From: Greg Kroah-Hartman Date: Mon, 18 Feb 2019 12:04:57 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v3.18.135~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=574ed7f035035c34f6c470c8752e203596b782b3;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: alpha-fix-eiger-nr_irqs-to-128.patch alpha-fix-page-fault-handling-for-r16-r18-targets.patch alsa-hda-add-quirk-for-hp-elitebook-840-g5.patch alsa-usb-audio-fix-implicit-fb-endpoint-setup-by-quirk.patch arm-omap5-fix-inverted-nirq-pin-interrupts-with-irq_set_type.patch asoc-hdmi-codec-fix-oops-on-re-probe.patch dm-crypt-don-t-overallocate-the-integrity-tag-space.patch dm-thin-fix-bug-where-bio-that-overwrites-thin-block-ignores-fua.patch drm-i915-block-fbdev-hpd-processing-during-suspend.patch drm-i915-prevent-a-race-during-i915_gem_mmap-ioctl-with-wc-set.patch drm-use-array_size-when-creating-lease.patch drm-vkms-fix-license-inconsistent.patch input-bma150-register-input-device-after-setting-private-data.patch input-elan_i2c-add-acpi-id-for-touchpad-in-lenovo-v330-15isk.patch input-elantech-enable-3rd-button-support-on-fujitsu-celsius-h780.patch kvm-vmx-fix-entry-number-check-for-add_atomic_switch_msr.patch md-raid1-don-t-clear-bitmap-bits-on-interrupted-recovery.patch mm-proc-smaps_rollup-fix-pss_locked-calculation.patch mmc-block-handle-complete_work-on-separate-workqueue.patch mmc-sunxi-filter-out-unsupported-modes-declared-in-the-device-tree.patch perf-core-fix-impossible-ring-buffer-sizes-warning.patch perf-x86-add-check_period-pmu-callback.patch revert-input-elan_i2c-add-acpi-id-for-touchpad-in-asus-aspire-f5-573g.patch revert-mm-don-t-reclaim-inodes-with-many-attached-pages.patch revert-mm-slowly-shrink-slabs-with-a-relatively-small-number-of-objects.patch revert-nfsd4-return-default-lease-period.patch riscv-add-pte-bit-to-distinguish-swap-from-invalid.patch s390-zcrypt-fix-specification-exception-on-z196-during-ap-probe.patch 
scsi-sd-fix-entropy-gathering-for-most-rotational-disks.patch signal-restore-the-stop-ptrace_event_exit.patch tools-uapi-fix-alpha-support.patch tracing-uprobes-fix-output-for-multiple-string-arguments.patch x86-a.out-clear-the-dump-structure-initially.patch x86-kvm-nvmx-read-from-msr_ia32_vmx_procbased_ctls2-only-when-it-is-available.patch x86-platform-uv-use-efi_runtime_lock-to-serialise-bios-calls.patch --- diff --git a/queue-4.19/alpha-fix-eiger-nr_irqs-to-128.patch b/queue-4.19/alpha-fix-eiger-nr_irqs-to-128.patch new file mode 100644 index 00000000000..f60f708988f --- /dev/null +++ b/queue-4.19/alpha-fix-eiger-nr_irqs-to-128.patch 
@@ -0,0 +1,51 @@
+From bfc913682464f45bc4d6044084e370f9048de9d5 Mon Sep 17 00:00:00 2001
+From: Meelis Roos
+Date: Fri, 12 Oct 2018 12:27:51 +0300
+Subject: alpha: Fix Eiger NR_IRQS to 128
+
+From: Meelis Roos
+
+commit bfc913682464f45bc4d6044084e370f9048de9d5 upstream.
+
+Eiger machine vector definition has nr_irqs 128, and working 2.6.26
+boot shows SCSI getting IRQ-s 64 and 65. Current kernel boot fails
+because Symbios SCSI fails to request IRQ-s and does not find the disks.
+It has been broken at least since 3.18 - the earliest I could test with
+my gcc-5.
+
+The headers have moved around and possibly another order of defines has
+worked in the past - but since 128 seems to be correct and used, fix
+arch/alpha/include/asm/irq.h to have NR_IRQS=128 for Eiger.
+
+This fixes 4.19-rc7 boot on my Force Flexor A264 (Eiger subarch).
+
+Cc: stable@vger.kernel.org # v3.18+
+Signed-off-by: Meelis Roos
+Signed-off-by: Matt Turner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/alpha/include/asm/irq.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/alpha/include/asm/irq.h
++++ b/arch/alpha/include/asm/irq.h
+@@ -56,15 +56,15 @@
+
+ #elif defined(CONFIG_ALPHA_DP264) || \
+ defined(CONFIG_ALPHA_LYNX) || \
+- defined(CONFIG_ALPHA_SHARK) || \
+- defined(CONFIG_ALPHA_EIGER)
++ defined(CONFIG_ALPHA_SHARK)
+ # define NR_IRQS 64
+
+ #elif defined(CONFIG_ALPHA_TITAN)
+ #define NR_IRQS 80
+
+ #elif defined(CONFIG_ALPHA_RAWHIDE) || \
+- defined(CONFIG_ALPHA_TAKARA)
++ defined(CONFIG_ALPHA_TAKARA) || \
++ defined(CONFIG_ALPHA_EIGER)
+ # define NR_IRQS 128
+
+ #elif defined(CONFIG_ALPHA_WILDFIRE)
diff --git a/queue-4.19/alpha-fix-page-fault-handling-for-r16-r18-targets.patch b/queue-4.19/alpha-fix-page-fault-handling-for-r16-r18-targets.patch
new file mode 100644
index 00000000000..8dd6245ebdd
--- /dev/null
+++ b/queue-4.19/alpha-fix-page-fault-handling-for-r16-r18-targets.patch
@@ -0,0 +1,118 @@ +From 491af60ffb848b59e82f7c9145833222e0bf27a5 Mon Sep 17 00:00:00 2001 +From: Sergei Trofimovich +Date: Mon, 31 Dec 2018 11:53:55 +0000 +Subject: alpha: fix page fault handling for r16-r18 targets + +From: Sergei Trofimovich + +commit 491af60ffb848b59e82f7c9145833222e0bf27a5 upstream. + +Fix page fault handling code to fixup r16-r18 registers. +Before the patch code had off-by-two registers bug. +This bug caused overwriting of ps,pc,gp registers instead +of fixing intended r16,r17,r18 (see `struct pt_regs`). + +More details: + +Initially Dmitry noticed a kernel bug as a failure +on strace test suite. Test passes unmapped userspace +pointer to io_submit: + +```c + #include + #include + #include + #include + int main(void) + { + unsigned long ctx = 0; + if (syscall(__NR_io_setup, 1, &ctx)) + err(1, "io_setup"); + const size_t page_size = sysconf(_SC_PAGESIZE); + const size_t size = page_size * 2; + void *ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + if (MAP_FAILED == ptr) + err(1, "mmap(%zu)", size); + if (munmap(ptr, size)) + err(1, "munmap"); + syscall(__NR_io_submit, ctx, 1, ptr + page_size); + syscall(__NR_io_destroy, ctx); + return 0; + } +``` + +Running this test causes kernel to crash when handling page fault: + +``` + Unable to handle kernel paging request at virtual address ffffffffffff9468 + CPU 3 + aio(26027): Oops 0 + pc = [] ra = [] ps = 0000 Not tainted + pc is at sys_io_submit+0x108/0x200 + ra is at sys_io_submit+0x6c/0x200 + v0 = fffffc00c58e6300 t0 = fffffffffffffff2 t1 = 000002000025e000 + t2 = fffffc01f159fef8 t3 = fffffc0001009640 t4 = fffffc0000e0f6e0 + t5 = 0000020001002e9e t6 = 4c41564e49452031 t7 = fffffc01f159c000 + s0 = 0000000000000002 s1 = 000002000025e000 s2 = 0000000000000000 + s3 = 0000000000000000 s4 = 0000000000000000 s5 = fffffffffffffff2 + s6 = fffffc00c58e6300 + a0 = fffffc00c58e6300 a1 = 0000000000000000 a2 = 000002000025e000 + a3 = 00000200001ac260 a4 = 00000200001ac1e8 
a5 = 0000000000000001 + t8 = 0000000000000008 t9 = 000000011f8bce30 t10= 00000200001ac440 + t11= 0000000000000000 pv = fffffc00006fd320 at = 0000000000000000 + gp = 0000000000000000 sp = 00000000265fd174 + Disabling lock debugging due to kernel taint + Trace: + [] entSys+0xa4/0xc0 +``` + +Here `gp` has invalid value. `gp is s overwritten by a fixup for the +following page fault handler in `io_submit` syscall handler: + +``` + __se_sys_io_submit + ... + ldq a1,0(t1) + bne t0,4280 <__se_sys_io_submit+0x180> +``` + +After a page fault `t0` should contain -EFALUT and `a1` is 0. +Instead `gp` was overwritten in place of `a1`. + +This happens due to a off-by-two bug in `dpf_reg()` for `r16-r18` +(aka `a0-a2`). + +I think the bug went unnoticed for a long time as `gp` is one +of scratch registers. Any kernel function call would re-calculate `gp`. + +Dmitry tracked down the bug origin back to 2.1.32 kernel version +where trap_a{0,1,2} fields were inserted into struct pt_regs. +And even before that `dpf_reg()` contained off-by-one error. + +Cc: Richard Henderson +Cc: Ivan Kokshaysky +Cc: linux-alpha@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Reported-and-reviewed-by: "Dmitry V. Levin" +Cc: stable@vger.kernel.org # v2.1.32+ +Bug: https://bugs.gentoo.org/672040 +Signed-off-by: Sergei Trofimovich +Signed-off-by: Matt Turner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/alpha/mm/fault.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/alpha/mm/fault.c ++++ b/arch/alpha/mm/fault.c +@@ -78,7 +78,7 @@ __load_new_mm_context(struct mm_struct * + /* Macro for exception fixup code to access integer registers. */ + #define dpf_reg(r) \ + (((unsigned long *)regs)[(r) <= 8 ? (r) : (r) <= 15 ? (r)-16 : \ +- (r) <= 18 ? (r)+8 : (r)-10]) ++ (r) <= 18 ? (r)+10 : (r)-10]) + + asmlinkage void + do_page_fault(unsigned long address, unsigned long mmcsr, 
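Review bot: The index arithmetic in `dpf_reg()` is still a chain of bare offsets (`(r)-16`, `(r)+10`, `(r)-10`) with nothing tying them to the layout of `struct pt_regs`, which is how the wrong slot could go unnoticed while fixups for r16-r18 landed on the saved `gp`. This macro decides which saved register an exception fixup writes after a fault on a user-supplied pointer, so I would add a comment above it spelling out the mapping the expression encodes, e.g. `/* r0-r8 -> 0..8, r9-r15 -> -7..-1, r16-r18 -> 26..28, r19 and up -> r-10 */`. If the trailing fields of `struct pt_regs` are named as the commit message suggests, a compile-time check such as `BUILD_BUG_ON(offsetof(struct pt_regs, r16) != 26 * sizeof(unsigned long));` in `do_page_fault()` would catch the next layout change. The negative indices for r9-r15 presumably reach registers saved in front of `regs`; that assumption deserves a line in the comment as well. `do_page_fault()` continues outside the hunk.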
diff --git a/queue-4.19/alsa-hda-add-quirk-for-hp-elitebook-840-g5.patch b/queue-4.19/alsa-hda-add-quirk-for-hp-elitebook-840-g5.patch
new file mode 100644
index 00000000000..f534d2b2f52
--- /dev/null
+++ b/queue-4.19/alsa-hda-add-quirk-for-hp-elitebook-840-g5.patch
@@ -0,0 +1,31 @@
+From 4cd3016ce996494f78fdfd87ea35c8ca5d0b413e Mon Sep 17 00:00:00 2001
+From: Jurica Vukadin
+Date: Thu, 7 Feb 2019 16:29:37 +0100
+Subject: ALSA: hda - Add quirk for HP EliteBook 840 G5
+
+From: Jurica Vukadin
+
+commit 4cd3016ce996494f78fdfd87ea35c8ca5d0b413e upstream.
+
+This enables mute LED support and fixes switching jacks when the laptop
+is docked.
+
+Signed-off-by: Jurica Vukadin
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -924,6 +924,7 @@ static const struct snd_pci_quirk cxt506
+ SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK),
++ SND_PCI_QUIRK(0x103c, 0x83b2, "HP EliteBook 840 G5", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
diff --git a/queue-4.19/alsa-usb-audio-fix-implicit-fb-endpoint-setup-by-quirk.patch b/queue-4.19/alsa-usb-audio-fix-implicit-fb-endpoint-setup-by-quirk.patch
new file mode 100644
index 00000000000..a8898085c06
--- /dev/null
+++ b/queue-4.19/alsa-usb-audio-fix-implicit-fb-endpoint-setup-by-quirk.patch
@@ -0,0 +1,58 @@
+From 2bc16b9f3223d049b57202ee702fcb5b9b507019 Mon Sep 17 00:00:00 2001
+From: Manuel Reinhardt
+Date: Thu, 31 Jan 2019 15:32:35 +0100
+Subject: ALSA: usb-audio: Fix implicit fb endpoint setup by quirk
+
+From: Manuel Reinhardt
+
+commit 2bc16b9f3223d049b57202ee702fcb5b9b507019 upstream.
+
+The commit a60945fd08e4 ("ALSA: usb-audio: move implicit fb quirks to
+separate function") introduced an error in the handling of quirks for
+implicit feedback endpoints. This commit fixes this.
+
+If a quirk successfully sets up an implicit feedback endpoint, usb-audio
+no longer tries to find the implicit fb endpoint itself.
+
+Fixes: a60945fd08e4 ("ALSA: usb-audio: move implicit fb quirks to separate function")
+Signed-off-by: Manuel Reinhardt
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/pcm.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -314,6 +314,9 @@ static int search_roland_implicit_fb(str
+ return 0;
+ }
+
++/* Setup an implicit feedback endpoint from a quirk. Returns 0 if no quirk
++ * applies. Returns 1 if a quirk was found.
++ */
+ static int set_sync_ep_implicit_fb_quirk(struct snd_usb_substream *subs,
+ struct usb_device *dev,
+ struct usb_interface_descriptor *altsd,
+@@ -384,7 +387,7 @@ add_sync_ep:
+
+ subs->data_endpoint->sync_master = subs->sync_endpoint;
+
+- return 0;
++ return 1;
+ }
+
+ static int set_sync_endpoint(struct snd_usb_substream *subs,
+@@ -423,6 +426,10 @@ static int set_sync_endpoint(struct snd_
+ if (err < 0)
+ return err;
+
++ /* endpoint set by quirk */
++ if (err > 0)
++ return 0;
++
+ if (altsd->bNumEndpoints < 2)
+ return 0;
+
diff --git a/queue-4.19/arm-omap5-fix-inverted-nirq-pin-interrupts-with-irq_set_type.patch b/queue-4.19/arm-omap5-fix-inverted-nirq-pin-interrupts-with-irq_set_type.patch
new file mode 100644
index 00000000000..a2e92a43ae8
--- /dev/null
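Review bot: The new comment on `set_sync_ep_implicit_fb_quirk()` documents the 0 and 1 returns but not the negative one, although the caller in `set_sync_endpoint()` still tests `if (err < 0) return err;`. With three outcomes folded into one `int`, a later edit to the `add_sync_ep:` path can swap "handled" and "not handled" again, which is the regression this patch repairs. I would extend the comment to `/* ... Returns 0 if no quirk applies, 1 if a quirk set up the sync endpoint, or a negative error code. */`. Both function bodies continue outside the hunks.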
+++ b/queue-4.19/arm-omap5-fix-inverted-nirq-pin-interrupts-with-irq_set_type.patch 
@@ -0,0 +1,185 @@ +From d0243693fbf6fbd48b4efb2ba7210765983b03e3 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Tue, 15 Jan 2019 10:09:38 -0800 +Subject: ARM: OMAP5+: Fix inverted nirq pin interrupts with irq_set_type + +From: Tony Lindgren + +commit d0243693fbf6fbd48b4efb2ba7210765983b03e3 upstream. + +Commit 83a86fbb5b56 ("irqchip/gic: Loudly complain about the use of +IRQ_TYPE_NONE") started warning about incorrect dts usage for irqs. +ARM GIC only supports active-high interrupts for SPI (Shared Peripheral +Interrupts), and the Palmas PMIC by default is active-low. + +Palmas PMIC allows changing the interrupt polarity using register +PALMAS_POLARITY_CTRL_INT_POLARITY, but configuring sys_nirq1 with +a pull-down and setting PALMAS_POLARITY_CTRL_INT_POLARITY made the +Palmas RTC interrupts stop working. This can be easily tested with +kernel tools rtctest.c. + +Turns out the SoC inverts the sys_nirq pins for GIC as they do not go +through a peripheral device but go directly to the MPUSS wakeupgen. +I've verified this by muxing the interrupt line temporarily to gpio_wk16 +instead of sys_nirq1. with a gpio, the interrupt works fine both +active-low and active-high with the SoC internal pull configured and +palmas polarity configured. But as sys_nirq1, the interrupt only works +when configured ACTIVE_LOW for palmas, and ACTIVE_HIGH for GIC. + +Note that there was a similar issue earlier with tegra114 and palmas +interrupt polarity that got fixed by commit df545d1cd01a ("mfd: palmas: +Provide irq flags through DT/platform data"). However, the difference +between omap5 and tegra114 is that tegra inverts the palmas interrupt +twice, once when entering tegra PMC, and again when exiting tegra PMC +to GIC. + +Let's fix the issue by adding a custom wakeupgen_irq_set_type() for +wakeupgen and invert any interrupts with wrong polarity. Let's also +warn about any non-sysnirq pins using wrong polarity. 
Note that we +also need to update the dts for the level as IRQ_TYPE_NONE never +has irq_set_type() called, and let's add some comments and use proper +pin nameing to avoid more confusion later on. + +Cc: Belisko Marek +Cc: Dmitry Lifshitz +Cc: "Dr. H. Nikolaus Schaller" +Cc: Jon Hunter +Cc: Keerthy +Cc: Laxman Dewangan +Cc: Nishanth Menon +Cc: Peter Ujfalusi +Cc: Richard Woodruff +Cc: Santosh Shilimkar +Cc: Tero Kristo +Cc: Thierry Reding +Cc: stable@vger.kernel.org # v4.17+ +Reported-by: Belisko Marek +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/omap5-board-common.dtsi | 9 +++++-- + arch/arm/boot/dts/omap5-cm-t54.dts | 12 +++++++++- + arch/arm/mach-omap2/omap-wakeupgen.c | 36 +++++++++++++++++++++++++++++- + 3 files changed, 52 insertions(+), 5 deletions(-) + +--- a/arch/arm/boot/dts/omap5-board-common.dtsi ++++ b/arch/arm/boot/dts/omap5-board-common.dtsi +@@ -317,7 +317,8 @@ + + palmas_sys_nirq_pins: pinmux_palmas_sys_nirq_pins { + pinctrl-single,pins = < +- OMAP5_IOPAD(0x068, PIN_INPUT_PULLUP | MUX_MODE0) /* sys_nirq1 */ ++ /* sys_nirq1 is pulled down as the SoC is inverting it for GIC */ ++ OMAP5_IOPAD(0x068, PIN_INPUT_PULLUP | MUX_MODE0) + >; + }; + +@@ -385,7 +386,8 @@ + + palmas: palmas@48 { + compatible = "ti,palmas"; +- interrupts = ; /* IRQ_SYS_1N */ ++ /* sys_nirq/ext_sys_irq pins get inverted at mpuss wakeupgen */ ++ interrupts = ; + reg = <0x48>; + interrupt-controller; + #interrupt-cells = <2>; +@@ -651,7 +653,8 @@ + pinctrl-names = "default"; + pinctrl-0 = <&twl6040_pins>; + +- interrupts = ; /* IRQ_SYS_2N cascaded to gic */ ++ /* sys_nirq/ext_sys_irq pins get inverted at mpuss wakeupgen */ ++ interrupts = ; + + /* audpwron gpio defined in the board specific dts */ + +--- a/arch/arm/boot/dts/omap5-cm-t54.dts ++++ b/arch/arm/boot/dts/omap5-cm-t54.dts +@@ -181,6 +181,13 @@ + OMAP5_IOPAD(0x0042, PIN_INPUT_PULLDOWN | MUX_MODE6) /* llib_wakereqin.gpio1_wk15 */ + >; + }; ++ ++ palmas_sys_nirq_pins: 
pinmux_palmas_sys_nirq_pins { ++ pinctrl-single,pins = < ++ /* sys_nirq1 is pulled down as the SoC is inverting it for GIC */ ++ OMAP5_IOPAD(0x068, PIN_INPUT_PULLUP | MUX_MODE0) ++ >; ++ }; + }; + + &omap5_pmx_core { +@@ -414,8 +421,11 @@ + + palmas: palmas@48 { + compatible = "ti,palmas"; +- interrupts = ; /* IRQ_SYS_1N */ + reg = <0x48>; ++ pinctrl-0 = <&palmas_sys_nirq_pins>; ++ pinctrl-names = "default"; ++ /* sys_nirq/ext_sys_irq pins get inverted at mpuss wakeupgen */ ++ interrupts = ; + interrupt-controller; + #interrupt-cells = <2>; + ti,system-power-controller; +--- a/arch/arm/mach-omap2/omap-wakeupgen.c ++++ b/arch/arm/mach-omap2/omap-wakeupgen.c +@@ -50,6 +50,9 @@ + #define OMAP4_NR_BANKS 4 + #define OMAP4_NR_IRQS 128 + ++#define SYS_NIRQ1_EXT_SYS_IRQ_1 7 ++#define SYS_NIRQ2_EXT_SYS_IRQ_2 119 ++ + static void __iomem *wakeupgen_base; + static void __iomem *sar_base; + static DEFINE_RAW_SPINLOCK(wakeupgen_lock); +@@ -153,6 +156,37 @@ static void wakeupgen_unmask(struct irq_ + irq_chip_unmask_parent(d); + } + ++/* ++ * The sys_nirq pins bypass peripheral modules and are wired directly ++ * to MPUSS wakeupgen. They get automatically inverted for GIC. 
++ */ ++static int wakeupgen_irq_set_type(struct irq_data *d, unsigned int type) ++{ ++ bool inverted = false; ++ ++ switch (type) { ++ case IRQ_TYPE_LEVEL_LOW: ++ type &= ~IRQ_TYPE_LEVEL_MASK; ++ type |= IRQ_TYPE_LEVEL_HIGH; ++ inverted = true; ++ break; ++ case IRQ_TYPE_EDGE_FALLING: ++ type &= ~IRQ_TYPE_EDGE_BOTH; ++ type |= IRQ_TYPE_EDGE_RISING; ++ inverted = true; ++ break; ++ default: ++ break; ++ } ++ ++ if (inverted && d->hwirq != SYS_NIRQ1_EXT_SYS_IRQ_1 && ++ d->hwirq != SYS_NIRQ2_EXT_SYS_IRQ_2) ++ pr_warn("wakeupgen: irq%li polarity inverted in dts\n", ++ d->hwirq); ++ ++ return irq_chip_set_type_parent(d, type); ++} ++ + #ifdef CONFIG_HOTPLUG_CPU + static DEFINE_PER_CPU(u32 [MAX_NR_REG_BANKS], irqmasks); + +@@ -446,7 +480,7 @@ static struct irq_chip wakeupgen_chip = + .irq_mask = wakeupgen_mask, + .irq_unmask = wakeupgen_unmask, + .irq_retrigger = irq_chip_retrigger_hierarchy, +- .irq_set_type = irq_chip_set_type_parent, ++ .irq_set_type = wakeupgen_irq_set_type, + .flags = IRQCHIP_SKIP_SET_WAKE | IRQCHIP_MASK_ON_SUSPEND, + #ifdef CONFIG_SMP + .irq_set_affinity = irq_chip_set_affinity_parent, diff --git a/queue-4.19/asoc-hdmi-codec-fix-oops-on-re-probe.patch b/queue-4.19/asoc-hdmi-codec-fix-oops-on-re-probe.patch new file mode 100644 index 00000000000..d7f993663a2 --- /dev/null +++ b/queue-4.19/asoc-hdmi-codec-fix-oops-on-re-probe.patch 
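Review bot: The added devicetree comment says `sys_nirq1 is pulled down`, but the pin entry under it is unchanged, `OMAP5_IOPAD(0x068, PIN_INPUT_PULLUP | MUX_MODE0)`, both in omap5-board-common.dtsi and in the new `palmas_sys_nirq_pins` node in omap5-cm-t54.dts. Either the comment or the pull setting is wrong; if the pull-up is what an active-low line needs, the comment should read `/* sys_nirq1 is pulled up; the SoC inverts it for GIC */`. Separately, in `wakeupgen_irq_set_type()` the warning prints `d->hwirq` with `%li`; hwirq is an unsigned hardware IRQ number, so `%lu` is the matching specifier.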
@@ -0,0 +1,72 @@
+From 0ce23d6d42147a692768e6baaaa3db75c44f4235 Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Thu, 17 Jan 2019 17:32:05 +0000
+Subject: ASoC: hdmi-codec: fix oops on re-probe
+
+From: Russell King
+
+commit 0ce23d6d42147a692768e6baaaa3db75c44f4235 upstream.
+
+hdmi-codec oopses the kernel when it is unbound from a successfully
+bound audio subsystem, and is then rebound:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000001c
+pgd = ee3f0000
+[0000001c] *pgd=3cc59831
+Internal error: Oops: 817 [#1] PREEMPT ARM
+Modules linked in: ext2 snd_soc_spdif_tx vmeta dove_thermal snd_soc_kirkwood ofpart marvell_cesa m25p80 orion_wdt mtd spi_nor des_generic gpio_ir_recv snd_soc_kirkwood_spdif bmm_dmabuf auth_rpcgss nfsd autofs4 etnaviv thermal_sys hwmon gpu_sched tda9950
+CPU: 0 PID: 1005 Comm: bash Not tainted 4.20.0+ #1762
+Hardware name: Marvell Dove (Cubox)
+PC is at hdmi_dai_probe+0x68/0x80
+LR is at find_held_lock+0x20/0x94
+pc : [] lr : [] psr: 600f0013
+sp : ee15bd28 ip : eebd8b1c fp : c093b488
+r10: ee048000 r9 : eebdab18 r8 : ee048600
+r7 : 00000001 r6 : 00000000 r5 : 00000000 r4 : ee82c100
+r3 : 00000006 r2 : 00000001 r1 : c067e38c r0 : ee82c100
+Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none[ 297.318599] Control: 10c5387d Table: 2e3f0019 DAC: 00000051
+Process bash (pid: 1005, stack limit = 0xee15a248)
+...
+[] (hdmi_dai_probe) from [] (soc_probe_dai.part.9+0x34/0x70)
+[] (soc_probe_dai.part.9) from [] (snd_soc_instantiate_card+0x734/0xc9c)
+[] (snd_soc_instantiate_card) from [] (snd_soc_add_component+0x29c/0x378)
+[] (snd_soc_add_component) from [] (snd_soc_register_component+0x44/0x54)
+[] (snd_soc_register_component) from [] (devm_snd_soc_register_component+0x48/0x84)
+[] (devm_snd_soc_register_component) from [] (hdmi_codec_probe+0x150/0x260)
+[] (hdmi_codec_probe) from [] (platform_drv_probe+0x48/0x98)
+
+This happens because hdmi_dai_probe() attempts to access the HDMI
+codec private data, but this has not been assigned by hdmi_dai_probe()
+before it calls devm_snd_soc_register_component(). Move the call to
+dev_set_drvdata() before devm_snd_soc_register_component() to avoid
+this oops.
+
+Signed-off-by: Russell King
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/codecs/hdmi-codec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/codecs/hdmi-codec.c
++++ b/sound/soc/codecs/hdmi-codec.c
+@@ -795,6 +795,8 @@ static int hdmi_codec_probe(struct platf
+ if (hcd->spdif)
+ hcp->daidrv[i] = hdmi_spdif_dai;
+
++ dev_set_drvdata(dev, hcp);
++
+ ret = devm_snd_soc_register_component(dev, &hdmi_driver, hcp->daidrv,
+ dai_count);
+ if (ret) {
+@@ -802,8 +804,6 @@ static int hdmi_codec_probe(struct platf
+ __func__, ret);
+ return ret;
+ }
+-
+- dev_set_drvdata(dev, hcp);
+ return 0;
+ }
+
diff --git a/queue-4.19/dm-crypt-don-t-overallocate-the-integrity-tag-space.patch b/queue-4.19/dm-crypt-don-t-overallocate-the-integrity-tag-space.patch
new file mode 100644
index 00000000000..ebce280c7de
--- /dev/null
+++ b/queue-4.19/dm-crypt-don-t-overallocate-the-integrity-tag-space.patch
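Review bot: Nothing at the moved `dev_set_drvdata(dev, hcp);` call says that it has to come before `devm_snd_soc_register_component()`, so the ordering that prevents the NULL dereference in `hdmi_dai_probe()` can be undone by the next tidy-up of `hdmi_codec_probe()`. I would put a comment on it, e.g. `/* must precede component registration: hdmi_dai_probe() runs from it and reads drvdata */`. On the `if (ret)` error path drvdata now stays set to `hcp`; whether that pointer outlives a failed probe depends on how `hcp` is allocated, which is outside the hunk. `hdmi_codec_probe()` begins outside the hunk.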
@@ -0,0 +1,42 @@
+From ff0c129d3b5ecb3df7c8f5e2236582bf745b6c5f Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Fri, 8 Feb 2019 10:52:07 -0500
+Subject: dm crypt: don't overallocate the integrity tag space
+
+From: Mikulas Patocka
+
+commit ff0c129d3b5ecb3df7c8f5e2236582bf745b6c5f upstream.
+
+bio_sectors() returns the value in the units of 512-byte sectors (no
+matter what the real sector size of the device). dm-crypt multiplies
+bio_sectors() by on_disk_tag_size to calculate the space allocated for
+integrity tags. If dm-crypt is running with sector size larger than
+512b, it allocates more data than is needed.
+
+Device Mapper trims the extra space when passing the bio to
+dm-integrity, so this bug didn't result in any visible misbehavior.
+But it must be fixed to avoid wasteful memory allocation for the block
+integrity payload.
+
+Fixes: ef43aa38063a6 ("dm crypt: add cryptographic data integrity protection (authenticated encryption)")
+Cc: stable@vger.kernel.org # 4.12+
+Reported-by: Milan Broz
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm-crypt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -932,7 +932,7 @@ static int dm_crypt_integrity_io_alloc(s
+ if (IS_ERR(bip))
+ return PTR_ERR(bip);
+
+- tag_len = io->cc->on_disk_tag_size * bio_sectors(bio);
++ tag_len = io->cc->on_disk_tag_size * (bio_sectors(bio) >> io->cc->sector_shift);
+
+ bip->bip_iter.bi_size = tag_len;
+ bip->bip_iter.bi_sector = io->cc->start + io->sector;
diff --git a/queue-4.19/dm-thin-fix-bug-where-bio-that-overwrites-thin-block-ignores-fua.patch b/queue-4.19/dm-thin-fix-bug-where-bio-that-overwrites-thin-block-ignores-fua.patch
new file mode 100644
index 00000000000..fa0c762a6cc
--- /dev/null
+++ b/queue-4.19/dm-thin-fix-bug-where-bio-that-overwrites-thin-block-ignores-fua.patch
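Review bot: The new `bio_sectors(bio) >> io->cc->sector_shift` rounds down, so a bio whose length is not a multiple of the crypt sector size would get a `tag_len` that is one sector's tag short, and that value becomes `bip->bip_iter.bi_size`. dm-crypt presumably rejects unaligned bios before this point, but that check is not visible here. A one-line comment such as `/* bio length is a multiple of the crypt sector size, so the shift is exact */` would record the assumption next to the arithmetic that sizes the authentication tag space. `dm_crypt_integrity_io_alloc()` continues outside the hunk.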
@@ -0,0 +1,156 @@
+From 4ae280b4ee3463fa57bbe6eede26b97daff8a0f1 Mon Sep 17 00:00:00 2001
+From: Nikos Tsironis
+Date: Thu, 14 Feb 2019 20:38:47 +0200
+Subject: dm thin: fix bug where bio that overwrites thin block ignores FUA
+
+From: Nikos Tsironis
+
+commit 4ae280b4ee3463fa57bbe6eede26b97daff8a0f1 upstream.
+
+When provisioning a new data block for a virtual block, either because
+the block was previously unallocated or because we are breaking sharing,
+if the whole block of data is being overwritten the bio that triggered
+the provisioning is issued immediately, skipping copying or zeroing of
+the data block.
+
+When this bio completes the new mapping is inserted in to the pool's
+metadata by process_prepared_mapping(), where the bio completion is
+signaled to the upper layers.
+
+This completion is signaled without first committing the metadata. If
+the bio in question has the REQ_FUA flag set and the system crashes
+right after its completion and before the next metadata commit, then the
+write is lost despite the REQ_FUA flag requiring that I/O completion for
+this request must only be signaled after the data has been committed to
+non-volatile storage.
+
+Fix this by deferring the completion of overwrite bios, with the REQ_FUA
+flag set, until after the metadata has been committed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nikos Tsironis
+Acked-by: Joe Thornber
+Acked-by: Mikulas Patocka
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm-thin.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 50 insertions(+), 5 deletions(-)
+
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -257,6 +257,7 @@ struct pool {
+
+ spinlock_t lock;
+ struct bio_list deferred_flush_bios;
++ struct bio_list deferred_flush_completions;
+ struct list_head prepared_mappings;
+ struct list_head prepared_discards;
+ struct list_head prepared_discards_pt2;
+@@ -956,6 +957,39 @@ static void process_prepared_mapping_fai
+ mempool_free(m, &m->tc->pool->mapping_pool);
+ }
+
++static void complete_overwrite_bio(struct thin_c *tc, struct bio *bio)
++{
++ struct pool *pool = tc->pool;
++ unsigned long flags;
++
++ /*
++ * If the bio has the REQ_FUA flag set we must commit the metadata
++ * before signaling its completion.
++ */
++ if (!bio_triggers_commit(tc, bio)) {
++ bio_endio(bio);
++ return;
++ }
++
++ /*
++ * Complete bio with an error if earlier I/O caused changes to the
++ * metadata that can't be committed, e.g, due to I/O errors on the
++ * metadata device.
++ */
++ if (dm_thin_aborted_changes(tc->td)) {
++ bio_io_error(bio);
++ return;
++ }
++
++ /*
++ * Batch together any bios that trigger commits and then issue a
++ * single commit for them in process_deferred_bios().
++ */
++ spin_lock_irqsave(&pool->lock, flags);
++ bio_list_add(&pool->deferred_flush_completions, bio);
++ spin_unlock_irqrestore(&pool->lock, flags);
++}
++
+ static void process_prepared_mapping(struct dm_thin_new_mapping *m)
+ {
+ struct thin_c *tc = m->tc;
+@@ -988,7 +1022,7 @@ static void process_prepared_mapping(str
+ */
+ if (bio) {
+ inc_remap_and_issue_cell(tc, m->cell, m->data_block);
+- bio_endio(bio);
++ complete_overwrite_bio(tc, bio);
+ } else {
+ inc_all_io_entry(tc->pool, m->cell->holder);
+ remap_and_issue(tc, m->cell->holder, m->data_block);
+@@ -2317,7 +2351,7 @@ static void process_deferred_bios(struct
+ {
+ unsigned long flags;
+ struct bio *bio;
+- struct bio_list bios;
++ struct bio_list bios, bio_completions;
+ struct thin_c *tc;
+
+ tc = get_first_thin(pool);
+@@ -2328,26 +2362,36 @@ static void process_deferred_bios(struct
+ }
+
+ /*
+- * If there are any deferred flush bios, we must commit
+- * the metadata before issuing them.
++ * If there are any deferred flush bios, we must commit the metadata
++ * before issuing them or signaling their completion.
+ */
+ bio_list_init(&bios);
++ bio_list_init(&bio_completions);
++
+ spin_lock_irqsave(&pool->lock, flags);
+ bio_list_merge(&bios, &pool->deferred_flush_bios);
+ bio_list_init(&pool->deferred_flush_bios);
++
++ bio_list_merge(&bio_completions, &pool->deferred_flush_completions);
++ bio_list_init(&pool->deferred_flush_completions);
+ spin_unlock_irqrestore(&pool->lock, flags);
+
+- if (bio_list_empty(&bios) &&
++ if (bio_list_empty(&bios) && bio_list_empty(&bio_completions) &&
+ !(dm_pool_changed_this_transaction(pool->pmd) && need_commit_due_to_time(pool)))
+ return;
+
+ if (commit(pool)) {
++ bio_list_merge(&bios, &bio_completions);
++
+ while ((bio = bio_list_pop(&bios)))
+ bio_io_error(bio);
+ return;
+ }
+ pool->last_commit_jiffies = jiffies;
+
++ while ((bio = bio_list_pop(&bio_completions)))
++ bio_endio(bio);
++
+ while ((bio = bio_list_pop(&bios)))
+ generic_make_request(bio);
+ }
+@@ -2954,6 +2998,7 @@ static struct pool *pool_create(struct m
+ INIT_DELAYED_WORK(&pool->no_space_timeout, do_no_space_timeout);
+ spin_lock_init(&pool->lock);
+ bio_list_init(&pool->deferred_flush_bios);
++ bio_list_init(&pool->deferred_flush_completions);
+ INIT_LIST_HEAD(&pool->prepared_mappings);
+ INIT_LIST_HEAD(&pool->prepared_discards);
+ INIT_LIST_HEAD(&pool->prepared_discards_pt2);
diff --git a/queue-4.19/drm-i915-block-fbdev-hpd-processing-during-suspend.patch b/queue-4.19/drm-i915-block-fbdev-hpd-processing-during-suspend.patch
new file mode 100644
index 00000000000..640782d795d
--- /dev/null
+++ b/queue-4.19/drm-i915-block-fbdev-hpd-processing-during-suspend.patch
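Review bot: `complete_overwrite_bio()` parks a REQ_FUA bio on `pool->deferred_flush_completions` and returns, and the only place in this patch that drains that list is `process_deferred_bios()`; nothing in the hunk wakes the worker. That is fine if `process_prepared_mapping()` always runs on the pool worker ahead of `process_deferred_bios()`, but the hunk does not show it, and otherwise the bio would sit until the next commit is triggered by something else. I would state that contract in a comment above the function, e.g. `/* Called from the pool worker; queued bios are completed by process_deferred_bios() once commit() succeeds, and failed if it does not. */`.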
@@ -0,0 +1,171 @@
+From e8a8fedd57fdcebf0e4f24ef0fc7e29323df8e66 Mon Sep 17 00:00:00 2001
+From: Lyude Paul
+Date: Tue, 29 Jan 2019 14:09:59 -0500
+Subject: drm/i915: Block fbdev HPD processing during suspend
+
+From: Lyude Paul
+
+commit e8a8fedd57fdcebf0e4f24ef0fc7e29323df8e66 upstream.
+
+When resuming, we check whether or not any previously connected
+MST topologies are still present and if so, attempt to resume them. If
+this fails, we disable said MST topologies and fire off a hotplug event
+so that userspace knows to reprobe.
+
+However, sending a hotplug event involves calling
+drm_fb_helper_hotplug_event(), which in turn results in fbcon doing a
+connector reprobe in the caller's thread - something we can't do at the
+point in which i915 calls drm_dp_mst_topology_mgr_resume() since
+hotplugging hasn't been fully initialized yet.
+
+This currently causes some rather subtle but fatal issues. For example,
+on my T480s the laptop dock connected to it usually disappears during a
+suspend cycle, and comes back up a short while after the system has been
+resumed. This guarantees pretty much every suspend and resume cycle,
+drm_dp_mst_topology_mgr_set_mst(mgr, false); will be caused and in turn,
+a connector hotplug will occur. Now it's Rute Goldberg time: when the
+connector hotplug occurs, i915 reprobes /all/ of the connectors,
+including eDP. However, eDP probing requires that we power on the panel
+VDD which in turn, grabs a wakeref to the appropriate power domain on
+the GPU (on my T480s, this is the PORT_DDI_A_IO domain). This is where
+things start breaking, since this all happens before
+intel_power_domains_enable() is called we end up leaking the wakeref
+that was acquired and never releasing it later. Come next suspend/resume
+cycle, this causes us to fail to shut down the GPU properly, which
+causes it not to resume properly and die a horrible complicated death.
+
+(as a note: this only happens when there's both an eDP panel and MST
+topology connected which is removed mid-suspend. One or the other seems
+to always be OK).
+
+We could try to fix the VDD wakeref leak, but this doesn't seem like
+it's worth it at all since we aren't able to handle hotplug detection
+while resuming anyway. So, let's go with a more robust solution inspired
+by nouveau: block fbdev from handling hotplug events until we resume
+fbdev. This allows us to still send sysfs hotplug events to be handled
+later by user space while we're resuming, while also preventing us from
+actually processing any hotplug events we receive until it's safe.
+
+This fixes the wakeref leak observed on the T480s and as such, also
+fixes suspend/resume with MST topologies connected on this machine.
+
+Changes since v2:
+* Don't call drm_fb_helper_hotplug_event() under lock, do it after lock
+ (Chris Wilson)
+* Don't call drm_fb_helper_hotplug_event() in
+ intel_fbdev_output_poll_changed() under lock (Chris Wilson)
+* Always set ifbdev->hpd_waiting (Chris Wilson)
+
+Signed-off-by: Lyude Paul
+Fixes: 0e32b39ceed6 ("drm/i915: add DP 1.2 MST support (v0.7)")
+Cc: Todd Previte
+Cc: Dave Airlie
+Cc: Jani Nikula
+Cc: Joonas Lahtinen
+Cc: Rodrigo Vivi
+Cc: Imre Deak
+Cc: intel-gfx@lists.freedesktop.org
+Cc: # v3.17+
+Reviewed-by: Chris Wilson
+Link: https://patchwork.freedesktop.org/patch/msgid/20190129191001.442-2-lyude@redhat.com
+(cherry picked from commit fe5ec65668cdaa4348631d8ce1766eed43b33c10)
+Signed-off-by: Jani Nikula
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/intel_drv.h | 10 ++++++++++
+ drivers/gpu/drm/i915/intel_fbdev.c | 33 ++++++++++++++++++++++++++++++++-
+ 2 files changed, 42 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_drv.h
++++ b/drivers/gpu/drm/i915/intel_drv.h
+@@ -209,6 +209,16 @@ struct intel_fbdev {
+ unsigned long vma_flags;
+ async_cookie_t cookie;
+ int preferred_bpp;
++
++ /* Whether or not fbdev hpd processing is temporarily suspended */
++ bool hpd_suspended : 1;
++ /* Set when a hotplug was received while HPD processing was
++ * suspended
++ */
++ bool hpd_waiting : 1;
++
++ /* Protects hpd_suspended */
++ struct mutex hpd_lock;
+ };
+
+ struct intel_encoder {
+--- a/drivers/gpu/drm/i915/intel_fbdev.c
++++ b/drivers/gpu/drm/i915/intel_fbdev.c
+@@ -677,6 +677,7 @@ int intel_fbdev_init(struct drm_device *
+ if (ifbdev == NULL)
+ return -ENOMEM;
+
++ mutex_init(&ifbdev->hpd_lock);
+ drm_fb_helper_prepare(dev, &ifbdev->helper, &intel_fb_helper_funcs);
+
+ if (!intel_fbdev_init_bios(dev, ifbdev))
+@@ -750,6 +751,26 @@ void intel_fbdev_fini(struct drm_i915_pr
+ intel_fbdev_destroy(ifbdev);
+ }
+
++/* Suspends/resumes fbdev processing of incoming HPD events. When resuming HPD
++ * processing, fbdev will perform a full connector reprobe if a hotplug event
++ * was received while HPD was suspended.
++ */
++static void intel_fbdev_hpd_set_suspend(struct intel_fbdev *ifbdev, int state)
++{
++ bool send_hpd = false;
++
++ mutex_lock(&ifbdev->hpd_lock);
++ ifbdev->hpd_suspended = state == FBINFO_STATE_SUSPENDED;
++ send_hpd = !ifbdev->hpd_suspended && ifbdev->hpd_waiting;
++ ifbdev->hpd_waiting = false;
++ mutex_unlock(&ifbdev->hpd_lock);
++
++ if (send_hpd) {
++ DRM_DEBUG_KMS("Handling delayed fbcon HPD event\n");
++ drm_fb_helper_hotplug_event(&ifbdev->helper);
++ }
++}
++
+ void intel_fbdev_set_suspend(struct drm_device *dev, int state, bool synchronous)
+ {
+ struct drm_i915_private *dev_priv = to_i915(dev);
+@@ -771,6 +792,7 @@ void intel_fbdev_set_suspend(struct drm_
+ */
+ if (state != FBINFO_STATE_RUNNING)
+ flush_work(&dev_priv->fbdev_suspend_work);
++
+ console_lock();
+ } else {
+ /*
+@@ -798,17 +820,26 @@ void intel_fbdev_set_suspend(struct drm_
+
+ drm_fb_helper_set_suspend(&ifbdev->helper, state);
+ console_unlock();
++
++ intel_fbdev_hpd_set_suspend(ifbdev, state);
+ }
+
+ void intel_fbdev_output_poll_changed(struct drm_device *dev)
+ {
+ struct intel_fbdev *ifbdev = to_i915(dev)->fbdev;
++ bool send_hpd;
+
+ if (!ifbdev)
+ return;
+
+ intel_fbdev_sync(ifbdev);
+- if (ifbdev->vma || ifbdev->helper.deferred_setup)
++
++ mutex_lock(&ifbdev->hpd_lock);
++ send_hpd = !ifbdev->hpd_suspended;
++ ifbdev->hpd_waiting = true;
++ mutex_unlock(&ifbdev->hpd_lock);
++
++ if (send_hpd && (ifbdev->vma || ifbdev->helper.deferred_setup))
+ drm_fb_helper_hotplug_event(&ifbdev->helper);
+ }
+
diff --git a/queue-4.19/drm-i915-prevent-a-race-during-i915_gem_mmap-ioctl-with-wc-set.patch b/queue-4.19/drm-i915-prevent-a-race-during-i915_gem_mmap-ioctl-with-wc-set.patch
new file mode 100644
index 00000000000..049f444f304
--- /dev/null
+++ b/queue-4.19/drm-i915-prevent-a-race-during-i915_gem_mmap-ioctl-with-wc-set.patch
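Review bot: The comment on `hpd_lock` in struct intel_fbdev names only `hpd_suspended`, but both intel_fbdev_hpd_set_suspend() and intel_fbdev_output_poll_changed() also write `hpd_waiting` while holding the same mutex. The two flags are adjacent one-bit bitfields, so a later writer who trusts the comment and updates `hpd_waiting` without the lock would race with updates to `hpd_suspended`. I would change the comment to `/* Protects hpd_suspended and hpd_waiting */`.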
@@ -0,0 +1,67 @@
+From 2e7bd10e05afb866b5fb13eda25095c35d7a27cc Mon Sep 17 00:00:00 2001
+From: Joonas Lahtinen
+Date: Thu, 7 Feb 2019 10:54:53 +0200
+Subject: drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set
+
+From: Joonas Lahtinen
+
+commit 2e7bd10e05afb866b5fb13eda25095c35d7a27cc upstream.
+
+Make sure the underlying VMA in the process address space is the
+same as it was during vm_mmap to avoid applying WC to wrong VMA.
+
+A more long-term solution would be to have vm_mmap_locked variant
+in linux/mmap.h for when caller wants to hold mmap_sem for an
+extended duration.
+
+v2:
+- Refactor the compare function
+
+Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects")
+Reported-by: Adam Zabrocki
+Suggested-by: Linus Torvalds
+Signed-off-by: Joonas Lahtinen
+Cc: # v4.0+
+Cc: Akash Goel
+Cc: Chris Wilson
+Cc: Tvrtko Ursulin
+Cc: Adam Zabrocki
+Reviewed-by: Chris Wilson
+Reviewed-by: Tvrtko Ursulin #v1
+Link: https://patchwork.freedesktop.org/patch/msgid/20190207085454.10598-1-joonas.lahtinen@linux.intel.com
+(cherry picked from commit 5c4604e757ba9b193b09768d75a7d2105a5b883f)
+Signed-off-by: Jani Nikula
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/i915_gem.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem.c
++++ b/drivers/gpu/drm/i915/i915_gem.c
+@@ -1821,6 +1821,16 @@ i915_gem_sw_finish_ioctl(struct drm_devi
+ return 0;
+ }
+
++static inline bool
++__vma_matches(struct vm_area_struct *vma, struct file *filp,
++ unsigned long addr, unsigned long size)
++{
++ if (vma->vm_file != filp)
++ return false;
++
++ return vma->vm_start == addr && (vma->vm_end - vma->vm_start) == size;
++}
++
+ /**
+ * i915_gem_mmap_ioctl - Maps the contents of an object, returning the address
+ * it is mapped to.
+@@ -1879,7 +1889,7 @@ i915_gem_mmap_ioctl(struct drm_device *d
+ return -EINTR;
+ }
+ vma = find_vma(mm, addr);
+- if (vma)
++ if (vma && __vma_matches(vma, obj->base.filp, addr, args->size))
+ vma->vm_page_prot =
+ pgprot_writecombine(vm_get_page_prot(vma->vm_flags));
+ else
diff --git a/queue-4.19/drm-use-array_size-when-creating-lease.patch b/queue-4.19/drm-use-array_size-when-creating-lease.patch
new file mode 100644
index 00000000000..b21689dfa5a
--- /dev/null
+++ b/queue-4.19/drm-use-array_size-when-creating-lease.patch
@@ -0,0 +1,39 @@
+From 69ef943dbc14b21987c79f8399ffea08f9a1b446 Mon Sep 17 00:00:00 2001
+From: Matthew Wilcox
+Date: Thu, 14 Feb 2019 11:03:48 -0800
+Subject: drm: Use array_size() when creating lease
+
+From: Matthew Wilcox
+
+commit 69ef943dbc14b21987c79f8399ffea08f9a1b446 upstream.
+
+Passing an object_count of sufficient size will make
+object_count * 4 wrap around to be very small, then a later function
+will happily iterate off the end of the object_ids array. Using
+array_size() will saturate at SIZE_MAX, the kmalloc() will fail and
+we'll return an -ENOMEM to the norty userspace.
+
+Fixes: 62884cd386b8 ("drm: Add four ioctls for managing drm mode object leases [v7]")
+Signed-off-by: Matthew Wilcox
+Acked-by: Kees Cook
+Acked-by: Daniel Vetter
+Cc: # v4.15+
+Signed-off-by: Dave Airlie
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/drm_lease.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_lease.c
++++ b/drivers/gpu/drm/drm_lease.c
+@@ -521,7 +521,8 @@ int drm_mode_create_lease_ioctl(struct d
+
+ object_count = cl->object_count;
+
+- object_ids = memdup_user(u64_to_user_ptr(cl->object_ids), object_count * sizeof(__u32));
++ object_ids = memdup_user(u64_to_user_ptr(cl->object_ids),
++ array_size(object_count, sizeof(__u32)));
+ if (IS_ERR(object_ids))
+ return PTR_ERR(object_ids);
+
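Review bot: In `__vma_matches()` (i915_gem.c) the length test `(vma->vm_end - vma->vm_start) == size` compares the VMA length with the raw `args->size`. If the mapping created earlier in i915_gem_mmap_ioctl() is rounded up to a page multiple, as mmap lengths normally are, a request whose size is not page-aligned can never match. It then falls into the `else` branch, whose body is outside the hunk, instead of getting the write-combining protection. Comparing against the rounded size keeps the ownership check and still accepts those callers: `return vma->vm_start == addr && (vma->vm_end - vma->vm_start) == PAGE_ALIGN(size);`.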
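Review bot: The `array_size()` call in drm_mode_create_lease_ioctl() (drm_lease.c) deserves a one-line comment, because nothing at the call site says the helper is there for overflow safety and a later cleanup could turn it back into a plain multiplication. Something like `/* array_size() saturates to SIZE_MAX on overflow, so memdup_user() fails instead of copying a short buffer */` above the call would do. The rest of the function, including anything that bounds `object_count`, is outside the hunk.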
diff --git a/queue-4.19/drm-vkms-fix-license-inconsistent.patch b/queue-4.19/drm-vkms-fix-license-inconsistent.patch
new file mode 100644
index 00000000000..1f82154c8c7
--- /dev/null
+++ b/queue-4.19/drm-vkms-fix-license-inconsistent.patch
@@ -0,0 +1,106 @@
+From 7fd56e0260a22c0cfaf9adb94a2427b76e239dd0 Mon Sep 17 00:00:00 2001
+From: Rodrigo Siqueira
+Date: Wed, 6 Feb 2019 12:01:16 -0200
+Subject: drm/vkms: Fix license inconsistent
+
+From: Rodrigo Siqueira
+
+commit 7fd56e0260a22c0cfaf9adb94a2427b76e239dd0 upstream.
+
+Fixes license inconsistent related to the VKMS driver and remove the
+redundant boilerplate comment.
+
+Fixes: 854502fa0a38 ("drm/vkms: Add basic CRTC initialization")
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Rodrigo Siqueira
+Acked-by: Daniel Vetter
+Link: https://patchwork.freedesktop.org/patch/msgid/20190206140116.7qvy2lpwbcd7wds6@smtp.gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/vkms/vkms_crtc.c | 8 +-------
+ drivers/gpu/drm/vkms/vkms_drv.c | 7 +------
+ drivers/gpu/drm/vkms/vkms_drv.h | 2 ++
+ drivers/gpu/drm/vkms/vkms_gem.c | 8 +-------
+ drivers/gpu/drm/vkms/vkms_output.c | 8 +-------
+ drivers/gpu/drm/vkms/vkms_plane.c | 8 +-------
+ 6 files changed, 7 insertions(+), 34 deletions(-)
+
+--- a/drivers/gpu/drm/vkms/vkms_crtc.c
++++ b/drivers/gpu/drm/vkms/vkms_crtc.c
+@@ -1,10 +1,4 @@
+-// SPDX-License-Identifier: GPL-2.0
+-/*
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; either version 2 of the License, or
+- * (at your option) any later version.
+- */
++// SPDX-License-Identifier: GPL-2.0+
+
+ #include "vkms_drv.h"
+ #include
+--- a/drivers/gpu/drm/vkms/vkms_drv.c
++++ b/drivers/gpu/drm/vkms/vkms_drv.c
+@@ -1,9 +1,4 @@
+-/*
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; either version 2 of the License, or
+- * (at your option) any later version.
+- */
++// SPDX-License-Identifier: GPL-2.0+
+
+ #include
+ #include
+--- a/drivers/gpu/drm/vkms/vkms_drv.h
++++ b/drivers/gpu/drm/vkms/vkms_drv.h
+@@ -1,3 +1,5 @@
++/* SPDX-License-Identifier: GPL-2.0+ */
++
+ #ifndef _VKMS_DRV_H_
+ #define _VKMS_DRV_H_
+
+--- a/drivers/gpu/drm/vkms/vkms_gem.c
++++ b/drivers/gpu/drm/vkms/vkms_gem.c
+@@ -1,10 +1,4 @@
+-// SPDX-License-Identifier: GPL-2.0
+-/*
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; either version 2 of the License, or
+- * (at your option) any later version.
+- */
++// SPDX-License-Identifier: GPL-2.0+
+
+ #include
+
+--- a/drivers/gpu/drm/vkms/vkms_output.c
++++ b/drivers/gpu/drm/vkms/vkms_output.c
+@@ -1,10 +1,4 @@
+-// SPDX-License-Identifier: GPL-2.0
+-/*
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; either version 2 of the License, or
+- * (at your option) any later version.
+- */
++// SPDX-License-Identifier: GPL-2.0+
+
+ #include "vkms_drv.h"
+ #include
+--- a/drivers/gpu/drm/vkms/vkms_plane.c
++++ b/drivers/gpu/drm/vkms/vkms_plane.c
+@@ -1,10 +1,4 @@
+-// SPDX-License-Identifier: GPL-2.0
+-/*
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; either version 2 of the License, or
+- * (at your option) any later version.
+- */
++// SPDX-License-Identifier: GPL-2.0+
+
+ #include "vkms_drv.h"
+ #include
diff --git a/queue-4.19/input-bma150-register-input-device-after-setting-private-data.patch b/queue-4.19/input-bma150-register-input-device-after-setting-private-data.patch
new file mode 100644
index 00000000000..629f9e9a7e7
--- /dev/null
+++ b/queue-4.19/input-bma150-register-input-device-after-setting-private-data.patch 
@@ -0,0 +1,106 @@
+From 90cc55f067f6ca0e64e5e52883ece47d8af7b67b Mon Sep 17 00:00:00 2001
+From: Jonathan Bakker
+Date: Wed, 6 Feb 2019 10:45:37 -0800
+Subject: Input: bma150 - register input device after setting private data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Bakker
+
+commit 90cc55f067f6ca0e64e5e52883ece47d8af7b67b upstream.
+
+Otherwise we introduce a race condition where userspace can request input
+before we're ready leading to null pointer dereference such as
+
+input: bma150 as /devices/platform/i2c-gpio-2/i2c-5/5-0038/input/input3
+Unable to handle kernel NULL pointer dereference at virtual address 00000018
+pgd = (ptrval)
+[00000018] *pgd=55dac831, *pte=00000000, *ppte=00000000
+Internal error: Oops: 17 [#1] PREEMPT ARM
+Modules linked in: bma150 input_polldev [last unloaded: bma150]
+CPU: 0 PID: 2870 Comm: accelerometer Not tainted 5.0.0-rc3-dirty #46
+Hardware name: Samsung S5PC110/S5PV210-based board
+PC is at input_event+0x8/0x60
+LR is at bma150_report_xyz+0x9c/0xe0 [bma150]
+pc : [<80450f70>] lr : [<7f0a614c>] psr: 800d0013
+sp : a4c1fd78 ip : 00000081 fp : 00020000
+r10: 00000000 r9 : a5e2944c r8 : a7455000
+r7 : 00000016 r6 : 00000101 r5 : a7617940 r4 : 80909048
+r3 : fffffff2 r2 : 00000000 r1 : 00000003 r0 : 00000000
+Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+Control: 10c5387d Table: 54e34019 DAC: 00000051
+Process accelerometer (pid: 2870, stack limit = 0x(ptrval))
+Stackck: (0xa4c1fd78 to 0xa4c20000)
+fd60: fffffff3 fc813f6c
+fd80: 40410581 d7530ce3 a5e2817c a7617f00 a5e29404 a5e2817c 00000000 7f008324
+fda0: a5e28000 8044f59c a5fdd9d0 a5e2945c a46a4a00 a5e29668 a7455000 80454f10
+fdc0: 80909048 a5e29668 a5fdd9d0 a46a4a00 806316d0 00000000 a46a4a00 801df5f0
+fde0: 00000000 d7530ce3 a4c1fec0 a46a4a00 00000000 a5fdd9d0 a46a4a08 801df53c
+fe00: 00000000 801d74bc a4c1fec0 00000000 a4c1ff70 00000000 a7038da8 00000000
+fe20: a46a4a00 801e91fc a411bbe0 801f2e88 00000004 00000000 80909048 00000041
+fe40: 00000000 00020000 00000000 dead4ead a6a88da0 00000000 ffffe000 806fcae8
+fe60: a4c1fec8 00000000 80909048 00000002 a5fdd9d0 a7660110 a411bab0 00000001
+fe80: dead4ead ffffffff ffffffff a4c1fe8c a4c1fe8c d7530ce3 20000013 80909048
+fea0: 80909048 a4c1ff70 00000001 fffff000 a4c1e000 00000005 00026038 801eabd8
+fec0: a7660110 a411bab0 b9394901 00000006 a696201b 76fb3000 00000000 a7039720
+fee0: a5fdd9d0 00000101 00000002 00000096 00000000 00000000 00000000 a4c1ff00
+ff00: a6b310f4 805cb174 a6b310f4 00000010 00000fe0 00000010 a4c1e000 d7530ce3
+ff20: 00000003 a5f41400 a5f41424 00000000 a6962000 00000000 00000003 00000002
+ff40: ffffff9c 000a0000 80909048 d7530ce3 a6962000 00000003 80909048 ffffff9c
+ff60: a6962000 801d890c 00000000 00000000 00020000 a7590000 00000004 00000100
+ff80: 00000001 d7530ce3 000288b8 00026320 000288b8 00000005 80101204 a4c1e000
+ffa0: 00000005 80101000 000288b8 00026320 000288b8 000a0000 00000000 00000000
+ffc0: 000288b8 00026320 000288b8 00000005 7eef3bac 000264e8 00028ad8 00026038
+ffe0: 00000005 7eef3300 76f76e91 76f78546 800d0030 000288b8 00000000 00000000
+[<80450f70>] (input_event) from [] (0xa5e2817c)
+Code: e1a08148 eaffffa8 e351001f 812fff1e (e590c018)
+---[ end trace 1c691ee85f2ff243 ]---
+
+Signed-off-by: Jonathan Bakker
+Signed-off-by: Paweł Chmiel
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/misc/bma150.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/misc/bma150.c
++++ b/drivers/input/misc/bma150.c
+@@ -481,13 +481,14 @@ static int bma150_register_input_device(
+ idev->close = bma150_irq_close;
+ input_set_drvdata(idev, bma150);
+
++ bma150->input = idev;
++
+ error = input_register_device(idev);
+ if (error) {
+ input_free_device(idev);
+ return error;
+ }
+
+- bma150->input = idev;
+ return 0;
+ }
+
+@@ -510,15 +511,15 @@ static int bma150_register_polled_device
+
+ bma150_init_input_device(bma150, ipoll_dev->input);
+
++ bma150->input_polled = ipoll_dev;
++ bma150->input = ipoll_dev->input;
++
+ error = input_register_polled_device(ipoll_dev);
+ if (error) {
+ input_free_polled_device(ipoll_dev);
+ return error;
+ }
+
+- bma150->input_polled = ipoll_dev;
+- bma150->input = ipoll_dev->input;
+-
+ return 0;
+ }
+
diff --git a/queue-4.19/input-elan_i2c-add-acpi-id-for-touchpad-in-lenovo-v330-15isk.patch b/queue-4.19/input-elan_i2c-add-acpi-id-for-touchpad-in-lenovo-v330-15isk.patch
new file mode 100644
index 00000000000..9362c024e0c
--- /dev/null
+++ b/queue-4.19/input-elan_i2c-add-acpi-id-for-touchpad-in-lenovo-v330-15isk.patch
@@ -0,0 +1,31 @@
+From 7ad222b3aed350adfc27ee7eec4587ffe55dfdce Mon Sep 17 00:00:00 2001
+From: Mauro Ciancio
+Date: Mon, 14 Jan 2019 10:24:53 -0300
+Subject: Input: elan_i2c - add ACPI ID for touchpad in Lenovo V330-15ISK
+
+From: Mauro Ciancio
+
+commit 7ad222b3aed350adfc27ee7eec4587ffe55dfdce upstream.
+
+This adds ELAN0617 to the ACPI table to support Elan touchpad found in
+Lenovo V330-15ISK.
+
+Signed-off-by: Mauro Ciancio
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/mouse/elan_i2c_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1345,6 +1345,7 @@ static const struct acpi_device_id elan_
+ { "ELAN060C", 0 },
+ { "ELAN0611", 0 },
+ { "ELAN0612", 0 },
++ { "ELAN0617", 0 },
+ { "ELAN0618", 0 },
+ { "ELAN061C", 0 },
+ { "ELAN061D", 0 },
diff --git a/queue-4.19/input-elantech-enable-3rd-button-support-on-fujitsu-celsius-h780.patch b/queue-4.19/input-elantech-enable-3rd-button-support-on-fujitsu-celsius-h780.patch
new file mode 100644
index 00000000000..1c708bc64a2
--- /dev/null
+++ b/queue-4.19/input-elantech-enable-3rd-button-support-on-fujitsu-celsius-h780.patch
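Review bot: On the failure paths of bma150_register_input_device() and bma150_register_polled_device() (bma150.c), the pointers that are now stored before registration are left pointing at the device that `input_free_device()` / `input_free_polled_device()` has just released. Before this change `bma150->input` and `bma150->input_polled` were only set on success, so a stale value could never be observed; whether anything reads them after a failed registration depends on the caller, which is outside the hunk. Clearing them in the error branches keeps that property: `bma150->input = NULL;` after `input_free_device(idev);`, and `bma150->input_polled = NULL; bma150->input = NULL;` in the polled variant.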
@@ -0,0 +1,52 @@
+From e8b22d0a329f0fb5c7ef95406872d268f01ee3b1 Mon Sep 17 00:00:00 2001
+From: Matti Kurkela
+Date: Thu, 7 Feb 2019 23:49:23 -0800
+Subject: Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780
+
+From: Matti Kurkela
+
+commit e8b22d0a329f0fb5c7ef95406872d268f01ee3b1 upstream.
+
+Like Fujitsu CELSIUS H760, the H780 also has a three-button Elantech
+touchpad, but the driver needs to be told so to enable the middle touchpad
+button.
+
+The elantech_dmi_force_crc_enabled quirk was not necessary with the H780.
+
+Also document the fw_version and caps values detected for both H760 and
+H780 models.
+
+Signed-off-by: Matti Kurkela
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/mouse/elantech.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -1119,6 +1119,8 @@ static int elantech_get_resolution_v4(st
+ * Asus UX31 0x361f00 20, 15, 0e clickpad
+ * Asus UX32VD 0x361f02 00, 15, 0e clickpad
+ * Avatar AVIU-145A2 0x361f00 ? clickpad
++ * Fujitsu CELSIUS H760 0x570f02 40, 14, 0c 3 hw buttons (**)
++ * Fujitsu CELSIUS H780 0x5d0f02 41, 16, 0d 3 hw buttons (**)
+ * Fujitsu LIFEBOOK E544 0x470f00 d0, 12, 09 2 hw buttons
+ * Fujitsu LIFEBOOK E546 0x470f00 50, 12, 09 2 hw buttons
+ * Fujitsu LIFEBOOK E547 0x470f00 50, 12, 09 2 hw buttons
+@@ -1171,6 +1173,13 @@ static const struct dmi_system_id elante
+ DMI_MATCH(DMI_PRODUCT_NAME, "CELSIUS H760"),
+ },
+ },
++ {
++ /* Fujitsu H780 also has a middle button */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "CELSIUS H780"),
++ },
++ },
+ #endif
+ { }
+ };
diff --git a/queue-4.19/kvm-vmx-fix-entry-number-check-for-add_atomic_switch_msr.patch b/queue-4.19/kvm-vmx-fix-entry-number-check-for-add_atomic_switch_msr.patch
new file mode 100644
index 00000000000..2b5c4ec5ffe
--- /dev/null
+++ b/queue-4.19/kvm-vmx-fix-entry-number-check-for-add_atomic_switch_msr.patch
@@ -0,0 +1,36 @@
+From 98ae70cc476e833332a2c6bb72f941a25f0de226 Mon Sep 17 00:00:00 2001
+From: Xiaoyao Li
+Date: Thu, 14 Feb 2019 12:08:58 +0800
+Subject: kvm: vmx: Fix entry number check for add_atomic_switch_msr()
+
+From: Xiaoyao Li
+
+commit 98ae70cc476e833332a2c6bb72f941a25f0de226 upstream.
+
+Commit ca83b4a7f2d068da79a0 ("x86/KVM/VMX: Add find_msr() helper function")
+introduces the helper function find_msr(), which returns -ENOENT when
+not find the msr in vmx->msr_autoload.guest/host. Correct checking contion
+of no more available entry in vmx->msr_autoload.
+
+Fixes: ca83b4a7f2d0 ("x86/KVM/VMX: Add find_msr() helper function")
+Cc: stable@vger.kernel.org
+Signed-off-by: Xiaoyao Li
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/vmx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2757,7 +2757,8 @@ static void add_atomic_switch_msr(struct
+ if (!entry_only)
+ j = find_msr(&m->host, msr);
+
+- if (i == NR_AUTOLOAD_MSRS || j == NR_AUTOLOAD_MSRS) {
++ if ((i < 0 && m->guest.nr == NR_AUTOLOAD_MSRS) ||
++ (j < 0 && m->host.nr == NR_AUTOLOAD_MSRS)) {
+ printk_once(KERN_WARNING "Not enough msr switch entries. "
+ "Can't add msr %x\n", msr);
+ return;
diff --git a/queue-4.19/md-raid1-don-t-clear-bitmap-bits-on-interrupted-recovery.patch b/queue-4.19/md-raid1-don-t-clear-bitmap-bits-on-interrupted-recovery.patch
new file mode 100644
index 00000000000..de271c15200
--- /dev/null
+++ b/queue-4.19/md-raid1-don-t-clear-bitmap-bits-on-interrupted-recovery.patch
@@ -0,0 +1,83 @@
+From dfcc34c99f3ebc16b787b118763bf9cb6b1efc7a Mon Sep 17 00:00:00 2001
+From: Nate Dailey
+Date: Thu, 7 Feb 2019 14:19:01 -0500
+Subject: md/raid1: don't clear bitmap bits on interrupted recovery.
+
+From: Nate Dailey
+
+commit dfcc34c99f3ebc16b787b118763bf9cb6b1efc7a upstream.
+
+sync_request_write no longer submits writes to a Faulty device. This has
+the unfortunate side effect that bitmap bits can be incorrectly cleared
+if a recovery is interrupted (previously, end_sync_write would have
+prevented this). This means the next recovery may not copy everything
+it should, potentially corrupting data.
+
+Add a function for doing the proper md_bitmap_end_sync, called from
+end_sync_write and the Faulty case in sync_request_write.
+
+backport note to 4.14: s/md_bitmap_end_sync/bitmap_end_sync
+Cc: stable@vger.kernel.org 4.14+
+Fixes: 0c9d5b127f69 ("md/raid1: avoid reusing a resync bio after error handling.")
+Reviewed-by: Jack Wang
+Tested-by: Jack Wang
+Signed-off-by: Nate Dailey
+Signed-off-by: Song Liu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/raid1.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -1863,6 +1863,20 @@ static void end_sync_read(struct bio *bi
+ reschedule_retry(r1_bio);
+ }
+
++static void abort_sync_write(struct mddev *mddev, struct r1bio *r1_bio)
++{
++ sector_t sync_blocks = 0;
++ sector_t s = r1_bio->sector;
++ long sectors_to_go = r1_bio->sectors;
++
++ /* make sure these bits don't get cleared. */
++ do {
++ md_bitmap_end_sync(mddev->bitmap, s, &sync_blocks, 1);
++ s += sync_blocks;
++ sectors_to_go -= sync_blocks;
++ } while (sectors_to_go > 0);
++}
++
+ static void end_sync_write(struct bio *bio)
+ {
+ int uptodate = !bio->bi_status;
+@@ -1874,15 +1888,7 @@ static void end_sync_write(struct bio *b
+ struct md_rdev *rdev = conf->mirrors[find_bio_disk(r1_bio, bio)].rdev;
+
+ if (!uptodate) {
+- sector_t sync_blocks = 0;
+- sector_t s = r1_bio->sector;
+- long sectors_to_go = r1_bio->sectors;
+- /* make sure these bits doesn't get cleared. */
+- do {
+- md_bitmap_end_sync(mddev->bitmap, s, &sync_blocks, 1);
+- s += sync_blocks;
+- sectors_to_go -= sync_blocks;
+- } while (sectors_to_go > 0);
++ abort_sync_write(mddev, r1_bio);
+ set_bit(WriteErrorSeen, &rdev->flags);
+ if (!test_and_set_bit(WantReplacement, &rdev->flags))
+ set_bit(MD_RECOVERY_NEEDED, &
+@@ -2172,8 +2178,10 @@ static void sync_request_write(struct md
+ (i == r1_bio->read_disk ||
+ !test_bit(MD_RECOVERY_SYNC, &mddev->recovery))))
+ continue;
+- if (test_bit(Faulty, &conf->mirrors[i].rdev->flags))
++ if (test_bit(Faulty, &conf->mirrors[i].rdev->flags)) {
++ abort_sync_write(mddev, r1_bio);
+ continue;
++ }
+
+ bio_set_op_attrs(wbio, REQ_OP_WRITE, 0);
+ if (test_bit(FailFast, &conf->mirrors[i].rdev->flags))
diff --git a/queue-4.19/mm-proc-smaps_rollup-fix-pss_locked-calculation.patch b/queue-4.19/mm-proc-smaps_rollup-fix-pss_locked-calculation.patch
new file mode 100644
index 00000000000..6127e974f15
--- /dev/null
+++ b/queue-4.19/mm-proc-smaps_rollup-fix-pss_locked-calculation.patch
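Review bot: `abort_sync_write()` in raid1.c is now shared by end_sync_write() and the Faulty branch of sync_request_write(), but it has no header comment, and its only inline comment says "these bits" without saying which. A short comment above the function would help, for example `/* Mark the whole r1_bio range as aborted in the bitmap so an interrupted resync/recovery does not clear bits for data that was never written. */`. In sync_request_write() the call sits inside the per-mirror loop, so it runs once for every Faulty device; that looks harmless, but the comment should say so if it is intentional.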
@@ -0,0 +1,121 @@
+From 27dd768ed8db48beefc4d9e006c58e7a00342bde Mon Sep 17 00:00:00 2001
+From: Sandeep Patil
+Date: Tue, 12 Feb 2019 15:36:11 -0800
+Subject: mm: proc: smaps_rollup: fix pss_locked calculation
+
+From: Sandeep Patil
+
+commit 27dd768ed8db48beefc4d9e006c58e7a00342bde upstream.
+
+The 'pss_locked' field of smaps_rollup was being calculated incorrectly.
+It accumulated the current pss everytime a locked VMA was found. Fix
+that by adding to 'pss_locked' the same time as that of 'pss' if the vma
+being walked is locked.
+
+Link: http://lkml.kernel.org/r/20190203065425.14650-1-sspatil@android.com
+Fixes: 493b0e9d945f ("mm: add /proc/pid/smaps_rollup")
+Signed-off-by: Sandeep Patil
+Acked-by: Vlastimil Babka
+Reviewed-by: Joel Fernandes (Google)
+Cc: Alexey Dobriyan
+Cc: Daniel Colascione
+Cc: [4.14.x, 4.19.x]
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/proc/task_mmu.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -423,7 +423,7 @@ struct mem_size_stats {
+ };
+
+ static void smaps_account(struct mem_size_stats *mss, struct page *page,
+- bool compound, bool young, bool dirty)
++ bool compound, bool young, bool dirty, bool locked)
+ {
+ int i, nr = compound ? 1 << compound_order(page) : 1;
+ unsigned long size = nr * PAGE_SIZE;
+@@ -450,24 +450,31 @@ static void smaps_account(struct mem_siz
+ else
+ mss->private_clean += size;
+ mss->pss += (u64)size << PSS_SHIFT;
++ if (locked)
++ mss->pss_locked += (u64)size << PSS_SHIFT;
+ return;
+ }
+
+ for (i = 0; i < nr; i++, page++) {
+ int mapcount = page_mapcount(page);
++ unsigned long pss = (PAGE_SIZE << PSS_SHIFT);
+
+ if (mapcount >= 2) {
+ if (dirty || PageDirty(page))
+ mss->shared_dirty += PAGE_SIZE;
+ else
+ mss->shared_clean += PAGE_SIZE;
+- mss->pss += (PAGE_SIZE << PSS_SHIFT) / mapcount;
++ mss->pss += pss / mapcount;
++ if (locked)
++ mss->pss_locked += pss / mapcount;
+ } else {
+ if (dirty || PageDirty(page))
+ mss->private_dirty += PAGE_SIZE;
+ else
+ mss->private_clean += PAGE_SIZE;
+- mss->pss += PAGE_SIZE << PSS_SHIFT;
++ mss->pss += pss;
++ if (locked)
++ mss->pss_locked += pss;
+ }
+ }
+ }
+@@ -490,6 +497,7 @@ static void smaps_pte_entry(pte_t *pte,
+ {
+ struct mem_size_stats *mss = walk->private;
+ struct vm_area_struct *vma = walk->vma;
++ bool locked = !!(vma->vm_flags & VM_LOCKED);
+ struct page *page = NULL;
+
+ if (pte_present(*pte)) {
+@@ -532,7 +540,7 @@ static void smaps_pte_entry(pte_t *pte,
+ if (!page)
+ return;
+
+- smaps_account(mss, page, false, pte_young(*pte), pte_dirty(*pte));
++ smaps_account(mss, page, false, pte_young(*pte), pte_dirty(*pte), locked);
+ }
+
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
+@@ -541,6 +549,7 @@ static void smaps_pmd_entry(pmd_t *pmd,
+ {
+ struct mem_size_stats *mss = walk->private;
+ struct vm_area_struct *vma = walk->vma;
++ bool locked = !!(vma->vm_flags & VM_LOCKED);
+ struct page *page;
+
+ /* FOLL_DUMP will return -EFAULT on huge zero page */
+@@ -555,7 +564,7 @@ static void smaps_pmd_entry(pmd_t *pmd,
+ /* pass */;
+ else
+ VM_BUG_ON_PAGE(1, page);
+- smaps_account(mss, page, true, pmd_young(*pmd), pmd_dirty(*pmd));
++ smaps_account(mss, page, true, pmd_young(*pmd), pmd_dirty(*pmd), locked);
+ }
+ #else
+ static void smaps_pmd_entry(pmd_t *pmd, unsigned long addr,
+@@ -737,11 +746,8 @@ static void smap_gather_stats(struct vm_
+ }
+ }
+ #endif
+-
+ /* mmap_sem is held in m_start */
+ walk_page_vma(vma, &smaps_walk);
+- if (vma->vm_flags & VM_LOCKED)
+- mss->pss_locked += mss->pss;
+ }
+
+ #define SEQ_PUT_DEC(str, val) \
diff --git a/queue-4.19/mmc-block-handle-complete_work-on-separate-workqueue.patch b/queue-4.19/mmc-block-handle-complete_work-on-separate-workqueue.patch
new file mode 100644
index 00000000000..d426d2936a8
--- /dev/null
+++ b/queue-4.19/mmc-block-handle-complete_work-on-separate-workqueue.patch
@@ -0,0 +1,90 @@
+From dcf6e2e38a1c7ccbc535de5e1d9b14998847499d Mon Sep 17 00:00:00 2001
+From: Zachary Hays
+Date: Thu, 7 Feb 2019 10:03:08 -0500
+Subject: mmc: block: handle complete_work on separate workqueue
+
+From: Zachary Hays
+
+commit dcf6e2e38a1c7ccbc535de5e1d9b14998847499d upstream.
+
+The kblockd workqueue is created with the WQ_MEM_RECLAIM flag set.
+This generates a rescuer thread for that queue that will trigger when
+the CPU is under heavy load and collect the uncompleted work.
+
+In the case of mmc, this creates the possibility of a deadlock when
+there are multiple partitions on the device as other blk-mq work is
+also run on the same queue. For example:
+
+- worker 0 claims the mmc host to work on partition 1
+- worker 1 attempts to claim the host for partition 2 but has to wait
+ for worker 0 to finish
+- worker 0 schedules complete_work to release the host
+- rescuer thread is triggered after time-out and collects the dangling
+ work
+- rescuer thread attempts to complete the work in order starting with
+ claim host
+- the task to release host is now blocked by a task to claim it and
+ will never be called
+
+The above results in multiple hung tasks that lead to failures to
+mount partitions.
+
+Handling complete_work on a separate workqueue avoids this by keeping
+the work completion tasks separate from the other blk-mq work. This
+allows the host to be released without getting blocked by other tasks
+attempting to claim the host.
+
+Signed-off-by: Zachary Hays
+Fixes: 81196976ed94 ("mmc: block: Add blk-mq support")
+Cc:
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mmc/core/block.c | 10 +++++++++-
+ include/linux/mmc/card.h | 1 +
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -2114,7 +2114,7 @@ static void mmc_blk_mq_req_done(struct m
+ if (waiting)
+ wake_up(&mq->wait);
+ else
+- kblockd_schedule_work(&mq->complete_work);
++ queue_work(mq->card->complete_wq, &mq->complete_work);
+
+ return;
+ }
+@@ -2928,6 +2928,13 @@ static int mmc_blk_probe(struct mmc_card
+
+ mmc_fixup_device(card, mmc_blk_fixups);
+
++ card->complete_wq = alloc_workqueue("mmc_complete",
++ WQ_MEM_RECLAIM | WQ_HIGHPRI, 0);
++ if (unlikely(!card->complete_wq)) {
++ pr_err("Failed to create mmc completion workqueue");
++ return -ENOMEM;
++ }
++
+ md = mmc_blk_alloc(card);
+ if (IS_ERR(md))
+ return PTR_ERR(md);
+@@ -2991,6 +2998,7 @@ static void mmc_blk_remove(struct mmc_ca
+ pm_runtime_put_noidle(&card->dev);
+ mmc_blk_remove_req(md);
+ dev_set_drvdata(&card->dev, NULL);
++ destroy_workqueue(card->complete_wq);
+ }
+
+ static int _mmc_blk_suspend(struct mmc_card *card)
+--- a/include/linux/mmc/card.h
++++ b/include/linux/mmc/card.h
+@@ -308,6 +308,7 @@ struct mmc_card {
+ unsigned int nr_parts;
+
+ unsigned int bouncesz; /* Bounce buffer size */
++ struct workqueue_struct *complete_wq; /* Private workqueue */
+ };
+
+ static inline bool mmc_large_sector(struct mmc_card *card)
diff --git a/queue-4.19/mmc-sunxi-filter-out-unsupported-modes-declared-in-the-device-tree.patch b/queue-4.19/mmc-sunxi-filter-out-unsupported-modes-declared-in-the-device-tree.patch
new file mode 100644
index 00000000000..01d699ca4ed
--- /dev/null
+++ b/queue-4.19/mmc-sunxi-filter-out-unsupported-modes-declared-in-the-device-tree.patch
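Review bot: The workqueue allocated in mmc_blk_probe() is not released on the failure exit that follows it: the unchanged lines `md = mmc_blk_alloc(card);` / `if (IS_ERR(md)) return PTR_ERR(md);` return with card->complete_wq still allocated, so a failed probe leaks the workqueue and its rescuer thread. The error branch should tear it down first, `if (IS_ERR(md)) { destroy_workqueue(card->complete_wq); return PTR_ERR(md); }`. The rest of mmc_blk_probe() lies outside the hunk, so any later failure exits would need the same cleanup; that cannot be confirmed from here. The new pr_err() string also lacks a trailing `\n`.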
@@ -0,0 +1,57 @@
+From d6f11e7d91f2ac85f66194fe3ef8789b49901d64 Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai
+Date: Tue, 5 Feb 2019 23:42:24 +0800
+Subject: mmc: sunxi: Filter out unsupported modes declared in the device tree
+
+From: Chen-Yu Tsai
+
+commit d6f11e7d91f2ac85f66194fe3ef8789b49901d64 upstream.
+
+The MMC device tree bindings include properties used to signal various
+signalling speed modes. Until now the sunxi driver was accepting them
+without any further filtering, while the sunxi device trees were not
+actually using them.
+
+Since some of the H5 boards can not run at higher speed modes stably,
+we are resorting to declaring the higher speed modes per-board.
+
+Regardless, having boards declare modes and blindly following them,
+even without proper support in the driver, is generally a bad thing.
+
+Filter out all unsupported modes from the capabilities mask after
+the device tree properties have been parsed.
+
+Cc:
+Signed-off-by: Chen-Yu Tsai
+Acked-by: Maxime Ripard
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mmc/host/sunxi-mmc.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/mmc/host/sunxi-mmc.c
++++ b/drivers/mmc/host/sunxi-mmc.c
+@@ -1394,6 +1394,21 @@ static int sunxi_mmc_probe(struct platfo
+ if (ret)
+ goto error_free_dma;
+
++ /*
++ * If we don't support delay chains in the SoC, we can't use any
++ * of the higher speed modes. Mask them out in case the device
++ * tree specifies the properties for them, which gets added to
++ * the caps by mmc_of_parse() above.
++ */
++ if (!(host->cfg->clk_delays || host->use_new_timings)) {
++ mmc->caps &= ~(MMC_CAP_3_3V_DDR | MMC_CAP_1_8V_DDR |
++ MMC_CAP_1_2V_DDR | MMC_CAP_UHS);
++ mmc->caps2 &= ~MMC_CAP2_HS200;
++ }
++
++ /* TODO: This driver doesn't support HS400 mode yet */
++ mmc->caps2 &= ~MMC_CAP2_HS400;
++
+ ret = sunxi_mmc_init_host(host);
+ if (ret)
+ goto error_free_dma;
diff --git a/queue-4.19/perf-core-fix-impossible-ring-buffer-sizes-warning.patch b/queue-4.19/perf-core-fix-impossible-ring-buffer-sizes-warning.patch
new file mode 100644
index 00000000000..23463b27403
--- /dev/null
+++ b/queue-4.19/perf-core-fix-impossible-ring-buffer-sizes-warning.patch
@@ -0,0 +1,64 @@
+From 528871b456026e6127d95b1b2bd8e3a003dc1614 Mon Sep 17 00:00:00 2001
+From: Ingo Molnar
+Date: Wed, 13 Feb 2019 07:57:02 +0100
+Subject: perf/core: Fix impossible ring-buffer sizes warning
+
+From: Ingo Molnar
+
+commit 528871b456026e6127d95b1b2bd8e3a003dc1614 upstream.
+
+The following commit:
+
+ 9dff0aa95a32 ("perf/core: Don't WARN() for impossible ring-buffer sizes")
+
+results in perf recording failures with larger mmap areas:
+
+ root@skl:/tmp# perf record -g -a
+ failed to mmap with 12 (Cannot allocate memory)
+
+The root cause is that the following condition is buggy:
+
+ if (order_base_2(size) >= MAX_ORDER)
+ goto fail;
+
+The problem is that @size is in bytes and MAX_ORDER is in pages,
+so the right test is:
+
+ if (order_base_2(size) >= PAGE_SHIFT+MAX_ORDER)
+ goto fail;
+
+Fix it.
+
+Reported-by: "Jin, Yao"
+Bisected-by: Borislav Petkov
+Analyzed-by: Peter Zijlstra
+Cc: Julien Thierry
+Cc: Mark Rutland
+Cc: Alexander Shishkin
+Cc: Arnaldo Carvalho de Melo
+Cc: Jiri Olsa
+Cc: Linus Torvalds
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: Greg Kroah-Hartman
+Cc:
+Fixes: 9dff0aa95a32 ("perf/core: Don't WARN() for impossible ring-buffer sizes")
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/events/ring_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/events/ring_buffer.c
++++ b/kernel/events/ring_buffer.c
+@@ -724,7 +724,7 @@ struct ring_buffer *rb_alloc(int nr_page
+ size = sizeof(struct ring_buffer);
+ size += nr_pages * sizeof(void *);
+
+- if (order_base_2(size) >= MAX_ORDER)
++ if (order_base_2(size) >= PAGE_SHIFT+MAX_ORDER)
+ goto fail;
+
+ rb = kzalloc(size, GFP_KERNEL);
diff --git a/queue-4.19/perf-x86-add-check_period-pmu-callback.patch b/queue-4.19/perf-x86-add-check_period-pmu-callback.patch
new file mode 100644
index 00000000000..e23e94fd8a7
--- /dev/null
+++ b/queue-4.19/perf-x86-add-check_period-pmu-callback.patch
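Review bot: The corrected bound `if (order_base_2(size) >= PAGE_SHIFT+MAX_ORDER)` in rb_alloc() compares a byte count against a page order, and nothing in the code records that; this unit mismatch is what the previous version of the test got wrong. Since the test guards the `kzalloc(size, GFP_KERNEL)` that follows, a comment above it would keep a later edit from reintroducing the mistake, for example `/* size is in bytes, MAX_ORDER is a page order: add PAGE_SHIFT before comparing */`. Kernel style would also put spaces around the `+`. rb_alloc() begins and ends outside the hunk.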
@@ -0,0 +1,250 @@ +From 81ec3f3c4c4d78f2d3b6689c9816bfbdf7417dbb Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Mon, 4 Feb 2019 13:35:32 +0100 +Subject: perf/x86: Add check_period PMU callback + +From: Jiri Olsa + +commit 81ec3f3c4c4d78f2d3b6689c9816bfbdf7417dbb upstream. + +Vince (and later on Ravi) reported crashes in the BTS code during +fuzzing with the following backtrace: + + general protection fault: 0000 [#1] SMP PTI + ... + RIP: 0010:perf_prepare_sample+0x8f/0x510 + ... + Call Trace: + + ? intel_pmu_drain_bts_buffer+0x194/0x230 + intel_pmu_drain_bts_buffer+0x160/0x230 + ? tick_nohz_irq_exit+0x31/0x40 + ? smp_call_function_single_interrupt+0x48/0xe0 + ? call_function_single_interrupt+0xf/0x20 + ? call_function_single_interrupt+0xa/0x20 + ? x86_schedule_events+0x1a0/0x2f0 + ? x86_pmu_commit_txn+0xb4/0x100 + ? find_busiest_group+0x47/0x5d0 + ? perf_event_set_state.part.42+0x12/0x50 + ? perf_mux_hrtimer_restart+0x40/0xb0 + intel_pmu_disable_event+0xae/0x100 + ? intel_pmu_disable_event+0xae/0x100 + x86_pmu_stop+0x7a/0xb0 + x86_pmu_del+0x57/0x120 + event_sched_out.isra.101+0x83/0x180 + group_sched_out.part.103+0x57/0xe0 + ctx_sched_out+0x188/0x240 + ctx_resched+0xa8/0xd0 + __perf_event_enable+0x193/0x1e0 + event_function+0x8e/0xc0 + remote_function+0x41/0x50 + flush_smp_call_function_queue+0x68/0x100 + generic_smp_call_function_single_interrupt+0x13/0x30 + smp_call_function_single_interrupt+0x3e/0xe0 + call_function_single_interrupt+0xf/0x20 + + +The reason is that while event init code does several checks +for BTS events and prevents several unwanted config bits for +BTS event (like precise_ip), the PERF_EVENT_IOC_PERIOD allows +to create BTS event without those checks being done. 
+ +Following sequence will cause the crash: + +If we create an 'almost' BTS event with precise_ip and callchains, +and it into a BTS event it will crash the perf_prepare_sample() +function because precise_ip events are expected to come +in with callchain data initialized, but that's not the +case for intel_pmu_drain_bts_buffer() caller. + +Adding a check_period callback to be called before the period +is changed via PERF_EVENT_IOC_PERIOD. It will deny the change +if the event would become BTS. Plus adding also the limit_period +check as well. + +Reported-by: Vince Weaver +Signed-off-by: Jiri Olsa +Acked-by: Peter Zijlstra +Cc: +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Naveen N. Rao +Cc: Ravi Bangoria +Cc: Stephane Eranian +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20190204123532.GA4794@krava +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/core.c | 14 ++++++++++++++ + arch/x86/events/intel/core.c | 9 +++++++++ + arch/x86/events/perf_event.h | 16 ++++++++++++++-- + include/linux/perf_event.h | 5 +++++ + kernel/events/core.c | 16 ++++++++++++++++ + 5 files changed, 58 insertions(+), 2 deletions(-) + +--- a/arch/x86/events/core.c ++++ b/arch/x86/events/core.c +@@ -2253,6 +2253,19 @@ void perf_check_microcode(void) + x86_pmu.check_microcode(); + } + ++static int x86_pmu_check_period(struct perf_event *event, u64 value) ++{ ++ if (x86_pmu.check_period && x86_pmu.check_period(event, value)) ++ return -EINVAL; ++ ++ if (value && x86_pmu.limit_period) { ++ if (x86_pmu.limit_period(event, value) > value) ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + static struct pmu pmu = { + .pmu_enable = x86_pmu_enable, + .pmu_disable = x86_pmu_disable, +@@ -2277,6 +2290,7 @@ static struct pmu pmu = { + .event_idx = x86_pmu_event_idx, + .sched_task = x86_pmu_sched_task, + .task_ctx_size = sizeof(struct x86_perf_task_context), ++ .check_period = 
x86_pmu_check_period, + }; + + void arch_perf_update_userpage(struct perf_event *event, +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -3465,6 +3465,11 @@ static void intel_pmu_sched_task(struct + intel_pmu_lbr_sched_task(ctx, sched_in); + } + ++static int intel_pmu_check_period(struct perf_event *event, u64 value) ++{ ++ return intel_pmu_has_bts_period(event, value) ? -EINVAL : 0; ++} ++ + PMU_FORMAT_ATTR(offcore_rsp, "config1:0-63"); + + PMU_FORMAT_ATTR(ldlat, "config1:0-15"); +@@ -3545,6 +3550,8 @@ static __initconst const struct x86_pmu + .cpu_starting = intel_pmu_cpu_starting, + .cpu_dying = intel_pmu_cpu_dying, + .cpu_dead = intel_pmu_cpu_dead, ++ ++ .check_period = intel_pmu_check_period, + }; + + static struct attribute *intel_pmu_attrs[]; +@@ -3589,6 +3596,8 @@ static __initconst const struct x86_pmu + + .guest_get_msrs = intel_guest_get_msrs, + .sched_task = intel_pmu_sched_task, ++ ++ .check_period = intel_pmu_check_period, + }; + + static __init void intel_clovertown_quirk(void) +--- a/arch/x86/events/perf_event.h ++++ b/arch/x86/events/perf_event.h +@@ -644,6 +644,11 @@ struct x86_pmu { + * Intel host/guest support (KVM) + */ + struct perf_guest_switch_msr *(*guest_get_msrs)(int *nr); ++ ++ /* ++ * Check period value for PERF_EVENT_IOC_PERIOD ioctl. 
++ */ ++ int (*check_period) (struct perf_event *event, u64 period); + }; + + struct x86_perf_task_context { +@@ -855,7 +860,7 @@ static inline int amd_pmu_init(void) + + #ifdef CONFIG_CPU_SUP_INTEL + +-static inline bool intel_pmu_has_bts(struct perf_event *event) ++static inline bool intel_pmu_has_bts_period(struct perf_event *event, u64 period) + { + struct hw_perf_event *hwc = &event->hw; + unsigned int hw_event, bts_event; +@@ -866,7 +871,14 @@ static inline bool intel_pmu_has_bts(str + hw_event = hwc->config & INTEL_ARCH_EVENT_MASK; + bts_event = x86_pmu.event_map(PERF_COUNT_HW_BRANCH_INSTRUCTIONS); + +- return hw_event == bts_event && hwc->sample_period == 1; ++ return hw_event == bts_event && period == 1; ++} ++ ++static inline bool intel_pmu_has_bts(struct perf_event *event) ++{ ++ struct hw_perf_event *hwc = &event->hw; ++ ++ return intel_pmu_has_bts_period(event, hwc->sample_period); + } + + int intel_pmu_save_and_restart(struct perf_event *event); +--- a/include/linux/perf_event.h ++++ b/include/linux/perf_event.h +@@ -447,6 +447,11 @@ struct pmu { + * Filter events for PMU-specific reasons. + */ + int (*filter_match) (struct perf_event *event); /* optional */ ++ ++ /* ++ * Check period value for PERF_EVENT_IOC_PERIOD ioctl. 
++ */ ++ int (*check_period) (struct perf_event *event, u64 value); /* optional */ + }; + + enum perf_addr_filter_action_t { +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -4963,6 +4963,11 @@ static void __perf_event_period(struct p + } + } + ++static int perf_event_check_period(struct perf_event *event, u64 value) ++{ ++ return event->pmu->check_period(event, value); ++} ++ + static int perf_event_period(struct perf_event *event, u64 __user *arg) + { + u64 value; +@@ -4979,6 +4984,9 @@ static int perf_event_period(struct perf + if (event->attr.freq && value > sysctl_perf_event_sample_rate) + return -EINVAL; + ++ if (perf_event_check_period(event, value)) ++ return -EINVAL; ++ + event_function_call(event, __perf_event_period, &value); + + return 0; +@@ -9362,6 +9370,11 @@ static int perf_pmu_nop_int(struct pmu * + return 0; + } + ++static int perf_event_nop_int(struct perf_event *event, u64 value) ++{ ++ return 0; ++} ++ + static DEFINE_PER_CPU(unsigned int, nop_txn_flags); + + static void perf_pmu_start_txn(struct pmu *pmu, unsigned int flags) +@@ -9662,6 +9675,9 @@ got_cpu_context: + pmu->pmu_disable = perf_pmu_nop_void; + } + ++ if (!pmu->check_period) ++ pmu->check_period = perf_event_nop_int; ++ + if (!pmu->event_idx) + pmu->event_idx = perf_event_idx_default; + diff --git a/queue-4.19/revert-input-elan_i2c-add-acpi-id-for-touchpad-in-asus-aspire-f5-573g.patch b/queue-4.19/revert-input-elan_i2c-add-acpi-id-for-touchpad-in-asus-aspire-f5-573g.patch new file mode 100644 index 00000000000..8200f6ed6a0 --- /dev/null +++ b/queue-4.19/revert-input-elan_i2c-add-acpi-id-for-touchpad-in-asus-aspire-f5-573g.patch 
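Review bot: The new `perf_event_check_period(event, value)` call in perf_event_period() runs for frequency-mode events as well, but the callbacks treat `value` as a period. The unchanged line just above it, `if (event->attr.freq && value > sysctl_perf_event_sample_rate)`, suggests that `value` is a sample frequency when `attr.freq` is set. For such an event x86_pmu_check_period() still evaluates `x86_pmu.limit_period(event, value) > value`, so a low but valid frequency may be rejected with -EINVAL. Whether intel_pmu_has_bts_period() filters `attr.freq` first cannot be seen here, because its opening lines are outside the hunk. If the callback is meant for periods only, either guard the call with `if (!event->attr.freq && perf_event_check_period(event, value))` or extend the `struct pmu` comment to `Check period value for PERF_EVENT_IOC_PERIOD ioctl; @value is a frequency when attr.freq is set.`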
@@ -0,0 +1,34 @@
+From f420c54e4b12c1361c6ed313002ee7bd7ac58362 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Mon, 11 Feb 2019 14:32:40 -0800
+Subject: Revert "Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G"
+
+From: Dmitry Torokhov
+
+commit f420c54e4b12c1361c6ed313002ee7bd7ac58362 upstream.
+
+This reverts commit 7db54c89f0b30a101584e09d3729144e6170059d as it
+breaks Acer Aspire V-371 and other devices. According to Elan:
+
+"Acer Aspire F5-573G is MS Precision touchpad which should use hid
+ multitouch driver. ELAN0501 should not be added in elan_i2c."
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202503
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/mouse/elan_i2c_core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1336,7 +1336,6 @@ MODULE_DEVICE_TABLE(i2c, elan_id);
+ static const struct acpi_device_id elan_acpi_id[] = {
+ { "ELAN0000", 0 },
+ { "ELAN0100", 0 },
+- { "ELAN0501", 0 },
+ { "ELAN0600", 0 },
+ { "ELAN0602", 0 },
+ { "ELAN0605", 0 },
diff --git a/queue-4.19/revert-mm-don-t-reclaim-inodes-with-many-attached-pages.patch b/queue-4.19/revert-mm-don-t-reclaim-inodes-with-many-attached-pages.patch
new file mode 100644
index 00000000000..2a32fff2051
--- /dev/null
+++ b/queue-4.19/revert-mm-don-t-reclaim-inodes-with-many-attached-pages.patch
@@ -0,0 +1,57 @@ +From 69056ee6a8a3d576ed31e38b3b14c70d6c74edcc Mon Sep 17 00:00:00 2001 +From: Dave Chinner +Date: Tue, 12 Feb 2019 15:35:51 -0800 +Subject: Revert "mm: don't reclaim inodes with many attached pages" + +From: Dave Chinner + +commit 69056ee6a8a3d576ed31e38b3b14c70d6c74edcc upstream. + +This reverts commit a76cf1a474d7d ("mm: don't reclaim inodes with many +attached pages"). + +This change causes serious changes to page cache and inode cache +behaviour and balance, resulting in major performance regressions when +combining worklaods such as large file copies and kernel compiles. + + https://bugzilla.kernel.org/show_bug.cgi?id=202441 + +This change is a hack to work around the problems introduced by changing +how agressive shrinkers are on small caches in commit 172b06c32b94 ("mm: +slowly shrink slabs with a relatively small number of objects"). It +creates more problems than it solves, wasn't adequately reviewed or +tested, so it needs to be reverted. + +Link: http://lkml.kernel.org/r/20190130041707.27750-2-david@fromorbit.com +Fixes: a76cf1a474d7d ("mm: don't reclaim inodes with many attached pages") +Signed-off-by: Dave Chinner +Cc: Wolfgang Walter +Cc: Roman Gushchin +Cc: Spock +Cc: Rik van Riel +Cc: Michal Hocko +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/inode.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/fs/inode.c ++++ b/fs/inode.c +@@ -730,11 +730,8 @@ static enum lru_status inode_lru_isolate + return LRU_REMOVED; + } + +- /* +- * Recently referenced inodes and inodes with many attached pages +- * get one more pass. +- */ +- if (inode->i_state & I_REFERENCED || inode->i_data.nrpages > 1) { ++ /* recently referenced inodes get one more pass */ ++ if (inode->i_state & I_REFERENCED) { + inode->i_state &= ~I_REFERENCED; + spin_unlock(&inode->i_lock); + return LRU_ROTATE; 
diff --git a/queue-4.19/revert-mm-slowly-shrink-slabs-with-a-relatively-small-number-of-objects.patch b/queue-4.19/revert-mm-slowly-shrink-slabs-with-a-relatively-small-number-of-objects.patch
new file mode 100644
index 00000000000..3fc09394c0e
--- /dev/null
+++ b/queue-4.19/revert-mm-slowly-shrink-slabs-with-a-relatively-small-number-of-objects.patch
@@ -0,0 +1,64 @@ +From a9a238e83fbb0df31c3b9b67003f8f9d1d1b6c96 Mon Sep 17 00:00:00 2001 +From: Dave Chinner +Date: Tue, 12 Feb 2019 15:35:55 -0800 +Subject: Revert "mm: slowly shrink slabs with a relatively small number of objects" + +From: Dave Chinner + +commit a9a238e83fbb0df31c3b9b67003f8f9d1d1b6c96 upstream. + +This reverts commit 172b06c32b9497 ("mm: slowly shrink slabs with a +relatively small number of objects"). + +This change changes the agressiveness of shrinker reclaim, causing small +cache and low priority reclaim to greatly increase scanning pressure on +small caches. As a result, light memory pressure has a disproportionate +affect on small caches, and causes large caches to be reclaimed much +faster than previously. + +As a result, it greatly perturbs the delicate balance of the VFS caches +(dentry/inode vs file page cache) such that the inode/dentry caches are +reclaimed much, much faster than the page cache and this drives us into +several other caching imbalance related problems. + +As such, this is a bad change and needs to be reverted. + +[ Needs some massaging to retain the later seekless shrinker + modifications.] + +Link: http://lkml.kernel.org/r/20190130041707.27750-3-david@fromorbit.com +Fixes: 172b06c32b9497 ("mm: slowly shrink slabs with a relatively small number of objects") +Signed-off-by: Dave Chinner +Cc: Wolfgang Walter +Cc: Roman Gushchin +Cc: Spock +Cc: Rik van Riel +Cc: Michal Hocko +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/vmscan.c | 10 ---------- + 1 file changed, 10 deletions(-) + +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -477,16 +477,6 @@ static unsigned long do_shrink_slab(stru + delta *= 4; + do_div(delta, shrinker->seeks); + +- /* +- * Make sure we apply some minimal pressure on default priority +- * even on small cgroups. 
Stale objects are not only consuming memory +- * by themselves, but can also hold a reference to a dying cgroup, +- * preventing it from being reclaimed. A dying cgroup with all +- * corresponding structures like per-cpu stats and kmem caches +- * can be really big, so it may lead to a significant waste of memory. +- */ +- delta = max_t(unsigned long long, delta, min(freeable, batch_size)); +- + total_scan += delta; + if (total_scan < 0) { + pr_err("shrink_slab: %pF negative objects to delete nr=%ld\n", diff --git a/queue-4.19/revert-nfsd4-return-default-lease-period.patch b/queue-4.19/revert-nfsd4-return-default-lease-period.patch new file mode 100644 index 00000000000..cf4d9bc77d8 --- /dev/null +++ b/queue-4.19/revert-nfsd4-return-default-lease-period.patch 
@@ -0,0 +1,48 @@
+From 3bf6b57ec2ec945e5a6edf5c202a754f1e852ecd Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields"
+Date: Thu, 14 Feb 2019 12:33:19 -0500
+Subject: Revert "nfsd4: return default lease period"
+
+From: J. Bruce Fields
+
+commit 3bf6b57ec2ec945e5a6edf5c202a754f1e852ecd upstream.
+
+This reverts commit d6ebf5088f09472c1136cd506bdc27034a6763f8.
+
+I forgot that the kernel's default lease period should never be
+decreased!
+
+After a kernel upgrade, the kernel has no way of knowing on its own what
+the previous lease time was. Unless userspace tells it otherwise, it
+will assume the previous lease period was the same.
+
+So if we decrease this value in a kernel upgrade, we end up enforcing a
+grace period that's too short, and clients will fail to reclaim state in
+time. Symptoms may include EIO and log messages like "NFS:
+nfs4_reclaim_open_state: Lock reclaim failed!"
+
+There was no real justification for the lease period decrease anyway.
+
+Reported-by: Donald Buczek
+Fixes: d6ebf5088f09 "nfsd4: return default lease period"
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfsd/nfsctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1239,8 +1239,8 @@ static __net_init int nfsd_init_net(stru
+ retval = nfsd_idmap_init(net);
+ if (retval)
+ goto out_idmap_error;
+- nn->nfsd4_lease = 45; /* default lease time */
+- nn->nfsd4_grace = 45;
++ nn->nfsd4_lease = 90; /* default lease time */
++ nn->nfsd4_grace = 90;
+ nn->somebody_reclaimed = false;
+ nn->clverifier_counter = prandom_u32();
+ nn->clientid_counter = prandom_u32();
diff --git a/queue-4.19/riscv-add-pte-bit-to-distinguish-swap-from-invalid.patch b/queue-4.19/riscv-add-pte-bit-to-distinguish-swap-from-invalid.patch
new file mode 100644
index 00000000000..66fcdb16027
--- /dev/null
+++ b/queue-4.19/riscv-add-pte-bit-to-distinguish-swap-from-invalid.patch
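Review bot: The restored defaults `nn->nfsd4_lease = 90;` and `nn->nfsd4_grace = 90;` in nfsd_init_net() carry no trace of the constraint that forced this revert, so the same reduction could be proposed again. The commit message explains that lowering the default after an upgrade enforces a grace period that is too short and clients fail to reclaim state, but the code comment still says only `/* default lease time */`. I would widen it to `/* default lease time; must never be lowered, or the grace period after an upgrade is too short for clients to reclaim state */`. Using one named constant for both assignments would also keep the two values from drifting apart. nfsd_init_net() continues outside the hunk.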
@@ -0,0 +1,82 @@ +From e3613bb8afc2a9474c9214d65c8326c5ac02135e Mon Sep 17 00:00:00 2001 +From: Stefan O'Rear +Date: Sun, 16 Dec 2018 13:03:36 -0500 +Subject: riscv: Add pte bit to distinguish swap from invalid + +From: Stefan O'Rear + +commit e3613bb8afc2a9474c9214d65c8326c5ac02135e upstream. + +Previously, invalid PTEs and swap PTEs had the same binary +representation, causing errors when attempting to unmap PROT_NONE +mappings, including implicit unmap on exit. + +Typical error: + +swap_info_get: Bad swap file entry 40000000007a9879 +BUG: Bad page map in process a.out pte:3d4c3cc0 pmd:3e521401 + +Cc: stable@vger.kernel.org +Signed-off-by: Stefan O'Rear +Reviewed-by: Christoph Hellwig +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/riscv/include/asm/pgtable-bits.h | 6 ++++++ + arch/riscv/include/asm/pgtable.h | 8 ++++---- + 2 files changed, 10 insertions(+), 4 deletions(-) + +--- a/arch/riscv/include/asm/pgtable-bits.h ++++ b/arch/riscv/include/asm/pgtable-bits.h +@@ -35,6 +35,12 @@ + #define _PAGE_SPECIAL _PAGE_SOFT + #define _PAGE_TABLE _PAGE_PRESENT + ++/* ++ * _PAGE_PROT_NONE is set on not-present pages (and ignored by the hardware) to ++ * distinguish them from swapped out pages ++ */ ++#define _PAGE_PROT_NONE _PAGE_READ ++ + #define _PAGE_PFN_SHIFT 10 + + /* Set of bits to preserve across pte_modify() */ +--- a/arch/riscv/include/asm/pgtable.h ++++ b/arch/riscv/include/asm/pgtable.h +@@ -44,7 +44,7 @@ + /* Page protection bits */ + #define _PAGE_BASE (_PAGE_PRESENT | _PAGE_ACCESSED | _PAGE_USER) + +-#define PAGE_NONE __pgprot(0) ++#define PAGE_NONE __pgprot(_PAGE_PROT_NONE) + #define PAGE_READ __pgprot(_PAGE_BASE | _PAGE_READ) + #define PAGE_WRITE __pgprot(_PAGE_BASE | _PAGE_READ | _PAGE_WRITE) + #define PAGE_EXEC __pgprot(_PAGE_BASE | _PAGE_EXEC) +@@ -98,7 +98,7 @@ extern unsigned long empty_zero_page[PAG + + static inline int pmd_present(pmd_t pmd) + { +- return (pmd_val(pmd) & _PAGE_PRESENT); ++ return (pmd_val(pmd) & 
(_PAGE_PRESENT | _PAGE_PROT_NONE)); + } + + static inline int pmd_none(pmd_t pmd) +@@ -178,7 +178,7 @@ static inline pte_t *pte_offset_kernel(p + + static inline int pte_present(pte_t pte) + { +- return (pte_val(pte) & _PAGE_PRESENT); ++ return (pte_val(pte) & (_PAGE_PRESENT | _PAGE_PROT_NONE)); + } + + static inline int pte_none(pte_t pte) +@@ -380,7 +380,7 @@ static inline int ptep_clear_flush_young + * + * Format of swap PTE: + * bit 0: _PAGE_PRESENT (zero) +- * bit 1: reserved for future use (zero) ++ * bit 1: _PAGE_PROT_NONE (zero) + * bits 2 to 6: swap type + * bits 7 to XLEN-1: swap offset + */ diff --git a/queue-4.19/s390-zcrypt-fix-specification-exception-on-z196-during-ap-probe.patch b/queue-4.19/s390-zcrypt-fix-specification-exception-on-z196-during-ap-probe.patch new file mode 100644 index 00000000000..167250b1175 --- /dev/null +++ b/queue-4.19/s390-zcrypt-fix-specification-exception-on-z196-during-ap-probe.patch 
@@ -0,0 +1,48 @@
+From 8f9aca0c45322a807a343fc32f95f2500f83b9ae Mon Sep 17 00:00:00 2001
+From: Harald Freudenberger
+Date: Wed, 23 Jan 2019 13:41:35 +0100
+Subject: s390/zcrypt: fix specification exception on z196 during ap probe
+
+From: Harald Freudenberger
+
+commit 8f9aca0c45322a807a343fc32f95f2500f83b9ae upstream.
+
+The older machines don't have the QCI instruction available.
+With support for up to 256 crypto cards the probing of each
+card has been extended to check card ids from 0 up to 255.
+For machines with QCI support there is a filter limiting the
+range of probed cards. The older machines (z196 and older)
+don't have this filter and so since support for 256 cards is
+in the driver all cards are probed. However, these machines
+also require to have the card id fit into 6 bits. Exceeding
+this limit results in a specification exception which happens
+on every kernel startup even when there is no crypto configured
+and used at all.
+
+This fix limits the range of probed crypto cards to 64 if
+there is no QCI instruction available to obey to the older
+ap architecture and so fixes the specification exceptions
+on z196 machines.
+
+Cc: stable@vger.kernel.org # v4.17+
+Fixes: af4a72276d49 ("s390/zcrypt: Support up to 256 crypto adapters.")
+Signed-off-by: Harald Freudenberger
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/s390/crypto/ap_bus.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/s390/crypto/ap_bus.c
++++ b/drivers/s390/crypto/ap_bus.c
+@@ -249,7 +249,8 @@ static inline int ap_test_config(unsigne
+ static inline int ap_test_config_card_id(unsigned int id)
+ {
+ if (!ap_configuration) /* QCI not supported */
+- return 1;
++ /* only ids 0...3F may be probed */
++ return id < 0x40 ? 1 : 0;
+ return ap_test_config(ap_configuration->apm, id);
+ }
+
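Review bot: In ap_test_config_card_id() the unbraced `if (!ap_configuration)` now has a comment line between the condition and its statement, so it is easy to misread which of the two `return`s belongs to the branch. Bracing the branch and folding the two comments together removes the ambiguity: `if (!ap_configuration) { /* QCI not supported: only ids 0...3F may be probed */ return id < 0x40; }`. The comparison already yields 0 or 1, so the `? 1 : 0` can go. The bare `0x40` would read better as a named constant tied to the 6-bit card id limit that the commit message describes.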
diff --git a/queue-4.19/scsi-sd-fix-entropy-gathering-for-most-rotational-disks.patch b/queue-4.19/scsi-sd-fix-entropy-gathering-for-most-rotational-disks.patch
new file mode 100644
index 00000000000..13b0c1c45ce
--- /dev/null
+++ b/queue-4.19/scsi-sd-fix-entropy-gathering-for-most-rotational-disks.patch
@@ -0,0 +1,69 @@ +From e4a056987c86f402f1286e050b1dee3f4ce7c7eb Mon Sep 17 00:00:00 2001 +From: James Bottomley +Date: Tue, 12 Feb 2019 08:05:25 -0800 +Subject: scsi: sd: fix entropy gathering for most rotational disks + +From: James Bottomley + +commit e4a056987c86f402f1286e050b1dee3f4ce7c7eb upstream. + +The problem is that the default for MQ is not to gather entropy, whereas +the default for the legacy queue was always to gather it. The original +attempt to fix entropy gathering for rotational disks under MQ added an +else branch in sd_read_block_characteristics(). Unfortunately, the entire +check isn't reached if the device has no characteristics VPD page. Since +this page was only introduced in SBC-3 and its optional anyway, most less +expensive rotational disks don't have one, meaning they all stopped +gathering entropy when we made MQ the default. In a wholly unrelated +change, openssl and openssh won't function until the random number +generator is initialised, meaning lots of people have been seeing large +delays before they could log into systems with default MQ kernels due to +this lack of entropy, because it now can take tens of minutes to initialise +the kernel random number generator. + +The fix is to set the non-rotational and add-randomness flags +unconditionally early on in the disk initialization path, so they can be +reset only if the device actually reports being non-rotational via the VPD +page. + +Reported-by: Mikael Pettersson +Fixes: 83e32a591077 ("scsi: sd: Contribute to randomness when running rotational device") +Cc: stable@vger.kernel.org +Signed-off-by: James Bottomley +Reviewed-by: Jens Axboe +Reviewed-by: Xuewei Zhang +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sd.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -2970,9 +2970,6 @@ static void sd_read_block_characteristic + if (rot == 1) { + blk_queue_flag_set(QUEUE_FLAG_NONROT, q); + blk_queue_flag_clear(QUEUE_FLAG_ADD_RANDOM, q); +- } else { +- blk_queue_flag_clear(QUEUE_FLAG_NONROT, q); +- blk_queue_flag_set(QUEUE_FLAG_ADD_RANDOM, q); + } + + if (sdkp->device->type == TYPE_ZBC) { +@@ -3109,6 +3106,15 @@ static int sd_revalidate_disk(struct gen + if (sdkp->media_present) { + sd_read_capacity(sdkp, buffer); + ++ /* ++ * set the default to rotational. All non-rotational devices ++ * support the block characteristics VPD page, which will ++ * cause this to be updated correctly and any device which ++ * doesn't support it should be treated as rotational. ++ */ ++ blk_queue_flag_clear(QUEUE_FLAG_NONROT, q); ++ blk_queue_flag_set(QUEUE_FLAG_ADD_RANDOM, q); ++ + if (scsi_device_supports_vpd(sdp)) { + sd_read_block_provisioning(sdkp); + sd_read_block_limits(sdkp); diff --git a/queue-4.19/series b/queue-4.19/series index a56f4366966..6d8428eb21f 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
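Review bot: The comment added in sd_revalidate_disk() states as fact that all non-rotational devices support the block characteristics VPD page, which the code cannot verify. QUEUE_FLAG_ADD_RANDOM is now set for every device with media and is cleared only when sd_read_block_characteristics() sees `rot == 1`. The VPD reads appear to sit under `if (scsi_device_supports_vpd(sdp))`, so a non-rotational or virtual device that lacks the page, or fails that check, keeps contributing its I/O timing to the random pool as if it were a spinning disk. I would word the comment as an assumption, for example `* Assumes non-rotational devices report themselves through the block characteristics VPD page; anything that does not is treated as rotational and feeds add-randomness.` Both functions extend beyond their hunks.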
@@ -48,3 +48,38 @@ cifs-limit-memory-used-by-lock-request-calls-to-a-pa.patch
 kvm-sev-fail-kvm_sev_init-if-already-initialized.patch
 cifs-do-not-assume-one-credit-for-async-responses.patch
 gpio-mxc-move-gpio-noirq-suspend-resume-to-syscore-p.patch
+revert-input-elan_i2c-add-acpi-id-for-touchpad-in-asus-aspire-f5-573g.patch
+input-elan_i2c-add-acpi-id-for-touchpad-in-lenovo-v330-15isk.patch
+arm-omap5-fix-inverted-nirq-pin-interrupts-with-irq_set_type.patch
+perf-core-fix-impossible-ring-buffer-sizes-warning.patch
+perf-x86-add-check_period-pmu-callback.patch
+alsa-hda-add-quirk-for-hp-elitebook-840-g5.patch
+alsa-usb-audio-fix-implicit-fb-endpoint-setup-by-quirk.patch
+asoc-hdmi-codec-fix-oops-on-re-probe.patch
+tools-uapi-fix-alpha-support.patch
+riscv-add-pte-bit-to-distinguish-swap-from-invalid.patch
+x86-kvm-nvmx-read-from-msr_ia32_vmx_procbased_ctls2-only-when-it-is-available.patch
+kvm-vmx-fix-entry-number-check-for-add_atomic_switch_msr.patch
+mmc-sunxi-filter-out-unsupported-modes-declared-in-the-device-tree.patch
+mmc-block-handle-complete_work-on-separate-workqueue.patch
+input-bma150-register-input-device-after-setting-private-data.patch
+input-elantech-enable-3rd-button-support-on-fujitsu-celsius-h780.patch
+revert-nfsd4-return-default-lease-period.patch
+revert-mm-don-t-reclaim-inodes-with-many-attached-pages.patch
+revert-mm-slowly-shrink-slabs-with-a-relatively-small-number-of-objects.patch
+alpha-fix-page-fault-handling-for-r16-r18-targets.patch
+alpha-fix-eiger-nr_irqs-to-128.patch
+s390-zcrypt-fix-specification-exception-on-z196-during-ap-probe.patch
+tracing-uprobes-fix-output-for-multiple-string-arguments.patch
+x86-platform-uv-use-efi_runtime_lock-to-serialise-bios-calls.patch
+scsi-sd-fix-entropy-gathering-for-most-rotational-disks.patch
+signal-restore-the-stop-ptrace_event_exit.patch
+md-raid1-don-t-clear-bitmap-bits-on-interrupted-recovery.patch
+x86-a.out-clear-the-dump-structure-initially.patch
+dm-crypt-don-t-overallocate-the-integrity-tag-space.patch
+dm-thin-fix-bug-where-bio-that-overwrites-thin-block-ignores-fua.patch
+drm-use-array_size-when-creating-lease.patch
+drm-vkms-fix-license-inconsistent.patch
+drm-i915-block-fbdev-hpd-processing-during-suspend.patch
+drm-i915-prevent-a-race-during-i915_gem_mmap-ioctl-with-wc-set.patch
+mm-proc-smaps_rollup-fix-pss_locked-calculation.patch
diff --git a/queue-4.19/signal-restore-the-stop-ptrace_event_exit.patch b/queue-4.19/signal-restore-the-stop-ptrace_event_exit.patch
new file mode 100644
index 00000000000..2fbee64ed1e
--- /dev/null
+++ b/queue-4.19/signal-restore-the-stop-ptrace_event_exit.patch
@@ -0,0 +1,58 @@ +From cf43a757fd49442bc38f76088b70c2299eed2c2f Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Mon, 11 Feb 2019 23:27:42 -0600 +Subject: signal: Restore the stop PTRACE_EVENT_EXIT + +From: Eric W. Biederman + +commit cf43a757fd49442bc38f76088b70c2299eed2c2f upstream. + +In the middle of do_exit() there is there is a call +"ptrace_event(PTRACE_EVENT_EXIT, code);" That call places the process +in TACKED_TRACED aka "(TASK_WAKEKILL | __TASK_TRACED)" and waits for +for the debugger to release the task or SIGKILL to be delivered. + +Skipping past dequeue_signal when we know a fatal signal has already +been delivered resulted in SIGKILL remaining pending and +TIF_SIGPENDING remaining set. This in turn caused the +scheduler to not sleep in PTACE_EVENT_EXIT as it figured +a fatal signal was pending. This also caused ptrace_freeze_traced +in ptrace_check_attach to fail because it left a per thread +SIGKILL pending which is what fatal_signal_pending tests for. + +This difference in signal state caused strace to report +strace: Exit of unknown pid NNNNN ignored + +Therefore update the signal handling state like dequeue_signal +would when removing a per thread SIGKILL, by removing SIGKILL +from the per thread signal mask and clearing TIF_SIGPENDING. + +Acked-by: Oleg Nesterov +Reported-by: Oleg Nesterov +Reported-by: Ivan Delalande +Cc: stable@vger.kernel.org +Fixes: 35634ffa1751 ("signal: Always notice exiting tasks") +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/signal.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -2433,9 +2433,12 @@ relock: + } + + /* Has this task already been marked for death? 
*/ +- ksig->info.si_signo = signr = SIGKILL; +- if (signal_group_exit(signal)) ++ if (signal_group_exit(signal)) { ++ ksig->info.si_signo = signr = SIGKILL; ++ sigdelset(¤t->pending.signal, SIGKILL); ++ recalc_sigpending(); + goto fatal; ++ } + + for (;;) { + struct k_sigaction *ka; diff --git a/queue-4.19/tools-uapi-fix-alpha-support.patch b/queue-4.19/tools-uapi-fix-alpha-support.patch new file mode 100644 index 00000000000..f52121de0b7 --- /dev/null +++ b/queue-4.19/tools-uapi-fix-alpha-support.patch @@ -0,0 +1,29 @@ +From 842fc0f5dc5c9f9bd91f891554996d903c40cf35 Mon Sep 17 00:00:00 2001 +From: Bob Tracy +Date: Mon, 21 Jan 2019 21:09:14 -0800 +Subject: tools uapi: fix Alpha support + +From: Bob Tracy + +commit 842fc0f5dc5c9f9bd91f891554996d903c40cf35 upstream. + +Cc: stable@vger.kernel.org # v4.18+ +Signed-off-by: Bob Tracy +Signed-off-by: Matt Turner +Signed-off-by: Greg Kroah-Hartman + +--- + tools/include/uapi/asm/bitsperlong.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/tools/include/uapi/asm/bitsperlong.h ++++ b/tools/include/uapi/asm/bitsperlong.h +@@ -15,6 +15,8 @@ + #include "../../arch/ia64/include/uapi/asm/bitsperlong.h" + #elif defined(__riscv) + #include "../../arch/riscv/include/uapi/asm/bitsperlong.h" ++#elif defined(__alpha__) ++#include "../../arch/alpha/include/uapi/asm/bitsperlong.h" + #else + #include + #endif diff --git a/queue-4.19/tracing-uprobes-fix-output-for-multiple-string-arguments.patch b/queue-4.19/tracing-uprobes-fix-output-for-multiple-string-arguments.patch new file mode 100644 index 00000000000..8e4f78ac57b --- /dev/null +++ b/queue-4.19/tracing-uprobes-fix-output-for-multiple-string-arguments.patch 
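Review bot: In the kernel/signal.c hunk, the new branch removes SIGKILL from the per-thread pending set and calls `recalc_sigpending()` with no comment saying why, and the surviving comment "Has this task already been marked for death?" does not cover it. The reason is given only in the commit message: a SIGKILL left pending keeps the task from sleeping in the PTRACE_EVENT_EXIT stop. A short comment inside the branch would keep that next to the code, e.g. `/* Clear the per-thread SIGKILL as dequeue_signal() would, so the PTRACE_EVENT_EXIT stop in do_exit() can sleep */`. On this page the `sigdelset()` argument renders as `¤t->pending.signal`, which looks like an extraction artefact of `&current->pending.signal`. The enclosing function starts and ends outside the hunk.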
@@ -0,0 +1,79 @@ +From 0722069a5374b904ec1a67f91249f90e1cfae259 Mon Sep 17 00:00:00 2001 +From: Andreas Ziegler +Date: Wed, 16 Jan 2019 15:16:29 +0100 +Subject: tracing/uprobes: Fix output for multiple string arguments + +From: Andreas Ziegler + +commit 0722069a5374b904ec1a67f91249f90e1cfae259 upstream. + +When printing multiple uprobe arguments as strings the output for the +earlier arguments would also include all later string arguments. + +This is best explained in an example: + +Consider adding a uprobe to a function receiving two strings as +parameters which is at offset 0xa0 in strlib.so and we want to print +both parameters when the uprobe is hit (on x86_64): + +$ echo 'p:func /lib/strlib.so:0xa0 +0(%di):string +0(%si):string' > \ + /sys/kernel/debug/tracing/uprobe_events + +When the function is called as func("foo", "bar") and we hit the probe, +the trace file shows a line like the following: + + [...] func: (0x7f7e683706a0) arg1="foobar" arg2="bar" + +Note the extra "bar" printed as part of arg1. This behaviour stacks up +for additional string arguments. + +The strings are stored in a dynamically growing part of the uprobe +buffer by fetch_store_string() after copying them from userspace via +strncpy_from_user(). The return value of strncpy_from_user() is then +directly used as the required size for the string. However, this does +not take the terminating null byte into account as the documentation +for strncpy_from_user() cleary states that it "[...] returns the +length of the string (not including the trailing NUL)" even though the +null byte will be copied to the destination. + +Therefore, subsequent calls to fetch_store_string() will overwrite +the terminating null byte of the most recently fetched string with +the first character of the current string, leading to the +"accumulation" of strings in earlier arguments in the output. + +Fix this by incrementing the return value of strncpy_from_user() by +one if we did not hit the maximum buffer size. 
+ +Link: http://lkml.kernel.org/r/20190116141629.5752-1-andreas.ziegler@fau.de + +Cc: Ingo Molnar +Cc: stable@vger.kernel.org +Fixes: 5baaa59ef09e ("tracing/probes: Implement 'memory' fetch method for uprobes") +Acked-by: Masami Hiramatsu +Signed-off-by: Andreas Ziegler +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Masami Hiramatsu +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_uprobe.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -141,7 +141,14 @@ static void FETCH_FUNC_NAME(memory, stri + + ret = strncpy_from_user(dst, src, maxlen); + if (ret == maxlen) +- dst[--ret] = '\0'; ++ dst[ret - 1] = '\0'; ++ else if (ret >= 0) ++ /* ++ * Include the terminating null byte. In this case it ++ * was copied by strncpy_from_user but not accounted ++ * for in ret. ++ */ ++ ret++; + + if (ret < 0) { /* Failed to fetch string */ + ((u8 *)get_rloc_data(dest))[0] = '\0'; diff --git a/queue-4.19/x86-a.out-clear-the-dump-structure-initially.patch b/queue-4.19/x86-a.out-clear-the-dump-structure-initially.patch new file mode 100644 index 00000000000..21f85234d62 --- /dev/null +++ b/queue-4.19/x86-a.out-clear-the-dump-structure-initially.patch 
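Review bot: In the kernel/trace/trace_uprobe.c hunk, the store `dst[ret - 1] = '\0';` on the `ret == maxlen` path is only in bounds when `maxlen` is non-zero, and no guard on `maxlen` is visible in the hunk. If this point can be reached with a zero-length slot, `ret` and `maxlen` would presumably both be 0 and the store would land one byte before `dst`, so confirm that the part of the function above the hunk returns early in that case. Separately, the `else if (ret >= 0)` branch now holds a multi-line comment plus `ret++;` without braces. Writing it as `else if (ret >= 0) {` … `ret++;` … `}` would make the extent of the branch obvious.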
@@ -0,0 +1,59 @@
+From 10970e1b4be9c74fce8ab6e3c34a7d718f063f2c Mon Sep 17 00:00:00 2001
+From: Borislav Petkov
+Date: Tue, 12 Feb 2019 14:28:03 +0100
+Subject: x86/a.out: Clear the dump structure initially
+
+From: Borislav Petkov
+
+commit 10970e1b4be9c74fce8ab6e3c34a7d718f063f2c upstream.
+
+dump_thread32() in aout_core_dump() does not clear the user32 structure
+allocated on the stack as the first thing on function entry.
+
+As a result, the dump.u_comm, dump.u_ar0 and dump.signal which get
+assigned before the clearing, get overwritten.
+
+Rename that function to fill_dump() to make it clear what it does and
+call it first thing.
+
+This was caught while staring at a patch by Derek Robson
+.
+
+Signed-off-by: Borislav Petkov
+Cc: Derek Robson
+Cc: Linus Torvalds
+Cc: Michael Matz
+Cc: x86@kernel.org
+Cc:
+Link: https://lkml.kernel.org/r/20190202005512.3144-1-robsonde@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/ia32/ia32_aout.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/ia32/ia32_aout.c
++++ b/arch/x86/ia32/ia32_aout.c
+@@ -51,7 +51,7 @@ static unsigned long get_dr(int n)
+ /*
+ * fill in the user structure for a core dump..
+ */
+-static void dump_thread32(struct pt_regs *regs, struct user32 *dump)
++static void fill_dump(struct pt_regs *regs, struct user32 *dump)
+ {
+ u32 fs, gs;
+ memset(dump, 0, sizeof(*dump));
+@@ -157,10 +157,12 @@ static int aout_core_dump(struct coredum
+ fs = get_fs();
+ set_fs(KERNEL_DS);
+ has_dumped = 1;
++
++ fill_dump(cprm->regs, &dump);
++
+ strncpy(dump.u_comm, current->comm, sizeof(current->comm));
+ dump.u_ar0 = offsetof(struct user32, regs);
+ dump.signal = cprm->siginfo->si_signo;
+- dump_thread32(cprm->regs, &dump);
+
+ /*
+ * If the size of the dump file exceeds the rlimit, then see
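Review bot: In the `aout_core_dump()` hunk of arch/x86/ia32/ia32_aout.c, the `strncpy()` that now runs after `fill_dump()` is bounded by `sizeof(current->comm)`, the size of the source, not by the size of the destination `dump.u_comm`. The copy stays in bounds only while `u_comm` is at least as large as `comm`, and neither size is visible in the hunk. Bounding by the destination states the invariant directly: `strncpy(dump.u_comm, current->comm, sizeof(dump.u_comm));`. Both functions continue outside their hunks.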
diff --git a/queue-4.19/x86-kvm-nvmx-read-from-msr_ia32_vmx_procbased_ctls2-only-when-it-is-available.patch b/queue-4.19/x86-kvm-nvmx-read-from-msr_ia32_vmx_procbased_ctls2-only-when-it-is-available.patch
new file mode 100644
index 00000000000..87d5e5b18d8
--- /dev/null
+++ b/queue-4.19/x86-kvm-nvmx-read-from-msr_ia32_vmx_procbased_ctls2-only-when-it-is-available.patch
@@ -0,0 +1,43 @@
+From 6b1971c694975e49af302229202c0043568b1791 Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov
+Date: Thu, 7 Feb 2019 11:42:14 +0100
+Subject: x86/kvm/nVMX: read from MSR_IA32_VMX_PROCBASED_CTLS2 only when it is available
+
+From: Vitaly Kuznetsov
+
+commit 6b1971c694975e49af302229202c0043568b1791 upstream.
+
+SDM says MSR_IA32_VMX_PROCBASED_CTLS2 is only available "If
+(CPUID.01H:ECX.[5] && IA32_VMX_PROCBASED_CTLS[63])". It was found that
+some old cpus (namely "Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (family: 0x6,
+model: 0xf, stepping: 0x6") don't have it. Add the missing check.
+
+Reported-by: Zdenek Kaspar
+Tested-by: Zdenek Kaspar
+Signed-off-by: Vitaly Kuznetsov
+Reviewed-by: Jim Mattson
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/vmx.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -3601,9 +3601,11 @@ static void nested_vmx_setup_ctls_msrs(s
+ * secondary cpu-based controls. Do not include those that
+ * depend on CPUID bits, they are added later by vmx_cpuid_update.
+ */
+- rdmsr(MSR_IA32_VMX_PROCBASED_CTLS2,
+- msrs->secondary_ctls_low,
+- msrs->secondary_ctls_high);
++ if (msrs->procbased_ctls_high & CPU_BASED_ACTIVATE_SECONDARY_CONTROLS)
++ rdmsr(MSR_IA32_VMX_PROCBASED_CTLS2,
++ msrs->secondary_ctls_low,
++ msrs->secondary_ctls_high);
++
+ msrs->secondary_ctls_low = 0;
+ msrs->secondary_ctls_high &=
+ SECONDARY_EXEC_DESC |
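Review bot: In the arch/x86/kvm/vmx.c hunk, when `CPU_BASED_ACTIVATE_SECONDARY_CONTROLS` is not set the `rdmsr()` is skipped, but `msrs->secondary_ctls_high` is still masked with `&=` on the lines that follow, so it keeps whatever value it held before. That is only correct if the `msrs` structure is zeroed before this function runs, which the hunk does not show; otherwise stale bits could be reported as supported secondary controls. An explicit `else msrs->secondary_ctls_high = 0;` would make the result independent of the caller. Because the `if` body is a three-line `rdmsr()` call, braces around it would also help. The function body continues outside the hunk.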
diff --git a/queue-4.19/x86-platform-uv-use-efi_runtime_lock-to-serialise-bios-calls.patch b/queue-4.19/x86-platform-uv-use-efi_runtime_lock-to-serialise-bios-calls.patch
new file mode 100644
index 00000000000..e65e8783486
--- /dev/null
+++ b/queue-4.19/x86-platform-uv-use-efi_runtime_lock-to-serialise-bios-calls.patch
@@ -0,0 +1,126 @@ +From f331e766c4be33f4338574f3c9f7f77e98ab4571 Mon Sep 17 00:00:00 2001 +From: Hedi Berriche +Date: Wed, 13 Feb 2019 19:34:13 +0000 +Subject: x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls + +From: Hedi Berriche + +commit f331e766c4be33f4338574f3c9f7f77e98ab4571 upstream. + +Calls into UV firmware must be protected against concurrency, expose the +efi_runtime_lock to the UV platform, and use it to serialise UV BIOS +calls. + +Signed-off-by: Hedi Berriche +Signed-off-by: Borislav Petkov +Reviewed-by: Ard Biesheuvel +Reviewed-by: Russ Anderson +Reviewed-by: Dimitri Sivanich +Reviewed-by: Mike Travis +Cc: Andy Shevchenko +Cc: Bhupesh Sharma +Cc: Darren Hart +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: linux-efi +Cc: platform-driver-x86@vger.kernel.org +Cc: stable@vger.kernel.org # v4.9+ +Cc: Steve Wahl +Cc: Thomas Gleixner +Cc: x86-ml +Link: https://lkml.kernel.org/r/20190213193413.25560-5-hedi.berriche@hpe.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/uv/bios.h | 8 +++++++- + arch/x86/platform/uv/bios_uv.c | 23 +++++++++++++++++++++-- + drivers/firmware/efi/runtime-wrappers.c | 7 +++++++ + 3 files changed, 35 insertions(+), 3 deletions(-) + +--- a/arch/x86/include/asm/uv/bios.h ++++ b/arch/x86/include/asm/uv/bios.h +@@ -48,7 +48,8 @@ enum { + BIOS_STATUS_SUCCESS = 0, + BIOS_STATUS_UNIMPLEMENTED = -ENOSYS, + BIOS_STATUS_EINVAL = -EINVAL, +- BIOS_STATUS_UNAVAIL = -EBUSY ++ BIOS_STATUS_UNAVAIL = -EBUSY, ++ BIOS_STATUS_ABORT = -EINTR, + }; + + /* Address map parameters */ +@@ -167,4 +168,9 @@ extern long system_serial_number; + + extern struct kobject *sgi_uv_kobj; /* /sys/firmware/sgi_uv */ + ++/* ++ * EFI runtime lock; cf. 
firmware/efi/runtime-wrappers.c for details ++ */ ++extern struct semaphore __efi_uv_runtime_lock; ++ + #endif /* _ASM_X86_UV_BIOS_H */ +--- a/arch/x86/platform/uv/bios_uv.c ++++ b/arch/x86/platform/uv/bios_uv.c +@@ -29,7 +29,8 @@ + + struct uv_systab *uv_systab; + +-s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5) ++static s64 __uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, ++ u64 a4, u64 a5) + { + struct uv_systab *tab = uv_systab; + s64 ret; +@@ -51,6 +52,19 @@ s64 uv_bios_call(enum uv_bios_cmd which, + + return ret; + } ++ ++s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5) ++{ ++ s64 ret; ++ ++ if (down_interruptible(&__efi_uv_runtime_lock)) ++ return BIOS_STATUS_ABORT; ++ ++ ret = __uv_bios_call(which, a1, a2, a3, a4, a5); ++ up(&__efi_uv_runtime_lock); ++ ++ return ret; ++} + EXPORT_SYMBOL_GPL(uv_bios_call); + + s64 uv_bios_call_irqsave(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, +@@ -59,10 +73,15 @@ s64 uv_bios_call_irqsave(enum uv_bios_cm + unsigned long bios_flags; + s64 ret; + ++ if (down_interruptible(&__efi_uv_runtime_lock)) ++ return BIOS_STATUS_ABORT; ++ + local_irq_save(bios_flags); +- ret = uv_bios_call(which, a1, a2, a3, a4, a5); ++ ret = __uv_bios_call(which, a1, a2, a3, a4, a5); + local_irq_restore(bios_flags); + ++ up(&__efi_uv_runtime_lock); ++ + return ret; + } + +--- a/drivers/firmware/efi/runtime-wrappers.c ++++ b/drivers/firmware/efi/runtime-wrappers.c +@@ -173,6 +173,13 @@ void efi_call_virt_check_flags(unsigned + static DEFINE_SEMAPHORE(efi_runtime_lock); + + /* ++ * Expose the EFI runtime lock to the UV platform ++ */ ++#ifdef CONFIG_X86_UV ++extern struct semaphore __efi_uv_runtime_lock __alias(efi_runtime_lock); ++#endif ++ ++/* + * Calls the appropriate efi_runtime_service() with the appropriate + * arguments. + *
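Review bot: In arch/x86/platform/uv/bios_uv.c, `uv_bios_call()` and `uv_bios_call_irqsave()` now take `__efi_uv_runtime_lock` with `down_interruptible()`, which can sleep and can fail, and neither function documents the new contract. Callers are not visible here: any that run in atomic context would now be able to sleep, and any that only test for the earlier status values will not recognise `BIOS_STATUS_ABORT` (`-EINTR`) when the wait is interrupted. I would add a comment above both functions, e.g. `/* May sleep; returns BIOS_STATUS_ABORT if interrupted while waiting for the EFI runtime lock */`. Callers should also be checked to confirm they treat that status as "firmware was not called".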