From: Sasha Levin Date: Tue, 19 Mar 2019 22:13:50 +0000 (-0400) Subject: patches for 4.19 X-Git-Tag: v3.18.137~85 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=36e3f50432585477a4700e83c4a807ac2eae3359;p=thirdparty%2Fkernel%2Fstable-queue.git patches for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/af_key-unconditionally-clone-on-broadcast.patch b/queue-4.19/af_key-unconditionally-clone-on-broadcast.patch new file mode 100644 index 00000000000..90691156139 --- /dev/null +++ b/queue-4.19/af_key-unconditionally-clone-on-broadcast.patch @@ -0,0 +1,130 @@ +From 255776ca65596b371b872f317aa5966bb007b17f Mon Sep 17 00:00:00 2001 +From: Sean Tranchetti +Date: Thu, 7 Feb 2019 13:33:21 -0700 +Subject: af_key: unconditionally clone on broadcast + +[ Upstream commit fc2d5cfdcfe2ab76b263d91429caa22451123085 ] + +Attempting to avoid cloning the skb when broadcasting by inflating +the refcount with sock_hold/sock_put while under RCU lock is dangerous +and violates RCU principles. It leads to subtle race conditions when +attempting to free the SKB, as we may reference sockets that have +already been freed by the stack. + +Unable to handle kernel paging request at virtual address 6b6b6b6b6b6c4b +[006b6b6b6b6b6c4b] address between user and kernel address ranges +Internal error: Oops: 96000004 [#1] PREEMPT SMP +task: fffffff78f65b380 task.stack: ffffff8049a88000 +pc : sock_rfree+0x38/0x6c +lr : skb_release_head_state+0x6c/0xcc +Process repro (pid: 7117, stack limit = 0xffffff8049a88000) +Call trace: + sock_rfree+0x38/0x6c + skb_release_head_state+0x6c/0xcc + skb_release_all+0x1c/0x38 + __kfree_skb+0x1c/0x30 + kfree_skb+0xd0/0xf4 + pfkey_broadcast+0x14c/0x18c + pfkey_sendmsg+0x1d8/0x408 + sock_sendmsg+0x44/0x60 + ___sys_sendmsg+0x1d0/0x2a8 + __sys_sendmsg+0x64/0xb4 + SyS_sendmsg+0x34/0x4c + el0_svc_naked+0x34/0x38 +Kernel panic - not syncing: Fatal exception + +Suggested-by: Eric Dumazet +Signed-off-by: Sean Tranchetti +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 40 +++++++++++++++------------------------- + 1 file changed, 15 insertions(+), 25 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index 9d61266526e7..7da629d59717 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -196,30 +196,22 @@ static int pfkey_release(struct socket *sock) + return 0; + } + +-static int pfkey_broadcast_one(struct sk_buff *skb, struct sk_buff **skb2, +- gfp_t allocation, struct sock *sk) ++static int pfkey_broadcast_one(struct sk_buff *skb, gfp_t allocation, ++ struct sock *sk) + { + int err = -ENOBUFS; + +- sock_hold(sk); +- if (*skb2 == NULL) { +- if (refcount_read(&skb->users) != 1) { +- *skb2 = skb_clone(skb, allocation); +- } else { +- *skb2 = skb; +- refcount_inc(&skb->users); +- } +- } +- if (*skb2 != NULL) { +- if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf) { +- skb_set_owner_r(*skb2, sk); +- skb_queue_tail(&sk->sk_receive_queue, *skb2); +- sk->sk_data_ready(sk); +- *skb2 = NULL; +- err = 0; +- } ++ if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) ++ return err; ++ ++ skb = skb_clone(skb, allocation); ++ ++ if (skb) { ++ skb_set_owner_r(skb, sk); ++ skb_queue_tail(&sk->sk_receive_queue, skb); ++ sk->sk_data_ready(sk); ++ err = 0; + } +- sock_put(sk); + return err; + } + +@@ -234,7 +226,6 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation, + { + struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id); + struct sock *sk; +- struct sk_buff *skb2 = NULL; + int err = -ESRCH; + + /* XXX Do we need something like netlink_overrun? I think +@@ -253,7 +244,7 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation, + * socket. + */ + if (pfk->promisc) +- pfkey_broadcast_one(skb, &skb2, GFP_ATOMIC, sk); ++ pfkey_broadcast_one(skb, GFP_ATOMIC, sk); + + /* the exact target will be processed later */ + if (sk == one_sk) +@@ -268,7 +259,7 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation, + continue; + } + +- err2 = pfkey_broadcast_one(skb, &skb2, GFP_ATOMIC, sk); ++ err2 = pfkey_broadcast_one(skb, GFP_ATOMIC, sk); + + /* Error is cleared after successful sending to at least one + * registered KM */ +@@ -278,9 +269,8 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation, + rcu_read_unlock(); + + if (one_sk != NULL) +- err = pfkey_broadcast_one(skb, &skb2, allocation, one_sk); ++ err = pfkey_broadcast_one(skb, allocation, one_sk); + +- kfree_skb(skb2); + kfree_skb(skb); + return err; + } +-- +2.19.1 + diff --git a/queue-4.19/arc-uacces-remove-lp_start-lp_end-from-clobber-list.patch b/queue-4.19/arc-uacces-remove-lp_start-lp_end-from-clobber-list.patch new file mode 100644 index 00000000000..c967e92d603 --- /dev/null +++ b/queue-4.19/arc-uacces-remove-lp_start-lp_end-from-clobber-list.patch @@ -0,0 +1,59 @@ +From 77ce17114652f5079966be33d66c81f10bc3e731 Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Tue, 5 Feb 2019 10:07:07 -0800 +Subject: ARC: uacces: remove lp_start, lp_end from clobber list + +[ Upstream commit d5e3c55e01d8b1774b37b4647c30fb22f1d39077 ] + +Newer ARC gcc handles lp_start, lp_end in a different way and doesn't +like them in the clobber list. + +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/include/asm/uaccess.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arc/include/asm/uaccess.h b/arch/arc/include/asm/uaccess.h +index c9173c02081c..eabc3efa6c6d 100644 +--- a/arch/arc/include/asm/uaccess.h ++++ b/arch/arc/include/asm/uaccess.h +@@ -207,7 +207,7 @@ raw_copy_from_user(void *to, const void __user *from, unsigned long n) + */ + "=&r" (tmp), "+r" (to), "+r" (from) + : +- : "lp_count", "lp_start", "lp_end", "memory"); ++ : "lp_count", "memory"); + + return n; + } +@@ -433,7 +433,7 @@ raw_copy_to_user(void __user *to, const void *from, unsigned long n) + */ + "=&r" (tmp), "+r" (to), "+r" (from) + : +- : "lp_count", "lp_start", "lp_end", "memory"); ++ : "lp_count", "memory"); + + return n; + } +@@ -653,7 +653,7 @@ static inline unsigned long __arc_clear_user(void __user *to, unsigned long n) + " .previous \n" + : "+r"(d_char), "+r"(res) + : "i"(0) +- : "lp_count", "lp_start", "lp_end", "memory"); ++ : "lp_count", "memory"); + + return res; + } +@@ -686,7 +686,7 @@ __arc_strncpy_from_user(char *dst, const char __user *src, long count) + " .previous \n" + : "+r"(res), "+r"(dst), "+r"(src), "=r"(val) + : "g"(-EFAULT), "r"(count) +- : "lp_count", "lp_start", "lp_end", "memory"); ++ : "lp_count", "memory"); + + return res; + } +-- +2.19.1 + diff --git a/queue-4.19/arcv2-don-t-assume-core-0x54-has-dual-issue.patch b/queue-4.19/arcv2-don-t-assume-core-0x54-has-dual-issue.patch new file mode 100644 index 00000000000..d70745a5553 --- /dev/null +++ b/queue-4.19/arcv2-don-t-assume-core-0x54-has-dual-issue.patch @@ -0,0 +1,82 @@ +From f13974aca313083542ea0f95d4a7b8abcdb2face Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Thu, 21 Feb 2019 13:44:49 -0800 +Subject: ARCv2: don't assume core 0x54 has dual issue + +[ Upstream commit 7b2e932f633bcb7b190fc7031ce6dac75f8c3472 ] + +The first release of core4 (0x54) was dual issue only (HS4x). +Newer releases allow hardware to be configured as single issue (HS3x) +or dual issue. + +Prevent accessing a HS4x only aux register in HS3x, which otherwise +leads to illegal instruction exceptions + +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/include/asm/arcregs.h | 8 ++++++++ + arch/arc/kernel/setup.c | 26 +++++++++++++++++++++----- + 2 files changed, 29 insertions(+), 5 deletions(-) + +diff --git a/arch/arc/include/asm/arcregs.h b/arch/arc/include/asm/arcregs.h +index 49bfbd879caa..bdbdaef902eb 100644 +--- a/arch/arc/include/asm/arcregs.h ++++ b/arch/arc/include/asm/arcregs.h +@@ -151,6 +151,14 @@ struct bcr_isa_arcv2 { + #endif + }; + ++struct bcr_uarch_build_arcv2 { ++#ifdef CONFIG_CPU_BIG_ENDIAN ++ unsigned int pad:8, prod:8, maj:8, min:8; ++#else ++ unsigned int min:8, maj:8, prod:8, pad:8; ++#endif ++}; ++ + struct bcr_mpy { + #ifdef CONFIG_CPU_BIG_ENDIAN + unsigned int pad:8, x1616:8, dsp:4, cycles:2, type:2, ver:8; +diff --git a/arch/arc/kernel/setup.c b/arch/arc/kernel/setup.c +index 62a30e58441c..3320ca2fe20f 100644 +--- a/arch/arc/kernel/setup.c ++++ b/arch/arc/kernel/setup.c +@@ -196,13 +196,29 @@ static void read_arc_build_cfg_regs(void) + cpu->bpu.num_pred = 2048 << bpu.pte; + + if (cpu->core.family >= 0x54) { +- unsigned int exec_ctrl; + +- READ_BCR(AUX_EXEC_CTRL, exec_ctrl); +- cpu->extn.dual_enb = !(exec_ctrl & 1); ++ struct bcr_uarch_build_arcv2 uarch; + +- /* dual issue always present for this core */ +- cpu->extn.dual = 1; ++ /* ++ * The first 0x54 core (uarch maj:min 0:1 or 0:2) was ++ * dual issue only (HS4x). But next uarch rev (1:0) ++ * allows it be configured for single issue (HS3x) ++ * Ensure we fiddle with dual issue only on HS4x ++ */ ++ READ_BCR(ARC_REG_MICRO_ARCH_BCR, uarch); ++ ++ if (uarch.prod == 4) { ++ unsigned int exec_ctrl; ++ ++ /* dual issue hardware always present */ ++ cpu->extn.dual = 1; ++ ++ READ_BCR(AUX_EXEC_CTRL, exec_ctrl); ++ ++ /* dual issue hardware enabled ? */ ++ cpu->extn.dual_enb = !(exec_ctrl & 1); ++ ++ } + } + } + +-- +2.19.1 + diff --git a/queue-4.19/arcv2-lib-memcpy-fix-doing-prefetchw-outside-of-buff.patch b/queue-4.19/arcv2-lib-memcpy-fix-doing-prefetchw-outside-of-buff.patch new file mode 100644 index 00000000000..ffd3a3707e6 --- /dev/null +++ b/queue-4.19/arcv2-lib-memcpy-fix-doing-prefetchw-outside-of-buff.patch @@ -0,0 +1,102 @@ +From 2273366d2143c4ce2b792878f764a40c76b573e6 Mon Sep 17 00:00:00 2001 +From: Eugeniy Paltsev +Date: Wed, 30 Jan 2019 19:32:40 +0300 +Subject: ARCv2: lib: memcpy: fix doing prefetchw outside of buffer + +[ Upstream commit f8a15f97664178f27dfbf86a38f780a532cb6df0 ] + +ARCv2 optimized memcpy uses PREFETCHW instruction for prefetching the +next cache line but doesn't ensure that the line is not past the end of +the buffer. PRETECHW changes the line ownership and marks it dirty, +which can cause data corruption if this area is used for DMA IO. + +Fix the issue by avoiding the PREFETCHW. This leads to performance +degradation but it is OK as we'll introduce new memcpy implementation +optimized for unaligned memory access using. + +We also cut off all PREFETCH instructions at they are quite useless +here: + * we call PREFETCH right before LOAD instruction call. + * we copy 16 or 32 bytes of data (depending on CONFIG_ARC_HAS_LL64) + in a main logical loop. so we call PREFETCH 4 times (or 2 times) + for each L1 cache line (in case of 64B L1 cache Line which is + default case). Obviously this is not optimal. + +Signed-off-by: Eugeniy Paltsev +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/lib/memcpy-archs.S | 14 -------------- + 1 file changed, 14 deletions(-) + +diff --git a/arch/arc/lib/memcpy-archs.S b/arch/arc/lib/memcpy-archs.S +index d61044dd8b58..ea14b0bf3116 100644 +--- a/arch/arc/lib/memcpy-archs.S ++++ b/arch/arc/lib/memcpy-archs.S +@@ -25,15 +25,11 @@ + #endif + + #ifdef CONFIG_ARC_HAS_LL64 +-# define PREFETCH_READ(RX) prefetch [RX, 56] +-# define PREFETCH_WRITE(RX) prefetchw [RX, 64] + # define LOADX(DST,RX) ldd.ab DST, [RX, 8] + # define STOREX(SRC,RX) std.ab SRC, [RX, 8] + # define ZOLSHFT 5 + # define ZOLAND 0x1F + #else +-# define PREFETCH_READ(RX) prefetch [RX, 28] +-# define PREFETCH_WRITE(RX) prefetchw [RX, 32] + # define LOADX(DST,RX) ld.ab DST, [RX, 4] + # define STOREX(SRC,RX) st.ab SRC, [RX, 4] + # define ZOLSHFT 4 +@@ -41,8 +37,6 @@ + #endif + + ENTRY_CFI(memcpy) +- prefetch [r1] ; Prefetch the read location +- prefetchw [r0] ; Prefetch the write location + mov.f 0, r2 + ;;; if size is zero + jz.d [blink] +@@ -72,8 +66,6 @@ ENTRY_CFI(memcpy) + lpnz @.Lcopy32_64bytes + ;; LOOP START + LOADX (r6, r1) +- PREFETCH_READ (r1) +- PREFETCH_WRITE (r3) + LOADX (r8, r1) + LOADX (r10, r1) + LOADX (r4, r1) +@@ -117,9 +109,7 @@ ENTRY_CFI(memcpy) + lpnz @.Lcopy8bytes_1 + ;; LOOP START + ld.ab r6, [r1, 4] +- prefetch [r1, 28] ;Prefetch the next read location + ld.ab r8, [r1,4] +- prefetchw [r3, 32] ;Prefetch the next write location + + SHIFT_1 (r7, r6, 24) + or r7, r7, r5 +@@ -162,9 +152,7 @@ ENTRY_CFI(memcpy) + lpnz @.Lcopy8bytes_2 + ;; LOOP START + ld.ab r6, [r1, 4] +- prefetch [r1, 28] ;Prefetch the next read location + ld.ab r8, [r1,4] +- prefetchw [r3, 32] ;Prefetch the next write location + + SHIFT_1 (r7, r6, 16) + or r7, r7, r5 +@@ -204,9 +192,7 @@ ENTRY_CFI(memcpy) + lpnz @.Lcopy8bytes_3 + ;; LOOP START + ld.ab r6, [r1, 4] +- prefetch [r1, 28] ;Prefetch the next read location + ld.ab r8, [r1,4] +- prefetchw [r3, 32] ;Prefetch the next write location + + SHIFT_1 (r7, r6, 8) + or r7, r7, r5 +-- +2.19.1 + diff --git a/queue-4.19/arcv2-support-manual-regfile-save-on-interrupts.patch b/queue-4.19/arcv2-support-manual-regfile-save-on-interrupts.patch new file mode 100644 index 00000000000..ccb3d20f8bc --- /dev/null +++ b/queue-4.19/arcv2-support-manual-regfile-save-on-interrupts.patch @@ -0,0 +1,160 @@ +From e3f16c67527e970e029fda10084bbffb744259ef Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Wed, 6 Jun 2018 10:20:37 -0700 +Subject: ARCv2: support manual regfile save on interrupts + +[ Upstream commit e494239a007e601448110ac304fe055951f9de3b ] + +There's a hardware bug which affects the HSDK platform, triggered by +micro-ops for auto-saving regfile on taken interrupt. The workaround is +to inhibit autosave. + +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/Kconfig | 8 +++++ + arch/arc/include/asm/entry-arcv2.h | 54 ++++++++++++++++++++++++++++++ + arch/arc/kernel/entry-arcv2.S | 4 ++- + arch/arc/kernel/intc-arcv2.c | 2 ++ + arch/arc/plat-hsdk/Kconfig | 1 + + 5 files changed, 68 insertions(+), 1 deletion(-) + +diff --git a/arch/arc/Kconfig b/arch/arc/Kconfig +index ac69f307dcfe..74953e76a57d 100644 +--- a/arch/arc/Kconfig ++++ b/arch/arc/Kconfig +@@ -420,6 +420,14 @@ config ARC_HAS_ACCL_REGS + (also referred to as r58:r59). These can also be used by gcc as GPR so + kernel needs to save/restore per process + ++config ARC_IRQ_NO_AUTOSAVE ++ bool "Disable hardware autosave regfile on interrupts" ++ default n ++ help ++ On HS cores, taken interrupt auto saves the regfile on stack. ++ This is programmable and can be optionally disabled in which case ++ software INTERRUPT_PROLOGUE/EPILGUE do the needed work ++ + endif # ISA_ARCV2 + + endmenu # "ARC CPU Configuration" +diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h +index 309f4e6721b3..225e7df2d8ed 100644 +--- a/arch/arc/include/asm/entry-arcv2.h ++++ b/arch/arc/include/asm/entry-arcv2.h +@@ -17,6 +17,33 @@ + ; + ; Now manually save: r12, sp, fp, gp, r25 + ++#ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE ++.ifnc \called_from, exception ++ st.as r9, [sp, -10] ; save r9 in it's final stack slot ++ sub sp, sp, 12 ; skip JLI, LDI, EI ++ ++ PUSH lp_count ++ PUSHAX lp_start ++ PUSHAX lp_end ++ PUSH blink ++ ++ PUSH r11 ++ PUSH r10 ++ ++ sub sp, sp, 4 ; skip r9 ++ ++ PUSH r8 ++ PUSH r7 ++ PUSH r6 ++ PUSH r5 ++ PUSH r4 ++ PUSH r3 ++ PUSH r2 ++ PUSH r1 ++ PUSH r0 ++.endif ++#endif ++ + #ifdef CONFIG_ARC_HAS_ACCL_REGS + PUSH r59 + PUSH r58 +@@ -86,6 +113,33 @@ + POP r59 + #endif + ++#ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE ++.ifnc \called_from, exception ++ POP r0 ++ POP r1 ++ POP r2 ++ POP r3 ++ POP r4 ++ POP r5 ++ POP r6 ++ POP r7 ++ POP r8 ++ POP r9 ++ POP r10 ++ POP r11 ++ ++ POP blink ++ POPAX lp_end ++ POPAX lp_start ++ ++ POP r9 ++ mov lp_count, r9 ++ ++ add sp, sp, 12 ; skip JLI, LDI, EI ++ ld.as r9, [sp, -10] ; reload r9 which got clobbered ++.endif ++#endif ++ + .endm + + /*------------------------------------------------------------------------*/ +diff --git a/arch/arc/kernel/entry-arcv2.S b/arch/arc/kernel/entry-arcv2.S +index cc558a25b8fa..562089d62d9d 100644 +--- a/arch/arc/kernel/entry-arcv2.S ++++ b/arch/arc/kernel/entry-arcv2.S +@@ -209,7 +209,9 @@ restore_regs: + ;####### Return from Intr ####### + + debug_marker_l1: +- bbit1.nt r0, STATUS_DE_BIT, .Lintr_ret_to_delay_slot ++ ; bbit1.nt r0, STATUS_DE_BIT, .Lintr_ret_to_delay_slot ++ btst r0, STATUS_DE_BIT ; Z flag set if bit clear ++ bnz .Lintr_ret_to_delay_slot ; branch if STATUS_DE_BIT set + + .Lisr_ret_fast_path: + ; Handle special case #1: (Entry via Exception, Return via IRQ) +diff --git a/arch/arc/kernel/intc-arcv2.c b/arch/arc/kernel/intc-arcv2.c +index 067ea362fb3e..cf18b3e5a934 100644 +--- a/arch/arc/kernel/intc-arcv2.c ++++ b/arch/arc/kernel/intc-arcv2.c +@@ -49,11 +49,13 @@ void arc_init_IRQ(void) + + *(unsigned int *)&ictrl = 0; + ++#ifndef CONFIG_ARC_IRQ_NO_AUTOSAVE + ictrl.save_nr_gpr_pairs = 6; /* r0 to r11 (r12 saved manually) */ + ictrl.save_blink = 1; + ictrl.save_lp_regs = 1; /* LP_COUNT, LP_START, LP_END */ + ictrl.save_u_to_u = 0; /* user ctxt saved on kernel stack */ + ictrl.save_idx_regs = 1; /* JLI, LDI, EI */ ++#endif + + WRITE_AUX(AUX_IRQ_CTRL, ictrl); + +diff --git a/arch/arc/plat-hsdk/Kconfig b/arch/arc/plat-hsdk/Kconfig +index 9356753c2ed8..c285a83cbf08 100644 +--- a/arch/arc/plat-hsdk/Kconfig ++++ b/arch/arc/plat-hsdk/Kconfig +@@ -9,6 +9,7 @@ menuconfig ARC_SOC_HSDK + bool "ARC HS Development Kit SOC" + depends on ISA_ARCV2 + select ARC_HAS_ACCL_REGS ++ select ARC_IRQ_NO_AUTOSAVE + select CLK_HSDK + select RESET_HSDK + select MIGHT_HAVE_PCI +-- +2.19.1 + diff --git a/queue-4.19/arm-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch b/queue-4.19/arm-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch new file mode 100644 index 00000000000..e70bee9a97c --- /dev/null +++ b/queue-4.19/arm-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch @@ -0,0 +1,156 @@ +From 3aa4a4b9d30d001b67bb35113cf0fbb9d433c6f5 Mon Sep 17 00:00:00 2001 +From: Dietmar Eggemann +Date: Mon, 21 Jan 2019 14:42:42 +0100 +Subject: ARM: 8824/1: fix a migrating irq bug when hotplug cpu + +[ Upstream commit 1b5ba350784242eb1f899bcffd95d2c7cff61e84 ] + +Arm TC2 fails cpu hotplug stress test. + +This issue was tracked down to a missing copy of the new affinity +cpumask for the vexpress-spc interrupt into struct +irq_common_data.affinity when the interrupt is migrated in +migrate_one_irq(). + +Fix it by replacing the arm specific hotplug cpu migration with the +generic irq code. + +This is the counterpart implementation to commit 217d453d473c ("arm64: +fix a migrating irq bug when hotplug cpu"). + +Tested with cpu hotplug stress test on Arm TC2 (multi_v7_defconfig plus +CONFIG_ARM_BIG_LITTLE_CPUFREQ=y and CONFIG_ARM_VEXPRESS_SPC_CPUFREQ=y). +The vexpress-spc interrupt (irq=22) on this board is affine to CPU0. +Its affinity cpumask now changes correctly e.g. from 0 to 1-4 when +CPU0 is hotplugged out. + +Suggested-by: Marc Zyngier +Signed-off-by: Dietmar Eggemann +Acked-by: Marc Zyngier +Reviewed-by: Linus Walleij +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/Kconfig | 1 + + arch/arm/include/asm/irq.h | 1 - + arch/arm/kernel/irq.c | 62 -------------------------------------- + arch/arm/kernel/smp.c | 2 +- + 4 files changed, 2 insertions(+), 64 deletions(-) + +diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig +index e8cd55a5b04c..cd4c74daf71e 100644 +--- a/arch/arm/Kconfig ++++ b/arch/arm/Kconfig +@@ -1444,6 +1444,7 @@ config NR_CPUS + config HOTPLUG_CPU + bool "Support for hot-pluggable CPUs" + depends on SMP ++ select GENERIC_IRQ_MIGRATION + help + Say Y here to experiment with turning CPUs off and on. CPUs + can be controlled through /sys/devices/system/cpu. +diff --git a/arch/arm/include/asm/irq.h b/arch/arm/include/asm/irq.h +index c883fcbe93b6..46d41140df27 100644 +--- a/arch/arm/include/asm/irq.h ++++ b/arch/arm/include/asm/irq.h +@@ -25,7 +25,6 @@ + #ifndef __ASSEMBLY__ + struct irqaction; + struct pt_regs; +-extern void migrate_irqs(void); + + extern void asm_do_IRQ(unsigned int, struct pt_regs *); + void handle_IRQ(unsigned int, struct pt_regs *); +diff --git a/arch/arm/kernel/irq.c b/arch/arm/kernel/irq.c +index 9908dacf9229..844861368cd5 100644 +--- a/arch/arm/kernel/irq.c ++++ b/arch/arm/kernel/irq.c +@@ -31,7 +31,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -109,64 +108,3 @@ int __init arch_probe_nr_irqs(void) + return nr_irqs; + } + #endif +- +-#ifdef CONFIG_HOTPLUG_CPU +-static bool migrate_one_irq(struct irq_desc *desc) +-{ +- struct irq_data *d = irq_desc_get_irq_data(desc); +- const struct cpumask *affinity = irq_data_get_affinity_mask(d); +- struct irq_chip *c; +- bool ret = false; +- +- /* +- * If this is a per-CPU interrupt, or the affinity does not +- * include this CPU, then we have nothing to do. +- */ +- if (irqd_is_per_cpu(d) || !cpumask_test_cpu(smp_processor_id(), affinity)) +- return false; +- +- if (cpumask_any_and(affinity, cpu_online_mask) >= nr_cpu_ids) { +- affinity = cpu_online_mask; +- ret = true; +- } +- +- c = irq_data_get_irq_chip(d); +- if (!c->irq_set_affinity) +- pr_debug("IRQ%u: unable to set affinity\n", d->irq); +- else if (c->irq_set_affinity(d, affinity, false) == IRQ_SET_MASK_OK && ret) +- cpumask_copy(irq_data_get_affinity_mask(d), affinity); +- +- return ret; +-} +- +-/* +- * The current CPU has been marked offline. Migrate IRQs off this CPU. +- * If the affinity settings do not allow other CPUs, force them onto any +- * available CPU. +- * +- * Note: we must iterate over all IRQs, whether they have an attached +- * action structure or not, as we need to get chained interrupts too. +- */ +-void migrate_irqs(void) +-{ +- unsigned int i; +- struct irq_desc *desc; +- unsigned long flags; +- +- local_irq_save(flags); +- +- for_each_irq_desc(i, desc) { +- bool affinity_broken; +- +- raw_spin_lock(&desc->lock); +- affinity_broken = migrate_one_irq(desc); +- raw_spin_unlock(&desc->lock); +- +- if (affinity_broken) +- pr_warn_ratelimited("IRQ%u no longer affine to CPU%u\n", +- i, smp_processor_id()); +- } +- +- local_irq_restore(flags); +-} +-#endif /* CONFIG_HOTPLUG_CPU */ +diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c +index 3bf82232b1be..1d6f5ea522f4 100644 +--- a/arch/arm/kernel/smp.c ++++ b/arch/arm/kernel/smp.c +@@ -254,7 +254,7 @@ int __cpu_disable(void) + /* + * OK - migrate IRQs away from this CPU + */ +- migrate_irqs(); ++ irq_migrate_all_off_this_cpu(); + + /* + * Flush user cache and TLB mappings, and then remove this CPU +-- +2.19.1 + diff --git a/queue-4.19/arm-8835-1-dma-mapping-clear-dma-ops-on-teardown.patch b/queue-4.19/arm-8835-1-dma-mapping-clear-dma-ops-on-teardown.patch new file mode 100644 index 00000000000..e2493d9473b --- /dev/null +++ b/queue-4.19/arm-8835-1-dma-mapping-clear-dma-ops-on-teardown.patch @@ -0,0 +1,43 @@ +From e2888f86feca5a2050d8181869d2b8287ad10358 Mon Sep 17 00:00:00 2001 +From: Robin Murphy +Date: Wed, 6 Feb 2019 18:43:24 +0100 +Subject: ARM: 8835/1: dma-mapping: Clear DMA ops on teardown + +[ Upstream commit fc67e6f120a388b611d94cc40baf99a5cc56b283 ] + +Installing the appropriate non-IOMMU DMA ops in arm_iommu_detch_device() +serves the case where IOMMU-aware drivers choose to control their own +mapping but still make DMA API calls, however it also affects the case +when the arch code itself tears down the mapping upon driver unbinding, +where the ops now get left in place and can inhibit arch_setup_dma_ops() +on subsequent re-probe attempts. + +Fix the latter case by making sure that arch_teardown_dma_ops() cleans +up whenever the ops were automatically installed by its counterpart. + +Reported-by: Tobias Jakobi +Reported-by: Marek Szyprowski +Fixes: 1874619a7df4 "ARM: dma-mapping: Set proper DMA ops in arm_iommu_detach_device()" +Tested-by: Tobias Jakobi +Tested-by: Thierry Reding +Signed-off-by: Robin Murphy +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/dma-mapping.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c +index 1cb9c0f9b5d6..8211cf45ece1 100644 +--- a/arch/arm/mm/dma-mapping.c ++++ b/arch/arm/mm/dma-mapping.c +@@ -2400,4 +2400,6 @@ void arch_teardown_dma_ops(struct device *dev) + return; + + arm_teardown_iommu_dma_ops(dev); ++ /* Let arch_setup_dma_ops() start again from scratch upon re-probe */ ++ set_dma_ops(dev, NULL); + } +-- +2.19.1 + diff --git a/queue-4.19/arm-arm64-kvm-allow-a-vcpu-to-fully-reset-itself.patch b/queue-4.19/arm-arm64-kvm-allow-a-vcpu-to-fully-reset-itself.patch new file mode 100644 index 00000000000..79e68e37c58 --- /dev/null +++ b/queue-4.19/arm-arm64-kvm-allow-a-vcpu-to-fully-reset-itself.patch @@ -0,0 +1,282 @@ +From 59202e39d1dffd879c920aa4779b15114e9436e8 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Thu, 20 Dec 2018 11:36:07 +0000 +Subject: arm/arm64: KVM: Allow a VCPU to fully reset itself + +[ Upstream commit 358b28f09f0ab074d781df72b8a671edb1547789 ] + +The current kvm_psci_vcpu_on implementation will directly try to +manipulate the state of the VCPU to reset it. However, since this is +not done on the thread that runs the VCPU, we can end up in a strangely +corrupted state when the source and target VCPUs are running at the same +time. + +Fix this by factoring out all reset logic from the PSCI implementation +and forwarding the required information along with a request to the +target VCPU. + +Reviewed-by: Andrew Jones +Signed-off-by: Marc Zyngier +Signed-off-by: Christoffer Dall +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/kvm_host.h | 10 +++++++++ + arch/arm/kvm/reset.c | 24 +++++++++++++++++++++ + arch/arm64/include/asm/kvm_host.h | 11 ++++++++++ + arch/arm64/kvm/reset.c | 24 +++++++++++++++++++++ + virt/kvm/arm/arm.c | 10 +++++++++ + virt/kvm/arm/psci.c | 36 ++++++++++++++----------------- + 6 files changed, 95 insertions(+), 20 deletions(-) + +diff --git a/arch/arm/include/asm/kvm_host.h b/arch/arm/include/asm/kvm_host.h +index 3ad482d2f1eb..d0d0227fc70d 100644 +--- a/arch/arm/include/asm/kvm_host.h ++++ b/arch/arm/include/asm/kvm_host.h +@@ -48,6 +48,7 @@ + #define KVM_REQ_SLEEP \ + KVM_ARCH_REQ_FLAGS(0, KVM_REQUEST_WAIT | KVM_REQUEST_NO_WAKEUP) + #define KVM_REQ_IRQ_PENDING KVM_ARCH_REQ(1) ++#define KVM_REQ_VCPU_RESET KVM_ARCH_REQ(2) + + DECLARE_STATIC_KEY_FALSE(userspace_irqchip_in_use); + +@@ -147,6 +148,13 @@ struct kvm_cpu_context { + + typedef struct kvm_cpu_context kvm_cpu_context_t; + ++struct vcpu_reset_state { ++ unsigned long pc; ++ unsigned long r0; ++ bool be; ++ bool reset; ++}; ++ + struct kvm_vcpu_arch { + struct kvm_cpu_context ctxt; + +@@ -186,6 +194,8 @@ struct kvm_vcpu_arch { + /* Cache some mmu pages needed inside spinlock regions */ + struct kvm_mmu_memory_cache mmu_page_cache; + ++ struct vcpu_reset_state reset_state; ++ + /* Detect first run of a vcpu */ + bool has_run_once; + }; +diff --git a/arch/arm/kvm/reset.c b/arch/arm/kvm/reset.c +index 5ed0c3ee33d6..e53327912adc 100644 +--- a/arch/arm/kvm/reset.c ++++ b/arch/arm/kvm/reset.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + #include + +@@ -69,6 +70,29 @@ int kvm_reset_vcpu(struct kvm_vcpu *vcpu) + /* Reset CP15 registers */ + kvm_reset_coprocs(vcpu); + ++ /* ++ * Additional reset state handling that PSCI may have imposed on us. ++ * Must be done after all the sys_reg reset. ++ */ ++ if (READ_ONCE(vcpu->arch.reset_state.reset)) { ++ unsigned long target_pc = vcpu->arch.reset_state.pc; ++ ++ /* Gracefully handle Thumb2 entry point */ ++ if (target_pc & 1) { ++ target_pc &= ~1UL; ++ vcpu_set_thumb(vcpu); ++ } ++ ++ /* Propagate caller endianness */ ++ if (vcpu->arch.reset_state.be) ++ kvm_vcpu_set_be(vcpu); ++ ++ *vcpu_pc(vcpu) = target_pc; ++ vcpu_set_reg(vcpu, 0, vcpu->arch.reset_state.r0); ++ ++ vcpu->arch.reset_state.reset = false; ++ } ++ + /* Reset arch_timer context */ + return kvm_timer_vcpu_reset(vcpu); + } +diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h +index 3d6d7336f871..6abe4002945f 100644 +--- a/arch/arm64/include/asm/kvm_host.h ++++ b/arch/arm64/include/asm/kvm_host.h +@@ -48,6 +48,7 @@ + #define KVM_REQ_SLEEP \ + KVM_ARCH_REQ_FLAGS(0, KVM_REQUEST_WAIT | KVM_REQUEST_NO_WAKEUP) + #define KVM_REQ_IRQ_PENDING KVM_ARCH_REQ(1) ++#define KVM_REQ_VCPU_RESET KVM_ARCH_REQ(2) + + DECLARE_STATIC_KEY_FALSE(userspace_irqchip_in_use); + +@@ -206,6 +207,13 @@ struct kvm_cpu_context { + + typedef struct kvm_cpu_context kvm_cpu_context_t; + ++struct vcpu_reset_state { ++ unsigned long pc; ++ unsigned long r0; ++ bool be; ++ bool reset; ++}; ++ + struct kvm_vcpu_arch { + struct kvm_cpu_context ctxt; + +@@ -295,6 +303,9 @@ struct kvm_vcpu_arch { + /* Virtual SError ESR to restore when HCR_EL2.VSE is set */ + u64 vsesr_el2; + ++ /* Additional reset state */ ++ struct vcpu_reset_state reset_state; ++ + /* True when deferrable sysregs are loaded on the physical CPU, + * see kvm_vcpu_load_sysregs and kvm_vcpu_put_sysregs. */ + bool sysregs_loaded_on_cpu; +diff --git a/arch/arm64/kvm/reset.c b/arch/arm64/kvm/reset.c +index 644dd0050766..18b9a522a2b3 100644 +--- a/arch/arm64/kvm/reset.c ++++ b/arch/arm64/kvm/reset.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + #include + + /* +@@ -140,6 +141,29 @@ int kvm_reset_vcpu(struct kvm_vcpu *vcpu) + /* Reset system registers */ + kvm_reset_sys_regs(vcpu); + ++ /* ++ * Additional reset state handling that PSCI may have imposed on us. ++ * Must be done after all the sys_reg reset. ++ */ ++ if (vcpu->arch.reset_state.reset) { ++ unsigned long target_pc = vcpu->arch.reset_state.pc; ++ ++ /* Gracefully handle Thumb2 entry point */ ++ if (vcpu_mode_is_32bit(vcpu) && (target_pc & 1)) { ++ target_pc &= ~1UL; ++ vcpu_set_thumb(vcpu); ++ } ++ ++ /* Propagate caller endianness */ ++ if (vcpu->arch.reset_state.be) ++ kvm_vcpu_set_be(vcpu); ++ ++ *vcpu_pc(vcpu) = target_pc; ++ vcpu_set_reg(vcpu, 0, vcpu->arch.reset_state.r0); ++ ++ vcpu->arch.reset_state.reset = false; ++ } ++ + /* Reset PMU */ + kvm_pmu_vcpu_reset(vcpu); + +diff --git a/virt/kvm/arm/arm.c b/virt/kvm/arm/arm.c +index 91495045ad5a..1415e36fed3d 100644 +--- a/virt/kvm/arm/arm.c ++++ b/virt/kvm/arm/arm.c +@@ -624,6 +624,13 @@ static void vcpu_req_sleep(struct kvm_vcpu *vcpu) + /* Awaken to handle a signal, request we sleep again later. */ + kvm_make_request(KVM_REQ_SLEEP, vcpu); + } ++ ++ /* ++ * Make sure we will observe a potential reset request if we've ++ * observed a change to the power state. Pairs with the smp_wmb() in ++ * kvm_psci_vcpu_on(). ++ */ ++ smp_rmb(); + } + + static int kvm_vcpu_initialized(struct kvm_vcpu *vcpu) +@@ -637,6 +644,9 @@ static void check_vcpu_requests(struct kvm_vcpu *vcpu) + if (kvm_check_request(KVM_REQ_SLEEP, vcpu)) + vcpu_req_sleep(vcpu); + ++ if (kvm_check_request(KVM_REQ_VCPU_RESET, vcpu)) ++ kvm_reset_vcpu(vcpu); ++ + /* + * Clear IRQ_PENDING requests that were made to guarantee + * that a VCPU sees new virtual interrupts. +diff --git a/virt/kvm/arm/psci.c b/virt/kvm/arm/psci.c +index 9b73d3ad918a..34d08ee63747 100644 +--- a/virt/kvm/arm/psci.c ++++ b/virt/kvm/arm/psci.c +@@ -104,12 +104,10 @@ static void kvm_psci_vcpu_off(struct kvm_vcpu *vcpu) + + static unsigned long kvm_psci_vcpu_on(struct kvm_vcpu *source_vcpu) + { ++ struct vcpu_reset_state *reset_state; + struct kvm *kvm = source_vcpu->kvm; + struct kvm_vcpu *vcpu = NULL; +- struct swait_queue_head *wq; + unsigned long cpu_id; +- unsigned long context_id; +- phys_addr_t target_pc; + + cpu_id = smccc_get_arg1(source_vcpu) & MPIDR_HWID_BITMASK; + if (vcpu_mode_is_32bit(source_vcpu)) +@@ -130,32 +128,30 @@ static unsigned long kvm_psci_vcpu_on(struct kvm_vcpu *source_vcpu) + return PSCI_RET_INVALID_PARAMS; + } + +- target_pc = smccc_get_arg2(source_vcpu); +- context_id = smccc_get_arg3(source_vcpu); ++ reset_state = &vcpu->arch.reset_state; + +- kvm_reset_vcpu(vcpu); +- +- /* Gracefully handle Thumb2 entry point */ +- if (vcpu_mode_is_32bit(vcpu) && (target_pc & 1)) { +- target_pc &= ~((phys_addr_t) 1); +- vcpu_set_thumb(vcpu); +- } ++ reset_state->pc = smccc_get_arg2(source_vcpu); + + /* Propagate caller endianness */ +- if (kvm_vcpu_is_be(source_vcpu)) +- kvm_vcpu_set_be(vcpu); ++ reset_state->be = kvm_vcpu_is_be(source_vcpu); + +- *vcpu_pc(vcpu) = target_pc; + /* + * NOTE: We always update r0 (or x0) because for PSCI v0.1 + * the general puspose registers are undefined upon CPU_ON. + */ +- smccc_set_retval(vcpu, context_id, 0, 0, 0); +- vcpu->arch.power_off = false; +- smp_mb(); /* Make sure the above is visible */ ++ reset_state->r0 = smccc_get_arg3(source_vcpu); ++ ++ WRITE_ONCE(reset_state->reset, true); ++ kvm_make_request(KVM_REQ_VCPU_RESET, vcpu); + +- wq = kvm_arch_vcpu_wq(vcpu); +- swake_up_one(wq); ++ /* ++ * Make sure the reset request is observed if the change to ++ * power_state is observed. ++ */ ++ smp_wmb(); ++ ++ vcpu->arch.power_off = false; ++ kvm_vcpu_wake_up(vcpu); + + return PSCI_RET_SUCCESS; + } +-- +2.19.1 + diff --git a/queue-4.19/arm-arm64-kvm-don-t-panic-on-failure-to-properly-res.patch b/queue-4.19/arm-arm64-kvm-don-t-panic-on-failure-to-properly-res.patch new file mode 100644 index 00000000000..59e043faad7 --- /dev/null +++ b/queue-4.19/arm-arm64-kvm-don-t-panic-on-failure-to-properly-res.patch @@ -0,0 +1,53 @@ +From dd5c81225d49e0d638a29d6a70cf772a125bdc81 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Thu, 20 Dec 2018 13:07:40 +0000 +Subject: arm/arm64: KVM: Don't panic on failure to properly reset system + registers + +[ Upstream commit 20589c8cc47dce5854c8bf1b44a9fc63d798d26d ] + +Failing to properly reset system registers is pretty bad. But not +quite as bad as bringing the whole machine down... So warn loudly, +but slightly more gracefully. + +Signed-off-by: Marc Zyngier +Acked-by: Christoffer Dall +Signed-off-by: Sasha Levin +--- + arch/arm/kvm/coproc.c | 4 ++-- + arch/arm64/kvm/sys_regs.c | 8 +++++--- + 2 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/kvm/coproc.c b/arch/arm/kvm/coproc.c +index cb094e55dc5f..fd6cde23bb5d 100644 +--- a/arch/arm/kvm/coproc.c ++++ b/arch/arm/kvm/coproc.c +@@ -1450,6 +1450,6 @@ void kvm_reset_coprocs(struct kvm_vcpu *vcpu) + reset_coproc_regs(vcpu, table, num); + + for (num = 1; num < NR_CP15_REGS; num++) +- if (vcpu_cp15(vcpu, num) == 0x42424242) +- panic("Didn't reset vcpu_cp15(vcpu, %zi)", num); ++ WARN(vcpu_cp15(vcpu, num) == 0x42424242, ++ "Didn't reset vcpu_cp15(vcpu, %zi)", num); + } +diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c +index 22fbbdbece3c..fe18e68f9a20 100644 +--- a/arch/arm64/kvm/sys_regs.c ++++ b/arch/arm64/kvm/sys_regs.c +@@ -2586,7 +2586,9 @@ void kvm_reset_sys_regs(struct kvm_vcpu *vcpu) + table = get_target_table(vcpu->arch.target, true, &num); + reset_sys_reg_descs(vcpu, table, num); + +- for (num = 1; num < NR_SYS_REGS; num++) +- if (__vcpu_sys_reg(vcpu, num) == 0x4242424242424242) +- panic("Didn't reset __vcpu_sys_reg(%zi)", num); ++ for (num = 1; num < NR_SYS_REGS; num++) { ++ if (WARN(__vcpu_sys_reg(vcpu, num) == 0x4242424242424242, ++ "Didn't reset __vcpu_sys_reg(%zi)\n", num)) ++ break; ++ } + } +-- +2.19.1 + diff --git a/queue-4.19/arm-dts-armada-xp-fix-armada-xp-boards-nand-descript.patch b/queue-4.19/arm-dts-armada-xp-fix-armada-xp-boards-nand-descript.patch new file mode 100644 index 00000000000..d2a2046afe5 --- /dev/null +++ b/queue-4.19/arm-dts-armada-xp-fix-armada-xp-boards-nand-descript.patch @@ -0,0 +1,214 @@ +From bd986a92087a551993ec6911ac116fa9df085628 Mon Sep 17 00:00:00 2001 +From: Thomas Petazzoni +Date: Fri, 15 Feb 2019 16:30:42 +0100 +Subject: ARM: dts: armada-xp: fix Armada XP boards NAND description + +[ Upstream commit 6fc979179c98d2591784937d5618edc3e5cd31c1 ] + +Commit 3b79919946cd2cf4dac47842afc9a893acec4ed7 ("ARM: dts: +armada-370-xp: update NAND node with new bindings") updated some +Marvell Armada DT description to use the new NAND controller bindings, +but did it incorrectly for a number of boards: armada-xp-gp, +armada-xp-db and armada-xp-lenovo-ix4-300d. Due to this, the NAND is +no longer detected on those platforms. + +This commit fixes that by properly using the new NAND DT binding. This +commit was runtime-tested on Armada XP GP, the two other platforms are +only compile-tested. + +Fixes: 3b79919946cd2 ("ARM: dts: armada-370-xp: update NAND node with new bindings") +Cc: Miquel Raynal +Signed-off-by: Thomas Petazzoni +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/armada-xp-db.dts | 46 +++++----- + arch/arm/boot/dts/armada-xp-gp.dts | 13 +-- + .../boot/dts/armada-xp-lenovo-ix4-300d.dts | 85 ++++++++++--------- + 3 files changed, 76 insertions(+), 68 deletions(-) + +diff --git a/arch/arm/boot/dts/armada-xp-db.dts b/arch/arm/boot/dts/armada-xp-db.dts +index f3ac7483afed..5d04dc68cf57 100644 +--- a/arch/arm/boot/dts/armada-xp-db.dts ++++ b/arch/arm/boot/dts/armada-xp-db.dts +@@ -144,30 +144,32 @@ + status = "okay"; + }; + +- nand@d0000 { ++ nand-controller@d0000 { + status = "okay"; +- label = "pxa3xx_nand-0"; +- num-cs = <1>; +- marvell,nand-keep-config; +- nand-on-flash-bbt; +- +- partitions { +- compatible = "fixed-partitions"; +- #address-cells = <1>; +- #size-cells = <1>; +- +- partition@0 { +- label = "U-Boot"; +- reg = <0 0x800000>; +- }; +- partition@800000 { +- label = "Linux"; +- reg = <0x800000 0x800000>; +- }; +- partition@1000000 { +- label = "Filesystem"; +- reg = <0x1000000 0x3f000000>; + ++ nand@0 { ++ reg = <0>; ++ label = "pxa3xx_nand-0"; ++ nand-rb = <0>; ++ nand-on-flash-bbt; ++ ++ partitions { ++ compatible = "fixed-partitions"; ++ #address-cells = <1>; ++ #size-cells = <1>; ++ ++ partition@0 { ++ label = "U-Boot"; ++ reg = <0 0x800000>; ++ }; ++ partition@800000 { ++ label = "Linux"; ++ reg = <0x800000 0x800000>; ++ }; ++ partition@1000000 { ++ label = "Filesystem"; ++ reg = <0x1000000 0x3f000000>; ++ }; + }; + }; + }; +diff --git a/arch/arm/boot/dts/armada-xp-gp.dts b/arch/arm/boot/dts/armada-xp-gp.dts +index 1139e9469a83..b4cca507cf13 100644 +--- a/arch/arm/boot/dts/armada-xp-gp.dts ++++ b/arch/arm/boot/dts/armada-xp-gp.dts +@@ -160,12 +160,15 @@ + status = "okay"; + }; + +- nand@d0000 { ++ nand-controller@d0000 { + status = "okay"; +- label = "pxa3xx_nand-0"; +- num-cs = <1>; +- marvell,nand-keep-config; +- nand-on-flash-bbt; ++ ++ nand@0 { ++ reg = <0>; ++ label = "pxa3xx_nand-0"; ++ nand-rb = <0>; ++ nand-on-flash-bbt; ++ }; + }; + }; + +diff --git a/arch/arm/boot/dts/armada-xp-lenovo-ix4-300d.dts b/arch/arm/boot/dts/armada-xp-lenovo-ix4-300d.dts +index bbbb38888bb8..87dcb502f72d 100644 +--- a/arch/arm/boot/dts/armada-xp-lenovo-ix4-300d.dts ++++ b/arch/arm/boot/dts/armada-xp-lenovo-ix4-300d.dts +@@ -81,49 +81,52 @@ + + }; + +- nand@d0000 { ++ nand-controller@d0000 { + status = "okay"; +- label = "pxa3xx_nand-0"; +- num-cs = <1>; +- marvell,nand-keep-config; +- nand-on-flash-bbt; +- +- partitions { +- compatible = "fixed-partitions"; +- #address-cells = <1>; +- #size-cells = <1>; +- +- partition@0 { +- label = "u-boot"; +- reg = <0x00000000 0x000e0000>; +- read-only; +- }; +- +- partition@e0000 { +- label = "u-boot-env"; +- reg = <0x000e0000 0x00020000>; +- read-only; +- }; +- +- partition@100000 { +- label = "u-boot-env2"; +- reg = <0x00100000 0x00020000>; +- read-only; +- }; +- +- partition@120000 { +- label = "zImage"; +- reg = <0x00120000 0x00400000>; +- }; +- +- partition@520000 { +- label = "initrd"; +- reg = <0x00520000 0x00400000>; +- }; + +- partition@e00000 { +- label = "boot"; +- reg = <0x00e00000 0x3f200000>; ++ nand@0 { ++ reg = <0>; ++ label = "pxa3xx_nand-0"; ++ nand-rb = <0>; ++ nand-on-flash-bbt; ++ ++ partitions { ++ compatible = "fixed-partitions"; ++ #address-cells = <1>; ++ #size-cells = <1>; ++ ++ partition@0 { ++ label = "u-boot"; ++ reg = <0x00000000 0x000e0000>; ++ read-only; ++ }; ++ ++ partition@e0000 { ++ label = "u-boot-env"; ++ reg = <0x000e0000 0x00020000>; ++ read-only; ++ }; ++ ++ partition@100000 { ++ label = "u-boot-env2"; ++ reg = <0x00100000 0x00020000>; ++ read-only; ++ }; ++ ++ partition@120000 { ++ label = "zImage"; ++ reg = <0x00120000 0x00400000>; ++ }; ++ ++ partition@520000 { ++ label = "initrd"; ++ reg = <0x00520000 0x00400000>; ++ }; ++ ++ partition@e00000 { ++ label = "boot"; ++ reg = <0x00e00000 0x3f200000>; ++ }; + }; + }; + }; +-- +2.19.1 + diff --git a/queue-4.19/arm-dts-configure-clock-parent-for-pwm-vibra.patch b/queue-4.19/arm-dts-configure-clock-parent-for-pwm-vibra.patch new file mode 100644 index 00000000000..734aa2d9f4c --- /dev/null +++ b/queue-4.19/arm-dts-configure-clock-parent-for-pwm-vibra.patch @@ -0,0 +1,58 @@ +From d7bbf52fb81049d5a8dae2f4083bc5c99bf54aed Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Tue, 22 Jan 2019 08:21:01 -0800 +Subject: ARM: dts: Configure clock parent for pwm vibra + +[ Upstream commit 0840242e887586268f665bf58d5e1a7d6ebf35ed ] + +Commit 84badc5ec5fc ("ARM: dts: omap4: Move l4 child devices to probe +them with ti-sysc") moved some omap4 timers to probe with ti-sysc +interconnect target module. Turns out this broke pwm-omap-dmtimer +for reparenting of the timer clock. + +With ti-sysc, we can now configure the clock sources in the dts with +assigned-clocks and assigned-clock-parents. + +Fixes: 84badc5ec5fc ("ARM: dts: omap4: Move l4 child devices to probe them with ti-sysc") +Cc: Bartosz Golaszewski +Cc: Daniel Lezcano +Cc: H. Nikolaus Schaller +Cc: Keerthy +Cc: Ladislav Michl +Cc: Pavel Machek +Cc: Sebastian Reichel +Cc: Tero Kristo +Cc: Thierry Reding +Cc: Thomas Gleixner +Reported-by: H. Nikolaus Schaller +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/omap4-droid4-xt894.dts | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/arch/arm/boot/dts/omap4-droid4-xt894.dts b/arch/arm/boot/dts/omap4-droid4-xt894.dts +index 04758a2a87f0..67d77eee9433 100644 +--- a/arch/arm/boot/dts/omap4-droid4-xt894.dts ++++ b/arch/arm/boot/dts/omap4-droid4-xt894.dts +@@ -644,6 +644,17 @@ + }; + }; + ++/* Configure pwm clock source for timers 8 & 9 */ ++&timer8 { ++ assigned-clocks = <&abe_clkctrl OMAP4_TIMER8_CLKCTRL 24>; ++ assigned-clock-parents = <&sys_clkin_ck>; ++}; ++ ++&timer9 { ++ assigned-clocks = <&l4_per_clkctrl OMAP4_TIMER9_CLKCTRL 24>; ++ assigned-clock-parents = <&sys_clkin_ck>; ++}; ++ + /* + * As uart1 is wired to mdm6600 with rts and cts, we can use the cts pin for + * uart1 wakeirq. +-- +2.19.1 + diff --git a/queue-4.19/arm-omap2-fix-lack-of-timer-interrupts-on-cpu1-after.patch b/queue-4.19/arm-omap2-fix-lack-of-timer-interrupts-on-cpu1-after.patch new file mode 100644 index 00000000000..1bdc93eeba5 --- /dev/null +++ b/queue-4.19/arm-omap2-fix-lack-of-timer-interrupts-on-cpu1-after.patch @@ -0,0 +1,79 @@ +From 55d27a9d7932c1fdd318ab0c33745c087506ad6b Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Wed, 12 Dec 2018 11:49:47 +0000 +Subject: ARM: OMAP2+: fix lack of timer interrupts on CPU1 after hotplug + +[ Upstream commit 50d6b3cf9403879911e06d69c7ef41e43f8f7b4b ] + +If we have a kernel configured for periodic timer interrupts, and we +have cpuidle enabled, then we end up with CPU1 losing timer interupts +after a hotplug. + +This can manifest itself in RCU stall warnings, or userspace becoming +unresponsive. + +The problem is that the kernel initially wants to use the TWD timer +for interrupts, but the TWD loses context when we enter the C3 cpuidle +state. Nothing reprograms the TWD after idle. + +We have solved this in the past by switching to broadcast timer ticks, +and cpuidle44xx switches to that mode at boot time. However, there is +nothing to switch from periodic mode local timers after a hotplug +operation. + +We call tick_broadcast_enter() in omap_enter_idle_coupled(), which one +would expect would take care of the issue, but internally this only +deals with one-shot local timers - tick_broadcast_enable() on the other +hand only deals with periodic local timers. So, we need to call both. + +Signed-off-by: Russell King +[tony@atomide.com: just standardized the subject line] +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/cpuidle44xx.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/arch/arm/mach-omap2/cpuidle44xx.c b/arch/arm/mach-omap2/cpuidle44xx.c +index a8b291f00109..dae514c8276a 100644 +--- a/arch/arm/mach-omap2/cpuidle44xx.c ++++ b/arch/arm/mach-omap2/cpuidle44xx.c +@@ -152,6 +152,10 @@ static int omap_enter_idle_coupled(struct cpuidle_device *dev, + mpuss_can_lose_context = (cx->mpu_state == PWRDM_POWER_RET) && + (cx->mpu_logic_state == PWRDM_POWER_OFF); + ++ /* Enter broadcast mode for periodic timers */ ++ tick_broadcast_enable(); ++ ++ /* Enter broadcast mode for one-shot timers */ + tick_broadcast_enter(); + + /* +@@ -218,15 +222,6 @@ fail: + return index; + } + +-/* +- * For each cpu, setup the broadcast timer because local timers +- * stops for the states above C1. +- */ +-static void omap_setup_broadcast_timer(void *arg) +-{ +- tick_broadcast_enable(); +-} +- + static struct cpuidle_driver omap4_idle_driver = { + .name = "omap4_idle", + .owner = THIS_MODULE, +@@ -319,8 +314,5 @@ int __init omap4_idle_init(void) + if (!cpu_clkdm[0] || !cpu_clkdm[1]) + return -ENODEV; + +- /* Configure the broadcast timer on each cpu */ +- on_each_cpu(omap_setup_broadcast_timer, NULL, 1); +- + return cpuidle_register(idle_driver, cpu_online_mask); + } +-- +2.19.1 + diff --git a/queue-4.19/arm-omap2-variable-reg-in-function-omap4_dsi_mux_pad.patch b/queue-4.19/arm-omap2-variable-reg-in-function-omap4_dsi_mux_pad.patch new file mode 100644 index 00000000000..d1edfaf59c2 --- /dev/null +++ b/queue-4.19/arm-omap2-variable-reg-in-function-omap4_dsi_mux_pad.patch @@ -0,0 +1,48 @@ +From 78db7670892ab5c82d4fc4c1ebf2f1db1691a679 Mon Sep 17 00:00:00 2001 +From: Yizhuo +Date: Fri, 25 Jan 2019 22:32:20 -0800 +Subject: ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be + uninitialized + +[ Upstream commit dc30e70391376ba3987aeb856ae6d9c0706534f1 ] + +In function omap4_dsi_mux_pads(), local variable "reg" could +be uninitialized if function regmap_read() returns -EINVAL. +However, it will be used directly in the later context, which +is potentially unsafe. + +Signed-off-by: Yizhuo +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/display.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-omap2/display.c b/arch/arm/mach-omap2/display.c +index 9500b6e27380..5d73f2c0b117 100644 +--- a/arch/arm/mach-omap2/display.c ++++ b/arch/arm/mach-omap2/display.c +@@ -83,6 +83,7 @@ static int omap4_dsi_mux_pads(int dsi_id, unsigned lanes) + u32 enable_mask, enable_shift; + u32 pipd_mask, pipd_shift; + u32 reg; ++ int ret; + + if (dsi_id == 0) { + enable_mask = OMAP4_DSI1_LANEENABLE_MASK; +@@ -98,7 +99,11 @@ static int omap4_dsi_mux_pads(int dsi_id, unsigned lanes) + return -ENODEV; + } + +- regmap_read(omap4_dsi_mux_syscon, OMAP4_DSIPHY_SYSCON_OFFSET, ®); ++ ret = regmap_read(omap4_dsi_mux_syscon, ++ OMAP4_DSIPHY_SYSCON_OFFSET, ++ ®); ++ if (ret) ++ return ret; + + reg &= ~enable_mask; + reg &= ~pipd_mask; +-- +2.19.1 + diff --git a/queue-4.19/arm-tegra-restore-dt-abi-on-tegra124-chromebooks.patch b/queue-4.19/arm-tegra-restore-dt-abi-on-tegra124-chromebooks.patch new file mode 100644 index 00000000000..644ec2df9b5 --- /dev/null +++ b/queue-4.19/arm-tegra-restore-dt-abi-on-tegra124-chromebooks.patch @@ -0,0 +1,67 @@ +From 284329b9394625fa618451d90fe37a359a090325 Mon Sep 17 00:00:00 2001 +From: Thierry Reding +Date: Mon, 11 Feb 2019 12:09:19 +0100 +Subject: ARM: tegra: Restore DT ABI on Tegra124 Chromebooks + +[ Upstream commit 94d9b9337d09bdd27735005b3251d97ab29f7273 ] + +Commit 482997699ef0 ("ARM: tegra: Fix unit_address_vs_reg DTC warnings +for /memory") inadventently broke device tree ABI by adding a unit- +address to the "/memory" node because the device tree compiler flagged +the missing unit-address as a warning. + +Tegra124 Chromebooks (a.k.a. Nyan) use a bootloader that relies on the +full name of the memory node in device tree being exactly "/memory". It +can be argued whether this was a good decision or not, and some other +bootloaders (such as U-Boot) do accept a unit-address in the name of the +node, but the device tree is an ABI and we can't break existing setups +just because the device tree compiler considers it bad practice to omit +the unit-address nowadays. + +This partially reverts the offending commit and restores device tree ABI +compatibility. + +Fixes: 482997699ef0 ("ARM: tegra: Fix unit_address_vs_reg DTC warnings for /memory") +Reported-by: Tristan Bastian +Signed-off-by: Thierry Reding +Tested-by: Tristan Bastian +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/tegra124-nyan.dtsi | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/tegra124-nyan.dtsi b/arch/arm/boot/dts/tegra124-nyan.dtsi +index d5f11d6d987e..bc85b6a166c7 100644 +--- a/arch/arm/boot/dts/tegra124-nyan.dtsi ++++ b/arch/arm/boot/dts/tegra124-nyan.dtsi +@@ -13,10 +13,25 @@ + stdout-path = "serial0:115200n8"; + }; + +- memory@80000000 { ++ /* ++ * Note that recent version of the device tree compiler (starting with ++ * version 1.4.2) warn about this node containing a reg property, but ++ * missing a unit-address. However, the bootloader on these Chromebook ++ * devices relies on the full name of this node to be exactly /memory. ++ * Adding the unit-address causes the bootloader to create a /memory ++ * node and write the memory bank configuration to that node, which in ++ * turn leads the kernel to believe that the device has 2 GiB of ++ * memory instead of the amount detected by the bootloader. ++ * ++ * The name of this node is effectively ABI and must not be changed. ++ */ ++ memory { ++ device_type = "memory"; + reg = <0x0 0x80000000 0x0 0x80000000>; + }; + ++ /delete-node/ memory@80000000; ++ + host1x@50000000 { + hdmi@54280000 { + status = "okay"; +-- +2.19.1 + diff --git a/queue-4.19/arm64-dts-rockchip-fix-graph_port-warning-on-rk3399-.patch b/queue-4.19/arm64-dts-rockchip-fix-graph_port-warning-on-rk3399-.patch new file mode 100644 index 00000000000..8a90c546b6d --- /dev/null +++ b/queue-4.19/arm64-dts-rockchip-fix-graph_port-warning-on-rk3399-.patch @@ -0,0 +1,69 @@ +From 77b9ad1a2dd63249f25502a883f919ca852c157d Mon Sep 17 00:00:00 2001 +From: Enric Balletbo i Serra +Date: Sat, 26 Jan 2019 11:37:28 +0100 +Subject: arm64: dts: rockchip: fix graph_port warning on rk3399 bob kevin and + excavator + +[ Upstream commit 26cd8657c7e745686a4c54a5cccf721ede208a25 ] + +Ports are described by child 'port' nodes contained in the device node. +'ports' is optional and is used to group all 'port' nodes which is not +the case here. + +This patch fixes the following warnings: + +arch/arm64/boot/dts/rockchip/rk3399-gru-bob.dts:25.9-29.5: Warning (graph_port): /edp-panel/ports: graph port node name should be 'port' +arch/arm64/boot/dts/rockchip/rk3399-gru-kevin.dts:46.9-50.5: Warningi (graph_port): /edp-panel/ports: graph port node name should be 'port' +arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts:94.9-98.5: Warning (graph_port): /edp-panel/ports: graph port node name should be 'port' + +Signed-off-by: Enric Balletbo i Serra +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399-gru-bob.dts | 2 +- + arch/arm64/boot/dts/rockchip/rk3399-gru-kevin.dts | 2 +- + arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-gru-bob.dts b/arch/arm64/boot/dts/rockchip/rk3399-gru-bob.dts +index 1ee0dc0d9f10..d1cf404b8708 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-gru-bob.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3399-gru-bob.dts +@@ -22,7 +22,7 @@ + backlight = <&backlight>; + power-supply = <&pp3300_disp>; + +- ports { ++ port { + panel_in_edp: endpoint { + remote-endpoint = <&edp_out_panel>; + }; +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-gru-kevin.dts b/arch/arm64/boot/dts/rockchip/rk3399-gru-kevin.dts +index 2cc7c47d6a85..65637a5a4b21 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-gru-kevin.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3399-gru-kevin.dts +@@ -43,7 +43,7 @@ + backlight = <&backlight>; + power-supply = <&pp3300_disp>; + +- ports { ++ port { + panel_in_edp: endpoint { + remote-endpoint = <&edp_out_panel>; + }; +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts b/arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts +index fef2c0608999..b14d83919f14 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts +@@ -50,7 +50,7 @@ + pinctrl-0 = <&lcd_panel_reset>; + power-supply = <&vcc3v3_s0>; + +- ports { ++ port { + panel_in_edp: endpoint { + remote-endpoint = <&edp_out_panel>; + }; +-- +2.19.1 + diff --git a/queue-4.19/arm64-relax-gic-version-check-during-early-boot.patch b/queue-4.19/arm64-relax-gic-version-check-during-early-boot.patch new file mode 100644 index 00000000000..a4f622703b0 --- /dev/null +++ b/queue-4.19/arm64-relax-gic-version-check-during-early-boot.patch @@ -0,0 +1,40 @@ +From 5f600ab14ea73001aa9d4541c0a61f57dbd81a7b Mon Sep 17 00:00:00 2001 +From: Vladimir Murzin +Date: Wed, 20 Feb 2019 11:43:05 +0000 +Subject: arm64: Relax GIC version check during early boot + +[ Upstream commit 74698f6971f25d045301139413578865fc2bd8f9 ] + +Updates to the GIC architecture allow ID_AA64PFR0_EL1.GIC to have +values other than 0 or 1. At the moment, Linux is quite strict in the +way it handles this field at early boot stage (cpufeature is fine) and +will refuse to use the system register CPU interface if it doesn't +find the value 1. + +Fixes: 021f653791ad17e03f98aaa7fb933816ae16f161 ("irqchip: gic-v3: Initial support for GICv3") +Reported-by: Chase Conklin +Reviewed-by: Marc Zyngier +Signed-off-by: Vladimir Murzin +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/head.S | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S +index 651a06b1980f..77ca59598c8b 100644 +--- a/arch/arm64/kernel/head.S ++++ b/arch/arm64/kernel/head.S +@@ -522,8 +522,7 @@ set_hcr: + /* GICv3 system register access */ + mrs x0, id_aa64pfr0_el1 + ubfx x0, x0, #24, #4 +- cmp x0, #1 +- b.ne 3f ++ cbz x0, 3f + + mrs_s x0, SYS_ICC_SRE_EL2 + orr x0, x0, #ICC_SRE_EL2_SRE // Set ICC_SRE_EL2.SRE==1 +-- +2.19.1 + diff --git a/queue-4.19/asoc-dapm-fix-out-of-bounds-accesses-to-dapm-lookup-.patch b/queue-4.19/asoc-dapm-fix-out-of-bounds-accesses-to-dapm-lookup-.patch new file mode 100644 index 00000000000..c41370cfd3d --- /dev/null +++ b/queue-4.19/asoc-dapm-fix-out-of-bounds-accesses-to-dapm-lookup-.patch @@ -0,0 +1,101 @@ +From 452de0a1049ce242339e5b48ad0111765a5d38ee Mon Sep 17 00:00:00 2001 +From: Pierre-Louis Bossart +Date: Tue, 5 Feb 2019 10:22:27 -0600 +Subject: ASoC: dapm: fix out-of-bounds accesses to DAPM lookup tables + +[ Upstream commit c16e12010060c6c7a31f08b4a99513064cb53b7d ] + +KASAN reports and additional traces point to out-of-bounds accesses to +the dapm_up_seq and dapm_down_seq lookup tables. The indices used are +larger than the array definition. + +Fix by adding missing entries for the new widget types in these two +lookup tables, and align them with PGA values. + +Also the sequences for the following widgets were not defined. Since +their values defaulted to zero, assign them explicitly + + snd_soc_dapm_input + snd_soc_dapm_output + snd_soc_dapm_vmid + snd_soc_dapm_siggen + snd_soc_dapm_sink + +Fixes: 8a70b4544ef4 ('ASoC: dapm: Add new widget type for constructing DAPM graphs on DSPs.'). +Signed-off-by: Pierre-Louis Bossart +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-dapm.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c +index 653706945222..9b78fb3daa7b 100644 +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -71,12 +71,16 @@ static int dapm_up_seq[] = { + [snd_soc_dapm_clock_supply] = 1, + [snd_soc_dapm_supply] = 2, + [snd_soc_dapm_micbias] = 3, ++ [snd_soc_dapm_vmid] = 3, + [snd_soc_dapm_dai_link] = 2, + [snd_soc_dapm_dai_in] = 4, + [snd_soc_dapm_dai_out] = 4, + [snd_soc_dapm_aif_in] = 4, + [snd_soc_dapm_aif_out] = 4, + [snd_soc_dapm_mic] = 5, ++ [snd_soc_dapm_siggen] = 5, ++ [snd_soc_dapm_input] = 5, ++ [snd_soc_dapm_output] = 5, + [snd_soc_dapm_mux] = 6, + [snd_soc_dapm_demux] = 6, + [snd_soc_dapm_dac] = 7, +@@ -84,11 +88,19 @@ static int dapm_up_seq[] = { + [snd_soc_dapm_mixer] = 8, + [snd_soc_dapm_mixer_named_ctl] = 8, + [snd_soc_dapm_pga] = 9, ++ [snd_soc_dapm_buffer] = 9, ++ [snd_soc_dapm_scheduler] = 9, ++ [snd_soc_dapm_effect] = 9, ++ [snd_soc_dapm_src] = 9, ++ [snd_soc_dapm_asrc] = 9, ++ [snd_soc_dapm_encoder] = 9, ++ [snd_soc_dapm_decoder] = 9, + [snd_soc_dapm_adc] = 10, + [snd_soc_dapm_out_drv] = 11, + [snd_soc_dapm_hp] = 11, + [snd_soc_dapm_spk] = 11, + [snd_soc_dapm_line] = 11, ++ [snd_soc_dapm_sink] = 11, + [snd_soc_dapm_kcontrol] = 12, + [snd_soc_dapm_post] = 13, + }; +@@ -101,13 +113,25 @@ static int dapm_down_seq[] = { + [snd_soc_dapm_spk] = 3, + [snd_soc_dapm_line] = 3, + [snd_soc_dapm_out_drv] = 3, ++ [snd_soc_dapm_sink] = 3, + [snd_soc_dapm_pga] = 4, ++ [snd_soc_dapm_buffer] = 4, ++ [snd_soc_dapm_scheduler] = 4, ++ [snd_soc_dapm_effect] = 4, ++ [snd_soc_dapm_src] = 4, ++ [snd_soc_dapm_asrc] = 4, ++ [snd_soc_dapm_encoder] = 4, ++ [snd_soc_dapm_decoder] = 4, + [snd_soc_dapm_switch] = 5, + [snd_soc_dapm_mixer_named_ctl] = 5, + [snd_soc_dapm_mixer] = 5, + [snd_soc_dapm_dac] = 6, + [snd_soc_dapm_mic] = 7, ++ [snd_soc_dapm_siggen] = 7, ++ [snd_soc_dapm_input] = 7, ++ [snd_soc_dapm_output] = 7, + [snd_soc_dapm_micbias] = 8, ++ [snd_soc_dapm_vmid] = 8, + [snd_soc_dapm_mux] = 9, + [snd_soc_dapm_demux] = 9, + [snd_soc_dapm_aif_in] = 10, +-- +2.19.1 + diff --git a/queue-4.19/asoc-rsnd-fixup-rsnd_ssi_master_clk_start-user-count.patch b/queue-4.19/asoc-rsnd-fixup-rsnd_ssi_master_clk_start-user-count.patch new file mode 100644 index 00000000000..9f7bef0e7ad --- /dev/null +++ b/queue-4.19/asoc-rsnd-fixup-rsnd_ssi_master_clk_start-user-count.patch @@ -0,0 +1,44 @@ +From 3f1945f0e6c3a01d06bad76998b4ffe9e4aa40d4 Mon Sep 17 00:00:00 2001 +From: Kuninori Morimoto +Date: Tue, 5 Feb 2019 09:46:43 +0900 +Subject: ASoC: rsnd: fixup rsnd_ssi_master_clk_start() user count check + +[ Upstream commit d9111d36024de07784f2e1ba2ccf70b16035f378 ] + +commit 4d230d1271064 ("ASoC: rsnd: fixup not to call clk_get/set +under non-atomic") added new rsnd_ssi_prepare() and moved +rsnd_ssi_master_clk_start() to .prepare. +But, ssi user count (= ssi->usrcnt) is incremented at .init +(= rsnd_ssi_init()). +Because of these timing exchange, ssi->usrcnt check at +rsnd_ssi_master_clk_start() should be adjusted. +Otherwise, 2nd master clock setup will be no check. +This patch fixup this issue. + +Fixes: commit 4d230d1271064 ("ASoC: rsnd: fixup not to call clk_get/set under non-atomic") +Reported-by: Yusuke Goda +Reported-by: Valentine Barshak +Signed-off-by: Kuninori Morimoto +Tested-by: Yusuke Goda +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sh/rcar/ssi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/sh/rcar/ssi.c b/sound/soc/sh/rcar/ssi.c +index a566dae3ec8a..9410e0a9b14b 100644 +--- a/sound/soc/sh/rcar/ssi.c ++++ b/sound/soc/sh/rcar/ssi.c +@@ -283,7 +283,7 @@ static int rsnd_ssi_master_clk_start(struct rsnd_mod *mod, + if (rsnd_ssi_is_multi_slave(mod, io)) + return 0; + +- if (ssi->usrcnt > 1) { ++ if (ssi->usrcnt > 0) { + if (ssi->rate != rate) { + dev_err(dev, "SSI parent/child should use same rate\n"); + return -EINVAL; +-- +2.19.1 + diff --git a/queue-4.19/asoc-rt5682-correct-the-setting-while-select-asrc-cl.patch b/queue-4.19/asoc-rt5682-correct-the-setting-while-select-asrc-cl.patch new file mode 100644 index 00000000000..fdb84289552 --- /dev/null +++ b/queue-4.19/asoc-rt5682-correct-the-setting-while-select-asrc-cl.patch @@ -0,0 +1,36 @@ +From 33918f1c3acfc6a49e7a51e94d48cbf86539dbbc Mon Sep 17 00:00:00 2001 +From: Shuming Fan +Date: Tue, 22 Jan 2019 15:50:09 +0800 +Subject: ASoC: rt5682: Correct the setting while select ASRC clk for AD/DA + filter + +[ Upstream commit 8077ec011b1ea26abb7ca786f28ecccfb352717f ] + +AD/DA ASRC function control two ASRC clock sources separately. +Whether AD/DA filter select which clock source, we enable AD/DA ASRC +function for all cases. + +Signed-off-by: Shuming Fan +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5682.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/codecs/rt5682.c b/sound/soc/codecs/rt5682.c +index afe7d5b19313..79ebcc239786 100644 +--- a/sound/soc/codecs/rt5682.c ++++ b/sound/soc/codecs/rt5682.c +@@ -1757,7 +1757,9 @@ static const struct snd_soc_dapm_route rt5682_dapm_routes[] = { + {"ADC Stereo1 Filter", NULL, "ADC STO1 ASRC", is_using_asrc}, + {"DAC Stereo1 Filter", NULL, "DAC STO1 ASRC", is_using_asrc}, + {"ADC STO1 ASRC", NULL, "AD ASRC"}, ++ {"ADC STO1 ASRC", NULL, "DA ASRC"}, + {"ADC STO1 ASRC", NULL, "CLKDET"}, ++ {"DAC STO1 ASRC", NULL, "AD ASRC"}, + {"DAC STO1 ASRC", NULL, "DA ASRC"}, + {"DAC STO1 ASRC", NULL, "CLKDET"}, + +-- +2.19.1 + diff --git a/queue-4.19/asoc-samsung-prevent-clk_get_rate-calls-in-atomic-co.patch b/queue-4.19/asoc-samsung-prevent-clk_get_rate-calls-in-atomic-co.patch new file mode 100644 index 00000000000..36550b1749a --- /dev/null +++ b/queue-4.19/asoc-samsung-prevent-clk_get_rate-calls-in-atomic-co.patch @@ -0,0 +1,162 @@ +From 111b7a5a02dca5284607349c587379186e4fd663 Mon Sep 17 00:00:00 2001 +From: Sylwester Nawrocki +Date: Thu, 7 Feb 2019 15:20:41 +0100 +Subject: ASoC: samsung: Prevent clk_get_rate() calls in atomic context +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 860b454c2c0cbda6892954f5cdbbb48931b3c8db ] + +This patch moves clk_get_rate() call from trigger() to hw_params() +callback to avoid calling sleeping clk API from atomic context +and prevent deadlock as indicated below. + +Before this change clk_get_rate() was being called with same +spinlock held as the one passed to the clk API when registering +clocks exposed by the I2S driver. + +[ 82.109780] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:908 +[ 82.117009] in_atomic(): 1, irqs_disabled(): 128, pid: 1554, name: speaker-test +[ 82.124235] 3 locks held by speaker-test/1554: +[ 82.128653] #0: cc8c5328 (snd_pcm_link_rwlock){...-}, at: snd_pcm_stream_lock_irq+0x20/0x38 +[ 82.137058] #1: ec9eda17 (&(&substream->self_group.lock)->rlock){..-.}, at: snd_pcm_ioctl+0x900/0x1268 +[ 82.146417] #2: 6ac279bf (&(&pri_dai->spinlock)->rlock){..-.}, at: i2s_trigger+0x64/0x6d4 +[ 82.154650] irq event stamp: 8144 +[ 82.157949] hardirqs last enabled at (8143): [] _raw_read_unlock_irq+0x24/0x5c +[ 82.166089] hardirqs last disabled at (8144): [] _raw_read_lock_irq+0x18/0x58 +[ 82.174063] softirqs last enabled at (8004): [] __do_softirq+0x3a4/0x66c +[ 82.181688] softirqs last disabled at (7997): [] irq_exit+0x140/0x168 +[ 82.188964] Preemption disabled at: +[ 82.188967] [<00000000>] (null) +[ 82.195728] CPU: 6 PID: 1554 Comm: speaker-test Not tainted 5.0.0-rc5-00192-ga6e6caca8f03 #191 +[ 82.204302] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree) +[ 82.210376] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[ 82.218084] [] (show_stack) from [] (dump_stack+0x90/0xc8) +[ 82.225278] [] (dump_stack) from [] (___might_sleep+0x22c/0x2c8) +[ 82.232990] [] (___might_sleep) from [] (__mutex_lock+0x28/0xa3c) +[ 82.240788] [] (__mutex_lock) from [] (mutex_lock_nested+0x1c/0x24) +[ 82.248763] [] (mutex_lock_nested) from [] (clk_prepare_lock+0x78/0xec) +[ 82.257079] [] (clk_prepare_lock) from [] (clk_core_get_rate+0xc/0x5c) +[ 82.265309] [] (clk_core_get_rate) from [] (i2s_trigger+0x490/0x6d4) +[ 82.273369] [] (i2s_trigger) from [] (soc_pcm_trigger+0x100/0x140) +[ 82.281254] [] (soc_pcm_trigger) from [] (snd_pcm_do_start+0x2c/0x30) +[ 82.289400] [] (snd_pcm_do_start) from [] (snd_pcm_action_single+0x38/0x78) +[ 82.298065] [] (snd_pcm_action_single) from [] (snd_pcm_ioctl+0x910/0x1268) +[ 82.306734] [] (snd_pcm_ioctl) from [] (do_vfs_ioctl+0x90/0x9ec) +[ 82.314443] [] (do_vfs_ioctl) from [] (ksys_ioctl+0x34/0x60) +[ 82.321808] [] (ksys_ioctl) from [] (ret_fast_syscall+0x0/0x28) +[ 82.329431] Exception stack(0xeb875fa8 to 0xeb875ff0) +[ 82.334459] 5fa0: 00033c18 b6e31000 00000004 00004142 00033d80 00033d80 +[ 82.342605] 5fc0: 00033c18 b6e31000 00008000 00000036 00008000 00000000 beea38a8 00008000 +[ 82.350748] 5fe0: b6e3142c beea384c b6da9a30 b6c9212c +[ 82.355789] +[ 82.357245] ====================================================== +[ 82.363397] WARNING: possible circular locking dependency detected +[ 82.369551] 5.0.0-rc5-00192-ga6e6caca8f03 #191 Tainted: G W +[ 82.376395] ------------------------------------------------------ +[ 82.382548] speaker-test/1554 is trying to acquire lock: +[ 82.387834] 6d2007f4 (prepare_lock){+.+.}, at: clk_prepare_lock+0x78/0xec +[ 82.394593] +[ 82.394593] but task is already holding lock: +[ 82.400398] 6ac279bf (&(&pri_dai->spinlock)->rlock){..-.}, at: i2s_trigger+0x64/0x6d4 +[ 82.408197] +[ 82.408197] which lock already depends on the new lock. +[ 82.416343] +[ 82.416343] the existing dependency chain (in reverse order) is: +[ 82.423795] +[ 82.423795] -> #1 (&(&pri_dai->spinlock)->rlock){..-.}: +[ 82.430472] clk_mux_set_parent+0x34/0xb8 +[ 82.434975] clk_core_set_parent_nolock+0x1c4/0x52c +[ 82.440347] clk_set_parent+0x38/0x6c +[ 82.444509] of_clk_set_defaults+0xc8/0x308 +[ 82.449186] of_clk_add_provider+0x84/0xd0 +[ 82.453779] samsung_i2s_probe+0x408/0x5f8 +[ 82.458376] platform_drv_probe+0x48/0x98 +[ 82.462879] really_probe+0x224/0x3f4 +[ 82.467037] driver_probe_device+0x70/0x1c4 +[ 82.471716] bus_for_each_drv+0x44/0x8c +[ 82.476049] __device_attach+0xa0/0x138 +[ 82.480382] bus_probe_device+0x88/0x90 +[ 82.484715] deferred_probe_work_func+0x6c/0xbc +[ 82.489741] process_one_work+0x200/0x740 +[ 82.494246] worker_thread+0x2c/0x4c8 +[ 82.498408] kthread+0x128/0x164 +[ 82.502131] ret_from_fork+0x14/0x20 +[ 82.506204] (null) +[ 82.508976] +[ 82.508976] -> #0 (prepare_lock){+.+.}: +[ 82.514264] __mutex_lock+0x60/0xa3c +[ 82.518336] mutex_lock_nested+0x1c/0x24 +[ 82.522756] clk_prepare_lock+0x78/0xec +[ 82.527088] clk_core_get_rate+0xc/0x5c +[ 82.531421] i2s_trigger+0x490/0x6d4 +[ 82.535494] soc_pcm_trigger+0x100/0x140 +[ 82.539913] snd_pcm_do_start+0x2c/0x30 +[ 82.544246] snd_pcm_action_single+0x38/0x78 +[ 82.549012] snd_pcm_ioctl+0x910/0x1268 +[ 82.553345] do_vfs_ioctl+0x90/0x9ec +[ 82.557417] ksys_ioctl+0x34/0x60 +[ 82.561229] ret_fast_syscall+0x0/0x28 +[ 82.565477] 0xbeea384c +[ 82.568421] +[ 82.568421] other info that might help us debug this: +[ 82.568421] +[ 82.576394] Possible unsafe locking scenario: +[ 82.576394] +[ 82.582285] CPU0 CPU1 +[ 82.586792] ---- ---- +[ 82.591297] lock(&(&pri_dai->spinlock)->rlock); +[ 82.595977] lock(prepare_lock); +[ 82.601782] lock(&(&pri_dai->spinlock)->rlock); +[ 82.608975] lock(prepare_lock); +[ 82.612268] +[ 82.612268] *** DEADLOCK *** + +Fixes: 647d04f8e07a ("ASoC: samsung: i2s: Ensure the RCLK rate is properly determined") +Reported-by: Krzysztof Kozłowski +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/samsung/i2s.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/samsung/i2s.c b/sound/soc/samsung/i2s.c +index d6c62aa13041..ce00fe2f6aae 100644 +--- a/sound/soc/samsung/i2s.c ++++ b/sound/soc/samsung/i2s.c +@@ -700,6 +700,7 @@ static int i2s_hw_params(struct snd_pcm_substream *substream, + { + struct i2s_dai *i2s = to_info(dai); + u32 mod, mask = 0, val = 0; ++ struct clk *rclksrc; + unsigned long flags; + + WARN_ON(!pm_runtime_active(dai->dev)); +@@ -782,6 +783,10 @@ static int i2s_hw_params(struct snd_pcm_substream *substream, + + i2s->frmclk = params_rate(params); + ++ rclksrc = i2s->clk_table[CLK_I2S_RCLK_SRC]; ++ if (rclksrc && !IS_ERR(rclksrc)) ++ i2s->rclk_srcrate = clk_get_rate(rclksrc); ++ + return 0; + } + +@@ -886,11 +891,6 @@ static int config_setup(struct i2s_dai *i2s) + return 0; + + if (!(i2s->quirks & QUIRK_NO_MUXPSR)) { +- struct clk *rclksrc = i2s->clk_table[CLK_I2S_RCLK_SRC]; +- +- if (rclksrc && !IS_ERR(rclksrc)) +- i2s->rclk_srcrate = clk_get_rate(rclksrc); +- + psr = i2s->rclk_srcrate / i2s->frmclk / rfs; + writel(((psr - 1) << 8) | PSR_PSREN, i2s->addr + I2SPSR); + dev_dbg(&i2s->pdev->dev, +-- +2.19.1 + diff --git a/queue-4.19/asoc-topology-free-created-components-in-tplg-load-e.patch b/queue-4.19/asoc-topology-free-created-components-in-tplg-load-e.patch new file mode 100644 index 00000000000..e74d532d9b3 --- /dev/null +++ b/queue-4.19/asoc-topology-free-created-components-in-tplg-load-e.patch @@ -0,0 +1,45 @@ +From 7c91c214141c74c160df9588f3012947d8e4cbb3 Mon Sep 17 00:00:00 2001 +From: Bard liao +Date: Sun, 17 Feb 2019 21:23:47 +0800 +Subject: ASoC: topology: free created components in tplg load error + +[ Upstream commit 304017d31df36fb61eb2ed3ebf65fb6870b3c731 ] + +Topology resources are no longer needed if any element failed to load. + +Signed-off-by: Bard liao +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-topology.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c +index 66e77e020745..88a7e860b175 100644 +--- a/sound/soc/soc-topology.c ++++ b/sound/soc/soc-topology.c +@@ -2493,6 +2493,7 @@ int snd_soc_tplg_component_load(struct snd_soc_component *comp, + struct snd_soc_tplg_ops *ops, const struct firmware *fw, u32 id) + { + struct soc_tplg tplg; ++ int ret; + + /* setup parsing context */ + memset(&tplg, 0, sizeof(tplg)); +@@ -2506,7 +2507,12 @@ int snd_soc_tplg_component_load(struct snd_soc_component *comp, + tplg.bytes_ext_ops = ops->bytes_ext_ops; + tplg.bytes_ext_ops_count = ops->bytes_ext_ops_count; + +- return soc_tplg_load(&tplg); ++ ret = soc_tplg_load(&tplg); ++ /* free the created components if fail to load topology */ ++ if (ret) ++ snd_soc_tplg_component_remove(comp, SND_SOC_TPLG_INDEX_ALL); ++ ++ return ret; + } + EXPORT_SYMBOL_GPL(snd_soc_tplg_component_load); + +-- +2.19.1 + diff --git a/queue-4.19/assoc_array-fix-shortcut-creation.patch b/queue-4.19/assoc_array-fix-shortcut-creation.patch new file mode 100644 index 00000000000..68aca860bf8 --- /dev/null +++ b/queue-4.19/assoc_array-fix-shortcut-creation.patch @@ -0,0 +1,57 @@ +From 9863f35dc72aae9495b3646714c056e48247a0e9 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Thu, 14 Feb 2019 16:20:15 +0000 +Subject: assoc_array: Fix shortcut creation + +[ Upstream commit bb2ba2d75a2d673e76ddaf13a9bd30d6a8b1bb08 ] + +Fix the creation of shortcuts for which the length of the index key value +is an exact multiple of the machine word size. The problem is that the +code that blanks off the unused bits of the shortcut value malfunctions if +the number of bits in the last word equals machine word size. This is due +to the "<<" operator being given a shift of zero in this case, and so the +mask that should be all zeros is all ones instead. This causes the +subsequent masking operation to clear everything rather than clearing +nothing. + +Ordinarily, the presence of the hash at the beginning of the tree index key +makes the issue very hard to test for, but in this case, it was encountered +due to a development mistake that caused the hash output to be either 0 +(keyring) or 1 (non-keyring) only. This made it susceptible to the +keyctl/unlink/valid test in the keyutils package. + +The fix is simply to skip the blanking if the shift would be 0. For +example, an index key that is 64 bits long would produce a 0 shift and thus +a 'blank' of all 1s. This would then be inverted and AND'd onto the +index_key, incorrectly clearing the entire last word. + +Fixes: 3cb989501c26 ("Add a generic associative array implementation.") +Signed-off-by: David Howells +Signed-off-by: James Morris +Signed-off-by: Sasha Levin +--- + lib/assoc_array.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/lib/assoc_array.c b/lib/assoc_array.c +index c6659cb37033..59875eb278ea 100644 +--- a/lib/assoc_array.c ++++ b/lib/assoc_array.c +@@ -768,9 +768,11 @@ all_leaves_cluster_together: + new_s0->index_key[i] = + ops->get_key_chunk(index_key, i * ASSOC_ARRAY_KEY_CHUNK_SIZE); + +- blank = ULONG_MAX << (level & ASSOC_ARRAY_KEY_CHUNK_MASK); +- pr_devel("blank off [%zu] %d: %lx\n", keylen - 1, level, blank); +- new_s0->index_key[keylen - 1] &= ~blank; ++ if (level & ASSOC_ARRAY_KEY_CHUNK_MASK) { ++ blank = ULONG_MAX << (level & ASSOC_ARRAY_KEY_CHUNK_MASK); ++ pr_devel("blank off [%zu] %d: %lx\n", keylen - 1, level, blank); ++ new_s0->index_key[keylen - 1] &= ~blank; ++ } + + /* This now reduces to a node splitting exercise for which we'll need + * to regenerate the disparity table. +-- +2.19.1 + diff --git a/queue-4.19/auxdisplay-ht16k33-fix-potential-user-after-free-on-.patch b/queue-4.19/auxdisplay-ht16k33-fix-potential-user-after-free-on-.patch new file mode 100644 index 00000000000..f9cbc9e4961 --- /dev/null +++ b/queue-4.19/auxdisplay-ht16k33-fix-potential-user-after-free-on-.patch @@ -0,0 +1,44 @@ +From f0d882a2e20103dc4213985c6c8c0e70e68b60b4 Mon Sep 17 00:00:00 2001 +From: Miguel Ojeda +Date: Sat, 9 Feb 2019 00:38:45 +0100 +Subject: auxdisplay: ht16k33: fix potential user-after-free on module unload + +[ Upstream commit 69ef9bc54715fb1cb7786ada15774e469e822209 ] + +On module unload/remove, we need to ensure that work does not run +after we have freed resources. Concretely, cancel_delayed_work() +may return while the callback function is still running. + +From kernel/workqueue.c: + + The work callback function may still be running on return, + unless it returns true and the work doesn't re-arm itself. + Explicitly flush or use cancel_delayed_work_sync() to wait on it. + +Link: https://lore.kernel.org/lkml/20190204220952.30761-1-TheSven73@googlemail.com/ +Reported-by: Sven Van Asbroeck +Reviewed-by: Dmitry Torokhov +Reviewed-by: Sven Van Asbroeck +Acked-by: Robin van der Gracht +Signed-off-by: Miguel Ojeda +Signed-off-by: Sasha Levin +--- + drivers/auxdisplay/ht16k33.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/auxdisplay/ht16k33.c b/drivers/auxdisplay/ht16k33.c +index a43276c76fc6..21393ec3b9a4 100644 +--- a/drivers/auxdisplay/ht16k33.c ++++ b/drivers/auxdisplay/ht16k33.c +@@ -509,7 +509,7 @@ static int ht16k33_remove(struct i2c_client *client) + struct ht16k33_priv *priv = i2c_get_clientdata(client); + struct ht16k33_fbdev *fbdev = &priv->fbdev; + +- cancel_delayed_work(&fbdev->work); ++ cancel_delayed_work_sync(&fbdev->work); + unregister_framebuffer(fbdev->info); + framebuffer_release(fbdev->info); + free_page((unsigned long) fbdev->buffer); +-- +2.19.1 + diff --git a/queue-4.19/blk-mq-insert-rq-with-dontprep-to-hctx-dispatch-list.patch b/queue-4.19/blk-mq-insert-rq-with-dontprep-to-hctx-dispatch-list.patch new file mode 100644 index 00000000000..cf97685d63e --- /dev/null +++ b/queue-4.19/blk-mq-insert-rq-with-dontprep-to-hctx-dispatch-list.patch @@ -0,0 +1,67 @@ +From 6e200e68783b777a955161cbcd03360b8487b4e5 Mon Sep 17 00:00:00 2001 +From: Jianchao Wang +Date: Tue, 12 Feb 2019 09:56:25 +0800 +Subject: blk-mq: insert rq with DONTPREP to hctx dispatch list when requeue + +[ Upstream commit aef1897cd36dcf5e296f1d2bae7e0d268561b685 ] + +When requeue, if RQF_DONTPREP, rq has contained some driver +specific data, so insert it to hctx dispatch list to avoid any +merge. Take scsi as example, here is the trace event log (no +io scheduler, because RQF_STARTED would prevent merging), + + kworker/0:1H-339 [000] ...1 2037.209289: block_rq_insert: 8,0 R 4096 () 32768 + 8 [kworker/0:1H] +scsi_inert_test-1987 [000] .... 2037.220465: block_bio_queue: 8,0 R 32776 + 8 [scsi_inert_test] +scsi_inert_test-1987 [000] ...2 2037.220466: block_bio_backmerge: 8,0 R 32776 + 8 [scsi_inert_test] + kworker/0:1H-339 [000] .... 2047.220913: block_rq_issue: 8,0 R 8192 () 32768 + 16 [kworker/0:1H] +scsi_inert_test-1996 [000] ..s1 2047.221007: block_rq_complete: 8,0 R () 32768 + 8 [0] +scsi_inert_test-1996 [000] .Ns1 2047.221045: block_rq_requeue: 8,0 R () 32776 + 8 [0] + kworker/0:1H-339 [000] ...1 2047.221054: block_rq_insert: 8,0 R 4096 () 32776 + 8 [kworker/0:1H] + kworker/0:1H-339 [000] ...1 2047.221056: block_rq_issue: 8,0 R 4096 () 32776 + 8 [kworker/0:1H] +scsi_inert_test-1986 [000] ..s1 2047.221119: block_rq_complete: 8,0 R () 32776 + 8 [0] + +(32768 + 8) was requeued by scsi_queue_insert and had RQF_DONTPREP. +Then it was merged with (32776 + 8) and issued. Due to RQF_DONTPREP, +the sdb only contained the part of (32768 + 8), then only that part +was completed. The lucky thing was that scsi_io_completion detected +it and requeued the remaining part. So we didn't get corrupted data. +However, the requeue of (32776 + 8) is not expected. + +Suggested-by: Jens Axboe +Signed-off-by: Jianchao Wang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 23a53b67cf0d..7d53f2314d7c 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -701,12 +701,20 @@ static void blk_mq_requeue_work(struct work_struct *work) + spin_unlock_irq(&q->requeue_lock); + + list_for_each_entry_safe(rq, next, &rq_list, queuelist) { +- if (!(rq->rq_flags & RQF_SOFTBARRIER)) ++ if (!(rq->rq_flags & (RQF_SOFTBARRIER | RQF_DONTPREP))) + continue; + + rq->rq_flags &= ~RQF_SOFTBARRIER; + list_del_init(&rq->queuelist); +- blk_mq_sched_insert_request(rq, true, false, false); ++ /* ++ * If RQF_DONTPREP, rq has contained some driver specific ++ * data, so insert it to hctx dispatch list to avoid any ++ * merge. ++ */ ++ if (rq->rq_flags & RQF_DONTPREP) ++ blk_mq_request_bypass_insert(rq, false); ++ else ++ blk_mq_sched_insert_request(rq, true, false, false); + } + + while (!list_empty(&rq_list)) { +-- +2.19.1 + diff --git a/queue-4.19/bnxt_en-fix-typo-in-firmware-message-timeout-logic.patch b/queue-4.19/bnxt_en-fix-typo-in-firmware-message-timeout-logic.patch new file mode 100644 index 00000000000..23cf6cb7e87 --- /dev/null +++ b/queue-4.19/bnxt_en-fix-typo-in-firmware-message-timeout-logic.patch @@ -0,0 +1,37 @@ +From 1d497f2a09e7e82ddd1e6d44d042caf678c74795 Mon Sep 17 00:00:00 2001 +From: Michael Chan +Date: Wed, 20 Feb 2019 19:07:31 -0500 +Subject: bnxt_en: Fix typo in firmware message timeout logic. + +[ Upstream commit 67681d02aaa1db9044a16df4ca9c77cde1221a3e ] + +The logic that polls for the firmware message response uses a shorter +sleep interval for the first few passes. But there was a typo so it +was using the wrong counter (larger counter) for these short sleep +passes. The result is a slightly shorter timeout period for these +firmware messages than intended. Fix it by using the proper counter. + +Fixes: 9751e8e71487 ("bnxt_en: reduce timeout on initial HWRM calls") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 1fdaf86bbe8f..63b97289f4fe 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -3542,7 +3542,7 @@ static int bnxt_hwrm_do_send_msg(struct bnxt *bp, void *msg, u32 msg_len, + if (len) + break; + /* on first few passes, just barely sleep */ +- if (i < DFLT_HWRM_CMD_TIMEOUT) ++ if (i < HWRM_SHORT_TIMEOUT_COUNTER) + usleep_range(HWRM_SHORT_MIN_TIMEOUT, + HWRM_SHORT_MAX_TIMEOUT); + else +-- +2.19.1 + diff --git a/queue-4.19/bnxt_en-wait-longer-for-the-firmware-message-respons.patch b/queue-4.19/bnxt_en-wait-longer-for-the-firmware-message-respons.patch new file mode 100644 index 00000000000..0440ce323f5 --- /dev/null +++ b/queue-4.19/bnxt_en-wait-longer-for-the-firmware-message-respons.patch @@ -0,0 +1,50 @@ +From 28c332c024e5d13d5bb5469a6e7e7fca43caecf1 Mon Sep 17 00:00:00 2001 +From: Michael Chan +Date: Wed, 20 Feb 2019 19:07:32 -0500 +Subject: bnxt_en: Wait longer for the firmware message response to complete. + +[ Upstream commit 0000b81a063b5f3ab82fa18041c28327ce72c312 ] + +The code waits up to 20 usec for the firmware response to complete +once we've seen the valid response header in the buffer. It turns +out that in some scenarios, this wait time is not long enough. +Extend it to 150 usec and use usleep_range() instead of udelay(). + +Fixes: 9751e8e71487 ("bnxt_en: reduce timeout on initial HWRM calls") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +- + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 63b97289f4fe..0bd93bb7d1a2 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -3565,7 +3565,7 @@ static int bnxt_hwrm_do_send_msg(struct bnxt *bp, void *msg, u32 msg_len, + dma_rmb(); + if (*valid) + break; +- udelay(1); ++ usleep_range(1, 5); + } + + if (j >= HWRM_VALID_BIT_DELAY_USEC) { +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +index bde384630a75..cf2d4a6583d5 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +@@ -548,7 +548,7 @@ struct rx_tpa_end_cmp_ext { + (HWRM_SHORT_TIMEOUT_COUNTER * HWRM_SHORT_MIN_TIMEOUT + \ + ((n) - HWRM_SHORT_TIMEOUT_COUNTER) * HWRM_MIN_TIMEOUT)) + +-#define HWRM_VALID_BIT_DELAY_USEC 20 ++#define HWRM_VALID_BIT_DELAY_USEC 150 + + #define BNXT_RX_EVENT 1 + #define BNXT_AGG_EVENT 2 +-- +2.19.1 + diff --git a/queue-4.19/bpf-fix-lockdep-false-positive-in-stackmap.patch b/queue-4.19/bpf-fix-lockdep-false-positive-in-stackmap.patch new file mode 100644 index 00000000000..f2acc5e989b --- /dev/null +++ b/queue-4.19/bpf-fix-lockdep-false-positive-in-stackmap.patch @@ -0,0 +1,64 @@ +From 702f8b1cebabfea0ab46550a1c60665d7b86e4e4 Mon Sep 17 00:00:00 2001 +From: Alexei Starovoitov +Date: Sun, 10 Feb 2019 12:52:35 -0800 +Subject: bpf: fix lockdep false positive in stackmap + +[ Upstream commit 3defaf2f15b2bfd86c6664181ac009e91985f8ac ] + +Lockdep warns about false positive: +[ 11.211460] ------------[ cut here ]------------ +[ 11.211936] DEBUG_LOCKS_WARN_ON(depth <= 0) +[ 11.211985] WARNING: CPU: 0 PID: 141 at ../kernel/locking/lockdep.c:3592 lock_release+0x1ad/0x280 +[ 11.213134] Modules linked in: +[ 11.214954] RIP: 0010:lock_release+0x1ad/0x280 +[ 11.223508] Call Trace: +[ 11.223705] +[ 11.223874] ? __local_bh_enable+0x7a/0x80 +[ 11.224199] up_read+0x1c/0xa0 +[ 11.224446] do_up_read+0x12/0x20 +[ 11.224713] irq_work_run_list+0x43/0x70 +[ 11.225030] irq_work_run+0x26/0x50 +[ 11.225310] smp_irq_work_interrupt+0x57/0x1f0 +[ 11.225662] irq_work_interrupt+0xf/0x20 + +since rw_semaphore is released in a different task vs task that locked the sema. +It is expected behavior. +Fix the warning with up_read_non_owner() and rwsem_release() annotation. + +Fixes: bae77c5eb5b2 ("bpf: enable stackmap with build_id in nmi context") +Signed-off-by: Alexei Starovoitov +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + kernel/bpf/stackmap.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c +index 6a32933cae4f..7cb7a7f98a37 100644 +--- a/kernel/bpf/stackmap.c ++++ b/kernel/bpf/stackmap.c +@@ -44,7 +44,7 @@ static void do_up_read(struct irq_work *entry) + struct stack_map_irq_work *work; + + work = container_of(entry, struct stack_map_irq_work, irq_work); +- up_read(work->sem); ++ up_read_non_owner(work->sem); + work->sem = NULL; + } + +@@ -338,6 +338,12 @@ static void stack_map_get_build_id_offset(struct bpf_stack_build_id *id_offs, + } else { + work->sem = ¤t->mm->mmap_sem; + irq_work_queue(&work->irq_work); ++ /* ++ * The irq_work will release the mmap_sem with ++ * up_read_non_owner(). The rwsem_release() is called ++ * here to release the lock from lockdep's perspective. ++ */ ++ rwsem_release(¤t->mm->mmap_sem.dep_map, 1, _RET_IP_); + } + } + +-- +2.19.1 + diff --git a/queue-4.19/bpf-lpm-fix-lookup-bug-in-map_delete_elem.patch b/queue-4.19/bpf-lpm-fix-lookup-bug-in-map_delete_elem.patch new file mode 100644 index 00000000000..9e7cabd6c43 --- /dev/null +++ b/queue-4.19/bpf-lpm-fix-lookup-bug-in-map_delete_elem.patch @@ -0,0 +1,80 @@ +From b767f332f8defabc623af4217793f028897be730 Mon Sep 17 00:00:00 2001 +From: Alban Crequy +Date: Fri, 22 Feb 2019 14:19:08 +0100 +Subject: bpf, lpm: fix lookup bug in map_delete_elem + +[ Upstream commit 7c0cdf0b3940f63d9777c3fcf250a2f83859ca54 ] + +trie_delete_elem() was deleting an entry even though it was not matching +if the prefixlen was correct. This patch adds a check on matchlen. + +Reproducer: + +$ sudo bpftool map create /sys/fs/bpf/mylpm type lpm_trie key 8 value 1 entries 128 name mylpm flags 1 +$ sudo bpftool map update pinned /sys/fs/bpf/mylpm key hex 10 00 00 00 aa bb cc dd value hex 01 +$ sudo bpftool map dump pinned /sys/fs/bpf/mylpm +key: 10 00 00 00 aa bb cc dd value: 01 +Found 1 element +$ sudo bpftool map delete pinned /sys/fs/bpf/mylpm key hex 10 00 00 00 ff ff ff ff +$ echo $? +0 +$ sudo bpftool map dump pinned /sys/fs/bpf/mylpm +Found 0 elements + +A similar reproducer is added in the selftests. + +Without the patch: + +$ sudo ./tools/testing/selftests/bpf/test_lpm_map +test_lpm_map: test_lpm_map.c:485: test_lpm_delete: Assertion `bpf_map_delete_elem(map_fd, key) == -1 && errno == ENOENT' failed. +Aborted + +With the patch: test_lpm_map runs without errors. + +Fixes: e454cf595853 ("bpf: Implement map_delete_elem for BPF_MAP_TYPE_LPM_TRIE") +Cc: Craig Gallek +Signed-off-by: Alban Crequy +Acked-by: Craig Gallek +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + kernel/bpf/lpm_trie.c | 1 + + tools/testing/selftests/bpf/test_lpm_map.c | 10 ++++++++++ + 2 files changed, 11 insertions(+) + +diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c +index 9058317ba9de..4f3138e6ecb2 100644 +--- a/kernel/bpf/lpm_trie.c ++++ b/kernel/bpf/lpm_trie.c +@@ -432,6 +432,7 @@ static int trie_delete_elem(struct bpf_map *map, void *_key) + } + + if (!node || node->prefixlen != key->prefixlen || ++ node->prefixlen != matchlen || + (node->flags & LPM_TREE_NODE_FLAG_IM)) { + ret = -ENOENT; + goto out; +diff --git a/tools/testing/selftests/bpf/test_lpm_map.c b/tools/testing/selftests/bpf/test_lpm_map.c +index 147e34cfceb7..02d7c871862a 100644 +--- a/tools/testing/selftests/bpf/test_lpm_map.c ++++ b/tools/testing/selftests/bpf/test_lpm_map.c +@@ -474,6 +474,16 @@ static void test_lpm_delete(void) + assert(bpf_map_lookup_elem(map_fd, key, &value) == -1 && + errno == ENOENT); + ++ key->prefixlen = 30; // unused prefix so far ++ inet_pton(AF_INET, "192.255.0.0", key->data); ++ assert(bpf_map_delete_elem(map_fd, key) == -1 && ++ errno == ENOENT); ++ ++ key->prefixlen = 16; // same prefix as the root node ++ inet_pton(AF_INET, "192.255.0.0", key->data); ++ assert(bpf_map_delete_elem(map_fd, key) == -1 && ++ errno == ENOENT); ++ + /* assert initial lookup */ + key->prefixlen = 32; + inet_pton(AF_INET, "192.168.0.1", key->data); +-- +2.19.1 + diff --git a/queue-4.19/bpf-only-adjust-gso_size-on-bytestream-protocols.patch b/queue-4.19/bpf-only-adjust-gso_size-on-bytestream-protocols.patch new file mode 100644 index 00000000000..f996dc0fec0 --- /dev/null +++ b/queue-4.19/bpf-only-adjust-gso_size-on-bytestream-protocols.patch @@ -0,0 +1,93 @@ +From d5d7f1b0e4deeb07d147a8123a3f663cb83d938c Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn +Date: Thu, 7 Feb 2019 14:54:16 -0500 +Subject: bpf: only adjust gso_size on bytestream protocols + +[ Upstream commit b90efd2258749e04e1b3f71ef0d716f2ac2337e0 ] + +bpf_skb_change_proto and bpf_skb_adjust_room change skb header length. +For GSO packets they adjust gso_size to maintain the same MTU. + +The gso size can only be safely adjusted on bytestream protocols. +Commit d02f51cbcf12 ("bpf: fix bpf_skb_adjust_net/bpf_skb_proto_xlat +to deal with gso sctp skbs") excluded SKB_GSO_SCTP. + +Since then type SKB_GSO_UDP_L4 has been added, whose contents are one +gso_size unit per datagram. Also exclude these. + +Move from a blacklist to a whitelist check to future proof against +additional such new GSO types, e.g., for fraglist based GRO. + +Fixes: bec1f6f69736 ("udp: generate gso with UDP_SEGMENT") +Signed-off-by: Willem de Bruijn +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + include/linux/skbuff.h | 6 ++++++ + net/core/filter.c | 12 ++++-------- + 2 files changed, 10 insertions(+), 8 deletions(-) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index a404d475acee..3b0a25bb7c6f 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -4086,6 +4086,12 @@ static inline bool skb_is_gso_sctp(const struct sk_buff *skb) + return skb_shinfo(skb)->gso_type & SKB_GSO_SCTP; + } + ++static inline bool skb_is_gso_tcp(const struct sk_buff *skb) ++{ ++ return skb_is_gso(skb) && ++ skb_shinfo(skb)->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6); ++} ++ + static inline void skb_gso_reset(struct sk_buff *skb) + { + skb_shinfo(skb)->gso_size = 0; +diff --git a/net/core/filter.c b/net/core/filter.c +index bed9061102f4..b1369edce113 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2614,8 +2614,7 @@ static int bpf_skb_proto_4_to_6(struct sk_buff *skb) + u32 off = skb_mac_header_len(skb); + int ret; + +- /* SCTP uses GSO_BY_FRAGS, thus cannot adjust it. */ +- if (skb_is_gso(skb) && unlikely(skb_is_gso_sctp(skb))) ++ if (!skb_is_gso_tcp(skb)) + return -ENOTSUPP; + + ret = skb_cow(skb, len_diff); +@@ -2656,8 +2655,7 @@ static int bpf_skb_proto_6_to_4(struct sk_buff *skb) + u32 off = skb_mac_header_len(skb); + int ret; + +- /* SCTP uses GSO_BY_FRAGS, thus cannot adjust it. */ +- if (skb_is_gso(skb) && unlikely(skb_is_gso_sctp(skb))) ++ if (!skb_is_gso_tcp(skb)) + return -ENOTSUPP; + + ret = skb_unclone(skb, GFP_ATOMIC); +@@ -2782,8 +2780,7 @@ static int bpf_skb_net_grow(struct sk_buff *skb, u32 len_diff) + u32 off = skb_mac_header_len(skb) + bpf_skb_net_base_len(skb); + int ret; + +- /* SCTP uses GSO_BY_FRAGS, thus cannot adjust it. */ +- if (skb_is_gso(skb) && unlikely(skb_is_gso_sctp(skb))) ++ if (!skb_is_gso_tcp(skb)) + return -ENOTSUPP; + + ret = skb_cow(skb, len_diff); +@@ -2812,8 +2809,7 @@ static int bpf_skb_net_shrink(struct sk_buff *skb, u32 len_diff) + u32 off = skb_mac_header_len(skb) + bpf_skb_net_base_len(skb); + int ret; + +- /* SCTP uses GSO_BY_FRAGS, thus cannot adjust it. */ +- if (skb_is_gso(skb) && unlikely(skb_is_gso_sctp(skb))) ++ if (!skb_is_gso_tcp(skb)) + return -ENOTSUPP; + + ret = skb_unclone(skb, GFP_ATOMIC); +-- +2.19.1 + diff --git a/queue-4.19/clk-sunxi-a31-fix-wrong-ahb-gate-number.patch b/queue-4.19/clk-sunxi-a31-fix-wrong-ahb-gate-number.patch new file mode 100644 index 00000000000..60723dcedd3 --- /dev/null +++ b/queue-4.19/clk-sunxi-a31-fix-wrong-ahb-gate-number.patch @@ -0,0 +1,39 @@ +From 0221ed8b0b7d667426042d4ce134581308f8d44d Mon Sep 17 00:00:00 2001 +From: Andre Przywara +Date: Wed, 23 Jan 2019 00:59:11 +0000 +Subject: clk: sunxi: A31: Fix wrong AHB gate number + +[ Upstream commit ee0b27a3a4da0b0ed2318aa092f8856896e9450b ] + +According to the manual the gate clock for MMC3 is at bit 11, and NAND1 +is controlled by bit 12. + +Fix the gate bit definitions in the clock driver. + +Fixes: c6e6c96d8fa6 ("clk: sunxi-ng: Add A31/A31s clocks") +Signed-off-by: Andre Przywara +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + drivers/clk/sunxi-ng/ccu-sun6i-a31.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/sunxi-ng/ccu-sun6i-a31.c b/drivers/clk/sunxi-ng/ccu-sun6i-a31.c +index 3b97f60540ad..609970c0b666 100644 +--- a/drivers/clk/sunxi-ng/ccu-sun6i-a31.c ++++ b/drivers/clk/sunxi-ng/ccu-sun6i-a31.c +@@ -264,9 +264,9 @@ static SUNXI_CCU_GATE(ahb1_mmc1_clk, "ahb1-mmc1", "ahb1", + static SUNXI_CCU_GATE(ahb1_mmc2_clk, "ahb1-mmc2", "ahb1", + 0x060, BIT(10), 0); + static SUNXI_CCU_GATE(ahb1_mmc3_clk, "ahb1-mmc3", "ahb1", +- 0x060, BIT(12), 0); ++ 0x060, BIT(11), 0); + static SUNXI_CCU_GATE(ahb1_nand1_clk, "ahb1-nand1", "ahb1", +- 0x060, BIT(13), 0); ++ 0x060, BIT(12), 0); + static SUNXI_CCU_GATE(ahb1_nand0_clk, "ahb1-nand0", "ahb1", + 0x060, BIT(13), 0); + static SUNXI_CCU_GATE(ahb1_sdram_clk, "ahb1-sdram", "ahb1", +-- +2.19.1 + diff --git a/queue-4.19/clk-sunxi-ng-v3s-fix-tcon-reset-de-assert-bit.patch b/queue-4.19/clk-sunxi-ng-v3s-fix-tcon-reset-de-assert-bit.patch new file mode 100644 index 00000000000..8bfa1a38e32 --- /dev/null +++ b/queue-4.19/clk-sunxi-ng-v3s-fix-tcon-reset-de-assert-bit.patch @@ -0,0 +1,35 @@ +From aa27fe4dadfe30764416e24eea8320cca6fabbf6 Mon Sep 17 00:00:00 2001 +From: Paul Kocialkowski +Date: Tue, 22 Jan 2019 09:16:19 +0100 +Subject: clk: sunxi-ng: v3s: Fix TCON reset de-assert bit + +[ Upstream commit 5c59801f7018acba11b12de59017a3fcdcf7421d ] + +According to the datasheet and the reference code from Allwinner, the +bit used to de-assert the TCON reset is bit 4, not bit 3. + +Fix it in the V3s CCU driver. + +Signed-off-by: Paul Kocialkowski +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + drivers/clk/sunxi-ng/ccu-sun8i-v3s.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c b/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c +index 621b1cd996db..ac12f261f8ca 100644 +--- a/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c ++++ b/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c +@@ -542,7 +542,7 @@ static struct ccu_reset_map sun8i_v3s_ccu_resets[] = { + [RST_BUS_OHCI0] = { 0x2c0, BIT(29) }, + + [RST_BUS_VE] = { 0x2c4, BIT(0) }, +- [RST_BUS_TCON0] = { 0x2c4, BIT(3) }, ++ [RST_BUS_TCON0] = { 0x2c4, BIT(4) }, + [RST_BUS_CSI] = { 0x2c4, BIT(8) }, + [RST_BUS_DE] = { 0x2c4, BIT(12) }, + [RST_BUS_DBG] = { 0x2c4, BIT(31) }, +-- +2.19.1 + diff --git a/queue-4.19/clocksource-timer-ti-dm-fix-pwm-dmtimer-usage-of-fck.patch b/queue-4.19/clocksource-timer-ti-dm-fix-pwm-dmtimer-usage-of-fck.patch new file mode 100644 index 00000000000..0c0510f8724 --- /dev/null +++ b/queue-4.19/clocksource-timer-ti-dm-fix-pwm-dmtimer-usage-of-fck.patch @@ -0,0 +1,58 @@ +From 3bb88457dd0e4d039b1c8a7debf4cd6ae187c87f Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Tue, 22 Jan 2019 09:03:08 -0800 +Subject: clocksource: timer-ti-dm: Fix pwm dmtimer usage of fck reparenting + +[ Upstream commit 983a5a43ec254cd5ddf3254db80ca96e8f8bb2a4 ] + +Commit 84badc5ec5fc ("ARM: dts: omap4: Move l4 child devices to probe +them with ti-sysc") moved some omap4 timers to probe with ti-sysc +interconnect target module. Turns out this broke pwm-omap-dmtimer +where we now try to reparent the clock to itself with the following: + +omap_dm_timer_of_set_source: failed to set parent + +With ti-sysc, we can now configure the clock sources in the dts +with assigned-clocks and assigned-clock-parents. So we should be able +to remove omap_dm_timer_of_set_source with clean-up patches later on. +But for now, let's just fix it first by checking if parent and fck +are the same and bail out of so. + +Fixes: 84badc5ec5fc ("ARM: dts: omap4: Move l4 child devices to probe them with ti-sysc") +Cc: Bartosz Golaszewski +Cc: Daniel Lezcano +Cc: H. Nikolaus Schaller +Cc: Keerthy +Cc: Ladislav Michl +Cc: Pavel Machek +Cc: Sebastian Reichel +Cc: Tero Kristo +Cc: Thierry Reding +Cc: Thomas Gleixner +Reported-by: H. Nikolaus Schaller +Tested-By: Andreas Kemnade +Tested-By: H. Nikolaus Schaller +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-ti-dm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/clocksource/timer-ti-dm.c b/drivers/clocksource/timer-ti-dm.c +index 4cce6b224b87..3ecf84706640 100644 +--- a/drivers/clocksource/timer-ti-dm.c ++++ b/drivers/clocksource/timer-ti-dm.c +@@ -154,6 +154,10 @@ static int omap_dm_timer_of_set_source(struct omap_dm_timer *timer) + if (IS_ERR(parent)) + return -ENODEV; + ++ /* Bail out if both clocks point to fck */ ++ if (clk_is_match(parent, timer->fclk)) ++ return 0; ++ + ret = clk_set_parent(timer->fclk, parent); + if (ret < 0) + pr_err("%s: failed to set parent\n", __func__); +-- +2.19.1 + diff --git a/queue-4.19/drm-imx-ignore-plane-updates-on-disabled-crtcs.patch b/queue-4.19/drm-imx-ignore-plane-updates-on-disabled-crtcs.patch new file mode 100644 index 00000000000..0d40aa49eb3 --- /dev/null +++ b/queue-4.19/drm-imx-ignore-plane-updates-on-disabled-crtcs.patch @@ -0,0 +1,41 @@ +From dae674986904dc99941f2d5767ca1c633a3605ca Mon Sep 17 00:00:00 2001 +From: Philipp Zabel +Date: Mon, 5 Nov 2018 16:36:07 +0100 +Subject: drm/imx: ignore plane updates on disabled crtcs + +[ Upstream commit 4fb873c9648e383206e0a91cef9b03aa54066aca ] + +This patch fixes backtraces like the following when sending SIGKILL to a +process with a currently pending plane update: + + [drm:ipu_plane_atomic_check] CRTC should be enabled + [drm:drm_framebuffer_remove] *ERROR* failed to commit + ------------[ cut here ]------------ + WARNING: CPU: 3 PID: 63 at drivers/gpu/drm/drm_framebuffer.c:926 drm_framebuffer_remove+0x47c/0x498 + atomic remove_fb failed with -22 + +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/imx/ipuv3-plane.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/imx/ipuv3-plane.c b/drivers/gpu/drm/imx/ipuv3-plane.c +index 203f247d4854..a323a0db2fc1 100644 +--- a/drivers/gpu/drm/imx/ipuv3-plane.c ++++ b/drivers/gpu/drm/imx/ipuv3-plane.c +@@ -375,9 +375,9 @@ static int ipu_plane_atomic_check(struct drm_plane *plane, + if (ret) + return ret; + +- /* CRTC should be enabled */ ++ /* nothing to check when disabling or disabled */ + if (!crtc_state->enable) +- return -EINVAL; ++ return 0; + + switch (plane->type) { + case DRM_PLANE_TYPE_PRIMARY: +-- +2.19.1 + diff --git a/queue-4.19/drm-imx-imx-ldb-add-missing-of_node_puts.patch b/queue-4.19/drm-imx-imx-ldb-add-missing-of_node_puts.patch new file mode 100644 index 00000000000..dfdcae47ed9 --- /dev/null +++ b/queue-4.19/drm-imx-imx-ldb-add-missing-of_node_puts.patch @@ -0,0 +1,118 @@ +From fa273e562ea7c78c0575598e66eff1d68715a39c Mon Sep 17 00:00:00 2001 +From: Julia Lawall +Date: Sun, 13 Jan 2019 09:47:42 +0100 +Subject: drm/imx: imx-ldb: add missing of_node_puts + +[ Upstream commit aa3312012f103f91f123600bbf768b11c8f431bc ] + +The device node iterators perform an of_node_get on each +iteration, so a jump out of the loop requires an of_node_put. + +Move the initialization channel->child = child; down to just +before the call to imx_ldb_register so that intervening failures +don't need to clear it. Add a label at the end of the function to +do all the of_node_puts. + +The semantic patch that finds part of this problem is as follows +(http://coccinelle.lip6.fr): + +// +@@ +expression root,e; +local idexpression child; +iterator name for_each_child_of_node; +@@ + + for_each_child_of_node(root, child) { + ... when != of_node_put(child) + when != e = child +( + return child; +| +* return ...; +) + ... + } +// + +Signed-off-by: Julia Lawall +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/imx/imx-ldb.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/imx/imx-ldb.c b/drivers/gpu/drm/imx/imx-ldb.c +index 3bd0f8a18e74..42daa5c9ff8e 100644 +--- a/drivers/gpu/drm/imx/imx-ldb.c ++++ b/drivers/gpu/drm/imx/imx-ldb.c +@@ -651,8 +651,10 @@ static int imx_ldb_bind(struct device *dev, struct device *master, void *data) + int bus_format; + + ret = of_property_read_u32(child, "reg", &i); +- if (ret || i < 0 || i > 1) +- return -EINVAL; ++ if (ret || i < 0 || i > 1) { ++ ret = -EINVAL; ++ goto free_child; ++ } + + if (!of_device_is_available(child)) + continue; +@@ -665,7 +667,6 @@ static int imx_ldb_bind(struct device *dev, struct device *master, void *data) + channel = &imx_ldb->channel[i]; + channel->ldb = imx_ldb; + channel->chno = i; +- channel->child = child; + + /* + * The output port is port@4 with an external 4-port mux or +@@ -675,13 +676,13 @@ static int imx_ldb_bind(struct device *dev, struct device *master, void *data) + imx_ldb->lvds_mux ? 4 : 2, 0, + &channel->panel, &channel->bridge); + if (ret && ret != -ENODEV) +- return ret; ++ goto free_child; + + /* panel ddc only if there is no bridge */ + if (!channel->bridge) { + ret = imx_ldb_panel_ddc(dev, channel, child); + if (ret) +- return ret; ++ goto free_child; + } + + bus_format = of_get_bus_format(dev, child); +@@ -697,18 +698,26 @@ static int imx_ldb_bind(struct device *dev, struct device *master, void *data) + if (bus_format < 0) { + dev_err(dev, "could not determine data mapping: %d\n", + bus_format); +- return bus_format; ++ ret = bus_format; ++ goto free_child; + } + channel->bus_format = bus_format; ++ channel->child = child; + + ret = imx_ldb_register(drm, channel); +- if (ret) +- return ret; ++ if (ret) { ++ channel->child = NULL; ++ goto free_child; ++ } + } + + dev_set_drvdata(dev, imx_ldb); + + return 0; ++ ++free_child: ++ of_node_put(child); ++ return ret; + } + + static void imx_ldb_unbind(struct device *dev, struct device *master, +-- +2.19.1 + diff --git a/queue-4.19/esp-skip-tx-bytes-accounting-when-sending-from-a-req.patch b/queue-4.19/esp-skip-tx-bytes-accounting-when-sending-from-a-req.patch new file mode 100644 index 00000000000..a1546e70d28 --- /dev/null +++ b/queue-4.19/esp-skip-tx-bytes-accounting-when-sending-from-a-req.patch @@ -0,0 +1,75 @@ +From 1fb0e86a632aaa2793c07328e642d1945d3a9c3b Mon Sep 17 00:00:00 2001 +From: Martin Willi +Date: Mon, 28 Jan 2019 09:35:35 +0100 +Subject: esp: Skip TX bytes accounting when sending from a request socket + +[ Upstream commit 09db51241118aeb06e1c8cd393b45879ce099b36 ] + +On ESP output, sk_wmem_alloc is incremented for the added padding if a +socket is associated to the skb. When replying with TCP SYNACKs over +IPsec, the associated sk is a casted request socket, only. Increasing +sk_wmem_alloc on a request socket results in a write at an arbitrary +struct offset. In the best case, this produces the following WARNING: + +WARNING: CPU: 1 PID: 0 at lib/refcount.c:102 esp_output_head+0x2e4/0x308 [esp4] +refcount_t: addition on 0; use-after-free. +CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.0.0-rc3 #2 +Hardware name: Marvell Armada 380/385 (Device Tree) +[...] +[] (esp_output_head [esp4]) from [] (esp_output+0xb8/0x180 [esp4]) +[] (esp_output [esp4]) from [] (xfrm_output_resume+0x558/0x664) +[] (xfrm_output_resume) from [] (xfrm4_output+0x44/0xc4) +[] (xfrm4_output) from [] (tcp_v4_send_synack+0xa8/0xe8) +[] (tcp_v4_send_synack) from [] (tcp_conn_request+0x7f4/0x948) +[] (tcp_conn_request) from [] (tcp_rcv_state_process+0x2a0/0xe64) +[] (tcp_rcv_state_process) from [] (tcp_v4_do_rcv+0xf0/0x1f4) +[] (tcp_v4_do_rcv) from [] (tcp_v4_rcv+0xdb8/0xe20) +[] (tcp_v4_rcv) from [] (ip_protocol_deliver_rcu+0x2c/0x2dc) +[] (ip_protocol_deliver_rcu) from [] (ip_local_deliver_finish+0x48/0x54) +[] (ip_local_deliver_finish) from [] (ip_local_deliver+0x54/0xec) +[] (ip_local_deliver) from [] (ip_rcv+0x48/0xb8) +[] (ip_rcv) from [] (__netif_receive_skb_one_core+0x50/0x6c) +[...] + +The issue triggers only when not using TCP syncookies, as for syncookies +no socket is associated. + +Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") +Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") +Signed-off-by: Martin Willi +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv4/esp4.c | 2 +- + net/ipv6/esp6.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c +index 97689012b357..12a43a5369a5 100644 +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -325,7 +325,7 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * + skb->len += tailen; + skb->data_len += tailen; + skb->truesize += tailen; +- if (sk) ++ if (sk && sk_fullsock(sk)) + refcount_add(tailen, &sk->sk_wmem_alloc); + + goto out; +diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c +index 88a7579c23bd..a7d996148eed 100644 +--- a/net/ipv6/esp6.c ++++ b/net/ipv6/esp6.c +@@ -293,7 +293,7 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info + skb->len += tailen; + skb->data_len += tailen; + skb->truesize += tailen; +- if (sk) ++ if (sk && sk_fullsock(sk)) + refcount_add(tailen, &sk->sk_wmem_alloc); + + goto out; +-- +2.19.1 + diff --git a/queue-4.19/floppy-check_events-callback-should-not-return-a-neg.patch b/queue-4.19/floppy-check_events-callback-should-not-return-a-neg.patch new file mode 100644 index 00000000000..74a74597146 --- /dev/null +++ b/queue-4.19/floppy-check_events-callback-should-not-return-a-neg.patch @@ -0,0 +1,41 @@ +From 17aaefea3ff0fc6994030632b9ca9332fb174f7f Mon Sep 17 00:00:00 2001 +From: Yufen Yu +Date: Tue, 29 Jan 2019 16:34:04 +0800 +Subject: floppy: check_events callback should not return a negative number + +[ Upstream commit 96d7cb932e826219ec41ac02e5af037ffae6098c ] + +floppy_check_events() is supposed to return bit flags to say which +events occured. We should return zero to say that no event flags are +set. Only BIT(0) and BIT(1) are used in the caller. And .check_events +interface also expect to return an unsigned int value. + +However, after commit a0c80efe5956, it may return -EINTR (-4u). +Here, both BIT(0) and BIT(1) are cleared. So this patch shouldn't +affect runtime, but it obviously is still worth fixing. + +Reviewed-by: Dan Carpenter +Fixes: a0c80efe5956 ("floppy: fix lock_fdc() signal handling") +Signed-off-by: Yufen Yu +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/floppy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index fdabd0b74492..a8de56f1936d 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -4084,7 +4084,7 @@ static unsigned int floppy_check_events(struct gendisk *disk, + + if (time_after(jiffies, UDRS->last_checked + UDP->checkfreq)) { + if (lock_fdc(drive)) +- return -EINTR; ++ return 0; + poll_drive(false, 0); + process_fd_request(); + } +-- +2.19.1 + diff --git a/queue-4.19/gpu-ipu-v3-fix-csi-offsets-for-imx53.patch b/queue-4.19/gpu-ipu-v3-fix-csi-offsets-for-imx53.patch new file mode 100644 index 00000000000..eb7fef72766 --- /dev/null +++ b/queue-4.19/gpu-ipu-v3-fix-csi-offsets-for-imx53.patch @@ -0,0 +1,37 @@ +From 00815bee14d100fd9f3ee5314ce6bc2579bcd6f1 Mon Sep 17 00:00:00 2001 +From: Steve Longerbeam +Date: Tue, 16 Oct 2018 17:31:40 -0700 +Subject: gpu: ipu-v3: Fix CSI offsets for imx53 + +[ Upstream commit bb867d219fda7fbaabea3314702474c4eac2b91d ] + +The CSI offsets are wrong for both CSI0 and CSI1. They are at +physical address 0x1e030000 and 0x1e038000 respectively. + +Fixes: 2ffd48f2e7 ("gpu: ipu-v3: Add Camera Sensor Interface unit") + +Signed-off-by: Steve Longerbeam +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/gpu/ipu-v3/ipu-common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c +index 5b7cdbfe062f..0a7d4395d427 100644 +--- a/drivers/gpu/ipu-v3/ipu-common.c ++++ b/drivers/gpu/ipu-v3/ipu-common.c +@@ -914,8 +914,8 @@ static struct ipu_devtype ipu_type_imx53 = { + .cpmem_ofs = 0x07000000, + .srm_ofs = 0x07040000, + .tpm_ofs = 0x07060000, +- .csi0_ofs = 0x07030000, +- .csi1_ofs = 0x07038000, ++ .csi0_ofs = 0x06030000, ++ .csi1_ofs = 0x06038000, + .ic_ofs = 0x06020000, + .disp0_ofs = 0x06040000, + .disp1_ofs = 0x06048000, +-- +2.19.1 + diff --git a/queue-4.19/gpu-ipu-v3-fix-i.mx51-csi-control-registers-offset.patch b/queue-4.19/gpu-ipu-v3-fix-i.mx51-csi-control-registers-offset.patch new file mode 100644 index 00000000000..31644f7f55e --- /dev/null +++ b/queue-4.19/gpu-ipu-v3-fix-i.mx51-csi-control-registers-offset.patch @@ -0,0 +1,38 @@ +From 61a9edef81cc614a40ecff344488fec2b551bd96 Mon Sep 17 00:00:00 2001 +From: Alexander Shiyan +Date: Thu, 20 Dec 2018 11:06:38 +0300 +Subject: gpu: ipu-v3: Fix i.MX51 CSI control registers offset + +[ Upstream commit 2c0408dd0d8906b26fe8023889af7adf5e68b2c2 ] + +The CSI0/CSI1 registers offset is at +0xe030000/+0xe038000 relative +to the control module registers on IPUv3EX. +This patch fixes wrong values for i.MX51 CSI0/CSI1. + +Fixes: 2ffd48f2e7 ("gpu: ipu-v3: Add Camera Sensor Interface unit") + +Signed-off-by: Alexander Shiyan +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/gpu/ipu-v3/ipu-common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c +index 474b00e19697..5b7cdbfe062f 100644 +--- a/drivers/gpu/ipu-v3/ipu-common.c ++++ b/drivers/gpu/ipu-v3/ipu-common.c +@@ -898,8 +898,8 @@ static struct ipu_devtype ipu_type_imx51 = { + .cpmem_ofs = 0x1f000000, + .srm_ofs = 0x1f040000, + .tpm_ofs = 0x1f060000, +- .csi0_ofs = 0x1f030000, +- .csi1_ofs = 0x1f038000, ++ .csi0_ofs = 0x1e030000, ++ .csi1_ofs = 0x1e038000, + .ic_ofs = 0x1e020000, + .disp0_ofs = 0x1e040000, + .disp1_ofs = 0x1e048000, +-- +2.19.1 + diff --git a/queue-4.19/i2c-bcm2835-clear-current-buffer-pointers-and-counts.patch b/queue-4.19/i2c-bcm2835-clear-current-buffer-pointers-and-counts.patch new file mode 100644 index 00000000000..659a162bad8 --- /dev/null +++ b/queue-4.19/i2c-bcm2835-clear-current-buffer-pointers-and-counts.patch @@ -0,0 +1,70 @@ +From 48935f64c1e4da1cdfc183059110fe05dd9cc68c Mon Sep 17 00:00:00 2001 +From: Paul Kocialkowski +Date: Thu, 27 Dec 2018 16:42:25 +0100 +Subject: i2c: bcm2835: Clear current buffer pointers and counts after a + transfer + +[ Upstream commit f275a4659484716259cc46268d9043424e51cf0f ] + +The driver's interrupt handler checks whether a message is currently +being handled with the curr_msg pointer. When it is NULL, the interrupt +is considered to be unexpected. Similarly, the i2c_start_transfer +routine checks for the remaining number of messages to handle in +num_msgs. + +However, these values are never cleared and always keep the message and +number relevant to the latest transfer (which might be done already and +the underlying message memory might have been freed). + +When an unexpected interrupt hits with the DONE bit set, the isr will +then try to access the flags field of the curr_msg structure, leading +to a fatal page fault. + +The msg_buf and msg_buf_remaining fields are also never cleared at the +end of the transfer, which can lead to similar pitfalls. + +Fix these issues by introducing a cleanup function and always calling +it after a transfer is finished. + +Fixes: e2474541032d ("i2c: bcm2835: Fix hang for writing messages larger than 16 bytes") +Signed-off-by: Paul Kocialkowski +Acked-by: Stefan Wahren +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-bcm2835.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/i2c/busses/i2c-bcm2835.c b/drivers/i2c/busses/i2c-bcm2835.c +index 44deae78913e..4d19254f78c8 100644 +--- a/drivers/i2c/busses/i2c-bcm2835.c ++++ b/drivers/i2c/busses/i2c-bcm2835.c +@@ -191,6 +191,15 @@ static void bcm2835_i2c_start_transfer(struct bcm2835_i2c_dev *i2c_dev) + bcm2835_i2c_writel(i2c_dev, BCM2835_I2C_C, c); + } + ++static void bcm2835_i2c_finish_transfer(struct bcm2835_i2c_dev *i2c_dev) ++{ ++ i2c_dev->curr_msg = NULL; ++ i2c_dev->num_msgs = 0; ++ ++ i2c_dev->msg_buf = NULL; ++ i2c_dev->msg_buf_remaining = 0; ++} ++ + /* + * Note about I2C_C_CLEAR on error: + * The I2C_C_CLEAR on errors will take some time to resolve -- if you were in +@@ -291,6 +300,9 @@ static int bcm2835_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], + + time_left = wait_for_completion_timeout(&i2c_dev->completion, + adap->timeout); ++ ++ bcm2835_i2c_finish_transfer(i2c_dev); ++ + if (!time_left) { + bcm2835_i2c_writel(i2c_dev, BCM2835_I2C_C, + BCM2835_I2C_C_CLEAR); +-- +2.19.1 + diff --git a/queue-4.19/i2c-cadence-fix-the-hold-bit-setting.patch b/queue-4.19/i2c-cadence-fix-the-hold-bit-setting.patch new file mode 100644 index 00000000000..e9b6f7092fb --- /dev/null +++ b/queue-4.19/i2c-cadence-fix-the-hold-bit-setting.patch @@ -0,0 +1,56 @@ +From 4bddcfa82d1ef25384495eed0c8d54c1077ff1c6 Mon Sep 17 00:00:00 2001 +From: Shubhrajyoti Datta +Date: Tue, 5 Feb 2019 16:42:53 +0530 +Subject: i2c: cadence: Fix the hold bit setting + +[ Upstream commit d358def706880defa4c9e87381c5bf086a97d5f9 ] + +In case the hold bit is not needed we are carrying the old values. +Fix the same by resetting the bit when not needed. + +Fixes the sporadic i2c bus lockups on National Instruments +Zynq-based devices. + +Fixes: df8eb5691c48 ("i2c: Add driver for Cadence I2C controller") +Reported-by: Kyle Roeschley +Acked-by: Michal Simek +Signed-off-by: Shubhrajyoti Datta +Tested-by: Kyle Roeschley +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-cadence.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c +index b13605718291..d917cefc5a19 100644 +--- a/drivers/i2c/busses/i2c-cadence.c ++++ b/drivers/i2c/busses/i2c-cadence.c +@@ -382,8 +382,10 @@ static void cdns_i2c_mrecv(struct cdns_i2c *id) + * Check for the message size against FIFO depth and set the + * 'hold bus' bit if it is greater than FIFO depth. + */ +- if (id->recv_count > CDNS_I2C_FIFO_DEPTH) ++ if ((id->recv_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag) + ctrl_reg |= CDNS_I2C_CR_HOLD; ++ else ++ ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD; + + cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET); + +@@ -440,8 +442,11 @@ static void cdns_i2c_msend(struct cdns_i2c *id) + * Check for the message size against FIFO depth and set the + * 'hold bus' bit if it is greater than FIFO depth. + */ +- if (id->send_count > CDNS_I2C_FIFO_DEPTH) ++ if ((id->send_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag) + ctrl_reg |= CDNS_I2C_CR_HOLD; ++ else ++ ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD; ++ + cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET); + + /* Clear the interrupts in interrupt status register. */ +-- +2.19.1 + diff --git a/queue-4.19/input-cap11xx-switch-to-using-set_brightness_blockin.patch b/queue-4.19/input-cap11xx-switch-to-using-set_brightness_blockin.patch new file mode 100644 index 00000000000..7e19aa10812 --- /dev/null +++ b/queue-4.19/input-cap11xx-switch-to-using-set_brightness_blockin.patch @@ -0,0 +1,101 @@ +From e8607574ce925b5a1042a41777e74a80aeddae08 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Tue, 5 Feb 2019 13:52:26 -0800 +Subject: Input: cap11xx - switch to using set_brightness_blocking() + +[ Upstream commit 628442880af8c201d307a45f3862a7a17df8a189 ] + +Updating LED state requires access to regmap and therefore we may sleep, +so we could not do that directly form set_brightness() method. +Historically we used private work to adjust the brightness, but with the +introduction of set_brightness_blocking() we no longer need it. + +As a bonus, not having our own work item means we do not have +use-after-free issue as we neglected to cancel outstanding work on +driver unbind. + +Reported-by: Sven Van Asbroeck +Reviewed-by: Sven Van Asbroeck +Acked-by: Jacek Anaszewski +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/cap11xx.c | 35 ++++++++++---------------------- + 1 file changed, 11 insertions(+), 24 deletions(-) + +diff --git a/drivers/input/keyboard/cap11xx.c b/drivers/input/keyboard/cap11xx.c +index 312916f99597..73686c2460ce 100644 +--- a/drivers/input/keyboard/cap11xx.c ++++ b/drivers/input/keyboard/cap11xx.c +@@ -75,9 +75,7 @@ + struct cap11xx_led { + struct cap11xx_priv *priv; + struct led_classdev cdev; +- struct work_struct work; + u32 reg; +- enum led_brightness new_brightness; + }; + #endif + +@@ -233,30 +231,21 @@ static void cap11xx_input_close(struct input_dev *idev) + } + + #ifdef CONFIG_LEDS_CLASS +-static void cap11xx_led_work(struct work_struct *work) ++static int cap11xx_led_set(struct led_classdev *cdev, ++ enum led_brightness value) + { +- struct cap11xx_led *led = container_of(work, struct cap11xx_led, work); ++ struct cap11xx_led *led = container_of(cdev, struct cap11xx_led, cdev); + struct cap11xx_priv *priv = led->priv; +- int value = led->new_brightness; + + /* +- * All LEDs share the same duty cycle as this is a HW limitation. +- * Brightness levels per LED are either 0 (OFF) and 1 (ON). ++ * All LEDs share the same duty cycle as this is a HW ++ * limitation. Brightness levels per LED are either ++ * 0 (OFF) and 1 (ON). + */ +- regmap_update_bits(priv->regmap, CAP11XX_REG_LED_OUTPUT_CONTROL, +- BIT(led->reg), value ? BIT(led->reg) : 0); +-} +- +-static void cap11xx_led_set(struct led_classdev *cdev, +- enum led_brightness value) +-{ +- struct cap11xx_led *led = container_of(cdev, struct cap11xx_led, cdev); +- +- if (led->new_brightness == value) +- return; +- +- led->new_brightness = value; +- schedule_work(&led->work); ++ return regmap_update_bits(priv->regmap, ++ CAP11XX_REG_LED_OUTPUT_CONTROL, ++ BIT(led->reg), ++ value ? BIT(led->reg) : 0); + } + + static int cap11xx_init_leds(struct device *dev, +@@ -299,7 +288,7 @@ static int cap11xx_init_leds(struct device *dev, + led->cdev.default_trigger = + of_get_property(child, "linux,default-trigger", NULL); + led->cdev.flags = 0; +- led->cdev.brightness_set = cap11xx_led_set; ++ led->cdev.brightness_set_blocking = cap11xx_led_set; + led->cdev.max_brightness = 1; + led->cdev.brightness = LED_OFF; + +@@ -312,8 +301,6 @@ static int cap11xx_init_leds(struct device *dev, + led->reg = reg; + led->priv = priv; + +- INIT_WORK(&led->work, cap11xx_led_work); +- + error = devm_led_classdev_register(dev, &led->cdev); + if (error) { + of_node_put(child); +-- +2.19.1 + diff --git a/queue-4.19/input-matrix_keypad-use-flush_delayed_work.patch b/queue-4.19/input-matrix_keypad-use-flush_delayed_work.patch new file mode 100644 index 00000000000..099116d2fa1 --- /dev/null +++ b/queue-4.19/input-matrix_keypad-use-flush_delayed_work.patch @@ -0,0 +1,34 @@ +From 0639ac1cd4087f1d37df387fedff14f40f9858ae Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Thu, 7 Feb 2019 14:39:40 -0800 +Subject: Input: matrix_keypad - use flush_delayed_work() + +[ Upstream commit a342083abe576db43594a32d458a61fa81f7cb32 ] + +We should be using flush_delayed_work() instead of flush_work() in +matrix_keypad_stop() to ensure that we are not missing work that is +scheduled but not yet put in the workqueue (i.e. its delay timer has not +expired yet). + +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/matrix_keypad.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/keyboard/matrix_keypad.c b/drivers/input/keyboard/matrix_keypad.c +index 403452ef00e6..3d1cb7bf5e35 100644 +--- a/drivers/input/keyboard/matrix_keypad.c ++++ b/drivers/input/keyboard/matrix_keypad.c +@@ -222,7 +222,7 @@ static void matrix_keypad_stop(struct input_dev *dev) + keypad->stopped = true; + spin_unlock_irq(&keypad->lock); + +- flush_work(&keypad->work.work); ++ flush_delayed_work(&keypad->work); + /* + * matrix_keypad_scan() will leave IRQs enabled; + * we should disable them now. +-- +2.19.1 + diff --git a/queue-4.19/input-ps2-gpio-flush-tx-work-when-closing-port.patch b/queue-4.19/input-ps2-gpio-flush-tx-work-when-closing-port.patch new file mode 100644 index 00000000000..81d2443081f --- /dev/null +++ b/queue-4.19/input-ps2-gpio-flush-tx-work-when-closing-port.patch @@ -0,0 +1,34 @@ +From 16b5acd3ecfdb2b19e4d98386da17dcf0f92c28a Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Thu, 7 Feb 2019 14:22:42 -0800 +Subject: Input: ps2-gpio - flush TX work when closing port + +[ Upstream commit 33a841ce5cef4ca6c18ad333248b6d273f54c839 ] + +To ensure that TX work is not running after serio port has been torn down, +let's flush it when closing the port. + +Reported-by: Sven Van Asbroeck +Acked-by: Danilo Krummrich +Reviewed-by: Sven Van Asbroeck +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/ps2-gpio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/input/serio/ps2-gpio.c b/drivers/input/serio/ps2-gpio.c +index c62cceb97bb1..5e8d8384aa2a 100644 +--- a/drivers/input/serio/ps2-gpio.c ++++ b/drivers/input/serio/ps2-gpio.c +@@ -76,6 +76,7 @@ static void ps2_gpio_close(struct serio *serio) + { + struct ps2_gpio_data *drvdata = serio->port_data; + ++ flush_delayed_work(&drvdata->tx_work); + disable_irq(drvdata->irq); + } + +-- +2.19.1 + diff --git a/queue-4.19/input-pwm-vibra-prevent-unbalanced-regulator.patch b/queue-4.19/input-pwm-vibra-prevent-unbalanced-regulator.patch new file mode 100644 index 00000000000..bf818a14ac1 --- /dev/null +++ b/queue-4.19/input-pwm-vibra-prevent-unbalanced-regulator.patch @@ -0,0 +1,67 @@ +From a1b958551a9e326ba93e6d6c15db3992ee09f9db Mon Sep 17 00:00:00 2001 +From: Jonathan Bakker +Date: Mon, 28 Jan 2019 11:13:01 -0800 +Subject: Input: pwm-vibra - prevent unbalanced regulator +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 3ca232df9921f083c3b37ba5fbc76f4d9046268b ] + +pwm_vibrator_stop disables the regulator, but it can be called from +multiple places, even when the regulator is already disabled. Fix this +by using regulator_is_enabled check when starting and stopping device. + +Signed-off-by: Jonathan Bakker +Signed-off-by: Paweł Chmiel +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/misc/pwm-vibra.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/drivers/input/misc/pwm-vibra.c b/drivers/input/misc/pwm-vibra.c +index 55da191ae550..9df87431d7d4 100644 +--- a/drivers/input/misc/pwm-vibra.c ++++ b/drivers/input/misc/pwm-vibra.c +@@ -34,6 +34,7 @@ struct pwm_vibrator { + struct work_struct play_work; + u16 level; + u32 direction_duty_cycle; ++ bool vcc_on; + }; + + static int pwm_vibrator_start(struct pwm_vibrator *vibrator) +@@ -42,10 +43,13 @@ static int pwm_vibrator_start(struct pwm_vibrator *vibrator) + struct pwm_state state; + int err; + +- err = regulator_enable(vibrator->vcc); +- if (err) { +- dev_err(pdev, "failed to enable regulator: %d", err); +- return err; ++ if (!vibrator->vcc_on) { ++ err = regulator_enable(vibrator->vcc); ++ if (err) { ++ dev_err(pdev, "failed to enable regulator: %d", err); ++ return err; ++ } ++ vibrator->vcc_on = true; + } + + pwm_get_state(vibrator->pwm, &state); +@@ -76,7 +80,10 @@ static int pwm_vibrator_start(struct pwm_vibrator *vibrator) + + static void pwm_vibrator_stop(struct pwm_vibrator *vibrator) + { +- regulator_disable(vibrator->vcc); ++ if (vibrator->vcc_on) { ++ regulator_disable(vibrator->vcc); ++ vibrator->vcc_on = false; ++ } + + if (vibrator->pwm_dir) + pwm_disable(vibrator->pwm_dir); +-- +2.19.1 + diff --git a/queue-4.19/input-pwm-vibra-stop-regulator-after-disabling-pwm-n.patch b/queue-4.19/input-pwm-vibra-stop-regulator-after-disabling-pwm-n.patch new file mode 100644 index 00000000000..578c738505c --- /dev/null +++ b/queue-4.19/input-pwm-vibra-stop-regulator-after-disabling-pwm-n.patch @@ -0,0 +1,49 @@ +From 6f08ef83e07c6604bfb21e2a42c546fe81adb7bd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pawe=C5=82=20Chmiel?= +Date: Mon, 28 Jan 2019 11:13:34 -0800 +Subject: Input: pwm-vibra - stop regulator after disabling pwm, not before +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 94803aef3533676194c772383472636c453e3147 ] + +This patch fixes order of disable calls in pwm_vibrator_stop. +Currently when starting device, we first enable vcc regulator and then +setup and enable pwm. When stopping, we should do this in oposite order, +so first disable pwm and then disable regulator. +Previously order was the same as in start. + +Signed-off-by: Paweł Chmiel +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/misc/pwm-vibra.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/input/misc/pwm-vibra.c b/drivers/input/misc/pwm-vibra.c +index 9df87431d7d4..dbb6d9e1b947 100644 +--- a/drivers/input/misc/pwm-vibra.c ++++ b/drivers/input/misc/pwm-vibra.c +@@ -80,14 +80,14 @@ static int pwm_vibrator_start(struct pwm_vibrator *vibrator) + + static void pwm_vibrator_stop(struct pwm_vibrator *vibrator) + { ++ if (vibrator->pwm_dir) ++ pwm_disable(vibrator->pwm_dir); ++ pwm_disable(vibrator->pwm); ++ + if (vibrator->vcc_on) { + regulator_disable(vibrator->vcc); + vibrator->vcc_on = false; + } +- +- if (vibrator->pwm_dir) +- pwm_disable(vibrator->pwm_dir); +- pwm_disable(vibrator->pwm); + } + + static void pwm_vibrator_play_work(struct work_struct *work) +-- +2.19.1 + diff --git a/queue-4.19/input-st-keyscan-fix-potential-zalloc-null-dereferen.patch b/queue-4.19/input-st-keyscan-fix-potential-zalloc-null-dereferen.patch new file mode 100644 index 00000000000..40b16358c98 --- /dev/null +++ b/queue-4.19/input-st-keyscan-fix-potential-zalloc-null-dereferen.patch @@ -0,0 +1,45 @@ +From ee88433878c904af74cd1605f108f7621e1f66a9 Mon Sep 17 00:00:00 2001 +From: Gabriel Fernandez +Date: Sat, 16 Feb 2019 21:10:16 -0800 +Subject: Input: st-keyscan - fix potential zalloc NULL dereference + +[ Upstream commit 2439d37e1bf8a34d437573c086572abe0f3f1b15 ] + +This patch fixes the following static checker warning: + +drivers/input/keyboard/st-keyscan.c:156 keyscan_probe() +error: potential zalloc NULL dereference: 'keypad_data->input_dev' + +Reported-by: Dan Carpenter +Signed-off-by: Gabriel Fernandez +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/st-keyscan.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/input/keyboard/st-keyscan.c b/drivers/input/keyboard/st-keyscan.c +index babcfb165e4f..3b85631fde91 100644 +--- a/drivers/input/keyboard/st-keyscan.c ++++ b/drivers/input/keyboard/st-keyscan.c +@@ -153,6 +153,8 @@ static int keyscan_probe(struct platform_device *pdev) + + input_dev->id.bustype = BUS_HOST; + ++ keypad_data->input_dev = input_dev; ++ + error = keypad_matrix_key_parse_dt(keypad_data); + if (error) + return error; +@@ -168,8 +170,6 @@ static int keyscan_probe(struct platform_device *pdev) + + input_set_drvdata(input_dev, keypad_data); + +- keypad_data->input_dev = input_dev; +- + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + keypad_data->base = devm_ioremap_resource(&pdev->dev, res); + if (IS_ERR(keypad_data->base)) +-- +2.19.1 + diff --git a/queue-4.19/ipvs-fix-dependency-on-nf_defrag_ipv6.patch b/queue-4.19/ipvs-fix-dependency-on-nf_defrag_ipv6.patch new file mode 100644 index 00000000000..e5fa849c775 --- /dev/null +++ b/queue-4.19/ipvs-fix-dependency-on-nf_defrag_ipv6.patch @@ -0,0 +1,109 @@ +From 69c4571e9ff6e3573fedab4c14a4f7f33f3cf52b Mon Sep 17 00:00:00 2001 +From: Andrea Claudi +Date: Mon, 11 Feb 2019 16:14:39 +0100 +Subject: ipvs: fix dependency on nf_defrag_ipv6 + +[ Upstream commit 098e13f5b21d3398065fce8780f07a3ef62f4812 ] + +ipvs relies on nf_defrag_ipv6 module to manage IPv6 fragmentation, +but lacks proper Kconfig dependencies and does not explicitly +request defrag features. + +As a result, if netfilter hooks are not loaded, when IPv6 fragmented +packet are handled by ipvs only the first fragment makes through. + +Fix it properly declaring the dependency on Kconfig and registering +netfilter hooks on ip_vs_add_service() and ip_vs_new_dest(). + +Reported-by: Li Shuang +Signed-off-by: Andrea Claudi +Acked-by: Julian Anastasov +Acked-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/Kconfig | 1 + + net/netfilter/ipvs/ip_vs_core.c | 10 ++++------ + net/netfilter/ipvs/ip_vs_ctl.c | 10 ++++++++++ + 3 files changed, 15 insertions(+), 6 deletions(-) + +diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig +index cad48d07c818..8401cefd9f65 100644 +--- a/net/netfilter/ipvs/Kconfig ++++ b/net/netfilter/ipvs/Kconfig +@@ -29,6 +29,7 @@ config IP_VS_IPV6 + bool "IPv6 support for IPVS" + depends on IPV6 = y || IP_VS = IPV6 + select IP6_NF_IPTABLES ++ select NF_DEFRAG_IPV6 + ---help--- + Add IPv6 support to IPVS. + +diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c +index 7ca926a03b81..3f963ea22277 100644 +--- a/net/netfilter/ipvs/ip_vs_core.c ++++ b/net/netfilter/ipvs/ip_vs_core.c +@@ -1536,14 +1536,12 @@ ip_vs_try_to_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb, + /* sorry, all this trouble for a no-hit :) */ + IP_VS_DBG_PKT(12, af, pp, skb, iph->off, + "ip_vs_in: packet continues traversal as normal"); +- if (iph->fragoffs) { +- /* Fragment that couldn't be mapped to a conn entry +- * is missing module nf_defrag_ipv6 +- */ +- IP_VS_DBG_RL("Unhandled frag, load nf_defrag_ipv6\n"); ++ ++ /* Fragment couldn't be mapped to a conn entry */ ++ if (iph->fragoffs) + IP_VS_DBG_PKT(7, af, pp, skb, iph->off, + "unhandled fragment"); +- } ++ + *verdict = NF_ACCEPT; + return 0; + } +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 55a77314340a..8fd8d06454d6 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -43,6 +43,7 @@ + #ifdef CONFIG_IP_VS_IPV6 + #include + #include ++#include + #endif + #include + #include +@@ -895,6 +896,7 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest, + { + struct ip_vs_dest *dest; + unsigned int atype, i; ++ int ret = 0; + + EnterFunction(2); + +@@ -905,6 +907,10 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest, + atype & IPV6_ADDR_LINKLOCAL) && + !__ip_vs_addr_is_local_v6(svc->ipvs->net, &udest->addr.in6)) + return -EINVAL; ++ ++ ret = nf_defrag_ipv6_enable(svc->ipvs->net); ++ if (ret) ++ return ret; + } else + #endif + { +@@ -1228,6 +1234,10 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u, + ret = -EINVAL; + goto out_err; + } ++ ++ ret = nf_defrag_ipv6_enable(ipvs->net); ++ if (ret) ++ goto out_err; + } + #endif + +-- +2.19.1 + diff --git a/queue-4.19/ixgbe-fix-older-devices-that-do-not-support-ixgbe_mr.patch b/queue-4.19/ixgbe-fix-older-devices-that-do-not-support-ixgbe_mr.patch new file mode 100644 index 00000000000..3f6d2682d2b --- /dev/null +++ b/queue-4.19/ixgbe-fix-older-devices-that-do-not-support-ixgbe_mr.patch @@ -0,0 +1,41 @@ +From 6845dea6d24928857b9c2740ed20aa73e1d07635 Mon Sep 17 00:00:00 2001 +From: Jeff Kirsher +Date: Mon, 28 Jan 2019 09:45:01 -0800 +Subject: ixgbe: fix older devices that do not support IXGBE_MRQC_L3L4TXSWEN + +[ Upstream commit 156a67a9065e3339be85f811d1b13b920e50d73b ] + +The enabling L3/L4 filtering for transmit switched packets for all +devices caused unforeseen issue on older devices when trying to send UDP +traffic in an ordered sequence. This bit was originally intended for X550 +devices, which supported this feature, so limit the scope of this bit to +only X550 devices. + +Signed-off-by: Jeff Kirsher +Tested-by: Andrew Bowers +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +index 6cdd58d9d461..410d5d3aa393 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -3924,8 +3924,11 @@ static void ixgbe_setup_mrqc(struct ixgbe_adapter *adapter) + else + mrqc = IXGBE_MRQC_VMDQRSS64EN; + +- /* Enable L3/L4 for Tx Switched packets */ +- mrqc |= IXGBE_MRQC_L3L4TXSWEN; ++ /* Enable L3/L4 for Tx Switched packets only for X550, ++ * older devices do not support this feature ++ */ ++ if (hw->mac.type >= ixgbe_mac_X550) ++ mrqc |= IXGBE_MRQC_L3L4TXSWEN; + } else { + if (tcs > 4) + mrqc = IXGBE_MRQC_RTRSS8TCEN; +-- +2.19.1 + diff --git a/queue-4.19/kallsyms-handle-too-long-symbols-in-kallsyms.c.patch b/queue-4.19/kallsyms-handle-too-long-symbols-in-kallsyms.c.patch new file mode 100644 index 00000000000..6b12c21b921 --- /dev/null +++ b/queue-4.19/kallsyms-handle-too-long-symbols-in-kallsyms.c.patch @@ -0,0 +1,37 @@ +From 9cf4ceebcf06a336d33666e6120b11afe2613eb3 Mon Sep 17 00:00:00 2001 +From: Eugene Loh +Date: Thu, 17 Jan 2019 14:46:00 -0800 +Subject: kallsyms: Handle too long symbols in kallsyms.c + +[ Upstream commit 6db2983cd8064808141ccefd75218f5b4345ffae ] + +When checking for symbols with excessively long names, +account for null terminating character. + +Fixes: f3462aa952cf ("Kbuild: Handle longer symbols in kallsyms.c") +Signed-off-by: Eugene Loh +Acked-by: Ard Biesheuvel +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kallsyms.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c +index a9186a98a37d..0c9c54b57515 100644 +--- a/scripts/kallsyms.c ++++ b/scripts/kallsyms.c +@@ -120,8 +120,8 @@ static int read_symbol(FILE *in, struct sym_entry *s) + fprintf(stderr, "Read error or end of file.\n"); + return -1; + } +- if (strlen(sym) > KSYM_NAME_LEN) { +- fprintf(stderr, "Symbol %s too long for kallsyms (%zu vs %d).\n" ++ if (strlen(sym) >= KSYM_NAME_LEN) { ++ fprintf(stderr, "Symbol %s too long for kallsyms (%zu >= %d).\n" + "Please increase KSYM_NAME_LEN both in kernel and kallsyms.c\n", + sym, strlen(sym), KSYM_NAME_LEN); + return -1; +-- +2.19.1 + diff --git a/queue-4.19/kasan-slab-fix-conflicts-with-config_hardened_userco.patch b/queue-4.19/kasan-slab-fix-conflicts-with-config_hardened_userco.patch new file mode 100644 index 00000000000..fd37bcff49f --- /dev/null +++ b/queue-4.19/kasan-slab-fix-conflicts-with-config_hardened_userco.patch @@ -0,0 +1,44 @@ +From e59823590ea9e0081abaf0816ea774bed96757ac Mon Sep 17 00:00:00 2001 +From: Andrey Konovalov +Date: Wed, 20 Feb 2019 22:20:25 -0800 +Subject: kasan, slab: fix conflicts with CONFIG_HARDENED_USERCOPY + +[ Upstream commit 219667c23c68eb3dbc0d5662b9246f28477fe529 ] + +Similarly to commit 96fedce27e13 ("kasan: make tag based mode work with +CONFIG_HARDENED_USERCOPY"), we need to reset pointer tags in +__check_heap_object() in mm/slab.c before doing any pointer math. + +Link: http://lkml.kernel.org/r/9a5c0f958db10e69df5ff9f2b997866b56b7effc.1550602886.git.andreyknvl@google.com +Signed-off-by: Andrey Konovalov +Tested-by: Qian Cai +Cc: Alexander Potapenko +Cc: Andrey Ryabinin +Cc: Catalin Marinas +Cc: Dmitry Vyukov +Cc: Evgeniy Stepanov +Cc: Kostya Serebryany +Cc: Vincenzo Frascino +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/slab.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/mm/slab.c b/mm/slab.c +index fad6839e8eab..813bd89c263b 100644 +--- a/mm/slab.c ++++ b/mm/slab.c +@@ -4421,6 +4421,8 @@ void __check_heap_object(const void *ptr, unsigned long n, struct page *page, + unsigned int objnr; + unsigned long offset; + ++ ptr = kasan_reset_tag(ptr); ++ + /* Find and validate object. */ + cachep = page->slab_cache; + objnr = obj_to_index(cachep, page, (void *)ptr); +-- +2.19.1 + diff --git a/queue-4.19/kasan-slub-move-kasan_poison_slab-hook-before-page_a.patch b/queue-4.19/kasan-slub-move-kasan_poison_slab-hook-before-page_a.patch new file mode 100644 index 00000000000..6cb0e179768 --- /dev/null +++ b/queue-4.19/kasan-slub-move-kasan_poison_slab-hook-before-page_a.patch @@ -0,0 +1,86 @@ +From 84986e6bcd937ac6402c7061f4d0cd28f73e6087 Mon Sep 17 00:00:00 2001 +From: Andrey Konovalov +Date: Wed, 20 Feb 2019 22:19:23 -0800 +Subject: kasan, slub: move kasan_poison_slab hook before page_address + +[ Upstream commit a71012242837fe5e67d8c999cfc357174ed5dba0 ] + +With tag based KASAN page_address() looks at the page flags to see whether +the resulting pointer needs to have a tag set. Since we don't want to set +a tag when page_address() is called on SLAB pages, we call +page_kasan_tag_reset() in kasan_poison_slab(). However in allocate_slab() +page_address() is called before kasan_poison_slab(). Fix it by changing +the order. + +[andreyknvl@google.com: fix compilation error when CONFIG_SLUB_DEBUG=n] + Link: http://lkml.kernel.org/r/ac27cc0bbaeb414ed77bcd6671a877cf3546d56e.1550066133.git.andreyknvl@google.com +Link: http://lkml.kernel.org/r/cd895d627465a3f1c712647072d17f10883be2a1.1549921721.git.andreyknvl@google.com +Signed-off-by: Andrey Konovalov +Cc: Alexander Potapenko +Cc: Andrey Ryabinin +Cc: Catalin Marinas +Cc: Christoph Lameter +Cc: David Rientjes +Cc: Dmitry Vyukov +Cc: Evgeniy Stepanov +Cc: Joonsoo Kim +Cc: Kostya Serebryany +Cc: Pekka Enberg +Cc: Qian Cai +Cc: Vincenzo Frascino +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/slub.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/mm/slub.c b/mm/slub.c +index 8da34a8af53d..7666cff34bfb 100644 +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -1075,6 +1075,16 @@ static void setup_object_debug(struct kmem_cache *s, struct page *page, + init_tracking(s, object); + } + ++static void setup_page_debug(struct kmem_cache *s, void *addr, int order) ++{ ++ if (!(s->flags & SLAB_POISON)) ++ return; ++ ++ metadata_access_enable(); ++ memset(addr, POISON_INUSE, PAGE_SIZE << order); ++ metadata_access_disable(); ++} ++ + static inline int alloc_consistency_checks(struct kmem_cache *s, + struct page *page, + void *object, unsigned long addr) +@@ -1292,6 +1302,8 @@ slab_flags_t kmem_cache_flags(unsigned int object_size, + #else /* !CONFIG_SLUB_DEBUG */ + static inline void setup_object_debug(struct kmem_cache *s, + struct page *page, void *object) {} ++static inline void setup_page_debug(struct kmem_cache *s, ++ void *addr, int order) {} + + static inline int alloc_debug_processing(struct kmem_cache *s, + struct page *page, void *object, unsigned long addr) { return 0; } +@@ -1602,12 +1614,11 @@ static struct page *allocate_slab(struct kmem_cache *s, gfp_t flags, int node) + if (page_is_pfmemalloc(page)) + SetPageSlabPfmemalloc(page); + +- start = page_address(page); ++ kasan_poison_slab(page); + +- if (unlikely(s->flags & SLAB_POISON)) +- memset(start, POISON_INUSE, PAGE_SIZE << order); ++ start = page_address(page); + +- kasan_poison_slab(page); ++ setup_page_debug(s, start, order); + + shuffle = shuffle_freelist(s, page); + +-- +2.19.1 + diff --git a/queue-4.19/keys-fix-dependency-loop-between-construction-record.patch b/queue-4.19/keys-fix-dependency-loop-between-construction-record.patch new file mode 100644 index 00000000000..afcb750b3a8 --- /dev/null +++ b/queue-4.19/keys-fix-dependency-loop-between-construction-record.patch @@ -0,0 +1,531 @@ +From 18d32b3ab53bcfe7ed9240ccbba9621112d11d9f Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Thu, 14 Feb 2019 16:20:25 +0000 +Subject: keys: Fix dependency loop between construction record and auth key + +[ Upstream commit 822ad64d7e46a8e2c8b8a796738d7b657cbb146d ] + +In the request_key() upcall mechanism there's a dependency loop by which if +a key type driver overrides the ->request_key hook and the userspace side +manages to lose the authorisation key, the auth key and the internal +construction record (struct key_construction) can keep each other pinned. + +Fix this by the following changes: + + (1) Killing off the construction record and using the auth key instead. + + (2) Including the operation name in the auth key payload and making the + payload available outside of security/keys/. + + (3) The ->request_key hook is given the authkey instead of the cons + record and operation name. + +Changes (2) and (3) allow the auth key to naturally be cleaned up if the +keyring it is in is destroyed or cleared or the auth key is unlinked. + +Fixes: 7ee02a316600 ("keys: Fix dependency loop between construction record and auth key") +Signed-off-by: David Howells +Signed-off-by: James Morris +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4idmap.c | 31 ++++++------ + include/keys/request_key_auth-type.h | 36 ++++++++++++++ + include/linux/key-type.h | 22 +++------ + security/keys/internal.h | 13 +---- + security/keys/keyctl.c | 1 + + security/keys/process_keys.c | 1 + + security/keys/request_key.c | 72 +++++++++++----------------- + security/keys/request_key_auth.c | 16 ++++--- + 8 files changed, 100 insertions(+), 92 deletions(-) + create mode 100644 include/keys/request_key_auth-type.h + +diff --git a/fs/nfs/nfs4idmap.c b/fs/nfs/nfs4idmap.c +index 3f23b6840547..bf34ddaa2ad7 100644 +--- a/fs/nfs/nfs4idmap.c ++++ b/fs/nfs/nfs4idmap.c +@@ -44,6 +44,7 @@ + #include + #include + #include ++#include + #include + + #include "internal.h" +@@ -59,7 +60,7 @@ static struct key_type key_type_id_resolver_legacy; + struct idmap_legacy_upcalldata { + struct rpc_pipe_msg pipe_msg; + struct idmap_msg idmap_msg; +- struct key_construction *key_cons; ++ struct key *authkey; + struct idmap *idmap; + }; + +@@ -384,7 +385,7 @@ static const match_table_t nfs_idmap_tokens = { + { Opt_find_err, NULL } + }; + +-static int nfs_idmap_legacy_upcall(struct key_construction *, const char *, void *); ++static int nfs_idmap_legacy_upcall(struct key *, void *); + static ssize_t idmap_pipe_downcall(struct file *, const char __user *, + size_t); + static void idmap_release_pipe(struct inode *); +@@ -549,11 +550,12 @@ nfs_idmap_prepare_pipe_upcall(struct idmap *idmap, + static void + nfs_idmap_complete_pipe_upcall_locked(struct idmap *idmap, int ret) + { +- struct key_construction *cons = idmap->idmap_upcall_data->key_cons; ++ struct key *authkey = idmap->idmap_upcall_data->authkey; + + kfree(idmap->idmap_upcall_data); + idmap->idmap_upcall_data = NULL; +- complete_request_key(cons, ret); ++ complete_request_key(authkey, ret); ++ key_put(authkey); + } + + static void +@@ -563,15 +565,14 @@ nfs_idmap_abort_pipe_upcall(struct idmap *idmap, int ret) + nfs_idmap_complete_pipe_upcall_locked(idmap, ret); + } + +-static int nfs_idmap_legacy_upcall(struct key_construction *cons, +- const char *op, +- void *aux) ++static int nfs_idmap_legacy_upcall(struct key *authkey, void *aux) + { + struct idmap_legacy_upcalldata *data; ++ struct request_key_auth *rka = get_request_key_auth(authkey); + struct rpc_pipe_msg *msg; + struct idmap_msg *im; + struct idmap *idmap = (struct idmap *)aux; +- struct key *key = cons->key; ++ struct key *key = rka->target_key; + int ret = -ENOKEY; + + if (!aux) +@@ -586,7 +587,7 @@ static int nfs_idmap_legacy_upcall(struct key_construction *cons, + msg = &data->pipe_msg; + im = &data->idmap_msg; + data->idmap = idmap; +- data->key_cons = cons; ++ data->authkey = key_get(authkey); + + ret = nfs_idmap_prepare_message(key->description, idmap, im, msg); + if (ret < 0) +@@ -604,7 +605,7 @@ static int nfs_idmap_legacy_upcall(struct key_construction *cons, + out2: + kfree(data); + out1: +- complete_request_key(cons, ret); ++ complete_request_key(authkey, ret); + return ret; + } + +@@ -651,9 +652,10 @@ out: + static ssize_t + idmap_pipe_downcall(struct file *filp, const char __user *src, size_t mlen) + { ++ struct request_key_auth *rka; + struct rpc_inode *rpci = RPC_I(file_inode(filp)); + struct idmap *idmap = (struct idmap *)rpci->private; +- struct key_construction *cons; ++ struct key *authkey; + struct idmap_msg im; + size_t namelen_in; + int ret = -ENOKEY; +@@ -665,7 +667,8 @@ idmap_pipe_downcall(struct file *filp, const char __user *src, size_t mlen) + if (idmap->idmap_upcall_data == NULL) + goto out_noupcall; + +- cons = idmap->idmap_upcall_data->key_cons; ++ authkey = idmap->idmap_upcall_data->authkey; ++ rka = get_request_key_auth(authkey); + + if (mlen != sizeof(im)) { + ret = -ENOSPC; +@@ -690,9 +693,9 @@ idmap_pipe_downcall(struct file *filp, const char __user *src, size_t mlen) + + ret = nfs_idmap_read_and_verify_message(&im, + &idmap->idmap_upcall_data->idmap_msg, +- cons->key, cons->authkey); ++ rka->target_key, authkey); + if (ret >= 0) { +- key_set_timeout(cons->key, nfs_idmap_cache_timeout); ++ key_set_timeout(rka->target_key, nfs_idmap_cache_timeout); + ret = mlen; + } + +diff --git a/include/keys/request_key_auth-type.h b/include/keys/request_key_auth-type.h +new file mode 100644 +index 000000000000..a726dd3f1dc6 +--- /dev/null ++++ b/include/keys/request_key_auth-type.h +@@ -0,0 +1,36 @@ ++/* request_key authorisation token key type ++ * ++ * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved. ++ * Written by David Howells (dhowells@redhat.com) ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public Licence ++ * as published by the Free Software Foundation; either version ++ * 2 of the Licence, or (at your option) any later version. ++ */ ++ ++#ifndef _KEYS_REQUEST_KEY_AUTH_TYPE_H ++#define _KEYS_REQUEST_KEY_AUTH_TYPE_H ++ ++#include ++ ++/* ++ * Authorisation record for request_key(). ++ */ ++struct request_key_auth { ++ struct key *target_key; ++ struct key *dest_keyring; ++ const struct cred *cred; ++ void *callout_info; ++ size_t callout_len; ++ pid_t pid; ++ char op[8]; ++} __randomize_layout; ++ ++static inline struct request_key_auth *get_request_key_auth(const struct key *key) ++{ ++ return key->payload.data[0]; ++} ++ ++ ++#endif /* _KEYS_REQUEST_KEY_AUTH_TYPE_H */ +diff --git a/include/linux/key-type.h b/include/linux/key-type.h +index 05d8fb5a06c4..d3c5ae8ad498 100644 +--- a/include/linux/key-type.h ++++ b/include/linux/key-type.h +@@ -17,15 +17,6 @@ + + #ifdef CONFIG_KEYS + +-/* +- * key under-construction record +- * - passed to the request_key actor if supplied +- */ +-struct key_construction { +- struct key *key; /* key being constructed */ +- struct key *authkey;/* authorisation for key being constructed */ +-}; +- + /* + * Pre-parsed payload, used by key add, update and instantiate. + * +@@ -47,8 +38,7 @@ struct key_preparsed_payload { + time64_t expiry; /* Expiry time of key */ + } __randomize_layout; + +-typedef int (*request_key_actor_t)(struct key_construction *key, +- const char *op, void *aux); ++typedef int (*request_key_actor_t)(struct key *auth_key, void *aux); + + /* + * Preparsed matching criterion. +@@ -170,20 +160,20 @@ extern int key_instantiate_and_link(struct key *key, + const void *data, + size_t datalen, + struct key *keyring, +- struct key *instkey); ++ struct key *authkey); + extern int key_reject_and_link(struct key *key, + unsigned timeout, + unsigned error, + struct key *keyring, +- struct key *instkey); +-extern void complete_request_key(struct key_construction *cons, int error); ++ struct key *authkey); ++extern void complete_request_key(struct key *authkey, int error); + + static inline int key_negate_and_link(struct key *key, + unsigned timeout, + struct key *keyring, +- struct key *instkey) ++ struct key *authkey) + { +- return key_reject_and_link(key, timeout, ENOKEY, keyring, instkey); ++ return key_reject_and_link(key, timeout, ENOKEY, keyring, authkey); + } + + extern int generic_key_instantiate(struct key *key, struct key_preparsed_payload *prep); +diff --git a/security/keys/internal.h b/security/keys/internal.h +index 9f8208dc0e55..a02742621c8d 100644 +--- a/security/keys/internal.h ++++ b/security/keys/internal.h +@@ -188,20 +188,9 @@ static inline int key_permission(const key_ref_t key_ref, unsigned perm) + return key_task_permission(key_ref, current_cred(), perm); + } + +-/* +- * Authorisation record for request_key(). +- */ +-struct request_key_auth { +- struct key *target_key; +- struct key *dest_keyring; +- const struct cred *cred; +- void *callout_info; +- size_t callout_len; +- pid_t pid; +-} __randomize_layout; +- + extern struct key_type key_type_request_key_auth; + extern struct key *request_key_auth_new(struct key *target, ++ const char *op, + const void *callout_info, + size_t callout_len, + struct key *dest_keyring); +diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c +index 1ffe60bb2845..ca31af186abd 100644 +--- a/security/keys/keyctl.c ++++ b/security/keys/keyctl.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include "internal.h" + + #define KEY_MAX_DESC_SIZE 4096 +diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c +index d5b25e535d3a..d776d2114651 100644 +--- a/security/keys/process_keys.c ++++ b/security/keys/process_keys.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + #include "internal.h" + + /* Session keyring create vs join semaphore */ +diff --git a/security/keys/request_key.c b/security/keys/request_key.c +index 738553698649..1a547cec8385 100644 +--- a/security/keys/request_key.c ++++ b/security/keys/request_key.c +@@ -18,31 +18,30 @@ + #include + #include + #include "internal.h" ++#include + + #define key_negative_timeout 60 /* default timeout on a negative key's existence */ + + /** + * complete_request_key - Complete the construction of a key. +- * @cons: The key construction record. ++ * @auth_key: The authorisation key. + * @error: The success or failute of the construction. + * + * Complete the attempt to construct a key. The key will be negated + * if an error is indicated. The authorisation key will be revoked + * unconditionally. + */ +-void complete_request_key(struct key_construction *cons, int error) ++void complete_request_key(struct key *authkey, int error) + { +- kenter("{%d,%d},%d", cons->key->serial, cons->authkey->serial, error); ++ struct request_key_auth *rka = get_request_key_auth(authkey); ++ struct key *key = rka->target_key; ++ ++ kenter("%d{%d},%d", authkey->serial, key->serial, error); + + if (error < 0) +- key_negate_and_link(cons->key, key_negative_timeout, NULL, +- cons->authkey); ++ key_negate_and_link(key, key_negative_timeout, NULL, authkey); + else +- key_revoke(cons->authkey); +- +- key_put(cons->key); +- key_put(cons->authkey); +- kfree(cons); ++ key_revoke(authkey); + } + EXPORT_SYMBOL(complete_request_key); + +@@ -91,21 +90,19 @@ static int call_usermodehelper_keys(const char *path, char **argv, char **envp, + * Request userspace finish the construction of a key + * - execute "/sbin/request-key " + */ +-static int call_sbin_request_key(struct key_construction *cons, +- const char *op, +- void *aux) ++static int call_sbin_request_key(struct key *authkey, void *aux) + { + static char const request_key[] = "/sbin/request-key"; ++ struct request_key_auth *rka = get_request_key_auth(authkey); + const struct cred *cred = current_cred(); + key_serial_t prkey, sskey; +- struct key *key = cons->key, *authkey = cons->authkey, *keyring, +- *session; ++ struct key *key = rka->target_key, *keyring, *session; + char *argv[9], *envp[3], uid_str[12], gid_str[12]; + char key_str[12], keyring_str[3][12]; + char desc[20]; + int ret, i; + +- kenter("{%d},{%d},%s", key->serial, authkey->serial, op); ++ kenter("{%d},{%d},%s", key->serial, authkey->serial, rka->op); + + ret = install_user_keyrings(); + if (ret < 0) +@@ -163,7 +160,7 @@ static int call_sbin_request_key(struct key_construction *cons, + /* set up the argument list */ + i = 0; + argv[i++] = (char *)request_key; +- argv[i++] = (char *) op; ++ argv[i++] = (char *)rka->op; + argv[i++] = key_str; + argv[i++] = uid_str; + argv[i++] = gid_str; +@@ -191,7 +188,7 @@ error_link: + key_put(keyring); + + error_alloc: +- complete_request_key(cons, ret); ++ complete_request_key(authkey, ret); + kleave(" = %d", ret); + return ret; + } +@@ -205,42 +202,31 @@ static int construct_key(struct key *key, const void *callout_info, + size_t callout_len, void *aux, + struct key *dest_keyring) + { +- struct key_construction *cons; + request_key_actor_t actor; + struct key *authkey; + int ret; + + kenter("%d,%p,%zu,%p", key->serial, callout_info, callout_len, aux); + +- cons = kmalloc(sizeof(*cons), GFP_KERNEL); +- if (!cons) +- return -ENOMEM; +- + /* allocate an authorisation key */ +- authkey = request_key_auth_new(key, callout_info, callout_len, ++ authkey = request_key_auth_new(key, "create", callout_info, callout_len, + dest_keyring); +- if (IS_ERR(authkey)) { +- kfree(cons); +- ret = PTR_ERR(authkey); +- authkey = NULL; +- } else { +- cons->authkey = key_get(authkey); +- cons->key = key_get(key); ++ if (IS_ERR(authkey)) ++ return PTR_ERR(authkey); + +- /* make the call */ +- actor = call_sbin_request_key; +- if (key->type->request_key) +- actor = key->type->request_key; ++ /* Make the call */ ++ actor = call_sbin_request_key; ++ if (key->type->request_key) ++ actor = key->type->request_key; + +- ret = actor(cons, "create", aux); ++ ret = actor(authkey, aux); + +- /* check that the actor called complete_request_key() prior to +- * returning an error */ +- WARN_ON(ret < 0 && +- !test_bit(KEY_FLAG_REVOKED, &authkey->flags)); +- key_put(authkey); +- } ++ /* check that the actor called complete_request_key() prior to ++ * returning an error */ ++ WARN_ON(ret < 0 && ++ !test_bit(KEY_FLAG_REVOKED, &authkey->flags)); + ++ key_put(authkey); + kleave(" = %d", ret); + return ret; + } +@@ -275,7 +261,7 @@ static int construct_get_dest_keyring(struct key **_dest_keyring) + if (cred->request_key_auth) { + authkey = cred->request_key_auth; + down_read(&authkey->sem); +- rka = authkey->payload.data[0]; ++ rka = get_request_key_auth(authkey); + if (!test_bit(KEY_FLAG_REVOKED, + &authkey->flags)) + dest_keyring = +diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c +index 6797843154f0..5e515791ccd1 100644 +--- a/security/keys/request_key_auth.c ++++ b/security/keys/request_key_auth.c +@@ -18,7 +18,7 @@ + #include + #include + #include "internal.h" +-#include ++#include + + static int request_key_auth_preparse(struct key_preparsed_payload *); + static void request_key_auth_free_preparse(struct key_preparsed_payload *); +@@ -69,7 +69,7 @@ static int request_key_auth_instantiate(struct key *key, + static void request_key_auth_describe(const struct key *key, + struct seq_file *m) + { +- struct request_key_auth *rka = key->payload.data[0]; ++ struct request_key_auth *rka = get_request_key_auth(key); + + seq_puts(m, "key:"); + seq_puts(m, key->description); +@@ -84,7 +84,7 @@ static void request_key_auth_describe(const struct key *key, + static long request_key_auth_read(const struct key *key, + char __user *buffer, size_t buflen) + { +- struct request_key_auth *rka = key->payload.data[0]; ++ struct request_key_auth *rka = get_request_key_auth(key); + size_t datalen; + long ret; + +@@ -110,7 +110,7 @@ static long request_key_auth_read(const struct key *key, + */ + static void request_key_auth_revoke(struct key *key) + { +- struct request_key_auth *rka = key->payload.data[0]; ++ struct request_key_auth *rka = get_request_key_auth(key); + + kenter("{%d}", key->serial); + +@@ -137,7 +137,7 @@ static void free_request_key_auth(struct request_key_auth *rka) + */ + static void request_key_auth_destroy(struct key *key) + { +- struct request_key_auth *rka = key->payload.data[0]; ++ struct request_key_auth *rka = get_request_key_auth(key); + + kenter("{%d}", key->serial); + +@@ -148,8 +148,9 @@ static void request_key_auth_destroy(struct key *key) + * Create an authorisation token for /sbin/request-key or whoever to gain + * access to the caller's security data. + */ +-struct key *request_key_auth_new(struct key *target, const void *callout_info, +- size_t callout_len, struct key *dest_keyring) ++struct key *request_key_auth_new(struct key *target, const char *op, ++ const void *callout_info, size_t callout_len, ++ struct key *dest_keyring) + { + struct request_key_auth *rka, *irka; + const struct cred *cred = current->cred; +@@ -167,6 +168,7 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info, + if (!rka->callout_info) + goto error_free_rka; + rka->callout_len = callout_len; ++ strlcpy(rka->op, op, sizeof(rka->op)); + + /* see if the calling process is already servicing the key request of + * another process */ +-- +2.19.1 + diff --git a/queue-4.19/kvm-arm-arm64-reset-the-vcpu-without-preemption-and-.patch b/queue-4.19/kvm-arm-arm64-reset-the-vcpu-without-preemption-and-.patch new file mode 100644 index 00000000000..8938c292b89 --- /dev/null +++ b/queue-4.19/kvm-arm-arm64-reset-the-vcpu-without-preemption-and-.patch @@ -0,0 +1,87 @@ +From da07d7a812dfccf5c67ea59cba430c88e9229bc3 Mon Sep 17 00:00:00 2001 +From: Christoffer Dall +Date: Thu, 20 Dec 2018 12:44:05 +0100 +Subject: KVM: arm/arm64: Reset the VCPU without preemption and vcpu state + loaded + +[ Upstream commit e761a927bc9a7ee6ceb7c4f63d5922dbced87f0d ] + +We have two ways to reset a vcpu: +- either through VCPU_INIT +- or through a PSCI_ON call + +The first one is easy to reason about. The second one is implemented +in a more bizarre way, as it is the vcpu that handles PSCI_ON that +resets the vcpu that is being powered-on. As we need to turn the logic +around and have the target vcpu to reset itself, we must take some +preliminary steps. + +Resetting the VCPU state modifies the system register state in memory, +but this may interact with vcpu_load/vcpu_put if running with preemption +disabled, which in turn may lead to corrupted system register state. + +Address this by disabling preemption and doing put/load if required +around the reset logic. + +Reviewed-by: Andrew Jones +Signed-off-by: Christoffer Dall +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + arch/arm64/kvm/reset.c | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/kvm/reset.c b/arch/arm64/kvm/reset.c +index e37c78bbe1ca..644dd0050766 100644 +--- a/arch/arm64/kvm/reset.c ++++ b/arch/arm64/kvm/reset.c +@@ -99,16 +99,33 @@ int kvm_arch_dev_ioctl_check_extension(struct kvm *kvm, long ext) + * This function finds the right table above and sets the registers on + * the virtual CPU struct to their architecturally defined reset + * values. ++ * ++ * Note: This function can be called from two paths: The KVM_ARM_VCPU_INIT ++ * ioctl or as part of handling a request issued by another VCPU in the PSCI ++ * handling code. In the first case, the VCPU will not be loaded, and in the ++ * second case the VCPU will be loaded. Because this function operates purely ++ * on the memory-backed valus of system registers, we want to do a full put if ++ * we were loaded (handling a request) and load the values back at the end of ++ * the function. Otherwise we leave the state alone. In both cases, we ++ * disable preemption around the vcpu reset as we would otherwise race with ++ * preempt notifiers which also call put/load. + */ + int kvm_reset_vcpu(struct kvm_vcpu *vcpu) + { + const struct kvm_regs *cpu_reset; ++ int ret = -EINVAL; ++ bool loaded; ++ ++ preempt_disable(); ++ loaded = (vcpu->cpu != -1); ++ if (loaded) ++ kvm_arch_vcpu_put(vcpu); + + switch (vcpu->arch.target) { + default: + if (test_bit(KVM_ARM_VCPU_EL1_32BIT, vcpu->arch.features)) { + if (!cpu_has_32bit_el1()) +- return -EINVAL; ++ goto out; + cpu_reset = &default_regs_reset32; + } else { + cpu_reset = &default_regs_reset; +@@ -131,5 +148,10 @@ int kvm_reset_vcpu(struct kvm_vcpu *vcpu) + vcpu->arch.workaround_flags |= VCPU_WORKAROUND_2_FLAG; + + /* Reset timer */ +- return kvm_timer_vcpu_reset(vcpu); ++ ret = kvm_timer_vcpu_reset(vcpu); ++out: ++ if (loaded) ++ kvm_arch_vcpu_load(vcpu, smp_processor_id()); ++ preempt_enable(); ++ return ret; + } +-- +2.19.1 + diff --git a/queue-4.19/kvm-arm-arm64-vgic-always-initialize-the-group-of-pr.patch b/queue-4.19/kvm-arm-arm64-vgic-always-initialize-the-group-of-pr.patch new file mode 100644 index 00000000000..950e5cd26c6 --- /dev/null +++ b/queue-4.19/kvm-arm-arm64-vgic-always-initialize-the-group-of-pr.patch @@ -0,0 +1,82 @@ +From ae4cdd17fd1e802bc55137d1e5f44086eeb914a9 Mon Sep 17 00:00:00 2001 +From: Christoffer Dall +Date: Thu, 10 Jan 2019 15:33:52 +0100 +Subject: KVM: arm/arm64: vgic: Always initialize the group of private IRQs + +[ Upstream commit ab2d5eb03dbb7b37a1c6356686fb48626ab0c93e ] + +We currently initialize the group of private IRQs during +kvm_vgic_vcpu_init, and the value of the group depends on the GIC model +we are emulating. However, CPUs created before creating (and +initializing) the VGIC might end up with the wrong group if the VGIC +is created as GICv3 later. + +Since we have no enforced ordering of creating the VGIC and creating +VCPUs, we can end up with part the VCPUs being properly intialized and +the remaining incorrectly initialized. That also means that we have no +single place to do the per-cpu data structure initialization which +depends on knowing the emulated GIC model (which is only the group +field). + +This patch removes the incorrect comment from kvm_vgic_vcpu_init and +initializes the group of all previously created VCPUs's private +interrupts in vgic_init in addition to the existing initialization in +kvm_vgic_vcpu_init. + +Signed-off-by: Christoffer Dall +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + virt/kvm/arm/vgic/vgic-init.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/virt/kvm/arm/vgic/vgic-init.c b/virt/kvm/arm/vgic/vgic-init.c +index 33e7ee814f7b..8196e4f8731f 100644 +--- a/virt/kvm/arm/vgic/vgic-init.c ++++ b/virt/kvm/arm/vgic/vgic-init.c +@@ -231,13 +231,6 @@ int kvm_vgic_vcpu_init(struct kvm_vcpu *vcpu) + irq->config = VGIC_CONFIG_LEVEL; + } + +- /* +- * GICv3 can only be created via the KVM_DEVICE_CREATE API and +- * so we always know the emulation type at this point as it's +- * either explicitly configured as GICv3, or explicitly +- * configured as GICv2, or not configured yet which also +- * implies GICv2. +- */ + if (dist->vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3) + irq->group = 1; + else +@@ -281,7 +274,7 @@ int vgic_init(struct kvm *kvm) + { + struct vgic_dist *dist = &kvm->arch.vgic; + struct kvm_vcpu *vcpu; +- int ret = 0, i; ++ int ret = 0, i, idx; + + if (vgic_initialized(kvm)) + return 0; +@@ -298,6 +291,19 @@ int vgic_init(struct kvm *kvm) + if (ret) + goto out; + ++ /* Initialize groups on CPUs created before the VGIC type was known */ ++ kvm_for_each_vcpu(idx, vcpu, kvm) { ++ struct vgic_cpu *vgic_cpu = &vcpu->arch.vgic_cpu; ++ ++ for (i = 0; i < VGIC_NR_PRIVATE_IRQS; i++) { ++ struct vgic_irq *irq = &vgic_cpu->private_irqs[i]; ++ if (dist->vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3) ++ irq->group = 1; ++ else ++ irq->group = 0; ++ } ++ } ++ + if (vgic_has_its(kvm)) { + ret = vgic_v4_init(kvm); + if (ret) +-- +2.19.1 + diff --git a/queue-4.19/kvm-arm-arm64-vgic-make-vgic_dist-lpi_list_lock-a-ra.patch b/queue-4.19/kvm-arm-arm64-vgic-make-vgic_dist-lpi_list_lock-a-ra.patch new file mode 100644 index 00000000000..386a49bdd69 --- /dev/null +++ b/queue-4.19/kvm-arm-arm64-vgic-make-vgic_dist-lpi_list_lock-a-ra.patch @@ -0,0 +1,135 @@ +From d00106b1e4dffd77854dc185313dcda92052cba4 Mon Sep 17 00:00:00 2001 +From: Julien Thierry +Date: Mon, 7 Jan 2019 15:06:16 +0000 +Subject: KVM: arm/arm64: vgic: Make vgic_dist->lpi_list_lock a raw_spinlock + +[ Upstream commit fc3bc475231e12e9c0142f60100cf84d077c79e1 ] + +vgic_dist->lpi_list_lock must always be taken with interrupts disabled as +it is used in interrupt context. + +For configurations such as PREEMPT_RT_FULL, this means that it should +be a raw_spinlock since RT spinlocks are interruptible. + +Signed-off-by: Julien Thierry +Acked-by: Christoffer Dall +Acked-by: Marc Zyngier +Signed-off-by: Christoffer Dall +Signed-off-by: Sasha Levin +--- + include/kvm/arm_vgic.h | 2 +- + virt/kvm/arm/vgic/vgic-init.c | 2 +- + virt/kvm/arm/vgic/vgic-its.c | 8 ++++---- + virt/kvm/arm/vgic/vgic.c | 10 +++++----- + 4 files changed, 11 insertions(+), 11 deletions(-) + +diff --git a/include/kvm/arm_vgic.h b/include/kvm/arm_vgic.h +index 4f31f96bbfab..90ac450745f1 100644 +--- a/include/kvm/arm_vgic.h ++++ b/include/kvm/arm_vgic.h +@@ -256,7 +256,7 @@ struct vgic_dist { + u64 propbaser; + + /* Protects the lpi_list and the count value below. */ +- spinlock_t lpi_list_lock; ++ raw_spinlock_t lpi_list_lock; + struct list_head lpi_list_head; + int lpi_list_count; + +diff --git a/virt/kvm/arm/vgic/vgic-init.c b/virt/kvm/arm/vgic/vgic-init.c +index c0c0b88af1d5..33e7ee814f7b 100644 +--- a/virt/kvm/arm/vgic/vgic-init.c ++++ b/virt/kvm/arm/vgic/vgic-init.c +@@ -64,7 +64,7 @@ void kvm_vgic_early_init(struct kvm *kvm) + struct vgic_dist *dist = &kvm->arch.vgic; + + INIT_LIST_HEAD(&dist->lpi_list_head); +- spin_lock_init(&dist->lpi_list_lock); ++ raw_spin_lock_init(&dist->lpi_list_lock); + } + + /* CREATION */ +diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c +index 12502251727e..f376c82afb61 100644 +--- a/virt/kvm/arm/vgic/vgic-its.c ++++ b/virt/kvm/arm/vgic/vgic-its.c +@@ -73,7 +73,7 @@ static struct vgic_irq *vgic_add_lpi(struct kvm *kvm, u32 intid, + irq->target_vcpu = vcpu; + irq->group = 1; + +- spin_lock_irqsave(&dist->lpi_list_lock, flags); ++ raw_spin_lock_irqsave(&dist->lpi_list_lock, flags); + + /* + * There could be a race with another vgic_add_lpi(), so we need to +@@ -101,7 +101,7 @@ static struct vgic_irq *vgic_add_lpi(struct kvm *kvm, u32 intid, + dist->lpi_list_count++; + + out_unlock: +- spin_unlock_irqrestore(&dist->lpi_list_lock, flags); ++ raw_spin_unlock_irqrestore(&dist->lpi_list_lock, flags); + + /* + * We "cache" the configuration table entries in our struct vgic_irq's. +@@ -339,7 +339,7 @@ int vgic_copy_lpi_list(struct kvm *kvm, struct kvm_vcpu *vcpu, u32 **intid_ptr) + if (!intids) + return -ENOMEM; + +- spin_lock_irqsave(&dist->lpi_list_lock, flags); ++ raw_spin_lock_irqsave(&dist->lpi_list_lock, flags); + list_for_each_entry(irq, &dist->lpi_list_head, lpi_list) { + if (i == irq_count) + break; +@@ -348,7 +348,7 @@ int vgic_copy_lpi_list(struct kvm *kvm, struct kvm_vcpu *vcpu, u32 **intid_ptr) + continue; + intids[i++] = irq->intid; + } +- spin_unlock_irqrestore(&dist->lpi_list_lock, flags); ++ raw_spin_unlock_irqrestore(&dist->lpi_list_lock, flags); + + *intid_ptr = intids; + return i; +diff --git a/virt/kvm/arm/vgic/vgic.c b/virt/kvm/arm/vgic/vgic.c +index f884a54b2601..c5165e3b80cb 100644 +--- a/virt/kvm/arm/vgic/vgic.c ++++ b/virt/kvm/arm/vgic/vgic.c +@@ -72,7 +72,7 @@ static struct vgic_irq *vgic_get_lpi(struct kvm *kvm, u32 intid) + struct vgic_irq *irq = NULL; + unsigned long flags; + +- spin_lock_irqsave(&dist->lpi_list_lock, flags); ++ raw_spin_lock_irqsave(&dist->lpi_list_lock, flags); + + list_for_each_entry(irq, &dist->lpi_list_head, lpi_list) { + if (irq->intid != intid) +@@ -88,7 +88,7 @@ static struct vgic_irq *vgic_get_lpi(struct kvm *kvm, u32 intid) + irq = NULL; + + out_unlock: +- spin_unlock_irqrestore(&dist->lpi_list_lock, flags); ++ raw_spin_unlock_irqrestore(&dist->lpi_list_lock, flags); + + return irq; + } +@@ -138,15 +138,15 @@ void vgic_put_irq(struct kvm *kvm, struct vgic_irq *irq) + if (irq->intid < VGIC_MIN_LPI) + return; + +- spin_lock_irqsave(&dist->lpi_list_lock, flags); ++ raw_spin_lock_irqsave(&dist->lpi_list_lock, flags); + if (!kref_put(&irq->refcount, vgic_irq_release)) { +- spin_unlock_irqrestore(&dist->lpi_list_lock, flags); ++ raw_spin_unlock_irqrestore(&dist->lpi_list_lock, flags); + return; + }; + + list_del(&irq->lpi_list); + dist->lpi_list_count--; +- spin_unlock_irqrestore(&dist->lpi_list_lock, flags); ++ raw_spin_unlock_irqrestore(&dist->lpi_list_lock, flags); + + kfree(irq); + } +-- +2.19.1 + diff --git a/queue-4.19/kvm-arm64-forbid-kprobing-of-the-vhe-world-switch-co.patch b/queue-4.19/kvm-arm64-forbid-kprobing-of-the-vhe-world-switch-co.patch new file mode 100644 index 00000000000..605a323996b --- /dev/null +++ b/queue-4.19/kvm-arm64-forbid-kprobing-of-the-vhe-world-switch-co.patch @@ -0,0 +1,161 @@ +From df74a8c7d7f85fb8d4764b6d72b6f8e59ad42579 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Thu, 24 Jan 2019 16:32:54 +0000 +Subject: KVM: arm64: Forbid kprobing of the VHE world-switch code + +[ Upstream commit 7d82602909ed9c73b34ad26f05d10db4850a4f8c ] + +On systems with VHE the kernel and KVM's world-switch code run at the +same exception level. Code that is only used on a VHE system does not +need to be annotated as __hyp_text as it can reside anywhere in the +kernel text. + +__hyp_text was also used to prevent kprobes from patching breakpoint +instructions into this region, as this code runs at a different +exception level. While this is no longer true with VHE, KVM still +switches VBAR_EL1, meaning a kprobe's breakpoint executed in the +world-switch code will cause a hyp-panic. + +echo "p:weasel sysreg_save_guest_state_vhe" > /sys/kernel/debug/tracing/kprobe_events +echo 1 > /sys/kernel/debug/tracing/events/kprobes/weasel/enable +lkvm run -k /boot/Image --console serial -p "console=ttyS0 earlycon=uart,mmio,0x3f8" + + # lkvm run -k /boot/Image -m 384 -c 3 --name guest-1474 + Info: Placing fdt at 0x8fe00000 - 0x8fffffff + Info: virtio-mmio.devices=0x200@0x10000:36 + + Info: virtio-mmio.devices=0x200@0x10200:37 + + Info: virtio-mmio.devices=0x200@0x10400:38 + +[ 614.178186] Kernel panic - not syncing: HYP panic: +[ 614.178186] PS:404003c9 PC:ffff0000100d70e0 ESR:f2000004 +[ 614.178186] FAR:0000000080080000 HPFAR:0000000000800800 PAR:1d00007edbadc0de +[ 614.178186] VCPU:00000000f8de32f1 +[ 614.178383] CPU: 2 PID: 1482 Comm: kvm-vcpu-0 Not tainted 5.0.0-rc2 #10799 +[ 614.178446] Call trace: +[ 614.178480] dump_backtrace+0x0/0x148 +[ 614.178567] show_stack+0x24/0x30 +[ 614.178658] dump_stack+0x90/0xb4 +[ 614.178710] panic+0x13c/0x2d8 +[ 614.178793] hyp_panic+0xac/0xd8 +[ 614.178880] kvm_vcpu_run_vhe+0x9c/0xe0 +[ 614.178958] kvm_arch_vcpu_ioctl_run+0x454/0x798 +[ 614.179038] kvm_vcpu_ioctl+0x360/0x898 +[ 614.179087] do_vfs_ioctl+0xc4/0x858 +[ 614.179174] ksys_ioctl+0x84/0xb8 +[ 614.179261] __arm64_sys_ioctl+0x28/0x38 +[ 614.179348] el0_svc_common+0x94/0x108 +[ 614.179401] el0_svc_handler+0x38/0x78 +[ 614.179487] el0_svc+0x8/0xc +[ 614.179558] SMP: stopping secondary CPUs +[ 614.179661] Kernel Offset: disabled +[ 614.179695] CPU features: 0x003,2a80aa38 +[ 614.179758] Memory Limit: none +[ 614.179858] ---[ end Kernel panic - not syncing: HYP panic: +[ 614.179858] PS:404003c9 PC:ffff0000100d70e0 ESR:f2000004 +[ 614.179858] FAR:0000000080080000 HPFAR:0000000000800800 PAR:1d00007edbadc0de +[ 614.179858] VCPU:00000000f8de32f1 ]--- + +Annotate the VHE world-switch functions that aren't marked +__hyp_text using NOKPROBE_SYMBOL(). + +Signed-off-by: James Morse +Fixes: 3f5c90b890ac ("KVM: arm64: Introduce VHE-specific kvm_vcpu_run") +Acked-by: Masami Hiramatsu +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + arch/arm64/kvm/hyp/switch.c | 5 +++++ + arch/arm64/kvm/hyp/sysreg-sr.c | 5 +++++ + 2 files changed, 10 insertions(+) + +diff --git a/arch/arm64/kvm/hyp/switch.c b/arch/arm64/kvm/hyp/switch.c +index a1c32c1f2267..6290a4e81d57 100644 +--- a/arch/arm64/kvm/hyp/switch.c ++++ b/arch/arm64/kvm/hyp/switch.c +@@ -23,6 +23,7 @@ + #include + + #include ++#include + #include + #include + #include +@@ -107,6 +108,7 @@ static void activate_traps_vhe(struct kvm_vcpu *vcpu) + + write_sysreg(kvm_get_hyp_vector(), vbar_el1); + } ++NOKPROBE_SYMBOL(activate_traps_vhe); + + static void __hyp_text __activate_traps_nvhe(struct kvm_vcpu *vcpu) + { +@@ -146,6 +148,7 @@ static void deactivate_traps_vhe(void) + write_sysreg(CPACR_EL1_DEFAULT, cpacr_el1); + write_sysreg(vectors, vbar_el1); + } ++NOKPROBE_SYMBOL(deactivate_traps_vhe); + + static void __hyp_text __deactivate_traps_nvhe(void) + { +@@ -529,6 +532,7 @@ int kvm_vcpu_run_vhe(struct kvm_vcpu *vcpu) + + return exit_code; + } ++NOKPROBE_SYMBOL(kvm_vcpu_run_vhe); + + /* Switch to the guest for legacy non-VHE systems */ + int __hyp_text __kvm_vcpu_run_nvhe(struct kvm_vcpu *vcpu) +@@ -636,6 +640,7 @@ static void __hyp_call_panic_vhe(u64 spsr, u64 elr, u64 par, + read_sysreg_el2(esr), read_sysreg_el2(far), + read_sysreg(hpfar_el2), par, vcpu); + } ++NOKPROBE_SYMBOL(__hyp_call_panic_vhe); + + void __hyp_text __noreturn hyp_panic(struct kvm_cpu_context *host_ctxt) + { +diff --git a/arch/arm64/kvm/hyp/sysreg-sr.c b/arch/arm64/kvm/hyp/sysreg-sr.c +index 9ce223944983..963d669ae3a2 100644 +--- a/arch/arm64/kvm/hyp/sysreg-sr.c ++++ b/arch/arm64/kvm/hyp/sysreg-sr.c +@@ -18,6 +18,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -98,12 +99,14 @@ void sysreg_save_host_state_vhe(struct kvm_cpu_context *ctxt) + { + __sysreg_save_common_state(ctxt); + } ++NOKPROBE_SYMBOL(sysreg_save_host_state_vhe); + + void sysreg_save_guest_state_vhe(struct kvm_cpu_context *ctxt) + { + __sysreg_save_common_state(ctxt); + __sysreg_save_el2_return_state(ctxt); + } ++NOKPROBE_SYMBOL(sysreg_save_guest_state_vhe); + + static void __hyp_text __sysreg_restore_common_state(struct kvm_cpu_context *ctxt) + { +@@ -171,12 +174,14 @@ void sysreg_restore_host_state_vhe(struct kvm_cpu_context *ctxt) + { + __sysreg_restore_common_state(ctxt); + } ++NOKPROBE_SYMBOL(sysreg_restore_host_state_vhe); + + void sysreg_restore_guest_state_vhe(struct kvm_cpu_context *ctxt) + { + __sysreg_restore_common_state(ctxt); + __sysreg_restore_el2_return_state(ctxt); + } ++NOKPROBE_SYMBOL(sysreg_restore_guest_state_vhe); + + void __hyp_text __sysreg32_save_state(struct kvm_vcpu *vcpu) + { +-- +2.19.1 + diff --git a/queue-4.19/mac80211-call-drv_ibss_join-on-restart.patch b/queue-4.19/mac80211-call-drv_ibss_join-on-restart.patch new file mode 100644 index 00000000000..3ab90ed5002 --- /dev/null +++ b/queue-4.19/mac80211-call-drv_ibss_join-on-restart.patch @@ -0,0 +1,46 @@ +From 650bb3bd47ebe4062d1e2c2d2a214c20a4d3ed0c Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 6 Feb 2019 13:17:12 +0200 +Subject: mac80211: call drv_ibss_join() on restart + +[ Upstream commit 4926b51bfaa6d36bd6f398fb7698679d3962e19d ] + +If a driver does any significant activity in its ibss_join method, +then it will very well expect that to be called during restart, +before any stations are added. Do that. + +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/util.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/util.c b/net/mac80211/util.c +index 716cd6442d86..3deaa01ebee4 100644 +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -5,7 +5,7 @@ + * Copyright 2007 Johannes Berg + * Copyright 2013-2014 Intel Mobile Communications GmbH + * Copyright (C) 2015-2017 Intel Deutschland GmbH +- * Copyright (C) 2018 Intel Corporation ++ * Copyright (C) 2018-2019 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -2020,6 +2020,10 @@ int ieee80211_reconfig(struct ieee80211_local *local) + case NL80211_IFTYPE_AP_VLAN: + case NL80211_IFTYPE_MONITOR: + break; ++ case NL80211_IFTYPE_ADHOC: ++ if (sdata->vif.bss_conf.ibss_joined) ++ WARN_ON(drv_join_ibss(local, sdata)); ++ /* fall through */ + default: + ieee80211_reconfig_stations(sdata); + /* fall through */ +-- +2.19.1 + diff --git a/queue-4.19/mac80211-fix-tx-aggregation-session-tear-down-with-i.patch b/queue-4.19/mac80211-fix-tx-aggregation-session-tear-down-with-i.patch new file mode 100644 index 00000000000..89b1576e3c0 --- /dev/null +++ b/queue-4.19/mac80211-fix-tx-aggregation-session-tear-down-with-i.patch @@ -0,0 +1,56 @@ +From 580f679ca3e4f135e72c836438e3cd720e98921c Mon Sep 17 00:00:00 2001 +From: Ilan Peer +Date: Wed, 6 Feb 2019 13:17:21 +0200 +Subject: mac80211: Fix Tx aggregation session tear down with ITXQs + +[ Upstream commit 6157ca0d6bfe437691b1e98a62e2efe12b6714da ] + +When mac80211 requests the low level driver to stop an ongoing +Tx aggregation, the low level driver is expected to call +ieee80211_stop_tx_ba_cb_irqsafe() to indicate that it is ready +to stop the session. The callback in turn schedules a worker +to complete the session tear down, which in turn also handles +the relevant state for the intermediate Tx queue. + +However, as this flow in asynchronous, the intermediate queue +should be stopped and not continue servicing frames, as in +such a case frames that are dequeued would be marked as part +of an aggregation, although the aggregation is already been +stopped. + +Fix this by stopping the intermediate Tx queue, before +calling the low level driver to stop the Tx aggregation. + +Signed-off-by: Ilan Peer +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/agg-tx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c +index 69e831bc317b..54821fb1a960 100644 +--- a/net/mac80211/agg-tx.c ++++ b/net/mac80211/agg-tx.c +@@ -8,7 +8,7 @@ + * Copyright 2007, Michael Wu + * Copyright 2007-2010, Intel Corporation + * Copyright(c) 2015-2017 Intel Deutschland GmbH +- * Copyright (C) 2018 Intel Corporation ++ * Copyright (C) 2018 - 2019 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -366,6 +366,8 @@ int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid, + + set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state); + ++ ieee80211_agg_stop_txq(sta, tid); ++ + spin_unlock_bh(&sta->lock); + + ht_dbg(sta->sdata, "Tx BA session stop requested for %pM tid %u\n", +-- +2.19.1 + diff --git a/queue-4.19/mac80211_hwsim-propagate-genlmsg_reply-return-code.patch b/queue-4.19/mac80211_hwsim-propagate-genlmsg_reply-return-code.patch new file mode 100644 index 00000000000..74547ff41ae --- /dev/null +++ b/queue-4.19/mac80211_hwsim-propagate-genlmsg_reply-return-code.patch @@ -0,0 +1,32 @@ +From 1aa29fdbdecf10f78263a80264d9471f147e9699 Mon Sep 17 00:00:00 2001 +From: Li RongQing +Date: Tue, 19 Feb 2019 13:12:40 +0800 +Subject: mac80211_hwsim: propagate genlmsg_reply return code + +[ Upstream commit 17407715240456448e4989bee46ffc93991add83 ] + +genlmsg_reply can fail, so propagate its return code + +Signed-off-by: Li RongQing +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mac80211_hwsim.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index 4ca6592f5b3a..7cd428c0af43 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -3454,7 +3454,7 @@ static int hwsim_get_radio_nl(struct sk_buff *msg, struct genl_info *info) + goto out_err; + } + +- genlmsg_reply(skb, info); ++ res = genlmsg_reply(skb, info); + break; + } + +-- +2.19.1 + diff --git a/queue-4.19/mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-tim.patch b/queue-4.19/mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-tim.patch new file mode 100644 index 00000000000..c9acb712ca1 --- /dev/null +++ b/queue-4.19/mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-tim.patch @@ -0,0 +1,40 @@ +From b8abae16d0a5523d6a29a54f048ae789922b3041 Mon Sep 17 00:00:00 2001 +From: Rayagonda Kokatanur +Date: Mon, 4 Feb 2019 11:21:29 -0800 +Subject: mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush timeout issue + +[ Upstream commit d7bf31a0f85faaf63c63c39d55154825a1eaaea9 ] + +RING_CONTROL reg was not written due to wrong address, hence all +the subsequent ring flush was timing out. + +Fixes: a371c10ea4b3 ("mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush sequence") + +Signed-off-by: Rayagonda Kokatanur +Signed-off-by: Ray Jui +Reviewed-by: Scott Branden +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/bcm-flexrm-mailbox.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/mailbox/bcm-flexrm-mailbox.c b/drivers/mailbox/bcm-flexrm-mailbox.c +index 8ab077ff58f4..96bcabfebc23 100644 +--- a/drivers/mailbox/bcm-flexrm-mailbox.c ++++ b/drivers/mailbox/bcm-flexrm-mailbox.c +@@ -1396,9 +1396,9 @@ static void flexrm_shutdown(struct mbox_chan *chan) + + /* Clear ring flush state */ + timeout = 1000; /* timeout of 1s */ +- writel_relaxed(0x0, ring + RING_CONTROL); ++ writel_relaxed(0x0, ring->regs + RING_CONTROL); + do { +- if (!(readl_relaxed(ring + RING_FLUSH_DONE) & ++ if (!(readl_relaxed(ring->regs + RING_FLUSH_DONE) & + FLUSH_DONE_MASK)) + break; + mdelay(1); +-- +2.19.1 + diff --git a/queue-4.19/mm-gup-fix-gup_pmd_range-for-dax.patch b/queue-4.19/mm-gup-fix-gup_pmd_range-for-dax.patch new file mode 100644 index 00000000000..38a9cfb6c07 --- /dev/null +++ b/queue-4.19/mm-gup-fix-gup_pmd_range-for-dax.patch @@ -0,0 +1,48 @@ +From fd9f906a05d56a1d73ea08010d26001abc8820c1 Mon Sep 17 00:00:00 2001 +From: Yu Zhao +Date: Tue, 12 Feb 2019 15:35:58 -0800 +Subject: mm/gup: fix gup_pmd_range() for dax + +[ Upstream commit 414fd080d125408cb15d04ff4907e1dd8145c8c7 ] + +For dax pmd, pmd_trans_huge() returns false but pmd_huge() returns true +on x86. So the function works as long as hugetlb is configured. +However, dax doesn't depend on hugetlb. + +Link: http://lkml.kernel.org/r/20190111034033.601-1-yuzhao@google.com +Signed-off-by: Yu Zhao +Reviewed-by: Jan Kara +Cc: Dan Williams +Cc: Huang Ying +Cc: Matthew Wilcox +Cc: Keith Busch +Cc: "Michael S . Tsirkin" +Cc: John Hubbard +Cc: Wei Yang +Cc: Mike Rapoport +Cc: Andrea Arcangeli +Cc: "Kirill A . Shutemov" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/gup.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/mm/gup.c b/mm/gup.c +index 1abc8b4afff6..0a5374e6e82d 100644 +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -1649,7 +1649,8 @@ static int gup_pmd_range(pud_t pud, unsigned long addr, unsigned long end, + if (!pmd_present(pmd)) + return 0; + +- if (unlikely(pmd_trans_huge(pmd) || pmd_huge(pmd))) { ++ if (unlikely(pmd_trans_huge(pmd) || pmd_huge(pmd) || ++ pmd_devmap(pmd))) { + /* + * NUMA hinting faults need to be handled in the GUP + * slowpath for accounting purposes and so that they +-- +2.19.1 + diff --git a/queue-4.19/mm-handle-lru_add_drain_all-for-up-properly.patch b/queue-4.19/mm-handle-lru_add_drain_all-for-up-properly.patch new file mode 100644 index 00000000000..841619bca54 --- /dev/null +++ b/queue-4.19/mm-handle-lru_add_drain_all-for-up-properly.patch @@ -0,0 +1,84 @@ +From 01a0b2e1bbb1f6b3e1c13186c597b6b9f949e403 Mon Sep 17 00:00:00 2001 +From: Michal Hocko +Date: Wed, 20 Feb 2019 22:19:54 -0800 +Subject: mm: handle lru_add_drain_all for UP properly + +[ Upstream commit 6ea183d60c469560e7b08a83c9804299e84ec9eb ] + +Since for_each_cpu(cpu, mask) added by commit 2d3854a37e8b767a +("cpumask: introduce new API, without changing anything") did not +evaluate the mask argument if NR_CPUS == 1 due to CONFIG_SMP=n, +lru_add_drain_all() is hitting WARN_ON() at __flush_work() added by +commit 4d43d395fed12463 ("workqueue: Try to catch flush_work() without +INIT_WORK().") by unconditionally calling flush_work() [1]. + +Workaround this issue by using CONFIG_SMP=n specific lru_add_drain_all +implementation. There is no real need to defer the implementation to +the workqueue as the draining is going to happen on the local cpu. So +alias lru_add_drain_all to lru_add_drain which does all the necessary +work. + +[akpm@linux-foundation.org: fix various build warnings] +[1] https://lkml.kernel.org/r/18a30387-6aa5-6123-e67c-57579ecc3f38@roeck-us.net +Link: http://lkml.kernel.org/r/20190213124334.GH4525@dhcp22.suse.cz +Signed-off-by: Michal Hocko +Reported-by: Guenter Roeck +Debugged-by: Tetsuo Handa +Cc: Tejun Heo +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/swap.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/mm/swap.c b/mm/swap.c +index 26fc9b5f1b6c..a3fc028e338e 100644 +--- a/mm/swap.c ++++ b/mm/swap.c +@@ -321,11 +321,6 @@ static inline void activate_page_drain(int cpu) + { + } + +-static bool need_activate_page_drain(int cpu) +-{ +- return false; +-} +- + void activate_page(struct page *page) + { + struct zone *zone = page_zone(page); +@@ -654,13 +649,15 @@ void lru_add_drain(void) + put_cpu(); + } + ++#ifdef CONFIG_SMP ++ ++static DEFINE_PER_CPU(struct work_struct, lru_add_drain_work); ++ + static void lru_add_drain_per_cpu(struct work_struct *dummy) + { + lru_add_drain(); + } + +-static DEFINE_PER_CPU(struct work_struct, lru_add_drain_work); +- + /* + * Doesn't need any cpu hotplug locking because we do rely on per-cpu + * kworkers being shut down before our page_alloc_cpu_dead callback is +@@ -703,6 +700,12 @@ void lru_add_drain_all(void) + + mutex_unlock(&lock); + } ++#else ++void lru_add_drain_all(void) ++{ ++ lru_add_drain(); ++} ++#endif + + /** + * release_pages - batched put_page() +-- +2.19.1 + diff --git a/queue-4.19/mm-page_alloc-fix-ref-bias-in-page_frag_alloc-for-1-.patch b/queue-4.19/mm-page_alloc-fix-ref-bias-in-page_frag_alloc-for-1-.patch new file mode 100644 index 00000000000..2d95bf1c192 --- /dev/null +++ b/queue-4.19/mm-page_alloc-fix-ref-bias-in-page_frag_alloc-for-1-.patch @@ -0,0 +1,72 @@ +From 4bbeb70b295a097104f7ea1c3c1973d96efdec2a Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Wed, 13 Feb 2019 22:45:59 +0100 +Subject: mm: page_alloc: fix ref bias in page_frag_alloc() for 1-byte allocs + +[ Upstream commit 2c2ade81741c66082f8211f0b96cf509cc4c0218 ] + +The basic idea behind ->pagecnt_bias is: If we pre-allocate the maximum +number of references that we might need to create in the fastpath later, +the bump-allocation fastpath only has to modify the non-atomic bias value +that tracks the number of extra references we hold instead of the atomic +refcount. The maximum number of allocations we can serve (under the +assumption that no allocation is made with size 0) is nc->size, so that's +the bias used. + +However, even when all memory in the allocation has been given away, a +reference to the page is still held; and in the `offset < 0` slowpath, the +page may be reused if everyone else has dropped their references. +This means that the necessary number of references is actually +`nc->size+1`. + +Luckily, from a quick grep, it looks like the only path that can call +page_frag_alloc(fragsz=1) is TAP with the IFF_NAPI_FRAGS flag, which +requires CAP_NET_ADMIN in the init namespace and is only intended to be +used for kernel testing and fuzzing. + +To test for this issue, put a `WARN_ON(page_ref_count(page) == 0)` in the +`offset < 0` path, below the virt_to_page() call, and then repeatedly call +writev() on a TAP device with IFF_TAP|IFF_NO_PI|IFF_NAPI_FRAGS|IFF_NAPI, +with a vector consisting of 15 elements containing 1 byte each. + +Signed-off-by: Jann Horn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + mm/page_alloc.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index a9de1dbb9a6c..ef99971c13dd 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -4532,11 +4532,11 @@ refill: + /* Even if we own the page, we do not use atomic_set(). + * This would break get_page_unless_zero() users. + */ +- page_ref_add(page, size - 1); ++ page_ref_add(page, size); + + /* reset page count bias and offset to start of new frag */ + nc->pfmemalloc = page_is_pfmemalloc(page); +- nc->pagecnt_bias = size; ++ nc->pagecnt_bias = size + 1; + nc->offset = size; + } + +@@ -4552,10 +4552,10 @@ refill: + size = nc->size; + #endif + /* OK, page count is 0, we can safely set it */ +- set_page_count(page, size); ++ set_page_count(page, size + 1); + + /* reset page count bias and offset to start of new frag */ +- nc->pagecnt_bias = size; ++ nc->pagecnt_bias = size + 1; + offset = size - fragsz; + } + +-- +2.19.1 + diff --git a/queue-4.19/net-dsa-bcm_sf2-do-not-assume-dsa-master-supports-wo.patch b/queue-4.19/net-dsa-bcm_sf2-do-not-assume-dsa-master-supports-wo.patch new file mode 100644 index 00000000000..47e40e16b28 --- /dev/null +++ b/queue-4.19/net-dsa-bcm_sf2-do-not-assume-dsa-master-supports-wo.patch @@ -0,0 +1,54 @@ +From e1d1ab0dbd532a1df39531500ac67558bc9cbb21 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 15 Feb 2019 12:16:52 -0800 +Subject: net: dsa: bcm_sf2: Do not assume DSA master supports WoL + +[ Upstream commit c3152ec4c0691e351f35a2f63347a464b5f35151 ] + +We assume in the bcm_sf2 driver that the DSA master network device +supports ethtool_ops::{get,set}_wol operations, which is not a given. +Avoid de-referencing potentially non-existent function pointers and +check them as we should. + +Fixes: 96e65d7f3f88 ("net: dsa: bcm_sf2: add support for Wake-on-LAN") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/bcm_sf2.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c +index bb26a193361e..2fa2caf7a746 100644 +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -724,10 +724,11 @@ static void bcm_sf2_sw_get_wol(struct dsa_switch *ds, int port, + { + struct net_device *p = ds->ports[port].cpu_dp->master; + struct bcm_sf2_priv *priv = bcm_sf2_to_priv(ds); +- struct ethtool_wolinfo pwol; ++ struct ethtool_wolinfo pwol = { }; + + /* Get the parent device WoL settings */ +- p->ethtool_ops->get_wol(p, &pwol); ++ if (p->ethtool_ops->get_wol) ++ p->ethtool_ops->get_wol(p, &pwol); + + /* Advertise the parent device supported settings */ + wol->supported = pwol.supported; +@@ -748,9 +749,10 @@ static int bcm_sf2_sw_set_wol(struct dsa_switch *ds, int port, + struct net_device *p = ds->ports[port].cpu_dp->master; + struct bcm_sf2_priv *priv = bcm_sf2_to_priv(ds); + s8 cpu_port = ds->ports[port].cpu_dp->index; +- struct ethtool_wolinfo pwol; ++ struct ethtool_wolinfo pwol = { }; + +- p->ethtool_ops->get_wol(p, &pwol); ++ if (p->ethtool_ops->get_wol) ++ p->ethtool_ops->get_wol(p, &pwol); + if (wol->wolopts & ~pwol.supported) + return -EINVAL; + +-- +2.19.1 + diff --git a/queue-4.19/net-dsa-bcm_sf2-potential-array-overflow-in-bcm_sf2_.patch b/queue-4.19/net-dsa-bcm_sf2-potential-array-overflow-in-bcm_sf2_.patch new file mode 100644 index 00000000000..65a800f3c19 --- /dev/null +++ b/queue-4.19/net-dsa-bcm_sf2-potential-array-overflow-in-bcm_sf2_.patch @@ -0,0 +1,39 @@ +From aac8c28cbe187babf45a139a3c097873c1ece6d5 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 13 Feb 2019 11:23:04 +0300 +Subject: net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw_suspend() + +[ Upstream commit 8d6ea932856c7087ce8c3d0e79494b7d5386f962 ] + +The value of ->num_ports comes from bcm_sf2_sw_probe() and it is less +than or equal to DSA_MAX_PORTS. The ds->ports[] array is used inside +the dsa_is_user_port() and dsa_is_cpu_port() functions. The ds->ports[] +array is allocated in dsa_switch_alloc() and it has ds->num_ports +elements so this leads to a static checker warning about a potential out +of bounds read. + +Fixes: 8cfa94984c9c ("net: dsa: bcm_sf2: add suspend/resume callbacks") +Signed-off-by: Dan Carpenter +Reviewed-by: Vivien Didelot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/bcm_sf2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c +index fc8b48adf38b..bb26a193361e 100644 +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -692,7 +692,7 @@ static int bcm_sf2_sw_suspend(struct dsa_switch *ds) + * port, the other ones have already been disabled during + * bcm_sf2_sw_setup + */ +- for (port = 0; port < DSA_MAX_PORTS; port++) { ++ for (port = 0; port < ds->num_ports; port++) { + if (dsa_is_user_port(ds, port) || dsa_is_cpu_port(ds, port)) + bcm_sf2_port_disable(ds, port, NULL); + } +-- +2.19.1 + diff --git a/queue-4.19/net-hns-fix-object-reference-leaks-in-hns_dsaf_roce_.patch b/queue-4.19/net-hns-fix-object-reference-leaks-in-hns_dsaf_roce_.patch new file mode 100644 index 00000000000..850bdf0663b --- /dev/null +++ b/queue-4.19/net-hns-fix-object-reference-leaks-in-hns_dsaf_roce_.patch @@ -0,0 +1,40 @@ +From d7f8f51ab82906e57af3361c6b6bf4d29706a5d4 Mon Sep 17 00:00:00 2001 +From: Huang Zijiang +Date: Thu, 14 Feb 2019 14:41:45 +0800 +Subject: net: hns: Fix object reference leaks in hns_dsaf_roce_reset() + +[ Upstream commit c969c6e7ab8cb42b5c787c567615474fdbad9d6a ] + +The of_find_device_by_node() takes a reference to the underlying device +structure, we should release that reference. + +Signed-off-by: Huang Zijiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c +index 3b9e74be5fbd..b8155f5e71b4 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c +@@ -3081,6 +3081,7 @@ int hns_dsaf_roce_reset(struct fwnode_handle *dsaf_fwnode, bool dereset) + dsaf_dev = dev_get_drvdata(&pdev->dev); + if (!dsaf_dev) { + dev_err(&pdev->dev, "dsaf_dev is NULL\n"); ++ put_device(&pdev->dev); + return -ENODEV; + } + +@@ -3088,6 +3089,7 @@ int hns_dsaf_roce_reset(struct fwnode_handle *dsaf_fwnode, bool dereset) + if (AE_IS_VER1(dsaf_dev->dsaf_ver)) { + dev_err(dsaf_dev->dev, "%s v1 chip doesn't support RoCE!\n", + dsaf_dev->ae_dev.name); ++ put_device(&pdev->dev); + return -ENODEV; + } + +-- +2.19.1 + diff --git a/queue-4.19/net-marvell-mvneta-fix-dma-debug-warning.patch b/queue-4.19/net-marvell-mvneta-fix-dma-debug-warning.patch new file mode 100644 index 00000000000..0f6e4536e57 --- /dev/null +++ b/queue-4.19/net-marvell-mvneta-fix-dma-debug-warning.patch @@ -0,0 +1,58 @@ +From 8df5a476013634a7bb434b1582862d3e24fa81d6 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Fri, 15 Feb 2019 13:55:47 +0000 +Subject: net: marvell: mvneta: fix DMA debug warning + +[ Upstream commit a8fef9ba58c9966ddb1fec916d8d8137c9d8bc89 ] + +Booting 4.20 on SolidRun Clearfog issues this warning with DMA API +debug enabled: + +WARNING: CPU: 0 PID: 555 at kernel/dma/debug.c:1230 check_sync+0x514/0x5bc +mvneta f1070000.ethernet: DMA-API: device driver tries to sync DMA memory it has not allocated [device address=0x000000002dd7dc00] [size=240 bytes] +Modules linked in: ahci mv88e6xxx dsa_core xhci_plat_hcd xhci_hcd devlink armada_thermal marvell_cesa des_generic ehci_orion phy_armada38x_comphy mcp3021 spi_orion evbug sfp mdio_i2c ip_tables x_tables +CPU: 0 PID: 555 Comm: bridge-network- Not tainted 4.20.0+ #291 +Hardware name: Marvell Armada 380/385 (Device Tree) +[] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[] (show_stack) from [] (dump_stack+0x9c/0xd4) +[] (dump_stack) from [] (__warn+0xf8/0x124) +[] (__warn) from [] (warn_slowpath_fmt+0x38/0x48) +[] (warn_slowpath_fmt) from [] (check_sync+0x514/0x5bc) +[] (check_sync) from [] (debug_dma_sync_single_range_for_cpu+0x6c/0x74) +[] (debug_dma_sync_single_range_for_cpu) from [] (mvneta_poll+0x298/0xf58) +[] (mvneta_poll) from [] (net_rx_action+0x128/0x424) +[] (net_rx_action) from [] (__do_softirq+0xf0/0x540) +[] (__do_softirq) from [] (irq_exit+0x124/0x144) +[] (irq_exit) from [] (__handle_domain_irq+0x58/0xb0) +[] (__handle_domain_irq) from [] (gic_handle_irq+0x48/0x98) +[] (gic_handle_irq) from [] (__irq_svc+0x70/0x98) +... + +This appears to be caused by mvneta_rx_hwbm() calling +dma_sync_single_range_for_cpu() with the wrong struct device pointer, +as the buffer manager device pointer is used to map and unmap the +buffer. Fix this. + +Signed-off-by: Russell King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvneta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index a78a39244b79..2ba0d89aaf3c 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -2147,7 +2147,7 @@ err_drop_frame: + if (unlikely(!skb)) + goto err_drop_frame_ret_pool; + +- dma_sync_single_range_for_cpu(dev->dev.parent, ++ dma_sync_single_range_for_cpu(&pp->bm_priv->pdev->dev, + rx_desc->buf_phys_addr, + MVNETA_MH_SIZE + NET_SKB_PAD, + rx_bytes, +-- +2.19.1 + diff --git a/queue-4.19/net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch b/queue-4.19/net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch new file mode 100644 index 00000000000..bed52d5b003 --- /dev/null +++ b/queue-4.19/net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch @@ -0,0 +1,48 @@ +From 8d6f3a586e717ec238acb977d06b76b1760a569d Mon Sep 17 00:00:00 2001 +From: Alexey Khoroshilov +Date: Sat, 16 Feb 2019 00:20:54 +0300 +Subject: net: mv643xx_eth: disable clk on error path in + mv643xx_eth_shared_probe() + +[ Upstream commit e928b5d6b75e239feb9c6d5488974b6646a0ebc8 ] + +If mv643xx_eth_shared_of_probe() fails, mv643xx_eth_shared_probe() +leaves clk enabled. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mv643xx_eth.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c +index 62f204f32316..59007d6cd36d 100644 +--- a/drivers/net/ethernet/marvell/mv643xx_eth.c ++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c +@@ -2886,7 +2886,7 @@ static int mv643xx_eth_shared_probe(struct platform_device *pdev) + + ret = mv643xx_eth_shared_of_probe(pdev); + if (ret) +- return ret; ++ goto err_put_clk; + pd = dev_get_platdata(&pdev->dev); + + msp->tx_csum_limit = (pd != NULL && pd->tx_csum_limit) ? +@@ -2894,6 +2894,11 @@ static int mv643xx_eth_shared_probe(struct platform_device *pdev) + infer_hw_params(msp); + + return 0; ++ ++err_put_clk: ++ if (!IS_ERR(msp->clk)) ++ clk_disable_unprepare(msp->clk); ++ return ret; + } + + static int mv643xx_eth_shared_remove(struct platform_device *pdev) +-- +2.19.1 + diff --git a/queue-4.19/net-set-static-variable-an-initial-value-in-atl2_pro.patch b/queue-4.19/net-set-static-variable-an-initial-value-in-atl2_pro.patch new file mode 100644 index 00000000000..41dc5496020 --- /dev/null +++ b/queue-4.19/net-set-static-variable-an-initial-value-in-atl2_pro.patch @@ -0,0 +1,40 @@ +From 95d0dd5ad09b43ffd5d91892d35c44ad77377e3e Mon Sep 17 00:00:00 2001 +From: Mao Wenan +Date: Fri, 22 Feb 2019 14:57:23 +0800 +Subject: net: set static variable an initial value in atl2_probe() + +[ Upstream commit 4593403fa516a5a4cffe6883c5062d60932cbfbe ] + +cards_found is a static variable, but when it enters atl2_probe(), +cards_found is set to zero, the value is not consistent with last probe, +so next behavior is not our expect. + +Signed-off-by: Mao Wenan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/atlx/atl2.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/atheros/atlx/atl2.c b/drivers/net/ethernet/atheros/atlx/atl2.c +index bb41becb6609..31ff1e0d1baa 100644 +--- a/drivers/net/ethernet/atheros/atlx/atl2.c ++++ b/drivers/net/ethernet/atheros/atlx/atl2.c +@@ -1335,13 +1335,11 @@ static int atl2_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + { + struct net_device *netdev; + struct atl2_adapter *adapter; +- static int cards_found; ++ static int cards_found = 0; + unsigned long mmio_start; + int mmio_len; + int err; + +- cards_found = 0; +- + err = pci_enable_device(pdev); + if (err) + return err; +-- +2.19.1 + diff --git a/queue-4.19/net-systemport-fix-reception-of-bpdus.patch b/queue-4.19/net-systemport-fix-reception-of-bpdus.patch new file mode 100644 index 00000000000..b4549fb8089 --- /dev/null +++ b/queue-4.19/net-systemport-fix-reception-of-bpdus.patch @@ -0,0 +1,38 @@ +From 1b7b690b0192e5818679b0c1e90c9f7f1ccf602b Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 15 Feb 2019 12:16:51 -0800 +Subject: net: systemport: Fix reception of BPDUs + +[ Upstream commit a40061ea2e39494104602b3048751341bda374a1 ] + +SYSTEMPORT has its RXCHK parser block that attempts to validate the +packet structures, unfortunately setting the L2 header check bit will +cause Bridge PDUs (BPDUs) to be incorrectly rejected because they look +like LLC/SNAP packets with a non-IPv4 or non-IPv6 Ethernet Type. + +Fixes: 4e8aedfe78c7 ("net: systemport: Turn on offloads by default") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c +index fc16b2b0d0e9..0bdbc72605e1 100644 +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -134,6 +134,10 @@ static int bcm_sysport_set_rx_csum(struct net_device *dev, + + priv->rx_chk_en = !!(wanted & NETIF_F_RXCSUM); + reg = rxchk_readl(priv, RXCHK_CONTROL); ++ /* Clear L2 header checks, which would prevent BPDUs ++ * from being received. ++ */ ++ reg &= ~RXCHK_L2_HDR_DIS; + if (priv->rx_chk_en) + reg |= RXCHK_EN; + else +-- +2.19.1 + diff --git a/queue-4.19/net-thunderx-add-nicvf_send_msg_to_pf-result-check-f.patch b/queue-4.19/net-thunderx-add-nicvf_send_msg_to_pf-result-check-f.patch new file mode 100644 index 00000000000..c653509d133 --- /dev/null +++ b/queue-4.19/net-thunderx-add-nicvf_send_msg_to_pf-result-check-f.patch @@ -0,0 +1,69 @@ +From 67324ba376f6a66d0f112e1c1e48c6a9dce5fac6 Mon Sep 17 00:00:00 2001 +From: Vadim Lomovtsev +Date: Wed, 20 Feb 2019 11:02:44 +0000 +Subject: net: thunderx: add nicvf_send_msg_to_pf result check for + set_rx_mode_task + +[ Upstream commit 7db730d9d2f7b6af6aeac621b1890ea477a0cb8d ] + +The rx_set_mode invokes number of messages to be send to PF for receive +mode configuration. In case if there any issues we need to stop sending +messages and release allocated memory. + +This commit is to implement check of nicvf_msg_send_to_pf() result. + +Signed-off-by: Vadim Lomovtsev +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/nicvf_main.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +index 4eb24e10ba4d..9800738448ec 100644 +--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +@@ -1950,7 +1950,8 @@ static void __nicvf_set_rx_mode_task(u8 mode, struct xcast_addr_list *mc_addrs, + + /* flush DMAC filters and reset RX mode */ + mbx.xcast.msg = NIC_MBOX_MSG_RESET_XCAST; +- nicvf_send_msg_to_pf(nic, &mbx); ++ if (nicvf_send_msg_to_pf(nic, &mbx) < 0) ++ goto free_mc; + + if (mode & BGX_XCAST_MCAST_FILTER) { + /* once enabling filtering, we need to signal to PF to add +@@ -1958,7 +1959,8 @@ static void __nicvf_set_rx_mode_task(u8 mode, struct xcast_addr_list *mc_addrs, + */ + mbx.xcast.msg = NIC_MBOX_MSG_ADD_MCAST; + mbx.xcast.data.mac = 0; +- nicvf_send_msg_to_pf(nic, &mbx); ++ if (nicvf_send_msg_to_pf(nic, &mbx) < 0) ++ goto free_mc; + } + + /* check if we have any specific MACs to be added to PF DMAC filter */ +@@ -1967,9 +1969,9 @@ static void __nicvf_set_rx_mode_task(u8 mode, struct xcast_addr_list *mc_addrs, + for (idx = 0; idx < mc_addrs->count; idx++) { + mbx.xcast.msg = NIC_MBOX_MSG_ADD_MCAST; + mbx.xcast.data.mac = mc_addrs->mc[idx]; +- nicvf_send_msg_to_pf(nic, &mbx); ++ if (nicvf_send_msg_to_pf(nic, &mbx) < 0) ++ goto free_mc; + } +- kfree(mc_addrs); + } + + /* and finally set rx mode for PF accordingly */ +@@ -1977,6 +1979,8 @@ static void __nicvf_set_rx_mode_task(u8 mode, struct xcast_addr_list *mc_addrs, + mbx.xcast.data.mode = mode; + + nicvf_send_msg_to_pf(nic, &mbx); ++free_mc: ++ kfree(mc_addrs); + } + + static void nicvf_set_rx_mode_task(struct work_struct *work_arg) +-- +2.19.1 + diff --git a/queue-4.19/net-thunderx-make-cfg_done-message-to-run-through-ge.patch b/queue-4.19/net-thunderx-make-cfg_done-message-to-run-through-ge.patch new file mode 100644 index 00000000000..19f06b43d02 --- /dev/null +++ b/queue-4.19/net-thunderx-make-cfg_done-message-to-run-through-ge.patch @@ -0,0 +1,78 @@ +From 7407dee6b3cecfe021d05011ed2b35ea4ba4ef3c Mon Sep 17 00:00:00 2001 +From: Vadim Lomovtsev +Date: Wed, 20 Feb 2019 11:02:43 +0000 +Subject: net: thunderx: make CFG_DONE message to run through generic send-ack + sequence + +[ Upstream commit 0dd563b9a62c4cbabf5d4fd6596440c2491e72b1 ] + +At the end of NIC VF initialization VF sends CFG_DONE message to PF without +using nicvf_msg_send_to_pf routine. This potentially could re-write data in +mailbox. This commit is to implement common way of sending CFG_DONE message +by the same way with other configuration messages by using +nicvf_send_msg_to_pf() routine. + +Signed-off-by: Vadim Lomovtsev +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/nic_main.c | 2 +- + drivers/net/ethernet/cavium/thunder/nicvf_main.c | 15 ++++++++++++--- + 2 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/nic_main.c b/drivers/net/ethernet/cavium/thunder/nic_main.c +index 6c8dcb65ff03..90497a27df18 100644 +--- a/drivers/net/ethernet/cavium/thunder/nic_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nic_main.c +@@ -1039,7 +1039,7 @@ static void nic_handle_mbx_intr(struct nicpf *nic, int vf) + case NIC_MBOX_MSG_CFG_DONE: + /* Last message of VF config msg sequence */ + nic_enable_vf(nic, vf, true); +- goto unlock; ++ break; + case NIC_MBOX_MSG_SHUTDOWN: + /* First msg in VF teardown sequence */ + if (vf >= nic->num_vf_en) +diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +index 88f8a8fa93cd..4eb24e10ba4d 100644 +--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +@@ -172,6 +172,17 @@ static int nicvf_check_pf_ready(struct nicvf *nic) + return 1; + } + ++static void nicvf_send_cfg_done(struct nicvf *nic) ++{ ++ union nic_mbx mbx = {}; ++ ++ mbx.msg.msg = NIC_MBOX_MSG_CFG_DONE; ++ if (nicvf_send_msg_to_pf(nic, &mbx)) { ++ netdev_err(nic->netdev, ++ "PF didn't respond to CFG DONE msg\n"); ++ } ++} ++ + static void nicvf_read_bgx_stats(struct nicvf *nic, struct bgx_stats_msg *bgx) + { + if (bgx->rx) +@@ -1416,7 +1427,6 @@ int nicvf_open(struct net_device *netdev) + struct nicvf *nic = netdev_priv(netdev); + struct queue_set *qs = nic->qs; + struct nicvf_cq_poll *cq_poll = NULL; +- union nic_mbx mbx = {}; + + netif_carrier_off(netdev); + +@@ -1512,8 +1522,7 @@ int nicvf_open(struct net_device *netdev) + nicvf_enable_intr(nic, NICVF_INTR_RBDR, qidx); + + /* Send VF config done msg to PF */ +- mbx.msg.msg = NIC_MBOX_MSG_CFG_DONE; +- nicvf_write_to_mbx(nic, &mbx); ++ nicvf_send_cfg_done(nic); + + return 0; + cleanup: +-- +2.19.1 + diff --git a/queue-4.19/netfilter-compat-initialize-all-fields-in-xt_init.patch b/queue-4.19/netfilter-compat-initialize-all-fields-in-xt_init.patch new file mode 100644 index 00000000000..7b975ca9eca --- /dev/null +++ b/queue-4.19/netfilter-compat-initialize-all-fields-in-xt_init.patch @@ -0,0 +1,69 @@ +From ae78c9c5e681bfd62037106c229738bcf9bf478c Mon Sep 17 00:00:00 2001 +From: Francesco Ruggeri +Date: Sun, 10 Feb 2019 11:58:29 -0800 +Subject: netfilter: compat: initialize all fields in xt_init + +[ Upstream commit 8d29d16d21342a0c86405d46de0c4ac5daf1760f ] + +If a non zero value happens to be in xt[NFPROTO_BRIDGE].cur at init +time, the following panic can be caused by running + +% ebtables -t broute -F BROUTING + +from a 32-bit user level on a 64-bit kernel. This patch replaces +kmalloc_array with kcalloc when allocating xt. + +[ 474.680846] BUG: unable to handle kernel paging request at 0000000009600920 +[ 474.687869] PGD 2037006067 P4D 2037006067 PUD 2038938067 PMD 0 +[ 474.693838] Oops: 0000 [#1] SMP +[ 474.697055] CPU: 9 PID: 4662 Comm: ebtables Kdump: loaded Not tainted 4.19.17-11302235.AroraKernelnext.fc18.x86_64 #1 +[ 474.707721] Hardware name: Supermicro X9DRT/X9DRT, BIOS 3.0 06/28/2013 +[ 474.714313] RIP: 0010:xt_compat_calc_jump+0x2f/0x63 [x_tables] +[ 474.720201] Code: 40 0f b6 ff 55 31 c0 48 6b ff 70 48 03 3d dc 45 00 00 48 89 e5 8b 4f 6c 4c 8b 47 60 ff c9 39 c8 7f 2f 8d 14 08 d1 fa 48 63 fa <41> 39 34 f8 4c 8d 0c fd 00 00 00 00 73 05 8d 42 01 eb e1 76 05 8d +[ 474.739023] RSP: 0018:ffffc9000943fc58 EFLAGS: 00010207 +[ 474.744296] RAX: 0000000000000000 RBX: ffffc90006465000 RCX: 0000000002580249 +[ 474.751485] RDX: 00000000012c0124 RSI: fffffffff7be17e9 RDI: 00000000012c0124 +[ 474.758670] RBP: ffffc9000943fc58 R08: 0000000000000000 R09: ffffffff8117cf8f +[ 474.765855] R10: ffffc90006477000 R11: 0000000000000000 R12: 0000000000000001 +[ 474.773048] R13: 0000000000000000 R14: ffffc9000943fcb8 R15: ffffc9000943fcb8 +[ 474.780234] FS: 0000000000000000(0000) GS:ffff88a03f840000(0063) knlGS:00000000f7ac7700 +[ 474.788612] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 +[ 474.794632] CR2: 0000000009600920 CR3: 0000002037422006 CR4: 00000000000606e0 +[ 474.802052] Call Trace: +[ 474.804789] compat_do_replace+0x1fb/0x2a3 [ebtables] +[ 474.810105] compat_do_ebt_set_ctl+0x69/0xe6 [ebtables] +[ 474.815605] ? try_module_get+0x37/0x42 +[ 474.819716] compat_nf_setsockopt+0x4f/0x6d +[ 474.824172] compat_ip_setsockopt+0x7e/0x8c +[ 474.828641] compat_raw_setsockopt+0x16/0x3a +[ 474.833220] compat_sock_common_setsockopt+0x1d/0x24 +[ 474.838458] __compat_sys_setsockopt+0x17e/0x1b1 +[ 474.843343] ? __check_object_size+0x76/0x19a +[ 474.847960] __ia32_compat_sys_socketcall+0x1cb/0x25b +[ 474.853276] do_fast_syscall_32+0xaf/0xf6 +[ 474.857548] entry_SYSENTER_compat+0x6b/0x7a + +Signed-off-by: Francesco Ruggeri +Acked-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/x_tables.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index aecadd471e1d..13e1ac333fa4 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -1899,7 +1899,7 @@ static int __init xt_init(void) + seqcount_init(&per_cpu(xt_recseq, i)); + } + +- xt = kmalloc_array(NFPROTO_NUMPROTO, sizeof(struct xt_af), GFP_KERNEL); ++ xt = kcalloc(NFPROTO_NUMPROTO, sizeof(struct xt_af), GFP_KERNEL); + if (!xt) + return -ENOMEM; + +-- +2.19.1 + diff --git a/queue-4.19/nfp-bpf-fix-alu32-high-bits-clearance-bug.patch b/queue-4.19/nfp-bpf-fix-alu32-high-bits-clearance-bug.patch new file mode 100644 index 00000000000..d2f11481a0e --- /dev/null +++ b/queue-4.19/nfp-bpf-fix-alu32-high-bits-clearance-bug.patch @@ -0,0 +1,96 @@ +From 75dcff174751ef23eaf84aedee75228aa514b774 Mon Sep 17 00:00:00 2001 +From: Jiong Wang +Date: Fri, 22 Feb 2019 22:36:04 +0000 +Subject: nfp: bpf: fix ALU32 high bits clearance bug + +[ Upstream commit f036ebd9bfbe1e91a3d855e85e05fc5ff156b641 ] + +NFP BPF JIT compiler is doing a couple of small optimizations when jitting +ALU imm instructions, some of these optimizations could save code-gen, for +example: + + A & -1 = A + A | 0 = A + A ^ 0 = A + +However, for ALU32, high 32-bit of the 64-bit register should still be +cleared according to ISA semantics. + +Fixes: cd7df56ed3e6 ("nfp: add BPF to NFP code translator") +Reviewed-by: Jakub Kicinski +Signed-off-by: Jiong Wang +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/netronome/nfp/bpf/jit.c | 17 ++++++----------- + 1 file changed, 6 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/netronome/nfp/bpf/jit.c b/drivers/net/ethernet/netronome/nfp/bpf/jit.c +index 0a934296ea53..4e18d95e548f 100644 +--- a/drivers/net/ethernet/netronome/nfp/bpf/jit.c ++++ b/drivers/net/ethernet/netronome/nfp/bpf/jit.c +@@ -1288,15 +1288,10 @@ wrp_alu64_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta, + + static int + wrp_alu32_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta, +- enum alu_op alu_op, bool skip) ++ enum alu_op alu_op) + { + const struct bpf_insn *insn = &meta->insn; + +- if (skip) { +- meta->skip = true; +- return 0; +- } +- + wrp_alu_imm(nfp_prog, insn->dst_reg * 2, alu_op, insn->imm); + wrp_immed(nfp_prog, reg_both(insn->dst_reg * 2 + 1), 0); + +@@ -2306,7 +2301,7 @@ static int xor_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + + static int xor_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + { +- return wrp_alu32_imm(nfp_prog, meta, ALU_OP_XOR, !meta->insn.imm); ++ return wrp_alu32_imm(nfp_prog, meta, ALU_OP_XOR); + } + + static int and_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) +@@ -2316,7 +2311,7 @@ static int and_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + + static int and_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + { +- return wrp_alu32_imm(nfp_prog, meta, ALU_OP_AND, !~meta->insn.imm); ++ return wrp_alu32_imm(nfp_prog, meta, ALU_OP_AND); + } + + static int or_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) +@@ -2326,7 +2321,7 @@ static int or_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + + static int or_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + { +- return wrp_alu32_imm(nfp_prog, meta, ALU_OP_OR, !meta->insn.imm); ++ return wrp_alu32_imm(nfp_prog, meta, ALU_OP_OR); + } + + static int add_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) +@@ -2336,7 +2331,7 @@ static int add_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + + static int add_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + { +- return wrp_alu32_imm(nfp_prog, meta, ALU_OP_ADD, !meta->insn.imm); ++ return wrp_alu32_imm(nfp_prog, meta, ALU_OP_ADD); + } + + static int sub_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) +@@ -2346,7 +2341,7 @@ static int sub_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + + static int sub_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + { +- return wrp_alu32_imm(nfp_prog, meta, ALU_OP_SUB, !meta->insn.imm); ++ return wrp_alu32_imm(nfp_prog, meta, ALU_OP_SUB); + } + + static int mul_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) +-- +2.19.1 + diff --git a/queue-4.19/nfp-bpf-fix-code-gen-bug-on-bpf_alu-bpf_xor-bpf_k.patch b/queue-4.19/nfp-bpf-fix-code-gen-bug-on-bpf_alu-bpf_xor-bpf_k.patch new file mode 100644 index 00000000000..0e843c5c6ca --- /dev/null +++ b/queue-4.19/nfp-bpf-fix-code-gen-bug-on-bpf_alu-bpf_xor-bpf_k.patch @@ -0,0 +1,34 @@ +From a0954a3a8f0d18ac65f654ba493fbf9d89470bf3 Mon Sep 17 00:00:00 2001 +From: Jiong Wang +Date: Fri, 22 Feb 2019 22:36:03 +0000 +Subject: nfp: bpf: fix code-gen bug on BPF_ALU | BPF_XOR | BPF_K + +[ Upstream commit 71c190249f0ced5b26377ea6bf829ab3af77a40c ] + +The intended optimization should be A ^ 0 = A, not A ^ -1 = A. + +Fixes: cd7df56ed3e6 ("nfp: add BPF to NFP code translator") +Reviewed-by: Jakub Kicinski +Signed-off-by: Jiong Wang +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/netronome/nfp/bpf/jit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/netronome/nfp/bpf/jit.c b/drivers/net/ethernet/netronome/nfp/bpf/jit.c +index eff57f7d056a..0a934296ea53 100644 +--- a/drivers/net/ethernet/netronome/nfp/bpf/jit.c ++++ b/drivers/net/ethernet/netronome/nfp/bpf/jit.c +@@ -2306,7 +2306,7 @@ static int xor_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + + static int xor_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + { +- return wrp_alu32_imm(nfp_prog, meta, ALU_OP_XOR, !~meta->insn.imm); ++ return wrp_alu32_imm(nfp_prog, meta, ALU_OP_XOR, !meta->insn.imm); + } + + static int and_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) +-- +2.19.1 + diff --git a/queue-4.19/nfs-don-t-use-page_file_mapping-after-removing-the-p.patch b/queue-4.19/nfs-don-t-use-page_file_mapping-after-removing-the-p.patch new file mode 100644 index 00000000000..683116ed93a --- /dev/null +++ b/queue-4.19/nfs-don-t-use-page_file_mapping-after-removing-the-p.patch @@ -0,0 +1,67 @@ +From 9884b3cdfef8d7d7324a23d8f688a96cef0b89b2 Mon Sep 17 00:00:00 2001 +From: Benjamin Coddington +Date: Wed, 6 Feb 2019 06:09:43 -0500 +Subject: NFS: Don't use page_file_mapping after removing the page + +[ Upstream commit d2ceb7e57086750ea6198a31fd942d98099a0786 ] + +If nfs_page_async_flush() removes the page from the mapping, then we can't +use page_file_mapping() on it as nfs_updatepate() is wont to do when +receiving an error. Instead, push the mapping to the stack before the page +is possibly truncated. + +Fixes: 8fc75bed96bb ("NFS: Fix up return value on fatal errors in nfs_page_async_flush()") +Signed-off-by: Benjamin Coddington +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/write.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/fs/nfs/write.c b/fs/nfs/write.c +index d790faff8e47..51d0b7913c04 100644 +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -238,9 +238,9 @@ out: + } + + /* A writeback failed: mark the page as bad, and invalidate the page cache */ +-static void nfs_set_pageerror(struct page *page) ++static void nfs_set_pageerror(struct address_space *mapping) + { +- nfs_zap_mapping(page_file_mapping(page)->host, page_file_mapping(page)); ++ nfs_zap_mapping(mapping->host, mapping); + } + + /* +@@ -994,7 +994,7 @@ static void nfs_write_completion(struct nfs_pgio_header *hdr) + nfs_list_remove_request(req); + if (test_bit(NFS_IOHDR_ERROR, &hdr->flags) && + (hdr->good_bytes < bytes)) { +- nfs_set_pageerror(req->wb_page); ++ nfs_set_pageerror(page_file_mapping(req->wb_page)); + nfs_context_set_write_error(req->wb_context, hdr->error); + goto remove_req; + } +@@ -1330,7 +1330,8 @@ int nfs_updatepage(struct file *file, struct page *page, + unsigned int offset, unsigned int count) + { + struct nfs_open_context *ctx = nfs_file_open_context(file); +- struct inode *inode = page_file_mapping(page)->host; ++ struct address_space *mapping = page_file_mapping(page); ++ struct inode *inode = mapping->host; + int status = 0; + + nfs_inc_stats(inode, NFSIOS_VFSUPDATEPAGE); +@@ -1348,7 +1349,7 @@ int nfs_updatepage(struct file *file, struct page *page, + + status = nfs_writepage_setup(ctx, page, offset, count); + if (status < 0) +- nfs_set_pageerror(page); ++ nfs_set_pageerror(mapping); + else + __set_page_dirty_nobuffers(page); + out: +-- +2.19.1 + diff --git a/queue-4.19/phonet-fix-building-with-clang.patch b/queue-4.19/phonet-fix-building-with-clang.patch new file mode 100644 index 00000000000..470d69258fa --- /dev/null +++ b/queue-4.19/phonet-fix-building-with-clang.patch @@ -0,0 +1,184 @@ +From 02933e9d58157582e54ddc58ea792ab6f13d0317 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 19 Feb 2019 22:53:50 +0100 +Subject: phonet: fix building with clang +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 6321aa197547da397753757bd84c6ce64b3e3d89 ] + +clang warns about overflowing the data[] member in the struct pnpipehdr: + +net/phonet/pep.c:295:8: warning: array index 4 is past the end of the array (which contains 1 element) [-Warray-bounds] + if (hdr->data[4] == PEP_IND_READY) + ^ ~ +include/net/phonet/pep.h:66:3: note: array 'data' declared here + u8 data[1]; + +Using a flexible array member at the end of the struct avoids the +warning, but since we cannot have a flexible array member inside +of the union, each index now has to be moved back by one, which +makes it a little uglier. + +Signed-off-by: Arnd Bergmann +Acked-by: Rémi Denis-Courmont +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/phonet/pep.h | 5 +++-- + net/phonet/pep.c | 32 ++++++++++++++++---------------- + 2 files changed, 19 insertions(+), 18 deletions(-) + +diff --git a/include/net/phonet/pep.h b/include/net/phonet/pep.h +index b669fe6dbc3b..98f31c7ea23d 100644 +--- a/include/net/phonet/pep.h ++++ b/include/net/phonet/pep.h +@@ -63,10 +63,11 @@ struct pnpipehdr { + u8 state_after_reset; /* reset request */ + u8 error_code; /* any response */ + u8 pep_type; /* status indication */ +- u8 data[1]; ++ u8 data0; /* anything else */ + }; ++ u8 data[]; + }; +-#define other_pep_type data[1] ++#define other_pep_type data[0] + + static inline struct pnpipehdr *pnp_hdr(struct sk_buff *skb) + { +diff --git a/net/phonet/pep.c b/net/phonet/pep.c +index 9fc76b19cd3c..db3473540303 100644 +--- a/net/phonet/pep.c ++++ b/net/phonet/pep.c +@@ -132,7 +132,7 @@ static int pep_indicate(struct sock *sk, u8 id, u8 code, + ph->utid = 0; + ph->message_id = id; + ph->pipe_handle = pn->pipe_handle; +- ph->data[0] = code; ++ ph->error_code = code; + return pn_skb_send(sk, skb, NULL); + } + +@@ -153,7 +153,7 @@ static int pipe_handler_request(struct sock *sk, u8 id, u8 code, + ph->utid = id; /* whatever */ + ph->message_id = id; + ph->pipe_handle = pn->pipe_handle; +- ph->data[0] = code; ++ ph->error_code = code; + return pn_skb_send(sk, skb, NULL); + } + +@@ -208,7 +208,7 @@ static int pep_ctrlreq_error(struct sock *sk, struct sk_buff *oskb, u8 code, + struct pnpipehdr *ph; + struct sockaddr_pn dst; + u8 data[4] = { +- oph->data[0], /* PEP type */ ++ oph->pep_type, /* PEP type */ + code, /* error code, at an unusual offset */ + PAD, PAD, + }; +@@ -221,7 +221,7 @@ static int pep_ctrlreq_error(struct sock *sk, struct sk_buff *oskb, u8 code, + ph->utid = oph->utid; + ph->message_id = PNS_PEP_CTRL_RESP; + ph->pipe_handle = oph->pipe_handle; +- ph->data[0] = oph->data[1]; /* CTRL id */ ++ ph->data0 = oph->data[0]; /* CTRL id */ + + pn_skb_get_src_sockaddr(oskb, &dst); + return pn_skb_send(sk, skb, &dst); +@@ -272,17 +272,17 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb) + return -EINVAL; + + hdr = pnp_hdr(skb); +- if (hdr->data[0] != PN_PEP_TYPE_COMMON) { ++ if (hdr->pep_type != PN_PEP_TYPE_COMMON) { + net_dbg_ratelimited("Phonet unknown PEP type: %u\n", +- (unsigned int)hdr->data[0]); ++ (unsigned int)hdr->pep_type); + return -EOPNOTSUPP; + } + +- switch (hdr->data[1]) { ++ switch (hdr->data[0]) { + case PN_PEP_IND_FLOW_CONTROL: + switch (pn->tx_fc) { + case PN_LEGACY_FLOW_CONTROL: +- switch (hdr->data[4]) { ++ switch (hdr->data[3]) { + case PEP_IND_BUSY: + atomic_set(&pn->tx_credits, 0); + break; +@@ -292,7 +292,7 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb) + } + break; + case PN_ONE_CREDIT_FLOW_CONTROL: +- if (hdr->data[4] == PEP_IND_READY) ++ if (hdr->data[3] == PEP_IND_READY) + atomic_set(&pn->tx_credits, wake = 1); + break; + } +@@ -301,12 +301,12 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb) + case PN_PEP_IND_ID_MCFC_GRANT_CREDITS: + if (pn->tx_fc != PN_MULTI_CREDIT_FLOW_CONTROL) + break; +- atomic_add(wake = hdr->data[4], &pn->tx_credits); ++ atomic_add(wake = hdr->data[3], &pn->tx_credits); + break; + + default: + net_dbg_ratelimited("Phonet unknown PEP indication: %u\n", +- (unsigned int)hdr->data[1]); ++ (unsigned int)hdr->data[0]); + return -EOPNOTSUPP; + } + if (wake) +@@ -318,7 +318,7 @@ static int pipe_rcv_created(struct sock *sk, struct sk_buff *skb) + { + struct pep_sock *pn = pep_sk(sk); + struct pnpipehdr *hdr = pnp_hdr(skb); +- u8 n_sb = hdr->data[0]; ++ u8 n_sb = hdr->data0; + + pn->rx_fc = pn->tx_fc = PN_LEGACY_FLOW_CONTROL; + __skb_pull(skb, sizeof(*hdr)); +@@ -506,7 +506,7 @@ static int pep_connresp_rcv(struct sock *sk, struct sk_buff *skb) + return -ECONNREFUSED; + + /* Parse sub-blocks */ +- n_sb = hdr->data[4]; ++ n_sb = hdr->data[3]; + while (n_sb > 0) { + u8 type, buf[6], len = sizeof(buf); + const u8 *data = pep_get_sb(skb, &type, &len, buf); +@@ -739,7 +739,7 @@ static int pipe_do_remove(struct sock *sk) + ph->utid = 0; + ph->message_id = PNS_PIPE_REMOVE_REQ; + ph->pipe_handle = pn->pipe_handle; +- ph->data[0] = PAD; ++ ph->data0 = PAD; + return pn_skb_send(sk, skb, NULL); + } + +@@ -817,7 +817,7 @@ static struct sock *pep_sock_accept(struct sock *sk, int flags, int *errp, + peer_type = hdr->other_pep_type << 8; + + /* Parse sub-blocks (options) */ +- n_sb = hdr->data[4]; ++ n_sb = hdr->data[3]; + while (n_sb > 0) { + u8 type, buf[1], len = sizeof(buf); + const u8 *data = pep_get_sb(skb, &type, &len, buf); +@@ -1109,7 +1109,7 @@ static int pipe_skb_send(struct sock *sk, struct sk_buff *skb) + ph->utid = 0; + if (pn->aligned) { + ph->message_id = PNS_PIPE_ALIGNED_DATA; +- ph->data[0] = 0; /* padding */ ++ ph->data0 = 0; /* padding */ + } else + ph->message_id = PNS_PIPE_DATA; + ph->pipe_handle = pn->pipe_handle; +-- +2.19.1 + diff --git a/queue-4.19/pinctrl-meson-meson8b-fix-the-sdxc_a-data-1.3-pins.patch b/queue-4.19/pinctrl-meson-meson8b-fix-the-sdxc_a-data-1.3-pins.patch new file mode 100644 index 00000000000..6fc7c4be71e --- /dev/null +++ b/queue-4.19/pinctrl-meson-meson8b-fix-the-sdxc_a-data-1.3-pins.patch @@ -0,0 +1,36 @@ +From b442cd4dd8bb0ea789e12e7435cde9fd1c41e930 Mon Sep 17 00:00:00 2001 +From: Martin Blumenstingl +Date: Sat, 9 Feb 2019 02:01:01 +0100 +Subject: pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins + +[ Upstream commit c17abcfa93bf0be5e48bb011607d237ac2bfc839 ] + +Fix the mismatch between the "sdxc_d13_1_a" pin group definition from +meson8b_cbus_groups and the entry in sdxc_a_groups ("sdxc_d0_13_1_a"). +This makes it possible to use "sdxc_d13_1_a" in device-tree files to +route the MMC data 1..3 pins to GPIOX_1..3. + +Fixes: 0fefcb6876d0d6 ("pinctrl: Add support for Meson8b") +Signed-off-by: Martin Blumenstingl +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/meson/pinctrl-meson8b.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/meson/pinctrl-meson8b.c b/drivers/pinctrl/meson/pinctrl-meson8b.c +index 91cffc051055..ead4beb5f55f 100644 +--- a/drivers/pinctrl/meson/pinctrl-meson8b.c ++++ b/drivers/pinctrl/meson/pinctrl-meson8b.c +@@ -665,7 +665,7 @@ static const char * const sd_a_groups[] = { + + static const char * const sdxc_a_groups[] = { + "sdxc_d0_0_a", "sdxc_d13_0_a", "sdxc_d47_a", "sdxc_clk_a", +- "sdxc_cmd_a", "sdxc_d0_1_a", "sdxc_d0_13_1_a" ++ "sdxc_cmd_a", "sdxc_d0_1_a", "sdxc_d13_1_a" + }; + + static const char * const pcm_a_groups[] = { +-- +2.19.1 + diff --git a/queue-4.19/qed-fix-iwarp-buffer-size-provided-for-syn-packet-pr.patch b/queue-4.19/qed-fix-iwarp-buffer-size-provided-for-syn-packet-pr.patch new file mode 100644 index 00000000000..0c36401e3dc --- /dev/null +++ b/queue-4.19/qed-fix-iwarp-buffer-size-provided-for-syn-packet-pr.patch @@ -0,0 +1,90 @@ +From 87a6cd94ecf74fbce916ce061661724e4a4f352d Mon Sep 17 00:00:00 2001 +From: Michal Kalderon +Date: Mon, 18 Feb 2019 15:24:02 +0200 +Subject: qed: Fix iWARP buffer size provided for syn packet processing. + +[ Upstream commit 9addc92730df55e2c05e8d3f69267a89d65bcba8 ] + +The assumption that the maximum size of a syn packet is 128 bytes +is wrong. Tunneling headers were not accounted for. +Allocate buffers large enough for mtu. + +Signed-off-by: Ariel Elior +Signed-off-by: Michal Kalderon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_iwarp.c | 12 ++++++------ + drivers/net/ethernet/qlogic/qed/qed_iwarp.h | 1 - + 2 files changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c +index e860bdf0f752..3c932f79a02e 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c +@@ -2606,7 +2606,7 @@ qed_iwarp_ll2_start(struct qed_hwfn *p_hwfn, + struct qed_iwarp_info *iwarp_info; + struct qed_ll2_acquire_data data; + struct qed_ll2_cbs cbs; +- u32 mpa_buff_size; ++ u32 buff_size; + u16 n_ooo_bufs; + int rc = 0; + int i; +@@ -2633,7 +2633,7 @@ qed_iwarp_ll2_start(struct qed_hwfn *p_hwfn, + + memset(&data, 0, sizeof(data)); + data.input.conn_type = QED_LL2_TYPE_IWARP; +- data.input.mtu = QED_IWARP_MAX_SYN_PKT_SIZE; ++ data.input.mtu = params->max_mtu; + data.input.rx_num_desc = QED_IWARP_LL2_SYN_RX_SIZE; + data.input.tx_num_desc = QED_IWARP_LL2_SYN_TX_SIZE; + data.input.tx_max_bds_per_packet = 1; /* will never be fragmented */ +@@ -2655,9 +2655,10 @@ qed_iwarp_ll2_start(struct qed_hwfn *p_hwfn, + goto err; + } + ++ buff_size = QED_IWARP_MAX_BUF_SIZE(params->max_mtu); + rc = qed_iwarp_ll2_alloc_buffers(p_hwfn, + QED_IWARP_LL2_SYN_RX_SIZE, +- QED_IWARP_MAX_SYN_PKT_SIZE, ++ buff_size, + iwarp_info->ll2_syn_handle); + if (rc) + goto err; +@@ -2711,10 +2712,9 @@ qed_iwarp_ll2_start(struct qed_hwfn *p_hwfn, + if (rc) + goto err; + +- mpa_buff_size = QED_IWARP_MAX_BUF_SIZE(params->max_mtu); + rc = qed_iwarp_ll2_alloc_buffers(p_hwfn, + data.input.rx_num_desc, +- mpa_buff_size, ++ buff_size, + iwarp_info->ll2_mpa_handle); + if (rc) + goto err; +@@ -2727,7 +2727,7 @@ qed_iwarp_ll2_start(struct qed_hwfn *p_hwfn, + + iwarp_info->max_num_partial_fpdus = (u16)p_hwfn->p_rdma_info->num_qps; + +- iwarp_info->mpa_intermediate_buf = kzalloc(mpa_buff_size, GFP_KERNEL); ++ iwarp_info->mpa_intermediate_buf = kzalloc(buff_size, GFP_KERNEL); + if (!iwarp_info->mpa_intermediate_buf) + goto err; + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_iwarp.h b/drivers/net/ethernet/qlogic/qed/qed_iwarp.h +index b8f612d00241..7ac959038324 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_iwarp.h ++++ b/drivers/net/ethernet/qlogic/qed/qed_iwarp.h +@@ -46,7 +46,6 @@ enum qed_iwarp_qp_state qed_roce2iwarp_state(enum qed_roce_qp_state state); + + #define QED_IWARP_LL2_SYN_TX_SIZE (128) + #define QED_IWARP_LL2_SYN_RX_SIZE (256) +-#define QED_IWARP_MAX_SYN_PKT_SIZE (128) + + #define QED_IWARP_LL2_OOO_DEF_TX_SIZE (256) + #define QED_IWARP_MAX_OOO (16) +-- +2.19.1 + diff --git a/queue-4.19/qed-fix-iwarp-syn-packet-mac-address-validation.patch b/queue-4.19/qed-fix-iwarp-syn-packet-mac-address-validation.patch new file mode 100644 index 00000000000..94068160591 --- /dev/null +++ b/queue-4.19/qed-fix-iwarp-syn-packet-mac-address-validation.patch @@ -0,0 +1,42 @@ +From 1da2a224ffa4443ddb0bc6d1d167cc63d81fcf8b Mon Sep 17 00:00:00 2001 +From: Michal Kalderon +Date: Mon, 18 Feb 2019 15:24:03 +0200 +Subject: qed: Fix iWARP syn packet mac address validation. + +[ Upstream commit 8be3dadf04050c2907760ec1955ca1c8fbc25585 ] + +The ll2 forwards all syn packets to the driver without validating the mac +address. Add validation check in the driver's iWARP listener flow and drop +the packet if it isn't intended for the device. + +Signed-off-by: Ariel Elior +Signed-off-by: Michal Kalderon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_iwarp.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c +index 3c932f79a02e..b7471e48db7b 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c +@@ -1689,6 +1689,15 @@ qed_iwarp_parse_rx_pkt(struct qed_hwfn *p_hwfn, + + eth_hlen = ETH_HLEN + (vlan_valid ? sizeof(u32) : 0); + ++ if (!ether_addr_equal(ethh->h_dest, ++ p_hwfn->p_rdma_info->iwarp.mac_addr)) { ++ DP_VERBOSE(p_hwfn, ++ QED_MSG_RDMA, ++ "Got unexpected mac %pM instead of %pM\n", ++ ethh->h_dest, p_hwfn->p_rdma_info->iwarp.mac_addr); ++ return -EINVAL; ++ } ++ + ether_addr_copy(remote_mac_addr, ethh->h_source); + ether_addr_copy(local_mac_addr, ethh->h_dest); + +-- +2.19.1 + diff --git a/queue-4.19/qmi_wwan-apply-set_dtr-quirk-to-sierra-wp7607.patch b/queue-4.19/qmi_wwan-apply-set_dtr-quirk-to-sierra-wp7607.patch new file mode 100644 index 00000000000..60dfa860855 --- /dev/null +++ b/queue-4.19/qmi_wwan-apply-set_dtr-quirk-to-sierra-wp7607.patch @@ -0,0 +1,40 @@ +From 05d0c84d22a6f3f1d21438712bb65c183e657248 Mon Sep 17 00:00:00 2001 +From: Beniamino Galvani +Date: Fri, 15 Feb 2019 13:20:42 +0100 +Subject: qmi_wwan: apply SET_DTR quirk to Sierra WP7607 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 97dc47a1308a3af46a09b1546cfb869f2e382a81 ] + +The 1199:68C0 USB ID is reused by Sierra WP7607 which requires the DTR +quirk to be detected. Apply QMI_QUIRK_SET_DTR unconditionally as +already done for other IDs shared between different devices. + +Signed-off-by: Beniamino Galvani +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 6e381354f658..74bebbdb4b15 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1208,8 +1208,8 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */ + {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */ + {QMI_FIXED_INTF(0x1199, 0x68a2, 19)}, /* Sierra Wireless MC7710 in QMI mode */ +- {QMI_FIXED_INTF(0x1199, 0x68c0, 8)}, /* Sierra Wireless MC7304/MC7354 */ +- {QMI_FIXED_INTF(0x1199, 0x68c0, 10)}, /* Sierra Wireless MC7304/MC7354 */ ++ {QMI_QUIRK_SET_DTR(0x1199, 0x68c0, 8)}, /* Sierra Wireless MC7304/MC7354, WP76xx */ ++ {QMI_QUIRK_SET_DTR(0x1199, 0x68c0, 10)},/* Sierra Wireless MC7304/MC7354 */ + {QMI_FIXED_INTF(0x1199, 0x901c, 8)}, /* Sierra Wireless EM7700 */ + {QMI_FIXED_INTF(0x1199, 0x901f, 8)}, /* Sierra Wireless EM7355 */ + {QMI_FIXED_INTF(0x1199, 0x9041, 8)}, /* Sierra Wireless MC7305/MC7355 */ +-- +2.19.1 + diff --git a/queue-4.19/revert-mm-use-early_pfn_to_nid-in-page_ext_init.patch b/queue-4.19/revert-mm-use-early_pfn_to_nid-in-page_ext_init.patch new file mode 100644 index 00000000000..17d054c6ff7 --- /dev/null +++ b/queue-4.19/revert-mm-use-early_pfn_to_nid-in-page_ext_init.patch @@ -0,0 +1,115 @@ +From dd8d0bef83fb584c7e9b89a3f3bbec5150881a4a Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Tue, 12 Feb 2019 15:36:03 -0800 +Subject: Revert "mm: use early_pfn_to_nid in page_ext_init" + +[ Upstream commit 2f1ee0913ce58efe7f18fbd518bd54c598559b89 ] + +This reverts commit fe53ca54270a ("mm: use early_pfn_to_nid in +page_ext_init"). + +When booting a system with "page_owner=on", + +start_kernel + page_ext_init + invoke_init_callbacks + init_section_page_ext + init_page_owner + init_early_allocated_pages + init_zones_in_node + init_pages_in_zone + lookup_page_ext + page_to_nid + +The issue here is that page_to_nid() will not work since some page flags +have no node information until later in page_alloc_init_late() due to +DEFERRED_STRUCT_PAGE_INIT. Hence, it could trigger an out-of-bounds +access with an invalid nid. + + UBSAN: Undefined behaviour in ./include/linux/mm.h:1104:50 + index 7 is out of range for type 'zone [5]' + +Also, kernel will panic since flags were poisoned earlier with, + +CONFIG_DEBUG_VM_PGFLAGS=y +CONFIG_NODE_NOT_IN_PAGE_FLAGS=n + +start_kernel + setup_arch + pagetable_init + paging_init + sparse_init + sparse_init_nid + memblock_alloc_try_nid_raw + +It did not handle it well in init_pages_in_zone() which ends up calling +page_to_nid(). + + page:ffffea0004200000 is uninitialized and poisoned + raw: ffffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffff + raw: ffffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffff + page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p)) + page_owner info is not active (free page?) + kernel BUG at include/linux/mm.h:990! + RIP: 0010:init_page_owner+0x486/0x520 + +This means that assumptions behind commit fe53ca54270a ("mm: use +early_pfn_to_nid in page_ext_init") are incomplete. Therefore, revert +the commit for now. A proper way to move the page_owner initialization +to sooner is to hook into memmap initialization. + +Link: http://lkml.kernel.org/r/20190115202812.75820-1-cai@lca.pw +Signed-off-by: Qian Cai +Acked-by: Michal Hocko +Cc: Pasha Tatashin +Cc: Mel Gorman +Cc: Yang Shi +Cc: Joonsoo Kim +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + init/main.c | 3 ++- + mm/page_ext.c | 4 +--- + 2 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/init/main.c b/init/main.c +index 18f8f0140fa0..e083fac08aed 100644 +--- a/init/main.c ++++ b/init/main.c +@@ -689,7 +689,6 @@ asmlinkage __visible void __init start_kernel(void) + initrd_start = 0; + } + #endif +- page_ext_init(); + kmemleak_init(); + debug_objects_mem_init(); + setup_per_cpu_pageset(); +@@ -1140,6 +1139,8 @@ static noinline void __init kernel_init_freeable(void) + sched_init_smp(); + + page_alloc_init_late(); ++ /* Initialize page ext after all struct pages are initialized. */ ++ page_ext_init(); + + do_basic_setup(); + +diff --git a/mm/page_ext.c b/mm/page_ext.c +index a9826da84ccb..4961f13b6ec1 100644 +--- a/mm/page_ext.c ++++ b/mm/page_ext.c +@@ -398,10 +398,8 @@ void __init page_ext_init(void) + * We know some arch can have a nodes layout such as + * -------------pfn--------------> + * N0 | N1 | N2 | N0 | N1 | N2|.... +- * +- * Take into account DEFERRED_STRUCT_PAGE_INIT. + */ +- if (early_pfn_to_nid(pfn) != nid) ++ if (pfn_to_nid(pfn) != nid) + continue; + if (init_section_page_ext(pfn, nid)) + goto oom; +-- +2.19.1 + diff --git a/queue-4.19/s390-dasd-fix-using-offset-into-zero-size-array-erro.patch b/queue-4.19/s390-dasd-fix-using-offset-into-zero-size-array-erro.patch new file mode 100644 index 00000000000..33cac7211f6 --- /dev/null +++ b/queue-4.19/s390-dasd-fix-using-offset-into-zero-size-array-erro.patch @@ -0,0 +1,96 @@ +From dec460dc2dd6554fe56ea58eac4d2e19d3da6f76 Mon Sep 17 00:00:00 2001 +From: Stefan Haberland +Date: Wed, 21 Nov 2018 12:39:47 +0100 +Subject: s390/dasd: fix using offset into zero size array error + +[ Upstream commit 4a8ef6999bce998fa5813023a9a6b56eea329dba ] + +Dan Carpenter reported the following: + +The patch 52898025cf7d: "[S390] dasd: security and PSF update patch +for EMC CKD ioctl" from Mar 8, 2010, leads to the following static +checker warning: + + drivers/s390/block/dasd_eckd.c:4486 dasd_symm_io() + error: using offset into zero size array 'psf_data[]' + +drivers/s390/block/dasd_eckd.c + 4458 /* Copy parms from caller */ + 4459 rc = -EFAULT; + 4460 if (copy_from_user(&usrparm, argp, sizeof(usrparm))) + ^^^^^^^ +The user can specify any "usrparm.psf_data_len". They choose zero by +mistake. + + 4461 goto out; + 4462 if (is_compat_task()) { + 4463 /* Make sure pointers are sane even on 31 bit. */ + 4464 rc = -EINVAL; + 4465 if ((usrparm.psf_data >> 32) != 0) + 4466 goto out; + 4467 if ((usrparm.rssd_result >> 32) != 0) + 4468 goto out; + 4469 usrparm.psf_data &= 0x7fffffffULL; + 4470 usrparm.rssd_result &= 0x7fffffffULL; + 4471 } + 4472 /* alloc I/O data area */ + 4473 psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL + | GFP_DMA); + 4474 rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL + | GFP_DMA); + 4475 if (!psf_data || !rssd_result) { + +kzalloc() returns a ZERO_SIZE_PTR (0x16). + + 4476 rc = -ENOMEM; + 4477 goto out_free; + 4478 } + 4479 + 4480 /* get syscall header from user space */ + 4481 rc = -EFAULT; + 4482 if (copy_from_user(psf_data, + 4483 (void __user *)(unsigned long) + usrparm.psf_data, + 4484 usrparm.psf_data_len)) + +That all works great. + + 4485 goto out_free; + 4486 psf0 = psf_data[0]; + 4487 psf1 = psf_data[1]; + +But now we're assuming that "->psf_data_len" was at least 2 bytes. + +Fix this by checking the user specified length psf_data_len. + +Fixes: 52898025cf7d ("[S390] dasd: security and PSF update patch for EMC CKD ioctl") +Reported-by: Dan Carpenter +Signed-off-by: Stefan Haberland +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +--- + drivers/s390/block/dasd_eckd.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c +index 4e7b55a14b1a..6e294b4d3635 100644 +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -4469,6 +4469,14 @@ static int dasd_symm_io(struct dasd_device *device, void __user *argp) + usrparm.psf_data &= 0x7fffffffULL; + usrparm.rssd_result &= 0x7fffffffULL; + } ++ /* at least 2 bytes are accessed and should be allocated */ ++ if (usrparm.psf_data_len < 2) { ++ DBF_DEV_EVENT(DBF_WARNING, device, ++ "Symmetrix ioctl invalid data length %d", ++ usrparm.psf_data_len); ++ rc = -EINVAL; ++ goto out; ++ } + /* alloc I/O data area */ + psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL | GFP_DMA); + rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL | GFP_DMA); +-- +2.19.1 + diff --git a/queue-4.19/scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch b/queue-4.19/scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch new file mode 100644 index 00000000000..e87282dae8d --- /dev/null +++ b/queue-4.19/scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch @@ -0,0 +1,110 @@ +From 51b99c8f7b4edac7b1bdc77b94a458bf9ae87106 Mon Sep 17 00:00:00 2001 +From: Anoob Soman +Date: Wed, 13 Feb 2019 13:21:39 +0800 +Subject: scsi: libiscsi: Fix race between iscsi_xmit_task and + iscsi_complete_task + +[ Upstream commit 79edd00dc6a96644d76b4a1cb97d94d49e026768 ] + +When a target sends Check Condition, whilst initiator is busy xmiting +re-queued data, could lead to race between iscsi_complete_task() and +iscsi_xmit_task() and eventually crashing with the following kernel +backtrace. + +[3326150.987523] ALERT: BUG: unable to handle kernel NULL pointer dereference at 0000000000000078 +[3326150.987549] ALERT: IP: [] iscsi_xmit_task+0x2d/0xc0 [libiscsi] +[3326150.987571] WARN: PGD 569c8067 PUD 569c9067 PMD 0 +[3326150.987582] WARN: Oops: 0002 [#1] SMP +[3326150.987593] WARN: Modules linked in: tun nfsv3 nfs fscache dm_round_robin +[3326150.987762] WARN: CPU: 2 PID: 8399 Comm: kworker/u32:1 Tainted: G O 4.4.0+2 #1 +[3326150.987774] WARN: Hardware name: Dell Inc. PowerEdge R720/0W7JN5, BIOS 2.5.4 01/22/2016 +[3326150.987790] WARN: Workqueue: iscsi_q_13 iscsi_xmitworker [libiscsi] +[3326150.987799] WARN: task: ffff8801d50f3800 ti: ffff8801f5458000 task.ti: ffff8801f5458000 +[3326150.987810] WARN: RIP: e030:[] [] iscsi_xmit_task+0x2d/0xc0 [libiscsi] +[3326150.987825] WARN: RSP: e02b:ffff8801f545bdb0 EFLAGS: 00010246 +[3326150.987831] WARN: RAX: 00000000ffffffc3 RBX: ffff880282d2ab20 RCX: ffff88026b6ac480 +[3326150.987842] WARN: RDX: 0000000000000000 RSI: 00000000fffffe01 RDI: ffff880282d2ab20 +[3326150.987852] WARN: RBP: ffff8801f545bdc8 R08: 0000000000000000 R09: 0000000000000008 +[3326150.987862] WARN: R10: 0000000000000000 R11: 000000000000fe88 R12: 0000000000000000 +[3326150.987872] WARN: R13: ffff880282d2abe8 R14: ffff880282d2abd8 R15: ffff880282d2ac08 +[3326150.987890] WARN: FS: 00007f5a866b4840(0000) GS:ffff88028a640000(0000) knlGS:0000000000000000 +[3326150.987900] WARN: CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033 +[3326150.987907] WARN: CR2: 0000000000000078 CR3: 0000000070244000 CR4: 0000000000042660 +[3326150.987918] WARN: Stack: +[3326150.987924] WARN: ffff880282d2ad58 ffff880282d2ab20 ffff880282d2abe8 ffff8801f545be18 +[3326150.987938] WARN: ffffffffa05cea90 ffff880282d2abf8 ffff88026b59cc80 ffff88026b59cc00 +[3326150.987951] WARN: ffff88022acf32c0 ffff880289491800 ffff880255a80800 0000000000000400 +[3326150.987964] WARN: Call Trace: +[3326150.987975] WARN: [] iscsi_xmitworker+0x2f0/0x360 [libiscsi] +[3326150.987988] WARN: [] process_one_work+0x1fc/0x3b0 +[3326150.987997] WARN: [] worker_thread+0x2a5/0x470 +[3326150.988006] WARN: [] ? __schedule+0x648/0x870 +[3326150.988015] WARN: [] ? rescuer_thread+0x300/0x300 +[3326150.988023] WARN: [] kthread+0xd5/0xe0 +[3326150.988031] WARN: [] ? kthread_stop+0x110/0x110 +[3326150.988040] WARN: [] ret_from_fork+0x3f/0x70 +[3326150.988048] WARN: [] ? kthread_stop+0x110/0x110 +[3326150.988127] ALERT: RIP [] iscsi_xmit_task+0x2d/0xc0 [libiscsi] +[3326150.988138] WARN: RSP +[3326150.988144] WARN: CR2: 0000000000000078 +[3326151.020366] WARN: ---[ end trace 1c60974d4678d81b ]--- + +Commit 6f8830f5bbab ("scsi: libiscsi: add lock around task lists to fix +list corruption regression") introduced "taskqueuelock" to fix list +corruption during the race, but this wasn't enough. + +Re-setting of conn->task to NULL, could race with iscsi_xmit_task(). +iscsi_complete_task() +{ + .... + if (conn->task == task) + conn->task = NULL; +} + +conn->task in iscsi_xmit_task() could be NULL and so will be task. +__iscsi_get_task(task) will crash (NullPtr de-ref), trying to access +refcount. + +iscsi_xmit_task() +{ + struct iscsi_task *task = conn->task; + + __iscsi_get_task(task); +} + +This commit will take extra conn->session->back_lock in iscsi_xmit_task() +to ensure iscsi_xmit_task() waits for iscsi_complete_task(), if +iscsi_complete_task() wins the race. If iscsi_xmit_task() wins the race, +iscsi_xmit_task() increments task->refcount +(__iscsi_get_task) ensuring iscsi_complete_task() will not iscsi_free_task(). + +Signed-off-by: Anoob Soman +Signed-off-by: Bob Liu +Acked-by: Lee Duncan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libiscsi.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c +index f78d2e5c1471..4ad61cfa69c0 100644 +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -1449,7 +1449,13 @@ static int iscsi_xmit_task(struct iscsi_conn *conn) + if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx)) + return -ENODATA; + ++ spin_lock_bh(&conn->session->back_lock); ++ if (conn->task == NULL) { ++ spin_unlock_bh(&conn->session->back_lock); ++ return -ENODATA; ++ } + __iscsi_get_task(task); ++ spin_unlock_bh(&conn->session->back_lock); + spin_unlock_bh(&conn->session->frwd_lock); + rc = conn->session->tt->xmit_task(task); + spin_lock_bh(&conn->session->frwd_lock); +-- +2.19.1 + diff --git a/queue-4.19/scsi-qla2xxx-fix-panic-from-use-after-free-in-qla2x0.patch b/queue-4.19/scsi-qla2xxx-fix-panic-from-use-after-free-in-qla2x0.patch new file mode 100644 index 00000000000..ff0c5801b65 --- /dev/null +++ b/queue-4.19/scsi-qla2xxx-fix-panic-from-use-after-free-in-qla2x0.patch @@ -0,0 +1,43 @@ +From aa43cffe451d388fba57d9d5526c9113f8171563 Mon Sep 17 00:00:00 2001 +From: Bill Kuzeja +Date: Tue, 12 Feb 2019 09:29:50 -0500 +Subject: scsi: qla2xxx: Fix panic from use after free in qla2x00_async_tm_cmd + +[ Upstream commit 388a49959ee4e4e99f160241d9599efa62cd4299 ] + +In qla2x00_async_tm_cmd, we reference off sp after it has been freed. This +caused a panic on a system running a slub debug kernel. Since fcport is +passed in anyways, just use that instead. + +Signed-off-by: Bill Kuzeja +Acked-by: Giridhar Malavali +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_init.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index 5352c9bbcaf7..2271a2cd29d2 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -1719,13 +1719,13 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, uint32_t flags, uint32_t lun, + + /* Issue Marker IOCB */ + qla2x00_marker(vha, vha->hw->req_q_map[0], +- vha->hw->rsp_q_map[0], sp->fcport->loop_id, lun, ++ vha->hw->rsp_q_map[0], fcport->loop_id, lun, + flags == TCF_LUN_RESET ? MK_SYNC_ID_LUN : MK_SYNC_ID); + } + + done_free_sp: + sp->free(sp); +- sp->fcport->flags &= ~FCF_ASYNC_SENT; ++ fcport->flags &= ~FCF_ASYNC_SENT; + done: + return rval; + } +-- +2.19.1 + diff --git a/queue-4.19/selftests-fib_tests-sleep-after-changing-carrier.-ag.patch b/queue-4.19/selftests-fib_tests-sleep-after-changing-carrier.-ag.patch new file mode 100644 index 00000000000..53ecd436f57 --- /dev/null +++ b/queue-4.19/selftests-fib_tests-sleep-after-changing-carrier.-ag.patch @@ -0,0 +1,43 @@ +From d565df12cb814befd29467fa09d31a0bea80085e Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Fri, 22 Feb 2019 07:27:41 -0300 +Subject: selftests: fib_tests: sleep after changing carrier. again. + +[ Upstream commit af548a27b158d548d41e56255e6eaca1658cc3be ] + +Just like commit e2ba732a1681 ("selftests: fib_tests: sleep after +changing carrier"), wait one second to allow linkwatch to propagate the +carrier change to the stack. + +There are two sets of carrier tests. The first slept after the carrier +was set to off, and when the second set ran, it was likely that the +linkwatch would be able to run again without much delay, reducing the +likelihood of a race. However, if you run 'fib_tests.sh -t carrier' on a +loop, you will quickly notice the failures. + +Sleeping on the second set of tests make the failures go away. + +Cc: David Ahern +Signed-off-by: Thadeu Lima de Souza Cascardo +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/fib_tests.sh | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/net/fib_tests.sh b/tools/testing/selftests/net/fib_tests.sh +index 0f45633bd634..a4ccde0e473b 100755 +--- a/tools/testing/selftests/net/fib_tests.sh ++++ b/tools/testing/selftests/net/fib_tests.sh +@@ -385,6 +385,7 @@ fib_carrier_unicast_test() + + set -e + $IP link set dev dummy0 carrier off ++ sleep 1 + set +e + + echo " Carrier down" +-- +2.19.1 + diff --git a/queue-4.19/series b/queue-4.19/series index cba1302a227..b10e57087da 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -20,3 +20,94 @@ crypto-cfb-remove-bogus-memcpy-with-src-dest.patch crypto-ahash-fix-another-early-termination-in-hash-walk.patch crypto-rockchip-fix-scatterlist-nents-error.patch crypto-rockchip-update-new-iv-to-device-in-multiple-operations.patch +drm-imx-ignore-plane-updates-on-disabled-crtcs.patch +gpu-ipu-v3-fix-i.mx51-csi-control-registers-offset.patch +drm-imx-imx-ldb-add-missing-of_node_puts.patch +gpu-ipu-v3-fix-csi-offsets-for-imx53.patch +asoc-rt5682-correct-the-setting-while-select-asrc-cl.patch +clocksource-timer-ti-dm-fix-pwm-dmtimer-usage-of-fck.patch +kvm-arm-arm64-vgic-make-vgic_dist-lpi_list_lock-a-ra.patch +arm64-dts-rockchip-fix-graph_port-warning-on-rk3399-.patch +s390-dasd-fix-using-offset-into-zero-size-array-erro.patch +input-pwm-vibra-prevent-unbalanced-regulator.patch +input-pwm-vibra-stop-regulator-after-disabling-pwm-n.patch +arm-dts-configure-clock-parent-for-pwm-vibra.patch +arm-omap2-variable-reg-in-function-omap4_dsi_mux_pad.patch +asoc-dapm-fix-out-of-bounds-accesses-to-dapm-lookup-.patch +asoc-rsnd-fixup-rsnd_ssi_master_clk_start-user-count.patch +kvm-arm-arm64-reset-the-vcpu-without-preemption-and-.patch +arm-arm64-kvm-allow-a-vcpu-to-fully-reset-itself.patch +arm-arm64-kvm-don-t-panic-on-failure-to-properly-res.patch +kvm-arm-arm64-vgic-always-initialize-the-group-of-pr.patch +kvm-arm64-forbid-kprobing-of-the-vhe-world-switch-co.patch +asoc-samsung-prevent-clk_get_rate-calls-in-atomic-co.patch +arm-omap2-fix-lack-of-timer-interrupts-on-cpu1-after.patch +input-cap11xx-switch-to-using-set_brightness_blockin.patch +input-ps2-gpio-flush-tx-work-when-closing-port.patch +input-matrix_keypad-use-flush_delayed_work.patch +mac80211-call-drv_ibss_join-on-restart.patch +mac80211-fix-tx-aggregation-session-tear-down-with-i.patch +netfilter-compat-initialize-all-fields-in-xt_init.patch +blk-mq-insert-rq-with-dontprep-to-hctx-dispatch-list.patch +ipvs-fix-dependency-on-nf_defrag_ipv6.patch +floppy-check_events-callback-should-not-return-a-neg.patch +xprtrdma-make-sure-send-cq-is-allocated-on-an-existi.patch +nfs-don-t-use-page_file_mapping-after-removing-the-p.patch +mm-gup-fix-gup_pmd_range-for-dax.patch +revert-mm-use-early_pfn_to_nid-in-page_ext_init.patch +scsi-qla2xxx-fix-panic-from-use-after-free-in-qla2x0.patch +net-dsa-bcm_sf2-potential-array-overflow-in-bcm_sf2_.patch +x86-cpu-add-icelake-model-number.patch +mm-page_alloc-fix-ref-bias-in-page_frag_alloc-for-1-.patch +net-hns-fix-object-reference-leaks-in-hns_dsaf_roce_.patch +i2c-cadence-fix-the-hold-bit-setting.patch +i2c-bcm2835-clear-current-buffer-pointers-and-counts.patch +auxdisplay-ht16k33-fix-potential-user-after-free-on-.patch +input-st-keyscan-fix-potential-zalloc-null-dereferen.patch +clk-sunxi-ng-v3s-fix-tcon-reset-de-assert-bit.patch +kallsyms-handle-too-long-symbols-in-kallsyms.c.patch +clk-sunxi-a31-fix-wrong-ahb-gate-number.patch +esp-skip-tx-bytes-accounting-when-sending-from-a-req.patch +arm-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch +bpf-only-adjust-gso_size-on-bytestream-protocols.patch +bpf-fix-lockdep-false-positive-in-stackmap.patch +af_key-unconditionally-clone-on-broadcast.patch +arm-8835-1-dma-mapping-clear-dma-ops-on-teardown.patch +assoc_array-fix-shortcut-creation.patch +keys-fix-dependency-loop-between-construction-record.patch +scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch +net-systemport-fix-reception-of-bpdus.patch +net-dsa-bcm_sf2-do-not-assume-dsa-master-supports-wo.patch +pinctrl-meson-meson8b-fix-the-sdxc_a-data-1.3-pins.patch +qmi_wwan-apply-set_dtr-quirk-to-sierra-wp7607.patch +net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch +xfrm-fix-inbound-traffic-via-xfrm-interfaces-across-.patch +mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-tim.patch +asoc-topology-free-created-components-in-tplg-load-e.patch +qed-fix-iwarp-buffer-size-provided-for-syn-packet-pr.patch +qed-fix-iwarp-syn-packet-mac-address-validation.patch +arm-dts-armada-xp-fix-armada-xp-boards-nand-descript.patch +arm64-relax-gic-version-check-during-early-boot.patch +arm-tegra-restore-dt-abi-on-tegra124-chromebooks.patch +net-marvell-mvneta-fix-dma-debug-warning.patch +kasan-slub-move-kasan_poison_slab-hook-before-page_a.patch +mm-handle-lru_add_drain_all-for-up-properly.patch +tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch +kasan-slab-fix-conflicts-with-config_hardened_userco.patch +ixgbe-fix-older-devices-that-do-not-support-ixgbe_mr.patch +arcv2-lib-memcpy-fix-doing-prefetchw-outside-of-buff.patch +arc-uacces-remove-lp_start-lp_end-from-clobber-list.patch +arcv2-support-manual-regfile-save-on-interrupts.patch +arcv2-don-t-assume-core-0x54-has-dual-issue.patch +phonet-fix-building-with-clang.patch +mac80211_hwsim-propagate-genlmsg_reply-return-code.patch +bpf-lpm-fix-lookup-bug-in-map_delete_elem.patch +net-thunderx-make-cfg_done-message-to-run-through-ge.patch +net-thunderx-add-nicvf_send_msg_to_pf-result-check-f.patch +nfp-bpf-fix-code-gen-bug-on-bpf_alu-bpf_xor-bpf_k.patch +nfp-bpf-fix-alu32-high-bits-clearance-bug.patch +bnxt_en-fix-typo-in-firmware-message-timeout-logic.patch +bnxt_en-wait-longer-for-the-firmware-message-respons.patch +net-set-static-variable-an-initial-value-in-atl2_pro.patch +selftests-fib_tests-sleep-after-changing-carrier.-ag.patch +tmpfs-fix-uninitialized-return-value-in-shmem_link.patch diff --git a/queue-4.19/tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch b/queue-4.19/tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch new file mode 100644 index 00000000000..8b67028fd6e --- /dev/null +++ b/queue-4.19/tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch @@ -0,0 +1,62 @@ +From 8fb0b5fc39a4bed3c13af179633fb4a517de42d7 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Thu, 21 Feb 2019 08:48:09 -0800 +Subject: tmpfs: fix link accounting when a tmpfile is linked in + +[ Upstream commit 1062af920c07f5b54cf5060fde3339da6df0cf6b ] + +tmpfs has a peculiarity of accounting hard links as if they were +separate inodes: so that when the number of inodes is limited, as it is +by default, a user cannot soak up an unlimited amount of unreclaimable +dcache memory just by repeatedly linking a file. + +But when v3.11 added O_TMPFILE, and the ability to use linkat() on the +fd, we missed accommodating this new case in tmpfs: "df -i" shows that +an extra "inode" remains accounted after the file is unlinked and the fd +closed and the actual inode evicted. If a user repeatedly links +tmpfiles into a tmpfs, the limit will be hit (ENOSPC) even after they +are deleted. + +Just skip the extra reservation from shmem_link() in this case: there's +a sense in which this first link of a tmpfile is then cheaper than a +hard link of another file, but the accounting works out, and there's +still good limiting, so no need to do anything more complicated. + +Link: http://lkml.kernel.org/r/alpine.LSU.2.11.1902182134370.7035@eggly.anvils +Fixes: f4e0c30c191 ("allow the temp files created by open() to be linked to") +Signed-off-by: Darrick J. Wong +Signed-off-by: Hugh Dickins +Reported-by: Matej Kupljen +Acked-by: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/shmem.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/mm/shmem.c b/mm/shmem.c +index b6cf0e8e685b..bf13966b009c 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -2901,10 +2901,14 @@ static int shmem_link(struct dentry *old_dentry, struct inode *dir, struct dentr + * No ordinary (disk based) filesystem counts links as inodes; + * but each new link needs a new dentry, pinning lowmem, and + * tmpfs dentries cannot be pruned until they are unlinked. ++ * But if an O_TMPFILE file is linked into the tmpfs, the ++ * first link must skip that, to get the accounting right. + */ +- ret = shmem_reserve_inode(inode->i_sb); +- if (ret) +- goto out; ++ if (inode->i_nlink) { ++ ret = shmem_reserve_inode(inode->i_sb); ++ if (ret) ++ goto out; ++ } + + dir->i_size += BOGO_DIRENT_SIZE; + inode->i_ctime = dir->i_ctime = dir->i_mtime = current_time(inode); +-- +2.19.1 + diff --git a/queue-4.19/tmpfs-fix-uninitialized-return-value-in-shmem_link.patch b/queue-4.19/tmpfs-fix-uninitialized-return-value-in-shmem_link.patch new file mode 100644 index 00000000000..381c86fe763 --- /dev/null +++ b/queue-4.19/tmpfs-fix-uninitialized-return-value-in-shmem_link.patch @@ -0,0 +1,40 @@ +From 83c2d5fb54241956ab871f8d519f00cead067d70 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Fri, 22 Feb 2019 22:35:32 -0800 +Subject: tmpfs: fix uninitialized return value in shmem_link + +[ Upstream commit 29b00e609960ae0fcff382f4c7079dd0874a5311 ] + +When we made the shmem_reserve_inode call in shmem_link conditional, we +forgot to update the declaration for ret so that it always has a known +value. Dan Carpenter pointed out this deficiency in the original patch. + +Fixes: 1062af920c07 ("tmpfs: fix link accounting when a tmpfile is linked in") +Reported-by: Dan Carpenter +Signed-off-by: Darrick J. Wong +Signed-off-by: Hugh Dickins +Cc: Matej Kupljen +Cc: Al Viro +Cc: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/shmem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mm/shmem.c b/mm/shmem.c +index bf13966b009c..3c8742655756 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -2895,7 +2895,7 @@ static int shmem_create(struct inode *dir, struct dentry *dentry, umode_t mode, + static int shmem_link(struct dentry *old_dentry, struct inode *dir, struct dentry *dentry) + { + struct inode *inode = d_inode(old_dentry); +- int ret; ++ int ret = 0; + + /* + * No ordinary (disk based) filesystem counts links as inodes; +-- +2.19.1 + diff --git a/queue-4.19/x86-cpu-add-icelake-model-number.patch b/queue-4.19/x86-cpu-add-icelake-model-number.patch new file mode 100644 index 00000000000..3e4ba0d1df8 --- /dev/null +++ b/queue-4.19/x86-cpu-add-icelake-model-number.patch @@ -0,0 +1,47 @@ +From 9a4d4a120f892c2d09d6b627ab4f1e33f2120665 Mon Sep 17 00:00:00 2001 +From: Rajneesh Bhardwaj +Date: Thu, 14 Feb 2019 17:27:08 +0530 +Subject: x86/CPU: Add Icelake model number + +[ Upstream commit 8cd8f0ce0d6aafe661cb3d6781c8b82bc696c04d ] + +Add the CPUID model number of Icelake (ICL) mobile processors to the +Intel family list. Icelake U/Y series uses model number 0x7E. + +Signed-off-by: Rajneesh Bhardwaj +Signed-off-by: Borislav Petkov +Cc: Andy Shevchenko +Cc: Dave Hansen +Cc: "David E. Box" +Cc: dvhart@infradead.org +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Kan Liang +Cc: Peter Zijlstra +Cc: platform-driver-x86@vger.kernel.org +Cc: Qiuxu Zhuo +Cc: Srinivas Pandruvada +Cc: Thomas Gleixner +Cc: x86-ml +Link: https://lkml.kernel.org/r/20190214115712.19642-2-rajneesh.bhardwaj@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/intel-family.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/x86/include/asm/intel-family.h b/arch/x86/include/asm/intel-family.h +index 7ed08a7c3398..0ad25cc895ae 100644 +--- a/arch/x86/include/asm/intel-family.h ++++ b/arch/x86/include/asm/intel-family.h +@@ -55,6 +55,8 @@ + + #define INTEL_FAM6_CANNONLAKE_MOBILE 0x66 + ++#define INTEL_FAM6_ICELAKE_MOBILE 0x7E ++ + /* "Small Core" Processors (Atom) */ + + #define INTEL_FAM6_ATOM_PINEVIEW 0x1C +-- +2.19.1 + diff --git a/queue-4.19/xfrm-fix-inbound-traffic-via-xfrm-interfaces-across-.patch b/queue-4.19/xfrm-fix-inbound-traffic-via-xfrm-interfaces-across-.patch new file mode 100644 index 00000000000..f23258a971f --- /dev/null +++ b/queue-4.19/xfrm-fix-inbound-traffic-via-xfrm-interfaces-across-.patch @@ -0,0 +1,65 @@ +From 1d369f463431cc5607682c87b497fa7ed5ed5bbb Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Mon, 18 Feb 2019 10:49:39 +0100 +Subject: xfrm: Fix inbound traffic via XFRM interfaces across network + namespaces + +[ Upstream commit 660899ddf06ae8bb5bbbd0a19418b739375430c5 ] + +After moving an XFRM interface to another namespace it stays associated +with the original namespace (net in `struct xfrm_if` and the list keyed +with `xfrmi_net_id`), allowing processes in the new namespace to use +SAs/policies that were created in the original namespace. For instance, +this allows a keying daemon in one namespace to establish IPsec SAs for +other namespaces without processes there having access to the keys or IKE +credentials. + +This worked fine for outbound traffic, however, for inbound traffic the +lookup for the interfaces and the policies used the incorrect namespace +(the one the XFRM interface was moved to). + +Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces") +Signed-off-by: Tobias Brunner +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_interface.c | 4 ++-- + net/xfrm/xfrm_policy.c | 4 +++- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c +index 6f05e831a73e..82723ef44db3 100644 +--- a/net/xfrm/xfrm_interface.c ++++ b/net/xfrm/xfrm_interface.c +@@ -76,10 +76,10 @@ static struct xfrm_if *xfrmi_decode_session(struct sk_buff *skb) + int ifindex; + struct xfrm_if *xi; + +- if (!skb->dev) ++ if (!secpath_exists(skb) || !skb->dev) + return NULL; + +- xfrmn = net_generic(dev_net(skb->dev), xfrmi_net_id); ++ xfrmn = net_generic(xs_net(xfrm_input_state(skb)), xfrmi_net_id); + ifindex = skb->dev->ifindex; + + for_each_xfrmi_rcu(xfrmn->xfrmi[0], xi) { +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 6ea8036fcdbe..bf5d59270f79 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -2340,8 +2340,10 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, + + if (ifcb) { + xi = ifcb->decode_session(skb); +- if (xi) ++ if (xi) { + if_id = xi->p.if_id; ++ net = xi->net; ++ } + } + rcu_read_unlock(); + +-- +2.19.1 + diff --git a/queue-4.19/xprtrdma-make-sure-send-cq-is-allocated-on-an-existi.patch b/queue-4.19/xprtrdma-make-sure-send-cq-is-allocated-on-an-existi.patch new file mode 100644 index 00000000000..5a543e2c8aa --- /dev/null +++ b/queue-4.19/xprtrdma-make-sure-send-cq-is-allocated-on-an-existi.patch @@ -0,0 +1,36 @@ +From 9abd2655099f531240941b9e24286b3c67b79c64 Mon Sep 17 00:00:00 2001 +From: Nicolas Morey-Chaisemartin +Date: Tue, 5 Feb 2019 18:21:02 +0100 +Subject: xprtrdma: Make sure Send CQ is allocated on an existing compvec + +[ Upstream commit a4cb5bdb754afe21f3e9e7164213e8600cf69427 ] + +Make sure the device has at least 2 completion vectors +before allocating to compvec#1 + +Fixes: a4699f5647f3 (xprtrdma: Put Send CQ in IB_POLL_WORKQUEUE mode) +Signed-off-by: Nicolas Morey-Chaisemartin +Reviewed-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtrdma/verbs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c +index 3d6bf790cf1f..5ddbf227e7c6 100644 +--- a/net/sunrpc/xprtrdma/verbs.c ++++ b/net/sunrpc/xprtrdma/verbs.c +@@ -546,7 +546,8 @@ rpcrdma_ep_create(struct rpcrdma_ep *ep, struct rpcrdma_ia *ia, + + sendcq = ib_alloc_cq(ia->ri_device, NULL, + ep->rep_attr.cap.max_send_wr + 1, +- 1, IB_POLL_WORKQUEUE); ++ ia->ri_device->num_comp_vectors > 1 ? 1 : 0, ++ IB_POLL_WORKQUEUE); + if (IS_ERR(sendcq)) { + rc = PTR_ERR(sendcq); + dprintk("RPC: %s: failed to create send CQ: %i\n", +-- +2.19.1 +