From: Sasha Levin Date: Tue, 29 Oct 2019 11:33:39 +0000 (-0400) Subject: fixes for 4.19 X-Git-Tag: v4.4.199~52 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=494c08b968c066548978eb9743cbe96fadfef369;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/alsa-hda-realtek-apply-alc294-hp-init-also-for-s4-re.patch b/queue-4.19/alsa-hda-realtek-apply-alc294-hp-init-also-for-s4-re.patch new file mode 100644 index 00000000000..25c466b6aef --- /dev/null +++ b/queue-4.19/alsa-hda-realtek-apply-alc294-hp-init-also-for-s4-re.patch @@ -0,0 +1,40 @@ +From 9e4e7512eba0508fd55d442c9f15f564fca28eb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Jan 2019 14:14:51 +0100 +Subject: ALSA: hda/realtek - Apply ALC294 hp init also for S4 resume + +From: Takashi Iwai + +[ Upstream commit f6ef4e0e284251ff795c541db1129c84515ed044 ] + +The init sequence for ALC294 headphone stuff is needed not only for +the boot up time but also for the resume from hibernation, where the +device is switched from the boot kernel without sound driver to the +suspended image. Since we record the PM event in the device +power_state field, we can now recognize the call pattern and apply the +sequence conditionally. + +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index dd46354270d0d..7480218f32ba7 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -3458,7 +3458,9 @@ static void alc294_init(struct hda_codec *codec) + { + struct alc_spec *spec = codec->spec; + +- if (!spec->done_hp_init) { ++ /* required only at boot or S4 resume time */ ++ if (!spec->done_hp_init || ++ codec->core.dev.power.power_state.event == PM_EVENT_RESTORE) { + alc294_hp_init(codec); + spec->done_hp_init = true; + } +-- +2.20.1 + diff --git a/queue-4.19/alsa-usb-audio-cleanup-dsd-whitelist.patch b/queue-4.19/alsa-usb-audio-cleanup-dsd-whitelist.patch new file mode 100644 index 00000000000..9eb5caef3fe --- /dev/null +++ b/queue-4.19/alsa-usb-audio-cleanup-dsd-whitelist.patch @@ -0,0 +1,75 @@ +From d083b1eb741e9311ceaed049d08c879666feff1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Jan 2019 00:47:01 +0200 +Subject: ALSA: usb-audio: Cleanup DSD whitelist + +From: Jussi Laako + +[ Upstream commit 202e69e645545e8dcec5e239658125276a7a315a ] + +XMOS/Thesycon family of USB Audio Class firmware flags DSD altsetting +separate from the PCM ones. Thus the DSD altsetting can be auto-detected +based on the flag and doesn't need maintaining specific altsetting +whitelist. + +In addition, static VID:PID-to-altsetting whitelisting causes problems +when firmware update changes the altsetting, or same VID:PID is reused +for another device that has different kind of firmware. + +This patch removes existing explicit whitelist mappings for XMOS VID +(0x20b1) and Thesycon VID (0x152a). + +Also corrects placement of Hegel HD12 and NuPrime DAC-10 to keep list +sorted based on VID. + +Signed-off-by: Jussi Laako +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/quirks.c | 18 ++---------------- + 1 file changed, 2 insertions(+), 16 deletions(-) + +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 60d00091f64b2..e5dde06c31a6f 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1360,10 +1360,6 @@ u64 snd_usb_interface_dsd_format_quirks(struct snd_usb_audio *chip, + /* XMOS based USB DACs */ + switch (chip->usb_id) { + case USB_ID(0x1511, 0x0037): /* AURALiC VEGA */ +- case USB_ID(0x20b1, 0x0002): /* Wyred 4 Sound DAC-2 DSD */ +- case USB_ID(0x20b1, 0x2004): /* Matrix Audio X-SPDIF 2 */ +- case USB_ID(0x20b1, 0x2008): /* Matrix Audio X-Sabre */ +- case USB_ID(0x20b1, 0x300a): /* Matrix Audio Mini-i Pro */ + case USB_ID(0x22d9, 0x0416): /* OPPO HA-1 */ + case USB_ID(0x22d9, 0x0436): /* OPPO Sonica */ + case USB_ID(0x22d9, 0x0461): /* OPPO UDP-205 */ +@@ -1373,23 +1369,13 @@ u64 snd_usb_interface_dsd_format_quirks(struct snd_usb_audio *chip, + return SNDRV_PCM_FMTBIT_DSD_U32_BE; + break; + +- case USB_ID(0x10cb, 0x0103): /* The Bit Opus #3; with fp->dsd_raw */ +- case USB_ID(0x152a, 0x85de): /* SMSL D1 DAC */ +- case USB_ID(0x16d0, 0x09dd): /* Encore mDSD */ + case USB_ID(0x0d8c, 0x0316): /* Hegel HD12 DSD */ ++ case USB_ID(0x10cb, 0x0103): /* The Bit Opus #3; with fp->dsd_raw */ + case USB_ID(0x16b0, 0x06b2): /* NuPrime DAC-10 */ ++ case USB_ID(0x16d0, 0x09dd): /* Encore mDSD */ + case USB_ID(0x16d0, 0x0733): /* Furutech ADL Stratos */ + case USB_ID(0x16d0, 0x09db): /* NuPrime Audio DAC-9 */ + case USB_ID(0x1db5, 0x0003): /* Bryston BDA3 */ +- case USB_ID(0x20b1, 0x000a): /* Gustard DAC-X20U */ +- case USB_ID(0x20b1, 0x2005): /* Denafrips Ares DAC */ +- case USB_ID(0x20b1, 0x2009): /* DIYINHK DSD DXD 384kHz USB to I2S/DSD */ +- case USB_ID(0x20b1, 0x2023): /* JLsounds I2SoverUSB */ +- case USB_ID(0x20b1, 0x3021): /* Eastern El. MiniMax Tube DAC Supreme */ +- case USB_ID(0x20b1, 0x3023): /* Aune X1S 32BIT/384 DSD DAC */ +- case USB_ID(0x20b1, 0x302d): /* Unison Research Unico CD Due */ +- case USB_ID(0x20b1, 0x307b): /* CH Precision C1 DAC */ +- case USB_ID(0x20b1, 0x3086): /* Singxer F-1 converter board */ + case USB_ID(0x22d9, 0x0426): /* OPPO HA-2 */ + case USB_ID(0x22e1, 0xca01): /* HDTA Serenade DSD */ + case USB_ID(0x249c, 0x9326): /* M2Tech Young MkIII */ +-- +2.20.1 + diff --git a/queue-4.19/arm64-armv8_deprecated-checking-return-value-for-mem.patch b/queue-4.19/arm64-armv8_deprecated-checking-return-value-for-mem.patch new file mode 100644 index 00000000000..74712b7ed32 --- /dev/null +++ b/queue-4.19/arm64-armv8_deprecated-checking-return-value-for-mem.patch @@ -0,0 +1,45 @@ +From 7597cebb1df1d09ffd354153cde940fd4f17ae36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Sep 2019 12:44:17 +0800 +Subject: arm64: armv8_deprecated: Checking return value for memory allocation + +From: Yunfeng Ye + +[ Upstream commit 3e7c93bd04edfb0cae7dad1215544c9350254b8f ] + +There are no return value checking when using kzalloc() and kcalloc() for +memory allocation. so add it. + +Signed-off-by: Yunfeng Ye +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/armv8_deprecated.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm64/kernel/armv8_deprecated.c b/arch/arm64/kernel/armv8_deprecated.c +index 92be1d12d5908..39dc98dd78ebf 100644 +--- a/arch/arm64/kernel/armv8_deprecated.c ++++ b/arch/arm64/kernel/armv8_deprecated.c +@@ -177,6 +177,9 @@ static void __init register_insn_emulation(struct insn_emulation_ops *ops) + struct insn_emulation *insn; + + insn = kzalloc(sizeof(*insn), GFP_KERNEL); ++ if (!insn) ++ return; ++ + insn->ops = ops; + insn->min = INSN_UNDEF; + +@@ -236,6 +239,8 @@ static void __init register_insn_emulation_sysctl(void) + + insns_sysctl = kcalloc(nr_insn_emulated + 1, sizeof(*sysctl), + GFP_KERNEL); ++ if (!insns_sysctl) ++ return; + + raw_spin_lock_irqsave(&insn_emulation_lock, flags); + list_for_each_entry(insn, &insn_emulation, node) { +-- +2.20.1 + diff --git a/queue-4.19/arm64-ftrace-ensure-synchronisation-in-plt-setup-for.patch b/queue-4.19/arm64-ftrace-ensure-synchronisation-in-plt-setup-for.patch new file mode 100644 index 00000000000..07ee615f090 --- /dev/null +++ b/queue-4.19/arm64-ftrace-ensure-synchronisation-in-plt-setup-for.patch @@ -0,0 +1,65 @@ +From 7d6b5f4ca044deb8b7e9086b773171c0e4bf661f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2019 10:49:35 +0100 +Subject: arm64: ftrace: Ensure synchronisation in PLT setup for Neoverse-N1 + #1542419 + +From: James Morse + +[ Upstream commit dd8a1f13488438c6c220b7cafa500baaf21a6e53 ] + +CPUs affected by Neoverse-N1 #1542419 may execute a stale instruction if +it was recently modified. The affected sequence requires freshly written +instructions to be executable before a branch to them is updated. + +There are very few places in the kernel that modify executable text, +all but one come with sufficient synchronisation: + * The module loader's flush_module_icache() calls flush_icache_range(), + which does a kick_all_cpus_sync() + * bpf_int_jit_compile() calls flush_icache_range(). + * Kprobes calls aarch64_insn_patch_text(), which does its work in + stop_machine(). + * static keys and ftrace both patch between nops and branches to + existing kernel code (not generated code). + +The affected sequence is the interaction between ftrace and modules. +The module PLT is cleaned using __flush_icache_range() as the trampoline +shouldn't be executable until we update the branch to it. + +Drop the double-underscore so that this path runs kick_all_cpus_sync() +too. + +Signed-off-by: James Morse +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/ftrace.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/kernel/ftrace.c b/arch/arm64/kernel/ftrace.c +index 7eff8afa035fd..b6618391be8c6 100644 +--- a/arch/arm64/kernel/ftrace.c ++++ b/arch/arm64/kernel/ftrace.c +@@ -119,10 +119,16 @@ int ftrace_make_call(struct dyn_ftrace *rec, unsigned long addr) + + /* + * Ensure updated trampoline is visible to instruction +- * fetch before we patch in the branch. ++ * fetch before we patch in the branch. Although the ++ * architecture doesn't require an IPI in this case, ++ * Neoverse-N1 erratum #1542419 does require one ++ * if the TLB maintenance in module_enable_ro() is ++ * skipped due to rodata_enabled. It doesn't seem worth ++ * it to make it conditional given that this is ++ * certainly not a fast-path. + */ +- __flush_icache_range((unsigned long)&dst[0], +- (unsigned long)&dst[1]); ++ flush_icache_range((unsigned long)&dst[0], ++ (unsigned long)&dst[1]); + } + addr = (unsigned long)dst; + #else /* CONFIG_ARM64_MODULE_PLTS */ +-- +2.20.1 + diff --git a/queue-4.19/arm64-kpti-whitelist-hisilicon-taishan-v110-cpus.patch b/queue-4.19/arm64-kpti-whitelist-hisilicon-taishan-v110-cpus.patch new file mode 100644 index 00000000000..cbfe741b9b3 --- /dev/null +++ b/queue-4.19/arm64-kpti-whitelist-hisilicon-taishan-v110-cpus.patch @@ -0,0 +1,37 @@ +From ee9369352522a1fdcf8d004c6e981c286b95992b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2019 21:40:58 +0800 +Subject: arm64: kpti: Whitelist HiSilicon Taishan v110 CPUs + +From: Hanjun Guo + +[ Upstream commit 0ecc471a2cb7d4d386089445a727f47b59dc9b6e ] + +HiSilicon Taishan v110 CPUs didn't implement CSV3 field of the +ID_AA64PFR0_EL1 and are not susceptible to Meltdown, so whitelist +the MIDR in kpti_safe_list[] table. + +Signed-off-by: Hanjun Guo +Reviewed-by: John Garry +Reviewed-by: Zhangshaokun +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/cpufeature.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c +index ff5beb59b3dc3..220ebfa0ece6e 100644 +--- a/arch/arm64/kernel/cpufeature.c ++++ b/arch/arm64/kernel/cpufeature.c +@@ -906,6 +906,7 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A57), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A72), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A73), ++ MIDR_ALL_VERSIONS(MIDR_HISI_TSV110), + { /* sentinel */ } + }; + char const *str = "kpti command line option"; +-- +2.20.1 + diff --git a/queue-4.19/ath10k-assign-n_cipher_suites-11-for-wcn3990-to-enab.patch b/queue-4.19/ath10k-assign-n_cipher_suites-11-for-wcn3990-to-enab.patch new file mode 100644 index 00000000000..003603cc18b --- /dev/null +++ b/queue-4.19/ath10k-assign-n_cipher_suites-11-for-wcn3990-to-enab.patch @@ -0,0 +1,42 @@ +From faa282d5258afe87a616ba682bef4d19e6429110 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Feb 2019 14:55:23 +0200 +Subject: ath10k: assign 'n_cipher_suites = 11' for WCN3990 to enable WPA3 + +From: Abhishek Ambure + +[ Upstream commit 7ba31e6e0cdc0cc2e60e1fcbf467f3c95aea948e ] + +Hostapd uses CCMP, GCMP & GCMP-256 as 'wpa_pairwise' option to run WPA3. +In WCN3990 firmware cipher suite numbers 9 to 11 are for CCMP, +GCMP & GCMP-256. + +To enable CCMP, GCMP & GCMP-256 cipher suites in WCN3990 firmware, +host sets 'n_cipher_suites = 11' while initializing hardware parameters. + +Tested HW: WCN3990 +Tested FW: WLAN.HL.2.0-01188-QCAHLSWMTPLZ-1 + +Signed-off-by: Abhishek Ambure +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c +index 5210cffb53440..2791ef2fd716c 100644 +--- a/drivers/net/wireless/ath/ath10k/core.c ++++ b/drivers/net/wireless/ath/ath10k/core.c +@@ -532,7 +532,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .hw_ops = &wcn3990_ops, + .decap_align_bytes = 1, + .num_peers = TARGET_HL_10_TLV_NUM_PEERS, +- .n_cipher_suites = 8, ++ .n_cipher_suites = 11, + .ast_skid_limit = TARGET_HL_10_TLV_AST_SKID_LIMIT, + .num_wds_entries = TARGET_HL_10_TLV_NUM_WDS_ENTRIES, + .target_64bit = true, +-- +2.20.1 + diff --git a/queue-4.19/bcache-fix-input-overflow-to-writeback_rate_minimum.patch b/queue-4.19/bcache-fix-input-overflow-to-writeback_rate_minimum.patch new file mode 100644 index 00000000000..50681bb20c1 --- /dev/null +++ b/queue-4.19/bcache-fix-input-overflow-to-writeback_rate_minimum.patch @@ -0,0 +1,43 @@ +From 73fe6ecf4f480d25365978c6c424b19068397bbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Feb 2019 12:53:07 +0800 +Subject: bcache: fix input overflow to writeback_rate_minimum + +From: Coly Li + +[ Upstream commit dab71b2db98dcdd4657d151b01a7be88ce10f9d1 ] + +dc->writeback_rate_minimum is type unsigned integer variable, it is set +via sysfs interface, and converte from input string to unsigned integer +by d_strtoul_nonzero(). When the converted input value is larger than +UINT_MAX, overflow to unsigned integer happens. + +This patch fixes the overflow by using sysfs_strotoul_clamp() to +convert input string and limit the value in range [1, UINT_MAX], then +the overflow can be avoided. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/sysfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c +index 5bb81e564ce88..3e8d1f1b562f8 100644 +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -289,7 +289,9 @@ STORE(__cached_dev) + sysfs_strtoul_clamp(writeback_rate_p_term_inverse, + dc->writeback_rate_p_term_inverse, + 1, UINT_MAX); +- d_strtoul_nonzero(writeback_rate_minimum); ++ sysfs_strtoul_clamp(writeback_rate_minimum, ++ dc->writeback_rate_minimum, ++ 1, UINT_MAX); + + sysfs_strtoul_clamp(io_error_limit, dc->error_limit, 0, INT_MAX); + +-- +2.20.1 + diff --git a/queue-4.19/btrfs-fix-deadlock-on-tree-root-leaf-when-finding-fr.patch b/queue-4.19/btrfs-fix-deadlock-on-tree-root-leaf-when-finding-fr.patch new file mode 100644 index 00000000000..2136c01c610 --- /dev/null +++ b/queue-4.19/btrfs-fix-deadlock-on-tree-root-leaf-when-finding-fr.patch @@ -0,0 +1,218 @@ +From 890cae8b6bd2fbd753d6377b22c6fa9042fda924 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Oct 2018 10:13:03 +0100 +Subject: Btrfs: fix deadlock on tree root leaf when finding free extent + +From: Filipe Manana + +[ Upstream commit 4222ea7100c0e37adace2790c8822758bbeee179 ] + +When we are writing out a free space cache, during the transaction commit +phase, we can end up in a deadlock which results in a stack trace like the +following: + + schedule+0x28/0x80 + btrfs_tree_read_lock+0x8e/0x120 [btrfs] + ? finish_wait+0x80/0x80 + btrfs_read_lock_root_node+0x2f/0x40 [btrfs] + btrfs_search_slot+0xf6/0x9f0 [btrfs] + ? evict_refill_and_join+0xd0/0xd0 [btrfs] + ? inode_insert5+0x119/0x190 + btrfs_lookup_inode+0x3a/0xc0 [btrfs] + ? kmem_cache_alloc+0x166/0x1d0 + btrfs_iget+0x113/0x690 [btrfs] + __lookup_free_space_inode+0xd8/0x150 [btrfs] + lookup_free_space_inode+0x5b/0xb0 [btrfs] + load_free_space_cache+0x7c/0x170 [btrfs] + ? cache_block_group+0x72/0x3b0 [btrfs] + cache_block_group+0x1b3/0x3b0 [btrfs] + ? finish_wait+0x80/0x80 + find_free_extent+0x799/0x1010 [btrfs] + btrfs_reserve_extent+0x9b/0x180 [btrfs] + btrfs_alloc_tree_block+0x1b3/0x4f0 [btrfs] + __btrfs_cow_block+0x11d/0x500 [btrfs] + btrfs_cow_block+0xdc/0x180 [btrfs] + btrfs_search_slot+0x3bd/0x9f0 [btrfs] + btrfs_lookup_inode+0x3a/0xc0 [btrfs] + ? kmem_cache_alloc+0x166/0x1d0 + btrfs_update_inode_item+0x46/0x100 [btrfs] + cache_save_setup+0xe4/0x3a0 [btrfs] + btrfs_start_dirty_block_groups+0x1be/0x480 [btrfs] + btrfs_commit_transaction+0xcb/0x8b0 [btrfs] + +At cache_save_setup() we need to update the inode item of a block group's +cache which is located in the tree root (fs_info->tree_root), which means +that it may result in COWing a leaf from that tree. If that happens we +need to find a free metadata extent and while looking for one, if we find +a block group which was not cached yet we attempt to load its cache by +calling cache_block_group(). However this function will try to load the +inode of the free space cache, which requires finding the matching inode +item in the tree root - if that inode item is located in the same leaf as +the inode item of the space cache we are updating at cache_save_setup(), +we end up in a deadlock, since we try to obtain a read lock on the same +extent buffer that we previously write locked. + +So fix this by using the tree root's commit root when searching for a +block group's free space cache inode item when we are attempting to load +a free space cache. This is safe since block groups once loaded stay in +memory forever, as well as their caches, so after they are first loaded +we will never need to read their inode items again. For new block groups, +once they are created they get their ->cached field set to +BTRFS_CACHE_FINISHED meaning we will not need to read their inode item. + +Reported-by: Andrew Nelson +Link: https://lore.kernel.org/linux-btrfs/CAPTELenq9x5KOWuQ+fa7h1r3nsJG8vyiTH8+ifjURc_duHh2Wg@mail.gmail.com/ +Fixes: 9d66e233c704 ("Btrfs: load free space cache if it exists") +Tested-by: Andrew Nelson +Reviewed-by: Josef Bacik +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.h | 3 +++ + fs/btrfs/free-space-cache.c | 22 +++++++++++++++++++++- + fs/btrfs/inode.c | 32 ++++++++++++++++++++++---------- + 3 files changed, 46 insertions(+), 11 deletions(-) + +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index ef7a352d72ed8..cc2d268e2cd7a 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -3177,6 +3177,9 @@ void btrfs_destroy_inode(struct inode *inode); + int btrfs_drop_inode(struct inode *inode); + int __init btrfs_init_cachep(void); + void __cold btrfs_destroy_cachep(void); ++struct inode *btrfs_iget_path(struct super_block *s, struct btrfs_key *location, ++ struct btrfs_root *root, int *new, ++ struct btrfs_path *path); + struct inode *btrfs_iget(struct super_block *s, struct btrfs_key *location, + struct btrfs_root *root, int *was_new); + struct extent_map *btrfs_get_extent(struct btrfs_inode *inode, +diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c +index 4381e0aba8c01..ec01bd38d675c 100644 +--- a/fs/btrfs/free-space-cache.c ++++ b/fs/btrfs/free-space-cache.c +@@ -75,7 +75,8 @@ static struct inode *__lookup_free_space_inode(struct btrfs_root *root, + * sure NOFS is set to keep us from deadlocking. + */ + nofs_flag = memalloc_nofs_save(); +- inode = btrfs_iget(fs_info->sb, &location, root, NULL); ++ inode = btrfs_iget_path(fs_info->sb, &location, root, NULL, path); ++ btrfs_release_path(path); + memalloc_nofs_restore(nofs_flag); + if (IS_ERR(inode)) + return inode; +@@ -839,6 +840,25 @@ int load_free_space_cache(struct btrfs_fs_info *fs_info, + path->search_commit_root = 1; + path->skip_locking = 1; + ++ /* ++ * We must pass a path with search_commit_root set to btrfs_iget in ++ * order to avoid a deadlock when allocating extents for the tree root. ++ * ++ * When we are COWing an extent buffer from the tree root, when looking ++ * for a free extent, at extent-tree.c:find_free_extent(), we can find ++ * block group without its free space cache loaded. When we find one ++ * we must load its space cache which requires reading its free space ++ * cache's inode item from the root tree. If this inode item is located ++ * in the same leaf that we started COWing before, then we end up in ++ * deadlock on the extent buffer (trying to read lock it when we ++ * previously write locked it). ++ * ++ * It's safe to read the inode item using the commit root because ++ * block groups, once loaded, stay in memory forever (until they are ++ * removed) as well as their space caches once loaded. New block groups ++ * once created get their ->cached field set to BTRFS_CACHE_FINISHED so ++ * we will never try to read their inode item while the fs is mounted. ++ */ + inode = lookup_free_space_inode(fs_info, block_group, path); + if (IS_ERR(inode)) { + btrfs_free_path(path); +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 9aea9381ceeb6..f0f7bc5d2e4a0 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -3607,10 +3607,11 @@ static noinline int acls_after_inode_item(struct extent_buffer *leaf, + /* + * read an inode from the btree into the in-memory inode + */ +-static int btrfs_read_locked_inode(struct inode *inode) ++static int btrfs_read_locked_inode(struct inode *inode, ++ struct btrfs_path *in_path) + { + struct btrfs_fs_info *fs_info = btrfs_sb(inode->i_sb); +- struct btrfs_path *path; ++ struct btrfs_path *path = in_path; + struct extent_buffer *leaf; + struct btrfs_inode_item *inode_item; + struct btrfs_root *root = BTRFS_I(inode)->root; +@@ -3626,15 +3627,18 @@ static int btrfs_read_locked_inode(struct inode *inode) + if (!ret) + filled = true; + +- path = btrfs_alloc_path(); +- if (!path) +- return -ENOMEM; ++ if (!path) { ++ path = btrfs_alloc_path(); ++ if (!path) ++ return -ENOMEM; ++ } + + memcpy(&location, &BTRFS_I(inode)->location, sizeof(location)); + + ret = btrfs_lookup_inode(NULL, root, path, &location, 0); + if (ret) { +- btrfs_free_path(path); ++ if (path != in_path) ++ btrfs_free_path(path); + return ret; + } + +@@ -3774,7 +3778,8 @@ cache_acl: + btrfs_ino(BTRFS_I(inode)), + root->root_key.objectid, ret); + } +- btrfs_free_path(path); ++ if (path != in_path) ++ btrfs_free_path(path); + + if (!maybe_acls) + cache_no_acl(inode); +@@ -5716,8 +5721,9 @@ static struct inode *btrfs_iget_locked(struct super_block *s, + /* Get an inode object given its location and corresponding root. + * Returns in *is_new if the inode was read from disk + */ +-struct inode *btrfs_iget(struct super_block *s, struct btrfs_key *location, +- struct btrfs_root *root, int *new) ++struct inode *btrfs_iget_path(struct super_block *s, struct btrfs_key *location, ++ struct btrfs_root *root, int *new, ++ struct btrfs_path *path) + { + struct inode *inode; + +@@ -5728,7 +5734,7 @@ struct inode *btrfs_iget(struct super_block *s, struct btrfs_key *location, + if (inode->i_state & I_NEW) { + int ret; + +- ret = btrfs_read_locked_inode(inode); ++ ret = btrfs_read_locked_inode(inode, path); + if (!ret) { + inode_tree_add(inode); + unlock_new_inode(inode); +@@ -5750,6 +5756,12 @@ struct inode *btrfs_iget(struct super_block *s, struct btrfs_key *location, + return inode; + } + ++struct inode *btrfs_iget(struct super_block *s, struct btrfs_key *location, ++ struct btrfs_root *root, int *new) ++{ ++ return btrfs_iget_path(s, location, root, new, NULL); ++} ++ + static struct inode *new_simple_dir(struct super_block *s, + struct btrfs_key *key, + struct btrfs_root *root) +-- +2.20.1 + diff --git a/queue-4.19/btrfs-fix-inode-cache-block-reserve-leak-on-failure-.patch b/queue-4.19/btrfs-fix-inode-cache-block-reserve-leak-on-failure-.patch new file mode 100644 index 00000000000..f478fdd24e3 --- /dev/null +++ b/queue-4.19/btrfs-fix-inode-cache-block-reserve-leak-on-failure-.patch @@ -0,0 +1,237 @@ +From a60491254ee729e946893ca547b21014d49f0404 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jul 2019 16:24:19 +0100 +Subject: Btrfs: fix inode cache block reserve leak on failure to allocate data + space + +From: Filipe Manana + +[ Upstream commit 29d47d00e0ae61668ee0c5d90bef2893c8abbafa ] + +If we failed to allocate the data extent(s) for the inode space cache, we +were bailing out without releasing the previously reserved metadata. This +was triggering the following warnings when unmounting a filesystem: + + $ cat -n fs/btrfs/inode.c + (...) + 9268 void btrfs_destroy_inode(struct inode *inode) + 9269 { + (...) + 9276 WARN_ON(BTRFS_I(inode)->block_rsv.reserved); + 9277 WARN_ON(BTRFS_I(inode)->block_rsv.size); + (...) + 9281 WARN_ON(BTRFS_I(inode)->csum_bytes); + 9282 WARN_ON(BTRFS_I(inode)->defrag_bytes); + (...) + +Several fstests test cases triggered this often, such as generic/083, +generic/102, generic/172, generic/269 and generic/300 at least, producing +stack traces like the following in dmesg/syslog: + + [82039.079546] WARNING: CPU: 2 PID: 13167 at fs/btrfs/inode.c:9276 btrfs_destroy_inode+0x203/0x270 [btrfs] + (...) + [82039.081543] CPU: 2 PID: 13167 Comm: umount Tainted: G W 5.2.0-rc4-btrfs-next-50 #1 + [82039.081912] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014 + [82039.082673] RIP: 0010:btrfs_destroy_inode+0x203/0x270 [btrfs] + (...) + [82039.083913] RSP: 0018:ffffac0b426a7d30 EFLAGS: 00010206 + [82039.084320] RAX: ffff8ddf77691158 RBX: ffff8dde29b34660 RCX: 0000000000000002 + [82039.084736] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8dde29b34660 + [82039.085156] RBP: ffff8ddf5fbec000 R08: 0000000000000000 R09: 0000000000000000 + [82039.085578] R10: ffffac0b426a7c90 R11: ffffffffb9aad768 R12: ffffac0b426a7db0 + [82039.086000] R13: ffff8ddf5fbec0a0 R14: dead000000000100 R15: 0000000000000000 + [82039.086416] FS: 00007f8db96d12c0(0000) GS:ffff8de036b00000(0000) knlGS:0000000000000000 + [82039.086837] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [82039.087253] CR2: 0000000001416108 CR3: 00000002315cc001 CR4: 00000000003606e0 + [82039.087672] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [82039.088089] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [82039.088504] Call Trace: + [82039.088918] destroy_inode+0x3b/0x70 + [82039.089340] btrfs_free_fs_root+0x16/0xa0 [btrfs] + [82039.089768] btrfs_free_fs_roots+0xd8/0x160 [btrfs] + [82039.090183] ? wait_for_completion+0x65/0x1a0 + [82039.090607] close_ctree+0x172/0x370 [btrfs] + [82039.091021] generic_shutdown_super+0x6c/0x110 + [82039.091427] kill_anon_super+0xe/0x30 + [82039.091832] btrfs_kill_super+0x12/0xa0 [btrfs] + [82039.092233] deactivate_locked_super+0x3a/0x70 + [82039.092636] cleanup_mnt+0x3b/0x80 + [82039.093039] task_work_run+0x93/0xc0 + [82039.093457] exit_to_usermode_loop+0xfa/0x100 + [82039.093856] do_syscall_64+0x162/0x1d0 + [82039.094244] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [82039.094634] RIP: 0033:0x7f8db8fbab37 + (...) + [82039.095876] RSP: 002b:00007ffdce35b468 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 + [82039.096290] RAX: 0000000000000000 RBX: 0000560d20b00060 RCX: 00007f8db8fbab37 + [82039.096700] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000560d20b00240 + [82039.097110] RBP: 0000560d20b00240 R08: 0000560d20b00270 R09: 0000000000000015 + [82039.097522] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f8db94bce64 + [82039.097937] R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffdce35b6f0 + [82039.098350] irq event stamp: 0 + [82039.098750] hardirqs last enabled at (0): [<0000000000000000>] 0x0 + [82039.099150] hardirqs last disabled at (0): [] copy_process.part.33+0x7f2/0x1f00 + [82039.099545] softirqs last enabled at (0): [] copy_process.part.33+0x7f2/0x1f00 + [82039.099925] softirqs last disabled at (0): [<0000000000000000>] 0x0 + [82039.100292] ---[ end trace f2521afa616ddccc ]--- + [82039.100707] WARNING: CPU: 2 PID: 13167 at fs/btrfs/inode.c:9277 btrfs_destroy_inode+0x1ac/0x270 [btrfs] + (...) + [82039.103050] CPU: 2 PID: 13167 Comm: umount Tainted: G W 5.2.0-rc4-btrfs-next-50 #1 + [82039.103428] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014 + [82039.104203] RIP: 0010:btrfs_destroy_inode+0x1ac/0x270 [btrfs] + (...) + [82039.105461] RSP: 0018:ffffac0b426a7d30 EFLAGS: 00010206 + [82039.105866] RAX: ffff8ddf77691158 RBX: ffff8dde29b34660 RCX: 0000000000000002 + [82039.106270] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8dde29b34660 + [82039.106673] RBP: ffff8ddf5fbec000 R08: 0000000000000000 R09: 0000000000000000 + [82039.107078] R10: ffffac0b426a7c90 R11: ffffffffb9aad768 R12: ffffac0b426a7db0 + [82039.107487] R13: ffff8ddf5fbec0a0 R14: dead000000000100 R15: 0000000000000000 + [82039.107894] FS: 00007f8db96d12c0(0000) GS:ffff8de036b00000(0000) knlGS:0000000000000000 + [82039.108309] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [82039.108723] CR2: 0000000001416108 CR3: 00000002315cc001 CR4: 00000000003606e0 + [82039.109146] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [82039.109567] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [82039.109989] Call Trace: + [82039.110405] destroy_inode+0x3b/0x70 + [82039.110830] btrfs_free_fs_root+0x16/0xa0 [btrfs] + [82039.111257] btrfs_free_fs_roots+0xd8/0x160 [btrfs] + [82039.111675] ? wait_for_completion+0x65/0x1a0 + [82039.112101] close_ctree+0x172/0x370 [btrfs] + [82039.112519] generic_shutdown_super+0x6c/0x110 + [82039.112988] kill_anon_super+0xe/0x30 + [82039.113439] btrfs_kill_super+0x12/0xa0 [btrfs] + [82039.113861] deactivate_locked_super+0x3a/0x70 + [82039.114278] cleanup_mnt+0x3b/0x80 + [82039.114685] task_work_run+0x93/0xc0 + [82039.115083] exit_to_usermode_loop+0xfa/0x100 + [82039.115476] do_syscall_64+0x162/0x1d0 + [82039.115863] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [82039.116254] RIP: 0033:0x7f8db8fbab37 + (...) + [82039.117463] RSP: 002b:00007ffdce35b468 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 + [82039.117882] RAX: 0000000000000000 RBX: 0000560d20b00060 RCX: 00007f8db8fbab37 + [82039.118330] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000560d20b00240 + [82039.118743] RBP: 0000560d20b00240 R08: 0000560d20b00270 R09: 0000000000000015 + [82039.119159] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f8db94bce64 + [82039.119574] R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffdce35b6f0 + [82039.119987] irq event stamp: 0 + [82039.120387] hardirqs last enabled at (0): [<0000000000000000>] 0x0 + [82039.120787] hardirqs last disabled at (0): [] copy_process.part.33+0x7f2/0x1f00 + [82039.121182] softirqs last enabled at (0): [] copy_process.part.33+0x7f2/0x1f00 + [82039.121563] softirqs last disabled at (0): [<0000000000000000>] 0x0 + [82039.121933] ---[ end trace f2521afa616ddccd ]--- + [82039.122353] WARNING: CPU: 2 PID: 13167 at fs/btrfs/inode.c:9278 btrfs_destroy_inode+0x1bc/0x270 [btrfs] + (...) + [82039.124606] CPU: 2 PID: 13167 Comm: umount Tainted: G W 5.2.0-rc4-btrfs-next-50 #1 + [82039.125008] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014 + [82039.125801] RIP: 0010:btrfs_destroy_inode+0x1bc/0x270 [btrfs] + (...) + [82039.126998] RSP: 0018:ffffac0b426a7d30 EFLAGS: 00010202 + [82039.127399] RAX: ffff8ddf77691158 RBX: ffff8dde29b34660 RCX: 0000000000000002 + [82039.127803] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff8dde29b34660 + [82039.128206] RBP: ffff8ddf5fbec000 R08: 0000000000000000 R09: 0000000000000000 + [82039.128611] R10: ffffac0b426a7c90 R11: ffffffffb9aad768 R12: ffffac0b426a7db0 + [82039.129020] R13: ffff8ddf5fbec0a0 R14: dead000000000100 R15: 0000000000000000 + [82039.129428] FS: 00007f8db96d12c0(0000) GS:ffff8de036b00000(0000) knlGS:0000000000000000 + [82039.129846] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [82039.130261] CR2: 0000000001416108 CR3: 00000002315cc001 CR4: 00000000003606e0 + [82039.130684] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [82039.131142] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [82039.131561] Call Trace: + [82039.131990] destroy_inode+0x3b/0x70 + [82039.132417] btrfs_free_fs_root+0x16/0xa0 [btrfs] + [82039.132844] btrfs_free_fs_roots+0xd8/0x160 [btrfs] + [82039.133262] ? wait_for_completion+0x65/0x1a0 + [82039.133688] close_ctree+0x172/0x370 [btrfs] + [82039.134157] generic_shutdown_super+0x6c/0x110 + [82039.134575] kill_anon_super+0xe/0x30 + [82039.134997] btrfs_kill_super+0x12/0xa0 [btrfs] + [82039.135415] deactivate_locked_super+0x3a/0x70 + [82039.135832] cleanup_mnt+0x3b/0x80 + [82039.136239] task_work_run+0x93/0xc0 + [82039.136637] exit_to_usermode_loop+0xfa/0x100 + [82039.137029] do_syscall_64+0x162/0x1d0 + [82039.137418] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [82039.137812] RIP: 0033:0x7f8db8fbab37 + (...) + [82039.139059] RSP: 002b:00007ffdce35b468 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 + [82039.139475] RAX: 0000000000000000 RBX: 0000560d20b00060 RCX: 00007f8db8fbab37 + [82039.139890] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000560d20b00240 + [82039.140302] RBP: 0000560d20b00240 R08: 0000560d20b00270 R09: 0000000000000015 + [82039.140719] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f8db94bce64 + [82039.141138] R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffdce35b6f0 + [82039.141597] irq event stamp: 0 + [82039.142043] hardirqs last enabled at (0): [<0000000000000000>] 0x0 + [82039.142443] hardirqs last disabled at (0): [] copy_process.part.33+0x7f2/0x1f00 + [82039.142839] softirqs last enabled at (0): [] copy_process.part.33+0x7f2/0x1f00 + [82039.143220] softirqs last disabled at (0): [<0000000000000000>] 0x0 + [82039.143588] ---[ end trace f2521afa616ddcce ]--- + [82039.167472] WARNING: CPU: 3 PID: 13167 at fs/btrfs/extent-tree.c:10120 btrfs_free_block_groups+0x30d/0x460 [btrfs] + (...) + [82039.173800] CPU: 3 PID: 13167 Comm: umount Tainted: G W 5.2.0-rc4-btrfs-next-50 #1 + [82039.174847] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014 + [82039.177031] RIP: 0010:btrfs_free_block_groups+0x30d/0x460 [btrfs] + (...) + [82039.180397] RSP: 0018:ffffac0b426a7dd8 EFLAGS: 00010206 + [82039.181574] RAX: ffff8de010a1db40 RBX: ffff8de010a1db40 RCX: 0000000000170014 + [82039.182711] RDX: ffff8ddff4380040 RSI: ffff8de010a1da58 RDI: 0000000000000246 + [82039.183817] RBP: ffff8ddf5fbec000 R08: 0000000000000000 R09: 0000000000000000 + [82039.184925] R10: ffff8de036404380 R11: ffffffffb8a5ea00 R12: ffff8de010a1b2b8 + [82039.186090] R13: ffff8de010a1b2b8 R14: 0000000000000000 R15: dead000000000100 + [82039.187208] FS: 00007f8db96d12c0(0000) GS:ffff8de036b80000(0000) knlGS:0000000000000000 + [82039.188345] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [82039.189481] CR2: 00007fb044005170 CR3: 00000002315cc006 CR4: 00000000003606e0 + [82039.190674] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [82039.191829] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [82039.192978] Call Trace: + [82039.194160] close_ctree+0x19a/0x370 [btrfs] + [82039.195315] generic_shutdown_super+0x6c/0x110 + [82039.196486] kill_anon_super+0xe/0x30 + [82039.197645] btrfs_kill_super+0x12/0xa0 [btrfs] + [82039.198696] deactivate_locked_super+0x3a/0x70 + [82039.199619] cleanup_mnt+0x3b/0x80 + [82039.200559] task_work_run+0x93/0xc0 + [82039.201505] exit_to_usermode_loop+0xfa/0x100 + [82039.202436] do_syscall_64+0x162/0x1d0 + [82039.203339] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [82039.204091] RIP: 0033:0x7f8db8fbab37 + (...) + [82039.206360] RSP: 002b:00007ffdce35b468 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 + [82039.207132] RAX: 0000000000000000 RBX: 0000560d20b00060 RCX: 00007f8db8fbab37 + [82039.207906] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000560d20b00240 + [82039.208621] RBP: 0000560d20b00240 R08: 0000560d20b00270 R09: 0000000000000015 + [82039.209285] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f8db94bce64 + [82039.209984] R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffdce35b6f0 + [82039.210642] irq event stamp: 0 + [82039.211306] hardirqs last enabled at (0): [<0000000000000000>] 0x0 + [82039.211971] hardirqs last disabled at (0): [] copy_process.part.33+0x7f2/0x1f00 + [82039.212643] softirqs last enabled at (0): [] copy_process.part.33+0x7f2/0x1f00 + [82039.213304] softirqs last disabled at (0): [<0000000000000000>] 0x0 + [82039.213875] ---[ end trace f2521afa616ddccf ]--- + +Fix this by releasing the reserved metadata on failure to allocate data +extent(s) for the inode cache. + +Fixes: 69fe2d75dd91d0 ("btrfs: make the delalloc block rsv per inode") +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode-map.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/btrfs/inode-map.c b/fs/btrfs/inode-map.c +index ffca2abf13d0c..0141fc08d317e 100644 +--- a/fs/btrfs/inode-map.c ++++ b/fs/btrfs/inode-map.c +@@ -484,6 +484,7 @@ again: + prealloc, prealloc, &alloc_hint); + if (ret) { + btrfs_delalloc_release_extents(BTRFS_I(inode), prealloc, true); ++ btrfs_delalloc_release_metadata(BTRFS_I(inode), prealloc, true); + goto out_put; + } + +-- +2.20.1 + diff --git a/queue-4.19/btrfs-fix-memory-leak-due-to-concurrent-append-write.patch b/queue-4.19/btrfs-fix-memory-leak-due-to-concurrent-append-write.patch new file mode 100644 index 00000000000..d0a37f5e187 --- /dev/null +++ b/queue-4.19/btrfs-fix-memory-leak-due-to-concurrent-append-write.patch @@ -0,0 +1,154 @@ +From 7534d3325f96d77c2a160794a09b95ede69309f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2019 10:20:25 +0100 +Subject: Btrfs: fix memory leak due to concurrent append writes with fiemap + +From: Filipe Manana + +[ Upstream commit c67d970f0ea8dcc423e112137d34334fa0abb8ec ] + +When we have a buffered write that starts at an offset greater than or +equals to the file's size happening concurrently with a full ranged +fiemap, we can end up leaking an extent state structure. + +Suppose we have a file with a size of 1Mb, and before the buffered write +and fiemap are performed, it has a single extent state in its io tree +representing the range from 0 to 1Mb, with the EXTENT_DELALLOC bit set. + +The following sequence diagram shows how the memory leak happens if a +fiemap a buffered write, starting at offset 1Mb and with a length of +4Kb, are performed concurrently. + + CPU 1 CPU 2 + + extent_fiemap() + --> it's a full ranged fiemap + range from 0 to LLONG_MAX - 1 + (9223372036854775807) + + --> locks range in the inode's + io tree + --> after this we have 2 extent + states in the io tree: + --> 1 for range [0, 1Mb[ with + the bits EXTENT_LOCKED and + EXTENT_DELALLOC_BITS set + --> 1 for the range + [1Mb, LLONG_MAX[ with + the EXTENT_LOCKED bit set + + --> start buffered write at offset + 1Mb with a length of 4Kb + + btrfs_file_write_iter() + + btrfs_buffered_write() + --> cached_state is NULL + + lock_and_cleanup_extent_if_need() + --> returns 0 and does not lock + range because it starts + at current i_size / eof + + --> cached_state remains NULL + + btrfs_dirty_pages() + btrfs_set_extent_delalloc() + (...) + __set_extent_bit() + + --> splits extent state for range + [1Mb, LLONG_MAX[ and now we + have 2 extent states: + + --> one for the range + [1Mb, 1Mb + 4Kb[ with + EXTENT_LOCKED set + --> another one for the range + [1Mb + 4Kb, LLONG_MAX[ with + EXTENT_LOCKED set as well + + --> sets EXTENT_DELALLOC on the + extent state for the range + [1Mb, 1Mb + 4Kb[ + --> caches extent state + [1Mb, 1Mb + 4Kb[ into + @cached_state because it has + the bit EXTENT_LOCKED set + + --> btrfs_buffered_write() ends up + with a non-NULL cached_state and + never calls anything to release its + reference on it, resulting in a + memory leak + +Fix this by calling free_extent_state() on cached_state if the range was +not locked by lock_and_cleanup_extent_if_need(). + +The same issue can happen if anything else other than fiemap locks a range +that covers eof and beyond. + +This could be triggered, sporadically, by test case generic/561 from the +fstests suite, which makes duperemove run concurrently with fsstress, and +duperemove does plenty of calls to fiemap. When CONFIG_BTRFS_DEBUG is set +the leak is reported in dmesg/syslog when removing the btrfs module with +a message like the following: + + [77100.039461] BTRFS: state leak: start 6574080 end 6582271 state 16402 in tree 0 refs 1 + +Otherwise (CONFIG_BTRFS_DEBUG not set) detectable with kmemleak. + +CC: stable@vger.kernel.org # 4.16+ +Reviewed-by: Josef Bacik +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/file.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c +index 4870440d6424a..5d036b794e4af 100644 +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -1591,7 +1591,6 @@ static noinline ssize_t btrfs_buffered_write(struct kiocb *iocb, + struct btrfs_fs_info *fs_info = btrfs_sb(inode->i_sb); + struct btrfs_root *root = BTRFS_I(inode)->root; + struct page **pages = NULL; +- struct extent_state *cached_state = NULL; + struct extent_changeset *data_reserved = NULL; + u64 release_bytes = 0; + u64 lockstart; +@@ -1612,6 +1611,7 @@ static noinline ssize_t btrfs_buffered_write(struct kiocb *iocb, + + while (iov_iter_count(i) > 0) { + size_t offset = pos & (PAGE_SIZE - 1); ++ struct extent_state *cached_state = NULL; + size_t sector_offset; + size_t write_bytes = min(iov_iter_count(i), + nrptrs * (size_t)PAGE_SIZE - +@@ -1758,9 +1758,20 @@ again: + if (copied > 0) + ret = btrfs_dirty_pages(inode, pages, dirty_pages, + pos, copied, &cached_state); ++ ++ /* ++ * If we have not locked the extent range, because the range's ++ * start offset is >= i_size, we might still have a non-NULL ++ * cached extent state, acquired while marking the extent range ++ * as delalloc through btrfs_dirty_pages(). Therefore free any ++ * possible cached extent state to avoid a memory leak. ++ */ + if (extents_locked) + unlock_extent_cached(&BTRFS_I(inode)->io_tree, + lockstart, lockend, &cached_state); ++ else ++ free_extent_state(cached_state); ++ + btrfs_delalloc_release_extents(BTRFS_I(inode), reserve_bytes, + true); + if (ret) { +-- +2.20.1 + diff --git a/queue-4.19/btrfs-qgroup-always-free-prealloc-meta-reserve-in-bt.patch b/queue-4.19/btrfs-qgroup-always-free-prealloc-meta-reserve-in-bt.patch new file mode 100644 index 00000000000..c0af95c58f7 --- /dev/null +++ b/queue-4.19/btrfs-qgroup-always-free-prealloc-meta-reserve-in-bt.patch @@ -0,0 +1,324 @@ +From b176c6601a3dd760fd4930e54f317aeb01c475d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2019 14:34:51 +0800 +Subject: btrfs: qgroup: Always free PREALLOC META reserve in + btrfs_delalloc_release_extents() + +From: Qu Wenruo + +[ Upstream commit 8702ba9396bf7bbae2ab93c94acd4bd37cfa4f09 ] + +[Background] +Btrfs qgroup uses two types of reserved space for METADATA space, +PERTRANS and PREALLOC. + +PERTRANS is metadata space reserved for each transaction started by +btrfs_start_transaction(). +While PREALLOC is for delalloc, where we reserve space before joining a +transaction, and finally it will be converted to PERTRANS after the +writeback is done. + +[Inconsistency] +However there is inconsistency in how we handle PREALLOC metadata space. + +The most obvious one is: +In btrfs_buffered_write(): + btrfs_delalloc_release_extents(BTRFS_I(inode), reserve_bytes, true); + +We always free qgroup PREALLOC meta space. + +While in btrfs_truncate_block(): + btrfs_delalloc_release_extents(BTRFS_I(inode), blocksize, (ret != 0)); + +We only free qgroup PREALLOC meta space when something went wrong. + +[The Correct Behavior] +The correct behavior should be the one in btrfs_buffered_write(), we +should always free PREALLOC metadata space. + +The reason is, the btrfs_delalloc_* mechanism works by: +- Reserve metadata first, even it's not necessary + In btrfs_delalloc_reserve_metadata() + +- Free the unused metadata space + Normally in: + btrfs_delalloc_release_extents() + |- btrfs_inode_rsv_release() + Here we do calculation on whether we should release or not. + +E.g. for 64K buffered write, the metadata rsv works like: + +/* The first page */ +reserve_meta: num_bytes=calc_inode_reservations() +free_meta: num_bytes=0 +total: num_bytes=calc_inode_reservations() +/* The first page caused one outstanding extent, thus needs metadata + rsv */ + +/* The 2nd page */ +reserve_meta: num_bytes=calc_inode_reservations() +free_meta: num_bytes=calc_inode_reservations() +total: not changed +/* The 2nd page doesn't cause new outstanding extent, needs no new meta + rsv, so we free what we have reserved */ + +/* The 3rd~16th pages */ +reserve_meta: num_bytes=calc_inode_reservations() +free_meta: num_bytes=calc_inode_reservations() +total: not changed (still space for one outstanding extent) + +This means, if btrfs_delalloc_release_extents() determines to free some +space, then those space should be freed NOW. +So for qgroup, we should call btrfs_qgroup_free_meta_prealloc() other +than btrfs_qgroup_convert_reserved_meta(). + +The good news is: +- The callers are not that hot + The hottest caller is in btrfs_buffered_write(), which is already + fixed by commit 336a8bb8e36a ("btrfs: Fix wrong + btrfs_delalloc_release_extents parameter"). Thus it's not that + easy to cause false EDQUOT. + +- The trans commit in advance for qgroup would hide the bug + Since commit f5fef4593653 ("btrfs: qgroup: Make qgroup async transaction + commit more aggressive"), when btrfs qgroup metadata free space is slow, + it will try to commit transaction and free the wrongly converted + PERTRANS space, so it's not that easy to hit such bug. + +[FIX] +So to fix the problem, remove the @qgroup_free parameter for +btrfs_delalloc_release_extents(), and always pass true to +btrfs_inode_rsv_release(). + +Reported-by: Filipe Manana +Fixes: 43b18595d660 ("btrfs: qgroup: Use separate meta reservation type for delalloc") +CC: stable@vger.kernel.org # 4.19+ +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.h | 3 +-- + fs/btrfs/extent-tree.c | 5 ++--- + fs/btrfs/file.c | 7 +++---- + fs/btrfs/inode-map.c | 4 ++-- + fs/btrfs/inode.c | 12 ++++++------ + fs/btrfs/ioctl.c | 6 ++---- + fs/btrfs/relocation.c | 9 ++++----- + 7 files changed, 20 insertions(+), 26 deletions(-) + +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index faca485ccd8f4..ef7a352d72ed8 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -2747,8 +2747,7 @@ int btrfs_subvolume_reserve_metadata(struct btrfs_root *root, + int nitems, bool use_global_rsv); + void btrfs_subvolume_release_metadata(struct btrfs_fs_info *fs_info, + struct btrfs_block_rsv *rsv); +-void btrfs_delalloc_release_extents(struct btrfs_inode *inode, u64 num_bytes, +- bool qgroup_free); ++void btrfs_delalloc_release_extents(struct btrfs_inode *inode, u64 num_bytes); + + int btrfs_delalloc_reserve_metadata(struct btrfs_inode *inode, u64 num_bytes); + void btrfs_delalloc_release_metadata(struct btrfs_inode *inode, u64 num_bytes, +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 72c745682996f..024dd336b20ae 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -5980,8 +5980,7 @@ void btrfs_delalloc_release_metadata(struct btrfs_inode *inode, u64 num_bytes, + * temporarily tracked outstanding_extents. This _must_ be used in conjunction + * with btrfs_delalloc_reserve_metadata. + */ +-void btrfs_delalloc_release_extents(struct btrfs_inode *inode, u64 num_bytes, +- bool qgroup_free) ++void btrfs_delalloc_release_extents(struct btrfs_inode *inode, u64 num_bytes) + { + struct btrfs_fs_info *fs_info = inode->root->fs_info; + unsigned num_extents; +@@ -5995,7 +5994,7 @@ void btrfs_delalloc_release_extents(struct btrfs_inode *inode, u64 num_bytes, + if (btrfs_is_testing(fs_info)) + return; + +- btrfs_inode_rsv_release(inode, qgroup_free); ++ btrfs_inode_rsv_release(inode, true); + } + + /** +diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c +index 5d036b794e4af..a456801e0cd54 100644 +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -1692,7 +1692,7 @@ again: + force_page_uptodate); + if (ret) { + btrfs_delalloc_release_extents(BTRFS_I(inode), +- reserve_bytes, true); ++ reserve_bytes); + break; + } + +@@ -1704,7 +1704,7 @@ again: + if (extents_locked == -EAGAIN) + goto again; + btrfs_delalloc_release_extents(BTRFS_I(inode), +- reserve_bytes, true); ++ reserve_bytes); + ret = extents_locked; + break; + } +@@ -1772,8 +1772,7 @@ again: + else + free_extent_state(cached_state); + +- btrfs_delalloc_release_extents(BTRFS_I(inode), reserve_bytes, +- true); ++ btrfs_delalloc_release_extents(BTRFS_I(inode), reserve_bytes); + if (ret) { + btrfs_drop_pages(pages, num_pages); + break; +diff --git a/fs/btrfs/inode-map.c b/fs/btrfs/inode-map.c +index 0141fc08d317e..e1b50c62ba650 100644 +--- a/fs/btrfs/inode-map.c ++++ b/fs/btrfs/inode-map.c +@@ -483,13 +483,13 @@ again: + ret = btrfs_prealloc_file_range_trans(inode, trans, 0, 0, prealloc, + prealloc, prealloc, &alloc_hint); + if (ret) { +- btrfs_delalloc_release_extents(BTRFS_I(inode), prealloc, true); ++ btrfs_delalloc_release_extents(BTRFS_I(inode), prealloc); + btrfs_delalloc_release_metadata(BTRFS_I(inode), prealloc, true); + goto out_put; + } + + ret = btrfs_write_out_ino_cache(root, trans, path, inode); +- btrfs_delalloc_release_extents(BTRFS_I(inode), prealloc, false); ++ btrfs_delalloc_release_extents(BTRFS_I(inode), prealloc); + out_put: + iput(inode); + out_release: +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 37332f83a3a96..9aea9381ceeb6 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -2166,7 +2166,7 @@ again: + + ClearPageChecked(page); + set_page_dirty(page); +- btrfs_delalloc_release_extents(BTRFS_I(inode), PAGE_SIZE, false); ++ btrfs_delalloc_release_extents(BTRFS_I(inode), PAGE_SIZE); + out: + unlock_extent_cached(&BTRFS_I(inode)->io_tree, page_start, page_end, + &cached_state); +@@ -4918,7 +4918,7 @@ again: + if (!page) { + btrfs_delalloc_release_space(inode, data_reserved, + block_start, blocksize, true); +- btrfs_delalloc_release_extents(BTRFS_I(inode), blocksize, true); ++ btrfs_delalloc_release_extents(BTRFS_I(inode), blocksize); + ret = -ENOMEM; + goto out; + } +@@ -4986,7 +4986,7 @@ out_unlock: + if (ret) + btrfs_delalloc_release_space(inode, data_reserved, block_start, + blocksize, true); +- btrfs_delalloc_release_extents(BTRFS_I(inode), blocksize, (ret != 0)); ++ btrfs_delalloc_release_extents(BTRFS_I(inode), blocksize); + unlock_page(page); + put_page(page); + out: +@@ -8660,7 +8660,7 @@ static ssize_t btrfs_direct_IO(struct kiocb *iocb, struct iov_iter *iter) + } else if (ret >= 0 && (size_t)ret < count) + btrfs_delalloc_release_space(inode, data_reserved, + offset, count - (size_t)ret, true); +- btrfs_delalloc_release_extents(BTRFS_I(inode), count, false); ++ btrfs_delalloc_release_extents(BTRFS_I(inode), count); + } + out: + if (wakeup) +@@ -9013,7 +9013,7 @@ again: + unlock_extent_cached(io_tree, page_start, page_end, &cached_state); + + if (!ret2) { +- btrfs_delalloc_release_extents(BTRFS_I(inode), PAGE_SIZE, true); ++ btrfs_delalloc_release_extents(BTRFS_I(inode), PAGE_SIZE); + sb_end_pagefault(inode->i_sb); + extent_changeset_free(data_reserved); + return VM_FAULT_LOCKED; +@@ -9022,7 +9022,7 @@ again: + out_unlock: + unlock_page(page); + out: +- btrfs_delalloc_release_extents(BTRFS_I(inode), PAGE_SIZE, (ret != 0)); ++ btrfs_delalloc_release_extents(BTRFS_I(inode), PAGE_SIZE); + btrfs_delalloc_release_space(inode, data_reserved, page_start, + reserved_space, (ret != 0)); + out_noreserve: +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index 0eb333c62fe46..7592beb53fc4e 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -1359,8 +1359,7 @@ again: + unlock_page(pages[i]); + put_page(pages[i]); + } +- btrfs_delalloc_release_extents(BTRFS_I(inode), page_cnt << PAGE_SHIFT, +- false); ++ btrfs_delalloc_release_extents(BTRFS_I(inode), page_cnt << PAGE_SHIFT); + extent_changeset_free(data_reserved); + return i_done; + out: +@@ -1371,8 +1370,7 @@ out: + btrfs_delalloc_release_space(inode, data_reserved, + start_index << PAGE_SHIFT, + page_cnt << PAGE_SHIFT, true); +- btrfs_delalloc_release_extents(BTRFS_I(inode), page_cnt << PAGE_SHIFT, +- true); ++ btrfs_delalloc_release_extents(BTRFS_I(inode), page_cnt << PAGE_SHIFT); + extent_changeset_free(data_reserved); + return ret; + +diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c +index bccd9dede2af4..b4958f724ce5f 100644 +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -3188,7 +3188,7 @@ static int relocate_file_extent_cluster(struct inode *inode, + btrfs_delalloc_release_metadata(BTRFS_I(inode), + PAGE_SIZE, true); + btrfs_delalloc_release_extents(BTRFS_I(inode), +- PAGE_SIZE, true); ++ PAGE_SIZE); + ret = -ENOMEM; + goto out; + } +@@ -3209,7 +3209,7 @@ static int relocate_file_extent_cluster(struct inode *inode, + btrfs_delalloc_release_metadata(BTRFS_I(inode), + PAGE_SIZE, true); + btrfs_delalloc_release_extents(BTRFS_I(inode), +- PAGE_SIZE, true); ++ PAGE_SIZE); + ret = -EIO; + goto out; + } +@@ -3238,7 +3238,7 @@ static int relocate_file_extent_cluster(struct inode *inode, + btrfs_delalloc_release_metadata(BTRFS_I(inode), + PAGE_SIZE, true); + btrfs_delalloc_release_extents(BTRFS_I(inode), +- PAGE_SIZE, true); ++ PAGE_SIZE); + + clear_extent_bits(&BTRFS_I(inode)->io_tree, + page_start, page_end, +@@ -3254,8 +3254,7 @@ static int relocate_file_extent_cluster(struct inode *inode, + put_page(page); + + index++; +- btrfs_delalloc_release_extents(BTRFS_I(inode), PAGE_SIZE, +- false); ++ btrfs_delalloc_release_extents(BTRFS_I(inode), PAGE_SIZE); + balance_dirty_pages_ratelimited(inode->i_mapping); + btrfs_throttle(fs_info); + } +-- +2.20.1 + diff --git a/queue-4.19/btrfs-tracepoints-fix-wrong-parameter-order-for-qgro.patch b/queue-4.19/btrfs-tracepoints-fix-wrong-parameter-order-for-qgro.patch new file mode 100644 index 00000000000..108eb9dd291 --- /dev/null +++ b/queue-4.19/btrfs-tracepoints-fix-wrong-parameter-order-for-qgro.patch @@ -0,0 +1,63 @@ +From 9346ff19076fb4bb88c9683c5c1401eb0405af06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Oct 2019 10:38:36 +0800 +Subject: btrfs: tracepoints: Fix wrong parameter order for qgroup events + +From: Qu Wenruo + +[ Upstream commit fd2b007eaec898564e269d1f478a2da0380ecf51 ] + +[BUG] +For btrfs:qgroup_meta_reserve event, the trace event can output garbage: + + qgroup_meta_reserve: 9c7f6acc-b342-4037-bc47-7f6e4d2232d7: refroot=5(FS_TREE) type=DATA diff=2 + +The diff should always be alinged to sector size (4k), so there is +definitely something wrong. + +[CAUSE] +For the wrong @diff, it's caused by wrong parameter order. +The correct parameters are: + + struct btrfs_root, s64 diff, int type. + +However the parameters used are: + + struct btrfs_root, int type, s64 diff. + +Fixes: 4ee0d8832c2e ("btrfs: qgroup: Update trace events for metadata reservation") +CC: stable@vger.kernel.org # 4.19+ +Reviewed-by: Nikolay Borisov +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/qgroup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c +index 3ea2008dcde3e..cdd6d50210004 100644 +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -3259,7 +3259,7 @@ int __btrfs_qgroup_reserve_meta(struct btrfs_root *root, int num_bytes, + return 0; + + BUG_ON(num_bytes != round_down(num_bytes, fs_info->nodesize)); +- trace_qgroup_meta_reserve(root, type, (s64)num_bytes); ++ trace_qgroup_meta_reserve(root, (s64)num_bytes, type); + ret = qgroup_reserve(root, num_bytes, enforce, type); + if (ret < 0) + return ret; +@@ -3306,7 +3306,7 @@ void __btrfs_qgroup_free_meta(struct btrfs_root *root, int num_bytes, + */ + num_bytes = sub_root_meta_rsv(root, num_bytes, type); + BUG_ON(num_bytes != round_down(num_bytes, fs_info->nodesize)); +- trace_qgroup_meta_reserve(root, type, -(s64)num_bytes); ++ trace_qgroup_meta_reserve(root, -(s64)num_bytes, type); + btrfs_qgroup_free_refroot(fs_info, root->objectid, num_bytes, type); + } + +-- +2.20.1 + diff --git a/queue-4.19/cifs-add-credits-from-unmatched-responses-messages.patch b/queue-4.19/cifs-add-credits-from-unmatched-responses-messages.patch new file mode 100644 index 00000000000..156dcca0070 --- /dev/null +++ b/queue-4.19/cifs-add-credits-from-unmatched-responses-messages.patch @@ -0,0 +1,88 @@ +From 960608b3dea9a05050b7437781c9c69d7ffc9061 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Feb 2019 12:56:44 +1000 +Subject: cifs: add credits from unmatched responses/messages + +From: Ronnie Sahlberg + +[ Upstream commit eca004523811f816bcfca3046ab54e1278e0973b ] + +We should add any credits granted to us from unmatched server responses. + +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Reviewed-by: Pavel Shilovsky +Signed-off-by: Sasha Levin +--- + fs/cifs/connect.c | 22 ++++++++++++++++++++++ + fs/cifs/smb2misc.c | 7 ------- + 2 files changed, 22 insertions(+), 7 deletions(-) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 966e493c82e57..7e85070d010f4 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -930,6 +930,26 @@ cifs_handle_standard(struct TCP_Server_Info *server, struct mid_q_entry *mid) + return 0; + } + ++static void ++smb2_add_credits_from_hdr(char *buffer, struct TCP_Server_Info *server) ++{ ++ struct smb2_sync_hdr *shdr = (struct smb2_sync_hdr *)buffer; ++ ++ /* ++ * SMB1 does not use credits. ++ */ ++ if (server->vals->header_preamble_size) ++ return; ++ ++ if (shdr->CreditRequest) { ++ spin_lock(&server->req_lock); ++ server->credits += le16_to_cpu(shdr->CreditRequest); ++ spin_unlock(&server->req_lock); ++ wake_up(&server->request_q); ++ } ++} ++ ++ + static int + cifs_demultiplex_thread(void *p) + { +@@ -1059,6 +1079,7 @@ next_pdu: + } else if (server->ops->is_oplock_break && + server->ops->is_oplock_break(bufs[i], + server)) { ++ smb2_add_credits_from_hdr(bufs[i], server); + cifs_dbg(FYI, "Received oplock break\n"); + } else { + cifs_dbg(VFS, "No task to wake, unknown frame " +@@ -1070,6 +1091,7 @@ next_pdu: + if (server->ops->dump_detail) + server->ops->dump_detail(bufs[i], + server); ++ smb2_add_credits_from_hdr(bufs[i], server); + cifs_dump_mids(server); + #endif /* CIFS_DEBUG2 */ + } +diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c +index 0a7ed2e3ad4f2..e311f58dc1c82 100644 +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -659,13 +659,6 @@ smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server) + if (rsp->sync_hdr.Command != SMB2_OPLOCK_BREAK) + return false; + +- if (rsp->sync_hdr.CreditRequest) { +- spin_lock(&server->req_lock); +- server->credits += le16_to_cpu(rsp->sync_hdr.CreditRequest); +- spin_unlock(&server->req_lock); +- wake_up(&server->request_q); +- } +- + if (rsp->StructureSize != + smb2_rsp_struct_sizes[SMB2_OPLOCK_BREAK_HE]) { + if (le16_to_cpu(rsp->StructureSize) == 44) +-- +2.20.1 + diff --git a/queue-4.19/cifs-respect-smb2-hdr-preamble-size-in-read-response.patch b/queue-4.19/cifs-respect-smb2-hdr-preamble-size-in-read-response.patch new file mode 100644 index 00000000000..e9a21359261 --- /dev/null +++ b/queue-4.19/cifs-respect-smb2-hdr-preamble-size-in-read-response.patch @@ -0,0 +1,60 @@ +From e368caa86e9af7cda623370df809728fb63eebb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jan 2019 16:18:38 -0800 +Subject: CIFS: Respect SMB2 hdr preamble size in read responses + +From: Pavel Shilovsky + +[ Upstream commit bb1bccb60c2ebd9a6f895507d1d48d5ed773814e ] + +There are a couple places where we still account for 4 bytes +in the beginning of SMB2 packet which is not true in the current +code. Fix this to use a header preamble size where possible. + +Signed-off-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/cifssmb.c | 7 ++++--- + fs/cifs/smb2ops.c | 6 +++--- + 2 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c +index 86a54b809c484..8b9471904f67e 100644 +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -1521,9 +1521,10 @@ cifs_readv_receive(struct TCP_Server_Info *server, struct mid_q_entry *mid) + + /* set up first two iov for signature check and to get credits */ + rdata->iov[0].iov_base = buf; +- rdata->iov[0].iov_len = 4; +- rdata->iov[1].iov_base = buf + 4; +- rdata->iov[1].iov_len = server->total_read - 4; ++ rdata->iov[0].iov_len = server->vals->header_preamble_size; ++ rdata->iov[1].iov_base = buf + server->vals->header_preamble_size; ++ rdata->iov[1].iov_len = ++ server->total_read - server->vals->header_preamble_size; + cifs_dbg(FYI, "0: iov_base=%p iov_len=%zu\n", + rdata->iov[0].iov_base, rdata->iov[0].iov_len); + cifs_dbg(FYI, "1: iov_base=%p iov_len=%zu\n", +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index f0d966da7f378..6fc16329ceb45 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -3000,10 +3000,10 @@ handle_read_data(struct TCP_Server_Info *server, struct mid_q_entry *mid, + + /* set up first two iov to get credits */ + rdata->iov[0].iov_base = buf; +- rdata->iov[0].iov_len = 4; +- rdata->iov[1].iov_base = buf + 4; ++ rdata->iov[0].iov_len = 0; ++ rdata->iov[1].iov_base = buf; + rdata->iov[1].iov_len = +- min_t(unsigned int, buf_len, server->vals->read_rsp_size) - 4; ++ min_t(unsigned int, buf_len, server->vals->read_rsp_size); + cifs_dbg(FYI, "0: iov_base=%p iov_len=%zu\n", + rdata->iov[0].iov_base, rdata->iov[0].iov_len); + cifs_dbg(FYI, "1: iov_base=%p iov_len=%zu\n", +-- +2.20.1 + diff --git a/queue-4.19/clk-boston-unregister-clks-on-failure-in-clk_boston_.patch b/queue-4.19/clk-boston-unregister-clks-on-failure-in-clk_boston_.patch new file mode 100644 index 00000000000..2f682125ff2 --- /dev/null +++ b/queue-4.19/clk-boston-unregister-clks-on-failure-in-clk_boston_.patch @@ -0,0 +1,71 @@ +From 432c886d2fd6de224d695554953e94859c8598dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Oct 2018 15:41:42 +0800 +Subject: clk: boston: unregister clks on failure in clk_boston_setup() + +From: Yi Wang + +[ Upstream commit 8b627f616ed63dcaf922369fc14a5daf8ad03038 ] + +The registered clks should unregister when something wrong happens +before going out in function clk_boston_setup(). + +Signed-off-by: Yi Wang +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/imgtec/clk-boston.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/drivers/clk/imgtec/clk-boston.c b/drivers/clk/imgtec/clk-boston.c +index f5d54a64d33c5..dddda45127a80 100644 +--- a/drivers/clk/imgtec/clk-boston.c ++++ b/drivers/clk/imgtec/clk-boston.c +@@ -73,31 +73,39 @@ static void __init clk_boston_setup(struct device_node *np) + hw = clk_hw_register_fixed_rate(NULL, "input", NULL, 0, in_freq); + if (IS_ERR(hw)) { + pr_err("failed to register input clock: %ld\n", PTR_ERR(hw)); +- goto error; ++ goto fail_input; + } + onecell->hws[BOSTON_CLK_INPUT] = hw; + + hw = clk_hw_register_fixed_rate(NULL, "sys", "input", 0, sys_freq); + if (IS_ERR(hw)) { + pr_err("failed to register sys clock: %ld\n", PTR_ERR(hw)); +- goto error; ++ goto fail_sys; + } + onecell->hws[BOSTON_CLK_SYS] = hw; + + hw = clk_hw_register_fixed_rate(NULL, "cpu", "input", 0, cpu_freq); + if (IS_ERR(hw)) { + pr_err("failed to register cpu clock: %ld\n", PTR_ERR(hw)); +- goto error; ++ goto fail_cpu; + } + onecell->hws[BOSTON_CLK_CPU] = hw; + + err = of_clk_add_hw_provider(np, of_clk_hw_onecell_get, onecell); +- if (err) ++ if (err) { + pr_err("failed to add DT provider: %d\n", err); ++ goto fail_clk_add; ++ } + + return; + +-error: ++fail_clk_add: ++ clk_hw_unregister_fixed_rate(onecell->hws[BOSTON_CLK_CPU]); ++fail_cpu: ++ clk_hw_unregister_fixed_rate(onecell->hws[BOSTON_CLK_SYS]); ++fail_sys: ++ clk_hw_unregister_fixed_rate(onecell->hws[BOSTON_CLK_INPUT]); ++fail_input: + kfree(onecell); + } + +-- +2.20.1 + diff --git a/queue-4.19/dm-snapshot-introduce-account_start_copy-and-account.patch b/queue-4.19/dm-snapshot-introduce-account_start_copy-and-account.patch new file mode 100644 index 00000000000..ce1fbdfff2f --- /dev/null +++ b/queue-4.19/dm-snapshot-introduce-account_start_copy-and-account.patch @@ -0,0 +1,73 @@ +From 4685a173efea3fb0a2a9e54ebe7a949e550c4439 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2019 06:14:17 -0400 +Subject: dm snapshot: introduce account_start_copy() and account_end_copy() + +From: Mikulas Patocka + +[ Upstream commit a2f83e8b0c82c9500421a26c49eb198b25fcdea3 ] + +This simple refactoring moves code for modifying the semaphore cow_count +into separate functions to prepare for changes that will extend these +methods to provide for a more sophisticated mechanism for COW +throttling. + +Signed-off-by: Mikulas Patocka +Reviewed-by: Nikos Tsironis +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-snap.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c +index 36805b12661e1..d9216afbd490f 100644 +--- a/drivers/md/dm-snap.c ++++ b/drivers/md/dm-snap.c +@@ -1399,6 +1399,16 @@ static void snapshot_dtr(struct dm_target *ti) + kfree(s); + } + ++static void account_start_copy(struct dm_snapshot *s) ++{ ++ down(&s->cow_count); ++} ++ ++static void account_end_copy(struct dm_snapshot *s) ++{ ++ up(&s->cow_count); ++} ++ + /* + * Flush a list of buffers. + */ +@@ -1594,7 +1604,7 @@ static void copy_callback(int read_err, unsigned long write_err, void *context) + rb_link_node(&pe->out_of_order_node, parent, p); + rb_insert_color(&pe->out_of_order_node, &s->out_of_order_tree); + } +- up(&s->cow_count); ++ account_end_copy(s); + } + + /* +@@ -1618,7 +1628,7 @@ static void start_copy(struct dm_snap_pending_exception *pe) + dest.count = src.count; + + /* Hand over to kcopyd */ +- down(&s->cow_count); ++ account_start_copy(s); + dm_kcopyd_copy(s->kcopyd_client, &src, 1, &dest, 0, copy_callback, pe); + } + +@@ -1638,7 +1648,7 @@ static void start_full_bio(struct dm_snap_pending_exception *pe, + pe->full_bio = bio; + pe->full_bio_end_io = bio->bi_end_io; + +- down(&s->cow_count); ++ account_start_copy(s); + callback_data = dm_kcopyd_prepare_callback(s->kcopyd_client, + copy_callback, pe); + +-- +2.20.1 + diff --git a/queue-4.19/dm-snapshot-rework-cow-throttling-to-fix-deadlock.patch b/queue-4.19/dm-snapshot-rework-cow-throttling-to-fix-deadlock.patch new file mode 100644 index 00000000000..f0f51eeb2d0 --- /dev/null +++ b/queue-4.19/dm-snapshot-rework-cow-throttling-to-fix-deadlock.patch @@ -0,0 +1,244 @@ +From 053eb3bd185964e4f90db6220e1a005ad53aec57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2019 06:15:53 -0400 +Subject: dm snapshot: rework COW throttling to fix deadlock + +From: Mikulas Patocka + +[ Upstream commit b21555786f18cd77f2311ad89074533109ae3ffa ] + +Commit 721b1d98fb517a ("dm snapshot: Fix excessive memory usage and +workqueue stalls") introduced a semaphore to limit the maximum number of +in-flight kcopyd (COW) jobs. + +The implementation of this throttling mechanism is prone to a deadlock: + +1. One or more threads write to the origin device causing COW, which is + performed by kcopyd. + +2. At some point some of these threads might reach the s->cow_count + semaphore limit and block in down(&s->cow_count), holding a read lock + on _origins_lock. + +3. Someone tries to acquire a write lock on _origins_lock, e.g., + snapshot_ctr(), which blocks because the threads at step (2) already + hold a read lock on it. + +4. A COW operation completes and kcopyd runs dm-snapshot's completion + callback, which ends up calling pending_complete(). + pending_complete() tries to resubmit any deferred origin bios. This + requires acquiring a read lock on _origins_lock, which blocks. + + This happens because the read-write semaphore implementation gives + priority to writers, meaning that as soon as a writer tries to enter + the critical section, no readers will be allowed in, until all + writers have completed their work. + + So, pending_complete() waits for the writer at step (3) to acquire + and release the lock. This writer waits for the readers at step (2) + to release the read lock and those readers wait for + pending_complete() (the kcopyd thread) to signal the s->cow_count + semaphore: DEADLOCK. + +The above was thoroughly analyzed and documented by Nikos Tsironis as +part of his initial proposal for fixing this deadlock, see: +https://www.redhat.com/archives/dm-devel/2019-October/msg00001.html + +Fix this deadlock by reworking COW throttling so that it waits without +holding any locks. Add a variable 'in_progress' that counts how many +kcopyd jobs are running. A function wait_for_in_progress() will sleep if +'in_progress' is over the limit. It drops _origins_lock in order to +avoid the deadlock. + +Reported-by: Guruswamy Basavaiah +Reported-by: Nikos Tsironis +Reviewed-by: Nikos Tsironis +Tested-by: Nikos Tsironis +Fixes: 721b1d98fb51 ("dm snapshot: Fix excessive memory usage and workqueue stalls") +Cc: stable@vger.kernel.org # v5.0+ +Depends-on: 4a3f111a73a8c ("dm snapshot: introduce account_start_copy() and account_end_copy()") +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-snap.c | 78 ++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 64 insertions(+), 14 deletions(-) + +diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c +index d9216afbd490f..d3f28a9e3fd95 100644 +--- a/drivers/md/dm-snap.c ++++ b/drivers/md/dm-snap.c +@@ -19,7 +19,6 @@ + #include + #include + #include +-#include + + #include "dm.h" + +@@ -106,8 +105,8 @@ struct dm_snapshot { + /* The on disk metadata handler */ + struct dm_exception_store *store; + +- /* Maximum number of in-flight COW jobs. */ +- struct semaphore cow_count; ++ unsigned in_progress; ++ struct wait_queue_head in_progress_wait; + + struct dm_kcopyd_client *kcopyd_client; + +@@ -158,8 +157,8 @@ struct dm_snapshot { + */ + #define DEFAULT_COW_THRESHOLD 2048 + +-static int cow_threshold = DEFAULT_COW_THRESHOLD; +-module_param_named(snapshot_cow_threshold, cow_threshold, int, 0644); ++static unsigned cow_threshold = DEFAULT_COW_THRESHOLD; ++module_param_named(snapshot_cow_threshold, cow_threshold, uint, 0644); + MODULE_PARM_DESC(snapshot_cow_threshold, "Maximum number of chunks being copied on write"); + + DECLARE_DM_KCOPYD_THROTTLE_WITH_MODULE_PARM(snapshot_copy_throttle, +@@ -1207,7 +1206,7 @@ static int snapshot_ctr(struct dm_target *ti, unsigned int argc, char **argv) + goto bad_hash_tables; + } + +- sema_init(&s->cow_count, (cow_threshold > 0) ? cow_threshold : INT_MAX); ++ init_waitqueue_head(&s->in_progress_wait); + + s->kcopyd_client = dm_kcopyd_client_create(&dm_kcopyd_throttle); + if (IS_ERR(s->kcopyd_client)) { +@@ -1396,17 +1395,54 @@ static void snapshot_dtr(struct dm_target *ti) + + dm_put_device(ti, s->origin); + ++ WARN_ON(s->in_progress); ++ + kfree(s); + } + + static void account_start_copy(struct dm_snapshot *s) + { +- down(&s->cow_count); ++ spin_lock(&s->in_progress_wait.lock); ++ s->in_progress++; ++ spin_unlock(&s->in_progress_wait.lock); + } + + static void account_end_copy(struct dm_snapshot *s) + { +- up(&s->cow_count); ++ spin_lock(&s->in_progress_wait.lock); ++ BUG_ON(!s->in_progress); ++ s->in_progress--; ++ if (likely(s->in_progress <= cow_threshold) && ++ unlikely(waitqueue_active(&s->in_progress_wait))) ++ wake_up_locked(&s->in_progress_wait); ++ spin_unlock(&s->in_progress_wait.lock); ++} ++ ++static bool wait_for_in_progress(struct dm_snapshot *s, bool unlock_origins) ++{ ++ if (unlikely(s->in_progress > cow_threshold)) { ++ spin_lock(&s->in_progress_wait.lock); ++ if (likely(s->in_progress > cow_threshold)) { ++ /* ++ * NOTE: this throttle doesn't account for whether ++ * the caller is servicing an IO that will trigger a COW ++ * so excess throttling may result for chunks not required ++ * to be COW'd. But if cow_threshold was reached, extra ++ * throttling is unlikely to negatively impact performance. ++ */ ++ DECLARE_WAITQUEUE(wait, current); ++ __add_wait_queue(&s->in_progress_wait, &wait); ++ __set_current_state(TASK_UNINTERRUPTIBLE); ++ spin_unlock(&s->in_progress_wait.lock); ++ if (unlock_origins) ++ up_read(&_origins_lock); ++ io_schedule(); ++ remove_wait_queue(&s->in_progress_wait, &wait); ++ return false; ++ } ++ spin_unlock(&s->in_progress_wait.lock); ++ } ++ return true; + } + + /* +@@ -1424,7 +1460,7 @@ static void flush_bios(struct bio *bio) + } + } + +-static int do_origin(struct dm_dev *origin, struct bio *bio); ++static int do_origin(struct dm_dev *origin, struct bio *bio, bool limit); + + /* + * Flush a list of buffers. +@@ -1437,7 +1473,7 @@ static void retry_origin_bios(struct dm_snapshot *s, struct bio *bio) + while (bio) { + n = bio->bi_next; + bio->bi_next = NULL; +- r = do_origin(s->origin, bio); ++ r = do_origin(s->origin, bio, false); + if (r == DM_MAPIO_REMAPPED) + generic_make_request(bio); + bio = n; +@@ -1739,6 +1775,11 @@ static int snapshot_map(struct dm_target *ti, struct bio *bio) + if (!s->valid) + return DM_MAPIO_KILL; + ++ if (bio_data_dir(bio) == WRITE) { ++ while (unlikely(!wait_for_in_progress(s, false))) ++ ; /* wait_for_in_progress() has slept */ ++ } ++ + mutex_lock(&s->lock); + + if (!s->valid || (unlikely(s->snapshot_overflowed) && +@@ -1887,7 +1928,7 @@ redirect_to_origin: + + if (bio_data_dir(bio) == WRITE) { + mutex_unlock(&s->lock); +- return do_origin(s->origin, bio); ++ return do_origin(s->origin, bio, false); + } + + out_unlock: +@@ -2224,15 +2265,24 @@ next_snapshot: + /* + * Called on a write from the origin driver. + */ +-static int do_origin(struct dm_dev *origin, struct bio *bio) ++static int do_origin(struct dm_dev *origin, struct bio *bio, bool limit) + { + struct origin *o; + int r = DM_MAPIO_REMAPPED; + ++again: + down_read(&_origins_lock); + o = __lookup_origin(origin->bdev); +- if (o) ++ if (o) { ++ if (limit) { ++ struct dm_snapshot *s; ++ list_for_each_entry(s, &o->snapshots, list) ++ if (unlikely(!wait_for_in_progress(s, true))) ++ goto again; ++ } ++ + r = __origin_write(&o->snapshots, bio->bi_iter.bi_sector, bio); ++ } + up_read(&_origins_lock); + + return r; +@@ -2345,7 +2395,7 @@ static int origin_map(struct dm_target *ti, struct bio *bio) + dm_accept_partial_bio(bio, available_sectors); + + /* Only tell snapshots if this is a write */ +- return do_origin(o->dev, bio); ++ return do_origin(o->dev, bio, true); + } + + static long origin_dax_direct_access(struct dm_target *ti, pgoff_t pgoff, +-- +2.20.1 + diff --git a/queue-4.19/drm-amd-display-fix-odm-combine-pipe-reset.patch b/queue-4.19/drm-amd-display-fix-odm-combine-pipe-reset.patch new file mode 100644 index 00000000000..5f86ff71cfa --- /dev/null +++ b/queue-4.19/drm-amd-display-fix-odm-combine-pipe-reset.patch @@ -0,0 +1,49 @@ +From e6eda8a9562b6f4ec92890ef699da675ced06c30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2019 16:44:53 -0500 +Subject: drm/amd/display: fix odm combine pipe reset + +From: Dmytro Laktyushkin + +[ Upstream commit f25f06b67ba237b76092a6fc522b1a94e84bfa85 ] + +We fail to reset the second odm combine pipe. This change fixes +odm pointer management. + +Signed-off-by: Dmytro Laktyushkin +Reviewed-by: Tony Cheng +Acked-by: Bhawanpreet Lakha +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +index d440b28ee43fb..6896d69b8c240 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +@@ -1399,9 +1399,9 @@ bool dc_remove_plane_from_context( + * For head pipe detach surfaces from pipe for tail + * pipe just zero it out + */ +- if (!pipe_ctx->top_pipe || +- (!pipe_ctx->top_pipe->top_pipe && ++ if (!pipe_ctx->top_pipe || (!pipe_ctx->top_pipe->top_pipe && + pipe_ctx->top_pipe->stream_res.opp != pipe_ctx->stream_res.opp)) { ++ pipe_ctx->top_pipe = NULL; + pipe_ctx->plane_state = NULL; + pipe_ctx->bottom_pipe = NULL; + } else { +@@ -1803,8 +1803,6 @@ enum dc_status dc_remove_stream_from_ctx( + dc->res_pool->funcs->remove_stream_from_ctx(dc, new_ctx, stream); + + memset(del_pipe, 0, sizeof(*del_pipe)); +- +- break; + } + } + +-- +2.20.1 + diff --git a/queue-4.19/drm-amdgpu-fix-memory-leak.patch b/queue-4.19/drm-amdgpu-fix-memory-leak.patch new file mode 100644 index 00000000000..b7f7236a31f --- /dev/null +++ b/queue-4.19/drm-amdgpu-fix-memory-leak.patch @@ -0,0 +1,74 @@ +From 14bfc0d8f75b1c2653c4bd90f30da9de93afc13b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2019 11:53:37 +0200 +Subject: drm/amdgpu: fix memory leak +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nirmoy Das + +[ Upstream commit 083164dbdb17c5ea4ad92c1782b59c9d75567790 ] + +cleanup error handling code and make sure temporary info array +with the handles are freed by amdgpu_bo_list_put() on +idr_replace()'s failure. + +Signed-off-by: Nirmoy Das +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c +index b80243d3972e4..ce7f18c5ccb26 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c +@@ -264,7 +264,7 @@ int amdgpu_bo_list_ioctl(struct drm_device *dev, void *data, + + r = amdgpu_bo_create_list_entry_array(&args->in, &info); + if (r) +- goto error_free; ++ return r; + + switch (args->in.operation) { + case AMDGPU_BO_LIST_OP_CREATE: +@@ -277,8 +277,7 @@ int amdgpu_bo_list_ioctl(struct drm_device *dev, void *data, + r = idr_alloc(&fpriv->bo_list_handles, list, 1, 0, GFP_KERNEL); + mutex_unlock(&fpriv->bo_list_lock); + if (r < 0) { +- amdgpu_bo_list_put(list); +- return r; ++ goto error_put_list; + } + + handle = r; +@@ -300,9 +299,8 @@ int amdgpu_bo_list_ioctl(struct drm_device *dev, void *data, + mutex_unlock(&fpriv->bo_list_lock); + + if (IS_ERR(old)) { +- amdgpu_bo_list_put(list); + r = PTR_ERR(old); +- goto error_free; ++ goto error_put_list; + } + + amdgpu_bo_list_put(old); +@@ -319,8 +317,10 @@ int amdgpu_bo_list_ioctl(struct drm_device *dev, void *data, + + return 0; + ++error_put_list: ++ amdgpu_bo_list_put(list); ++ + error_free: +- if (info) +- kvfree(info); ++ kvfree(info); + return r; + } +-- +2.20.1 + diff --git a/queue-4.19/drm-msm-dpu-handle-failures-while-initializing-displ.patch b/queue-4.19/drm-msm-dpu-handle-failures-while-initializing-displ.patch new file mode 100644 index 00000000000..dbe3dba9fb7 --- /dev/null +++ b/queue-4.19/drm-msm-dpu-handle-failures-while-initializing-displ.patch @@ -0,0 +1,111 @@ +From 6c9317cfdc82acb24daacf91c145513635e30c5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Dec 2018 14:35:04 -0800 +Subject: drm/msm/dpu: handle failures while initializing displays + +From: Jeykumar Sankaran + +[ Upstream commit a802ee99c448ca0496fa307f3e46b834ae2a46a3 ] + +Bail out KMS hw init on display initialization failures with +proper error logging. + +changes in v3: + - introduced in the series +changes in v4: + - avoid duplicate return on errors (Sean Paul) + - avoid spamming errors on failures (Jordon Crouse) + +Signed-off-by: Jeykumar Sankaran +Signed-off-by: Sean Paul +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 31 ++++++++++++++----------- + 1 file changed, 18 insertions(+), 13 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c +index 74cc204b07e80..2d9b7b5fb49c8 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c +@@ -442,35 +442,38 @@ static void dpu_kms_wait_for_commit_done(struct msm_kms *kms, + } + } + +-static void _dpu_kms_initialize_dsi(struct drm_device *dev, ++static int _dpu_kms_initialize_dsi(struct drm_device *dev, + struct msm_drm_private *priv, + struct dpu_kms *dpu_kms) + { + struct drm_encoder *encoder = NULL; +- int i, rc; ++ int i, rc = 0; ++ ++ if (!(priv->dsi[0] || priv->dsi[1])) ++ return rc; + + /*TODO: Support two independent DSI connectors */ + encoder = dpu_encoder_init(dev, DRM_MODE_ENCODER_DSI); +- if (IS_ERR_OR_NULL(encoder)) { ++ if (IS_ERR(encoder)) { + DPU_ERROR("encoder init failed for dsi display\n"); +- return; ++ return PTR_ERR(encoder); + } + + priv->encoders[priv->num_encoders++] = encoder; + + for (i = 0; i < ARRAY_SIZE(priv->dsi); i++) { +- if (!priv->dsi[i]) { +- DPU_DEBUG("invalid msm_dsi for ctrl %d\n", i); +- return; +- } ++ if (!priv->dsi[i]) ++ continue; + + rc = msm_dsi_modeset_init(priv->dsi[i], dev, encoder); + if (rc) { + DPU_ERROR("modeset_init failed for dsi[%d], rc = %d\n", + i, rc); +- continue; ++ break; + } + } ++ ++ return rc; + } + + /** +@@ -481,16 +484,16 @@ static void _dpu_kms_initialize_dsi(struct drm_device *dev, + * @dpu_kms: Pointer to dpu kms structure + * Returns: Zero on success + */ +-static void _dpu_kms_setup_displays(struct drm_device *dev, ++static int _dpu_kms_setup_displays(struct drm_device *dev, + struct msm_drm_private *priv, + struct dpu_kms *dpu_kms) + { +- _dpu_kms_initialize_dsi(dev, priv, dpu_kms); +- + /** + * Extend this function to initialize other + * types of displays + */ ++ ++ return _dpu_kms_initialize_dsi(dev, priv, dpu_kms); + } + + static void _dpu_kms_drm_obj_destroy(struct dpu_kms *dpu_kms) +@@ -552,7 +555,9 @@ static int _dpu_kms_drm_obj_init(struct dpu_kms *dpu_kms) + * Create encoder and query display drivers to create + * bridges and connectors + */ +- _dpu_kms_setup_displays(dev, priv, dpu_kms); ++ ret = _dpu_kms_setup_displays(dev, priv, dpu_kms); ++ if (ret) ++ goto fail; + + max_crtc_count = min(catalog->mixer_count, priv->num_encoders); + +-- +2.20.1 + diff --git a/queue-4.19/efi-cper-fix-endianness-of-pcie-class-code.patch b/queue-4.19/efi-cper-fix-endianness-of-pcie-class-code.patch new file mode 100644 index 00000000000..092f6f6b26b --- /dev/null +++ b/queue-4.19/efi-cper-fix-endianness-of-pcie-class-code.patch @@ -0,0 +1,61 @@ +From 55fca10582f5fd5e4cba66b79405284c0370bf63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2019 18:58:58 +0200 +Subject: efi/cper: Fix endianness of PCIe class code + +From: Lukas Wunner + +[ Upstream commit 6fb9367a15d1a126d222d738b2702c7958594a5f ] + +The CPER parser assumes that the class code is big endian, but at least +on this edk2-derived Intel Purley platform it's little endian: + + efi: EFI v2.50 by EDK II BIOS ID:PLYDCRB1.86B.0119.R05.1701181843 + DMI: Intel Corporation PURLEY/PURLEY, BIOS PLYDCRB1.86B.0119.R05.1701181843 01/18/2017 + + {1}[Hardware Error]: device_id: 0000:5d:00.0 + {1}[Hardware Error]: slot: 0 + {1}[Hardware Error]: secondary_bus: 0x5e + {1}[Hardware Error]: vendor_id: 0x8086, device_id: 0x2030 + {1}[Hardware Error]: class_code: 000406 + ^^^^^^ (should be 060400) + +Signed-off-by: Lukas Wunner +Signed-off-by: Ard Biesheuvel +Cc: Ben Dooks +Cc: Dave Young +Cc: Jarkko Sakkinen +Cc: Jerry Snitselaar +Cc: Linus Torvalds +Cc: Lyude Paul +Cc: Matthew Garrett +Cc: Octavian Purdila +Cc: Peter Jones +Cc: Peter Zijlstra +Cc: Scott Talbert +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Cc: linux-integrity@vger.kernel.org +Link: https://lkml.kernel.org/r/20191002165904.8819-2-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/cper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c +index 4045098ddb860..116989cf3d457 100644 +--- a/drivers/firmware/efi/cper.c ++++ b/drivers/firmware/efi/cper.c +@@ -393,7 +393,7 @@ static void cper_print_pcie(const char *pfx, const struct cper_sec_pcie *pcie, + printk("%s""vendor_id: 0x%04x, device_id: 0x%04x\n", pfx, + pcie->device_id.vendor_id, pcie->device_id.device_id); + p = pcie->device_id.class_code; +- printk("%s""class_code: %02x%02x%02x\n", pfx, p[0], p[1], p[2]); ++ printk("%s""class_code: %02x%02x%02x\n", pfx, p[2], p[1], p[0]); + } + if (pcie->validation_bits & CPER_PCIE_VALID_SERIAL_NUMBER) + printk("%s""serial number: 0x%04x, 0x%04x\n", pfx, +-- +2.20.1 + diff --git a/queue-4.19/efi-x86-do-not-clean-dummy-variable-in-kexec-path.patch b/queue-4.19/efi-x86-do-not-clean-dummy-variable-in-kexec-path.patch new file mode 100644 index 00000000000..e360398a2a3 --- /dev/null +++ b/queue-4.19/efi-x86-do-not-clean-dummy-variable-in-kexec-path.patch @@ -0,0 +1,61 @@ +From 972bd3aa809509513b13b99557b664fc8bbd3853 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2019 18:59:04 +0200 +Subject: efi/x86: Do not clean dummy variable in kexec path + +From: Dave Young + +[ Upstream commit 2ecb7402cfc7f22764e7bbc80790e66eadb20560 ] + +kexec reboot fails randomly in UEFI based KVM guest. The firmware +just resets while calling efi_delete_dummy_variable(); Unfortunately +I don't know how to debug the firmware, it is also possible a potential +problem on real hardware as well although nobody reproduced it. + +The intention of the efi_delete_dummy_variable is to trigger garbage collection +when entering virtual mode. But SetVirtualAddressMap can only run once +for each physical reboot, thus kexec_enter_virtual_mode() is not necessarily +a good place to clean a dummy object. + +Drop the efi_delete_dummy_variable so that kexec reboot can work. + +Signed-off-by: Dave Young +Signed-off-by: Ard Biesheuvel +Acked-by: Matthew Garrett +Cc: Ben Dooks +Cc: Jarkko Sakkinen +Cc: Jerry Snitselaar +Cc: Linus Torvalds +Cc: Lukas Wunner +Cc: Lyude Paul +Cc: Octavian Purdila +Cc: Peter Jones +Cc: Peter Zijlstra +Cc: Scott Talbert +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Cc: linux-integrity@vger.kernel.org +Link: https://lkml.kernel.org/r/20191002165904.8819-8-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/platform/efi/efi.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c +index 9061babfbc83d..335a62e74a2e9 100644 +--- a/arch/x86/platform/efi/efi.c ++++ b/arch/x86/platform/efi/efi.c +@@ -893,9 +893,6 @@ static void __init kexec_enter_virtual_mode(void) + + if (efi_enabled(EFI_OLD_MEMMAP) && (__supported_pte_mask & _PAGE_NX)) + runtime_code_page_mkexec(); +- +- /* clean DUMMY object */ +- efi_delete_dummy_variable(); + #endif + } + +-- +2.20.1 + diff --git a/queue-4.19/exec-load_script-do-not-exec-truncated-interpreter-p.patch b/queue-4.19/exec-load_script-do-not-exec-truncated-interpreter-p.patch new file mode 100644 index 00000000000..0b240193ba9 --- /dev/null +++ b/queue-4.19/exec-load_script-do-not-exec-truncated-interpreter-p.patch @@ -0,0 +1,119 @@ +From 1dddf194551c4c00ae024ccf9a697cd9b0299bcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Feb 2019 16:36:48 -0800 +Subject: exec: load_script: Do not exec truncated interpreter path + +From: Kees Cook + +[ Upstream commit b5372fe5dc84235dbe04998efdede3c4daa866a9 ] + +Commit 8099b047ecc4 ("exec: load_script: don't blindly truncate +shebang string") was trying to protect against a confused exec of a +truncated interpreter path. However, it was overeager and also refused +to truncate arguments as well, which broke userspace, and it was +reverted. This attempts the protection again, but allows arguments to +remain truncated. In an effort to improve readability, helper functions +and comments have been added. + +Co-developed-by: Linus Torvalds +Signed-off-by: Kees Cook +Cc: Andrew Morton +Cc: Oleg Nesterov +Cc: Samuel Dionne-Riel +Cc: Richard Weinberger +Cc: Graham Christensen +Cc: Michal Hocko +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/binfmt_script.c | 57 ++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 48 insertions(+), 9 deletions(-) + +diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c +index 7cde3f46ad263..e996174cbfc02 100644 +--- a/fs/binfmt_script.c ++++ b/fs/binfmt_script.c +@@ -14,13 +14,30 @@ + #include + #include + ++static inline bool spacetab(char c) { return c == ' ' || c == '\t'; } ++static inline char *next_non_spacetab(char *first, const char *last) ++{ ++ for (; first <= last; first++) ++ if (!spacetab(*first)) ++ return first; ++ return NULL; ++} ++static inline char *next_terminator(char *first, const char *last) ++{ ++ for (; first <= last; first++) ++ if (spacetab(*first) || !*first) ++ return first; ++ return NULL; ++} ++ + static int load_script(struct linux_binprm *bprm) + { + const char *i_arg, *i_name; +- char *cp; ++ char *cp, *buf_end; + struct file *file; + int retval; + ++ /* Not ours to exec if we don't start with "#!". */ + if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!')) + return -ENOEXEC; + +@@ -33,18 +50,40 @@ static int load_script(struct linux_binprm *bprm) + if (bprm->interp_flags & BINPRM_FLAGS_PATH_INACCESSIBLE) + return -ENOENT; + +- /* +- * This section does the #! interpretation. +- * Sorta complicated, but hopefully it will work. -TYT +- */ +- ++ /* Release since we are not mapping a binary into memory. */ + allow_write_access(bprm->file); + fput(bprm->file); + bprm->file = NULL; + +- bprm->buf[BINPRM_BUF_SIZE - 1] = '\0'; +- if ((cp = strchr(bprm->buf, '\n')) == NULL) +- cp = bprm->buf+BINPRM_BUF_SIZE-1; ++ /* ++ * This section handles parsing the #! line into separate ++ * interpreter path and argument strings. We must be careful ++ * because bprm->buf is not yet guaranteed to be NUL-terminated ++ * (though the buffer will have trailing NUL padding when the ++ * file size was smaller than the buffer size). ++ * ++ * We do not want to exec a truncated interpreter path, so either ++ * we find a newline (which indicates nothing is truncated), or ++ * we find a space/tab/NUL after the interpreter path (which ++ * itself may be preceded by spaces/tabs). Truncating the ++ * arguments is fine: the interpreter can re-read the script to ++ * parse them on its own. ++ */ ++ buf_end = bprm->buf + sizeof(bprm->buf) - 1; ++ cp = strnchr(bprm->buf, sizeof(bprm->buf), '\n'); ++ if (!cp) { ++ cp = next_non_spacetab(bprm->buf + 2, buf_end); ++ if (!cp) ++ return -ENOEXEC; /* Entire buf is spaces/tabs */ ++ /* ++ * If there is no later space/tab/NUL we must assume the ++ * interpreter path is truncated. ++ */ ++ if (!next_terminator(cp, buf_end)) ++ return -ENOEXEC; ++ cp = buf_end; ++ } ++ /* NUL-terminate the buffer and any trailing spaces/tabs. */ + *cp = '\0'; + while (cp > bprm->buf) { + cp--; +-- +2.20.1 + diff --git a/queue-4.19/ext4-disallow-files-with-ext4_journal_data_fl-from-e.patch b/queue-4.19/ext4-disallow-files-with-ext4_journal_data_fl-from-e.patch new file mode 100644 index 00000000000..66613be9668 --- /dev/null +++ b/queue-4.19/ext4-disallow-files-with-ext4_journal_data_fl-from-e.patch @@ -0,0 +1,35 @@ +From c1da96c3f964522068d1eb2897c665ef6b0d7e34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Feb 2019 01:07:10 -0500 +Subject: ext4: disallow files with EXT4_JOURNAL_DATA_FL from + EXT4_IOC_SWAP_BOOT + +From: Theodore Ts'o + +[ Upstream commit 6e589291f4b1b700ca12baec5930592a0d51e63c ] + +A malicious/clueless root user can use EXT4_IOC_SWAP_BOOT to force a +corner casew which can lead to the file system getting corrupted. +There's no usefulness to allowing this, so just prohibit this case. + +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/ioctl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c +index abb6fcff0a1d3..783c54bb2ce75 100644 +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -132,6 +132,7 @@ static long swap_inode_boot_loader(struct super_block *sb, + + if (inode->i_nlink != 1 || !S_ISREG(inode->i_mode) || + IS_SWAPFILE(inode) || IS_ENCRYPTED(inode) || ++ (EXT4_I(inode)->i_flags & EXT4_JOURNAL_DATA_FL) || + ext4_has_inline_data(inode)) { + err = -EINVAL; + goto journal_err_out; +-- +2.20.1 + diff --git a/queue-4.19/f2fs-fix-to-recover-inode-i_flags-of-inode-block-dur.patch b/queue-4.19/f2fs-fix-to-recover-inode-i_flags-of-inode-block-dur.patch new file mode 100644 index 00000000000..f2240af7678 --- /dev/null +++ b/queue-4.19/f2fs-fix-to-recover-inode-i_flags-of-inode-block-dur.patch @@ -0,0 +1,51 @@ +From b0c9eba6e1c7a66e36563b3d15b1f600a19981b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Oct 2018 03:03:38 +0800 +Subject: f2fs: fix to recover inode->i_flags of inode block during POR + +From: Chao Yu + +[ Upstream commit 0c093b590efb5c1ccdc835868dc2ae94bd2e14dc ] + +Testcase to reproduce this bug: +1. mkfs.f2fs /dev/sdd +2. mount -t f2fs /dev/sdd /mnt/f2fs +3. touch /mnt/f2fs/file +4. sync +5. chattr +a /mnt/f2fs/file +6. xfs_io -a /mnt/f2fs/file -c "fsync" +7. godown /mnt/f2fs +8. umount /mnt/f2fs +9. mount -t f2fs /dev/sdd /mnt/f2fs +10. xfs_io /mnt/f2fs/file + +There is no error when opening this file w/o O_APPEND, but actually, +we expect the correct result should be: + +/mnt/f2fs/file: Operation not permitted + +The root cause is, in recover_inode(), we recover inode->i_flags more +than F2FS_I(inode)->i_flags, so fix it. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/recovery.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/f2fs/recovery.c b/fs/f2fs/recovery.c +index 281ba46b5b359..2c3be4c3c626f 100644 +--- a/fs/f2fs/recovery.c ++++ b/fs/f2fs/recovery.c +@@ -226,6 +226,7 @@ static void recover_inode(struct inode *inode, struct page *page) + + F2FS_I(inode)->i_advise = raw->i_advise; + F2FS_I(inode)->i_flags = le32_to_cpu(raw->i_flags); ++ f2fs_set_inode_flags(inode); + F2FS_I(inode)->i_gc_failures[GC_FAILURE_PIN] = + le16_to_cpu(raw->i_gc_failures); + +-- +2.20.1 + diff --git a/queue-4.19/f2fs-fix-to-recover-inode-s-i_gc_failures-during-por.patch b/queue-4.19/f2fs-fix-to-recover-inode-s-i_gc_failures-during-por.patch new file mode 100644 index 00000000000..6b088d5a1b2 --- /dev/null +++ b/queue-4.19/f2fs-fix-to-recover-inode-s-i_gc_failures-during-por.patch @@ -0,0 +1,36 @@ +From d7f56c9525895a4ff8ad9326df59d7405cd3d0a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Sep 2018 15:36:00 +0800 +Subject: f2fs: fix to recover inode's i_gc_failures during POR + +From: Chao Yu + +[ Upstream commit 7de36cf3e4087207f42a88992f8cb615a1bd902e ] + +inode.i_gc_failures is used to indicate that skip count of migrating +on blocks of inode, we should guarantee it can be recovered in sudden +power-off case. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/recovery.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/f2fs/recovery.c b/fs/f2fs/recovery.c +index 0b224f4a4a656..281ba46b5b359 100644 +--- a/fs/f2fs/recovery.c ++++ b/fs/f2fs/recovery.c +@@ -226,6 +226,8 @@ static void recover_inode(struct inode *inode, struct page *page) + + F2FS_I(inode)->i_advise = raw->i_advise; + F2FS_I(inode)->i_flags = le32_to_cpu(raw->i_flags); ++ F2FS_I(inode)->i_gc_failures[GC_FAILURE_PIN] = ++ le16_to_cpu(raw->i_gc_failures); + + recover_inline_flags(inode, raw); + +-- +2.20.1 + diff --git a/queue-4.19/f2fs-flush-quota-blocks-after-turnning-it-off.patch b/queue-4.19/f2fs-flush-quota-blocks-after-turnning-it-off.patch new file mode 100644 index 00000000000..d7fab1e004c --- /dev/null +++ b/queue-4.19/f2fs-flush-quota-blocks-after-turnning-it-off.patch @@ -0,0 +1,40 @@ +From 761c41c7bd9e32ac8d9439f082cbf3996dfee111 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Jan 2019 17:59:53 -0800 +Subject: f2fs: flush quota blocks after turnning it off + +From: Jaegeuk Kim + +[ Upstream commit 0e0667b625cf64243df83171bff61f9d350b9ca5 ] + +After quota_off, we'll get some dirty blocks. If put_super don't have a chance +to flush them by checkpoint, it causes NULL pointer exception in end_io after +iput(node_inode). (e.g., by checkpoint=disable) + +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/super.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 6851afc3bf805..d9106bbe7df63 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1886,6 +1886,12 @@ void f2fs_quota_off_umount(struct super_block *sb) + set_sbi_flag(F2FS_SB(sb), SBI_NEED_FSCK); + } + } ++ /* ++ * In case of checkpoint=disable, we must flush quota blocks. ++ * This can cause NULL exception for node_inode in end_io, since ++ * put_super already dropped it. ++ */ ++ sync_filesystem(sb); + } + + static void f2fs_truncate_quota_inode_pages(struct super_block *sb) +-- +2.20.1 + diff --git a/queue-4.19/fs-cifs-mute-wunused-const-variable-message.patch b/queue-4.19/fs-cifs-mute-wunused-const-variable-message.patch new file mode 100644 index 00000000000..c40e482a456 --- /dev/null +++ b/queue-4.19/fs-cifs-mute-wunused-const-variable-message.patch @@ -0,0 +1,43 @@ +From 48d2aac8f0a3a0a5c3c9e35b199d30a29b715c29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2019 16:34:13 +0900 +Subject: fs: cifs: mute -Wunused-const-variable message + +From: Austin Kim + +[ Upstream commit dd19c106a36690b47bb1acc68372f2b472b495b8 ] + +After 'Initial git repository build' commit, +'mapping_table_ERRHRD' variable has not been used. + +So 'mapping_table_ERRHRD' const variable could be removed +to mute below warning message: + + fs/cifs/netmisc.c:120:40: warning: unused variable 'mapping_table_ERRHRD' [-Wunused-const-variable] + static const struct smb_to_posix_error mapping_table_ERRHRD[] = { + ^ +Signed-off-by: Austin Kim +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/netmisc.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/fs/cifs/netmisc.c b/fs/cifs/netmisc.c +index fdd908e4a26b3..66c10121a6eae 100644 +--- a/fs/cifs/netmisc.c ++++ b/fs/cifs/netmisc.c +@@ -130,10 +130,6 @@ static const struct smb_to_posix_error mapping_table_ERRSRV[] = { + {0, 0} + }; + +-static const struct smb_to_posix_error mapping_table_ERRHRD[] = { +- {0, 0} +-}; +- + /* + * Convert a string containing text IPv4 or IPv6 address to binary form. + * +-- +2.20.1 + diff --git a/queue-4.19/fs-ocfs2-fix-a-possible-null-pointer-dereference-in-.patch b/queue-4.19/fs-ocfs2-fix-a-possible-null-pointer-dereference-in-.patch new file mode 100644 index 00000000000..fd720136faa --- /dev/null +++ b/queue-4.19/fs-ocfs2-fix-a-possible-null-pointer-dereference-in-.patch @@ -0,0 +1,60 @@ +From 1368418dc1b1e5e1d00b09aa294a8fda4c784018 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Oct 2019 17:57:54 -0700 +Subject: fs: ocfs2: fix a possible null-pointer dereference in + ocfs2_write_end_nolock() + +From: Jia-Ju Bai + +[ Upstream commit 583fee3e12df0e6f1f66f063b989d8e7fed0e65a ] + +In ocfs2_write_end_nolock(), there are an if statement on lines 1976, +2047 and 2058, to check whether handle is NULL: + + if (handle) + +When handle is NULL, it is used on line 2045: + + ocfs2_update_inode_fsync_trans(handle, inode, 1); + oi->i_sync_tid = handle->h_transaction->t_tid; + +Thus, a possible null-pointer dereference may occur. + +To fix this bug, handle is checked before calling +ocfs2_update_inode_fsync_trans(). + +This bug is found by a static analysis tool STCheck written by us. + +Link: http://lkml.kernel.org/r/20190726033705.32307-1-baijiaju1990@gmail.com +Signed-off-by: Jia-Ju Bai +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/aops.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c +index dc773e163132c..543efa3e5655f 100644 +--- a/fs/ocfs2/aops.c ++++ b/fs/ocfs2/aops.c +@@ -2056,7 +2056,8 @@ out_write_size: + inode->i_mtime = inode->i_ctime = current_time(inode); + di->i_mtime = di->i_ctime = cpu_to_le64(inode->i_mtime.tv_sec); + di->i_mtime_nsec = di->i_ctime_nsec = cpu_to_le32(inode->i_mtime.tv_nsec); +- ocfs2_update_inode_fsync_trans(handle, inode, 1); ++ if (handle) ++ ocfs2_update_inode_fsync_trans(handle, inode, 1); + } + if (handle) + ocfs2_journal_dirty(handle, wc->w_di_bh); +-- +2.20.1 + diff --git a/queue-4.19/fs-ocfs2-fix-a-possible-null-pointer-dereference-in-.patch-767 b/queue-4.19/fs-ocfs2-fix-a-possible-null-pointer-dereference-in-.patch-767 new file mode 100644 index 00000000000..b19f32227d2 --- /dev/null +++ b/queue-4.19/fs-ocfs2-fix-a-possible-null-pointer-dereference-in-.patch-767 @@ -0,0 +1,59 @@ +From 3e89f172550ce6876abde392e4ed2ac27d618f4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Oct 2019 17:57:57 -0700 +Subject: fs: ocfs2: fix a possible null-pointer dereference in + ocfs2_info_scan_inode_alloc() + +From: Jia-Ju Bai + +[ Upstream commit 2abb7d3b12d007c30193f48bebed781009bebdd2 ] + +In ocfs2_info_scan_inode_alloc(), there is an if statement on line 283 +to check whether inode_alloc is NULL: + + if (inode_alloc) + +When inode_alloc is NULL, it is used on line 287: + + ocfs2_inode_lock(inode_alloc, &bh, 0); + ocfs2_inode_lock_full_nested(inode, ...) + struct ocfs2_super *osb = OCFS2_SB(inode->i_sb); + +Thus, a possible null-pointer dereference may occur. + +To fix this bug, inode_alloc is checked on line 286. + +This bug is found by a static analysis tool STCheck written by us. + +Link: http://lkml.kernel.org/r/20190726033717.32359-1-baijiaju1990@gmail.com +Signed-off-by: Jia-Ju Bai +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ocfs2/ioctl.c b/fs/ocfs2/ioctl.c +index 994726ada857c..a6c328211dccd 100644 +--- a/fs/ocfs2/ioctl.c ++++ b/fs/ocfs2/ioctl.c +@@ -290,7 +290,7 @@ static int ocfs2_info_scan_inode_alloc(struct ocfs2_super *osb, + if (inode_alloc) + inode_lock(inode_alloc); + +- if (o2info_coherent(&fi->ifi_req)) { ++ if (inode_alloc && o2info_coherent(&fi->ifi_req)) { + status = ocfs2_inode_lock(inode_alloc, &bh, 0); + if (status < 0) { + mlog_errno(status); +-- +2.20.1 + diff --git a/queue-4.19/fs-ocfs2-fix-possible-null-pointer-dereferences-in-o.patch b/queue-4.19/fs-ocfs2-fix-possible-null-pointer-dereferences-in-o.patch new file mode 100644 index 00000000000..85fb6540ec6 --- /dev/null +++ b/queue-4.19/fs-ocfs2-fix-possible-null-pointer-dereferences-in-o.patch @@ -0,0 +1,131 @@ +From 00fdc3f9a786b702563fb3136701f99a80092dfd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Oct 2019 17:57:50 -0700 +Subject: fs: ocfs2: fix possible null-pointer dereferences in + ocfs2_xa_prepare_entry() + +From: Jia-Ju Bai + +[ Upstream commit 56e94ea132bb5c2c1d0b60a6aeb34dcb7d71a53d ] + +In ocfs2_xa_prepare_entry(), there is an if statement on line 2136 to +check whether loc->xl_entry is NULL: + + if (loc->xl_entry) + +When loc->xl_entry is NULL, it is used on line 2158: + + ocfs2_xa_add_entry(loc, name_hash); + loc->xl_entry->xe_name_hash = cpu_to_le32(name_hash); + loc->xl_entry->xe_name_offset = cpu_to_le16(loc->xl_size); + +and line 2164: + + ocfs2_xa_add_namevalue(loc, xi); + loc->xl_entry->xe_value_size = cpu_to_le64(xi->xi_value_len); + loc->xl_entry->xe_name_len = xi->xi_name_len; + +Thus, possible null-pointer dereferences may occur. + +To fix these bugs, if loc-xl_entry is NULL, ocfs2_xa_prepare_entry() +abnormally returns with -EINVAL. + +These bugs are found by a static analysis tool STCheck written by us. + +[akpm@linux-foundation.org: remove now-unused ocfs2_xa_add_entry()] +Link: http://lkml.kernel.org/r/20190726101447.9153-1-baijiaju1990@gmail.com +Signed-off-by: Jia-Ju Bai +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: Stephen Rothwell +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/xattr.c | 56 ++++++++++++++++++++---------------------------- + 1 file changed, 23 insertions(+), 33 deletions(-) + +diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c +index c146e12a8601f..0d80e0df6c241 100644 +--- a/fs/ocfs2/xattr.c ++++ b/fs/ocfs2/xattr.c +@@ -1498,18 +1498,6 @@ static int ocfs2_xa_check_space(struct ocfs2_xa_loc *loc, + return loc->xl_ops->xlo_check_space(loc, xi); + } + +-static void ocfs2_xa_add_entry(struct ocfs2_xa_loc *loc, u32 name_hash) +-{ +- loc->xl_ops->xlo_add_entry(loc, name_hash); +- loc->xl_entry->xe_name_hash = cpu_to_le32(name_hash); +- /* +- * We can't leave the new entry's xe_name_offset at zero or +- * add_namevalue() will go nuts. We set it to the size of our +- * storage so that it can never be less than any other entry. +- */ +- loc->xl_entry->xe_name_offset = cpu_to_le16(loc->xl_size); +-} +- + static void ocfs2_xa_add_namevalue(struct ocfs2_xa_loc *loc, + struct ocfs2_xattr_info *xi) + { +@@ -2141,29 +2129,31 @@ static int ocfs2_xa_prepare_entry(struct ocfs2_xa_loc *loc, + if (rc) + goto out; + +- if (loc->xl_entry) { +- if (ocfs2_xa_can_reuse_entry(loc, xi)) { +- orig_value_size = loc->xl_entry->xe_value_size; +- rc = ocfs2_xa_reuse_entry(loc, xi, ctxt); +- if (rc) +- goto out; +- goto alloc_value; +- } ++ if (!loc->xl_entry) { ++ rc = -EINVAL; ++ goto out; ++ } + +- if (!ocfs2_xattr_is_local(loc->xl_entry)) { +- orig_clusters = ocfs2_xa_value_clusters(loc); +- rc = ocfs2_xa_value_truncate(loc, 0, ctxt); +- if (rc) { +- mlog_errno(rc); +- ocfs2_xa_cleanup_value_truncate(loc, +- "overwriting", +- orig_clusters); +- goto out; +- } ++ if (ocfs2_xa_can_reuse_entry(loc, xi)) { ++ orig_value_size = loc->xl_entry->xe_value_size; ++ rc = ocfs2_xa_reuse_entry(loc, xi, ctxt); ++ if (rc) ++ goto out; ++ goto alloc_value; ++ } ++ ++ if (!ocfs2_xattr_is_local(loc->xl_entry)) { ++ orig_clusters = ocfs2_xa_value_clusters(loc); ++ rc = ocfs2_xa_value_truncate(loc, 0, ctxt); ++ if (rc) { ++ mlog_errno(rc); ++ ocfs2_xa_cleanup_value_truncate(loc, ++ "overwriting", ++ orig_clusters); ++ goto out; + } +- ocfs2_xa_wipe_namevalue(loc); +- } else +- ocfs2_xa_add_entry(loc, name_hash); ++ } ++ ocfs2_xa_wipe_namevalue(loc); + + /* + * If we get here, we have a blank entry. Fill it. We grow our +-- +2.20.1 + diff --git a/queue-4.19/gpio-max77620-use-correct-unit-for-debounce-times.patch b/queue-4.19/gpio-max77620-use-correct-unit-for-debounce-times.patch new file mode 100644 index 00000000000..db7f54561b7 --- /dev/null +++ b/queue-4.19/gpio-max77620-use-correct-unit-for-debounce-times.patch @@ -0,0 +1,45 @@ +From 6a7d3129b60bcc90f8a1dddd0f51503d644cb9f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2019 14:28:23 +0200 +Subject: gpio: max77620: Use correct unit for debounce times + +From: Thierry Reding + +[ Upstream commit fffa6af94894126994a7600c6f6f09b892e89fa9 ] + +The gpiod_set_debounce() function takes the debounce time in +microseconds. Adjust the switch/case values in the MAX77620 GPIO to use +the correct unit. + +Signed-off-by: Thierry Reding +Link: https://lore.kernel.org/r/20191002122825.3948322-1-thierry.reding@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-max77620.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpio/gpio-max77620.c b/drivers/gpio/gpio-max77620.c +index 538bce4b5b427..ac6c1c0548b69 100644 +--- a/drivers/gpio/gpio-max77620.c ++++ b/drivers/gpio/gpio-max77620.c +@@ -163,13 +163,13 @@ static int max77620_gpio_set_debounce(struct max77620_gpio *mgpio, + case 0: + val = MAX77620_CNFG_GPIO_DBNC_None; + break; +- case 1 ... 8: ++ case 1000 ... 8000: + val = MAX77620_CNFG_GPIO_DBNC_8ms; + break; +- case 9 ... 16: ++ case 9000 ... 16000: + val = MAX77620_CNFG_GPIO_DBNC_16ms; + break; +- case 17 ... 32: ++ case 17000 ... 32000: + val = MAX77620_CNFG_GPIO_DBNC_32ms; + break; + default: +-- +2.20.1 + diff --git a/queue-4.19/hid-add-asus-t100chi-keyboard-dock-battery-quirks.patch b/queue-4.19/hid-add-asus-t100chi-keyboard-dock-battery-quirks.patch new file mode 100644 index 00000000000..62a6d21b0b5 --- /dev/null +++ b/queue-4.19/hid-add-asus-t100chi-keyboard-dock-battery-quirks.patch @@ -0,0 +1,36 @@ +From a147e2ec2b5955e429eca563183cd4fd57bc24e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Jan 2019 13:31:05 +0900 +Subject: HID: Add ASUS T100CHI keyboard dock battery quirks + +From: NOGUCHI Hiroshi + +[ Upstream commit a767ffea05d2737f6542cd78458a84a157fa216d ] + +Add ASUS Transbook T100CHI/T90CHI keyboard dock into battery quirk list, in +order to add specific implementation in hid-asus. + +Signed-off-by: NOGUCHI Hiroshi +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-input.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index d988b92b20c82..01bed2f6862ee 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -328,6 +328,9 @@ static const struct hid_device_id hid_battery_quirks[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_SYMBOL, + USB_DEVICE_ID_SYMBOL_SCANNER_3), + HID_BATTERY_QUIRK_IGNORE }, ++ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ASUSTEK, ++ USB_DEVICE_ID_ASUSTEK_T100CHI_KEYBOARD), ++ HID_BATTERY_QUIRK_IGNORE }, + {} + }; + +-- +2.20.1 + diff --git a/queue-4.19/hid-hyperv-use-in-place-iterator-api-in-the-channel-.patch b/queue-4.19/hid-hyperv-use-in-place-iterator-api-in-the-channel-.patch new file mode 100644 index 00000000000..4443d5d6d58 --- /dev/null +++ b/queue-4.19/hid-hyperv-use-in-place-iterator-api-in-the-channel-.patch @@ -0,0 +1,99 @@ +From 67b6666e327f1316a00fa06ad7f7fcca27074dae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2019 02:56:34 +0000 +Subject: HID: hyperv: Use in-place iterator API in the channel callback + +From: Dexuan Cui + +[ Upstream commit 6a297c90efa68b2864483193b8bfb0d19478600c ] + +Simplify the ring buffer handling with the in-place API. + +Also avoid the dynamic allocation and the memory leak in the channel +callback function. + +Signed-off-by: Dexuan Cui +Acked-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-hyperv.c | 56 +++++++--------------------------------- + 1 file changed, 10 insertions(+), 46 deletions(-) + +diff --git a/drivers/hid/hid-hyperv.c b/drivers/hid/hid-hyperv.c +index 704049e62d58a..4d1496f60071f 100644 +--- a/drivers/hid/hid-hyperv.c ++++ b/drivers/hid/hid-hyperv.c +@@ -322,60 +322,24 @@ static void mousevsc_on_receive(struct hv_device *device, + + static void mousevsc_on_channel_callback(void *context) + { +- const int packet_size = 0x100; +- int ret; + struct hv_device *device = context; +- u32 bytes_recvd; +- u64 req_id; + struct vmpacket_descriptor *desc; +- unsigned char *buffer; +- int bufferlen = packet_size; +- +- buffer = kmalloc(bufferlen, GFP_ATOMIC); +- if (!buffer) +- return; +- +- do { +- ret = vmbus_recvpacket_raw(device->channel, buffer, +- bufferlen, &bytes_recvd, &req_id); +- +- switch (ret) { +- case 0: +- if (bytes_recvd <= 0) { +- kfree(buffer); +- return; +- } +- desc = (struct vmpacket_descriptor *)buffer; +- +- switch (desc->type) { +- case VM_PKT_COMP: +- break; +- +- case VM_PKT_DATA_INBAND: +- mousevsc_on_receive(device, desc); +- break; +- +- default: +- pr_err("unhandled packet type %d, tid %llx len %d\n", +- desc->type, req_id, bytes_recvd); +- break; +- } + ++ foreach_vmbus_pkt(desc, device->channel) { ++ switch (desc->type) { ++ case VM_PKT_COMP: + break; + +- case -ENOBUFS: +- kfree(buffer); +- /* Handle large packet */ +- bufferlen = bytes_recvd; +- buffer = kmalloc(bytes_recvd, GFP_ATOMIC); +- +- if (!buffer) +- return; ++ case VM_PKT_DATA_INBAND: ++ mousevsc_on_receive(device, desc); ++ break; + ++ default: ++ pr_err("Unhandled packet type %d, tid %llx len %d\n", ++ desc->type, desc->trans_id, desc->len8 * 8); + break; + } +- } while (1); +- ++ } + } + + static int mousevsc_connect_to_vsp(struct hv_device *device) +-- +2.20.1 + diff --git a/queue-4.19/hid-i2c-hid-add-direkt-tek-dtlapy133-1-to-descriptor.patch b/queue-4.19/hid-i2c-hid-add-direkt-tek-dtlapy133-1-to-descriptor.patch new file mode 100644 index 00000000000..a0ad09a20a5 --- /dev/null +++ b/queue-4.19/hid-i2c-hid-add-direkt-tek-dtlapy133-1-to-descriptor.patch @@ -0,0 +1,42 @@ +From dda7c4191c742548e259e5518baa7f7b9ac5a18e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Oct 2018 22:40:26 +0200 +Subject: HID: i2c-hid: add Direkt-Tek DTLAPY133-1 to descriptor override + +From: Julian Sax + +[ Upstream commit 399474e4c1100bca264ed14fa3ad0d68fab484d8 ] + +This device uses the SIPODEV SP1064 touchpad, which does not +supply descriptors, so it has to be added to the override list. + +Reported-by: Tim Aldridge +Signed-off-by: Julian Sax +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c +index cac262a912c12..89f2976f9c534 100644 +--- a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c ++++ b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c +@@ -330,6 +330,14 @@ static const struct dmi_system_id i2c_hid_dmi_desc_override_table[] = { + }, + .driver_data = (void *)&sipodev_desc + }, ++ { ++ .ident = "Direkt-Tek DTLAPY133-1", ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Direkt-Tek"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "DTLAPY133-1"), ++ }, ++ .driver_data = (void *)&sipodev_desc ++ }, + { + .ident = "Mediacom Flexbook Edge 11", + .matches = { +-- +2.20.1 + diff --git a/queue-4.19/hid-i2c-hid-add-odys-winbook-13-to-descriptor-overri.patch b/queue-4.19/hid-i2c-hid-add-odys-winbook-13-to-descriptor-overri.patch new file mode 100644 index 00000000000..09f283d560f --- /dev/null +++ b/queue-4.19/hid-i2c-hid-add-odys-winbook-13-to-descriptor-overri.patch @@ -0,0 +1,44 @@ +From ead7b3cd78e5fea12524e5cc73ea96e8f2998469 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Dec 2018 15:31:56 +0100 +Subject: HID: i2c-hid: Add Odys Winbook 13 to descriptor override + +From: Hans de Goede + +[ Upstream commit f8f807441eefddc3c6d8a378421f0ede6361d565 ] + +The Odys Winbook 13 uses a SIPODEV SP1064 touchpad, which does not +supply descriptors, add this to the DMI descriptor override list, fixing +the touchpad not working. + +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1526312 +Reported-by: Rene Wagner +Signed-off-by: Hans de Goede +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c +index 89f2976f9c534..fd1b6eea6d2fd 100644 +--- a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c ++++ b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c +@@ -346,6 +346,14 @@ static const struct dmi_system_id i2c_hid_dmi_desc_override_table[] = { + }, + .driver_data = (void *)&sipodev_desc + }, ++ { ++ .ident = "Odys Winbook 13", ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AXDIA International GmbH"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "WINBOOK 13"), ++ }, ++ .driver_data = (void *)&sipodev_desc ++ }, + { } /* Terminate list */ + }; + +-- +2.20.1 + diff --git a/queue-4.19/hid-i2c-hid-disable-runtime-pm-for-lg-touchscreen.patch b/queue-4.19/hid-i2c-hid-disable-runtime-pm-for-lg-touchscreen.patch new file mode 100644 index 00000000000..ce4ca1b93ee --- /dev/null +++ b/queue-4.19/hid-i2c-hid-disable-runtime-pm-for-lg-touchscreen.patch @@ -0,0 +1,61 @@ +From 95219e71a65fb63f59045204fd9027b9e0acd36e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Nov 2018 07:24:57 +0000 +Subject: HID: i2c-hid: Disable runtime PM for LG touchscreen + +From: Kai-Heng Feng + +[ Upstream commit 86c31524b27c7e686841dd4a79eda95cfd989f16 ] + +LG touchscreen (1fd2:8001) stops working after reboot: +[ 4.859153] i2c_hid i2c-SAPS2101:00: i2c_hid_get_input: incomplete report (64/66) +[ 4.936070] i2c_hid i2c-SAPS2101:00: i2c_hid_get_input: incomplete report (64/66) +[ 9.948224] i2c_hid i2c-SAPS2101:00: failed to reset device. + +The device in question stops working after receives SLEEP, ON, SLEEP +commands in a short period. The scenario is like this: +- Once the desktop session closes, it also closed the hid device, so the +device gets runtime suspended and receives a SLEEP command. +- Before calling shutdown callback, it gets runtime resumed and received +an ON command. +- In the shutdown callback, it receives another SLEEP command. + +I failed to find a reliable interval between ON/SLEEP commands that can +make it work, so let's simply disable runtime PM for the device. + +Signed-off-by: Kai-Heng Feng +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/i2c-hid/i2c-hid-core.c | 2 ++ + 2 files changed, 3 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 0eeb273fb73d2..6b33117ca60e5 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -713,6 +713,7 @@ + #define USB_VENDOR_ID_LG 0x1fd2 + #define USB_DEVICE_ID_LG_MULTITOUCH 0x0064 + #define USB_DEVICE_ID_LG_MELFAS_MT 0x6007 ++#define I2C_DEVICE_ID_LG_8001 0x8001 + + #define USB_VENDOR_ID_LOGITECH 0x046d + #define USB_DEVICE_ID_LOGITECH_AUDIOHUB 0x0a0e +diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c +index 3cde7c1b9c33c..8555ce7e737b3 100644 +--- a/drivers/hid/i2c-hid/i2c-hid-core.c ++++ b/drivers/hid/i2c-hid/i2c-hid-core.c +@@ -177,6 +177,8 @@ static const struct i2c_hid_quirks { + I2C_HID_QUIRK_NO_RUNTIME_PM }, + { I2C_VENDOR_ID_RAYDIUM, I2C_PRODUCT_ID_RAYDIUM_4B33, + I2C_HID_QUIRK_DELAY_AFTER_SLEEP }, ++ { USB_VENDOR_ID_LG, I2C_DEVICE_ID_LG_8001, ++ I2C_HID_QUIRK_NO_RUNTIME_PM }, + { 0, 0 } + }; + +-- +2.20.1 + diff --git a/queue-4.19/hid-i2c-hid-ignore-input-report-if-there-s-no-data-p.patch b/queue-4.19/hid-i2c-hid-ignore-input-report-if-there-s-no-data-p.patch new file mode 100644 index 00000000000..1356d51ae28 --- /dev/null +++ b/queue-4.19/hid-i2c-hid-ignore-input-report-if-there-s-no-data-p.patch @@ -0,0 +1,64 @@ +From 31d557d9554138ea370871adb6b6e483d1f04cc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jan 2019 15:24:29 +0800 +Subject: HID: i2c-hid: Ignore input report if there's no data present on Elan + touchpanels + +From: Kai-Heng Feng + +[ Upstream commit 1475af255e18f35dc46f8a7acc18354c73d45149 ] + +While using Elan touchpads, the message floods: +[ 136.138487] i2c_hid i2c-DELL08D6:00: i2c_hid_get_input: incomplete report (14/65535) + +Though the message flood is annoying, the device it self works without +any issue. I suspect that the device in question takes too much time to +pull the IRQ back to high after I2C host has done reading its data. + +Since the host receives all useful data, let's ignore the input report +when there's no data. + +Signed-off-by: Kai-Heng Feng +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/i2c-hid/i2c-hid-core.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c +index 8555ce7e737b3..2f940c1de6169 100644 +--- a/drivers/hid/i2c-hid/i2c-hid-core.c ++++ b/drivers/hid/i2c-hid/i2c-hid-core.c +@@ -50,6 +50,7 @@ + #define I2C_HID_QUIRK_NO_IRQ_AFTER_RESET BIT(1) + #define I2C_HID_QUIRK_NO_RUNTIME_PM BIT(2) + #define I2C_HID_QUIRK_DELAY_AFTER_SLEEP BIT(3) ++#define I2C_HID_QUIRK_BOGUS_IRQ BIT(4) + + /* flags */ + #define I2C_HID_STARTED 0 +@@ -179,6 +180,8 @@ static const struct i2c_hid_quirks { + I2C_HID_QUIRK_DELAY_AFTER_SLEEP }, + { USB_VENDOR_ID_LG, I2C_DEVICE_ID_LG_8001, + I2C_HID_QUIRK_NO_RUNTIME_PM }, ++ { USB_VENDOR_ID_ELAN, HID_ANY_ID, ++ I2C_HID_QUIRK_BOGUS_IRQ }, + { 0, 0 } + }; + +@@ -503,6 +506,12 @@ static void i2c_hid_get_input(struct i2c_hid *ihid) + return; + } + ++ if (ihid->quirks & I2C_HID_QUIRK_BOGUS_IRQ && ret_size == 0xffff) { ++ dev_warn_once(&ihid->client->dev, "%s: IRQ triggered but " ++ "there's no data\n", __func__); ++ return; ++ } ++ + if ((ret_size > size) || (ret_size < 2)) { + dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n", + __func__, size, ret_size); +-- +2.20.1 + diff --git a/queue-4.19/hid-steam-fix-boot-loop-with-bluetooth-firmware.patch b/queue-4.19/hid-steam-fix-boot-loop-with-bluetooth-firmware.patch new file mode 100644 index 00000000000..70d89f01319 --- /dev/null +++ b/queue-4.19/hid-steam-fix-boot-loop-with-bluetooth-firmware.patch @@ -0,0 +1,123 @@ +From acfec4d61430f25ee367492cacf1f2a594d54929 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Feb 2019 22:27:54 +0100 +Subject: HID: steam: fix boot loop with bluetooth firmware + +From: Rodrigo Rivas Costa + +[ Upstream commit cf28aee292e102740e49f74385b4b89c00050763 ] + +There is a new firmware for the Steam Controller with support for BLE +connections. When using such a device with a wired connection, it +reboots itself every 10 seconds unless an application has opened it. + +Doing hid_hw_open() unconditionally on probe fixes the issue, and the +code becomes simpler. + +Signed-off-by: Rodrigo Rivas Costa +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-steam.c | 34 +++++++++++----------------------- + 1 file changed, 11 insertions(+), 23 deletions(-) + +diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c +index dc4128bfe2ca9..8141cadfca0e3 100644 +--- a/drivers/hid/hid-steam.c ++++ b/drivers/hid/hid-steam.c +@@ -283,11 +283,6 @@ static void steam_set_lizard_mode(struct steam_device *steam, bool enable) + static int steam_input_open(struct input_dev *dev) + { + struct steam_device *steam = input_get_drvdata(dev); +- int ret; +- +- ret = hid_hw_open(steam->hdev); +- if (ret) +- return ret; + + mutex_lock(&steam->mutex); + if (!steam->client_opened && lizard_mode) +@@ -304,8 +299,6 @@ static void steam_input_close(struct input_dev *dev) + if (!steam->client_opened && lizard_mode) + steam_set_lizard_mode(steam, true); + mutex_unlock(&steam->mutex); +- +- hid_hw_close(steam->hdev); + } + + static enum power_supply_property steam_battery_props[] = { +@@ -623,11 +616,6 @@ static void steam_client_ll_stop(struct hid_device *hdev) + static int steam_client_ll_open(struct hid_device *hdev) + { + struct steam_device *steam = hdev->driver_data; +- int ret; +- +- ret = hid_hw_open(steam->hdev); +- if (ret) +- return ret; + + mutex_lock(&steam->mutex); + steam->client_opened = true; +@@ -635,7 +623,7 @@ static int steam_client_ll_open(struct hid_device *hdev) + + steam_input_unregister(steam); + +- return ret; ++ return 0; + } + + static void steam_client_ll_close(struct hid_device *hdev) +@@ -646,7 +634,6 @@ static void steam_client_ll_close(struct hid_device *hdev) + steam->client_opened = false; + mutex_unlock(&steam->mutex); + +- hid_hw_close(steam->hdev); + if (steam->connected) { + steam_set_lizard_mode(steam, lizard_mode); + steam_input_register(steam); +@@ -759,14 +746,15 @@ static int steam_probe(struct hid_device *hdev, + if (ret) + goto client_hdev_add_fail; + ++ ret = hid_hw_open(hdev); ++ if (ret) { ++ hid_err(hdev, ++ "%s:hid_hw_open\n", ++ __func__); ++ goto hid_hw_open_fail; ++ } ++ + if (steam->quirks & STEAM_QUIRK_WIRELESS) { +- ret = hid_hw_open(hdev); +- if (ret) { +- hid_err(hdev, +- "%s:hid_hw_open for wireless\n", +- __func__); +- goto hid_hw_open_fail; +- } + hid_info(hdev, "Steam wireless receiver connected"); + steam_request_conn_status(steam); + } else { +@@ -781,8 +769,8 @@ static int steam_probe(struct hid_device *hdev, + + return 0; + +-hid_hw_open_fail: + input_register_fail: ++hid_hw_open_fail: + client_hdev_add_fail: + hid_hw_stop(hdev); + hid_hw_start_fail: +@@ -809,8 +797,8 @@ static void steam_remove(struct hid_device *hdev) + cancel_work_sync(&steam->work_connect); + if (steam->quirks & STEAM_QUIRK_WIRELESS) { + hid_info(hdev, "Steam wireless receiver disconnected"); +- hid_hw_close(hdev); + } ++ hid_hw_close(hdev); + hid_hw_stop(hdev); + steam_unregister(steam); + } +-- +2.20.1 + diff --git a/queue-4.19/hid-steam-fix-deadlock-with-input-devices.patch b/queue-4.19/hid-steam-fix-deadlock-with-input-devices.patch new file mode 100644 index 00000000000..6e30def4e96 --- /dev/null +++ b/queue-4.19/hid-steam-fix-deadlock-with-input-devices.patch @@ -0,0 +1,104 @@ +From 6a4477bbd6e03199d8dd9630b03ff26417d83c13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2019 20:09:10 +0100 +Subject: HID: steam: fix deadlock with input devices. + +From: Rodrigo Rivas Costa + +[ Upstream commit 6b538cc21334b83f09b25dec4aa2d2726bf07ed0 ] + +When using this driver with the wireless dongle and some usermode +program that monitors every input device (acpid, for example), while +another usermode client opens and closes the low-level device +repeadedly, the system eventually deadlocks. + +The reason is that steam_input_register_device() must not be called with +the mutex held, because the input subsystem has its own synchronization +that clashes with this one: it is possible that steam_input_open() is +called before input_register_device() returns, and since +steam_input_open() needs to lock the mutex, it deadlocks. + +However we must hold the mutex when calling any function that sends +commands to the controller. If not, random commands end up falling fail. + +Reported-by: Simon Gene Gottlieb +Signed-off-by: Rodrigo Rivas Costa +Tested-by: Simon Gene Gottlieb +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-steam.c | 26 +++++++++++++++++++------- + 1 file changed, 19 insertions(+), 7 deletions(-) + +diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c +index 8141cadfca0e3..8dae0f9b819e0 100644 +--- a/drivers/hid/hid-steam.c ++++ b/drivers/hid/hid-steam.c +@@ -499,6 +499,7 @@ static void steam_battery_unregister(struct steam_device *steam) + static int steam_register(struct steam_device *steam) + { + int ret; ++ bool client_opened; + + /* + * This function can be called several times in a row with the +@@ -511,9 +512,11 @@ static int steam_register(struct steam_device *steam) + * Unlikely, but getting the serial could fail, and it is not so + * important, so make up a serial number and go on. + */ ++ mutex_lock(&steam->mutex); + if (steam_get_serial(steam) < 0) + strlcpy(steam->serial_no, "XXXXXXXXXX", + sizeof(steam->serial_no)); ++ mutex_unlock(&steam->mutex); + + hid_info(steam->hdev, "Steam Controller '%s' connected", + steam->serial_no); +@@ -528,13 +531,15 @@ static int steam_register(struct steam_device *steam) + } + + mutex_lock(&steam->mutex); +- if (!steam->client_opened) { ++ client_opened = steam->client_opened; ++ if (!client_opened) + steam_set_lizard_mode(steam, lizard_mode); ++ mutex_unlock(&steam->mutex); ++ ++ if (!client_opened) + ret = steam_input_register(steam); +- } else { ++ else + ret = 0; +- } +- mutex_unlock(&steam->mutex); + + return ret; + } +@@ -630,14 +635,21 @@ static void steam_client_ll_close(struct hid_device *hdev) + { + struct steam_device *steam = hdev->driver_data; + ++ unsigned long flags; ++ bool connected; ++ ++ spin_lock_irqsave(&steam->lock, flags); ++ connected = steam->connected; ++ spin_unlock_irqrestore(&steam->lock, flags); ++ + mutex_lock(&steam->mutex); + steam->client_opened = false; ++ if (connected) ++ steam_set_lizard_mode(steam, lizard_mode); + mutex_unlock(&steam->mutex); + +- if (steam->connected) { +- steam_set_lizard_mode(steam, lizard_mode); ++ if (connected) + steam_input_register(steam); +- } + } + + static int steam_client_ll_raw_request(struct hid_device *hdev, +-- +2.20.1 + diff --git a/queue-4.19/iio-adc-meson_saradc-fix-memory-allocation-order.patch b/queue-4.19/iio-adc-meson_saradc-fix-memory-allocation-order.patch new file mode 100644 index 00000000000..67ea1be26cd --- /dev/null +++ b/queue-4.19/iio-adc-meson_saradc-fix-memory-allocation-order.patch @@ -0,0 +1,60 @@ +From 307d56603c5d54a1df656815cae30d1fd29e05dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Sep 2019 12:54:10 +0200 +Subject: iio: adc: meson_saradc: Fix memory allocation order + +From: Remi Pommarel + +[ Upstream commit de10ac47597e7a3596b27631d0d5ce5f48d2c099 ] + +meson_saradc's irq handler uses priv->regmap so make sure that it is +allocated before the irq get enabled. + +This also fixes crash when CONFIG_DEBUG_SHIRQ is enabled, as device +managed resources are freed in the inverted order they had been +allocated, priv->regmap was freed before the spurious fake irq that +CONFIG_DEBUG_SHIRQ adds called the handler. + +Fixes: 3af109131b7eb8 ("iio: adc: meson-saradc: switch from polling to interrupt mode") +Reported-by: Elie Roudninski +Signed-off-by: Remi Pommarel +Reviewed-by: Martin Blumenstingl +Tested-by: Elie ROUDNINSKI +Reviewed-by: Kevin Hilman +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/meson_saradc.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/iio/adc/meson_saradc.c b/drivers/iio/adc/meson_saradc.c +index 5dd104cf0939b..6e0ef9bb2497f 100644 +--- a/drivers/iio/adc/meson_saradc.c ++++ b/drivers/iio/adc/meson_saradc.c +@@ -1023,6 +1023,11 @@ static int meson_sar_adc_probe(struct platform_device *pdev) + if (IS_ERR(base)) + return PTR_ERR(base); + ++ priv->regmap = devm_regmap_init_mmio(&pdev->dev, base, ++ priv->data->param->regmap_config); ++ if (IS_ERR(priv->regmap)) ++ return PTR_ERR(priv->regmap); ++ + irq = irq_of_parse_and_map(pdev->dev.of_node, 0); + if (!irq) + return -EINVAL; +@@ -1032,11 +1037,6 @@ static int meson_sar_adc_probe(struct platform_device *pdev) + if (ret) + return ret; + +- priv->regmap = devm_regmap_init_mmio(&pdev->dev, base, +- priv->data->param->regmap_config); +- if (IS_ERR(priv->regmap)) +- return PTR_ERR(priv->regmap); +- + priv->clkin = devm_clk_get(&pdev->dev, "clkin"); + if (IS_ERR(priv->clkin)) { + dev_err(&pdev->dev, "failed to get clkin\n"); +-- +2.20.1 + diff --git a/queue-4.19/iio-fix-center-temperature-of-bmc150-accel-core.patch b/queue-4.19/iio-fix-center-temperature-of-bmc150-accel-core.patch new file mode 100644 index 00000000000..a8adb3dfae4 --- /dev/null +++ b/queue-4.19/iio-fix-center-temperature-of-bmc150-accel-core.patch @@ -0,0 +1,39 @@ +From 31d8452235c79c0b50e56cd390e0e5b4fcd33043 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2019 07:29:41 +0200 +Subject: iio: fix center temperature of bmc150-accel-core + +From: Pascal Bouwmann + +[ Upstream commit 6c59a962e081df6d8fe43325bbfabec57e0d4751 ] + +The center temperature of the supported devices stored in the constant +BMC150_ACCEL_TEMP_CENTER_VAL is not 24 degrees but 23 degrees. + +It seems that some datasheets were inconsistent on this value leading +to the error. For most usecases will only make minor difference so +not queued for stable. + +Signed-off-by: Pascal Bouwmann +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/bmc150-accel-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/accel/bmc150-accel-core.c b/drivers/iio/accel/bmc150-accel-core.c +index 383c802eb5b86..cb8c98a440109 100644 +--- a/drivers/iio/accel/bmc150-accel-core.c ++++ b/drivers/iio/accel/bmc150-accel-core.c +@@ -125,7 +125,7 @@ + #define BMC150_ACCEL_SLEEP_1_SEC 0x0F + + #define BMC150_ACCEL_REG_TEMP 0x08 +-#define BMC150_ACCEL_TEMP_CENTER_VAL 24 ++#define BMC150_ACCEL_TEMP_CENTER_VAL 23 + + #define BMC150_ACCEL_AXIS_TO_REG(axis) (BMC150_ACCEL_REG_XOUT_L + (axis * 2)) + #define BMC150_AUTO_SUSPEND_DELAY_MS 2000 +-- +2.20.1 + diff --git a/queue-4.19/iio-imu-adis16400-release-allocated-memory-on-failur.patch b/queue-4.19/iio-imu-adis16400-release-allocated-memory-on-failur.patch new file mode 100644 index 00000000000..5edda15b057 --- /dev/null +++ b/queue-4.19/iio-imu-adis16400-release-allocated-memory-on-failur.patch @@ -0,0 +1,40 @@ +From f094faf80dc66d86b4d5b390a33828a3bbbfb8c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Sep 2019 10:50:02 -0500 +Subject: iio: imu: adis16400: release allocated memory on failure + +From: Navid Emamdoost + +[ Upstream commit ab612b1daf415b62c58e130cb3d0f30b255a14d0 ] + +In adis_update_scan_mode, if allocation for adis->buffer fails, +previously allocated adis->xfer needs to be released. + +Signed-off-by: Navid Emamdoost +Reviewed-by: Alexandru Ardelean +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/imu/adis_buffer.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/imu/adis_buffer.c b/drivers/iio/imu/adis_buffer.c +index 76643c5571aa8..e59d0438de732 100644 +--- a/drivers/iio/imu/adis_buffer.c ++++ b/drivers/iio/imu/adis_buffer.c +@@ -39,8 +39,11 @@ int adis_update_scan_mode(struct iio_dev *indio_dev, + return -ENOMEM; + + adis->buffer = kcalloc(indio_dev->scan_bytes, 2, GFP_KERNEL); +- if (!adis->buffer) ++ if (!adis->buffer) { ++ kfree(adis->xfer); ++ adis->xfer = NULL; + return -ENOMEM; ++ } + + rx = adis->buffer; + tx = rx + scan_count; +-- +2.20.1 + diff --git a/queue-4.19/libsubcmd-make-_fortify_source-defines-dependent-on-.patch b/queue-4.19/libsubcmd-make-_fortify_source-defines-dependent-on-.patch new file mode 100644 index 00000000000..fdc5eeaac03 --- /dev/null +++ b/queue-4.19/libsubcmd-make-_fortify_source-defines-dependent-on-.patch @@ -0,0 +1,52 @@ +From 068d4b1c6fa1f0219c0a966dc9707bfe116db574 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Sep 2019 12:59:23 -0700 +Subject: libsubcmd: Make _FORTIFY_SOURCE defines dependent on the feature + +From: Ian Rogers + +[ Upstream commit 4b0b2b096da9d296e0e5668cdfba8613bd6f5bc8 ] + +Unconditionally defining _FORTIFY_SOURCE can break tools that don't work +with it, such as memory sanitizers: + + https://github.com/google/sanitizers/wiki/AddressSanitizer#faq + +Fixes: 4b6ab94eabe4 ("perf subcmd: Create subcmd library") +Signed-off-by: Ian Rogers +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: Josh Poimboeuf +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Link: http://lore.kernel.org/lkml/20190925195924.152834-1-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/subcmd/Makefile | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/tools/lib/subcmd/Makefile b/tools/lib/subcmd/Makefile +index ed61fb3a46c08..5b2cd5e58df09 100644 +--- a/tools/lib/subcmd/Makefile ++++ b/tools/lib/subcmd/Makefile +@@ -20,7 +20,13 @@ MAKEFLAGS += --no-print-directory + LIBFILE = $(OUTPUT)libsubcmd.a + + CFLAGS := $(EXTRA_WARNINGS) $(EXTRA_CFLAGS) +-CFLAGS += -ggdb3 -Wall -Wextra -std=gnu99 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fPIC ++CFLAGS += -ggdb3 -Wall -Wextra -std=gnu99 -fPIC ++ ++ifeq ($(DEBUG),0) ++ ifeq ($(feature-fortify-source), 1) ++ CFLAGS += -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 ++ endif ++endif + + ifeq ($(CC_NO_CLANG), 0) + CFLAGS += -O3 +-- +2.20.1 + diff --git a/queue-4.19/media-vimc-remove-unused-but-set-variables.patch b/queue-4.19/media-vimc-remove-unused-but-set-variables.patch new file mode 100644 index 00000000000..31af1e03ef1 --- /dev/null +++ b/queue-4.19/media-vimc-remove-unused-but-set-variables.patch @@ -0,0 +1,44 @@ +From 774ab927edf05560f251e1f6ff1e531ff41be3d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Feb 2019 18:59:41 -0500 +Subject: media: vimc: Remove unused but set variables +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lucas A. M. Magalhães + +[ Upstream commit 5515e414f42bf2769caae15b634004d456658284 ] + +Remove unused but set variables to clean up the code and avoid +warning. + +Signed-off-by: Lucas A. M. Magalhães +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/vimc/vimc-sensor.c | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/drivers/media/platform/vimc/vimc-sensor.c b/drivers/media/platform/vimc/vimc-sensor.c +index 9e0d70e9f119c..3f0ffd4915cd2 100644 +--- a/drivers/media/platform/vimc/vimc-sensor.c ++++ b/drivers/media/platform/vimc/vimc-sensor.c +@@ -204,13 +204,6 @@ static void *vimc_sen_process_frame(struct vimc_ent_device *ved, + { + struct vimc_sen_device *vsen = container_of(ved, struct vimc_sen_device, + ved); +- const struct vimc_pix_map *vpix; +- unsigned int frame_size; +- +- /* Calculate the frame size */ +- vpix = vimc_pix_map_by_code(vsen->mbus_format.code); +- frame_size = vsen->mbus_format.width * vpix->bpp * +- vsen->mbus_format.height; + + tpg_fill_plane_buffer(&vsen->tpg, 0, 0, vsen->frame); + return vsen->frame; +-- +2.20.1 + diff --git a/queue-4.19/mips-fw-sni-fix-out-of-bounds-init-of-o32-stack.patch b/queue-4.19/mips-fw-sni-fix-out-of-bounds-init-of-o32-stack.patch new file mode 100644 index 00000000000..3ebcc80bebd --- /dev/null +++ b/queue-4.19/mips-fw-sni-fix-out-of-bounds-init-of-o32-stack.patch @@ -0,0 +1,38 @@ +From 77c8028778deeec6cdad509203db864a1b2bd71a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2019 17:10:56 +0200 +Subject: MIPS: fw: sni: Fix out of bounds init of o32 stack + +From: Thomas Bogendoerfer + +[ Upstream commit efcb529694c3b707dc0471b312944337ba16e4dd ] + +Use ARRAY_SIZE to caluculate the top of the o32 stack. + +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Paul Burton +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-mips@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +--- + arch/mips/fw/sni/sniprom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/fw/sni/sniprom.c b/arch/mips/fw/sni/sniprom.c +index 8772617b64cef..80112f2298b68 100644 +--- a/arch/mips/fw/sni/sniprom.c ++++ b/arch/mips/fw/sni/sniprom.c +@@ -43,7 +43,7 @@ + + /* O32 stack has to be 8-byte aligned. */ + static u64 o32_stk[4096]; +-#define O32_STK &o32_stk[sizeof(o32_stk)] ++#define O32_STK (&o32_stk[ARRAY_SIZE(o32_stk)]) + + #define __PROM_O32(fun, arg) fun arg __asm__(#fun); \ + __asm__(#fun " = call_o32") +-- +2.20.1 + diff --git a/queue-4.19/mips-include-mark-__cmpxchg-as-__always_inline.patch b/queue-4.19/mips-include-mark-__cmpxchg-as-__always_inline.patch new file mode 100644 index 00000000000..a091975a1f1 --- /dev/null +++ b/queue-4.19/mips-include-mark-__cmpxchg-as-__always_inline.patch @@ -0,0 +1,47 @@ +From 8ffcc28e703b2b9fd45cece5218954b6f534229d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Oct 2019 15:12:32 +0200 +Subject: MIPS: include: Mark __cmpxchg as __always_inline + +From: Thomas Bogendoerfer + +[ Upstream commit 88356d09904bc606182c625575237269aeece22e ] + +Commit ac7c3e4ff401 ("compiler: enable CONFIG_OPTIMIZE_INLINING +forcibly") allows compiler to uninline functions marked as 'inline'. +In cace of cmpxchg this would cause to reference function +__cmpxchg_called_with_bad_pointer, which is a error case +for catching bugs and will not happen for correct code, if +__cmpxchg is inlined. + +Signed-off-by: Thomas Bogendoerfer +[paul.burton@mips.com: s/__cmpxchd/__cmpxchg in subject] +Signed-off-by: Paul Burton +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-mips@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/cmpxchg.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/include/asm/cmpxchg.h b/arch/mips/include/asm/cmpxchg.h +index 89e9fb7976fe6..895f91b9e89c3 100644 +--- a/arch/mips/include/asm/cmpxchg.h ++++ b/arch/mips/include/asm/cmpxchg.h +@@ -146,8 +146,9 @@ static inline unsigned long __xchg(volatile void *ptr, unsigned long x, + extern unsigned long __cmpxchg_small(volatile void *ptr, unsigned long old, + unsigned long new, unsigned int size); + +-static inline unsigned long __cmpxchg(volatile void *ptr, unsigned long old, +- unsigned long new, unsigned int size) ++static __always_inline ++unsigned long __cmpxchg(volatile void *ptr, unsigned long old, ++ unsigned long new, unsigned int size) + { + switch (size) { + case 1: +-- +2.20.1 + diff --git a/queue-4.19/mips-include-mark-__xchg-as-__always_inline.patch b/queue-4.19/mips-include-mark-__xchg-as-__always_inline.patch new file mode 100644 index 00000000000..5decccfa77a --- /dev/null +++ b/queue-4.19/mips-include-mark-__xchg-as-__always_inline.patch @@ -0,0 +1,49 @@ +From f9079486c0ed194167457fe05d8d48eb97cedfe2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2019 12:06:00 +0200 +Subject: MIPS: include: Mark __xchg as __always_inline +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Bogendoerfer + +[ Upstream commit 46f1619500d022501a4f0389f9f4c349ab46bb86 ] + +Commit ac7c3e4ff401 ("compiler: enable CONFIG_OPTIMIZE_INLINING +forcibly") allows compiler to uninline functions marked as 'inline'. +In cace of __xchg this would cause to reference function +__xchg_called_with_bad_pointer, which is an error case +for catching bugs and will not happen for correct code, if +__xchg is inlined. + +Signed-off-by: Thomas Bogendoerfer +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Paul Burton +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-mips@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/cmpxchg.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/include/asm/cmpxchg.h b/arch/mips/include/asm/cmpxchg.h +index 895f91b9e89c3..520ca166cbed5 100644 +--- a/arch/mips/include/asm/cmpxchg.h ++++ b/arch/mips/include/asm/cmpxchg.h +@@ -73,8 +73,8 @@ extern unsigned long __xchg_called_with_bad_pointer(void) + extern unsigned long __xchg_small(volatile void *ptr, unsigned long val, + unsigned int size); + +-static inline unsigned long __xchg(volatile void *ptr, unsigned long x, +- int size) ++static __always_inline ++unsigned long __xchg(volatile void *ptr, unsigned long x, int size) + { + switch (size) { + case 1: +-- +2.20.1 + diff --git a/queue-4.19/mlxsw-spectrum-set-lag-port-collector-only-when-acti.patch b/queue-4.19/mlxsw-spectrum-set-lag-port-collector-only-when-acti.patch new file mode 100644 index 00000000000..7d36ba333e1 --- /dev/null +++ b/queue-4.19/mlxsw-spectrum-set-lag-port-collector-only-when-acti.patch @@ -0,0 +1,134 @@ +From c64bc6d5d8c2e335e494195a98b02de344fbe332 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Feb 2019 16:29:51 +0000 +Subject: mlxsw: spectrum: Set LAG port collector only when active + +From: Nir Dotan + +[ Upstream commit 48ebab31d424fbdb8ede8914923bec671a933246 ] + +The LAG port collecting (receive) function was mistakenly set when the +port was registered as a LAG member, while it should be set only when +the port collection state is set to true. Set LAG port to collecting +when it is set to distributing, as described in the IEEE link +aggregation standard coupled control mux machine state diagram. + +Signed-off-by: Nir Dotan +Acked-by: Jiri Pirko +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlxsw/spectrum.c | 62 ++++++++++++++----- + 1 file changed, 45 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c +index ee126bcf7c350..ccd9aca281b37 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c +@@ -4410,9 +4410,6 @@ static int mlxsw_sp_port_lag_join(struct mlxsw_sp_port *mlxsw_sp_port, + err = mlxsw_sp_lag_col_port_add(mlxsw_sp_port, lag_id, port_index); + if (err) + goto err_col_port_add; +- err = mlxsw_sp_lag_col_port_enable(mlxsw_sp_port, lag_id); +- if (err) +- goto err_col_port_enable; + + mlxsw_core_lag_mapping_set(mlxsw_sp->core, lag_id, port_index, + mlxsw_sp_port->local_port); +@@ -4427,8 +4424,6 @@ static int mlxsw_sp_port_lag_join(struct mlxsw_sp_port *mlxsw_sp_port, + + return 0; + +-err_col_port_enable: +- mlxsw_sp_lag_col_port_remove(mlxsw_sp_port, lag_id); + err_col_port_add: + if (!lag->ref_count) + mlxsw_sp_lag_destroy(mlxsw_sp, lag_id); +@@ -4447,7 +4442,6 @@ static void mlxsw_sp_port_lag_leave(struct mlxsw_sp_port *mlxsw_sp_port, + lag = mlxsw_sp_lag_get(mlxsw_sp, lag_id); + WARN_ON(lag->ref_count == 0); + +- mlxsw_sp_lag_col_port_disable(mlxsw_sp_port, lag_id); + mlxsw_sp_lag_col_port_remove(mlxsw_sp_port, lag_id); + + /* Any VLANs configured on the port are no longer valid */ +@@ -4492,21 +4486,56 @@ static int mlxsw_sp_lag_dist_port_remove(struct mlxsw_sp_port *mlxsw_sp_port, + return mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(sldr), sldr_pl); + } + +-static int mlxsw_sp_port_lag_tx_en_set(struct mlxsw_sp_port *mlxsw_sp_port, +- bool lag_tx_enabled) ++static int ++mlxsw_sp_port_lag_col_dist_enable(struct mlxsw_sp_port *mlxsw_sp_port) + { +- if (lag_tx_enabled) +- return mlxsw_sp_lag_dist_port_add(mlxsw_sp_port, +- mlxsw_sp_port->lag_id); +- else +- return mlxsw_sp_lag_dist_port_remove(mlxsw_sp_port, +- mlxsw_sp_port->lag_id); ++ int err; ++ ++ err = mlxsw_sp_lag_col_port_enable(mlxsw_sp_port, ++ mlxsw_sp_port->lag_id); ++ if (err) ++ return err; ++ ++ err = mlxsw_sp_lag_dist_port_add(mlxsw_sp_port, mlxsw_sp_port->lag_id); ++ if (err) ++ goto err_dist_port_add; ++ ++ return 0; ++ ++err_dist_port_add: ++ mlxsw_sp_lag_col_port_disable(mlxsw_sp_port, mlxsw_sp_port->lag_id); ++ return err; ++} ++ ++static int ++mlxsw_sp_port_lag_col_dist_disable(struct mlxsw_sp_port *mlxsw_sp_port) ++{ ++ int err; ++ ++ err = mlxsw_sp_lag_dist_port_remove(mlxsw_sp_port, ++ mlxsw_sp_port->lag_id); ++ if (err) ++ return err; ++ ++ err = mlxsw_sp_lag_col_port_disable(mlxsw_sp_port, ++ mlxsw_sp_port->lag_id); ++ if (err) ++ goto err_col_port_disable; ++ ++ return 0; ++ ++err_col_port_disable: ++ mlxsw_sp_lag_dist_port_add(mlxsw_sp_port, mlxsw_sp_port->lag_id); ++ return err; + } + + static int mlxsw_sp_port_lag_changed(struct mlxsw_sp_port *mlxsw_sp_port, + struct netdev_lag_lower_state_info *info) + { +- return mlxsw_sp_port_lag_tx_en_set(mlxsw_sp_port, info->tx_enabled); ++ if (info->tx_enabled) ++ return mlxsw_sp_port_lag_col_dist_enable(mlxsw_sp_port); ++ else ++ return mlxsw_sp_port_lag_col_dist_disable(mlxsw_sp_port); + } + + static int mlxsw_sp_port_stp_set(struct mlxsw_sp_port *mlxsw_sp_port, +@@ -4668,8 +4697,7 @@ static int mlxsw_sp_netdevice_port_upper_event(struct net_device *lower_dev, + err = mlxsw_sp_port_lag_join(mlxsw_sp_port, + upper_dev); + } else { +- mlxsw_sp_port_lag_tx_en_set(mlxsw_sp_port, +- false); ++ mlxsw_sp_port_lag_col_dist_disable(mlxsw_sp_port); + mlxsw_sp_port_lag_leave(mlxsw_sp_port, + upper_dev); + } +-- +2.20.1 + diff --git a/queue-4.19/nbd-fix-possible-sysfs-duplicate-warning.patch b/queue-4.19/nbd-fix-possible-sysfs-duplicate-warning.patch new file mode 100644 index 00000000000..939ef5e5fa9 --- /dev/null +++ b/queue-4.19/nbd-fix-possible-sysfs-duplicate-warning.patch @@ -0,0 +1,49 @@ +From 65966c15a63825e24e83e2c2f2032365a964e4a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Sep 2019 11:44:27 +0530 +Subject: nbd: fix possible sysfs duplicate warning + +From: Xiubo Li + +[ Upstream commit 862488105b84ca744b3d8ff131e0fcfe10644be1 ] + +1. nbd_put takes the mutex and drops nbd->ref to 0. It then does +idr_remove and drops the mutex. + +2. nbd_genl_connect takes the mutex. idr_find/idr_for_each fails +to find an existing device, so it does nbd_dev_add. + +3. just before the nbd_put could call nbd_dev_remove or not finished +totally, but if nbd_dev_add try to add_disk, we can hit: + +debugfs: Directory 'nbd1' with parent 'block' already present! + +This patch will make sure all the disk add/remove stuff are done +by holding the nbd_index_mutex lock. + +Reported-by: Mike Christie +Reviewed-by: Josef Bacik +Signed-off-by: Xiubo Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index bc2fa4e85f0ca..d445195945618 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -228,8 +228,8 @@ static void nbd_put(struct nbd_device *nbd) + if (refcount_dec_and_mutex_lock(&nbd->refs, + &nbd_index_mutex)) { + idr_remove(&nbd_index_idr, nbd->index); +- mutex_unlock(&nbd_index_mutex); + nbd_dev_remove(nbd); ++ mutex_unlock(&nbd_index_mutex); + } + } + +-- +2.20.1 + diff --git a/queue-4.19/net-dsa-mv88e6xxx-release-lock-while-requesting-irq.patch b/queue-4.19/net-dsa-mv88e6xxx-release-lock-while-requesting-irq.patch new file mode 100644 index 00000000000..632870b8005 --- /dev/null +++ b/queue-4.19/net-dsa-mv88e6xxx-release-lock-while-requesting-irq.patch @@ -0,0 +1,41 @@ +From e0d41c56f2366cb49e3ac368f7be0f9069454956 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Feb 2019 17:43:57 +0100 +Subject: net: dsa: mv88e6xxx: Release lock while requesting IRQ + +From: Andrew Lunn + +[ Upstream commit 342a0ee70acbee97fdeb91349420f8744eb291fb ] + +There is no need to hold the register lock while requesting the GPIO +interrupt. By not holding it we can also avoid a false positive +lockdep splat. + +Reported-by: Russell King +Signed-off-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 703e6bdaf0e1f..d075f0f7a3de8 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -456,10 +456,12 @@ static int mv88e6xxx_g1_irq_setup(struct mv88e6xxx_chip *chip) + */ + irq_set_lockdep_class(chip->irq, &lock_key, &request_key); + ++ mutex_unlock(&chip->reg_lock); + err = request_threaded_irq(chip->irq, NULL, + mv88e6xxx_g1_irq_thread_fn, + IRQF_ONESHOT, + dev_name(chip->dev), chip); ++ mutex_lock(&chip->reg_lock); + if (err) + mv88e6xxx_g1_irq_free_common(chip); + +-- +2.20.1 + diff --git a/queue-4.19/net-stmmac-fix-napi-poll-in-tx-path-when-in-multi-qu.patch b/queue-4.19/net-stmmac-fix-napi-poll-in-tx-path-when-in-multi-qu.patch new file mode 100644 index 00000000000..bdef37a786d --- /dev/null +++ b/queue-4.19/net-stmmac-fix-napi-poll-in-tx-path-when-in-multi-qu.patch @@ -0,0 +1,255 @@ +From fabec3dc2234d5cdd8c87178c0ef8c6490165b77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Feb 2019 10:38:47 +0100 +Subject: net: stmmac: Fix NAPI poll in TX path when in multi-queue + +From: Jose Abreu + +[ Upstream commit 4ccb45857c2c0776d0f72e39768295062c1a0de1 ] + +Commit 8fce33317023 introduced the concept of NAPI per-channel and +independent cleaning of TX path. + +This is currently breaking performance in some cases. The scenario +happens when all packets are being received in Queue 0 but the TX is +performed in Queue != 0. + +Fix this by using different NAPI instances per each TX and RX queue, as +suggested by Florian. + +Changes from v2: + - Only force restart transmission if there are pending packets +Changes from v1: + - Pass entire ring size to TX clean path (Florian) + +Signed-off-by: Jose Abreu +Cc: Florian Fainelli +Cc: Joao Pinto +Cc: David S. Miller +Cc: Giuseppe Cavallaro +Cc: Alexandre Torgue +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac.h | 5 +- + .../net/ethernet/stmicro/stmmac/stmmac_main.c | 115 ++++++++++-------- + 2 files changed, 68 insertions(+), 52 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac.h b/drivers/net/ethernet/stmicro/stmmac/stmmac.h +index 63e1064b27a24..e697ecd9b0a64 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac.h ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac.h +@@ -78,11 +78,10 @@ struct stmmac_rx_queue { + }; + + struct stmmac_channel { +- struct napi_struct napi ____cacheline_aligned_in_smp; ++ struct napi_struct rx_napi ____cacheline_aligned_in_smp; ++ struct napi_struct tx_napi ____cacheline_aligned_in_smp; + struct stmmac_priv *priv_data; + u32 index; +- int has_rx; +- int has_tx; + }; + + struct stmmac_tc_entry { +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 014fe93ed2d82..f4542ac0852d2 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -155,7 +155,10 @@ static void stmmac_disable_all_queues(struct stmmac_priv *priv) + for (queue = 0; queue < maxq; queue++) { + struct stmmac_channel *ch = &priv->channel[queue]; + +- napi_disable(&ch->napi); ++ if (queue < rx_queues_cnt) ++ napi_disable(&ch->rx_napi); ++ if (queue < tx_queues_cnt) ++ napi_disable(&ch->tx_napi); + } + } + +@@ -173,7 +176,10 @@ static void stmmac_enable_all_queues(struct stmmac_priv *priv) + for (queue = 0; queue < maxq; queue++) { + struct stmmac_channel *ch = &priv->channel[queue]; + +- napi_enable(&ch->napi); ++ if (queue < rx_queues_cnt) ++ napi_enable(&ch->rx_napi); ++ if (queue < tx_queues_cnt) ++ napi_enable(&ch->tx_napi); + } + } + +@@ -1946,6 +1952,10 @@ static int stmmac_tx_clean(struct stmmac_priv *priv, int budget, u32 queue) + mod_timer(&priv->eee_ctrl_timer, STMMAC_LPI_T(eee_timer)); + } + ++ /* We still have pending packets, let's call for a new scheduling */ ++ if (tx_q->dirty_tx != tx_q->cur_tx) ++ mod_timer(&tx_q->txtimer, STMMAC_COAL_TIMER(10)); ++ + __netif_tx_unlock_bh(netdev_get_tx_queue(priv->dev, queue)); + + return count; +@@ -2036,23 +2046,15 @@ static int stmmac_napi_check(struct stmmac_priv *priv, u32 chan) + int status = stmmac_dma_interrupt_status(priv, priv->ioaddr, + &priv->xstats, chan); + struct stmmac_channel *ch = &priv->channel[chan]; +- bool needs_work = false; +- +- if ((status & handle_rx) && ch->has_rx) { +- needs_work = true; +- } else { +- status &= ~handle_rx; +- } + +- if ((status & handle_tx) && ch->has_tx) { +- needs_work = true; +- } else { +- status &= ~handle_tx; ++ if ((status & handle_rx) && (chan < priv->plat->rx_queues_to_use)) { ++ stmmac_disable_dma_irq(priv, priv->ioaddr, chan); ++ napi_schedule_irqoff(&ch->rx_napi); + } + +- if (needs_work && napi_schedule_prep(&ch->napi)) { ++ if ((status & handle_tx) && (chan < priv->plat->tx_queues_to_use)) { + stmmac_disable_dma_irq(priv, priv->ioaddr, chan); +- __napi_schedule(&ch->napi); ++ napi_schedule_irqoff(&ch->tx_napi); + } + + return status; +@@ -2248,8 +2250,14 @@ static void stmmac_tx_timer(struct timer_list *t) + + ch = &priv->channel[tx_q->queue_index]; + +- if (likely(napi_schedule_prep(&ch->napi))) +- __napi_schedule(&ch->napi); ++ /* ++ * If NAPI is already running we can miss some events. Let's rearm ++ * the timer and try again. ++ */ ++ if (likely(napi_schedule_prep(&ch->tx_napi))) ++ __napi_schedule(&ch->tx_napi); ++ else ++ mod_timer(&tx_q->txtimer, STMMAC_COAL_TIMER(10)); + } + + /** +@@ -3506,7 +3514,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + else + skb->ip_summed = CHECKSUM_UNNECESSARY; + +- napi_gro_receive(&ch->napi, skb); ++ napi_gro_receive(&ch->rx_napi, skb); + + priv->dev->stats.rx_packets++; + priv->dev->stats.rx_bytes += frame_len; +@@ -3520,40 +3528,45 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + return count; + } + +-/** +- * stmmac_poll - stmmac poll method (NAPI) +- * @napi : pointer to the napi structure. +- * @budget : maximum number of packets that the current CPU can receive from +- * all interfaces. +- * Description : +- * To look at the incoming frames and clear the tx resources. +- */ +-static int stmmac_napi_poll(struct napi_struct *napi, int budget) ++static int stmmac_napi_poll_rx(struct napi_struct *napi, int budget) + { + struct stmmac_channel *ch = +- container_of(napi, struct stmmac_channel, napi); ++ container_of(napi, struct stmmac_channel, rx_napi); + struct stmmac_priv *priv = ch->priv_data; +- int work_done, rx_done = 0, tx_done = 0; + u32 chan = ch->index; ++ int work_done; + + priv->xstats.napi_poll++; + +- if (ch->has_tx) +- tx_done = stmmac_tx_clean(priv, budget, chan); +- if (ch->has_rx) +- rx_done = stmmac_rx(priv, budget, chan); ++ work_done = stmmac_rx(priv, budget, chan); ++ if (work_done < budget && napi_complete_done(napi, work_done)) ++ stmmac_enable_dma_irq(priv, priv->ioaddr, chan); ++ return work_done; ++} + +- work_done = max(rx_done, tx_done); +- work_done = min(work_done, budget); ++static int stmmac_napi_poll_tx(struct napi_struct *napi, int budget) ++{ ++ struct stmmac_channel *ch = ++ container_of(napi, struct stmmac_channel, tx_napi); ++ struct stmmac_priv *priv = ch->priv_data; ++ struct stmmac_tx_queue *tx_q; ++ u32 chan = ch->index; ++ int work_done; + +- if (work_done < budget && napi_complete_done(napi, work_done)) { +- int stat; ++ priv->xstats.napi_poll++; ++ ++ work_done = stmmac_tx_clean(priv, DMA_TX_SIZE, chan); ++ work_done = min(work_done, budget); + ++ if (work_done < budget && napi_complete_done(napi, work_done)) + stmmac_enable_dma_irq(priv, priv->ioaddr, chan); +- stat = stmmac_dma_interrupt_status(priv, priv->ioaddr, +- &priv->xstats, chan); +- if (stat && napi_reschedule(napi)) +- stmmac_disable_dma_irq(priv, priv->ioaddr, chan); ++ ++ /* Force transmission restart */ ++ tx_q = &priv->tx_queue[chan]; ++ if (tx_q->cur_tx != tx_q->dirty_tx) { ++ stmmac_enable_dma_transmission(priv, priv->ioaddr); ++ stmmac_set_tx_tail_ptr(priv, priv->ioaddr, tx_q->tx_tail_addr, ++ chan); + } + + return work_done; +@@ -4376,13 +4389,14 @@ int stmmac_dvr_probe(struct device *device, + ch->priv_data = priv; + ch->index = queue; + +- if (queue < priv->plat->rx_queues_to_use) +- ch->has_rx = true; +- if (queue < priv->plat->tx_queues_to_use) +- ch->has_tx = true; +- +- netif_napi_add(ndev, &ch->napi, stmmac_napi_poll, +- NAPI_POLL_WEIGHT); ++ if (queue < priv->plat->rx_queues_to_use) { ++ netif_napi_add(ndev, &ch->rx_napi, stmmac_napi_poll_rx, ++ NAPI_POLL_WEIGHT); ++ } ++ if (queue < priv->plat->tx_queues_to_use) { ++ netif_napi_add(ndev, &ch->tx_napi, stmmac_napi_poll_tx, ++ NAPI_POLL_WEIGHT); ++ } + } + + mutex_init(&priv->lock); +@@ -4438,7 +4452,10 @@ error_mdio_register: + for (queue = 0; queue < maxq; queue++) { + struct stmmac_channel *ch = &priv->channel[queue]; + +- netif_napi_del(&ch->napi); ++ if (queue < priv->plat->rx_queues_to_use) ++ netif_napi_del(&ch->rx_napi); ++ if (queue < priv->plat->tx_queues_to_use) ++ netif_napi_del(&ch->tx_napi); + } + error_hw_init: + destroy_workqueue(priv->wq); +-- +2.20.1 + diff --git a/queue-4.19/netfilter-ipset-make-invalid-mac-address-checks-cons.patch b/queue-4.19/netfilter-ipset-make-invalid-mac-address-checks-cons.patch new file mode 100644 index 00000000000..e63c84d40a7 --- /dev/null +++ b/queue-4.19/netfilter-ipset-make-invalid-mac-address-checks-cons.patch @@ -0,0 +1,95 @@ +From 5e10d8f70c9de7f522cf76dd59c95d86606bbacb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Aug 2018 21:09:48 +0200 +Subject: netfilter: ipset: Make invalid MAC address checks consistent + +From: Stefano Brivio + +[ Upstream commit 29edbc3ebdb0faa934114f14bf12fc0b784d4f1b ] + +Set types bitmap:ipmac and hash:ipmac check that MAC addresses +are not all zeroes. + +Introduce one missing check, and make the remaining ones +consistent, using is_zero_ether_addr() instead of comparing +against an array containing zeroes. + +This was already done for hash:mac sets in commit 26c97c5d8dac +("netfilter: ipset: Use is_zero_ether_addr instead of static and +memcmp"). + +Signed-off-by: Stefano Brivio +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_bitmap_ipmac.c | 3 +++ + net/netfilter/ipset/ip_set_hash_ipmac.c | 11 ++++------- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c +index 4f01321e793ce..794e0335a8648 100644 +--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c ++++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c +@@ -235,6 +235,9 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb, + else + ether_addr_copy(e.ether, eth_hdr(skb)->h_dest); + ++ if (is_zero_ether_addr(e.ether)) ++ return -EINVAL; ++ + return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); + } + +diff --git a/net/netfilter/ipset/ip_set_hash_ipmac.c b/net/netfilter/ipset/ip_set_hash_ipmac.c +index 16ec822e40447..25560ea742d66 100644 +--- a/net/netfilter/ipset/ip_set_hash_ipmac.c ++++ b/net/netfilter/ipset/ip_set_hash_ipmac.c +@@ -36,9 +36,6 @@ MODULE_ALIAS("ip_set_hash:ip,mac"); + /* Type specific function prefix */ + #define HTYPE hash_ipmac + +-/* Zero valued element is not supported */ +-static const unsigned char invalid_ether[ETH_ALEN] = { 0 }; +- + /* IPv4 variant */ + + /* Member elements */ +@@ -104,7 +101,7 @@ hash_ipmac4_kadt(struct ip_set *set, const struct sk_buff *skb, + else + ether_addr_copy(e.ether, eth_hdr(skb)->h_dest); + +- if (ether_addr_equal(e.ether, invalid_ether)) ++ if (is_zero_ether_addr(e.ether)) + return -EINVAL; + + ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip); +@@ -140,7 +137,7 @@ hash_ipmac4_uadt(struct ip_set *set, struct nlattr *tb[], + if (ret) + return ret; + memcpy(e.ether, nla_data(tb[IPSET_ATTR_ETHER]), ETH_ALEN); +- if (ether_addr_equal(e.ether, invalid_ether)) ++ if (is_zero_ether_addr(e.ether)) + return -IPSET_ERR_HASH_ELEM; + + return adtfn(set, &e, &ext, &ext, flags); +@@ -220,7 +217,7 @@ hash_ipmac6_kadt(struct ip_set *set, const struct sk_buff *skb, + else + ether_addr_copy(e.ether, eth_hdr(skb)->h_dest); + +- if (ether_addr_equal(e.ether, invalid_ether)) ++ if (is_zero_ether_addr(e.ether)) + return -EINVAL; + + ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip.in6); +@@ -260,7 +257,7 @@ hash_ipmac6_uadt(struct ip_set *set, struct nlattr *tb[], + return ret; + + memcpy(e.ether, nla_data(tb[IPSET_ATTR_ETHER]), ETH_ALEN); +- if (ether_addr_equal(e.ether, invalid_ether)) ++ if (is_zero_ether_addr(e.ether)) + return -IPSET_ERR_HASH_ELEM; + + return adtfn(set, &e, &ext, &ext, flags); +-- +2.20.1 + diff --git a/queue-4.19/nfs-fix-nfsi-nrequests-count-error-on-nfs_inode_remo.patch b/queue-4.19/nfs-fix-nfsi-nrequests-count-error-on-nfs_inode_remo.patch new file mode 100644 index 00000000000..be5dbf7d824 --- /dev/null +++ b/queue-4.19/nfs-fix-nfsi-nrequests-count-error-on-nfs_inode_remo.patch @@ -0,0 +1,91 @@ +From 3645e143608671b34ec68c00d53351f4b901a9a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Sep 2019 14:29:38 +0800 +Subject: nfs: Fix nfsi->nrequests count error on nfs_inode_remove_request + +From: ZhangXiaoxu + +[ Upstream commit 33ea5aaa87cdae0f9af4d6b7ee4f650a1a36fd1d ] + +When xfstests testing, there are some WARNING as below: + +WARNING: CPU: 0 PID: 6235 at fs/nfs/inode.c:122 nfs_clear_inode+0x9c/0xd8 +Modules linked in: +CPU: 0 PID: 6235 Comm: umount.nfs +Hardware name: linux,dummy-virt (DT) +pstate: 60000005 (nZCv daif -PAN -UAO) +pc : nfs_clear_inode+0x9c/0xd8 +lr : nfs_evict_inode+0x60/0x78 +sp : fffffc000f68fc00 +x29: fffffc000f68fc00 x28: fffffe00c53155c0 +x27: fffffe00c5315000 x26: fffffc0009a63748 +x25: fffffc000f68fd18 x24: fffffc000bfaaf40 +x23: fffffc000936d3c0 x22: fffffe00c4ff5e20 +x21: fffffc000bfaaf40 x20: fffffe00c4ff5d10 +x19: fffffc000c056000 x18: 000000000000003c +x17: 0000000000000000 x16: 0000000000000000 +x15: 0000000000000040 x14: 0000000000000228 +x13: fffffc000c3a2000 x12: 0000000000000045 +x11: 0000000000000000 x10: 0000000000000000 +x9 : 0000000000000000 x8 : 0000000000000000 +x7 : 0000000000000000 x6 : fffffc00084b027c +x5 : fffffc0009a64000 x4 : fffffe00c0e77400 +x3 : fffffc000c0563a8 x2 : fffffffffffffffb +x1 : 000000000000764e x0 : 0000000000000001 +Call trace: + nfs_clear_inode+0x9c/0xd8 + nfs_evict_inode+0x60/0x78 + evict+0x108/0x380 + dispose_list+0x70/0xa0 + evict_inodes+0x194/0x210 + generic_shutdown_super+0xb0/0x220 + nfs_kill_super+0x40/0x88 + deactivate_locked_super+0xb4/0x120 + deactivate_super+0x144/0x160 + cleanup_mnt+0x98/0x148 + __cleanup_mnt+0x38/0x50 + task_work_run+0x114/0x160 + do_notify_resume+0x2f8/0x308 + work_pending+0x8/0x14 + +The nrequest should be increased/decreased only if PG_INODE_REF flag +was setted. + +But in the nfs_inode_remove_request function, it maybe decrease when +no PG_INODE_REF flag, this maybe lead nrequests count error. + +Reported-by: Hulk Robot +Signed-off-by: ZhangXiaoxu +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/write.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/write.c b/fs/nfs/write.c +index 5ab997912d8d5..117ffd90419e2 100644 +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -783,7 +783,6 @@ static void nfs_inode_remove_request(struct nfs_page *req) + struct nfs_inode *nfsi = NFS_I(inode); + struct nfs_page *head; + +- atomic_long_dec(&nfsi->nrequests); + if (nfs_page_group_sync_on_bit(req, PG_REMOVE)) { + head = req->wb_head; + +@@ -796,8 +795,10 @@ static void nfs_inode_remove_request(struct nfs_page *req) + spin_unlock(&mapping->private_lock); + } + +- if (test_and_clear_bit(PG_INODE_REF, &req->wb_flags)) ++ if (test_and_clear_bit(PG_INODE_REF, &req->wb_flags)) { + nfs_release_request(req); ++ atomic_long_dec(&nfsi->nrequests); ++ } + } + + static void +-- +2.20.1 + diff --git a/queue-4.19/nfsv4-ensure-that-the-state-manager-exits-the-loop-o.patch b/queue-4.19/nfsv4-ensure-that-the-state-manager-exits-the-loop-o.patch new file mode 100644 index 00000000000..7dbbf1f35dc --- /dev/null +++ b/queue-4.19/nfsv4-ensure-that-the-state-manager-exits-the-loop-o.patch @@ -0,0 +1,31 @@ +From d69e0ded65c30cfca7c86534be191291411a0575 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Nov 2018 12:17:01 -0500 +Subject: NFSv4: Ensure that the state manager exits the loop on SIGKILL + +From: Trond Myklebust + +[ Upstream commit a1aa09be21fa344d1f5585aab8164bfae55f57e3 ] + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4state.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c +index c36ef75f2054b..b3086e99420c7 100644 +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -2613,7 +2613,7 @@ static void nfs4_state_manager(struct nfs_client *clp) + return; + if (test_and_set_bit(NFS4CLNT_MANAGER_RUNNING, &clp->cl_state) != 0) + return; +- } while (refcount_read(&clp->cl_count) > 1); ++ } while (refcount_read(&clp->cl_count) > 1 && !signalled()); + goto out_drain; + + out_error: +-- +2.20.1 + diff --git a/queue-4.19/nfsv4-fix-leak-of-clp-cl_acceptor-string.patch b/queue-4.19/nfsv4-fix-leak-of-clp-cl_acceptor-string.patch new file mode 100644 index 00000000000..d1c900e3c8e --- /dev/null +++ b/queue-4.19/nfsv4-fix-leak-of-clp-cl_acceptor-string.patch @@ -0,0 +1,60 @@ +From 500511deb90f8b96f81dd436a846b2f6463e11bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2019 09:58:54 -0400 +Subject: NFSv4: Fix leak of clp->cl_acceptor string + +From: Chuck Lever + +[ Upstream commit 1047ec868332034d1fbcb2fae19fe6d4cb869ff2 ] + +Our client can issue multiple SETCLIENTID operations to the same +server in some circumstances. Ensure that calls to +nfs4_proc_setclientid() after the first one do not overwrite the +previously allocated cl_acceptor string. + +unreferenced object 0xffff888461031800 (size 32): + comm "mount.nfs", pid 2227, jiffies 4294822467 (age 1407.749s) + hex dump (first 32 bytes): + 6e 66 73 40 6b 6c 69 6d 74 2e 69 62 2e 31 30 31 nfs@klimt.ib.101 + 35 67 72 61 6e 67 65 72 2e 6e 65 74 00 00 00 00 5granger.net.... + backtrace: + [<00000000ab820188>] __kmalloc+0x128/0x176 + [<00000000eeaf4ec8>] gss_stringify_acceptor+0xbd/0x1a7 [auth_rpcgss] + [<00000000e85e3382>] nfs4_proc_setclientid+0x34e/0x46c [nfsv4] + [<000000003d9cf1fa>] nfs40_discover_server_trunking+0x7a/0xed [nfsv4] + [<00000000b81c3787>] nfs4_discover_server_trunking+0x81/0x244 [nfsv4] + [<000000000801b55f>] nfs4_init_client+0x1b0/0x238 [nfsv4] + [<00000000977daf7f>] nfs4_set_client+0xfe/0x14d [nfsv4] + [<0000000053a68a2a>] nfs4_create_server+0x107/0x1db [nfsv4] + [<0000000088262019>] nfs4_remote_mount+0x2c/0x59 [nfsv4] + [<00000000e84a2fd0>] legacy_get_tree+0x2d/0x4c + [<00000000797e947c>] vfs_get_tree+0x20/0xc7 + [<00000000ecabaaa8>] fc_mount+0xe/0x36 + [<00000000f15fafc2>] vfs_kern_mount+0x74/0x8d + [<00000000a3ff4e26>] nfs_do_root_mount+0x8a/0xa3 [nfsv4] + [<00000000d1c2b337>] nfs4_try_mount+0x58/0xad [nfsv4] + [<000000004c9bddee>] nfs_fs_mount+0x820/0x869 [nfs] + +Fixes: f11b2a1cfbf5 ("nfs4: copy acceptor name from context ... ") +Signed-off-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 621e3cf90f4eb..75faef7af22d3 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -5943,6 +5943,7 @@ int nfs4_proc_setclientid(struct nfs_client *clp, u32 program, + } + status = task->tk_status; + if (setclientid.sc_cred) { ++ kfree(clp->cl_acceptor); + clp->cl_acceptor = rpcauth_stringify_acceptor(setclientid.sc_cred); + put_rpccred(setclientid.sc_cred); + } +-- +2.20.1 + diff --git a/queue-4.19/ocfs2-clear-zero-in-unaligned-direct-io.patch b/queue-4.19/ocfs2-clear-zero-in-unaligned-direct-io.patch new file mode 100644 index 00000000000..0f9c8c63031 --- /dev/null +++ b/queue-4.19/ocfs2-clear-zero-in-unaligned-direct-io.patch @@ -0,0 +1,93 @@ +From 43d8465ec9825b293dc388a5b05c8fc07673d4f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Oct 2019 17:57:47 -0700 +Subject: ocfs2: clear zero in unaligned direct IO + +From: Jia Guo + +[ Upstream commit 7a243c82ea527cd1da47381ad9cd646844f3b693 ] + +Unused portion of a part-written fs-block-sized block is not set to zero +in unaligned append direct write.This can lead to serious data +inconsistencies. + +Ocfs2 manage disk with cluster size(for example, 1M), part-written in +one cluster will change the cluster state from UN-WRITTEN to WRITTEN, +VFS(function dio_zero_block) doesn't do the cleaning because bh's state +is not set to NEW in function ocfs2_dio_wr_get_block when we write a +WRITTEN cluster. For example, the cluster size is 1M, file size is 8k +and we direct write from 14k to 15k, then 12k~14k and 15k~16k will +contain dirty data. + +We have to deal with two cases: + 1.The starting position of direct write is outside the file. + 2.The starting position of direct write is located in the file. + +We need set bh's state to NEW in the first case. In the second case, we +need mapped twice because bh's state of area out file should be set to +NEW while area in file not. + +[akpm@linux-foundation.org: coding style fixes] +Link: http://lkml.kernel.org/r/5292e287-8f1a-fd4a-1a14-661e555e0bed@huawei.com +Signed-off-by: Jia Guo +Reviewed-by: Yiwen Jiang +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/aops.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c +index 7578bd507c70b..dc773e163132c 100644 +--- a/fs/ocfs2/aops.c ++++ b/fs/ocfs2/aops.c +@@ -2153,13 +2153,30 @@ static int ocfs2_dio_wr_get_block(struct inode *inode, sector_t iblock, + struct ocfs2_dio_write_ctxt *dwc = NULL; + struct buffer_head *di_bh = NULL; + u64 p_blkno; +- loff_t pos = iblock << inode->i_sb->s_blocksize_bits; ++ unsigned int i_blkbits = inode->i_sb->s_blocksize_bits; ++ loff_t pos = iblock << i_blkbits; ++ sector_t endblk = (i_size_read(inode) - 1) >> i_blkbits; + unsigned len, total_len = bh_result->b_size; + int ret = 0, first_get_block = 0; + + len = osb->s_clustersize - (pos & (osb->s_clustersize - 1)); + len = min(total_len, len); + ++ /* ++ * bh_result->b_size is count in get_more_blocks according to write ++ * "pos" and "end", we need map twice to return different buffer state: ++ * 1. area in file size, not set NEW; ++ * 2. area out file size, set NEW. ++ * ++ * iblock endblk ++ * |--------|---------|---------|--------- ++ * |<-------area in file------->| ++ */ ++ ++ if ((iblock <= endblk) && ++ ((iblock + ((len - 1) >> i_blkbits)) > endblk)) ++ len = (endblk - iblock + 1) << i_blkbits; ++ + mlog(0, "get block of %lu at %llu:%u req %u\n", + inode->i_ino, pos, len, total_len); + +@@ -2243,6 +2260,9 @@ static int ocfs2_dio_wr_get_block(struct inode *inode, sector_t iblock, + if (desc->c_needs_zero) + set_buffer_new(bh_result); + ++ if (iblock > endblk) ++ set_buffer_new(bh_result); ++ + /* May sleep in end_io. It should not happen in a irq context. So defer + * it to dio work queue. */ + set_buffer_defer_completion(bh_result); +-- +2.20.1 + diff --git a/queue-4.19/pci-fix-switchtec-dma-aliasing-quirk-dmesg-noise.patch b/queue-4.19/pci-fix-switchtec-dma-aliasing-quirk-dmesg-noise.patch new file mode 100644 index 00000000000..db82a62346e --- /dev/null +++ b/queue-4.19/pci-fix-switchtec-dma-aliasing-quirk-dmesg-noise.patch @@ -0,0 +1,53 @@ +From 7f1e903d8fcda969d7bccc3939038715e4ceb465 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Oct 2018 09:49:40 -0600 +Subject: PCI: Fix Switchtec DMA aliasing quirk dmesg noise + +From: Logan Gunthorpe + +[ Upstream commit 742bbe1ee35b5699c092541f97c7cec326556bb1 ] + +Currently the Switchtec quirk runs on all endpoints in the switch, +including all the upstream and downstream ports. These other functions do +not contain BARs, so the quirk fails when trying to map the BAR and prints +the error "Cannot iomap Switchtec device". The user will see a few of +these useless and scary errors, one for each port in the switch. + +At most, the quirk should only run on either a management endpoint +(PCI_CLASS_MEMORY_OTHER) or an NTB endpoint (PCI_CLASS_BRIDGE_OTHER). +However, the quirk is useless except in NTB applications, so we will +only run it when the class is PCI_CLASS_BRIDGE_OTHER. + +Switch to using DECLARE_PCI_FIXUP_CLASS_FINAL and only match +PCI_CLASS_BRIDGE_OTHER. + +Reported-by: Stephen Bates +Fixes: ad281ecf1c7d ("PCI: Add DMA alias quirk for Microsemi Switchtec NTB") +Signed-off-by: Logan Gunthorpe +[bhelgaas: split SWITCHTEC_QUIRK() introduction to separate patch] +Signed-off-by: Bjorn Helgaas +Cc: Doug Meyer +Cc: Kurt Schwemmer +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 06be52912dcdb..64933994f7722 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -5083,8 +5083,8 @@ static void quirk_switchtec_ntb_dma_alias(struct pci_dev *pdev) + pci_disable_device(pdev); + } + #define SWITCHTEC_QUIRK(vid) \ +- DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_MICROSEMI, vid, \ +- quirk_switchtec_ntb_dma_alias) ++ DECLARE_PCI_FIXUP_CLASS_FINAL(PCI_VENDOR_ID_MICROSEMI, vid, \ ++ PCI_CLASS_BRIDGE_OTHER, 8, quirk_switchtec_ntb_dma_alias) + + SWITCHTEC_QUIRK(0x8531); /* PFX 24xG3 */ + SWITCHTEC_QUIRK(0x8532); /* PFX 32xG3 */ +-- +2.20.1 + diff --git a/queue-4.19/pci-pme-fix-possible-use-after-free-on-remove.patch b/queue-4.19/pci-pme-fix-possible-use-after-free-on-remove.patch new file mode 100644 index 00000000000..6e4f768b3d2 --- /dev/null +++ b/queue-4.19/pci-pme-fix-possible-use-after-free-on-remove.patch @@ -0,0 +1,41 @@ +From 19e42c8d8e7452416b89194eb897105ce4dc0e8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Mar 2019 11:54:19 -0500 +Subject: PCI/PME: Fix possible use-after-free on remove + +From: Sven Van Asbroeck + +[ Upstream commit 7cf58b79b3072029af127ae865ffc6f00f34b1f8 ] + +In remove(), ensure that the PME work cannot run after kfree() is called. +Otherwise, this could result in a use-after-free. + +This issue was detected with the help of Coccinelle. + +Signed-off-by: Sven Van Asbroeck +Signed-off-by: Bjorn Helgaas +Cc: Sinan Kaya +Cc: Frederick Lawler +Cc: Mika Westerberg +Cc: Keith Busch +Cc: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/pme.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pci/pcie/pme.c b/drivers/pci/pcie/pme.c +index e85c5a8206c43..6ac17f0c40775 100644 +--- a/drivers/pci/pcie/pme.c ++++ b/drivers/pci/pcie/pme.c +@@ -437,6 +437,7 @@ static void pcie_pme_remove(struct pcie_device *srv) + + pcie_pme_disable_interrupt(srv->port, data); + free_irq(srv->irq, srv); ++ cancel_work_sync(&data->work); + kfree(data); + } + +-- +2.20.1 + diff --git a/queue-4.19/perf-annotate-fix-the-signedness-of-failure-returns.patch b/queue-4.19/perf-annotate-fix-the-signedness-of-failure-returns.patch new file mode 100644 index 00000000000..3afbaf5c748 --- /dev/null +++ b/queue-4.19/perf-annotate-fix-the-signedness-of-failure-returns.patch @@ -0,0 +1,44 @@ +From f3dea701238589ae3a08e4727a082292d15d2cd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2019 15:11:47 -0300 +Subject: perf annotate: Fix the signedness of failure returns + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 28f4417c3333940b242af03d90214f713bbef232 ] + +Callers of symbol__annotate() expect a errno value or some other +extended error value range in symbol__strerror_disassemble() to +convert to a proper error string, fix it when propagating a failure to +find the arch specific annotation routines via arch__find(arch_name). + +Reported-by: Russell King - ARM Linux admin +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra , +Cc: Will Deacon +Link: https://lkml.kernel.org/n/tip-o0k6dw7cas0vvmjjvgsyvu1i@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/annotate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c +index 4ef62bcdc80f0..b4946ef48b621 100644 +--- a/tools/perf/util/annotate.c ++++ b/tools/perf/util/annotate.c +@@ -1875,7 +1875,7 @@ int symbol__annotate(struct symbol *sym, struct map *map, + + args.arch = arch = arch__find(arch_name); + if (arch == NULL) +- return -ENOTSUP; ++ return ENOTSUP; + + if (parch) + *parch = arch; +-- +2.20.1 + diff --git a/queue-4.19/perf-annotate-propagate-perf_env__arch-error.patch b/queue-4.19/perf-annotate-propagate-perf_env__arch-error.patch new file mode 100644 index 00000000000..df908bbeed0 --- /dev/null +++ b/queue-4.19/perf-annotate-propagate-perf_env__arch-error.patch @@ -0,0 +1,45 @@ +From 042de4758565add892082f87fd7f5adbb58bd8d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2019 15:06:01 -0300 +Subject: perf annotate: Propagate perf_env__arch() error + +From: Arnaldo Carvalho de Melo + +[ Upstream commit a66fa0619a0ae3585ef09e9c33ecfb5c7c6cb72b ] + +The callers of symbol__annotate2() use symbol__strerror_disassemble() to +convert its failure returns into a human readable string, so +propagate error values from functions it calls, starting with +perf_env__arch() that when fails the right thing to do is to look at +'errno' to see why its possible call to uname() failed. + +Reported-by: Russell King - ARM Linux admin +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra , +Cc: Will Deacon +Link: https://lkml.kernel.org/n/tip-it5d83kyusfhb1q1b0l4pxzs@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/annotate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c +index daea1fdf73856..4ef62bcdc80f0 100644 +--- a/tools/perf/util/annotate.c ++++ b/tools/perf/util/annotate.c +@@ -1871,7 +1871,7 @@ int symbol__annotate(struct symbol *sym, struct map *map, + int err; + + if (!arch_name) +- return -1; ++ return errno; + + args.arch = arch = arch__find(arch_name); + if (arch == NULL) +-- +2.20.1 + diff --git a/queue-4.19/perf-annotate-propagate-the-symbol__annotate-error-r.patch b/queue-4.19/perf-annotate-propagate-the-symbol__annotate-error-r.patch new file mode 100644 index 00000000000..b8fcdf469a4 --- /dev/null +++ b/queue-4.19/perf-annotate-propagate-the-symbol__annotate-error-r.patch @@ -0,0 +1,48 @@ +From c30143eea7b9ed4a52ae9da23d197e17b92b7bf8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2019 15:44:13 -0300 +Subject: perf annotate: Propagate the symbol__annotate() error return + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 211f493b611eef012841f795166c38ec7528738d ] + +We were just returning -1 in symbol__annotate() when symbol__annotate() +failed, propagate its error as it is used later to pass to +symbol__strerror_disassemble() to present a error message to the user, +that in some cases were getting: + + "Invalid -1 error code" + +Fix it to propagate the error. + +Reported-by: Russell King - ARM Linux admin +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra , +Cc: Will Deacon +Link: https://lkml.kernel.org/n/tip-0tj89rs9g7nbcyd5skadlvuu@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/annotate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c +index b4946ef48b621..83a3ad4256c5b 100644 +--- a/tools/perf/util/annotate.c ++++ b/tools/perf/util/annotate.c +@@ -2757,7 +2757,7 @@ int symbol__annotate2(struct symbol *sym, struct map *map, struct perf_evsel *ev + + out_free_offsets: + zfree(¬es->offsets); +- return -1; ++ return err; + } + + #define ANNOTATION__CFG(n) \ +-- +2.20.1 + diff --git a/queue-4.19/perf-annotate-return-appropriate-error-code-for-allo.patch b/queue-4.19/perf-annotate-return-appropriate-error-code-for-allo.patch new file mode 100644 index 00000000000..aaf2b1c3ae9 --- /dev/null +++ b/queue-4.19/perf-annotate-return-appropriate-error-code-for-allo.patch @@ -0,0 +1,52 @@ +From a26d37552711e5953ef83cf7f5385a6925973d85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2019 15:53:33 -0300 +Subject: perf annotate: Return appropriate error code for allocation failures + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 16ed3c1e91159e28b02f11f71ff4ce4cbc6f99e4 ] + +We should return errno or the annotation extra range understood by +symbol__strerror_disassemble() instead of -1, fix it, returning ENOMEM +instead. + +Reported-by: Russell King - ARM Linux admin +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra , +Cc: Will Deacon +Link: https://lkml.kernel.org/n/tip-8of1cmj3rz0mppfcshc9bbqq@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/annotate.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c +index 83a3ad4256c5b..6958d7eed5bed 100644 +--- a/tools/perf/util/annotate.c ++++ b/tools/perf/util/annotate.c +@@ -1614,7 +1614,7 @@ static int dso__disassemble_filename(struct dso *dso, char *filename, size_t fil + + build_id_path = strdup(filename); + if (!build_id_path) +- return -1; ++ return ENOMEM; + + /* + * old style build-id cache has name of XX/XXXXXXX.. while +@@ -2732,7 +2732,7 @@ int symbol__annotate2(struct symbol *sym, struct map *map, struct perf_evsel *ev + + notes->offsets = zalloc(size * sizeof(struct annotation_line *)); + if (notes->offsets == NULL) +- return -1; ++ return ENOMEM; + + if (perf_evsel__is_group_event(evsel)) + nr_pcnt = evsel->nr_members; +-- +2.20.1 + diff --git a/queue-4.19/perf-jevents-fix-period-for-intel-fixed-counters.patch b/queue-4.19/perf-jevents-fix-period-for-intel-fixed-counters.patch new file mode 100644 index 00000000000..b42fe91db1e --- /dev/null +++ b/queue-4.19/perf-jevents-fix-period-for-intel-fixed-counters.patch @@ -0,0 +1,53 @@ +From a072ef9588c96d735e53fa183d70e4c5c42fb55a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2019 16:35:45 -0700 +Subject: perf jevents: Fix period for Intel fixed counters + +From: Andi Kleen + +[ Upstream commit 6bdfd9f118bd59cf0f85d3bf4b72b586adea17c1 ] + +The Intel fixed counters use a special table to override the JSON +information. + +During this override the period information from the JSON file got +dropped, which results in inst_retired.any and similar running with +frequency mode instead of a period. + +Just specify the expected period in the table. + +Signed-off-by: Andi Kleen +Cc: Jiri Olsa +Link: http://lore.kernel.org/lkml/20190927233546.11533-2-andi@firstfloor.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/pmu-events/jevents.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tools/perf/pmu-events/jevents.c b/tools/perf/pmu-events/jevents.c +index 6b36b71106695..6cd9623ebc93b 100644 +--- a/tools/perf/pmu-events/jevents.c ++++ b/tools/perf/pmu-events/jevents.c +@@ -446,12 +446,12 @@ static struct fixed { + const char *name; + const char *event; + } fixed[] = { +- { "inst_retired.any", "event=0xc0" }, +- { "inst_retired.any_p", "event=0xc0" }, +- { "cpu_clk_unhalted.ref", "event=0x0,umask=0x03" }, +- { "cpu_clk_unhalted.thread", "event=0x3c" }, +- { "cpu_clk_unhalted.core", "event=0x3c" }, +- { "cpu_clk_unhalted.thread_any", "event=0x3c,any=1" }, ++ { "inst_retired.any", "event=0xc0,period=2000003" }, ++ { "inst_retired.any_p", "event=0xc0,period=2000003" }, ++ { "cpu_clk_unhalted.ref", "event=0x0,umask=0x03,period=2000003" }, ++ { "cpu_clk_unhalted.thread", "event=0x3c,period=2000003" }, ++ { "cpu_clk_unhalted.core", "event=0x3c,period=2000003" }, ++ { "cpu_clk_unhalted.thread_any", "event=0x3c,any=1,period=2000003" }, + { NULL, NULL}, + }; + +-- +2.20.1 + diff --git a/queue-4.19/perf-map-fix-overlapped-map-handling.patch b/queue-4.19/perf-map-fix-overlapped-map-handling.patch new file mode 100644 index 00000000000..4761ba63c2d --- /dev/null +++ b/queue-4.19/perf-map-fix-overlapped-map-handling.patch @@ -0,0 +1,120 @@ +From c747e5181ed38b28d294869fbd5e2fd26cfd9c34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Sep 2019 01:39:00 +0000 +Subject: perf map: Fix overlapped map handling + +From: Steve MacLean + +[ Upstream commit ee212d6ea20887c0ef352be8563ca13dbf965906 ] + +Whenever an mmap/mmap2 event occurs, the map tree must be updated to add a new +entry. If a new map overlaps a previous map, the overlapped section of the +previous map is effectively unmapped, but the non-overlapping sections are +still valid. + +maps__fixup_overlappings() is responsible for creating any new map entries from +the previously overlapped map. It optionally creates a before and an after map. + +When creating the after map the existing code failed to adjust the map.pgoff. +This meant the new after map would incorrectly calculate the file offset +for the ip. This results in incorrect symbol name resolution for any ip in the +after region. + +Make maps__fixup_overlappings() correctly populate map.pgoff. + +Add an assert that new mapping matches old mapping at the beginning of +the after map. + +Committer-testing: + +Validated correct parsing of libcoreclr.so symbols from .NET Core 3.0 preview9 +(which didn't strip symbols). + +Preparation: + + ~/dotnet3.0-preview9/dotnet new webapi -o perfSymbol + cd perfSymbol + ~/dotnet3.0-preview9/dotnet publish + perf record ~/dotnet3.0-preview9/dotnet \ + bin/Debug/netcoreapp3.0/publish/perfSymbol.dll + ^C + +Before: + + perf script --show-mmap-events 2>&1 | grep -e MMAP -e unknown |\ + grep libcoreclr.so | head -n 4 + dotnet 1907 373352.698780: PERF_RECORD_MMAP2 1907/1907: \ + [0x7fe615726000(0x768000) @ 0 08:02 5510620 765057155]: \ + r-xp .../3.0.0-preview9-19423-09/libcoreclr.so + dotnet 1907 373352.701091: PERF_RECORD_MMAP2 1907/1907: \ + [0x7fe615974000(0x1000) @ 0x24e000 08:02 5510620 765057155]: \ + rwxp .../3.0.0-preview9-19423-09/libcoreclr.so + dotnet 1907 373352.701241: PERF_RECORD_MMAP2 1907/1907: \ + [0x7fe615c42000(0x1000) @ 0x51c000 08:02 5510620 765057155]: \ + rwxp .../3.0.0-preview9-19423-09/libcoreclr.so + dotnet 1907 373352.705249: 250000 cpu-clock: \ + 7fe6159a1f99 [unknown] \ + (.../3.0.0-preview9-19423-09/libcoreclr.so) + +After: + + perf script --show-mmap-events 2>&1 | grep -e MMAP -e unknown |\ + grep libcoreclr.so | head -n 4 + dotnet 1907 373352.698780: PERF_RECORD_MMAP2 1907/1907: \ + [0x7fe615726000(0x768000) @ 0 08:02 5510620 765057155]: \ + r-xp .../3.0.0-preview9-19423-09/libcoreclr.so + dotnet 1907 373352.701091: PERF_RECORD_MMAP2 1907/1907: \ + [0x7fe615974000(0x1000) @ 0x24e000 08:02 5510620 765057155]: \ + rwxp .../3.0.0-preview9-19423-09/libcoreclr.so + dotnet 1907 373352.701241: PERF_RECORD_MMAP2 1907/1907: \ + [0x7fe615c42000(0x1000) @ 0x51c000 08:02 5510620 765057155]: \ + rwxp .../3.0.0-preview9-19423-09/libcoreclr.so + +All the [unknown] symbols were resolved. + +Signed-off-by: Steve MacLean +Tested-by: Brian Robbins +Acked-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Davidlohr Bueso +Cc: Eric Saint-Etienne +Cc: John Keeping +Cc: John Salem +Cc: Leo Yan +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Song Liu +Cc: Stephane Eranian +Cc: Tom McDonald +Link: http://lore.kernel.org/lkml/BN8PR21MB136270949F22A6A02335C238F7800@BN8PR21MB1362.namprd21.prod.outlook.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/map.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/perf/util/map.c b/tools/perf/util/map.c +index 6a6929f208b4d..1117ab86ebd34 100644 +--- a/tools/perf/util/map.c ++++ b/tools/perf/util/map.c +@@ -1,5 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0 + #include "symbol.h" ++#include + #include + #include + #include +@@ -751,6 +752,8 @@ static int maps__fixup_overlappings(struct maps *maps, struct map *map, FILE *fp + } + + after->start = map->end; ++ after->pgoff += map->end - pos->start; ++ assert(pos->map_ip(pos, map->end) == after->map_ip(after, map->end)); + __map_groups__insert(pos->groups, after); + if (verbose >= 2 && !use_browser) + map__fprintf(after, fp); +-- +2.20.1 + diff --git a/queue-4.19/perf-script-brstackinsn-fix-recovery-from-lbr-binary.patch b/queue-4.19/perf-script-brstackinsn-fix-recovery-from-lbr-binary.patch new file mode 100644 index 00000000000..bf086f68ff1 --- /dev/null +++ b/queue-4.19/perf-script-brstackinsn-fix-recovery-from-lbr-binary.patch @@ -0,0 +1,77 @@ +From 441bbafd42009e37fe57d89f93ecd8ee90d4ca76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2019 16:35:44 -0700 +Subject: perf script brstackinsn: Fix recovery from LBR/binary mismatch + +From: Andi Kleen + +[ Upstream commit e98df280bc2a499fd41d7f9e2d6733884de69902 ] + +When the LBR data and the instructions in a binary do not match the loop +printing instructions could get confused and print a long stream of +bogus instructions. + +The problem was that if the instruction decoder cannot decode an +instruction it ilen wasn't initialized, so the loop going through the +basic block would continue with the previous value. + +Harden the code to avoid such problems: + +- Make sure ilen is always freshly initialized and is 0 for bad + instructions. + +- Do not overrun the code buffer while printing instructions + +- Print a warning message if the final jump is not on an instruction + boundary. + +Signed-off-by: Andi Kleen +Cc: Jiri Olsa +Link: http://lore.kernel.org/lkml/20190927233546.11533-1-andi@firstfloor.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-script.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c +index 53c11fc0855ee..d20f851796c52 100644 +--- a/tools/perf/builtin-script.c ++++ b/tools/perf/builtin-script.c +@@ -1021,7 +1021,7 @@ static int perf_sample__fprintf_brstackinsn(struct perf_sample *sample, + continue; + + insn = 0; +- for (off = 0;; off += ilen) { ++ for (off = 0; off < (unsigned)len; off += ilen) { + uint64_t ip = start + off; + + printed += ip__fprintf_sym(ip, thread, x.cpumode, x.cpu, &lastsym, attr, fp); +@@ -1029,6 +1029,7 @@ static int perf_sample__fprintf_brstackinsn(struct perf_sample *sample, + printed += ip__fprintf_jump(ip, &br->entries[i], &x, buffer + off, len - off, insn, fp); + break; + } else { ++ ilen = 0; + printed += fprintf(fp, "\t%016" PRIx64 "\t%s\n", ip, + dump_insn(&x, ip, buffer + off, len - off, &ilen)); + if (ilen == 0) +@@ -1036,6 +1037,8 @@ static int perf_sample__fprintf_brstackinsn(struct perf_sample *sample, + insn++; + } + } ++ if (off != (unsigned)len) ++ printed += fprintf(fp, "\tmismatch of LBR data and executable\n"); + } + + /* +@@ -1066,6 +1069,7 @@ static int perf_sample__fprintf_brstackinsn(struct perf_sample *sample, + goto out; + } + for (off = 0; off <= end - start; off += ilen) { ++ ilen = 0; + printed += fprintf(fp, "\t%016" PRIx64 "\t%s\n", start + off, + dump_insn(&x, start + off, buffer + off, len - off, &ilen)); + if (ilen == 0) +-- +2.20.1 + diff --git a/queue-4.19/perf-tests-avoid-raising-segv-using-an-obvious-null-.patch b/queue-4.19/perf-tests-avoid-raising-segv-using-an-obvious-null-.patch new file mode 100644 index 00000000000..cfead0cef7d --- /dev/null +++ b/queue-4.19/perf-tests-avoid-raising-segv-using-an-obvious-null-.patch @@ -0,0 +1,90 @@ +From 08cfbf0760176993c2be4deef31d3926ed6332de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Sep 2019 12:59:24 -0700 +Subject: perf tests: Avoid raising SEGV using an obvious NULL dereference + +From: Ian Rogers + +[ Upstream commit e3e2cf3d5b1fe800b032e14c0fdcd9a6fb20cf3b ] + +An optimized build such as: + + make -C tools/perf CLANG=1 CC=clang EXTRA_CFLAGS="-O3 + +will turn the dereference operation into a ud2 instruction, raising a +SIGILL rather than a SIGSEGV. Use raise(..) for correctness and clarity. + +Similar issues were addressed in Numfor Mbiziwo-Tiapo's patch: + + https://lkml.org/lkml/2019/7/8/1234 + +Committer testing: + +Before: + + [root@quaco ~]# perf test hooks + 55: perf hooks : Ok + [root@quaco ~]# perf test -v hooks + 55: perf hooks : + --- start --- + test child forked, pid 17092 + SIGSEGV is observed as expected, try to recover. + Fatal error (SEGFAULT) in perf hook 'test' + test child finished with 0 + ---- end ---- + perf hooks: Ok + [root@quaco ~]# + +After: + + [root@quaco ~]# perf test hooks + 55: perf hooks : Ok + [root@quaco ~]# perf test -v hooks + 55: perf hooks : + --- start --- + test child forked, pid 17909 + SIGSEGV is observed as expected, try to recover. + Fatal error (SEGFAULT) in perf hook 'test' + test child finished with 0 + ---- end ---- + perf hooks: Ok + [root@quaco ~]# + +Fixes: a074865e60ed ("perf tools: Introduce perf hooks") +Signed-off-by: Ian Rogers +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Wang Nan +Link: http://lore.kernel.org/lkml/20190925195924.152834-2-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/perf-hooks.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/tools/perf/tests/perf-hooks.c b/tools/perf/tests/perf-hooks.c +index a693bcf017ea2..44c16fd11bf6e 100644 +--- a/tools/perf/tests/perf-hooks.c ++++ b/tools/perf/tests/perf-hooks.c +@@ -20,12 +20,11 @@ static void sigsegv_handler(int sig __maybe_unused) + static void the_hook(void *_hook_flags) + { + int *hook_flags = _hook_flags; +- int *p = NULL; + + *hook_flags = 1234; + + /* Generate a segfault, test perf_hooks__recover */ +- *p = 0; ++ raise(SIGSEGV); + } + + int test__perf_hooks(struct test *test __maybe_unused, int subtest __maybe_unused) +-- +2.20.1 + diff --git a/queue-4.19/perf-tools-propagate-get_cpuid-error.patch b/queue-4.19/perf-tools-propagate-get_cpuid-error.patch new file mode 100644 index 00000000000..159ea2b24a1 --- /dev/null +++ b/queue-4.19/perf-tools-propagate-get_cpuid-error.patch @@ -0,0 +1,138 @@ +From 57acaee278ff80b9559b8cc2d1df75f7e243a806 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2019 10:55:34 -0300 +Subject: perf tools: Propagate get_cpuid() error + +From: Arnaldo Carvalho de Melo + +[ Upstream commit f67001a4a08eb124197ed4376941e1da9cf94b42 ] + +For consistency, propagate the exact cause for get_cpuid() to have +failed. + +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: https://lkml.kernel.org/n/tip-9ig269f7ktnhh99g4l15vpu2@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/arch/powerpc/util/header.c | 3 ++- + tools/perf/arch/s390/util/header.c | 9 +++++---- + tools/perf/arch/x86/util/header.c | 3 ++- + tools/perf/builtin-kvm.c | 7 ++++--- + 4 files changed, 13 insertions(+), 9 deletions(-) + +diff --git a/tools/perf/arch/powerpc/util/header.c b/tools/perf/arch/powerpc/util/header.c +index 0b242664f5ea7..e46be9ef5a688 100644 +--- a/tools/perf/arch/powerpc/util/header.c ++++ b/tools/perf/arch/powerpc/util/header.c +@@ -1,5 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0 + #include ++#include + #include + #include + #include +@@ -31,7 +32,7 @@ get_cpuid(char *buffer, size_t sz) + buffer[nb-1] = '\0'; + return 0; + } +- return -1; ++ return ENOBUFS; + } + + char * +diff --git a/tools/perf/arch/s390/util/header.c b/tools/perf/arch/s390/util/header.c +index 163b92f339980..cc72554c362a1 100644 +--- a/tools/perf/arch/s390/util/header.c ++++ b/tools/perf/arch/s390/util/header.c +@@ -11,6 +11,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -56,7 +57,7 @@ int get_cpuid(char *buffer, size_t sz) + + sysinfo = fopen(SYSINFO, "r"); + if (sysinfo == NULL) +- return -1; ++ return errno; + + while ((read = getline(&line, &line_sz, sysinfo)) != -1) { + if (!strncmp(line, SYSINFO_MANU, strlen(SYSINFO_MANU))) { +@@ -91,7 +92,7 @@ int get_cpuid(char *buffer, size_t sz) + + /* Missing manufacturer, type or model information should not happen */ + if (!manufacturer[0] || !type[0] || !model[0]) +- return -1; ++ return EINVAL; + + /* + * Scan /proc/service_levels and return the CPU-MF counter facility +@@ -135,14 +136,14 @@ skip_sysinfo: + else + nbytes = snprintf(buffer, sz, "%s,%s,%s", manufacturer, type, + model); +- return (nbytes >= sz) ? -1 : 0; ++ return (nbytes >= sz) ? ENOBUFS : 0; + } + + char *get_cpuid_str(struct perf_pmu *pmu __maybe_unused) + { + char *buf = malloc(128); + +- if (buf && get_cpuid(buf, 128) < 0) ++ if (buf && get_cpuid(buf, 128)) + zfree(&buf); + return buf; + } +diff --git a/tools/perf/arch/x86/util/header.c b/tools/perf/arch/x86/util/header.c +index fb0d71afee8bb..2a5daec6fb8b0 100644 +--- a/tools/perf/arch/x86/util/header.c ++++ b/tools/perf/arch/x86/util/header.c +@@ -1,5 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0 + #include ++#include + #include + #include + #include +@@ -56,7 +57,7 @@ __get_cpuid(char *buffer, size_t sz, const char *fmt) + buffer[nb-1] = '\0'; + return 0; + } +- return -1; ++ return ENOBUFS; + } + + int +diff --git a/tools/perf/builtin-kvm.c b/tools/perf/builtin-kvm.c +index 2b1ef704169f2..952e2228f6c60 100644 +--- a/tools/perf/builtin-kvm.c ++++ b/tools/perf/builtin-kvm.c +@@ -699,14 +699,15 @@ static int process_sample_event(struct perf_tool *tool, + + static int cpu_isa_config(struct perf_kvm_stat *kvm) + { +- char buf[64], *cpuid; ++ char buf[128], *cpuid; + int err; + + if (kvm->live) { + err = get_cpuid(buf, sizeof(buf)); + if (err != 0) { +- pr_err("Failed to look up CPU type\n"); +- return err; ++ pr_err("Failed to look up CPU type: %s\n", ++ str_error_r(err, buf, sizeof(buf))); ++ return -err; + } + cpuid = buf; + } else +-- +2.20.1 + diff --git a/queue-4.19/perf-x86-amd-change-fix-nmi-latency-mitigation-to-us.patch b/queue-4.19/perf-x86-amd-change-fix-nmi-latency-mitigation-to-us.patch new file mode 100644 index 00000000000..4a34a7817cc --- /dev/null +++ b/queue-4.19/perf-x86-amd-change-fix-nmi-latency-mitigation-to-us.patch @@ -0,0 +1,131 @@ +From 842b44b69b54d8550896c3568b0ec1acfd16f0f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Aug 2019 18:57:41 +0000 +Subject: perf/x86/amd: Change/fix NMI latency mitigation to use a timestamp + +From: Tom Lendacky + +[ Upstream commit df4d29732fdad43a51284f826bec3e6ded177540 ] + +It turns out that the NMI latency workaround from commit: + + 6d3edaae16c6 ("x86/perf/amd: Resolve NMI latency issues for active PMCs") + +ends up being too conservative and results in the perf NMI handler claiming +NMIs too easily on AMD hardware when the NMI watchdog is active. + +This has an impact, for example, on the hpwdt (HPE watchdog timer) module. +This module can produce an NMI that is used to reset the system. It +registers an NMI handler for the NMI_UNKNOWN type and relies on the fact +that nothing has claimed an NMI so that its handler will be invoked when +the watchdog device produces an NMI. After the referenced commit, the +hpwdt module is unable to process its generated NMI if the NMI watchdog is +active, because the current NMI latency mitigation results in the NMI +being claimed by the perf NMI handler. + +Update the AMD perf NMI latency mitigation workaround to, instead, use a +window of time. Whenever a PMC is handled in the perf NMI handler, set a +timestamp which will act as a perf NMI window. Any NMIs arriving within +that window will be claimed by perf. Anything outside that window will +not be claimed by perf. The value for the NMI window is set to 100 msecs. +This is a conservative value that easily covers any NMI latency in the +hardware. While this still results in a window in which the hpwdt module +will not receive its NMI, the window is now much, much smaller. + +Signed-off-by: Tom Lendacky +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Borislav Petkov +Cc: Jerry Hoemann +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 6d3edaae16c6 ("x86/perf/amd: Resolve NMI latency issues for active PMCs") +Link: https://lkml.kernel.org/r/Message-ID: +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/core.c | 30 +++++++++++++++++------------- + 1 file changed, 17 insertions(+), 13 deletions(-) + +diff --git a/arch/x86/events/amd/core.c b/arch/x86/events/amd/core.c +index 27ade3cb6482c..defb536aebce2 100644 +--- a/arch/x86/events/amd/core.c ++++ b/arch/x86/events/amd/core.c +@@ -4,12 +4,14 @@ + #include + #include + #include ++#include + #include + #include + + #include "../perf_event.h" + +-static DEFINE_PER_CPU(unsigned int, perf_nmi_counter); ++static DEFINE_PER_CPU(unsigned long, perf_nmi_tstamp); ++static unsigned long perf_nmi_window; + + static __initconst const u64 amd_hw_cache_event_ids + [PERF_COUNT_HW_CACHE_MAX] +@@ -640,11 +642,12 @@ static void amd_pmu_disable_event(struct perf_event *event) + * handler when multiple PMCs are active or PMC overflow while handling some + * other source of an NMI. + * +- * Attempt to mitigate this by using the number of active PMCs to determine +- * whether to return NMI_HANDLED if the perf NMI handler did not handle/reset +- * any PMCs. The per-CPU perf_nmi_counter variable is set to a minimum of the +- * number of active PMCs or 2. The value of 2 is used in case an NMI does not +- * arrive at the LAPIC in time to be collapsed into an already pending NMI. ++ * Attempt to mitigate this by creating an NMI window in which un-handled NMIs ++ * received during this window will be claimed. This prevents extending the ++ * window past when it is possible that latent NMIs should be received. The ++ * per-CPU perf_nmi_tstamp will be set to the window end time whenever perf has ++ * handled a counter. When an un-handled NMI is received, it will be claimed ++ * only if arriving within that window. + */ + static int amd_pmu_handle_irq(struct pt_regs *regs) + { +@@ -662,21 +665,19 @@ static int amd_pmu_handle_irq(struct pt_regs *regs) + handled = x86_pmu_handle_irq(regs); + + /* +- * If a counter was handled, record the number of possible remaining +- * NMIs that can occur. ++ * If a counter was handled, record a timestamp such that un-handled ++ * NMIs will be claimed if arriving within that window. + */ + if (handled) { +- this_cpu_write(perf_nmi_counter, +- min_t(unsigned int, 2, active)); ++ this_cpu_write(perf_nmi_tstamp, ++ jiffies + perf_nmi_window); + + return handled; + } + +- if (!this_cpu_read(perf_nmi_counter)) ++ if (time_after(jiffies, this_cpu_read(perf_nmi_tstamp))) + return NMI_DONE; + +- this_cpu_dec(perf_nmi_counter); +- + return NMI_HANDLED; + } + +@@ -908,6 +909,9 @@ static int __init amd_core_pmu_init(void) + if (!boot_cpu_has(X86_FEATURE_PERFCTR_CORE)) + return 0; + ++ /* Avoid calulating the value each time in the NMI handler */ ++ perf_nmi_window = msecs_to_jiffies(100); ++ + switch (boot_cpu_data.x86) { + case 0x15: + pr_cont("Fam15h "); +-- +2.20.1 + diff --git a/queue-4.19/platform-x86-add-the-vlv-isp-pci-id-to-atomisp2_pm.patch b/queue-4.19/platform-x86-add-the-vlv-isp-pci-id-to-atomisp2_pm.patch new file mode 100644 index 00000000000..15133aa950e --- /dev/null +++ b/queue-4.19/platform-x86-add-the-vlv-isp-pci-id-to-atomisp2_pm.patch @@ -0,0 +1,43 @@ +From 31e7d17f84c335ea82d3f3d2346e7aca18ecda20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Nov 2018 19:44:44 +0200 +Subject: platform/x86: Add the VLV ISP PCI ID to atomisp2_pm +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +[ Upstream commit 8a7d7141528ad67e465bc6afacc6a3144d1fe320 ] + +If the ISP is exposed as a PCI device VLV machines need the +same treatment as CHV machines to power gate the ISP. Otherwise +s0ix will not work. + +Cc: Hans de Goede +Cc: Alan Cox +Cc: Andy Shevchenko +Cc: Darren Hart +Signed-off-by: Ville Syrjälä +Reviewed-by: Hans de Goede +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel_atomisp2_pm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/platform/x86/intel_atomisp2_pm.c b/drivers/platform/x86/intel_atomisp2_pm.c +index 9371603a0ac90..4a2ec5eeb6d8a 100644 +--- a/drivers/platform/x86/intel_atomisp2_pm.c ++++ b/drivers/platform/x86/intel_atomisp2_pm.c +@@ -99,6 +99,7 @@ static UNIVERSAL_DEV_PM_OPS(isp_pm_ops, isp_pci_suspend, + isp_pci_resume, NULL); + + static const struct pci_device_id isp_id_table[] = { ++ { PCI_VDEVICE(INTEL, 0x0f38), }, + { PCI_VDEVICE(INTEL, 0x22b8), }, + { 0, } + }; +-- +2.20.1 + diff --git a/queue-4.19/platform-x86-fix-config-space-access-for-intel_atomi.patch b/queue-4.19/platform-x86-fix-config-space-access-for-intel_atomi.patch new file mode 100644 index 00000000000..5e9d5095fc8 --- /dev/null +++ b/queue-4.19/platform-x86-fix-config-space-access-for-intel_atomi.patch @@ -0,0 +1,159 @@ +From 84fc47c4966cc08de099bc1d69766c767ad4ec3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Nov 2018 19:44:45 +0200 +Subject: platform/x86: Fix config space access for intel_atomisp2_pm +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +[ Upstream commit 6a31061833a52a79c99221b6251db08cf377470e ] + +We lose even config space access when we power gate the ISP +via the PUNIT. That makes lspci & co. produce gibberish. + +To fix that let's try to implement actual runtime pm hooks +and inform the pci core that the device always goes to +D3cold. That will cause the pci core to resume the device +before attempting config space access. + +This introduces another annoyance though. We get the +following error every time we try to resume the device: +intel_atomisp2_pm 0000:00:03.0: Refused to change power state, currently in D3 + +The reason being that the pci core tries to put the device +back into D0 via the standard PCI PM mechanism before +calling the driver resume hook. To fix this properly +we'd need to infiltrate the platform pm hooks (could +turn ugly real fast), or use pm domains (which don't +seem to exist on x86), or some extra early resume +hook for the driver (which doesn't exist either). +So maybe we just choose to live with the error? + +Cc: Hans de Goede +Cc: Alan Cox +Cc: Andy Shevchenko +Cc: Darren Hart +Signed-off-by: Ville Syrjälä +Signed-off-by: Andy Shevchenko +Reviewed-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel_atomisp2_pm.c | 68 +++++++++++++++++------- + 1 file changed, 48 insertions(+), 20 deletions(-) + +diff --git a/drivers/platform/x86/intel_atomisp2_pm.c b/drivers/platform/x86/intel_atomisp2_pm.c +index 4a2ec5eeb6d8a..b0f421fea2a58 100644 +--- a/drivers/platform/x86/intel_atomisp2_pm.c ++++ b/drivers/platform/x86/intel_atomisp2_pm.c +@@ -33,46 +33,45 @@ + #define ISPSSPM0_IUNIT_POWER_ON 0x0 + #define ISPSSPM0_IUNIT_POWER_OFF 0x3 + +-static int isp_probe(struct pci_dev *dev, const struct pci_device_id *id) ++static int isp_set_power(struct pci_dev *dev, bool enable) + { + unsigned long timeout; +- u32 val; +- +- pci_write_config_dword(dev, PCI_INTERRUPT_CTRL, 0); +- +- /* +- * MRFLD IUNIT DPHY is located in an always-power-on island +- * MRFLD HW design need all CSI ports are disabled before +- * powering down the IUNIT. +- */ +- pci_read_config_dword(dev, PCI_CSI_CONTROL, &val); +- val |= PCI_CSI_CONTROL_PORTS_OFF_MASK; +- pci_write_config_dword(dev, PCI_CSI_CONTROL, val); ++ u32 val = enable ? ISPSSPM0_IUNIT_POWER_ON : ++ ISPSSPM0_IUNIT_POWER_OFF; + +- /* Write 0x3 to ISPSSPM0 bit[1:0] to power off the IUNIT */ ++ /* Write to ISPSSPM0 bit[1:0] to power on/off the IUNIT */ + iosf_mbi_modify(BT_MBI_UNIT_PMC, MBI_REG_READ, ISPSSPM0, +- ISPSSPM0_IUNIT_POWER_OFF, ISPSSPM0_ISPSSC_MASK); ++ val, ISPSSPM0_ISPSSC_MASK); + + /* + * There should be no IUNIT access while power-down is + * in progress HW sighting: 4567865 + * Wait up to 50 ms for the IUNIT to shut down. ++ * And we do the same for power on. + */ + timeout = jiffies + msecs_to_jiffies(50); + while (1) { +- /* Wait until ISPSSPM0 bit[25:24] shows 0x3 */ +- iosf_mbi_read(BT_MBI_UNIT_PMC, MBI_REG_READ, ISPSSPM0, &val); +- val = (val & ISPSSPM0_ISPSSS_MASK) >> ISPSSPM0_ISPSSS_OFFSET; +- if (val == ISPSSPM0_IUNIT_POWER_OFF) ++ u32 tmp; ++ ++ /* Wait until ISPSSPM0 bit[25:24] shows the right value */ ++ iosf_mbi_read(BT_MBI_UNIT_PMC, MBI_REG_READ, ISPSSPM0, &tmp); ++ tmp = (tmp & ISPSSPM0_ISPSSS_MASK) >> ISPSSPM0_ISPSSS_OFFSET; ++ if (tmp == val) + break; + + if (time_after(jiffies, timeout)) { +- dev_err(&dev->dev, "IUNIT power-off timeout.\n"); ++ dev_err(&dev->dev, "IUNIT power-%s timeout.\n", ++ enable ? "on" : "off"); + return -EBUSY; + } + usleep_range(1000, 2000); + } + ++ return 0; ++} ++ ++static int isp_probe(struct pci_dev *dev, const struct pci_device_id *id) ++{ + pm_runtime_allow(&dev->dev); + pm_runtime_put_sync_suspend(&dev->dev); + +@@ -87,11 +86,40 @@ static void isp_remove(struct pci_dev *dev) + + static int isp_pci_suspend(struct device *dev) + { ++ struct pci_dev *pdev = to_pci_dev(dev); ++ u32 val; ++ ++ pci_write_config_dword(pdev, PCI_INTERRUPT_CTRL, 0); ++ ++ /* ++ * MRFLD IUNIT DPHY is located in an always-power-on island ++ * MRFLD HW design need all CSI ports are disabled before ++ * powering down the IUNIT. ++ */ ++ pci_read_config_dword(pdev, PCI_CSI_CONTROL, &val); ++ val |= PCI_CSI_CONTROL_PORTS_OFF_MASK; ++ pci_write_config_dword(pdev, PCI_CSI_CONTROL, val); ++ ++ /* ++ * We lose config space access when punit power gates ++ * the ISP. Can't use pci_set_power_state() because ++ * pmcsr won't actually change when we write to it. ++ */ ++ pci_save_state(pdev); ++ pdev->current_state = PCI_D3cold; ++ isp_set_power(pdev, false); ++ + return 0; + } + + static int isp_pci_resume(struct device *dev) + { ++ struct pci_dev *pdev = to_pci_dev(dev); ++ ++ isp_set_power(pdev, true); ++ pdev->current_state = PCI_D0; ++ pci_restore_state(pdev); ++ + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.19/power-supply-max14656-fix-potential-use-after-free.patch b/queue-4.19/power-supply-max14656-fix-potential-use-after-free.patch new file mode 100644 index 00000000000..8817a78713b --- /dev/null +++ b/queue-4.19/power-supply-max14656-fix-potential-use-after-free.patch @@ -0,0 +1,71 @@ +From 30f534a2a33d193bcd1ac2a91dd5d7716b049d6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Feb 2019 16:43:03 -0500 +Subject: power: supply: max14656: fix potential use-after-free + +From: Sven Van Asbroeck + +[ Upstream commit 252fbeb86ceffa549af9842cefca2412d53a7653 ] + +Explicitly cancel/sync the irq_work delayed work, otherwise +there's a chance that it will run after the device is removed, +which would result in a use-after-free. + +Note that cancel/sync should happen: +- after irq's have been disabled, as the isr re-schedules the work +- before the power supply is unregistered, because the work func + uses the power supply handle. + +Cc: Alexander Kurz +Signed-off-by: Sven Van Asbroeck +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + .../power/supply/max14656_charger_detector.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/supply/max14656_charger_detector.c b/drivers/power/supply/max14656_charger_detector.c +index d19307f791c68..9e6472834e373 100644 +--- a/drivers/power/supply/max14656_charger_detector.c ++++ b/drivers/power/supply/max14656_charger_detector.c +@@ -240,6 +240,14 @@ static enum power_supply_property max14656_battery_props[] = { + POWER_SUPPLY_PROP_MANUFACTURER, + }; + ++static void stop_irq_work(void *data) ++{ ++ struct max14656_chip *chip = data; ++ ++ cancel_delayed_work_sync(&chip->irq_work); ++} ++ ++ + static int max14656_probe(struct i2c_client *client, + const struct i2c_device_id *id) + { +@@ -278,8 +286,6 @@ static int max14656_probe(struct i2c_client *client, + if (ret) + return -ENODEV; + +- INIT_DELAYED_WORK(&chip->irq_work, max14656_irq_worker); +- + chip->detect_psy = devm_power_supply_register(dev, + &chip->psy_desc, &psy_cfg); + if (IS_ERR(chip->detect_psy)) { +@@ -287,6 +293,13 @@ static int max14656_probe(struct i2c_client *client, + return -EINVAL; + } + ++ INIT_DELAYED_WORK(&chip->irq_work, max14656_irq_worker); ++ ret = devm_add_action(dev, stop_irq_work, chip); ++ if (ret) { ++ dev_err(dev, "devm_add_action %d failed\n", ret); ++ return ret; ++ } ++ + ret = devm_request_irq(dev, chip->irq, max14656_irq, + IRQF_TRIGGER_FALLING, + MAX14656_NAME, chip); +-- +2.20.1 + diff --git a/queue-4.19/powerpc-powernv-hold-device_hotplug_lock-when-callin.patch b/queue-4.19/powerpc-powernv-hold-device_hotplug_lock-when-callin.patch new file mode 100644 index 00000000000..99c395c3eab --- /dev/null +++ b/queue-4.19/powerpc-powernv-hold-device_hotplug_lock-when-callin.patch @@ -0,0 +1,96 @@ +From f4ce8d37b16ebc967709f092a973f7097c75d8a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Oct 2018 15:10:39 -0700 +Subject: powerpc/powernv: hold device_hotplug_lock when calling + memtrace_offline_pages() + +From: David Hildenbrand + +[ Upstream commit 5666848774ef43d3db5151ec518f1deb63515c20 ] + +Let's perform all checking + offlining + removing under +device_hotplug_lock, so nobody can mess with these devices via sysfs +concurrently. + +[david@redhat.com: take device_hotplug_lock outside of loop] + Link: http://lkml.kernel.org/r/20180927092554.13567-6-david@redhat.com +Link: http://lkml.kernel.org/r/20180925091457.28651-6-david@redhat.com +Signed-off-by: David Hildenbrand +Reviewed-by: Pavel Tatashin +Reviewed-by: Rashmica Gupta +Acked-by: Balbir Singh +Cc: Benjamin Herrenschmidt +Cc: Paul Mackerras +Cc: Michael Ellerman +Cc: Rashmica Gupta +Cc: Michael Neuling +Cc: Boris Ostrovsky +Cc: Dan Williams +Cc: Greg Kroah-Hartman +Cc: Haiyang Zhang +Cc: Heiko Carstens +Cc: John Allen +Cc: Jonathan Corbet +Cc: Joonsoo Kim +Cc: Juergen Gross +Cc: Kate Stewart +Cc: "K. Y. Srinivasan" +Cc: Len Brown +Cc: Martin Schwidefsky +Cc: Mathieu Malaterre +Cc: Michal Hocko +Cc: Nathan Fontenot +Cc: Oscar Salvador +Cc: Philippe Ombredanne +Cc: Rafael J. Wysocki +Cc: "Rafael J. Wysocki" +Cc: Stephen Hemminger +Cc: Thomas Gleixner +Cc: Vlastimil Babka +Cc: YASUAKI ISHIMATSU +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/memtrace.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/powernv/memtrace.c b/arch/powerpc/platforms/powernv/memtrace.c +index a29fdf8a2e56e..232bf5987f91d 100644 +--- a/arch/powerpc/platforms/powernv/memtrace.c ++++ b/arch/powerpc/platforms/powernv/memtrace.c +@@ -70,6 +70,7 @@ static int change_memblock_state(struct memory_block *mem, void *arg) + return 0; + } + ++/* called with device_hotplug_lock held */ + static bool memtrace_offline_pages(u32 nid, u64 start_pfn, u64 nr_pages) + { + u64 end_pfn = start_pfn + nr_pages - 1; +@@ -110,6 +111,7 @@ static u64 memtrace_alloc_node(u32 nid, u64 size) + /* Trace memory needs to be aligned to the size */ + end_pfn = round_down(end_pfn - nr_pages, nr_pages); + ++ lock_device_hotplug(); + for (base_pfn = end_pfn; base_pfn > start_pfn; base_pfn -= nr_pages) { + if (memtrace_offline_pages(nid, base_pfn, nr_pages) == true) { + /* +@@ -118,7 +120,6 @@ static u64 memtrace_alloc_node(u32 nid, u64 size) + * we never try to remove memory that spans two iomem + * resources. + */ +- lock_device_hotplug(); + end_pfn = base_pfn + nr_pages; + for (pfn = base_pfn; pfn < end_pfn; pfn += bytes>> PAGE_SHIFT) { + remove_memory(nid, pfn << PAGE_SHIFT, bytes); +@@ -127,6 +128,7 @@ static u64 memtrace_alloc_node(u32 nid, u64 size) + return base_pfn << PAGE_SHIFT; + } + } ++ unlock_device_hotplug(); + + return 0; + } +-- +2.20.1 + diff --git a/queue-4.19/rdma-hfi1-prevent-memory-leak-in-sdma_init.patch b/queue-4.19/rdma-hfi1-prevent-memory-leak-in-sdma_init.patch new file mode 100644 index 00000000000..f60f4a4a9bb --- /dev/null +++ b/queue-4.19/rdma-hfi1-prevent-memory-leak-in-sdma_init.patch @@ -0,0 +1,42 @@ +From bf68bb0cf3d70ba651cbfe486e20d91662428086 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Sep 2019 09:45:42 -0500 +Subject: RDMA/hfi1: Prevent memory leak in sdma_init + +From: Navid Emamdoost + +[ Upstream commit 34b3be18a04ecdc610aae4c48e5d1b799d8689f6 ] + +In sdma_init if rhashtable_init fails the allocated memory for +tmp_sdma_rht should be released. + +Fixes: 5a52a7acf7e2 ("IB/hfi1: NULL pointer dereference when freeing rhashtable") +Link: https://lore.kernel.org/r/20190925144543.10141-1-navid.emamdoost@gmail.com +Signed-off-by: Navid Emamdoost +Acked-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/sdma.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c +index d648a4167832c..64ab92f8a4a28 100644 +--- a/drivers/infiniband/hw/hfi1/sdma.c ++++ b/drivers/infiniband/hw/hfi1/sdma.c +@@ -1518,8 +1518,11 @@ int sdma_init(struct hfi1_devdata *dd, u8 port) + } + + ret = rhashtable_init(tmp_sdma_rht, &sdma_rht_params); +- if (ret < 0) ++ if (ret < 0) { ++ kfree(tmp_sdma_rht); + goto bail; ++ } ++ + dd->sdma_rht = tmp_sdma_rht; + + dd_dev_info(dd, "SDMA num_sdma: %u\n", dd->num_sdma); +-- +2.20.1 + diff --git a/queue-4.19/rdma-iwcm-fix-a-lock-inversion-issue.patch b/queue-4.19/rdma-iwcm-fix-a-lock-inversion-issue.patch new file mode 100644 index 00000000000..40f409527c0 --- /dev/null +++ b/queue-4.19/rdma-iwcm-fix-a-lock-inversion-issue.patch @@ -0,0 +1,87 @@ +From aa6586f9338c1c9c0d1a14ec7e7b72928d01d7e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2019 16:16:54 -0700 +Subject: RDMA/iwcm: Fix a lock inversion issue + +From: Bart Van Assche + +[ Upstream commit b66f31efbdad95ec274345721d99d1d835e6de01 ] + +This patch fixes the lock inversion complaint: + +============================================ +WARNING: possible recursive locking detected +5.3.0-rc7-dbg+ #1 Not tainted +-------------------------------------------- +kworker/u16:6/171 is trying to acquire lock: +00000000035c6e6c (&id_priv->handler_mutex){+.+.}, at: rdma_destroy_id+0x78/0x4a0 [rdma_cm] + +but task is already holding lock: +00000000bc7c307d (&id_priv->handler_mutex){+.+.}, at: iw_conn_req_handler+0x151/0x680 [rdma_cm] + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&id_priv->handler_mutex); + lock(&id_priv->handler_mutex); + + *** DEADLOCK *** + + May be due to missing lock nesting notation + +3 locks held by kworker/u16:6/171: + #0: 00000000e2eaa773 ((wq_completion)iw_cm_wq){+.+.}, at: process_one_work+0x472/0xac0 + #1: 000000001efd357b ((work_completion)(&work->work)#3){+.+.}, at: process_one_work+0x476/0xac0 + #2: 00000000bc7c307d (&id_priv->handler_mutex){+.+.}, at: iw_conn_req_handler+0x151/0x680 [rdma_cm] + +stack backtrace: +CPU: 3 PID: 171 Comm: kworker/u16:6 Not tainted 5.3.0-rc7-dbg+ #1 +Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 +Workqueue: iw_cm_wq cm_work_handler [iw_cm] +Call Trace: + dump_stack+0x8a/0xd6 + __lock_acquire.cold+0xe1/0x24d + lock_acquire+0x106/0x240 + __mutex_lock+0x12e/0xcb0 + mutex_lock_nested+0x1f/0x30 + rdma_destroy_id+0x78/0x4a0 [rdma_cm] + iw_conn_req_handler+0x5c9/0x680 [rdma_cm] + cm_work_handler+0xe62/0x1100 [iw_cm] + process_one_work+0x56d/0xac0 + worker_thread+0x7a/0x5d0 + kthread+0x1bc/0x210 + ret_from_fork+0x24/0x30 + +This is not a bug as there are actually two lock classes here. + +Link: https://lore.kernel.org/r/20190930231707.48259-3-bvanassche@acm.org +Fixes: de910bd92137 ("RDMA/cma: Simplify locking needed for serialization of callbacks") +Signed-off-by: Bart Van Assche +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index 6257be21cbedd..1f373ba573b6d 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -2270,9 +2270,10 @@ static int iw_conn_req_handler(struct iw_cm_id *cm_id, + conn_id->cm_id.iw = NULL; + cma_exch(conn_id, RDMA_CM_DESTROYING); + mutex_unlock(&conn_id->handler_mutex); ++ mutex_unlock(&listen_id->handler_mutex); + cma_deref_id(conn_id); + rdma_destroy_id(&conn_id->id); +- goto out; ++ return ret; + } + + mutex_unlock(&conn_id->handler_mutex); +-- +2.20.1 + diff --git a/queue-4.19/rtc-pcf8523-set-xtal-load-capacitance-from-dt.patch b/queue-4.19/rtc-pcf8523-set-xtal-load-capacitance-from-dt.patch new file mode 100644 index 00000000000..6ffc22937f0 --- /dev/null +++ b/queue-4.19/rtc-pcf8523-set-xtal-load-capacitance-from-dt.patch @@ -0,0 +1,90 @@ +From 7bd6907559c187c896a366402726bacb8581a08d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Jan 2019 10:00:30 +0100 +Subject: rtc: pcf8523: set xtal load capacitance from DT + +From: Sam Ravnborg + +[ Upstream commit 189927e719e36ceefbb8037f23d3849e47833aef ] + +Add support for specifying the xtal load capacitance in the DT node. +The pcf8523 supports xtal load capacitance of 7pF or 12.5pF. +If the rtc has the wrong configuration the time will +drift several hours/week. + +The driver use the default value 12.5pF. + +The DT may specify either 7000fF or 12500fF. +(The DT uses femto Farad to avoid decimal numbers). +Other values are warned and the driver uses the default value. + +Signed-off-by: Sam Ravnborg +Cc: Alessandro Zummo +Cc: Alexandre Belloni +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-pcf8523.c | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +diff --git a/drivers/rtc/rtc-pcf8523.c b/drivers/rtc/rtc-pcf8523.c +index 3fcd2cbafc845..2e03021f15d13 100644 +--- a/drivers/rtc/rtc-pcf8523.c ++++ b/drivers/rtc/rtc-pcf8523.c +@@ -97,8 +97,9 @@ static int pcf8523_voltage_low(struct i2c_client *client) + return !!(value & REG_CONTROL3_BLF); + } + +-static int pcf8523_select_capacitance(struct i2c_client *client, bool high) ++static int pcf8523_load_capacitance(struct i2c_client *client) + { ++ u32 load; + u8 value; + int err; + +@@ -106,14 +107,24 @@ static int pcf8523_select_capacitance(struct i2c_client *client, bool high) + if (err < 0) + return err; + +- if (!high) +- value &= ~REG_CONTROL1_CAP_SEL; +- else ++ load = 12500; ++ of_property_read_u32(client->dev.of_node, "quartz-load-femtofarads", ++ &load); ++ ++ switch (load) { ++ default: ++ dev_warn(&client->dev, "Unknown quartz-load-femtofarads value: %d. Assuming 12500", ++ load); ++ /* fall through */ ++ case 12500: + value |= REG_CONTROL1_CAP_SEL; ++ break; ++ case 7000: ++ value &= ~REG_CONTROL1_CAP_SEL; ++ break; ++ } + + err = pcf8523_write(client, REG_CONTROL1, value); +- if (err < 0) +- return err; + + return err; + } +@@ -347,9 +358,10 @@ static int pcf8523_probe(struct i2c_client *client, + if (!pcf) + return -ENOMEM; + +- err = pcf8523_select_capacitance(client, true); ++ err = pcf8523_load_capacitance(client); + if (err < 0) +- return err; ++ dev_warn(&client->dev, "failed to set xtal load capacitance: %d", ++ err); + + err = pcf8523_set_pm(client, 0); + if (err < 0) +-- +2.20.1 + diff --git a/queue-4.19/s390-uaccess-avoid-false-positive-compiler-warnings.patch b/queue-4.19/s390-uaccess-avoid-false-positive-compiler-warnings.patch new file mode 100644 index 00000000000..0df9134a83f --- /dev/null +++ b/queue-4.19/s390-uaccess-avoid-false-positive-compiler-warnings.patch @@ -0,0 +1,60 @@ +From a6c2f3b898ad374c54e5feaf1e4a62d50bfa8b6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2019 17:02:32 +0200 +Subject: s390/uaccess: avoid (false positive) compiler warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian Borntraeger + +[ Upstream commit 062795fcdcb2d22822fb42644b1d76a8ad8439b3 ] + +Depending on inlining decisions by the compiler, __get/put_user_fn +might become out of line. Then the compiler is no longer able to tell +that size can only be 1,2,4 or 8 due to the check in __get/put_user +resulting in false positives like + +./arch/s390/include/asm/uaccess.h: In function ‘__put_user_fn’: +./arch/s390/include/asm/uaccess.h:113:9: warning: ‘rc’ may be used uninitialized in this function [-Wmaybe-uninitialized] + 113 | return rc; + | ^~ +./arch/s390/include/asm/uaccess.h: In function ‘__get_user_fn’: +./arch/s390/include/asm/uaccess.h:143:9: warning: ‘rc’ may be used uninitialized in this function [-Wmaybe-uninitialized] + 143 | return rc; + | ^~ + +These functions are supposed to be always inlined. Mark it as such. + +Signed-off-by: Christian Borntraeger +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/uaccess.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h +index 5332f628c1edc..40194f8c772a0 100644 +--- a/arch/s390/include/asm/uaccess.h ++++ b/arch/s390/include/asm/uaccess.h +@@ -84,7 +84,7 @@ raw_copy_to_user(void __user *to, const void *from, unsigned long n); + __rc; \ + }) + +-static inline int __put_user_fn(void *x, void __user *ptr, unsigned long size) ++static __always_inline int __put_user_fn(void *x, void __user *ptr, unsigned long size) + { + unsigned long spec = 0x010000UL; + int rc; +@@ -114,7 +114,7 @@ static inline int __put_user_fn(void *x, void __user *ptr, unsigned long size) + return rc; + } + +-static inline int __get_user_fn(void *x, const void __user *ptr, unsigned long size) ++static __always_inline int __get_user_fn(void *x, const void __user *ptr, unsigned long size) + { + unsigned long spec = 0x01UL; + int rc; +-- +2.20.1 + diff --git a/queue-4.19/samples-bpf-fix-seg-fault-with-null-pointer-arg.patch b/queue-4.19/samples-bpf-fix-seg-fault-with-null-pointer-arg.patch new file mode 100644 index 00000000000..81bfdbdca0b --- /dev/null +++ b/queue-4.19/samples-bpf-fix-seg-fault-with-null-pointer-arg.patch @@ -0,0 +1,41 @@ +From 64ca358394866e827071461f787e1b5886dd556f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Dec 2018 19:39:30 +0900 +Subject: samples: bpf: fix: seg fault with NULL pointer arg + +From: Daniel T. Lee + +[ Upstream commit d59dd69d5576d699d7d3f5da0b4738c3a36d0133 ] + +When NULL pointer accidentally passed to write_kprobe_events, +due to strlen(NULL), segmentation fault happens. +Changed code returns -1 to deal with this situation. + +Bug issued with Smatch, static analysis. + +Signed-off-by: Daniel T. Lee +Acked-by: Song Liu +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + samples/bpf/bpf_load.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/samples/bpf/bpf_load.c b/samples/bpf/bpf_load.c +index 5061a2ec45646..176c04a454dc9 100644 +--- a/samples/bpf/bpf_load.c ++++ b/samples/bpf/bpf_load.c +@@ -59,7 +59,9 @@ static int write_kprobe_events(const char *val) + { + int fd, ret, flags; + +- if ((val != NULL) && (val[0] == '\0')) ++ if (val == NULL) ++ return -1; ++ else if (val[0] == '\0') + flags = O_WRONLY | O_TRUNC; + else + flags = O_WRONLY | O_APPEND; +-- +2.20.1 + diff --git a/queue-4.19/sc16is7xx-fix-for-unexpected-interrupt-8.patch b/queue-4.19/sc16is7xx-fix-for-unexpected-interrupt-8.patch new file mode 100644 index 00000000000..6a2254e9e0f --- /dev/null +++ b/queue-4.19/sc16is7xx-fix-for-unexpected-interrupt-8.patch @@ -0,0 +1,121 @@ +From bcb14e921e32208b00ce31db459418503d2df049 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Sep 2018 15:31:56 +0100 +Subject: sc16is7xx: Fix for "Unexpected interrupt: 8" + +From: Phil Elwell + +[ Upstream commit 30ec514d440cf2c472c8e4b0079af2c731f71a3e ] + +The SC16IS752 has an Enhanced Feature Register which is aliased at the +same address as the Interrupt Identification Register; accessing it +requires that a magic value is written to the Line Configuration +Register. If an interrupt is raised while the EFR is mapped in then +the ISR won't be able to access the IIR, leading to the "Unexpected +interrupt" error messages. + +Avoid the problem by claiming a mutex around accesses to the EFR +register, also claiming the mutex in the interrupt handler work +item (this is equivalent to disabling interrupts to interlock against +a non-threaded interrupt handler). + +See: https://github.com/raspberrypi/linux/issues/2529 + +Signed-off-by: Phil Elwell +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/sc16is7xx.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c +index 372cc7ff228fc..ebea4a9d8e694 100644 +--- a/drivers/tty/serial/sc16is7xx.c ++++ b/drivers/tty/serial/sc16is7xx.c +@@ -328,6 +328,7 @@ struct sc16is7xx_port { + struct kthread_worker kworker; + struct task_struct *kworker_task; + struct kthread_work irq_work; ++ struct mutex efr_lock; + struct sc16is7xx_one p[0]; + }; + +@@ -499,6 +500,21 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) + div /= 4; + } + ++ /* In an amazing feat of design, the Enhanced Features Register shares ++ * the address of the Interrupt Identification Register, and is ++ * switched in by writing a magic value (0xbf) to the Line Control ++ * Register. Any interrupt firing during this time will see the EFR ++ * where it expects the IIR to be, leading to "Unexpected interrupt" ++ * messages. ++ * ++ * Prevent this possibility by claiming a mutex while accessing the ++ * EFR, and claiming the same mutex from within the interrupt handler. ++ * This is similar to disabling the interrupt, but that doesn't work ++ * because the bulk of the interrupt processing is run as a workqueue ++ * job in thread context. ++ */ ++ mutex_lock(&s->efr_lock); ++ + lcr = sc16is7xx_port_read(port, SC16IS7XX_LCR_REG); + + /* Open the LCR divisors for configuration */ +@@ -514,6 +530,8 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) + /* Put LCR back to the normal mode */ + sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, lcr); + ++ mutex_unlock(&s->efr_lock); ++ + sc16is7xx_port_update(port, SC16IS7XX_MCR_REG, + SC16IS7XX_MCR_CLKSEL_BIT, + prescaler); +@@ -696,6 +714,8 @@ static void sc16is7xx_ist(struct kthread_work *ws) + { + struct sc16is7xx_port *s = to_sc16is7xx_port(ws, irq_work); + ++ mutex_lock(&s->efr_lock); ++ + while (1) { + bool keep_polling = false; + int i; +@@ -705,6 +725,8 @@ static void sc16is7xx_ist(struct kthread_work *ws) + if (!keep_polling) + break; + } ++ ++ mutex_unlock(&s->efr_lock); + } + + static irqreturn_t sc16is7xx_irq(int irq, void *dev_id) +@@ -899,6 +921,9 @@ static void sc16is7xx_set_termios(struct uart_port *port, + if (!(termios->c_cflag & CREAD)) + port->ignore_status_mask |= SC16IS7XX_LSR_BRK_ERROR_MASK; + ++ /* As above, claim the mutex while accessing the EFR. */ ++ mutex_lock(&s->efr_lock); ++ + sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, + SC16IS7XX_LCR_CONF_MODE_B); + +@@ -920,6 +945,8 @@ static void sc16is7xx_set_termios(struct uart_port *port, + /* Update LCR register */ + sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, lcr); + ++ mutex_unlock(&s->efr_lock); ++ + /* Get baud rate generator configuration */ + baud = uart_get_baud_rate(port, termios, old, + port->uartclk / 16 / 4 / 0xffff, +@@ -1185,6 +1212,7 @@ static int sc16is7xx_probe(struct device *dev, + s->regmap = regmap; + s->devtype = devtype; + dev_set_drvdata(dev, s); ++ mutex_init(&s->efr_lock); + + kthread_init_worker(&s->kworker); + kthread_init_work(&s->irq_work, sc16is7xx_ist); +-- +2.20.1 + diff --git a/queue-4.19/sched-vtime-fix-guest-system-mis-accounting-on-task-.patch b/queue-4.19/sched-vtime-fix-guest-system-mis-accounting-on-task-.patch new file mode 100644 index 00000000000..a371e7a9e6a --- /dev/null +++ b/queue-4.19/sched-vtime-fix-guest-system-mis-accounting-on-task-.patch @@ -0,0 +1,79 @@ +From f38e80727c9ab4f362d9350e8faac0d20cdfbc7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Sep 2019 23:42:42 +0200 +Subject: sched/vtime: Fix guest/system mis-accounting on task switch + +From: Frederic Weisbecker + +[ Upstream commit 68e7a4d66b0ce04bf18ff2ffded5596ab3618585 ] + +vtime_account_system() assumes that the target task to account cputime +to is always the current task. This is most often true indeed except on +task switch where we call: + + vtime_common_task_switch(prev) + vtime_account_system(prev) + +Here prev is the scheduling-out task where we account the cputime to. It +doesn't match current that is already the scheduling-in task at this +stage of the context switch. + +So we end up checking the wrong task flags to determine if we are +accounting guest or system time to the previous task. + +As a result the wrong task is used to check if the target is running in +guest mode. We may then spuriously account or leak either system or +guest time on task switch. + +Fix this assumption and also turn vtime_guest_enter/exit() to use the +task passed in parameter as well to avoid future similar issues. + +Signed-off-by: Frederic Weisbecker +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Rik van Riel +Cc: Thomas Gleixner +Cc: Wanpeng Li +Fixes: 2a42eb9594a1 ("sched/cputime: Accumulate vtime on top of nsec clocksource") +Link: https://lkml.kernel.org/r/20190925214242.21873-1-frederic@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/sched/cputime.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/kernel/sched/cputime.c b/kernel/sched/cputime.c +index 0796f938c4f0d..54eb9457b21d3 100644 +--- a/kernel/sched/cputime.c ++++ b/kernel/sched/cputime.c +@@ -739,7 +739,7 @@ void vtime_account_system(struct task_struct *tsk) + + write_seqcount_begin(&vtime->seqcount); + /* We might have scheduled out from guest path */ +- if (current->flags & PF_VCPU) ++ if (tsk->flags & PF_VCPU) + vtime_account_guest(tsk, vtime); + else + __vtime_account_system(tsk, vtime); +@@ -782,7 +782,7 @@ void vtime_guest_enter(struct task_struct *tsk) + */ + write_seqcount_begin(&vtime->seqcount); + __vtime_account_system(tsk, vtime); +- current->flags |= PF_VCPU; ++ tsk->flags |= PF_VCPU; + write_seqcount_end(&vtime->seqcount); + } + EXPORT_SYMBOL_GPL(vtime_guest_enter); +@@ -793,7 +793,7 @@ void vtime_guest_exit(struct task_struct *tsk) + + write_seqcount_begin(&vtime->seqcount); + vtime_account_guest(tsk, vtime); +- current->flags &= ~PF_VCPU; ++ tsk->flags &= ~PF_VCPU; + write_seqcount_end(&vtime->seqcount); + } + EXPORT_SYMBOL_GPL(vtime_guest_exit); +-- +2.20.1 + diff --git a/queue-4.19/scripts-setlocalversion-improve-dirty-check-with-git.patch b/queue-4.19/scripts-setlocalversion-improve-dirty-check-with-git.patch new file mode 100644 index 00000000000..54fae12b8f9 --- /dev/null +++ b/queue-4.19/scripts-setlocalversion-improve-dirty-check-with-git.patch @@ -0,0 +1,69 @@ +From 44f993a588e298471689e98801cc24e89b9bce3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Nov 2018 18:11:18 -0800 +Subject: scripts/setlocalversion: Improve -dirty check with git-status + --no-optional-locks + +From: Brian Norris + +[ Upstream commit ff64dd4857303dd5550faed9fd598ac90f0f2238 ] + +git-diff-index does not refresh the index for you, so using it for a +"-dirty" check can give misleading results. Commit 6147b1cf19651 +("scripts/setlocalversion: git: Make -dirty check more robust") tried to +fix this by switching to git-status, but it overlooked the fact that +git-status also writes to the .git directory of the source tree, which +is definitely not kosher for an out-of-tree (O=) build. That is getting +reverted. + +Fortunately, git-status now supports avoiding writing to the index via +the --no-optional-locks flag, as of git 2.14. It still calculates an +up-to-date index, but it avoids writing it out to the .git directory. + +So, let's retry the solution from commit 6147b1cf19651 using this new +flag first, and if it fails, we assume this is an older version of git +and just use the old git-diff-index method. + +It's hairy to get the 'grep -vq' (inverted matching) correct by stashing +the output of git-status (you have to be careful about the difference +betwen "empty stdin" and "blank line on stdin"), so just pipe the output +directly to grep and use a regex that's good enough for both the +git-status and git-diff-index version. + +Cc: Christian Kujau +Cc: Guenter Roeck +Suggested-by: Alexander Kapshuk +Signed-off-by: Brian Norris +Tested-by: Genki Sky +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/setlocalversion | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/scripts/setlocalversion b/scripts/setlocalversion +index 71f39410691b6..365b3c2b8f431 100755 +--- a/scripts/setlocalversion ++++ b/scripts/setlocalversion +@@ -73,8 +73,16 @@ scm_version() + printf -- '-svn%s' "`git svn find-rev $head`" + fi + +- # Check for uncommitted changes +- if git diff-index --name-only HEAD | grep -qv "^scripts/package"; then ++ # Check for uncommitted changes. ++ # First, with git-status, but --no-optional-locks is only ++ # supported in git >= 2.14, so fall back to git-diff-index if ++ # it fails. Note that git-diff-index does not refresh the ++ # index, so it may give misleading results. See ++ # git-update-index(1), git-diff-index(1), and git-status(1). ++ if { ++ git --no-optional-locks status -uno --porcelain 2>/dev/null || ++ git diff-index --name-only HEAD ++ } | grep -qvE '^(.. )?scripts/package'; then + printf '%s' -dirty + fi + +-- +2.20.1 + diff --git a/queue-4.19/scsi-lpfc-correct-localport-timeout-duration-error.patch b/queue-4.19/scsi-lpfc-correct-localport-timeout-duration-error.patch new file mode 100644 index 00000000000..70a53b3b586 --- /dev/null +++ b/queue-4.19/scsi-lpfc-correct-localport-timeout-duration-error.patch @@ -0,0 +1,58 @@ +From c9c4f0b8aa2465aefd93ca510fa45e74341d86e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Mar 2019 16:30:16 -0700 +Subject: scsi: lpfc: Correct localport timeout duration error + +From: James Smart + +[ Upstream commit 2a0fb340fcc816975b8b0f2fef913d11999c39cf ] + +Current code incorrectly specifies a completion wait timeout duration in 5 +jiffies, when it should have been 5 seconds. + +Fix the adjust for units for the completion timeout call. + +[mkp: manual merge] + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_nvmet.c | 6 +++++- + drivers/scsi/lpfc/lpfc_nvmet.h | 2 ++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_nvmet.c b/drivers/scsi/lpfc/lpfc_nvmet.c +index e2575c8ec93e8..22efefcc6cd84 100644 +--- a/drivers/scsi/lpfc/lpfc_nvmet.c ++++ b/drivers/scsi/lpfc/lpfc_nvmet.c +@@ -1713,7 +1713,11 @@ lpfc_nvmet_destroy_targetport(struct lpfc_hba *phba) + } + tgtp->tport_unreg_cmp = &tport_unreg_cmp; + nvmet_fc_unregister_targetport(phba->targetport); +- wait_for_completion_timeout(&tport_unreg_cmp, 5); ++ if (!wait_for_completion_timeout(tgtp->tport_unreg_cmp, ++ msecs_to_jiffies(LPFC_NVMET_WAIT_TMO))) ++ lpfc_printf_log(phba, KERN_ERR, LOG_NVME, ++ "6179 Unreg targetport %p timeout " ++ "reached.\n", phba->targetport); + lpfc_nvmet_cleanup_io_context(phba); + } + phba->targetport = NULL; +diff --git a/drivers/scsi/lpfc/lpfc_nvmet.h b/drivers/scsi/lpfc/lpfc_nvmet.h +index 0ec1082ce7ef6..3b170284a0e59 100644 +--- a/drivers/scsi/lpfc/lpfc_nvmet.h ++++ b/drivers/scsi/lpfc/lpfc_nvmet.h +@@ -31,6 +31,8 @@ + #define LPFC_NVMET_MRQ_AUTO 0 + #define LPFC_NVMET_MRQ_MAX 16 + ++#define LPFC_NVMET_WAIT_TMO (5 * MSEC_PER_SEC) ++ + /* Used for NVME Target */ + struct lpfc_nvmet_tgtport { + struct lpfc_hba *phba; +-- +2.20.1 + diff --git a/queue-4.19/scsi-lpfc-fix-a-duplicate-0711-log-message-number.patch b/queue-4.19/scsi-lpfc-fix-a-duplicate-0711-log-message-number.patch new file mode 100644 index 00000000000..af92a781409 --- /dev/null +++ b/queue-4.19/scsi-lpfc-fix-a-duplicate-0711-log-message-number.patch @@ -0,0 +1,35 @@ +From 756ebac19bcac2103451e89531979b01066d71d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Nov 2018 16:09:31 -0800 +Subject: scsi: lpfc: Fix a duplicate 0711 log message number. + +From: James Smart + +[ Upstream commit 2c4c91415a05677acc5c8131a5eb472d4aa96ae1 ] + +Renumber one of the 0711 log messages so there isn't a duplication. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_scsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c +index 200b5bca1f5f4..666495f21c246 100644 +--- a/drivers/scsi/lpfc/lpfc_scsi.c ++++ b/drivers/scsi/lpfc/lpfc_scsi.c +@@ -4161,7 +4161,7 @@ lpfc_scsi_cmd_iocb_cmpl(struct lpfc_hba *phba, struct lpfc_iocbq *pIocbIn, + /* If pCmd was set to NULL from abort path, do not call scsi_done */ + if (xchg(&lpfc_cmd->pCmd, NULL) == NULL) { + lpfc_printf_vlog(vport, KERN_INFO, LOG_FCP, +- "0711 FCP cmd already NULL, sid: 0x%06x, " ++ "5688 FCP cmd already NULL, sid: 0x%06x, " + "did: 0x%06x, oxid: 0x%04x\n", + vport->fc_myDID, + (pnode) ? pnode->nlp_DID : 0, +-- +2.20.1 + diff --git a/queue-4.19/serial-mctrl_gpio-check-for-null-pointer.patch b/queue-4.19/serial-mctrl_gpio-check-for-null-pointer.patch new file mode 100644 index 00000000000..c8fda147813 --- /dev/null +++ b/queue-4.19/serial-mctrl_gpio-check-for-null-pointer.patch @@ -0,0 +1,40 @@ +From bb16107227c5ee1876c9e8e21dd0d3c4f4ed267d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Oct 2019 11:33:11 -0500 +Subject: serial: mctrl_gpio: Check for NULL pointer + +From: Adam Ford + +[ Upstream commit 37e3ab00e4734acc15d96b2926aab55c894f4d9c ] + +When using mctrl_gpio_to_gpiod, it dereferences gpios into a single +requested GPIO. This dereferencing can break if gpios is NULL, +so this patch adds a NULL check before dereferencing it. If +gpios is NULL, this function will also return NULL. + +Signed-off-by: Adam Ford +Reviewed-by: Yegor Yefremov +Link: https://lore.kernel.org/r/20191006163314.23191-1-aford173@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/serial_mctrl_gpio.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/tty/serial/serial_mctrl_gpio.c b/drivers/tty/serial/serial_mctrl_gpio.c +index 07f318603e740..af0412a784d27 100644 +--- a/drivers/tty/serial/serial_mctrl_gpio.c ++++ b/drivers/tty/serial/serial_mctrl_gpio.c +@@ -60,6 +60,9 @@ EXPORT_SYMBOL_GPL(mctrl_gpio_set); + struct gpio_desc *mctrl_gpio_to_gpiod(struct mctrl_gpios *gpios, + enum mctrl_gpio_idx gidx) + { ++ if (gpios == NULL) ++ return NULL; ++ + return gpios->gpio[gidx]; + } + EXPORT_SYMBOL_GPL(mctrl_gpio_to_gpiod); +-- +2.20.1 + diff --git a/queue-4.19/series b/queue-4.19/series new file mode 100644 index 00000000000..ddbfe15bb4d --- /dev/null +++ b/queue-4.19/series @@ -0,0 +1,100 @@ +zram-fix-race-between-backing_dev_show-and-backing_d.patch +dm-snapshot-introduce-account_start_copy-and-account.patch +dm-snapshot-rework-cow-throttling-to-fix-deadlock.patch +btrfs-fix-inode-cache-block-reserve-leak-on-failure-.patch +btrfs-fix-memory-leak-due-to-concurrent-append-write.patch +btrfs-qgroup-always-free-prealloc-meta-reserve-in-bt.patch +btrfs-tracepoints-fix-wrong-parameter-order-for-qgro.patch +wil6210-fix-freeing-of-rx-buffers-in-edma-mode.patch +f2fs-flush-quota-blocks-after-turnning-it-off.patch +scsi-lpfc-fix-a-duplicate-0711-log-message-number.patch +sc16is7xx-fix-for-unexpected-interrupt-8.patch +powerpc-powernv-hold-device_hotplug_lock-when-callin.patch +f2fs-fix-to-recover-inode-s-i_gc_failures-during-por.patch +f2fs-fix-to-recover-inode-i_flags-of-inode-block-dur.patch +hid-i2c-hid-add-direkt-tek-dtlapy133-1-to-descriptor.patch +usb-dwc2-fix-unbalanced-use-of-external-vbus-supply.patch +tools-power-turbostat-fix-goldmont-c-state-limit-dec.patch +x86-cpu-add-atom-tremont-jacobsville.patch +drm-msm-dpu-handle-failures-while-initializing-displ.patch +bcache-fix-input-overflow-to-writeback_rate_minimum.patch +pci-fix-switchtec-dma-aliasing-quirk-dmesg-noise.patch +btrfs-fix-deadlock-on-tree-root-leaf-when-finding-fr.patch +netfilter-ipset-make-invalid-mac-address-checks-cons.patch +hid-i2c-hid-disable-runtime-pm-for-lg-touchscreen.patch +hid-i2c-hid-ignore-input-report-if-there-s-no-data-p.patch +hid-i2c-hid-add-odys-winbook-13-to-descriptor-overri.patch +platform-x86-add-the-vlv-isp-pci-id-to-atomisp2_pm.patch +platform-x86-fix-config-space-access-for-intel_atomi.patch +ath10k-assign-n_cipher_suites-11-for-wcn3990-to-enab.patch +clk-boston-unregister-clks-on-failure-in-clk_boston_.patch +scripts-setlocalversion-improve-dirty-check-with-git.patch +staging-mt7621-pinctrl-use-pinconf-generic-for-dt_no.patch +hid-add-asus-t100chi-keyboard-dock-battery-quirks.patch +nfsv4-ensure-that-the-state-manager-exits-the-loop-o.patch +hid-steam-fix-boot-loop-with-bluetooth-firmware.patch +hid-steam-fix-deadlock-with-input-devices.patch +samples-bpf-fix-seg-fault-with-null-pointer-arg.patch +usb-dwc3-gadget-early-giveback-if-end-transfer-alrea.patch +usb-dwc3-gadget-clear-dwc3_ep_transfer_started-on-cm.patch +alsa-usb-audio-cleanup-dsd-whitelist.patch +usb-handle-warm-reset-port-requests-on-hub-resume.patch +rtc-pcf8523-set-xtal-load-capacitance-from-dt.patch +arm64-kpti-whitelist-hisilicon-taishan-v110-cpus.patch +mlxsw-spectrum-set-lag-port-collector-only-when-acti.patch +net-stmmac-fix-napi-poll-in-tx-path-when-in-multi-qu.patch +scsi-lpfc-correct-localport-timeout-duration-error.patch +cifs-respect-smb2-hdr-preamble-size-in-read-response.patch +cifs-add-credits-from-unmatched-responses-messages.patch +alsa-hda-realtek-apply-alc294-hp-init-also-for-s4-re.patch +media-vimc-remove-unused-but-set-variables.patch +ext4-disallow-files-with-ext4_journal_data_fl-from-e.patch +exec-load_script-do-not-exec-truncated-interpreter-p.patch +net-dsa-mv88e6xxx-release-lock-while-requesting-irq.patch +pci-pme-fix-possible-use-after-free-on-remove.patch +drm-amd-display-fix-odm-combine-pipe-reset.patch +power-supply-max14656-fix-potential-use-after-free.patch +iio-adc-meson_saradc-fix-memory-allocation-order.patch +iio-fix-center-temperature-of-bmc150-accel-core.patch +libsubcmd-make-_fortify_source-defines-dependent-on-.patch +perf-tests-avoid-raising-segv-using-an-obvious-null-.patch +perf-map-fix-overlapped-map-handling.patch +perf-script-brstackinsn-fix-recovery-from-lbr-binary.patch +perf-jevents-fix-period-for-intel-fixed-counters.patch +perf-tools-propagate-get_cpuid-error.patch +perf-annotate-propagate-perf_env__arch-error.patch +perf-annotate-fix-the-signedness-of-failure-returns.patch +perf-annotate-propagate-the-symbol__annotate-error-r.patch +perf-annotate-return-appropriate-error-code-for-allo.patch +staging-rtl8188eu-fix-null-dereference-when-kzalloc-.patch +rdma-hfi1-prevent-memory-leak-in-sdma_init.patch +rdma-iwcm-fix-a-lock-inversion-issue.patch +hid-hyperv-use-in-place-iterator-api-in-the-channel-.patch +nfs-fix-nfsi-nrequests-count-error-on-nfs_inode_remo.patch +arm64-ftrace-ensure-synchronisation-in-plt-setup-for.patch +tty-serial-owl-fix-the-link-time-qualifier-of-owl_ua.patch +tty-n_hdlc-fix-build-on-sparc.patch +gpio-max77620-use-correct-unit-for-debounce-times.patch +fs-cifs-mute-wunused-const-variable-message.patch +serial-mctrl_gpio-check-for-null-pointer.patch +efi-cper-fix-endianness-of-pcie-class-code.patch +efi-x86-do-not-clean-dummy-variable-in-kexec-path.patch +mips-include-mark-__cmpxchg-as-__always_inline.patch +x86-xen-return-from-panic-notifier.patch +ocfs2-clear-zero-in-unaligned-direct-io.patch +fs-ocfs2-fix-possible-null-pointer-dereferences-in-o.patch +fs-ocfs2-fix-a-possible-null-pointer-dereference-in-.patch +fs-ocfs2-fix-a-possible-null-pointer-dereference-in-.patch-767 +arm64-armv8_deprecated-checking-return-value-for-mem.patch +x86-cpu-add-comet-lake-to-the-intel-cpu-models-heade.patch +sched-vtime-fix-guest-system-mis-accounting-on-task-.patch +perf-x86-amd-change-fix-nmi-latency-mitigation-to-us.patch +drm-amdgpu-fix-memory-leak.patch +iio-imu-adis16400-release-allocated-memory-on-failur.patch +mips-include-mark-__xchg-as-__always_inline.patch +mips-fw-sni-fix-out-of-bounds-init-of-o32-stack.patch +virt-vbox-fix-memory-leak-in-hgcm_call_preprocess_li.patch +nbd-fix-possible-sysfs-duplicate-warning.patch +nfsv4-fix-leak-of-clp-cl_acceptor-string.patch +s390-uaccess-avoid-false-positive-compiler-warnings.patch +tracing-initialize-iter-seq-after-zeroing-in-tracing.patch diff --git a/queue-4.19/staging-mt7621-pinctrl-use-pinconf-generic-for-dt_no.patch b/queue-4.19/staging-mt7621-pinctrl-use-pinconf-generic-for-dt_no.patch new file mode 100644 index 00000000000..908c1b0d051 --- /dev/null +++ b/queue-4.19/staging-mt7621-pinctrl-use-pinconf-generic-for-dt_no.patch @@ -0,0 +1,117 @@ +From 9a1d176e9182e42746c89684c2abca8e9b0c7dba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jan 2019 12:34:08 +0100 +Subject: staging: mt7621-pinctrl: use pinconf-generic for 'dt_node_to_map' and + 'dt_free_map' + +From: Sergio Paracuellos + +[ Upstream commit 0ca1f90861b6d64386261096b42bfc81ce11948a ] + +Instead of reimplement afunction to do 'dt_node_to_map' task like +'rt2880_pinctrl_dt_node_to_map' make use of 'pinconf_generic_dt_node_to_map_all' +generic function for this task. Also use its equivalent function for free which +is 'pinconf_generic_dt_free_map'. Remove 'rt2880_pinctrl_dt_node_to_map' function +which is not needed anymore. This decrease a bit driver LOC and make it more +generic. To properly compile this changes 'GENERIC_PINCONF' option is selected +with the driver in its Kconfig file. + +This also fix a problem with function 'rt2880_pinctrl_dt_node_to_map' which was +calling internally 'pinctrl_utils_reserve_map' which expects 'num_maps' to be initialized. +It does a memory allocation based on the value, and triggers the following +warning if is not properly set: + +if (unlikely(order >= MAX_ORDER)) { + WARN_ON_ONCE(!(gfp_mask & __GFP_NOWARN)); + return NULL; +} + +Generic function 'pinconf_generic_dt_node_to_map_all' initializes properly +'num_maps' to zero fixing the problem. + +Fixes: e12a1a6e087b ("staging: mt7621-pinctrl: refactor rt2880_pinctrl_dt_node_to_map function") +Reported-by: NeilBrown +Tested-by: NeilBrown +Signed-off-by: Sergio Paracuellos +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/mt7621-pinctrl/Kconfig | 1 + + .../staging/mt7621-pinctrl/pinctrl-rt2880.c | 41 ++----------------- + 2 files changed, 4 insertions(+), 38 deletions(-) + +diff --git a/drivers/staging/mt7621-pinctrl/Kconfig b/drivers/staging/mt7621-pinctrl/Kconfig +index 37cf9c3273beb..fc36127113072 100644 +--- a/drivers/staging/mt7621-pinctrl/Kconfig ++++ b/drivers/staging/mt7621-pinctrl/Kconfig +@@ -2,3 +2,4 @@ config PINCTRL_RT2880 + bool "RT2800 pinctrl driver for RALINK/Mediatek SOCs" + depends on RALINK + select PINMUX ++ select GENERIC_PINCONF +diff --git a/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c b/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c +index aa98fbb170139..80e7067cfb797 100644 +--- a/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c ++++ b/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -73,48 +74,12 @@ static int rt2880_get_group_pins(struct pinctrl_dev *pctrldev, + return 0; + } + +-static int rt2880_pinctrl_dt_node_to_map(struct pinctrl_dev *pctrldev, +- struct device_node *np_config, +- struct pinctrl_map **map, +- unsigned int *num_maps) +-{ +- struct rt2880_priv *p = pinctrl_dev_get_drvdata(pctrldev); +- struct property *prop; +- const char *function_name, *group_name; +- int ret; +- int ngroups = 0; +- unsigned int reserved_maps = 0; +- +- for_each_node_with_property(np_config, "group") +- ngroups++; +- +- *map = NULL; +- ret = pinctrl_utils_reserve_map(pctrldev, map, &reserved_maps, +- num_maps, ngroups); +- if (ret) { +- dev_err(p->dev, "can't reserve map: %d\n", ret); +- return ret; +- } +- +- of_property_for_each_string(np_config, "group", prop, group_name) { +- ret = pinctrl_utils_add_map_mux(pctrldev, map, &reserved_maps, +- num_maps, group_name, +- function_name); +- if (ret) { +- dev_err(p->dev, "can't add map: %d\n", ret); +- return ret; +- } +- } +- +- return 0; +-} +- + static const struct pinctrl_ops rt2880_pctrl_ops = { + .get_groups_count = rt2880_get_group_count, + .get_group_name = rt2880_get_group_name, + .get_group_pins = rt2880_get_group_pins, +- .dt_node_to_map = rt2880_pinctrl_dt_node_to_map, +- .dt_free_map = pinctrl_utils_free_map, ++ .dt_node_to_map = pinconf_generic_dt_node_to_map_all, ++ .dt_free_map = pinconf_generic_dt_free_map, + }; + + static int rt2880_pmx_func_count(struct pinctrl_dev *pctrldev) +-- +2.20.1 + diff --git a/queue-4.19/staging-rtl8188eu-fix-null-dereference-when-kzalloc-.patch b/queue-4.19/staging-rtl8188eu-fix-null-dereference-when-kzalloc-.patch new file mode 100644 index 00000000000..fa8b6146408 --- /dev/null +++ b/queue-4.19/staging-rtl8188eu-fix-null-dereference-when-kzalloc-.patch @@ -0,0 +1,48 @@ +From 1a9121aa0b8ff13f4d63b149dfe705a52a4def7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2019 14:44:15 -0700 +Subject: staging: rtl8188eu: fix null dereference when kzalloc fails + +From: Connor Kuehl + +[ Upstream commit 955c1532a34305f2f780b47f0c40cc7c65500810 ] + +If kzalloc() returns NULL, the error path doesn't stop the flow of +control from entering rtw_hal_read_chip_version() which dereferences the +null pointer. Fix this by adding a 'goto' to the error path to more +gracefully handle the issue and avoid proceeding with initialization +steps that we're no longer prepared to handle. + +Also update the debug message to be more consistent with the other debug +messages in this function. + +Addresses-Coverity: ("Dereference after null check") + +Signed-off-by: Connor Kuehl +Link: https://lore.kernel.org/r/20190927214415.899-1-connor.kuehl@canonical.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8188eu/os_dep/usb_intf.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/rtl8188eu/os_dep/usb_intf.c b/drivers/staging/rtl8188eu/os_dep/usb_intf.c +index dfee6985efa61..8ef7b44b6abc1 100644 +--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c ++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c +@@ -348,8 +348,10 @@ static struct adapter *rtw_usb_if1_init(struct dvobj_priv *dvobj, + } + + padapter->HalData = kzalloc(sizeof(struct hal_data_8188e), GFP_KERNEL); +- if (!padapter->HalData) +- DBG_88E("cant not alloc memory for HAL DATA\n"); ++ if (!padapter->HalData) { ++ DBG_88E("Failed to allocate memory for HAL data\n"); ++ goto free_adapter; ++ } + + /* step read_chip_version */ + rtw_hal_read_chip_version(padapter); +-- +2.20.1 + diff --git a/queue-4.19/tools-power-turbostat-fix-goldmont-c-state-limit-dec.patch b/queue-4.19/tools-power-turbostat-fix-goldmont-c-state-limit-dec.patch new file mode 100644 index 00000000000..2119b05a42f --- /dev/null +++ b/queue-4.19/tools-power-turbostat-fix-goldmont-c-state-limit-dec.patch @@ -0,0 +1,59 @@ +From dfd1254a4643adea93d37b8fb7212972dcacab21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Dec 2018 20:02:27 -0500 +Subject: tools/power turbostat: fix goldmont C-state limit decoding + +From: Len Brown + +[ Upstream commit 445640a563493f28d15f47e151e671281101e7dc ] + +When the C-state limit is 8 on Goldmont, PC10 is enabled. +Previously turbostat saw this as "undefined", and thus assumed +it should not show some counters, such as pc3, pc6, pc7. + +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 71cf7e77291ad..823bbc741ad7a 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -1953,11 +1953,12 @@ done: + #define PCL_7S 11 /* PC7 Shrink */ + #define PCL__8 12 /* PC8 */ + #define PCL__9 13 /* PC9 */ +-#define PCLUNL 14 /* Unlimited */ ++#define PCL_10 14 /* PC10 */ ++#define PCLUNL 15 /* Unlimited */ + + int pkg_cstate_limit = PCLUKN; + char *pkg_cstate_limit_strings[] = { "reserved", "unknown", "pc0", "pc1", "pc2", +- "pc3", "pc4", "pc6", "pc6n", "pc6r", "pc7", "pc7s", "pc8", "pc9", "unlimited"}; ++ "pc3", "pc4", "pc6", "pc6n", "pc6r", "pc7", "pc7s", "pc8", "pc9", "pc10", "unlimited"}; + + int nhm_pkg_cstate_limits[16] = {PCL__0, PCL__1, PCL__3, PCL__6, PCL__7, PCLRSV, PCLRSV, PCLUNL, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV}; + int snb_pkg_cstate_limits[16] = {PCL__0, PCL__2, PCL_6N, PCL_6R, PCL__7, PCL_7S, PCLRSV, PCLUNL, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV}; +@@ -1965,7 +1966,7 @@ int hsw_pkg_cstate_limits[16] = {PCL__0, PCL__2, PCL__3, PCL__6, PCL__7, PCL_7S, + int slv_pkg_cstate_limits[16] = {PCL__0, PCL__1, PCLRSV, PCLRSV, PCL__4, PCLRSV, PCL__6, PCL__7, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCL__6, PCL__7}; + int amt_pkg_cstate_limits[16] = {PCLUNL, PCL__1, PCL__2, PCLRSV, PCLRSV, PCLRSV, PCL__6, PCL__7, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV}; + int phi_pkg_cstate_limits[16] = {PCL__0, PCL__2, PCL_6N, PCL_6R, PCLRSV, PCLRSV, PCLRSV, PCLUNL, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV}; +-int bxt_pkg_cstate_limits[16] = {PCL__0, PCL__2, PCLUNL, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV}; ++int glm_pkg_cstate_limits[16] = {PCLUNL, PCL__1, PCL__3, PCL__6, PCL__7, PCL_7S, PCL__8, PCL__9, PCL_10, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV}; + int skx_pkg_cstate_limits[16] = {PCL__0, PCL__2, PCL_6N, PCL_6R, PCLRSV, PCLRSV, PCLRSV, PCLUNL, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV, PCLRSV}; + + +@@ -3165,7 +3166,7 @@ int probe_nhm_msrs(unsigned int family, unsigned int model) + case INTEL_FAM6_ATOM_GOLDMONT: /* BXT */ + case INTEL_FAM6_ATOM_GOLDMONT_PLUS: + case INTEL_FAM6_ATOM_GOLDMONT_X: /* DNV */ +- pkg_cstate_limits = bxt_pkg_cstate_limits; ++ pkg_cstate_limits = glm_pkg_cstate_limits; + break; + default: + return 0; +-- +2.20.1 + diff --git a/queue-4.19/tracing-initialize-iter-seq-after-zeroing-in-tracing.patch b/queue-4.19/tracing-initialize-iter-seq-after-zeroing-in-tracing.patch new file mode 100644 index 00000000000..fae65341ff9 --- /dev/null +++ b/queue-4.19/tracing-initialize-iter-seq-after-zeroing-in-tracing.patch @@ -0,0 +1,82 @@ +From ccb570dcb75e17a040cb37ab41a396cc4d08564d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2019 16:21:34 +0200 +Subject: tracing: Initialize iter->seq after zeroing in tracing_read_pipe() + +From: Petr Mladek + +[ Upstream commit d303de1fcf344ff7c15ed64c3f48a991c9958775 ] + +A customer reported the following softlockup: + +[899688.160002] NMI watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [test.sh:16464] +[899688.160002] CPU: 0 PID: 16464 Comm: test.sh Not tainted 4.12.14-6.23-azure #1 SLE12-SP4 +[899688.160002] RIP: 0010:up_write+0x1a/0x30 +[899688.160002] Kernel panic - not syncing: softlockup: hung tasks +[899688.160002] RIP: 0010:up_write+0x1a/0x30 +[899688.160002] RSP: 0018:ffffa86784d4fde8 EFLAGS: 00000257 ORIG_RAX: ffffffffffffff12 +[899688.160002] RAX: ffffffff970fea00 RBX: 0000000000000001 RCX: 0000000000000000 +[899688.160002] RDX: ffffffff00000001 RSI: 0000000000000080 RDI: ffffffff970fea00 +[899688.160002] RBP: ffffffffffffffff R08: ffffffffffffffff R09: 0000000000000000 +[899688.160002] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8b59014720d8 +[899688.160002] R13: ffff8b59014720c0 R14: ffff8b5901471090 R15: ffff8b5901470000 +[899688.160002] tracing_read_pipe+0x336/0x3c0 +[899688.160002] __vfs_read+0x26/0x140 +[899688.160002] vfs_read+0x87/0x130 +[899688.160002] SyS_read+0x42/0x90 +[899688.160002] do_syscall_64+0x74/0x160 + +It caught the process in the middle of trace_access_unlock(). There is +no loop. So, it must be looping in the caller tracing_read_pipe() +via the "waitagain" label. + +Crashdump analyze uncovered that iter->seq was completely zeroed +at this point, including iter->seq.seq.size. It means that +print_trace_line() was never able to print anything and +there was no forward progress. + +The culprit seems to be in the code: + + /* reset all but tr, trace, and overruns */ + memset(&iter->seq, 0, + sizeof(struct trace_iterator) - + offsetof(struct trace_iterator, seq)); + +It was added by the commit 53d0aa773053ab182877 ("ftrace: +add logic to record overruns"). It was v2.6.27-rc1. +It was the time when iter->seq looked like: + + struct trace_seq { + unsigned char buffer[PAGE_SIZE]; + unsigned int len; + }; + +There was no "size" variable and zeroing was perfectly fine. + +The solution is to reinitialize the structure after or without +zeroing. + +Link: http://lkml.kernel.org/r/20191011142134.11997-1-pmladek@suse.com + +Signed-off-by: Petr Mladek +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 27b17ea44f745..bdd7f3d78724e 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -5766,6 +5766,7 @@ waitagain: + sizeof(struct trace_iterator) - + offsetof(struct trace_iterator, seq)); + cpumask_clear(iter->started); ++ trace_seq_init(&iter->seq); + iter->pos = -1; + + trace_event_read_lock(); +-- +2.20.1 + diff --git a/queue-4.19/tty-n_hdlc-fix-build-on-sparc.patch b/queue-4.19/tty-n_hdlc-fix-build-on-sparc.patch new file mode 100644 index 00000000000..4f92faca9b8 --- /dev/null +++ b/queue-4.19/tty-n_hdlc-fix-build-on-sparc.patch @@ -0,0 +1,52 @@ +From 00fdca347d36dab9e8b63a297a22e2e0fbb77221 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2019 19:15:12 -0700 +Subject: tty: n_hdlc: fix build on SPARC + +From: Randy Dunlap + +[ Upstream commit 47a7e5e97d4edd7b14974d34f0e5a5560fad2915 ] + +Fix tty driver build on SPARC by not using __exitdata. +It appears that SPARC does not support section .exit.data. + +Fixes these build errors: + +`.exit.data' referenced in section `.exit.text' of drivers/tty/n_hdlc.o: defined in discarded section `.exit.data' of drivers/tty/n_hdlc.o +`.exit.data' referenced in section `.exit.text' of drivers/tty/n_hdlc.o: defined in discarded section `.exit.data' of drivers/tty/n_hdlc.o +`.exit.data' referenced in section `.exit.text' of drivers/tty/n_hdlc.o: defined in discarded section `.exit.data' of drivers/tty/n_hdlc.o +`.exit.data' referenced in section `.exit.text' of drivers/tty/n_hdlc.o: defined in discarded section `.exit.data' of drivers/tty/n_hdlc.o + +Reported-by: kbuild test robot +Fixes: 063246641d4a ("format-security: move static strings to const") +Signed-off-by: Randy Dunlap +Cc: Kees Cook +Cc: Greg Kroah-Hartman +Cc: "David S. Miller" +Cc: Andrew Morton +Link: https://lore.kernel.org/r/675e7bd9-955b-3ff3-1101-a973b58b5b75@infradead.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/n_hdlc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c +index bb63519db7ae4..c943716c019e4 100644 +--- a/drivers/tty/n_hdlc.c ++++ b/drivers/tty/n_hdlc.c +@@ -968,6 +968,11 @@ static int __init n_hdlc_init(void) + + } /* end of init_module() */ + ++#ifdef CONFIG_SPARC ++#undef __exitdata ++#define __exitdata ++#endif ++ + static const char hdlc_unregister_ok[] __exitdata = + KERN_INFO "N_HDLC: line discipline unregistered\n"; + static const char hdlc_unregister_fail[] __exitdata = +-- +2.20.1 + diff --git a/queue-4.19/tty-serial-owl-fix-the-link-time-qualifier-of-owl_ua.patch b/queue-4.19/tty-serial-owl-fix-the-link-time-qualifier-of-owl_ua.patch new file mode 100644 index 00000000000..7e5667bb45b --- /dev/null +++ b/queue-4.19/tty-serial-owl-fix-the-link-time-qualifier-of-owl_ua.patch @@ -0,0 +1,36 @@ +From 1683618ee5304b3c8e0e643d3a57811146e133b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Sep 2019 06:11:29 +0200 +Subject: tty: serial: owl: Fix the link time qualifier of 'owl_uart_exit()' + +From: Christophe JAILLET + +[ Upstream commit 6264dab6efd6069f0387efb078a9960b5642377b ] + +'exit' functions should be marked as __exit, not __init. + +Fixes: fc60a8b675bd ("tty: serial: owl: Implement console driver") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20190910041129.6978-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/owl-uart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/owl-uart.c b/drivers/tty/serial/owl-uart.c +index 29a6dc6a8d23c..73fcc6bdb0312 100644 +--- a/drivers/tty/serial/owl-uart.c ++++ b/drivers/tty/serial/owl-uart.c +@@ -742,7 +742,7 @@ static int __init owl_uart_init(void) + return ret; + } + +-static void __init owl_uart_exit(void) ++static void __exit owl_uart_exit(void) + { + platform_driver_unregister(&owl_uart_platform_driver); + uart_unregister_driver(&owl_uart_driver); +-- +2.20.1 + diff --git a/queue-4.19/usb-dwc2-fix-unbalanced-use-of-external-vbus-supply.patch b/queue-4.19/usb-dwc2-fix-unbalanced-use-of-external-vbus-supply.patch new file mode 100644 index 00000000000..8e28869cb7a --- /dev/null +++ b/queue-4.19/usb-dwc2-fix-unbalanced-use-of-external-vbus-supply.patch @@ -0,0 +1,141 @@ +From 4aa112f8b4a6279f44bf6e33ecd84070019b8c6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Sep 2018 13:40:05 +0200 +Subject: usb: dwc2: fix unbalanced use of external vbus-supply + +From: Fabrice Gasnier + +[ Upstream commit cd7cd0e6cedfda8da6668a4af6748f96bbb6fed4 ] + +When using external vbus supply regulator, it should be enabled +synchronously with PWR bit in HPRT register. This also fixes +unbalanced use of this optional regulator (This can be reproduced +easily when unbinding the driver). + +Fixes: 531ef5ebea96 ("usb: dwc2: add support for host mode external +vbus supply") + +Tested-by: Artur Petrosyan +Acked-by: Minas Harutyunyan +Signed-off-by: Fabrice Gasnier +Signed-off-by: Amelie Delaunay +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/hcd.c | 33 ++++++++++++++++++++++++++------- + 1 file changed, 26 insertions(+), 7 deletions(-) + +diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c +index aad7edc29bddd..a5c8329fd4625 100644 +--- a/drivers/usb/dwc2/hcd.c ++++ b/drivers/usb/dwc2/hcd.c +@@ -3568,6 +3568,7 @@ static int dwc2_hcd_hub_control(struct dwc2_hsotg *hsotg, u16 typereq, + u32 port_status; + u32 speed; + u32 pcgctl; ++ u32 pwr; + + switch (typereq) { + case ClearHubFeature: +@@ -3616,8 +3617,11 @@ static int dwc2_hcd_hub_control(struct dwc2_hsotg *hsotg, u16 typereq, + dev_dbg(hsotg->dev, + "ClearPortFeature USB_PORT_FEAT_POWER\n"); + hprt0 = dwc2_read_hprt0(hsotg); ++ pwr = hprt0 & HPRT0_PWR; + hprt0 &= ~HPRT0_PWR; + dwc2_writel(hsotg, hprt0, HPRT0); ++ if (pwr) ++ dwc2_vbus_supply_exit(hsotg); + break; + + case USB_PORT_FEAT_INDICATOR: +@@ -3827,8 +3831,11 @@ static int dwc2_hcd_hub_control(struct dwc2_hsotg *hsotg, u16 typereq, + dev_dbg(hsotg->dev, + "SetPortFeature - USB_PORT_FEAT_POWER\n"); + hprt0 = dwc2_read_hprt0(hsotg); ++ pwr = hprt0 & HPRT0_PWR; + hprt0 |= HPRT0_PWR; + dwc2_writel(hsotg, hprt0, HPRT0); ++ if (!pwr) ++ dwc2_vbus_supply_init(hsotg); + break; + + case USB_PORT_FEAT_RESET: +@@ -3845,6 +3852,7 @@ static int dwc2_hcd_hub_control(struct dwc2_hsotg *hsotg, u16 typereq, + dwc2_writel(hsotg, 0, PCGCTL); + + hprt0 = dwc2_read_hprt0(hsotg); ++ pwr = hprt0 & HPRT0_PWR; + /* Clear suspend bit if resetting from suspend state */ + hprt0 &= ~HPRT0_SUSP; + +@@ -3858,6 +3866,8 @@ static int dwc2_hcd_hub_control(struct dwc2_hsotg *hsotg, u16 typereq, + dev_dbg(hsotg->dev, + "In host mode, hprt0=%08x\n", hprt0); + dwc2_writel(hsotg, hprt0, HPRT0); ++ if (!pwr) ++ dwc2_vbus_supply_init(hsotg); + } + + /* Clear reset bit in 10ms (FS/LS) or 50ms (HS) */ +@@ -4400,6 +4410,7 @@ static int _dwc2_hcd_start(struct usb_hcd *hcd) + struct dwc2_hsotg *hsotg = dwc2_hcd_to_hsotg(hcd); + struct usb_bus *bus = hcd_to_bus(hcd); + unsigned long flags; ++ u32 hprt0; + int ret; + + dev_dbg(hsotg->dev, "DWC OTG HCD START\n"); +@@ -4416,12 +4427,16 @@ static int _dwc2_hcd_start(struct usb_hcd *hcd) + + dwc2_hcd_reinit(hsotg); + +- /* enable external vbus supply before resuming root hub */ +- spin_unlock_irqrestore(&hsotg->lock, flags); +- ret = dwc2_vbus_supply_init(hsotg); +- if (ret) +- return ret; +- spin_lock_irqsave(&hsotg->lock, flags); ++ hprt0 = dwc2_read_hprt0(hsotg); ++ /* Has vbus power been turned on in dwc2_core_host_init ? */ ++ if (hprt0 & HPRT0_PWR) { ++ /* Enable external vbus supply before resuming root hub */ ++ spin_unlock_irqrestore(&hsotg->lock, flags); ++ ret = dwc2_vbus_supply_init(hsotg); ++ if (ret) ++ return ret; ++ spin_lock_irqsave(&hsotg->lock, flags); ++ } + + /* Initialize and connect root hub if one is not already attached */ + if (bus->root_hub) { +@@ -4443,6 +4458,7 @@ static void _dwc2_hcd_stop(struct usb_hcd *hcd) + { + struct dwc2_hsotg *hsotg = dwc2_hcd_to_hsotg(hcd); + unsigned long flags; ++ u32 hprt0; + + /* Turn off all host-specific interrupts */ + dwc2_disable_host_interrupts(hsotg); +@@ -4451,6 +4467,7 @@ static void _dwc2_hcd_stop(struct usb_hcd *hcd) + synchronize_irq(hcd->irq); + + spin_lock_irqsave(&hsotg->lock, flags); ++ hprt0 = dwc2_read_hprt0(hsotg); + /* Ensure hcd is disconnected */ + dwc2_hcd_disconnect(hsotg, true); + dwc2_hcd_stop(hsotg); +@@ -4459,7 +4476,9 @@ static void _dwc2_hcd_stop(struct usb_hcd *hcd) + clear_bit(HCD_FLAG_HW_ACCESSIBLE, &hcd->flags); + spin_unlock_irqrestore(&hsotg->lock, flags); + +- dwc2_vbus_supply_exit(hsotg); ++ /* keep balanced supply init/exit by checking HPRT0_PWR */ ++ if (hprt0 & HPRT0_PWR) ++ dwc2_vbus_supply_exit(hsotg); + + usleep_range(1000, 3000); + } +-- +2.20.1 + diff --git a/queue-4.19/usb-dwc3-gadget-clear-dwc3_ep_transfer_started-on-cm.patch b/queue-4.19/usb-dwc3-gadget-clear-dwc3_ep_transfer_started-on-cm.patch new file mode 100644 index 00000000000..699cb828cbc --- /dev/null +++ b/queue-4.19/usb-dwc3-gadget-clear-dwc3_ep_transfer_started-on-cm.patch @@ -0,0 +1,62 @@ +From 180d1a6da372f2ad442ff65b619af8a7522eb6be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jan 2019 12:58:27 +0200 +Subject: usb: dwc3: gadget: clear DWC3_EP_TRANSFER_STARTED on cmd complete + +From: Felipe Balbi + +[ Upstream commit acbfa6c26f21a18830ee064b588c92334305b6af ] + +We must wait until End Transfer completes in order to clear +DWC3_EP_TRANSFER_STARTED, otherwise we may confuse the driver. + +This patch is in preparation to fix a rare race condition that happens +upon Disconnect Interrupt. + +Tested-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 19 +++++-------------- + 1 file changed, 5 insertions(+), 14 deletions(-) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 7b0957c530485..54de732550648 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -375,19 +375,9 @@ int dwc3_send_gadget_ep_cmd(struct dwc3_ep *dep, unsigned cmd, + + trace_dwc3_gadget_ep_cmd(dep, cmd, params, cmd_status); + +- if (ret == 0) { +- switch (DWC3_DEPCMD_CMD(cmd)) { +- case DWC3_DEPCMD_STARTTRANSFER: +- dep->flags |= DWC3_EP_TRANSFER_STARTED; +- dwc3_gadget_ep_get_transfer_index(dep); +- break; +- case DWC3_DEPCMD_ENDTRANSFER: +- dep->flags &= ~DWC3_EP_TRANSFER_STARTED; +- break; +- default: +- /* nothing */ +- break; +- } ++ if (ret == 0 && DWC3_DEPCMD_CMD(cmd) == DWC3_DEPCMD_STARTTRANSFER) { ++ dep->flags |= DWC3_EP_TRANSFER_STARTED; ++ dwc3_gadget_ep_get_transfer_index(dep); + } + + if (unlikely(susphy)) { +@@ -2417,7 +2407,8 @@ static void dwc3_endpoint_interrupt(struct dwc3 *dwc, + cmd = DEPEVT_PARAMETER_CMD(event->parameters); + + if (cmd == DWC3_DEPCMD_ENDTRANSFER) { +- dep->flags &= ~DWC3_EP_END_TRANSFER_PENDING; ++ dep->flags &= ~(DWC3_EP_END_TRANSFER_PENDING | ++ DWC3_EP_TRANSFER_STARTED); + dwc3_gadget_ep_cleanup_cancelled_requests(dep); + } + break; +-- +2.20.1 + diff --git a/queue-4.19/usb-dwc3-gadget-early-giveback-if-end-transfer-alrea.patch b/queue-4.19/usb-dwc3-gadget-early-giveback-if-end-transfer-alrea.patch new file mode 100644 index 00000000000..46548555314 --- /dev/null +++ b/queue-4.19/usb-dwc3-gadget-early-giveback-if-end-transfer-alrea.patch @@ -0,0 +1,52 @@ +From b11a7aabd8526175deeec382c085844dc63cbbaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jan 2019 13:01:16 +0200 +Subject: usb: dwc3: gadget: early giveback if End Transfer already completed + +From: Felipe Balbi + +[ Upstream commit 9f45581f5eec6786c6eded2b3c85345d82a910c9 ] + +There is a rare race condition that may happen during a Disconnect +Interrupt if we have a started request that happens to be +dequeued *after* completion of End Transfer command. If that happens, +that request will be left waiting for completion of an End Transfer +command that will never happen. + +If End Transfer command has already completed before, we are safe to +giveback the request straight away. + +Tested-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index e7461c995116a..7b0957c530485 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1410,7 +1410,10 @@ static int dwc3_gadget_ep_dequeue(struct usb_ep *ep, + goto out0; + + dwc3_gadget_move_cancelled_request(req); +- goto out0; ++ if (dep->flags & DWC3_EP_TRANSFER_STARTED) ++ goto out0; ++ else ++ goto out1; + } + dev_err(dwc->dev, "request %pK was not queued to %s\n", + request, ep->name); +@@ -1418,6 +1421,7 @@ static int dwc3_gadget_ep_dequeue(struct usb_ep *ep, + goto out0; + } + ++out1: + dwc3_gadget_giveback(dep, req, -ECONNRESET); + + out0: +-- +2.20.1 + diff --git a/queue-4.19/usb-handle-warm-reset-port-requests-on-hub-resume.patch b/queue-4.19/usb-handle-warm-reset-port-requests-on-hub-resume.patch new file mode 100644 index 00000000000..02c71ecfe1d --- /dev/null +++ b/queue-4.19/usb-handle-warm-reset-port-requests-on-hub-resume.patch @@ -0,0 +1,55 @@ +From ba13f40a742b9fdc4014b98e07a4958bb61f003b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Feb 2019 13:52:31 +0100 +Subject: usb: handle warm-reset port requests on hub resume + +From: Jan-Marek Glogowski + +[ Upstream commit 4fdc1790e6a9ef22399c6bc6e63b80f4609f3b7e ] + +On plug-in of my USB-C device, its USB_SS_PORT_LS_SS_INACTIVE +link state bit is set. Greping all the kernel for this bit shows +that the port status requests a warm-reset this way. + +This just happens, if its the only device on the root hub, the hub +therefore resumes and the HCDs status_urb isn't yet available. +If a warm-reset request is detected, this sets the hubs event_bits, +which will prevent any auto-suspend and allows the hubs workqueue +to warm-reset the port later in port_event. + +Signed-off-by: Jan-Marek Glogowski +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/hub.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 8018f813972e0..d5fbd36cf4624 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -107,6 +107,8 @@ EXPORT_SYMBOL_GPL(ehci_cf_port_reset_rwsem); + static void hub_release(struct kref *kref); + static int usb_reset_and_verify_device(struct usb_device *udev); + static int hub_port_disable(struct usb_hub *hub, int port1, int set_state); ++static bool hub_port_warm_reset_required(struct usb_hub *hub, int port1, ++ u16 portstatus); + + static inline char *portspeed(struct usb_hub *hub, int portstatus) + { +@@ -1111,6 +1113,11 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + USB_PORT_FEAT_ENABLE); + } + ++ /* Make sure a warm-reset request is handled by port_event */ ++ if (type == HUB_RESUME && ++ hub_port_warm_reset_required(hub, port1, portstatus)) ++ set_bit(port1, hub->event_bits); ++ + /* + * Add debounce if USB3 link is in polling/link training state. + * Link will automatically transition to Enabled state after +-- +2.20.1 + diff --git a/queue-4.19/virt-vbox-fix-memory-leak-in-hgcm_call_preprocess_li.patch b/queue-4.19/virt-vbox-fix-memory-leak-in-hgcm_call_preprocess_li.patch new file mode 100644 index 00000000000..9a7fcdaa3a4 --- /dev/null +++ b/queue-4.19/virt-vbox-fix-memory-leak-in-hgcm_call_preprocess_li.patch @@ -0,0 +1,49 @@ +From a8b03b3a6900ee950e16b78e3d44f7c58d26671a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2019 15:42:22 -0500 +Subject: virt: vbox: fix memory leak in hgcm_call_preprocess_linaddr + +From: Navid Emamdoost + +[ Upstream commit e0b0cb9388642c104838fac100a4af32745621e2 ] + +In hgcm_call_preprocess_linaddr memory is allocated for bounce_buf but +is not released if copy_form_user fails. In order to prevent memory leak +in case of failure, the assignment to bounce_buf_ret is moved before the +error check. This way the allocated bounce_buf will be released by the +caller. + +Fixes: 579db9d45cb4 ("virt: Add vboxguest VMMDEV communication code") +Signed-off-by: Navid Emamdoost +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20190930204223.3660-1-navid.emamdoost@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/virt/vboxguest/vboxguest_utils.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/virt/vboxguest/vboxguest_utils.c b/drivers/virt/vboxguest/vboxguest_utils.c +index bf4474214b4d3..92091006589a9 100644 +--- a/drivers/virt/vboxguest/vboxguest_utils.c ++++ b/drivers/virt/vboxguest/vboxguest_utils.c +@@ -217,6 +217,8 @@ static int hgcm_call_preprocess_linaddr( + if (!bounce_buf) + return -ENOMEM; + ++ *bounce_buf_ret = bounce_buf; ++ + if (copy_in) { + ret = copy_from_user(bounce_buf, (void __user *)buf, len); + if (ret) +@@ -225,7 +227,6 @@ static int hgcm_call_preprocess_linaddr( + memset(bounce_buf, 0, len); + } + +- *bounce_buf_ret = bounce_buf; + hgcm_call_add_pagelist_size(bounce_buf, len, extra); + return 0; + } +-- +2.20.1 + diff --git a/queue-4.19/wil6210-fix-freeing-of-rx-buffers-in-edma-mode.patch b/queue-4.19/wil6210-fix-freeing-of-rx-buffers-in-edma-mode.patch new file mode 100644 index 00000000000..d075d46eefd --- /dev/null +++ b/queue-4.19/wil6210-fix-freeing-of-rx-buffers-in-edma-mode.patch @@ -0,0 +1,97 @@ +From 1d7faaad7b711216f5c76333c196f6390de5ef34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Oct 2018 10:52:23 +0200 +Subject: wil6210: fix freeing of rx buffers in EDMA mode + +From: Ahmad Masri + +[ Upstream commit 6470f31927b46846d957628b719dcfda05446664 ] + +After being associated with some EDMA rx traffic, upon "down" driver +doesn't free all skbs in the rx ring. +Modify wil_move_all_rx_buff_to_free_list to loop on active list of rx +buffers, unmap the physical memory and free the skb. + +Signed-off-by: Ahmad Masri +Signed-off-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wil6210/txrx_edma.c | 44 +++++++------------- + 1 file changed, 14 insertions(+), 30 deletions(-) + +diff --git a/drivers/net/wireless/ath/wil6210/txrx_edma.c b/drivers/net/wireless/ath/wil6210/txrx_edma.c +index 3e7fc2983cbb3..409a6fa8b6c8f 100644 +--- a/drivers/net/wireless/ath/wil6210/txrx_edma.c ++++ b/drivers/net/wireless/ath/wil6210/txrx_edma.c +@@ -234,9 +234,10 @@ static int wil_rx_refill_edma(struct wil6210_priv *wil) + struct wil_ring *ring = &wil->ring_rx; + u32 next_head; + int rc = 0; +- u32 swtail = *ring->edma_rx_swtail.va; ++ ring->swtail = *ring->edma_rx_swtail.va; + +- for (; next_head = wil_ring_next_head(ring), (next_head != swtail); ++ for (; next_head = wil_ring_next_head(ring), ++ (next_head != ring->swtail); + ring->swhead = next_head) { + rc = wil_ring_alloc_skb_edma(wil, ring, ring->swhead); + if (unlikely(rc)) { +@@ -264,43 +265,26 @@ static void wil_move_all_rx_buff_to_free_list(struct wil6210_priv *wil, + struct wil_ring *ring) + { + struct device *dev = wil_to_dev(wil); +- u32 next_tail; +- u32 swhead = (ring->swhead + 1) % ring->size; ++ struct list_head *active = &wil->rx_buff_mgmt.active; + dma_addr_t pa; +- u16 dmalen; + +- for (; next_tail = wil_ring_next_tail(ring), (next_tail != swhead); +- ring->swtail = next_tail) { +- struct wil_rx_enhanced_desc dd, *d = ⅆ +- struct wil_rx_enhanced_desc *_d = +- (struct wil_rx_enhanced_desc *) +- &ring->va[ring->swtail].rx.enhanced; +- struct sk_buff *skb; +- u16 buff_id; ++ while (!list_empty(active)) { ++ struct wil_rx_buff *rx_buff = ++ list_first_entry(active, struct wil_rx_buff, list); ++ struct sk_buff *skb = rx_buff->skb; + +- *d = *_d; +- +- /* Extract the SKB from the rx_buff management array */ +- buff_id = __le16_to_cpu(d->mac.buff_id); +- if (buff_id >= wil->rx_buff_mgmt.size) { +- wil_err(wil, "invalid buff_id %d\n", buff_id); +- continue; +- } +- skb = wil->rx_buff_mgmt.buff_arr[buff_id].skb; +- wil->rx_buff_mgmt.buff_arr[buff_id].skb = NULL; + if (unlikely(!skb)) { +- wil_err(wil, "No Rx skb at buff_id %d\n", buff_id); ++ wil_err(wil, "No Rx skb at buff_id %d\n", rx_buff->id); + } else { +- pa = wil_rx_desc_get_addr_edma(&d->dma); +- dmalen = le16_to_cpu(d->dma.length); +- dma_unmap_single(dev, pa, dmalen, DMA_FROM_DEVICE); +- ++ rx_buff->skb = NULL; ++ memcpy(&pa, skb->cb, sizeof(pa)); ++ dma_unmap_single(dev, pa, wil->rx_buf_len, ++ DMA_FROM_DEVICE); + kfree_skb(skb); + } + + /* Move the buffer from the active to the free list */ +- list_move(&wil->rx_buff_mgmt.buff_arr[buff_id].list, +- &wil->rx_buff_mgmt.free); ++ list_move(&rx_buff->list, &wil->rx_buff_mgmt.free); + } + } + +-- +2.20.1 + diff --git a/queue-4.19/x86-cpu-add-atom-tremont-jacobsville.patch b/queue-4.19/x86-cpu-add-atom-tremont-jacobsville.patch new file mode 100644 index 00000000000..917695c4f8c --- /dev/null +++ b/queue-4.19/x86-cpu-add-atom-tremont-jacobsville.patch @@ -0,0 +1,60 @@ +From ced6ff43769742aaec3a8c14106a534560af3726 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jan 2019 11:59:01 -0800 +Subject: x86/cpu: Add Atom Tremont (Jacobsville) + +From: Kan Liang + +[ Upstream commit 00ae831dfe4474ef6029558f5eb3ef0332d80043 ] + +Add the Atom Tremont model number to the Intel family list. + +[ Tony: Also update comment at head of file to say "_X" suffix is + also used for microserver parts. ] + +Signed-off-by: Kan Liang +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Signed-off-by: Borislav Petkov +Cc: Andy Shevchenko +Cc: Aristeu Rozanski +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: linux-edac +Cc: Mauro Carvalho Chehab +Cc: Megha Dey +Cc: Peter Zijlstra +Cc: Qiuxu Zhuo +Cc: Rajneesh Bhardwaj +Cc: Thomas Gleixner +Cc: x86-ml +Link: https://lkml.kernel.org/r/20190125195902.17109-4-tony.luck@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/intel-family.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/intel-family.h b/arch/x86/include/asm/intel-family.h +index 5d0b72f281402..82a57d344b9bc 100644 +--- a/arch/x86/include/asm/intel-family.h ++++ b/arch/x86/include/asm/intel-family.h +@@ -6,7 +6,7 @@ + * "Big Core" Processors (Branded as Core, Xeon, etc...) + * + * The "_X" parts are generally the EP and EX Xeons, or the +- * "Extreme" ones, like Broadwell-E. ++ * "Extreme" ones, like Broadwell-E, or Atom microserver. + * + * While adding a new CPUID for a new microarchitecture, add a new + * group to keep logically sorted out in chronological order. Within +@@ -80,6 +80,7 @@ + #define INTEL_FAM6_ATOM_GOLDMONT 0x5C /* Apollo Lake */ + #define INTEL_FAM6_ATOM_GOLDMONT_X 0x5F /* Denverton */ + #define INTEL_FAM6_ATOM_GOLDMONT_PLUS 0x7A /* Gemini Lake */ ++#define INTEL_FAM6_ATOM_TREMONT_X 0x86 /* Jacobsville */ + + /* Xeon Phi */ + +-- +2.20.1 + diff --git a/queue-4.19/x86-cpu-add-comet-lake-to-the-intel-cpu-models-heade.patch b/queue-4.19/x86-cpu-add-comet-lake-to-the-intel-cpu-models-heade.patch new file mode 100644 index 00000000000..74fc47539da --- /dev/null +++ b/queue-4.19/x86-cpu-add-comet-lake-to-the-intel-cpu-models-heade.patch @@ -0,0 +1,49 @@ +From 5171414a93e50294d64d1d9ee786fd3db4d530a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2019 08:50:02 -0700 +Subject: x86/cpu: Add Comet Lake to the Intel CPU models header + +From: Kan Liang + +[ Upstream commit 8d7c6ac3b2371eb1cbc9925a88f4d10efff374de ] + +Comet Lake is the new 10th Gen Intel processor. Add two new CPU model +numbers to the Intel family list. + +The CPU model numbers are not published in the SDM yet but they come +from an authoritative internal source. + + [ bp: Touch up commit message. ] + +Signed-off-by: Kan Liang +Signed-off-by: Borislav Petkov +Reviewed-by: Tony Luck +Cc: ak@linux.intel.com +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: x86-ml +Link: https://lkml.kernel.org/r/1570549810-25049-2-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/intel-family.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/x86/include/asm/intel-family.h b/arch/x86/include/asm/intel-family.h +index 82a57d344b9bc..2a8e5f78e23c4 100644 +--- a/arch/x86/include/asm/intel-family.h ++++ b/arch/x86/include/asm/intel-family.h +@@ -61,6 +61,9 @@ + #define INTEL_FAM6_TIGERLAKE_L 0x8C + #define INTEL_FAM6_TIGERLAKE 0x8D + ++#define INTEL_FAM6_COMETLAKE 0xA5 ++#define INTEL_FAM6_COMETLAKE_L 0xA6 ++ + /* "Small Core" Processors (Atom) */ + + #define INTEL_FAM6_ATOM_BONNELL 0x1C /* Diamondville, Pineview */ +-- +2.20.1 + diff --git a/queue-4.19/x86-xen-return-from-panic-notifier.patch b/queue-4.19/x86-xen-return-from-panic-notifier.patch new file mode 100644 index 00000000000..93f6bc222a7 --- /dev/null +++ b/queue-4.19/x86-xen-return-from-panic-notifier.patch @@ -0,0 +1,102 @@ +From 08f26efe512de7ff93853123263e6a0cd274cff1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2019 16:44:41 -0400 +Subject: x86/xen: Return from panic notifier + +From: Boris Ostrovsky + +[ Upstream commit c6875f3aacf2a5a913205accddabf0bfb75cac76 ] + +Currently execution of panic() continues until Xen's panic notifier +(xen_panic_event()) is called at which point we make a hypercall that +never returns. + +This means that any notifier that is supposed to be called later as +well as significant part of panic() code (such as pstore writes from +kmsg_dump()) is never executed. + +There is no reason for xen_panic_event() to be this last point in +execution since panic()'s emergency_restart() will call into +xen_emergency_restart() from where we can perform our hypercall. + +Nevertheless, we will provide xen_legacy_crash boot option that will +preserve original behavior during crash. This option could be used, +for example, if running kernel dumper (which happens after panic +notifiers) is undesirable. + +Reported-by: James Dingwall +Signed-off-by: Boris Ostrovsky +Reviewed-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + .../admin-guide/kernel-parameters.txt | 4 +++ + arch/x86/xen/enlighten.c | 28 +++++++++++++++++-- + 2 files changed, 29 insertions(+), 3 deletions(-) + +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt +index 16607b178b474..a855f83defa6c 100644 +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -5117,6 +5117,10 @@ + the unplug protocol + never -- do not unplug even if version check succeeds + ++ xen_legacy_crash [X86,XEN] ++ Crash from Xen panic notifier, without executing late ++ panic() code such as dumping handler. ++ + xen_nopvspin [X86,XEN] + Disables the ticketlock slowpath using Xen PV + optimizations. +diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c +index c6c7c9b7b5c19..2483ff345bbcd 100644 +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -266,19 +266,41 @@ void xen_reboot(int reason) + BUG(); + } + ++static int reboot_reason = SHUTDOWN_reboot; ++static bool xen_legacy_crash; + void xen_emergency_restart(void) + { +- xen_reboot(SHUTDOWN_reboot); ++ xen_reboot(reboot_reason); + } + + static int + xen_panic_event(struct notifier_block *this, unsigned long event, void *ptr) + { +- if (!kexec_crash_loaded()) +- xen_reboot(SHUTDOWN_crash); ++ if (!kexec_crash_loaded()) { ++ if (xen_legacy_crash) ++ xen_reboot(SHUTDOWN_crash); ++ ++ reboot_reason = SHUTDOWN_crash; ++ ++ /* ++ * If panic_timeout==0 then we are supposed to wait forever. ++ * However, to preserve original dom0 behavior we have to drop ++ * into hypervisor. (domU behavior is controlled by its ++ * config file) ++ */ ++ if (panic_timeout == 0) ++ panic_timeout = -1; ++ } + return NOTIFY_DONE; + } + ++static int __init parse_xen_legacy_crash(char *arg) ++{ ++ xen_legacy_crash = true; ++ return 0; ++} ++early_param("xen_legacy_crash", parse_xen_legacy_crash); ++ + static struct notifier_block xen_panic_block = { + .notifier_call = xen_panic_event, + .priority = INT_MIN +-- +2.20.1 + diff --git a/queue-4.19/zram-fix-race-between-backing_dev_show-and-backing_d.patch b/queue-4.19/zram-fix-race-between-backing_dev_show-and-backing_d.patch new file mode 100644 index 00000000000..9a56de40f52 --- /dev/null +++ b/queue-4.19/zram-fix-race-between-backing_dev_show-and-backing_d.patch @@ -0,0 +1,68 @@ +From 0ad4520ac469c7ff846d4f7496484e419257588a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Oct 2019 04:59:17 -0400 +Subject: zram: fix race between backing_dev_show and backing_dev_store + +[ Upstream commit f7daefe4231e57381d92c2e2ad905a899c28e402 ] + +CPU0: CPU1: +backing_dev_show backing_dev_store + ...... ...... + file = zram->backing_dev; + down_read(&zram->init_lock); down_read(&zram->init_init_lock) + file_path(file, ...); zram->backing_dev = backing_dev; + up_read(&zram->init_lock); up_read(&zram->init_lock); + +gets the value of zram->backing_dev too early in backing_dev_show, which +resultin the value being NULL at the beginning, and not NULL later. + +backtrace: + d_path+0xcc/0x174 + file_path+0x10/0x18 + backing_dev_show+0x40/0xb4 + dev_attr_show+0x20/0x54 + sysfs_kf_seq_show+0x9c/0x10c + kernfs_seq_show+0x28/0x30 + seq_read+0x184/0x488 + kernfs_fop_read+0x5c/0x1a4 + __vfs_read+0x44/0x128 + vfs_read+0xa0/0x138 + SyS_read+0x54/0xb4 + +Link: http://lkml.kernel.org/r/1571046839-16814-1-git-send-email-chenwandun@huawei.com +Signed-off-by: Chenwandun +Acked-by: Minchan Kim +Cc: Sergey Senozhatsky +Cc: Jens Axboe +Cc: [4.14+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/block/zram/zram_drv.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c +index 70cbd0ee1b076..76abe40bfa83b 100644 +--- a/drivers/block/zram/zram_drv.c ++++ b/drivers/block/zram/zram_drv.c +@@ -312,13 +312,14 @@ static void reset_bdev(struct zram *zram) + static ssize_t backing_dev_show(struct device *dev, + struct device_attribute *attr, char *buf) + { ++ struct file *file; + struct zram *zram = dev_to_zram(dev); +- struct file *file = zram->backing_dev; + char *p; + ssize_t ret; + + down_read(&zram->init_lock); +- if (!zram_wb_enabled(zram)) { ++ file = zram->backing_dev; ++ if (!file) { + memcpy(buf, "none\n", 5); + up_read(&zram->init_lock); + return 5; +-- +2.20.1 +