From: Sasha Levin Date: Thu, 27 Aug 2020 16:38:44 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v4.4.235~75 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=22cb2e0b5b1915be6f22088d97fb5f6ac78d2278;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/alpha-fix-annotation-of-io-read-write-16-32-be.patch b/queue-4.14/alpha-fix-annotation-of-io-read-write-16-32-be.patch new file mode 100644 index 00000000000..03c856780d8 --- /dev/null +++ b/queue-4.14/alpha-fix-annotation-of-io-read-write-16-32-be.patch 
@@ -0,0 +1,57 @@
+From c9f407da832ea0abb4a57297000756397fd68efe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Aug 2020 18:33:54 -0700
+Subject: alpha: fix annotation of io{read,write}{16,32}be()
+
+From: Luc Van Oostenryck
+
+[ Upstream commit bd72866b8da499e60633ff28f8a4f6e09ca78efe ]
+
+These accessors must be used to read/write a big-endian bus. The value
+returned or written is native-endian.
+
+However, these accessors are defined using be{16,32}_to_cpu() or
+cpu_to_be{16,32}() to make the endian conversion but these expect a
+__be{16,32} when none is present. Keeping them would need a force cast
+that would solve nothing at all.
+
+So, do the conversion using swab{16,32}, like done in asm-generic for
+similar situations.
+
+Reported-by: kernel test robot
+Signed-off-by: Luc Van Oostenryck
+Signed-off-by: Andrew Morton
+Cc: Richard Henderson
+Cc: Ivan Kokshaysky
+Cc: Matt Turner
+Cc: Stephen Boyd
+Cc: Arnd Bergmann
+Link: http://lkml.kernel.org/r/20200622114232.80039-1-luc.vanoostenryck@gmail.com
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ arch/alpha/include/asm/io.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/alpha/include/asm/io.h b/arch/alpha/include/asm/io.h
+index d123ff90f7a83..9995bed6e92e2 100644
+--- a/arch/alpha/include/asm/io.h
++++ b/arch/alpha/include/asm/io.h
+@@ -493,10 +493,10 @@ extern inline void writeq(u64 b, volatile void __iomem *addr)
+ }
+ #endif
+
+-#define ioread16be(p) be16_to_cpu(ioread16(p))
+-#define ioread32be(p) be32_to_cpu(ioread32(p))
+-#define iowrite16be(v,p) iowrite16(cpu_to_be16(v), (p))
+-#define iowrite32be(v,p) iowrite32(cpu_to_be32(v), (p))
++#define ioread16be(p) swab16(ioread16(p))
++#define ioread32be(p) swab32(ioread32(p))
++#define iowrite16be(v,p) iowrite16(swab16(v), (p))
++#define iowrite32be(v,p) iowrite32(swab32(v), (p))
+
+ #define inb_p inb
+ #define inw_p inw
+--
+2.25.1
+
diff --git a/queue-4.14/alsa-pci-delete-repeated-words-in-comments.patch b/queue-4.14/alsa-pci-delete-repeated-words-in-comments.patch
new file mode 100644
index 00000000000..d97918b7e82
--- /dev/null
+++ b/queue-4.14/alsa-pci-delete-repeated-words-in-comments.patch
@@ -0,0 +1,120 @@
+From f0c7b0aedc2de6e09c41a1ed9c0c64e57526fb9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 5 Aug 2020 19:19:26 -0700
+Subject: ALSA: pci: delete repeated words in comments
+
+From: Randy Dunlap
+
+[ Upstream commit c7fabbc51352f50cc58242a6dc3b9c1a3599849b ]
+
+Drop duplicated words in sound/pci/.
+{and, the, at}
+
+Signed-off-by: Randy Dunlap
+Link: https://lore.kernel.org/r/20200806021926.32418-1-rdunlap@infradead.org
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/cs46xx/cs46xx_lib.c | 2 +-
+ sound/pci/cs46xx/dsp_spos_scb_lib.c | 2 +-
+ sound/pci/hda/hda_codec.c | 2 +-
+ sound/pci/hda/hda_generic.c | 2 +-
+ sound/pci/hda/patch_sigmatel.c | 2 +-
+ sound/pci/ice1712/prodigy192.c | 2 +-
+ sound/pci/oxygen/xonar_dg.c | 2 +-
+ 7 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/sound/pci/cs46xx/cs46xx_lib.c b/sound/pci/cs46xx/cs46xx_lib.c
+index 0020fd0efc466..09c547f4cc186 100644
+--- a/sound/pci/cs46xx/cs46xx_lib.c
++++ b/sound/pci/cs46xx/cs46xx_lib.c
+@@ -780,7 +780,7 @@ static void snd_cs46xx_set_capture_sample_rate(struct snd_cs46xx *chip, unsigned
+ rate = 48000 / 9;
+
+ /*
+- * We can not capture at at rate greater than the Input Rate (48000).
++ * We can not capture at a rate greater than the Input Rate (48000).
+ * Return an error if an attempt is made to stray outside that limit.
+ */
+ if (rate > 48000)
+diff --git a/sound/pci/cs46xx/dsp_spos_scb_lib.c b/sound/pci/cs46xx/dsp_spos_scb_lib.c
+index 7488e1b7a7707..4e726d39b05d1 100644
+--- a/sound/pci/cs46xx/dsp_spos_scb_lib.c
++++ b/sound/pci/cs46xx/dsp_spos_scb_lib.c
+@@ -1742,7 +1742,7 @@ int cs46xx_iec958_pre_open (struct snd_cs46xx *chip)
+ struct dsp_spos_instance * ins = chip->dsp_spos_instance;
+
+ if ( ins->spdif_status_out & DSP_SPDIF_STATUS_OUTPUT_ENABLED ) {
+- /* remove AsynchFGTxSCB and and PCMSerialInput_II */
++ /* remove AsynchFGTxSCB and PCMSerialInput_II */
+ cs46xx_dsp_disable_spdif_out (chip);
+
+ /* save state */
+diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
+index 7d65fe31c8257..a56f018d586f5 100644
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -3394,7 +3394,7 @@ EXPORT_SYMBOL_GPL(snd_hda_set_power_save);
+ * @nid: NID to check / update
+ *
+ * Check whether the given NID is in the amp list. If it's in the list,
+- * check the current AMP status, and update the the power-status according
++ * check the current AMP status, and update the power-status according
+ * to the mute status.
+ *
+ * This function is supposed to be set or called from the check_power_status
+diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c
+index 28ef409a9e6ae..9dee657ce9e27 100644
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -823,7 +823,7 @@ static void activate_amp_in(struct hda_codec *codec, struct nid_path *path,
+ }
+ }
+
+-/* sync power of each widget in the the given path */
++/* sync power of each widget in the given path */
+ static hda_nid_t path_power_update(struct hda_codec *codec,
+ struct nid_path *path,
+ bool allow_powerdown)
+diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c
+index 7cd147411b22d..f7896a9ae3d65 100644
+--- a/sound/pci/hda/patch_sigmatel.c
++++ b/sound/pci/hda/patch_sigmatel.c
+@@ -863,7 +863,7 @@ static int stac_auto_create_beep_ctls(struct hda_codec *codec,
+ static struct snd_kcontrol_new beep_vol_ctl =
+ HDA_CODEC_VOLUME(NULL, 0, 0, 0);
+
+- /* check for mute support for the the amp */
++ /* check for mute support for the amp */
+ if ((caps & AC_AMPCAP_MUTE) >> AC_AMPCAP_MUTE_SHIFT) {
+ const struct snd_kcontrol_new *temp;
+ if (spec->anabeep_nid == nid)
+diff --git a/sound/pci/ice1712/prodigy192.c b/sound/pci/ice1712/prodigy192.c
+index 3919aed39ca03..5e52086d7b986 100644
+--- a/sound/pci/ice1712/prodigy192.c
++++ b/sound/pci/ice1712/prodigy192.c
+@@ -31,7 +31,7 @@
+ * Experimentally I found out that only a combination of
+ * OCKS0=1, OCKS1=1 (128fs, 64fs output) and ice1724 -
+ * VT1724_MT_I2S_MCLK_128X=0 (256fs input) yields correct
+- * sampling rate. That means the the FPGA doubles the
++ * sampling rate. That means that the FPGA doubles the
+ * MCK01 rate.
+ *
+ * Copyright (c) 2003 Takashi Iwai
+diff --git a/sound/pci/oxygen/xonar_dg.c b/sound/pci/oxygen/xonar_dg.c
+index 4cf3200e988b0..df44135e1b0c9 100644
+--- a/sound/pci/oxygen/xonar_dg.c
++++ b/sound/pci/oxygen/xonar_dg.c
+@@ -39,7 +39,7 @@
+ * GPIO 4 <- headphone detect
+ * GPIO 5 -> enable ADC analog circuit for the left channel
+ * GPIO 6 -> enable ADC analog circuit for the right channel
+- * GPIO 7 -> switch green rear output jack between CS4245 and and the first
++ * GPIO 7 -> switch green rear output jack between CS4245 and the first
+ * channel of CS4361 (mechanical relay)
+ * GPIO 8 -> enable output to speakers
+ *
+--
+2.25.1
+
diff --git a/queue-4.14/arm64-dts-qcom-msm8916-pull-down-pdm-gpios-during-sl.patch b/queue-4.14/arm64-dts-qcom-msm8916-pull-down-pdm-gpios-during-sl.patch
new file mode 100644
index 00000000000..6e8ed4634de
--- /dev/null
+++ b/queue-4.14/arm64-dts-qcom-msm8916-pull-down-pdm-gpios-during-sl.patch
@@ -0,0 +1,44 @@
+From c22c392f3ef72eaaee8ed359a491000326ba3a33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 Jun 2020 20:59:15 +0200
+Subject: arm64: dts: qcom: msm8916: Pull down PDM GPIOs during sleep
+
+From: Stephan Gerhold
+
+[ Upstream commit e2ee9edc282961783d519c760bbaa20fed4dec38 ]
+
+The original qcom kernel changed the PDM GPIOs to be pull-down
+during sleep at some point. Reportedly this was done because
+there was some "leakage at PDM outputs during sleep":
+
+ https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=0f87e08c1cd3e6484a6f7fb3e74e37340bdcdee0
+
+I cannot say how effective this is, but everything seems to work
+fine with this change so let's apply the same to mainline just
+to be sure.
+
+Cc: Srinivas Kandagatla
+Signed-off-by: Stephan Gerhold
+Link: https://lore.kernel.org/r/20200605185916.318494-3-stephan@gerhold.net
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/qcom/msm8916-pins.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi
+index 69ba1d79bcd5d..b24493ad44b0f 100644
+--- a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi
+@@ -555,7 +555,7 @@
+ pins = "gpio63", "gpio64", "gpio65", "gpio66",
+ "gpio67", "gpio68";
+ drive-strength = <2>;
+- bias-disable;
++ bias-pull-down;
+ };
+ };
+ };
+--
+2.25.1
+
diff --git a/queue-4.14/asoc-intel-fix-memleak-in-sst_media_open.patch b/queue-4.14/asoc-intel-fix-memleak-in-sst_media_open.patch
new file mode 100644
index 00000000000..049a4952c3d
--- /dev/null
+++ b/queue-4.14/asoc-intel-fix-memleak-in-sst_media_open.patch
@@ -0,0 +1,50 @@
+From d09e5cecf689c704506497441a3448531165a41a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Aug 2020 16:41:10 +0800
+Subject: ASoC: intel: Fix memleak in sst_media_open
+
+From: Dinghao Liu
+
+[ Upstream commit 062fa09f44f4fb3776a23184d5d296b0c8872eb9 ]
+
+When power_up_sst() fails, stream needs to be freed
+just like when try_module_get() fails. However, current
+code is returning directly and ends up leaking memory.
+
+Fixes: 0121327c1a68b ("ASoC: Intel: mfld-pcm: add control for powering up/down dsp")
+Signed-off-by: Dinghao Liu
+Acked-by: Pierre-Louis Bossart
+Link: https://lore.kernel.org/r/20200813084112.26205-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/intel/atom/sst-mfld-platform-pcm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/intel/atom/sst-mfld-platform-pcm.c b/sound/soc/intel/atom/sst-mfld-platform-pcm.c
+index 4558c8b930363..3a645fc425cd4 100644
+--- a/sound/soc/intel/atom/sst-mfld-platform-pcm.c
++++ b/sound/soc/intel/atom/sst-mfld-platform-pcm.c
+@@ -339,7 +339,7 @@ static int sst_media_open(struct snd_pcm_substream *substream,
+
+ ret_val = power_up_sst(stream);
+ if (ret_val < 0)
+- return ret_val;
++ goto out_power_up;
+
+ /* Make sure, that the period size is always even */
+ snd_pcm_hw_constraint_step(substream->runtime, 0,
+@@ -348,8 +348,9 @@ static int sst_media_open(struct snd_pcm_substream *substream,
+ return snd_pcm_hw_constraint_integer(runtime,
+ SNDRV_PCM_HW_PARAM_PERIODS);
+ out_ops:
+- kfree(stream);
+ mutex_unlock(&sst_lock);
++out_power_up:
++ kfree(stream);
+ return ret_val;
+ }
+
+--
+2.25.1
+
diff --git a/queue-4.14/asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch b/queue-4.14/asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch
new file mode 100644
index 00000000000..0491c44e6a7
--- /dev/null
+++ b/queue-4.14/asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch
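Review bot: The `return snd_pcm_hw_constraint_integer(runtime, SNDRV_PCM_HW_PARAM_PERIODS);` just above `out_ops:` still returns directly, so a negative result there bypasses the new `out_power_up` label and leaves `stream` allocated, the same leak this change closes for power_up_sst(). Routing it through the cleanup would cover that path: `ret_val = snd_pcm_hw_constraint_integer(runtime, SNDRV_PCM_HW_PARAM_PERIODS);`, then `if (ret_val < 0) goto out_power_up;` and `return ret_val;`. Not visible in these hunks, and worth confirming before relying on the new `kfree(stream)`: whether `runtime->private_data` already points at `stream` when power_up_sst() fails (it would then be left dangling), and whether the module reference taken by the try_module_get() named in the commit message is dropped on this path. sst_media_open() starts outside the hunks.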
@@ -0,0 +1,42 @@
+From bd90ef3f3c6c11eaac2014a2e200ac9dc413daf8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Aug 2020 11:34:52 +0100
+Subject: ASoC: msm8916-wcd-analog: fix register Interrupt offset
+
+From: Srinivas Kandagatla
+
+[ Upstream commit ff69c97ef84c9f7795adb49e9f07c9adcdd0c288 ]
+
+For some reason interrupt set and clear register offsets are
+not set correctly.
+This patch corrects them!
+
+Fixes: 585e881e5b9e ("ASoC: codecs: Add msm8916-wcd analog codec")
+Signed-off-by: Srinivas Kandagatla
+Tested-by: Stephan Gerhold
+Reviewed-by: Stephan Gerhold
+Link: https://lore.kernel.org/r/20200811103452.20448-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/msm8916-wcd-analog.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/msm8916-wcd-analog.c b/sound/soc/codecs/msm8916-wcd-analog.c
+index 3633eb30dd135..4f949ad50d6a7 100644
+--- a/sound/soc/codecs/msm8916-wcd-analog.c
++++ b/sound/soc/codecs/msm8916-wcd-analog.c
+@@ -16,8 +16,8 @@
+
+ #define CDC_D_REVISION1 (0xf000)
+ #define CDC_D_PERPH_SUBTYPE (0xf005)
+-#define CDC_D_INT_EN_SET (0x015)
+-#define CDC_D_INT_EN_CLR (0x016)
++#define CDC_D_INT_EN_SET (0xf015)
++#define CDC_D_INT_EN_CLR (0xf016)
+ #define MBHC_SWITCH_INT BIT(7)
+ #define MBHC_MIC_ELECTRICAL_INS_REM_DET BIT(6)
+ #define MBHC_BUTTON_PRESS_DET BIT(5)
+--
+2.25.1
+
diff --git a/queue-4.14/asoc-tegra-fix-reference-count-leaks.patch b/queue-4.14/asoc-tegra-fix-reference-count-leaks.patch
new file mode 100644
index 00000000000..f75e5889029
--- /dev/null
+++ b/queue-4.14/asoc-tegra-fix-reference-count-leaks.patch
@@ -0,0 +1,58 @@
+From 7b793b348805e1b61b398d65ded92ad9ab48cf77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 13 Jun 2020 15:44:19 -0500
+Subject: ASoC: tegra: Fix reference count leaks.
+
+From: Qiushi Wu
+
+[ Upstream commit deca195383a6085be62cb453079e03e04d618d6e ]
+
+Calling pm_runtime_get_sync increments the counter even in case of
+failure, causing incorrect ref count if pm_runtime_put is not called in
+error handling paths. Call pm_runtime_put if pm_runtime_get_sync fails.
+
+Signed-off-by: Qiushi Wu
+Reviewed-by: Jon Hunter
+Link: https://lore.kernel.org/r/20200613204422.24484-1-wu000273@umn.edu
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/tegra/tegra30_ahub.c | 4 +++-
+ sound/soc/tegra/tegra30_i2s.c | 4 +++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/tegra/tegra30_ahub.c b/sound/soc/tegra/tegra30_ahub.c
+index 43679aeeb12be..88e838ac937dc 100644
+--- a/sound/soc/tegra/tegra30_ahub.c
++++ b/sound/soc/tegra/tegra30_ahub.c
+@@ -655,8 +655,10 @@ static int tegra30_ahub_resume(struct device *dev)
+ int ret;
+
+ ret = pm_runtime_get_sync(dev);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put(dev);
+ return ret;
++ }
+ ret = regcache_sync(ahub->regmap_ahub);
+ ret |= regcache_sync(ahub->regmap_apbif);
+ pm_runtime_put(dev);
+diff --git a/sound/soc/tegra/tegra30_i2s.c b/sound/soc/tegra/tegra30_i2s.c
+index 0b176ea24914b..bf155c5092f06 100644
+--- a/sound/soc/tegra/tegra30_i2s.c
++++ b/sound/soc/tegra/tegra30_i2s.c
+@@ -551,8 +551,10 @@ static int tegra30_i2s_resume(struct device *dev)
+ int ret;
+
+ ret = pm_runtime_get_sync(dev);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put(dev);
+ return ret;
++ }
+ ret = regcache_sync(i2s->regmap);
+ pm_runtime_put(dev);
+
+--
+2.25.1
+
diff --git a/queue-4.14/blktrace-ensure-our-debugfs-dir-exists.patch b/queue-4.14/blktrace-ensure-our-debugfs-dir-exists.patch
new file mode 100644
index 00000000000..fbd246b595a
--- /dev/null
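Review bot: In tegra30_ahub_resume the context lines `ret = regcache_sync(ahub->regmap_ahub);` and `ret |= regcache_sync(ahub->regmap_apbif);` OR two return codes together, so when both calls fail the function returns a bitwise mix of two negative errno values rather than either real error. Keeping the first failure, for example `err = regcache_sync(ahub->regmap_apbif);` followed by `if (!ret) ret = err;`, would hand callers a meaningful code. On the new error branches in both tegra30_ahub_resume and tegra30_i2s_resume, `pm_runtime_put_noidle(dev)` may be the closer match to the intent than `pm_runtime_put(dev)`, since only the usage count needs to be dropped after a failed resume. Both function bodies start outside their hunks.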
+++ b/queue-4.14/blktrace-ensure-our-debugfs-dir-exists.patch 
@@ -0,0 +1,66 @@
+From 1a7507a949eeb5d763441aebddbf91661ef07960 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Jun 2020 20:47:29 +0000
+Subject: blktrace: ensure our debugfs dir exists
+
+From: Luis Chamberlain
+
+[ Upstream commit b431ef837e3374da0db8ff6683170359aaa0859c ]
+
+We make an assumption that a debugfs directory exists, but since
+this can fail ensure it exists before allowing blktrace setup to
+complete. Otherwise we end up stuffing blktrace files on the debugfs
+root directory. In the worst case scenario this *in theory* can create
+an eventual panic *iff* in the future a similarly named file is created
+prior on the debugfs root directory. This theoretical crash can happen
+due to a recursive removal followed by a specific dentry removal.
+
+This doesn't fix any known crash, however I have seen the files
+go into the main debugfs root directory in cases where the debugfs
+directory was not created due to other internal bugs with blktrace
+now fixed.
+
+blktrace is also completely useless without this directory, so
+this ensures to userspace we only setup blktrace if the kernel
+can stuff files where they are supposed to go into.
+
+debugfs directory creations typically aren't checked for, and we have
+maintainers doing sweep removals of these checks, but since we need this
+check to ensure proper userspace blktrace functionality we make sure
+to annotate the justification for the check.
+
+Signed-off-by: Luis Chamberlain
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Bart Van Assche
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ kernel/trace/blktrace.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
+index 9a55c5bc52434..987daf9cc6e54 100644
+--- a/kernel/trace/blktrace.c
++++ b/kernel/trace/blktrace.c
+@@ -541,6 +541,18 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
+ if (!dir)
+ goto err;
+
++ /*
++ * As blktrace relies on debugfs for its interface the debugfs directory
++ * is required, contrary to the usual mantra of not checking for debugfs
++ * files or directories.
++ */
++ if (IS_ERR_OR_NULL(dir)) {
++ pr_warn("debugfs_dir not present for %s so skipping\n",
++ buts->name);
++ ret = -ENOENT;
++ goto err;
++ }
++
+ bt->dev = dev;
+ atomic_set(&bt->dropped, 0);
+ INIT_LIST_HEAD(&bt->running_list);
+--
+2.25.1
+
diff --git a/queue-4.14/bonding-fix-a-potential-double-unregister.patch b/queue-4.14/bonding-fix-a-potential-double-unregister.patch
new file mode 100644
index 00000000000..d5067d2f3ed
--- /dev/null
+++ b/queue-4.14/bonding-fix-a-potential-double-unregister.patch
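Review bot: The added `IS_ERR_OR_NULL(dir)` block sits directly after the existing `if (!dir)` / `goto err;` context lines, so the NULL half of the new test can never be true at this point; a NULL `dir` still leaves through the older branch without the `pr_warn()` and without the explicit `ret = -ENOENT` (what `ret` holds there is set outside the hunk). If one documented check is the intent, either drop the earlier two lines so the new block handles both cases, or narrow the new test to `if (IS_ERR(dir)) {` and say in the comment that NULL is handled just above. `buts->name` is printed with `%s`; it appears to originate from the trace setup request, so it is worth confirming it is NUL-terminated before this line. do_blk_trace_setup() starts and ends outside the hunk.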
@@ -0,0 +1,48 @@
+From 826e04f5e664861265135aa519e283eeb74acd65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 14 Aug 2020 20:05:58 -0700
+Subject: bonding: fix a potential double-unregister
+
+From: Cong Wang
+
+[ Upstream commit 832707021666411d04795c564a4adea5d6b94f17 ]
+
+When we tear down a network namespace, we unregister all
+the netdevices within it. So we may queue a slave device
+and a bonding device together in the same unregister queue.
+
+If the only slave device is non-ethernet, it would
+automatically unregister the bonding device as well. Thus,
+we may end up unregistering the bonding device twice.
+
+Workaround this special case by checking reg_state.
+
+Fixes: 9b5e383c11b0 ("net: Introduce unregister_netdevice_many()")
+Reported-by: syzbot+af23e7f3e0a7e10c8b67@syzkaller.appspotmail.com
+Cc: Eric Dumazet
+Cc: Andy Gospodarek
+Cc: Jay Vosburgh
+Signed-off-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/bonding/bond_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 9ddbafdca3b05..a6d8d3b3c903d 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2010,7 +2010,8 @@ static int bond_release_and_destroy(struct net_device *bond_dev,
+ int ret;
+
+ ret = __bond_release_one(bond_dev, slave_dev, false, true);
+- if (ret == 0 && !bond_has_slaves(bond)) {
++ if (ret == 0 && !bond_has_slaves(bond) &&
++ bond_dev->reg_state != NETREG_UNREGISTERING) {
+ bond_dev->priv_flags |= IFF_DISABLE_NETPOLL;
+ netdev_info(bond_dev, "Destroying bond %s\n",
+ bond_dev->name);
+--
+2.25.1
+
diff --git a/queue-4.14/bonding-fix-active-backup-failover-for-current-arp-s.patch b/queue-4.14/bonding-fix-active-backup-failover-for-current-arp-s.patch
new file mode 100644
index 00000000000..da8bb6cce22
--- /dev/null
+++ b/queue-4.14/bonding-fix-active-backup-failover-for-current-arp-s.patch
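Review bot: The new `bond_dev->reg_state != NETREG_UNREGISTERING` condition has no comment, and the reason for it (a namespace teardown may already have queued the bond for unregistration) lives only in the commit message. A one-line comment above the `if`, such as `/* netns teardown may already be unregistering the bond; do not queue it twice */`, would keep a later cleanup from removing the test as redundant. The test covers only the UNREGISTERING state; whether any later registration state can reach this path is not visible from the hunk and is worth confirming. bond_release_and_destroy() continues outside the hunk.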
@@ -0,0 +1,90 @@ +From d7f87cb29c20358086693b07e1fa1d67dd52309b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Aug 2020 20:52:44 +0200 +Subject: bonding: fix active-backup failover for current ARP slave + +From: Jiri Wiesner + +[ Upstream commit 0410d07190961ac526f05085765a8d04d926545b ] + +When the ARP monitor is used for link detection, ARP replies are +validated for all slaves (arp_validate=3) and fail_over_mac is set to +active, two slaves of an active-backup bond may get stuck in a state +where both of them are active and pass packets that they receive to +the bond. This state makes IPv6 duplicate address detection fail. The +state is reached thus: +1. The current active slave goes down because the ARP target + is not reachable. +2. The current ARP slave is chosen and made active. +3. A new slave is enslaved. This new slave becomes the current active + slave and can reach the ARP target. +As a result, the current ARP slave stays active after the enslave +action has finished and the log is littered with "PROBE BAD" messages: +> bond0: PROBE: c_arp ens10 && cas ens11 BAD +The workaround is to remove the slave with "going back" status from +the bond and re-enslave it. This issue was encountered when DPDK PMD +interfaces were being enslaved to an active-backup bond. + +I would be possible to fix the issue in bond_enslave() or +bond_change_active_slave() but the ARP monitor was fixed instead to +keep most of the actions changing the current ARP slave in the ARP +monitor code. The current ARP slave is set as inactive and backup +during the commit phase. A new state, BOND_LINK_FAIL, has been +introduced for slaves in the context of the ARP monitor. This allows +administrators to see how slaves are rotated for sending ARP requests +and attempts are made to find a new active slave. + +Fixes: b2220cad583c9 ("bonding: refactor ARP active-backup monitor") +Signed-off-by: Jiri Wiesner +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index a6d8d3b3c903d..861d2c0a521a4 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2753,6 +2753,9 @@ static int bond_ab_arp_inspect(struct bonding *bond) + if (bond_time_in_interval(bond, last_rx, 1)) { + bond_propose_link_state(slave, BOND_LINK_UP); + commit++; ++ } else if (slave->link == BOND_LINK_BACK) { ++ bond_propose_link_state(slave, BOND_LINK_FAIL); ++ commit++; + } + continue; + } +@@ -2863,6 +2866,19 @@ static void bond_ab_arp_commit(struct bonding *bond) + + continue; + ++ case BOND_LINK_FAIL: ++ bond_set_slave_link_state(slave, BOND_LINK_FAIL, ++ BOND_SLAVE_NOTIFY_NOW); ++ bond_set_slave_inactive_flags(slave, ++ BOND_SLAVE_NOTIFY_NOW); ++ ++ /* A slave has just been enslaved and has become ++ * the current active slave. ++ */ ++ if (rtnl_dereference(bond->curr_active_slave)) ++ RCU_INIT_POINTER(bond->current_arp_slave, NULL); ++ continue; ++ + default: + netdev_err(bond->dev, "impossible: new_link %d on slave %s\n", + slave->link_new_state, slave->dev->name); +@@ -2912,8 +2928,6 @@ static bool bond_ab_arp_probe(struct bonding *bond) + return should_notify_rtnl; + } + +- bond_set_slave_inactive_flags(curr_arp_slave, BOND_SLAVE_NOTIFY_LATER); +- + bond_for_each_slave_rcu(bond, slave, iter) { + if (!found && !before && bond_slave_is_up(slave)) + before = slave; +-- +2.25.1 + diff --git a/queue-4.14/bonding-show-saner-speed-for-broadcast-mode.patch b/queue-4.14/bonding-show-saner-speed-for-broadcast-mode.patch new file mode 100644 index 00000000000..7e9c92341cc --- /dev/null +++ b/queue-4.14/bonding-show-saner-speed-for-broadcast-mode.patch 
@@ -0,0 +1,79 @@ +From 35cb327b2d8cd278428e5e1bed456bd0fe144775 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 10:09:00 -0400 +Subject: bonding: show saner speed for broadcast mode + +From: Jarod Wilson + +[ Upstream commit 4ca0d9ac3fd8f9f90b72a15d8da2aca3ffb58418 ] + +Broadcast mode bonds transmit a copy of all traffic simultaneously out of +all interfaces, so the "speed" of the bond isn't really the aggregate of +all interfaces, but rather, the speed of the slowest active interface. + +Also, the type of the speed field is u32, not unsigned long, so adjust +that accordingly, as required to make min() function here without +complaining about mismatching types. + +Fixes: bb5b052f751b ("bond: add support to read speed and duplex via ethtool") +CC: Jay Vosburgh +CC: Veaceslav Falico +CC: Andy Gospodarek +CC: "David S. Miller" +CC: netdev@vger.kernel.org +Acked-by: Jay Vosburgh +Signed-off-by: Jarod Wilson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 1f867e275408e..9ddbafdca3b05 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -4156,13 +4156,23 @@ static netdev_tx_t bond_start_xmit(struct sk_buff *skb, struct net_device *dev) + return ret; + } + ++static u32 bond_mode_bcast_speed(struct slave *slave, u32 speed) ++{ ++ if (speed == 0 || speed == SPEED_UNKNOWN) ++ speed = slave->speed; ++ else ++ speed = min(speed, slave->speed); ++ ++ return speed; ++} ++ + static int bond_ethtool_get_link_ksettings(struct net_device *bond_dev, + struct ethtool_link_ksettings *cmd) + { + struct bonding *bond = netdev_priv(bond_dev); +- unsigned long speed = 0; + struct list_head *iter; + struct slave *slave; ++ u32 speed = 0; + + cmd->base.duplex = DUPLEX_UNKNOWN; + cmd->base.port = PORT_OTHER; +@@ -4174,8 
+4184,13 @@ static int bond_ethtool_get_link_ksettings(struct net_device *bond_dev, + */ + bond_for_each_slave(bond, slave, iter) { + if (bond_slave_can_tx(slave)) { +- if (slave->speed != SPEED_UNKNOWN) +- speed += slave->speed; ++ if (slave->speed != SPEED_UNKNOWN) { ++ if (BOND_MODE(bond) == BOND_MODE_BROADCAST) ++ speed = bond_mode_bcast_speed(slave, ++ speed); ++ else ++ speed += slave->speed; ++ } + if (cmd->base.duplex == DUPLEX_UNKNOWN && + slave->duplex != DUPLEX_UNKNOWN) + cmd->base.duplex = slave->duplex; +-- +2.25.1 + diff --git a/queue-4.14/btrfs-don-t-show-full-path-of-bind-mounts-in-subvol.patch b/queue-4.14/btrfs-don-t-show-full-path-of-bind-mounts-in-subvol.patch new file mode 100644 index 00000000000..8502ac0bee3 --- /dev/null +++ b/queue-4.14/btrfs-don-t-show-full-path-of-bind-mounts-in-subvol.patch 
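Review bot: bond_mode_bcast_speed() uses `speed == 0` to mean "no slave seen yet", so a transmit-capable slave that reports a speed of 0 makes `min()` yield 0 and the next slave's value then replaces the running result instead of being compared with it. If 0 is a value a slave can report here (not determinable from the hunk), skipping such slaves in the caller, or seeding `speed` with `SPEED_UNKNOWN` for broadcast mode, would keep the result a true minimum. The helper also has no comment; a line such as `/* broadcast mode: report the slowest transmitting slave */` would record the intent. bond_ethtool_get_link_ksettings() continues outside the hunk.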
@@ -0,0 +1,67 @@ +From f218eb25c297457ab9d88c6029a0ea0a448041d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jul 2020 11:12:46 -0400 +Subject: btrfs: don't show full path of bind mounts in subvol= + +From: Josef Bacik + +[ Upstream commit 3ef3959b29c4a5bd65526ab310a1a18ae533172a ] + +Chris Murphy reported a problem where rpm ostree will bind mount a bunch +of things for whatever voodoo it's doing. But when it does this +/proc/mounts shows something like + + /dev/sda /mnt/test btrfs rw,relatime,subvolid=256,subvol=/foo 0 0 + /dev/sda /mnt/test/baz btrfs rw,relatime,subvolid=256,subvol=/foo/bar 0 0 + +Despite subvolid=256 being subvol=/foo. This is because we're just +spitting out the dentry of the mount point, which in the case of bind +mounts is the source path for the mountpoint. Instead we should spit +out the path to the actual subvol. Fix this by looking up the name for +the subvolid we have mounted. With this fix the same test looks like +this + + /dev/sda /mnt/test btrfs rw,relatime,subvolid=256,subvol=/foo 0 0 + /dev/sda /mnt/test/baz btrfs rw,relatime,subvolid=256,subvol=/foo 0 0 + +Reported-by: Chris Murphy +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/super.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c +index ca95e57b60ee1..eb64d4b159e07 100644 +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -1221,6 +1221,7 @@ static int btrfs_show_options(struct seq_file *seq, struct dentry *dentry) + { + struct btrfs_fs_info *info = btrfs_sb(dentry->d_sb); + char *compress_type; ++ const char *subvol_name; + + if (btrfs_test_opt(info, DEGRADED)) + seq_puts(seq, ",degraded"); +@@ -1307,8 +1308,13 @@ static int btrfs_show_options(struct seq_file *seq, struct dentry *dentry) + #endif + seq_printf(seq, ",subvolid=%llu", + 
BTRFS_I(d_inode(dentry))->root->root_key.objectid); +- seq_puts(seq, ",subvol="); +- seq_dentry(seq, dentry, " \t\n\\"); ++ subvol_name = btrfs_get_subvol_name_from_objectid(info, ++ BTRFS_I(d_inode(dentry))->root->root_key.objectid); ++ if (!IS_ERR(subvol_name)) { ++ seq_puts(seq, ",subvol="); ++ seq_escape(seq, subvol_name, " \t\n\\"); ++ kfree(subvol_name); ++ } + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.14/btrfs-export-helpers-for-subvolume-name-id-resolutio.patch b/queue-4.14/btrfs-export-helpers-for-subvolume-name-id-resolutio.patch new file mode 100644 index 00000000000..c37efefb5ea --- /dev/null +++ b/queue-4.14/btrfs-export-helpers-for-subvolume-name-id-resolutio.patch 
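Review bot: When `btrfs_get_subvol_name_from_objectid()` returns an error pointer, the new code omits `,subvol=` entirely and btrfs_show_options() still returns 0, so the mount table silently loses the option and anything that parses it sees a mount with no subvolume path. That choice should at least be stated in a comment above `if (!IS_ERR(subvol_name)) {`, for example `/* on lookup failure, omit subvol= rather than fail the whole listing */`. `subvol_name` is declared `const char *` and then passed to `kfree()`; a plain `char *` would make it clear that this function owns and frees the string. The lookup now runs on every read of the mount options, which is worth keeping in mind for paths that list mounts frequently. btrfs_show_options() starts outside the hunks.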
@@ -0,0 +1,107 @@ +From 5b7448789c99c27351cf22996ffd9797be2802b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Feb 2020 14:56:12 +0100 +Subject: btrfs: export helpers for subvolume name/id resolution + +From: Marcos Paulo de Souza + +[ Upstream commit c0c907a47dccf2cf26251a8fb4a8e7a3bf79ce84 ] + +The functions will be used outside of export.c and super.c to allow +resolving subvolume name from a given id, eg. for subvolume deletion by +id ioctl. + +Signed-off-by: Marcos Paulo de Souza +Reviewed-by: David Sterba +[ split from the next patch ] +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.h | 2 ++ + fs/btrfs/export.c | 8 ++++---- + fs/btrfs/export.h | 5 +++++ + fs/btrfs/super.c | 8 ++++---- + 4 files changed, 15 insertions(+), 8 deletions(-) + +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index 5412b12491cb8..de951987fd23d 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -3262,6 +3262,8 @@ ssize_t btrfs_listxattr(struct dentry *dentry, char *buffer, size_t size); + int btrfs_parse_options(struct btrfs_fs_info *info, char *options, + unsigned long new_flags); + int btrfs_sync_fs(struct super_block *sb, int wait); ++char *btrfs_get_subvol_name_from_objectid(struct btrfs_fs_info *fs_info, ++ u64 subvol_objectid); + + static inline __printf(2, 3) + void btrfs_no_printk(const struct btrfs_fs_info *fs_info, const char *fmt, ...) 
+diff --git a/fs/btrfs/export.c b/fs/btrfs/export.c +index 3aeb5770f8965..b6ce765aa7f33 100644 +--- a/fs/btrfs/export.c ++++ b/fs/btrfs/export.c +@@ -56,9 +56,9 @@ static int btrfs_encode_fh(struct inode *inode, u32 *fh, int *max_len, + return type; + } + +-static struct dentry *btrfs_get_dentry(struct super_block *sb, u64 objectid, +- u64 root_objectid, u32 generation, +- int check_generation) ++struct dentry *btrfs_get_dentry(struct super_block *sb, u64 objectid, ++ u64 root_objectid, u32 generation, ++ int check_generation) + { + struct btrfs_fs_info *fs_info = btrfs_sb(sb); + struct btrfs_root *root; +@@ -151,7 +151,7 @@ static struct dentry *btrfs_fh_to_dentry(struct super_block *sb, struct fid *fh, + return btrfs_get_dentry(sb, objectid, root_objectid, generation, 1); + } + +-static struct dentry *btrfs_get_parent(struct dentry *child) ++struct dentry *btrfs_get_parent(struct dentry *child) + { + struct inode *dir = d_inode(child); + struct btrfs_fs_info *fs_info = btrfs_sb(dir->i_sb); +diff --git a/fs/btrfs/export.h b/fs/btrfs/export.h +index 91b3908e7c549..15db024621414 100644 +--- a/fs/btrfs/export.h ++++ b/fs/btrfs/export.h +@@ -17,4 +17,9 @@ struct btrfs_fid { + u64 parent_root_objectid; + } __attribute__ ((packed)); + ++struct dentry *btrfs_get_dentry(struct super_block *sb, u64 objectid, ++ u64 root_objectid, u32 generation, ++ int check_generation); ++struct dentry *btrfs_get_parent(struct dentry *child); ++ + #endif +diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c +index 17a8463ef35c1..ca95e57b60ee1 100644 +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -939,8 +939,8 @@ out: + return error; + } + +-static char *get_subvol_name_from_objectid(struct btrfs_fs_info *fs_info, +- u64 subvol_objectid) ++char *btrfs_get_subvol_name_from_objectid(struct btrfs_fs_info *fs_info, ++ u64 subvol_objectid) + { + struct btrfs_root *root = fs_info->tree_root; + struct btrfs_root *fs_root; +@@ -1427,8 +1427,8 @@ static struct dentry *mount_subvol(const char 
*subvol_name, u64 subvol_objectid, + goto out; + } + } +- subvol_name = get_subvol_name_from_objectid(btrfs_sb(mnt->mnt_sb), +- subvol_objectid); ++ subvol_name = btrfs_get_subvol_name_from_objectid( ++ btrfs_sb(mnt->mnt_sb), subvol_objectid); + if (IS_ERR(subvol_name)) { + root = ERR_CAST(subvol_name); + subvol_name = NULL; +-- +2.25.1 + diff --git a/queue-4.14/btrfs-inode-fix-null-pointer-dereference-if-inode-do.patch b/queue-4.14/btrfs-inode-fix-null-pointer-dereference-if-inode-do.patch new file mode 100644 index 00000000000..b750152d191 --- /dev/null +++ b/queue-4.14/btrfs-inode-fix-null-pointer-dereference-if-inode-do.patch 
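Review bot: The prototype added to ctree.h, `char *btrfs_get_subvol_name_from_objectid(struct btrfs_fs_info *fs_info, u64 subvol_objectid);`, carries no comment on its return contract now that it is callable from outside super.c. The mount_subvol() hunk shows that callers must test the result with `IS_ERR()`, but who frees the returned string is not stated anywhere in the visible lines. A short comment on the declaration saying that it returns an ERR_PTR on failure and, if that is the case, that the caller must `kfree()` the result would prevent both a missed error check and a leak in new callers. The same applies to the newly exported `btrfs_get_dentry()` and `btrfs_get_parent()` prototypes in export.h, which are added without any description.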
@@ -0,0 +1,109 @@ +From f562c9635a88bb006ee7503634aa38451adb1e28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jul 2020 16:39:26 +0800 +Subject: btrfs: inode: fix NULL pointer dereference if inode doesn't need + compression + +From: Qu Wenruo + +[ Upstream commit 1e6e238c3002ea3611465ce5f32777ddd6a40126 ] + +[BUG] +There is a bug report of NULL pointer dereference caused in +compress_file_extent(): + + Oops: Kernel access of bad area, sig: 11 [#1] + LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries + Workqueue: btrfs-delalloc btrfs_delalloc_helper [btrfs] + NIP [c008000006dd4d34] compress_file_range.constprop.41+0x75c/0x8a0 [btrfs] + LR [c008000006dd4d1c] compress_file_range.constprop.41+0x744/0x8a0 [btrfs] + Call Trace: + [c000000c69093b00] [c008000006dd4d1c] compress_file_range.constprop.41+0x744/0x8a0 [btrfs] (unreliable) + [c000000c69093bd0] [c008000006dd4ebc] async_cow_start+0x44/0xa0 [btrfs] + [c000000c69093c10] [c008000006e14824] normal_work_helper+0xdc/0x598 [btrfs] + [c000000c69093c80] [c0000000001608c0] process_one_work+0x2c0/0x5b0 + [c000000c69093d10] [c000000000160c38] worker_thread+0x88/0x660 + [c000000c69093db0] [c00000000016b55c] kthread+0x1ac/0x1c0 + [c000000c69093e20] [c00000000000b660] ret_from_kernel_thread+0x5c/0x7c + ---[ end trace f16954aa20d822f6 ]--- + +[CAUSE] +For the following execution route of compress_file_range(), it's +possible to hit NULL pointer dereference: + + compress_file_extent() + |- pages = NULL; + |- start = async_chunk->start = 0; + |- end = async_chunk = 4095; + |- nr_pages = 1; + |- inode_need_compress() == false; <<< Possible, see later explanation + | Now, we have nr_pages = 1, pages = NULL + |- cont: + |- ret = cow_file_range_inline(); + |- if (ret <= 0) { + |- for (i = 0; i < nr_pages; i++) { + |- WARN_ON(pages[i]->mapping); <<< Crash + +To enter above call execution branch, we need the following race: + + Thread 1 (chattr) | Thread 2 (writeback) 
+--------------------------+------------------------------ + | btrfs_run_delalloc_range + | |- inode_need_compress = true + | |- cow_file_range_async() +btrfs_ioctl_set_flag() | +|- binode_flags |= | + BTRFS_INODE_NOCOMPRESS | + | compress_file_range() + | |- inode_need_compress = false + | |- nr_page = 1 while pages = NULL + | | Then hit the crash + +[FIX] +This patch will fix it by checking @pages before doing accessing it. +This patch is only designed as a hot fix and easy to backport. + +More elegant fix may make btrfs only check inode_need_compress() once to +avoid such race, but that would be another story. + +Reported-by: Luciano Chavez +Fixes: 4d3a800ebb12 ("btrfs: merge nr_pages input and output parameter in compress_pages") +CC: stable@vger.kernel.org # 4.14.x: cecc8d9038d16: btrfs: Move free_pages_out label in inline extent handling branch in compress_file_range +CC: stable@vger.kernel.org # 4.14+ +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index dc520749f51db..17856e92b93d1 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -630,11 +630,18 @@ cont: + start, + end - start + 1); + +- for (i = 0; i < nr_pages; i++) { +- WARN_ON(pages[i]->mapping); +- put_page(pages[i]); ++ /* ++ * Ensure we only free the compressed pages if we have ++ * them allocated, as we can still reach here with ++ * inode_need_compress() == false. ++ */ ++ if (pages) { ++ for (i = 0; i < nr_pages; i++) { ++ WARN_ON(pages[i]->mapping); ++ put_page(pages[i]); ++ } ++ kfree(pages); + } +- kfree(pages); + + return; + } +-- +2.25.1 + diff --git a/queue-4.14/btrfs-move-free_pages_out-label-in-inline-extent-han.patch b/queue-4.14/btrfs-move-free_pages_out-label-in-inline-extent-han.patch new file mode 100644 index 00000000000..1e64b0db948 --- /dev/null 
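Review bot: The comment added above `if (pages)` says that inode_need_compress() can be false here, but not why `nr_pages` is still nonzero, which is what made the old loop index a NULL array. According to the commit message, `nr_pages` is set before the compression check and the flag can change between btrfs_run_delalloc_range() and compress_file_range(); the commit describes itself as a hot fix that leaves the double check in place. I would extend the comment with `nr_pages is computed before the check, so it can be nonzero while pages is still NULL`, so the guard is not dropped in a later cleanup. The enclosing function starts and ends outside the hunk.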
+++ b/queue-4.14/btrfs-move-free_pages_out-label-in-inline-extent-han.patch @@ -0,0 +1,59 @@ +From 265eeefd65a43f0c81d007bd6fb7ed350386fa73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Jul 2019 14:41:45 +0300 +Subject: btrfs: Move free_pages_out label in inline extent handling branch in + compress_file_range + +From: Nikolay Borisov + +[ Upstream commit cecc8d9038d164eda61fbcd72520975a554ea63e ] + +This label is only executed if compress_file_range fails to create an +inline extent. So move its code in the semantically related inline +extent handling branch. No functional changes. + +Signed-off-by: Nikolay Borisov +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 57908ee964a20..dc520749f51db 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -629,7 +629,14 @@ cont: + btrfs_free_reserved_data_space_noquota(inode, + start, + end - start + 1); +- goto free_pages_out; ++ ++ for (i = 0; i < nr_pages; i++) { ++ WARN_ON(pages[i]->mapping); ++ put_page(pages[i]); ++ } ++ kfree(pages); ++ ++ return; + } + } + +@@ -708,13 +715,6 @@ cleanup_and_bail_uncompressed: + *num_added += 1; + + return; +- +-free_pages_out: +- for (i = 0; i < nr_pages; i++) { +- WARN_ON(pages[i]->mapping); +- put_page(pages[i]); +- } +- kfree(pages); + } + + static void free_async_extent_pages(struct async_extent *async_extent) +-- +2.25.1 + diff --git a/queue-4.14/btrfs-sysfs-use-nofs-for-device-creation.patch b/queue-4.14/btrfs-sysfs-use-nofs-for-device-creation.patch new file mode 100644 index 00000000000..d291e2b6c28 --- /dev/null +++ b/queue-4.14/btrfs-sysfs-use-nofs-for-device-creation.patch 
@@ -0,0 +1,190 @@ +From 800c89a08bd5d15983e5135dd38e222d1f90a9d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jul 2020 10:17:50 -0400 +Subject: btrfs: sysfs: use NOFS for device creation + +From: Josef Bacik + +Dave hit this splat during testing btrfs/078: + + ====================================================== + WARNING: possible circular locking dependency detected + 5.8.0-rc6-default+ #1191 Not tainted + ------------------------------------------------------ + kswapd0/75 is trying to acquire lock: + ffffa040e9d04ff8 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] + + but task is already holding lock: + ffffffff8b0c8040 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x5/0x30 + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #2 (fs_reclaim){+.+.}-{0:0}: + __lock_acquire+0x56f/0xaa0 + lock_acquire+0xa3/0x440 + fs_reclaim_acquire.part.0+0x25/0x30 + __kmalloc_track_caller+0x49/0x330 + kstrdup+0x2e/0x60 + __kernfs_new_node.constprop.0+0x44/0x250 + kernfs_new_node+0x25/0x50 + kernfs_create_link+0x34/0xa0 + sysfs_do_create_link_sd+0x5e/0xd0 + btrfs_sysfs_add_devices_dir+0x65/0x100 [btrfs] + btrfs_init_new_device+0x44c/0x12b0 [btrfs] + btrfs_ioctl+0xc3c/0x25c0 [btrfs] + ksys_ioctl+0x68/0xa0 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x50/0xe0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + + -> #1 (&fs_info->chunk_mutex){+.+.}-{3:3}: + __lock_acquire+0x56f/0xaa0 + lock_acquire+0xa3/0x440 + __mutex_lock+0xa0/0xaf0 + btrfs_chunk_alloc+0x137/0x3e0 [btrfs] + find_free_extent+0xb44/0xfb0 [btrfs] + btrfs_reserve_extent+0x9b/0x180 [btrfs] + btrfs_alloc_tree_block+0xc1/0x350 [btrfs] + alloc_tree_block_no_bg_flush+0x4a/0x60 [btrfs] + __btrfs_cow_block+0x143/0x7a0 [btrfs] + btrfs_cow_block+0x15f/0x310 [btrfs] + push_leaf_right+0x150/0x240 [btrfs] + split_leaf+0x3cd/0x6d0 [btrfs] + btrfs_search_slot+0xd14/0xf70 [btrfs] + btrfs_insert_empty_items+0x64/0xc0 
[btrfs] + __btrfs_commit_inode_delayed_items+0xb2/0x840 [btrfs] + btrfs_async_run_delayed_root+0x10e/0x1d0 [btrfs] + btrfs_work_helper+0x2f9/0x650 [btrfs] + process_one_work+0x22c/0x600 + worker_thread+0x50/0x3b0 + kthread+0x137/0x150 + ret_from_fork+0x1f/0x30 + + -> #0 (&delayed_node->mutex){+.+.}-{3:3}: + check_prev_add+0x98/0xa20 + validate_chain+0xa8c/0x2a00 + __lock_acquire+0x56f/0xaa0 + lock_acquire+0xa3/0x440 + __mutex_lock+0xa0/0xaf0 + __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] + btrfs_evict_inode+0x3bf/0x560 [btrfs] + evict+0xd6/0x1c0 + dispose_list+0x48/0x70 + prune_icache_sb+0x54/0x80 + super_cache_scan+0x121/0x1a0 + do_shrink_slab+0x175/0x420 + shrink_slab+0xb1/0x2e0 + shrink_node+0x192/0x600 + balance_pgdat+0x31f/0x750 + kswapd+0x206/0x510 + kthread+0x137/0x150 + ret_from_fork+0x1f/0x30 + + other info that might help us debug this: + + Chain exists of: + &delayed_node->mutex --> &fs_info->chunk_mutex --> fs_reclaim + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(fs_reclaim); + lock(&fs_info->chunk_mutex); + lock(fs_reclaim); + lock(&delayed_node->mutex); + + *** DEADLOCK *** + + 3 locks held by kswapd0/75: + #0: ffffffff8b0c8040 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x5/0x30 + #1: ffffffff8b0b50b8 (shrinker_rwsem){++++}-{3:3}, at: shrink_slab+0x54/0x2e0 + #2: ffffa040e057c0e8 (&type->s_umount_key#26){++++}-{3:3}, at: trylock_super+0x16/0x50 + + stack backtrace: + CPU: 2 PID: 75 Comm: kswapd0 Not tainted 5.8.0-rc6-default+ #1191 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba527-rebuilt.opensuse.org 04/01/2014 + Call Trace: + dump_stack+0x78/0xa0 + check_noncircular+0x16f/0x190 + check_prev_add+0x98/0xa20 + validate_chain+0xa8c/0x2a00 + __lock_acquire+0x56f/0xaa0 + lock_acquire+0xa3/0x440 + ? __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] + __mutex_lock+0xa0/0xaf0 + ? __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] + ? __lock_acquire+0x56f/0xaa0 + ? 
__btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] + ? lock_acquire+0xa3/0x440 + ? btrfs_evict_inode+0x138/0x560 [btrfs] + ? btrfs_evict_inode+0x2fe/0x560 [btrfs] + ? __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] + __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] + btrfs_evict_inode+0x3bf/0x560 [btrfs] + evict+0xd6/0x1c0 + dispose_list+0x48/0x70 + prune_icache_sb+0x54/0x80 + super_cache_scan+0x121/0x1a0 + do_shrink_slab+0x175/0x420 + shrink_slab+0xb1/0x2e0 + shrink_node+0x192/0x600 + balance_pgdat+0x31f/0x750 + kswapd+0x206/0x510 + ? _raw_spin_unlock_irqrestore+0x3e/0x50 + ? finish_wait+0x90/0x90 + ? balance_pgdat+0x750/0x750 + kthread+0x137/0x150 + ? kthread_stop+0x2a0/0x2a0 + ret_from_fork+0x1f/0x30 + +This is because we're holding the chunk_mutex while adding this device +and adding its sysfs entries. We actually hold different locks in +different places when calling this function, the dev_replace semaphore +for instance in dev replace, so instead of moving this call around +simply wrap it's operations in NOFS. 
+ +CC: stable@vger.kernel.org # 4.14+ +Reported-by: David Sterba +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +--- + fs/btrfs/sysfs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c +index f05341bda1d14..383546ff62f04 100644 +--- a/fs/btrfs/sysfs.c ++++ b/fs/btrfs/sysfs.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + #include "ctree.h" + #include "disk-io.h" +@@ -749,7 +750,9 @@ int btrfs_sysfs_add_device_link(struct btrfs_fs_devices *fs_devices, + { + int error = 0; + struct btrfs_device *dev; ++ unsigned int nofs_flag; + ++ nofs_flag = memalloc_nofs_save(); + list_for_each_entry(dev, &fs_devices->devices, dev_list) { + struct hd_struct *disk; + struct kobject *disk_kobj; +@@ -768,6 +771,7 @@ int btrfs_sysfs_add_device_link(struct btrfs_fs_devices *fs_devices, + if (error) + break; + } ++ memalloc_nofs_restore(nofs_flag); + + return error; + } +-- +2.25.1 + diff --git a/queue-4.14/cec-api-prevent-leaking-memory-through-hole-in-struc.patch b/queue-4.14/cec-api-prevent-leaking-memory-through-hole-in-struc.patch new file mode 100644 index 00000000000..399c3151e51 --- /dev/null +++ b/queue-4.14/cec-api-prevent-leaking-memory-through-hole-in-struc.patch 
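Review bot: This queued patch has no upstream commit reference and no `Signed-off-by` from the queueing maintainer, unlike the neighbouring patches in the series, which each carry an `[ Upstream commit … ]` or `commit … upstream.` line. The lockdep report names btrfs_sysfs_add_devices_dir() while the hunk changes btrfs_sysfs_add_device_link(), so the patch was presumably adapted for 4.14, which makes the provenance line more important for anyone auditing the backport. I would add `[ Upstream commit <upstream-sha> ]` below the author line. In the code, memalloc_nofs_restore() is reached through the loop's `break` or its normal end in the lines shown; the loop body between the two hunks is not in view, so an early `return` there would need checking.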
@@ -0,0 +1,43 @@
+From 050fde58298a0dbd0198e4c2c1b9f247a10431ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Jun 2020 12:44:26 +0200
+Subject: cec-api: prevent leaking memory through hole in structure
+
+From: Hans Verkuil
+
+[ Upstream commit 6c42227c3467549ddc65efe99c869021d2f4a570 ]
+
+Fix this smatch warning:
+
+drivers/media/cec/core/cec-api.c:156 cec_adap_g_log_addrs() warn: check that 'log_addrs' doesn't leak information (struct has a hole after
+'features')
+
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/cec/cec-api.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/cec/cec-api.c b/drivers/media/cec/cec-api.c
+index 21a5f45e0259e..66ef06f4670c8 100644
+--- a/drivers/media/cec/cec-api.c
++++ b/drivers/media/cec/cec-api.c
+@@ -159,7 +159,13 @@ static long cec_adap_g_log_addrs(struct cec_adapter *adap,
+ struct cec_log_addrs log_addrs;
+
+ mutex_lock(&adap->lock);
+- log_addrs = adap->log_addrs;
++ /*
++ * We use memcpy here instead of assignment since there is a
++ * hole at the end of struct cec_log_addrs that an assignment
++ * might ignore. So when we do copy_to_user() we could leak
++ * one byte of memory.
++ */
++ memcpy(&log_addrs, &adap->log_addrs, sizeof(log_addrs));
+ if (!adap->is_configured)
+ memset(log_addrs.log_addr, CEC_LOG_ADDR_INVALID,
+ sizeof(log_addrs.log_addr));
+--
+2.25.1
+
diff --git a/queue-4.14/ceph-fix-potential-mdsc-use-after-free-crash.patch b/queue-4.14/ceph-fix-potential-mdsc-use-after-free-crash.patch
new file mode 100644
index 00000000000..51c1a74d830
--- /dev/null
+++ b/queue-4.14/ceph-fix-potential-mdsc-use-after-free-crash.patch
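Review bot: The memcpy() in cec_adap_g_log_addrs() copies the padding bytes of `adap->log_addrs` along with the fields, so the copy later passed to copy_to_user() is free of stale data only if the adapter structure was zero-initialised when it was allocated; the hunk does not show that. The new comment should state this dependency, for example `adap->log_addrs is zero-initialised at allocation, so its padding is safe to copy`, once confirmed against the allocation site. The memset() that follows touches only the `log_addr` member and does not cover the hole. The function body continues outside the hunk.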
@@ -0,0 +1,64 @@ +From 29e54ccc37b1be63cc7ba5939d3de2b510f353ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jul 2020 01:52:48 -0400 +Subject: ceph: fix potential mdsc use-after-free crash + +From: Xiubo Li + +[ Upstream commit fa9967734227b44acb1b6918033f9122dc7825b9 ] + +Make sure the delayed work stopped before releasing the resources. + +cancel_delayed_work_sync() will only guarantee that the work finishes +executing if the work is already in the ->worklist. That means after +the cancel_delayed_work_sync() returns, it will leave the work requeued +if it was rearmed at the end. That can lead to a use after free once the +work struct is freed. + +Fix it by flushing the delayed work instead of trying to cancel it, and +ensure that the work doesn't rearm if the mdsc is stopping. + +URL: https://tracker.ceph.com/issues/46293 +Signed-off-by: Xiubo Li +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/mds_client.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c +index f36ddfea4997e..06109314d93c8 100644 +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -3518,6 +3518,9 @@ static void delayed_work(struct work_struct *work) + dout("mdsc delayed_work\n"); + ceph_check_delayed_caps(mdsc); + ++ if (mdsc->stopping) ++ return; ++ + mutex_lock(&mdsc->mutex); + renew_interval = mdsc->mdsmap->m_session_timeout >> 2; + renew_caps = time_after_eq(jiffies, HZ*renew_interval + +@@ -3851,7 +3854,16 @@ void ceph_mdsc_force_umount(struct ceph_mds_client *mdsc) + static void ceph_mdsc_stop(struct ceph_mds_client *mdsc) + { + dout("stop\n"); +- cancel_delayed_work_sync(&mdsc->delayed_work); /* cancel timer */ ++ /* ++ * Make sure the delayed work stopped before releasing ++ * the resources. ++ * ++ * Because the cancel_delayed_work_sync() will only ++ * guarantee that the work finishes executing. 
But the ++ * delayed work will re-arm itself again after that. ++ */ ++ flush_delayed_work(&mdsc->delayed_work); ++ + if (mdsc->mdsmap) + ceph_mdsmap_destroy(mdsc->mdsmap); + kfree(mdsc->sessions); +-- +2.25.1 + diff --git a/queue-4.14/clk-evict-unregistered-clks-from-parent-caches.patch b/queue-4.14/clk-evict-unregistered-clks-from-parent-caches.patch new file mode 100644 index 00000000000..dc343fcea09 --- /dev/null +++ b/queue-4.14/clk-evict-unregistered-clks-from-parent-caches.patch 
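Review bot: The new early return in delayed_work() reads `mdsc->stopping` before `mdsc->mutex` is taken, and flush_delayed_work() in ceph_mdsc_stop() is safe only if that flag is already set on every path that reaches it; neither hunk shows where `stopping` is written. If a caller reached ceph_mdsc_stop() without the flag set, the flushed work would presumably re-arm itself and the use-after-free described in the commit message would remain possible. The comment in ceph_mdsc_stop() should state the requirement, e.g. `/* callers must set mdsc->stopping first so delayed_work() does not re-arm */`; its current wording about cancel_delayed_work_sync() is hard to follow. Both function bodies continue outside the hunks.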
@@ -0,0 +1,134 @@ +From 166f501401faecdc70028c69a303d67b529f3c33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Aug 2019 11:19:59 -0700 +Subject: clk: Evict unregistered clks from parent caches + +From: Stephen Boyd + +commit bdcf1dc253248542537a742ae1e7ccafdd03f2d3 upstream. + +We leave a dangling pointer in each clk_core::parents array that has an +unregistered clk as a potential parent when that clk_core pointer is +freed by clk{_hw}_unregister(). It is impossible for the true parent of +a clk to be set with clk_set_parent() once the dangling pointer is left +in the cache because we compare parent pointers in +clk_fetch_parent_index() instead of checking for a matching clk name or +clk_hw pointer. + +Before commit ede77858473a ("clk: Remove global clk traversal on fetch +parent index"), we would check clk_hw pointers, which has a higher +chance of being the same between registration and unregistration, but it +can still be allocated and freed by the clk provider. In fact, this has +been a long standing problem since commit da0f0b2c3ad2 ("clk: Correct +lookup logic in clk_fetch_parent_index()") where we stopped trying to +compare clk names and skipped over entries in the cache that weren't +NULL. + +There are good (performance) reasons to not do the global tree lookup in +cases where the cache holds dangling pointers to parents that have been +unregistered. Let's take the performance hit on the uncommon +registration path instead. Loop through all the clk_core::parents arrays +when a clk is unregistered and set the entry to NULL when the parent +cache entry and clk being unregistered are the same pointer. This will +fix this problem and avoid the overhead for the "normal" case. + +Based on a patch by Bjorn Andersson. 
+ +Fixes: da0f0b2c3ad2 ("clk: Correct lookup logic in clk_fetch_parent_index()") +Reviewed-by: Bjorn Andersson +Tested-by: Sai Prakash Ranjan +Signed-off-by: Stephen Boyd +Link: https://lkml.kernel.org/r/20190828181959.204401-1-sboyd@kernel.org +Tested-by: Naresh Kamboju +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk.c | 52 +++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 41 insertions(+), 11 deletions(-) + +diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c +index 44b6f23cc851d..4289c519af1be 100644 +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -39,6 +39,17 @@ static HLIST_HEAD(clk_root_list); + static HLIST_HEAD(clk_orphan_list); + static LIST_HEAD(clk_notifier_list); + ++static struct hlist_head *all_lists[] = { ++ &clk_root_list, ++ &clk_orphan_list, ++ NULL, ++}; ++ ++static struct hlist_head *orphan_list[] = { ++ &clk_orphan_list, ++ NULL, ++}; ++ + /*** private data structures ***/ + + struct clk_core { +@@ -1993,17 +2004,6 @@ static int inited = 0; + static DEFINE_MUTEX(clk_debug_lock); + static HLIST_HEAD(clk_debug_list); + +-static struct hlist_head *all_lists[] = { +- &clk_root_list, +- &clk_orphan_list, +- NULL, +-}; +- +-static struct hlist_head *orphan_list[] = { +- &clk_orphan_list, +- NULL, +-}; +- + static void clk_summary_show_one(struct seq_file *s, struct clk_core *c, + int level) + { +@@ -2735,6 +2735,34 @@ static const struct clk_ops clk_nodrv_ops = { + .set_parent = clk_nodrv_set_parent, + }; + ++static void clk_core_evict_parent_cache_subtree(struct clk_core *root, ++ struct clk_core *target) ++{ ++ int i; ++ struct clk_core *child; ++ ++ for (i = 0; i < root->num_parents; i++) ++ if (root->parents[i] == target) ++ root->parents[i] = NULL; ++ ++ hlist_for_each_entry(child, &root->children, child_node) ++ clk_core_evict_parent_cache_subtree(child, target); ++} ++ ++/* Remove this clk from all parent caches */ ++static void clk_core_evict_parent_cache(struct clk_core *core) ++{ ++ struct hlist_head **lists; 
++ struct clk_core *root; ++ ++ lockdep_assert_held(&prepare_lock); ++ ++ for (lists = all_lists; *lists; lists++) ++ hlist_for_each_entry(root, *lists, child_node) ++ clk_core_evict_parent_cache_subtree(root, core); ++ ++} ++ + /** + * clk_unregister - unregister a currently registered clock + * @clk: clock to unregister +@@ -2773,6 +2801,8 @@ void clk_unregister(struct clk *clk) + clk_core_set_parent(child, NULL); + } + ++ clk_core_evict_parent_cache(clk->core); ++ + hlist_del_init(&clk->core->child_node); + + if (clk->core->prepare_count) +-- +2.25.1 + diff --git a/queue-4.14/cpufreq-intel_pstate-fix-cpuinfo_max_freq-when-msr_t.patch b/queue-4.14/cpufreq-intel_pstate-fix-cpuinfo_max_freq-when-msr_t.patch new file mode 100644 index 00000000000..12ee5623cd5 --- /dev/null +++ b/queue-4.14/cpufreq-intel_pstate-fix-cpuinfo_max_freq-when-msr_t.patch 
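Review bot: In clk_core_evict_parent_cache_subtree() the `for` loop has an `if` with its own body as its only statement and no braces, and clk_core_evict_parent_cache() nests `hlist_for_each_entry` inside a brace-less `for` and ends with a stray blank line before the closing brace. Braces on the outer loops, e.g. `for (i = 0; i < root->num_parents; i++) {`, would make it harder to attach a later statement to the wrong level in code whose purpose is to clear dangling pointers. The subtree walk is recursive and runs for every root on each unregister with prepare_lock held, a cost the commit message accepts; a one-line comment on clk_core_evict_parent_cache_subtree() saying so would help the next reader.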
@@ -0,0 +1,48 @@
+From 485c4298e720bd40ee378135638980713589adb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 3 Aug 2020 11:37:20 -0700
+Subject: cpufreq: intel_pstate: Fix cpuinfo_max_freq when
+ MSR_TURBO_RATIO_LIMIT is 0
+
+From: Srinivas Pandruvada
+
+[ Upstream commit 4daca379c703ff55edc065e8e5173dcfeecf0148 ]
+
+The MSR_TURBO_RATIO_LIMIT can be 0. This is not an error. User can update
+this MSR via BIOS settings on some systems or can use msr tools to update.
+Also some systems boot with value = 0.
+
+This results in display of cpufreq/cpuinfo_max_freq wrong. This value
+will be equal to cpufreq/base_frequency, even though turbo is enabled.
+
+But platform will still function normally in HWP mode as we get max
+1-core frequency from the MSR_HWP_CAPABILITIES. This MSR is already used
+to calculate cpu->pstate.turbo_freq, which is used for to set
+policy->cpuinfo.max_freq. But some other places cpu->pstate.turbo_pstate
+is used. For example to set policy->max.
+
+To fix this, also update cpu->pstate.turbo_pstate when updating
+cpu->pstate.turbo_freq.
+
+Signed-off-by: Srinivas Pandruvada
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/cpufreq/intel_pstate.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
+index 1aa0b05c8cbdf..5c41dc9aaa46d 100644
+--- a/drivers/cpufreq/intel_pstate.c
++++ b/drivers/cpufreq/intel_pstate.c
+@@ -1378,6 +1378,7 @@ static void intel_pstate_get_cpu_pstates(struct cpudata *cpu)
+
+ intel_pstate_get_hwp_max(cpu->cpu, &phy_max, ¤t_max);
+ cpu->pstate.turbo_freq = phy_max * cpu->pstate.scaling;
++ cpu->pstate.turbo_pstate = phy_max;
+ } else {
+ cpu->pstate.turbo_freq = cpu->pstate.turbo_pstate * cpu->pstate.scaling;
+ }
+--
+2.25.1
+
diff --git a/queue-4.14/do_epoll_ctl-clean-the-failure-exits-up-a-bit.patch b/queue-4.14/do_epoll_ctl-clean-the-failure-exits-up-a-bit.patch
new file mode 100644
index 00000000000..4155f0edfc1
--- /dev/null +++ b/queue-4.14/do_epoll_ctl-clean-the-failure-exits-up-a-bit.patch @@ -0,0 +1,56 @@ +From 3e96d14927153e634a5911002d837696baf809eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Aug 2020 18:25:52 -0400 +Subject: do_epoll_ctl(): clean the failure exits up a bit + +From: Al Viro + +commit 52c479697c9b73f628140dcdfcd39ea302d05482 upstream. + +Signed-off-by: Al Viro +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman +--- + fs/eventpoll.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index 94f6c19dcf30a..00f0902e27e88 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -2099,10 +2099,8 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd, + mutex_lock(&epmutex); + if (is_file_epoll(tf.file)) { + error = -ELOOP; +- if (ep_loop_check(ep, tf.file) != 0) { +- clear_tfile_check_list(); ++ if (ep_loop_check(ep, tf.file) != 0) + goto error_tgt_fput; +- } + } else { + get_file(tf.file); + list_add(&tf.file->f_tfile_llink, +@@ -2131,8 +2129,6 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd, + error = ep_insert(ep, &epds, tf.file, fd, full_check); + } else + error = -EEXIST; +- if (full_check) +- clear_tfile_check_list(); + break; + case EPOLL_CTL_DEL: + if (epi) +@@ -2155,8 +2151,10 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd, + mutex_unlock(&ep->mtx); + + error_tgt_fput: +- if (full_check) ++ if (full_check) { ++ clear_tfile_check_list(); + mutex_unlock(&epmutex); ++ } + + fdput(tf); + error_fput: +-- +2.25.1 + diff --git a/queue-4.14/drm-amd-display-fix-ref-count-leak-in-amdgpu_drm_ioc.patch b/queue-4.14/drm-amd-display-fix-ref-count-leak-in-amdgpu_drm_ioc.patch new file mode 100644 index 00000000000..52f2b456d72 --- /dev/null +++ b/queue-4.14/drm-amd-display-fix-ref-count-leak-in-amdgpu_drm_ioc.patch 
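Review bot: After this change the `error_tgt_fput` label calls clear_tfile_check_list() whenever `full_check` is set, so the `-ELOOP` exit relies on `full_check` having been set before `mutex_lock(&epmutex)`; that assignment is outside the hunks. Nothing at the label records the invariant, and the patch has an empty description, so a reader cannot tell that this is meant as a cleanup with no behaviour change. I would add a comment at the label, `/* full_check set: epmutex is held and tfile_check_list may be populated */`. The function body starts and ends outside the hunks.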
@@ -0,0 +1,41 @@
+From a81f72e983ab77db7de2c402e0bb22c8541d05e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 14 Jun 2020 02:14:50 -0500
+Subject: drm/amd/display: fix ref count leak in amdgpu_drm_ioctl
+
+From: Navid Emamdoost
+
+[ Upstream commit 5509ac65f2fe5aa3c0003237ec629ca55024307c ]
+
+in amdgpu_drm_ioctl the call to pm_runtime_get_sync increments the
+counter even in case of failure, leading to incorrect
+ref count. In case of failure, decrement the ref count before returning.
+
+Signed-off-by: Navid Emamdoost
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+index ae23f7e0290c3..465ece90e63ab 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -801,11 +801,12 @@ long amdgpu_drm_ioctl(struct file *filp,
+ dev = file_priv->minor->dev;
+ ret = pm_runtime_get_sync(dev->dev);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+ ret = drm_ioctl(filp, cmd, arg);
+
+ pm_runtime_mark_last_busy(dev->dev);
++out:
+ pm_runtime_put_autosuspend(dev->dev);
+ return ret;
+ }
+--
+2.25.1
+
diff --git a/queue-4.14/drm-amdgpu-display-fix-ref-count-leak-when-pm_runtim.patch b/queue-4.14/drm-amdgpu-display-fix-ref-count-leak-when-pm_runtim.patch
new file mode 100644
index 00000000000..a121b1b2ba5
--- /dev/null
+++ b/queue-4.14/drm-amdgpu-display-fix-ref-count-leak-when-pm_runtim.patch
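Review bot: On the failure path the new `goto out` balances the usage count with pm_runtime_put_autosuspend(), which may also try to schedule an autosuspend on a device whose resume has just failed; `pm_runtime_put_noidle()` only decrements the count and is the more usual way to undo a failed pm_runtime_get_sync(). This is a point of style, not a leak, since the count is balanced either way. The same applies to the four `*_detect()` hunks in amdgpu_connectors.c and to the `pm_put:` label in amdgpu_driver_open_kms() later in this series. Something like `if (ret < 0) { pm_runtime_put_noidle(dev->dev); return ret; }` would also keep the error path apart from the normal exit.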
@@ -0,0 +1,75 @@ +From bf09e3337114740d249231fc137ab310986ecc5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 02:05:28 -0500 +Subject: drm/amdgpu/display: fix ref count leak when pm_runtime_get_sync fails + +From: Navid Emamdoost + +[ Upstream commit f79f94765f8c39db0b7dec1d335ab046aac03f20 ] + +The call to pm_runtime_get_sync increments the counter even in case of +failure, leading to incorrect ref count. +In case of failure, decrement the ref count before returning. + +Signed-off-by: Navid Emamdoost +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +index 1eff36a875958..3992e1cbb61ca 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +@@ -734,8 +734,10 @@ amdgpu_connector_lvds_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + if (encoder) { +@@ -872,8 +874,10 @@ amdgpu_connector_vga_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + encoder = amdgpu_connector_best_single_encoder(connector); +@@ -996,8 +1000,10 @@ amdgpu_connector_dvi_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return 
connector_status_disconnected; ++ } + } + + if (!force && amdgpu_connector_check_hpd_status_unchanged(connector)) { +@@ -1371,8 +1377,10 @@ amdgpu_connector_dp_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + if (!force && amdgpu_connector_check_hpd_status_unchanged(connector)) { +-- +2.25.1 + diff --git a/queue-4.14/drm-amdgpu-fix-ref-count-leak-in-amdgpu_display_crtc.patch b/queue-4.14/drm-amdgpu-fix-ref-count-leak-in-amdgpu_display_crtc.patch new file mode 100644 index 00000000000..a81dff9a39a --- /dev/null +++ b/queue-4.14/drm-amdgpu-fix-ref-count-leak-in-amdgpu_display_crtc.patch 
@@ -0,0 +1,53 @@
+From 25db81a4dfd6cd8aafc03c312c42beddb46add70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 14 Jun 2020 02:09:44 -0500
+Subject: drm/amdgpu: fix ref count leak in amdgpu_display_crtc_set_config
+
+From: Navid Emamdoost
+
+[ Upstream commit e008fa6fb41544b63973a529b704ef342f47cc65 ]
+
+in amdgpu_display_crtc_set_config, the call to pm_runtime_get_sync
+increments the counter even in case of failure, leading to incorrect
+ref count. In case of failure, decrement the ref count before returning.
+
+Signed-off-by: Navid Emamdoost
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+index 6ad243293a78b..df24494299791 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+@@ -269,7 +269,7 @@ int amdgpu_crtc_set_config(struct drm_mode_set *set,
+
+ ret = pm_runtime_get_sync(dev->dev);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+ ret = drm_crtc_helper_set_config(set, ctx);
+
+@@ -284,7 +284,7 @@ int amdgpu_crtc_set_config(struct drm_mode_set *set,
+ take the current one */
+ if (active && !adev->have_disp_power_ref) {
+ adev->have_disp_power_ref = true;
+- return ret;
++ goto out;
+ }
+ /* if we have no active crtcs, then drop the power ref
+ we got before */
+@@ -293,6 +293,7 @@ int amdgpu_crtc_set_config(struct drm_mode_set *set,
+ adev->have_disp_power_ref = false;
+ }
+
++out:
+ /* drop the power reference we got coming in here */
+ pm_runtime_put_autosuspend(dev->dev);
+ return ret;
+--
+2.25.1
+
diff --git a/queue-4.14/drm-amdgpu-fix-ref-count-leak-in-amdgpu_driver_open_.patch b/queue-4.14/drm-amdgpu-fix-ref-count-leak-in-amdgpu_driver_open_.patch
new file mode 100644
index 00000000000..09ea5e8b15d
--- /dev/null
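Review bot: The second `goto out` in amdgpu_crtc_set_config() changes behaviour beyond the stated leak fix. In the `active && !adev->have_disp_power_ref` branch the old `return ret` deliberately kept the reference taken on entry (the comment says "take the current one"); jumping to `out:` now releases it with pm_runtime_put_autosuspend() while `have_disp_power_ref` stays true. When the CRTCs later go inactive, the `!active && adev->have_disp_power_ref` branch would put a reference that is no longer held, so the usage count drops once too often and the device could be suspended while a display is still active. Only the first `goto out`, after the failed pm_runtime_get_sync(), is needed; this branch should keep `return ret;`. The function starts outside the hunks.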
+++ b/queue-4.14/drm-amdgpu-fix-ref-count-leak-in-amdgpu_driver_open_.patch
@@ -0,0 +1,44 @@
+From 655cb063e26974ee1780dce2c73d913e433b3b71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 14 Jun 2020 02:12:29 -0500
+Subject: drm/amdgpu: fix ref count leak in amdgpu_driver_open_kms
+
+From: Navid Emamdoost
+
+[ Upstream commit 9ba8923cbbe11564dd1bf9f3602add9a9cfbb5c6 ]
+
+in amdgpu_driver_open_kms the call to pm_runtime_get_sync increments the
+counter even in case of failure, leading to incorrect
+ref count. In case of failure, decrement the ref count before returning.
+
+Signed-off-by: Navid Emamdoost
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+index 22d9ec80a2ffd..b7ee5008b8a2a 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+@@ -785,7 +785,7 @@ int amdgpu_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
+
+ r = pm_runtime_get_sync(dev->dev);
+ if (r < 0)
+- return r;
++ goto pm_put;
+
+ fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL);
+ if (unlikely(!fpriv)) {
+@@ -824,6 +824,7 @@ int amdgpu_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
+
+ out_suspend:
+ pm_runtime_mark_last_busy(dev->dev);
++pm_put:
+ pm_runtime_put_autosuspend(dev->dev);
+
+ return r;
+--
+2.25.1
+
diff --git a/queue-4.14/drm-amdkfd-fix-reference-count-leaks.patch b/queue-4.14/drm-amdkfd-fix-reference-count-leaks.patch
new file mode 100644
index 00000000000..896fda2bfdf
--- /dev/null
+++ b/queue-4.14/drm-amdkfd-fix-reference-count-leaks.patch
@@ -0,0 +1,89 @@ +From 700cd3179835293104947739a2f1d8d831331836 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 14:32:26 -0500 +Subject: drm/amdkfd: Fix reference count leaks. + +From: Qiushi Wu + +[ Upstream commit 20eca0123a35305e38b344d571cf32768854168c ] + +kobject_init_and_add() takes reference even when it fails. +If this function returns an error, kobject_put() must be called to +properly clean up the memory associated with the object. + +Signed-off-by: Qiushi Wu +Reviewed-by: Felix Kuehling +Signed-off-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c +index e0b78fd9804de..ab79c1030f005 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c +@@ -821,8 +821,10 @@ static int kfd_build_sysfs_node_entry(struct kfd_topology_device *dev, + + ret = kobject_init_and_add(dev->kobj_node, &node_type, + sys_props.kobj_nodes, "%d", id); +- if (ret < 0) ++ if (ret < 0) { ++ kobject_put(dev->kobj_node); + return ret; ++ } + + dev->kobj_mem = kobject_create_and_add("mem_banks", dev->kobj_node); + if (!dev->kobj_mem) +@@ -865,8 +867,10 @@ static int kfd_build_sysfs_node_entry(struct kfd_topology_device *dev, + return -ENOMEM; + ret = kobject_init_and_add(mem->kobj, &mem_type, + dev->kobj_mem, "%d", i); +- if (ret < 0) ++ if (ret < 0) { ++ kobject_put(mem->kobj); + return ret; ++ } + + mem->attr.name = "properties"; + mem->attr.mode = KFD_SYSFS_FILE_MODE; +@@ -884,8 +888,10 @@ static int kfd_build_sysfs_node_entry(struct kfd_topology_device *dev, + return -ENOMEM; + ret = kobject_init_and_add(cache->kobj, &cache_type, + dev->kobj_cache, "%d", i); +- if (ret < 0) ++ if (ret < 0) { ++ kobject_put(cache->kobj); + return ret; ++ } + + cache->attr.name = 
"properties"; + cache->attr.mode = KFD_SYSFS_FILE_MODE; +@@ -903,8 +909,10 @@ static int kfd_build_sysfs_node_entry(struct kfd_topology_device *dev, + return -ENOMEM; + ret = kobject_init_and_add(iolink->kobj, &iolink_type, + dev->kobj_iolink, "%d", i); +- if (ret < 0) ++ if (ret < 0) { ++ kobject_put(iolink->kobj); + return ret; ++ } + + iolink->attr.name = "properties"; + iolink->attr.mode = KFD_SYSFS_FILE_MODE; +@@ -956,8 +964,10 @@ static int kfd_topology_update_sysfs(void) + ret = kobject_init_and_add(sys_props.kobj_topology, + &sysprops_type, &kfd_device->kobj, + "topology"); +- if (ret < 0) ++ if (ret < 0) { ++ kobject_put(sys_props.kobj_topology); + return ret; ++ } + + sys_props.kobj_nodes = kobject_create_and_add("nodes", + sys_props.kobj_topology); +-- +2.25.1 + diff --git a/queue-4.14/drm-nouveau-drm-noveau-fix-reference-count-leak-in-n.patch b/queue-4.14/drm-nouveau-drm-noveau-fix-reference-count-leak-in-n.patch new file mode 100644 index 00000000000..c72aa0fca81 --- /dev/null +++ b/queue-4.14/drm-nouveau-drm-noveau-fix-reference-count-leak-in-n.patch 
@@ -0,0 +1,40 @@ +From b429ee21e98e90414b341d7395ed16e952eb37c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 20:33:42 -0500 +Subject: drm/nouveau/drm/noveau: fix reference count leak in + nouveau_fbcon_open + +From: Aditya Pakki + +[ Upstream commit bfad51c7633325b5d4b32444efe04329d53297b2 ] + +nouveau_fbcon_open() calls calls pm_runtime_get_sync() that +increments the reference count. In case of failure, decrement the +ref count before returning the error. + +Signed-off-by: Aditya Pakki +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_fbcon.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +index 9ffb09679cc4a..cae1beabcd05d 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c ++++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +@@ -184,8 +184,10 @@ nouveau_fbcon_open(struct fb_info *info, int user) + struct nouveau_fbdev *fbcon = info->par; + struct nouveau_drm *drm = nouveau_drm(fbcon->helper.dev); + int ret = pm_runtime_get_sync(drm->dev->dev); +- if (ret < 0 && ret != -EACCES) ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put(drm->dev->dev); + return ret; ++ } + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.14/drm-nouveau-fix-reference-count-leak-in-nouveau_conn.patch b/queue-4.14/drm-nouveau-fix-reference-count-leak-in-nouveau_conn.patch new file mode 100644 index 00000000000..514c15f8313 --- /dev/null +++ b/queue-4.14/drm-nouveau-fix-reference-count-leak-in-nouveau_conn.patch 
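Review bot: On the failure path of `nouveau_fbcon_open` the count is balanced with `pm_runtime_put()`, which also queues an idle request for a device that has just failed to resume; only the usage count needs to drop here, `pm_runtime_put_noidle(drm->dev->dev);`. The same applies to the `pm_runtime_put_autosuspend()` calls added in the nouveau_connector_detect patch and in the five radeon `*_detect` functions later in this commit. The `-EACCES` case also returns 0 with the count still raised; whether the matching release callback drops it is outside the hunk, so a comment stating that would help.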
@@ -0,0 +1,39 @@ +From 1bed3ed68f2bfdd17b2dd3a4bff3e5ec2d9c348d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 20:22:23 -0500 +Subject: drm/nouveau: Fix reference count leak in nouveau_connector_detect + +From: Aditya Pakki + +[ Upstream commit 990a1162986e8eff7ca18cc5a0e03b4304392ae2 ] + +nouveau_connector_detect() calls pm_runtime_get_sync and in turn +increments the reference count. In case of failure, decrement the +ref count before returning the error. + +Signed-off-by: Aditya Pakki +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_connector.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c +index 4a7d50a96d36f..b5c8219c54557 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -580,8 +580,10 @@ nouveau_connector_detect(struct drm_connector *connector, bool force) + pm_runtime_get_noresume(dev->dev); + } else { + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0 && ret != -EACCES) ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put_autosuspend(dev->dev); + return conn_status; ++ } + } + + nv_encoder = nouveau_connector_ddc_detect(connector); +-- +2.25.1 + diff --git a/queue-4.14/drm-radeon-fix-multiple-reference-count-leak.patch b/queue-4.14/drm-radeon-fix-multiple-reference-count-leak.patch new file mode 100644 index 00000000000..42fa9fdc461 --- /dev/null +++ b/queue-4.14/drm-radeon-fix-multiple-reference-count-leak.patch 
@@ -0,0 +1,87 @@ +From 4475db757621a2f5a62dd972801a44db08329c2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 20:55:39 -0500 +Subject: drm/radeon: fix multiple reference count leak + +From: Aditya Pakki + +[ Upstream commit 6f2e8acdb48ed166b65d47837c31b177460491ec ] + +On calling pm_runtime_get_sync() the reference count of the device +is incremented. In case of failure, decrement the +reference count before returning the error. + +Signed-off-by: Aditya Pakki +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_connectors.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c +index 48f752cf7a920..fc021b8e4077d 100644 +--- a/drivers/gpu/drm/radeon/radeon_connectors.c ++++ b/drivers/gpu/drm/radeon/radeon_connectors.c +@@ -895,8 +895,10 @@ radeon_lvds_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + if (encoder) { +@@ -1041,8 +1043,10 @@ radeon_vga_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + encoder = radeon_best_single_encoder(connector); +@@ -1179,8 +1183,10 @@ radeon_tv_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + encoder = radeon_best_single_encoder(connector); +@@ -1263,8 +1269,10 @@ 
radeon_dvi_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + if (radeon_connector->detected_hpd_without_ddc) { +@@ -1704,8 +1712,10 @@ radeon_dp_detect(struct drm_connector *connector, bool force) + + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + } + + if (!force && radeon_check_hpd_status_unchanged(connector)) { +-- +2.25.1 + diff --git a/queue-4.14/drm-vgem-replace-opencoded-version-of-drm_gem_dumb_m.patch b/queue-4.14/drm-vgem-replace-opencoded-version-of-drm_gem_dumb_m.patch new file mode 100644 index 00000000000..8c1e15ed713 --- /dev/null +++ b/queue-4.14/drm-vgem-replace-opencoded-version-of-drm_gem_dumb_m.patch 
@@ -0,0 +1,83 @@ +From 5a7f8bd51e0859ca58088777e4a5ee0db0ba7de7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jul 2020 16:49:11 +0100 +Subject: drm/vgem: Replace opencoded version of drm_gem_dumb_map_offset() + +From: Chris Wilson + +[ Upstream commit 119c53d2d4044c59c450c4f5a568d80b9d861856 ] + +drm_gem_dumb_map_offset() now exists and does everything +vgem_gem_dump_map does and *ought* to do. + +In particular, vgem_gem_dumb_map() was trying to reject mmapping an +imported dmabuf by checking the existence of obj->filp. Unfortunately, +we always allocated an obj->filp, even if unused for an imported dmabuf. +Instead, the drm_gem_dumb_map_offset(), since commit 90378e589192 +("drm/gem: drm_gem_dumb_map_offset(): reject dma-buf"), uses the +obj->import_attach to reject such invalid mmaps. + +This prevents vgem from allowing userspace mmapping the dumb handle and +attempting to incorrectly fault in remote pages belonging to another +device, where there may not even be a struct page. 
+ +v2: Use the default drm_gem_dumb_map_offset() callback + +Fixes: af33a9190d02 ("drm/vgem: Enable dmabuf import interfaces") +Signed-off-by: Chris Wilson +Reviewed-by: Daniel Vetter +Cc: # v4.13+ +Link: https://patchwork.freedesktop.org/patch/msgid/20200708154911.21236-1-chris@chris-wilson.co.uk +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vgem/vgem_drv.c | 27 --------------------------- + 1 file changed, 27 deletions(-) + +diff --git a/drivers/gpu/drm/vgem/vgem_drv.c b/drivers/gpu/drm/vgem/vgem_drv.c +index aa592277d5108..67037eb9a80ee 100644 +--- a/drivers/gpu/drm/vgem/vgem_drv.c ++++ b/drivers/gpu/drm/vgem/vgem_drv.c +@@ -220,32 +220,6 @@ static int vgem_gem_dumb_create(struct drm_file *file, struct drm_device *dev, + return 0; + } + +-static int vgem_gem_dumb_map(struct drm_file *file, struct drm_device *dev, +- uint32_t handle, uint64_t *offset) +-{ +- struct drm_gem_object *obj; +- int ret; +- +- obj = drm_gem_object_lookup(file, handle); +- if (!obj) +- return -ENOENT; +- +- if (!obj->filp) { +- ret = -EINVAL; +- goto unref; +- } +- +- ret = drm_gem_create_mmap_offset(obj); +- if (ret) +- goto unref; +- +- *offset = drm_vma_node_offset_addr(&obj->vma_node); +-unref: +- drm_gem_object_put_unlocked(obj); +- +- return ret; +-} +- + static struct drm_ioctl_desc vgem_ioctls[] = { + DRM_IOCTL_DEF_DRV(VGEM_FENCE_ATTACH, vgem_fence_attach_ioctl, DRM_AUTH|DRM_RENDER_ALLOW), + DRM_IOCTL_DEF_DRV(VGEM_FENCE_SIGNAL, vgem_fence_signal_ioctl, DRM_AUTH|DRM_RENDER_ALLOW), +@@ -439,7 +413,6 @@ static struct drm_driver vgem_driver = { + .fops = &vgem_driver_fops, + + .dumb_create = vgem_gem_dumb_create, +- .dumb_map_offset = vgem_gem_dumb_map, + + .prime_handle_to_fd = drm_gem_prime_handle_to_fd, + .prime_fd_to_handle = drm_gem_prime_fd_to_handle, +-- +2.25.1 + diff --git a/queue-4.14/edac-ie31200-fallback-if-host-bridge-device-is-alrea.patch b/queue-4.14/edac-ie31200-fallback-if-host-bridge-device-is-alrea.patch new file mode 100644 index 00000000000..41d74b32f7e 
--- /dev/null +++ b/queue-4.14/edac-ie31200-fallback-if-host-bridge-device-is-alrea.patch 
@@ -0,0 +1,127 @@ +From 30e150b3bfa71a05be40dd3c5e099abd3656e650 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jul 2020 14:25:11 -0400 +Subject: EDAC/ie31200: Fallback if host bridge device is already initialized + +From: Jason Baron + +[ Upstream commit 709ed1bcef12398ac1a35c149f3e582db04456c2 ] + +The Intel uncore driver may claim some of the pci ids from ie31200 which +means that the ie31200 edac driver will not initialize them as part of +pci_register_driver(). + +Let's add a fallback for this case to 'pci_get_device()' to get a +reference on the device such that it can still be configured. This is +similar in approach to other edac drivers. + +Signed-off-by: Jason Baron +Cc: Borislav Petkov +Cc: Mauro Carvalho Chehab +Cc: linux-edac +Signed-off-by: Tony Luck +Link: https://lore.kernel.org/r/1594923911-10885-1-git-send-email-jbaron@akamai.com +Signed-off-by: Sasha Levin +--- + drivers/edac/ie31200_edac.c | 50 ++++++++++++++++++++++++++++++++++--- + 1 file changed, 47 insertions(+), 3 deletions(-) + +diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c +index aac9b9b360b80..9e4781a807cfa 100644 +--- a/drivers/edac/ie31200_edac.c ++++ b/drivers/edac/ie31200_edac.c +@@ -147,6 +147,8 @@ + (n << (28 + (2 * skl) - PAGE_SHIFT)) + + static int nr_channels; ++static struct pci_dev *mci_pdev; ++static int ie31200_registered = 1; + + struct ie31200_priv { + void __iomem *window; +@@ -518,12 +520,16 @@ fail_free: + static int ie31200_init_one(struct pci_dev *pdev, + const struct pci_device_id *ent) + { +- edac_dbg(0, "MC:\n"); ++ int rc; + ++ edac_dbg(0, "MC:\n"); + if (pci_enable_device(pdev) < 0) + return -EIO; ++ rc = ie31200_probe1(pdev, ent->driver_data); ++ if (rc == 0 && !mci_pdev) ++ mci_pdev = pci_dev_get(pdev); + +- return ie31200_probe1(pdev, ent->driver_data); ++ return rc; + } + + static void ie31200_remove_one(struct pci_dev *pdev) +@@ -532,6 +538,8 @@ static void ie31200_remove_one(struct pci_dev *pdev) + struct ie31200_priv 
*priv; + + edac_dbg(0, "\n"); ++ pci_dev_put(mci_pdev); ++ mci_pdev = NULL; + mci = edac_mc_del_mc(&pdev->dev); + if (!mci) + return; +@@ -583,17 +591,53 @@ static struct pci_driver ie31200_driver = { + + static int __init ie31200_init(void) + { ++ int pci_rc, i; ++ + edac_dbg(3, "MC:\n"); + /* Ensure that the OPSTATE is set correctly for POLL or NMI */ + opstate_init(); + +- return pci_register_driver(&ie31200_driver); ++ pci_rc = pci_register_driver(&ie31200_driver); ++ if (pci_rc < 0) ++ goto fail0; ++ ++ if (!mci_pdev) { ++ ie31200_registered = 0; ++ for (i = 0; ie31200_pci_tbl[i].vendor != 0; i++) { ++ mci_pdev = pci_get_device(ie31200_pci_tbl[i].vendor, ++ ie31200_pci_tbl[i].device, ++ NULL); ++ if (mci_pdev) ++ break; ++ } ++ if (!mci_pdev) { ++ edac_dbg(0, "ie31200 pci_get_device fail\n"); ++ pci_rc = -ENODEV; ++ goto fail1; ++ } ++ pci_rc = ie31200_init_one(mci_pdev, &ie31200_pci_tbl[i]); ++ if (pci_rc < 0) { ++ edac_dbg(0, "ie31200 init fail\n"); ++ pci_rc = -ENODEV; ++ goto fail1; ++ } ++ } ++ return 0; ++ ++fail1: ++ pci_unregister_driver(&ie31200_driver); ++fail0: ++ pci_dev_put(mci_pdev); ++ ++ return pci_rc; + } + + static void __exit ie31200_exit(void) + { + edac_dbg(3, "MC:\n"); + pci_unregister_driver(&ie31200_driver); ++ if (!ie31200_registered) ++ ie31200_remove_one(mci_pdev); + } + + module_init(ie31200_init); +-- +2.25.1 + diff --git a/queue-4.14/epoll-keep-a-reference-on-files-added-to-the-check-l.patch b/queue-4.14/epoll-keep-a-reference-on-files-added-to-the-check-l.patch new file mode 100644 index 00000000000..860f1515a8c --- /dev/null +++ b/queue-4.14/epoll-keep-a-reference-on-files-added-to-the-check-l.patch 
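Review bot: In `ie31200_remove_one` the added `pci_dev_put(mci_pdev)` runs before `edac_mc_del_mc(&pdev->dev)` and without checking that `pdev` is the device the reference was taken on. On the fallback exit path `ie31200_exit` passes `mci_pdev` itself, so the teardown keeps using a device whose reference was just dropped. Moving the put to the end of the function, as `if (pdev == mci_pdev) { pci_dev_put(mci_pdev); mci_pdev = NULL; }`, avoids both; the early `return` when `mci` is NULL needs the same handling, and the rest of the function is outside the hunk. Separately, `ie31200_init` overwrites the error from `ie31200_init_one` with `-ENODEV`, which hides the real cause.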
@@ -0,0 +1,70 @@ +From d038880a5c13b3dc05c96f534f646873998538d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 17:12:17 +0100 +Subject: epoll: Keep a reference on files added to the check list + +From: Marc Zyngier + +commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682 upstream. + +When adding a new fd to an epoll, and that this new fd is an +epoll fd itself, we recursively scan the fds attached to it +to detect cycles, and add non-epool files to a "check list" +that gets subsequently parsed. + +However, this check list isn't completely safe when deletions +can happen concurrently. To sidestep the issue, make sure that +a struct file placed on the check list sees its f_count increased, +ensuring that a concurrent deletion won't result in the file +disapearing from under our feet. + +Cc: stable@vger.kernel.org +Signed-off-by: Marc Zyngier +Signed-off-by: Al Viro +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman +--- + fs/eventpoll.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index c291bf61afb9c..94f6c19dcf30a 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -1900,9 +1900,11 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests) + * not already there, and calling reverse_path_check() + * during ep_insert(). 
+ */ +- if (list_empty(&epi->ffd.file->f_tfile_llink)) ++ if (list_empty(&epi->ffd.file->f_tfile_llink)) { ++ get_file(epi->ffd.file); + list_add(&epi->ffd.file->f_tfile_llink, + &tfile_check_list); ++ } + } + } + mutex_unlock(&ep->mtx); +@@ -1946,6 +1948,7 @@ static void clear_tfile_check_list(void) + file = list_first_entry(&tfile_check_list, struct file, + f_tfile_llink); + list_del_init(&file->f_tfile_llink); ++ fput(file); + } + INIT_LIST_HEAD(&tfile_check_list); + } +@@ -2100,9 +2103,11 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd, + clear_tfile_check_list(); + goto error_tgt_fput; + } +- } else ++ } else { ++ get_file(tf.file); + list_add(&tf.file->f_tfile_llink, + &tfile_check_list); ++ } + mutex_lock_nested(&ep->mtx, 0); + if (is_file_epoll(tf.file)) { + tep = tf.file->private_data; +-- +2.25.1 + diff --git a/queue-4.14/ext4-fix-checking-of-directory-entry-validity-for-in.patch b/queue-4.14/ext4-fix-checking-of-directory-entry-validity-for-in.patch new file mode 100644 index 00000000000..5d9d1d5e2d1 --- /dev/null +++ b/queue-4.14/ext4-fix-checking-of-directory-entry-validity-for-in.patch 
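Review bot: In `ep_loop_check_proc` the new `get_file(epi->ffd.file)` assumes the file still has a non-zero `f_count`, but nothing in the hunk pins it and the commit message itself says deletions can run concurrently. If a file already committed to destruction can be reached here, `get_file()` would revive it and the `fput()` added to `clear_tfile_check_list` would release it a second time. A conditional acquire, `if (get_file_rcu(epi->ffd.file)) list_add(&epi->ffd.file->f_tfile_llink, &tfile_check_list);`, skips such files. This is inferred from the visible lines and should be checked against how `epi` holds its file; the function bodies continue outside the hunks.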
@@ -0,0 +1,60 @@ +From c79889720bbb267d42692ad58a7f6a1aea8e4aa8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jul 2020 18:21:35 +0200 +Subject: ext4: fix checking of directory entry validity for inline directories + +From: Jan Kara + +commit 7303cb5bfe845f7d43cd9b2dbd37dbb266efda9b upstream. + +ext4_search_dir() and ext4_generic_delete_entry() can be called both for +standard director blocks and for inline directories stored inside inode +or inline xattr space. For the second case we didn't call +ext4_check_dir_entry() with proper constraints that could result in +accepting corrupted directory entry as well as false positive filesystem +errors like: + +EXT4-fs error (device dm-0): ext4_search_dir:1395: inode #28320400: +block 113246792: comm dockerd: bad entry in directory: directory entry too +close to block end - offset=0, inode=28320403, rec_len=32, name_len=8, +size=4096 + +Fix the arguments passed to ext4_check_dir_entry(). + +Fixes: 109ba779d6cc ("ext4: check for directory entries too close to block end") +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20200731162135.8080-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/namei.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 161099f39ab9c..ed17edb31e22f 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -1308,8 +1308,8 @@ int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size, + ext4_match(fname, de)) { + /* found a match - just to be sure, do + * a full check */ +- if (ext4_check_dir_entry(dir, NULL, de, bh, bh->b_data, +- bh->b_size, offset)) ++ if (ext4_check_dir_entry(dir, NULL, de, bh, search_buf, ++ buf_size, offset)) + return -1; + *res_dir = de; + return 1; +@@ -2353,7 +2353,7 @@ int ext4_generic_delete_entry(handle_t *handle, + de = (struct ext4_dir_entry_2 *)entry_buf; + while (i < buf_size - csum_size) { + if 
(ext4_check_dir_entry(dir, NULL, de, bh, +- bh->b_data, bh->b_size, i)) ++ entry_buf, buf_size, i)) + return -EFSCORRUPTED; + if (de == de_del) { + if (pde) +-- +2.25.1 + diff --git a/queue-4.14/ext4-fix-potential-negative-array-index-in-do_split.patch b/queue-4.14/ext4-fix-potential-negative-array-index-in-do_split.patch new file mode 100644 index 00000000000..6b30ccacd3c --- /dev/null +++ b/queue-4.14/ext4-fix-potential-negative-array-index-in-do_split.patch 
@@ -0,0 +1,68 @@ +From 5c4fa6f17a46c4cf2ebb4c9bb0303fccfea753b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Jun 2020 14:19:04 -0500 +Subject: ext4: fix potential negative array index in do_split() + +From: Eric Sandeen + +[ Upstream commit 5872331b3d91820e14716632ebb56b1399b34fe1 ] + +If for any reason a directory passed to do_split() does not have enough +active entries to exceed half the size of the block, we can end up +iterating over all "count" entries without finding a split point. + +In this case, count == move, and split will be zero, and we will +attempt a negative index into map[]. + +Guard against this by detecting this case, and falling back to +split-to-half-of-count instead; in this case we will still have +plenty of space (> half blocksize) in each split block. + +Fixes: ef2b02d3e617 ("ext34: ensure do_split leaves enough free space in both blocks") +Signed-off-by: Eric Sandeen +Reviewed-by: Andreas Dilger +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/f53e246b-647c-64bb-16ec-135383c70ad7@redhat.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/namei.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index ed17edb31e22f..3f999053457b6 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -1741,7 +1741,7 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, + blocksize, hinfo, map); + map -= count; + dx_sort_map(map, count); +- /* Split the existing block in the middle, size-wise */ ++ /* Ensure that neither split block is over half full */ + size = 0; + move = 0; + for (i = count-1; i >= 0; i--) { +@@ -1751,8 +1751,18 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, + size += map[i].size; + move++; + } +- /* map index at which we will split */ +- split = count - move; ++ /* ++ * map index at which we will split ++ * ++ * If the sum of active entries didn't exceed 
half the block size, just ++ * split it in half by count; each resulting block will have at least ++ * half the space free. ++ */ ++ if (i > 0) ++ split = count - move; ++ else ++ split = count/2; ++ + hash2 = map[split].hash; + continued = hash2 == map[split - 1].hash; + dxtrace(printk(KERN_INFO "Split block %lu at %x, %i/%i\n", +-- +2.25.1 + diff --git a/queue-4.14/f2fs-fix-use-after-free-issue.patch b/queue-4.14/f2fs-fix-use-after-free-issue.patch new file mode 100644 index 00000000000..549dbd98902 --- /dev/null +++ b/queue-4.14/f2fs-fix-use-after-free-issue.patch @@ -0,0 +1,50 @@ +From c6b647d1593303b2343f64b7423377185b35fb68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 09:38:11 +0800 +Subject: f2fs: fix use-after-free issue + +From: Li Guifu + +[ Upstream commit 99c787cfd2bd04926f1f553b30bd7dcea2caaba1 ] + +During umount, f2fs_put_super() unregisters procfs entries after +f2fs_destroy_segment_manager(), it may cause use-after-free +issue when umount races with procfs accessing, fix it by relocating +f2fs_unregister_sysfs(). + +[Chao Yu: change commit title/message a bit] + +Signed-off-by: Li Guifu +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/super.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 89319c3524061..990339c538b0a 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -782,6 +782,9 @@ static void f2fs_put_super(struct super_block *sb) + struct f2fs_sb_info *sbi = F2FS_SB(sb); + int i; + ++ /* unregister procfs/sysfs entries in advance to avoid race case */ ++ f2fs_unregister_sysfs(sbi); ++ + f2fs_quota_off_umount(sb); + + /* prevent remaining shrinker jobs */ +@@ -834,8 +837,6 @@ static void f2fs_put_super(struct super_block *sb) + + kfree(sbi->ckpt); + +- f2fs_unregister_sysfs(sbi); +- + sb->s_fs_info = NULL; + if (sbi->s_chksum_driver) + crypto_free_shash(sbi->s_chksum_driver); +-- +2.25.1 + 
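Review bot: The fallback `split = count/2` in `do_split` still yields 0 when `count` is 1, and the next line reads `map[split - 1].hash`, which is the negative index this patch sets out to remove. Whether `count` can be that small depends on callers and on-disk state outside the hunk, but a corrupted directory block is the case worth guarding. Checking `split == 0` right after the assignment and failing with `-EFSCORRUPTED` through the function's existing error path would close it; at minimum add `/* split must be >= 1: map[split - 1] is read below */`.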
diff --git a/queue-4.14/hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch b/queue-4.14/hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch new file mode 100644 index 00000000000..1638f831778 --- /dev/null +++ b/queue-4.14/hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch @@ -0,0 +1,45 @@ +From 93c9d80475243c8768129d50edd386d2e391302b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 14:53:15 -0700 +Subject: hv_netvsc: Fix the queue_mapping in netvsc_vf_xmit() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Haiyang Zhang + +[ Upstream commit c3d897e01aef8ddc43149e4d661b86f823e3aae7 ] + +netvsc_vf_xmit() / dev_queue_xmit() will call VF NIC’s ndo_select_queue +or netdev_pick_tx() again. They will use skb_get_rx_queue() to get the +queue number, so the “skb->queue_mapping - 1” will be used. This may +cause the last queue of VF not been used. + +Use skb_record_rx_queue() here, so that the skb_get_rx_queue() called +later will get the correct queue number, and VF will be able to use +all queues. + +Fixes: b3bf5666a510 ("hv_netvsc: defer queue selection to VF") +Signed-off-by: Haiyang Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hyperv/netvsc_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c +index 10c3480c2da89..dbc6c9ed1c8f8 100644 +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -500,7 +500,7 @@ static int netvsc_vf_xmit(struct net_device *net, struct net_device *vf_netdev, + int rc; + + skb->dev = vf_netdev; +- skb->queue_mapping = qdisc_skb_cb(skb)->slave_dev_queue_mapping; ++ skb_record_rx_queue(skb, qdisc_skb_cb(skb)->slave_dev_queue_mapping); + + rc = dev_queue_xmit(skb); + if (likely(rc == NET_XMIT_SUCCESS || rc == NET_XMIT_CN)) { +-- +2.25.1 + 
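Review bot: Calling an RX helper on the transmit path in `netvsc_vf_xmit` reads like a mistake without the commit message at hand, and the code carries no explanation. A comment above the call would record the reason: `/* dev_queue_xmit() picks the VF queue via skb_get_rx_queue(), which subtracts 1; skb_record_rx_queue() stores mapping + 1 */`. The function continues outside the hunk.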
diff --git a/queue-4.14/i40e-fix-crash-during-removing-i40e-driver.patch b/queue-4.14/i40e-fix-crash-during-removing-i40e-driver.patch new file mode 100644 index 00000000000..3e78edc5a51 --- /dev/null +++ b/queue-4.14/i40e-fix-crash-during-removing-i40e-driver.patch 
@@ -0,0 +1,80 @@ +From 6df595adae5589f6d4e8a68ddba8483985292bbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 10:56:49 +0000 +Subject: i40e: Fix crash during removing i40e driver + +From: Grzegorz Szczurek + +[ Upstream commit 5b6d4a7f20b09c47ca598760f6dafd554af8b6d5 ] + +Fix the reason of crashing system by add waiting time to finish reset +recovery process before starting remove driver procedure. +Now VSI is releasing if VSI is not in reset recovery mode. +Without this fix it was possible to start remove driver if other +processing command need reset recovery procedure which resulted in +null pointer dereference. VSI used by the ethtool process has been +cleared by remove driver process. + +[ 6731.508665] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 6731.508668] #PF: supervisor read access in kernel mode +[ 6731.508670] #PF: error_code(0x0000) - not-present page +[ 6731.508671] PGD 0 P4D 0 +[ 6731.508674] Oops: 0000 [#1] SMP PTI +[ 6731.508679] Hardware name: Intel Corporation S2600WT2R/S2600WT2R, BIOS SE5C610.86B.01.01.0021.032120170601 03/21/2017 +[ 6731.508694] RIP: 0010:i40e_down+0x252/0x310 [i40e] +[ 6731.508696] Code: c7 78 de fa c0 e8 61 02 3a c1 66 83 bb f6 0c 00 00 00 0f 84 bf 00 00 00 45 31 e4 45 31 ff eb 03 41 89 c7 48 8b 83 98 0c 00 00 <4a> 8b 3c 20 e8 a5 79 02 00 48 83 bb d0 0c 00 00 00 74 10 48 8b 83 +[ 6731.508698] RSP: 0018:ffffb75ac7b3faf0 EFLAGS: 00010246 +[ 6731.508700] RAX: 0000000000000000 RBX: ffff9c9874bd5000 RCX: 0000000000000007 +[ 6731.508701] RDX: 0000000000000000 RSI: 0000000000000096 RDI: ffff9c987f4d9780 +[ 6731.508703] RBP: ffffb75ac7b3fb30 R08: 0000000000005b60 R09: 0000000000000004 +[ 6731.508704] R10: ffffb75ac64fbd90 R11: 0000000000000001 R12: 0000000000000000 +[ 6731.508706] R13: ffff9c97a08e0000 R14: ffff9c97a08e0a68 R15: 0000000000000000 +[ 6731.508708] FS: 00007f2617cd2740(0000) GS:ffff9c987f4c0000(0000) knlGS:0000000000000000 +[ 6731.508710] CS: 0010 DS: 0000 ES: 0000 CR0: 
0000000080050033 +[ 6731.508711] CR2: 0000000000000000 CR3: 0000001e765c4006 CR4: 00000000003606e0 +[ 6731.508713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 6731.508714] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 6731.508715] Call Trace: +[ 6731.508734] i40e_vsi_close+0x84/0x90 [i40e] +[ 6731.508742] i40e_quiesce_vsi.part.98+0x3c/0x40 [i40e] +[ 6731.508749] i40e_pf_quiesce_all_vsi+0x55/0x60 [i40e] +[ 6731.508757] i40e_prep_for_reset+0x59/0x130 [i40e] +[ 6731.508765] i40e_reconfig_rss_queues+0x5a/0x120 [i40e] +[ 6731.508774] i40e_set_channels+0xda/0x170 [i40e] +[ 6731.508778] ethtool_set_channels+0xe9/0x150 +[ 6731.508781] dev_ethtool+0x1b94/0x2920 +[ 6731.508805] dev_ioctl+0xc2/0x590 +[ 6731.508811] sock_do_ioctl+0xae/0x150 +[ 6731.508813] sock_ioctl+0x34f/0x3c0 +[ 6731.508821] ksys_ioctl+0x98/0xb0 +[ 6731.508828] __x64_sys_ioctl+0x1a/0x20 +[ 6731.508831] do_syscall_64+0x57/0x1c0 +[ 6731.508835] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 4b8164467b85 ("i40e: Add common function for finding VSI by type") +Signed-off-by: Grzegorz Szczurek +Signed-off-by: Arkadiusz Kubalewski +Tested-by: Aaron Brown +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index aa2b446d6ad0f..f4475cbf8ce86 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -11822,6 +11822,9 @@ static void i40e_remove(struct pci_dev *pdev) + i40e_write_rx_ctl(hw, I40E_PFQF_HENA(0), 0); + i40e_write_rx_ctl(hw, I40E_PFQF_HENA(1), 0); + ++ while (test_bit(__I40E_RESET_RECOVERY_PENDING, pf->state)) ++ usleep_range(1000, 2000); ++ + /* no more scheduling of any task */ + set_bit(__I40E_SUSPENDED, pf->state); + set_bit(__I40E_DOWN, pf->state); +-- +2.25.1 + 
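Review bot: The added `while (test_bit(__I40E_RESET_RECOVERY_PENDING, pf->state))` loop in `i40e_remove` only observes the bit, so a reset can start between the loop exit and the `set_bit(__I40E_SUSPENDED, pf->state)` that follows, and the wait has no upper bound if recovery never completes. Claiming the bit closes that window: `while (test_and_set_bit(__I40E_RESET_RECOVERY_PENDING, pf->state))`, provided the rest of the remove path, which is outside the hunk, tolerates the bit being held. A retry limit with a warning would keep a stuck reset from hanging driver removal indefinitely.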
diff --git a/queue-4.14/i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch b/queue-4.14/i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch new file mode 100644 index 00000000000..a16e9bffd05 --- /dev/null +++ b/queue-4.14/i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch 
@@ -0,0 +1,114 @@ +From a8393d89e49a3dde8afa3b3c89c35b25e3ab6a67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 13:40:59 +0000 +Subject: i40e: Set RX_ONLY mode for unicast promiscuous on VLAN + +From: Przemyslaw Patynowski + +[ Upstream commit 4bd5e02a2ed1575c2f65bd3c557a077dd399f0e8 ] + +Trusted VF with unicast promiscuous mode set, could listen to TX +traffic of other VFs. +Set unicast promiscuous mode to RX traffic, if VSI has port VLAN +configured. Rename misleading I40E_AQC_SET_VSI_PROMISC_TX bit to +I40E_AQC_SET_VSI_PROMISC_RX_ONLY. Aligned unicast promiscuous with +VLAN to the one without VLAN. + +Fixes: 6c41a7606967 ("i40e: Add promiscuous on VLAN support") +Fixes: 3b1200891b7f ("i40e: When in promisc mode apply promisc mode to Tx Traffic as well") +Signed-off-by: Przemyslaw Patynowski +Signed-off-by: Aleksandr Loktionov +Signed-off-by: Arkadiusz Kubalewski +Tested-by: Andrew Bowers +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + .../net/ethernet/intel/i40e/i40e_adminq_cmd.h | 2 +- + drivers/net/ethernet/intel/i40e/i40e_common.c | 35 ++++++++++++++----- + 2 files changed, 28 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h +index 5d5f422cbae55..f82da2b47d9a5 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h +@@ -1175,7 +1175,7 @@ struct i40e_aqc_set_vsi_promiscuous_modes { + #define I40E_AQC_SET_VSI_PROMISC_BROADCAST 0x04 + #define I40E_AQC_SET_VSI_DEFAULT 0x08 + #define I40E_AQC_SET_VSI_PROMISC_VLAN 0x10 +-#define I40E_AQC_SET_VSI_PROMISC_TX 0x8000 ++#define I40E_AQC_SET_VSI_PROMISC_RX_ONLY 0x8000 + __le16 seid; + #define I40E_AQC_VSI_PROM_CMD_SEID_MASK 0x3FF + __le16 vlan_tag; +diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c +index 111426ba5fbce..3fd2dfaf2bd53 100644 +--- 
a/drivers/net/ethernet/intel/i40e/i40e_common.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_common.c +@@ -1914,6 +1914,21 @@ i40e_status i40e_aq_set_phy_debug(struct i40e_hw *hw, u8 cmd_flags, + return status; + } + ++/** ++ * i40e_is_aq_api_ver_ge ++ * @aq: pointer to AdminQ info containing HW API version to compare ++ * @maj: API major value ++ * @min: API minor value ++ * ++ * Assert whether current HW API version is greater/equal than provided. ++ **/ ++static bool i40e_is_aq_api_ver_ge(struct i40e_adminq_info *aq, u16 maj, ++ u16 min) ++{ ++ return (aq->api_maj_ver > maj || ++ (aq->api_maj_ver == maj && aq->api_min_ver >= min)); ++} ++ + /** + * i40e_aq_add_vsi + * @hw: pointer to the hw struct +@@ -2039,18 +2054,16 @@ i40e_status i40e_aq_set_vsi_unicast_promiscuous(struct i40e_hw *hw, + + if (set) { + flags |= I40E_AQC_SET_VSI_PROMISC_UNICAST; +- if (rx_only_promisc && +- (((hw->aq.api_maj_ver == 1) && (hw->aq.api_min_ver >= 5)) || +- (hw->aq.api_maj_ver > 1))) +- flags |= I40E_AQC_SET_VSI_PROMISC_TX; ++ if (rx_only_promisc && i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)) ++ flags |= I40E_AQC_SET_VSI_PROMISC_RX_ONLY; + } + + cmd->promiscuous_flags = cpu_to_le16(flags); + + cmd->valid_flags = cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_UNICAST); +- if (((hw->aq.api_maj_ver >= 1) && (hw->aq.api_min_ver >= 5)) || +- (hw->aq.api_maj_ver > 1)) +- cmd->valid_flags |= cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_TX); ++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)) ++ cmd->valid_flags |= ++ cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_RX_ONLY); + + cmd->seid = cpu_to_le16(seid); + status = i40e_asq_send_command(hw, &desc, NULL, 0, cmd_details); +@@ -2147,11 +2160,17 @@ enum i40e_status_code i40e_aq_set_vsi_uc_promisc_on_vlan(struct i40e_hw *hw, + i40e_fill_default_direct_cmd_desc(&desc, + i40e_aqc_opc_set_vsi_promiscuous_modes); + +- if (enable) ++ if (enable) { + flags |= I40E_AQC_SET_VSI_PROMISC_UNICAST; ++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)) ++ flags |= I40E_AQC_SET_VSI_PROMISC_RX_ONLY; ++ } 
+ + cmd->promiscuous_flags = cpu_to_le16(flags); + cmd->valid_flags = cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_UNICAST); ++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)) ++ cmd->valid_flags |= ++ cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_RX_ONLY); + cmd->seid = cpu_to_le16(seid); + cmd->vlan_tag = cpu_to_le16(vid | I40E_AQC_SET_VSI_VLAN_VALID); + +-- +2.25.1 + diff --git a/queue-4.14/input-psmouse-add-a-newline-when-printing-proto-by-s.patch b/queue-4.14/input-psmouse-add-a-newline-when-printing-proto-by-s.patch new file mode 100644 index 00000000000..aad4c226994 --- /dev/null +++ b/queue-4.14/input-psmouse-add-a-newline-when-printing-proto-by-s.patch @@ -0,0 +1,39 @@ +From e4e836f19bb71e825aa072530c7652ff158dbbbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jul 2020 22:24:07 -0700 +Subject: Input: psmouse - add a newline when printing 'proto' by sysfs + +From: Xiongfeng Wang + +[ Upstream commit 4aec14de3a15cf9789a0e19c847f164776f49473 ] + +When I cat parameter 'proto' by sysfs, it displays as follows. It's +better to add a newline for easy reading. + +root@syzkaller:~# cat /sys/module/psmouse/parameters/proto +autoroot@syzkaller:~# + +Signed-off-by: Xiongfeng Wang +Link: https://lore.kernel.org/r/20200720073846.120724-1-wangxiongfeng2@huawei.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/mouse/psmouse-base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/mouse/psmouse-base.c b/drivers/input/mouse/psmouse-base.c +index 8ac9e03c05b45..ca8f726dab2e7 100644 +--- a/drivers/input/mouse/psmouse-base.c ++++ b/drivers/input/mouse/psmouse-base.c +@@ -2012,7 +2012,7 @@ static int psmouse_get_maxproto(char *buffer, const struct kernel_param *kp) + { + int type = *((unsigned int *)kp->arg); + +- return sprintf(buffer, "%s", psmouse_protocol_by_type(type)->name); ++ return sprintf(buffer, "%s\n", psmouse_protocol_by_type(type)->name); + } + + static int __init psmouse_init(void) +-- +2.25.1 + 
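Review bot: In `i40e_aq_set_vsi_uc_promisc_on_vlan()` the RX-only restriction is applied only when `i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)` holds, so on firmware reporting an older AdminQ API the port-VLAN path still enables unicast promiscuous mode without it, and nothing records that. If the cross-VF TX visibility described in the commit message also exists on those older API versions (not shown here), a one-time log message or a comment such as `/* API < 1.5 cannot restrict promiscuous mode to RX; TX of other VFs may still be visible */` would make the residual exposure auditable. The new helper only reads `aq`, so its parameter could be `const struct i40e_adminq_info *aq`. Both callers' bodies extend beyond the hunks.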
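Review bot: `psmouse_get_maxproto()` formats into `buffer` with an unbounded `sprintf()`; the protocol names are short today, but a bounded call keeps the getter safe if a longer name is ever added: `return scnprintf(buffer, PAGE_SIZE, "%s\n", psmouse_protocol_by_type(type)->name);`. This assumes the module-parameter getter receives the usual page-sized sysfs buffer, which is not visible in the hunk. The result of `psmouse_protocol_by_type(type)` is also dereferenced unchecked, so it is worth confirming that the helper never returns NULL for a value accepted by the matching setter.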
diff --git a/queue-4.14/iommu-iova-don-t-bug-on-invalid-pfns.patch b/queue-4.14/iommu-iova-don-t-bug-on-invalid-pfns.patch
new file mode 100644
index 00000000000..602a656162e
--- /dev/null
+++ b/queue-4.14/iommu-iova-don-t-bug-on-invalid-pfns.patch
@@ -0,0 +1,50 @@ +From e0171c8b499fcc36d4a9d34751b47aa026605ab9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2020 14:08:18 +0100 +Subject: iommu/iova: Don't BUG on invalid PFNs + +From: Robin Murphy + +[ Upstream commit d3e3d2be688b4b5864538de61e750721a311e4fc ] + +Unlike the other instances which represent a complete loss of +consistency within the rcache mechanism itself, or a fundamental +and obvious misconfiguration by an IOMMU driver, the BUG_ON() in +iova_magazine_free_pfns() can be provoked at more or less any time +in a "spooky action-at-a-distance" manner by any old device driver +passing nonsense to dma_unmap_*() which then propagates through to +queue_iova(). + +Not only is this well outside the IOVA layer's control, it's also +nowhere near fatal enough to justify panicking anyway - all that +really achieves is to make debugging the offending driver more +difficult. Let's simply WARN and otherwise ignore bogus PFNs. + +Reported-by: Prakash Gupta +Signed-off-by: Robin Murphy +Reviewed-by: Prakash Gupta +Link: https://lore.kernel.org/r/acbd2d092b42738a03a21b417ce64e27f8c91c86.1591103298.git.robin.murphy@arm.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/iova.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c +index 4edf65dbbcab5..2c97d2552c5bd 100644 +--- a/drivers/iommu/iova.c ++++ b/drivers/iommu/iova.c +@@ -845,7 +845,9 @@ iova_magazine_free_pfns(struct iova_magazine *mag, struct iova_domain *iovad) + for (i = 0 ; i < mag->size; ++i) { + struct iova *iova = private_find_iova(iovad, mag->pfns[i]); + +- BUG_ON(!iova); ++ if (WARN_ON(!iova)) ++ continue; ++ + private_free_iova(iovad, iova); + } + +-- +2.25.1 + diff --git a/queue-4.14/jbd2-add-the-missing-unlock_buffer-in-the-error-path.patch b/queue-4.14/jbd2-add-the-missing-unlock_buffer-in-the-error-path.patch new file mode 100644 index 00000000000..a3dd8abd932 --- /dev/null 
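Review bot: The new `if (WARN_ON(!iova)) continue;` in `iova_magazine_free_pfns()` sits inside the per-entry loop, so a magazine full of bogus PFNs produces one backtrace per entry, and on systems booted with `panic_on_warn` the first one is still fatal. Since the commit message says any driver passing nonsense to dma_unmap_*() can trigger this, `if (WARN_ON_ONCE(!iova)) continue;` would bound the log noise. A short comment such as `/* bogus PFN handed in by a driver via queue_iova(); skip it rather than take the system down */` would also explain why the entry is dropped. The function body starts and ends outside the hunk.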
+++ b/queue-4.14/jbd2-add-the-missing-unlock_buffer-in-the-error-path.patch @@ -0,0 +1,44 @@ +From 98663c355b7b1e2ebc089cb2d88d00244f8803b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Jun 2020 14:19:48 +0800 +Subject: jbd2: add the missing unlock_buffer() in the error path of + jbd2_write_superblock() + +From: zhangyi (F) + +commit ef3f5830b859604eda8723c26d90ab23edc027a4 upstream. + +jbd2_write_superblock() is under the buffer lock of journal superblock +before ending that superblock write, so add a missing unlock_buffer() in +in the error path before submitting buffer. + +Fixes: 742b06b5628f ("jbd2: check superblock mapped prior to committing") +Signed-off-by: zhangyi (F) +Reviewed-by: Ritesh Harjani +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20200620061948.2049579-1-yi.zhang@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/journal.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c +index 6e054b368b5fe..93a466cf58ba7 100644 +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -1356,8 +1356,10 @@ static int jbd2_write_superblock(journal_t *journal, int write_flags) + int ret; + + /* Buffer got discarded which means block device got invalidated */ +- if (!buffer_mapped(bh)) ++ if (!buffer_mapped(bh)) { ++ unlock_buffer(bh); + return -EIO; ++ } + + trace_jbd2_write_superblock(journal, write_flags); + if (!(journal->j_flags & JBD2_BARRIER)) +-- +2.25.1 + diff --git a/queue-4.14/jffs2-fix-uaf-problem.patch b/queue-4.14/jffs2-fix-uaf-problem.patch new file mode 100644 index 00000000000..be8d499215c --- /dev/null +++ b/queue-4.14/jffs2-fix-uaf-problem.patch 
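Review bot: The added `unlock_buffer(bh)` in the `!buffer_mapped(bh)` branch has no matching `lock_buffer()` anywhere in the hunk, so its correctness depends on where this 4.14 tree takes the lock. The commit message states that jbd2_write_superblock() already runs under the superblock buffer lock; if this branch instead locks the buffer inside the function after the check (not visible here), the new call would release a lock that is not held. That is worth confirming against the 4.14 source before queuing, and a comment like `/* bh is locked on entry; drop the lock on the early exit */` would record the assumption. The function body continues past the hunk.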
@@ -0,0 +1,80 @@ +From 58fe80de72143ab2519d6ebcf8d06c79c6472fdf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jun 2020 17:06:35 +0800 +Subject: jffs2: fix UAF problem + +From: Zhe Li + +[ Upstream commit 798b7347e4f29553db4b996393caf12f5b233daf ] + +The log of UAF problem is listed below. +BUG: KASAN: use-after-free in jffs2_rmdir+0xa4/0x1cc [jffs2] at addr c1f165fc +Read of size 4 by task rm/8283 +============================================================================= +BUG kmalloc-32 (Tainted: P B O ): kasan: bad access detected +----------------------------------------------------------------------------- + +INFO: Allocated in 0xbbbbbbbb age=3054364 cpu=0 pid=0 + 0xb0bba6ef + jffs2_write_dirent+0x11c/0x9c8 [jffs2] + __slab_alloc.isra.21.constprop.25+0x2c/0x44 + __kmalloc+0x1dc/0x370 + jffs2_write_dirent+0x11c/0x9c8 [jffs2] + jffs2_do_unlink+0x328/0x5fc [jffs2] + jffs2_rmdir+0x110/0x1cc [jffs2] + vfs_rmdir+0x180/0x268 + do_rmdir+0x2cc/0x300 + ret_from_syscall+0x0/0x3c +INFO: Freed in 0x205b age=3054364 cpu=0 pid=0 + 0x2e9173 + jffs2_add_fd_to_list+0x138/0x1dc [jffs2] + jffs2_add_fd_to_list+0x138/0x1dc [jffs2] + jffs2_garbage_collect_dirent.isra.3+0x21c/0x288 [jffs2] + jffs2_garbage_collect_live+0x16bc/0x1800 [jffs2] + jffs2_garbage_collect_pass+0x678/0x11d4 [jffs2] + jffs2_garbage_collect_thread+0x1e8/0x3b0 [jffs2] + kthread+0x1a8/0x1b0 + ret_from_kernel_thread+0x5c/0x64 +Call Trace: +[c17ddd20] [c02452d4] kasan_report.part.0+0x298/0x72c (unreliable) +[c17ddda0] [d2509680] jffs2_rmdir+0xa4/0x1cc [jffs2] +[c17dddd0] [c026da04] vfs_rmdir+0x180/0x268 +[c17dde00] [c026f4e4] do_rmdir+0x2cc/0x300 +[c17ddf40] [c001a658] ret_from_syscall+0x0/0x3c + +The root cause is that we don't get "jffs2_inode_info.sem" before +we scan list "jffs2_inode_info.dents" in function jffs2_rmdir. +This patch add codes to get "jffs2_inode_info.sem" before we scan +"jffs2_inode_info.dents" to slove the UAF problem. 
+ +Signed-off-by: Zhe Li +Reviewed-by: Hou Tao +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/jffs2/dir.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/jffs2/dir.c b/fs/jffs2/dir.c +index e5a6deb38e1e1..f4a5ec92f5dc7 100644 +--- a/fs/jffs2/dir.c ++++ b/fs/jffs2/dir.c +@@ -590,10 +590,14 @@ static int jffs2_rmdir (struct inode *dir_i, struct dentry *dentry) + int ret; + uint32_t now = get_seconds(); + ++ mutex_lock(&f->sem); + for (fd = f->dents ; fd; fd = fd->next) { +- if (fd->ino) ++ if (fd->ino) { ++ mutex_unlock(&f->sem); + return -ENOTEMPTY; ++ } + } ++ mutex_unlock(&f->sem); + + ret = jffs2_do_unlink(c, dir_f, dentry->d_name.name, + dentry->d_name.len, f, now); +-- +2.25.1 + diff --git a/queue-4.14/kernel-relay.c-fix-memleak-on-destroy-relay-channel.patch b/queue-4.14/kernel-relay.c-fix-memleak-on-destroy-relay-channel.patch new file mode 100644 index 00000000000..08120a901f2 --- /dev/null +++ b/queue-4.14/kernel-relay.c-fix-memleak-on-destroy-relay-channel.patch 
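Review bot: The scan in `jffs2_rmdir()` takes `f->sem` without saying what it protects against; a comment above `mutex_lock(&f->sem)` such as `/* f->sem keeps the GC thread from freeing dirents on f->dents while we walk the list */` would capture the reason given in the commit message. The lock is released before `jffs2_do_unlink()` runs, so the emptiness result relies on something else excluding new entries in between (presumably the VFS directory lock, which is not visible here). The two `mutex_unlock()` sites could also be reduced to one by breaking out of the loop with a flag, which makes the lock pairing easier to audit. The function continues outside the hunk.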
@@ -0,0 +1,69 @@ +From 24bf8b16f00781ebbf369484bb4b0a84a0733ed6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 17:42:14 -0700 +Subject: kernel/relay.c: fix memleak on destroy relay channel + +From: Wei Yongjun + +commit 71e843295c680898959b22dc877ae3839cc22470 upstream. + +kmemleak report memory leak as follows: + + unreferenced object 0x607ee4e5f948 (size 8): + comm "syz-executor.1", pid 2098, jiffies 4295031601 (age 288.468s) + hex dump (first 8 bytes): + 00 00 00 00 00 00 00 00 ........ + backtrace: + relay_open kernel/relay.c:583 [inline] + relay_open+0xb6/0x970 kernel/relay.c:563 + do_blk_trace_setup+0x4a8/0xb20 kernel/trace/blktrace.c:557 + __blk_trace_setup+0xb6/0x150 kernel/trace/blktrace.c:597 + blk_trace_ioctl+0x146/0x280 kernel/trace/blktrace.c:738 + blkdev_ioctl+0xb2/0x6a0 block/ioctl.c:613 + block_ioctl+0xe5/0x120 fs/block_dev.c:1871 + vfs_ioctl fs/ioctl.c:48 [inline] + __do_sys_ioctl fs/ioctl.c:753 [inline] + __se_sys_ioctl fs/ioctl.c:739 [inline] + __x64_sys_ioctl+0x170/0x1ce fs/ioctl.c:739 + do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +'chan->buf' is malloced in relay_open() by alloc_percpu() but not free +while destroy the relay channel. Fix it by adding free_percpu() before +return from relay_destroy_channel(). 
+ +Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers") +Reported-by: Hulk Robot +Signed-off-by: Wei Yongjun +Signed-off-by: Andrew Morton +Reviewed-by: Chris Wilson +Cc: Al Viro +Cc: Michael Ellerman +Cc: David Rientjes +Cc: Michel Lespinasse +Cc: Daniel Axtens +Cc: Thomas Gleixner +Cc: Akash Goel +Cc: +Link: http://lkml.kernel.org/r/20200817122826.48518-1-weiyongjun1@huawei.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + kernel/relay.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/relay.c b/kernel/relay.c +index b141ce697679f..53c2a1a4b057f 100644 +--- a/kernel/relay.c ++++ b/kernel/relay.c +@@ -196,6 +196,7 @@ free_buf: + static void relay_destroy_channel(struct kref *kref) + { + struct rchan *chan = container_of(kref, struct rchan, kref); ++ free_percpu(chan->buf); + kfree(chan); + } + +-- +2.25.1 + diff --git a/queue-4.14/khugepaged-adjust-vm_bug_on_mm-in-__khugepaged_enter.patch b/queue-4.14/khugepaged-adjust-vm_bug_on_mm-in-__khugepaged_enter.patch new file mode 100644 index 00000000000..bde799149d9 --- /dev/null +++ b/queue-4.14/khugepaged-adjust-vm_bug_on_mm-in-__khugepaged_enter.patch 
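Review bot: In `relay_destroy_channel()` the new `free_percpu(chan->buf);` follows the declaration with no blank line, which kernel coding style expects between declarations and statements. The call frees the per-CPU pointer array that the commit message says relay_open() allocates with alloc_percpu(), not the buffers those pointers refer to, so a comment like `/* frees the per-CPU pointer array from relay_open(); the buffers must already be gone */` would state the precondition. That precondition is assumed here, because the buffer teardown is outside the hunk and should be confirmed.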
@@ -0,0 +1,51 @@
+From 8e9dd098b36088c5f349aa17f3fe8136ee249ab1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Aug 2020 17:42:02 -0700
+Subject: khugepaged: adjust VM_BUG_ON_MM() in __khugepaged_enter()
+
+From: Hugh Dickins
+
+[ Upstream commit f3f99d63a8156c7a4a6b20aac22b53c5579c7dc1 ]
+
+syzbot crashes on the VM_BUG_ON_MM(khugepaged_test_exit(mm), mm) in
+__khugepaged_enter(): yes, when one thread is about to dump core, has set
+core_state, and is waiting for others, another might do something calling
+__khugepaged_enter(), which now crashes because I lumped the core_state
+test (known as "mmget_still_valid") into khugepaged_test_exit(). I still
+think it's best to lump them together, so just in this exceptional case,
+check mm->mm_users directly instead of khugepaged_test_exit().
+
+Fixes: bbe98f9cadff ("khugepaged: khugepaged_test_exit() check mmget_still_valid()")
+Reported-by: syzbot
+Signed-off-by: Hugh Dickins
+Signed-off-by: Andrew Morton
+Acked-by: Yang Shi
+Cc: "Kirill A. Shutemov"
+Cc: Andrea Arcangeli
+Cc: Song Liu
+Cc: Mike Kravetz
+Cc: Eric Dumazet
+Cc: [4.8+]
+Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008141503370.18085@eggly.anvils
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/khugepaged.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index a1b7475c05d04..9dfe364d4c0d1 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -407,7 +407,7 @@ int __khugepaged_enter(struct mm_struct *mm)
+ return -ENOMEM;
+
+ /* __khugepaged_exit() must not run from under us */
+- VM_BUG_ON_MM(khugepaged_test_exit(mm), mm);
++ VM_BUG_ON_MM(atomic_read(&mm->mm_users) == 0, mm);
+ if (unlikely(test_and_set_bit(MMF_VM_HUGEPAGE, &mm->flags))) {
+ free_mm_slot(mm_slot);
+ return 0;
+--
+2.25.1
+
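Review bot: The comment above the changed assertion in `__khugepaged_enter()` still only says `__khugepaged_exit() must not run from under us`, which no longer explains why this one site open-codes the `mm_users` test instead of calling `khugepaged_test_exit()`. Extending it, e.g. `/* __khugepaged_exit() must not run from under us; khugepaged_test_exit() also fires during core dump, so test mm_users directly */`, would stop a later cleanup from folding the helper back in and reintroducing the crash described in the commit message. The function body extends beyond the hunk.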
diff --git a/queue-4.14/khugepaged-khugepaged_test_exit-check-mmget_still_va.patch b/queue-4.14/khugepaged-khugepaged_test_exit-check-mmget_still_va.patch
new file mode 100644
index 00000000000..1ad7167c9b2
--- /dev/null
+++ b/queue-4.14/khugepaged-khugepaged_test_exit-check-mmget_still_va.patch
@@ -0,0 +1,60 @@ +From 1490b4a5fd5b259b68c6fd44a20cea6d0601cb61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 23:26:25 -0700 +Subject: khugepaged: khugepaged_test_exit() check mmget_still_valid() + +From: Hugh Dickins + +[ Upstream commit bbe98f9cadff58cdd6a4acaeba0efa8565dabe65 ] + +Move collapse_huge_page()'s mmget_still_valid() check into +khugepaged_test_exit() itself. collapse_huge_page() is used for anon THP +only, and earned its mmget_still_valid() check because it inserts a huge +pmd entry in place of the page table's pmd entry; whereas +collapse_file()'s retract_page_tables() or collapse_pte_mapped_thp() +merely clears the page table's pmd entry. But core dumping without mmap +lock must have been as open to mistaking a racily cleared pmd entry for a +page table at physical page 0, as exit_mmap() was. And we certainly have +no interest in mapping as a THP once dumping core. + +Fixes: 59ea6d06cfa9 ("coredump: fix race condition between collapse_huge_page() and core dumping") +Signed-off-by: Hugh Dickins +Signed-off-by: Andrew Morton +Cc: Andrea Arcangeli +Cc: Song Liu +Cc: Mike Kravetz +Cc: Kirill A. Shutemov +Cc: [4.8+] +Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008021217020.27773@eggly.anvils +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/khugepaged.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/mm/khugepaged.c b/mm/khugepaged.c +index 04b4c38d0c184..a1b7475c05d04 100644 +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -394,7 +394,7 @@ static void insert_to_mm_slots_hash(struct mm_struct *mm, + + static inline int khugepaged_test_exit(struct mm_struct *mm) + { +- return atomic_read(&mm->mm_users) == 0; ++ return atomic_read(&mm->mm_users) == 0 || !mmget_still_valid(mm); + } + + int __khugepaged_enter(struct mm_struct *mm) +@@ -1006,9 +1006,6 @@ static void collapse_huge_page(struct mm_struct *mm, + * handled by the anon_vma lock + PG_lock. 
+ */ + down_write(&mm->mmap_sem); +- result = SCAN_ANY_PROCESS; +- if (!mmget_still_valid(mm)) +- goto out; + result = hugepage_vma_revalidate(mm, address, &vma); + if (result) + goto out; +-- +2.25.1 + diff --git a/queue-4.14/kvm-arm-arm64-don-t-reschedule-in-unmap_stage2_range.patch b/queue-4.14/kvm-arm-arm64-don-t-reschedule-in-unmap_stage2_range.patch new file mode 100644 index 00000000000..0c1d46fa119 --- /dev/null +++ b/queue-4.14/kvm-arm-arm64-don-t-reschedule-in-unmap_stage2_range.patch 
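Review bot: `khugepaged_test_exit()` now returns true in two different situations (no users left, or `mmget_still_valid()` failing), but the helper carries no comment, and any caller that uses it inside an assertion can now trip for the second reason. A line such as `/* true when the mm has no users left or mmget_still_valid() fails (core dump under way) */` above the helper would document the widened meaning. In `collapse_huge_page()` the explicit check after `down_write(&mm->mmap_sem)` is removed, so that case is only caught if `hugepage_vma_revalidate()` calls the helper; that is outside the hunk and should be confirmed for this 4.14 tree.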
@@ -0,0 +1,50 @@
+From e755100091db3549d3f9d31ed0ba9136d311ac1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 24 Aug 2020 12:29:54 +0100
+Subject: KVM: arm/arm64: Don't reschedule in unmap_stage2_range()
+
+From: Will Deacon
+
+Upstream commits fdfe7cbd5880 ("KVM: Pass MMU notifier range flags to
+kvm_unmap_hva_range()") and b5331379bc62 ("KVM: arm64: Only reschedule
+if MMU_NOTIFIER_RANGE_BLOCKABLE is not set") fix a "sleeping from invalid
+context" BUG caused by unmap_stage2_range() attempting to reschedule when
+called on the OOM path.
+
+Unfortunately, these patches rely on the MMU notifier callback being
+passed knowledge about whether or not blocking is permitted, which was
+introduced in 4.19. Rather than backport this considerable amount of
+infrastructure just for KVM on arm, instead just remove the conditional
+reschedule.
+
+Cc: # v4.14 only
+Cc: Marc Zyngier
+Cc: Suzuki K Poulose
+Cc: James Morse
+Signed-off-by: Will Deacon
+Acked-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+---
+ virt/kvm/arm/mmu.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/virt/kvm/arm/mmu.c b/virt/kvm/arm/mmu.c
+index 3814cdad643a5..7fe673248e984 100644
+--- a/virt/kvm/arm/mmu.c
++++ b/virt/kvm/arm/mmu.c
+@@ -307,12 +307,6 @@ static void unmap_stage2_range(struct kvm *kvm, phys_addr_t start, u64 size)
+ next = stage2_pgd_addr_end(addr, end);
+ if (!stage2_pgd_none(*pgd))
+ unmap_stage2_puds(kvm, pgd, addr, next);
+- /*
+- * If the range is too large, release the kvm->mmu_lock
+- * to prevent starvation and lockup detector warnings.
+- */
+- if (next != end)
+- cond_resched_lock(&kvm->mmu_lock);
+ } while (pgd++, addr = next, addr != end);
+ }
+
+--
+2.25.1
+
diff --git a/queue-4.14/locking-lockdep-fix-overflow-in-presentation-of-aver.patch b/queue-4.14/locking-lockdep-fix-overflow-in-presentation-of-aver.patch
new file mode 100644
index 00000000000..1d69de86a07
--- /dev/null
+++ b/queue-4.14/locking-lockdep-fix-overflow-in-presentation-of-aver.patch
@@ -0,0 +1,42 @@
+From 787158f092497f74c28b77956405f940a19de0f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 25 Jul 2020 19:51:10 +0100
+Subject: locking/lockdep: Fix overflow in presentation of average lock-time
+
+From: Chris Wilson
+
+[ Upstream commit a7ef9b28aa8d72a1656fa6f0a01bbd1493886317 ]
+
+Though the number of lock-acquisitions is tracked as unsigned long, this
+is passed as the divisor to div_s64() which interprets it as a s32,
+giving nonsense values with more than 2 billion acquisitons. E.g.
+
+ acquisitions holdtime-min holdtime-max holdtime-total holdtime-avg
+ -------------------------------------------------------------------------
+ 2350439395 0.07 353.38 649647067.36 0.-32
+
+Signed-off-by: Chris Wilson
+Signed-off-by: Ingo Molnar
+Cc: Peter Zijlstra
+Link: https://lore.kernel.org/r/20200725185110.11588-1-chris@chris-wilson.co.uk
+Signed-off-by: Sasha Levin
+---
+ kernel/locking/lockdep_proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/locking/lockdep_proc.c b/kernel/locking/lockdep_proc.c
+index 8b2ef15e35524..06c02cd0ff577 100644
+--- a/kernel/locking/lockdep_proc.c
++++ b/kernel/locking/lockdep_proc.c
+@@ -430,7 +430,7 @@ static void seq_lock_time(struct seq_file *m, struct lock_time *lt)
+ seq_time(m, lt->min);
+ seq_time(m, lt->max);
+ seq_time(m, lt->total);
+- seq_time(m, lt->nr ? div_s64(lt->total, lt->nr) : 0);
++ seq_time(m, lt->nr ? div64_u64(lt->total, lt->nr) : 0);
+ }
+
+ static void seq_stats(struct seq_file *m, struct lock_stat_data *data)
+--
+2.25.1
+
diff --git a/queue-4.14/m68knommu-fix-overwriting-of-bits-in-coldfire-v3-cac.patch b/queue-4.14/m68knommu-fix-overwriting-of-bits-in-coldfire-v3-cac.patch
new file mode 100644
index 00000000000..d2ec8112b32
--- /dev/null
+++ b/queue-4.14/m68knommu-fix-overwriting-of-bits-in-coldfire-v3-cac.patch
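Review bot: `div64_u64(lt->total, lt->nr)` in `seq_lock_time()` treats both operands as unsigned, so if `lt->total` is a signed 64-bit field (its declaration is outside the hunk, though the old `div_s64()` call suggests it is), a negative total would be presented as a huge average rather than a negative one. `seq_time(m, lt->nr ? div64_s64(lt->total, lt->nr) : 0);` keeps the sign while still taking a 64-bit divisor. If the total can never go negative, a brief comment saying so next to the call would be enough.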
@@ -0,0 +1,52 @@ +From dadd1be105bd1393b7e8f3bf9579b20329b88991 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 17:17:52 +1000 +Subject: m68knommu: fix overwriting of bits in ColdFire V3 cache control + +From: Greg Ungerer + +[ Upstream commit bdee0e793cea10c516ff48bf3ebb4ef1820a116b ] + +The Cache Control Register (CACR) of the ColdFire V3 has bits that +control high level caching functions, and also enable/disable the use +of the alternate stack pointer register (the EUSP bit) to provide +separate supervisor and user stack pointer registers. The code as +it is today will blindly clear the EUSP bit on cache actions like +invalidation. So it is broken for this case - and that will result +in failed booting (interrupt entry and exit processing will be +completely hosed). + +This only affects ColdFire V3 parts that support the alternate stack +register (like the 5329 for example) - generally speaking new parts do, +older parts don't. It has no impact on ColdFire V3 parts with the single +stack pointer, like the 5307 for example. + +Fix the cache bit defines used, so they maintain the EUSP bit when +carrying out cache actions through the CACR register. + +Signed-off-by: Greg Ungerer +Signed-off-by: Sasha Levin +--- + arch/m68k/include/asm/m53xxacr.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/m68k/include/asm/m53xxacr.h b/arch/m68k/include/asm/m53xxacr.h +index 9138a624c5c81..692f90e7fecc1 100644 +--- a/arch/m68k/include/asm/m53xxacr.h ++++ b/arch/m68k/include/asm/m53xxacr.h +@@ -89,9 +89,9 @@ + * coherency though in all cases. And for copyback caches we will need + * to push cached data as well. 
+ */ +-#define CACHE_INIT CACR_CINVA +-#define CACHE_INVALIDATE CACR_CINVA +-#define CACHE_INVALIDATED CACR_CINVA ++#define CACHE_INIT (CACHE_MODE + CACR_CINVA - CACR_EC) ++#define CACHE_INVALIDATE (CACHE_MODE + CACR_CINVA) ++#define CACHE_INVALIDATED (CACHE_MODE + CACR_CINVA) + + #define ACR0_MODE ((CONFIG_RAMBASE & 0xff000000) + \ + (0x000f0000) + \ +-- +2.25.1 + diff --git a/queue-4.14/media-budget-core-improve-exception-handling-in-budg.patch b/queue-4.14/media-budget-core-improve-exception-handling-in-budg.patch new file mode 100644 index 00000000000..682960a4cb6 --- /dev/null +++ b/queue-4.14/media-budget-core-improve-exception-handling-in-budg.patch 
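Review bot: The new `CACHE_INIT` definition `(CACHE_MODE + CACR_CINVA - CACR_EC)` clears the enable bit by subtraction, which is only correct if `CACR_EC` is set in `CACHE_MODE` and `CACR_CINVA` is not; if either assumption breaks for some configuration, the arithmetic carries or borrows into neighbouring CACR bits. Mask operations state the intent without that dependency: `#define CACHE_INIT ((CACHE_MODE | CACR_CINVA) & ~CACR_EC)` and `#define CACHE_INVALIDATE (CACHE_MODE | CACR_CINVA)`. The surrounding header does compose register values with `+` elsewhere (see `ACR0_MODE`), so this is a robustness point rather than a defect in the values shown.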
@@ -0,0 +1,56 @@ +From befd30d3e97e880fff30fe9a702b2795fb9624ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2020 18:17:28 +0200 +Subject: media: budget-core: Improve exception handling in budget_register() + +From: Chuhong Yuan + +[ Upstream commit fc0456458df8b3421dba2a5508cd817fbc20ea71 ] + +budget_register() has no error handling after its failure. +Add the missed undo functions for error handling to fix it. + +Signed-off-by: Chuhong Yuan +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/ttpci/budget-core.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/pci/ttpci/budget-core.c b/drivers/media/pci/ttpci/budget-core.c +index 97499b2af7144..20524376b83be 100644 +--- a/drivers/media/pci/ttpci/budget-core.c ++++ b/drivers/media/pci/ttpci/budget-core.c +@@ -383,20 +383,25 @@ static int budget_register(struct budget *budget) + ret = dvbdemux->dmx.add_frontend(&dvbdemux->dmx, &budget->hw_frontend); + + if (ret < 0) +- return ret; ++ goto err_release_dmx; + + budget->mem_frontend.source = DMX_MEMORY_FE; + ret = dvbdemux->dmx.add_frontend(&dvbdemux->dmx, &budget->mem_frontend); + if (ret < 0) +- return ret; ++ goto err_release_dmx; + + ret = dvbdemux->dmx.connect_frontend(&dvbdemux->dmx, &budget->hw_frontend); + if (ret < 0) +- return ret; ++ goto err_release_dmx; + + dvb_net_init(&budget->dvb_adapter, &budget->dvb_net, &dvbdemux->dmx); + + return 0; ++ ++err_release_dmx: ++ dvb_dmxdev_release(&budget->dmxdev); ++ dvb_dmx_release(&budget->demux); ++ return ret; + } + + static void budget_unregister(struct budget *budget) +-- +2.25.1 + diff --git a/queue-4.14/media-pci-ttpci-av7110-fix-possible-buffer-overflow-.patch b/queue-4.14/media-pci-ttpci-av7110-fix-possible-buffer-overflow-.patch new file mode 100644 index 00000000000..70816c787c1 --- /dev/null +++ b/queue-4.14/media-pci-ttpci-av7110-fix-possible-buffer-overflow-.patch 
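Review bot: All three new `goto err_release_dmx` sites in `budget_register()` share one label, so a failure of the second `add_frontend()` or of `connect_frontend()` releases the demux while the frontends added just before are still registered on it. Whether `dvb_dmx_release()` copes with that is not visible here, but unwinding in reverse order with `remove_frontend()` avoids leaving references to `budget->hw_frontend` and `budget->mem_frontend` behind. The start of the function, including any earlier init failures, is outside the hunk.

```c
	ret = dvbdemux->dmx.add_frontend(&dvbdemux->dmx, &budget->mem_frontend);
	if (ret < 0)
		goto err_remove_hw_frontend;

	ret = dvbdemux->dmx.connect_frontend(&dvbdemux->dmx, &budget->hw_frontend);
	if (ret < 0)
		goto err_remove_mem_frontend;

	/* … unchanged: dvb_net_init() and return 0 … */

err_remove_mem_frontend:
	dvbdemux->dmx.remove_frontend(&dvbdemux->dmx, &budget->mem_frontend);
err_remove_hw_frontend:
	dvbdemux->dmx.remove_frontend(&dvbdemux->dmx, &budget->hw_frontend);
err_release_dmx:
	/* … unchanged: dvb_dmxdev_release(), dvb_dmx_release(), return ret … */
```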
@@ -0,0 +1,52 @@
+From c2f2be3fac55be24540bde4ba1b111c5cb9ebf37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 30 May 2020 16:42:08 +0200
+Subject: media: pci: ttpci: av7110: fix possible buffer overflow caused by bad
+ DMA value in debiirq()
+
+From: Jia-Ju Bai
+
+[ Upstream commit 6499a0db9b0f1e903d52f8244eacc1d4be00eea2 ]
+
+The value av7110->debi_virt is stored in DMA memory, and it is assigned
+to data, and thus data[0] can be modified at any time by malicious
+hardware. In this case, "if (data[0] < 2)" can be passed, but then
+data[0] can be changed into a large number, which may cause buffer
+overflow when the code "av7110->ci_slot[data[0]]" is used.
+
+To fix this possible bug, data[0] is assigned to a local variable, which
+replaces the use of data[0].
+
+Signed-off-by: Jia-Ju Bai
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/pci/ttpci/av7110.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/pci/ttpci/av7110.c b/drivers/media/pci/ttpci/av7110.c
+index f46947d8adf8f..fcc053d95ae49 100644
+--- a/drivers/media/pci/ttpci/av7110.c
++++ b/drivers/media/pci/ttpci/av7110.c
+@@ -423,14 +423,15 @@ static void debiirq(unsigned long cookie)
+ case DATA_CI_GET:
+ {
+ u8 *data = av7110->debi_virt;
++ u8 data_0 = data[0];
+
+- if ((data[0] < 2) && data[2] == 0xff) {
++ if (data_0 < 2 && data[2] == 0xff) {
+ int flags = 0;
+ if (data[5] > 0)
+ flags |= CA_CI_MODULE_PRESENT;
+ if (data[5] > 5)
+ flags |= CA_CI_MODULE_READY;
+- av7110->ci_slot[data[0]].flags = flags;
++ av7110->ci_slot[data_0].flags = flags;
+ } else
+ ci_get_data(&av7110->ci_rbuffer,
+ av7110->debi_virt,
+--
+2.25.1
+
diff --git a/queue-4.14/media-vpss-clean-up-resources-in-init.patch b/queue-4.14/media-vpss-clean-up-resources-in-init.patch
new file mode 100644
index 00000000000..7a722596f81
--- /dev/null
+++ b/queue-4.14/media-vpss-clean-up-resources-in-init.patch
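Review bot: `u8 data_0 = data[0];` in `debiirq()` is a plain load through a non-volatile pointer, so the compiler remains free to re-read `data[0]` from DMA memory at each use of `data_0`, which would reopen the check-then-index window on `av7110->ci_slot[]` that the commit message describes. `u8 data_0 = READ_ONCE(data[0]);` forces a single fetch. `data[5]` is likewise read twice for the two flag tests; it is not used as an index, but snapshotting it the same way keeps the derived flags consistent. The switch case continues outside the hunk.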
@@ -0,0 +1,66 @@
+From 76760ce137d0541788b5d15e946c6f0299ada6d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 10 Jul 2020 11:02:23 +0200
+Subject: media: vpss: clean up resources in init
+
+From: Evgeny Novikov
+
+[ Upstream commit 9c487b0b0ea7ff22127fe99a7f67657d8730ff94 ]
+
+If platform_driver_register() fails within vpss_init() resources are not
+cleaned up. The patch fixes this issue by introducing the corresponding
+error handling.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Evgeny Novikov
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/davinci/vpss.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/platform/davinci/vpss.c b/drivers/media/platform/davinci/vpss.c
+index 2ee4cd9e6d80f..d984f45c03149 100644
+--- a/drivers/media/platform/davinci/vpss.c
++++ b/drivers/media/platform/davinci/vpss.c
+@@ -514,19 +514,31 @@ static void vpss_exit(void)
+
+ static int __init vpss_init(void)
+ {
++ int ret;
++
+ if (!request_mem_region(VPSS_CLK_CTRL, 4, "vpss_clock_control"))
+ return -EBUSY;
+
+ oper_cfg.vpss_regs_base2 = ioremap(VPSS_CLK_CTRL, 4);
+ if (unlikely(!oper_cfg.vpss_regs_base2)) {
+- release_mem_region(VPSS_CLK_CTRL, 4);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto err_ioremap;
+ }
+
+ writel(VPSS_CLK_CTRL_VENCCLKEN |
+- VPSS_CLK_CTRL_DACCLKEN, oper_cfg.vpss_regs_base2);
++ VPSS_CLK_CTRL_DACCLKEN, oper_cfg.vpss_regs_base2);
++
++ ret = platform_driver_register(&vpss_driver);
++ if (ret)
++ goto err_pd_register;
++
++ return 0;
+
+- return platform_driver_register(&vpss_driver);
++err_pd_register:
++ iounmap(oper_cfg.vpss_regs_base2);
++err_ioremap:
++ release_mem_region(VPSS_CLK_CTRL, 4);
++ return ret;
+ }
+ subsys_initcall(vpss_init);
+ module_exit(vpss_exit);
+--
+2.25.1
+
diff --git a/queue-4.14/mfd-intel-lpss-add-intel-emmitsburg-pch-pci-ids.patch b/queue-4.14/mfd-intel-lpss-add-intel-emmitsburg-pch-pci-ids.patch
new file mode 100644
index 00000000000..5498cc4362f
--- /dev/null
+++ b/queue-4.14/mfd-intel-lpss-add-intel-emmitsburg-pch-pci-ids.patch
@@ -0,0 +1,36 @@
+From 732c3438960b0c5e24f4034ea1209725a0647055 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 Jun 2020 19:10:32 +0300
+Subject: mfd: intel-lpss: Add Intel Emmitsburg PCH PCI IDs
+
+From: Andy Shevchenko
+
+[ Upstream commit 3ea2e4eab64cefa06055bb0541fcdedad4b48565 ]
+
+Intel Emmitsburg PCH has the same LPSS than Intel Ice Lake.
+Add the new IDs to the list of supported devices.
+
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Lee Jones
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/intel-lpss-pci.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mfd/intel-lpss-pci.c b/drivers/mfd/intel-lpss-pci.c
+index 0504761516f7b..a12bb8ed20405 100644
+--- a/drivers/mfd/intel-lpss-pci.c
++++ b/drivers/mfd/intel-lpss-pci.c
+@@ -176,6 +176,9 @@ static const struct pci_device_id intel_lpss_pci_ids[] = {
+ { PCI_VDEVICE(INTEL, 0x1ac4), (kernel_ulong_t)&bxt_info },
+ { PCI_VDEVICE(INTEL, 0x1ac6), (kernel_ulong_t)&bxt_info },
+ { PCI_VDEVICE(INTEL, 0x1aee), (kernel_ulong_t)&bxt_uart_info },
++ /* EBG */
++ { PCI_VDEVICE(INTEL, 0x1bad), (kernel_ulong_t)&bxt_uart_info },
++ { PCI_VDEVICE(INTEL, 0x1bae), (kernel_ulong_t)&bxt_uart_info },
+ /* GLK */
+ { PCI_VDEVICE(INTEL, 0x31ac), (kernel_ulong_t)&glk_i2c_info },
+ { PCI_VDEVICE(INTEL, 0x31ae), (kernel_ulong_t)&glk_i2c_info },
+--
+2.25.1
+
diff --git a/queue-4.14/mips-vdso-fix-resource-leaks-in-genvdso.c.patch b/queue-4.14/mips-vdso-fix-resource-leaks-in-genvdso.c.patch
new file mode 100644
index 00000000000..213e71ae8f8
--- /dev/null
+++ b/queue-4.14/mips-vdso-fix-resource-leaks-in-genvdso.c.patch
@@ -0,0 +1,98 @@
+From fe2626b53f42698b615f85e338255c3b9a85cc61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Jul 2020 20:30:18 +0800
+Subject: mips/vdso: Fix resource leaks in genvdso.c
+
+From: Peng Fan
+
+[ Upstream commit a859647b4e6bfeb192284d27d24b6a0c914cae1d ]
+
+Close "fd" before the return of map_vdso() and close "out_file"
+in main().
+
+Signed-off-by: Peng Fan
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/vdso/genvdso.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/arch/mips/vdso/genvdso.c b/arch/mips/vdso/genvdso.c
+index 530a36f465ced..afcc86726448e 100644
+--- a/arch/mips/vdso/genvdso.c
++++ b/arch/mips/vdso/genvdso.c
+@@ -126,6 +126,7 @@ static void *map_vdso(const char *path, size_t *_size)
+ if (fstat(fd, &stat) != 0) {
+ fprintf(stderr, "%s: Failed to stat '%s': %s\n", program_name,
+ path, strerror(errno));
++ close(fd);
+ return NULL;
+ }
+
+@@ -134,6 +135,7 @@ static void *map_vdso(const char *path, size_t *_size)
+ if (addr == MAP_FAILED) {
+ fprintf(stderr, "%s: Failed to map '%s': %s\n", program_name,
+ path, strerror(errno));
++ close(fd);
+ return NULL;
+ }
+
+@@ -143,6 +145,7 @@ static void *map_vdso(const char *path, size_t *_size)
+ if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG) != 0) {
+ fprintf(stderr, "%s: '%s' is not an ELF file\n", program_name,
+ path);
++ close(fd);
+ return NULL;
+ }
+
+@@ -154,6 +157,7 @@ static void *map_vdso(const char *path, size_t *_size)
+ default:
+ fprintf(stderr, "%s: '%s' has invalid ELF class\n",
+ program_name, path);
++ close(fd);
+ return NULL;
+ }
+
+@@ -165,6 +169,7 @@ static void *map_vdso(const char *path, size_t *_size)
+ default:
+ fprintf(stderr, "%s: '%s' has invalid ELF data order\n",
+ program_name, path);
++ close(fd);
+ return NULL;
+ }
+
+@@ -172,15 +177,18 @@ static void *map_vdso(const char *path, size_t *_size)
+ fprintf(stderr,
+ "%s: '%s' has invalid ELF machine (expected EM_MIPS)\n",
+ program_name, path);
++ close(fd);
+ return NULL;
+ } else if (swap_uint16(ehdr->e_type) != ET_DYN) {
+ fprintf(stderr,
+ "%s: '%s' has invalid ELF type (expected ET_DYN)\n",
+ program_name, path);
++ close(fd);
+ return NULL;
+ }
+
+ *_size = stat.st_size;
++ close(fd);
+ return addr;
+ }
+
+@@ -284,10 +292,12 @@ int main(int argc, char **argv)
+ /* Calculate and write symbol offsets to */
+ if (!get_symbols(dbg_vdso_path, dbg_vdso)) {
+ unlink(out_path);
++ fclose(out_file);
+ return EXIT_FAILURE;
+ }
+
+ fprintf(out_file, "};\n");
++ fclose(out_file);
+
+ return EXIT_SUCCESS;
+ }
+--
+2.25.1
+
diff --git a/queue-4.14/mm-hugetlb-fix-calculation-of-adjust_range_if_pmd_sh.patch b/queue-4.14/mm-hugetlb-fix-calculation-of-adjust_range_if_pmd_sh.patch
new file mode 100644
index 00000000000..48be0eca389
--- /dev/null
+++ b/queue-4.14/mm-hugetlb-fix-calculation-of-adjust_range_if_pmd_sh.patch
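Review bot: The failure returns that follow a successful `mmap()` in map_vdso() now close `fd` but still return NULL without unmapping `addr`, so the ELF-validation paths keep leaking the mapping; add `munmap(addr, stat.st_size);` beside those `close(fd);` calls (the length is assumed to match the mmap() call, which is above the hunk). Closing `fd` once, directly after the `mmap()` call, would also replace most of the repeated `close(fd);` lines, since the mapping does not need the descriptor. In main(), the `fclose(out_file)` on the success path should have its result checked, `if (fclose(out_file) != 0) { unlink(out_path); return EXIT_FAILURE; }`, because a failed flush otherwise leaves a truncated generated file behind an EXIT_SUCCESS.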
@@ -0,0 +1,96 @@
+From 03e6f33ef4c786b8d61fba32d97d62300e3d7c6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Aug 2020 23:26:11 -0700
+Subject: mm/hugetlb: fix calculation of adjust_range_if_pmd_sharing_possible
+
+From: Peter Xu
+
+commit 75802ca66354a39ab8e35822747cd08b3384a99a upstream.
+
+This is found by code observation only.
+
+Firstly, the worst case scenario should assume the whole range was covered
+by pmd sharing. The old algorithm might not work as expected for ranges
+like (1g-2m, 1g+2m), where the adjusted range should be (0, 1g+2m) but the
+expected range should be (0, 2g).
+
+Since at it, remove the loop since it should not be required. With that,
+the new code should be faster too when the invalidating range is huge.
+
+Mike said:
+
+: With range (1g-2m, 1g+2m) within a vma (0, 2g) the existing code will only
+: adjust to (0, 1g+2m) which is incorrect.
+:
+: We should cc stable. The original reason for adjusting the range was to
+: prevent data corruption (getting wrong page). Since the range is not
+: always adjusted correctly, the potential for corruption still exists.
+:
+: However, I am fairly confident that adjust_range_if_pmd_sharing_possible
+: is only gong to be called in two cases:
+:
+: 1) for a single page
+: 2) for range == entire vma
+:
+: In those cases, the current code should produce the correct results.
+:
+: To be safe, let's just cc stable.
+
+Fixes: 017b1660df89 ("mm: migration: fix migration of huge PMD shared pages")
+Signed-off-by: Peter Xu
+Signed-off-by: Andrew Morton
+Reviewed-by: Mike Kravetz
+Cc: Andrea Arcangeli
+Cc: Matthew Wilcox
+Cc:
+Link: http://lkml.kernel.org/r/20200730201636.74778-1-peterx@redhat.com
+Signed-off-by: Linus Torvalds
+Signed-off-by: Mike Kravetz
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/hugetlb.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index d6464045d3b97..194125cf2d2b9 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -4575,25 +4575,21 @@ static bool vma_shareable(struct vm_area_struct *vma, unsigned long addr)
+ void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma,
+ unsigned long *start, unsigned long *end)
+ {
+- unsigned long check_addr = *start;
++ unsigned long a_start, a_end;
+
+ if (!(vma->vm_flags & VM_MAYSHARE))
+ return;
+
+- for (check_addr = *start; check_addr < *end; check_addr += PUD_SIZE) {
+- unsigned long a_start = check_addr & PUD_MASK;
+- unsigned long a_end = a_start + PUD_SIZE;
++ /* Extend the range to be PUD aligned for a worst case scenario */
++ a_start = ALIGN_DOWN(*start, PUD_SIZE);
++ a_end = ALIGN(*end, PUD_SIZE);
+
+- /*
+- * If sharing is possible, adjust start/end if necessary.
+- */
+- if (range_in_vma(vma, a_start, a_end)) {
+- if (a_start < *start)
+- *start = a_start;
+- if (a_end > *end)
+- *end = a_end;
+- }
+- }
++ /*
++ * Intersect the range with the vma range, since pmd sharing won't be
++ * across vma after all
++ */
++ *start = max(vma->vm_start, a_start);
++ *end = min(vma->vm_end, a_end);
+ }
+
+ /*
+--
+2.25.1
+
diff --git a/queue-4.14/mm-include-cma-pages-in-lowmem_reserve-at-boot.patch b/queue-4.14/mm-include-cma-pages-in-lowmem_reserve-at-boot.patch
new file mode 100644
index 00000000000..d4e0ae26f0a
--- /dev/null
+++ b/queue-4.14/mm-include-cma-pages-in-lowmem_reserve-at-boot.patch
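Review bot: The rewrite drops the `range_in_vma(vma, a_start, a_end)` test, so `*start`/`*end` are now widened to the PUD-aligned span (clamped to the vma) even when the vma holds no complete PUD-aligned region and pmd sharing cannot occur there. That errs on the safe side for correctness, but callers will then flush and invalidate more than the requested range for small shared mappings; an early return when no full PUD_SIZE-aligned block inside the vma overlaps the range would keep the previous behaviour for that case. `a_end = ALIGN(*end, PUD_SIZE);` also deserves a comment stating why `*end` cannot lie within PUD_SIZE of the top of the address space, because the round-up would wrap before the `min()` is applied.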
@@ -0,0 +1,89 @@
+From ccc38c6201fe825caf53194eff4cee570526250c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Aug 2020 17:42:24 -0700
+Subject: mm: include CMA pages in lowmem_reserve at boot
+
+From: Doug Berger
+
+commit e08d3fdfe2dafa0331843f70ce1ff6c1c4900bf4 upstream.
+
+The lowmem_reserve arrays provide a means of applying pressure against
+allocations from lower zones that were targeted at higher zones. Its
+values are a function of the number of pages managed by higher zones and
+are assigned by a call to the setup_per_zone_lowmem_reserve() function.
+
+The function is initially called at boot time by the function
+init_per_zone_wmark_min() and may be called later by accesses of the
+/proc/sys/vm/lowmem_reserve_ratio sysctl file.
+
+The function init_per_zone_wmark_min() was moved up from a module_init to
+a core_initcall to resolve a sequencing issue with khugepaged.
+Unfortunately this created a sequencing issue with CMA page accounting.
+
+The CMA pages are added to the managed page count of a zone when
+cma_init_reserved_areas() is called at boot also as a core_initcall. This
+makes it uncertain whether the CMA pages will be added to the managed page
+counts of their zones before or after the call to
+init_per_zone_wmark_min() as it becomes dependent on link order. With the
+current link order the pages are added to the managed count after the
+lowmem_reserve arrays are initialized at boot.
+
+This means the lowmem_reserve values at boot may be lower than the values
+used later if /proc/sys/vm/lowmem_reserve_ratio is accessed even if the
+ratio values are unchanged.
+
+In many cases the difference is not significant, but for example
+an ARM platform with 1GB of memory and the following memory layout
+
+ cma: Reserved 256 MiB at 0x0000000030000000
+ Zone ranges:
+ DMA [mem 0x0000000000000000-0x000000002fffffff]
+ Normal empty
+ HighMem [mem 0x0000000030000000-0x000000003fffffff]
+
+would result in 0 lowmem_reserve for the DMA zone. This would allow
+userspace to deplete the DMA zone easily.
+
+Funnily enough
+
+ $ cat /proc/sys/vm/lowmem_reserve_ratio
+
+would fix up the situation because as a side effect it forces
+setup_per_zone_lowmem_reserve.
+
+This commit breaks the link order dependency by invoking
+init_per_zone_wmark_min() as a postcore_initcall so that the CMA pages
+have the chance to be properly accounted in their zone(s) and allowing
+the lowmem_reserve arrays to receive consistent values.
+
+Fixes: bc22af74f271 ("mm: update min_free_kbytes from khugepaged after core initialization")
+Signed-off-by: Doug Berger
+Signed-off-by: Andrew Morton
+Acked-by: Michal Hocko
+Cc: Jason Baron
+Cc: David Rientjes
+Cc: "Kirill A. Shutemov"
+Cc:
+Link: http://lkml.kernel.org/r/1597423766-27849-1-git-send-email-opendmb@gmail.com
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/page_alloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index e992afe3a58e9..46ded8d77fb30 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -7018,7 +7018,7 @@ int __meminit init_per_zone_wmark_min(void)
+
+ return 0;
+ }
+-core_initcall(init_per_zone_wmark_min)
++postcore_initcall(init_per_zone_wmark_min)
+
+ /*
+ * min_free_kbytes_sysctl_handler - just a wrapper around proc_dointvec() so
+--
+2.25.1
+
diff --git a/queue-4.14/mm-page_alloc-fix-core-hung-in-free_pcppages_bulk.patch b/queue-4.14/mm-page_alloc-fix-core-hung-in-free_pcppages_bulk.patch
new file mode 100644
index 00000000000..ef993f3617e
--- /dev/null
+++ b/queue-4.14/mm-page_alloc-fix-core-hung-in-free_pcppages_bulk.patch
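Review bot: The ordering constraint that this one-line change depends on is not recorded next to the code, so a later reshuffle of initcall levels could silently bring back the zero lowmem_reserve described in the commit message. Add a comment above the new `postcore_initcall(init_per_zone_wmark_min)` line, for example `/* postcore: must run after cma_init_reserved_areas() (core_initcall) so CMA pages are counted in lowmem_reserve */`.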
@@ -0,0 +1,104 @@
+From 7749eb87a9c186c195a4ad952fda1c54c99a4da4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Aug 2020 17:42:27 -0700
+Subject: mm, page_alloc: fix core hung in free_pcppages_bulk()
+
+From: Charan Teja Reddy
+
+commit 88e8ac11d2ea3acc003cf01bb5a38c8aa76c3cfd upstream.
+
+The following race is observed with the repeated online, offline and a
+delay between two successive online of memory blocks of movable zone.
+
+P1 P2
+
+Online the first memory block in
+the movable zone. The pcp struct
+values are initialized to default
+values,i.e., pcp->high = 0 &
+pcp->batch = 1.
+
+ Allocate the pages from the
+ movable zone.
+
+Try to Online the second memory
+block in the movable zone thus it
+entered the online_pages() but yet
+to call zone_pcp_update().
+ This process is entered into
+ the exit path thus it tries
+ to release the order-0 pages
+ to pcp lists through
+ free_unref_page_commit().
+ As pcp->high = 0, pcp->count = 1
+ proceed to call the function
+ free_pcppages_bulk().
+Update the pcp values thus the
+new pcp values are like, say,
+pcp->high = 378, pcp->batch = 63.
+ Read the pcp's batch value using
+ READ_ONCE() and pass the same to
+ free_pcppages_bulk(), pcp values
+ passed here are, batch = 63,
+ count = 1.
+
+ Since num of pages in the pcp
+ lists are less than ->batch,
+ then it will stuck in
+ while(list_empty(list)) loop
+ with interrupts disabled thus
+ a core hung.
+
+Avoid this by ensuring free_pcppages_bulk() is called with proper count of
+pcp list pages.
+
+The mentioned race is some what easily reproducible without [1] because
+pcp's are not updated for the first memory block online and thus there is
+a enough race window for P2 between alloc+free and pcp struct values
+update through onlining of second memory block.
+
+With [1], the race still exists but it is very narrow as we update the pcp
+struct values for the first memory block online itself.
+
+This is not limited to the movable zone, it could also happen in cases
+with the normal zone (e.g., hotplug to a node that only has DMA memory, or
+no other memory yet).
+
+[1]: https://patchwork.kernel.org/patch/11696389/
+
+Fixes: 5f8dcc21211a ("page-allocator: split per-cpu list into one-list-per-migrate-type")
+Signed-off-by: Charan Teja Reddy
+Signed-off-by: Andrew Morton
+Acked-by: David Hildenbrand
+Acked-by: David Rientjes
+Acked-by: Michal Hocko
+Cc: Michal Hocko
+Cc: Vlastimil Babka
+Cc: Vinayak Menon
+Cc: [2.6+]
+Link: http://lkml.kernel.org/r/1597150703-19003-1-git-send-email-charante@codeaurora.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/page_alloc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index 46ded8d77fb30..a3958b4fec6cb 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -1114,6 +1114,11 @@ static void free_pcppages_bulk(struct zone *zone, int count,
+ spin_lock(&zone->lock);
+ isolated_pageblocks = has_isolate_pageblock(zone);
+
++ /*
++ * Ensure proper count is passed which otherwise would stuck in the
++ * below while (list_empty(list)) loop.
++ */
++ count = min(pcp->count, count);
+ while (count) {
+ struct page *page;
+ struct list_head *list;
+--
+2.25.1
+
diff --git a/queue-4.14/net-dsa-b53-check-for-timeout.patch b/queue-4.14/net-dsa-b53-check-for-timeout.patch
new file mode 100644
index 00000000000..3e17338588c
--- /dev/null
+++ b/queue-4.14/net-dsa-b53-check-for-timeout.patch
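Review bot: The comment added above `count = min(pcp->count, count);` says the count must be "proper" but not why a caller can pass a wrong one, so the clamp looks redundant to a later reader. State the cause from the commit message, for example `/* pcp->batch can be raised concurrently by zone_pcp_update(), so count may exceed pcp->count; clamp it or the list scan below never terminates */`. free_pcppages_bulk() starts above and continues below this hunk.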
@@ -0,0 +1,51 @@
+From 0b244d751d551558a6a661a580a007c80799eff4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 21 Aug 2020 06:56:00 -0700
+Subject: net: dsa: b53: check for timeout
+
+From: Tom Rix
+
+[ Upstream commit 774d977abfd024e6f73484544b9abe5a5cd62de7 ]
+
+clang static analysis reports this problem
+
+b53_common.c:1583:13: warning: The left expression of the compound
+ assignment is an uninitialized value. The computed value will
+ also be garbage
+ ent.port &= ~BIT(port);
+ ~~~~~~~~ ^
+
+ent is set by a successful call to b53_arl_read(). Unsuccessful
+calls are caught by an switch statement handling specific returns.
+b32_arl_read() calls b53_arl_op_wait() which fails with the
+unhandled -ETIMEDOUT.
+
+So add -ETIMEDOUT to the switch statement. Because
+b53_arl_op_wait() already prints out a message, do not add another
+one.
+
+Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
+Signed-off-by: Tom Rix
+Acked-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/b53/b53_common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 274d369151107..5c3fa0be8844e 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1160,6 +1160,8 @@ static int b53_arl_op(struct b53_device *dev, int op, int port,
+ return ret;
+
+ switch (ret) {
++ case -ETIMEDOUT:
++ return ret;
+ case -ENOSPC:
+ dev_dbg(dev->dev, "{%pM,%.4d} no space left in ARL\n",
+ addr, vid);
+--
+2.25.1
+
diff --git a/queue-4.14/net-fec-correct-the-error-path-for-regulator-disable.patch b/queue-4.14/net-fec-correct-the-error-path-for-regulator-disable.patch
new file mode 100644
index 00000000000..7fb0ebe131f
--- /dev/null
+++ b/queue-4.14/net-fec-correct-the-error-path-for-regulator-disable.patch
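Review bot: Other negative returns from `b53_arl_read()` are still not covered, because the switch enumerates error codes one at a time: any code that no case catches would reach the later use of `ent` while it is uninitialised, unless a case below the visible lines handles it. A guard that returns every negative value not explicitly handled, or a `default:` that does so, would close the whole class rather than the single code the analyzer traced. The switch body continues past the end of the hunk.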
@@ -0,0 +1,40 @@
+From cc85813c51965cc79b1d19dc292d5bb530679d33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Aug 2020 15:13:14 +0800
+Subject: net: fec: correct the error path for regulator disable in probe
+
+From: Fugang Duan
+
+[ Upstream commit c6165cf0dbb82ded90163dce3ac183fc7a913dc4 ]
+
+Correct the error path for regulator disable.
+
+Fixes: 9269e5560b26 ("net: fec: add phy-reset-gpios PROBE_DEFER check")
+Signed-off-by: Fugang Duan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/freescale/fec_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index 8ba915cc4c2e4..22f964ef859e5 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -3536,11 +3536,11 @@ failed_mii_init:
+ failed_irq:
+ failed_init:
+ fec_ptp_stop(pdev);
+- if (fep->reg_phy)
+- regulator_disable(fep->reg_phy);
+ failed_reset:
+ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
++ if (fep->reg_phy)
++ regulator_disable(fep->reg_phy);
+ failed_regulator:
+ clk_disable_unprepare(fep->clk_ahb);
+ failed_clk_ahb:
+--
+2.25.1
+
diff --git a/queue-4.14/omapfb-fix-multiple-reference-count-leaks-due-to-pm_.patch b/queue-4.14/omapfb-fix-multiple-reference-count-leaks-due-to-pm_.patch
new file mode 100644
index 00000000000..a98f4e72b43
--- /dev/null
+++ b/queue-4.14/omapfb-fix-multiple-reference-count-leaks-due-to-pm_.patch
@@ -0,0 +1,145 @@
+From d151614033086a20e79aac5d7b8b881962daacee Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 13 Jun 2020 22:05:18 -0500
+Subject: omapfb: fix multiple reference count leaks due to pm_runtime_get_sync
+
+From: Aditya Pakki
+
+[ Upstream commit 78c2ce9bde70be5be7e3615a2ae7024ed8173087 ]
+
+On calling pm_runtime_get_sync() the reference count of the device
+is incremented. In case of failure, decrement the
+reference count before returning the error.
+
+Signed-off-by: Aditya Pakki
+Cc: kjlu@umn.edu
+Cc: wu000273@umn.edu
+Cc: Allison Randal
+Cc: Thomas Gleixner
+Cc: Enrico Weigelt
+cc: "Andrew F. Davis"
+Cc: Tomi Valkeinen
+Cc: Alexios Zavras
+Cc: Greg Kroah-Hartman
+Cc: YueHaibing
+Signed-off-by: Bartlomiej Zolnierkiewicz
+Link: https://patchwork.freedesktop.org/patch/msgid/20200614030528.128064-1-pakki001@umn.edu
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 7 +++++--
+ drivers/video/fbdev/omap2/omapfb/dss/dsi.c | 7 +++++--
+ drivers/video/fbdev/omap2/omapfb/dss/dss.c | 7 +++++--
+ drivers/video/fbdev/omap2/omapfb/dss/hdmi4.c | 5 +++--
+ drivers/video/fbdev/omap2/omapfb/dss/hdmi5.c | 5 +++--
+ drivers/video/fbdev/omap2/omapfb/dss/venc.c | 7 +++++--
+ 6 files changed, 26 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dispc.c b/drivers/video/fbdev/omap2/omapfb/dss/dispc.c
+index 7a75dfda98457..00f5a54aaf9b7 100644
+--- a/drivers/video/fbdev/omap2/omapfb/dss/dispc.c
++++ b/drivers/video/fbdev/omap2/omapfb/dss/dispc.c
+@@ -531,8 +531,11 @@ int dispc_runtime_get(void)
+ DSSDBG("dispc_runtime_get\n");
+
+ r = pm_runtime_get_sync(&dispc.pdev->dev);
+- WARN_ON(r < 0);
+- return r < 0 ? r : 0;
++ if (WARN_ON(r < 0)) {
++ pm_runtime_put_sync(&dispc.pdev->dev);
++ return r;
++ }
++ return 0;
+ }
+ EXPORT_SYMBOL(dispc_runtime_get);
+
+diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dsi.c b/drivers/video/fbdev/omap2/omapfb/dss/dsi.c
+index 30d49f3800b33..2bfd9063cdfc3 100644
+--- a/drivers/video/fbdev/omap2/omapfb/dss/dsi.c
++++ b/drivers/video/fbdev/omap2/omapfb/dss/dsi.c
+@@ -1148,8 +1148,11 @@ static int dsi_runtime_get(struct platform_device *dsidev)
+ DSSDBG("dsi_runtime_get\n");
+
+ r = pm_runtime_get_sync(&dsi->pdev->dev);
+- WARN_ON(r < 0);
+- return r < 0 ? r : 0;
++ if (WARN_ON(r < 0)) {
++ pm_runtime_put_sync(&dsi->pdev->dev);
++ return r;
++ }
++ return 0;
+ }
+
+ static void dsi_runtime_put(struct platform_device *dsidev)
+diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dss.c b/drivers/video/fbdev/omap2/omapfb/dss/dss.c
+index 4429ad37b64cd..acecee5b1c102 100644
+--- a/drivers/video/fbdev/omap2/omapfb/dss/dss.c
++++ b/drivers/video/fbdev/omap2/omapfb/dss/dss.c
+@@ -778,8 +778,11 @@ int dss_runtime_get(void)
+ DSSDBG("dss_runtime_get\n");
+
+ r = pm_runtime_get_sync(&dss.pdev->dev);
+- WARN_ON(r < 0);
+- return r < 0 ? r : 0;
++ if (WARN_ON(r < 0)) {
++ pm_runtime_put_sync(&dss.pdev->dev);
++ return r;
++ }
++ return 0;
+ }
+
+ void dss_runtime_put(void)
+diff --git a/drivers/video/fbdev/omap2/omapfb/dss/hdmi4.c b/drivers/video/fbdev/omap2/omapfb/dss/hdmi4.c
+index ec78d61bc5512..e2d571ca8590a 100644
+--- a/drivers/video/fbdev/omap2/omapfb/dss/hdmi4.c
++++ b/drivers/video/fbdev/omap2/omapfb/dss/hdmi4.c
+@@ -50,9 +50,10 @@ static int hdmi_runtime_get(void)
+ DSSDBG("hdmi_runtime_get\n");
+
+ r = pm_runtime_get_sync(&hdmi.pdev->dev);
+- WARN_ON(r < 0);
+- if (r < 0)
++ if (WARN_ON(r < 0)) {
++ pm_runtime_put_sync(&hdmi.pdev->dev);
+ return r;
++ }
+
+ return 0;
+ }
+diff --git a/drivers/video/fbdev/omap2/omapfb/dss/hdmi5.c b/drivers/video/fbdev/omap2/omapfb/dss/hdmi5.c
+index 2e2fcc3d6d4f7..13f3a5ce55294 100644
+--- a/drivers/video/fbdev/omap2/omapfb/dss/hdmi5.c
++++ b/drivers/video/fbdev/omap2/omapfb/dss/hdmi5.c
+@@ -54,9 +54,10 @@ static int hdmi_runtime_get(void)
+ DSSDBG("hdmi_runtime_get\n");
+
+ r = pm_runtime_get_sync(&hdmi.pdev->dev);
+- WARN_ON(r < 0);
+- if (r < 0)
++ if (WARN_ON(r < 0)) {
++ pm_runtime_put_sync(&hdmi.pdev->dev);
+ return r;
++ }
+
+ return 0;
+ }
+diff --git a/drivers/video/fbdev/omap2/omapfb/dss/venc.c b/drivers/video/fbdev/omap2/omapfb/dss/venc.c
+index 392464da12e41..96714b4596d2d 100644
+--- a/drivers/video/fbdev/omap2/omapfb/dss/venc.c
++++ b/drivers/video/fbdev/omap2/omapfb/dss/venc.c
+@@ -402,8 +402,11 @@ static int venc_runtime_get(void)
+ DSSDBG("venc_runtime_get\n");
+
+ r = pm_runtime_get_sync(&venc.pdev->dev);
+- WARN_ON(r < 0);
+- return r < 0 ? r : 0;
++ if (WARN_ON(r < 0)) {
++ pm_runtime_put_sync(&venc.pdev->dev);
++ return r;
++ }
++ return 0;
+ }
+
+ static void venc_runtime_put(void)
+--
+2.25.1
+
diff --git a/queue-4.14/pci-fix-pci_create_slot-reference-count-leak.patch b/queue-4.14/pci-fix-pci_create_slot-reference-count-leak.patch
new file mode 100644
index 00000000000..b701359d4a7
--- /dev/null
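Review bot: The failure branches call `pm_runtime_put_sync()`, which does more than drop the usage count taken by `pm_runtime_get_sync()`: it can also run the idle/suspend path synchronously on a device whose resume has just failed. `pm_runtime_put_noidle(&dispc.pdev->dev);` only balances the counter and is the usual call in this position. The same applies to the dsi, dss, hdmi4, hdmi5 and venc sections of this patch.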
+++ b/queue-4.14/pci-fix-pci_create_slot-reference-count-leak.patch
@@ -0,0 +1,59 @@
+From 54974c683578c560058affd4458b2506fa88790c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 27 May 2020 21:13:22 -0500
+Subject: PCI: Fix pci_create_slot() reference count leak
+
+From: Qiushi Wu
+
+[ Upstream commit 8a94644b440eef5a7b9c104ac8aa7a7f413e35e5 ]
+
+kobject_init_and_add() takes a reference even when it fails. If it returns
+an error, kobject_put() must be called to clean up the memory associated
+with the object.
+
+When kobject_init_and_add() fails, call kobject_put() instead of kfree().
+
+b8eb718348b8 ("net-sysfs: Fix reference count leak in
+rx|netdev_queue_add_kobject") fixed a similar problem.
+
+Link: https://lore.kernel.org/r/20200528021322.1984-1-wu000273@umn.edu
+Signed-off-by: Qiushi Wu
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/slot.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/slot.c b/drivers/pci/slot.c
+index e42909524deed..379925fc49d4e 100644
+--- a/drivers/pci/slot.c
++++ b/drivers/pci/slot.c
+@@ -303,13 +303,16 @@ placeholder:
+ slot_name = make_slot_name(name);
+ if (!slot_name) {
+ err = -ENOMEM;
++ kfree(slot);
+ goto err;
+ }
+
+ err = kobject_init_and_add(&slot->kobj, &pci_slot_ktype, NULL,
+ "%s", slot_name);
+- if (err)
++ if (err) {
++ kobject_put(&slot->kobj);
+ goto err;
++ }
+
+ INIT_LIST_HEAD(&slot->list);
+ list_add(&slot->list, &parent->slots);
+@@ -328,7 +331,6 @@ out:
+ mutex_unlock(&pci_slot_mutex);
+ return slot;
+ err:
+- kfree(slot);
+ slot = ERR_PTR(err);
+ goto out;
+ }
+--
+2.25.1
+
diff --git a/queue-4.14/perf-probe-fix-memory-leakage-when-the-probe-point-i.patch b/queue-4.14/perf-probe-fix-memory-leakage-when-the-probe-point-i.patch
new file mode 100644
index 00000000000..f4ca7a2ecc7
--- /dev/null
+++ b/queue-4.14/perf-probe-fix-memory-leakage-when-the-probe-point-i.patch
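Review bot: `kobject_put(&slot->kobj)` on the failure branch hands the slot to the ktype's release callback before `INIT_LIST_HEAD(&slot->list)` has run, which only happens a few lines further down. If the release handler behind `pci_slot_ktype` unlinks `slot->list` (it is defined outside this hunk, so this needs checking), it would operate on an uninitialised list head. Moving `INIT_LIST_HEAD(&slot->list);` above the `kobject_init_and_add()` call makes the release path safe either way. With `kfree(slot)` removed from `err:`, any other `goto err` reached with an allocated slot must now free it itself; those sites are above the hunk.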
@@ -0,0 +1,52 @@
+From 63f0d1dd7abc9ce105bb186d47cf86e9def18ff6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 10 Jul 2020 22:11:23 +0900
+Subject: perf probe: Fix memory leakage when the probe point is not found
+
+From: Masami Hiramatsu
+
+[ Upstream commit 12d572e785b15bc764e956caaa8a4c846fd15694 ]
+
+Fix the memory leakage in debuginfo__find_trace_events() when the probe
+point is not found in the debuginfo. If there is no probe point found in
+the debuginfo, debuginfo__find_probes() will NOT return -ENOENT, but 0.
+
+Thus the caller of debuginfo__find_probes() must check the tf.ntevs and
+release the allocated memory for the array of struct probe_trace_event.
+
+The current code releases the memory only if the debuginfo__find_probes()
+hits an error but not checks tf.ntevs. In the result, the memory allocated
+on *tevs are not released if tf.ntevs == 0.
+
+This fixes the memory leakage by checking tf.ntevs == 0 in addition to
+ret < 0.
+
+Fixes: ff741783506c ("perf probe: Introduce debuginfo to encapsulate dwarf information")
+Signed-off-by: Masami Hiramatsu
+Reviewed-by: Srikar Dronamraju
+Cc: Andi Kleen
+Cc: Oleg Nesterov
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/159438668346.62703.10887420400718492503.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/probe-finder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c
+index 8f7f9d05f38c0..bfa6d9d215569 100644
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -1354,7 +1354,7 @@ int debuginfo__find_trace_events(struct debuginfo *dbg,
+ tf.ntevs = 0;
+
+ ret = debuginfo__find_probes(dbg, &tf.pf);
+- if (ret < 0) {
++ if (ret < 0 || tf.ntevs == 0) {
+ for (i = 0; i < tf.ntevs; i++)
+ clear_probe_trace_event(&tf.tevs[i]);
+ zfree(tevs);
+--
+2.25.1
+
diff --git a/queue-4.14/powerpc-allow-4224-bytes-of-stack-expansion-for-the-.patch b/queue-4.14/powerpc-allow-4224-bytes-of-stack-expansion-for-the-.patch
new file mode 100644
index 00000000000..dd7928baab1
--- /dev/null
+++ b/queue-4.14/powerpc-allow-4224-bytes-of-stack-expansion-for-the-.patch
@@ -0,0 +1,188 @@ +From d9ccf72df055806a6885146df3bf53c88b0b9a15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 19:25:25 +1000 +Subject: powerpc: Allow 4224 bytes of stack expansion for the signal frame + +From: Michael Ellerman + +[ Upstream commit 63dee5df43a31f3844efabc58972f0a206ca4534 ] + +We have powerpc specific logic in our page fault handling to decide if +an access to an unmapped address below the stack pointer should expand +the stack VMA. + +The code was originally added in 2004 "ported from 2.4". The rough +logic is that the stack is allowed to grow to 1MB with no extra +checking. Over 1MB the access must be within 2048 bytes of the stack +pointer, or be from a user instruction that updates the stack pointer. + +The 2048 byte allowance below the stack pointer is there to cover the +288 byte "red zone" as well as the "about 1.5kB" needed by the signal +delivery code. + +Unfortunately since then the signal frame has expanded, and is now +4224 bytes on 64-bit kernels with transactional memory enabled. This +means if a process has consumed more than 1MB of stack, and its stack +pointer lies less than 4224 bytes from the next page boundary, signal +delivery will fault when trying to expand the stack and the process +will see a SEGV. + +The total size of the signal frame is the size of struct rt_sigframe +(which includes the red zone) plus __SIGNAL_FRAMESIZE (128 bytes on +64-bit). 
+ +The 2048 byte allowance was correct until 2008 as the signal frame +was: + +struct rt_sigframe { + struct ucontext uc; /* 0 1440 */ + /* --- cacheline 11 boundary (1408 bytes) was 32 bytes ago --- */ + long unsigned int _unused[2]; /* 1440 16 */ + unsigned int tramp[6]; /* 1456 24 */ + struct siginfo * pinfo; /* 1480 8 */ + void * puc; /* 1488 8 */ + struct siginfo info; /* 1496 128 */ + /* --- cacheline 12 boundary (1536 bytes) was 88 bytes ago --- */ + char abigap[288]; /* 1624 288 */ + + /* size: 1920, cachelines: 15, members: 7 */ + /* padding: 8 */ +}; + +1920 + 128 = 2048 + +Then in commit ce48b2100785 ("powerpc: Add VSX context save/restore, +ptrace and signal support") (Jul 2008) the signal frame expanded to +2304 bytes: + +struct rt_sigframe { + struct ucontext uc; /* 0 1696 */ <-- + /* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */ + long unsigned int _unused[2]; /* 1696 16 */ + unsigned int tramp[6]; /* 1712 24 */ + struct siginfo * pinfo; /* 1736 8 */ + void * puc; /* 1744 8 */ + struct siginfo info; /* 1752 128 */ + /* --- cacheline 14 boundary (1792 bytes) was 88 bytes ago --- */ + char abigap[288]; /* 1880 288 */ + + /* size: 2176, cachelines: 17, members: 7 */ + /* padding: 8 */ +}; + +2176 + 128 = 2304 + +At this point we should have been exposed to the bug, though as far as +I know it was never reported. I no longer have a system old enough to +easily test on. + +Then in 2010 commit 320b2b8de126 ("mm: keep a guard page below a +grow-down stack segment") caused our stack expansion code to never +trigger, as there was always a VMA found for a write up to PAGE_SIZE +below r1. 
+ +That meant the bug was hidden as we continued to expand the signal +frame in commit 2b0a576d15e0 ("powerpc: Add new transactional memory +state to the signal context") (Feb 2013): + +struct rt_sigframe { + struct ucontext uc; /* 0 1696 */ + /* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */ + struct ucontext uc_transact; /* 1696 1696 */ <-- + /* --- cacheline 26 boundary (3328 bytes) was 64 bytes ago --- */ + long unsigned int _unused[2]; /* 3392 16 */ + unsigned int tramp[6]; /* 3408 24 */ + struct siginfo * pinfo; /* 3432 8 */ + void * puc; /* 3440 8 */ + struct siginfo info; /* 3448 128 */ + /* --- cacheline 27 boundary (3456 bytes) was 120 bytes ago --- */ + char abigap[288]; /* 3576 288 */ + + /* size: 3872, cachelines: 31, members: 8 */ + /* padding: 8 */ + /* last cacheline: 32 bytes */ +}; + +3872 + 128 = 4000 + +And commit 573ebfa6601f ("powerpc: Increase stack redzone for 64-bit +userspace to 512 bytes") (Feb 2014): + +struct rt_sigframe { + struct ucontext uc; /* 0 1696 */ + /* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */ + struct ucontext uc_transact; /* 1696 1696 */ + /* --- cacheline 26 boundary (3328 bytes) was 64 bytes ago --- */ + long unsigned int _unused[2]; /* 3392 16 */ + unsigned int tramp[6]; /* 3408 24 */ + struct siginfo * pinfo; /* 3432 8 */ + void * puc; /* 3440 8 */ + struct siginfo info; /* 3448 128 */ + /* --- cacheline 27 boundary (3456 bytes) was 120 bytes ago --- */ + char abigap[512]; /* 3576 512 */ <-- + + /* size: 4096, cachelines: 32, members: 8 */ + /* padding: 8 */ +}; + +4096 + 128 = 4224 + +Then finally in 2017, commit 1be7107fbe18 ("mm: larger stack guard +gap, between vmas") exposed us to the existing bug, because it changed +the stack VMA to be the correct/real size, meaning our stack expansion +code is now triggered. + +Fix it by increasing the allowance to 4224 bytes. 
+ +Hard-coding 4224 is obviously unsafe against future expansions of the +signal frame in the same way as the existing code. We can't easily use +sizeof() because the signal frame structure is not in a header. We +will either fix that, or rip out all the custom stack expansion +checking logic entirely. + +Fixes: ce48b2100785 ("powerpc: Add VSX context save/restore, ptrace and signal support") +Cc: stable@vger.kernel.org # v2.6.27+ +Reported-by: Tom Lane +Tested-by: Daniel Axtens +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200724092528.1578671-2-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/fault.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c +index 998c77e600a43..ebe97e5500ee5 100644 +--- a/arch/powerpc/mm/fault.c ++++ b/arch/powerpc/mm/fault.c +@@ -224,6 +224,9 @@ static bool bad_kernel_fault(bool is_exec, unsigned long error_code, + return is_exec || (address >= TASK_SIZE); + } + ++// This comes from 64-bit struct rt_sigframe + __SIGNAL_FRAMESIZE ++#define SIGFRAME_MAX_SIZE (4096 + 128) ++ + static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address, + struct vm_area_struct *vma, unsigned int flags, + bool *must_retry) +@@ -231,7 +234,7 @@ static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address, + /* + * N.B. The POWER/Open ABI allows programs to access up to + * 288 bytes below the stack pointer. +- * The kernel signal delivery code writes up to about 1.5kB ++ * The kernel signal delivery code writes a bit over 4KB + * below the stack pointer (r1) before decrementing it. + * The exec code can write slightly over 640kB to the stack + * before setting the user r1. Thus we allow the stack to +@@ -256,7 +259,7 @@ static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address, + * between the last mapped region and the stack will + * expand the stack rather than segfaulting. 
+ */ +- if (address + 2048 >= uregs->gpr[1]) ++ if (address + SIGFRAME_MAX_SIZE >= uregs->gpr[1]) + return false; + + if ((flags & FAULT_FLAG_WRITE) && (flags & FAULT_FLAG_USER) && +-- +2.25.1 + diff --git a/queue-4.14/powerpc-mm-only-read-faulting-instruction-when-neces.patch b/queue-4.14/powerpc-mm-only-read-faulting-instruction-when-neces.patch new file mode 100644 index 00000000000..d121e8903e3 --- /dev/null +++ b/queue-4.14/powerpc-mm-only-read-faulting-instruction-when-neces.patch 
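Review bot: `SIGFRAME_MAX_SIZE (4096 + 128)` is a hand-copied size, and the one-line comment above it does not tell the next person what to re-measure when the signal frame grows again. The commit message says sizeof() cannot be used because the structure is not in a header, so the comment should at least name the inputs and the consequence: 4096 is sizeof(struct rt_sigframe) on 64-bit with transactional memory and a 512-byte red zone, 128 is __SIGNAL_FRAMESIZE, and a stale value makes signal delivery fault once the stack has grown past 1MB. The macro is applied unconditionally in bad_stack_expansion(), so on 32-bit it presumably allows more slack below r1 than the frame needs, which the comment could acknowledge. bad_stack_expansion() continues outside the hunks shown.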
@@ -0,0 +1,180 @@ +From 97bc69821cb47fedda5ad696f9df2e1677284a26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 May 2018 10:53:22 +0200 +Subject: powerpc/mm: Only read faulting instruction when necessary in + do_page_fault() + +From: Christophe Leroy + +[ Upstream commit 0e36b0d12501e278686634712975b785bae11641 ] + +Commit a7a9dcd882a67 ("powerpc: Avoid taking a data miss on every +userspace instruction miss") has shown that limiting the read of +faulting instruction to likely cases improves performance. + +This patch goes further into this direction by limiting the read +of the faulting instruction to the only cases where it is likely +needed. + +On an MPC885, with the same benchmark app as in the commit referred +above, we see a reduction of about 3900 dTLB misses (approx 3%): + +Before the patch: + Performance counter stats for './fault 500' (10 runs): + + 683033312 cpu-cycles ( +- 0.03% ) + 134538 dTLB-load-misses ( +- 0.03% ) + 46099 iTLB-load-misses ( +- 0.02% ) + 19681 faults ( +- 0.02% ) + + 5.389747878 seconds time elapsed ( +- 0.06% ) + +With the patch: + + Performance counter stats for './fault 500' (10 runs): + + 682112862 cpu-cycles ( +- 0.03% ) + 130619 dTLB-load-misses ( +- 0.03% ) + 46073 iTLB-load-misses ( +- 0.05% ) + 19681 faults ( +- 0.01% ) + + 5.381342641 seconds time elapsed ( +- 0.07% ) + +The proper work of the huge stack expansion was tested with the +following app: + +int main(int argc, char **argv) +{ + char buf[1024 * 1025]; + + sprintf(buf, "Hello world !\n"); + printf(buf); + + exit(0); +} + +Signed-off-by: Christophe Leroy +Reviewed-by: Nicholas Piggin +[mpe: Add include of pagemap.h to fix build errors] +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/fault.c | 50 ++++++++++++++++++++++++++++------------- + 1 file changed, 34 insertions(+), 16 deletions(-) + +diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c +index 5fc8a010fdf07..998c77e600a43 100644 +--- 
a/arch/powerpc/mm/fault.c ++++ b/arch/powerpc/mm/fault.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -66,15 +67,11 @@ static inline bool notify_page_fault(struct pt_regs *regs) + } + + /* +- * Check whether the instruction at regs->nip is a store using ++ * Check whether the instruction inst is a store using + * an update addressing form which will update r1. + */ +-static bool store_updates_sp(struct pt_regs *regs) ++static bool store_updates_sp(unsigned int inst) + { +- unsigned int inst; +- +- if (get_user(inst, (unsigned int __user *)regs->nip)) +- return false; + /* check for 1 in the rA field */ + if (((inst >> 16) & 0x1f) != 1) + return false; +@@ -228,8 +225,8 @@ static bool bad_kernel_fault(bool is_exec, unsigned long error_code, + } + + static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address, +- struct vm_area_struct *vma, +- bool store_update_sp) ++ struct vm_area_struct *vma, unsigned int flags, ++ bool *must_retry) + { + /* + * N.B. The POWER/Open ABI allows programs to access up to +@@ -241,6 +238,7 @@ static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address, + * expand to 1MB without further checks. + */ + if (address + 0x100000 < vma->vm_end) { ++ unsigned int __user *nip = (unsigned int __user *)regs->nip; + /* get user regs even if this fault is in kernel mode */ + struct pt_regs *uregs = current->thread.regs; + if (uregs == NULL) +@@ -258,8 +256,22 @@ static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address, + * between the last mapped region and the stack will + * expand the stack rather than segfaulting. 
+ */ +- if (address + 2048 < uregs->gpr[1] && !store_update_sp) +- return true; ++ if (address + 2048 >= uregs->gpr[1]) ++ return false; ++ ++ if ((flags & FAULT_FLAG_WRITE) && (flags & FAULT_FLAG_USER) && ++ access_ok(VERIFY_READ, nip, sizeof(*nip))) { ++ unsigned int inst; ++ int res; ++ ++ pagefault_disable(); ++ res = __get_user_inatomic(inst, nip); ++ pagefault_enable(); ++ if (!res) ++ return !store_updates_sp(inst); ++ *must_retry = true; ++ } ++ return true; + } + return false; + } +@@ -392,7 +404,7 @@ static int __do_page_fault(struct pt_regs *regs, unsigned long address, + int is_user = user_mode(regs); + int is_write = page_fault_is_write(error_code); + int fault, major = 0; +- bool store_update_sp = false; ++ bool must_retry = false; + + if (notify_page_fault(regs)) + return 0; +@@ -439,9 +451,6 @@ static int __do_page_fault(struct pt_regs *regs, unsigned long address, + * can result in fault, which will cause a deadlock when called with + * mmap_sem held + */ +- if (is_write && is_user) +- store_update_sp = store_updates_sp(regs); +- + if (is_user) + flags |= FAULT_FLAG_USER; + if (is_write) +@@ -488,8 +497,17 @@ retry: + return bad_area(regs, address); + + /* The stack is being expanded, check if it's valid */ +- if (unlikely(bad_stack_expansion(regs, address, vma, store_update_sp))) +- return bad_area(regs, address); ++ if (unlikely(bad_stack_expansion(regs, address, vma, flags, ++ &must_retry))) { ++ if (!must_retry) ++ return bad_area(regs, address); ++ ++ up_read(&mm->mmap_sem); ++ if (fault_in_pages_readable((const char __user *)regs->nip, ++ sizeof(unsigned int))) ++ return bad_area_nosemaphore(regs, address); ++ goto retry; ++ } + + /* Try to expand it */ + if (unlikely(expand_stack(vma, address))) +-- +2.25.1 + diff --git a/queue-4.14/powerpc-pseries-do-not-initiate-shutdown-when-system.patch b/queue-4.14/powerpc-pseries-do-not-initiate-shutdown-when-system.patch new file mode 100644 index 00000000000..3565a08719f --- /dev/null 
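Review bot: `must_retry` is set to true in bad_stack_expansion() when `__get_user_inatomic()` fails, but nothing visible ever clears it, and `__do_page_fault()` initialises it once before the `retry:` label. If the second pass reads the instruction successfully and it is not a store-with-update, bad_stack_expansion() returns true with the stale flag still set, so the caller takes the `goto retry` path again instead of `bad_area()`; as far as these hunks show, that repeats indefinitely. Resetting the flag on entry, `*must_retry = false;` as the first statement of bad_stack_expansion(), makes each pass decide on its own. Both functions extend beyond the hunks, so a reset elsewhere cannot be ruled out from here.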
+++ b/queue-4.14/powerpc-pseries-do-not-initiate-shutdown-when-system.patch 
@@ -0,0 +1,71 @@ +From 1d416946e66a28c77f806baab4fd1a60b82f76e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 11:48:44 +0530 +Subject: powerpc/pseries: Do not initiate shutdown when system is running on + UPS + +From: Vasant Hegde + +commit 90a9b102eddf6a3f987d15f4454e26a2532c1c98 upstream. + +As per PAPR we have to look for both EPOW sensor value and event +modifier to identify the type of event and take appropriate action. + +In LoPAPR v1.1 section 10.2.2 includes table 136 "EPOW Action Codes": + + SYSTEM_SHUTDOWN 3 + + The system must be shut down. An EPOW-aware OS logs the EPOW error + log information, then schedules the system to be shut down to begin + after an OS defined delay internal (default is 10 minutes.) + +Then in section 10.3.2.2.8 there is table 146 "Platform Event Log +Format, Version 6, EPOW Section", which includes the "EPOW Event +Modifier": + + For EPOW sensor value = 3 + 0x01 = Normal system shutdown with no additional delay + 0x02 = Loss of utility power, system is running on UPS/Battery + 0x03 = Loss of system critical functions, system should be shutdown + 0x04 = Ambient temperature too high + All other values = reserved + +We have a user space tool (rtas_errd) on LPAR to monitor for +EPOW_SHUTDOWN_ON_UPS. Once it gets an event it initiates shutdown +after predefined time. It also starts monitoring for any new EPOW +events. If it receives "Power restored" event before predefined time +it will cancel the shutdown. Otherwise after predefined time it will +shutdown the system. + +Commit 79872e35469b ("powerpc/pseries: All events of +EPOW_SYSTEM_SHUTDOWN must initiate shutdown") changed our handling of +the "on UPS/Battery" case, to immediately shutdown the system. This +breaks existing setups that rely on the userspace tool to delay +shutdown and let the system run on the UPS. 
+ +Fixes: 79872e35469b ("powerpc/pseries: All events of EPOW_SYSTEM_SHUTDOWN must initiate shutdown") +Cc: stable@vger.kernel.org # v4.0+ +Signed-off-by: Vasant Hegde +[mpe: Massage change log and add PAPR references] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200820061844.306460-1-hegdevasant@linux.vnet.ibm.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/pseries/ras.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/powerpc/platforms/pseries/ras.c b/arch/powerpc/platforms/pseries/ras.c +index 5ec935521204a..8d20d49b252a0 100644 +--- a/arch/powerpc/platforms/pseries/ras.c ++++ b/arch/powerpc/platforms/pseries/ras.c +@@ -115,7 +115,6 @@ static void handle_system_shutdown(char event_modifier) + case EPOW_SHUTDOWN_ON_UPS: + pr_emerg("Loss of system power detected. System is running on" + " UPS/battery. Check RTAS error log for details\n"); +- orderly_poweroff(true); + break; + + case EPOW_SHUTDOWN_LOSS_OF_CRITICAL_FUNCTIONS: +-- +2.25.1 + diff --git a/queue-4.14/powerpc-xive-ignore-kmemleak-false-positives.patch b/queue-4.14/powerpc-xive-ignore-kmemleak-false-positives.patch new file mode 100644 index 00000000000..5499ae92e2c --- /dev/null +++ b/queue-4.14/powerpc-xive-ignore-kmemleak-false-positives.patch 
@@ -0,0 +1,63 @@ +From d5c37299d5921037fb0509ce39229684db512471 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jun 2020 14:33:03 +1000 +Subject: powerpc/xive: Ignore kmemleak false positives + +From: Alexey Kardashevskiy + +[ Upstream commit f0993c839e95dd6c7f054a1015e693c87e33e4fb ] + +xive_native_provision_pages() allocates memory and passes the pointer to +OPAL so kmemleak cannot find the pointer usage in the kernel memory and +produces a false positive report (below) (even if the kernel did scan +OPAL memory, it is unable to deal with __pa() addresses anyway). + +This silences the warning. + +unreferenced object 0xc000200350c40000 (size 65536): + comm "qemu-system-ppc", pid 2725, jiffies 4294946414 (age 70776.530s) + hex dump (first 32 bytes): + 02 00 00 00 50 00 00 00 00 00 00 00 00 00 00 00 ....P........... + 01 00 08 07 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<0000000081ff046c>] xive_native_alloc_vp_block+0x120/0x250 + [<00000000d555d524>] kvmppc_xive_compute_vp_id+0x248/0x350 [kvm] + [<00000000d69b9c9f>] kvmppc_xive_connect_vcpu+0xc0/0x520 [kvm] + [<000000006acbc81c>] kvm_arch_vcpu_ioctl+0x308/0x580 [kvm] + [<0000000089c69580>] kvm_vcpu_ioctl+0x19c/0xae0 [kvm] + [<00000000902ae91e>] ksys_ioctl+0x184/0x1b0 + [<00000000f3e68bd7>] sys_ioctl+0x48/0xb0 + [<0000000001b2c127>] system_call_exception+0x124/0x1f0 + [<00000000d2b2ee40>] system_call_common+0xe8/0x214 + +Signed-off-by: Alexey Kardashevskiy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200612043303.84894-1-aik@ozlabs.ru +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/xive/native.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/sysdev/xive/native.c b/arch/powerpc/sysdev/xive/native.c +index 30cdcbfa1c04e..b0e96f4b728c1 100644 +--- a/arch/powerpc/sysdev/xive/native.c ++++ b/arch/powerpc/sysdev/xive/native.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -630,6 +631,7 @@ 
static bool xive_native_provision_pages(void) + pr_err("Failed to allocate provisioning page\n"); + return false; + } ++ kmemleak_ignore(p); + opal_xive_donate_page(chip, __pa(p)); + } + return true; +-- +2.25.1 + diff --git a/queue-4.14/romfs-fix-uninitialized-memory-leak-in-romfs_dev_rea.patch b/queue-4.14/romfs-fix-uninitialized-memory-leak-in-romfs_dev_rea.patch new file mode 100644 index 00000000000..0d11f81308b --- /dev/null +++ b/queue-4.14/romfs-fix-uninitialized-memory-leak-in-romfs_dev_rea.patch 
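Review bot: The added `kmemleak_ignore(p);` in xive_native_provision_pages() has no comment, and the reason for it lives only in the commit message. A one-line comment such as `/* page is donated to OPAL; kmemleak cannot see the firmware's reference */` would stop the call from being removed as apparently dead code later. The function starts outside the hunk.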
@@ -0,0 +1,59 @@ +From af364329998e3757517e7c5f01314b5ef61cd0c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 17:42:11 -0700 +Subject: romfs: fix uninitialized memory leak in romfs_dev_read() + +From: Jann Horn + +commit bcf85fcedfdd17911982a3e3564fcfec7b01eebd upstream. + +romfs has a superblock field that limits the size of the filesystem; data +beyond that limit is never accessed. + +romfs_dev_read() fetches a caller-supplied number of bytes from the +backing device. It returns 0 on success or an error code on failure; +therefore, its API can't represent short reads, it's all-or-nothing. + +However, when romfs_dev_read() detects that the requested operation would +cross the filesystem size limit, it currently silently truncates the +requested number of bytes. This e.g. means that when the content of a +file with size 0x1000 starts one byte before the filesystem size limit, +->readpage() will only fill a single byte of the supplied page while +leaving the rest uninitialized, leaking that uninitialized memory to +userspace. + +Fix it by returning an error code instead of truncating the read when the +requested read operation would go beyond the end of the filesystem. 
+ +Fixes: da4458bda237 ("NOMMU: Make it possible for RomFS to use MTD devices directly") +Signed-off-by: Jann Horn +Signed-off-by: Andrew Morton +Reviewed-by: Greg Kroah-Hartman +Cc: David Howells +Cc: +Link: http://lkml.kernel.org/r/20200818013202.2246365-1-jannh@google.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/romfs/storage.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/fs/romfs/storage.c b/fs/romfs/storage.c +index f86f51f99aceb..1dcadd22b440d 100644 +--- a/fs/romfs/storage.c ++++ b/fs/romfs/storage.c +@@ -221,10 +221,8 @@ int romfs_dev_read(struct super_block *sb, unsigned long pos, + size_t limit; + + limit = romfs_maxsize(sb); +- if (pos >= limit) ++ if (pos >= limit || buflen > limit - pos) + return -EIO; +- if (buflen > limit - pos) +- buflen = limit - pos; + + #ifdef CONFIG_ROMFS_ON_MTD + if (sb->s_mtd) +-- +2.25.1 + diff --git a/queue-4.14/rtc-goldfish-enable-interrupt-in-set_alarm-when-nece.patch b/queue-4.14/rtc-goldfish-enable-interrupt-in-set_alarm-when-nece.patch new file mode 100644 index 00000000000..a017ed3ac7a --- /dev/null +++ b/queue-4.14/rtc-goldfish-enable-interrupt-in-set_alarm-when-nece.patch 
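Review bot: The new check `if (pos >= limit || buflen > limit - pos)` in romfs_dev_read() changes the function from silently truncating to all-or-nothing, and that contract is not written down at the check. A comment such as `/* all-or-nothing: a read crossing the filesystem limit fails with -EIO, never returns short */` would document why the old clamp must not come back. The ordering matters as well: `limit - pos` is only evaluated once `pos < limit` is known, so the subtraction cannot wrap, and the comment could say so. The body of romfs_dev_read() continues outside the hunk.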
@@ -0,0 +1,39 @@
+From b193921e3d278603b0fd31f755a53e9a7cb82007 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 20 Jun 2020 20:04:43 +0800
+Subject: rtc: goldfish: Enable interrupt in set_alarm() when necessary
+
+From: Huacai Chen
+
+[ Upstream commit 22f8d5a1bf230cf8567a4121fc3789babb46336d ]
+
+When use goldfish rtc, the "hwclock" command fails with "select() to
+/dev/rtc to wait for clock tick timed out". This is because "hwclock"
+need the set_alarm() hook to enable interrupt when alrm->enabled is
+true. This operation is missing in goldfish rtc (but other rtc drivers,
+such as cmos rtc, enable interrupt here), so add it.
+
+Signed-off-by: Huacai Chen
+Signed-off-by: Jiaxun Yang
+Signed-off-by: Alexandre Belloni
+Link: https://lore.kernel.org/r/1592654683-31314-1-git-send-email-chenhc@lemote.com
+Signed-off-by: Sasha Levin
+---
+ drivers/rtc/rtc-goldfish.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/rtc/rtc-goldfish.c b/drivers/rtc/rtc-goldfish.c
+index a1c44d0c85578..30cbe22c57a8e 100644
+--- a/drivers/rtc/rtc-goldfish.c
++++ b/drivers/rtc/rtc-goldfish.c
+@@ -87,6 +87,7 @@ static int goldfish_rtc_set_alarm(struct device *dev,
+ rtc_alarm64 = rtc_alarm * NSEC_PER_SEC;
+ writel((rtc_alarm64 >> 32), base + TIMER_ALARM_HIGH);
+ writel(rtc_alarm64, base + TIMER_ALARM_LOW);
++ writel(1, base + TIMER_IRQ_ENABLED);
+ } else {
+ /*
+ * if this function was called with enabled=0
+--
+2.25.1
+
diff --git a/queue-4.14/rtlwifi-rtl8192cu-prevent-leaking-urb.patch b/queue-4.14/rtlwifi-rtl8192cu-prevent-leaking-urb.patch
new file mode 100644
index 00000000000..44c59c1c722
--- /dev/null
+++ b/queue-4.14/rtlwifi-rtl8192cu-prevent-leaking-urb.patch
@@ -0,0 +1,40 @@
+From 033e75da45598d82cea3f88a32e862d545fa7170 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 Jun 2020 15:21:12 +0200
+Subject: rtlwifi: rtl8192cu: Prevent leaking urb
+
+From: Reto Schneider
+
+[ Upstream commit 03128643eb5453a798db5770952c73dc64fcaf00 ]
+
+If usb_submit_urb fails the allocated urb should be unanchored and
+released.
+
+Signed-off-by: Reto Schneider
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20200622132113.14508-3-code@reto-schneider.ch
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/realtek/rtlwifi/usb.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
+index 7a050a75bdcbb..4fa4d877f913b 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
+@@ -739,8 +739,11 @@ static int _rtl_usb_receive(struct ieee80211_hw *hw)
+
+ usb_anchor_urb(urb, &rtlusb->rx_submitted);
+ err = usb_submit_urb(urb, GFP_KERNEL);
+- if (err)
++ if (err) {
++ usb_unanchor_urb(urb);
++ usb_free_urb(urb);
+ goto err_out;
++ }
+ usb_free_urb(urb);
+ }
+ return 0;
+--
+2.25.1
+
diff --git a/queue-4.14/scsi-fcoe-memory-leak-fix-in-fcoe_sysfs_fcf_del.patch b/queue-4.14/scsi-fcoe-memory-leak-fix-in-fcoe_sysfs_fcf_del.patch
new file mode 100644
index 00000000000..09e9ffa6487
--- /dev/null
+++ b/queue-4.14/scsi-fcoe-memory-leak-fix-in-fcoe_sysfs_fcf_del.patch
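Review bot: The new error branch after `usb_submit_urb()` in _rtl_usb_receive() releases the urb but not whatever receive buffer was attached to it before the hunk starts. If that buffer is allocated separately (the setup is outside the hunk) and is not released by `usb_free_urb()`, it still leaks on this path and needs its own free before `goto err_out;`. The function begins above the hunk, so this needs checking against the urb preparation code.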
@@ -0,0 +1,44 @@
+From dcf3758e12834d7a1fc58ffbdf9e0c2244427236 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 29 Jul 2020 01:18:24 -0700
+Subject: scsi: fcoe: Memory leak fix in fcoe_sysfs_fcf_del()
+
+From: Javed Hasan
+
+[ Upstream commit e95b4789ff4380733006836d28e554dc296b2298 ]
+
+In fcoe_sysfs_fcf_del(), we first deleted the fcf from the list and then
+freed it if ctlr_dev was not NULL. This was causing a memory leak.
+
+Free the fcf even if ctlr_dev is NULL.
+
+Link: https://lore.kernel.org/r/20200729081824.30996-3-jhasan@marvell.com
+Reviewed-by: Girish Basrur
+Reviewed-by: Santosh Vernekar
+Reviewed-by: Saurav Kashyap
+Reviewed-by: Shyam Sundar
+Signed-off-by: Javed Hasan
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/fcoe/fcoe_ctlr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/fcoe/fcoe_ctlr.c b/drivers/scsi/fcoe/fcoe_ctlr.c
+index d95ba1a07ba3b..eaab59afd90c7 100644
+--- a/drivers/scsi/fcoe/fcoe_ctlr.c
++++ b/drivers/scsi/fcoe/fcoe_ctlr.c
+@@ -267,9 +267,9 @@ static void fcoe_sysfs_fcf_del(struct fcoe_fcf *new)
+ WARN_ON(!fcf_dev);
+ new->fcf_dev = NULL;
+ fcoe_fcf_device_delete(fcf_dev);
+- kfree(new);
+ mutex_unlock(&cdev->lock);
+ }
++ kfree(new);
+ }
+
+ /**
+--
+2.25.1
+
diff --git a/queue-4.14/scsi-iscsi-do-not-put-host-in-iscsi_set_flashnode_pa.patch b/queue-4.14/scsi-iscsi-do-not-put-host-in-iscsi_set_flashnode_pa.patch
new file mode 100644
index 00000000000..ba67143f72c
--- /dev/null
+++ b/queue-4.14/scsi-iscsi-do-not-put-host-in-iscsi_set_flashnode_pa.patch
@@ -0,0 +1,37 @@
+From 3ad7edaa250ea2a84107de913d3cfe447917077b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 Jun 2020 16:12:26 +0800
+Subject: scsi: iscsi: Do not put host in iscsi_set_flashnode_param()
+
+From: Jing Xiangfeng
+
+[ Upstream commit 68e12e5f61354eb42cfffbc20a693153fc39738e ]
+
+If scsi_host_lookup() fails we will jump to put_host which may cause a
+panic. Jump to exit_set_fnode instead.
+
+Link: https://lore.kernel.org/r/20200615081226.183068-1-jingxiangfeng@huawei.com
+Reviewed-by: Mike Christie
+Signed-off-by: Jing Xiangfeng
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/scsi_transport_iscsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index 9589015234693..c3170500a1a1d 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -3172,7 +3172,7 @@ static int iscsi_set_flashnode_param(struct iscsi_transport *transport,
+ pr_err("%s could not find host no %u\n",
+ __func__, ev->u.set_flashnode.host_no);
+ err = -ENODEV;
+- goto put_host;
++ goto exit_set_fnode;
+ }
+
+ idx = ev->u.set_flashnode.flashnode_idx;
+--
+2.25.1
+
diff --git a/queue-4.14/scsi-libfc-free-skb-in-fc_disc_gpn_id_resp-for-valid.patch b/queue-4.14/scsi-libfc-free-skb-in-fc_disc_gpn_id_resp-for-valid.patch
new file mode 100644
index 00000000000..f857ae705fb
--- /dev/null
+++ b/queue-4.14/scsi-libfc-free-skb-in-fc_disc_gpn_id_resp-for-valid.patch
@@ -0,0 +1,66 @@
+From 651df0aef8219edc4706cefc976e67b03c253001 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 29 Jul 2020 01:18:23 -0700
+Subject: scsi: libfc: Free skb in fc_disc_gpn_id_resp() for valid cases
+
+From: Javed Hasan
+
+[ Upstream commit ec007ef40abb6a164d148b0dc19789a7a2de2cc8 ]
+
+In fc_disc_gpn_id_resp(), skb is supposed to get freed in all cases except
+for PTR_ERR. However, in some cases it didn't.
+
+This fix is to call fc_frame_free(fp) before function returns.
+
+Link: https://lore.kernel.org/r/20200729081824.30996-2-jhasan@marvell.com
+Reviewed-by: Girish Basrur
+Reviewed-by: Santosh Vernekar
+Reviewed-by: Saurav Kashyap
+Reviewed-by: Shyam Sundar
+Signed-off-by: Javed Hasan
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/libfc/fc_disc.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/libfc/fc_disc.c b/drivers/scsi/libfc/fc_disc.c
+index 28b50ab2fbb01..62f83cc151b22 100644
+--- a/drivers/scsi/libfc/fc_disc.c
++++ b/drivers/scsi/libfc/fc_disc.c
+@@ -605,8 +605,12 @@ static void fc_disc_gpn_id_resp(struct fc_seq *sp, struct fc_frame *fp,
+
+ if (PTR_ERR(fp) == -FC_EX_CLOSED)
+ goto out;
+- if (IS_ERR(fp))
+- goto redisc;
++ if (IS_ERR(fp)) {
++ mutex_lock(&disc->disc_mutex);
++ fc_disc_restart(disc);
++ mutex_unlock(&disc->disc_mutex);
++ goto out;
++ }
+
+ cp = fc_frame_payload_get(fp, sizeof(*cp));
+ if (!cp)
+@@ -633,7 +637,7 @@ static void fc_disc_gpn_id_resp(struct fc_seq *sp, struct fc_frame *fp,
+ new_rdata->disc_id = disc->disc_id;
+ fc_rport_login(new_rdata);
+ }
+- goto out;
++ goto free_fp;
+ }
+ rdata->disc_id = disc->disc_id;
+ mutex_unlock(&rdata->rp_mutex);
+@@ -650,6 +654,8 @@ redisc:
+ fc_disc_restart(disc);
+ mutex_unlock(&disc->disc_mutex);
+ }
++free_fp:
++ fc_frame_free(fp);
+ out:
+ kref_put(&rdata->kref, fc_rport_destroy);
+ if (!IS_ERR(fp))
+--
+2.25.1
+
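Review bot: The new `free_fp:` label falls straight through into `out:`, and the last context line there is `if (!IS_ERR(fp))`, which looks like the guard of an existing frame release just past the end of the hunk. If the guarded statement is `fc_frame_free(fp);`, every path that reaches `free_fp` (the new `goto free_fp;` and the fall-through from the `redisc:` block) frees the frame twice. Either drop the `free_fp:` label with its `fc_frame_free(fp);` and let the guarded release under `out:` cover these paths, or remove that release so only one remains. The function begins and ends outside the hunks, so this needs confirming against the full body.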
diff --git a/queue-4.14/scsi-lpfc-fix-shost-refcount-mismatch-when-deleting-.patch b/queue-4.14/scsi-lpfc-fix-shost-refcount-mismatch-when-deleting-.patch
new file mode 100644
index 00000000000..b1bb39524e6
--- /dev/null
+++ b/queue-4.14/scsi-lpfc-fix-shost-refcount-mismatch-when-deleting-.patch
@@ -0,0 +1,86 @@ +From 9166fa31987107b2d523e43f58f66158fa1963d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jun 2020 14:49:54 -0700 +Subject: scsi: lpfc: Fix shost refcount mismatch when deleting vport + +From: Dick Kennedy + +[ Upstream commit 03dbfe0668e6692917ac278883e0586cd7f7d753 ] + +When vports are deleted, it is observed that there is memory/kthread +leakage as the vport isn't fully being released. + +There is a shost reference taken in scsi_add_host_dma that is not released +during scsi_remove_host. It was noticed that other drivers resolve this by +doing a scsi_host_put after calling scsi_remove_host. + +The vport_delete routine is taking two references one that corresponds to +an access to the scsi_host in the vport_delete routine and another that is +released after the adapter mailbox command completes that destroys the VPI +that corresponds to the vport. + +Remove one of the references taken such that the second reference that is +put will complete the missing scsi_add_host_dma reference and the shost +will be terminated. + +Link: https://lore.kernel.org/r/20200630215001.70793-8-jsmart2021@gmail.com +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_vport.c | 26 ++++++++------------------ + 1 file changed, 8 insertions(+), 18 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_vport.c b/drivers/scsi/lpfc/lpfc_vport.c +index c714482bf4c55..9c738e201f462 100644 +--- a/drivers/scsi/lpfc/lpfc_vport.c ++++ b/drivers/scsi/lpfc/lpfc_vport.c +@@ -644,27 +644,16 @@ lpfc_vport_delete(struct fc_vport *fc_vport) + vport->port_state < LPFC_VPORT_READY) + return -EAGAIN; + } ++ + /* +- * This is a bit of a mess. We want to ensure the shost doesn't get +- * torn down until we're done with the embedded lpfc_vport structure. 
+- * +- * Beyond holding a reference for this function, we also need a +- * reference for outstanding I/O requests we schedule during delete +- * processing. But once we scsi_remove_host() we can no longer obtain +- * a reference through scsi_host_get(). +- * +- * So we take two references here. We release one reference at the +- * bottom of the function -- after delinking the vport. And we +- * release the other at the completion of the unreg_vpi that get's +- * initiated after we've disposed of all other resources associated +- * with the port. ++ * Take early refcount for outstanding I/O requests we schedule during ++ * delete processing for unreg_vpi. Always keep this before ++ * scsi_remove_host() as we can no longer obtain a reference through ++ * scsi_host_get() after scsi_host_remove as shost is set to SHOST_DEL. + */ + if (!scsi_host_get(shost)) + return VPORT_INVAL; +- if (!scsi_host_get(shost)) { +- scsi_host_put(shost); +- return VPORT_INVAL; +- } ++ + lpfc_free_sysfs_attr(vport); + + lpfc_debugfs_terminate(vport); +@@ -811,8 +800,9 @@ skip_logo: + if (!(vport->vpi_state & LPFC_VPI_REGISTERED) || + lpfc_mbx_unreg_vpi(vport)) + scsi_host_put(shost); +- } else ++ } else { + scsi_host_put(shost); ++ } + + lpfc_free_vpi(phba, vport->vpi); + vport->work_port_events = 0; +-- +2.25.1 + diff --git a/queue-4.14/scsi-target-tcmu-fix-crash-on-arm-during-cmd-complet.patch b/queue-4.14/scsi-target-tcmu-fix-crash-on-arm-during-cmd-complet.patch new file mode 100644 index 00000000000..253088ad774 --- /dev/null +++ b/queue-4.14/scsi-target-tcmu-fix-crash-on-arm-during-cmd-complet.patch 
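Review bot: With the second `scsi_host_get()` removed, the `scsi_host_put(shost)` calls in the last hunk of lpfc_vport_delete() may now drop the final reference, yet the context lines right after them still use the vport (`lpfc_free_vpi(phba, vport->vpi);`, `vport->work_port_events = 0;`). The removed comment described the lpfc_vport as embedded in the shost, so if that put can be the last one, these accesses would touch freed memory; the put should move below the last use of `vport`, or the new comment should spell out why the shost outlives them. The new comment also says `scsi_host_remove` where the function it names a line earlier is `scsi_remove_host()`. The function continues outside the hunks.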
@@ -0,0 +1,57 @@
+From fc2c3a19b9f6aae193c47a44a77db9bd8f2dfb28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Jun 2020 11:37:56 +0200
+Subject: scsi: target: tcmu: Fix crash on ARM during cmd completion
+
+From: Bodo Stroesser
+
+[ Upstream commit 5a0c256d96f020e4771f6fd5524b80f89a2d3132 ]
+
+If tcmu_handle_completions() has to process a padding shorter than
+sizeof(struct tcmu_cmd_entry), the current call to
+tcmu_flush_dcache_range() with sizeof(struct tcmu_cmd_entry) as length
+param is wrong and causes crashes on e.g. ARM, because
+tcmu_flush_dcache_range() in this case calls
+flush_dcache_page(vmalloc_to_page(start)); with start being an invalid
+address above the end of the vmalloc'ed area.
+
+The fix is to use the minimum of remaining ring space and sizeof(struct
+tcmu_cmd_entry) as the length param.
+
+The patch was tested on kernel 4.19.118.
+
+See https://bugzilla.kernel.org/show_bug.cgi?id=208045#c10
+
+Link: https://lore.kernel.org/r/20200629093756.8947-1-bstroesser@ts.fujitsu.com
+Tested-by: JiangYu
+Acked-by: Mike Christie
+Signed-off-by: Bodo Stroesser
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/target/target_core_user.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
+index c4a5fb6f038fc..96601fda47b18 100644
+--- a/drivers/target/target_core_user.c
++++ b/drivers/target/target_core_user.c
+@@ -997,7 +997,14 @@ static unsigned int tcmu_handle_completions(struct tcmu_dev *udev)
+ struct tcmu_cmd_entry *entry = (void *) mb + CMDR_OFF + udev->cmdr_last_cleaned;
+ struct tcmu_cmd *cmd;
+
+- tcmu_flush_dcache_range(entry, sizeof(*entry));
++ /*
++ * Flush max. up to end of cmd ring since current entry might
++ * be a padding that is shorter than sizeof(*entry)
++ */
++ size_t ring_left = head_to_end(udev->cmdr_last_cleaned,
++ udev->cmdr_size);
++ tcmu_flush_dcache_range(entry, ring_left < sizeof(*entry) ?
++ ring_left : sizeof(*entry));
+
+ if (tcmu_hdr_get_op(entry->hdr.len_op) == TCMU_OP_PAD) {
+ UPDATE_HEAD(udev->cmdr_last_cleaned,
+--
+2.25.1
+
diff --git a/queue-4.14/scsi-ufs-add-delay_before_lpm-quirk-for-micron-devic.patch b/queue-4.14/scsi-ufs-add-delay_before_lpm-quirk-for-micron-devic.patch
new file mode 100644
index 00000000000..1e71b2f0afd
--- /dev/null
+++ b/queue-4.14/scsi-ufs-add-delay_before_lpm-quirk-for-micron-devic.patch
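Review bot: The clamp on the flush length in tcmu_handle_completions() is open-coded as a two-line ternary; the kernel's own helper states the intent directly, `tcmu_flush_dcache_range(entry, min_t(size_t, ring_left, sizeof(*entry)));`. Separately, the next context line reads `entry->hdr.len_op`, and the hunk does not show whether `ring_left` can ever be smaller than the entry header itself. If the ring layout guarantees at least a header's worth of space before the end, a sentence saying so in the new comment would close that question for the next reader. The function body continues outside the hunk.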
@@ -0,0 +1,52 @@
+From b8ffc0d259c1109b12071cb2a8a94433801d4278 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 12 Jun 2020 09:26:24 +0800
+Subject: scsi: ufs: Add DELAY_BEFORE_LPM quirk for Micron devices
+
+From: Stanley Chu
+
+[ Upstream commit c0a18ee0ce78d7957ec1a53be35b1b3beba80668 ]
+
+It is confirmed that Micron device needs DELAY_BEFORE_LPM quirk to have a
+delay before VCC is powered off. Sdd Micron vendor ID and this quirk for
+Micron devices.
+
+Link: https://lore.kernel.org/r/20200612012625.6615-2-stanley.chu@mediatek.com
+Reviewed-by: Bean Huo
+Reviewed-by: Alim Akhtar
+Signed-off-by: Stanley Chu
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/ufs/ufs_quirks.h | 1 +
+ drivers/scsi/ufs/ufshcd.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/drivers/scsi/ufs/ufs_quirks.h b/drivers/scsi/ufs/ufs_quirks.h
+index 71f73d1d1ad1f..6c944fbefd40a 100644
+--- a/drivers/scsi/ufs/ufs_quirks.h
++++ b/drivers/scsi/ufs/ufs_quirks.h
+@@ -21,6 +21,7 @@
+ #define UFS_ANY_VENDOR 0xFFFF
+ #define UFS_ANY_MODEL "ANY_MODEL"
+
++#define UFS_VENDOR_MICRON 0x12C
+ #define UFS_VENDOR_TOSHIBA 0x198
+ #define UFS_VENDOR_SAMSUNG 0x1CE
+ #define UFS_VENDOR_SKHYNIX 0x1AD
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 1e2a97a10033b..11e917b44a0f1 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -189,6 +189,8 @@ ufs_get_desired_pm_lvl_for_dev_link_state(enum ufs_dev_pwr_mode dev_state,
+
+ static struct ufs_dev_fix ufs_fixups[] = {
+ /* UFS cards deviations table */
++ UFS_FIX(UFS_VENDOR_MICRON, UFS_ANY_MODEL,
++ UFS_DEVICE_QUIRK_DELAY_BEFORE_LPM),
+ UFS_FIX(UFS_VENDOR_SAMSUNG, UFS_ANY_MODEL,
+ UFS_DEVICE_QUIRK_DELAY_BEFORE_LPM),
+ UFS_FIX(UFS_VENDOR_SAMSUNG, UFS_ANY_MODEL, UFS_DEVICE_NO_VCCQ),
+--
+2.25.1
+
diff --git a/queue-4.14/selftests-powerpc-purge-extra-count_pmc-calls-of-ebb.patch b/queue-4.14/selftests-powerpc-purge-extra-count_pmc-calls-of-ebb.patch new file mode 100644 index 00000000000..339e844bc90 --- /dev/null +++ b/queue-4.14/selftests-powerpc-purge-extra-count_pmc-calls-of-ebb.patch 
@@ -0,0 +1,204 @@ +From 966a58855d804b1e9408f97a2689046fcf582df0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jun 2020 13:47:37 -0300 +Subject: selftests/powerpc: Purge extra count_pmc() calls of ebb selftests + +From: Desnes A. Nunes do Rosario + +[ Upstream commit 3337bf41e0dd70b4064cdf60acdfcdc2d050066c ] + +An extra count on ebb_state.stats.pmc_count[PMC_INDEX(pmc)] is being per- +formed when count_pmc() is used to reset PMCs on a few selftests. This +extra pmc_count can occasionally invalidate results, such as the ones from +cycles_test shown hereafter. The ebb_check_count() failed with an above +the upper limit error due to the extra value on ebb_state.stats.pmc_count. + +Furthermore, this extra count is also indicated by extra PMC1 trace_log on +the output of the cycle test (as well as on pmc56_overflow_test): + +========== + ... + [21]: counter = 8 + [22]: register SPRN_MMCR0 = 0x0000000080000080 + [23]: register SPRN_PMC1 = 0x0000000080000004 + [24]: counter = 9 + [25]: register SPRN_MMCR0 = 0x0000000080000080 + [26]: register SPRN_PMC1 = 0x0000000080000004 + [27]: counter = 10 + [28]: register SPRN_MMCR0 = 0x0000000080000080 + [29]: register SPRN_PMC1 = 0x0000000080000004 +>> [30]: register SPRN_PMC1 = 0x000000004000051e +PMC1 count (0x280000546) above upper limit 0x2800003e8 (+0x15e) +[FAIL] Test FAILED on line 52 +failure: cycles +========== + +Signed-off-by: Desnes A. 
Nunes do Rosario +Tested-by: Sachin Sant +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200626164737.21943-1-desnesn@linux.ibm.com +Signed-off-by: Sasha Levin +--- + .../selftests/powerpc/pmu/ebb/back_to_back_ebbs_test.c | 2 -- + tools/testing/selftests/powerpc/pmu/ebb/cycles_test.c | 2 -- + .../selftests/powerpc/pmu/ebb/cycles_with_freeze_test.c | 2 -- + .../selftests/powerpc/pmu/ebb/cycles_with_mmcr2_test.c | 2 -- + tools/testing/selftests/powerpc/pmu/ebb/ebb.c | 2 -- + .../selftests/powerpc/pmu/ebb/ebb_on_willing_child_test.c | 2 -- + .../selftests/powerpc/pmu/ebb/lost_exception_test.c | 1 - + .../testing/selftests/powerpc/pmu/ebb/multi_counter_test.c | 7 ------- + .../selftests/powerpc/pmu/ebb/multi_ebb_procs_test.c | 2 -- + .../testing/selftests/powerpc/pmu/ebb/pmae_handling_test.c | 2 -- + .../selftests/powerpc/pmu/ebb/pmc56_overflow_test.c | 2 -- + 11 files changed, 26 deletions(-) + +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/back_to_back_ebbs_test.c b/tools/testing/selftests/powerpc/pmu/ebb/back_to_back_ebbs_test.c +index 94110b1dcd3d8..031baa43646fb 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/back_to_back_ebbs_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/back_to_back_ebbs_test.c +@@ -91,8 +91,6 @@ int back_to_back_ebbs(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + event_close(&event); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/cycles_test.c b/tools/testing/selftests/powerpc/pmu/ebb/cycles_test.c +index 7c57a8d79535d..361e0be9df9ae 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/cycles_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/cycles_test.c +@@ -42,8 +42,6 @@ int cycles(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + event_close(&event); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_freeze_test.c 
b/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_freeze_test.c +index ecf5ee3283a3e..fe7d0dc2a1a26 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_freeze_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_freeze_test.c +@@ -99,8 +99,6 @@ int cycles_with_freeze(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + printf("EBBs while frozen %d\n", ebbs_while_frozen); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_mmcr2_test.c b/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_mmcr2_test.c +index c0faba520b35c..b9b30f974b5ea 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_mmcr2_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_mmcr2_test.c +@@ -71,8 +71,6 @@ int cycles_with_mmcr2(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + event_close(&event); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/ebb.c b/tools/testing/selftests/powerpc/pmu/ebb/ebb.c +index 46681fec549b8..2694ae161a84a 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/ebb.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/ebb.c +@@ -396,8 +396,6 @@ int ebb_child(union pipe read_pipe, union pipe write_pipe) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + event_close(&event); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/ebb_on_willing_child_test.c b/tools/testing/selftests/powerpc/pmu/ebb/ebb_on_willing_child_test.c +index a991d2ea8d0a1..174e4f4dae6c0 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/ebb_on_willing_child_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/ebb_on_willing_child_test.c +@@ -38,8 +38,6 @@ static int victim_child(union pipe read_pipe, union pipe write_pipe) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + 
FAIL_IF(ebb_state.stats.ebb_count == 0); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/lost_exception_test.c b/tools/testing/selftests/powerpc/pmu/ebb/lost_exception_test.c +index eb8acb78bc6c1..531083accfcad 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/lost_exception_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/lost_exception_test.c +@@ -75,7 +75,6 @@ static int test_body(void) + ebb_freeze_pmcs(); + ebb_global_disable(); + +- count_pmc(4, sample_period); + mtspr(SPRN_PMC4, 0xdead); + + dump_summary_ebb_state(); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/multi_counter_test.c b/tools/testing/selftests/powerpc/pmu/ebb/multi_counter_test.c +index 6ff8c8ff27d66..035c02273cd49 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/multi_counter_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/multi_counter_test.c +@@ -70,13 +70,6 @@ int multi_counter(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- count_pmc(2, sample_period); +- count_pmc(3, sample_period); +- count_pmc(4, sample_period); +- count_pmc(5, sample_period); +- count_pmc(6, sample_period); +- + dump_ebb_state(); + + for (i = 0; i < 6; i++) +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/multi_ebb_procs_test.c b/tools/testing/selftests/powerpc/pmu/ebb/multi_ebb_procs_test.c +index 037cb6154f360..3e9d4ac965c85 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/multi_ebb_procs_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/multi_ebb_procs_test.c +@@ -61,8 +61,6 @@ static int cycles_child(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_summary_ebb_state(); + + event_close(&event); +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/pmae_handling_test.c b/tools/testing/selftests/powerpc/pmu/ebb/pmae_handling_test.c +index c5fa64790c22e..d90891fe96a32 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/pmae_handling_test.c ++++ 
b/tools/testing/selftests/powerpc/pmu/ebb/pmae_handling_test.c +@@ -82,8 +82,6 @@ static int test_body(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(1, sample_period); +- + dump_ebb_state(); + + if (mmcr0_mismatch) +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c b/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c +index 30e1ac62e8cb4..8ca92b9ee5b01 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c +@@ -76,8 +76,6 @@ int pmc56_overflow(void) + ebb_global_disable(); + ebb_freeze_pmcs(); + +- count_pmc(2, sample_period); +- + dump_ebb_state(); + + printf("PMC5/6 overflow %d\n", pmc56_overflowed); +-- +2.25.1 + diff --git a/queue-4.14/series b/queue-4.14/series index c2e2cae64b2..189797333fe 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -3,3 +3,83 @@ net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch ipvlan-fix-device-features.patch gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch +drm-vgem-replace-opencoded-version-of-drm_gem_dumb_m.patch +perf-probe-fix-memory-leakage-when-the-probe-point-i.patch +khugepaged-khugepaged_test_exit-check-mmget_still_va.patch +khugepaged-adjust-vm_bug_on_mm-in-__khugepaged_enter.patch +powerpc-mm-only-read-faulting-instruction-when-neces.patch +powerpc-allow-4224-bytes-of-stack-expansion-for-the-.patch +btrfs-export-helpers-for-subvolume-name-id-resolutio.patch +btrfs-don-t-show-full-path-of-bind-mounts-in-subvol.patch +btrfs-move-free_pages_out-label-in-inline-extent-han.patch +btrfs-inode-fix-null-pointer-dereference-if-inode-do.patch +btrfs-sysfs-use-nofs-for-device-creation.patch +romfs-fix-uninitialized-memory-leak-in-romfs_dev_rea.patch +kernel-relay.c-fix-memleak-on-destroy-relay-channel.patch +mm-include-cma-pages-in-lowmem_reserve-at-boot.patch +mm-page_alloc-fix-core-hung-in-free_pcppages_bulk.patch +ext4-fix-checking-of-directory-entry-validity-for-in.patch +jbd2-add-the-missing-unlock_buffer-in-the-error-path.patch +spi-prevent-adding-devices-below-an-unregistering-co.patch +scsi-ufs-add-delay_before_lpm-quirk-for-micron-devic.patch +media-budget-core-improve-exception-handling-in-budg.patch +rtc-goldfish-enable-interrupt-in-set_alarm-when-nece.patch +media-vpss-clean-up-resources-in-init.patch +input-psmouse-add-a-newline-when-printing-proto-by-s.patch +m68knommu-fix-overwriting-of-bits-in-coldfire-v3-cac.patch +xfs-fix-inode-quota-reservation-checks.patch +jffs2-fix-uaf-problem.patch +cpufreq-intel_pstate-fix-cpuinfo_max_freq-when-msr_t.patch +scsi-libfc-free-skb-in-fc_disc_gpn_id_resp-for-valid.patch +virtio_ring-avoid-loop-when-vq-is-broken-in-virtqueu.patch +xfs-fix-ubsan-null-ptr-deref-in-xfs_sysfs_init.patch +alpha-fix-annotation-of-io-read-write-16-32-be.patch 
+ext4-fix-potential-negative-array-index-in-do_split.patch +i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch +i40e-fix-crash-during-removing-i40e-driver.patch +net-fec-correct-the-error-path-for-regulator-disable.patch +bonding-show-saner-speed-for-broadcast-mode.patch +bonding-fix-a-potential-double-unregister.patch +asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch +asoc-intel-fix-memleak-in-sst_media_open.patch +vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch +bonding-fix-active-backup-failover-for-current-arp-s.patch +hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch +net-dsa-b53-check-for-timeout.patch +powerpc-pseries-do-not-initiate-shutdown-when-system.patch +epoll-keep-a-reference-on-files-added-to-the-check-l.patch +do_epoll_ctl-clean-the-failure-exits-up-a-bit.patch +mm-hugetlb-fix-calculation-of-adjust_range_if_pmd_sh.patch +xen-don-t-reschedule-in-preemption-off-sections.patch +clk-evict-unregistered-clks-from-parent-caches.patch +kvm-arm-arm64-don-t-reschedule-in-unmap_stage2_range.patch +alsa-pci-delete-repeated-words-in-comments.patch +asoc-tegra-fix-reference-count-leaks.patch +mfd-intel-lpss-add-intel-emmitsburg-pch-pci-ids.patch +arm64-dts-qcom-msm8916-pull-down-pdm-gpios-during-sl.patch +powerpc-xive-ignore-kmemleak-false-positives.patch +media-pci-ttpci-av7110-fix-possible-buffer-overflow-.patch +blktrace-ensure-our-debugfs-dir-exists.patch +scsi-target-tcmu-fix-crash-on-arm-during-cmd-complet.patch +iommu-iova-don-t-bug-on-invalid-pfns.patch +drm-amdkfd-fix-reference-count-leaks.patch +drm-radeon-fix-multiple-reference-count-leak.patch +drm-amdgpu-fix-ref-count-leak-in-amdgpu_driver_open_.patch +drm-amd-display-fix-ref-count-leak-in-amdgpu_drm_ioc.patch +drm-amdgpu-fix-ref-count-leak-in-amdgpu_display_crtc.patch +drm-amdgpu-display-fix-ref-count-leak-when-pm_runtim.patch +scsi-lpfc-fix-shost-refcount-mismatch-when-deleting-.patch +selftests-powerpc-purge-extra-count_pmc-calls-of-ebb.patch 
+omapfb-fix-multiple-reference-count-leaks-due-to-pm_.patch +pci-fix-pci_create_slot-reference-count-leak.patch +rtlwifi-rtl8192cu-prevent-leaking-urb.patch +mips-vdso-fix-resource-leaks-in-genvdso.c.patch +cec-api-prevent-leaking-memory-through-hole-in-struc.patch +f2fs-fix-use-after-free-issue.patch +drm-nouveau-drm-noveau-fix-reference-count-leak-in-n.patch +drm-nouveau-fix-reference-count-leak-in-nouveau_conn.patch +locking-lockdep-fix-overflow-in-presentation-of-aver.patch +scsi-iscsi-do-not-put-host-in-iscsi_set_flashnode_pa.patch +ceph-fix-potential-mdsc-use-after-free-crash.patch +scsi-fcoe-memory-leak-fix-in-fcoe_sysfs_fcf_del.patch +edac-ie31200-fallback-if-host-bridge-device-is-alrea.patch diff --git a/queue-4.14/spi-prevent-adding-devices-below-an-unregistering-co.patch b/queue-4.14/spi-prevent-adding-devices-below-an-unregistering-co.patch new file mode 100644 index 00000000000..05502600476 --- /dev/null +++ b/queue-4.14/spi-prevent-adding-devices-below-an-unregistering-co.patch 
@@ -0,0 +1,115 @@ +From 96c244e7d55ffba7c7ec24497eab720dda33edd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 13:09:01 +0200 +Subject: spi: Prevent adding devices below an unregistering controller + +From: Lukas Wunner + +[ Upstream commit ddf75be47ca748f8b12d28ac64d624354fddf189 ] + +CONFIG_OF_DYNAMIC and CONFIG_ACPI allow adding SPI devices at runtime +using a DeviceTree overlay or DSDT patch. CONFIG_SPI_SLAVE allows the +same via sysfs. + +But there are no precautions to prevent adding a device below a +controller that's being removed. Such a device is unusable and may not +even be able to unbind cleanly as it becomes inaccessible once the +controller has been torn down. E.g. it is then impossible to quiesce +the device's interrupt. + +of_spi_notify() and acpi_spi_notify() do hold a ref on the controller, +but otherwise run lockless against spi_unregister_controller(). + +Fix by holding the spi_add_lock in spi_unregister_controller() and +bailing out of spi_add_device() if the controller has been unregistered +concurrently. 
+ +Fixes: ce79d54ae447 ("spi/of: Add OF notifier handler") +Signed-off-by: Lukas Wunner +Cc: stable@vger.kernel.org # v3.19+ +Cc: Geert Uytterhoeven +Cc: Octavian Purdila +Cc: Pantelis Antoniou +Link: https://lore.kernel.org/r/a8c3205088a969dc8410eec1eba9aface60f36af.1596451035.git.lukas@wunner.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/Kconfig | 3 +++ + drivers/spi/spi.c | 21 ++++++++++++++++++++- + 2 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/Kconfig b/drivers/spi/Kconfig +index a75f2a2cf7805..4b6a1629969f3 100644 +--- a/drivers/spi/Kconfig ++++ b/drivers/spi/Kconfig +@@ -827,4 +827,7 @@ config SPI_SLAVE_SYSTEM_CONTROL + + endif # SPI_SLAVE + ++config SPI_DYNAMIC ++ def_bool ACPI || OF_DYNAMIC || SPI_SLAVE ++ + endif # SPI +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c +index 49eee894f51d4..ab6a4f85bcde7 100644 +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -428,6 +428,12 @@ static LIST_HEAD(spi_controller_list); + */ + static DEFINE_MUTEX(board_lock); + ++/* ++ * Prevents addition of devices with same chip select and ++ * addition of devices below an unregistering controller. 
++ */ ++static DEFINE_MUTEX(spi_add_lock); ++ + /** + * spi_alloc_device - Allocate a new SPI device + * @ctlr: Controller to which device is connected +@@ -506,7 +512,6 @@ static int spi_dev_check(struct device *dev, void *data) + */ + int spi_add_device(struct spi_device *spi) + { +- static DEFINE_MUTEX(spi_add_lock); + struct spi_controller *ctlr = spi->controller; + struct device *dev = ctlr->dev.parent; + int status; +@@ -534,6 +539,13 @@ int spi_add_device(struct spi_device *spi) + goto done; + } + ++ /* Controller may unregister concurrently */ ++ if (IS_ENABLED(CONFIG_SPI_DYNAMIC) && ++ !device_is_registered(&ctlr->dev)) { ++ status = -ENODEV; ++ goto done; ++ } ++ + if (ctlr->cs_gpios) + spi->cs_gpio = ctlr->cs_gpios[spi->chip_select]; + +@@ -2265,6 +2277,10 @@ void spi_unregister_controller(struct spi_controller *ctlr) + struct spi_controller *found; + int id = ctlr->bus_num; + ++ /* Prevent addition of new devices, unregister existing ones */ ++ if (IS_ENABLED(CONFIG_SPI_DYNAMIC)) ++ mutex_lock(&spi_add_lock); ++ + device_for_each_child(&ctlr->dev, NULL, __unregister); + + /* First make sure that this controller was ever added */ +@@ -2285,6 +2301,9 @@ void spi_unregister_controller(struct spi_controller *ctlr) + if (found == ctlr) + idr_remove(&spi_master_idr, id); + mutex_unlock(&board_lock); ++ ++ if (IS_ENABLED(CONFIG_SPI_DYNAMIC)) ++ mutex_unlock(&spi_add_lock); + } + EXPORT_SYMBOL_GPL(spi_unregister_controller); + +-- +2.25.1 + diff --git a/queue-4.14/vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch b/queue-4.14/vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch new file mode 100644 index 00000000000..f7feda42599 --- /dev/null +++ b/queue-4.14/vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch 
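Review bot: spi_unregister_controller() now holds the file-scope `spi_add_lock` across `device_for_each_child(&ctlr->dev, NULL, __unregister)`, so a child whose removal path reaches spi_add_device() or another spi_unregister_controller() would block on the same non-recursive mutex. The hunks do not show whether such a nested controller can exist in this tree, so that is worth confirming for the 4.14 backport. The new `device_is_registered(&ctlr->dev)` test in spi_add_device() is only race-free because it runs under `spi_add_lock`, and that lock acquisition sits outside the hunk. I would extend the comment to `/* Controller may unregister concurrently; checked under spi_add_lock */` so the dependency is stated where the check lives. It also helps to note at the mutex definition that `spi_add_lock` is taken before `board_lock` in the unregister path.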
@@ -0,0 +1,164 @@ +From d5c04cb64e98ccf201d33b50b53648861b73aac4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 11:09:13 -0600 +Subject: vfio/type1: Add proper error unwind for vfio_iommu_replay() + +From: Alex Williamson + +[ Upstream commit aae7a75a821a793ed6b8ad502a5890fb8e8f172d ] + +The vfio_iommu_replay() function does not currently unwind on error, +yet it does pin pages, perform IOMMU mapping, and modify the vfio_dma +structure to indicate IOMMU mapping. The IOMMU mappings are torn down +when the domain is destroyed, but the other actions go on to cause +trouble later. For example, the iommu->domain_list can be empty if we +only have a non-IOMMU backed mdev attached. We don't currently check +if the list is empty before getting the first entry in the list, which +leads to a bogus domain pointer. If a vfio_dma entry is erroneously +marked as iommu_mapped, we'll attempt to use that bogus pointer to +retrieve the existing physical page addresses. + +This is the scenario that uncovered this issue, attempting to hot-add +a vfio-pci device to a container with an existing mdev device and DMA +mappings, one of which could not be pinned, causing a failure adding +the new group to the existing container and setting the conditions +for a subsequent attempt to explode. + +To resolve this, we can first check if the domain_list is empty so +that we can reject replay of a bogus domain, should we ever encounter +this inconsistent state again in the future. The real fix though is +to add the necessary unwind support, which means cleaning up the +current pinning if an IOMMU mapping fails, then walking back through +the r-b tree of DMA entries, reading from the IOMMU which ranges are +mapped, and unmapping and unpinning those ranges. To be able to do +this, we also defer marking the DMA entry as IOMMU mapped until all +entries are processed, in order to allow the unwind to know the +disposition of each entry. 
+ +Fixes: a54eb55045ae ("vfio iommu type1: Add support for mediated devices") +Reported-by: Zhiyi Guo +Tested-by: Zhiyi Guo +Reviewed-by: Cornelia Huck +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/vfio_iommu_type1.c | 71 ++++++++++++++++++++++++++++++--- + 1 file changed, 66 insertions(+), 5 deletions(-) + +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c +index 35a3750a6ddd3..f22425501bc16 100644 +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -1086,13 +1086,16 @@ static int vfio_bus_type(struct device *dev, void *data) + static int vfio_iommu_replay(struct vfio_iommu *iommu, + struct vfio_domain *domain) + { +- struct vfio_domain *d; ++ struct vfio_domain *d = NULL; + struct rb_node *n; + unsigned long limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT; + int ret; + + /* Arbitrarily pick the first domain in the list for lookups */ +- d = list_first_entry(&iommu->domain_list, struct vfio_domain, next); ++ if (!list_empty(&iommu->domain_list)) ++ d = list_first_entry(&iommu->domain_list, ++ struct vfio_domain, next); ++ + n = rb_first(&iommu->dma_list); + + for (; n; n = rb_next(n)) { +@@ -1110,6 +1113,11 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu, + phys_addr_t p; + dma_addr_t i; + ++ if (WARN_ON(!d)) { /* mapped w/o a domain?! 
*/ ++ ret = -EINVAL; ++ goto unwind; ++ } ++ + phys = iommu_iova_to_phys(d->domain, iova); + + if (WARN_ON(!phys)) { +@@ -1139,7 +1147,7 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu, + if (npage <= 0) { + WARN_ON(!npage); + ret = (int)npage; +- return ret; ++ goto unwind; + } + + phys = pfn << PAGE_SHIFT; +@@ -1148,14 +1156,67 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu, + + ret = iommu_map(domain->domain, iova, phys, + size, dma->prot | domain->prot); +- if (ret) +- return ret; ++ if (ret) { ++ if (!dma->iommu_mapped) ++ vfio_unpin_pages_remote(dma, iova, ++ phys >> PAGE_SHIFT, ++ size >> PAGE_SHIFT, ++ true); ++ goto unwind; ++ } + + iova += size; + } ++ } ++ ++ /* All dmas are now mapped, defer to second tree walk for unwind */ ++ for (n = rb_first(&iommu->dma_list); n; n = rb_next(n)) { ++ struct vfio_dma *dma = rb_entry(n, struct vfio_dma, node); ++ + dma->iommu_mapped = true; + } ++ + return 0; ++ ++unwind: ++ for (; n; n = rb_prev(n)) { ++ struct vfio_dma *dma = rb_entry(n, struct vfio_dma, node); ++ dma_addr_t iova; ++ ++ if (dma->iommu_mapped) { ++ iommu_unmap(domain->domain, dma->iova, dma->size); ++ continue; ++ } ++ ++ iova = dma->iova; ++ while (iova < dma->iova + dma->size) { ++ phys_addr_t phys, p; ++ size_t size; ++ dma_addr_t i; ++ ++ phys = iommu_iova_to_phys(domain->domain, iova); ++ if (!phys) { ++ iova += PAGE_SIZE; ++ continue; ++ } ++ ++ size = PAGE_SIZE; ++ p = phys + size; ++ i = iova + size; ++ while (i < dma->iova + dma->size && ++ p == iommu_iova_to_phys(domain->domain, i)) { ++ size += PAGE_SIZE; ++ p += PAGE_SIZE; ++ i += PAGE_SIZE; ++ } ++ ++ iommu_unmap(domain->domain, iova, size); ++ vfio_unpin_pages_remote(dma, iova, phys >> PAGE_SHIFT, ++ size >> PAGE_SHIFT, true); ++ } ++ } ++ ++ return ret; + } + + /* +-- +2.25.1 + 
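Review bot: In the `unwind:` path of vfio_iommu_replay(), the inner `while (iova < dma->iova + dma->size)` loop never advances `iova` after `iommu_unmap()` and `vfio_unpin_pages_remote()`. Forward progress relies entirely on the next `iommu_iova_to_phys()` returning 0 for the range just unmapped, after which the loop steps one page at a time. The return value of `iommu_unmap()` is ignored, so if it unmaps less than `size` the same pages would be unpinned a second time on the next pass and the loop might not terminate. Adding `iova += size;` after the unpin call makes progress explicit and independent of the unmap result. The function starts outside the hunk.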
diff --git a/queue-4.14/virtio_ring-avoid-loop-when-vq-is-broken-in-virtqueu.patch b/queue-4.14/virtio_ring-avoid-loop-when-vq-is-broken-in-virtqueu.patch
new file mode 100644
index 00000000000..4b735f3d2ce
--- /dev/null
+++ b/queue-4.14/virtio_ring-avoid-loop-when-vq-is-broken-in-virtqueu.patch
@@ -0,0 +1,53 @@
+From 33d240f531b4774c51a39877edbcbebb3d8f86bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 2 Aug 2020 15:44:09 +0800
+Subject: virtio_ring: Avoid loop when vq is broken in virtqueue_poll
+
+From: Mao Wenan
+
+[ Upstream commit 481a0d7422db26fb63e2d64f0652667a5c6d0f3e ]
+
+The loop may exist if vq->broken is true,
+virtqueue_get_buf_ctx_packed or virtqueue_get_buf_ctx_split
+will return NULL, so virtnet_poll will reschedule napi to
+receive packet, it will lead cpu usage(si) to 100%.
+
+call trace as below:
+virtnet_poll
+ virtnet_receive
+ virtqueue_get_buf_ctx
+ virtqueue_get_buf_ctx_packed
+ virtqueue_get_buf_ctx_split
+ virtqueue_napi_complete
+ virtqueue_poll //return true
+ virtqueue_napi_schedule //it will reschedule napi
+
+to fix this, return false if vq is broken in virtqueue_poll.
+
+Signed-off-by: Mao Wenan
+Acked-by: Michael S. Tsirkin
+Link: https://lore.kernel.org/r/1596354249-96204-1-git-send-email-wenan.mao@linux.alibaba.com
+Signed-off-by: Michael S. Tsirkin
+Acked-by: Jason Wang
+Signed-off-by: Sasha Levin
+---
+ drivers/virtio/virtio_ring.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
+index b82bb0b081615..51278f8bd3ab3 100644
+--- a/drivers/virtio/virtio_ring.c
++++ b/drivers/virtio/virtio_ring.c
+@@ -829,6 +829,9 @@ bool virtqueue_poll(struct virtqueue *_vq, unsigned last_used_idx)
+ {
+ struct vring_virtqueue *vq = to_vvq(_vq);
+
++ if (unlikely(vq->broken))
++ return false;
++
+ virtio_mb(vq->weak_barriers);
+ return (u16)last_used_idx != virtio16_to_cpu(_vq->vdev, vq->vring.used->idx);
+ }
+--
+2.25.1
+
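Review bot: The early `return false` on `vq->broken` in virtqueue_poll() gives a false result a second meaning: callers can no longer tell "no new used buffers" from "the queue is broken and will never produce any". The function's kernel-doc is outside the hunk, so it cannot be seen whether it covers this. If it does not, I would add a line there such as `Returns false without touching the ring if the virtqueue is broken.`. A short comment above the check would also help, for example `/* A broken vq yields no buffers; report nothing pending so pollers stop rescheduling */`.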
diff --git a/queue-4.14/xen-don-t-reschedule-in-preemption-off-sections.patch b/queue-4.14/xen-don-t-reschedule-in-preemption-off-sections.patch new file mode 100644 index 00000000000..7c75fc37750 --- /dev/null +++ b/queue-4.14/xen-don-t-reschedule-in-preemption-off-sections.patch 
@@ -0,0 +1,98 @@ +From 616164b647a6eb135ead0b874234582ce38569c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 08:59:08 +0200 +Subject: xen: don't reschedule in preemption off sections + +From: Juergen Gross + +For support of long running hypercalls xen_maybe_preempt_hcall() is +calling cond_resched() in case a hypercall marked as preemptible has +been interrupted. + +Normally this is no problem, as only hypercalls done via some ioctl()s +are marked to be preemptible. In rare cases when during such a +preemptible hypercall an interrupt occurs and any softirq action is +started from irq_exit(), a further hypercall issued by the softirq +handler will be regarded to be preemptible, too. This might lead to +rescheduling in spite of the softirq handler potentially having set +preempt_disable(), leading to splats like: + +BUG: sleeping function called from invalid context at drivers/xen/preempt.c:37 +in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 20775, name: xl +INFO: lockdep is turned off. +CPU: 1 PID: 20775 Comm: xl Tainted: G D W 5.4.46-1_prgmr_debug.el7.x86_64 #1 +Call Trace: + +dump_stack+0x8f/0xd0 +___might_sleep.cold.76+0xb2/0x103 +xen_maybe_preempt_hcall+0x48/0x70 +xen_do_hypervisor_callback+0x37/0x40 +RIP: e030:xen_hypercall_xen_version+0xa/0x20 +Code: ... +RSP: e02b:ffffc900400dcc30 EFLAGS: 00000246 +RAX: 000000000004000d RBX: 0000000000000200 RCX: ffffffff8100122a +RDX: ffff88812e788000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ffffffff83ee3ad0 R08: 0000000000000001 R09: 0000000000000001 +R10: 0000000000000000 R11: 0000000000000246 R12: ffff8881824aa0b0 +R13: 0000000865496000 R14: 0000000865496000 R15: ffff88815d040000 +? xen_hypercall_xen_version+0xa/0x20 +? xen_force_evtchn_callback+0x9/0x10 +? check_events+0x12/0x20 +? xen_restore_fl_direct+0x1f/0x20 +? _raw_spin_unlock_irqrestore+0x53/0x60 +? debug_dma_sync_single_for_cpu+0x91/0xc0 +? _raw_spin_unlock_irqrestore+0x53/0x60 +? 
xen_swiotlb_sync_single_for_cpu+0x3d/0x140 +? mlx4_en_process_rx_cq+0x6b6/0x1110 [mlx4_en] +? mlx4_en_poll_rx_cq+0x64/0x100 [mlx4_en] +? net_rx_action+0x151/0x4a0 +? __do_softirq+0xed/0x55b +? irq_exit+0xea/0x100 +? xen_evtchn_do_upcall+0x2c/0x40 +? xen_do_hypervisor_callback+0x29/0x40 + +? xen_hypercall_domctl+0xa/0x20 +? xen_hypercall_domctl+0x8/0x20 +? privcmd_ioctl+0x221/0x990 [xen_privcmd] +? do_vfs_ioctl+0xa5/0x6f0 +? ksys_ioctl+0x60/0x90 +? trace_hardirqs_off_thunk+0x1a/0x20 +? __x64_sys_ioctl+0x16/0x20 +? do_syscall_64+0x62/0x250 +? entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fix that by testing preempt_count() before calling cond_resched(). + +In kernel 5.8 this can't happen any more due to the entry code rework +(more than 100 patches, so not a candidate for backporting). + +The issue was introduced in kernel 4.3, so this patch should go into +all stable kernels in [4.3 ... 5.7]. + +Reported-by: Sarah Newman +Fixes: 0fa2f5cb2b0ecd8 ("sched/preempt, xen: Use need_resched() instead of should_resched()") +Cc: Sarah Newman +Cc: stable@vger.kernel.org +Signed-off-by: Juergen Gross +Tested-by: Chris Brannon +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/preempt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/xen/preempt.c b/drivers/xen/preempt.c +index 5f6b77ea34fb5..128375ff80b8c 100644 +--- a/drivers/xen/preempt.c ++++ b/drivers/xen/preempt.c +@@ -31,7 +31,7 @@ EXPORT_SYMBOL_GPL(xen_in_preemptible_hcall); + asmlinkage __visible void xen_maybe_preempt_hcall(void) + { + if (unlikely(__this_cpu_read(xen_in_preemptible_hcall) +- && need_resched())) { ++ && need_resched() && !preempt_count())) { + /* + * Clear flag as we may be rescheduled on a different + * cpu. +-- +2.25.1 + diff --git a/queue-4.14/xfs-fix-inode-quota-reservation-checks.patch b/queue-4.14/xfs-fix-inode-quota-reservation-checks.patch new file mode 100644 index 00000000000..8e1828972b9 --- /dev/null 
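Review bot: The added `!preempt_count()` term in xen_maybe_preempt_hcall() has no comment, and the reason for it lives only in the commit message. That reason is that a softirq started from irq_exit() during a preemptible hypercall can issue its own hypercall while preemption is disabled. I would put a comment above the condition such as `/* A nested hypercall from softirq context may run with preemption disabled; never resched then */`. The existing comment inside the block is about clearing the per-cpu flag and does not cover this case. The function body continues past the end of the hunk.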
+++ b/queue-4.14/xfs-fix-inode-quota-reservation-checks.patch 
@@ -0,0 +1,56 @@
+From 5d63365bb77f37631aa5171c58295a2cbe007347 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Jul 2020 10:36:09 -0700
+Subject: xfs: fix inode quota reservation checks
+
+From: Darrick J. Wong
+
+[ Upstream commit f959b5d037e71a4d69b5bf71faffa065d9269b4a ]
+
+xfs_trans_dqresv is the function that we use to make reservations
+against resource quotas. Each resource contains two counters: the
+q_core counter, which tracks resources allocated on disk; and the dquot
+reservation counter, which tracks how much of that resource has either
+been allocated or reserved by threads that are working on metadata
+updates.
+
+For disk blocks, we compare the proposed reservation counter against the
+hard and soft limits to decide if we're going to fail the operation.
+However, for inodes we inexplicably compare against the q_core counter,
+not the incore reservation count.
+
+Since the q_core counter is always lower than the reservation count and
+we unlock the dquot between reservation and transaction commit, this
+means that multiple threads can reserve the last inode count before we
+hit the hard limit, and when they commit, we'll be well over the hard
+limit.
+
+Fix this by checking against the incore inode reservation counter, since
+we would appear to maintain that correctly (and that's what we report in
+GETQUOTA).
+
+Signed-off-by: Darrick J. 
Wong
+Reviewed-by: Allison Collins
+Reviewed-by: Chandan Babu R
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ fs/xfs/xfs_trans_dquot.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/xfs/xfs_trans_dquot.c b/fs/xfs/xfs_trans_dquot.c
+index c3d547211d160..9c42e50a5cb7e 100644
+--- a/fs/xfs/xfs_trans_dquot.c
++++ b/fs/xfs/xfs_trans_dquot.c
+@@ -669,7 +669,7 @@ xfs_trans_dqresv(
+ }
+ }
+ if (ninos > 0) {
+- total_count = be64_to_cpu(dqp->q_core.d_icount) + ninos;
++ total_count = dqp->q_res_icount + ninos;
+ timer = be32_to_cpu(dqp->q_core.d_itimer);
+ warns = be16_to_cpu(dqp->q_core.d_iwarns);
+ warnlimit = dqp->q_mount->m_quotainfo->qi_iwarnlimit;
+--
+2.25.1
+
diff --git a/queue-4.14/xfs-fix-ubsan-null-ptr-deref-in-xfs_sysfs_init.patch b/queue-4.14/xfs-fix-ubsan-null-ptr-deref-in-xfs_sysfs_init.patch
new file mode 100644
index 00000000000..c725668d671
--- /dev/null
+++ b/queue-4.14/xfs-fix-ubsan-null-ptr-deref-in-xfs_sysfs_init.patch
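Review bot: The new line `total_count = dqp->q_res_icount + ninos;` in xfs_trans_dqresv carries no comment explaining why the limit check reads the in-core reservation counter rather than the on-disk count, although that choice is what keeps the hard limit enforceable. I would add above it `/* Use the incore reservation count: the dquot is unlocked between reservation and commit, so checking q_core.d_icount lets concurrent reservations overshoot the hard limit. */`. The timer and warning fields on the following lines are still read from `q_core`, which looks intentional since they are not reservation counters, but that is inferred. The body of xfs_trans_dqresv starts and ends outside the hunk, so the matching block-reservation branch cannot be compared here.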
@@ -0,0 +1,59 @@
+From 9e6b5b95176f9966d09bf760665b91d92026ae53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Aug 2020 15:18:48 -0700
+Subject: xfs: Fix UBSAN null-ptr-deref in xfs_sysfs_init
+
+From: Eiichi Tsukata
+
+[ Upstream commit 96cf2a2c75567ff56195fe3126d497a2e7e4379f ]
+
+If xfs_sysfs_init is called with parent_kobj == NULL, UBSAN
+shows the following warning:
+
+ UBSAN: null-ptr-deref in ./fs/xfs/xfs_sysfs.h:37:23
+ member access within null pointer of type 'struct xfs_kobj'
+ Call Trace:
+ dump_stack+0x10e/0x195
+ ubsan_type_mismatch_common+0x241/0x280
+ __ubsan_handle_type_mismatch_v1+0x32/0x40
+ init_xfs_fs+0x12b/0x28f
+ do_one_initcall+0xdd/0x1d0
+ do_initcall_level+0x151/0x1b6
+ do_initcalls+0x50/0x8f
+ do_basic_setup+0x29/0x2b
+ kernel_init_freeable+0x19f/0x20b
+ kernel_init+0x11/0x1e0
+ ret_from_fork+0x22/0x30
+
+Fix it by checking parent_kobj before the code accesses its member.
+
+Signed-off-by: Eiichi Tsukata
+Reviewed-by: Darrick J. Wong
+[darrick: minor whitespace edits]
+Signed-off-by: Darrick J. Wong
+Signed-off-by: Sasha Levin
+---
+ fs/xfs/xfs_sysfs.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/xfs/xfs_sysfs.h b/fs/xfs/xfs_sysfs.h
+index d04637181ef21..980c9429abec5 100644
+--- a/fs/xfs/xfs_sysfs.h
++++ b/fs/xfs/xfs_sysfs.h
+@@ -44,9 +44,11 @@ xfs_sysfs_init(
+ struct xfs_kobj *parent_kobj,
+ const char *name)
+ {
++ struct kobject *parent;
++
++ parent = parent_kobj ? &parent_kobj->kobject : NULL;
+ init_completion(&kobj->complete);
+- return kobject_init_and_add(&kobj->kobject, ktype,
+- &parent_kobj->kobject, "%s", name);
++ return kobject_init_and_add(&kobj->kobject, ktype, parent, "%s", name);
+ }
+
+ static inline void
+--
+2.25.1
+
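Review bot: xfs_sysfs_init now treats a NULL `parent_kobj` as a supported argument, but nothing at `parent = parent_kobj ? &parent_kobj->kobject : NULL;` records that contract for callers. A short comment there would do, e.g. `/* parent_kobj may be NULL; kobject_init_and_add() is then called with no parent. */`. As a style point, the declaration and assignment could be a single initialised declaration, `struct kobject *parent = parent_kobj ? &parent_kobj->kobject : NULL;`. The `kobj` argument is still dereferenced unchecked in `init_completion(&kobj->complete)`. That is presumably fine if callers always pass an embedded object, but the callers and the start of the signature are outside the hunk.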