From: Greg Kroah-Hartman Date: Mon, 27 Jul 2020 13:32:36 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.14.190~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3b656f578e5d502edff7e23e32a1c0e83f78b616;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: asoc-qcom-drop-has_dma-dependency-to-fix-link-failure.patch asoc-rt5670-add-new-gpio1_is_ext_spk_en-quirk-and-enable-it-on-the-lenovo-miix-2-10.patch ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch ath9k-fix-regression-with-atheros-9271.patch dm-integrity-fix-integrity-recalculation-that-is-improperly-skipped.patch drm-amd-powerplay-fix-a-crash-when-overclocking-vega-m.patch drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch io-mapping-indicate-mapping-failure.patch mm-memcg-fix-refcount-error-while-moving-and-swapping.patch mm-memcg-slab-fix-memory-leak-at-non-root-kmem_cache-destroy.patch parisc-add-atomic64_set_release-define-to-avoid-cpu-soft-lockups.patch x86-vmlinux.lds-page-align-end-of-..page_aligned-sections.patch --- diff --git a/queue-4.19/asoc-qcom-drop-has_dma-dependency-to-fix-link-failure.patch b/queue-4.19/asoc-qcom-drop-has_dma-dependency-to-fix-link-failure.patch new file mode 100644 index 00000000000..586561d8fce --- /dev/null +++ b/queue-4.19/asoc-qcom-drop-has_dma-dependency-to-fix-link-failure.patch 
@@ -0,0 +1,57 @@ +From b6aa06de7757667bac88997a8807b143b8436035 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 29 Jun 2020 14:24:43 +0200 +Subject: ASoC: qcom: Drop HAS_DMA dependency to fix link failure + +From: Geert Uytterhoeven + +commit b6aa06de7757667bac88997a8807b143b8436035 upstream. + +When building on allyesconfig kernel for a NO_DMA=y platform (e.g. +Sun-3), CONFIG_SND_SOC_QCOM_COMMON=y, but CONFIG_SND_SOC_QDSP6_AFE=n, +leading to a link failure: + + sound/soc/qcom/common.o: In function `qcom_snd_parse_of': + common.c:(.text+0x2e2): undefined reference to `q6afe_is_rx_port' + +While SND_SOC_QDSP6 depends on HAS_DMA, SND_SOC_MSM8996 and SND_SOC_SDM845 +don't, so the following warning is seen: + + WARNING: unmet direct dependencies detected for SND_SOC_QDSP6 + Depends on [n]: SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && QCOM_APR [=y] && HAS_DMA [=n] + Selected by [y]: + - SND_SOC_MSM8996 [=y] && SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && QCOM_APR [=y] + - SND_SOC_SDM845 [=y] && SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && QCOM_APR [=y] && CROS_EC [=y] && I2C [=y] && SOUNDWIRE [=y] + +Until recently, this warning was harmless (from a compile-testing +point-of-view), but the new user of q6afe_is_rx_port() turned this into +a hard failure. + +As the QDSP6 driver itself builds fine if NO_DMA=y, and it depends on +QCOM_APR (which in turns depends on ARCH_QCOM || COMPILE_TEST), it is +safe to increase compile testing coverage. Hence fix the link failure +by dropping the HAS_DMA dependency of SND_SOC_QDSP6. 
+ +Fixes: a2120089251f1fe2 ("ASoC: qcom: common: set correct directions for dailinks") +Fixes: 6b1687bf76ef84cb ("ASoC: qcom: add sdm845 sound card support") +Fixes: a6f933f63f2ffdb2 ("ASoC: qcom: apq8096: Add db820c machine driver") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20200629122443.21736-1-geert@linux-m68k.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/qcom/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/qcom/Kconfig ++++ b/sound/soc/qcom/Kconfig +@@ -70,7 +70,7 @@ config SND_SOC_QDSP6_ASM_DAI + + config SND_SOC_QDSP6 + tristate "SoC ALSA audio driver for QDSP6" +- depends on QCOM_APR && HAS_DMA ++ depends on QCOM_APR + select SND_SOC_QDSP6_COMMON + select SND_SOC_QDSP6_CORE + select SND_SOC_QDSP6_AFE diff --git a/queue-4.19/asoc-rt5670-add-new-gpio1_is_ext_spk_en-quirk-and-enable-it-on-the-lenovo-miix-2-10.patch b/queue-4.19/asoc-rt5670-add-new-gpio1_is_ext_spk_en-quirk-and-enable-it-on-the-lenovo-miix-2-10.patch new file mode 100644 index 00000000000..3981d4d0aea --- /dev/null +++ b/queue-4.19/asoc-rt5670-add-new-gpio1_is_ext_spk_en-quirk-and-enable-it-on-the-lenovo-miix-2-10.patch 
@@ -0,0 +1,166 @@ +From 85ca6b17e2bb96b19caac3b02c003d670b66de96 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 28 Jun 2020 17:52:28 +0200 +Subject: ASoC: rt5670: Add new gpio1_is_ext_spk_en quirk and enable it on the Lenovo Miix 2 10 + +From: Hans de Goede + +commit 85ca6b17e2bb96b19caac3b02c003d670b66de96 upstream. + +The Lenovo Miix 2 10 has a keyboard dock with extra speakers in the dock. +Rather then the ACL5672's GPIO1 pin being used as IRQ to the CPU, it is +actually used to enable the amplifier for these speakers +(the IRQ to the CPU comes directly from the jack-detect switch). + +Add a quirk for having an ext speaker-amplifier enable pin on GPIO1 +and replace the Lenovo Miix 2 10's dmi_system_id table entry's wrong +GPIO_DEV quirk (which needs to be renamed to GPIO1_IS_IRQ) with the +new RT5670_GPIO1_IS_EXT_SPK_EN quirk, so that we enable the external +speaker-amplifier as necessary. + +Also update the ident field for the dmi_system_id table entry, the +Miix models are not Thinkpads. 
+ +Fixes: 67e03ff3f32f ("ASoC: codecs: rt5670: add Thinkpad Tablet 10 quirk") +Signed-off-by: Hans de Goede +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1786723 +Link: https://lore.kernel.org/r/20200628155231.71089-4-hdegoede@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + include/sound/rt5670.h | 1 + sound/soc/codecs/rt5670.c | 71 ++++++++++++++++++++++++++++++++++++---------- + 2 files changed, 57 insertions(+), 15 deletions(-) + +--- a/include/sound/rt5670.h ++++ b/include/sound/rt5670.h +@@ -15,6 +15,7 @@ struct rt5670_platform_data { + int jd_mode; + bool in2_diff; + bool dev_gpio; ++ bool gpio1_is_ext_spk_en; + + bool dmic_en; + unsigned int dmic1_data_pin; +--- a/sound/soc/codecs/rt5670.c ++++ b/sound/soc/codecs/rt5670.c +@@ -34,18 +34,19 @@ + #include "rt5670.h" + #include "rt5670-dsp.h" + +-#define RT5670_DEV_GPIO BIT(0) +-#define RT5670_IN2_DIFF BIT(1) +-#define RT5670_DMIC_EN BIT(2) +-#define RT5670_DMIC1_IN2P BIT(3) +-#define RT5670_DMIC1_GPIO6 BIT(4) +-#define RT5670_DMIC1_GPIO7 BIT(5) +-#define RT5670_DMIC2_INR BIT(6) +-#define RT5670_DMIC2_GPIO8 BIT(7) +-#define RT5670_DMIC3_GPIO5 BIT(8) +-#define RT5670_JD_MODE1 BIT(9) +-#define RT5670_JD_MODE2 BIT(10) +-#define RT5670_JD_MODE3 BIT(11) ++#define RT5670_DEV_GPIO BIT(0) ++#define RT5670_IN2_DIFF BIT(1) ++#define RT5670_DMIC_EN BIT(2) ++#define RT5670_DMIC1_IN2P BIT(3) ++#define RT5670_DMIC1_GPIO6 BIT(4) ++#define RT5670_DMIC1_GPIO7 BIT(5) ++#define RT5670_DMIC2_INR BIT(6) ++#define RT5670_DMIC2_GPIO8 BIT(7) ++#define RT5670_DMIC3_GPIO5 BIT(8) ++#define RT5670_JD_MODE1 BIT(9) ++#define RT5670_JD_MODE2 BIT(10) ++#define RT5670_JD_MODE3 BIT(11) ++#define RT5670_GPIO1_IS_EXT_SPK_EN BIT(12) + + static unsigned long rt5670_quirk; + static unsigned int quirk_override; +@@ -1504,6 +1505,33 @@ static int rt5670_hp_event(struct snd_so + return 0; + } + ++static int rt5670_spk_event(struct snd_soc_dapm_widget *w, ++ struct snd_kcontrol *kcontrol, int event) ++{ ++ 
struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm); ++ struct rt5670_priv *rt5670 = snd_soc_component_get_drvdata(component); ++ ++ if (!rt5670->pdata.gpio1_is_ext_spk_en) ++ return 0; ++ ++ switch (event) { ++ case SND_SOC_DAPM_POST_PMU: ++ regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL2, ++ RT5670_GP1_OUT_MASK, RT5670_GP1_OUT_HI); ++ break; ++ ++ case SND_SOC_DAPM_PRE_PMD: ++ regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL2, ++ RT5670_GP1_OUT_MASK, RT5670_GP1_OUT_LO); ++ break; ++ ++ default: ++ return 0; ++ } ++ ++ return 0; ++} ++ + static int rt5670_bst1_event(struct snd_soc_dapm_widget *w, + struct snd_kcontrol *kcontrol, int event) + { +@@ -1917,7 +1945,9 @@ static const struct snd_soc_dapm_widget + }; + + static const struct snd_soc_dapm_widget rt5672_specific_dapm_widgets[] = { +- SND_SOC_DAPM_PGA("SPO Amp", SND_SOC_NOPM, 0, 0, NULL, 0), ++ SND_SOC_DAPM_PGA_E("SPO Amp", SND_SOC_NOPM, 0, 0, NULL, 0, ++ rt5670_spk_event, SND_SOC_DAPM_PRE_PMD | ++ SND_SOC_DAPM_POST_PMU), + SND_SOC_DAPM_OUTPUT("SPOLP"), + SND_SOC_DAPM_OUTPUT("SPOLN"), + SND_SOC_DAPM_OUTPUT("SPORP"), +@@ -2901,14 +2931,14 @@ static const struct dmi_system_id dmi_pl + }, + { + .callback = rt5670_quirk_cb, +- .ident = "Lenovo Thinkpad Tablet 10", ++ .ident = "Lenovo Miix 2 10", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Miix 2 10"), + }, + .driver_data = (unsigned long *)(RT5670_DMIC_EN | + RT5670_DMIC1_IN2P | +- RT5670_DEV_GPIO | ++ RT5670_GPIO1_IS_EXT_SPK_EN | + RT5670_JD_MODE2), + }, + { +@@ -2956,6 +2986,10 @@ static int rt5670_i2c_probe(struct i2c_c + rt5670->pdata.dev_gpio = true; + dev_info(&i2c->dev, "quirk dev_gpio\n"); + } ++ if (rt5670_quirk & RT5670_GPIO1_IS_EXT_SPK_EN) { ++ rt5670->pdata.gpio1_is_ext_spk_en = true; ++ dev_info(&i2c->dev, "quirk GPIO1 is external speaker enable\n"); ++ } + if (rt5670_quirk & RT5670_IN2_DIFF) { + rt5670->pdata.in2_diff = true; + dev_info(&i2c->dev, "quirk IN2_DIFF\n"); 
+@@ -3054,6 +3088,13 @@ static int rt5670_i2c_probe(struct i2c_c + regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL2, + RT5670_GP1_PF_MASK, RT5670_GP1_PF_OUT); + } ++ ++ if (rt5670->pdata.gpio1_is_ext_spk_en) { ++ regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL1, ++ RT5670_GP1_PIN_MASK, RT5670_GP1_PIN_GPIO1); ++ regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL2, ++ RT5670_GP1_PF_MASK, RT5670_GP1_PF_OUT); ++ } + + if (rt5670->pdata.jd_mode) { + regmap_update_bits(rt5670->regmap, RT5670_GLB_CLK, diff --git a/queue-4.19/ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch b/queue-4.19/ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch new file mode 100644 index 00000000000..a664ddf0d38 --- /dev/null +++ b/queue-4.19/ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch 
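Review bot: The block added to rt5670_i2c_probe for `gpio1_is_ext_spk_en` switches GPIO1 to an output but never writes an initial level, so the state of the external amplifier before the first DAPM event depends on whatever RT5670_GPIO_CTRL2 holds at that point. Driving the pin low there, `regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL2, RT5670_GP1_OUT_MASK, RT5670_GP1_OUT_LO);`, would make the start state explicit. Separately, nothing visible stops RT5670_DEV_GPIO and RT5670_GPIO1_IS_EXT_SPK_EN from being set together (presumably possible through `quirk_override`), in which case both probe blocks program GPIO1; a check or a comment stating that the two quirks are exclusive would help. The probe function starts and ends outside the hunk.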
@@ -0,0 +1,216 @@ +From 2bbcaaee1fcbd83272e29f31e2bb7e70d8c49e05 Mon Sep 17 00:00:00 2001 +From: Qiujun Huang +Date: Sat, 4 Apr 2020 12:18:38 +0800 +Subject: ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb + +From: Qiujun Huang + +commit 2bbcaaee1fcbd83272e29f31e2bb7e70d8c49e05 upstream. + +In ath9k_hif_usb_rx_cb interface number is assumed to be 0. +usb_ifnum_to_if(urb->dev, 0) +But it isn't always true. + +The case reported by syzbot: +https://lore.kernel.org/linux-usb/000000000000666c9c05a1c05d12@google.com +usb 2-1: new high-speed USB device number 2 using dummy_hcd +usb 2-1: config 1 has an invalid interface number: 2 but max is 0 +usb 2-1: config 1 has no interface number 0 +usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= +1.08 +usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 +general protection fault, probably for non-canonical address +0xdffffc0000000015: 0000 [#1] SMP KASAN +KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af] +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0 + +Call Trace +__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650 +usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716 +dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966 +call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404 +expire_timers kernel/time/timer.c:1449 [inline] +__run_timers kernel/time/timer.c:1773 [inline] +__run_timers kernel/time/timer.c:1740 [inline] +run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786 +__do_softirq+0x21e/0x950 kernel/softirq.c:292 +invoke_softirq kernel/softirq.c:373 [inline] +irq_exit+0x178/0x1a0 kernel/softirq.c:413 +exiting_irq arch/x86/include/asm/apic.h:546 [inline] +smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146 +apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829 + +Reported-and-tested-by: syzbot+40d5d2e8a4680952f042@syzkaller.appspotmail.com +Signed-off-by: Qiujun Huang +Signed-off-by: 
Kalle Valo +Link: https://lore.kernel.org/r/20200404041838.10426-6-hqjagain@gmail.com +Cc: Viktor Jägersküpper +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 48 +++++++++++++++++++++++-------- + drivers/net/wireless/ath/ath9k/hif_usb.h | 5 +++ + 2 files changed, 42 insertions(+), 11 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -643,9 +643,9 @@ err: + + static void ath9k_hif_usb_rx_cb(struct urb *urb) + { +- struct sk_buff *skb = (struct sk_buff *) urb->context; +- struct hif_device_usb *hif_dev = +- usb_get_intfdata(usb_ifnum_to_if(urb->dev, 0)); ++ struct rx_buf *rx_buf = (struct rx_buf *)urb->context; ++ struct hif_device_usb *hif_dev = rx_buf->hif_dev; ++ struct sk_buff *skb = rx_buf->skb; + int ret; + + if (!skb) +@@ -685,14 +685,15 @@ resubmit: + return; + free: + kfree_skb(skb); ++ kfree(rx_buf); + } + + static void ath9k_hif_usb_reg_in_cb(struct urb *urb) + { +- struct sk_buff *skb = (struct sk_buff *) urb->context; ++ struct rx_buf *rx_buf = (struct rx_buf *)urb->context; ++ struct hif_device_usb *hif_dev = rx_buf->hif_dev; ++ struct sk_buff *skb = rx_buf->skb; + struct sk_buff *nskb; +- struct hif_device_usb *hif_dev = +- usb_get_intfdata(usb_ifnum_to_if(urb->dev, 0)); + int ret; + + if (!skb) +@@ -750,6 +751,7 @@ resubmit: + return; + free: + kfree_skb(skb); ++ kfree(rx_buf); + urb->context = NULL; + } + +@@ -795,7 +797,7 @@ static int ath9k_hif_usb_alloc_tx_urbs(s + init_usb_anchor(&hif_dev->mgmt_submitted); + + for (i = 0; i < MAX_TX_URB_NUM; i++) { +- tx_buf = kzalloc(sizeof(struct tx_buf), GFP_KERNEL); ++ tx_buf = kzalloc(sizeof(*tx_buf), GFP_KERNEL); + if (!tx_buf) + goto err; + +@@ -832,8 +834,9 @@ static void ath9k_hif_usb_dealloc_rx_urb + + static int ath9k_hif_usb_alloc_rx_urbs(struct hif_device_usb *hif_dev) + { +- struct urb *urb = NULL; ++ struct rx_buf *rx_buf = NULL; + struct sk_buff *skb = NULL; ++ struct urb *urb = NULL; + int i, 
ret; + + init_usb_anchor(&hif_dev->rx_submitted); +@@ -841,6 +844,12 @@ static int ath9k_hif_usb_alloc_rx_urbs(s + + for (i = 0; i < MAX_RX_URB_NUM; i++) { + ++ rx_buf = kzalloc(sizeof(*rx_buf), GFP_KERNEL); ++ if (!rx_buf) { ++ ret = -ENOMEM; ++ goto err_rxb; ++ } ++ + /* Allocate URB */ + urb = usb_alloc_urb(0, GFP_KERNEL); + if (urb == NULL) { +@@ -855,11 +864,14 @@ static int ath9k_hif_usb_alloc_rx_urbs(s + goto err_skb; + } + ++ rx_buf->hif_dev = hif_dev; ++ rx_buf->skb = skb; ++ + usb_fill_bulk_urb(urb, hif_dev->udev, + usb_rcvbulkpipe(hif_dev->udev, + USB_WLAN_RX_PIPE), + skb->data, MAX_RX_BUF_SIZE, +- ath9k_hif_usb_rx_cb, skb); ++ ath9k_hif_usb_rx_cb, rx_buf); + + /* Anchor URB */ + usb_anchor_urb(urb, &hif_dev->rx_submitted); +@@ -885,6 +897,8 @@ err_submit: + err_skb: + usb_free_urb(urb); + err_urb: ++ kfree(rx_buf); ++err_rxb: + ath9k_hif_usb_dealloc_rx_urbs(hif_dev); + return ret; + } +@@ -896,14 +910,21 @@ static void ath9k_hif_usb_dealloc_reg_in + + static int ath9k_hif_usb_alloc_reg_in_urbs(struct hif_device_usb *hif_dev) + { +- struct urb *urb = NULL; ++ struct rx_buf *rx_buf = NULL; + struct sk_buff *skb = NULL; ++ struct urb *urb = NULL; + int i, ret; + + init_usb_anchor(&hif_dev->reg_in_submitted); + + for (i = 0; i < MAX_REG_IN_URB_NUM; i++) { + ++ rx_buf = kzalloc(sizeof(*rx_buf), GFP_KERNEL); ++ if (!rx_buf) { ++ ret = -ENOMEM; ++ goto err_rxb; ++ } ++ + /* Allocate URB */ + urb = usb_alloc_urb(0, GFP_KERNEL); + if (urb == NULL) { +@@ -918,11 +939,14 @@ static int ath9k_hif_usb_alloc_reg_in_ur + goto err_skb; + } + ++ rx_buf->hif_dev = hif_dev; ++ rx_buf->skb = skb; ++ + usb_fill_int_urb(urb, hif_dev->udev, + usb_rcvintpipe(hif_dev->udev, + USB_REG_IN_PIPE), + skb->data, MAX_REG_IN_BUF_SIZE, +- ath9k_hif_usb_reg_in_cb, skb, 1); ++ ath9k_hif_usb_reg_in_cb, rx_buf, 1); + + /* Anchor URB */ + usb_anchor_urb(urb, &hif_dev->reg_in_submitted); +@@ -948,6 +972,8 @@ err_submit: + err_skb: + usb_free_urb(urb); + err_urb: ++ kfree(rx_buf); ++err_rxb: + 
ath9k_hif_usb_dealloc_reg_in_urbs(hif_dev); + return ret; + } +--- a/drivers/net/wireless/ath/ath9k/hif_usb.h ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.h +@@ -86,6 +86,11 @@ struct tx_buf { + struct list_head list; + }; + ++struct rx_buf { ++ struct sk_buff *skb; ++ struct hif_device_usb *hif_dev; ++}; ++ + #define HIF_USB_TX_STOP BIT(0) + #define HIF_USB_TX_FLUSH BIT(1) + diff --git a/queue-4.19/ath9k-fix-regression-with-atheros-9271.patch b/queue-4.19/ath9k-fix-regression-with-atheros-9271.patch new file mode 100644 index 00000000000..5f0faf5b9ae --- /dev/null +++ b/queue-4.19/ath9k-fix-regression-with-atheros-9271.patch @@ -0,0 +1,44 @@ +From 92f53e2fda8bb9a559ad61d57bfb397ce67ed0ab Mon Sep 17 00:00:00 2001 +From: Mark O'Donovan +Date: Sat, 11 Jul 2020 05:33:24 +0100 +Subject: ath9k: Fix regression with Atheros 9271 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mark O'Donovan + +commit 92f53e2fda8bb9a559ad61d57bfb397ce67ed0ab upstream. + +This fix allows ath9k_htc modules to connect to WLAN once again. + +Fixes: 2bbcaaee1fcb ("ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=208251 +Signed-off-by: Mark O'Donovan +Reported-by: Roman Mamedov +Tested-by: Viktor Jägersküpper +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200711043324.8079-1-shiftee@posteo.net +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -733,11 +733,13 @@ static void ath9k_hif_usb_reg_in_cb(stru + return; + } + ++ rx_buf->skb = nskb; ++ + usb_fill_int_urb(urb, hif_dev->udev, + usb_rcvintpipe(hif_dev->udev, + USB_REG_IN_PIPE), + nskb->data, MAX_REG_IN_BUF_SIZE, +- ath9k_hif_usb_reg_in_cb, nskb, 1); ++ ath9k_hif_usb_reg_in_cb, rx_buf, 1); + } + + resubmit: 
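Review bot: In ath9k_hif_usb_rx_cb and ath9k_hif_usb_reg_in_cb the `if (!skb)` guard no longer protects against a NULL `urb->context`, because `rx_buf->hif_dev` and `rx_buf->skb` are read in the declarations before the guard runs. ath9k_hif_usb_reg_in_cb still sets `urb->context = NULL` in its `free:` path, so if a callback can ever run again for such a URB (not determinable from the hunk) it would dereference NULL; testing the wrapper first, `if (!rx_buf) return;`, keeps the old behaviour. The re-arm call inside ath9k_hif_usb_reg_in_cb lies outside these hunks and is only switched to pass `rx_buf` by the ath9k-fix-regression-with-atheros-9271 patch later in this queue, so the two patches need to be applied together.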
diff --git a/queue-4.19/dm-integrity-fix-integrity-recalculation-that-is-improperly-skipped.patch b/queue-4.19/dm-integrity-fix-integrity-recalculation-that-is-improperly-skipped.patch new file mode 100644 index 00000000000..1a29bd6a377 --- /dev/null +++ b/queue-4.19/dm-integrity-fix-integrity-recalculation-that-is-improperly-skipped.patch 
@@ -0,0 +1,128 @@ +From 5df96f2b9f58a5d2dc1f30fe7de75e197f2c25f2 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Thu, 23 Jul 2020 10:42:09 -0400 +Subject: dm integrity: fix integrity recalculation that is improperly skipped + +From: Mikulas Patocka + +commit 5df96f2b9f58a5d2dc1f30fe7de75e197f2c25f2 upstream. + +Commit adc0daad366b62ca1bce3e2958a40b0b71a8b8b3 ("dm: report suspended +device during destroy") broke integrity recalculation. + +The problem is dm_suspended() returns true not only during suspend, +but also during resume. So this race condition could occur: +1. dm_integrity_resume calls queue_work(ic->recalc_wq, &ic->recalc_work) +2. integrity_recalc (&ic->recalc_work) preempts the current thread +3. integrity_recalc calls if (unlikely(dm_suspended(ic->ti))) goto unlock_ret; +4. integrity_recalc exits and no recalculating is done. + +To fix this race condition, add a function dm_post_suspending that is +only true during the postsuspend phase and use it instead of +dm_suspended(). 
+ +Signed-off-by: Mikulas Patocka +Fixes: adc0daad366b ("dm: report suspended device during destroy") +Cc: stable vger kernel org # v4.18+ +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-integrity.c | 4 ++-- + drivers/md/dm.c | 17 +++++++++++++++++ + include/linux/device-mapper.h | 1 + + 3 files changed, 20 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-integrity.c ++++ b/drivers/md/dm-integrity.c +@@ -2068,7 +2068,7 @@ static void integrity_writer(struct work + unsigned prev_free_sectors; + + /* the following test is not needed, but it tests the replay code */ +- if (unlikely(dm_suspended(ic->ti)) && !ic->meta_dev) ++ if (unlikely(dm_post_suspending(ic->ti)) && !ic->meta_dev) + return; + + spin_lock_irq(&ic->endio_wait.lock); +@@ -2127,7 +2127,7 @@ static void integrity_recalc(struct work + + next_chunk: + +- if (unlikely(dm_suspended(ic->ti))) ++ if (unlikely(dm_post_suspending(ic->ti))) + goto unlock_ret; + + range.logical_sector = le64_to_cpu(ic->sb->recalc_sector); +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -141,6 +141,7 @@ EXPORT_SYMBOL_GPL(dm_bio_get_target_bio_ + #define DMF_NOFLUSH_SUSPENDING 5 + #define DMF_DEFERRED_REMOVE 6 + #define DMF_SUSPENDED_INTERNALLY 7 ++#define DMF_POST_SUSPENDING 8 + + #define DM_NUMA_NODE NUMA_NO_NODE + static int dm_numa_node = DM_NUMA_NODE; +@@ -2355,6 +2356,7 @@ static void __dm_destroy(struct mapped_d + if (!dm_suspended_md(md)) { + dm_table_presuspend_targets(map); + set_bit(DMF_SUSPENDED, &md->flags); ++ set_bit(DMF_POST_SUSPENDING, &md->flags); + dm_table_postsuspend_targets(map); + } + /* dm_put_live_table must be before msleep, otherwise deadlock is possible */ +@@ -2680,7 +2682,9 @@ retry: + if (r) + goto out_unlock; + ++ set_bit(DMF_POST_SUSPENDING, &md->flags); + dm_table_postsuspend_targets(map); ++ clear_bit(DMF_POST_SUSPENDING, &md->flags); + + out_unlock: + mutex_unlock(&md->suspend_lock); +@@ -2777,7 +2781,9 @@ static void __dm_internal_suspend(struct + 
(void) __dm_suspend(md, map, suspend_flags, TASK_UNINTERRUPTIBLE, + DMF_SUSPENDED_INTERNALLY); + ++ set_bit(DMF_POST_SUSPENDING, &md->flags); + dm_table_postsuspend_targets(map); ++ clear_bit(DMF_POST_SUSPENDING, &md->flags); + } + + static void __dm_internal_resume(struct mapped_device *md) +@@ -2938,6 +2944,11 @@ int dm_suspended_md(struct mapped_device + return test_bit(DMF_SUSPENDED, &md->flags); + } + ++static int dm_post_suspending_md(struct mapped_device *md) ++{ ++ return test_bit(DMF_POST_SUSPENDING, &md->flags); ++} ++ + int dm_suspended_internally_md(struct mapped_device *md) + { + return test_bit(DMF_SUSPENDED_INTERNALLY, &md->flags); +@@ -2954,6 +2965,12 @@ int dm_suspended(struct dm_target *ti) + } + EXPORT_SYMBOL_GPL(dm_suspended); + ++int dm_post_suspending(struct dm_target *ti) ++{ ++ return dm_post_suspending_md(dm_table_get_md(ti->table)); ++} ++EXPORT_SYMBOL_GPL(dm_post_suspending); ++ + int dm_noflush_suspending(struct dm_target *ti) + { + return __noflush_suspending(dm_table_get_md(ti->table)); +--- a/include/linux/device-mapper.h ++++ b/include/linux/device-mapper.h +@@ -419,6 +419,7 @@ const char *dm_device_name(struct mapped + int dm_copy_name_and_uuid(struct mapped_device *md, char *name, char *uuid); + struct gendisk *dm_disk(struct mapped_device *md); + int dm_suspended(struct dm_target *ti); ++int dm_post_suspending(struct dm_target *ti); + int dm_noflush_suspending(struct dm_target *ti); + void dm_accept_partial_bio(struct bio *bio, unsigned n_sectors); + void dm_remap_zone_report(struct dm_target *ti, struct bio *bio, diff --git a/queue-4.19/drm-amd-powerplay-fix-a-crash-when-overclocking-vega-m.patch b/queue-4.19/drm-amd-powerplay-fix-a-crash-when-overclocking-vega-m.patch new file mode 100644 index 00000000000..1f25def4fe6 --- /dev/null +++ b/queue-4.19/drm-amd-powerplay-fix-a-crash-when-overclocking-vega-m.patch 
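Review bot: DMF_POST_SUSPENDING is set but never cleared in __dm_destroy, while the suspend path at the `retry:` hunk and __dm_internal_suspend bracket dm_table_postsuspend_targets() with set_bit/clear_bit; a comment at the __dm_destroy site would show the asymmetry is deliberate (presumably because the device is going away). dm_post_suspending() is also exported without a description; I would add above it `/* True only while postsuspend is running for this device, or once it is being destroyed. */` so callers do not confuse it with dm_suspended(). The code surrounding each of these sites is outside the hunks.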
@@ -0,0 +1,52 @@ +From 88bb16ad998a0395fe4b346b7d3f621aaa0a2324 Mon Sep 17 00:00:00 2001 +From: Qiu Wenbo +Date: Fri, 17 Jul 2020 15:09:57 +0800 +Subject: drm/amd/powerplay: fix a crash when overclocking Vega M + +From: Qiu Wenbo + +commit 88bb16ad998a0395fe4b346b7d3f621aaa0a2324 upstream. + +Avoid kernel crash when vddci_control is SMU7_VOLTAGE_CONTROL_NONE and +vddci_voltage_table is empty. It has been tested on Intel Hades Canyon +(i7-8809G). + +Bug: https://bugzilla.kernel.org/show_bug.cgi?id=208489 +Fixes: ac7822b0026f ("drm/amd/powerplay: add smumgr support for VEGAM (v2)") +Reviewed-by: Evan Quan +Signed-off-by: Qiu Wenbo +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c ++++ b/drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c +@@ -643,9 +643,6 @@ static int vegam_get_dependency_volt_by_ + + /* sclk is bigger than max sclk in the dependence table */ + *voltage |= (dep_table->entries[i - 1].vddc * VOLTAGE_SCALE) << VDDC_SHIFT; +- vddci = phm_find_closest_vddci(&(data->vddci_voltage_table), +- (dep_table->entries[i - 1].vddc - +- (uint16_t)VDDC_VDDCI_DELTA)); + + if (SMU7_VOLTAGE_CONTROL_NONE == data->vddci_control) + *voltage |= (data->vbios_boot_state.vddci_bootup_value * +@@ -653,8 +650,13 @@ static int vegam_get_dependency_volt_by_ + else if (dep_table->entries[i - 1].vddci) + *voltage |= (dep_table->entries[i - 1].vddci * + VOLTAGE_SCALE) << VDDC_SHIFT; +- else ++ else { ++ vddci = phm_find_closest_vddci(&(data->vddci_voltage_table), ++ (dep_table->entries[i - 1].vddc - ++ (uint16_t)VDDC_VDDCI_DELTA)); ++ + *voltage |= (vddci * VOLTAGE_SCALE) << VDDCI_SHIFT; ++ } + + if (SMU7_VOLTAGE_CONTROL_NONE == data->mvdd_control) + *mvdd = data->vbios_boot_state.mvdd_bootup_value * VOLTAGE_SCALE; 
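Review bot: The unchanged `else if (dep_table->entries[i - 1].vddci)` branch shifts a VDDCI value by `VDDC_SHIFT`, whereas the branch this patch rewrites uses `VDDCI_SHIFT` for the same quantity; that looks like a copy-paste slip and is worth confirming against the other smumgr implementations, the expected form being `VOLTAGE_SCALE) << VDDCI_SHIFT;`. The subtraction `dep_table->entries[i - 1].vddc - (uint16_t)VDDC_VDDCI_DELTA` that moved into the `else` block can also wrap if vddc is smaller than the delta; whether that can happen is not visible here. The function starts before the hunk and continues after it.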
diff --git a/queue-4.19/drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch b/queue-4.19/drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch new file mode 100644 index 00000000000..63969bd6a7d --- /dev/null +++ b/queue-4.19/drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch 
@@ -0,0 +1,61 @@ +From 38e0c89a19fd13f28d2b4721035160a3e66e270b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= +Date: Sun, 19 Jul 2020 17:54:53 +0200 +Subject: drm/amdgpu: Fix NULL dereference in dpm sysfs handlers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paweł Gronowski + +commit 38e0c89a19fd13f28d2b4721035160a3e66e270b upstream. + +NULL dereference occurs when string that is not ended with space or +newline is written to some dpm sysfs interface (for example pp_dpm_sclk). +This happens because strsep replaces the tmp with NULL if the delimiter +is not present in string, which is then dereferenced by tmp[0]. + +Reproduction example: +sudo sh -c 'echo -n 1 > /sys/class/drm/card0/device/pp_dpm_sclk' + +Signed-off-by: Paweł Gronowski +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c +@@ -529,8 +529,7 @@ static ssize_t amdgpu_set_pp_od_clk_volt + + while (isspace(*++tmp_str)); + +- while (tmp_str[0]) { +- sub_str = strsep(&tmp_str, delimiter); ++ while ((sub_str = strsep(&tmp_str, delimiter)) != NULL) { + ret = kstrtol(sub_str, 0, ¶meter[parameter_size]); + if (ret) + return -EINVAL; +@@ -630,8 +629,7 @@ static ssize_t amdgpu_read_mask(const ch + memcpy(buf_cpy, buf, bytes); + buf_cpy[bytes] = '\0'; + tmp = buf_cpy; +- while (tmp[0]) { +- sub_str = strsep(&tmp, delimiter); ++ while ((sub_str = strsep(&tmp, delimiter)) != NULL) { + if (strlen(sub_str)) { + ret = kstrtol(sub_str, 0, &level); + if (ret) +@@ -882,8 +880,7 @@ static ssize_t amdgpu_set_pp_power_profi + i++; + memcpy(buf_cpy, buf, count-i); + tmp_str = buf_cpy; +- while (tmp_str[0]) { +- sub_str = strsep(&tmp_str, delimiter); ++ while ((sub_str = strsep(&tmp_str, delimiter)) != NULL) { 
+ ret = kstrtol(sub_str, 0, ¶meter[parameter_size]); + if (ret) { + count = -EINVAL; diff --git a/queue-4.19/io-mapping-indicate-mapping-failure.patch b/queue-4.19/io-mapping-indicate-mapping-failure.patch new file mode 100644 index 00000000000..351bff91c97 --- /dev/null +++ b/queue-4.19/io-mapping-indicate-mapping-failure.patch 
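Review bot: The rewritten loops in amdgpu_set_pp_od_clk_voltage and amdgpu_set_pp_power_profile_mode hand every token to kstrtol(), including the empty one strsep() returns when the input ends with a delimiter, so a write ending in a space or newline (which the commit message implies are delimiters) would now fail with -EINVAL where the old `while (tmp_str[0])` loop simply stopped. amdgpu_read_mask already guards with `if (strlen(sub_str))`; the other two loops should skip empty tokens the same way, e.g. `if (!*sub_str) continue;` before the conversion. Whether `parameter_size` is bounded before it indexes the array is not visible in these hunks and is worth checking, since the data comes from a sysfs write. All three functions start and end outside the hunks.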
@@ -0,0 +1,73 @@ +From e0b3e0b1a04367fc15c07f44e78361545b55357c Mon Sep 17 00:00:00 2001 +From: "Michael J. Ruhl" +Date: Thu, 23 Jul 2020 21:15:46 -0700 +Subject: io-mapping: indicate mapping failure + +From: Michael J. Ruhl + +commit e0b3e0b1a04367fc15c07f44e78361545b55357c upstream. + +The !ATOMIC_IOMAP version of io_maping_init_wc will always return +success, even when the ioremap fails. + +Since the ATOMIC_IOMAP version returns NULL when the init fails, and +callers check for a NULL return on error this is unexpected. + +During a device probe, where the ioremap failed, a crash can look like +this: + + BUG: unable to handle page fault for address: 0000000000210000 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + Oops: 0002 [#1] PREEMPT SMP + CPU: 0 PID: 177 Comm: + RIP: 0010:fill_page_dma [i915] + gen8_ppgtt_create [i915] + i915_ppgtt_create [i915] + intel_gt_init [i915] + i915_gem_init [i915] + i915_driver_probe [i915] + pci_device_probe + really_probe + driver_probe_device + +The remap failure occurred much earlier in the probe. If it had been +propagated, the driver would have exited with an error. + +Return NULL on ioremap failure. + +[akpm@linux-foundation.org: detect ioremap_wc() errors earlier] + +Fixes: cafaf14a5d8f ("io-mapping: Always create a struct to hold metadata about the io-mapping") +Signed-off-by: Michael J. 
Ruhl +Signed-off-by: Andrew Morton +Reviewed-by: Andrew Morton +Cc: Mike Rapoport +Cc: Andy Shevchenko +Cc: Chris Wilson +Cc: Daniel Vetter +Cc: +Link: http://lkml.kernel.org/r/20200721171936.81563-1-michael.j.ruhl@intel.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/io-mapping.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/include/linux/io-mapping.h ++++ b/include/linux/io-mapping.h +@@ -120,9 +120,12 @@ io_mapping_init_wc(struct io_mapping *io + resource_size_t base, + unsigned long size) + { ++ iomap->iomem = ioremap_wc(base, size); ++ if (!iomap->iomem) ++ return NULL; ++ + iomap->base = base; + iomap->size = size; +- iomap->iomem = ioremap_wc(base, size); + #if defined(pgprot_noncached_wc) /* archs can't agree on a name ... */ + iomap->prot = pgprot_noncached_wc(PAGE_KERNEL); + #elif defined(pgprot_writecombine) diff --git a/queue-4.19/mm-memcg-fix-refcount-error-while-moving-and-swapping.patch b/queue-4.19/mm-memcg-fix-refcount-error-while-moving-and-swapping.patch new file mode 100644 index 00000000000..bc0c1d3c18f --- /dev/null +++ b/queue-4.19/mm-memcg-fix-refcount-error-while-moving-and-swapping.patch 
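Review bot: io_mapping_init_wc now returns NULL after storing the failed ioremap_wc() result in `iomap->iomem` and leaving `base`, `size` and `prot` unset, and that contract is not documented anywhere in the hunk. A comment above the function, e.g. `/* Returns NULL if ioremap_wc() fails; *iomap is then unusable and still owned by the caller. */`, would tell callers that allocate the struct themselves that they must free it on this path. The callers are outside the hunk, so whether they already do so is not visible here.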
@@ -0,0 +1,61 @@ +From 8d22a9351035ef2ff12ef163a1091b8b8cf1e49c Mon Sep 17 00:00:00 2001 +From: Hugh Dickins +Date: Thu, 23 Jul 2020 21:15:24 -0700 +Subject: mm/memcg: fix refcount error while moving and swapping + +From: Hugh Dickins + +commit 8d22a9351035ef2ff12ef163a1091b8b8cf1e49c upstream. + +It was hard to keep a test running, moving tasks between memcgs with +move_charge_at_immigrate, while swapping: mem_cgroup_id_get_many()'s +refcount is discovered to be 0 (supposedly impossible), so it is then +forced to REFCOUNT_SATURATED, and after thousands of warnings in quick +succession, the test is at last put out of misery by being OOM killed. + +This is because of the way moved_swap accounting was saved up until the +task move gets completed in __mem_cgroup_clear_mc(), deferred from when +mem_cgroup_move_swap_account() actually exchanged old and new ids. +Concurrent activity can free up swap quicker than the task is scanned, +bringing id refcount down 0 (which should only be possible when +offlining). + +Just skip that optimization: do that part of the accounting immediately. 
+ +Fixes: 615d66c37c75 ("mm: memcontrol: fix memcg id ref counter on swap charge move") +Signed-off-by: Hugh Dickins +Signed-off-by: Andrew Morton +Reviewed-by: Alex Shi +Cc: Johannes Weiner +Cc: Alex Shi +Cc: Shakeel Butt +Cc: Michal Hocko +Cc: +Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2007071431050.4726@eggly.anvils +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memcontrol.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -5147,7 +5147,6 @@ static void __mem_cgroup_clear_mc(void) + if (!mem_cgroup_is_root(mc.to)) + page_counter_uncharge(&mc.to->memory, mc.moved_swap); + +- mem_cgroup_id_get_many(mc.to, mc.moved_swap); + css_put_many(&mc.to->css, mc.moved_swap); + + mc.moved_swap = 0; +@@ -5338,7 +5337,8 @@ put: /* get_mctgt_type() gets the page + ent = target.ent; + if (!mem_cgroup_move_swap_account(ent, mc.from, mc.to)) { + mc.precharge--; +- /* we fixup refcnts and charges later. */ ++ mem_cgroup_id_get_many(mc.to, 1); ++ /* we fixup other refcnts and charges later. */ + mc.moved_swap++; + } + break; diff --git a/queue-4.19/mm-memcg-slab-fix-memory-leak-at-non-root-kmem_cache-destroy.patch b/queue-4.19/mm-memcg-slab-fix-memory-leak-at-non-root-kmem_cache-destroy.patch new file mode 100644 index 00000000000..9e3c35aaae6 --- /dev/null +++ b/queue-4.19/mm-memcg-slab-fix-memory-leak-at-non-root-kmem_cache-destroy.patch 
@@ -0,0 +1,125 @@
+From d38a2b7a9c939e6d7329ab92b96559ccebf7b135 Mon Sep 17 00:00:00 2001
+From: Muchun Song
+Date: Thu, 23 Jul 2020 21:15:27 -0700
+Subject: mm: memcg/slab: fix memory leak at non-root kmem_cache destroy
+
+From: Muchun Song
+
+commit d38a2b7a9c939e6d7329ab92b96559ccebf7b135 upstream.
+
+If the kmem_cache refcount is greater than one, we should not mark the
+root kmem_cache as dying. If we mark the root kmem_cache dying
+incorrectly, the non-root kmem_cache can never be destroyed. It
+resulted in memory leak when memcg was destroyed. We can use the
+following steps to reproduce.
+
+ 1) Use kmem_cache_create() to create a new kmem_cache named A.
+ 2) Coincidentally, the kmem_cache A is an alias for kmem_cache B,
+ so the refcount of B is just increased.
+ 3) Use kmem_cache_destroy() to destroy the kmem_cache A, just
+ decrease the B's refcount but mark the B as dying.
+ 4) Create a new memory cgroup and alloc memory from the kmem_cache
+ B. It leads to create a non-root kmem_cache for allocating memory.
+ 5) When destroy the memory cgroup created in the step 4), the
+ non-root kmem_cache can never be destroyed.
+
+If we repeat steps 4) and 5), this will cause a lot of memory leak. So
+only when refcount reach zero, we mark the root kmem_cache as dying.
+
+Fixes: 92ee383f6daa ("mm: fix race between kmem_cache destroy, create and deactivate")
+Signed-off-by: Muchun Song
+Signed-off-by: Andrew Morton
+Reviewed-by: Shakeel Butt
+Acked-by: Roman Gushchin
+Cc: Vlastimil Babka
+Cc: Christoph Lameter
+Cc: Pekka Enberg
+Cc: David Rientjes
+Cc: Joonsoo Kim
+Cc: Shakeel Butt
+Cc:
+Link: http://lkml.kernel.org/r/20200716165103.83462-1-songmuchun@bytedance.com
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/slab_common.c | 35 ++++++++++++++++++++++++++++-------
+ 1 file changed, 28 insertions(+), 7 deletions(-)
+
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -310,6 +310,14 @@ int slab_unmergeable(struct kmem_cache *
+ if (s->refcount < 0)
+ return 1;
+
++#ifdef CONFIG_MEMCG_KMEM
++ /*
++ * Skip the dying kmem_cache.
++ */
++ if (s->memcg_params.dying)
++ return 1;
++#endif
++
+ return 0;
+ }
+
+@@ -832,12 +840,15 @@ static int shutdown_memcg_caches(struct
+ return 0;
+ }
+
+-static void flush_memcg_workqueue(struct kmem_cache *s)
++static void memcg_set_kmem_cache_dying(struct kmem_cache *s)
+ {
+ mutex_lock(&slab_mutex);
+ s->memcg_params.dying = true;
+ mutex_unlock(&slab_mutex);
++}
+
++static void flush_memcg_workqueue(struct kmem_cache *s)
++{
+ /*
+ * SLUB deactivates the kmem_caches through call_rcu_sched. Make
+ * sure all registered rcu callbacks have been invoked.
+@@ -858,10 +869,6 @@ static inline int shutdown_memcg_caches(
+ {
+ return 0;
+ }
+-
+-static inline void flush_memcg_workqueue(struct kmem_cache *s)
+-{
+-}
+ #endif /* CONFIG_MEMCG_KMEM */
+
+ void slab_kmem_cache_release(struct kmem_cache *s)
+@@ -879,8 +886,6 @@ void kmem_cache_destroy(struct kmem_cach
+ if (unlikely(!s))
+ return;
+
+- flush_memcg_workqueue(s);
+-
+ get_online_cpus();
+ get_online_mems();
+
+@@ -890,6 +895,22 @@ void kmem_cache_destroy(struct kmem_cach
+ if (s->refcount)
+ goto out_unlock;
+
++#ifdef CONFIG_MEMCG_KMEM
++ memcg_set_kmem_cache_dying(s);
++
++ mutex_unlock(&slab_mutex);
++
++ put_online_mems();
++ put_online_cpus();
++
++ flush_memcg_workqueue(s);
++
++ get_online_cpus();
++ get_online_mems();
++
++ mutex_lock(&slab_mutex);
++#endif
++
+ err = shutdown_memcg_caches(s);
+ if (!err)
+ err = shutdown_cache(s);
diff --git a/queue-4.19/parisc-add-atomic64_set_release-define-to-avoid-cpu-soft-lockups.patch b/queue-4.19/parisc-add-atomic64_set_release-define-to-avoid-cpu-soft-lockups.patch
new file mode 100644
index 00000000000..cf2ba4b0cc1
--- /dev/null
+++ b/queue-4.19/parisc-add-atomic64_set_release-define-to-avoid-cpu-soft-lockups.patch
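Review bot: memcg_set_kmem_cache_dying() takes slab_mutex itself, but the last mm/slab_common.c hunk calls it in kmem_cache_destroy() at a point where slab_mutex appears to be held already: the added `mutex_unlock(&slab_mutex);` follows the call directly and the preceding context jumps to `out_unlock`. The lock acquisition is outside the hunk, so this is inferred, but if it holds, the call self-deadlocks on a non-recursive mutex whenever the last reference is dropped with CONFIG_MEMCG_KMEM enabled. Since the caller already owns the lock, the helper call can be replaced by `s->memcg_params.dying = true;`, or the helper should lose its own lock/unlock pair and document that slab_mutex must be held. Separately, `s->refcount` is not re-checked after `mutex_lock(&slab_mutex)` is retaken; a comment saying that the new `dying` test in slab_unmergeable() is what prevents a new alias during the unlocked window would make that reliance explicit.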
@@ -0,0 +1,84 @@
+From be6577af0cef934ccb036445314072e8cb9217b9 Mon Sep 17 00:00:00 2001
+From: John David Anglin
+Date: Tue, 21 Jul 2020 07:36:59 -0400
+Subject: parisc: Add atomic64_set_release() define to avoid CPU soft lockups
+
+From: John David Anglin
+
+commit be6577af0cef934ccb036445314072e8cb9217b9 upstream.
+
+Stalls are quite frequent with recent kernels. I enabled
+CONFIG_SOFTLOCKUP_DETECTOR and I caught the following stall:
+
+watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [cc1:22803]
+CPU: 0 PID: 22803 Comm: cc1 Not tainted 5.6.17+ #3
+Hardware name: 9000/800/rp3440
+ IAOQ[0]: d_alloc_parallel+0x384/0x688
+ IAOQ[1]: d_alloc_parallel+0x388/0x688
+ RP(r2): d_alloc_parallel+0x134/0x688
+Backtrace:
+ [<000000004036974c>] __lookup_slow+0xa4/0x200
+ [<0000000040369fc8>] walk_component+0x288/0x458
+ [<000000004036a9a0>] path_lookupat+0x88/0x198
+ [<000000004036e748>] filename_lookup+0xa0/0x168
+ [<000000004036e95c>] user_path_at_empty+0x64/0x80
+ [<000000004035d93c>] vfs_statx+0x104/0x158
+ [<000000004035dfcc>] __do_sys_lstat64+0x44/0x80
+ [<000000004035e5a0>] sys_lstat64+0x20/0x38
+ [<0000000040180054>] syscall_exit+0x0/0x14
+
+The code was stuck in this loop in d_alloc_parallel:
+
+ 4037d414: 0e 00 10 dc ldd 0(r16),ret0
+ 4037d418: c7 fc 5f ed bb,< ret0,1f,4037d414
+ 4037d41c: 08 00 02 40 nop
+
+This is the inner loop of bit_spin_lock which is called by hlist_bl_unlock in
+d_alloc_parallel:
+
+static inline void bit_spin_lock(int bitnum, unsigned long *addr)
+{
+ /*
+ * Assuming the lock is uncontended, this never enters
+ * the body of the outer loop. If it is contended, then
+ * within the inner loop a non-atomic test is used to
+ * busywait with less bus contention for a good time to
+ * attempt to acquire the lock bit.
+ */
+ preempt_disable();
+#if defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)
+ while (unlikely(test_and_set_bit_lock(bitnum, addr))) {
+ preempt_enable();
+ do {
+ cpu_relax();
+ } while (test_bit(bitnum, addr));
+ preempt_disable();
+ }
+#endif
+ __acquire(bitlock);
+}
+
+After consideration, I realized that we must be losing bit unlocks.
+Then, I noticed that we missed defining atomic64_set_release().
+Adding this define fixes the stalls in bit operations.
+
+Signed-off-by: Dave Anglin
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/include/asm/atomic.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/parisc/include/asm/atomic.h
++++ b/arch/parisc/include/asm/atomic.h
+@@ -212,6 +212,8 @@ atomic64_set(atomic64_t *v, s64 i)
+ _atomic_spin_unlock_irqrestore(v, flags);
+ }
+
++#define atomic64_set_release(v, i) atomic64_set((v), (i))
++
+ static __inline__ s64
+ atomic64_read(const atomic64_t *v)
+ {
diff --git a/queue-4.19/series b/queue-4.19/series
index d46589c223b..59783077fd2 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
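Review bot: The added `#define atomic64_set_release(v, i) atomic64_set((v), (i))` carries no comment explaining why the override is needed, and the reason is not obvious from the header alone. The context shows atomic64_set() ending with `_atomic_spin_unlock_irqrestore(v, flags)`, so the store is serialised by a lock; presumably the generic fallback for atomic64_set_release() is a plain release store that bypasses that lock, which would explain the lost unlocks described in the changelog. A one-line comment such as `/* must go through the locked atomic64_set(); a plain store races with the lock-based atomic ops */` would keep the define from later being removed as redundant. It is also worth confirming that the 32-bit `atomic_set_release()` has the same override in this tree, which the hunk does not show.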
@@ -72,3 +72,15 @@ serial-8250_mtk-fix-high-speed-baud-rates-clamping.patch
 fbdev-detect-integer-underflow-at-struct-fbcon_ops-clear_margins.patch
 vt-reject-zero-sized-screen-buffer-size.patch
 makefile-fix-gcc_toolchain_dir-prefix-for-clang-cross-compilation.patch
+mm-memcg-fix-refcount-error-while-moving-and-swapping.patch
+mm-memcg-slab-fix-memory-leak-at-non-root-kmem_cache-destroy.patch
+io-mapping-indicate-mapping-failure.patch
+drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch
+drm-amd-powerplay-fix-a-crash-when-overclocking-vega-m.patch
+parisc-add-atomic64_set_release-define-to-avoid-cpu-soft-lockups.patch
+x86-vmlinux.lds-page-align-end-of-..page_aligned-sections.patch
+asoc-rt5670-add-new-gpio1_is_ext_spk_en-quirk-and-enable-it-on-the-lenovo-miix-2-10.patch
+asoc-qcom-drop-has_dma-dependency-to-fix-link-failure.patch
+dm-integrity-fix-integrity-recalculation-that-is-improperly-skipped.patch
+ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch
+ath9k-fix-regression-with-atheros-9271.patch
diff --git a/queue-4.19/x86-vmlinux.lds-page-align-end-of-..page_aligned-sections.patch b/queue-4.19/x86-vmlinux.lds-page-align-end-of-..page_aligned-sections.patch
new file mode 100644
index 00000000000..3e6a264d815
--- /dev/null
+++ b/queue-4.19/x86-vmlinux.lds-page-align-end-of-..page_aligned-sections.patch
@@ -0,0 +1,78 @@
+From de2b41be8fcccb2f5b6c480d35df590476344201 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel
+Date: Tue, 21 Jul 2020 11:34:48 +0200
+Subject: x86, vmlinux.lds: Page-align end of ..page_aligned sections
+
+From: Joerg Roedel
+
+commit de2b41be8fcccb2f5b6c480d35df590476344201 upstream.
+
+On x86-32 the idt_table with 256 entries needs only 2048 bytes. It is
+page-aligned, but the end of the .bss..page_aligned section is not
+guaranteed to be page-aligned.
+
+As a result, objects from other .bss sections may end up on the same 4k
+page as the idt_table, and will accidentially get mapped read-only during
+boot, causing unexpected page-faults when the kernel writes to them.
+
+This could be worked around by making the objects in the page aligned
+sections page sized, but that's wrong.
+
+Explicit sections which store only page aligned objects have an implicit
+guarantee that the object is alone in the page in which it is placed. That
+works for all objects except the last one. That's inconsistent.
+
+Enforcing page sized objects for these sections would wreckage memory
+sanitizers, because the object becomes artificially larger than it should
+be and out of bound access becomes legit.
+
+Align the end of the .bss..page_aligned and .data..page_aligned section on
+page-size so all objects places in these sections are guaranteed to have
+their own page.
+
+[ tglx: Amended changelog ]
+
+Signed-off-by: Joerg Roedel
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Kees Cook
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20200721093448.10417-1-joro@8bytes.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/vmlinux.lds.S | 1 +
+ include/asm-generic/vmlinux.lds.h | 5 ++++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/vmlinux.lds.S
++++ b/arch/x86/kernel/vmlinux.lds.S
+@@ -372,6 +372,7 @@ SECTIONS
+ .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
+ __bss_start = .;
+ *(.bss..page_aligned)
++ . = ALIGN(PAGE_SIZE);
+ *(BSS_MAIN)
+ BSS_DECRYPTED
+ . = ALIGN(PAGE_SIZE);
+--- a/include/asm-generic/vmlinux.lds.h
++++ b/include/asm-generic/vmlinux.lds.h
+@@ -279,7 +279,8 @@
+
+ #define PAGE_ALIGNED_DATA(page_align) \
+ . = ALIGN(page_align); \
+- *(.data..page_aligned)
++ *(.data..page_aligned) \
++ . = ALIGN(page_align);
+
+ #define READ_MOSTLY_DATA(align) \
+ . = ALIGN(align); \
+@@ -650,7 +651,9 @@
+ . = ALIGN(bss_align); \
+ .bss : AT(ADDR(.bss) - LOAD_OFFSET) { \
+ BSS_FIRST_SECTIONS \
++ . = ALIGN(PAGE_SIZE); \
+ *(.bss..page_aligned) \
++ . = ALIGN(PAGE_SIZE); \
+ *(.dynbss) \
+ *(BSS_MAIN) \
+ *(COMMON) \
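Review bot: In the include/asm-generic/vmlinux.lds.h hunks the two macros pad differently: PAGE_ALIGNED_DATA aligns with its `page_align` parameter, while the .bss macro hard-codes `. = ALIGN(PAGE_SIZE);` before and after `*(.bss..page_aligned)`. That makes the generic header depend on every including linker script having PAGE_SIZE defined, with the value the architecture actually uses when it applies page permissions. The macro's signature is outside the hunk, so whether a page-size parameter is available cannot be seen here; if not, a short comment above the added lines such as `/* relies on PAGE_SIZE from the including script; keeps page-aligned objects alone on their page */` would state the assumption. The guarantee matters for memory protection, since anything sharing the last page of the section inherits its read-only mapping.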