From: Greg Kroah-Hartman Date: Sun, 27 Oct 2019 16:00:58 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.198~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=28fdb09857f2ea389f9905d27466d1537fa736d6;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: blk-rq-qos-fix-first-node-deletion-of-rq_qos_del.patch btrfs-add-missing-extents-release-on-file-extent-cluster-relocation-error.patch btrfs-block-group-fix-a-memory-leak-due-to-missing-btrfs_put_block_group.patch btrfs-check-for-the-full-sync-flag-while-holding-the-inode-lock-during-fsync.patch btrfs-tracepoints-fix-bad-entry-members-of-qgroup-events.patch cifs-avoid-using-mid-0xffff.patch cifs-fix-use-after-free-of-file-info-structures.patch cpufreq-avoid-cpufreq_suspend-deadlock-on-system-shutdown.patch dm-cache-fix-bugs-when-a-gfp_nowait-allocation-fails.patch memstick-jmb38x_ms-fix-an-error-handling-path-in-jmb38x_ms_probe.patch pci-pm-fix-pci_power_up.patch perf-aux-fix-aux-output-stopping.patch pinctrl-armada-37xx-fix-control-of-pins-32-and-up.patch pinctrl-armada-37xx-swap-polarity-on-led-group.patch pinctrl-cherryview-restore-strago-dmi-workaround-for-all-versions.patch tracing-fix-race-in-perf_trace_buf-initialization.patch x86-apic-x2apic-fix-a-null-pointer-deref-when-handling-a-dying-cpu.patch x86-boot-64-make-level2_kernel_pgt-pages-invalid-outside-kernel-area.patch x86-hyperv-make-vapic-support-x2apic-mode.patch xen-netback-fix-error-path-of-xenvif_connect_data.patch --- diff --git a/queue-4.19/blk-rq-qos-fix-first-node-deletion-of-rq_qos_del.patch b/queue-4.19/blk-rq-qos-fix-first-node-deletion-of-rq_qos_del.patch new file mode 100644 index 00000000000..a7be7ac3463 --- /dev/null +++ b/queue-4.19/blk-rq-qos-fix-first-node-deletion-of-rq_qos_del.patch @@ -0,0 +1,48 @@ +From 307f4065b9d7c1e887e8bdfb2487e4638559fea1 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Tue, 15 Oct 2019 08:49:27 -0700 +Subject: blk-rq-qos: fix first node deletion of rq_qos_del() + +From: Tejun Heo + +commit 307f4065b9d7c1e887e8bdfb2487e4638559fea1 upstream. + +rq_qos_del() incorrectly assigns the node being deleted to the head if +it was the first on the list in the !prev path. Fix it by iterating +with ** instead. + +Signed-off-by: Tejun Heo +Cc: Josef Bacik +Fixes: a79050434b45 ("blk-rq-qos: refactor out common elements of blk-wbt") +Cc: stable@vger.kernel.org # v4.19+ +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-rq-qos.h | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +--- a/block/blk-rq-qos.h ++++ b/block/blk-rq-qos.h +@@ -80,16 +80,13 @@ static inline void rq_qos_add(struct req + + static inline void rq_qos_del(struct request_queue *q, struct rq_qos *rqos) + { +- struct rq_qos *cur, *prev = NULL; +- for (cur = q->rq_qos; cur; cur = cur->next) { +- if (cur == rqos) { +- if (prev) +- prev->next = rqos->next; +- else +- q->rq_qos = cur; ++ struct rq_qos **cur; ++ ++ for (cur = &q->rq_qos; *cur; cur = &(*cur)->next) { ++ if (*cur == rqos) { ++ *cur = rqos->next; + break; + } +- prev = cur; + } + } + diff --git a/queue-4.19/btrfs-add-missing-extents-release-on-file-extent-cluster-relocation-error.patch b/queue-4.19/btrfs-add-missing-extents-release-on-file-extent-cluster-relocation-error.patch new file mode 100644 index 00000000000..6da582a7143 --- /dev/null +++ b/queue-4.19/btrfs-add-missing-extents-release-on-file-extent-cluster-relocation-error.patch @@ -0,0 +1,38 @@ +From 44db1216efe37bf670f8d1019cdc41658d84baf5 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Wed, 9 Oct 2019 17:43:45 +0100 +Subject: Btrfs: add missing extents release on file extent cluster relocation error + +From: Filipe Manana + +commit 44db1216efe37bf670f8d1019cdc41658d84baf5 upstream. + +If we error out when finding a page at relocate_file_extent_cluster(), we +need to release the outstanding extents counter on the relocation inode, +set by the previous call to btrfs_delalloc_reserve_metadata(), otherwise +the inode's block reserve size can never decrease to zero and metadata +space is leaked. Therefore add a call to btrfs_delalloc_release_extents() +in case we can't find the target page. + +Fixes: 8b62f87bad9c ("Btrfs: rework outstanding_extents") +CC: stable@vger.kernel.org # 4.19+ +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/relocation.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -3187,6 +3187,8 @@ static int relocate_file_extent_cluster( + if (!page) { + btrfs_delalloc_release_metadata(BTRFS_I(inode), + PAGE_SIZE, true); ++ btrfs_delalloc_release_extents(BTRFS_I(inode), ++ PAGE_SIZE, true); + ret = -ENOMEM; + goto out; + } diff --git a/queue-4.19/btrfs-block-group-fix-a-memory-leak-due-to-missing-btrfs_put_block_group.patch b/queue-4.19/btrfs-block-group-fix-a-memory-leak-due-to-missing-btrfs_put_block_group.patch new file mode 100644 index 00000000000..cc1437cc926 --- /dev/null +++ b/queue-4.19/btrfs-block-group-fix-a-memory-leak-due-to-missing-btrfs_put_block_group.patch @@ -0,0 +1,42 @@ +From 4b654acdae850f48b8250b9a578a4eaa518c7a6f Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Thu, 10 Oct 2019 10:39:26 +0800 +Subject: btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group() + +From: Qu Wenruo + +commit 4b654acdae850f48b8250b9a578a4eaa518c7a6f upstream. + +In btrfs_read_block_groups(), if we have an invalid block group which +has mixed type (DATA|METADATA) while the fs doesn't have MIXED_GROUPS +feature, we error out without freeing the block group cache. + +This patch will add the missing btrfs_put_block_group() to prevent +memory leak. + +Note for stable backports: the file to patch in versions <= 5.3 is +fs/btrfs/extent-tree.c + +Fixes: 49303381f19a ("Btrfs: bail out if block group has different mixed flag") +CC: stable@vger.kernel.org # 4.9+ +Reviewed-by: Anand Jain +Reviewed-by: Johannes Thumshirn +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent-tree.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -10000,6 +10000,7 @@ int btrfs_read_block_groups(struct btrfs + btrfs_err(info, + "bg %llu is a mixed block group but filesystem hasn't enabled mixed block groups", + cache->key.objectid); ++ btrfs_put_block_group(cache); + ret = -EINVAL; + goto error; + } diff --git a/queue-4.19/btrfs-check-for-the-full-sync-flag-while-holding-the-inode-lock-during-fsync.patch b/queue-4.19/btrfs-check-for-the-full-sync-flag-while-holding-the-inode-lock-during-fsync.patch new file mode 100644 index 00000000000..3f689fab09c --- /dev/null +++ b/queue-4.19/btrfs-check-for-the-full-sync-flag-while-holding-the-inode-lock-during-fsync.patch @@ -0,0 +1,97 @@ +From ba0b084ac309283db6e329785c1dc4f45fdbd379 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Wed, 16 Oct 2019 16:28:52 +0100 +Subject: Btrfs: check for the full sync flag while holding the inode lock during fsync + +From: Filipe Manana + +commit ba0b084ac309283db6e329785c1dc4f45fdbd379 upstream. + +We were checking for the full fsync flag in the inode before locking the +inode, which is racy, since at that that time it might not be set but +after we acquire the inode lock some other task set it. One case where +this can happen is on a system low on memory and some concurrent task +failed to allocate an extent map and therefore set the full sync flag on +the inode, to force the next fsync to work in full mode. + +A consequence of missing the full fsync flag set is hitting the problems +fixed by commit 0c713cbab620 ("Btrfs: fix race between ranged fsync and +writeback of adjacent ranges"), BUG_ON() when dropping extents from a log +tree, hitting assertion failures at tree-log.c:copy_items() or all sorts +of weird inconsistencies after replaying a log due to file extents items +representing ranges that overlap. + +So just move the check such that it's done after locking the inode and +before starting writeback again. + +Fixes: 0c713cbab620 ("Btrfs: fix race between ranged fsync and writeback of adjacent ranges") +CC: stable@vger.kernel.org # 5.2+ +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/file.c | 36 +++++++++++++++++------------------- + 1 file changed, 17 insertions(+), 19 deletions(-) + +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -2056,25 +2056,7 @@ int btrfs_sync_file(struct file *file, l + struct btrfs_trans_handle *trans; + struct btrfs_log_ctx ctx; + int ret = 0, err; +- u64 len; + +- /* +- * If the inode needs a full sync, make sure we use a full range to +- * avoid log tree corruption, due to hole detection racing with ordered +- * extent completion for adjacent ranges, and assertion failures during +- * hole detection. +- */ +- if (test_bit(BTRFS_INODE_NEEDS_FULL_SYNC, +- &BTRFS_I(inode)->runtime_flags)) { +- start = 0; +- end = LLONG_MAX; +- } +- +- /* +- * The range length can be represented by u64, we have to do the typecasts +- * to avoid signed overflow if it's [0, LLONG_MAX] eg. from fsync() +- */ +- len = (u64)end - (u64)start + 1; + trace_btrfs_sync_file(file, datasync); + + btrfs_init_log_ctx(&ctx, inode); +@@ -2101,6 +2083,19 @@ int btrfs_sync_file(struct file *file, l + atomic_inc(&root->log_batch); + + /* ++ * If the inode needs a full sync, make sure we use a full range to ++ * avoid log tree corruption, due to hole detection racing with ordered ++ * extent completion for adjacent ranges, and assertion failures during ++ * hole detection. Do this while holding the inode lock, to avoid races ++ * with other tasks. ++ */ ++ if (test_bit(BTRFS_INODE_NEEDS_FULL_SYNC, ++ &BTRFS_I(inode)->runtime_flags)) { ++ start = 0; ++ end = LLONG_MAX; ++ } ++ ++ /* + * Before we acquired the inode's lock, someone may have dirtied more + * pages in the target range. We need to make sure that writeback for + * any such pages does not start while we are logging the inode, because +@@ -2127,8 +2122,11 @@ int btrfs_sync_file(struct file *file, l + /* + * We have to do this here to avoid the priority inversion of waiting on + * IO of a lower priority task while holding a transaciton open. ++ * ++ * Also, the range length can be represented by u64, we have to do the ++ * typecasts to avoid signed overflow if it's [0, LLONG_MAX]. + */ +- ret = btrfs_wait_ordered_range(inode, start, len); ++ ret = btrfs_wait_ordered_range(inode, start, (u64)end - (u64)start + 1); + if (ret) { + up_write(&BTRFS_I(inode)->dio_sem); + inode_unlock(inode); diff --git a/queue-4.19/btrfs-tracepoints-fix-bad-entry-members-of-qgroup-events.patch b/queue-4.19/btrfs-tracepoints-fix-bad-entry-members-of-qgroup-events.patch new file mode 100644 index 00000000000..c586e1a4de2 --- /dev/null +++ b/queue-4.19/btrfs-tracepoints-fix-bad-entry-members-of-qgroup-events.patch @@ -0,0 +1,66 @@ +From 1b2442b4ae0f234daeadd90e153b466332c466d8 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Thu, 17 Oct 2019 10:38:37 +0800 +Subject: btrfs: tracepoints: Fix bad entry members of qgroup events + +From: Qu Wenruo + +commit 1b2442b4ae0f234daeadd90e153b466332c466d8 upstream. + +[BUG] +For btrfs:qgroup_meta_reserve event, the trace event can output garbage: + + qgroup_meta_reserve: 9c7f6acc-b342-4037-bc47-7f6e4d2232d7: refroot=5(FS_TREE) type=DATA diff=2 + qgroup_meta_reserve: 9c7f6acc-b342-4037-bc47-7f6e4d2232d7: refroot=5(FS_TREE) type=0x258792 diff=2 + +The @type can be completely garbage, as DATA type is not possible for +trace_qgroup_meta_reserve() trace event. + +[CAUSE] +Ther are several problems related to qgroup trace events: +- Unassigned entry member + Member entry::type of trace_qgroup_update_reserve() and + trace_qgourp_meta_reserve() is not assigned + +- Redundant entry member + Member entry::type is completely useless in + trace_qgroup_meta_convert() + +Fixes: 4ee0d8832c2e ("btrfs: qgroup: Update trace events for metadata reservation") +CC: stable@vger.kernel.org # 4.10+ +Reviewed-by: Nikolay Borisov +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + include/trace/events/btrfs.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/include/trace/events/btrfs.h ++++ b/include/trace/events/btrfs.h +@@ -1655,6 +1655,7 @@ TRACE_EVENT(qgroup_update_reserve, + __entry->qgid = qgroup->qgroupid; + __entry->cur_reserved = qgroup->rsv.values[type]; + __entry->diff = diff; ++ __entry->type = type; + ), + + TP_printk_btrfs("qgid=%llu type=%s cur_reserved=%llu diff=%lld", +@@ -1677,6 +1678,7 @@ TRACE_EVENT(qgroup_meta_reserve, + TP_fast_assign_btrfs(root->fs_info, + __entry->refroot = root->objectid; + __entry->diff = diff; ++ __entry->type = type; + ), + + TP_printk_btrfs("refroot=%llu(%s) type=%s diff=%lld", +@@ -1693,7 +1695,6 @@ TRACE_EVENT(qgroup_meta_convert, + TP_STRUCT__entry_btrfs( + __field( u64, refroot ) + __field( s64, diff ) +- __field( int, type ) + ), + + TP_fast_assign_btrfs(root->fs_info, diff --git a/queue-4.19/cifs-avoid-using-mid-0xffff.patch b/queue-4.19/cifs-avoid-using-mid-0xffff.patch new file mode 100644 index 00000000000..92053dfb812 --- /dev/null +++ b/queue-4.19/cifs-avoid-using-mid-0xffff.patch @@ -0,0 +1,38 @@ +From 03d9a9fe3f3aec508e485dd3dcfa1e99933b4bdb Mon Sep 17 00:00:00 2001 +From: Roberto Bergantinos Corpas +Date: Mon, 14 Oct 2019 10:59:23 +0200 +Subject: CIFS: avoid using MID 0xFFFF + +From: Roberto Bergantinos Corpas + +commit 03d9a9fe3f3aec508e485dd3dcfa1e99933b4bdb upstream. + +According to MS-CIFS specification MID 0xFFFF should not be used by the +CIFS client, but we actually do. Besides, this has proven to cause races +leading to oops between SendReceive2/cifs_demultiplex_thread. On SMB1, +MID is a 2 byte value easy to reach in CurrentMid which may conflict with +an oplock break notification request coming from server + +Signed-off-by: Roberto Bergantinos Corpas +Reviewed-by: Ronnie Sahlberg +Reviewed-by: Aurelien Aptel +Signed-off-by: Steve French +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb1ops.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/cifs/smb1ops.c ++++ b/fs/cifs/smb1ops.c +@@ -183,6 +183,9 @@ cifs_get_next_mid(struct TCP_Server_Info + /* we do not want to loop forever */ + last_mid = cur_mid; + cur_mid++; ++ /* avoid 0xFFFF MID */ ++ if (cur_mid == 0xffff) ++ cur_mid++; + + /* + * This nested loop looks more expensive than it is. diff --git a/queue-4.19/cifs-fix-use-after-free-of-file-info-structures.patch b/queue-4.19/cifs-fix-use-after-free-of-file-info-structures.patch new file mode 100644 index 00000000000..578fc4476d3 --- /dev/null +++ b/queue-4.19/cifs-fix-use-after-free-of-file-info-structures.patch @@ -0,0 +1,65 @@ +From 1a67c415965752879e2e9fad407bc44fc7f25f23 Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Wed, 23 Oct 2019 15:37:19 -0700 +Subject: CIFS: Fix use after free of file info structures + +From: Pavel Shilovsky + +commit 1a67c415965752879e2e9fad407bc44fc7f25f23 upstream. + +Currently the code assumes that if a file info entry belongs +to lists of open file handles of an inode and a tcon then +it has non-zero reference. The recent changes broke that +assumption when putting the last reference of the file info. +There may be a situation when a file is being deleted but +nothing prevents another thread to reference it again +and start using it. This happens because we do not hold +the inode list lock while checking the number of references +of the file info structure. Fix this by doing the proper +locking when doing the check. + +Fixes: 487317c99477d ("cifs: add spinlock for the openFileList to cifsInodeInfo") +Fixes: cb248819d209d ("cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic") +Cc: Stable +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/file.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -403,10 +403,11 @@ void _cifsFileInfo_put(struct cifsFileIn + bool oplock_break_cancelled; + + spin_lock(&tcon->open_file_lock); +- ++ spin_lock(&cifsi->open_file_lock); + spin_lock(&cifs_file->file_info_lock); + if (--cifs_file->count > 0) { + spin_unlock(&cifs_file->file_info_lock); ++ spin_unlock(&cifsi->open_file_lock); + spin_unlock(&tcon->open_file_lock); + return; + } +@@ -419,9 +420,7 @@ void _cifsFileInfo_put(struct cifsFileIn + cifs_add_pending_open_locked(&fid, cifs_file->tlink, &open); + + /* remove it from the lists */ +- spin_lock(&cifsi->open_file_lock); + list_del(&cifs_file->flist); +- spin_unlock(&cifsi->open_file_lock); + list_del(&cifs_file->tlist); + + if (list_empty(&cifsi->openFileList)) { +@@ -437,6 +436,7 @@ void _cifsFileInfo_put(struct cifsFileIn + cifs_set_oplock_level(cifsi, 0); + } + ++ spin_unlock(&cifsi->open_file_lock); + spin_unlock(&tcon->open_file_lock); + + oplock_break_cancelled = wait_oplock_handler ? diff --git a/queue-4.19/cpufreq-avoid-cpufreq_suspend-deadlock-on-system-shutdown.patch b/queue-4.19/cpufreq-avoid-cpufreq_suspend-deadlock-on-system-shutdown.patch new file mode 100644 index 00000000000..4968927ae33 --- /dev/null +++ b/queue-4.19/cpufreq-avoid-cpufreq_suspend-deadlock-on-system-shutdown.patch @@ -0,0 +1,88 @@ +From 65650b35133ff20f0c9ef0abd5c3c66dbce3ae57 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Wed, 9 Oct 2019 01:29:10 +0200 +Subject: cpufreq: Avoid cpufreq_suspend() deadlock on system shutdown +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafael J. Wysocki + +commit 65650b35133ff20f0c9ef0abd5c3c66dbce3ae57 upstream. + +It is incorrect to set the cpufreq syscore shutdown callback pointer +to cpufreq_suspend(), because that function cannot be run in the +syscore stage of system shutdown for two reasons: (a) it may attempt +to carry out actions depending on devices that have already been shut +down at that point and (b) the RCU synchronization carried out by it +may not be able to make progress then. + +The latter issue has been present since commit 45975c7d21a1 ("rcu: +Define RCU-sched API in terms of RCU for Tree RCU PREEMPT builds"), +but the former one has been there since commit 90de2a4aa9f3 ("cpufreq: +suspend cpufreq governors on shutdown") regardless. + +Fix that by dropping cpufreq_syscore_ops altogether and making +device_shutdown() call cpufreq_suspend() directly before shutting +down devices, which is along the lines of what system-wide power +management does. + +Fixes: 45975c7d21a1 ("rcu: Define RCU-sched API in terms of RCU for Tree RCU PREEMPT builds") +Fixes: 90de2a4aa9f3 ("cpufreq: suspend cpufreq governors on shutdown") +Reported-by: Ville Syrjälä +Tested-by: Ville Syrjälä +Signed-off-by: Rafael J. Wysocki +Acked-by: Viresh Kumar +Cc: 4.0+ # 4.0+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/core.c | 3 +++ + drivers/cpufreq/cpufreq.c | 10 ---------- + 2 files changed, 3 insertions(+), 10 deletions(-) + +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -8,6 +8,7 @@ + * Copyright (c) 2006 Novell, Inc. + */ + ++#include + #include + #include + #include +@@ -2943,6 +2944,8 @@ void device_shutdown(void) + wait_for_device_probe(); + device_block_probing(); + ++ cpufreq_suspend(); ++ + spin_lock(&devices_kset->list_lock); + /* + * Walk the devices list backward, shutting down each in turn. +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -2578,14 +2578,6 @@ int cpufreq_unregister_driver(struct cpu + } + EXPORT_SYMBOL_GPL(cpufreq_unregister_driver); + +-/* +- * Stop cpufreq at shutdown to make sure it isn't holding any locks +- * or mutexes when secondary CPUs are halted. +- */ +-static struct syscore_ops cpufreq_syscore_ops = { +- .shutdown = cpufreq_suspend, +-}; +- + struct kobject *cpufreq_global_kobject; + EXPORT_SYMBOL(cpufreq_global_kobject); + +@@ -2597,8 +2589,6 @@ static int __init cpufreq_core_init(void + cpufreq_global_kobject = kobject_create_and_add("cpufreq", &cpu_subsys.dev_root->kobj); + BUG_ON(!cpufreq_global_kobject); + +- register_syscore_ops(&cpufreq_syscore_ops); +- + return 0; + } + module_param(off, int, 0444); diff --git a/queue-4.19/dm-cache-fix-bugs-when-a-gfp_nowait-allocation-fails.patch b/queue-4.19/dm-cache-fix-bugs-when-a-gfp_nowait-allocation-fails.patch new file mode 100644 index 00000000000..72eb8e8ea17 --- /dev/null +++ b/queue-4.19/dm-cache-fix-bugs-when-a-gfp_nowait-allocation-fails.patch @@ -0,0 +1,118 @@ +From 13bd677a472d534bf100bab2713efc3f9e3f5978 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 16 Oct 2019 09:21:50 -0400 +Subject: dm cache: fix bugs when a GFP_NOWAIT allocation fails + +From: Mikulas Patocka + +commit 13bd677a472d534bf100bab2713efc3f9e3f5978 upstream. + +GFP_NOWAIT allocation can fail anytime - it doesn't wait for memory being +available and it fails if the mempool is exhausted and there is not enough +memory. + +If we go down this path: + map_bio -> mg_start -> alloc_migration -> mempool_alloc(GFP_NOWAIT) +we can see that map_bio() doesn't check the return value of mg_start(), +and the bio is leaked. + +If we go down this path: + map_bio -> mg_start -> mg_lock_writes -> alloc_prison_cell -> + dm_bio_prison_alloc_cell_v2 -> mempool_alloc(GFP_NOWAIT) -> + mg_lock_writes -> mg_complete +the bio is ended with an error - it is unacceptable because it could +cause filesystem corruption if the machine ran out of memory +temporarily. + +Change GFP_NOWAIT to GFP_NOIO, so that the mempool code will properly +wait until memory becomes available. mempool_alloc with GFP_NOIO can't +fail, so remove the code paths that deal with allocation failure. + +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-cache-target.c | 28 ++-------------------------- + 1 file changed, 2 insertions(+), 26 deletions(-) + +--- a/drivers/md/dm-cache-target.c ++++ b/drivers/md/dm-cache-target.c +@@ -541,7 +541,7 @@ static void wake_migration_worker(struct + + static struct dm_bio_prison_cell_v2 *alloc_prison_cell(struct cache *cache) + { +- return dm_bio_prison_alloc_cell_v2(cache->prison, GFP_NOWAIT); ++ return dm_bio_prison_alloc_cell_v2(cache->prison, GFP_NOIO); + } + + static void free_prison_cell(struct cache *cache, struct dm_bio_prison_cell_v2 *cell) +@@ -553,9 +553,7 @@ static struct dm_cache_migration *alloc_ + { + struct dm_cache_migration *mg; + +- mg = mempool_alloc(&cache->migration_pool, GFP_NOWAIT); +- if (!mg) +- return NULL; ++ mg = mempool_alloc(&cache->migration_pool, GFP_NOIO); + + memset(mg, 0, sizeof(*mg)); + +@@ -663,10 +661,6 @@ static bool bio_detain_shared(struct cac + struct dm_bio_prison_cell_v2 *cell_prealloc, *cell; + + cell_prealloc = alloc_prison_cell(cache); /* FIXME: allow wait if calling from worker */ +- if (!cell_prealloc) { +- defer_bio(cache, bio); +- return false; +- } + + build_key(oblock, end, &key); + r = dm_cell_get_v2(cache->prison, &key, lock_level(bio), bio, cell_prealloc, &cell); +@@ -1492,11 +1486,6 @@ static int mg_lock_writes(struct dm_cach + struct dm_bio_prison_cell_v2 *prealloc; + + prealloc = alloc_prison_cell(cache); +- if (!prealloc) { +- DMERR_LIMIT("%s: alloc_prison_cell failed", cache_device_name(cache)); +- mg_complete(mg, false); +- return -ENOMEM; +- } + + /* + * Prevent writes to the block, but allow reads to continue. +@@ -1534,11 +1523,6 @@ static int mg_start(struct cache *cache, + } + + mg = alloc_migration(cache); +- if (!mg) { +- policy_complete_background_work(cache->policy, op, false); +- background_work_end(cache); +- return -ENOMEM; +- } + + mg->op = op; + mg->overwrite_bio = bio; +@@ -1627,10 +1611,6 @@ static int invalidate_lock(struct dm_cac + struct dm_bio_prison_cell_v2 *prealloc; + + prealloc = alloc_prison_cell(cache); +- if (!prealloc) { +- invalidate_complete(mg, false); +- return -ENOMEM; +- } + + build_key(mg->invalidate_oblock, oblock_succ(mg->invalidate_oblock), &key); + r = dm_cell_lock_v2(cache->prison, &key, +@@ -1668,10 +1648,6 @@ static int invalidate_start(struct cache + return -EPERM; + + mg = alloc_migration(cache); +- if (!mg) { +- background_work_end(cache); +- return -ENOMEM; +- } + + mg->overwrite_bio = bio; + mg->invalidate_cblock = cblock; diff --git a/queue-4.19/memstick-jmb38x_ms-fix-an-error-handling-path-in-jmb38x_ms_probe.patch b/queue-4.19/memstick-jmb38x_ms-fix-an-error-handling-path-in-jmb38x_ms_probe.patch new file mode 100644 index 00000000000..7432e8402e9 --- /dev/null +++ b/queue-4.19/memstick-jmb38x_ms-fix-an-error-handling-path-in-jmb38x_ms_probe.patch @@ -0,0 +1,35 @@ +From 28c9fac09ab0147158db0baeec630407a5e9b892 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Sat, 5 Oct 2019 13:21:01 +0200 +Subject: memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()' + +From: Christophe JAILLET + +commit 28c9fac09ab0147158db0baeec630407a5e9b892 upstream. + +If 'jmb38x_ms_count_slots()' returns 0, we must undo the previous +'pci_request_regions()' call. + +Goto 'err_out_int' to fix it. + +Fixes: 60fdd931d577 ("memstick: add support for JMicron jmb38x MemoryStick host controller") +Cc: stable@vger.kernel.org +Signed-off-by: Christophe JAILLET +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/memstick/host/jmb38x_ms.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/memstick/host/jmb38x_ms.c ++++ b/drivers/memstick/host/jmb38x_ms.c +@@ -949,7 +949,7 @@ static int jmb38x_ms_probe(struct pci_de + if (!cnt) { + rc = -ENODEV; + pci_dev_busy = 1; +- goto err_out; ++ goto err_out_int; + } + + jm = kzalloc(sizeof(struct jmb38x_ms) diff --git a/queue-4.19/pci-pm-fix-pci_power_up.patch b/queue-4.19/pci-pm-fix-pci_power_up.patch new file mode 100644 index 00000000000..b6c6d1c1306 --- /dev/null +++ b/queue-4.19/pci-pm-fix-pci_power_up.patch @@ -0,0 +1,81 @@ +From 45144d42f299455911cc29366656c7324a3a7c97 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Mon, 14 Oct 2019 13:25:00 +0200 +Subject: PCI: PM: Fix pci_power_up() + +From: Rafael J. Wysocki + +commit 45144d42f299455911cc29366656c7324a3a7c97 upstream. + +There is an arbitrary difference between the system resume and +runtime resume code paths for PCI devices regarding the delay to +apply when switching the devices from D3cold to D0. + +Namely, pci_restore_standard_config() used in the runtime resume +code path calls pci_set_power_state() which in turn invokes +__pci_start_power_transition() to power up the device through the +platform firmware and that function applies the transition delay +(as per PCI Express Base Specification Revision 2.0, Section 6.6.1). +However, pci_pm_default_resume_early() used in the system resume +code path calls pci_power_up() which doesn't apply the delay at +all and that causes issues to occur during resume from +suspend-to-idle on some systems where the delay is required. + +Since there is no reason for that difference to exist, modify +pci_power_up() to follow pci_set_power_state() more closely and +invoke __pci_start_power_transition() from there to call the +platform firmware to power up the device (in case that's necessary). + +Fixes: db288c9c5f9d ("PCI / PM: restore the original behavior of pci_set_power_state()") +Reported-by: Daniel Drake +Tested-by: Daniel Drake +Link: https://lore.kernel.org/linux-pm/CAD8Lp44TYxrMgPLkHCqF9hv6smEurMXvmmvmtyFhZ6Q4SE+dig@mail.gmail.com/T/#m21be74af263c6a34f36e0fc5c77c5449d9406925 +Signed-off-by: Rafael J. Wysocki +Acked-by: Bjorn Helgaas +Cc: 3.10+ # 3.10+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/pci.c | 24 +++++++++++------------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -926,19 +926,6 @@ void pci_update_current_state(struct pci + } + + /** +- * pci_power_up - Put the given device into D0 forcibly +- * @dev: PCI device to power up +- */ +-void pci_power_up(struct pci_dev *dev) +-{ +- if (platform_pci_power_manageable(dev)) +- platform_pci_set_power_state(dev, PCI_D0); +- +- pci_raw_set_power_state(dev, PCI_D0); +- pci_update_current_state(dev, PCI_D0); +-} +- +-/** + * pci_platform_power_transition - Use platform to change device power state + * @dev: PCI device to handle. + * @state: State to put the device into. +@@ -1117,6 +1104,17 @@ int pci_set_power_state(struct pci_dev * + EXPORT_SYMBOL(pci_set_power_state); + + /** ++ * pci_power_up - Put the given device into D0 forcibly ++ * @dev: PCI device to power up ++ */ ++void pci_power_up(struct pci_dev *dev) ++{ ++ __pci_start_power_transition(dev, PCI_D0); ++ pci_raw_set_power_state(dev, PCI_D0); ++ pci_update_current_state(dev, PCI_D0); ++} ++ ++/** + * pci_choose_state - Choose the power state of a PCI device + * @dev: PCI device to be suspended + * @state: target sleep state for the whole system. This is the value diff --git a/queue-4.19/perf-aux-fix-aux-output-stopping.patch b/queue-4.19/perf-aux-fix-aux-output-stopping.patch new file mode 100644 index 00000000000..bb7a5dc6fe4 --- /dev/null +++ b/queue-4.19/perf-aux-fix-aux-output-stopping.patch @@ -0,0 +1,55 @@ +From f3a519e4add93b7b31a6616f0b09635ff2e6a159 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 22 Oct 2019 10:39:40 +0300 +Subject: perf/aux: Fix AUX output stopping + +From: Alexander Shishkin + +commit f3a519e4add93b7b31a6616f0b09635ff2e6a159 upstream. + +Commit: + + 8a58ddae2379 ("perf/core: Fix exclusive events' grouping") + +allows CAP_EXCLUSIVE events to be grouped with other events. Since all +of those also happen to be AUX events (which is not the case the other +way around, because arch/s390), this changes the rules for stopping the +output: the AUX event may not be on its PMU's context any more, if it's +grouped with a HW event, in which case it will be on that HW event's +context instead. If that's the case, munmap() of the AUX buffer can't +find and stop the AUX event, potentially leaving the last reference with +the atomic context, which will then end up freeing the AUX buffer. This +will then trip warnings: + +Fix this by using the context's PMU context when looking for events +to stop, instead of the event's PMU context. + +Signed-off-by: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20191022073940.61814-1-alexander.shishkin@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -6813,7 +6813,7 @@ static void __perf_event_output_stop(str + static int __perf_pmu_output_stop(void *info) + { + struct perf_event *event = info; +- struct pmu *pmu = event->pmu; ++ struct pmu *pmu = event->ctx->pmu; + struct perf_cpu_context *cpuctx = this_cpu_ptr(pmu->pmu_cpu_context); + struct remote_output ro = { + .rb = event->rb, diff --git a/queue-4.19/pinctrl-armada-37xx-fix-control-of-pins-32-and-up.patch b/queue-4.19/pinctrl-armada-37xx-fix-control-of-pins-32-and-up.patch new file mode 100644 index 00000000000..bce93c4a41f --- /dev/null +++ b/queue-4.19/pinctrl-armada-37xx-fix-control-of-pins-32-and-up.patch @@ -0,0 +1,100 @@ +From 20504fa1d2ffd5d03cdd9dc9c9dd4ed4579b97ef Mon Sep 17 00:00:00 2001 +From: Patrick Williams +Date: Tue, 1 Oct 2019 10:46:31 -0500 +Subject: pinctrl: armada-37xx: fix control of pins 32 and up + +From: Patrick Williams + +commit 20504fa1d2ffd5d03cdd9dc9c9dd4ed4579b97ef upstream. + +The 37xx configuration registers are only 32 bits long, so +pins 32-35 spill over into the next register. The calculation +for the register address was done, but the bitmask was not, so +any configuration to pin 32 or above resulted in a bitmask that +overflowed and performed no action. + +Fix the register / offset calculation to also adjust the offset. + +Fixes: 5715092a458c ("pinctrl: armada-37xx: Add gpio support") +Signed-off-by: Patrick Williams +Acked-by: Gregory CLEMENT +Cc: +Link: https://lore.kernel.org/r/20191001154634.96165-1-alpawi@amazon.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c ++++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +@@ -218,11 +218,11 @@ static const struct armada_37xx_pin_data + }; + + static inline void armada_37xx_update_reg(unsigned int *reg, +- unsigned int offset) ++ unsigned int *offset) + { + /* We never have more than 2 registers */ +- if (offset >= GPIO_PER_REG) { +- offset -= GPIO_PER_REG; ++ if (*offset >= GPIO_PER_REG) { ++ *offset -= GPIO_PER_REG; + *reg += sizeof(u32); + } + } +@@ -373,7 +373,7 @@ static inline void armada_37xx_irq_updat + { + int offset = irqd_to_hwirq(d); + +- armada_37xx_update_reg(reg, offset); ++ armada_37xx_update_reg(reg, &offset); + } + + static int armada_37xx_gpio_direction_input(struct gpio_chip *chip, +@@ -383,7 +383,7 @@ static int armada_37xx_gpio_direction_in + unsigned int reg = OUTPUT_EN; + unsigned int mask; + +- armada_37xx_update_reg(®, offset); ++ armada_37xx_update_reg(®, &offset); + mask = BIT(offset); + + return regmap_update_bits(info->regmap, reg, mask, 0); +@@ -396,7 +396,7 @@ static int armada_37xx_gpio_get_directio + unsigned int reg = OUTPUT_EN; + unsigned int val, mask; + +- armada_37xx_update_reg(®, offset); ++ armada_37xx_update_reg(®, &offset); + mask = BIT(offset); + regmap_read(info->regmap, reg, &val); + +@@ -410,7 +410,7 @@ static int armada_37xx_gpio_direction_ou + unsigned int reg = OUTPUT_EN; + unsigned int mask, val, ret; + +- armada_37xx_update_reg(®, offset); ++ armada_37xx_update_reg(®, &offset); + mask = BIT(offset); + + ret = regmap_update_bits(info->regmap, reg, mask, mask); +@@ -431,7 +431,7 @@ static int armada_37xx_gpio_get(struct g + unsigned int reg = INPUT_VAL; + unsigned int val, mask; + +- armada_37xx_update_reg(®, offset); ++ armada_37xx_update_reg(®, &offset); + mask = BIT(offset); + + regmap_read(info->regmap, reg, &val); +@@ -446,7 +446,7 @@ static void armada_37xx_gpio_set(struct + unsigned int reg = OUTPUT_VAL; + unsigned int mask, val; + +- armada_37xx_update_reg(®, offset); ++ armada_37xx_update_reg(®, &offset); + mask = BIT(offset); + val = value ? mask : 0; + diff --git a/queue-4.19/pinctrl-armada-37xx-swap-polarity-on-led-group.patch b/queue-4.19/pinctrl-armada-37xx-swap-polarity-on-led-group.patch new file mode 100644 index 00000000000..d41ace0075a --- /dev/null +++ b/queue-4.19/pinctrl-armada-37xx-swap-polarity-on-led-group.patch @@ -0,0 +1,41 @@ +From b835d6953009dc350d61402a854b5a7178d8c615 Mon Sep 17 00:00:00 2001 +From: Patrick Williams +Date: Tue, 1 Oct 2019 10:51:38 -0500 +Subject: pinctrl: armada-37xx: swap polarity on LED group + +From: Patrick Williams + +commit b835d6953009dc350d61402a854b5a7178d8c615 upstream. + +The configuration registers for the LED group have inverted +polarity, which puts the GPIO into open-drain state when used in +GPIO mode. Switch to '0' for GPIO and '1' for LED modes. + +Fixes: 87466ccd9401 ("pinctrl: armada-37xx: Add pin controller support for Armada 37xx") +Signed-off-by: Patrick Williams +Cc: +Link: https://lore.kernel.org/r/20191001155154.99710-1-alpawi@amazon.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c ++++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +@@ -183,10 +183,10 @@ static struct armada_37xx_pin_group arma + PIN_GRP_EXTRA("uart2", 9, 2, BIT(1) | BIT(13) | BIT(14) | BIT(19), + BIT(1) | BIT(13) | BIT(14), BIT(1) | BIT(19), + 18, 2, "gpio", "uart"), +- PIN_GRP_GPIO("led0_od", 11, 1, BIT(20), "led"), +- PIN_GRP_GPIO("led1_od", 12, 1, BIT(21), "led"), +- PIN_GRP_GPIO("led2_od", 13, 1, BIT(22), "led"), +- PIN_GRP_GPIO("led3_od", 14, 1, BIT(23), "led"), ++ PIN_GRP_GPIO_2("led0_od", 11, 1, BIT(20), BIT(20), 0, "led"), ++ PIN_GRP_GPIO_2("led1_od", 12, 1, BIT(21), BIT(21), 0, "led"), ++ PIN_GRP_GPIO_2("led2_od", 13, 1, BIT(22), BIT(22), 0, "led"), ++ PIN_GRP_GPIO_2("led3_od", 14, 1, BIT(23), BIT(23), 0, "led"), + + }; + diff --git a/queue-4.19/pinctrl-cherryview-restore-strago-dmi-workaround-for-all-versions.patch b/queue-4.19/pinctrl-cherryview-restore-strago-dmi-workaround-for-all-versions.patch new file mode 100644 index 00000000000..6a933ca774e --- /dev/null +++ b/queue-4.19/pinctrl-cherryview-restore-strago-dmi-workaround-for-all-versions.patch @@ -0,0 +1,69 @@ +From 260996c30f4f3a732f45045e3e0efe27017615e4 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Mon, 23 Sep 2019 19:49:58 -0700 +Subject: pinctrl: cherryview: restore Strago DMI workaround for all versions + +From: Dmitry Torokhov + +commit 260996c30f4f3a732f45045e3e0efe27017615e4 upstream. + +This is essentially a revert of: + +e3f72b749da2 pinctrl: cherryview: fix Strago DMI workaround +86c5dd6860a6 pinctrl: cherryview: limit Strago DMI workarounds to version 1.0 + +because even with 1.1 versions of BIOS there are some pins that are +configured as interrupts but not claimed by any driver, and they +sometimes fire up and result in interrupt storms that cause touchpad +stop functioning and other issues. + +Given that we are unlikely to qualify another firmware version for a +while it is better to keep the workaround active on all Strago boards. + +Reported-by: Alex Levin +Fixes: 86c5dd6860a6 ("pinctrl: cherryview: limit Strago DMI workarounds to version 1.0") +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Reviewed-by: Andy Shevchenko +Tested-by: Alex Levin +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/intel/pinctrl-cherryview.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/pinctrl/intel/pinctrl-cherryview.c ++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c +@@ -1524,7 +1524,6 @@ static const struct dmi_system_id chv_no + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "GOOGLE"), + DMI_MATCH(DMI_PRODUCT_FAMILY, "Intel_Strago"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "1.0"), + }, + }, + { +@@ -1532,7 +1531,6 @@ static const struct dmi_system_id chv_no + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "HP"), + DMI_MATCH(DMI_PRODUCT_NAME, "Setzer"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "1.0"), + }, + }, + { +@@ -1540,7 +1538,6 @@ static const struct dmi_system_id chv_no + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "GOOGLE"), + DMI_MATCH(DMI_PRODUCT_NAME, "Cyan"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "1.0"), + }, + }, + { +@@ -1548,7 +1545,6 @@ static const struct dmi_system_id chv_no + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "GOOGLE"), + DMI_MATCH(DMI_PRODUCT_NAME, "Celes"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "1.0"), + }, + }, + {} diff --git a/queue-4.19/series b/queue-4.19/series index f7b0570c366..baefc48006d 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -71,3 +71,23 @@ xtensa-drop-export_symbol-for-outs-ins.patch parisc-fix-vmap-memory-leak-in-ioremap-iounmap.patch edac-ghes-fix-use-after-free-in-ghes_edac-remove-path.patch arm64-enable-workaround-for-cavium-tx2-erratum-219-when-running-smt.patch +cifs-avoid-using-mid-0xffff.patch +cifs-fix-use-after-free-of-file-info-structures.patch +perf-aux-fix-aux-output-stopping.patch +tracing-fix-race-in-perf_trace_buf-initialization.patch +dm-cache-fix-bugs-when-a-gfp_nowait-allocation-fails.patch +x86-boot-64-make-level2_kernel_pgt-pages-invalid-outside-kernel-area.patch +x86-apic-x2apic-fix-a-null-pointer-deref-when-handling-a-dying-cpu.patch +x86-hyperv-make-vapic-support-x2apic-mode.patch +pinctrl-cherryview-restore-strago-dmi-workaround-for-all-versions.patch +pinctrl-armada-37xx-fix-control-of-pins-32-and-up.patch +pinctrl-armada-37xx-swap-polarity-on-led-group.patch +btrfs-block-group-fix-a-memory-leak-due-to-missing-btrfs_put_block_group.patch +btrfs-add-missing-extents-release-on-file-extent-cluster-relocation-error.patch +btrfs-check-for-the-full-sync-flag-while-holding-the-inode-lock-during-fsync.patch +btrfs-tracepoints-fix-bad-entry-members-of-qgroup-events.patch +memstick-jmb38x_ms-fix-an-error-handling-path-in-jmb38x_ms_probe.patch +cpufreq-avoid-cpufreq_suspend-deadlock-on-system-shutdown.patch +xen-netback-fix-error-path-of-xenvif_connect_data.patch +pci-pm-fix-pci_power_up.patch +blk-rq-qos-fix-first-node-deletion-of-rq_qos_del.patch diff --git a/queue-4.19/tracing-fix-race-in-perf_trace_buf-initialization.patch b/queue-4.19/tracing-fix-race-in-perf_trace_buf-initialization.patch new file mode 100644 index 00000000000..463ad193aa5 --- /dev/null +++ b/queue-4.19/tracing-fix-race-in-perf_trace_buf-initialization.patch @@ -0,0 +1,115 @@ +From 6b1340cc00edeadd52ebd8a45171f38c8de2a387 Mon Sep 17 00:00:00 2001 +From: Prateek Sood +Date: Tue, 15 Oct 2019 11:47:25 +0530 +Subject: tracing: Fix race in perf_trace_buf initialization + +From: Prateek Sood + +commit 6b1340cc00edeadd52ebd8a45171f38c8de2a387 upstream. + +A race condition exists while initialiazing perf_trace_buf from +perf_trace_init() and perf_kprobe_init(). + + CPU0 CPU1 +perf_trace_init() + mutex_lock(&event_mutex) + perf_trace_event_init() + perf_trace_event_reg() + total_ref_count == 0 + buf = alloc_percpu() + perf_trace_buf[i] = buf + tp_event->class->reg() //fails perf_kprobe_init() + goto fail perf_trace_event_init() + perf_trace_event_reg() + fail: + total_ref_count == 0 + + total_ref_count == 0 + buf = alloc_percpu() + perf_trace_buf[i] = buf + tp_event->class->reg() + total_ref_count++ + + free_percpu(perf_trace_buf[i]) + perf_trace_buf[i] = NULL + +Any subsequent call to perf_trace_event_reg() will observe total_ref_count > 0, +causing the perf_trace_buf to be always NULL. This can result in perf_trace_buf +getting accessed from perf_trace_buf_alloc() without being initialized. Acquiring +event_mutex in perf_kprobe_init() before calling perf_trace_event_init() should +fix this race. + +The race caused the following bug: + + Unable to handle kernel paging request at virtual address 0000003106f2003c + Mem abort info: + ESR = 0x96000045 + Exception class = DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + Data abort info: + ISV = 0, ISS = 0x00000045 + CM = 0, WnR = 1 + user pgtable: 4k pages, 39-bit VAs, pgdp = ffffffc034b9b000 + [0000003106f2003c] pgd=0000000000000000, pud=0000000000000000 + Internal error: Oops: 96000045 [#1] PREEMPT SMP + Process syz-executor (pid: 18393, stack limit = 0xffffffc093190000) + pstate: 80400005 (Nzcv daif +PAN -UAO) + pc : __memset+0x20/0x1ac + lr : memset+0x3c/0x50 + sp : ffffffc09319fc50 + + __memset+0x20/0x1ac + perf_trace_buf_alloc+0x140/0x1a0 + perf_trace_sys_enter+0x158/0x310 + syscall_trace_enter+0x348/0x7c0 + el0_svc_common+0x11c/0x368 + el0_svc_handler+0x12c/0x198 + el0_svc+0x8/0xc + +Ramdumps showed the following: + total_ref_count = 3 + perf_trace_buf = ( + 0x0 -> NULL, + 0x0 -> NULL, + 0x0 -> NULL, + 0x0 -> NULL) + +Link: http://lkml.kernel.org/r/1571120245-4186-1-git-send-email-prsood@codeaurora.org + +Cc: stable@vger.kernel.org +Fixes: e12f03d7031a9 ("perf/core: Implement the 'perf_kprobe' PMU") +Acked-by: Song Liu +Signed-off-by: Prateek Sood +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_event_perf.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/trace/trace_event_perf.c ++++ b/kernel/trace/trace_event_perf.c +@@ -272,9 +272,11 @@ int perf_kprobe_init(struct perf_event * + goto out; + } + ++ mutex_lock(&event_mutex); + ret = perf_trace_event_init(tp_event, p_event); + if (ret) + destroy_local_trace_kprobe(tp_event); ++ mutex_unlock(&event_mutex); + out: + kfree(func); + return ret; +@@ -282,8 +284,10 @@ out: + + void perf_kprobe_destroy(struct perf_event *p_event) + { ++ mutex_lock(&event_mutex); + perf_trace_event_close(p_event); + perf_trace_event_unreg(p_event); ++ mutex_unlock(&event_mutex); + + destroy_local_trace_kprobe(p_event->tp_event); + } diff --git a/queue-4.19/x86-apic-x2apic-fix-a-null-pointer-deref-when-handling-a-dying-cpu.patch b/queue-4.19/x86-apic-x2apic-fix-a-null-pointer-deref-when-handling-a-dying-cpu.patch new file mode 100644 index 00000000000..07eb851d216 --- /dev/null +++ b/queue-4.19/x86-apic-x2apic-fix-a-null-pointer-deref-when-handling-a-dying-cpu.patch @@ -0,0 +1,53 @@ +From 7a22e03b0c02988e91003c505b34d752a51de344 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 1 Oct 2019 13:50:19 -0700 +Subject: x86/apic/x2apic: Fix a NULL pointer deref when handling a dying cpu + +From: Sean Christopherson + +commit 7a22e03b0c02988e91003c505b34d752a51de344 upstream. + +Check that the per-cpu cluster mask pointer has been set prior to +clearing a dying cpu's bit. The per-cpu pointer is not set until the +target cpu reaches smp_callin() during CPUHP_BRINGUP_CPU, whereas the +teardown function, x2apic_dead_cpu(), is associated with the earlier +CPUHP_X2APIC_PREPARE. If an error occurs before the cpu is awakened, +e.g. if do_boot_cpu() itself fails, x2apic_dead_cpu() will dereference +the NULL pointer and cause a panic. + + smpboot: do_boot_cpu failed(-22) to wakeup CPU#1 + BUG: kernel NULL pointer dereference, address: 0000000000000008 + RIP: 0010:x2apic_dead_cpu+0x1a/0x30 + Call Trace: + cpuhp_invoke_callback+0x9a/0x580 + _cpu_up+0x10d/0x140 + do_cpu_up+0x69/0xb0 + smp_init+0x63/0xa9 + kernel_init_freeable+0xd7/0x229 + ? rest_init+0xa0/0xa0 + kernel_init+0xa/0x100 + ret_from_fork+0x35/0x40 + +Fixes: 023a611748fd5 ("x86/apic/x2apic: Simplify cluster management") +Signed-off-by: Sean Christopherson +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20191001205019.5789-1-sean.j.christopherson@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/apic/x2apic_cluster.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/apic/x2apic_cluster.c ++++ b/arch/x86/kernel/apic/x2apic_cluster.c +@@ -158,7 +158,8 @@ static int x2apic_dead_cpu(unsigned int + { + struct cluster_mask *cmsk = per_cpu(cluster_masks, dead_cpu); + +- cpumask_clear_cpu(dead_cpu, &cmsk->mask); ++ if (cmsk) ++ cpumask_clear_cpu(dead_cpu, &cmsk->mask); + free_cpumask_var(per_cpu(ipi_mask, dead_cpu)); + return 0; + } diff --git a/queue-4.19/x86-boot-64-make-level2_kernel_pgt-pages-invalid-outside-kernel-area.patch b/queue-4.19/x86-boot-64-make-level2_kernel_pgt-pages-invalid-outside-kernel-area.patch new file mode 100644 index 00000000000..623939e668b --- /dev/null +++ b/queue-4.19/x86-boot-64-make-level2_kernel_pgt-pages-invalid-outside-kernel-area.patch @@ -0,0 +1,107 @@ +From 2aa85f246c181b1fa89f27e8e20c5636426be624 Mon Sep 17 00:00:00 2001 +From: Steve Wahl +Date: Tue, 24 Sep 2019 16:03:55 -0500 +Subject: x86/boot/64: Make level2_kernel_pgt pages invalid outside kernel area + +From: Steve Wahl + +commit 2aa85f246c181b1fa89f27e8e20c5636426be624 upstream. + +Our hardware (UV aka Superdome Flex) has address ranges marked +reserved by the BIOS. Access to these ranges is caught as an error, +causing the BIOS to halt the system. + +Initial page tables mapped a large range of physical addresses that +were not checked against the list of BIOS reserved addresses, and +sometimes included reserved addresses in part of the mapped range. +Including the reserved range in the map allowed processor speculative +accesses to the reserved range, triggering a BIOS halt. + +Used early in booting, the page table level2_kernel_pgt addresses 1 +GiB divided into 2 MiB pages, and it was set up to linearly map a full + 1 GiB of physical addresses that included the physical address range +of the kernel image, as chosen by KASLR. But this also included a +large range of unused addresses on either side of the kernel image. +And unlike the kernel image's physical address range, this extra +mapped space was not checked against the BIOS tables of usable RAM +addresses. So there were times when the addresses chosen by KASLR +would result in processor accessible mappings of BIOS reserved +physical addresses. + +The kernel code did not directly access any of this extra mapped +space, but having it mapped allowed the processor to issue speculative +accesses into reserved memory, causing system halts. + +This was encountered somewhat rarely on a normal system boot, and much +more often when starting the crash kernel if "crashkernel=512M,high" +was specified on the command line (this heavily restricts the physical +address of the crash kernel, in our case usually within 1 GiB of +reserved space). + +The solution is to invalidate the pages of this table outside the kernel +image's space before the page table is activated. It fixes this problem +on our hardware. + + [ bp: Touchups. ] + +Signed-off-by: Steve Wahl +Signed-off-by: Borislav Petkov +Acked-by: Dave Hansen +Acked-by: Kirill A. Shutemov +Cc: Baoquan He +Cc: Brijesh Singh +Cc: dimitri.sivanich@hpe.com +Cc: Feng Tang +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Jordan Borgner +Cc: Juergen Gross +Cc: mike.travis@hpe.com +Cc: russ.anderson@hpe.com +Cc: stable@vger.kernel.org +Cc: Thomas Gleixner +Cc: x86-ml +Cc: Zhenzhong Duan +Link: https://lkml.kernel.org/r/9c011ee51b081534a7a15065b1681d200298b530.1569358539.git.steve.wahl@hpe.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/head64.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/head64.c ++++ b/arch/x86/kernel/head64.c +@@ -222,13 +222,31 @@ unsigned long __head __startup_64(unsign + * we might write invalid pmds, when the kernel is relocated + * cleanup_highmap() fixes this up along with the mappings + * beyond _end. ++ * ++ * Only the region occupied by the kernel image has so far ++ * been checked against the table of usable memory regions ++ * provided by the firmware, so invalidate pages outside that ++ * region. A page table entry that maps to a reserved area of ++ * memory would allow processor speculation into that area, ++ * and on some hardware (particularly the UV platform) even ++ * speculative access to some reserved areas is caught as an ++ * error, causing the BIOS to halt the system. + */ + + pmd = fixup_pointer(level2_kernel_pgt, physaddr); +- for (i = 0; i < PTRS_PER_PMD; i++) { ++ ++ /* invalidate pages before the kernel image */ ++ for (i = 0; i < pmd_index((unsigned long)_text); i++) ++ pmd[i] &= ~_PAGE_PRESENT; ++ ++ /* fixup pages that are part of the kernel image */ ++ for (; i <= pmd_index((unsigned long)_end); i++) + if (pmd[i] & _PAGE_PRESENT) + pmd[i] += load_delta; +- } ++ ++ /* invalidate pages after the kernel image */ ++ for (; i < PTRS_PER_PMD; i++) ++ pmd[i] &= ~_PAGE_PRESENT; + + /* + * Fixup phys_base - remove the memory encryption mask to obtain diff --git a/queue-4.19/x86-hyperv-make-vapic-support-x2apic-mode.patch b/queue-4.19/x86-hyperv-make-vapic-support-x2apic-mode.patch new file mode 100644 index 00000000000..82e7ab81c5c --- /dev/null +++ b/queue-4.19/x86-hyperv-make-vapic-support-x2apic-mode.patch @@ -0,0 +1,69 @@ +From e211288b72f15259da86eed6eca680758dbe9e74 Mon Sep 17 00:00:00 2001 +From: Roman Kagan +Date: Thu, 10 Oct 2019 12:33:05 +0000 +Subject: x86/hyperv: Make vapic support x2apic mode + +From: Roman Kagan + +commit e211288b72f15259da86eed6eca680758dbe9e74 upstream. + +Now that there's Hyper-V IOMMU driver, Linux can switch to x2apic mode +when supported by the vcpus. + +However, the apic access functions for Hyper-V enlightened apic assume +xapic mode only. + +As a result, Linux fails to bring up secondary cpus when run as a guest +in QEMU/KVM with both hv_apic and x2apic enabled. + +According to Michael Kelley, when in x2apic mode, the Hyper-V synthetic +apic MSRs behave exactly the same as the corresponding architectural +x2apic MSRs, so there's no need to override the apic accessors. The +only exception is hv_apic_eoi_write, which benefits from lazy EOI when +available; however, its implementation works for both xapic and x2apic +modes. + +Fixes: 29217a474683 ("iommu/hyper-v: Add Hyper-V stub IOMMU driver") +Fixes: 6b48cb5f8347 ("X86/Hyper-V: Enlighten APIC access") +Suggested-by: Michael Kelley +Signed-off-by: Roman Kagan +Signed-off-by: Thomas Gleixner +Reviewed-by: Vitaly Kuznetsov +Reviewed-by: Michael Kelley +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20191010123258.16919-1-rkagan@virtuozzo.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/hyperv/hv_apic.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +--- a/arch/x86/hyperv/hv_apic.c ++++ b/arch/x86/hyperv/hv_apic.c +@@ -256,11 +256,21 @@ void __init hv_apic_init(void) + } + + if (ms_hyperv.hints & HV_X64_APIC_ACCESS_RECOMMENDED) { +- pr_info("Hyper-V: Using MSR based APIC access\n"); ++ pr_info("Hyper-V: Using enlightened APIC (%s mode)", ++ x2apic_enabled() ? "x2apic" : "xapic"); ++ /* ++ * With x2apic, architectural x2apic MSRs are equivalent to the ++ * respective synthetic MSRs, so there's no need to override ++ * the apic accessors. The only exception is ++ * hv_apic_eoi_write, because it benefits from lazy EOI when ++ * available, but it works for both xapic and x2apic modes. ++ */ + apic_set_eoi_write(hv_apic_eoi_write); +- apic->read = hv_apic_read; +- apic->write = hv_apic_write; +- apic->icr_write = hv_apic_icr_write; +- apic->icr_read = hv_apic_icr_read; ++ if (!x2apic_enabled()) { ++ apic->read = hv_apic_read; ++ apic->write = hv_apic_write; ++ apic->icr_write = hv_apic_icr_write; ++ apic->icr_read = hv_apic_icr_read; ++ } + } + } diff --git a/queue-4.19/xen-netback-fix-error-path-of-xenvif_connect_data.patch b/queue-4.19/xen-netback-fix-error-path-of-xenvif_connect_data.patch new file mode 100644 index 00000000000..b7c20baa185 --- /dev/null +++ b/queue-4.19/xen-netback-fix-error-path-of-xenvif_connect_data.patch @@ -0,0 +1,36 @@ +From 3d5c1a037d37392a6859afbde49be5ba6a70a6b3 Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Fri, 18 Oct 2019 09:45:49 +0200 +Subject: xen/netback: fix error path of xenvif_connect_data() + +From: Juergen Gross + +commit 3d5c1a037d37392a6859afbde49be5ba6a70a6b3 upstream. + +xenvif_connect_data() calls module_put() in case of error. This is +wrong as there is no related module_get(). + +Remove the superfluous module_put(). + +Fixes: 279f438e36c0a7 ("xen-netback: Don't destroy the netdev until the vif is shut down") +Cc: # 3.12 +Signed-off-by: Juergen Gross +Reviewed-by: Paul Durrant +Reviewed-by: Wei Liu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/xen-netback/interface.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/xen-netback/interface.c ++++ b/drivers/net/xen-netback/interface.c +@@ -718,7 +718,6 @@ err_unmap: + xenvif_unmap_frontend_data_rings(queue); + netif_napi_del(&queue->napi); + err: +- module_put(THIS_MODULE); + return err; + } +