsi_mod] + fc_remote_port_delete+0xe7/0x1c0 [scsi_transport_fc] + qla2x00_mark_device_lost+0xa0b/0xa30 [qla2xxx_scst] + qlt_unreg_sess+0x1c6/0x380 [qla2xxx_scst] + qla24xx_delete_sess_fn+0xe6/0xf0 [qla2xxx_scst] + process_one_work+0x511/0xa80 + worker_thread+0x67/0x5b0 + kthread+0x1d2/0x1f0 + ret_from_fork+0x3a/0x50 + +stack backtrace: +CPU: 2 PID: 62 Comm: kworker/2:1 Tainted: G O 5.0.7-dbg+ #8 +Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 +Workqueue: qla2xxx_wq qla24xx_delete_sess_fn [qla2xxx_scst] +Call Trace: + dump_stack+0x86/0xca + check_usage.cold.52+0x473/0x563 + __lock_acquire+0x11c0/0x23e0 + lock_acquire+0xe3/0x200 + _raw_spin_lock_irqsave+0x3d/0x60 + klist_next+0x43/0x1d0 + device_for_each_child+0x96/0x110 + scsi_target_block+0x3c/0x40 [scsi_mod] + fc_remote_port_delete+0xe7/0x1c0 [scsi_transport_fc] + qla2x00_mark_device_lost+0xa0b/0xa30 [qla2xxx_scst] + qlt_unreg_sess+0x1c6/0x380 [qla2xxx_scst] + qla24xx_delete_sess_fn+0xe6/0xf0 [qla2xxx_scst] + process_one_work+0x511/0xa80 + worker_thread+0x67/0x5b0 + kthread+0x1d2/0x1f0 + ret_from_fork+0x3a/0x50 + +Cc: Himanshu Madhani +Cc: Giridhar Malavali +Signed-off-by: Bart Van Assche +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_target.c | 25 ++++++++----------------- + drivers/scsi/qla2xxx/tcm_qla2xxx.c | 2 -- + 2 files changed, 8 insertions(+), 19 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c +index a8c67cd176256..9d7feb005acfd 100644 +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -684,7 +684,6 @@ int qla24xx_async_notify_ack(scsi_qla_host_t *vha, fc_port_t *fcport, + void qla24xx_do_nack_work(struct scsi_qla_host *vha, struct qla_work_evt *e) + { + fc_port_t *t; +- unsigned long flags; + + switch (e->u.nack.type) { + case SRB_NACK_PRLI: +@@ -694,10 +693,8 @@ void qla24xx_do_nack_work(struct scsi_qla_host *vha, struct qla_work_evt *e) + if (t) { + ql_log(ql_log_info, vha, 0xd034, + "%s create sess success %p", __func__, t); +- spin_lock_irqsave(&vha->hw->tgt.sess_lock, flags); + /* create sess has an extra kref */ + vha->hw->tgt.tgt_ops->put_sess(e->u.nack.fcport); +- spin_unlock_irqrestore(&vha->hw->tgt.sess_lock, flags); + } + break; + } +@@ -709,9 +706,6 @@ void qla24xx_delete_sess_fn(struct work_struct *work) + { + fc_port_t *fcport = container_of(work, struct fc_port, del_work); + struct qla_hw_data *ha = fcport->vha->hw; +- unsigned long flags; +- +- spin_lock_irqsave(&ha->tgt.sess_lock, flags); + + if (fcport->se_sess) { + ha->tgt.tgt_ops->shutdown_sess(fcport); +@@ -719,7 +713,6 @@ void qla24xx_delete_sess_fn(struct work_struct *work) + } else { + qlt_unreg_sess(fcport); + } +- spin_unlock_irqrestore(&ha->tgt.sess_lock, flags); + } + + /* +@@ -788,8 +781,9 @@ void qlt_fc_port_added(struct scsi_qla_host *vha, fc_port_t *fcport) + fcport->port_name, sess->loop_id); + sess->local = 0; + } +- ha->tgt.tgt_ops->put_sess(sess); + spin_unlock_irqrestore(&ha->tgt.sess_lock, flags); ++ ++ ha->tgt.tgt_ops->put_sess(sess); + } + + /* +@@ -4135,9 +4129,7 @@ static void __qlt_do_work(struct qla_tgt_cmd *cmd) + /* + * Drop extra session reference from qla_tgt_handle_cmd_for_atio*( + */ +- spin_lock_irqsave(&ha->tgt.sess_lock, flags); + ha->tgt.tgt_ops->put_sess(sess); +- spin_unlock_irqrestore(&ha->tgt.sess_lock, flags); + return; + + out_term: +@@ -4154,9 +4146,7 @@ static void __qlt_do_work(struct qla_tgt_cmd *cmd) + target_free_tag(sess->se_sess, &cmd->se_cmd); + spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); + +- spin_lock_irqsave(&ha->tgt.sess_lock, flags); + ha->tgt.tgt_ops->put_sess(sess); +- spin_unlock_irqrestore(&ha->tgt.sess_lock, flags); + } + + static void qlt_do_work(struct work_struct *work) +@@ -4365,9 +4355,7 @@ static int qlt_handle_cmd_for_atio(struct scsi_qla_host *vha, + if (!cmd) { + ql_dbg(ql_dbg_io, vha, 0x3062, + "qla_target(%d): Allocation of cmd failed\n", vha->vp_idx); +- spin_lock_irqsave(&ha->tgt.sess_lock, flags); + ha->tgt.tgt_ops->put_sess(sess); +- spin_unlock_irqrestore(&ha->tgt.sess_lock, flags); + return -EBUSY; + } + +@@ -6105,17 +6093,19 @@ static void qlt_abort_work(struct qla_tgt *tgt, + } + + rc = __qlt_24xx_handle_abts(vha, &prm->abts, sess); +- ha->tgt.tgt_ops->put_sess(sess); + spin_unlock_irqrestore(&ha->tgt.sess_lock, flags2); + ++ ha->tgt.tgt_ops->put_sess(sess); ++ + if (rc != 0) + goto out_term; + return; + + out_term2: ++ spin_unlock_irqrestore(&ha->tgt.sess_lock, flags2); ++ + if (sess) + ha->tgt.tgt_ops->put_sess(sess); +- spin_unlock_irqrestore(&ha->tgt.sess_lock, flags2); + + out_term: + spin_lock_irqsave(&ha->hardware_lock, flags); +@@ -6175,9 +6165,10 @@ static void qlt_tmr_work(struct qla_tgt *tgt, + scsilun_to_int((struct scsi_lun *)&a->u.isp24.fcp_cmnd.lun); + + rc = qlt_issue_task_mgmt(sess, unpacked_lun, fn, iocb, 0); +- ha->tgt.tgt_ops->put_sess(sess); + spin_unlock_irqrestore(&ha->tgt.sess_lock, flags); + ++ ha->tgt.tgt_ops->put_sess(sess); ++ + if (rc != 0) + goto out_term; + return; +diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c +index f425a9e5056bf..b8c1a739dfbd1 100644 +--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c ++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c +@@ -350,7 +350,6 @@ static void tcm_qla2xxx_put_sess(struct fc_port *sess) + if (!sess) + return; + +- assert_spin_locked(&sess->vha->hw->tgt.sess_lock); + kref_put(&sess->sess_kref, tcm_qla2xxx_release_session); + } + +@@ -832,7 +831,6 @@ static void tcm_qla2xxx_clear_nacl_from_fcport_map(struct fc_port *sess) + + static void tcm_qla2xxx_shutdown_sess(struct fc_port *sess) + { +- assert_spin_locked(&sess->vha->hw->tgt.sess_lock); + target_sess_cmd_list_set_waiting(sess->se_sess); + } + +-- +2.20.1 + diff --git a/queue-4.19/scsi-qla4xxx-avoid-freeing-unallocated-dma-memory.patch b/queue-4.19/scsi-qla4xxx-avoid-freeing-unallocated-dma-memory.patch new file mode 100644 index 00000000000..ea9e982dd85 --- /dev/null +++ b/queue-4.19/scsi-qla4xxx-avoid-freeing-unallocated-dma-memory.patch @@ -0,0 +1,52 @@ +From 4b4a0723ea32bfe69b4b6356fd67357bdc3e488b Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 22 Mar 2019 15:25:03 +0100 +Subject: scsi: qla4xxx: avoid freeing unallocated dma memory + +[ Upstream commit 608f729c31d4caf52216ea00d20092a80959256d ] + +Clang -Wuninitialized notices that on is_qla40XX we never allocate any DMA +memory in get_fw_boot_info() but attempt to free it anyway: + +drivers/scsi/qla4xxx/ql4_os.c:5915:7: error: variable 'buf_dma' is used uninitialized whenever 'if' condition is false + [-Werror,-Wsometimes-uninitialized] + if (!(val & 0x07)) { + ^~~~~~~~~~~~~ +drivers/scsi/qla4xxx/ql4_os.c:5985:47: note: uninitialized use occurs here + dma_free_coherent(&ha->pdev->dev, size, buf, buf_dma); + ^~~~~~~ +drivers/scsi/qla4xxx/ql4_os.c:5915:3: note: remove the 'if' if its condition is always true + if (!(val & 0x07)) { + ^~~~~~~~~~~~~~~~~~~ +drivers/scsi/qla4xxx/ql4_os.c:5885:20: note: initialize the variable 'buf_dma' to silence this warning + dma_addr_t buf_dma; + ^ + = 0 + +Skip the call to dma_free_coherent() here. + +Fixes: 2a991c215978 ("[SCSI] qla4xxx: Boot from SAN support for open-iscsi") +Signed-off-by: Arnd Bergmann +Reviewed-by: Nathan Chancellor +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla4xxx/ql4_os.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index 5dd3e4e01b109..25c8ce54a976d 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -5935,7 +5935,7 @@ static int get_fw_boot_info(struct scsi_qla_host *ha, uint16_t ddb_index[]) + val = rd_nvram_byte(ha, sec_addr); + if (val & BIT_7) + ddb_index[1] = (val & 0x7f); +- ++ goto exit_boot_info; + } else if (is_qla80XX(ha)) { + buf = dma_alloc_coherent(&ha->pdev->dev, size, + &buf_dma, GFP_KERNEL); +-- +2.20.1 + diff --git a/queue-4.19/scsi-ufs-avoid-configuring-regulator-with-undefined-.patch b/queue-4.19/scsi-ufs-avoid-configuring-regulator-with-undefined-.patch new file mode 100644 index 00000000000..44c192b2245 --- /dev/null +++ b/queue-4.19/scsi-ufs-avoid-configuring-regulator-with-undefined-.patch @@ -0,0 +1,59 @@ +From 4927fc5912a9d7f28ea346760d0061a92cce1060 Mon Sep 17 00:00:00 2001 +From: Stanley Chu +Date: Thu, 28 Mar 2019 17:16:24 +0800 +Subject: scsi: ufs: Avoid configuring regulator with undefined voltage range + +[ Upstream commit 3b141e8cfd54ba3e5c610717295b2a02aab26a05 ] + +For regulators used by UFS, vcc, vccq and vccq2 will have voltage range +initialized by ufshcd_populate_vreg(), however other regulators may have +undefined voltage range if dt-bindings have no such definition. + +In above undefined case, both "min_uV" and "max_uV" fields in ufs_vreg +struct will be zero values and these values will be configured on +regulators in different power modes. + +Currently this may have no harm if both "min_uV" and "max_uV" always keep +"zero values" because regulator_set_voltage() will always bypass such +invalid values and return "good" results. + +However improper values shall be fixed to avoid potential bugs. Simply +bypass voltage configuration if voltage range is not defined. + +Signed-off-by: Stanley Chu +Reviewed-by: Avri Altman +Acked-by: Alim Akhtar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 73156579e9885..3183fa8c58578 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -6822,12 +6822,15 @@ static int ufshcd_config_vreg(struct device *dev, + name = vreg->name; + + if (regulator_count_voltages(reg) > 0) { +- min_uV = on ? vreg->min_uV : 0; +- ret = regulator_set_voltage(reg, min_uV, vreg->max_uV); +- if (ret) { +- dev_err(dev, "%s: %s set voltage failed, err=%d\n", ++ if (vreg->min_uV && vreg->max_uV) { ++ min_uV = on ? vreg->min_uV : 0; ++ ret = regulator_set_voltage(reg, min_uV, vreg->max_uV); ++ if (ret) { ++ dev_err(dev, ++ "%s: %s set voltage failed, err=%d\n", + __func__, name, ret); +- goto out; ++ goto out; ++ } + } + + uA_load = on ? vreg->max_uA : 0; +-- +2.20.1 + diff --git a/queue-4.19/scsi-ufs-fix-a-missing-check-of-devm_reset_control_g.patch b/queue-4.19/scsi-ufs-fix-a-missing-check-of-devm_reset_control_g.patch new file mode 100644 index 00000000000..4437a59ba82 --- /dev/null +++ b/queue-4.19/scsi-ufs-fix-a-missing-check-of-devm_reset_control_g.patch @@ -0,0 +1,36 @@ +From 3ebf5c5ae58c9f2ae8a18d60afa12141a29248f5 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Fri, 15 Mar 2019 02:11:56 -0500 +Subject: scsi: ufs: fix a missing check of devm_reset_control_get + +[ Upstream commit 63a06181d7ce169d09843645c50fea1901bc9f0a ] + +devm_reset_control_get could fail, so the fix checks its return value and +passes the error code upstream in case it fails. + +Signed-off-by: Kangjie Lu +Acked-by: Avri Altman +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufs-hisi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/scsi/ufs/ufs-hisi.c b/drivers/scsi/ufs/ufs-hisi.c +index 452e19f8fb470..c2cee73a8560d 100644 +--- a/drivers/scsi/ufs/ufs-hisi.c ++++ b/drivers/scsi/ufs/ufs-hisi.c +@@ -544,6 +544,10 @@ static int ufs_hisi_init_common(struct ufs_hba *hba) + ufshcd_set_variant(hba, host); + + host->rst = devm_reset_control_get(dev, "rst"); ++ if (IS_ERR(host->rst)) { ++ dev_err(dev, "%s: failed to get reset control\n", __func__); ++ return PTR_ERR(host->rst); ++ } + + ufs_hisi_set_pm_lvl(hba); + +-- +2.20.1 + diff --git a/queue-4.19/scsi-ufs-fix-regulator-load-and-icc-level-configurat.patch b/queue-4.19/scsi-ufs-fix-regulator-load-and-icc-level-configurat.patch new file mode 100644 index 00000000000..cdd9f2b6a31 --- /dev/null +++ b/queue-4.19/scsi-ufs-fix-regulator-load-and-icc-level-configurat.patch @@ -0,0 +1,76 @@ +From e74755e16a39642c6cbb99de9158e7e543bae297 Mon Sep 17 00:00:00 2001 +From: Stanley Chu +Date: Thu, 28 Mar 2019 17:16:25 +0800 +Subject: scsi: ufs: Fix regulator load and icc-level configuration + +[ Upstream commit 0487fff76632ec023d394a05b82e87a971db8c03 ] + +Currently if a regulator has "-fixed-regulator" property in device +tree, it will skip current limit initialization. This lead to a zero +"max_uA" value in struct ufs_vreg. + +However, "regulator_set_load" operation shall be required on regulators +which have valid current limits, otherwise a zero "max_uA" set by +"regulator_set_load" may cause unexpected behavior when this regulator is +enabled or set as high power mode. + +Similarly, in device's icc_level configuration flow, the target icc_level +shall be updated if regulator also has valid current limit, otherwise a +wrong icc_level will be calculated by zero "max_uA" and thus causes +unexpected results after it is written to device. + +Signed-off-by: Stanley Chu +Reviewed-by: Avri Altman +Acked-by: Alim Akhtar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 6e80dfe4fa979..73156579e9885 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -6130,19 +6130,19 @@ static u32 ufshcd_find_max_sup_active_icc_level(struct ufs_hba *hba, + goto out; + } + +- if (hba->vreg_info.vcc) ++ if (hba->vreg_info.vcc && hba->vreg_info.vcc->max_uA) + icc_level = ufshcd_get_max_icc_level( + hba->vreg_info.vcc->max_uA, + POWER_DESC_MAX_ACTV_ICC_LVLS - 1, + &desc_buf[PWR_DESC_ACTIVE_LVLS_VCC_0]); + +- if (hba->vreg_info.vccq) ++ if (hba->vreg_info.vccq && hba->vreg_info.vccq->max_uA) + icc_level = ufshcd_get_max_icc_level( + hba->vreg_info.vccq->max_uA, + icc_level, + &desc_buf[PWR_DESC_ACTIVE_LVLS_VCCQ_0]); + +- if (hba->vreg_info.vccq2) ++ if (hba->vreg_info.vccq2 && hba->vreg_info.vccq2->max_uA) + icc_level = ufshcd_get_max_icc_level( + hba->vreg_info.vccq2->max_uA, + icc_level, +@@ -6767,6 +6767,15 @@ static int ufshcd_config_vreg_load(struct device *dev, struct ufs_vreg *vreg, + if (!vreg) + return 0; + ++ /* ++ * "set_load" operation shall be required on those regulators ++ * which specifically configured current limitation. Otherwise ++ * zero max_uA may cause unexpected behavior when regulator is ++ * enabled or set as high power mode. ++ */ ++ if (!vreg->max_uA) ++ return 0; ++ + ret = regulator_set_load(vreg->reg, ua); + if (ret < 0) { + dev_err(dev, "%s: %s set load (ua=%d) failed, err=%d\n", +-- +2.20.1 + diff --git a/queue-4.19/selftests-bpf-ksym_search-won-t-check-symbols-exists.patch b/queue-4.19/selftests-bpf-ksym_search-won-t-check-symbols-exists.patch new file mode 100644 index 00000000000..fe8a307dff3 --- /dev/null +++ b/queue-4.19/selftests-bpf-ksym_search-won-t-check-symbols-exists.patch @@ -0,0 +1,42 @@ +From 1b1abbb47b9eaca1202ab3877423731779dbb424 Mon Sep 17 00:00:00 2001 +From: "Daniel T. Lee" +Date: Thu, 4 Apr 2019 07:17:55 +0900 +Subject: selftests/bpf: ksym_search won't check symbols exists + +[ Upstream commit 0979ff7992fb6f4eb837995b12f4071dcafebd2d ] + +Currently, ksym_search located at trace_helpers won't check symbols are +existing or not. + +In ksym_search, when symbol is not found, it will return &syms[0](_stext). +But when the kernel symbols are not loaded, it will return NULL, which is +not a desired action. + +This commit will add verification logic whether symbols are loaded prior +to the symbol search. + +Signed-off-by: Daniel T. Lee +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/trace_helpers.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/testing/selftests/bpf/trace_helpers.c b/tools/testing/selftests/bpf/trace_helpers.c +index cabe2a3a3b300..cf156b3536798 100644 +--- a/tools/testing/selftests/bpf/trace_helpers.c ++++ b/tools/testing/selftests/bpf/trace_helpers.c +@@ -51,6 +51,10 @@ struct ksym *ksym_search(long key) + int start = 0, end = sym_cnt; + int result; + ++ /* kallsyms not loaded. return NULL */ ++ if (sym_cnt <= 0) ++ return NULL; ++ + while (start < end) { + size_t mid = start + (end - start) / 2; + +-- +2.20.1 + diff --git a/queue-4.19/selftests-bpf-set-rlimit_memlock-properly-for-test_l.patch b/queue-4.19/selftests-bpf-set-rlimit_memlock-properly-for-test_l.patch new file mode 100644 index 00000000000..d4b67b91cdf --- /dev/null +++ b/queue-4.19/selftests-bpf-set-rlimit_memlock-properly-for-test_l.patch @@ -0,0 +1,43 @@ +From 9993d121b100a7147b60339e5f90118f3cefe71a Mon Sep 17 00:00:00 2001 +From: Yonghong Song +Date: Mon, 29 Apr 2019 16:59:38 -0700 +Subject: selftests/bpf: set RLIMIT_MEMLOCK properly for test_libbpf_open.c + +[ Upstream commit 6cea33701eb024bc6c920ab83940ee22afd29139 ] + +Test test_libbpf.sh failed on my development server with failure + -bash-4.4$ sudo ./test_libbpf.sh + [0] libbpf: Error in bpf_object__probe_name():Operation not permitted(1). + Couldn't load basic 'r0 = 0' BPF program. + test_libbpf: failed at file test_l4lb.o + selftests: test_libbpf [FAILED] + -bash-4.4$ + +The reason is because my machine has 64KB locked memory by default which +is not enough for this program to get locked memory. +Similar to other bpf selftests, let us increase RLIMIT_MEMLOCK +to infinity, which fixed the issue. + +Signed-off-by: Yonghong Song +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_libbpf_open.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/testing/selftests/bpf/test_libbpf_open.c b/tools/testing/selftests/bpf/test_libbpf_open.c +index 8fcd1c076add0..cbd55f5f8d598 100644 +--- a/tools/testing/selftests/bpf/test_libbpf_open.c ++++ b/tools/testing/selftests/bpf/test_libbpf_open.c +@@ -11,6 +11,8 @@ static const char *__doc__ = + #include + #include + ++#include "bpf_rlimit.h" ++ + static const struct option long_options[] = { + {"help", no_argument, NULL, 'h' }, + {"debug", no_argument, NULL, 'D' }, +-- +2.20.1 + diff --git a/queue-4.19/selftests-cgroup-fix-cleanup-path-in-test_memcg_subt.patch b/queue-4.19/selftests-cgroup-fix-cleanup-path-in-test_memcg_subt.patch new file mode 100644 index 00000000000..42170a01d67 --- /dev/null +++ b/queue-4.19/selftests-cgroup-fix-cleanup-path-in-test_memcg_subt.patch @@ -0,0 +1,115 @@ +From c72be612c4a388ced330763c9d86ad3ab76f1d39 Mon Sep 17 00:00:00 2001 +From: Roman Gushchin +Date: Mon, 8 Apr 2019 15:12:30 -0700 +Subject: selftests: cgroup: fix cleanup path in test_memcg_subtree_control() + +[ Upstream commit e14d314c7a489f060d6d691866fef5f131281718 ] + +Dan reported, that cleanup path in test_memcg_subtree_control() +triggers a static checker warning: + ./tools/testing/selftests/cgroup/test_memcontrol.c:76 \ + test_memcg_subtree_control() + error: uninitialized symbol 'child2'. + +Fix this by initializing child2 and parent2 variables and +split the cleanup path into few stages. + +Signed-off-by: Roman Gushchin +Fixes: 84092dbcf901 ("selftests: cgroup: add memory controller self-tests") +Reported-by: Dan Carpenter +Cc: Dan Carpenter +Cc: Shuah Khan (Samsung OSG) +Cc: Mike Rapoport +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../selftests/cgroup/test_memcontrol.c | 38 ++++++++++--------- + 1 file changed, 21 insertions(+), 17 deletions(-) + +diff --git a/tools/testing/selftests/cgroup/test_memcontrol.c b/tools/testing/selftests/cgroup/test_memcontrol.c +index 28d321ba311b4..6f339882a6ca1 100644 +--- a/tools/testing/selftests/cgroup/test_memcontrol.c ++++ b/tools/testing/selftests/cgroup/test_memcontrol.c +@@ -26,7 +26,7 @@ + */ + static int test_memcg_subtree_control(const char *root) + { +- char *parent, *child, *parent2, *child2; ++ char *parent, *child, *parent2 = NULL, *child2 = NULL; + int ret = KSFT_FAIL; + char buf[PAGE_SIZE]; + +@@ -34,50 +34,54 @@ static int test_memcg_subtree_control(const char *root) + parent = cg_name(root, "memcg_test_0"); + child = cg_name(root, "memcg_test_0/memcg_test_1"); + if (!parent || !child) +- goto cleanup; ++ goto cleanup_free; + + if (cg_create(parent)) +- goto cleanup; ++ goto cleanup_free; + + if (cg_write(parent, "cgroup.subtree_control", "+memory")) +- goto cleanup; ++ goto cleanup_parent; + + if (cg_create(child)) +- goto cleanup; ++ goto cleanup_parent; + + if (cg_read_strstr(child, "cgroup.controllers", "memory")) +- goto cleanup; ++ goto cleanup_child; + + /* Create two nested cgroups without enabling memory controller */ + parent2 = cg_name(root, "memcg_test_1"); + child2 = cg_name(root, "memcg_test_1/memcg_test_1"); + if (!parent2 || !child2) +- goto cleanup; ++ goto cleanup_free2; + + if (cg_create(parent2)) +- goto cleanup; ++ goto cleanup_free2; + + if (cg_create(child2)) +- goto cleanup; ++ goto cleanup_parent2; + + if (cg_read(child2, "cgroup.controllers", buf, sizeof(buf))) +- goto cleanup; ++ goto cleanup_all; + + if (!cg_read_strstr(child2, "cgroup.controllers", "memory")) +- goto cleanup; ++ goto cleanup_all; + + ret = KSFT_PASS; + +-cleanup: +- cg_destroy(child); +- cg_destroy(parent); +- free(parent); +- free(child); +- ++cleanup_all: + cg_destroy(child2); ++cleanup_parent2: + cg_destroy(parent2); ++cleanup_free2: + free(parent2); + free(child2); ++cleanup_child: ++ cg_destroy(child); ++cleanup_parent: ++ cg_destroy(parent); ++cleanup_free: ++ free(parent); ++ free(child); + + return ret; + } +-- +2.20.1 + diff --git a/queue-4.19/selinux-avoid-uninitialized-variable-warning.patch b/queue-4.19/selinux-avoid-uninitialized-variable-warning.patch new file mode 100644 index 00000000000..10b48d33a3f --- /dev/null +++ b/queue-4.19/selinux-avoid-uninitialized-variable-warning.patch @@ -0,0 +1,78 @@ +From 85f629c9102622c42f9abb2f8e4e7fad11d35621 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 25 Mar 2019 15:23:11 +0100 +Subject: selinux: avoid uninitialized variable warning + +[ Upstream commit 98bbbb76f2edcfb8fb2b8f4b3ccc7b6e99d64bd8 ] + +clang correctly points out a code path that would lead +to an uninitialized variable use: + +security/selinux/netlabel.c:310:6: error: variable 'addr' is used uninitialized whenever 'if' condition is false + [-Werror,-Wsometimes-uninitialized] + if (ip_hdr(skb)->version == 4) { + ^~~~~~~~~~~~~~~~~~~~~~~~~ +security/selinux/netlabel.c:322:40: note: uninitialized use occurs here + rc = netlbl_conn_setattr(ep->base.sk, addr, &secattr); + ^~~~ +security/selinux/netlabel.c:310:2: note: remove the 'if' if its condition is always true + if (ip_hdr(skb)->version == 4) { + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +security/selinux/netlabel.c:291:23: note: initialize the variable 'addr' to silence this warning + struct sockaddr *addr; + ^ + = NULL + +This is probably harmless since we should not see ipv6 packets +of CONFIG_IPV6 is disabled, but it's better to rearrange the code +so this cannot happen. + +Signed-off-by: Arnd Bergmann +[PM: removed old patchwork link, fixed checkpatch.pl style errors] +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + security/selinux/netlabel.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c +index 186e727b737b9..6fd9954e1c085 100644 +--- a/security/selinux/netlabel.c ++++ b/security/selinux/netlabel.c +@@ -288,11 +288,8 @@ int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep, + int rc; + struct netlbl_lsm_secattr secattr; + struct sk_security_struct *sksec = ep->base.sk->sk_security; +- struct sockaddr *addr; + struct sockaddr_in addr4; +-#if IS_ENABLED(CONFIG_IPV6) + struct sockaddr_in6 addr6; +-#endif + + if (ep->base.sk->sk_family != PF_INET && + ep->base.sk->sk_family != PF_INET6) +@@ -310,16 +307,15 @@ int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep, + if (ip_hdr(skb)->version == 4) { + addr4.sin_family = AF_INET; + addr4.sin_addr.s_addr = ip_hdr(skb)->saddr; +- addr = (struct sockaddr *)&addr4; +-#if IS_ENABLED(CONFIG_IPV6) +- } else { ++ rc = netlbl_conn_setattr(ep->base.sk, (void *)&addr4, &secattr); ++ } else if (IS_ENABLED(CONFIG_IPV6) && ip_hdr(skb)->version == 6) { + addr6.sin6_family = AF_INET6; + addr6.sin6_addr = ipv6_hdr(skb)->saddr; +- addr = (struct sockaddr *)&addr6; +-#endif ++ rc = netlbl_conn_setattr(ep->base.sk, (void *)&addr6, &secattr); ++ } else { ++ rc = -EAFNOSUPPORT; + } + +- rc = netlbl_conn_setattr(ep->base.sk, addr, &secattr); + if (rc == 0) + sksec->nlbl_state = NLBL_LABELED; + +-- +2.20.1 + diff --git a/queue-4.19/series b/queue-4.19/series index 92511781a85..ba4b477b152 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -41,3 +41,236 @@ batman-adv-mcast-fix-multicast-tt-tvlv-worker-locking.patch at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch acct_on-don-t-mess-with-freeze-protection.patch revert-btrfs-honour-fitrim-range-constraints-during-free-space-trim.patch +gfs2-fix-lru_count-going-negative.patch +cxgb4-fix-error-path-in-cxgb4_init_module.patch +nfs-make-nfs_match_client-killable.patch +ib-hfi1-fix-wq_mem_reclaim-warning.patch +gfs2-fix-occasional-glock-use-after-free.patch +mmc-core-verify-sd-bus-width.patch +tools-bpf-fix-perf-build-error-with-uclibc-seen-on-a.patch +selftests-bpf-set-rlimit_memlock-properly-for-test_l.patch +bpftool-exclude-bash-completion-bpftool-from-.gitign.patch +dmaengine-tegra210-dma-free-dma-controller-in-remove.patch +net-ena-gcc-8-fix-compilation-warning.patch +hv_netvsc-fix-race-that-may-miss-tx-queue-wakeup.patch +bluetooth-ignore-cc-events-not-matching-the-last-hci.patch +pinctrl-zte-fix-leaked-of_node-references.patch +asoc-intel-kbl_da7219_max98357a-map-btn_0-to-key_pla.patch +usb-dwc2-gadget-increase-descriptors-count-for-isoc-.patch +usb-dwc3-move-synchronize_irq-out-of-the-spinlock-pr.patch +asoc-hdmi-codec-unlock-the-device-on-startup-errors.patch +powerpc-perf-return-accordingly-on-invalid-chip-id-i.patch +powerpc-boot-fix-missing-check-of-lseek-return-value.patch +powerpc-perf-fix-loop-exit-condition-in-nest_imc_eve.patch +asoc-imx-fix-fiq-dependencies.patch +spi-pxa2xx-fix-scr-divisor-calculation.patch +brcm80211-potential-null-dereference-in-brcmf_cfg802.patch +acpi-property-fix-handling-of-data_nodes-in-acpi_get.patch +drm-nouveau-bar-nv50-ensure-bar-is-mapped.patch +media-stm32-dcmi-return-appropriate-error-codes-duri.patch +arm-vdso-remove-dependency-with-the-arch_timer-drive.patch +arm64-fix-compiler-warning-from-pte_unmap-with-wunus.patch +powerpc-watchdog-use-hrtimers-for-per-cpu-heartbeat.patch +sched-cpufreq-fix-kobject-memleak.patch +scsi-qla2xxx-fix-a-qla24xx_enable_msix-error-path.patch +scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write.patch +scsi-qla2xxx-avoid-that-lockdep-complains-about-unsa.patch +scsi-qla2xxx-fix-hardirq-unsafe-locking.patch +x86-modules-avoid-breaking-w-x-while-loading-modules.patch +btrfs-fix-data-bytes_may_use-underflow-with-fallocat.patch +btrfs-fix-panic-during-relocation-after-enospc-befor.patch +btrfs-don-t-panic-when-we-can-t-find-a-root-key.patch +iwlwifi-pcie-don-t-crash-on-invalid-rx-interrupt.patch +rtc-88pm860x-prevent-use-after-free-on-device-remove.patch +rtc-stm32-manage-the-get_irq-probe-defer-case.patch +scsi-qedi-abort-ep-termination-if-offload-not-schedu.patch +s390-kexec_file-fix-detection-of-text-segment-in-elf.patch +sched-nohz-run-nohz-idle-load-balancer-on-hk_flag_mi.patch +w1-fix-the-resume-command-api.patch +s390-qeth-address-type-mismatch-warning.patch +dmaengine-pl330-_stop-clear-interrupt-status.patch +mac80211-cfg80211-update-bss-channel-on-channel-swit.patch +libbpf-fix-samples-bpf-build-failure-due-to-undefine.patch +slimbus-fix-a-potential-null-pointer-dereference-in-.patch +asoc-fsl_sai-update-is_slave_mode-with-correct-value.patch +mwifiex-prevent-an-array-overflow.patch +rsi-fix-null-pointer-dereference-in-kmalloc.patch +net-cw1200-fix-a-null-pointer-dereference.patch +nvme-set-0-capacity-if-namespace-block-size-exceeds-.patch +nvme-rdma-fix-a-null-deref-when-an-admin-connect-tim.patch +crypto-sun4i-ss-fix-invalid-calculation-of-hash-end.patch +bcache-avoid-potential-memleak-of-list-of-journal_re.patch +bcache-return-error-immediately-in-bch_journal_repla.patch +bcache-fix-failure-in-journal-relplay.patch +bcache-add-failure-check-to-run_cache_set-for-journa.patch +bcache-avoid-clang-wunintialized-warning.patch +rdma-cma-consider-scope_id-while-binding-to-ipv6-ll-.patch +vfio-ccw-do-not-call-flush_workqueue-while-holding-t.patch +vfio-ccw-release-any-channel-program-when-releasing-.patch +x86-build-move-_etext-to-actual-end-of-.text.patch +smpboot-place-the-__percpu-annotation-correctly.patch +x86-mm-remove-in_nmi-warning-from-64-bit-implementat.patch +mm-uaccess-use-unsigned-long-to-placate-ubsan-warnin.patch +bluetooth-hci_qca-give-enough-time-to-rome-controlle.patch +hid-logitech-hidpp-use-rap-instead-of-fap-to-get-the.patch +pinctrl-pistachio-fix-leaked-of_node-references.patch +pinctrl-samsung-fix-leaked-of_node-references.patch +clk-rockchip-undo-several-noc-and-special-clocks-as-.patch +perf-arm-cci-remove-broken-race-mitigation.patch +dmaengine-at_xdmac-remove-bug_on-macro-in-tasklet.patch +media-coda-clear-error-return-value-before-picture-r.patch +media-ov6650-move-v4l2_clk_get-to-ov6650_video_probe.patch +media-au0828-stop-video-streaming-only-when-last-use.patch +media-ov2659-make-s_fmt-succeed-even-if-requested-fo.patch +audit-fix-a-memory-leak-bug.patch +media-stm32-dcmi-fix-crash-when-subdev-do-not-expose.patch +media-au0828-fix-null-pointer-dereference-in-au0828_.patch +media-pvrusb2-prevent-a-buffer-overflow.patch +iio-adc-stm32-dfsdm-fix-unmet-direct-dependencies-de.patch +block-fix-use-after-free-on-gendisk.patch +powerpc-numa-improve-control-of-topology-updates.patch +powerpc-64-fix-booting-large-kernels-with-strict_ker.patch +random-fix-crng-initialization-when-random.trust_cpu.patch +random-add-a-spinlock_t-to-struct-batched_entropy.patch +cgroup-protect-cgroup-nr_-dying_-descendants-by-css_.patch +sched-core-check-quota-and-period-overflow-at-usec-t.patch +sched-rt-check-integer-overflow-at-usec-to-nsec-conv.patch +sched-core-handle-overflow-in-cpu_shares_write_u64.patch +staging-vc04_services-handle-kzalloc-failure.patch +drm-msm-a5xx-fix-possible-object-reference-leak.patch +irq_work-do-not-raise-an-ipi-when-queueing-work-on-t.patch +thunderbolt-take-domain-lock-in-switch-sysfs-attribu.patch +s390-qeth-handle-error-from-qeth_update_from_chp_des.patch +usb-core-don-t-unbind-interfaces-following-device-re.patch +x86-irq-64-limit-ist-stack-overflow-check-to-db-stac.patch +drm-etnaviv-avoid-dma-api-warning-when-importing-buf.patch +phy-sun4i-usb-make-sure-to-disable-phy0-passby-for-p.patch +phy-mapphone-mdm6600-add-gpiolib-dependency.patch +i40e-able-to-add-up-to-16-mac-filters-on-an-untruste.patch +i40e-don-t-allow-changes-to-hw-vlan-stripping-on-act.patch +acpi-iort-reject-platform-device-creation-on-numa-no.patch +arm64-vdso-fix-clock_getres-for-clock_realtime.patch +rdma-cxgb4-fix-null-pointer-dereference-on-alloc_skb.patch +perf-x86-msr-add-icelake-support.patch +perf-x86-intel-rapl-add-icelake-support.patch +perf-x86-intel-cstate-add-icelake-support.patch +hwmon-vt1211-use-request_muxed_region-for-super-io-a.patch +hwmon-smsc47m1-use-request_muxed_region-for-super-io.patch +hwmon-smsc47b397-use-request_muxed_region-for-super-.patch +hwmon-pc87427-use-request_muxed_region-for-super-io-.patch +hwmon-f71805f-use-request_muxed_region-for-super-io-.patch +scsi-libsas-do-discovery-on-empty-phy-to-update-phy-.patch +mmc-core-make-pwrseq_emmc-partially-support-sleepy-g.patch +mmc_spi-add-a-status-check-for-spi_sync_locked.patch +mmc-sdhci-of-esdhc-add-erratum-esdhc5-support.patch +mmc-sdhci-of-esdhc-add-erratum-a-009204-support.patch +mmc-sdhci-of-esdhc-add-erratum-esdhc-a001-and-a-0083.patch +drm-amdgpu-fix-old-fence-check-in-amdgpu_fence_emit.patch +pm-core-propagate-dev-power.wakeup_path-when-no-call.patch +clk-rockchip-fix-video-codec-clocks-on-rk3288.patch +extcon-arizona-disable-mic-detect-if-running-when-dr.patch +clk-rockchip-make-rkpwm-a-critical-clock-on-rk3288.patch +s390-zcrypt-initialize-variables-before_use.patch +x86-microcode-fix-the-ancient-deprecated-microcode-l.patch +s390-mm-silence-compiler-warning-when-compiling-with.patch +s390-cio-fix-cio_irb-declaration.patch +selftests-cgroup-fix-cleanup-path-in-test_memcg_subt.patch +qmi_wwan-add-quirk-for-quectel-dynamic-config.patch +cpufreq-ppc_cbe-fix-possible-object-reference-leak.patch +cpufreq-pasemi-fix-possible-object-reference-leak.patch +cpufreq-pmac32-fix-possible-object-reference-leak.patch +cpufreq-kirkwood-fix-possible-object-reference-leak.patch +block-sed-opal-fix-ioc_opal_enable_disable_mbr.patch +x86-build-keep-local-relocations-with-ld.lld.patch +drm-pl111-fix-possible-object-reference-leak.patch +iio-ad_sigma_delta-properly-handle-spi-bus-locking-v.patch +iio-hmc5843-fix-potential-null-pointer-dereferences.patch +iio-common-ssp_sensors-initialize-calculated_time-in.patch +iio-adc-ti-ads7950-fix-improper-use-of-mlock.patch +selftests-bpf-ksym_search-won-t-check-symbols-exists.patch +rtlwifi-fix-a-potential-null-pointer-dereference.patch +mwifiex-fix-mem-leak-in-mwifiex_tm_cmd.patch +brcmfmac-fix-missing-checks-for-kmemdup.patch +b43-shut-up-clang-wuninitialized-variable-warning.patch +brcmfmac-convert-dev_init_lock-mutex-to-completion.patch +brcmfmac-fix-warning-during-usb-disconnect-in-case-o.patch +brcmfmac-fix-race-during-disconnect-when-usb-complet.patch +brcmfmac-fix-oops-when-bringing-up-interface-during-.patch +rtc-xgene-fix-possible-race-condition.patch +rtlwifi-fix-potential-null-pointer-dereference.patch +scsi-ufs-fix-regulator-load-and-icc-level-configurat.patch +scsi-ufs-avoid-configuring-regulator-with-undefined-.patch +drm-panel-otm8009a-add-delay-at-the-end-of-initializ.patch +arm64-cpu_ops-fix-a-leaked-reference-by-adding-missi.patch +wil6210-fix-return-code-of-wmi_mgmt_tx-and-wmi_mgmt_.patch +x86-uaccess-ftrace-fix-ftrace_likely_update-vs.-smap.patch +x86-uaccess-signal-fix-ac-1-bloat.patch +x86-ia32-fix-ia32_restore_sigcontext-ac-leak.patch +x86-uaccess-fix-up-the-fixup.patch +chardev-add-additional-check-for-minor-range-overlap.patch +rdma-hns-fix-bad-endianess-of-port_pd-variable.patch +sh-sh7786-add-explicit-i-o-cast-to-sh7786_mm_sel.patch +hid-core-move-usage-page-concatenation-to-main-item.patch +asoc-eukrea-tlv320-fix-a-leaked-reference-by-adding-.patch +asoc-fsl_utils-fix-a-leaked-reference-by-adding-miss.patch +cxgb3-l2t-fix-undefined-behaviour.patch +hid-logitech-hidpp-change-low-battery-level-threshol.patch +spi-tegra114-reset-controller-on-probe.patch +kobject-don-t-trigger-kobject_uevent-kobj_remove-twi.patch +media-video-mux-fix-null-pointer-dereferences.patch +media-wl128x-prevent-two-potential-buffer-overflows.patch +media-gspca-kill-urbs-on-usb-device-disconnect.patch +efifb-omit-memory-map-check-on-legacy-boot.patch +thunderbolt-property-fix-a-missing-check-of-kzalloc.patch +thunderbolt-fix-to-check-the-return-value-of-kmemdup.patch +timekeeping-force-upper-bound-for-setting-clock_real.patch +scsi-qedf-add-missing-return-in-qedf_post_io_req-in-.patch +virtio_console-initialize-vtermno-value-for-ports.patch +tty-ipwireless-fix-missing-checks-for-ioremap.patch +overflow-fix-wtype-limits-compilation-warnings.patch +x86-mce-fix-machine_check_poll-tests-for-error-types.patch +rcutorture-fix-cleanup-path-for-invalid-torture_type.patch +x86-mce-handle-varying-mca-bank-counts.patch +rcuperf-fix-cleanup-path-for-invalid-perf_type-strin.patch +usb-core-add-pm-runtime-calls-to-usb_hcd_platform_sh.patch +scsi-qla4xxx-avoid-freeing-unallocated-dma-memory.patch +scsi-lpfc-avoid-uninitialized-variable-warning.patch +selinux-avoid-uninitialized-variable-warning.patch +batman-adv-allow-updating-dat-entry-timeouts-on-inco.patch +dmaengine-tegra210-adma-use-devm_clk_-helpers.patch +hwrng-omap-set-default-quality.patch +thunderbolt-fix-to-check-return-value-of-ida_simple_.patch +thunderbolt-fix-to-check-for-kmemdup-failure.patch +drm-amd-display-fix-releasing-planes-when-exiting-od.patch +thunderbolt-property-fix-a-null-pointer-dereference.patch +e1000e-disable-runtime-pm-on-cnp.patch +tinydrm-mipi-dbi-use-dma-safe-buffers-for-all-spi-tr.patch +igb-exclude-device-from-suspend-direct-complete-opti.patch +media-si2165-fix-a-missing-check-of-return-value.patch +media-dvbsky-avoid-leaking-dvb-frontend.patch +media-m88ds3103-serialize-reset-messages-in-m88ds310.patch +media-staging-davinci_vpfe-disallow-building-with-co.patch +drm-amd-display-fix-divide-by-0-in-memory-calculatio.patch +drm-amd-display-set-stream-mode_changed-when-connect.patch +scsi-ufs-fix-a-missing-check-of-devm_reset_control_g.patch +media-vimc-stream-fix-thread-state-before-sleep.patch +media-gspca-do-not-resubmit-urbs-when-streaming-has-.patch +media-go7007-avoid-clang-frame-overflow-warning-with.patch +media-vimc-zero-the-media_device-on-probe.patch +scsi-lpfc-fix-fdmi-manufacturer-attribute-value.patch +scsi-lpfc-fix-fc4type-information-for-fdmi.patch +media-saa7146-avoid-high-stack-usage-with-clang.patch +scsi-lpfc-fix-sli3-commands-being-issued-on-sli4-dev.patch +spi-spi-topcliff-pch-fix-to-handle-empty-dma-buffers.patch +drm-omap-dsi-fix-pm-for-display-blank-with-paired-ds.patch +spi-rspi-fix-sequencer-reset-during-initialization.patch +spi-imx-stop-buffer-overflow-in-rx-fifo-flush.patch +spi-fix-zero-length-xfer-bug.patch +asoc-davinci-mcasp-fix-clang-warning-without-config_.patch +drm-v3d-handle-errors-from-irq-setup.patch +drm-drv-hold-ref-on-parent-device-during-drm_device-.patch +drm-wake-up-next-in-drm_read-chain-if-we-are-forced-.patch +drm-sun4i-dsi-change-the-start-delay-calculation.patch +vfio-ccw-prevent-quiesce-function-going-into-an-infi.patch +drm-sun4i-dsi-enforce-boundaries-on-the-start-delay.patch +nfs-fix-a-double-unlock-from-nfs_match-get_client.patch diff --git a/queue-4.19/sh-sh7786-add-explicit-i-o-cast-to-sh7786_mm_sel.patch b/queue-4.19/sh-sh7786-add-explicit-i-o-cast-to-sh7786_mm_sel.patch new file mode 100644 index 00000000000..bd46dd406e0 --- /dev/null +++ b/queue-4.19/sh-sh7786-add-explicit-i-o-cast-to-sh7786_mm_sel.patch @@ -0,0 +1,61 @@ +From a61aa887c661cf61c57b835b7b66a233fcbc6e0b Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 11 Feb 2019 13:58:43 +0100 +Subject: sh: sh7786: Add explicit I/O cast to sh7786_mm_sel() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 8440bb9b944c02222c7a840d406141ed42e945cd ] + +When compile-testing on arm: + + arch/sh/include/cpu-sh4/cpu/sh7786.h: In function ‘sh7786_mm_sel’: + arch/sh/include/cpu-sh4/cpu/sh7786.h:135:21: warning: passing argument 1 of ‘__raw_readl’ makes pointer from integer without a cast [-Wint-conversion] + return __raw_readl(0xFC400020) & 0x7; + ^~~~~~~~~~ + In file included from include/linux/io.h:25:0, + from arch/sh/include/cpu-sh4/cpu/sh7786.h:14, + from drivers/pinctrl/sh-pfc/pfc-sh7786.c:15: + arch/arm/include/asm/io.h:113:21: note: expected ‘const volatile void *’ but argument is of type ‘unsigned int’ + #define __raw_readl __raw_readl + ^ + arch/arm/include/asm/io.h:114:19: note: in expansion of macro ‘__raw_readl’ + static inline u32 __raw_readl(const volatile void __iomem *addr) + ^~~~~~~~~~~ + +__raw_readl() on SuperH is a macro that casts the passed I/O address to +the correct type, while the implementations on most other architectures +expect to be passed the correct pointer type. + +Add an explicit cast to fix this. + +Note that this also gets rid of a sparse warning on SuperH: + + arch/sh/include/cpu-sh4/cpu/sh7786.h:135:16: warning: incorrect type in argument 1 (different base types) + arch/sh/include/cpu-sh4/cpu/sh7786.h:135:16: expected void const volatile [noderef] * + arch/sh/include/cpu-sh4/cpu/sh7786.h:135:16: got unsigned int + +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Simon Horman +Signed-off-by: Sasha Levin +--- + arch/sh/include/cpu-sh4/cpu/sh7786.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/sh/include/cpu-sh4/cpu/sh7786.h b/arch/sh/include/cpu-sh4/cpu/sh7786.h +index 96b8cb1f754a9..029bbadaf7ab5 100644 +--- a/arch/sh/include/cpu-sh4/cpu/sh7786.h ++++ b/arch/sh/include/cpu-sh4/cpu/sh7786.h +@@ -135,7 +135,7 @@ enum { + + static inline u32 sh7786_mm_sel(void) + { +- return __raw_readl(0xFC400020) & 0x7; ++ return __raw_readl((const volatile void __iomem *)0xFC400020) & 0x7; + } + + #endif /* __CPU_SH7786_H__ */ +-- +2.20.1 + diff --git a/queue-4.19/slimbus-fix-a-potential-null-pointer-dereference-in-.patch b/queue-4.19/slimbus-fix-a-potential-null-pointer-dereference-in-.patch new file mode 100644 index 00000000000..598513bd9d7 --- /dev/null +++ b/queue-4.19/slimbus-fix-a-potential-null-pointer-dereference-in-.patch @@ -0,0 +1,37 @@ +From 634579075e38292b49fdacfc2455681382bf585f Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Sat, 13 Apr 2019 11:34:47 +0100 +Subject: slimbus: fix a potential NULL pointer dereference in + of_qcom_slim_ngd_register + +[ Upstream commit 06d5d6b7f9948a89543e1160ef852d57892c750d ] + +In case platform_device_alloc fails, the fix returns an error +code to avoid the NULL pointer dereference. + +Signed-off-by: Kangjie Lu +Signed-off-by: Srinivas Kandagatla +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/slimbus/qcom-ngd-ctrl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/slimbus/qcom-ngd-ctrl.c b/drivers/slimbus/qcom-ngd-ctrl.c +index 14a9d18306cbf..f63d1b8a09335 100644 +--- a/drivers/slimbus/qcom-ngd-ctrl.c ++++ b/drivers/slimbus/qcom-ngd-ctrl.c +@@ -1331,6 +1331,10 @@ static int of_qcom_slim_ngd_register(struct device *parent, + return -ENOMEM; + + ngd->pdev = platform_device_alloc(QCOM_SLIM_NGD_DRV_NAME, id); ++ if (!ngd->pdev) { ++ kfree(ngd); ++ return -ENOMEM; ++ } + ngd->id = id; + ngd->pdev->dev.parent = parent; + ngd->pdev->driver_override = QCOM_SLIM_NGD_DRV_NAME; +-- +2.20.1 + diff --git a/queue-4.19/smpboot-place-the-__percpu-annotation-correctly.patch b/queue-4.19/smpboot-place-the-__percpu-annotation-correctly.patch new file mode 100644 index 00000000000..a9eda62b2dd --- /dev/null +++ b/queue-4.19/smpboot-place-the-__percpu-annotation-correctly.patch @@ -0,0 +1,47 @@ +From 3f0f1502cabccc0859f43d1e558c238c31826f38 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Wed, 24 Apr 2019 10:52:53 +0200 +Subject: smpboot: Place the __percpu annotation correctly + +[ Upstream commit d4645d30b50d1691c26ff0f8fa4e718b08f8d3bb ] + +The test robot reported a wrong assignment of a per-CPU variable which +it detected by using sparse and sent a report. The assignment itself is +correct. The annotation for sparse was wrong and hence the report. +The first pointer is a "normal" pointer and points to the per-CPU memory +area. That means that the __percpu annotation has to be moved. + +Move the __percpu annotation to pointer which points to the per-CPU +area. This change affects only the sparse tool (and is ignored by the +compiler). + +Reported-by: kbuild test robot +Signed-off-by: Sebastian Andrzej Siewior +Cc: Linus Torvalds +Cc: Paul E. McKenney +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: f97f8f06a49fe ("smpboot: Provide infrastructure for percpu hotplug threads") +Link: http://lkml.kernel.org/r/20190424085253.12178-1-bigeasy@linutronix.de +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + include/linux/smpboot.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/smpboot.h b/include/linux/smpboot.h +index d0884b5250010..9d1bc65d226cc 100644 +--- a/include/linux/smpboot.h ++++ b/include/linux/smpboot.h +@@ -29,7 +29,7 @@ struct smpboot_thread_data; + * @thread_comm: The base name of the thread + */ + struct smp_hotplug_thread { +- struct task_struct __percpu **store; ++ struct task_struct * __percpu *store; + struct list_head list; + int (*thread_should_run)(unsigned int cpu); + void (*thread_fn)(unsigned int cpu); +-- +2.20.1 + diff --git a/queue-4.19/spi-fix-zero-length-xfer-bug.patch b/queue-4.19/spi-fix-zero-length-xfer-bug.patch new file mode 100644 index 00000000000..9a3fc960305 --- /dev/null +++ b/queue-4.19/spi-fix-zero-length-xfer-bug.patch @@ -0,0 +1,48 @@ +From da6b39fc884d4d49aff73bc4f9fae1b0c7537776 Mon Sep 17 00:00:00 2001 +From: Chris Lesiak +Date: Thu, 7 Mar 2019 20:39:00 +0000 +Subject: spi: Fix zero length xfer bug + +[ Upstream commit 5442dcaa0d90fc376bdfc179a018931a8f43dea4 ] + +This fixes a bug for messages containing both zero length and +unidirectional xfers. + +The function spi_map_msg will allocate dummy tx and/or rx buffers +for use with unidirectional transfers when the hardware can only do +a bidirectional transfer. That dummy buffer will be used in place +of a NULL buffer even when the xfer length is 0. + +Then in the function __spi_map_msg, if he hardware can dma, +the zero length xfer will have spi_map_buf called on the dummy +buffer. + +Eventually, __sg_alloc_table is called and returns -EINVAL +because nents == 0. + +This fix prevents the error by not using the dummy buffer when +the xfer length is zero. + +Signed-off-by: Chris Lesiak +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c +index 9da0bc5a036cf..88a8a8edd44be 100644 +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -982,6 +982,8 @@ static int spi_map_msg(struct spi_controller *ctlr, struct spi_message *msg) + if (max_tx || max_rx) { + list_for_each_entry(xfer, &msg->transfers, + transfer_list) { ++ if (!xfer->len) ++ continue; + if (!xfer->tx_buf) + xfer->tx_buf = ctlr->dummy_tx; + if (!xfer->rx_buf) +-- +2.20.1 + diff --git a/queue-4.19/spi-imx-stop-buffer-overflow-in-rx-fifo-flush.patch b/queue-4.19/spi-imx-stop-buffer-overflow-in-rx-fifo-flush.patch new file mode 100644 index 00000000000..46b4041d42c --- /dev/null +++ b/queue-4.19/spi-imx-stop-buffer-overflow-in-rx-fifo-flush.patch @@ -0,0 +1,57 @@ +From 7b234ef086cab29eb0c940217fecdadcc2167558 Mon Sep 17 00:00:00 2001 +From: Trent Piepho +Date: Mon, 4 Mar 2019 20:18:49 +0000 +Subject: spi: imx: stop buffer overflow in RX FIFO flush + +[ Upstream commit c842749ea1d32513f9e603c074d60d7aa07cb2ef ] + +Commit 71abd29057cb ("spi: imx: Add support for SPI Slave mode") added +an RX FIFO flush before start of a transfer. In slave mode, the master +may have sent more data than expected and this data will still be in the +RX FIFO at the start of the next transfer, and so needs to be flushed. + +However, the code to do the flush was accidentally saving this data into +the previous transfer's RX buffer, clobbering the contents of whatever +followed that buffer. + +Change it to empty the FIFO and throw away the data. Every one of the +RX functions for the different eCSPI versions and modes reads the RX +FIFO data using the same readl() call, so just use that, rather than +using the spi_imx->rx function pointer and making sure all the different +rx functions have a working "throw away" mode. + +There is another issue, which affects master mode when switching from +DMA to PIO. There can be extra data in the RX FIFO which triggers this +flush code, causing memory corruption in the same manner. I don't know +why this data is unexpectedly in the FIFO. It's likely there is a +different bug or erratum responsible for that. But regardless of that, +I think this is proper fix the for bug at hand here. + +Fixes: 71abd29057cb ("spi: imx: Add support for SPI Slave mode") +Cc: Jiada Wang +Cc: Fabio Estevam +Cc: Stefan Agner +Cc: Shawn Guo +Signed-off-by: Trent Piepho +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-imx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c +index 08dd3a31a3e5f..5b6f3655c366a 100644 +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -1427,7 +1427,7 @@ static int spi_imx_transfer(struct spi_device *spi, + + /* flush rxfifo before transfer */ + while (spi_imx->devtype_data->rx_available(spi_imx)) +- spi_imx->rx(spi_imx); ++ readl(spi_imx->base + MXC_CSPIRXDATA); + + if (spi_imx->slave_mode) + return spi_imx_pio_transfer_slave(spi, transfer); +-- +2.20.1 + diff --git a/queue-4.19/spi-pxa2xx-fix-scr-divisor-calculation.patch b/queue-4.19/spi-pxa2xx-fix-scr-divisor-calculation.patch new file mode 100644 index 00000000000..5fec185de9d --- /dev/null +++ b/queue-4.19/spi-pxa2xx-fix-scr-divisor-calculation.patch @@ -0,0 +1,61 @@ +From 681ed2a799373924fb23ab95dc4d1f19b1384d85 Mon Sep 17 00:00:00 2001 +From: Flavio Suligoi +Date: Fri, 12 Apr 2019 09:32:19 +0200 +Subject: spi: pxa2xx: fix SCR (divisor) calculation + +[ Upstream commit 29f2133717c527f492933b0622a4aafe0b3cbe9e ] + +Calculate the divisor for the SCR (Serial Clock Rate), avoiding +that the SSP transmission rate can be greater than the device rate. + +When the division between the SSP clock and the device rate generates +a reminder, we have to increment by one the divisor. +In this way the resulting SSP clock will never be greater than the +device SPI max frequency. + +For example, with: + + - ssp_clk = 50 MHz + - dev freq = 15 MHz + +without this patch the SSP clock will be greater than 15 MHz: + + - 25 MHz for PXA25x_SSP and CE4100_SSP + - 16,56 MHz for the others + +Instead, with this patch, we have in both case an SSP clock of 12.5MHz, +so the max rate of the SPI device clock is respected. + +Signed-off-by: Flavio Suligoi +Reviewed-by: Jarkko Nikula +Reviewed-by: Jarkko Nikula +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-pxa2xx.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-pxa2xx.c b/drivers/spi/spi-pxa2xx.c +index b624f6fb04ce5..729be74621e37 100644 +--- a/drivers/spi/spi-pxa2xx.c ++++ b/drivers/spi/spi-pxa2xx.c +@@ -876,10 +876,14 @@ static unsigned int ssp_get_clk_div(struct driver_data *drv_data, int rate) + + rate = min_t(int, ssp_clk, rate); + ++ /* ++ * Calculate the divisor for the SCR (Serial Clock Rate), avoiding ++ * that the SSP transmission rate can be greater than the device rate ++ */ + if (ssp->type == PXA25x_SSP || ssp->type == CE4100_SSP) +- return (ssp_clk / (2 * rate) - 1) & 0xff; ++ return (DIV_ROUND_UP(ssp_clk, 2 * rate) - 1) & 0xff; + else +- return (ssp_clk / rate - 1) & 0xfff; ++ return (DIV_ROUND_UP(ssp_clk, rate) - 1) & 0xfff; + } + + static unsigned int pxa2xx_ssp_get_clk_div(struct driver_data *drv_data, +-- +2.20.1 + diff --git a/queue-4.19/spi-rspi-fix-sequencer-reset-during-initialization.patch b/queue-4.19/spi-rspi-fix-sequencer-reset-during-initialization.patch new file mode 100644 index 00000000000..771c2029842 --- /dev/null +++ b/queue-4.19/spi-rspi-fix-sequencer-reset-during-initialization.patch @@ -0,0 +1,59 @@ +From 237715c32cdfde7e20dd618841d15bc2995d6bc6 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Tue, 12 Mar 2019 19:45:13 +0100 +Subject: spi: rspi: Fix sequencer reset during initialization + +[ Upstream commit 26843bb128590edd7eba1ad7ce22e4b9f1066ce3 ] + +While the sequencer is reset after each SPI message since commit +880c6d114fd79a69 ("spi: rspi: Add support for Quad and Dual SPI +Transfers on QSPI"), it was never reset for the first message, thus +relying on reset state or bootloader settings. + +Fix this by initializing it explicitly during configuration. + +Fixes: 0b2182ddac4b8837 ("spi: add support for Renesas RSPI") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-rspi.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-rspi.c b/drivers/spi/spi-rspi.c +index b37de1d991d6a..d61120822f026 100644 +--- a/drivers/spi/spi-rspi.c ++++ b/drivers/spi/spi-rspi.c +@@ -279,7 +279,8 @@ static int rspi_set_config_register(struct rspi_data *rspi, int access_size) + /* Sets parity, interrupt mask */ + rspi_write8(rspi, 0x00, RSPI_SPCR2); + +- /* Sets SPCMD */ ++ /* Resets sequencer */ ++ rspi_write8(rspi, 0, RSPI_SPSCR); + rspi->spcmd |= SPCMD_SPB_8_TO_16(access_size); + rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0); + +@@ -323,7 +324,8 @@ static int rspi_rz_set_config_register(struct rspi_data *rspi, int access_size) + rspi_write8(rspi, 0x00, RSPI_SSLND); + rspi_write8(rspi, 0x00, RSPI_SPND); + +- /* Sets SPCMD */ ++ /* Resets sequencer */ ++ rspi_write8(rspi, 0, RSPI_SPSCR); + rspi->spcmd |= SPCMD_SPB_8_TO_16(access_size); + rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0); + +@@ -374,7 +376,8 @@ static int qspi_set_config_register(struct rspi_data *rspi, int access_size) + /* Sets buffer to allow normal operation */ + rspi_write8(rspi, 0x00, QSPI_SPBFCR); + +- /* Sets SPCMD */ ++ /* Resets sequencer */ ++ rspi_write8(rspi, 0, RSPI_SPSCR); + rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0); + + /* Sets RSPI mode */ +-- +2.20.1 + diff --git a/queue-4.19/spi-spi-topcliff-pch-fix-to-handle-empty-dma-buffers.patch b/queue-4.19/spi-spi-topcliff-pch-fix-to-handle-empty-dma-buffers.patch new file mode 100644 index 00000000000..df83074a934 --- /dev/null +++ b/queue-4.19/spi-spi-topcliff-pch-fix-to-handle-empty-dma-buffers.patch @@ -0,0 +1,65 @@ +From 65e05d7f34bdef46a26c8ed4abb6ba1870c0a518 Mon Sep 17 00:00:00 2001 +From: Aditya Pakki +Date: Wed, 13 Mar 2019 11:55:41 -0500 +Subject: spi : spi-topcliff-pch: Fix to handle empty DMA buffers + +[ Upstream commit f37d8e67f39e6d3eaf4cc5471e8a3d21209843c6 ] + +pch_alloc_dma_buf allocated tx, rx DMA buffers which can fail. Further, +these buffers are used without a check. The patch checks for these +failures and sends the error upstream. + +Signed-off-by: Aditya Pakki +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-topcliff-pch.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-topcliff-pch.c b/drivers/spi/spi-topcliff-pch.c +index 97d137591b18d..4389ab80c23e6 100644 +--- a/drivers/spi/spi-topcliff-pch.c ++++ b/drivers/spi/spi-topcliff-pch.c +@@ -1294,18 +1294,27 @@ static void pch_free_dma_buf(struct pch_spi_board_data *board_dat, + dma->rx_buf_virt, dma->rx_buf_dma); + } + +-static void pch_alloc_dma_buf(struct pch_spi_board_data *board_dat, ++static int pch_alloc_dma_buf(struct pch_spi_board_data *board_dat, + struct pch_spi_data *data) + { + struct pch_spi_dma_ctrl *dma; ++ int ret; + + dma = &data->dma; ++ ret = 0; + /* Get Consistent memory for Tx DMA */ + dma->tx_buf_virt = dma_alloc_coherent(&board_dat->pdev->dev, + PCH_BUF_SIZE, &dma->tx_buf_dma, GFP_KERNEL); ++ if (!dma->tx_buf_virt) ++ ret = -ENOMEM; ++ + /* Get Consistent memory for Rx DMA */ + dma->rx_buf_virt = dma_alloc_coherent(&board_dat->pdev->dev, + PCH_BUF_SIZE, &dma->rx_buf_dma, GFP_KERNEL); ++ if (!dma->rx_buf_virt) ++ ret = -ENOMEM; ++ ++ return ret; + } + + static int pch_spi_pd_probe(struct platform_device *plat_dev) +@@ -1382,7 +1391,9 @@ static int pch_spi_pd_probe(struct platform_device *plat_dev) + + if (use_dma) { + dev_info(&plat_dev->dev, "Use DMA for data transfers\n"); +- pch_alloc_dma_buf(board_dat, data); ++ ret = pch_alloc_dma_buf(board_dat, data); ++ if (ret) ++ goto err_spi_register_master; + } + + ret = spi_register_master(master); +-- +2.20.1 + diff --git a/queue-4.19/spi-tegra114-reset-controller-on-probe.patch b/queue-4.19/spi-tegra114-reset-controller-on-probe.patch new file mode 100644 index 00000000000..ec5f453b0c9 --- /dev/null +++ b/queue-4.19/spi-tegra114-reset-controller-on-probe.patch @@ -0,0 +1,106 @@ +From 788fa67270f0f0c4bb4aeff3f18846ce113e46cc Mon Sep 17 00:00:00 2001 +From: Sowjanya Komatineni +Date: Tue, 26 Mar 2019 22:56:32 -0700 +Subject: spi: tegra114: reset controller on probe + +[ Upstream commit 019194933339b3e9b486639c8cb3692020844d65 ] + +Fixes: SPI driver can be built as module so perform SPI controller reset +on probe to make sure it is in valid state before initiating transfer. + +Signed-off-by: Sowjanya Komatineni +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra114.c | 32 ++++++++++++++++++-------------- + 1 file changed, 18 insertions(+), 14 deletions(-) + +diff --git a/drivers/spi/spi-tegra114.c b/drivers/spi/spi-tegra114.c +index a76acedd7e2f4..a1888dc6a938a 100644 +--- a/drivers/spi/spi-tegra114.c ++++ b/drivers/spi/spi-tegra114.c +@@ -1067,27 +1067,19 @@ static int tegra_spi_probe(struct platform_device *pdev) + + spi_irq = platform_get_irq(pdev, 0); + tspi->irq = spi_irq; +- ret = request_threaded_irq(tspi->irq, tegra_spi_isr, +- tegra_spi_isr_thread, IRQF_ONESHOT, +- dev_name(&pdev->dev), tspi); +- if (ret < 0) { +- dev_err(&pdev->dev, "Failed to register ISR for IRQ %d\n", +- tspi->irq); +- goto exit_free_master; +- } + + tspi->clk = devm_clk_get(&pdev->dev, "spi"); + if (IS_ERR(tspi->clk)) { + dev_err(&pdev->dev, "can not get clock\n"); + ret = PTR_ERR(tspi->clk); +- goto exit_free_irq; ++ goto exit_free_master; + } + + tspi->rst = devm_reset_control_get_exclusive(&pdev->dev, "spi"); + if (IS_ERR(tspi->rst)) { + dev_err(&pdev->dev, "can not get reset\n"); + ret = PTR_ERR(tspi->rst); +- goto exit_free_irq; ++ goto exit_free_master; + } + + tspi->max_buf_size = SPI_FIFO_DEPTH << 2; +@@ -1095,7 +1087,7 @@ static int tegra_spi_probe(struct platform_device *pdev) + + ret = tegra_spi_init_dma_param(tspi, true); + if (ret < 0) +- goto exit_free_irq; ++ goto exit_free_master; + ret = tegra_spi_init_dma_param(tspi, false); + if (ret < 0) + goto exit_rx_dma_free; +@@ -1117,18 +1109,32 @@ static int tegra_spi_probe(struct platform_device *pdev) + dev_err(&pdev->dev, "pm runtime get failed, e = %d\n", ret); + goto exit_pm_disable; + } ++ ++ reset_control_assert(tspi->rst); ++ udelay(2); ++ reset_control_deassert(tspi->rst); + tspi->def_command1_reg = SPI_M_S; + tegra_spi_writel(tspi, tspi->def_command1_reg, SPI_COMMAND1); + pm_runtime_put(&pdev->dev); ++ ret = request_threaded_irq(tspi->irq, tegra_spi_isr, ++ tegra_spi_isr_thread, IRQF_ONESHOT, ++ dev_name(&pdev->dev), tspi); ++ if (ret < 0) { ++ dev_err(&pdev->dev, "Failed to register ISR for IRQ %d\n", ++ tspi->irq); ++ goto exit_pm_disable; ++ } + + master->dev.of_node = pdev->dev.of_node; + ret = devm_spi_register_master(&pdev->dev, master); + if (ret < 0) { + dev_err(&pdev->dev, "can not register to master err %d\n", ret); +- goto exit_pm_disable; ++ goto exit_free_irq; + } + return ret; + ++exit_free_irq: ++ free_irq(spi_irq, tspi); + exit_pm_disable: + pm_runtime_disable(&pdev->dev); + if (!pm_runtime_status_suspended(&pdev->dev)) +@@ -1136,8 +1142,6 @@ static int tegra_spi_probe(struct platform_device *pdev) + tegra_spi_deinit_dma_param(tspi, false); + exit_rx_dma_free: + tegra_spi_deinit_dma_param(tspi, true); +-exit_free_irq: +- free_irq(spi_irq, tspi); + exit_free_master: + spi_master_put(master); + return ret; +-- +2.20.1 + diff --git a/queue-4.19/staging-vc04_services-handle-kzalloc-failure.patch b/queue-4.19/staging-vc04_services-handle-kzalloc-failure.patch new file mode 100644 index 00000000000..b496bc5b786 --- /dev/null +++ b/queue-4.19/staging-vc04_services-handle-kzalloc-failure.patch @@ -0,0 +1,54 @@ +From 1dcdc31df6cc8d28dd6d907106a44de60dcc4dc0 Mon Sep 17 00:00:00 2001 +From: Nicholas Mc Guire +Date: Fri, 19 Apr 2019 01:31:08 +0200 +Subject: staging: vc04_services: handle kzalloc failure + +[ Upstream commit a5112277872a56017b777770e2fd4324d4a6c866 ] + +The kzalloc here was being used without checking the return - if the +kzalloc fails return VCHIQ_ERROR. The call-site of +vchiq_platform_init_state() vchiq_init_state() was not responding +to an allocation failure so checks for != VCHIQ_SUCCESS +and pass VCHIQ_ERROR up to vchiq_platform_init() which then +will fail with -EINVAL. + +Signed-off-by: Nicholas Mc Guire +Reported-by: kbuild test robot +Acked-By: Stefan Wahren +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + .../staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c | 3 +++ + drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c +index e767209030642..c7c8ef67b67fa 100644 +--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c ++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c +@@ -208,6 +208,9 @@ vchiq_platform_init_state(VCHIQ_STATE_T *state) + struct vchiq_2835_state *platform_state; + + state->platform_state = kzalloc(sizeof(*platform_state), GFP_KERNEL); ++ if (!state->platform_state) ++ return VCHIQ_ERROR; ++ + platform_state = (struct vchiq_2835_state *)state->platform_state; + + platform_state->inited = 1; +diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c +index 7642ced314364..63ce567eb6b75 100644 +--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c ++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c +@@ -2537,6 +2537,8 @@ vchiq_init_state(VCHIQ_STATE_T *state, VCHIQ_SLOT_ZERO_T *slot_zero, + local->debug[DEBUG_ENTRIES] = DEBUG_MAX; + + status = vchiq_platform_init_state(state); ++ if (status != VCHIQ_SUCCESS) ++ return VCHIQ_ERROR; + + /* + bring up slot handler thread +-- +2.20.1 + diff --git a/queue-4.19/thunderbolt-fix-to-check-for-kmemdup-failure.patch b/queue-4.19/thunderbolt-fix-to-check-for-kmemdup-failure.patch new file mode 100644 index 00000000000..c50c5bd1398 --- /dev/null +++ b/queue-4.19/thunderbolt-fix-to-check-for-kmemdup-failure.patch @@ -0,0 +1,87 @@ +From 36cf30a5fd1a294687cb0f837e46afaf562e4d08 Mon Sep 17 00:00:00 2001 +From: Aditya Pakki +Date: Wed, 20 Mar 2019 10:57:54 -0500 +Subject: thunderbolt: Fix to check for kmemdup failure + +[ Upstream commit 2cc12751cf464a722ff57b54d17d30c84553f9c0 ] + +Memory allocated via kmemdup might fail and return a NULL pointer. +This patch adds a check on the return value of kmemdup and passes the +error upstream. + +Signed-off-by: Aditya Pakki +Reviewed-by: Mukesh Ojha +Signed-off-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/thunderbolt/switch.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/drivers/thunderbolt/switch.c b/drivers/thunderbolt/switch.c +index ed572c82a91be..bc7efa6e515d0 100644 +--- a/drivers/thunderbolt/switch.c ++++ b/drivers/thunderbolt/switch.c +@@ -1289,13 +1289,14 @@ int tb_switch_configure(struct tb_switch *sw) + return tb_plug_events_active(sw, true); + } + +-static void tb_switch_set_uuid(struct tb_switch *sw) ++static int tb_switch_set_uuid(struct tb_switch *sw) + { + u32 uuid[4]; +- int cap; ++ int cap, ret; + ++ ret = 0; + if (sw->uuid) +- return; ++ return ret; + + /* + * The newer controllers include fused UUID as part of link +@@ -1303,7 +1304,9 @@ static void tb_switch_set_uuid(struct tb_switch *sw) + */ + cap = tb_switch_find_vse_cap(sw, TB_VSE_CAP_LINK_CONTROLLER); + if (cap > 0) { +- tb_sw_read(sw, uuid, TB_CFG_SWITCH, cap + 3, 4); ++ ret = tb_sw_read(sw, uuid, TB_CFG_SWITCH, cap + 3, 4); ++ if (ret) ++ return ret; + } else { + /* + * ICM generates UUID based on UID and fills the upper +@@ -1318,6 +1321,9 @@ static void tb_switch_set_uuid(struct tb_switch *sw) + } + + sw->uuid = kmemdup(uuid, sizeof(uuid), GFP_KERNEL); ++ if (!sw->uuid) ++ ret = -ENOMEM; ++ return ret; + } + + static int tb_switch_add_dma_port(struct tb_switch *sw) +@@ -1367,7 +1373,9 @@ static int tb_switch_add_dma_port(struct tb_switch *sw) + + if (status) { + tb_sw_info(sw, "switch flash authentication failed\n"); +- tb_switch_set_uuid(sw); ++ ret = tb_switch_set_uuid(sw); ++ if (ret) ++ return ret; + nvm_set_auth_status(sw, status); + } + +@@ -1417,7 +1425,9 @@ int tb_switch_add(struct tb_switch *sw) + } + tb_sw_info(sw, "uid: %#llx\n", sw->uid); + +- tb_switch_set_uuid(sw); ++ ret = tb_switch_set_uuid(sw); ++ if (ret) ++ return ret; + + for (i = 0; i <= sw->config.max_port_number; i++) { + if (sw->ports[i].disabled) { +-- +2.20.1 + diff --git a/queue-4.19/thunderbolt-fix-to-check-return-value-of-ida_simple_.patch b/queue-4.19/thunderbolt-fix-to-check-return-value-of-ida_simple_.patch new file mode 100644 index 00000000000..b9d81973702 --- /dev/null +++ b/queue-4.19/thunderbolt-fix-to-check-return-value-of-ida_simple_.patch @@ -0,0 +1,47 @@ +From da64ecbb249c8d434bd8d2a6e5dc7ee5e390815b Mon Sep 17 00:00:00 2001 +From: Aditya Pakki +Date: Wed, 20 Mar 2019 11:34:09 -0500 +Subject: thunderbolt: Fix to check return value of ida_simple_get + +[ Upstream commit 9aabb68568b473bf2f0b179d053b403961e42e4d ] + +In enumerate_services, ida_simple_get on failure can return an error and +leaks memory. The patch ensures that the dev_set_name is set on non +failure cases, and releases memory during failure. + +Signed-off-by: Aditya Pakki +Signed-off-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/thunderbolt/xdomain.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/thunderbolt/xdomain.c b/drivers/thunderbolt/xdomain.c +index db8bece633270..befe754906979 100644 +--- a/drivers/thunderbolt/xdomain.c ++++ b/drivers/thunderbolt/xdomain.c +@@ -743,6 +743,7 @@ static void enumerate_services(struct tb_xdomain *xd) + struct tb_service *svc; + struct tb_property *p; + struct device *dev; ++ int id; + + /* + * First remove all services that are not available anymore in +@@ -771,7 +772,12 @@ static void enumerate_services(struct tb_xdomain *xd) + break; + } + +- svc->id = ida_simple_get(&xd->service_ids, 0, 0, GFP_KERNEL); ++ id = ida_simple_get(&xd->service_ids, 0, 0, GFP_KERNEL); ++ if (id < 0) { ++ kfree(svc); ++ break; ++ } ++ svc->id = id; + svc->dev.bus = &tb_bus_type; + svc->dev.type = &tb_service_type; + svc->dev.parent = &xd->dev; +-- +2.20.1 + diff --git a/queue-4.19/thunderbolt-fix-to-check-the-return-value-of-kmemdup.patch b/queue-4.19/thunderbolt-fix-to-check-the-return-value-of-kmemdup.patch new file mode 100644 index 00000000000..9065ce65279 --- /dev/null +++ b/queue-4.19/thunderbolt-fix-to-check-the-return-value-of-kmemdup.patch @@ -0,0 +1,37 @@ +From 905cd35d52d2a8246fbbd11d9068e2aa44650cca Mon Sep 17 00:00:00 2001 +From: Aditya Pakki +Date: Mon, 25 Mar 2019 16:25:22 -0500 +Subject: thunderbolt: Fix to check the return value of kmemdup + +[ Upstream commit fd21b79e541e4666c938a344f3ad2df74b4f5120 ] + +uuid in add_switch is allocted via kmemdup which can fail. The patch +logs the error and cleans up the allocated memory for switch. + +Signed-off-by: Aditya Pakki +Reviewed-by: Mukesh Ojha +Signed-off-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/thunderbolt/icm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/thunderbolt/icm.c b/drivers/thunderbolt/icm.c +index 28fc4ce75edb4..8490a1b6b6156 100644 +--- a/drivers/thunderbolt/icm.c ++++ b/drivers/thunderbolt/icm.c +@@ -476,6 +476,11 @@ static void add_switch(struct tb_switch *parent_sw, u64 route, + goto out; + + sw->uuid = kmemdup(uuid, sizeof(*uuid), GFP_KERNEL); ++ if (!sw->uuid) { ++ tb_sw_warn(sw, "cannot allocate memory for switch\n"); ++ tb_switch_put(sw); ++ goto out; ++ } + sw->connection_id = connection_id; + sw->connection_key = connection_key; + sw->link = link; +-- +2.20.1 + diff --git a/queue-4.19/thunderbolt-property-fix-a-missing-check-of-kzalloc.patch b/queue-4.19/thunderbolt-property-fix-a-missing-check-of-kzalloc.patch new file mode 100644 index 00000000000..cebf822beb0 --- /dev/null +++ b/queue-4.19/thunderbolt-property-fix-a-missing-check-of-kzalloc.patch @@ -0,0 +1,41 @@ +From 086c45ddf42d1b3837f1fd9867e2d5aaab1ff5ee Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Mon, 25 Mar 2019 15:23:08 -0500 +Subject: thunderbolt: property: Fix a missing check of kzalloc + +[ Upstream commit 6183d5a51866f3acdeeb66b75e87d44025b01a55 ] + +No check is enforced for the return value of kzalloc, +which may lead to NULL-pointer dereference. + +The patch fixes this issue. + +Signed-off-by: Kangjie Lu +Reviewed-by: Mukesh Ojha +Signed-off-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/thunderbolt/property.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/thunderbolt/property.c b/drivers/thunderbolt/property.c +index 8fe913a95b4ad..67fd0b5551ded 100644 +--- a/drivers/thunderbolt/property.c ++++ b/drivers/thunderbolt/property.c +@@ -581,7 +581,12 @@ int tb_property_add_text(struct tb_property_dir *parent, const char *key, + return -ENOMEM; + + property->length = size / 4; +- property->value.data = kzalloc(size, GFP_KERNEL); ++ property->value.text = kzalloc(size, GFP_KERNEL); ++ if (!property->value.text) { ++ kfree(property); ++ return -ENOMEM; ++ } ++ + strcpy(property->value.text, text); + + list_add_tail(&property->list, &parent->properties); +-- +2.20.1 + diff --git a/queue-4.19/thunderbolt-property-fix-a-null-pointer-dereference.patch b/queue-4.19/thunderbolt-property-fix-a-null-pointer-dereference.patch new file mode 100644 index 00000000000..b54ca7a371b --- /dev/null +++ b/queue-4.19/thunderbolt-property-fix-a-null-pointer-dereference.patch @@ -0,0 +1,36 @@ +From 5a5c3ae1f82743c49d7d2391a8970ce92aa9ae20 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 12 Mar 2019 03:33:28 -0500 +Subject: thunderbolt: property: Fix a NULL pointer dereference + +[ Upstream commit 106204b56f60abf1bead7dceb88f2be3e34433da ] + +In case kzalloc fails, the fix releases resources and returns +-ENOMEM to avoid the NULL pointer dereference. + +Signed-off-by: Kangjie Lu +Signed-off-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/thunderbolt/property.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/thunderbolt/property.c b/drivers/thunderbolt/property.c +index 67fd0b5551ded..be3f8b592b05b 100644 +--- a/drivers/thunderbolt/property.c ++++ b/drivers/thunderbolt/property.c +@@ -551,6 +551,11 @@ int tb_property_add_data(struct tb_property_dir *parent, const char *key, + + property->length = size / 4; + property->value.data = kzalloc(size, GFP_KERNEL); ++ if (!property->value.data) { ++ kfree(property); ++ return -ENOMEM; ++ } ++ + memcpy(property->value.data, buf, buflen); + + list_add_tail(&property->list, &parent->properties); +-- +2.20.1 + diff --git a/queue-4.19/thunderbolt-take-domain-lock-in-switch-sysfs-attribu.patch b/queue-4.19/thunderbolt-take-domain-lock-in-switch-sysfs-attribu.patch new file mode 100644 index 00000000000..36b433b5996 --- /dev/null +++ b/queue-4.19/thunderbolt-take-domain-lock-in-switch-sysfs-attribu.patch @@ -0,0 +1,244 @@ +From efdda40ab26efc26a70af5a62aec8ad2e55a8916 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Tue, 19 Mar 2019 16:48:41 +0200 +Subject: thunderbolt: Take domain lock in switch sysfs attribute callbacks + +[ Upstream commit 09f11b6c99feaf86a26444bca85dc693b3f58f8b ] + +switch_lock was introduced because it allowed serialization of device +authorization requests from userspace without need to take the big +domain lock (tb->lock). This was fine because device authorization with +ICM is just one command that is sent to the firmware. Now that we start +to handle all tunneling in the driver switch_lock is not enough because +we need to walk over the topology to establish paths. + +For this reason drop switch_lock from the driver completely in favour of +big domain lock. + +There is one complication, though. If userspace is waiting for the lock +in tb_switch_set_authorized(), it keeps the device_del() from removing +the sysfs attribute because it waits for active users to release the +attribute first which leads into following splat: + + INFO: task kworker/u8:3:73 blocked for more than 61 seconds. + Tainted: G W 5.1.0-rc1+ #244 + "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + kworker/u8:3 D12976 73 2 0x80000000 + Workqueue: thunderbolt0 tb_handle_hotplug [thunderbolt] + Call Trace: + ? __schedule+0x2e5/0x740 + ? _raw_spin_lock_irqsave+0x12/0x40 + ? prepare_to_wait_event+0xc5/0x160 + schedule+0x2d/0x80 + __kernfs_remove.part.17+0x183/0x1f0 + ? finish_wait+0x80/0x80 + kernfs_remove_by_name_ns+0x4a/0x90 + remove_files.isra.1+0x2b/0x60 + sysfs_remove_group+0x38/0x80 + sysfs_remove_groups+0x24/0x40 + device_remove_attrs+0x3d/0x70 + device_del+0x14c/0x360 + device_unregister+0x15/0x50 + tb_switch_remove+0x9e/0x1d0 [thunderbolt] + tb_handle_hotplug+0x119/0x5a0 [thunderbolt] + ? process_one_work+0x1b7/0x420 + process_one_work+0x1b7/0x420 + worker_thread+0x37/0x380 + ? _raw_spin_unlock_irqrestore+0xf/0x30 + ? process_one_work+0x420/0x420 + kthread+0x118/0x130 + ? kthread_create_on_node+0x60/0x60 + ret_from_fork+0x35/0x40 + +We deal this by following what network stack did for some of their +attributes and use mutex_trylock() with restart_syscall(). This makes +userspace release the attribute allowing sysfs attribute removal to +progress before the write is restarted and eventually fail when the +attribute is removed. + +Signed-off-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/thunderbolt/switch.c | 45 +++++++++++++++--------------------- + drivers/thunderbolt/tb.h | 3 +-- + 2 files changed, 20 insertions(+), 28 deletions(-) + +diff --git a/drivers/thunderbolt/switch.c b/drivers/thunderbolt/switch.c +index dd9ae6f5d19ce..ed572c82a91be 100644 +--- a/drivers/thunderbolt/switch.c ++++ b/drivers/thunderbolt/switch.c +@@ -9,15 +9,13 @@ + #include + #include + #include ++#include + #include + #include + #include + + #include "tb.h" + +-/* Switch authorization from userspace is serialized by this lock */ +-static DEFINE_MUTEX(switch_lock); +- + /* Switch NVM support */ + + #define NVM_DEVID 0x05 +@@ -253,8 +251,8 @@ static int tb_switch_nvm_write(void *priv, unsigned int offset, void *val, + struct tb_switch *sw = priv; + int ret = 0; + +- if (mutex_lock_interruptible(&switch_lock)) +- return -ERESTARTSYS; ++ if (!mutex_trylock(&sw->tb->lock)) ++ return restart_syscall(); + + /* + * Since writing the NVM image might require some special steps, +@@ -274,7 +272,7 @@ static int tb_switch_nvm_write(void *priv, unsigned int offset, void *val, + memcpy(sw->nvm->buf + offset, val, bytes); + + unlock: +- mutex_unlock(&switch_lock); ++ mutex_unlock(&sw->tb->lock); + + return ret; + } +@@ -363,10 +361,7 @@ static int tb_switch_nvm_add(struct tb_switch *sw) + } + nvm->non_active = nvm_dev; + +- mutex_lock(&switch_lock); + sw->nvm = nvm; +- mutex_unlock(&switch_lock); +- + return 0; + + err_nvm_active: +@@ -383,10 +378,8 @@ static void tb_switch_nvm_remove(struct tb_switch *sw) + { + struct tb_switch_nvm *nvm; + +- mutex_lock(&switch_lock); + nvm = sw->nvm; + sw->nvm = NULL; +- mutex_unlock(&switch_lock); + + if (!nvm) + return; +@@ -717,8 +710,8 @@ static int tb_switch_set_authorized(struct tb_switch *sw, unsigned int val) + { + int ret = -EINVAL; + +- if (mutex_lock_interruptible(&switch_lock)) +- return -ERESTARTSYS; ++ if (!mutex_trylock(&sw->tb->lock)) ++ return restart_syscall(); + + if (sw->authorized) + goto unlock; +@@ -761,7 +754,7 @@ static int tb_switch_set_authorized(struct tb_switch *sw, unsigned int val) + } + + unlock: +- mutex_unlock(&switch_lock); ++ mutex_unlock(&sw->tb->lock); + return ret; + } + +@@ -818,15 +811,15 @@ static ssize_t key_show(struct device *dev, struct device_attribute *attr, + struct tb_switch *sw = tb_to_switch(dev); + ssize_t ret; + +- if (mutex_lock_interruptible(&switch_lock)) +- return -ERESTARTSYS; ++ if (!mutex_trylock(&sw->tb->lock)) ++ return restart_syscall(); + + if (sw->key) + ret = sprintf(buf, "%*phN\n", TB_SWITCH_KEY_SIZE, sw->key); + else + ret = sprintf(buf, "\n"); + +- mutex_unlock(&switch_lock); ++ mutex_unlock(&sw->tb->lock); + return ret; + } + +@@ -843,8 +836,8 @@ static ssize_t key_store(struct device *dev, struct device_attribute *attr, + else if (hex2bin(key, buf, sizeof(key))) + return -EINVAL; + +- if (mutex_lock_interruptible(&switch_lock)) +- return -ERESTARTSYS; ++ if (!mutex_trylock(&sw->tb->lock)) ++ return restart_syscall(); + + if (sw->authorized) { + ret = -EBUSY; +@@ -859,7 +852,7 @@ static ssize_t key_store(struct device *dev, struct device_attribute *attr, + } + } + +- mutex_unlock(&switch_lock); ++ mutex_unlock(&sw->tb->lock); + return ret; + } + static DEVICE_ATTR(key, 0600, key_show, key_store); +@@ -905,8 +898,8 @@ static ssize_t nvm_authenticate_store(struct device *dev, + bool val; + int ret; + +- if (mutex_lock_interruptible(&switch_lock)) +- return -ERESTARTSYS; ++ if (!mutex_trylock(&sw->tb->lock)) ++ return restart_syscall(); + + /* If NVMem devices are not yet added */ + if (!sw->nvm) { +@@ -954,7 +947,7 @@ static ssize_t nvm_authenticate_store(struct device *dev, + } + + exit_unlock: +- mutex_unlock(&switch_lock); ++ mutex_unlock(&sw->tb->lock); + + if (ret) + return ret; +@@ -968,8 +961,8 @@ static ssize_t nvm_version_show(struct device *dev, + struct tb_switch *sw = tb_to_switch(dev); + int ret; + +- if (mutex_lock_interruptible(&switch_lock)) +- return -ERESTARTSYS; ++ if (!mutex_trylock(&sw->tb->lock)) ++ return restart_syscall(); + + if (sw->safe_mode) + ret = -ENODATA; +@@ -978,7 +971,7 @@ static ssize_t nvm_version_show(struct device *dev, + else + ret = sprintf(buf, "%x.%x\n", sw->nvm->major, sw->nvm->minor); + +- mutex_unlock(&switch_lock); ++ mutex_unlock(&sw->tb->lock); + + return ret; + } +diff --git a/drivers/thunderbolt/tb.h b/drivers/thunderbolt/tb.h +index 5067d69d05018..7a0ee9836a8a7 100644 +--- a/drivers/thunderbolt/tb.h ++++ b/drivers/thunderbolt/tb.h +@@ -79,8 +79,7 @@ struct tb_switch_nvm { + * @depth: Depth in the chain this switch is connected (ICM only) + * + * When the switch is being added or removed to the domain (other +- * switches) you need to have domain lock held. For switch authorization +- * internal switch_lock is enough. ++ * switches) you need to have domain lock held. + */ + struct tb_switch { + struct device dev; +-- +2.20.1 + diff --git a/queue-4.19/timekeeping-force-upper-bound-for-setting-clock_real.patch b/queue-4.19/timekeeping-force-upper-bound-for-setting-clock_real.patch new file mode 100644 index 00000000000..52282626051 --- /dev/null +++ b/queue-4.19/timekeeping-force-upper-bound-for-setting-clock_real.patch @@ -0,0 +1,131 @@ +From 4dde4c5f21f93ee6cc076b447a5cbeeed7e6357c Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Sat, 23 Mar 2019 11:36:19 +0100 +Subject: timekeeping: Force upper bound for setting CLOCK_REALTIME + +[ Upstream commit 7a8e61f8478639072d402a26789055a4a4de8f77 ] + +Several people reported testing failures after setting CLOCK_REALTIME close +to the limits of the kernel internal representation in nanoseconds, +i.e. year 2262. + +The failures are exposed in subsequent operations, i.e. when arming timers +or when the advancing CLOCK_MONOTONIC makes the calculation of +CLOCK_REALTIME overflow into negative space. + +Now people start to paper over the underlying problem by clamping +calculations to the valid range, but that's just wrong because such +workarounds will prevent detection of real issues as well. + +It is reasonable to force an upper bound for the various methods of setting +CLOCK_REALTIME. Year 2262 is the absolute upper bound. Assume a maximum +uptime of 30 years which is plenty enough even for esoteric embedded +systems. That results in an upper bound of year 2232 for setting the time. + +Once that limit is reached in reality this limit is only a small part of +the problem space. But until then this stops people from trying to paper +over the problem at the wrong places. + +Reported-by: Xiongfeng Wang +Reported-by: Hongbo Yao +Signed-off-by: Thomas Gleixner +Cc: John Stultz +Cc: Stephen Boyd +Cc: Miroslav Lichvar +Cc: Arnd Bergmann +Cc: Richard Cochran +Cc: Peter Zijlstra +Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1903231125480.2157@nanos.tec.linutronix.de +Signed-off-by: Sasha Levin +--- + include/linux/time64.h | 21 +++++++++++++++++++++ + kernel/time/time.c | 2 +- + kernel/time/timekeeping.c | 6 +++--- + 3 files changed, 25 insertions(+), 4 deletions(-) + +diff --git a/include/linux/time64.h b/include/linux/time64.h +index 05634afba0db6..4a45aea0f96e9 100644 +--- a/include/linux/time64.h ++++ b/include/linux/time64.h +@@ -41,6 +41,17 @@ struct itimerspec64 { + #define KTIME_MAX ((s64)~((u64)1 << 63)) + #define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC) + ++/* ++ * Limits for settimeofday(): ++ * ++ * To prevent setting the time close to the wraparound point time setting ++ * is limited so a reasonable uptime can be accomodated. Uptime of 30 years ++ * should be really sufficient, which means the cutoff is 2232. At that ++ * point the cutoff is just a small part of the larger problem. ++ */ ++#define TIME_UPTIME_SEC_MAX (30LL * 365 * 24 *3600) ++#define TIME_SETTOD_SEC_MAX (KTIME_SEC_MAX - TIME_UPTIME_SEC_MAX) ++ + static inline int timespec64_equal(const struct timespec64 *a, + const struct timespec64 *b) + { +@@ -108,6 +119,16 @@ static inline bool timespec64_valid_strict(const struct timespec64 *ts) + return true; + } + ++static inline bool timespec64_valid_settod(const struct timespec64 *ts) ++{ ++ if (!timespec64_valid(ts)) ++ return false; ++ /* Disallow values which cause overflow issues vs. CLOCK_REALTIME */ ++ if ((unsigned long long)ts->tv_sec >= TIME_SETTOD_SEC_MAX) ++ return false; ++ return true; ++} ++ + /** + * timespec64_to_ns - Convert timespec64 to nanoseconds + * @ts: pointer to the timespec64 variable to be converted +diff --git a/kernel/time/time.c b/kernel/time/time.c +index ccdb351277eec..be057d6579f13 100644 +--- a/kernel/time/time.c ++++ b/kernel/time/time.c +@@ -172,7 +172,7 @@ int do_sys_settimeofday64(const struct timespec64 *tv, const struct timezone *tz + static int firsttime = 1; + int error = 0; + +- if (tv && !timespec64_valid(tv)) ++ if (tv && !timespec64_valid_settod(tv)) + return -EINVAL; + + error = security_settime64(tv, tz); +diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c +index 7846ce24ecc03..9a6bfcd22dc66 100644 +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -1242,7 +1242,7 @@ int do_settimeofday64(const struct timespec64 *ts) + unsigned long flags; + int ret = 0; + +- if (!timespec64_valid_strict(ts)) ++ if (!timespec64_valid_settod(ts)) + return -EINVAL; + + raw_spin_lock_irqsave(&timekeeper_lock, flags); +@@ -1299,7 +1299,7 @@ static int timekeeping_inject_offset(const struct timespec64 *ts) + /* Make sure the proposed value is valid */ + tmp = timespec64_add(tk_xtime(tk), *ts); + if (timespec64_compare(&tk->wall_to_monotonic, ts) > 0 || +- !timespec64_valid_strict(&tmp)) { ++ !timespec64_valid_settod(&tmp)) { + ret = -EINVAL; + goto error; + } +@@ -1556,7 +1556,7 @@ void __init timekeeping_init(void) + unsigned long flags; + + read_persistent_wall_and_boot_offset(&wall_time, &boot_offset); +- if (timespec64_valid_strict(&wall_time) && ++ if (timespec64_valid_settod(&wall_time) && + timespec64_to_ns(&wall_time) > 0) { + persistent_clock_exists = true; + } else if (timespec64_to_ns(&wall_time) != 0) { +-- +2.20.1 + diff --git a/queue-4.19/tinydrm-mipi-dbi-use-dma-safe-buffers-for-all-spi-tr.patch b/queue-4.19/tinydrm-mipi-dbi-use-dma-safe-buffers-for-all-spi-tr.patch new file mode 100644 index 00000000000..def6440f806 --- /dev/null +++ b/queue-4.19/tinydrm-mipi-dbi-use-dma-safe-buffers-for-all-spi-tr.patch @@ -0,0 +1,256 @@ +From 08d2a047e41b035b9db0c9242b97aa17dbbe81d7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= +Date: Fri, 22 Feb 2019 13:43:29 +0100 +Subject: tinydrm/mipi-dbi: Use dma-safe buffers for all SPI transfers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit a89bfc5d9a0732d84b4de311e27133daa0586316 ] + +Buffers passed to spi_sync() must be dma-safe even for tiny buffers since +some SPI controllers use DMA for all transfers. + +Example splat with CONFIG_DMA_API_DEBUG enabled: + +[ 23.750467] DMA-API: dw_dmac_pci 0000:00:15.0: device driver maps memory from stack [probable addr=000000001e49185d] +[ 23.750529] WARNING: CPU: 1 PID: 1296 at kernel/dma/debug.c:1161 check_for_stack+0xb7/0x190 +[ 23.750533] Modules linked in: mmc_block(+) spi_pxa2xx_platform(+) pwm_lpss_pci pwm_lpss spi_pxa2xx_pci sdhci_pci cqhci intel_mrfld_pwrbtn extcon_intel_mrfld sdhci intel_mrfld_adc led_class mmc_core ili9341 mipi_dbi tinydrm backlight ti_ads7950 industrialio_triggered_buffer kfifo_buf intel_soc_pmic_mrfld hci_uart btbcm +[ 23.750599] CPU: 1 PID: 1296 Comm: modprobe Not tainted 5.0.0-rc7+ #236 +[ 23.750605] Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542 2015.01.21:18.19.48 +[ 23.750620] RIP: 0010:check_for_stack+0xb7/0x190 +[ 23.750630] Code: 8b 6d 50 4d 85 ed 75 04 4c 8b 6d 10 48 89 ef e8 2f 8b 44 00 48 89 c6 4a 8d 0c 23 4c 89 ea 48 c7 c7 88 d0 82 b4 e8 40 7c f9 ff <0f> 0b 8b 05 79 00 4b 01 85 c0 74 07 5b 5d 41 5c 41 5d c3 8b 05 54 +[ 23.750637] RSP: 0000:ffff97bbc0292fa0 EFLAGS: 00010286 +[ 23.750646] RAX: 0000000000000000 RBX: ffff97bbc0290000 RCX: 0000000000000006 +[ 23.750652] RDX: 0000000000000007 RSI: 0000000000000002 RDI: ffff94b33e115450 +[ 23.750658] RBP: ffff94b33c8578b0 R08: 0000000000000002 R09: 00000000000201c0 +[ 23.750664] R10: 00000006ecb0ccc6 R11: 0000000000034f38 R12: 000000000000316c +[ 23.750670] R13: ffff94b33c84b250 R14: ffff94b33dedd5a0 R15: 0000000000000001 +[ 23.750679] FS: 0000000000000000(0000) GS:ffff94b33e100000(0063) knlGS:00000000f7faf690 +[ 23.750686] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 +[ 23.750691] CR2: 00000000f7f54faf CR3: 000000000722c000 CR4: 00000000001006e0 +[ 23.750696] Call Trace: +[ 23.750713] debug_dma_map_sg+0x100/0x340 +[ 23.750727] ? dma_direct_map_sg+0x3b/0xb0 +[ 23.750739] spi_map_buf+0x25a/0x300 +[ 23.750751] __spi_pump_messages+0x2a4/0x680 +[ 23.750762] __spi_sync+0x1dd/0x1f0 +[ 23.750773] spi_sync+0x26/0x40 +[ 23.750790] mipi_dbi_typec3_command_read+0x14d/0x240 [mipi_dbi] +[ 23.750802] ? spi_finalize_current_transfer+0x10/0x10 +[ 23.750821] mipi_dbi_typec3_command+0x1bc/0x1d0 [mipi_dbi] + +Reported-by: Andy Shevchenko +Signed-off-by: Noralf Trønnes +Tested-by: Andy Shevchenko +Acked-by: Andy Shevchenko +Link: https://patchwork.freedesktop.org/patch/msgid/20190222124329.23046-1-noralf@tronnes.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tinydrm/ili9225.c | 6 ++-- + drivers/gpu/drm/tinydrm/mipi-dbi.c | 58 +++++++++++++++++++++--------- + include/drm/tinydrm/mipi-dbi.h | 5 +-- + 3 files changed, 48 insertions(+), 21 deletions(-) + +diff --git a/drivers/gpu/drm/tinydrm/ili9225.c b/drivers/gpu/drm/tinydrm/ili9225.c +index 455fefe012f59..6044a01069ce2 100644 +--- a/drivers/gpu/drm/tinydrm/ili9225.c ++++ b/drivers/gpu/drm/tinydrm/ili9225.c +@@ -278,7 +278,7 @@ static void ili9225_pipe_disable(struct drm_simple_display_pipe *pipe) + mipi->enabled = false; + } + +-static int ili9225_dbi_command(struct mipi_dbi *mipi, u8 cmd, u8 *par, ++static int ili9225_dbi_command(struct mipi_dbi *mipi, u8 *cmd, u8 *par, + size_t num) + { + struct spi_device *spi = mipi->spi; +@@ -288,11 +288,11 @@ static int ili9225_dbi_command(struct mipi_dbi *mipi, u8 cmd, u8 *par, + + gpiod_set_value_cansleep(mipi->dc, 0); + speed_hz = mipi_dbi_spi_cmd_max_speed(spi, 1); +- ret = tinydrm_spi_transfer(spi, speed_hz, NULL, 8, &cmd, 1); ++ ret = tinydrm_spi_transfer(spi, speed_hz, NULL, 8, cmd, 1); + if (ret || !num) + return ret; + +- if (cmd == ILI9225_WRITE_DATA_TO_GRAM && !mipi->swap_bytes) ++ if (*cmd == ILI9225_WRITE_DATA_TO_GRAM && !mipi->swap_bytes) + bpw = 16; + + gpiod_set_value_cansleep(mipi->dc, 1); +diff --git a/drivers/gpu/drm/tinydrm/mipi-dbi.c b/drivers/gpu/drm/tinydrm/mipi-dbi.c +index cb3441e51d5f0..e772a8a9da80e 100644 +--- a/drivers/gpu/drm/tinydrm/mipi-dbi.c ++++ b/drivers/gpu/drm/tinydrm/mipi-dbi.c +@@ -144,16 +144,42 @@ EXPORT_SYMBOL(mipi_dbi_command_read); + */ + int mipi_dbi_command_buf(struct mipi_dbi *mipi, u8 cmd, u8 *data, size_t len) + { ++ u8 *cmdbuf; + int ret; + ++ /* SPI requires dma-safe buffers */ ++ cmdbuf = kmemdup(&cmd, 1, GFP_KERNEL); ++ if (!cmdbuf) ++ return -ENOMEM; ++ + mutex_lock(&mipi->cmdlock); +- ret = mipi->command(mipi, cmd, data, len); ++ ret = mipi->command(mipi, cmdbuf, data, len); + mutex_unlock(&mipi->cmdlock); + ++ kfree(cmdbuf); ++ + return ret; + } + EXPORT_SYMBOL(mipi_dbi_command_buf); + ++/* This should only be used by mipi_dbi_command() */ ++int mipi_dbi_command_stackbuf(struct mipi_dbi *mipi, u8 cmd, u8 *data, size_t len) ++{ ++ u8 *buf; ++ int ret; ++ ++ buf = kmemdup(data, len, GFP_KERNEL); ++ if (!buf) ++ return -ENOMEM; ++ ++ ret = mipi_dbi_command_buf(mipi, cmd, buf, len); ++ ++ kfree(buf); ++ ++ return ret; ++} ++EXPORT_SYMBOL(mipi_dbi_command_stackbuf); ++ + /** + * mipi_dbi_buf_copy - Copy a framebuffer, transforming it if necessary + * @dst: The destination buffer +@@ -741,18 +767,18 @@ static int mipi_dbi_spi1_transfer(struct mipi_dbi *mipi, int dc, + return 0; + } + +-static int mipi_dbi_typec1_command(struct mipi_dbi *mipi, u8 cmd, ++static int mipi_dbi_typec1_command(struct mipi_dbi *mipi, u8 *cmd, + u8 *parameters, size_t num) + { +- unsigned int bpw = (cmd == MIPI_DCS_WRITE_MEMORY_START) ? 16 : 8; ++ unsigned int bpw = (*cmd == MIPI_DCS_WRITE_MEMORY_START) ? 16 : 8; + int ret; + +- if (mipi_dbi_command_is_read(mipi, cmd)) ++ if (mipi_dbi_command_is_read(mipi, *cmd)) + return -ENOTSUPP; + +- MIPI_DBI_DEBUG_COMMAND(cmd, parameters, num); ++ MIPI_DBI_DEBUG_COMMAND(*cmd, parameters, num); + +- ret = mipi_dbi_spi1_transfer(mipi, 0, &cmd, 1, 8); ++ ret = mipi_dbi_spi1_transfer(mipi, 0, cmd, 1, 8); + if (ret || !num) + return ret; + +@@ -761,7 +787,7 @@ static int mipi_dbi_typec1_command(struct mipi_dbi *mipi, u8 cmd, + + /* MIPI DBI Type C Option 3 */ + +-static int mipi_dbi_typec3_command_read(struct mipi_dbi *mipi, u8 cmd, ++static int mipi_dbi_typec3_command_read(struct mipi_dbi *mipi, u8 *cmd, + u8 *data, size_t len) + { + struct spi_device *spi = mipi->spi; +@@ -770,7 +796,7 @@ static int mipi_dbi_typec3_command_read(struct mipi_dbi *mipi, u8 cmd, + struct spi_transfer tr[2] = { + { + .speed_hz = speed_hz, +- .tx_buf = &cmd, ++ .tx_buf = cmd, + .len = 1, + }, { + .speed_hz = speed_hz, +@@ -788,8 +814,8 @@ static int mipi_dbi_typec3_command_read(struct mipi_dbi *mipi, u8 cmd, + * Support non-standard 24-bit and 32-bit Nokia read commands which + * start with a dummy clock, so we need to read an extra byte. + */ +- if (cmd == MIPI_DCS_GET_DISPLAY_ID || +- cmd == MIPI_DCS_GET_DISPLAY_STATUS) { ++ if (*cmd == MIPI_DCS_GET_DISPLAY_ID || ++ *cmd == MIPI_DCS_GET_DISPLAY_STATUS) { + if (!(len == 3 || len == 4)) + return -EINVAL; + +@@ -819,7 +845,7 @@ static int mipi_dbi_typec3_command_read(struct mipi_dbi *mipi, u8 cmd, + data[i] = (buf[i] << 1) | !!(buf[i + 1] & BIT(7)); + } + +- MIPI_DBI_DEBUG_COMMAND(cmd, data, len); ++ MIPI_DBI_DEBUG_COMMAND(*cmd, data, len); + + err_free: + kfree(buf); +@@ -827,7 +853,7 @@ static int mipi_dbi_typec3_command_read(struct mipi_dbi *mipi, u8 cmd, + return ret; + } + +-static int mipi_dbi_typec3_command(struct mipi_dbi *mipi, u8 cmd, ++static int mipi_dbi_typec3_command(struct mipi_dbi *mipi, u8 *cmd, + u8 *par, size_t num) + { + struct spi_device *spi = mipi->spi; +@@ -835,18 +861,18 @@ static int mipi_dbi_typec3_command(struct mipi_dbi *mipi, u8 cmd, + u32 speed_hz; + int ret; + +- if (mipi_dbi_command_is_read(mipi, cmd)) ++ if (mipi_dbi_command_is_read(mipi, *cmd)) + return mipi_dbi_typec3_command_read(mipi, cmd, par, num); + +- MIPI_DBI_DEBUG_COMMAND(cmd, par, num); ++ MIPI_DBI_DEBUG_COMMAND(*cmd, par, num); + + gpiod_set_value_cansleep(mipi->dc, 0); + speed_hz = mipi_dbi_spi_cmd_max_speed(spi, 1); +- ret = tinydrm_spi_transfer(spi, speed_hz, NULL, 8, &cmd, 1); ++ ret = tinydrm_spi_transfer(spi, speed_hz, NULL, 8, cmd, 1); + if (ret || !num) + return ret; + +- if (cmd == MIPI_DCS_WRITE_MEMORY_START && !mipi->swap_bytes) ++ if (*cmd == MIPI_DCS_WRITE_MEMORY_START && !mipi->swap_bytes) + bpw = 16; + + gpiod_set_value_cansleep(mipi->dc, 1); +diff --git a/include/drm/tinydrm/mipi-dbi.h b/include/drm/tinydrm/mipi-dbi.h +index b8ba588619867..bcc98bd447f7a 100644 +--- a/include/drm/tinydrm/mipi-dbi.h ++++ b/include/drm/tinydrm/mipi-dbi.h +@@ -42,7 +42,7 @@ struct mipi_dbi { + struct spi_device *spi; + bool enabled; + struct mutex cmdlock; +- int (*command)(struct mipi_dbi *mipi, u8 cmd, u8 *param, size_t num); ++ int (*command)(struct mipi_dbi *mipi, u8 *cmd, u8 *param, size_t num); + const u8 *read_commands; + struct gpio_desc *dc; + u16 *tx_buf; +@@ -79,6 +79,7 @@ u32 mipi_dbi_spi_cmd_max_speed(struct spi_device *spi, size_t len); + + int mipi_dbi_command_read(struct mipi_dbi *mipi, u8 cmd, u8 *val); + int mipi_dbi_command_buf(struct mipi_dbi *mipi, u8 cmd, u8 *data, size_t len); ++int mipi_dbi_command_stackbuf(struct mipi_dbi *mipi, u8 cmd, u8 *data, size_t len); + int mipi_dbi_buf_copy(void *dst, struct drm_framebuffer *fb, + struct drm_clip_rect *clip, bool swap); + /** +@@ -96,7 +97,7 @@ int mipi_dbi_buf_copy(void *dst, struct drm_framebuffer *fb, + #define mipi_dbi_command(mipi, cmd, seq...) \ + ({ \ + u8 d[] = { seq }; \ +- mipi_dbi_command_buf(mipi, cmd, d, ARRAY_SIZE(d)); \ ++ mipi_dbi_command_stackbuf(mipi, cmd, d, ARRAY_SIZE(d)); \ + }) + + #ifdef CONFIG_DEBUG_FS +-- +2.20.1 + diff --git a/queue-4.19/tools-bpf-fix-perf-build-error-with-uclibc-seen-on-a.patch b/queue-4.19/tools-bpf-fix-perf-build-error-with-uclibc-seen-on-a.patch new file mode 100644 index 00000000000..78b63f6d31e --- /dev/null +++ b/queue-4.19/tools-bpf-fix-perf-build-error-with-uclibc-seen-on-a.patch @@ -0,0 +1,47 @@ +From 2b17a3d78d5b956360c5ef8e831163842452e58d Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Thu, 2 May 2019 08:56:50 -0700 +Subject: tools/bpf: fix perf build error with uClibc (seen on ARC) + +[ Upstream commit ca31ca8247e2d3807ff5fa1d1760616a2292001c ] + +When build perf for ARC recently, there was a build failure due to lack +of __NR_bpf. + +| Auto-detecting system features: +| +| ... get_cpuid: [ OFF ] +| ... bpf: [ on ] +| +| # error __NR_bpf not defined. libbpf does not support your arch. + ^~~~~ +| bpf.c: In function 'sys_bpf': +| bpf.c:66:17: error: '__NR_bpf' undeclared (first use in this function) +| return syscall(__NR_bpf, cmd, attr, size); +| ^~~~~~~~ +| sys_bpf + +Signed-off-by: Vineet Gupta +Acked-by: Yonghong Song +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/bpf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c +index 7a0014794bff7..dd0b68d1f4be0 100644 +--- a/tools/lib/bpf/bpf.c ++++ b/tools/lib/bpf/bpf.c +@@ -53,6 +53,8 @@ + # define __NR_bpf 349 + # elif defined(__s390__) + # define __NR_bpf 351 ++# elif defined(__arc__) ++# define __NR_bpf 280 + # else + # error __NR_bpf not defined. libbpf does not support your arch. + # endif +-- +2.20.1 + diff --git a/queue-4.19/tty-ipwireless-fix-missing-checks-for-ioremap.patch b/queue-4.19/tty-ipwireless-fix-missing-checks-for-ioremap.patch new file mode 100644 index 00000000000..d2a06dd3b43 --- /dev/null +++ b/queue-4.19/tty-ipwireless-fix-missing-checks-for-ioremap.patch @@ -0,0 +1,49 @@ +From 95d6b19235c3f64da94fc70caf59607a5cb70c1d Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Fri, 15 Mar 2019 02:07:12 -0500 +Subject: tty: ipwireless: fix missing checks for ioremap + +[ Upstream commit 1bbb1c318cd8a3a39e8c3e2e83d5e90542d6c3e3 ] + +ipw->attr_memory and ipw->common_memory are assigned with the +return value of ioremap. ioremap may fail, but no checks +are enforced. The fix inserts the checks to avoid potential +NULL pointer dereferences. + +Signed-off-by: Kangjie Lu +Reviewed-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/ipwireless/main.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/tty/ipwireless/main.c b/drivers/tty/ipwireless/main.c +index 3475e841ef5c1..4c18bbfe1a92e 100644 +--- a/drivers/tty/ipwireless/main.c ++++ b/drivers/tty/ipwireless/main.c +@@ -114,6 +114,10 @@ static int ipwireless_probe(struct pcmcia_device *p_dev, void *priv_data) + + ipw->common_memory = ioremap(p_dev->resource[2]->start, + resource_size(p_dev->resource[2])); ++ if (!ipw->common_memory) { ++ ret = -ENOMEM; ++ goto exit1; ++ } + if (!request_mem_region(p_dev->resource[2]->start, + resource_size(p_dev->resource[2]), + IPWIRELESS_PCCARD_NAME)) { +@@ -134,6 +138,10 @@ static int ipwireless_probe(struct pcmcia_device *p_dev, void *priv_data) + + ipw->attr_memory = ioremap(p_dev->resource[3]->start, + resource_size(p_dev->resource[3])); ++ if (!ipw->attr_memory) { ++ ret = -ENOMEM; ++ goto exit3; ++ } + if (!request_mem_region(p_dev->resource[3]->start, + resource_size(p_dev->resource[3]), + IPWIRELESS_PCCARD_NAME)) { +-- +2.20.1 + diff --git a/queue-4.19/usb-core-add-pm-runtime-calls-to-usb_hcd_platform_sh.patch b/queue-4.19/usb-core-add-pm-runtime-calls-to-usb_hcd_platform_sh.patch new file mode 100644 index 00000000000..75602035ba8 --- /dev/null +++ b/queue-4.19/usb-core-add-pm-runtime-calls-to-usb_hcd_platform_sh.patch @@ -0,0 +1,38 @@ +From 521df4bcbc5ad74cd0c9aea6511d17aa02e3cb5e Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Fri, 22 Mar 2019 14:54:05 -0700 +Subject: usb: core: Add PM runtime calls to usb_hcd_platform_shutdown + +[ Upstream commit 8ead7e817224d7832fe51a19783cb8fcadc79467 ] + +If ohci-platform is runtime suspended, we can currently get an "imprecise +external abort" on reboot with ohci-platform loaded when PM runtime +is implemented for the SoC. + +Let's fix this by adding PM runtime support to usb_hcd_platform_shutdown. + +Signed-off-by: Tony Lindgren +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/hcd.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c +index 1c21955fe7c00..b82a7d787add8 100644 +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -3017,6 +3017,9 @@ usb_hcd_platform_shutdown(struct platform_device *dev) + { + struct usb_hcd *hcd = platform_get_drvdata(dev); + ++ /* No need for pm_runtime_put(), we're shutting down */ ++ pm_runtime_get_sync(&dev->dev); ++ + if (hcd->driver->shutdown) + hcd->driver->shutdown(hcd); + } +-- +2.20.1 + diff --git a/queue-4.19/usb-core-don-t-unbind-interfaces-following-device-re.patch b/queue-4.19/usb-core-don-t-unbind-interfaces-following-device-re.patch new file mode 100644 index 00000000000..535446b377e --- /dev/null +++ b/queue-4.19/usb-core-don-t-unbind-interfaces-following-device-re.patch @@ -0,0 +1,71 @@ +From 1237dd8af569fd23cb440e2f746ea94b633d6ced Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Tue, 16 Apr 2019 10:50:01 -0400 +Subject: USB: core: Don't unbind interfaces following device reset failure + +[ Upstream commit 381419fa720060ba48b7bbc483be787d5b1dca6f ] + +The SCSI core does not like to have devices or hosts unregistered +while error recovery is in progress. Trying to do so can lead to +self-deadlock: Part of the removal code tries to obtain a lock already +held by the error handler. + +This can cause problems for the usb-storage and uas drivers, because +their error handler routines perform a USB reset, and if the reset +fails then the USB core automatically goes on to unbind all drivers +from the device's interfaces -- all while still in the context of the +SCSI error handler. + +As it turns out, practically all the scenarios leading to a USB reset +failure end up causing a device disconnect (the main error pathway in +usb_reset_and_verify_device(), at the end of the routine, calls +hub_port_logical_disconnect() before returning). As a result, the +hub_wq thread will soon become aware of the problem and will unbind +all the device's drivers in its own context, not in the +error-handler's context. + +This means that usb_reset_device() does not need to call +usb_unbind_and_rebind_marked_interfaces() in cases where +usb_reset_and_verify_device() has returned an error, because hub_wq +will take care of everything anyway. + +This particular problem was observed in somewhat artificial +circumstances, by using usbfs to tell a hub to power-down a port +connected to a USB-3 mass storage device using the UAS protocol. With +the port turned off, the currently executing command timed out and the +error handler started running. The USB reset naturally failed, +because the hub port was off, and the error handler deadlocked as +described above. Not carrying out the call to +usb_unbind_and_rebind_marked_interfaces() fixes this issue. + +Signed-off-by: Alan Stern +Reported-by: Kento Kobayashi +Tested-by: Kento Kobayashi +CC: Bart Van Assche +CC: Martin K. Petersen +CC: Jacky Cao +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/hub.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index bbcfa63d0233b..eb24ec0e160d4 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -5823,7 +5823,10 @@ int usb_reset_device(struct usb_device *udev) + cintf->needs_binding = 1; + } + } +- usb_unbind_and_rebind_marked_interfaces(udev); ++ ++ /* If the reset failed, hub_wq will unbind drivers later */ ++ if (ret == 0) ++ usb_unbind_and_rebind_marked_interfaces(udev); + } + + usb_autosuspend_device(udev); +-- +2.20.1 + diff --git a/queue-4.19/usb-dwc2-gadget-increase-descriptors-count-for-isoc-.patch b/queue-4.19/usb-dwc2-gadget-increase-descriptors-count-for-isoc-.patch new file mode 100644 index 00000000000..9eb37f9f0e5 --- /dev/null +++ b/queue-4.19/usb-dwc2-gadget-increase-descriptors-count-for-isoc-.patch @@ -0,0 +1,106 @@ +From fcfba77948908028835d072fafc0c4abfd3998c1 Mon Sep 17 00:00:00 2001 +From: Minas Harutyunyan +Date: Mon, 18 Mar 2019 14:24:30 +0400 +Subject: usb: dwc2: gadget: Increase descriptors count for ISOC's + +[ Upstream commit 54f37f56631747075f1f9a2f0edf6ba405e3e66c ] + +Some function drivers queueing more than 128 ISOC requests at a time. +To avoid "descriptor chain full" cases, increasing descriptors count +from MAX_DMA_DESC_NUM_GENERIC to MAX_DMA_DESC_NUM_HS_ISOC for ISOC's +only. + +Signed-off-by: Minas Harutyunyan +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/gadget.c | 27 +++++++++++++++------------ + 1 file changed, 15 insertions(+), 12 deletions(-) + +diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c +index 220c0f9b89b0b..03614ef64ca47 100644 +--- a/drivers/usb/dwc2/gadget.c ++++ b/drivers/usb/dwc2/gadget.c +@@ -675,13 +675,11 @@ static unsigned int dwc2_gadget_get_chain_limit(struct dwc2_hsotg_ep *hs_ep) + unsigned int maxsize; + + if (is_isoc) +- maxsize = hs_ep->dir_in ? DEV_DMA_ISOC_TX_NBYTES_LIMIT : +- DEV_DMA_ISOC_RX_NBYTES_LIMIT; ++ maxsize = (hs_ep->dir_in ? DEV_DMA_ISOC_TX_NBYTES_LIMIT : ++ DEV_DMA_ISOC_RX_NBYTES_LIMIT) * ++ MAX_DMA_DESC_NUM_HS_ISOC; + else +- maxsize = DEV_DMA_NBYTES_LIMIT; +- +- /* Above size of one descriptor was chosen, multiple it */ +- maxsize *= MAX_DMA_DESC_NUM_GENERIC; ++ maxsize = DEV_DMA_NBYTES_LIMIT * MAX_DMA_DESC_NUM_GENERIC; + + return maxsize; + } +@@ -864,7 +862,7 @@ static int dwc2_gadget_fill_isoc_desc(struct dwc2_hsotg_ep *hs_ep, + + /* Update index of last configured entry in the chain */ + hs_ep->next_desc++; +- if (hs_ep->next_desc >= MAX_DMA_DESC_NUM_GENERIC) ++ if (hs_ep->next_desc >= MAX_DMA_DESC_NUM_HS_ISOC) + hs_ep->next_desc = 0; + + return 0; +@@ -896,7 +894,7 @@ static void dwc2_gadget_start_isoc_ddma(struct dwc2_hsotg_ep *hs_ep) + } + + /* Initialize descriptor chain by Host Busy status */ +- for (i = 0; i < MAX_DMA_DESC_NUM_GENERIC; i++) { ++ for (i = 0; i < MAX_DMA_DESC_NUM_HS_ISOC; i++) { + desc = &hs_ep->desc_list[i]; + desc->status = 0; + desc->status |= (DEV_DMA_BUFF_STS_HBUSY +@@ -2083,7 +2081,7 @@ static void dwc2_gadget_complete_isoc_request_ddma(struct dwc2_hsotg_ep *hs_ep) + dwc2_hsotg_complete_request(hsotg, hs_ep, hs_req, 0); + + hs_ep->compl_desc++; +- if (hs_ep->compl_desc > (MAX_DMA_DESC_NUM_GENERIC - 1)) ++ if (hs_ep->compl_desc > (MAX_DMA_DESC_NUM_HS_ISOC - 1)) + hs_ep->compl_desc = 0; + desc_sts = hs_ep->desc_list[hs_ep->compl_desc].status; + } +@@ -3779,6 +3777,7 @@ static int dwc2_hsotg_ep_enable(struct usb_ep *ep, + unsigned int i, val, size; + int ret = 0; + unsigned char ep_type; ++ int desc_num; + + dev_dbg(hsotg->dev, + "%s: ep %s: a 0x%02x, attr 0x%02x, mps 0x%04x, intr %d\n", +@@ -3825,11 +3824,15 @@ static int dwc2_hsotg_ep_enable(struct usb_ep *ep, + dev_dbg(hsotg->dev, "%s: read DxEPCTL=0x%08x from 0x%08x\n", + __func__, epctrl, epctrl_reg); + ++ if (using_desc_dma(hsotg) && ep_type == USB_ENDPOINT_XFER_ISOC) ++ desc_num = MAX_DMA_DESC_NUM_HS_ISOC; ++ else ++ desc_num = MAX_DMA_DESC_NUM_GENERIC; ++ + /* Allocate DMA descriptor chain for non-ctrl endpoints */ + if (using_desc_dma(hsotg) && !hs_ep->desc_list) { + hs_ep->desc_list = dmam_alloc_coherent(hsotg->dev, +- MAX_DMA_DESC_NUM_GENERIC * +- sizeof(struct dwc2_dma_desc), ++ desc_num * sizeof(struct dwc2_dma_desc), + &hs_ep->desc_list_dma, GFP_ATOMIC); + if (!hs_ep->desc_list) { + ret = -ENOMEM; +@@ -3971,7 +3974,7 @@ static int dwc2_hsotg_ep_enable(struct usb_ep *ep, + + error2: + if (ret && using_desc_dma(hsotg) && hs_ep->desc_list) { +- dmam_free_coherent(hsotg->dev, MAX_DMA_DESC_NUM_GENERIC * ++ dmam_free_coherent(hsotg->dev, desc_num * + sizeof(struct dwc2_dma_desc), + hs_ep->desc_list, hs_ep->desc_list_dma); + hs_ep->desc_list = NULL; +-- +2.20.1 + diff --git a/queue-4.19/usb-dwc3-move-synchronize_irq-out-of-the-spinlock-pr.patch b/queue-4.19/usb-dwc3-move-synchronize_irq-out-of-the-spinlock-pr.patch new file mode 100644 index 00000000000..10c6218b63f --- /dev/null +++ b/queue-4.19/usb-dwc3-move-synchronize_irq-out-of-the-spinlock-pr.patch @@ -0,0 +1,100 @@ +From 2c9e39e6bad425c66c7ddc1b8d09a32e15340164 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Wed, 27 Mar 2019 10:56:08 +0100 +Subject: usb: dwc3: move synchronize_irq() out of the spinlock protected block + +[ Upstream commit 41a91c606e7d2b74358a944525267cc451c271e8 ] + +dwc3_gadget_suspend() is called under dwc->lock spinlock. In such context +calling synchronize_irq() is not allowed. Move the problematic call out +of the protected block to fix the following kernel BUG during system +suspend: + +BUG: sleeping function called from invalid context at kernel/irq/manage.c:112 +in_atomic(): 1, irqs_disabled(): 128, pid: 1601, name: rtcwake +6 locks held by rtcwake/1601: + #0: f70ac2a2 (sb_writers#7){.+.+}, at: vfs_write+0x130/0x16c + #1: b5fe1270 (&of->mutex){+.+.}, at: kernfs_fop_write+0xc0/0x1e4 + #2: 7e597705 (kn->count#60){.+.+}, at: kernfs_fop_write+0xc8/0x1e4 + #3: 8b3527d0 (system_transition_mutex){+.+.}, at: pm_suspend+0xc4/0xc04 + #4: fc7f1c42 (&dev->mutex){....}, at: __device_suspend+0xd8/0x74c + #5: 4b36507e (&(&dwc->lock)->rlock){....}, at: dwc3_gadget_suspend+0x24/0x3c +irq event stamp: 11252 +hardirqs last enabled at (11251): [] _raw_spin_unlock_irqrestore+0x6c/0x74 +hardirqs last disabled at (11252): [] _raw_spin_lock_irqsave+0x1c/0x5c +softirqs last enabled at (9744): [] __do_softirq+0x3a4/0x66c +softirqs last disabled at (9737): [] irq_exit+0x140/0x168 +Preemption disabled at: +[<00000000>] (null) +CPU: 7 PID: 1601 Comm: rtcwake Not tainted +5.0.0-rc3-next-20190122-00039-ga3f4ee4f8a52 #5252 +Hardware name: SAMSUNG EXYNOS (Flattened Device Tree) +[] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[] (show_stack) from [] (dump_stack+0x90/0xc8) +[] (dump_stack) from [] (___might_sleep+0x22c/0x2c8) +[] (___might_sleep) from [] (synchronize_irq+0x28/0x84) +[] (synchronize_irq) from [] (dwc3_gadget_suspend+0x34/0x3c) +[] (dwc3_gadget_suspend) from [] (dwc3_suspend_common+0x154/0x410) +[] (dwc3_suspend_common) from [] (dwc3_suspend+0x14/0x2c) +[] (dwc3_suspend) from [] (platform_pm_suspend+0x2c/0x54) +[] (platform_pm_suspend) from [] (dpm_run_callback+0xa4/0x3dc) +[] (dpm_run_callback) from [] (__device_suspend+0x134/0x74c) +[] (__device_suspend) from [] (dpm_suspend+0x174/0x588) +[] (dpm_suspend) from [] (suspend_devices_and_enter+0xc0/0xe74) +[] (suspend_devices_and_enter) from [] (pm_suspend+0x770/0xc04) +[] (pm_suspend) from [] (state_store+0x6c/0xcc) +[] (state_store) from [] (kobj_attr_store+0x14/0x20) +[] (kobj_attr_store) from [] (sysfs_kf_write+0x4c/0x50) +[] (sysfs_kf_write) from [] (kernfs_fop_write+0xfc/0x1e4) +[] (kernfs_fop_write) from [] (__vfs_write+0x2c/0x160) +[] (__vfs_write) from [] (vfs_write+0xa4/0x16c) +[] (vfs_write) from [] (ksys_write+0x40/0x8c) +[] (ksys_write) from [] (ret_fast_syscall+0x0/0x28) +Exception stack(0xed55ffa8 to 0xed55fff0) +... + +Fixes: 01c10880d242 ("usb: dwc3: gadget: synchronize_irq dwc irq in suspend") +Signed-off-by: Marek Szyprowski +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/core.c | 2 ++ + drivers/usb/dwc3/gadget.c | 2 -- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index 4d5c7dda8f54d..05b9ccff7447a 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1591,6 +1591,7 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) + spin_lock_irqsave(&dwc->lock, flags); + dwc3_gadget_suspend(dwc); + spin_unlock_irqrestore(&dwc->lock, flags); ++ synchronize_irq(dwc->irq_gadget); + dwc3_core_exit(dwc); + break; + case DWC3_GCTL_PRTCAP_HOST: +@@ -1623,6 +1624,7 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) + spin_lock_irqsave(&dwc->lock, flags); + dwc3_gadget_suspend(dwc); + spin_unlock_irqrestore(&dwc->lock, flags); ++ synchronize_irq(dwc->irq_gadget); + } + + dwc3_otg_exit(dwc); +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 524104eed8a71..65ba1038b1111 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -3277,8 +3277,6 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) + dwc3_disconnect_gadget(dwc); + __dwc3_gadget_stop(dwc); + +- synchronize_irq(dwc->irq_gadget); +- + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.19/vfio-ccw-do-not-call-flush_workqueue-while-holding-t.patch b/queue-4.19/vfio-ccw-do-not-call-flush_workqueue-while-holding-t.patch new file mode 100644 index 00000000000..2f080dfe5ea --- /dev/null +++ b/queue-4.19/vfio-ccw-do-not-call-flush_workqueue-while-holding-t.patch @@ -0,0 +1,69 @@ +From 868d22b733f358e0f8ca35f9ae152ebe2d8f813b Mon Sep 17 00:00:00 2001 +From: Farhan Ali +Date: Mon, 8 Apr 2019 17:05:31 -0400 +Subject: vfio-ccw: Do not call flush_workqueue while holding the spinlock + +[ Upstream commit cea5dde42a83b5f0a039da672f8686455936b8d8 ] + +Currently we call flush_workqueue while holding the subchannel +spinlock. But flush_workqueue function can go to sleep, so +do not call the function while holding the spinlock. + +Fixes the following bug: + +[ 285.203430] BUG: scheduling while atomic: bash/14193/0x00000002 +[ 285.203434] INFO: lockdep is turned off. +.... +[ 285.203485] Preemption disabled at: +[ 285.203488] [<000003ff80243e5c>] vfio_ccw_sch_quiesce+0xbc/0x120 [vfio_ccw] +[ 285.203496] CPU: 7 PID: 14193 Comm: bash Tainted: G W +.... +[ 285.203504] Call Trace: +[ 285.203510] ([<0000000000113772>] show_stack+0x82/0xd0) +[ 285.203514] [<0000000000b7a102>] dump_stack+0x92/0xd0 +[ 285.203518] [<000000000017b8be>] __schedule_bug+0xde/0xf8 +[ 285.203524] [<0000000000b95b5a>] __schedule+0x7a/0xc38 +[ 285.203528] [<0000000000b9678a>] schedule+0x72/0xb0 +[ 285.203533] [<0000000000b9bfbc>] schedule_timeout+0x34/0x528 +[ 285.203538] [<0000000000b97608>] wait_for_common+0x118/0x1b0 +[ 285.203544] [<0000000000166d6a>] flush_workqueue+0x182/0x548 +[ 285.203550] [<000003ff80243e6e>] vfio_ccw_sch_quiesce+0xce/0x120 [vfio_ccw] +[ 285.203556] [<000003ff80245278>] vfio_ccw_mdev_reset+0x38/0x70 [vfio_ccw] +[ 285.203562] [<000003ff802458b0>] vfio_ccw_mdev_remove+0x40/0x78 [vfio_ccw] +[ 285.203567] [<000003ff801a499c>] mdev_device_remove_ops+0x3c/0x80 [mdev] +[ 285.203573] [<000003ff801a4d5c>] mdev_device_remove+0xc4/0x130 [mdev] +[ 285.203578] [<000003ff801a5074>] remove_store+0x6c/0xa8 [mdev] +[ 285.203582] [<000000000046f494>] kernfs_fop_write+0x14c/0x1f8 +[ 285.203588] [<00000000003c1530>] __vfs_write+0x38/0x1a8 +[ 285.203593] [<00000000003c187c>] vfs_write+0xb4/0x198 +[ 285.203597] [<00000000003c1af2>] ksys_write+0x5a/0xb0 +[ 285.203601] [<0000000000b9e270>] system_call+0xdc/0x2d8 + +Signed-off-by: Farhan Ali +Reviewed-by: Eric Farman +Reviewed-by: Pierre Morel +Message-Id: <626bab8bb2958ae132452e1ddaf1b20882ad5a9d.1554756534.git.alifm@linux.ibm.com> +Signed-off-by: Cornelia Huck +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/vfio_ccw_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/s390/cio/vfio_ccw_drv.c b/drivers/s390/cio/vfio_ccw_drv.c +index fabd9798e4c47..0e0a743aeaf69 100644 +--- a/drivers/s390/cio/vfio_ccw_drv.c ++++ b/drivers/s390/cio/vfio_ccw_drv.c +@@ -54,9 +54,9 @@ int vfio_ccw_sch_quiesce(struct subchannel *sch) + + wait_for_completion_timeout(&completion, 3*HZ); + +- spin_lock_irq(sch->lock); + private->completion = NULL; + flush_workqueue(vfio_ccw_work_q); ++ spin_lock_irq(sch->lock); + ret = cio_cancel_halt_clear(sch, &iretry); + }; + +-- +2.20.1 + diff --git a/queue-4.19/vfio-ccw-prevent-quiesce-function-going-into-an-infi.patch b/queue-4.19/vfio-ccw-prevent-quiesce-function-going-into-an-infi.patch new file mode 100644 index 00000000000..1a851a09ce6 --- /dev/null +++ b/queue-4.19/vfio-ccw-prevent-quiesce-function-going-into-an-infi.patch @@ -0,0 +1,89 @@ +From 7798c38bebd4d316d9a6f4bf6b7422c43b4daf8d Mon Sep 17 00:00:00 2001 +From: Farhan Ali +Date: Tue, 16 Apr 2019 17:23:14 -0400 +Subject: vfio-ccw: Prevent quiesce function going into an infinite loop + +[ Upstream commit d1ffa760d22aa1d8190478e5ef555c59a771db27 ] + +The quiesce function calls cio_cancel_halt_clear() and if we +get an -EBUSY we go into a loop where we: + - wait for any interrupts + - flush all I/O in the workqueue + - retry cio_cancel_halt_clear + +During the period where we are waiting for interrupts or +flushing all I/O, the channel subsystem could have completed +a halt/clear action and turned off the corresponding activity +control bits in the subchannel status word. This means the next +time we call cio_cancel_halt_clear(), we will again start by +calling cancel subchannel and so we can be stuck between calling +cancel and halt forever. + +Rather than calling cio_cancel_halt_clear() immediately after +waiting, let's try to disable the subchannel. If we succeed in +disabling the subchannel then we know nothing else can happen +with the device. + +Suggested-by: Eric Farman +Signed-off-by: Farhan Ali +Message-Id: <4d5a4b98ab1b41ac6131b5c36de18b76c5d66898.1555449329.git.alifm@linux.ibm.com> +Reviewed-by: Eric Farman +Acked-by: Halil Pasic +Signed-off-by: Cornelia Huck +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/vfio_ccw_drv.c | 32 ++++++++++++++++++-------------- + 1 file changed, 18 insertions(+), 14 deletions(-) + +diff --git a/drivers/s390/cio/vfio_ccw_drv.c b/drivers/s390/cio/vfio_ccw_drv.c +index 0e0a743aeaf69..7a06cdff6572d 100644 +--- a/drivers/s390/cio/vfio_ccw_drv.c ++++ b/drivers/s390/cio/vfio_ccw_drv.c +@@ -40,26 +40,30 @@ int vfio_ccw_sch_quiesce(struct subchannel *sch) + if (ret != -EBUSY) + goto out_unlock; + ++ iretry = 255; + do { +- iretry = 255; + + ret = cio_cancel_halt_clear(sch, &iretry); +- while (ret == -EBUSY) { +- /* +- * Flush all I/O and wait for +- * cancel/halt/clear completion. +- */ +- private->completion = &completion; +- spin_unlock_irq(sch->lock); + +- wait_for_completion_timeout(&completion, 3*HZ); ++ if (ret == -EIO) { ++ pr_err("vfio_ccw: could not quiesce subchannel 0.%x.%04x!\n", ++ sch->schid.ssid, sch->schid.sch_no); ++ break; ++ } ++ ++ /* ++ * Flush all I/O and wait for ++ * cancel/halt/clear completion. ++ */ ++ private->completion = &completion; ++ spin_unlock_irq(sch->lock); + +- private->completion = NULL; +- flush_workqueue(vfio_ccw_work_q); +- spin_lock_irq(sch->lock); +- ret = cio_cancel_halt_clear(sch, &iretry); +- }; ++ if (ret == -EBUSY) ++ wait_for_completion_timeout(&completion, 3*HZ); + ++ private->completion = NULL; ++ flush_workqueue(vfio_ccw_work_q); ++ spin_lock_irq(sch->lock); + ret = cio_disable_subchannel(sch); + } while (ret == -EBUSY); + out_unlock: +-- +2.20.1 + diff --git a/queue-4.19/vfio-ccw-release-any-channel-program-when-releasing-.patch b/queue-4.19/vfio-ccw-release-any-channel-program-when-releasing-.patch new file mode 100644 index 00000000000..0425ded28eb --- /dev/null +++ b/queue-4.19/vfio-ccw-release-any-channel-program-when-releasing-.patch @@ -0,0 +1,95 @@ +From 06165d7d2fb61dda4c41b6408b70f942a7f109af Mon Sep 17 00:00:00 2001 +From: Farhan Ali +Date: Mon, 8 Apr 2019 17:05:33 -0400 +Subject: vfio-ccw: Release any channel program when releasing/removing + vfio-ccw mdev + +[ Upstream commit b49bdc8602b7c9c7a977758bee4125683f73e59f ] + +When releasing the vfio-ccw mdev, we currently do not release +any existing channel program and its pinned pages. This can +lead to the following warning: + +[1038876.561565] WARNING: CPU: 2 PID: 144727 at drivers/vfio/vfio_iommu_type1.c:1494 vfio_sanity_check_pfn_list+0x40/0x70 [vfio_iommu_type1] + +.... + +1038876.561921] Call Trace: +[1038876.561935] ([<00000009897fb870>] 0x9897fb870) +[1038876.561949] [<000003ff8013bf62>] vfio_iommu_type1_detach_group+0xda/0x2f0 [vfio_iommu_type1] +[1038876.561965] [<000003ff8007b634>] __vfio_group_unset_container+0x64/0x190 [vfio] +[1038876.561978] [<000003ff8007b87e>] vfio_group_put_external_user+0x26/0x38 [vfio] +[1038876.562024] [<000003ff806fc608>] kvm_vfio_group_put_external_user+0x40/0x60 [kvm] +[1038876.562045] [<000003ff806fcb9e>] kvm_vfio_destroy+0x5e/0xd0 [kvm] +[1038876.562065] [<000003ff806f63fc>] kvm_put_kvm+0x2a4/0x3d0 [kvm] +[1038876.562083] [<000003ff806f655e>] kvm_vm_release+0x36/0x48 [kvm] +[1038876.562098] [<00000000003c2dc4>] __fput+0x144/0x228 +[1038876.562113] [<000000000016ee82>] task_work_run+0x8a/0xd8 +[1038876.562125] [<000000000014c7a8>] do_exit+0x5d8/0xd90 +[1038876.562140] [<000000000014d084>] do_group_exit+0xc4/0xc8 +[1038876.562155] [<000000000015c046>] get_signal+0x9ae/0xa68 +[1038876.562169] [<0000000000108d66>] do_signal+0x66/0x768 +[1038876.562185] [<0000000000b9e37e>] system_call+0x1ea/0x2d8 +[1038876.562195] 2 locks held by qemu-system-s39/144727: +[1038876.562205] #0: 00000000537abaf9 (&container->group_lock){++++}, at: __vfio_group_unset_container+0x3c/0x190 [vfio] +[1038876.562230] #1: 00000000670008b5 (&iommu->lock){+.+.}, at: vfio_iommu_type1_detach_group+0x36/0x2f0 [vfio_iommu_type1] +[1038876.562250] Last Breaking-Event-Address: +[1038876.562262] [<000003ff8013aa24>] vfio_sanity_check_pfn_list+0x3c/0x70 [vfio_iommu_type1] +[1038876.562272] irq event stamp: 4236481 +[1038876.562287] hardirqs last enabled at (4236489): [<00000000001cee7a>] console_unlock+0x6d2/0x740 +[1038876.562299] hardirqs last disabled at (4236496): [<00000000001ce87e>] console_unlock+0xd6/0x740 +[1038876.562311] softirqs last enabled at (4234162): [<0000000000b9fa1e>] __do_softirq+0x556/0x598 +[1038876.562325] softirqs last disabled at (4234153): [<000000000014e4cc>] irq_exit+0xac/0x108 +[1038876.562337] ---[ end trace 6c96d467b1c3ca06 ]--- + +Similarly we do not free the channel program when we are removing +the vfio-ccw device. Let's fix this by resetting the device and freeing +the channel program and pinned pages in the release path. For the remove +path we can just quiesce the device, since in the remove path the mediated +device is going away for good and so we don't need to do a full reset. + +Signed-off-by: Farhan Ali +Message-Id: +Acked-by: Eric Farman +Signed-off-by: Cornelia Huck +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/vfio_ccw_ops.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/s390/cio/vfio_ccw_ops.c b/drivers/s390/cio/vfio_ccw_ops.c +index f673e106c0415..dc5ff47de3fee 100644 +--- a/drivers/s390/cio/vfio_ccw_ops.c ++++ b/drivers/s390/cio/vfio_ccw_ops.c +@@ -130,11 +130,12 @@ static int vfio_ccw_mdev_remove(struct mdev_device *mdev) + + if ((private->state != VFIO_CCW_STATE_NOT_OPER) && + (private->state != VFIO_CCW_STATE_STANDBY)) { +- if (!vfio_ccw_mdev_reset(mdev)) ++ if (!vfio_ccw_sch_quiesce(private->sch)) + private->state = VFIO_CCW_STATE_STANDBY; + /* The state will be NOT_OPER on error. */ + } + ++ cp_free(&private->cp); + private->mdev = NULL; + atomic_inc(&private->avail); + +@@ -158,6 +159,14 @@ static void vfio_ccw_mdev_release(struct mdev_device *mdev) + struct vfio_ccw_private *private = + dev_get_drvdata(mdev_parent_dev(mdev)); + ++ if ((private->state != VFIO_CCW_STATE_NOT_OPER) && ++ (private->state != VFIO_CCW_STATE_STANDBY)) { ++ if (!vfio_ccw_mdev_reset(mdev)) ++ private->state = VFIO_CCW_STATE_STANDBY; ++ /* The state will be NOT_OPER on error. */ ++ } ++ ++ cp_free(&private->cp); + vfio_unregister_notifier(mdev_dev(mdev), VFIO_IOMMU_NOTIFY, + &private->nb); + } +-- +2.20.1 + diff --git a/queue-4.19/virtio_console-initialize-vtermno-value-for-ports.patch b/queue-4.19/virtio_console-initialize-vtermno-value-for-ports.patch new file mode 100644 index 00000000000..2cbd1a03772 --- /dev/null +++ b/queue-4.19/virtio_console-initialize-vtermno-value-for-ports.patch @@ -0,0 +1,48 @@ +From 0e7ff7ea28e4087cd3c2e2413dff1098d75e2dce Mon Sep 17 00:00:00 2001 +From: Pankaj Gupta +Date: Tue, 19 Mar 2019 11:34:06 +0530 +Subject: virtio_console: initialize vtermno value for ports + +[ Upstream commit 4b0a2c5ff7215206ea6135a405f17c5f6fca7d00 ] + +For regular serial ports we do not initialize value of vtermno +variable. A garbage value is assigned for non console ports. +The value can be observed as a random integer with [1]. + +[1] vim /sys/kernel/debug/virtio-ports/vport*p* + +This patch initialize the value of vtermno for console serial +ports to '1' and regular serial ports are initiaized to '0'. + +Reported-by: siliu@redhat.com +Signed-off-by: Pankaj Gupta +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/char/virtio_console.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c +index 5b5b5d72eab7f..c55f6aeb4227a 100644 +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -75,7 +75,7 @@ struct ports_driver_data { + /* All the console devices handled by this driver */ + struct list_head consoles; + }; +-static struct ports_driver_data pdrvdata; ++static struct ports_driver_data pdrvdata = { .next_vtermno = 1}; + + static DEFINE_SPINLOCK(pdrvdata_lock); + static DECLARE_COMPLETION(early_console_added); +@@ -1405,6 +1405,7 @@ static int add_port(struct ports_device *portdev, u32 id) + port->async_queue = NULL; + + port->cons.ws.ws_row = port->cons.ws.ws_col = 0; ++ port->cons.vtermno = 0; + + port->host_connected = port->guest_connected = false; + port->stats = (struct port_stats) { 0 }; +-- +2.20.1 + diff --git a/queue-4.19/w1-fix-the-resume-command-api.patch b/queue-4.19/w1-fix-the-resume-command-api.patch new file mode 100644 index 00000000000..9d2fc2ad05f --- /dev/null +++ b/queue-4.19/w1-fix-the-resume-command-api.patch @@ -0,0 +1,51 @@ +From caa6031c0e8e14b9dd72714cb575c21363e5c951 Mon Sep 17 00:00:00 2001 +From: Mariusz Bialonczyk +Date: Thu, 21 Mar 2019 11:52:55 +0100 +Subject: w1: fix the resume command API + +[ Upstream commit 62909da8aca048ecf9fbd7e484e5100608f40a63 ] + +>From the DS2408 datasheet [1]: +"Resume Command function checks the status of the RC flag and, if it is set, + directly transfers control to the control functions, similar to a Skip ROM + command. The only way to set the RC flag is through successfully executing + the Match ROM, Search ROM, Conditional Search ROM, or Overdrive-Match ROM + command" + +The function currently works perfectly fine in a multidrop bus, but when we +have only a single slave connected, then only a Skip ROM is used and Match +ROM is not called at all. This is leading to problems e.g. with single one +DS2408 connected, as the Resume Command is not working properly and the +device is responding with failing results after the Resume Command. + +This commit is fixing this by using a Skip ROM instead in those cases. +The bandwidth / performance advantage is exactly the same. + +Refs: +[1] https://datasheets.maximintegrated.com/en/ds/DS2408.pdf + +Signed-off-by: Mariusz Bialonczyk +Reviewed-by: Jean-Francois Dagenais +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/w1/w1_io.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/w1/w1_io.c b/drivers/w1/w1_io.c +index 0364d3329c526..3516ce6718d94 100644 +--- a/drivers/w1/w1_io.c ++++ b/drivers/w1/w1_io.c +@@ -432,8 +432,7 @@ int w1_reset_resume_command(struct w1_master *dev) + if (w1_reset_bus(dev)) + return -1; + +- /* This will make only the last matched slave perform a skip ROM. */ +- w1_write_8(dev, W1_RESUME_CMD); ++ w1_write_8(dev, dev->slave_count > 1 ? W1_RESUME_CMD : W1_SKIP_ROM); + return 0; + } + EXPORT_SYMBOL_GPL(w1_reset_resume_command); +-- +2.20.1 + diff --git a/queue-4.19/wil6210-fix-return-code-of-wmi_mgmt_tx-and-wmi_mgmt_.patch b/queue-4.19/wil6210-fix-return-code-of-wmi_mgmt_tx-and-wmi_mgmt_.patch new file mode 100644 index 00000000000..7666ea2f2c8 --- /dev/null +++ b/queue-4.19/wil6210-fix-return-code-of-wmi_mgmt_tx-and-wmi_mgmt_.patch @@ -0,0 +1,71 @@ +From 6fa91d35248bd5c1b64cfcc4ad10395bd23ae2ff Mon Sep 17 00:00:00 2001 +From: Lior David +Date: Thu, 28 Feb 2019 11:35:01 +0200 +Subject: wil6210: fix return code of wmi_mgmt_tx and wmi_mgmt_tx_ext + +[ Upstream commit 49122ec42634f73babb1dc96f170023e5228d080 ] + +The functions that send management TX frame have 3 possible +results: success and other side acknowledged receive (ACK=1), +success and other side did not acknowledge receive(ACK=0) and +failure to send the frame. The current implementation +incorrectly reports the ACK=0 case as failure. + +Signed-off-by: Lior David +Signed-off-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wil6210/cfg80211.c | 5 +++++ + drivers/net/wireless/ath/wil6210/wmi.c | 11 ++++++----- + 2 files changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/ath/wil6210/cfg80211.c b/drivers/net/wireless/ath/wil6210/cfg80211.c +index 2daf33342b23d..1fc2bf66845c7 100644 +--- a/drivers/net/wireless/ath/wil6210/cfg80211.c ++++ b/drivers/net/wireless/ath/wil6210/cfg80211.c +@@ -1131,7 +1131,12 @@ int wil_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev, + params->wait); + + out: ++ /* when the sent packet was not acked by receiver(ACK=0), rc will ++ * be -EAGAIN. In this case this function needs to return success, ++ * the ACK=0 will be reflected in tx_status. ++ */ + tx_status = (rc == 0); ++ rc = (rc == -EAGAIN) ? 0 : rc; + cfg80211_mgmt_tx_status(wdev, cookie ? *cookie : 0, buf, len, + tx_status, GFP_KERNEL); + +diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c +index 42c02a20ec97c..6e3b3031f29bd 100644 +--- a/drivers/net/wireless/ath/wil6210/wmi.c ++++ b/drivers/net/wireless/ath/wil6210/wmi.c +@@ -3107,8 +3107,9 @@ int wmi_mgmt_tx(struct wil6210_vif *vif, const u8 *buf, size_t len) + rc = wmi_call(wil, WMI_SW_TX_REQ_CMDID, vif->mid, cmd, total, + WMI_SW_TX_COMPLETE_EVENTID, &evt, sizeof(evt), 2000); + if (!rc && evt.evt.status != WMI_FW_STATUS_SUCCESS) { +- wil_err(wil, "mgmt_tx failed with status %d\n", evt.evt.status); +- rc = -EINVAL; ++ wil_dbg_wmi(wil, "mgmt_tx failed with status %d\n", ++ evt.evt.status); ++ rc = -EAGAIN; + } + + kfree(cmd); +@@ -3160,9 +3161,9 @@ int wmi_mgmt_tx_ext(struct wil6210_vif *vif, const u8 *buf, size_t len, + rc = wmi_call(wil, WMI_SW_TX_REQ_EXT_CMDID, vif->mid, cmd, total, + WMI_SW_TX_COMPLETE_EVENTID, &evt, sizeof(evt), 2000); + if (!rc && evt.evt.status != WMI_FW_STATUS_SUCCESS) { +- wil_err(wil, "mgmt_tx_ext failed with status %d\n", +- evt.evt.status); +- rc = -EINVAL; ++ wil_dbg_wmi(wil, "mgmt_tx_ext failed with status %d\n", ++ evt.evt.status); ++ rc = -EAGAIN; + } + + kfree(cmd); +-- +2.20.1 + diff --git a/queue-4.19/x86-build-keep-local-relocations-with-ld.lld.patch b/queue-4.19/x86-build-keep-local-relocations-with-ld.lld.patch new file mode 100644 index 00000000000..39ee5134f1c --- /dev/null +++ b/queue-4.19/x86-build-keep-local-relocations-with-ld.lld.patch @@ -0,0 +1,44 @@ +From 6da663fc68ee0fbbccf9894399d2d4bccff2e1b3 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Thu, 4 Apr 2019 14:40:27 -0700 +Subject: x86/build: Keep local relocations with ld.lld + +[ Upstream commit 7c21383f3429dd70da39c0c7f1efa12377a47ab6 ] + +The LLVM linker (ld.lld) defaults to removing local relocations, which +causes KASLR boot failures. ld.bfd and ld.gold already handle this +correctly. This adds the explicit instruction "--discard-none" during +the link phase. There is no change in output for ld.bfd and ld.gold, +but ld.lld now produces an image with all the needed relocations. + +Signed-off-by: Kees Cook +Signed-off-by: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Nick Desaulniers +Cc: Thomas Gleixner +Cc: clang-built-linux@googlegroups.com +Cc: x86-ml +Link: https://lkml.kernel.org/r/20190404214027.GA7324@beast +Link: https://github.com/ClangBuiltLinux/linux/issues/404 +Signed-off-by: Sasha Levin +--- + arch/x86/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/Makefile b/arch/x86/Makefile +index ffc823a8312fb..ab2071e40efe3 100644 +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -47,7 +47,7 @@ export REALMODE_CFLAGS + export BITS + + ifdef CONFIG_X86_NEED_RELOCS +- LDFLAGS_vmlinux := --emit-relocs ++ LDFLAGS_vmlinux := --emit-relocs --discard-none + endif + + # +-- +2.20.1 + diff --git a/queue-4.19/x86-build-move-_etext-to-actual-end-of-.text.patch b/queue-4.19/x86-build-move-_etext-to-actual-end-of-.text.patch new file mode 100644 index 00000000000..bb12454f482 --- /dev/null +++ b/queue-4.19/x86-build-move-_etext-to-actual-end-of-.text.patch @@ -0,0 +1,51 @@ +From 0935d01e221626e08bf345c520e953ba0207ff3d Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Tue, 23 Apr 2019 11:38:27 -0700 +Subject: x86/build: Move _etext to actual end of .text + +[ Upstream commit 392bef709659abea614abfe53cf228e7a59876a4 ] + +When building x86 with Clang LTO and CFI, CFI jump regions are +automatically added to the end of the .text section late in linking. As a +result, the _etext position was being labelled before the appended jump +regions, causing confusion about where the boundaries of the executable +region actually are in the running kernel, and broke at least the fault +injection code. This moves the _etext mark to outside (and immediately +after) the .text area, as it already the case on other architectures +(e.g. arm64, arm). + +Reported-and-tested-by: Sami Tolvanen +Signed-off-by: Kees Cook +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20190423183827.GA4012@beast +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/vmlinux.lds.S | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S +index 85e6d5620188e..2fb152d813c17 100644 +--- a/arch/x86/kernel/vmlinux.lds.S ++++ b/arch/x86/kernel/vmlinux.lds.S +@@ -151,11 +151,11 @@ SECTIONS + *(.text.__x86.indirect_thunk) + __indirect_thunk_end = .; + #endif +- +- /* End of text section */ +- _etext = .; + } :text = 0x9090 + ++ /* End of text section */ ++ _etext = .; ++ + NOTES :text :note + + EXCEPTION_TABLE(16) :text = 0x9090 +-- +2.20.1 + diff --git a/queue-4.19/x86-ia32-fix-ia32_restore_sigcontext-ac-leak.patch b/queue-4.19/x86-ia32-fix-ia32_restore_sigcontext-ac-leak.patch new file mode 100644 index 00000000000..613bda84970 --- /dev/null +++ b/queue-4.19/x86-ia32-fix-ia32_restore_sigcontext-ac-leak.patch @@ -0,0 +1,87 @@ +From bbd6079920082f941c16f41ef54298992ad052d5 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Mon, 25 Feb 2019 12:56:35 +0100 +Subject: x86/ia32: Fix ia32_restore_sigcontext() AC leak + +[ Upstream commit 67a0514afdbb8b2fc70b771b8c77661a9cb9d3a9 ] + +Objtool spotted that we call native_load_gs_index() with AC set. +Re-arrange the code to avoid that. + +Signed-off-by: Peter Zijlstra (Intel) +Cc: Borislav Petkov +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/ia32/ia32_signal.c | 29 +++++++++++++++++------------ + 1 file changed, 17 insertions(+), 12 deletions(-) + +diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c +index 86b1341cba9ac..513ba49c204fe 100644 +--- a/arch/x86/ia32/ia32_signal.c ++++ b/arch/x86/ia32/ia32_signal.c +@@ -61,9 +61,8 @@ + } while (0) + + #define RELOAD_SEG(seg) { \ +- unsigned int pre = GET_SEG(seg); \ ++ unsigned int pre = (seg) | 3; \ + unsigned int cur = get_user_seg(seg); \ +- pre |= 3; \ + if (pre != cur) \ + set_user_seg(seg, pre); \ + } +@@ -72,6 +71,7 @@ static int ia32_restore_sigcontext(struct pt_regs *regs, + struct sigcontext_32 __user *sc) + { + unsigned int tmpflags, err = 0; ++ u16 gs, fs, es, ds; + void __user *buf; + u32 tmp; + +@@ -79,16 +79,10 @@ static int ia32_restore_sigcontext(struct pt_regs *regs, + current->restart_block.fn = do_no_restart_syscall; + + get_user_try { +- /* +- * Reload fs and gs if they have changed in the signal +- * handler. This does not handle long fs/gs base changes in +- * the handler, but does not clobber them at least in the +- * normal case. +- */ +- RELOAD_SEG(gs); +- RELOAD_SEG(fs); +- RELOAD_SEG(ds); +- RELOAD_SEG(es); ++ gs = GET_SEG(gs); ++ fs = GET_SEG(fs); ++ ds = GET_SEG(ds); ++ es = GET_SEG(es); + + COPY(di); COPY(si); COPY(bp); COPY(sp); COPY(bx); + COPY(dx); COPY(cx); COPY(ip); COPY(ax); +@@ -106,6 +100,17 @@ static int ia32_restore_sigcontext(struct pt_regs *regs, + buf = compat_ptr(tmp); + } get_user_catch(err); + ++ /* ++ * Reload fs and gs if they have changed in the signal ++ * handler. This does not handle long fs/gs base changes in ++ * the handler, but does not clobber them at least in the ++ * normal case. ++ */ ++ RELOAD_SEG(gs); ++ RELOAD_SEG(fs); ++ RELOAD_SEG(ds); ++ RELOAD_SEG(es); ++ + err |= fpu__restore_sig(buf, 1); + + force_iret(); +-- +2.20.1 + diff --git a/queue-4.19/x86-irq-64-limit-ist-stack-overflow-check-to-db-stac.patch b/queue-4.19/x86-irq-64-limit-ist-stack-overflow-check-to-db-stac.patch new file mode 100644 index 00000000000..e3f85219a21 --- /dev/null +++ b/queue-4.19/x86-irq-64-limit-ist-stack-overflow-check-to-db-stac.patch @@ -0,0 +1,82 @@ +From 4b471e5d3313f7a6c393d5248bf250c0f8a8eaa8 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Sun, 14 Apr 2019 17:59:38 +0200 +Subject: x86/irq/64: Limit IST stack overflow check to #DB stack + +[ Upstream commit 7dbcf2b0b770eeb803a416ee8dcbef78e6389d40 ] + +Commit + + 37fe6a42b343 ("x86: Check stack overflow in detail") + +added a broad check for the full exception stack area, i.e. it considers +the full exception stack area as valid. + +That's wrong in two aspects: + + 1) It does not check the individual areas one by one + + 2) #DF, NMI and #MCE are not enabling interrupts which means that a + regular device interrupt cannot happen in their context. In fact if a + device interrupt hits one of those IST stacks that's a bug because some + code path enabled interrupts while handling the exception. + +Limit the check to the #DB stack and consider all other IST stacks as +'overflow' or invalid. + +Signed-off-by: Thomas Gleixner +Signed-off-by: Borislav Petkov +Cc: Andy Lutomirski +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Josh Poimboeuf +Cc: Mitsuo Hayasaka +Cc: Nicolai Stange +Cc: Sean Christopherson +Cc: x86-ml +Link: https://lkml.kernel.org/r/20190414160143.682135110@linutronix.de +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/irq_64.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c +index 0469cd078db15..b50ac9c7397bb 100644 +--- a/arch/x86/kernel/irq_64.c ++++ b/arch/x86/kernel/irq_64.c +@@ -26,9 +26,18 @@ int sysctl_panic_on_stackoverflow; + /* + * Probabilistic stack overflow check: + * +- * Only check the stack in process context, because everything else +- * runs on the big interrupt stacks. Checking reliably is too expensive, +- * so we just check from interrupts. ++ * Regular device interrupts can enter on the following stacks: ++ * ++ * - User stack ++ * ++ * - Kernel task stack ++ * ++ * - Interrupt stack if a device driver reenables interrupts ++ * which should only happen in really old drivers. ++ * ++ * - Debug IST stack ++ * ++ * All other contexts are invalid. + */ + static inline void stack_overflow_check(struct pt_regs *regs) + { +@@ -53,8 +62,8 @@ static inline void stack_overflow_check(struct pt_regs *regs) + return; + + oist = this_cpu_ptr(&orig_ist); +- estack_top = (u64)oist->ist[0] - EXCEPTION_STKSZ + STACK_TOP_MARGIN; +- estack_bottom = (u64)oist->ist[N_EXCEPTION_STACKS - 1]; ++ estack_bottom = (u64)oist->ist[DEBUG_STACK]; ++ estack_top = estack_bottom - DEBUG_STKSZ + STACK_TOP_MARGIN; + if (regs->sp >= estack_top && regs->sp <= estack_bottom) + return; + +-- +2.20.1 + diff --git a/queue-4.19/x86-mce-fix-machine_check_poll-tests-for-error-types.patch b/queue-4.19/x86-mce-fix-machine_check_poll-tests-for-error-types.patch new file mode 100644 index 00000000000..79d4e9f0fe0 --- /dev/null +++ b/queue-4.19/x86-mce-fix-machine_check_poll-tests-for-error-types.patch @@ -0,0 +1,106 @@ +From 7a6dad8dca23991974fb21504f85d0bb24f3fae2 Mon Sep 17 00:00:00 2001 +From: Tony Luck +Date: Tue, 12 Mar 2019 10:09:38 -0700 +Subject: x86/mce: Fix machine_check_poll() tests for error types + +[ Upstream commit f19501aa07f18268ab14f458b51c1c6b7f72a134 ] + +There has been a lurking "TBD" in the machine check poll routine ever +since it was first split out from the machine check handler. The +potential issue is that the poll routine may have just begun a read from +the STATUS register in a machine check bank when the hardware logs an +error in that bank and signals a machine check. + +That race used to be pretty small back when machine checks were +broadcast, but the addition of local machine check means that the poll +code could continue running and clear the error from the bank before the +local machine check handler on another CPU gets around to reading it. + +Fix the code to be sure to only process errors that need to be processed +in the poll code, leaving other logged errors alone for the machine +check handler to find and process. + + [ bp: Massage a bit and flip the "== 0" check to the usual !(..) test. ] + +Fixes: b79109c3bbcf ("x86, mce: separate correct machine check poller and fatal exception handler") +Fixes: ed7290d0ee8f ("x86, mce: implement new status bits") +Reported-by: Ashok Raj +Signed-off-by: Tony Luck +Signed-off-by: Borislav Petkov +Cc: Ashok Raj +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: linux-edac +Cc: Thomas Gleixner +Cc: x86-ml +Cc: Yazen Ghannam +Link: https://lkml.kernel.org/r/20190312170938.GA23035@agluck-desk +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mcheck/mce.c | 44 +++++++++++++++++++++++++++----- + 1 file changed, 37 insertions(+), 7 deletions(-) + +diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c +index f9e7096b1804d..45bd926359f62 100644 +--- a/arch/x86/kernel/cpu/mcheck/mce.c ++++ b/arch/x86/kernel/cpu/mcheck/mce.c +@@ -711,19 +711,49 @@ bool machine_check_poll(enum mcp_flags flags, mce_banks_t *b) + + barrier(); + m.status = mce_rdmsrl(msr_ops.status(i)); ++ ++ /* If this entry is not valid, ignore it */ + if (!(m.status & MCI_STATUS_VAL)) + continue; + + /* +- * Uncorrected or signalled events are handled by the exception +- * handler when it is enabled, so don't process those here. +- * +- * TBD do the same check for MCI_STATUS_EN here? ++ * If we are logging everything (at CPU online) or this ++ * is a corrected error, then we must log it. + */ +- if (!(flags & MCP_UC) && +- (m.status & (mca_cfg.ser ? MCI_STATUS_S : MCI_STATUS_UC))) +- continue; ++ if ((flags & MCP_UC) || !(m.status & MCI_STATUS_UC)) ++ goto log_it; ++ ++ /* ++ * Newer Intel systems that support software error ++ * recovery need to make additional checks. Other ++ * CPUs should skip over uncorrected errors, but log ++ * everything else. ++ */ ++ if (!mca_cfg.ser) { ++ if (m.status & MCI_STATUS_UC) ++ continue; ++ goto log_it; ++ } ++ ++ /* Log "not enabled" (speculative) errors */ ++ if (!(m.status & MCI_STATUS_EN)) ++ goto log_it; ++ ++ /* ++ * Log UCNA (SDM: 15.6.3 "UCR Error Classification") ++ * UC == 1 && PCC == 0 && S == 0 ++ */ ++ if (!(m.status & MCI_STATUS_PCC) && !(m.status & MCI_STATUS_S)) ++ goto log_it; ++ ++ /* ++ * Skip anything else. Presumption is that our read of this ++ * bank is racing with a machine check. Leave the log alone ++ * for do_machine_check() to deal with it. ++ */ ++ continue; + ++log_it: + error_seen = true; + + mce_read_aux(&m, i); +-- +2.20.1 + diff --git a/queue-4.19/x86-mce-handle-varying-mca-bank-counts.patch b/queue-4.19/x86-mce-handle-varying-mca-bank-counts.patch new file mode 100644 index 00000000000..1ba2da4b617 --- /dev/null +++ b/queue-4.19/x86-mce-handle-varying-mca-bank-counts.patch @@ -0,0 +1,172 @@ +From 49b1f6e140cc0be99c489b3e7d989985e8e2d52d Mon Sep 17 00:00:00 2001 +From: Yazen Ghannam +Date: Fri, 27 Jul 2018 16:40:09 -0500 +Subject: x86/mce: Handle varying MCA bank counts + +[ Upstream commit 006c077041dc73b9490fffc4c6af5befe0687110 ] + +Linux reads MCG_CAP[Count] to find the number of MCA banks visible to a +CPU. Currently, this number is the same for all CPUs and a warning is +shown if there is a difference. The number of banks is overwritten with +the MCG_CAP[Count] value of each following CPU that boots. + +According to the Intel SDM and AMD APM, the MCG_CAP[Count] value gives +the number of banks that are available to a "processor implementation". +The AMD BKDGs/PPRs further clarify that this value is per core. This +value has historically been the same for every core in the system, but +that is not an architectural requirement. + +Future AMD systems may have different MCG_CAP[Count] values per core, +so the assumption that all CPUs will have the same MCG_CAP[Count] value +will no longer be valid. + +Also, the first CPU to boot will allocate the struct mce_banks[] array +using the number of banks based on its MCG_CAP[Count] value. The machine +check handler and other functions use the global number of banks to +iterate and index into the mce_banks[] array. So it's possible to use an +out-of-bounds index on an asymmetric system where a following CPU sees a +MCG_CAP[Count] value greater than its predecessors. + +Thus, allocate the mce_banks[] array to the maximum number of banks. +This will avoid the potential out-of-bounds index since the value of +mca_cfg.banks is capped to MAX_NR_BANKS. + +Set the value of mca_cfg.banks equal to the max of the previous value +and the value for the current CPU. This way mca_cfg.banks will always +represent the max number of banks detected on any CPU in the system. + +This will ensure that all CPUs will access all the banks that are +visible to them. A CPU that can access fewer than the max number of +banks will find the registers of the extra banks to be read-as-zero. + +Furthermore, print the resulting number of MCA banks in use. Do this in +mcheck_late_init() so that the final value is printed after all CPUs +have been initialized. + +Finally, get bank count from target CPU when doing injection with mce-inject +module. + + [ bp: Remove out-of-bounds example, passify and cleanup commit message. ] + +Signed-off-by: Yazen Ghannam +Signed-off-by: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: linux-edac +Cc: Pu Wen +Cc: Thomas Gleixner +Cc: Tony Luck +Cc: Vishal Verma +Cc: x86-ml +Link: https://lkml.kernel.org/r/20180727214009.78289-1-Yazen.Ghannam@amd.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mcheck/mce-inject.c | 14 +++++++------- + arch/x86/kernel/cpu/mcheck/mce.c | 22 +++++++--------------- + 2 files changed, 14 insertions(+), 22 deletions(-) + +diff --git a/arch/x86/kernel/cpu/mcheck/mce-inject.c b/arch/x86/kernel/cpu/mcheck/mce-inject.c +index c805a06e14c38..ff1c00b695aed 100644 +--- a/arch/x86/kernel/cpu/mcheck/mce-inject.c ++++ b/arch/x86/kernel/cpu/mcheck/mce-inject.c +@@ -46,8 +46,6 @@ + static struct mce i_mce; + static struct dentry *dfs_inj; + +-static u8 n_banks; +- + #define MAX_FLAG_OPT_SIZE 4 + #define NBCFG 0x44 + +@@ -567,9 +565,15 @@ static void do_inject(void) + static int inj_bank_set(void *data, u64 val) + { + struct mce *m = (struct mce *)data; ++ u8 n_banks; ++ u64 cap; ++ ++ /* Get bank count on target CPU so we can handle non-uniform values. */ ++ rdmsrl_on_cpu(m->extcpu, MSR_IA32_MCG_CAP, &cap); ++ n_banks = cap & MCG_BANKCNT_MASK; + + if (val >= n_banks) { +- pr_err("Non-existent MCE bank: %llu\n", val); ++ pr_err("MCA bank %llu non-existent on CPU%d\n", val, m->extcpu); + return -EINVAL; + } + +@@ -659,10 +663,6 @@ static struct dfs_node { + static int __init debugfs_init(void) + { + unsigned int i; +- u64 cap; +- +- rdmsrl(MSR_IA32_MCG_CAP, cap); +- n_banks = cap & MCG_BANKCNT_MASK; + + dfs_inj = debugfs_create_dir("mce-inject", NULL); + if (!dfs_inj) +diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c +index 45bd926359f62..fee118b3b69fd 100644 +--- a/arch/x86/kernel/cpu/mcheck/mce.c ++++ b/arch/x86/kernel/cpu/mcheck/mce.c +@@ -1480,13 +1480,12 @@ EXPORT_SYMBOL_GPL(mce_notify_irq); + static int __mcheck_cpu_mce_banks_init(void) + { + int i; +- u8 num_banks = mca_cfg.banks; + +- mce_banks = kcalloc(num_banks, sizeof(struct mce_bank), GFP_KERNEL); ++ mce_banks = kcalloc(MAX_NR_BANKS, sizeof(struct mce_bank), GFP_KERNEL); + if (!mce_banks) + return -ENOMEM; + +- for (i = 0; i < num_banks; i++) { ++ for (i = 0; i < MAX_NR_BANKS; i++) { + struct mce_bank *b = &mce_banks[i]; + + b->ctl = -1ULL; +@@ -1500,28 +1499,19 @@ static int __mcheck_cpu_mce_banks_init(void) + */ + static int __mcheck_cpu_cap_init(void) + { +- unsigned b; + u64 cap; ++ u8 b; + + rdmsrl(MSR_IA32_MCG_CAP, cap); + + b = cap & MCG_BANKCNT_MASK; +- if (!mca_cfg.banks) +- pr_info("CPU supports %d MCE banks\n", b); +- +- if (b > MAX_NR_BANKS) { +- pr_warn("Using only %u machine check banks out of %u\n", +- MAX_NR_BANKS, b); ++ if (WARN_ON_ONCE(b > MAX_NR_BANKS)) + b = MAX_NR_BANKS; +- } + +- /* Don't support asymmetric configurations today */ +- WARN_ON(mca_cfg.banks != 0 && b != mca_cfg.banks); +- mca_cfg.banks = b; ++ mca_cfg.banks = max(mca_cfg.banks, b); + + if (!mce_banks) { + int err = __mcheck_cpu_mce_banks_init(); +- + if (err) + return err; + } +@@ -2503,6 +2493,8 @@ EXPORT_SYMBOL_GPL(mcsafe_key); + + static int __init mcheck_late_init(void) + { ++ pr_info("Using %d MCE banks\n", mca_cfg.banks); ++ + if (mca_cfg.recovery) + static_branch_inc(&mcsafe_key); + +-- +2.20.1 + diff --git a/queue-4.19/x86-microcode-fix-the-ancient-deprecated-microcode-l.patch b/queue-4.19/x86-microcode-fix-the-ancient-deprecated-microcode-l.patch new file mode 100644 index 00000000000..530b8f2d275 --- /dev/null +++ b/queue-4.19/x86-microcode-fix-the-ancient-deprecated-microcode-l.patch @@ -0,0 +1,45 @@ +From 69b84740e0c097b5fa345028f296895ee0af6f53 Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Thu, 4 Apr 2019 22:14:07 +0200 +Subject: x86/microcode: Fix the ancient deprecated microcode loading method + +[ Upstream commit 24613a04ad1c0588c10f4b5403ca60a73d164051 ] + +Commit + + 2613f36ed965 ("x86/microcode: Attempt late loading only when new microcode is present") + +added the new define UCODE_NEW to denote that an update should happen +only when newer microcode (than installed on the system) has been found. + +But it missed adjusting that for the old /dev/cpu/microcode loading +interface. Fix it. + +Fixes: 2613f36ed965 ("x86/microcode: Attempt late loading only when new microcode is present") +Signed-off-by: Borislav Petkov +Reviewed-by: Thomas Gleixner +Cc: Jann Horn +Link: https://lkml.kernel.org/r/20190405133010.24249-3-bp@alien8.de +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/microcode/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c +index b9bc8a1a584e3..b43ddefd77f45 100644 +--- a/arch/x86/kernel/cpu/microcode/core.c ++++ b/arch/x86/kernel/cpu/microcode/core.c +@@ -418,8 +418,9 @@ static int do_microcode_update(const void __user *buf, size_t size) + if (ustate == UCODE_ERROR) { + error = -1; + break; +- } else if (ustate == UCODE_OK) ++ } else if (ustate == UCODE_NEW) { + apply_microcode_on_target(cpu); ++ } + } + + return error; +-- +2.20.1 + diff --git a/queue-4.19/x86-mm-remove-in_nmi-warning-from-64-bit-implementat.patch b/queue-4.19/x86-mm-remove-in_nmi-warning-from-64-bit-implementat.patch new file mode 100644 index 00000000000..1d3cbde8e5a --- /dev/null +++ b/queue-4.19/x86-mm-remove-in_nmi-warning-from-64-bit-implementat.patch @@ -0,0 +1,62 @@ +From c117a5195c74c1512524ab55e6fa79c171721a95 Mon Sep 17 00:00:00 2001 +From: Jiri Kosina +Date: Wed, 24 Apr 2019 09:04:57 +0200 +Subject: x86/mm: Remove in_nmi() warning from 64-bit implementation of + vmalloc_fault() + +[ Upstream commit a65c88e16f32aa9ef2e8caa68ea5c29bd5eb0ff0 ] + +In-NMI warnings have been added to vmalloc_fault() via: + + ebc8827f75 ("x86: Barf when vmalloc and kmemcheck faults happen in NMI") + +back in the time when our NMI entry code could not cope with nested NMIs. + +These days, it's perfectly fine to take a fault in NMI context and we +don't have to care about the fact that IRET from the fault handler might +cause NMI nesting. + +This warning has already been removed from 32-bit implementation of +vmalloc_fault() in: + + 6863ea0cda8 ("x86/mm: Remove in_nmi() warning from vmalloc_fault()") + +but the 64-bit version was omitted. + +Remove the bogus warning also from 64-bit implementation of vmalloc_fault(). + +Reported-by: Nicolai Stange +Signed-off-by: Jiri Kosina +Acked-by: Peter Zijlstra (Intel) +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: Frederic Weisbecker +Cc: Joerg Roedel +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 6863ea0cda8 ("x86/mm: Remove in_nmi() warning from vmalloc_fault()") +Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1904240902280.9803@cbobk.fhfr.pm +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/mm/fault.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c +index 47bebfe6efa70..9d9765e4d1ef1 100644 +--- a/arch/x86/mm/fault.c ++++ b/arch/x86/mm/fault.c +@@ -427,8 +427,6 @@ static noinline int vmalloc_fault(unsigned long address) + if (!(address >= VMALLOC_START && address < VMALLOC_END)) + return -1; + +- WARN_ON_ONCE(in_nmi()); +- + /* + * Copy kernel mappings over when needed. This can also + * happen within a race in page table update. In the later +-- +2.20.1 + diff --git a/queue-4.19/x86-modules-avoid-breaking-w-x-while-loading-modules.patch b/queue-4.19/x86-modules-avoid-breaking-w-x-while-loading-modules.patch new file mode 100644 index 00000000000..71732114d09 --- /dev/null +++ b/queue-4.19/x86-modules-avoid-breaking-w-x-while-loading-modules.patch @@ -0,0 +1,142 @@ +From ad907d60ea813d54a3dd0304fea99fb6ca1223f4 Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Thu, 25 Apr 2019 17:11:31 -0700 +Subject: x86/modules: Avoid breaking W^X while loading modules + +[ Upstream commit f2c65fb3221adc6b73b0549fc7ba892022db9797 ] + +When modules and BPF filters are loaded, there is a time window in +which some memory is both writable and executable. An attacker that has +already found another vulnerability (e.g., a dangling pointer) might be +able to exploit this behavior to overwrite kernel code. Prevent having +writable executable PTEs in this stage. + +In addition, avoiding having W+X mappings can also slightly simplify the +patching of modules code on initialization (e.g., by alternatives and +static-key), as would be done in the next patch. This was actually the +main motivation for this patch. + +To avoid having W+X mappings, set them initially as RW (NX) and after +they are set as RO set them as X as well. Setting them as executable is +done as a separate step to avoid one core in which the old PTE is cached +(hence writable), and another which sees the updated PTE (executable), +which would break the W^X protection. + +Suggested-by: Thomas Gleixner +Suggested-by: Andy Lutomirski +Signed-off-by: Nadav Amit +Signed-off-by: Rick Edgecombe +Signed-off-by: Peter Zijlstra (Intel) +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: H. Peter Anvin +Cc: Jessica Yu +Cc: Kees Cook +Cc: Linus Torvalds +Cc: Masami Hiramatsu +Cc: Rik van Riel +Link: https://lkml.kernel.org/r/20190426001143.4983-12-namit@vmware.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/alternative.c | 28 +++++++++++++++++++++------- + arch/x86/kernel/module.c | 2 +- + include/linux/filter.h | 1 + + kernel/module.c | 5 +++++ + 4 files changed, 28 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c +index b9d5e7c9ef43e..918a23704c0c5 100644 +--- a/arch/x86/kernel/alternative.c ++++ b/arch/x86/kernel/alternative.c +@@ -662,15 +662,29 @@ void __init alternative_instructions(void) + * handlers seeing an inconsistent instruction while you patch. + */ + void *__init_or_module text_poke_early(void *addr, const void *opcode, +- size_t len) ++ size_t len) + { + unsigned long flags; +- local_irq_save(flags); +- memcpy(addr, opcode, len); +- local_irq_restore(flags); +- sync_core(); +- /* Could also do a CLFLUSH here to speed up CPU recovery; but +- that causes hangs on some VIA CPUs. */ ++ ++ if (boot_cpu_has(X86_FEATURE_NX) && ++ is_module_text_address((unsigned long)addr)) { ++ /* ++ * Modules text is marked initially as non-executable, so the ++ * code cannot be running and speculative code-fetches are ++ * prevented. Just change the code. ++ */ ++ memcpy(addr, opcode, len); ++ } else { ++ local_irq_save(flags); ++ memcpy(addr, opcode, len); ++ local_irq_restore(flags); ++ sync_core(); ++ ++ /* ++ * Could also do a CLFLUSH here to speed up CPU recovery; but ++ * that causes hangs on some VIA CPUs. ++ */ ++ } + return addr; + } + +diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c +index f58336af095c9..6645f123419c6 100644 +--- a/arch/x86/kernel/module.c ++++ b/arch/x86/kernel/module.c +@@ -87,7 +87,7 @@ void *module_alloc(unsigned long size) + p = __vmalloc_node_range(size, MODULE_ALIGN, + MODULES_VADDR + get_module_load_offset(), + MODULES_END, GFP_KERNEL, +- PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE, ++ PAGE_KERNEL, 0, NUMA_NO_NODE, + __builtin_return_address(0)); + if (p && (kasan_module_alloc(p, size) < 0)) { + vfree(p); +diff --git a/include/linux/filter.h b/include/linux/filter.h +index 6ecef32fd8bcd..d52a7484aeb2d 100644 +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -684,6 +684,7 @@ static inline void bpf_prog_unlock_ro(struct bpf_prog *fp) + static inline void bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr) + { + set_memory_ro((unsigned long)hdr, hdr->pages); ++ set_memory_x((unsigned long)hdr, hdr->pages); + } + + static inline void bpf_jit_binary_unlock_ro(struct bpf_binary_header *hdr) +diff --git a/kernel/module.c b/kernel/module.c +index 38bf28b5cc202..f797c6ace7121 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -1949,8 +1949,13 @@ void module_enable_ro(const struct module *mod, bool after_init) + return; + + frob_text(&mod->core_layout, set_memory_ro); ++ frob_text(&mod->core_layout, set_memory_x); ++ + frob_rodata(&mod->core_layout, set_memory_ro); ++ + frob_text(&mod->init_layout, set_memory_ro); ++ frob_text(&mod->init_layout, set_memory_x); ++ + frob_rodata(&mod->init_layout, set_memory_ro); + + if (after_init) +-- +2.20.1 + diff --git a/queue-4.19/x86-uaccess-fix-up-the-fixup.patch b/queue-4.19/x86-uaccess-fix-up-the-fixup.patch new file mode 100644 index 00000000000..c517e8bdc29 --- /dev/null +++ b/queue-4.19/x86-uaccess-fix-up-the-fixup.patch @@ -0,0 +1,53 @@ +From 8498dc1daa4fa9fe4c043aa21c0a99a7b90ca388 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Wed, 3 Apr 2019 09:39:45 +0200 +Subject: x86/uaccess: Fix up the fixup + +[ Upstream commit b69656fa7ea2f75e47d7bd5b9430359fa46488af ] + +New tooling got confused about this: + + arch/x86/lib/memcpy_64.o: warning: objtool: .fixup+0x7: return with UACCESS enabled + +While the code isn't wrong, it is tedious (if at all possible) to +figure out what function a particular chunk of .fixup belongs to. + +This then confuses the objtool uaccess validation. Instead of +returning directly from the .fixup, jump back into the right function. + +Signed-off-by: Peter Zijlstra (Intel) +Cc: Borislav Petkov +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/lib/memcpy_64.S | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/lib/memcpy_64.S b/arch/x86/lib/memcpy_64.S +index 3b24dc05251c7..9d05572370edc 100644 +--- a/arch/x86/lib/memcpy_64.S ++++ b/arch/x86/lib/memcpy_64.S +@@ -257,6 +257,7 @@ ENTRY(__memcpy_mcsafe) + /* Copy successful. Return zero */ + .L_done_memcpy_trap: + xorl %eax, %eax ++.L_done: + ret + ENDPROC(__memcpy_mcsafe) + EXPORT_SYMBOL_GPL(__memcpy_mcsafe) +@@ -273,7 +274,7 @@ EXPORT_SYMBOL_GPL(__memcpy_mcsafe) + addl %edx, %ecx + .E_trailing_bytes: + mov %ecx, %eax +- ret ++ jmp .L_done + + /* + * For write fault handling, given the destination is unaligned, +-- +2.20.1 + diff --git a/queue-4.19/x86-uaccess-ftrace-fix-ftrace_likely_update-vs.-smap.patch b/queue-4.19/x86-uaccess-ftrace-fix-ftrace_likely_update-vs.-smap.patch new file mode 100644 index 00000000000..d961781f7f6 --- /dev/null +++ b/queue-4.19/x86-uaccess-ftrace-fix-ftrace_likely_update-vs.-smap.patch @@ -0,0 +1,51 @@ +From fd94a5bfd75d35fa2d81013c82904f389266159c Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Thu, 7 Mar 2019 11:09:13 +0100 +Subject: x86/uaccess, ftrace: Fix ftrace_likely_update() vs. SMAP + +[ Upstream commit 4a6c91fbdef846ec7250b82f2eeeb87ac5f18cf9 ] + +For CONFIG_TRACE_BRANCH_PROFILING=y the likely/unlikely things get +overloaded and generate callouts to this code, and thus also when +AC=1. + +Make it safe. + +Signed-off-by: Peter Zijlstra (Intel) +Cc: Borislav Petkov +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Steven Rostedt +Cc: Thomas Gleixner +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_branch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/kernel/trace/trace_branch.c b/kernel/trace/trace_branch.c +index 4ad967453b6fb..3ea65cdff30d5 100644 +--- a/kernel/trace/trace_branch.c ++++ b/kernel/trace/trace_branch.c +@@ -205,6 +205,8 @@ void trace_likely_condition(struct ftrace_likely_data *f, int val, int expect) + void ftrace_likely_update(struct ftrace_likely_data *f, int val, + int expect, int is_constant) + { ++ unsigned long flags = user_access_save(); ++ + /* A constant is always correct */ + if (is_constant) { + f->constant++; +@@ -223,6 +225,8 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val, + f->data.correct++; + else + f->data.incorrect++; ++ ++ user_access_restore(flags); + } + EXPORT_SYMBOL(ftrace_likely_update); + +-- +2.20.1 + diff --git a/queue-4.19/x86-uaccess-signal-fix-ac-1-bloat.patch b/queue-4.19/x86-uaccess-signal-fix-ac-1-bloat.patch new file mode 100644 index 00000000000..9ac6eec425d --- /dev/null +++ b/queue-4.19/x86-uaccess-signal-fix-ac-1-bloat.patch @@ -0,0 +1,111 @@ +From d80557c2ab07302830cdf1e66138f24fbe1a31c5 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Wed, 3 Apr 2019 09:39:48 +0200 +Subject: x86/uaccess, signal: Fix AC=1 bloat + +[ Upstream commit 88e4718275c1bddca6f61f300688b4553dc8584b ] + +Occasionally GCC is less agressive with inlining and the following is +observed: + + arch/x86/kernel/signal.o: warning: objtool: restore_sigcontext()+0x3cc: call to force_valid_ss.isra.5() with UACCESS enabled + arch/x86/kernel/signal.o: warning: objtool: do_signal()+0x384: call to frame_uc_flags.isra.0() with UACCESS enabled + +Cure this by moving this code out of the AC=1 region, since it really +isn't needed for the user access. + +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Andy Lutomirski +Cc: Borislav Petkov +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/signal.c | 29 +++++++++++++++++------------ + 1 file changed, 17 insertions(+), 12 deletions(-) + +diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c +index 92a3b312a53c4..44e647a65de88 100644 +--- a/arch/x86/kernel/signal.c ++++ b/arch/x86/kernel/signal.c +@@ -132,16 +132,6 @@ static int restore_sigcontext(struct pt_regs *regs, + COPY_SEG_CPL3(cs); + COPY_SEG_CPL3(ss); + +-#ifdef CONFIG_X86_64 +- /* +- * Fix up SS if needed for the benefit of old DOSEMU and +- * CRIU. +- */ +- if (unlikely(!(uc_flags & UC_STRICT_RESTORE_SS) && +- user_64bit_mode(regs))) +- force_valid_ss(regs); +-#endif +- + get_user_ex(tmpflags, &sc->flags); + regs->flags = (regs->flags & ~FIX_EFLAGS) | (tmpflags & FIX_EFLAGS); + regs->orig_ax = -1; /* disable syscall checks */ +@@ -150,6 +140,15 @@ static int restore_sigcontext(struct pt_regs *regs, + buf = (void __user *)buf_val; + } get_user_catch(err); + ++#ifdef CONFIG_X86_64 ++ /* ++ * Fix up SS if needed for the benefit of old DOSEMU and ++ * CRIU. ++ */ ++ if (unlikely(!(uc_flags & UC_STRICT_RESTORE_SS) && user_64bit_mode(regs))) ++ force_valid_ss(regs); ++#endif ++ + err |= fpu__restore_sig(buf, IS_ENABLED(CONFIG_X86_32)); + + force_iret(); +@@ -461,6 +460,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig, + { + struct rt_sigframe __user *frame; + void __user *fp = NULL; ++ unsigned long uc_flags; + int err = 0; + + frame = get_sigframe(&ksig->ka, regs, sizeof(struct rt_sigframe), &fp); +@@ -473,9 +473,11 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig, + return -EFAULT; + } + ++ uc_flags = frame_uc_flags(regs); ++ + put_user_try { + /* Create the ucontext. */ +- put_user_ex(frame_uc_flags(regs), &frame->uc.uc_flags); ++ put_user_ex(uc_flags, &frame->uc.uc_flags); + put_user_ex(0, &frame->uc.uc_link); + save_altstack_ex(&frame->uc.uc_stack, regs->sp); + +@@ -541,6 +543,7 @@ static int x32_setup_rt_frame(struct ksignal *ksig, + { + #ifdef CONFIG_X86_X32_ABI + struct rt_sigframe_x32 __user *frame; ++ unsigned long uc_flags; + void __user *restorer; + int err = 0; + void __user *fpstate = NULL; +@@ -555,9 +558,11 @@ static int x32_setup_rt_frame(struct ksignal *ksig, + return -EFAULT; + } + ++ uc_flags = frame_uc_flags(regs); ++ + put_user_try { + /* Create the ucontext. */ +- put_user_ex(frame_uc_flags(regs), &frame->uc.uc_flags); ++ put_user_ex(uc_flags, &frame->uc.uc_flags); + put_user_ex(0, &frame->uc.uc_link); + compat_save_altstack_ex(&frame->uc.uc_stack, regs->sp); + put_user_ex(0, &frame->uc.uc__pad0); +-- +2.20.1 +