From: Sasha Levin Date: Thu, 13 Dec 2018 15:21:13 +0000 (-0500) Subject: patches for 4.19 X-Git-Tag: v4.19.10~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=63df2a2f99323d61b21aa958a34fd3f711645315;p=thirdparty%2Fkernel%2Fstable-queue.git patches for 4.19 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.19/acpi-iort-fix-iort_get_platform_device_domain-uninit.patch b/queue-4.19/acpi-iort-fix-iort_get_platform_device_domain-uninit.patch
new file mode 100644
index 00000000000..978b43a78b8
--- /dev/null
+++ b/queue-4.19/acpi-iort-fix-iort_get_platform_device_domain-uninit.patch
@@ -0,0 +1,54 @@
+From eb33c358a1aab43a70edad48d37279c9a3a24f8b Mon Sep 17 00:00:00 2001
+From: Lorenzo Pieralisi
+Date: Thu, 29 Nov 2018 09:55:59 +0000
+Subject: ACPI/IORT: Fix iort_get_platform_device_domain() uninitialized
+ pointer value
+
+[ Upstream commit ea2412dc21cc790335d319181dddc43682aef164 ]
+
+Running the Clang static analyzer on IORT code detected the following
+error:
+
+Logic error: Branch condition evaluates to a garbage value
+
+in
+
+iort_get_platform_device_domain()
+
+If the named component associated with a given device has no IORT
+mappings, iort_get_platform_device_domain() exits its MSI mapping loop
+with msi_parent pointer containing garbage, which can lead to erroneous
+code path execution.
+
+Initialize the msi_parent pointer, fixing the bug.
+
+Fixes: d4f54a186667 ("ACPI: platform: setup MSI domain for ACPI based
+platform device")
+Reported-by: Patrick Bellasi
+Reviewed-by: Hanjun Guo
+Acked-by: Will Deacon
+Cc: Sudeep Holla
+Cc: "Rafael J. Wysocki"
+Signed-off-by: Lorenzo Pieralisi
+Signed-off-by: Catalin Marinas
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/arm64/iort.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c
+index 08f26db2da7e..e938576e58cb 100644
+--- a/drivers/acpi/arm64/iort.c
++++ b/drivers/acpi/arm64/iort.c
+@@ -700,7 +700,7 @@ static void iort_set_device_domain(struct device *dev,
+ */
+ static struct irq_domain *iort_get_platform_device_domain(struct device *dev)
+ {
+- struct acpi_iort_node *node, *msi_parent;
++ struct acpi_iort_node *node, *msi_parent = NULL;
+ struct fwnode_handle *iort_fwnode;
+ struct acpi_iort_its_group *its;
+ int i;
+--
+2.19.1
+
diff --git a/queue-4.19/afs-fix-validation-callback-interaction.patch b/queue-4.19/afs-fix-validation-callback-interaction.patch
new file mode 100644
index 00000000000..cbbaf9628bf
--- /dev/null
+++ b/queue-4.19/afs-fix-validation-callback-interaction.patch
@@ -0,0 +1,96 @@
+From 1844d539f4dfa95f4118b54816b540e014cefc29 Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Tue, 13 Nov 2018 23:20:21 +0000
+Subject: afs: Fix validation/callback interaction
+
+[ Upstream commit ae3b7361dc0ee9a425bf7d77ce211f533500b39b ]
+
+When afs_validate() is called to validate a vnode (inode), there are two
+unhandled cases in the fastpath at the top of the function:
+
+ (1) If the vnode is promised (AFS_VNODE_CB_PROMISED is set), the break
+ counters match and the data has expired, then there's an implicit case
+ in which the vnode needs revalidating.
+
+ This has no consequences since the default "valid = false" set at the
+ top of the function happens to do the right thing.
+
+ (2) If the vnode is not promised and it hasn't been deleted
+ (AFS_VNODE_DELETED is not set) then there's a default case we're not
+ handling in which the vnode is invalid. If the vnode is invalid, we
+ need to bring cb_s_break and cb_v_break up to date before we refetch
+ the status.
+
+ As a consequence, once the server loses track of the client
+ (ie. sufficient time has passed since we last sent it an operation),
+ it will send us a CB.InitCallBackState* operation when we next try to
+ talk to it. This calls afs_init_callback_state() which increments
+ afs_server::cb_s_break, but this then doesn't propagate to the
+ afs_vnode record.
+
+ The result being that every afs_validate() call thereafter sends a
+ status fetch operation to the server.
+
+Clarify and fix this by:
+
+ (A) Setting valid in all the branches rather than initialising it at the
+ top so that the compiler catches where we've missed.
+
+ (B) Restructuring the logic in the 'promised' branch so that we set valid
+ to false if the callback is due to expire (or has expired) and so that
+ the final case is that the vnode is still valid.
+
+ (C) Adding an else-statement that ups cb_s_break and cb_v_break if the
+ promised and deleted cases don't match.
+
+Fixes: c435ee34551e ("afs: Overhaul the callback handling")
+Signed-off-by: David Howells
+Signed-off-by: Al Viro
+Signed-off-by: Sasha Levin
+---
+ fs/afs/inode.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/fs/afs/inode.c b/fs/afs/inode.c
+index 479b7fdda124..071075d775a9 100644
+--- a/fs/afs/inode.c
++++ b/fs/afs/inode.c
+@@ -379,7 +379,7 @@ void afs_zap_data(struct afs_vnode *vnode)
+ int afs_validate(struct afs_vnode *vnode, struct key *key)
+ {
+ time64_t now = ktime_get_real_seconds();
+- bool valid = false;
++ bool valid;
+ int ret;
+
+ _enter("{v={%x:%u} fl=%lx},%x",
+@@ -399,15 +399,21 @@ int afs_validate(struct afs_vnode *vnode, struct key *key)
+ vnode->cb_v_break = vnode->volume->cb_v_break;
+ valid = false;
+ } else if (vnode->status.type == AFS_FTYPE_DIR &&
+- test_bit(AFS_VNODE_DIR_VALID, &vnode->flags) &&
+- vnode->cb_expires_at - 10 > now) {
+- valid = true;
+- } else if (!test_bit(AFS_VNODE_ZAP_DATA, &vnode->flags) &&
+- vnode->cb_expires_at - 10 > now) {
++ (!test_bit(AFS_VNODE_DIR_VALID, &vnode->flags) ||
++ vnode->cb_expires_at - 10 <= now)) {
++ valid = false;
++ } else if (test_bit(AFS_VNODE_ZAP_DATA, &vnode->flags) ||
++ vnode->cb_expires_at - 10 <= now) {
++ valid = false;
++ } else {
+ valid = true;
+ }
+ } else if (test_bit(AFS_VNODE_DELETED, &vnode->flags)) {
+ valid = true;
++ } else {
++ vnode->cb_s_break = vnode->cb_interest->server->cb_s_break;
++ vnode->cb_v_break = vnode->volume->cb_v_break;
++ valid = false;
+ }
+
+ read_sequnlock_excl(&vnode->cb_lock);
+--
+2.19.1
+
diff --git a/queue-4.19/aio-fix-failure-to-put-the-file-pointer.patch b/queue-4.19/aio-fix-failure-to-put-the-file-pointer.patch
new file mode 100644
index 00000000000..363bdcc5a53
--- /dev/null
+++ b/queue-4.19/aio-fix-failure-to-put-the-file-pointer.patch
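Review bot: The new final `else` branch in afs_validate() dereferences `vnode->cb_interest->server` on the path where AFS_VNODE_CB_PROMISED is not set, and nothing visible in this hunk shows that `cb_interest` is non-NULL there. A promised vnode implies a callback interest, but a vnode without a promise may not have one yet (inferred; the code that assigns `cb_interest` is outside the hunk), in which case this would be a NULL dereference taken while `cb_lock` is held. Either guard the read, `if (vnode->cb_interest) vnode->cb_s_break = vnode->cb_interest->server->cb_s_break;`, or add a comment above the branch stating the invariant that makes it safe. afs_validate() starts and ends outside the hunk.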
@@ -0,0 +1,33 @@
+From c43bb2ffdba06a58c8f031b19d7db6f5d6e6259c Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Sat, 17 Nov 2018 07:43:42 -0700
+Subject: aio: fix failure to put the file pointer
+
+[ Upstream commit 53fffe29a9e664a999dd3787e4428da8c30533e0 ]
+
+If the ioprio capability check fails, we return without putting
+the file pointer.
+
+Fixes: d9a08a9e616b ("fs: Add aio iopriority support")
+Signed-off-by: Jens Axboe
+Signed-off-by: Al Viro
+Signed-off-by: Sasha Levin
+---
+ fs/aio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/aio.c b/fs/aio.c
+index b9350f3360c6..04c4d6218978 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1436,6 +1436,7 @@ static int aio_prep_rw(struct kiocb *req, struct iocb *iocb)
+ ret = ioprio_check_cap(iocb->aio_reqprio);
+ if (ret) {
+ pr_debug("aio ioprio check cap error: %d\n", ret);
++ fput(req->ki_filp);
+ return ret;
+ }
+
+--
+2.19.1
+
diff --git a/queue-4.19/alsa-usb-audio-add-vendor-and-product-name-for-dell-.patch b/queue-4.19/alsa-usb-audio-add-vendor-and-product-name-for-dell-.patch
new file mode 100644
index 00000000000..0196042be25
--- /dev/null
+++ b/queue-4.19/alsa-usb-audio-add-vendor-and-product-name-for-dell-.patch
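Review bot: The added `fput(req->ki_filp)` is open-coded in this one error branch of aio_prep_rw() and leaves `req->ki_filp` pointing at the file it has just released. If any caller cleanup reads `req->ki_filp` after a failed aio_prep_rw() (not visible here), that pointer is stale. A single exit label would keep the release in one place and clear the field: `goto out_fput;` in this branch, with `out_fput: fput(req->ki_filp); req->ki_filp = NULL; return ret;` at the end. The function's other return paths lie outside the hunk and need the same check.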
@@ -0,0 +1,41 @@
+From b4a058e11778693f2d7ba962f888813eae6c247b Mon Sep 17 00:00:00 2001
+From: Hui Wang
+Date: Wed, 28 Nov 2018 17:11:26 +0800
+Subject: ALSA: usb-audio: Add vendor and product name for Dell WD19 Dock
+
+[ Upstream commit 8159a6a4a7d2a092d5375f695ecfca22b4562b5f ]
+
+Like the Dell WD15 Dock, the WD19 Dock (0bda:402e) doens't provide
+useful string for the vendor and product names too. In order to share
+the UCM with WD15, here we keep the profile_name same as the WD15.
+
+Signed-off-by: Hui Wang
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/usb/quirks-table.h | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h
+index 08aa78007020..1c73b9ed44a6 100644
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -3387,5 +3387,15 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge", "HVR-950Q"),
+ .ifnum = QUIRK_NO_INTERFACE
+ }
+ },
++/* Dell WD19 Dock */
++{
++ USB_DEVICE(0x0bda, 0x402e),
++ .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
++ .vendor_name = "Dell",
++ .product_name = "WD19 Dock",
++ .profile_name = "Dell-WD15-Dock",
++ .ifnum = QUIRK_NO_INTERFACE
++ }
++},
+
+ #undef USB_DEVICE_VENDOR_SPEC
+--
+2.19.1
+
diff --git a/queue-4.19/arm-dts-am3517-fix-pinmuxing-for-cd-on-mmc1.patch b/queue-4.19/arm-dts-am3517-fix-pinmuxing-for-cd-on-mmc1.patch
new file mode 100644
index 00000000000..5101e0f04a7
--- /dev/null
+++ b/queue-4.19/arm-dts-am3517-fix-pinmuxing-for-cd-on-mmc1.patch
@@ -0,0 +1,37 @@
+From 217e4d85d891eccf34f46e85b76de5843b739bac Mon Sep 17 00:00:00 2001
+From: Adam Ford
+Date: Sun, 28 Oct 2018 15:13:48 -0500
+Subject: ARM: dts: am3517: Fix pinmuxing for CD on MMC1
+
+[ Upstream commit e7f4ffffa972db4820c23ff9831a6a4f3f6d8cc5 ]
+
+The MMC1 is active low, not active high. For some reason,
+this worked with different combination of U-Boot and kernels,
+but it's supposed to be active low and is currently broken.
+
+Fixes: cfaa856a2510 ("ARM: dts: am3517: Add pinmuxing, CD and
+WP for MMC1") #kernel 4.18+
+
+Signed-off-by: Adam Ford
+Signed-off-by: Tony Lindgren
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/am3517-evm.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/am3517-evm.dts b/arch/arm/boot/dts/am3517-evm.dts
+index 1d158cfda15f..c45aef806870 100644
+--- a/arch/arm/boot/dts/am3517-evm.dts
++++ b/arch/arm/boot/dts/am3517-evm.dts
+@@ -227,7 +227,7 @@
+ vmmc-supply = <&vmmc_fixed>;
+ bus-width = <4>;
+ wp-gpios = <&gpio4 30 GPIO_ACTIVE_HIGH>; /* gpio_126 */
+- cd-gpios = <&gpio4 31 GPIO_ACTIVE_HIGH>; /* gpio_127 */
++ cd-gpios = <&gpio4 31 GPIO_ACTIVE_LOW>; /* gpio_127 */
+ };
+
+ &mmc3 {
+--
+2.19.1
+
diff --git a/queue-4.19/arm-dts-am3517-som-fix-wl127x-wifi-interrupt.patch b/queue-4.19/arm-dts-am3517-som-fix-wl127x-wifi-interrupt.patch
new file mode 100644
index 00000000000..537bc44fb99
--- /dev/null
+++ b/queue-4.19/arm-dts-am3517-som-fix-wl127x-wifi-interrupt.patch
@@ -0,0 +1,37 @@
+From daaa2401404b998a91c3754a1c5c95d95b815b2e Mon Sep 17 00:00:00 2001
+From: Adam Ford
+Date: Sun, 28 Oct 2018 15:34:21 -0500
+Subject: ARM: dts: am3517-som: Fix WL127x Wifi interrupt
+
+[ Upstream commit 419b194cdedc76d0d3cd5b0900db0fa8177c4a52 ]
+
+At the same time the AM3517 EVM was gaining WiFi support,
+separate patches were introduced to move the interrupt
+from HIGH to RISING. Because they overlapped, this was not
+done to the AM3517-EVM. This patch fixes Kernel 4.19+
+
+Fixes: 6bf5e3410f19 ("ARM: dts: am3517-som: Add WL127x Wifi")
+
+Signed-off-by: Adam Ford
+Signed-off-by: Tony Lindgren
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/am3517-som.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/am3517-som.dtsi b/arch/arm/boot/dts/am3517-som.dtsi
+index dae6e458e59f..b1c988eed87c 100644
+--- a/arch/arm/boot/dts/am3517-som.dtsi
++++ b/arch/arm/boot/dts/am3517-som.dtsi
+@@ -163,7 +163,7 @@
+ compatible = "ti,wl1271";
+ reg = <2>;
+ interrupt-parent = <&gpio6>;
+- interrupts = <10 IRQ_TYPE_LEVEL_HIGH>; /* gpio_170 */
++ interrupts = <10 IRQ_TYPE_EDGE_RISING>; /* gpio_170 */
+ ref-clock-frequency = <26000000>;
+ tcxo-clock-frequency = <26000000>;
+ };
+--
+2.19.1
+
diff --git a/queue-4.19/arm-dts-at91-sama5d2-use-the-divided-clock-for-smc.patch b/queue-4.19/arm-dts-at91-sama5d2-use-the-divided-clock-for-smc.patch
new file mode 100644
index 00000000000..f1ca01b0e62
--- /dev/null
+++ b/queue-4.19/arm-dts-at91-sama5d2-use-the-divided-clock-for-smc.patch
@@ -0,0 +1,41 @@
+From d9c51d3a71436881a4f5f3037bc861037489c25f Mon Sep 17 00:00:00 2001
+From: Romain Izard
+Date: Tue, 20 Nov 2018 17:57:37 +0100
+Subject: ARM: dts: at91: sama5d2: use the divided clock for SMC
+
+[ Upstream commit 4ab7ca092c3c7ac8b16aa28eba723a8868f82f14 ]
+
+The SAMA5D2 is different from SAMA5D3 and SAMA5D4, as there are two
+different clocks for the peripherals in the SoC. The Static Memory
+controller is connected to the divided master clock.
+
+Unfortunately, the device tree does not correctly show this and uses the
+master clock directly. This clock is then used by the code for the NAND
+controller to calculate the timings for the controller, and we end up with
+slow NAND Flash access.
+
+Fix the device tree, and the performance of Flash access is improved.
+
+Signed-off-by: Romain Izard
+Signed-off-by: Alexandre Belloni
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/sama5d2.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/sama5d2.dtsi b/arch/arm/boot/dts/sama5d2.dtsi
+index 61f68e5c48e9..b405992eb601 100644
+--- a/arch/arm/boot/dts/sama5d2.dtsi
++++ b/arch/arm/boot/dts/sama5d2.dtsi
+@@ -308,7 +308,7 @@
+ 0x1 0x0 0x60000000 0x10000000
+ 0x2 0x0 0x70000000 0x10000000
+ 0x3 0x0 0x80000000 0x10000000>;
+- clocks = <&mck>;
++ clocks = <&h32ck>;
+ status = "disabled";
+
+ nand_controller: nand-controller {
+--
+2.19.1
+
diff --git a/queue-4.19/arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch b/queue-4.19/arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch
new file mode 100644
index 00000000000..9857abc7bc4
--- /dev/null
+++ b/queue-4.19/arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch
@@ -0,0 +1,36 @@
+From 2eabbdfd02f281c324d6fddfb7d2cf202c2d9489 Mon Sep 17 00:00:00 2001
+From: Adam Ford
+Date: Sun, 28 Oct 2018 15:29:27 -0500
+Subject: ARM: dts: logicpd-somlv: Fix interrupt on mmc3_dat1
+
+[ Upstream commit 3d8b804bc528d3720ec0c39c212af92dafaf6e84 ]
+
+The interrupt on mmc3_dat1 is wrong which prevents this from
+appearing in /proc/interrupts.
+
+Fixes: ab8dd3aed011 ("ARM: DTS: Add minimal Support for Logic PD
+DM3730 SOM-LV") #Kernel 4.9+
+
+Signed-off-by: Adam Ford
+Signed-off-by: Tony Lindgren
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/logicpd-som-lv.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/logicpd-som-lv.dtsi b/arch/arm/boot/dts/logicpd-som-lv.dtsi
+index ac343330d0c8..98b682a8080c 100644
+--- a/arch/arm/boot/dts/logicpd-som-lv.dtsi
++++ b/arch/arm/boot/dts/logicpd-som-lv.dtsi
+@@ -129,7 +129,7 @@
+ };
+
+ &mmc3 {
+- interrupts-extended = <&intc 94 &omap3_pmx_core2 0x46>;
++ interrupts-extended = <&intc 94 &omap3_pmx_core 0x136>;
+ pinctrl-0 = <&mmc3_pins &wl127x_gpio>;
+ pinctrl-names = "default";
+ vmmc-supply = <&wl12xx_vmmc>;
+--
+2.19.1
+
diff --git a/queue-4.19/arm-dts-logicpd-torpedo-fix-mmc3_dat1-interrupt.patch b/queue-4.19/arm-dts-logicpd-torpedo-fix-mmc3_dat1-interrupt.patch
new file mode 100644
index 00000000000..d7314499373
--- /dev/null
+++ b/queue-4.19/arm-dts-logicpd-torpedo-fix-mmc3_dat1-interrupt.patch
@@ -0,0 +1,39 @@
+From f519b2e3e1eb90b58853ff03e596e1f8eeff4fad Mon Sep 17 00:00:00 2001
+From: Adam Ford
+Date: Sun, 28 Oct 2018 15:28:32 -0500
+Subject: ARM: dts: LogicPD Torpedo: Fix mmc3_dat1 interrupt
+
+[ Upstream commit 6809564d64ff1301d44c13334cc0e8369e825a20 ]
+
+When the Torpedo was first introduced back at Kernel 4.2,
+the interrupt extended flag has been set incorrectly.
+
+It was subsequently moved, so this patch corrects Kernel
+4.18+
+
+Fixes: a38867305203 ("ARM: dts: Move move WiFi bindings to
+logicpd-torpedo-37xx-devkit") # v4.18+
+
+Signed-off-by: Adam Ford
+Signed-off-by: Tony Lindgren
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/logicpd-torpedo-37xx-devkit.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/logicpd-torpedo-37xx-devkit.dts b/arch/arm/boot/dts/logicpd-torpedo-37xx-devkit.dts
+index 9d5d53fbe9c0..c39cf2ca54da 100644
+--- a/arch/arm/boot/dts/logicpd-torpedo-37xx-devkit.dts
++++ b/arch/arm/boot/dts/logicpd-torpedo-37xx-devkit.dts
+@@ -35,7 +35,7 @@
+ * jumpering combinations for the long run.
+ */
+ &mmc3 {
+- interrupts-extended = <&intc 94 &omap3_pmx_core2 0x46>;
++ interrupts-extended = <&intc 94 &omap3_pmx_core 0x136>;
+ pinctrl-0 = <&mmc3_pins &mmc3_core2_pins>;
+ pinctrl-names = "default";
+ vmmc-supply = <&wl12xx_vmmc>;
+--
+2.19.1
+
diff --git a/queue-4.19/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch b/queue-4.19/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch
new file mode 100644
index 00000000000..6f4cd5c2929
--- /dev/null
+++ b/queue-4.19/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch
@@ -0,0 +1,40 @@
+From 5389060d245b661aca161b96933863137d5eb1ee Mon Sep 17 00:00:00 2001
+From: Janusz Krzysztofik
+Date: Wed, 7 Nov 2018 22:30:31 +0100
+Subject: ARM: OMAP1: ams-delta: Fix possible use of uninitialized field
+
+[ Upstream commit cec83ff1241ec98113a19385ea9e9cfa9aa4125b ]
+
+While playing with initialization order of modem device, it has been
+discovered that under some circumstances (early console init, I
+believe) its .pm() callback may be called before the
+uart_port->private_data pointer is initialized from
+plat_serial8250_port->private_data, resulting in NULL pointer
+dereference. Fix it by checking for uninitialized pointer before using
+it in modem_pm().
+
+Fixes: aabf31737a6a ("ARM: OMAP1: ams-delta: update the modem to use regulator API")
+Signed-off-by: Janusz Krzysztofik
+Signed-off-by: Tony Lindgren
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-omap1/board-ams-delta.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/mach-omap1/board-ams-delta.c b/arch/arm/mach-omap1/board-ams-delta.c
+index dd28d2614d7f..d10d8831f527 100644
+--- a/arch/arm/mach-omap1/board-ams-delta.c
++++ b/arch/arm/mach-omap1/board-ams-delta.c
+@@ -726,6 +726,9 @@ static void modem_pm(struct uart_port *port, unsigned int state, unsigned old)
+ struct modem_private_data *priv = port->private_data;
+ int ret;
+
++ if (!priv)
++ return;
++
+ if (IS_ERR(priv->regulator))
+ return;
+
+--
+2.19.1
+
diff --git a/queue-4.19/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch b/queue-4.19/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch
new file mode 100644
index 00000000000..a1cbcca7045
--- /dev/null
+++ b/queue-4.19/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch
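Review bot: The new `if (!priv) return;` guard in modem_pm() drops the requested power-state change silently, and nothing in the hunk replays that request once `port->private_data` has been set. If the early call asked for the modem to be powered, the regulator state and the port state could disagree afterwards (inferred; the rest of modem_pm() and the initialisation code are outside the hunk). At minimum the guard should say why it exists, for example `/* .pm() can run before private_data is set (early console); nothing to switch yet */`.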
@@ -0,0 +1,45 @@
+From 4f69d6aff7f4064dbfb26c48e9497c009c7df43a Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Wed, 17 Oct 2018 17:54:00 -0700
+Subject: ARM: OMAP2+: prm44xx: Fix section annotation on
+ omap44xx_prm_enable_io_wakeup
+
+[ Upstream commit eef3dc34a1e0b01d53328b88c25237bcc7323777 ]
+
+When building the kernel with Clang, the following section mismatch
+warning appears:
+
+WARNING: vmlinux.o(.text+0x38b3c): Section mismatch in reference from
+the function omap44xx_prm_late_init() to the function
+.init.text:omap44xx_prm_enable_io_wakeup()
+The function omap44xx_prm_late_init() references
+the function __init omap44xx_prm_enable_io_wakeup().
+This is often because omap44xx_prm_late_init lacks a __init
+annotation or the annotation of omap44xx_prm_enable_io_wakeup is wrong.
+
+Remove the __init annotation from omap44xx_prm_enable_io_wakeup so there
+is no more mismatch.
+
+Signed-off-by: Nathan Chancellor
+Signed-off-by: Tony Lindgren
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-omap2/prm44xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-omap2/prm44xx.c b/arch/arm/mach-omap2/prm44xx.c
+index 7b95729e8359..38a1be6c3694 100644
+--- a/arch/arm/mach-omap2/prm44xx.c
++++ b/arch/arm/mach-omap2/prm44xx.c
+@@ -351,7 +351,7 @@ static void omap44xx_prm_reconfigure_io_chain(void)
+ * to occur, WAKEUPENABLE bits must be set in the pad mux registers, and
+ * omap44xx_prm_reconfigure_io_chain() must be called. No return value.
+ */
+-static void __init omap44xx_prm_enable_io_wakeup(void)
++static void omap44xx_prm_enable_io_wakeup(void)
+ {
+ s32 inst = omap4_prmst_get_prm_dev_inst();
+
+--
+2.19.1
+
diff --git a/queue-4.19/arm64-dts-sdm845-mtp-reserve-reserved-gpios.patch b/queue-4.19/arm64-dts-sdm845-mtp-reserve-reserved-gpios.patch
new file mode 100644
index 00000000000..36b298ee1d5
--- /dev/null
+++ b/queue-4.19/arm64-dts-sdm845-mtp-reserve-reserved-gpios.patch
@@ -0,0 +1,42 @@
+From d3d7cce7ee2fc18c9682b6edcbd3e50eea7fc2e1 Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson
+Date: Fri, 2 Nov 2018 14:45:32 -0700
+Subject: arm64: dts: sdm845-mtp: Reserve reserved gpios
+
+[ Upstream commit 5f8d3ab136d0ccb59c4d628d8f85e0d8f2761d07 ]
+
+With the introduction of commit 3edfb7bd76bd ("gpiolib: Show correct
+direction from the beginning") the gpiolib will attempt to read the
+direction of all pins, which triggers a read from protected register
+regions.
+
+The pins 0 through 3 and 81 through 84 are protected, so mark these as
+reserved.
+
+Signed-off-by: Bjorn Andersson
+Reviewed-by: Stephen Boyd
+Reviewed-by: Linus Walleij
+Signed-off-by: Andy Gross
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/qcom/sdm845-mtp.dts | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm845-mtp.dts b/arch/arm64/boot/dts/qcom/sdm845-mtp.dts
+index 6d651f314193..6921f8dc5ebb 100644
+--- a/arch/arm64/boot/dts/qcom/sdm845-mtp.dts
++++ b/arch/arm64/boot/dts/qcom/sdm845-mtp.dts
+@@ -31,6 +31,10 @@
+ status = "okay";
+ };
+
++&tlmm {
++ gpio-reserved-ranges = <0 4>, <81 4>;
++};
++
+ &uart9 {
+ status = "okay";
+ };
+--
+2.19.1
+
diff --git a/queue-4.19/asoc-acpi-fix-continue-searching-when-machine-is-ign.patch b/queue-4.19/asoc-acpi-fix-continue-searching-when-machine-is-ign.patch
new file mode 100644
index 00000000000..ba2fb5fa1e1
--- /dev/null
+++ b/queue-4.19/asoc-acpi-fix-continue-searching-when-machine-is-ign.patch
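Review bot: The new `gpio-reserved-ranges = <0 4>, <81 4>;` line in the `&tlmm` node carries no comment, so the reason these eight pins are off limits lives only in the commit message. Because the ranges fence off protected register regions, a later edit that narrows or removes them would bring back the faulting reads without any hint in the file. Add a comment above the property, for example `/* GPIOs 0-3 and 81-84 sit in protected register regions; gpiolib must not touch them */`.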
@@ -0,0 +1,46 @@
+From 8313511d7735170f77365d85bb49a20b74b8f683 Mon Sep 17 00:00:00 2001
+From: Keyon Jie
+Date: Fri, 16 Nov 2018 18:47:04 -0600
+Subject: ASoC: acpi: fix: continue searching when machine is ignored
+
+[ Upstream commit a3e620f8422832afd832ad5e20aa97d0c72bada8 ]
+
+The machine_quirk may return NULL which means the acpi entries should be
+skipped and search for next matched entry is needed, here add return
+check here and continue for NULL case.
+
+Signed-off-by: Keyon Jie
+Signed-off-by: Pierre-Louis Bossart
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/soc-acpi.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/soc-acpi.c b/sound/soc/soc-acpi.c
+index b8e72b52db30..4fb29f0e561e 100644
+--- a/sound/soc/soc-acpi.c
++++ b/sound/soc/soc-acpi.c
+@@ -10,11 +10,17 @@ struct snd_soc_acpi_mach *
+ snd_soc_acpi_find_machine(struct snd_soc_acpi_mach *machines)
+ {
+ struct snd_soc_acpi_mach *mach;
++ struct snd_soc_acpi_mach *mach_alt;
+
+ for (mach = machines; mach->id[0]; mach++) {
+ if (acpi_dev_present(mach->id, NULL, -1)) {
+- if (mach->machine_quirk)
+- mach = mach->machine_quirk(mach);
++ if (mach->machine_quirk) {
++ mach_alt = mach->machine_quirk(mach);
++ if (!mach_alt)
++ continue; /* not full match, ignore */
++ mach = mach_alt;
++ }
++
+ return mach;
+ }
+ }
+--
+2.19.1
+
diff --git a/queue-4.19/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch b/queue-4.19/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch
new file mode 100644
index 00000000000..8ba5c5c3b81
--- /dev/null
+++ b/queue-4.19/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch
@@ -0,0 +1,57 @@
+From 5add10a494771d00ee2da25715cf54848a69237b Mon Sep 17 00:00:00 2001
+From: Tzung-Bi Shih
+Date: Wed, 14 Nov 2018 17:06:13 +0800
+Subject: ASoC: dapm: Recalculate audio map forcely when card instantiated
+
+[ Upstream commit 882eab6c28d23a970ae73b7eb831b169a672d456 ]
+
+Audio map are possible in wrong state before card->instantiated has
+been set to true. Imaging the following examples:
+
+time 1: at the beginning
+
+ in:-1 in:-1 in:-1 in:-1
+ out:-1 out:-1 out:-1 out:-1
+ SIGGEN A B Spk
+
+time 2: after someone called snd_soc_dapm_new_widgets()
+(e.g. create_fill_widget_route_map() in sound/soc/codecs/hdac_hdmi.c)
+
+ in:1 in:0 in:0 in:0
+ out:0 out:0 out:0 out:1
+ SIGGEN A B Spk
+
+time 3: routes added
+
+ in:1 in:0 in:0 in:0
+ out:0 out:0 out:0 out:1
+ SIGGEN -----> A -----> B ---> Spk
+
+In the end, the path should be powered on but it did not. At time 3,
+"in" of SIGGEN and "out" of Spk did not propagate to their neighbors
+because snd_soc_dapm_add_path() will not invalidate the paths if
+the card has not instantiated (i.e. card->instantiated is false).
+To correct the state of audio map, recalculate the whole map forcely.
+
+Signed-off-by: Tzung-Bi Shih
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/soc-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index 473eefe8658e..62aa320c2070 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -2126,6 +2126,7 @@ static int snd_soc_instantiate_card(struct snd_soc_card *card)
+ }
+
+ card->instantiated = 1;
++ dapm_mark_endpoints_dirty(card);
+ snd_soc_dapm_sync(&card->dapm);
+ mutex_unlock(&card->mutex);
+ mutex_unlock(&client_mutex);
+--
+2.19.1
+
diff --git a/queue-4.19/asoc-intel-power-down-links-before-turning-off-displ.patch b/queue-4.19/asoc-intel-power-down-links-before-turning-off-displ.patch
new file mode 100644
index 00000000000..3742ed0e2d7
--- /dev/null
+++ b/queue-4.19/asoc-intel-power-down-links-before-turning-off-displ.patch 
@@ -0,0 +1,90 @@
+From 8d43187e6809fe4f1095cffe12fead9c446ea427 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bossart
+Date: Fri, 9 Nov 2018 13:39:23 -0600
+Subject: ASoC: Intel: Power down links before turning off display audio power
+
+[ Upstream commit 4c10473d6ddf12ec124c9ff71a5d23bb5388478b ]
+
+On certain platforms, Display HDMI HDA codec was not going to sleep state
+after the use when links are powered down after turning off the display
+power. As per the HW recommendation, links are powered down before turning
+off the display power to ensure that the codec goes to sleep state.
+
+This patch was updated from an earlier version submitted upstream [1]
+which conflicted with the changes merged for HDaudio codec support
+with the Intel DSP.
+
+[1] https://patchwork.kernel.org/patch/10540213/
+
+Signed-off-by: Sriram Periyasamy
+Signed-off-by: Sanyog Kale
+Signed-off-by: Pierre-Louis Bossart
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/hdac_hdmi.c | 11 +++++------
+ sound/soc/intel/skylake/skl.c | 12 ++++++------
+ 2 files changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/sound/soc/codecs/hdac_hdmi.c b/sound/soc/codecs/hdac_hdmi.c
+index 7b8533abf637..b61d518f4fef 100644
+--- a/sound/soc/codecs/hdac_hdmi.c
++++ b/sound/soc/codecs/hdac_hdmi.c
+@@ -2184,11 +2184,6 @@ static int hdac_hdmi_runtime_suspend(struct device *dev)
+ */
+ snd_hdac_codec_read(hdev, hdev->afg, 0, AC_VERB_SET_POWER_STATE,
+ AC_PWRST_D3);
+- err = snd_hdac_display_power(bus, false);
+- if (err < 0) {
+- dev_err(dev, "Cannot turn on display power on i915\n");
+- return err;
+- }
+
+ hlink = snd_hdac_ext_bus_get_link(bus, dev_name(dev));
+ if (!hlink) {
+@@ -2198,7 +2193,11 @@ static int hdac_hdmi_runtime_suspend(struct device *dev)
+
+ snd_hdac_ext_bus_link_put(bus, hlink);
+
+- return 0;
++ err = snd_hdac_display_power(bus, false);
++ if (err < 0)
++ dev_err(dev, "Cannot turn off display power on i915\n");
++
++ return err;
+ }
+
+ static int hdac_hdmi_runtime_resume(struct device *dev)
+diff --git a/sound/soc/intel/skylake/skl.c b/sound/soc/intel/skylake/skl.c
+index 1d17be0f78a0..50f16a0f6535 100644
+--- a/sound/soc/intel/skylake/skl.c
++++ b/sound/soc/intel/skylake/skl.c
+@@ -752,6 +752,12 @@ static void skl_probe_work(struct work_struct *work)
+ }
+ }
+
++ /*
++ * we are done probing so decrement link counts
++ */
++ list_for_each_entry(hlink, &bus->hlink_list, list)
++ snd_hdac_ext_bus_link_put(bus, hlink);
++
+ if (IS_ENABLED(CONFIG_SND_SOC_HDAC_HDMI)) {
+ err = snd_hdac_display_power(bus, false);
+ if (err < 0) {
+@@ -761,12 +767,6 @@ static void skl_probe_work(struct work_struct *work)
+ }
+ }
+
+- /*
+- * we are done probing so decrement link counts
+- */
+- list_for_each_entry(hlink, &bus->hlink_list, list)
+- snd_hdac_ext_bus_link_put(bus, hlink);
+-
+ /* configure PM */
+ pm_runtime_put_noidle(bus->dev);
+ pm_runtime_allow(bus->dev);
+--
+2.19.1
+
diff --git a/queue-4.19/asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch b/queue-4.19/asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch
new file mode 100644
index 00000000000..1150a67b865
--- /dev/null
+++ b/queue-4.19/asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch
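Review bot: In hdac_hdmi_runtime_suspend() the link reference is now dropped by `snd_hdac_ext_bus_link_put(bus, hlink)` before `snd_hdac_display_power(bus, false)` runs, and a failure of that call is returned to the caller with `return err;`. A non-zero return from a runtime-suspend callback normally leaves the device marked active, so a retried suspend would put the link a second time with no matching get in between (inferred; the resume side and the callers are outside the hunk). Since the codec is already in D3 and the link already released at that point, consider logging the failure and ending with `return 0;`, or add a comment explaining why propagating `err` cannot unbalance the link count.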
@@ -0,0 +1,159 @@ +From 4ec85beb0a8f315511f549d5696af79450ca13db Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Wed, 14 Nov 2018 14:58:20 +0200 +Subject: ASoC: omap-abe-twl6040: Fix missing audio card caused by deferred + probing + +[ Upstream commit 76836fd354922ebe4798a64fda01f8dc6a8b0984 ] + +The machine driver fails to probe in next-20181113 with: + +[ 2.539093] omap-abe-twl6040 sound: ASoC: CODEC DAI twl6040-legacy not registered +[ 2.546630] omap-abe-twl6040 sound: devm_snd_soc_register_card() failed: -517 +... +[ 3.693206] omap-abe-twl6040 sound: ASoC: Both platform name/of_node are set for TWL6040 +[ 3.701446] omap-abe-twl6040 sound: ASoC: failed to init link TWL6040 +[ 3.708007] omap-abe-twl6040 sound: devm_snd_soc_register_card() failed: -22 +[ 3.715148] omap-abe-twl6040: probe of sound failed with error -22 + +Bisect pointed to a merge commit: +first bad commit: [0f688ab20a540aafa984c5dbd68a71debebf4d7f] Merge remote-tracking branch 'net-next/master' + +and a diff between a working kernel does not reveal anything which would +explain the change in behavior. + +Further investigation showed that on the second try of loading fails +because the dai_link->platform is no longer NULL and it might be pointing +to uninitialized memory. + +The fix is to move the snd_soc_dai_link and snd_soc_card inside of the +abe_twl6040 struct, which is dynamically allocated every time the driver +probes. 
+ +Signed-off-by: Peter Ujfalusi +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/omap/omap-abe-twl6040.c | 67 +++++++++++++------------------ + 1 file changed, 29 insertions(+), 38 deletions(-) + +diff --git a/sound/soc/omap/omap-abe-twl6040.c b/sound/soc/omap/omap-abe-twl6040.c +index d5ae9eb8c756..fed45b41f9d3 100644 +--- a/sound/soc/omap/omap-abe-twl6040.c ++++ b/sound/soc/omap/omap-abe-twl6040.c +@@ -36,6 +36,8 @@ + #include "../codecs/twl6040.h" + + struct abe_twl6040 { ++ struct snd_soc_card card; ++ struct snd_soc_dai_link dai_links[2]; + int jack_detection; /* board can detect jack events */ + int mclk_freq; /* MCLK frequency speed for twl6040 */ + }; +@@ -208,40 +210,10 @@ static int omap_abe_dmic_init(struct snd_soc_pcm_runtime *rtd) + ARRAY_SIZE(dmic_audio_map)); + } + +-/* Digital audio interface glue - connects codec <--> CPU */ +-static struct snd_soc_dai_link abe_twl6040_dai_links[] = { +- { +- .name = "TWL6040", +- .stream_name = "TWL6040", +- .codec_dai_name = "twl6040-legacy", +- .codec_name = "twl6040-codec", +- .init = omap_abe_twl6040_init, +- .ops = &omap_abe_ops, +- }, +- { +- .name = "DMIC", +- .stream_name = "DMIC Capture", +- .codec_dai_name = "dmic-hifi", +- .codec_name = "dmic-codec", +- .init = omap_abe_dmic_init, +- .ops = &omap_abe_dmic_ops, +- }, +-}; +- +-/* Audio machine driver */ +-static struct snd_soc_card omap_abe_card = { +- .owner = THIS_MODULE, +- +- .dapm_widgets = twl6040_dapm_widgets, +- .num_dapm_widgets = ARRAY_SIZE(twl6040_dapm_widgets), +- .dapm_routes = audio_map, +- .num_dapm_routes = ARRAY_SIZE(audio_map), +-}; +- + static int omap_abe_probe(struct platform_device *pdev) + { + struct device_node *node = pdev->dev.of_node; +- struct snd_soc_card *card = &omap_abe_card; ++ struct snd_soc_card *card; + struct device_node *dai_node; + struct abe_twl6040 *priv; + int num_links = 0; +@@ -252,12 +224,18 @@ static int omap_abe_probe(struct platform_device *pdev) + return -ENODEV; + } + +- card->dev 
= &pdev->dev; +- + priv = devm_kzalloc(&pdev->dev, sizeof(struct abe_twl6040), GFP_KERNEL); + if (priv == NULL) + return -ENOMEM; + ++ card = &priv->card; ++ card->dev = &pdev->dev; ++ card->owner = THIS_MODULE; ++ card->dapm_widgets = twl6040_dapm_widgets; ++ card->num_dapm_widgets = ARRAY_SIZE(twl6040_dapm_widgets); ++ card->dapm_routes = audio_map; ++ card->num_dapm_routes = ARRAY_SIZE(audio_map); ++ + if (snd_soc_of_parse_card_name(card, "ti,model")) { + dev_err(&pdev->dev, "Card name is not provided\n"); + return -ENODEV; +@@ -274,14 +252,27 @@ static int omap_abe_probe(struct platform_device *pdev) + dev_err(&pdev->dev, "McPDM node is not provided\n"); + return -EINVAL; + } +- abe_twl6040_dai_links[0].cpu_of_node = dai_node; +- abe_twl6040_dai_links[0].platform_of_node = dai_node; ++ ++ priv->dai_links[0].name = "DMIC"; ++ priv->dai_links[0].stream_name = "TWL6040"; ++ priv->dai_links[0].cpu_of_node = dai_node; ++ priv->dai_links[0].platform_of_node = dai_node; ++ priv->dai_links[0].codec_dai_name = "twl6040-legacy"; ++ priv->dai_links[0].codec_name = "twl6040-codec"; ++ priv->dai_links[0].init = omap_abe_twl6040_init; ++ priv->dai_links[0].ops = &omap_abe_ops; + + dai_node = of_parse_phandle(node, "ti,dmic", 0); + if (dai_node) { + num_links = 2; +- abe_twl6040_dai_links[1].cpu_of_node = dai_node; +- abe_twl6040_dai_links[1].platform_of_node = dai_node; ++ priv->dai_links[1].name = "TWL6040"; ++ priv->dai_links[1].stream_name = "DMIC Capture"; ++ priv->dai_links[1].cpu_of_node = dai_node; ++ priv->dai_links[1].platform_of_node = dai_node; ++ priv->dai_links[1].codec_dai_name = "dmic-hifi"; ++ priv->dai_links[1].codec_name = "dmic-codec"; ++ priv->dai_links[1].init = omap_abe_dmic_init; ++ priv->dai_links[1].ops = &omap_abe_dmic_ops; + } else { + num_links = 1; + } +@@ -300,7 +291,7 @@ static int omap_abe_probe(struct platform_device *pdev) + return -ENODEV; + } + +- card->dai_link = abe_twl6040_dai_links; ++ card->dai_link = priv->dai_links; + 
card->num_links = num_links; + + snd_soc_card_set_drvdata(card, priv); +-- +2.19.1 + diff --git a/queue-4.19/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch b/queue-4.19/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch new file mode 100644 index 00000000000..1703269d0eb --- /dev/null +++ b/queue-4.19/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch 
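Review bot: The link names in `omap_abe_probe()` are swapped relative to the static table this patch removes. `priv->dai_links[0].name` is set to "DMIC" although its stream name, codec and init callback are the TWL6040 ones, and `priv->dai_links[1].name` is set to "TWL6040" for the DMIC link. The removed table had `.name = "TWL6040"` on entry 0 and `.name = "DMIC"` on entry 1, so the lines should read `priv->dai_links[0].name = "TWL6040";` and `priv->dai_links[1].name = "DMIC";`. Anything that identifies a link by name, in logs or possibly in userspace configuration, would otherwise see the wrong label.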
@@ -0,0 +1,63 @@ +From 518c3d10766fa7ffba1659678f47ba99c4c1af16 Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Wed, 14 Nov 2018 13:06:23 +0200 +Subject: ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE + +[ Upstream commit ffdcc3638c58d55a6fa68b6e5dfd4fb4109652eb ] + +We need to block sleep states which would require longer time to leave than +the time the DMA must react to the DMA request in order to keep the FIFO +serviced without overrun. + +Signed-off-by: Peter Ujfalusi +Acked-by: Jarkko Nikula +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/omap/omap-dmic.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/sound/soc/omap/omap-dmic.c b/sound/soc/omap/omap-dmic.c +index fe966272bd0c..cba9645b6487 100644 +--- a/sound/soc/omap/omap-dmic.c ++++ b/sound/soc/omap/omap-dmic.c +@@ -48,6 +48,8 @@ struct omap_dmic { + struct device *dev; + void __iomem *io_base; + struct clk *fclk; ++ struct pm_qos_request pm_qos_req; ++ int latency; + int fclk_freq; + int out_freq; + int clk_div; +@@ -124,6 +126,8 @@ static void omap_dmic_dai_shutdown(struct snd_pcm_substream *substream, + + mutex_lock(&dmic->mutex); + ++ pm_qos_remove_request(&dmic->pm_qos_req); ++ + if (!dai->active) + dmic->active = 0; + +@@ -228,6 +232,8 @@ static int omap_dmic_dai_hw_params(struct snd_pcm_substream *substream, + /* packet size is threshold * channels */ + dma_data = snd_soc_dai_get_dma_data(dai, substream); + dma_data->maxburst = dmic->threshold * channels; ++ dmic->latency = (OMAP_DMIC_THRES_MAX - dmic->threshold) * USEC_PER_SEC / ++ params_rate(params); + + return 0; + } +@@ -238,6 +244,9 @@ static int omap_dmic_dai_prepare(struct snd_pcm_substream *substream, + struct omap_dmic *dmic = snd_soc_dai_get_drvdata(dai); + u32 ctrl; + ++ if (pm_qos_request_active(&dmic->pm_qos_req)) ++ pm_qos_update_request(&dmic->pm_qos_req, dmic->latency); ++ + /* Configure uplink threshold */ + omap_dmic_write(dmic, OMAP_DMIC_FIFO_CTRL_REG, 
dmic->threshold); + +-- +2.19.1 + diff --git a/queue-4.19/asoc-omap-mcbsp-fix-latency-value-calculation-for-pm.patch b/queue-4.19/asoc-omap-mcbsp-fix-latency-value-calculation-for-pm.patch new file mode 100644 index 00000000000..ead64731797 --- /dev/null +++ b/queue-4.19/asoc-omap-mcbsp-fix-latency-value-calculation-for-pm.patch @@ -0,0 +1,38 @@ +From a466847241853ff2cfa7b9c0a89ff5bbf73e89cd Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Wed, 14 Nov 2018 13:06:21 +0200 +Subject: ASoC: omap-mcbsp: Fix latency value calculation for pm_qos + +[ Upstream commit dd2f52d8991af9fe0928d59ec502ba52be7bc38d ] + +The latency number is in usec for the pm_qos. Correct the calculation to +give us the time in usec + +Signed-off-by: Peter Ujfalusi +Acked-by: Jarkko Nikula +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/omap/omap-mcbsp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/omap/omap-mcbsp.c b/sound/soc/omap/omap-mcbsp.c +index d0ebb6b9bfac..2d6decbfc99e 100644 +--- a/sound/soc/omap/omap-mcbsp.c ++++ b/sound/soc/omap/omap-mcbsp.c +@@ -308,9 +308,9 @@ static int omap_mcbsp_dai_hw_params(struct snd_pcm_substream *substream, + pkt_size = channels; + } + +- latency = ((((buffer_size - pkt_size) / channels) * 1000) +- / (params->rate_num / params->rate_den)); +- ++ latency = (buffer_size - pkt_size) / channels; ++ latency = latency * USEC_PER_SEC / ++ (params->rate_num / params->rate_den); + mcbsp->latency[substream->stream] = latency; + + omap_mcbsp_set_threshold(substream, pkt_size); +-- +2.19.1 + diff --git a/queue-4.19/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch b/queue-4.19/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch new file mode 100644 index 00000000000..f5f5ce2a640 --- /dev/null +++ b/queue-4.19/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch 
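Review bot: None of the visible hunks calls `pm_qos_add_request()` for `dmic->pm_qos_req`, so unless the request is added in code outside these hunks, the `pm_qos_request_active()` guard in `omap_dmic_dai_prepare()` is never true and the latency constraint is never applied. `omap_dmic_dai_shutdown()` also calls `pm_qos_remove_request()` unconditionally, which the PM QoS core reports with a warning when the request was never added. Suggest adding `else pm_qos_add_request(&dmic->pm_qos_req, PM_QOS_CPU_DMA_LATENCY, dmic->latency);` in prepare and guarding the remove with `if (pm_qos_request_active(&dmic->pm_qos_req))`, as the omap-mcpdm patch in this same series does in its prepare and remove callbacks.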
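Review bot: In `omap_mcbsp_dai_hw_params()`, `latency * USEC_PER_SEC` uses a factor 1000 times larger than the old `* 1000`, so the intermediate product can overflow if `latency` is a 32-bit signed value and the frame count exceeds roughly 2147. The declaration of `latency` and the bounds of `buffer_size` are outside the hunk, so this needs confirming against the full function. Either add a comment stating the maximum `buffer_size` that makes the arithmetic safe, or compute the product in 64 bits (for example with `div_u64()`) before storing it in `mcbsp->latency[]`.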
@@ -0,0 +1,127 @@ +From dc36d5423e671bec4551d73d2b50529dc4256f7e Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Wed, 14 Nov 2018 13:06:22 +0200 +Subject: ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with + CPU_IDLE + +[ Upstream commit 373a500e34aea97971c9d71e45edad458d3da98f ] + +We need to block sleep states which would require longer time to leave than +the time the DMA must react to the DMA request in order to keep the FIFO +serviced without under of overrun. + +Signed-off-by: Peter Ujfalusi +Acked-by: Jarkko Nikula +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/omap/omap-mcpdm.c | 43 ++++++++++++++++++++++++++++++++++++- + 1 file changed, 42 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/omap/omap-mcpdm.c b/sound/soc/omap/omap-mcpdm.c +index 4c1be36c2207..7d5bdc5a2890 100644 +--- a/sound/soc/omap/omap-mcpdm.c ++++ b/sound/soc/omap/omap-mcpdm.c +@@ -54,6 +54,8 @@ struct omap_mcpdm { + unsigned long phys_base; + void __iomem *io_base; + int irq; ++ struct pm_qos_request pm_qos_req; ++ int latency[2]; + + struct mutex mutex; + +@@ -277,6 +279,9 @@ static void omap_mcpdm_dai_shutdown(struct snd_pcm_substream *substream, + struct snd_soc_dai *dai) + { + struct omap_mcpdm *mcpdm = snd_soc_dai_get_drvdata(dai); ++ int tx = (substream->stream == SNDRV_PCM_STREAM_PLAYBACK); ++ int stream1 = tx ? SNDRV_PCM_STREAM_PLAYBACK : SNDRV_PCM_STREAM_CAPTURE; ++ int stream2 = tx ? 
SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK; + + mutex_lock(&mcpdm->mutex); + +@@ -289,6 +294,14 @@ static void omap_mcpdm_dai_shutdown(struct snd_pcm_substream *substream, + } + } + ++ if (mcpdm->latency[stream2]) ++ pm_qos_update_request(&mcpdm->pm_qos_req, ++ mcpdm->latency[stream2]); ++ else if (mcpdm->latency[stream1]) ++ pm_qos_remove_request(&mcpdm->pm_qos_req); ++ ++ mcpdm->latency[stream1] = 0; ++ + mutex_unlock(&mcpdm->mutex); + } + +@@ -300,7 +313,7 @@ static int omap_mcpdm_dai_hw_params(struct snd_pcm_substream *substream, + int stream = substream->stream; + struct snd_dmaengine_dai_dma_data *dma_data; + u32 threshold; +- int channels; ++ int channels, latency; + int link_mask = 0; + + channels = params_channels(params); +@@ -344,14 +357,25 @@ static int omap_mcpdm_dai_hw_params(struct snd_pcm_substream *substream, + + dma_data->maxburst = + (MCPDM_DN_THRES_MAX - threshold) * channels; ++ latency = threshold; + } else { + /* If playback is not running assume a stereo stream to come */ + if (!mcpdm->config[!stream].link_mask) + mcpdm->config[!stream].link_mask = (0x3 << 3); + + dma_data->maxburst = threshold * channels; ++ latency = (MCPDM_DN_THRES_MAX - threshold); + } + ++ /* ++ * The DMA must act to a DMA request within latency time (usec) to avoid ++ * under/overflow ++ */ ++ mcpdm->latency[stream] = latency * USEC_PER_SEC / params_rate(params); ++ ++ if (!mcpdm->latency[stream]) ++ mcpdm->latency[stream] = 10; ++ + /* Check if we need to restart McPDM with this stream */ + if (mcpdm->config[stream].link_mask && + mcpdm->config[stream].link_mask != link_mask) +@@ -366,6 +390,20 @@ static int omap_mcpdm_prepare(struct snd_pcm_substream *substream, + struct snd_soc_dai *dai) + { + struct omap_mcpdm *mcpdm = snd_soc_dai_get_drvdata(dai); ++ struct pm_qos_request *pm_qos_req = &mcpdm->pm_qos_req; ++ int tx = (substream->stream == SNDRV_PCM_STREAM_PLAYBACK); ++ int stream1 = tx ? 
SNDRV_PCM_STREAM_PLAYBACK : SNDRV_PCM_STREAM_CAPTURE; ++ int stream2 = tx ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK; ++ int latency = mcpdm->latency[stream2]; ++ ++ /* Prevent omap hardware from hitting off between FIFO fills */ ++ if (!latency || mcpdm->latency[stream1] < latency) ++ latency = mcpdm->latency[stream1]; ++ ++ if (pm_qos_request_active(pm_qos_req)) ++ pm_qos_update_request(pm_qos_req, latency); ++ else if (latency) ++ pm_qos_add_request(pm_qos_req, PM_QOS_CPU_DMA_LATENCY, latency); + + if (!omap_mcpdm_active(mcpdm)) { + omap_mcpdm_start(mcpdm); +@@ -427,6 +465,9 @@ static int omap_mcpdm_remove(struct snd_soc_dai *dai) + free_irq(mcpdm->irq, (void *)mcpdm); + pm_runtime_disable(mcpdm->dev); + ++ if (pm_qos_request_active(&mcpdm->pm_qos_req)) ++ pm_qos_remove_request(&mcpdm->pm_qos_req); ++ + return 0; + } + +-- +2.19.1 + diff --git a/queue-4.19/asoc-qcom-set-dai_link-id-to-each-dai_link.patch b/queue-4.19/asoc-qcom-set-dai_link-id-to-each-dai_link.patch new file mode 100644 index 00000000000..3ddf17f6399 --- /dev/null +++ b/queue-4.19/asoc-qcom-set-dai_link-id-to-each-dai_link.patch 
@@ -0,0 +1,54 @@
+From 459b736c3e3dc1e480d5f21efd3430a2c46d74d8 Mon Sep 17 00:00:00 2001
+From: Rohit kumar
+Date: Thu, 8 Nov 2018 19:11:40 +0530
+Subject: ASoC: qcom: Set dai_link id to each dai_link
+
+[ Upstream commit 67fd1437d11620de8768b22fe20942e752ed52e9 ]
+
+Frontend dai_link id is used for closing ADM sessions.
+During concurrent usecase when one session is closed,
+it closes other ADM session associated with other usecase
+too. Dai_link->id should always point to Frontend dai id.
+Set cpu_dai id as dai_link id to fix the issue.
+
+Signed-off-by: Rohit kumar
+Acked-by: Srinivas Kandagatla
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/qcom/common.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/qcom/common.c b/sound/soc/qcom/common.c
+index eb1b9da05dd4..4715527054e5 100644
+--- a/sound/soc/qcom/common.c
++++ b/sound/soc/qcom/common.c
+@@ -13,6 +13,7 @@ int qcom_snd_parse_of(struct snd_soc_card *card)
+ struct device_node *cpu = NULL;
+ struct device *dev = card->dev;
+ struct snd_soc_dai_link *link;
++ struct of_phandle_args args;
+ int ret, num_links;
+
+ ret = snd_soc_of_parse_card_name(card, "model");
+@@ -47,12 +48,14 @@ int qcom_snd_parse_of(struct snd_soc_card *card)
+ goto err;
+ }
+
+- link->cpu_of_node = of_parse_phandle(cpu, "sound-dai", 0);
+- if (!link->cpu_of_node) {
++ ret = of_parse_phandle_with_args(cpu, "sound-dai",
++ "#sound-dai-cells", 0, &args);
++ if (ret) {
+ dev_err(card->dev, "error getting cpu phandle\n");
+- ret = -EINVAL;
+ goto err;
+ }
++ link->cpu_of_node = args.np;
++ link->id = args.args[0];
+
+ ret = snd_soc_of_get_dai_name(cpu, &link->cpu_dai_name);
+ if (ret) {
+--
+2.19.1
+
diff --git a/queue-4.19/asoc-qdsp6-q6afe-dai-fix-the-dai-widgets.patch b/queue-4.19/asoc-qdsp6-q6afe-dai-fix-the-dai-widgets.patch
new file mode 100644
index 00000000000..be973965a19
--- /dev/null
+++ b/queue-4.19/asoc-qdsp6-q6afe-dai-fix-the-dai-widgets.patch
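Review bot: `link->id = args.args[0];` in `qcom_snd_parse_of()` reads the first phandle argument without checking `args.args_count`, and `struct of_phandle_args args;` is declared without an initialiser. A device tree whose CPU DAI provider declares `#sound-dai-cells = <0>` would make the lookup succeed with no arguments, leaving `link->id` set from uninitialised stack data. Since the id is what the description says selects the session to close, reject that case before the assignment: `if (args.args_count < 1) { ret = -EINVAL; goto err; }`. The rest of the function, including the `err` label, is outside the hunk.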
@@ -0,0 +1,338 @@ +From b9dfc0db344bb5045042696ed6e9dbdd4fe4949a Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Tue, 6 Nov 2018 11:38:57 +0000 +Subject: ASoC: qdsp6: q6afe-dai: Fix the dai widgets + +[ Upstream commit e14856f6cfbb1b96aa45a68f188b147b5bde76b4 ] + +For some reason the dapm widgets are incorrectly defined from the start, +Not sure how we ended up with such thing. Fix them now! + +Without this fix the backend dais are always powered up even if there +is no active stream. + +Reported-by: Jimmy Cheng-Yi Chiang +Reported-by: Rohit kumar +Signed-off-by: Srinivas Kandagatla +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/qcom/qdsp6/q6afe-dai.c | 208 +++++++++++++++---------------- + 1 file changed, 104 insertions(+), 104 deletions(-) + +diff --git a/sound/soc/qcom/qdsp6/q6afe-dai.c b/sound/soc/qcom/qdsp6/q6afe-dai.c +index 60ff4a2d3577..8f6c8fc073a9 100644 +--- a/sound/soc/qcom/qdsp6/q6afe-dai.c ++++ b/sound/soc/qcom/qdsp6/q6afe-dai.c +@@ -1112,204 +1112,204 @@ static int q6afe_of_xlate_dai_name(struct snd_soc_component *component, + } + + static const struct snd_soc_dapm_widget q6afe_dai_widgets[] = { +- SND_SOC_DAPM_AIF_OUT("HDMI_RX", "HDMI Playback", 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SLIMBUS_0_RX", "Slimbus Playback", 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SLIMBUS_1_RX", "Slimbus1 Playback", 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SLIMBUS_2_RX", "Slimbus2 Playback", 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SLIMBUS_3_RX", "Slimbus3 Playback", 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SLIMBUS_4_RX", "Slimbus4 Playback", 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SLIMBUS_5_RX", "Slimbus5 Playback", 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SLIMBUS_6_RX", "Slimbus6 Playback", 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SLIMBUS_0_TX", "Slimbus Capture", 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SLIMBUS_1_TX", "Slimbus1 Capture", 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SLIMBUS_2_TX", "Slimbus2 Capture", 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SLIMBUS_3_TX", 
"Slimbus3 Capture", 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SLIMBUS_4_TX", "Slimbus4 Capture", 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SLIMBUS_5_TX", "Slimbus5 Capture", 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SLIMBUS_6_TX", "Slimbus6 Capture", 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("QUAT_MI2S_RX", "Quaternary MI2S Playback", ++ SND_SOC_DAPM_AIF_IN("HDMI_RX", NULL, 0, 0, 0, 0), ++ SND_SOC_DAPM_AIF_IN("SLIMBUS_0_RX", NULL, 0, 0, 0, 0), ++ SND_SOC_DAPM_AIF_IN("SLIMBUS_1_RX", NULL, 0, 0, 0, 0), ++ SND_SOC_DAPM_AIF_IN("SLIMBUS_2_RX", NULL, 0, 0, 0, 0), ++ SND_SOC_DAPM_AIF_IN("SLIMBUS_3_RX", NULL, 0, 0, 0, 0), ++ SND_SOC_DAPM_AIF_IN("SLIMBUS_4_RX", NULL, 0, 0, 0, 0), ++ SND_SOC_DAPM_AIF_IN("SLIMBUS_5_RX", NULL, 0, 0, 0, 0), ++ SND_SOC_DAPM_AIF_IN("SLIMBUS_6_RX", NULL, 0, 0, 0, 0), ++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_0_TX", NULL, 0, 0, 0, 0), ++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_1_TX", NULL, 0, 0, 0, 0), ++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_2_TX", NULL, 0, 0, 0, 0), ++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_3_TX", NULL, 0, 0, 0, 0), ++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_4_TX", NULL, 0, 0, 0, 0), ++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_5_TX", NULL, 0, 0, 0, 0), ++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_6_TX", NULL, 0, 0, 0, 0), ++ SND_SOC_DAPM_AIF_IN("QUAT_MI2S_RX", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("QUAT_MI2S_TX", "Quaternary MI2S Capture", ++ SND_SOC_DAPM_AIF_OUT("QUAT_MI2S_TX", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("TERT_MI2S_RX", "Tertiary MI2S Playback", ++ SND_SOC_DAPM_AIF_IN("TERT_MI2S_RX", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("TERT_MI2S_TX", "Tertiary MI2S Capture", ++ SND_SOC_DAPM_AIF_OUT("TERT_MI2S_TX", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SEC_MI2S_RX", "Secondary MI2S Playback", ++ SND_SOC_DAPM_AIF_IN("SEC_MI2S_RX", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SEC_MI2S_TX", "Secondary MI2S Capture", ++ SND_SOC_DAPM_AIF_OUT("SEC_MI2S_TX", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SEC_MI2S_RX_SD1", ++ SND_SOC_DAPM_AIF_IN("SEC_MI2S_RX_SD1", + "Secondary MI2S Playback SD1", + 0, 
0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("PRI_MI2S_RX", "Primary MI2S Playback", ++ SND_SOC_DAPM_AIF_IN("PRI_MI2S_RX", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("PRI_MI2S_TX", "Primary MI2S Capture", ++ SND_SOC_DAPM_AIF_OUT("PRI_MI2S_TX", NULL, + 0, 0, 0, 0), + +- SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_RX_0", "Primary TDM0 Playback", ++ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_0", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_RX_1", "Primary TDM1 Playback", ++ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_1", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_RX_2", "Primary TDM2 Playback", ++ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_2", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_RX_3", "Primary TDM3 Playback", ++ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_3", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_RX_4", "Primary TDM4 Playback", ++ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_4", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_RX_5", "Primary TDM5 Playback", ++ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_5", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_RX_6", "Primary TDM6 Playback", ++ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_6", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_RX_7", "Primary TDM7 Playback", ++ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_7", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_TX_0", "Primary TDM0 Capture", ++ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_0", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_TX_1", "Primary TDM1 Capture", ++ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_1", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_TX_2", "Primary TDM2 Capture", ++ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_2", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_TX_3", "Primary TDM3 Capture", ++ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_3", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_TX_4", "Primary TDM4 Capture", ++ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_4", NULL, + 0, 0, 0, 0), +- 
SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_TX_5", "Primary TDM5 Capture", ++ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_5", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_TX_6", "Primary TDM6 Capture", ++ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_6", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_TX_7", "Primary TDM7 Capture", ++ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_7", NULL, + 0, 0, 0, 0), + +- SND_SOC_DAPM_AIF_OUT("SEC_TDM_RX_0", "Secondary TDM0 Playback", ++ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_0", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SEC_TDM_RX_1", "Secondary TDM1 Playback", ++ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_1", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SEC_TDM_RX_2", "Secondary TDM2 Playback", ++ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_2", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SEC_TDM_RX_3", "Secondary TDM3 Playback", ++ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_3", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SEC_TDM_RX_4", "Secondary TDM4 Playback", ++ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_4", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SEC_TDM_RX_5", "Secondary TDM5 Playback", ++ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_5", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SEC_TDM_RX_6", "Secondary TDM6 Playback", ++ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_6", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("SEC_TDM_RX_7", "Secondary TDM7 Playback", ++ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_7", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SEC_TDM_TX_0", "Secondary TDM0 Capture", ++ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_0", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SEC_TDM_TX_1", "Secondary TDM1 Capture", ++ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_1", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SEC_TDM_TX_2", "Secondary TDM2 Capture", ++ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_2", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SEC_TDM_TX_3", "Secondary TDM3 Capture", ++ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_3", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SEC_TDM_TX_4", "Secondary TDM4 Capture", ++ 
SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_4", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SEC_TDM_TX_5", "Secondary TDM5 Capture", ++ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_5", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SEC_TDM_TX_6", "Secondary TDM6 Capture", ++ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_6", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("SEC_TDM_TX_7", "Secondary TDM7 Capture", ++ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_7", NULL, + 0, 0, 0, 0), + +- SND_SOC_DAPM_AIF_OUT("TERT_TDM_RX_0", "Tertiary TDM0 Playback", ++ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_0", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("TERT_TDM_RX_1", "Tertiary TDM1 Playback", ++ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_1", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("TERT_TDM_RX_2", "Tertiary TDM2 Playback", ++ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_2", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("TERT_TDM_RX_3", "Tertiary TDM3 Playback", ++ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_3", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("TERT_TDM_RX_4", "Tertiary TDM4 Playback", ++ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_4", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("TERT_TDM_RX_5", "Tertiary TDM5 Playback", ++ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_5", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("TERT_TDM_RX_6", "Tertiary TDM6 Playback", ++ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_6", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("TERT_TDM_RX_7", "Tertiary TDM7 Playback", ++ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_7", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("TERT_TDM_TX_0", "Tertiary TDM0 Capture", ++ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_0", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("TERT_TDM_TX_1", "Tertiary TDM1 Capture", ++ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_1", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("TERT_TDM_TX_2", "Tertiary TDM2 Capture", ++ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_2", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("TERT_TDM_TX_3", "Tertiary TDM3 Capture", ++ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_3", NULL, + 0, 0, 0, 0), +- 
SND_SOC_DAPM_AIF_IN("TERT_TDM_TX_4", "Tertiary TDM4 Capture", ++ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_4", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("TERT_TDM_TX_5", "Tertiary TDM5 Capture", ++ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_5", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("TERT_TDM_TX_6", "Tertiary TDM6 Capture", ++ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_6", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("TERT_TDM_TX_7", "Tertiary TDM7 Capture", ++ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_7", NULL, + 0, 0, 0, 0), + +- SND_SOC_DAPM_AIF_OUT("QUAT_TDM_RX_0", "Quaternary TDM0 Playback", ++ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_0", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("QUAT_TDM_RX_1", "Quaternary TDM1 Playback", ++ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_1", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("QUAT_TDM_RX_2", "Quaternary TDM2 Playback", ++ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_2", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("QUAT_TDM_RX_3", "Quaternary TDM3 Playback", ++ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_3", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("QUAT_TDM_RX_4", "Quaternary TDM4 Playback", ++ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_4", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("QUAT_TDM_RX_5", "Quaternary TDM5 Playback", ++ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_5", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("QUAT_TDM_RX_6", "Quaternary TDM6 Playback", ++ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_6", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("QUAT_TDM_RX_7", "Quaternary TDM7 Playback", ++ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_7", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("QUAT_TDM_TX_0", "Quaternary TDM0 Capture", ++ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_0", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("QUAT_TDM_TX_1", "Quaternary TDM1 Capture", ++ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_1", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("QUAT_TDM_TX_2", "Quaternary TDM2 Capture", ++ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_2", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("QUAT_TDM_TX_3", "Quaternary TDM3 
Capture", ++ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_3", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("QUAT_TDM_TX_4", "Quaternary TDM4 Capture", ++ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_4", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("QUAT_TDM_TX_5", "Quaternary TDM5 Capture", ++ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_5", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("QUAT_TDM_TX_6", "Quaternary TDM6 Capture", ++ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_6", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("QUAT_TDM_TX_7", "Quaternary TDM7 Capture", ++ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_7", NULL, + 0, 0, 0, 0), + +- SND_SOC_DAPM_AIF_OUT("QUIN_TDM_RX_0", "Quinary TDM0 Playback", ++ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_0", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("QUIN_TDM_RX_1", "Quinary TDM1 Playback", ++ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_1", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("QUIN_TDM_RX_2", "Quinary TDM2 Playback", ++ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_2", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("QUIN_TDM_RX_3", "Quinary TDM3 Playback", ++ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_3", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("QUIN_TDM_RX_4", "Quinary TDM4 Playback", ++ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_4", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("QUIN_TDM_RX_5", "Quinary TDM5 Playback", ++ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_5", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("QUIN_TDM_RX_6", "Quinary TDM6 Playback", ++ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_6", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_OUT("QUIN_TDM_RX_7", "Quinary TDM7 Playback", ++ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_7", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("QUIN_TDM_TX_0", "Quinary TDM0 Capture", ++ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_0", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("QUIN_TDM_TX_1", "Quinary TDM1 Capture", ++ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_1", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("QUIN_TDM_TX_2", "Quinary TDM2 Capture", ++ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_2", NULL, + 0, 0, 0, 0), +- 
SND_SOC_DAPM_AIF_IN("QUIN_TDM_TX_3", "Quinary TDM3 Capture", ++ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_3", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("QUIN_TDM_TX_4", "Quinary TDM4 Capture", ++ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_4", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("QUIN_TDM_TX_5", "Quinary TDM5 Capture", ++ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_5", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("QUIN_TDM_TX_6", "Quinary TDM6 Capture", ++ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_6", NULL, + 0, 0, 0, 0), +- SND_SOC_DAPM_AIF_IN("QUIN_TDM_TX_7", "Quinary TDM7 Capture", ++ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_7", NULL, + 0, 0, 0, 0), + }; + +-- +2.19.1 + diff --git a/queue-4.19/asoc-qdsp6-q6afe-fix-wrong-mi2s-sd-line-mask.patch b/queue-4.19/asoc-qdsp6-q6afe-fix-wrong-mi2s-sd-line-mask.patch new file mode 100644 index 00000000000..161151e846c --- /dev/null +++ b/queue-4.19/asoc-qdsp6-q6afe-fix-wrong-mi2s-sd-line-mask.patch 
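Review bot: `SEC_MI2S_RX_SD1` is the only widget in the new `q6afe_dai_widgets[]` table that still carries a stream name. Its `"Secondary MI2S Playback SD1"` line is unchanged context, while every other entry now passes `NULL`. The description does not say whether the stream-name binding is what kept the backend DAIs powered; if it is, this entry likely needs `NULL` as well. If the string is intentional, a short comment on that entry saying why it differs would stop a later cleanup from changing it blindly.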
@@ -0,0 +1,47 @@
+From 74b7a90dceac1a76917588c3b6be7dad7ab803cc Mon Sep 17 00:00:00 2001
+From: Rohit kumar
+Date: Thu, 1 Nov 2018 17:21:07 +0530
+Subject: ASoC: qdsp6: q6afe: Fix wrong MI2S SD line mask
+
+[ Upstream commit 112b57fa737445b2361be332ce8cc0fd3e2b994e ]
+
+SD line mask for MI2S starts from BIT 0 instead of BIT 1.
+Fix all bit mask for MI2S SD lines.
+
+Signed-off-by: Rohit kumar
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/qcom/qdsp6/q6afe.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/sound/soc/qcom/qdsp6/q6afe.c b/sound/soc/qcom/qdsp6/q6afe.c
+index 000775b4bba8..829b5e987b2a 100644
+--- a/sound/soc/qcom/qdsp6/q6afe.c
++++ b/sound/soc/qcom/qdsp6/q6afe.c
+@@ -49,14 +49,14 @@
+ #define AFE_PORT_I2S_SD1 0x2
+ #define AFE_PORT_I2S_SD2 0x3
+ #define AFE_PORT_I2S_SD3 0x4
+-#define AFE_PORT_I2S_SD0_MASK BIT(0x1)
+-#define AFE_PORT_I2S_SD1_MASK BIT(0x2)
+-#define AFE_PORT_I2S_SD2_MASK BIT(0x3)
+-#define AFE_PORT_I2S_SD3_MASK BIT(0x4)
+-#define AFE_PORT_I2S_SD0_1_MASK GENMASK(2, 1)
+-#define AFE_PORT_I2S_SD2_3_MASK GENMASK(4, 3)
+-#define AFE_PORT_I2S_SD0_1_2_MASK GENMASK(3, 1)
+-#define AFE_PORT_I2S_SD0_1_2_3_MASK GENMASK(4, 1)
++#define AFE_PORT_I2S_SD0_MASK BIT(0x0)
++#define AFE_PORT_I2S_SD1_MASK BIT(0x1)
++#define AFE_PORT_I2S_SD2_MASK BIT(0x2)
++#define AFE_PORT_I2S_SD3_MASK BIT(0x3)
++#define AFE_PORT_I2S_SD0_1_MASK GENMASK(1, 0)
++#define AFE_PORT_I2S_SD2_3_MASK GENMASK(3, 2)
++#define AFE_PORT_I2S_SD0_1_2_MASK GENMASK(2, 0)
++#define AFE_PORT_I2S_SD0_1_2_3_MASK GENMASK(3, 0)
+ #define AFE_PORT_I2S_QUAD01 0x5
+ #define AFE_PORT_I2S_QUAD23 0x6
+ #define AFE_PORT_I2S_6CHS 0x7
+--
+2.19.1
+
diff --git a/queue-4.19/asoc-rockchip-add-missing-slave_config-setting-for-i.patch b/queue-4.19/asoc-rockchip-add-missing-slave_config-setting-for-i.patch
new file mode 100644
index 00000000000..93f58f4d161
--- /dev/null
+++ b/queue-4.19/asoc-rockchip-add-missing-slave_config-setting-for-i.patch
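Review bot: The `_MASK` macros are now zero-based while the `AFE_PORT_I2S_SDn` constants directly above them are one-based: `AFE_PORT_I2S_SD1` is `0x2` but `AFE_PORT_I2S_SD1_MASK` is `BIT(0x1)`. Nothing in the file records that this difference is deliberate, so it is easy to misread as an off-by-one and "fix" back. A one-line comment above the mask block would help, for example `/* SD line masks are zero-based: line SDn is bit n */`. The definition of `AFE_PORT_I2S_SD0` is outside the hunk.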
@@ -0,0 +1,32 @@ +From d41d5ef7811fee66a2323ed1831921a83996beb8 Mon Sep 17 00:00:00 2001 +From: Katsuhiro Suzuki +Date: Sun, 11 Nov 2018 00:18:44 +0900 +Subject: ASoC: rockchip: add missing slave_config setting for I2S + +[ Upstream commit 16a8ee4c80b45984b6de1f90a49edcf336b7c621 ] + +This patch adds missing prepare_sleve_config that is needed for +setup the DMA slave channel for I2S. + +Signed-off-by: Katsuhiro Suzuki +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/rockchip/rockchip_pcm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/rockchip/rockchip_pcm.c b/sound/soc/rockchip/rockchip_pcm.c +index f77538319221..7029e0b85f9e 100644 +--- a/sound/soc/rockchip/rockchip_pcm.c ++++ b/sound/soc/rockchip/rockchip_pcm.c +@@ -32,6 +32,7 @@ static const struct snd_pcm_hardware snd_rockchip_hardware = { + + static const struct snd_dmaengine_pcm_config rk_dmaengine_pcm_config = { + .pcm_hardware = &snd_rockchip_hardware, ++ .prepare_slave_config = snd_dmaengine_pcm_prepare_slave_config, + .prealloc_buffer_size = 32 * 1024, + }; + +-- +2.19.1 + diff --git a/queue-4.19/asoc-rsnd-fixup-clock-start-checker.patch b/queue-4.19/asoc-rsnd-fixup-clock-start-checker.patch new file mode 100644 index 00000000000..b1bec6e90a6 --- /dev/null +++ b/queue-4.19/asoc-rsnd-fixup-clock-start-checker.patch 
@@ -0,0 +1,43 @@ +From 2a3b31f5ba09ddced70072625fab8fea54ba35b8 Mon Sep 17 00:00:00 2001 +From: Kuninori Morimoto +Date: Wed, 31 Oct 2018 00:48:12 +0000 +Subject: ASoC: rsnd: fixup clock start checker + +[ Upstream commit 3ee9a76a8c5a10e1bfb04b81db767c6d562ddaf3 ] + +commit 4d230d12710646 ("ASoC: rsnd: fixup not to call clk_get/set under +non-atomic") fixuped clock start timing. But it exchanged clock start +checker from ssi->usrcnt to ssi->rate. + +Current rsnd_ssi_master_clk_start() is called from .prepare, +but some player (for example GStreamer) might calls it many times. +In such case, the checker might returns error even though it was not +error. It should check ssi->usrcnt instead of ssi->rate. +This patch fixup it. Without this patch, GStreamer can't switch +48kHz / 44.1kHz. + +Reported-by: Yusuke Goda +Signed-off-by: Kuninori Morimoto +Tested-by: Yusuke Goda +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sh/rcar/ssi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/sh/rcar/ssi.c b/sound/soc/sh/rcar/ssi.c +index 3f880ec66459..a566dae3ec8a 100644 +--- a/sound/soc/sh/rcar/ssi.c ++++ b/sound/soc/sh/rcar/ssi.c +@@ -283,7 +283,7 @@ static int rsnd_ssi_master_clk_start(struct rsnd_mod *mod, + if (rsnd_ssi_is_multi_slave(mod, io)) + return 0; + +- if (ssi->rate) { ++ if (ssi->usrcnt > 1) { + if (ssi->rate != rate) { + dev_err(dev, "SSI parent/child should use same rate\n"); + return -EINVAL; +-- +2.19.1 + diff --git a/queue-4.19/asoc-sun8i-codec-fix-crash-on-module-removal.patch b/queue-4.19/asoc-sun8i-codec-fix-crash-on-module-removal.patch new file mode 100644 index 00000000000..9c58e565bd1 --- /dev/null +++ b/queue-4.19/asoc-sun8i-codec-fix-crash-on-module-removal.patch 
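Review bot: The new `ssi->usrcnt > 1` test in rsnd_ssi_master_clk_start() carries no comment, so the reason the rate comparison is keyed on the user count rather than on `ssi->rate` lives only in the commit message. I would add `/* .prepare can run several times for one user; only an additional user must match the running rate */` above the test. With a single user `ssi->rate` may still hold an earlier value when this branch is skipped; whether the code below overwrites it is outside the hunk, as is the rest of the function.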
@@ -0,0 +1,49 @@ +From 7798407fa8c9dde56bde0e22bafd1520f5662ae7 Mon Sep 17 00:00:00 2001 +From: Vasily Khoruzhick +Date: Thu, 8 Nov 2018 20:31:35 -0800 +Subject: ASoC: sun8i-codec: fix crash on module removal + +[ Upstream commit 278df5e5527b633f4882f1680ad58b62a7c07bfe ] + +drvdata is actually sun8i_codec, not snd_soc_card, so it crashes +when calling snd_soc_card_get_drvdata(). + +Drop card and scodec vars anyway since we don't need to +disable/unprepare clocks - it's already done by calling +runtime_suspend() + +Drop clk_disable_unprepare() calls for the same reason. + +Fixes: 36c684936fae7 ("ASoC: Add sun8i digital audio codec") +Signed-off-by: Vasily Khoruzhick +Acked-by: Maxime Ripard +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sunxi/sun8i-codec.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/sound/soc/sunxi/sun8i-codec.c b/sound/soc/sunxi/sun8i-codec.c +index fb37dd927e33..bf615fa16dc8 100644 +--- a/sound/soc/sunxi/sun8i-codec.c ++++ b/sound/soc/sunxi/sun8i-codec.c +@@ -589,16 +589,10 @@ static int sun8i_codec_probe(struct platform_device *pdev) + + static int sun8i_codec_remove(struct platform_device *pdev) + { +- struct snd_soc_card *card = platform_get_drvdata(pdev); +- struct sun8i_codec *scodec = snd_soc_card_get_drvdata(card); +- + pm_runtime_disable(&pdev->dev); + if (!pm_runtime_status_suspended(&pdev->dev)) + sun8i_codec_runtime_suspend(&pdev->dev); + +- clk_disable_unprepare(scodec->clk_module); +- clk_disable_unprepare(scodec->clk_bus); +- + return 0; + } + +-- +2.19.1 + diff --git a/queue-4.19/asoc-wm_adsp-fix-dma-unsafe-read-of-scratch-register.patch b/queue-4.19/asoc-wm_adsp-fix-dma-unsafe-read-of-scratch-register.patch new file mode 100644 index 00000000000..57482847d0d --- /dev/null +++ b/queue-4.19/asoc-wm_adsp-fix-dma-unsafe-read-of-scratch-register.patch 
@@ -0,0 +1,88 @@ +From 86614b1ecb60bd19f94b5937bfa01d9185c76f88 Mon Sep 17 00:00:00 2001 +From: Richard Fitzgerald +Date: Mon, 12 Nov 2018 13:36:38 +0000 +Subject: ASoC: wm_adsp: Fix dma-unsafe read of scratch registers + +[ Upstream commit 20e00db2f59bdddf8a8e241473ef8be94631d3ae ] + +Stack memory isn't DMA-safe so it isn't safe to use either +regmap_raw_read or regmap_bulk_read to read into stack memory. + +The two functions to read the scratch registers were using +stack memory and regmap_raw_read. It's not worth allocating +memory just for this trivial read, and it isn't time-critical. +A simple regmap_read for each register is sufficient. + +Signed-off-by: Richard Fitzgerald +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm_adsp.c | 37 ++++++++++++++++++++----------------- + 1 file changed, 20 insertions(+), 17 deletions(-) + +diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c +index f61656070225..4d3ec295679d 100644 +--- a/sound/soc/codecs/wm_adsp.c ++++ b/sound/soc/codecs/wm_adsp.c +@@ -765,38 +765,41 @@ static unsigned int wm_adsp_region_to_reg(struct wm_adsp_region const *mem, + + static void wm_adsp2_show_fw_status(struct wm_adsp *dsp) + { +- u16 scratch[4]; ++ unsigned int scratch[4]; ++ unsigned int addr = dsp->base + ADSP2_SCRATCH0; ++ unsigned int i; + int ret; + +- ret = regmap_raw_read(dsp->regmap, dsp->base + ADSP2_SCRATCH0, +- scratch, sizeof(scratch)); +- if (ret) { +- adsp_err(dsp, "Failed to read SCRATCH regs: %d\n", ret); +- return; ++ for (i = 0; i < ARRAY_SIZE(scratch); ++i) { ++ ret = regmap_read(dsp->regmap, addr + i, &scratch[i]); ++ if (ret) { ++ adsp_err(dsp, "Failed to read SCRATCH%u: %d\n", i, ret); ++ return; ++ } + } + + adsp_dbg(dsp, "FW SCRATCH 0:0x%x 1:0x%x 2:0x%x 3:0x%x\n", +- be16_to_cpu(scratch[0]), +- be16_to_cpu(scratch[1]), +- be16_to_cpu(scratch[2]), +- be16_to_cpu(scratch[3])); ++ scratch[0], scratch[1], scratch[2], scratch[3]); + } + + static void 
wm_adsp2v2_show_fw_status(struct wm_adsp *dsp) + { +- u32 scratch[2]; ++ unsigned int scratch[2]; + int ret; + +- ret = regmap_raw_read(dsp->regmap, dsp->base + ADSP2V2_SCRATCH0_1, +- scratch, sizeof(scratch)); +- ++ ret = regmap_read(dsp->regmap, dsp->base + ADSP2V2_SCRATCH0_1, ++ &scratch[0]); + if (ret) { +- adsp_err(dsp, "Failed to read SCRATCH regs: %d\n", ret); ++ adsp_err(dsp, "Failed to read SCRATCH0_1: %d\n", ret); + return; + } + +- scratch[0] = be32_to_cpu(scratch[0]); +- scratch[1] = be32_to_cpu(scratch[1]); ++ ret = regmap_read(dsp->regmap, dsp->base + ADSP2V2_SCRATCH2_3, ++ &scratch[1]); ++ if (ret) { ++ adsp_err(dsp, "Failed to read SCRATCH2_3: %d\n", ret); ++ return; ++ } + + adsp_dbg(dsp, "FW SCRATCH 0:0x%x 1:0x%x 2:0x%x 3:0x%x\n", + scratch[0] & 0xFFFF, +-- +2.19.1 + diff --git a/queue-4.19/bpf-allocate-local-storage-buffers-using-gfp_atomic.patch b/queue-4.19/bpf-allocate-local-storage-buffers-using-gfp_atomic.patch new file mode 100644 index 00000000000..50dc2727ea3 --- /dev/null +++ b/queue-4.19/bpf-allocate-local-storage-buffers-using-gfp_atomic.patch 
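Review bot: In wm_adsp2_show_fw_status() the new loop addresses the scratch registers as `addr + i`, which assumes SCRATCH0 to SCRATCH3 sit at consecutive addresses with a register stride of 1, and nothing in the hunk states that. wm_adsp2v2_show_fw_status() in the same patch names each register instead (`ADSP2V2_SCRATCH0_1`, `ADSP2V2_SCRATCH2_3`), so the two functions handle the same problem in two different ways. I would add `/* SCRATCH0..3 are consecutive registers, stride 1 */` above the loop, or index by named register offsets if the header defines them. The adsp_dbg() call of the second function continues past the end of the hunk.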
@@ -0,0 +1,58 @@ +From 4d09bea1feaec0a217ab901fda7a75a0b4a34c3d Mon Sep 17 00:00:00 2001 +From: Roman Gushchin +Date: Wed, 14 Nov 2018 10:00:34 -0800 +Subject: bpf: allocate local storage buffers using GFP_ATOMIC + +[ Upstream commit 569a933b03f3c48b392fe67c0086b3a6b9306b5a ] + +Naresh reported an issue with the non-atomic memory allocation of +cgroup local storage buffers: + +[ 73.047526] BUG: sleeping function called from invalid context at +/srv/oe/build/tmp-rpb-glibc/work-shared/intel-corei7-64/kernel-source/mm/slab.h:421 +[ 73.060915] in_atomic(): 1, irqs_disabled(): 0, pid: 3157, name: test_cgroup_sto +[ 73.068342] INFO: lockdep is turned off. +[ 73.072293] CPU: 2 PID: 3157 Comm: test_cgroup_sto Not tainted +4.20.0-rc2-next-20181113 #1 +[ 73.080548] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS +2.0b 07/27/2017 +[ 73.088018] Call Trace: +[ 73.090463] dump_stack+0x70/0xa5 +[ 73.093783] ___might_sleep+0x152/0x240 +[ 73.097619] __might_sleep+0x4a/0x80 +[ 73.101191] __kmalloc_node+0x1cf/0x2f0 +[ 73.105031] ? cgroup_storage_update_elem+0x46/0x90 +[ 73.109909] cgroup_storage_update_elem+0x46/0x90 + +cgroup_storage_update_elem() (as well as other update map update +callbacks) is called with disabled preemption, so GFP_ATOMIC +allocation should be used: e.g. alloc_htab_elem() in hashtab.c. 
+ +Reported-by: Naresh Kamboju +Tested-by: Naresh Kamboju +Signed-off-by: Roman Gushchin +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/local_storage.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/bpf/local_storage.c b/kernel/bpf/local_storage.c +index 830d7f095748..fc1605aee5ea 100644 +--- a/kernel/bpf/local_storage.c ++++ b/kernel/bpf/local_storage.c +@@ -138,7 +138,8 @@ static int cgroup_storage_update_elem(struct bpf_map *map, void *_key, + return -ENOENT; + + new = kmalloc_node(sizeof(struct bpf_storage_buffer) + +- map->value_size, __GFP_ZERO | GFP_USER, ++ map->value_size, ++ __GFP_ZERO | GFP_ATOMIC | __GFP_NOWARN, + map->numa_node); + if (!new) + return -ENOMEM; +-- +2.19.1 + diff --git a/queue-4.19/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch b/queue-4.19/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch new file mode 100644 index 00000000000..ae9fa5fc181 --- /dev/null +++ b/queue-4.19/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch 
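Review bot: The switch to `__GFP_ZERO | GFP_ATOMIC | __GFP_NOWARN` in cgroup_storage_update_elem() has no comment, so the reason this allocation must not sleep is recorded only in the commit message. The size is `sizeof(struct bpf_storage_buffer) + map->value_size`, so an allocation whose size follows a map attribute now uses the atomic reserves and, with `__GFP_NOWARN`, fails quietly with -ENOMEM under memory pressure; whether value_size is capped at map creation is not visible here. I would add `/* map update callbacks run with preemption disabled, so this must not sleep */` above the kmalloc_node() call. The function starts and ends outside the hunk.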
@@ -0,0 +1,44 @@ +From 4233cd140e00454aa2de06f8f7c0f9778ce1e0b7 Mon Sep 17 00:00:00 2001 +From: Martynas Pumputis +Date: Fri, 23 Nov 2018 17:43:26 +0100 +Subject: bpf: fix check of allowed specifiers in bpf_trace_printk + +[ Upstream commit 1efb6ee3edea57f57f9fb05dba8dcb3f7333f61f ] + +A format string consisting of "%p" or "%s" followed by an invalid +specifier (e.g. "%p%\n" or "%s%") could pass the check which +would make format_decode (lib/vsprintf.c) to warn. + +Fixes: 9c959c863f82 ("tracing: Allow BPF programs to call bpf_trace_printk()") +Reported-by: syzbot+1ec5c5ec949c4adaa0c4@syzkaller.appspotmail.com +Signed-off-by: Martynas Pumputis +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index 08fcfe440c63..9864a35c8bb5 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -196,11 +196,13 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1, + i++; + } else if (fmt[i] == 'p' || fmt[i] == 's') { + mod[fmt_cnt]++; +- i++; +- if (!isspace(fmt[i]) && !ispunct(fmt[i]) && fmt[i] != 0) ++ /* disallow any further format extensions */ ++ if (fmt[i + 1] != 0 && ++ !isspace(fmt[i + 1]) && ++ !ispunct(fmt[i + 1])) + return -EINVAL; + fmt_cnt++; +- if (fmt[i - 1] == 's') { ++ if (fmt[i] == 's') { + if (str_seen) + /* allow only one '%s' per fmt string */ + return -EINVAL; +-- +2.19.1 + diff --git a/queue-4.19/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch b/queue-4.19/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch new file mode 100644 index 00000000000..489b427afe4 --- /dev/null +++ b/queue-4.19/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch 
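Review bot: The lookahead `fmt[i + 1]` in the `%p`/`%s` branch is in bounds only if fmt is NUL-terminated within fmt_size, and that check is not part of the hunk (presumably it sits earlier in bpf_trace_printk, worth confirming). The added comment says what is rejected but not why the read is safe; I would extend it to `/* disallow any further format extensions; fmt is NUL-terminated, so fmt[i + 1] is readable */`. The enclosing loop and the rest of the specifier handling lie outside the hunk.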
@@ -0,0 +1,200 @@ +From 70d42cd259e02cb2f982091c524c51720e9a65cf Mon Sep 17 00:00:00 2001 +From: Robbie Ko +Date: Wed, 14 Nov 2018 18:32:37 +0000 +Subject: Btrfs: send, fix infinite loop due to directory rename dependencies + +[ Upstream commit a4390aee72713d9e73f1132bcdeb17d72fbbf974 ] + +When doing an incremental send, due to the need of delaying directory move +(rename) operations we can end up in infinite loop at +apply_children_dir_moves(). + +An example scenario that triggers this problem is described below, where +directory names correspond to the numbers of their respective inodes. + +Parent snapshot: + + . + |--- 261/ + |--- 271/ + |--- 266/ + |--- 259/ + |--- 260/ + | |--- 267 + | + |--- 264/ + | |--- 258/ + | |--- 257/ + | + |--- 265/ + |--- 268/ + |--- 269/ + | |--- 262/ + | + |--- 270/ + |--- 272/ + | |--- 263/ + | |--- 275/ + | + |--- 274/ + |--- 273/ + +Send snapshot: + + . + |-- 275/ + |-- 274/ + |-- 273/ + |-- 262/ + |-- 269/ + |-- 258/ + |-- 271/ + |-- 268/ + |-- 267/ + |-- 270/ + |-- 259/ + | |-- 265/ + | + |-- 272/ + |-- 257/ + |-- 260/ + |-- 264/ + |-- 263/ + |-- 261/ + |-- 266/ + +When processing inode 257 we delay its move (rename) operation because its +new parent in the send snapshot, inode 272, was not yet processed. Then +when processing inode 272, we delay the move operation for that inode +because inode 274 is its ancestor in the send snapshot. Finally we delay +the move operation for inode 274 when processing it because inode 275 is +its new parent in the send snapshot and was not yet moved. 
+ +When finishing processing inode 275, we start to do the move operations +that were previously delayed (at apply_children_dir_moves()), resulting in +the following iterations: + +1) We issue the move operation for inode 274; + +2) Because inode 262 depended on the move operation of inode 274 (it was + delayed because 274 is its ancestor in the send snapshot), we issue the + move operation for inode 262; + +3) We issue the move operation for inode 272, because it was delayed by + inode 274 too (ancestor of 272 in the send snapshot); + +4) We issue the move operation for inode 269 (it was delayed by 262); + +5) We issue the move operation for inode 257 (it was delayed by 272); + +6) We issue the move operation for inode 260 (it was delayed by 272); + +7) We issue the move operation for inode 258 (it was delayed by 269); + +8) We issue the move operation for inode 264 (it was delayed by 257); + +9) We issue the move operation for inode 271 (it was delayed by 258); + +10) We issue the move operation for inode 263 (it was delayed by 264); + +11) We issue the move operation for inode 268 (it was delayed by 271); + +12) We verify if we can issue the move operation for inode 270 (it was + delayed by 271). We detect a path loop in the current state, because + inode 267 needs to be moved first before we can issue the move + operation for inode 270. So we delay again the move operation for + inode 270, this time we will attempt to do it after inode 267 is + moved; + +13) We issue the move operation for inode 261 (it was delayed by 263); + +14) We verify if we can issue the move operation for inode 266 (it was + delayed by 263). We detect a path loop in the current state, because + inode 270 needs to be moved first before we can issue the move + operation for inode 266. 
So we delay again the move operation for + inode 266, this time we will attempt to do it after inode 270 is + moved (its move operation was delayed in step 12); + +15) We issue the move operation for inode 267 (it was delayed by 268); + +16) We verify if we can issue the move operation for inode 266 (it was + delayed by 270). We detect a path loop in the current state, because + inode 270 needs to be moved first before we can issue the move + operation for inode 266. So we delay again the move operation for + inode 266, this time we will attempt to do it after inode 270 is + moved (its move operation was delayed in step 12). So here we added + again the same delayed move operation that we added in step 14; + +17) We attempt again to see if we can issue the move operation for inode + 266, and as in step 16, we realize we can not due to a path loop in + the current state due to a dependency on inode 270. Again we delay + inode's 266 rename to happen after inode's 270 move operation, adding + the same dependency to the empty stack that we did in steps 14 and 16. + The next iteration will pick the same move dependency on the stack + (the only entry) and realize again there is still a path loop and then + again the same dependency to the stack, over and over, resulting in + an infinite loop. + +So fix this by preventing adding the same move dependency entries to the +stack by removing each pending move record from the red black tree of +pending moves. This way the next call to get_pending_dir_moves() will +not return anything for the current parent inode. + +A test case for fstests, with this reproducer, follows soon. 
+ +Signed-off-by: Robbie Ko +Reviewed-by: Filipe Manana +[Wrote changelog with example and more clear explanation] +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/send.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index ba8950bfd9c7..84cb6e5ef36c 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -3344,7 +3344,8 @@ static void free_pending_move(struct send_ctx *sctx, struct pending_dir_move *m) + kfree(m); + } + +-static void tail_append_pending_moves(struct pending_dir_move *moves, ++static void tail_append_pending_moves(struct send_ctx *sctx, ++ struct pending_dir_move *moves, + struct list_head *stack) + { + if (list_empty(&moves->list)) { +@@ -3355,6 +3356,10 @@ static void tail_append_pending_moves(struct pending_dir_move *moves, + list_add_tail(&moves->list, stack); + list_splice_tail(&list, stack); + } ++ if (!RB_EMPTY_NODE(&moves->node)) { ++ rb_erase(&moves->node, &sctx->pending_dir_moves); ++ RB_CLEAR_NODE(&moves->node); ++ } + } + + static int apply_children_dir_moves(struct send_ctx *sctx) +@@ -3369,7 +3374,7 @@ static int apply_children_dir_moves(struct send_ctx *sctx) + return 0; + + INIT_LIST_HEAD(&stack); +- tail_append_pending_moves(pm, &stack); ++ tail_append_pending_moves(sctx, pm, &stack); + + while (!list_empty(&stack)) { + pm = list_first_entry(&stack, struct pending_dir_move, list); +@@ -3380,7 +3385,7 @@ static int apply_children_dir_moves(struct send_ctx *sctx) + goto out; + pm = get_pending_dir_moves(sctx, parent_ino); + if (pm) +- tail_append_pending_moves(pm, &stack); ++ tail_append_pending_moves(sctx, pm, &stack); + } + return 0; + +-- +2.19.1 + diff --git a/queue-4.19/cachefiles-explicitly-cast-enumerated-type-in-put_ob.patch b/queue-4.19/cachefiles-explicitly-cast-enumerated-type-in-put_ob.patch new file mode 100644 index 00000000000..ce57c80c945 --- /dev/null 
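Review bot: The `rb_erase()` added to tail_append_pending_moves() has no comment, and the function name no longer tells a reader that it also unlinks the record from `sctx->pending_dir_moves`. I would add `/* drop the record from the pending tree so get_pending_dir_moves() cannot return it again */` above the `RB_EMPTY_NODE` test. The `RB_CLEAR_NODE()` call matters to whichever code frees the record later: free_pending_move() is only partly visible in this hunk, so it should be confirmed that it tests `RB_EMPTY_NODE` before erasing, otherwise the node would be erased twice.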
+++ b/queue-4.19/cachefiles-explicitly-cast-enumerated-type-in-put_ob.patch @@ -0,0 +1,49 @@ +From e8a038ec54774a0123d08c067c9bd605e6867040 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 24 Sep 2018 10:33:44 -0700 +Subject: cachefiles: Explicitly cast enumerated type in put_object + +[ Upstream commit b7e768b7e3522695ed36dcb48ecdcd344bd30a9b ] + +Clang warns when one enumerated type is implicitly converted to another. + +fs/cachefiles/namei.c:247:50: warning: implicit conversion from +enumeration type 'enum cachefiles_obj_ref_trace' to different +enumeration type 'enum fscache_obj_ref_trace' [-Wenum-conversion] + cache->cache.ops->put_object(&xobject->fscache, +cachefiles_obj_put_wait_retry); + +Silence this warning by explicitly casting to fscache_obj_ref_trace, +which is also done in put_object. + +Reported-by: Nick Desaulniers +Signed-off-by: Nathan Chancellor +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/cachefiles/namei.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c +index 95983c744164..5ab411d4bc59 100644 +--- a/fs/cachefiles/namei.c ++++ b/fs/cachefiles/namei.c +@@ -244,11 +244,13 @@ static int cachefiles_mark_object_active(struct cachefiles_cache *cache, + + ASSERT(!test_bit(CACHEFILES_OBJECT_ACTIVE, &xobject->flags)); + +- cache->cache.ops->put_object(&xobject->fscache, cachefiles_obj_put_wait_retry); ++ cache->cache.ops->put_object(&xobject->fscache, ++ (enum fscache_obj_ref_trace)cachefiles_obj_put_wait_retry); + goto try_again; + + requeue: +- cache->cache.ops->put_object(&xobject->fscache, cachefiles_obj_put_wait_timeo); ++ cache->cache.ops->put_object(&xobject->fscache, ++ (enum fscache_obj_ref_trace)cachefiles_obj_put_wait_timeo); + _leave(" = -ETIMEDOUT"); + return -ETIMEDOUT; + } +-- +2.19.1 + 
diff --git a/queue-4.19/cachefiles-fix-an-assertion-failure-when-trying-to-u.patch b/queue-4.19/cachefiles-fix-an-assertion-failure-when-trying-to-u.patch new file mode 100644 index 00000000000..0a2bf85e18c --- /dev/null +++ b/queue-4.19/cachefiles-fix-an-assertion-failure-when-trying-to-u.patch 
@@ -0,0 +1,80 @@ +From ddec8f24cf7baee5f9839109234c32a351b8d9d7 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Tue, 27 Nov 2018 16:34:55 +0000 +Subject: cachefiles: Fix an assertion failure when trying to update a failed + object + +[ Upstream commit e6bc06faf64a83384cc0abc537df954c9d3ff942 ] + +If cachefiles gets an error other then ENOENT when trying to look up an +object in the cache (in this case, EACCES), the object state machine will +eventually transition to the DROP_OBJECT state. + +This state invokes fscache_drop_object() which tries to sync the auxiliary +data with the cache (this is done lazily since commit 402cb8dda949d) on an +incomplete cache object struct. + +The problem comes when cachefiles_update_object_xattr() is called to +rewrite the xattr holding the data. There's an assertion there that the +cache object points to a dentry as we're going to update its xattr. The +assertion trips, however, as dentry didn't get set. + +Fix the problem by skipping the update in cachefiles if the object doesn't +refer to a dentry. A better way to do it could be to skip the update from +the DROP_OBJECT state handler in fscache, but that might deny the cache the +opportunity to update intermediate state. + +If this error occurs, the kernel log includes lines that look like the +following: + + CacheFiles: Lookup failed error -13 + CacheFiles: + CacheFiles: Assertion failed + ------------[ cut here ]------------ + kernel BUG at fs/cachefiles/xattr.c:138! + ... + Workqueue: fscache_object fscache_object_work_func [fscache] + RIP: 0010:cachefiles_update_object_xattr.cold.4+0x18/0x1a [cachefiles] + ... + Call Trace: + cachefiles_update_object+0xdd/0x1c0 [cachefiles] + fscache_update_aux_data+0x23/0x30 [fscache] + fscache_drop_object+0x18e/0x1c0 [fscache] + fscache_object_work_func+0x74/0x2b0 [fscache] + process_one_work+0x18d/0x340 + worker_thread+0x2e/0x390 + ? pwq_unbound_release_workfn+0xd0/0xd0 + kthread+0x112/0x130 + ? 
kthread_bind+0x30/0x30 + ret_from_fork+0x35/0x40 + +Note that there are actually two issues here: (1) EACCES happened on a +cache object and (2) an oops occurred. I think that the second is a +consequence of the first (it certainly looks like it ought to be). This +patch only deals with the second. + +Fixes: 402cb8dda949 ("fscache: Attach the index key and aux data to the cookie") +Reported-by: Zhibin Li +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/cachefiles/xattr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/cachefiles/xattr.c b/fs/cachefiles/xattr.c +index 0a29a00aed2e..511e6c68156a 100644 +--- a/fs/cachefiles/xattr.c ++++ b/fs/cachefiles/xattr.c +@@ -135,7 +135,8 @@ int cachefiles_update_object_xattr(struct cachefiles_object *object, + struct dentry *dentry = object->dentry; + int ret; + +- ASSERT(dentry); ++ if (!dentry) ++ return -ESTALE; + + _enter("%p,#%d", object, auxdata->len); + +-- +2.19.1 + diff --git a/queue-4.19/cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch b/queue-4.19/cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch new file mode 100644 index 00000000000..f6d20904e32 --- /dev/null +++ b/queue-4.19/cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch 
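Review bot: The new `if (!dentry) return -ESTALE;` in cachefiles_update_object_xattr() returns before `_enter()`, so a skipped update leaves no trace output, and the code does not say when dentry can be NULL. I would add `/* lookup failed before a dentry was attached; there is no xattr to update */` above the check. How the callers treat -ESTALE is outside the hunk, as is the remainder of the function.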
@@ -0,0 +1,87 @@ +From 50c4d248e42c43c37acb459ef0695db34b71ef87 Mon Sep 17 00:00:00 2001 +From: Kiran Kumar Modukuri +Date: Mon, 24 Sep 2018 12:02:39 +1000 +Subject: cachefiles: Fix page leak in cachefiles_read_backing_file while + vmscan is active + +[ Upstream commit 9a24ce5b66f9c8190d63b15f4473600db4935f1f ] + +[Description] + +In a heavily loaded system where the system pagecache is nearing memory +limits and fscache is enabled, pages can be leaked by fscache while trying +read pages from cachefiles backend. This can happen because two +applications can be reading same page from a single mount, two threads can +be trying to read the backing page at same time. This results in one of +the threads finding that a page for the backing file or netfs file is +already in the radix tree. During the error handling cachefiles does not +clean up the reference on backing page, leading to page leak. + +[Fix] +The fix is straightforward, to decrement the reference when error is +encountered. + + [dhowells: Note that I've removed the clearance and put of newpage as + they aren't attested in the commit message and don't appear to actually + achieve anything since a new page is only allocated is newpage!=NULL and + any residual new page is cleared before returning.] + +[Testing] +I have tested the fix using following method for 12+ hrs. + +1) mkdir -p /mnt/nfs ; mount -o vers=3,fsc :/export /mnt/nfs +2) create 10000 files of 2.8MB in a NFS mount. +3) start a thread to simulate heavy VM presssure + (while true ; do echo 3 > /proc/sys/vm/drop_caches ; sleep 1 ; done)& +4) start multiple parallel reader for data set at same time + find /mnt/nfs -type f | xargs -P 80 cat > /dev/null & + find /mnt/nfs -type f | xargs -P 80 cat > /dev/null & + find /mnt/nfs -type f | xargs -P 80 cat > /dev/null & + .. + .. 
+ find /mnt/nfs -type f | xargs -P 80 cat > /dev/null & + find /mnt/nfs -type f | xargs -P 80 cat > /dev/null & +5) finally check using cat /proc/fs/fscache/stats | grep -i pages ; + free -h , cat /proc/meminfo and page-types -r -b lru + to ensure all pages are freed. + +Reviewed-by: Daniel Axtens +Signed-off-by: Shantanu Goel +Signed-off-by: Kiran Kumar Modukuri +[dja: forward ported to current upstream] +Signed-off-by: Daniel Axtens +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/cachefiles/rdwr.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/cachefiles/rdwr.c b/fs/cachefiles/rdwr.c +index 40f7595aad10..db233588a69a 100644 +--- a/fs/cachefiles/rdwr.c ++++ b/fs/cachefiles/rdwr.c +@@ -535,7 +535,10 @@ static int cachefiles_read_backing_file(struct cachefiles_object *object, + netpage->index, cachefiles_gfp); + if (ret < 0) { + if (ret == -EEXIST) { ++ put_page(backpage); ++ backpage = NULL; + put_page(netpage); ++ netpage = NULL; + fscache_retrieval_complete(op, 1); + continue; + } +@@ -608,7 +611,10 @@ static int cachefiles_read_backing_file(struct cachefiles_object *object, + netpage->index, cachefiles_gfp); + if (ret < 0) { + if (ret == -EEXIST) { ++ put_page(backpage); ++ backpage = NULL; + put_page(netpage); ++ netpage = NULL; + fscache_retrieval_complete(op, 1); + continue; + } +-- +2.19.1 + diff --git a/queue-4.19/debugobjects-avoid-recursive-calls-with-kmemleak.patch b/queue-4.19/debugobjects-avoid-recursive-calls-with-kmemleak.patch new file mode 100644 index 00000000000..38e89a725b3 --- /dev/null +++ b/queue-4.19/debugobjects-avoid-recursive-calls-with-kmemleak.patch 
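Review bot: The same four statements (`put_page(backpage); backpage = NULL; put_page(netpage); netpage = NULL;`) now appear in both -EEXIST branches of cachefiles_read_backing_file(), with no comment on why the pointers are cleared. Presumably the exit path releases any non-NULL page, so the NULL assignments are what prevent a second put; that path is outside the hunk and should be checked. I would add `/* another thread inserted this page first; drop both refs and clear the pointers so the exit path does not put them again */` at each site, or move the four lines into a small static helper. Whether backpage always holds a reference at the second site is not visible here.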
@@ -0,0 +1,74 @@ +From 58e64214a7b5424f5f2d839270428056ac313523 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Fri, 30 Nov 2018 14:09:48 -0800 +Subject: debugobjects: avoid recursive calls with kmemleak + +[ Upstream commit 8de456cf87ba863e028c4dd01bae44255ce3d835 ] + +CONFIG_DEBUG_OBJECTS_RCU_HEAD does not play well with kmemleak due to +recursive calls. + +fill_pool + kmemleak_ignore + make_black_object + put_object + __call_rcu (kernel/rcu/tree.c) + debug_rcu_head_queue + debug_object_activate + debug_object_init + fill_pool + kmemleak_ignore + make_black_object + ... + +So add SLAB_NOLEAKTRACE to kmem_cache_create() to not register newly +allocated debug objects at all. + +Link: http://lkml.kernel.org/r/20181126165343.2339-1-cai@gmx.us +Signed-off-by: Qian Cai +Suggested-by: Catalin Marinas +Acked-by: Waiman Long +Acked-by: Catalin Marinas +Cc: Thomas Gleixner +Cc: Yang Shi +Cc: Arnd Bergmann +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/debugobjects.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/lib/debugobjects.c b/lib/debugobjects.c +index 70935ed91125..14afeeb7d6ef 100644 +--- a/lib/debugobjects.c ++++ b/lib/debugobjects.c +@@ -135,7 +135,6 @@ static void fill_pool(void) + if (!new) + return; + +- kmemleak_ignore(new); + raw_spin_lock_irqsave(&pool_lock, flags); + hlist_add_head(&new->node, &obj_pool); + debug_objects_allocated++; +@@ -1128,7 +1127,6 @@ static int __init debug_objects_replace_static_objects(void) + obj = kmem_cache_zalloc(obj_cache, GFP_KERNEL); + if (!obj) + goto free; +- kmemleak_ignore(obj); + hlist_add_head(&obj->node, &objects); + } + +@@ -1184,7 +1182,8 @@ void __init debug_objects_mem_init(void) + + obj_cache = kmem_cache_create("debug_objects_cache", + sizeof (struct debug_obj), 0, +- SLAB_DEBUG_OBJECTS, NULL); ++ SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE, ++ NULL); + + if (!obj_cache || debug_objects_replace_static_objects()) { + debug_objects_enabled 
= 0; +-- +2.19.1 + diff --git a/queue-4.19/drm-amdgpu-add-delay-after-enable-rlc-ucode.patch b/queue-4.19/drm-amdgpu-add-delay-after-enable-rlc-ucode.patch new file mode 100644 index 00000000000..e9feb71f8c4 --- /dev/null +++ b/queue-4.19/drm-amdgpu-add-delay-after-enable-rlc-ucode.patch @@ -0,0 +1,49 @@ +From 827c50b9f40faec7daf548d8f31d745ce3dcaf93 Mon Sep 17 00:00:00 2001 +From: shaoyunl +Date: Thu, 22 Nov 2018 11:45:24 -0500 +Subject: drm/amdgpu: Add delay after enable RLC ucode + +[ Upstream commit ad97d9de45835b6a0f71983b0ae0cffd7306730a ] + +Driver shouldn't try to access any GFX registers until RLC is idle. +During the test, it took 12 seconds for RLC to clear the BUSY bit +in RLC_GPM_STAT register which is un-acceptable for driver. +As per RLC engineer, it would take RLC Ucode less than 10,000 GFXCLK +cycles to finish its critical section. In a lowest 300M enginer clock +setting(default from vbios), 50 us delay is enough. + +This commit fix the hang when RLC introduce the work around for XGMI +which requires more cycles to setup more registers than normal + +Signed-off-by: shaoyunl +Acked-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +index ef00d14f8645..325e2213cac5 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -2243,12 +2243,13 @@ static void gfx_v9_0_rlc_start(struct amdgpu_device *adev) + #endif + + WREG32_FIELD15(GC, 0, RLC_CNTL, RLC_ENABLE_F32, 1); ++ udelay(50); + + /* carrizo do enable cp interrupt after cp inited */ +- if (!(adev->flags & AMD_IS_APU)) ++ if (!(adev->flags & AMD_IS_APU)) { + gfx_v9_0_enable_gui_idle_interrupt(adev, true); +- +- udelay(50); ++ udelay(50); ++ } + + #ifdef AMDGPU_RLC_DEBUG_RETRY + /* RLC_GPM_GENERAL_6 : RLC Ucode version */ +-- +2.19.1 + 
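Review bot: The `SLAB_NOLEAKTRACE` flag added in debug_objects_mem_init() has no comment, and the two `kmemleak_ignore()` calls it replaces are removed without a note at either site. I would add `/* SLAB_NOLEAKTRACE: kmemleak tracking of debug objects recurses through call_rcu() into fill_pool() */` above the kmem_cache_create() call. If no other kmemleak call remains in lib/debugobjects.c the kmemleak include may now be unused; the include block is not part of the hunk.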
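Review bot: The two `udelay(50)` calls in gfx_v9_0_rlc_start() are bare magic numbers, and the justification (under 10,000 GFXCLK cycles at the 300 MHz default clock, per the commit message) is not in the code. I would add `/* RLC ucode needs < 10,000 GFXCLK cycles for its critical section; 50 us covers the 300 MHz default */` above the first delay and give the value a named constant shared by both calls. The existing comment `/* carrizo do enable cp interrupt after cp inited */` does not explain the second delay inside the new braces. The function starts and ends outside the hunk.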
diff --git a/queue-4.19/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch b/queue-4.19/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch new file mode 100644 index 00000000000..5f205de9cc4 --- /dev/null +++ b/queue-4.19/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch 
@@ -0,0 +1,94 @@ +From d3c8d93d380cf583b41e211518598c1fd11427a0 Mon Sep 17 00:00:00 2001 +From: "Y.C. Chen" +Date: Thu, 22 Nov 2018 11:56:28 +0800 +Subject: drm/ast: fixed reading monitor EDID not stable issue + +[ Upstream commit 300625620314194d9e6d4f6dda71f2dc9cf62d9f ] + +v1: over-sample data to increase the stability with some specific monitors +v2: refine to avoid infinite loop +v3: remove un-necessary "volatile" declaration + +[airlied: fix two checkpatch warnings] + +Signed-off-by: Y.C. Chen +Signed-off-by: Dave Airlie +Link: https://patchwork.freedesktop.org/patch/msgid/1542858988-1127-1-git-send-email-yc_chen@aspeedtech.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/ast/ast_mode.c | 36 ++++++++++++++++++++++++++++------ + 1 file changed, 30 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/ast/ast_mode.c b/drivers/gpu/drm/ast/ast_mode.c +index 7c6ac3cadb6b..8bb355d5d43d 100644 +--- a/drivers/gpu/drm/ast/ast_mode.c ++++ b/drivers/gpu/drm/ast/ast_mode.c +@@ -973,9 +973,21 @@ static int get_clock(void *i2c_priv) + { + struct ast_i2c_chan *i2c = i2c_priv; + struct ast_private *ast = i2c->dev->dev_private; +- uint32_t val; ++ uint32_t val, val2, count, pass; ++ ++ count = 0; ++ pass = 0; ++ val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01; ++ do { ++ val2 = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01; ++ if (val == val2) { ++ pass++; ++ } else { ++ pass = 0; ++ val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01; ++ } ++ } while ((pass < 5) && (count++ < 0x10000)); + +- val = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4; + return val & 1 ? 
1 : 0; + } + +@@ -983,9 +995,21 @@ static int get_data(void *i2c_priv) + { + struct ast_i2c_chan *i2c = i2c_priv; + struct ast_private *ast = i2c->dev->dev_private; +- uint32_t val; ++ uint32_t val, val2, count, pass; ++ ++ count = 0; ++ pass = 0; ++ val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01; ++ do { ++ val2 = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01; ++ if (val == val2) { ++ pass++; ++ } else { ++ pass = 0; ++ val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01; ++ } ++ } while ((pass < 5) && (count++ < 0x10000)); + +- val = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5; + return val & 1 ? 1 : 0; + } + +@@ -998,7 +1022,7 @@ static void set_clock(void *i2c_priv, int clock) + + for (i = 0; i < 0x10000; i++) { + ujcrb7 = ((clock & 0x01) ? 0 : 1); +- ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xfe, ujcrb7); ++ ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xf4, ujcrb7); + jtemp = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x01); + if (ujcrb7 == jtemp) + break; +@@ -1014,7 +1038,7 @@ static void set_data(void *i2c_priv, int data) + + for (i = 0; i < 0x10000; i++) { + ujcrb7 = ((data & 0x01) ? 0 : 1) << 2; +- ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xfb, ujcrb7); ++ ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xf1, ujcrb7); + jtemp = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x04); + if (ujcrb7 == jtemp) + break; +-- +2.19.1 + diff --git a/queue-4.19/drm-meson-add-support-for-1080p25-mode.patch b/queue-4.19/drm-meson-add-support-for-1080p25-mode.patch new file mode 100644 index 00000000000..9ce9ef664f0 --- /dev/null +++ b/queue-4.19/drm-meson-add-support-for-1080p25-mode.patch 
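Review bot: In get_clock() and get_data() the new sampling loop falls through to `return val & 1 ? 1 : 0;` when `count` reaches 0x10000 without five matching reads, so a line that never settled is reported as a valid level and the caller cannot tell the difference. The same loop is pasted into both functions with only the mask and shift changed; a shared helper would keep the two in step and give one place to report the timeout. Separately, the mask passed to ast_set_index_reg_mask() changes from 0xfe to 0xf4 in set_clock() and from 0xfb to 0xf1 in set_data() with no explanation in the changelog or the code of which additional bits of CRTC register 0xb7 are affected; a one-line comment on each call would help. A sketch of the helper follows, with the sampling logic kept as in the patch.

```c
/* Sample one bit of CRTC 0xb7 until five consecutive reads agree. */
static int ast_i2c_read_stable(struct ast_private *ast, uint8_t mask,
			       unsigned int shift)
{
	uint32_t val, val2, count = 0, pass = 0;

	val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, mask) >> shift) & 0x01;
	do {
		val2 = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, mask) >> shift) & 0x01;
		if (val == val2) {
			pass++;
		} else {
			pass = 0;
			val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, mask) >> shift) & 0x01;
		}
	} while ((pass < 5) && (count++ < 0x10000));

	/* Make the give-up case visible instead of returning it silently. */
	if (pass < 5)
		DRM_DEBUG_KMS("DDC line did not settle\n");

	return val & 1 ? 1 : 0;
}

static int get_clock(void *i2c_priv)
{
	struct ast_i2c_chan *i2c = i2c_priv;
	struct ast_private *ast = i2c->dev->dev_private;

	return ast_i2c_read_stable(ast, 0x10, 4);
}

/* get_data(): same body, with mask 0x20 and shift 5 */
```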
@@ -0,0 +1,35 @@
+From 2eb71633ee7efa791841a2571b36dcc5c3f6d0e8 Mon Sep 17 00:00:00 2001
+From: Christian Hewitt
+Date: Wed, 21 Nov 2018 13:39:29 +0400
+Subject: drm/meson: add support for 1080p25 mode
+
+[ Upstream commit 31e1ab494559fb46de304cc6c2aed1528f94b298 ]
+
+This essential mode for PAL users is missing, so add it.
+
+Fixes: 335e3713afb87 ("drm/meson: Add support for HDMI venc modes and settings")
+Signed-off-by: Christian Hewitt
+Acked-by: Neil Armstrong
+Signed-off-by: Neil Armstrong
+Link: https://patchwork.freedesktop.org/patch/msgid/1542793169-13008-1-git-send-email-christianshewitt@gmail.com
+Signed-off-by: Sean Paul
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/meson/meson_venc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/meson/meson_venc.c b/drivers/gpu/drm/meson/meson_venc.c
+index 14aac661f38b..7a3a6ed9f27b 100644
+--- a/drivers/gpu/drm/meson/meson_venc.c
++++ b/drivers/gpu/drm/meson/meson_venc.c
+@@ -715,6 +715,7 @@ struct meson_hdmi_venc_vic_mode {
+ { 5, &meson_hdmi_encp_mode_1080i60 },
+ { 20, &meson_hdmi_encp_mode_1080i50 },
+ { 32, &meson_hdmi_encp_mode_1080p24 },
++ { 33, &meson_hdmi_encp_mode_1080p50 },
+ { 34, &meson_hdmi_encp_mode_1080p30 },
+ { 31, &meson_hdmi_encp_mode_1080p50 },
+ { 16, &meson_hdmi_encp_mode_1080p60 },
+--
+2.19.1
+
diff --git a/queue-4.19/exportfs-do-not-read-dentry-after-free.patch b/queue-4.19/exportfs-do-not-read-dentry-after-free.patch
new file mode 100644
index 00000000000..bd82a25ca8e
--- /dev/null
+++ b/queue-4.19/exportfs-do-not-read-dentry-after-free.patch
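Review bot: The added table entry `{ 33, &meson_hdmi_encp_mode_1080p50 }` maps VIC 33 to the 1080p50 encoder settings although the subject says the mode being added is 1080p25, and nothing on the line says this is deliberate. If the 1080p50 ENCP parameters are meant to be reused for 1080p25 (presumably with the clock handled elsewhere, which this hunk does not show), a comment such as `/* VIC 33 (1080p25) shares the 1080p50 ENCP settings */` would stop a later reader from treating it as a typo. If it is not deliberate, the entry points at the wrong mode. The table starts and ends outside the hunk.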
@@ -0,0 +1,40 @@
+From e840124b0666cdd77b6667e5ebb1f2b8f168439c Mon Sep 17 00:00:00 2001
+From: Pan Bian
+Date: Fri, 23 Nov 2018 15:56:33 +0800
+Subject: exportfs: do not read dentry after free
+
+[ Upstream commit 2084ac6c505a58f7efdec13eba633c6aaa085ca5 ]
+
+The function dentry_connected calls dput(dentry) to drop the previously
+acquired reference to dentry. In this case, dentry can be released.
+After that, IS_ROOT(dentry) checks the condition
+(dentry == dentry->d_parent), which may result in a use-after-free bug.
+This patch directly compares dentry with its parent obtained before
+dropping the reference.
+
+Fixes: a056cc8934c("exportfs: stop retrying once we race with
+rename/remove")
+
+Signed-off-by: Pan Bian
+Signed-off-by: Al Viro
+Signed-off-by: Sasha Levin
+---
+ fs/exportfs/expfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exportfs/expfs.c b/fs/exportfs/expfs.c
+index 645158dc33f1..63707abcbeb3 100644
+--- a/fs/exportfs/expfs.c
++++ b/fs/exportfs/expfs.c
+@@ -77,7 +77,7 @@ static bool dentry_connected(struct dentry *dentry)
+ struct dentry *parent = dget_parent(dentry);
+
+ dput(dentry);
+- if (IS_ROOT(dentry)) {
++ if (dentry == parent) {
+ dput(parent);
+ return false;
+ }
+--
+2.19.1
+
diff --git a/queue-4.19/fscache-cachefiles-remove-redundant-variable-cache.patch b/queue-4.19/fscache-cachefiles-remove-redundant-variable-cache.patch
new file mode 100644
index 00000000000..2499467d541
--- /dev/null
+++ b/queue-4.19/fscache-cachefiles-remove-redundant-variable-cache.patch
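Review bot: The new test `if (dentry == parent)` in dentry_connected() is safe only because it compares the pointer value and never dereferences `dentry` after `dput(dentry)`, and that constraint is not written down in the code. A comment above the test, e.g. `/* dentry may already be freed by the dput() above: compare pointers, do not dereference */`, would keep a later cleanup from reintroducing `IS_ROOT(dentry)` and the use-after-free described in the changelog. The rest of the function is outside the hunk, so it is worth confirming that nothing further down reads through `dentry` on this path.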
@@ -0,0 +1,39 @@
+From 6666d1050d29fdf595827f9ce2b305efb4c5bd09 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Tue, 17 Jul 2018 09:53:42 +0100
+Subject: fscache, cachefiles: remove redundant variable 'cache'
+
+[ Upstream commit 31ffa563833576bd49a8bf53120568312755e6e2 ]
+
+Variable 'cache' is being assigned but is never used hence it is
+redundant and can be removed.
+
+Cleans up clang warning:
+warning: variable 'cache' set but not used [-Wunused-but-set-variable]
+
+Signed-off-by: Colin Ian King
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+---
+ fs/cachefiles/rdwr.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/fs/cachefiles/rdwr.c b/fs/cachefiles/rdwr.c
+index db233588a69a..8a577409d030 100644
+--- a/fs/cachefiles/rdwr.c
++++ b/fs/cachefiles/rdwr.c
+@@ -968,11 +968,8 @@ void cachefiles_uncache_page(struct fscache_object *_object, struct page *page)
+ __releases(&object->fscache.cookie->lock)
+ {
+ struct cachefiles_object *object;
+- struct cachefiles_cache *cache;
+
+ object = container_of(_object, struct cachefiles_object, fscache);
+- cache = container_of(object->fscache.cache,
+- struct cachefiles_cache, cache);
+
+ _enter("%p,{%lu}", object, page->index);
+
+--
+2.19.1
+
diff --git a/queue-4.19/fscache-fix-race-between-enablement-and-dropping-of-.patch b/queue-4.19/fscache-fix-race-between-enablement-and-dropping-of-.patch
new file mode 100644
index 00000000000..1263eef0ca7
--- /dev/null
+++ b/queue-4.19/fscache-fix-race-between-enablement-and-dropping-of-.patch
@@ -0,0 +1,74 @@ +From 4f9798644aa313f0534e361d0f59847ee43973a8 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Fri, 26 Oct 2018 17:16:29 +1100 +Subject: fscache: fix race between enablement and dropping of object + +[ Upstream commit c5a94f434c82529afda290df3235e4d85873c5b4 ] + +It was observed that a process blocked indefintely in +__fscache_read_or_alloc_page(), waiting for FSCACHE_COOKIE_LOOKING_UP +to be cleared via fscache_wait_for_deferred_lookup(). + +At this time, ->backing_objects was empty, which would normaly prevent +__fscache_read_or_alloc_page() from getting to the point of waiting. +This implies that ->backing_objects was cleared *after* +__fscache_read_or_alloc_page was was entered. + +When an object is "killed" and then "dropped", +FSCACHE_COOKIE_LOOKING_UP is cleared in fscache_lookup_failure(), then +KILL_OBJECT and DROP_OBJECT are "called" and only in DROP_OBJECT is +->backing_objects cleared. This leaves a window where +something else can set FSCACHE_COOKIE_LOOKING_UP and +__fscache_read_or_alloc_page() can start waiting, before +->backing_objects is cleared + +There is some uncertainty in this analysis, but it seems to be fit the +observations. Adding the wake in this patch will be handled correctly +by __fscache_read_or_alloc_page(), as it checks if ->backing_objects +is empty again, after waiting. + +Customer which reported the hang, also report that the hang cannot be +reproduced with this fix. 
+ +The backtrace for the blocked process looked like: + +PID: 29360 TASK: ffff881ff2ac0f80 CPU: 3 COMMAND: "zsh" + #0 [ffff881ff43efbf8] schedule at ffffffff815e56f1 + #1 [ffff881ff43efc58] bit_wait at ffffffff815e64ed + #2 [ffff881ff43efc68] __wait_on_bit at ffffffff815e61b8 + #3 [ffff881ff43efca0] out_of_line_wait_on_bit at ffffffff815e625e + #4 [ffff881ff43efd08] fscache_wait_for_deferred_lookup at ffffffffa04f2e8f [fscache] + #5 [ffff881ff43efd18] __fscache_read_or_alloc_page at ffffffffa04f2ffe [fscache] + #6 [ffff881ff43efd58] __nfs_readpage_from_fscache at ffffffffa0679668 [nfs] + #7 [ffff881ff43efd78] nfs_readpage at ffffffffa067092b [nfs] + #8 [ffff881ff43efda0] generic_file_read_iter at ffffffff81187a73 + #9 [ffff881ff43efe50] nfs_file_read at ffffffffa066544b [nfs] +#10 [ffff881ff43efe70] __vfs_read at ffffffff811fc756 +#11 [ffff881ff43efee8] vfs_read at ffffffff811fccfa +#12 [ffff881ff43eff18] sys_read at ffffffff811fda62 +#13 [ffff881ff43eff50] entry_SYSCALL_64_fastpath at ffffffff815e986e + +Signed-off-by: NeilBrown +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/fscache/object.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/fscache/object.c b/fs/fscache/object.c +index 9edc920f651f..6d9cb1719de5 100644 +--- a/fs/fscache/object.c ++++ b/fs/fscache/object.c +@@ -730,6 +730,9 @@ static const struct fscache_state *fscache_drop_object(struct fscache_object *ob + + if (awaken) + wake_up_bit(&cookie->flags, FSCACHE_COOKIE_INVALIDATING); ++ if (test_and_clear_bit(FSCACHE_COOKIE_LOOKING_UP, &cookie->flags)) ++ wake_up_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP); ++ + + /* Prevent a race with our last child, which has to signal EV_CLEARED + * before dropping our spinlock. +-- +2.19.1 + diff --git a/queue-4.19/fscache-fix-race-in-fscache_op_complete-due-to-split.patch b/queue-4.19/fscache-fix-race-in-fscache_op_complete-due-to-split.patch new file mode 100644 index 00000000000..bbade47dc96 --- /dev/null 
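Review bot: The added `test_and_clear_bit(FSCACHE_COOKIE_LOOKING_UP, &cookie->flags)` in fscache_drop_object() has no comment, and the changelog itself says the race analysis is uncertain, so the reason this flag is cleared again on the drop path will be hard to reconstruct from the code alone. I would add something like `/* LOOKING_UP may have been set again after fscache_lookup_failure() cleared it; wake any waiter so it rechecks backing_objects */` above the test. The hunk also leaves two consecutive blank lines after the new `wake_up_bit()` call; one of them should be dropped. The function starts and ends outside the hunk.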
+++ b/queue-4.19/fscache-fix-race-in-fscache_op_complete-due-to-split.patch 
@@ -0,0 +1,74 @@ +From da05fc423ed975225c330cda1817d74329cf3b2f Mon Sep 17 00:00:00 2001 +From: "kiran.modukuri" +Date: Mon, 26 Nov 2018 15:41:48 +0000 +Subject: fscache: Fix race in fscache_op_complete() due to split atomic_sub & + read + +[ Upstream commit 3f2b7b9035107d6096ea438ea3d97dcf0481b6d2 ] + +The code in fscache_retrieval_complete is using atomic_sub followed by an +atomic_read: + + atomic_sub(n_pages, &op->n_pages); + if (atomic_read(&op->n_pages) <= 0) + fscache_op_complete(&op->op, true); + +This causes two threads doing a decrement of n_pages to race with each +other seeing the op->refcount 0 at same time - and they end up calling +fscache_op_complete() in both the threads leading to an assertion failure. + +Fix this by using atomic_sub_return_relaxed() instead of two calls. Note +that I'm using 'relaxed' rather than, say, 'release' as there aren't +multiple variables that appear to need ordering across the release. + +The oops looks something like: + +FS-Cache: Assertion failed +FS-Cache: 0 > 0 is false +... +kernel BUG at /usr/src/linux-4.4.0/fs/fscache/operation.c:449! +... +Workqueue: fscache_operation fscache_op_work_func [fscache] +... +RIP: 0010:[] fscache_op_complete+0x10d/0x180 [fscache] +... +Call Trace: + [] cachefiles_read_copier+0x3a9/0x410 [cachefiles] + [] fscache_op_work_func+0x22/0x50 [fscache] + [] process_one_work+0x150/0x3f0 + [] worker_thread+0x11a/0x470 + [] ? __schedule+0x359/0x980 + [] ? rescuer_thread+0x310/0x310 + [] kthread+0xd6/0xf0 + [] ? kthread_park+0x60/0x60 + [] ret_from_fork+0x3f/0x70 + [] ? kthread_park+0x60/0x60 + +This seen this in 4.4.x kernels and the same bug affects fscache in latest +upstreams kernels. 
+ +Fixes: 1bb4b7f98f36 ("FS-Cache: The retrieval remaining-pages counter needs to be atomic_t") +Signed-off-by: Kiran Kumar Modukuri +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + include/linux/fscache-cache.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/include/linux/fscache-cache.h b/include/linux/fscache-cache.h +index 34cf0fdd7dc7..610815e3f1aa 100644 +--- a/include/linux/fscache-cache.h ++++ b/include/linux/fscache-cache.h +@@ -196,8 +196,7 @@ static inline void fscache_enqueue_retrieval(struct fscache_retrieval *op) + static inline void fscache_retrieval_complete(struct fscache_retrieval *op, + int n_pages) + { +- atomic_sub(n_pages, &op->n_pages); +- if (atomic_read(&op->n_pages) <= 0) ++ if (atomic_sub_return_relaxed(n_pages, &op->n_pages) <= 0) + fscache_op_complete(&op->op, false); + } + +-- +2.19.1 + diff --git a/queue-4.19/fsi-master-ast-cf-select-generic_allocator.patch b/queue-4.19/fsi-master-ast-cf-select-generic_allocator.patch new file mode 100644 index 00000000000..787de32b01e --- /dev/null +++ b/queue-4.19/fsi-master-ast-cf-select-generic_allocator.patch 
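Review bot: The choice of `atomic_sub_return_relaxed()` in fscache_retrieval_complete() is justified only in the changelog, and the code gives no hint why an unordered read-modify-write is enough before calling `fscache_op_complete()`. A short comment such as `/* relaxed: only n_pages itself decides completion, no other data is published through it */` would keep that reasoning next to the call, so a later reader does not have to rediscover it. Note also that the `<= 0` test still lets a second caller reach `fscache_op_complete()` if the counter is ever driven below zero, since every later decrement also returns a non-positive value; whether callers can over-count is not visible in this hunk.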
@@ -0,0 +1,40 @@
+From c0f8a06fdb21bf218bc3fc010ee1f75137dda66a Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Tue, 14 Aug 2018 00:37:18 +0200
+Subject: fsi: master-ast-cf: select GENERIC_ALLOCATOR
+
+[ Upstream commit 64999fa7aa2c076ec6d05aee481f11f5296ceb8c ]
+
+In randconfig builds without CONFIG_GENERIC_ALLOCATOR, this driver
+fails to link:
+
+ERROR: "gen_pool_alloc_algo" [drivers/fsi/fsi-master-ast-cf.ko] undefined!
+ERROR: "gen_pool_fixed_alloc" [drivers/fsi/fsi-master-ast-cf.ko] undefined!
+ERROR: "of_gen_pool_get" [drivers/fsi/fsi-master-ast-cf.ko] undefined!
+ERROR: "gen_pool_free" [drivers/fsi/fsi-master-ast-cf.ko] undefined!
+
+Select the dependency as all other users do.
+
+Fixes: 6a794a27daca ("fsi: master-ast-cf: Add new FSI master using Aspeed ColdFire")
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Benjamin Herrenschmidt
+Signed-off-by: Sasha Levin
+---
+ drivers/fsi/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/fsi/Kconfig b/drivers/fsi/Kconfig
+index af3a20dd5aa4..99c99a5d57fe 100644
+--- a/drivers/fsi/Kconfig
++++ b/drivers/fsi/Kconfig
+@@ -46,6 +46,7 @@ config FSI_MASTER_AST_CF
+ tristate "FSI master based on Aspeed ColdFire coprocessor"
+ depends on GPIOLIB
+ depends on GPIO_ASPEED
++ select GENERIC_ALLOCATOR
+ ---help---
+ This option enables a FSI master using the AST2400 and AST2500 GPIO
+ lines driven by the internal ColdFire coprocessor. This requires
+--
+2.19.1
+
diff --git a/queue-4.19/hfs-do-not-free-node-before-using.patch b/queue-4.19/hfs-do-not-free-node-before-using.patch
new file mode 100644
index 00000000000..48d55d8df0a
--- /dev/null
+++ b/queue-4.19/hfs-do-not-free-node-before-using.patch
@@ -0,0 +1,49 @@
+From 8d5b5385c2f0469fc4aaaec837de3770eb02f878 Mon Sep 17 00:00:00 2001
+From: Pan Bian
+Date: Fri, 30 Nov 2018 14:09:14 -0800
+Subject: hfs: do not free node before using
+
+[ Upstream commit ce96a407adef126870b3f4a1b73529dd8aa80f49 ]
+
+hfs_bmap_free() frees the node via hfs_bnode_put(node). However, it
+then reads node->this when dumping error message on an error path, which
+may result in a use-after-free bug. This patch frees the node only when
+it is never again used.
+
+Link: http://lkml.kernel.org/r/1542963889-128825-1-git-send-email-bianpan2016@163.com
+Fixes: a1185ffa2fc ("HFS rewrite")
+Signed-off-by: Pan Bian
+Reviewed-by: Andrew Morton
+Cc: Joe Perches
+Cc: Ernesto A. Fernandez
+Cc: Viacheslav Dubeyko
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ fs/hfs/btree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c
+index 374b5688e29e..9bdff5e40626 100644
+--- a/fs/hfs/btree.c
++++ b/fs/hfs/btree.c
+@@ -329,13 +329,14 @@ void hfs_bmap_free(struct hfs_bnode *node)
+
+ nidx -= len * 8;
+ i = node->next;
+- hfs_bnode_put(node);
+ if (!i) {
+ /* panic */;
+ pr_crit("unable to free bnode %u. bmap not found!\n",
+ node->this);
++ hfs_bnode_put(node);
+ return;
+ }
++ hfs_bnode_put(node);
+ node = hfs_bnode_find(tree, i);
+ if (IS_ERR(node))
+ return;
+--
+2.19.1
+
diff --git a/queue-4.19/hfsplus-do-not-free-node-before-using.patch b/queue-4.19/hfsplus-do-not-free-node-before-using.patch
new file mode 100644
index 00000000000..9b56148c772
--- /dev/null
+++ b/queue-4.19/hfsplus-do-not-free-node-before-using.patch
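Review bot: In hfs_bmap_free() the position of `hfs_bnode_put(node)` is now what prevents the use-after-free, yet the code gives no hint that `node->this` in the `pr_crit()` must be read before the reference is dropped; the same applies to the identical change to fs/hfsplus/btree.c in the next patch. A comment on the error path, e.g. `/* node->this is read above; drop the reference only after the message */`, would make the ordering harder to undo by a later tidy-up that merges the two `hfs_bnode_put()` calls again. The stray `;` after `/* panic */` on the context line is an empty statement and could be removed while the block is being touched. The enclosing code starts and ends outside the hunk.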
@@ -0,0 +1,49 @@
+From 9eb2900004b9eae8c22d2afdbf29882154966501 Mon Sep 17 00:00:00 2001
+From: Pan Bian
+Date: Fri, 30 Nov 2018 14:09:18 -0800
+Subject: hfsplus: do not free node before using
+
+[ Upstream commit c7d7d620dcbd2a1c595092280ca943f2fced7bbd ]
+
+hfs_bmap_free() frees node via hfs_bnode_put(node). However it then
+reads node->this when dumping error message on an error path, which may
+result in a use-after-free bug. This patch frees node only when it is
+never used.
+
+Link: http://lkml.kernel.org/r/1543053441-66942-1-git-send-email-bianpan2016@163.com
+Signed-off-by: Pan Bian
+Reviewed-by: Andrew Morton
+Cc: Ernesto A. Fernandez
+Cc: Joe Perches
+Cc: Viacheslav Dubeyko
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ fs/hfsplus/btree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
+index de14b2b6881b..3de3bc4918b5 100644
+--- a/fs/hfsplus/btree.c
++++ b/fs/hfsplus/btree.c
+@@ -454,14 +454,15 @@ void hfs_bmap_free(struct hfs_bnode *node)
+
+ nidx -= len * 8;
+ i = node->next;
+- hfs_bnode_put(node);
+ if (!i) {
+ /* panic */;
+ pr_crit("unable to free bnode %u. "
+ "bmap not found!\n",
+ node->this);
++ hfs_bnode_put(node);
+ return;
+ }
++ hfs_bnode_put(node);
+ node = hfs_bnode_find(tree, i);
+ if (IS_ERR(node))
+ return;
+--
+2.19.1
+
diff --git a/queue-4.19/hwmon-ina2xx-fix-current-value-calculation.patch b/queue-4.19/hwmon-ina2xx-fix-current-value-calculation.patch
new file mode 100644
index 00000000000..c3b9bce706d
--- /dev/null
+++ b/queue-4.19/hwmon-ina2xx-fix-current-value-calculation.patch
@@ -0,0 +1,39 @@
+From d89e1a4c2b1bcc9ce077262abe18121284ea16eb Mon Sep 17 00:00:00 2001
+From: Nicolin Chen
+Date: Tue, 13 Nov 2018 19:48:54 -0800
+Subject: hwmon: (ina2xx) Fix current value calculation
+
+[ Upstream commit 38cd989ee38c16388cde89db5b734f9d55b905f9 ]
+
+The current register (04h) has a sign bit at MSB. The comments
+for this calculation also mention that it's a signed register.
+
+However, the regval is unsigned type so result of calculation
+turns out to be an incorrect value when current is negative.
+
+This patch simply fixes this by adding a casting to s16.
+
+Fixes: 5d389b125186c ("hwmon: (ina2xx) Make calibration register value fixed")
+Signed-off-by: Nicolin Chen
+Signed-off-by: Guenter Roeck
+Signed-off-by: Sasha Levin
+---
+ drivers/hwmon/ina2xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/ina2xx.c b/drivers/hwmon/ina2xx.c
+index c2252cf452f5..07ee19573b3f 100644
+--- a/drivers/hwmon/ina2xx.c
++++ b/drivers/hwmon/ina2xx.c
+@@ -274,7 +274,7 @@ static int ina2xx_get_value(struct ina2xx_data *data, u8 reg,
+ break;
+ case INA2XX_CURRENT:
+ /* signed register, result in mA */
+- val = regval * data->current_lsb_uA;
++ val = (s16)regval * data->current_lsb_uA;
+ val = DIV_ROUND_CLOSEST(val, 1000);
+ break;
+ case INA2XX_CALIBRATION:
+--
+2.19.1
+
diff --git a/queue-4.19/hwmon-ina2xx-fix-null-id-pointer-in-probe.patch b/queue-4.19/hwmon-ina2xx-fix-null-id-pointer-in-probe.patch
new file mode 100644
index 00000000000..dff7247b29f
--- /dev/null
+++ b/queue-4.19/hwmon-ina2xx-fix-null-id-pointer-in-probe.patch
@@ -0,0 +1,68 @@ +From a5620f19d11da3c6ffc610239906515cbf10364b Mon Sep 17 00:00:00 2001 +From: Nicolin Chen +Date: Fri, 9 Nov 2018 16:42:14 -0800 +Subject: hwmon (ina2xx) Fix NULL id pointer in probe() + +[ Upstream commit 70df9ebbd82c794ddfbb49d45b337f18d5588dc2 ] + +When using DT configurations, the id pointer might turn out to +be NULL. Then the driver encounters NULL pointer access: + + Unable to handle kernel read from unreadable memory at vaddr 00000018 + [...] + PC is at ina2xx_probe+0x114/0x200 + LR is at ina2xx_probe+0x10c/0x200 + [...] + Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b + +The reason is that i2c core returns the id pointer by matching +id_table with client->name, while the client->name is actually +using the name from the first string in the DT compatible list, +not the best one. So i2c core would fail to match the id_table +if the best matched compatible string isn't the first one, and +then would return a NULL id pointer. + +This probably should be fixed in i2c core. But it doesn't hurt +to make the driver robust. So this patch fixes it by using the +"chip" that's added to unify both DT and non-DT configurations. + +Additionally, since id pointer could be null, so as id->name: + ina2xx 10-0047: power monitor (null) (Rshunt = 1000 uOhm) + ina2xx 10-0048: power monitor (null) (Rshunt = 10000 uOhm) + +So this patch also fixes NULL name pointer, using client->name +to play safe and to align with hwmon->name. 
+ +Fixes: bd0ddd4d0883 ("hwmon: (ina2xx) Add OF device ID table") +Signed-off-by: Nicolin Chen +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ina2xx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/ina2xx.c b/drivers/hwmon/ina2xx.c +index 71d3445ba869..c2252cf452f5 100644 +--- a/drivers/hwmon/ina2xx.c ++++ b/drivers/hwmon/ina2xx.c +@@ -491,7 +491,7 @@ static int ina2xx_probe(struct i2c_client *client, + } + + data->groups[group++] = &ina2xx_group; +- if (id->driver_data == ina226) ++ if (chip == ina226) + data->groups[group++] = &ina226_group; + + hwmon_dev = devm_hwmon_device_register_with_groups(dev, client->name, +@@ -500,7 +500,7 @@ static int ina2xx_probe(struct i2c_client *client, + return PTR_ERR(hwmon_dev); + + dev_info(dev, "power monitor %s (Rshunt = %li uOhm)\n", +- id->name, data->rshunt); ++ client->name, data->rshunt); + + return 0; + } +-- +2.19.1 + diff --git a/queue-4.19/hwmon-mlxreg-fan-fix-macros-for-tacho-fault-reading.patch b/queue-4.19/hwmon-mlxreg-fan-fix-macros-for-tacho-fault-reading.patch new file mode 100644 index 00000000000..c9391b60395 --- /dev/null +++ b/queue-4.19/hwmon-mlxreg-fan-fix-macros-for-tacho-fault-reading.patch 
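Review bot: The `dev_info()` at the end of ina2xx_probe() now prints `client->name`, which the changelog describes as the first string of the DT compatible list rather than the best match, so the logged chip name can differ from the variant that `chip` actually selects for `ina226_group`. That makes the boot log a less reliable record of which configuration was applied. A comment near the top of probe such as `/* id may be NULL when the device is probed via DT; use chip and client->name instead */` would at least record why `id` is avoided. The hunk shows only these two uses of `id`; whether others remain in the function is not visible here.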
@@ -0,0 +1,36 @@
+From e74fe3b18642646f5fc9028ffb58ddb69216151e Mon Sep 17 00:00:00 2001
+From: Vadim Pasternak
+Date: Fri, 16 Nov 2018 13:47:11 +0000
+Subject: hwmon: (mlxreg-fan) Fix macros for tacho fault reading
+
+[ Upstream commit 243cfe3fb8978c7eec24511aba7dac98819ed896 ]
+
+Fix macros for tacometer fault reading.
+This fix is relevant for three Mellanox systems MQMB7, MSN37, MSN34,
+which are about to be released to the customers.
+At the moment, none of them is at customers sites.
+
+Fixes: 65afb4c8e7e4 ("hwmon: (mlxreg-fan) Add support for Mellanox FAN driver")
+Signed-off-by: Vadim Pasternak
+Signed-off-by: Guenter Roeck
+Signed-off-by: Sasha Levin
+---
+ drivers/hwmon/mlxreg-fan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/mlxreg-fan.c b/drivers/hwmon/mlxreg-fan.c
+index de46577c7d5a..d8fa4bea4bc8 100644
+--- a/drivers/hwmon/mlxreg-fan.c
++++ b/drivers/hwmon/mlxreg-fan.c
+@@ -51,7 +51,7 @@
+ */
+ #define MLXREG_FAN_GET_RPM(rval, d, s) (DIV_ROUND_CLOSEST(15000000 * 100, \
+ ((rval) + (s)) * (d)))
+-#define MLXREG_FAN_GET_FAULT(val, mask) (!!((val) ^ (mask)))
++#define MLXREG_FAN_GET_FAULT(val, mask) (!((val) ^ (mask)))
+ #define MLXREG_FAN_PWM_DUTY2STATE(duty) (DIV_ROUND_CLOSEST((duty) * \
+ MLXREG_FAN_MAX_STATE, \
+ MLXREG_FAN_MAX_DUTY))
+--
+2.19.1
+
diff --git a/queue-4.19/hwmon-raspberrypi-fix-initial-notify.patch b/queue-4.19/hwmon-raspberrypi-fix-initial-notify.patch
new file mode 100644
index 00000000000..5c36ccd0308
--- /dev/null
+++ b/queue-4.19/hwmon-raspberrypi-fix-initial-notify.patch
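Review bot: `MLXREG_FAN_GET_FAULT(val, mask)` as rewritten, `(!((val) ^ (mask)))`, is an equality test spelled with XOR and negation, and neither the macro nor the changelog says which polarity means a fault. For integer operands `#define MLXREG_FAN_GET_FAULT(val, mask) ((val) == (mask))` gives the same result and reads directly. A comment such as `/* fault is reported when the tacho register value equals the mask */` would document the inversion this patch makes, so the next change does not flip it back.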
@@ -0,0 +1,50 @@
+From d28d3f1f607e956446e584ea82fe836bfe0fa376 Mon Sep 17 00:00:00 2001
+From: Stefan Wahren
+Date: Sun, 11 Nov 2018 13:01:11 +0100
+Subject: hwmon: (raspberrypi) Fix initial notify
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 35fdc3902179366489a12cae4cb3ccc3b95f0afe ]
+
+In case an under-voltage happens before probing the driver wont
+write the critical warning into the kernel log. So don't init
+of last_throttled during probe and fix this issue.
+
+Fixes: 74d1e007915f ("hwmon: Add support for RPi voltage sensor")
+Reported-by: "Noralf Trønnes"
+Signed-off-by: Stefan Wahren
+Signed-off-by: Guenter Roeck
+Signed-off-by: Sasha Levin
+---
+ drivers/hwmon/raspberrypi-hwmon.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/drivers/hwmon/raspberrypi-hwmon.c b/drivers/hwmon/raspberrypi-hwmon.c
+index be5ba4690895..0d0457245e7d 100644
+--- a/drivers/hwmon/raspberrypi-hwmon.c
++++ b/drivers/hwmon/raspberrypi-hwmon.c
+@@ -115,7 +115,6 @@ static int rpi_hwmon_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+ struct rpi_hwmon_data *data;
+- int ret;
+
+ data = devm_kzalloc(dev, sizeof(*data), GFP_KERNEL);
+ if (!data)
+@@ -124,11 +123,6 @@ static int rpi_hwmon_probe(struct platform_device *pdev)
+ /* Parent driver assure that firmware is correct */
+ data->fw = dev_get_drvdata(dev->parent);
+
+- /* Init throttled */
+- ret = rpi_firmware_property(data->fw, RPI_FIRMWARE_GET_THROTTLED,
+- &data->last_throttled,
+- sizeof(data->last_throttled));
+-
+ data->hwmon_dev = devm_hwmon_device_register_with_info(dev, "rpi_volt",
+ data,
+ &rpi_chip_info,
+--
+2.19.1
+
diff --git a/queue-4.19/hwmon-w83795-temp4_type-has-writable-permission.patch b/queue-4.19/hwmon-w83795-temp4_type-has-writable-permission.patch
new file mode 100644
index 00000000000..2ce12ffbb6d
--- /dev/null
+++ b/queue-4.19/hwmon-w83795-temp4_type-has-writable-permission.patch
@@ -0,0 +1,35 @@
+From 8fccc4e864ec621dc7af94a5031bbedb8e74d425 Mon Sep 17 00:00:00 2001
+From: Huacai Chen
+Date: Thu, 15 Nov 2018 10:44:57 +0800
+Subject: hwmon: (w83795) temp4_type has writable permission
+
+[ Upstream commit 09aaf6813cfca4c18034fda7a43e68763f34abb1 ]
+
+Both datasheet and comments of store_temp_mode() tell us that temp1~4_type
+is writable, so fix it.
+
+Signed-off-by: Yao Wang
+Signed-off-by: Huacai Chen
+Fixes: 39deb6993e7c (" hwmon: (w83795) Simplify temperature sensor type handling")
+Signed-off-by: Guenter Roeck
+Signed-off-by: Sasha Levin
+---
+ drivers/hwmon/w83795.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/w83795.c b/drivers/hwmon/w83795.c
+index 49276bbdac3d..1bb80f992aa8 100644
+--- a/drivers/hwmon/w83795.c
++++ b/drivers/hwmon/w83795.c
+@@ -1691,7 +1691,7 @@ store_sf_setup(struct device *dev, struct device_attribute *attr,
+ * somewhere else in the code
+ */
+ #define SENSOR_ATTR_TEMP(index) { \
+- SENSOR_ATTR_2(temp##index##_type, S_IRUGO | (index < 4 ? S_IWUSR : 0), \
++ SENSOR_ATTR_2(temp##index##_type, S_IRUGO | (index < 5 ? S_IWUSR : 0), \
+ show_temp_mode, store_temp_mode, NOT_USED, index - 1), \
+ SENSOR_ATTR_2(temp##index##_input, S_IRUGO, show_temp, \
+ NULL, TEMP_READ, index - 1), \
+--
+2.19.1
+
diff --git a/queue-4.19/ib-mlx5-fix-page-fault-handling-for-mw.patch b/queue-4.19/ib-mlx5-fix-page-fault-handling-for-mw.patch
new file mode 100644
index 00000000000..2fd2de85bb3
--- /dev/null
+++ b/queue-4.19/ib-mlx5-fix-page-fault-handling-for-mw.patch
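Review bot: The `index < 5` bound in SENSOR_ATTR_TEMP widens write permission to `temp4_type`, and the literal is one more than the channel range the changelog names (temp1~4), which makes the intent easy to misread. `(index <= 4 ? S_IWUSR : 0)` reads directly against that range. Because the change exposes one more owner-writable sysfs attribute, it is worth confirming that store_temp_mode(), which is outside the hunk, handles `index - 1 == 3` and validates the value it writes.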
@@ -0,0 +1,40 @@
+From ee96ae20d8b7ee24f8a8fc240767ea1a5697bbf9 Mon Sep 17 00:00:00 2001
+From: Artemy Kovalyov
+Date: Sun, 25 Nov 2018 20:34:26 +0200
+Subject: IB/mlx5: Fix page fault handling for MW
+
+[ Upstream commit 75b7b86bdb0df37e08e44b6c1f99010967f81944 ]
+
+Memory windows are implemented with an indirect MKey, when a page fault
+event comes for a MW Mkey we need to find the MR at the end of the list of
+the indirect MKeys by iterating on all items from the first to the last.
+
+The offset calculated during this process has to be zeroed after the first
+iteration or the next iteration will start from a wrong address, resulting
+incorrect ODP faulting behavior.
+
+Fixes: db570d7deafb ("IB/mlx5: Add ODP support to MW")
+Signed-off-by: Artemy Kovalyov
+Signed-off-by: Moni Shoua
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/mlx5/odp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/mlx5/odp.c b/drivers/infiniband/hw/mlx5/odp.c
+index d216e0d2921d..9e1cac8cb260 100644
+--- a/drivers/infiniband/hw/mlx5/odp.c
++++ b/drivers/infiniband/hw/mlx5/odp.c
+@@ -724,6 +724,7 @@ static int pagefault_single_data_segment(struct mlx5_ib_dev *dev,
+ head = frame;
+
+ bcnt -= frame->bcnt;
++ offset = 0;
+ }
+ break;
+
+--
+2.19.1
+
diff --git a/queue-4.19/igb-fix-uninitialized-variables.patch b/queue-4.19/igb-fix-uninitialized-variables.patch
new file mode 100644
index 00000000000..cac60831daf
--- /dev/null
+++ b/queue-4.19/igb-fix-uninitialized-variables.patch
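Review bot: The added `offset = 0;` in pagefault_single_data_segment() has no comment, and the reason for it (the offset applies only to the first MKey in the indirect chain) lives only in the changelog. Since a stale offset makes the fault handler resolve the wrong address range, I would record it in place with `/* offset is relative to the first MKey only; later frames start at 0 */`. The loop this statement sits in starts and ends outside the hunk, so it is worth checking that no other path through it carries a non-zero `offset` into the next frame.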
@@ -0,0 +1,32 @@
+From 14a9b22a882094265cb0597aa5c71913d2b56dd8 Mon Sep 17 00:00:00 2001
+From: Yunjian Wang
+Date: Tue, 6 Nov 2018 16:27:12 +0800
+Subject: igb: fix uninitialized variables
+
+[ Upstream commit e4c39f7926b4de355f7df75651d75003806aae09 ]
+
+This patch fixes the variable 'phy_word' may be used uninitialized.
+
+Signed-off-by: Yunjian Wang
+Tested-by: Aaron Brown
+Signed-off-by: Jeff Kirsher
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igb/e1000_i210.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/e1000_i210.c b/drivers/net/ethernet/intel/igb/e1000_i210.c
+index c54ebedca6da..c393cb2c0f16 100644
+--- a/drivers/net/ethernet/intel/igb/e1000_i210.c
++++ b/drivers/net/ethernet/intel/igb/e1000_i210.c
+@@ -842,6 +842,7 @@ s32 igb_pll_workaround_i210(struct e1000_hw *hw)
+ nvm_word = E1000_INVM_DEFAULT_AL;
+ tmp_nvm = nvm_word | E1000_INVM_PLL_WO_VAL;
+ igb_write_phy_reg_82580(hw, I347AT4_PAGE_SELECT, E1000_PHY_PLL_FREQ_PAGE);
++ phy_word = E1000_PHY_PLL_UNCONF;
+ for (i = 0; i < E1000_MAX_PLL_TRIES; i++) {
+ /* check current state directly from internal PHY */
+ igb_read_phy_reg_82580(hw, E1000_PHY_PLL_FREQ_REG, &phy_word);
+--
+2.19.1
+
diff --git a/queue-4.19/initramfs-clean-old-path-before-creating-a-hardlink.patch b/queue-4.19/initramfs-clean-old-path-before-creating-a-hardlink.patch
new file mode 100644
index 00000000000..da2645cd877
--- /dev/null
+++ b/queue-4.19/initramfs-clean-old-path-before-creating-a-hardlink.patch
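Review bot: The return value of `igb_read_phy_reg_82580()` inside the retry loop of igb_pll_workaround_i210() is still ignored, so initialising `phy_word` before the loop only covers a failed read on the first iteration; on later iterations a failed read leaves the previous iteration's value in place. If a failed read should count as unconfigured, as the initialiser suggests, checking the call makes that explicit: `if (igb_read_phy_reg_82580(hw, E1000_PHY_PLL_FREQ_REG, &phy_word))` followed by `phy_word = E1000_PHY_PLL_UNCONF;`. The same applies to the unchecked `igb_write_phy_reg_82580()` on the context line above. The loop body continues outside the hunk.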
@@ -0,0 +1,111 @@ +From 6eb7c9ff098ab24db87212744846a76db523a86a Mon Sep 17 00:00:00 2001 +From: Li Zhijian +Date: Fri, 30 Nov 2018 14:10:09 -0800 +Subject: initramfs: clean old path before creating a hardlink + +[ Upstream commit 7c0950d455d6ab610d2990a13120f935b75abf2c ] + +sys_link() can fail due to the new path already existing. This case +ofen occurs when we use a concated initrd, for example: + +1) prepare a basic rootfs, it contains a regular files rc.local +lizhijian@:~/yocto-tiny-i386-2016-04-22$ cat etc/rc.local + #!/bin/sh + echo "Running /etc/rc.local..." +yocto-tiny-i386-2016-04-22$ find . | sed 's,^\./,,' | cpio -o -H newc | gzip -n -9 >../rootfs.cgz + +2) create a extra initrd which also includes a etc/rc.local +lizhijian@:~/lkp-x86_64/etc$ echo "append initrd" >rc.local +lizhijian@:~/lkp/lkp-x86_64/etc$ cat rc.local +append initrd +lizhijian@:~/lkp/lkp-x86_64/etc$ ln rc.local rc.local.hardlink +append initrd +lizhijian@:~/lkp/lkp-x86_64/etc$ stat rc.local rc.local.hardlink + File: 'rc.local' + Size: 14 Blocks: 8 IO Block: 4096 regular file +Device: 801h/2049d Inode: 11296086 Links: 2 +Access: (0664/-rw-rw-r--) Uid: ( 1002/lizhijian) Gid: ( 1002/lizhijian) +Access: 2018-11-15 16:08:28.654464815 +0800 +Modify: 2018-11-15 16:07:57.514903210 +0800 +Change: 2018-11-15 16:08:24.180228872 +0800 + Birth: - + File: 'rc.local.hardlink' + Size: 14 Blocks: 8 IO Block: 4096 regular file +Device: 801h/2049d Inode: 11296086 Links: 2 +Access: (0664/-rw-rw-r--) Uid: ( 1002/lizhijian) Gid: ( 1002/lizhijian) +Access: 2018-11-15 16:08:28.654464815 +0800 +Modify: 2018-11-15 16:07:57.514903210 +0800 +Change: 2018-11-15 16:08:24.180228872 +0800 + Birth: - + +lizhijian@:~/lkp/lkp-x86_64$ find . | sed 's,^\./,,' | cpio -o -H newc | gzip -n -9 >../rc-local.cgz +lizhijian@:~/lkp/lkp-x86_64$ gzip -dc ../rc-local.cgz | cpio -t +. 
+etc +etc/rc.local.hardlink <<< it will be extracted first at this initrd +etc/rc.local + +3) concate 2 initrds and boot +lizhijian@:~/lkp$ cat rootfs.cgz rc-local.cgz >concate-initrd.cgz +lizhijian@:~/lkp$ qemu-system-x86_64 -nographic -enable-kvm -cpu host -smp 1 -m 1024 -kernel ~/lkp/linux/arch/x86/boot/bzImage -append "console=ttyS0 earlyprint=ttyS0 ignore_loglevel" -initrd ./concate-initr.cgz -serial stdio -nodefaults + +In this case, sys_link(2) will fail and return -EEXIST, so we can only get +the rc.local at rootfs.cgz instead of rc-local.cgz + +[akpm@linux-foundation.org: move code to avoid forward declaration] +Link: http://lkml.kernel.org/r/1542352368-13299-1-git-send-email-lizhijian@cn.fujitsu.com +Signed-off-by: Li Zhijian +Cc: Philip Li +Cc: Dominik Brodowski +Cc: Li Zhijian +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + init/initramfs.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/init/initramfs.c b/init/initramfs.c +index 640557788026..f6f4a1e4cd54 100644 +--- a/init/initramfs.c ++++ b/init/initramfs.c +@@ -291,16 +291,6 @@ static int __init do_reset(void) + return 1; + } + +-static int __init maybe_link(void) +-{ +- if (nlink >= 2) { +- char *old = find_link(major, minor, ino, mode, collected); +- if (old) +- return (ksys_link(old, collected) < 0) ? -1 : 1; +- } +- return 0; +-} +- + static void __init clean_path(char *path, umode_t fmode) + { + struct kstat st; +@@ -313,6 +303,18 @@ static void __init clean_path(char *path, umode_t fmode) + } + } + ++static int __init maybe_link(void) ++{ ++ if (nlink >= 2) { ++ char *old = find_link(major, minor, ino, mode, collected); ++ if (old) { ++ clean_path(collected, 0); ++ return (ksys_link(old, collected) < 0) ? -1 : 1; ++ } ++ } ++ return 0; ++} ++ + static __initdata int wfd; + + static int __init do_name(void) +-- +2.19.1 + 
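Review bot: In the re-added maybe_link(), `clean_path(collected, 0)` removes whatever is already at the target before `ksys_link()` runs, and nothing restores it if the link then fails. A failing hardlink entry therefore leaves the path absent, where before it left the earlier file in place. The 0 passed as fmode is presumably chosen so that no existing file type matches and the path is always removed; clean_path()'s body is only partly visible here, so this should be confirmed. A comment above the call would record both points, for example `/* fmode 0: always drop an existing target; it is not restored if ksys_link() fails */`.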
diff --git a/queue-4.19/ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch b/queue-4.19/ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch new file mode 100644 index 00000000000..b2f2edb1f58 --- /dev/null +++ b/queue-4.19/ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch 
@@ -0,0 +1,57 @@
+From b5602aa13f4bc86504c75522bc84b4b10deb5a30 Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Thu, 15 Nov 2018 15:14:30 +0800
+Subject: ipvs: call ip_vs_dst_notifier earlier than ipv6_dev_notf
+
+[ Upstream commit 2a31e4bd9ad255ee40809b5c798c4b1c2b09703b ]
+
+ip_vs_dst_event is supposed to clean up all dst used in ipvs'
+destinations when a net dev is going down. But it works only
+when the dst's dev is the same as the dev from the event.
+
+Now with the same priority but late registration,
+ip_vs_dst_notifier is always called later than ipv6_dev_notf
+where the dst's dev is set to lo for NETDEV_DOWN event.
+
+As the dst's dev lo is not the same as the dev from the event
+in ip_vs_dst_event, ip_vs_dst_notifier doesn't actually work.
+Also as these dst have to wait for dest_trash_timer to clean
+them up. It would cause some non-permanent kernel warnings:
+
+ unregister_netdevice: waiting for br0 to become free. Usage count = 3
+
+To fix it, call ip_vs_dst_notifier earlier than ipv6_dev_notf
+by increasing its priority to ADDRCONF_NOTIFY_PRIORITY + 5.
+
+Note that for ipv4 route fib_netdev_notifier doesn't set dst's
+dev to lo in NETDEV_DOWN event, so this fix is only needed when
+IP_VS_IPV6 is defined.
+
+Fixes: 7a4f0761fce3 ("IPVS: init and cleanup restructuring")
+Reported-by: Li Shuang
+Signed-off-by: Xin Long
+Acked-by: Julian Anastasov
+Acked-by: Simon Horman
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 62eefea48973..518364f4abcc 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -3980,6 +3980,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct netns_ipvs *ipvs)
+
+ static struct notifier_block ip_vs_dst_notifier = {
+ .notifier_call = ip_vs_dst_event,
++#ifdef CONFIG_IP_VS_IPV6
++ .priority = ADDRCONF_NOTIFY_PRIORITY + 5,
++#endif
+ };
+
+ int __net_init ip_vs_control_net_init(struct netns_ipvs *ipvs)
+--
+2.19.1
+
diff --git a/queue-4.19/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch b/queue-4.19/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch
new file mode 100644
index 00000000000..8d285d77f21
--- /dev/null
+++ b/queue-4.19/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch
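Review bot: The `+ 5` in `.priority = ADDRCONF_NOTIFY_PRIORITY + 5,` is an unexplained offset, and the initializer says nothing about why ip_vs_dst_notifier needs a priority at all. The commit message gives the only requirement: this notifier must run before ipv6_dev_notf, which sets the dst's dev to lo on NETDEV_DOWN. A comment above the `#ifdef` would keep that ordering dependency next to the code, for example `/* run before the IPv6 addrconf notifier re-points dst->dev to lo on NETDEV_DOWN */`.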
@@ -0,0 +1,43 @@
+From 1aa80f0ab108714eac06af9919ec59a8ad1b56d0 Mon Sep 17 00:00:00 2001
+From: Josh Elsasser
+Date: Sat, 24 Nov 2018 12:57:33 -0800
+Subject: ixgbe: recognize 1000BaseLX SFP modules as 1Gbps
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit a8bf879af7b1999eba36303ce9cc60e0e7dd816c ]
+
+Add the two 1000BaseLX enum values to the X550's check for 1Gbps modules,
+allowing the core driver code to establish a link over this SFP type.
+
+This is done by the out-of-tree driver but the fix wasn't in mainline.
+
+Fixes: e23f33367882 ("ixgbe: Fix 1G and 10G link stability for X550EM_x SFP+”)
+Fixes: 6a14ee0cfb19 ("ixgbe: Add X550 support function pointers")
+Signed-off-by: Josh Elsasser
+Tested-by: Andrew Bowers
+Signed-off-by: Jeff Kirsher
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+index a8148c7126e5..9772016222c3 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+@@ -2248,7 +2248,9 @@ static s32 ixgbe_get_link_capabilities_X550em(struct ixgbe_hw *hw,
+ *autoneg = false;
+
+ if (hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core0 ||
+- hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core1) {
++ hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core1 ||
++ hw->phy.sfp_type == ixgbe_sfp_type_1g_lx_core0 ||
++ hw->phy.sfp_type == ixgbe_sfp_type_1g_lx_core1) {
+ *speed = IXGBE_LINK_SPEED_1GB_FULL;
+ return 0;
+ }
+--
+2.19.1
+
diff --git a/queue-4.19/kernel-kcov.c-mark-funcs-in-__sanitizer_cov_trace_pc.patch b/queue-4.19/kernel-kcov.c-mark-funcs-in-__sanitizer_cov_trace_pc.patch
new file mode 100644
index 00000000000..6c5db7b0517
--- /dev/null
+++ b/queue-4.19/kernel-kcov.c-mark-funcs-in-__sanitizer_cov_trace_pc.patch
@@ -0,0 +1,63 @@
+From d1c6b074da852de703048d1b0485c2acce367236 Mon Sep 17 00:00:00 2001
+From: Anders Roxell
+Date: Fri, 30 Nov 2018 14:10:05 -0800
+Subject: kernel/kcov.c: mark funcs in __sanitizer_cov_trace_pc() as notrace
+
+[ Upstream commit 903e8ff86753e6f327bb92166a0665e4ecb8e2e7 ]
+
+Since __sanitizer_cov_trace_pc() is marked as notrace, function calls in
+__sanitizer_cov_trace_pc() shouldn't be traced either.
+ftrace_graph_caller() gets called for each function that isn't marked
+'notrace', like canonicalize_ip(). This is the call trace from a run:
+
+[ 139.644550] ftrace_graph_caller+0x1c/0x24
+[ 139.648352] canonicalize_ip+0x18/0x28
+[ 139.652313] __sanitizer_cov_trace_pc+0x14/0x58
+[ 139.656184] sched_clock+0x34/0x1e8
+[ 139.659759] trace_clock_local+0x40/0x88
+[ 139.663722] ftrace_push_return_trace+0x8c/0x1f0
+[ 139.667767] prepare_ftrace_return+0xa8/0x100
+[ 139.671709] ftrace_graph_caller+0x1c/0x24
+
+Rework so that check_kcov_mode() and canonicalize_ip() that are called
+from __sanitizer_cov_trace_pc() are also marked as notrace.
+
+Link: http://lkml.kernel.org/r/20181128081239.18317-1-anders.roxell@linaro.org
+Signed-off-by: Arnd Bergmann
+Signen-off-by: Anders Roxell
+Co-developed-by: Arnd Bergmann
+Acked-by: Steven Rostedt (VMware)
+Cc: Dmitry Vyukov
+Cc: Ingo Molnar
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ kernel/kcov.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/kcov.c b/kernel/kcov.c
+index 3ebd09efe72a..97959d7b77e2 100644
+--- a/kernel/kcov.c
++++ b/kernel/kcov.c
+@@ -56,7 +56,7 @@ struct kcov {
+ struct task_struct *t;
+ };
+
+-static bool check_kcov_mode(enum kcov_mode needed_mode, struct task_struct *t)
++static notrace bool check_kcov_mode(enum kcov_mode needed_mode, struct task_struct *t)
+ {
+ unsigned int mode;
+
+@@ -78,7 +78,7 @@ static bool check_kcov_mode(enum kcov_mode needed_mode, struct task_struct *t)
+ return mode == needed_mode;
+ }
+
+-static unsigned long canonicalize_ip(unsigned long ip)
++static notrace unsigned long canonicalize_ip(unsigned long ip)
+ {
+ #ifdef CONFIG_RANDOMIZE_BASE
+ ip -= kaslr_offset();
+--
+2.19.1
+
diff --git a/queue-4.19/kvm-vmx-update-shared-msrs-to-be-saved-restored-on-m.patch b/queue-4.19/kvm-vmx-update-shared-msrs-to-be-saved-restored-on-m.patch
new file mode 100644
index 00000000000..4b11ccaa312
--- /dev/null
+++ b/queue-4.19/kvm-vmx-update-shared-msrs-to-be-saved-restored-on-m.patch
@@ -0,0 +1,102 @@ +From c6b670be13c881215375233781a2559aea38fad9 Mon Sep 17 00:00:00 2001 +From: Liran Alon +Date: Tue, 20 Nov 2018 18:03:25 +0200 +Subject: KVM: VMX: Update shared MSRs to be saved/restored on MSR_EFER.LMA + changes + +[ Upstream commit f48b4711dd6e1cf282f9dfd159c14a305909c97c ] + +When guest transitions from/to long-mode by modifying MSR_EFER.LMA, +the list of shared MSRs to be saved/restored on guest<->host +transitions is updated (See vmx_set_efer() call to setup_msrs()). + +On every entry to guest, vcpu_enter_guest() calls +vmx_prepare_switch_to_guest(). This function should also take care +of setting the shared MSRs to be saved/restored. However, the +function does nothing in case we are already running with loaded +guest state (vmx->loaded_cpu_state != NULL). + +This means that even when guest modifies MSR_EFER.LMA which results +in updating the list of shared MSRs, it isn't being taken into account +by vmx_prepare_switch_to_guest() because it happens while we are +running with loaded guest state. + +To fix above mentioned issue, add a flag to mark that the list of +shared MSRs has been updated and modify vmx_prepare_switch_to_guest() +to set shared MSRs when running with host state *OR* list of shared +MSRs has been updated. + +Note that this issue was mistakenly introduced by commit +678e315e78a7 ("KVM: vmx: add dedicated utility to access guest's +kernel_gs_base") because previously vmx_set_efer() always called +vmx_load_host_state() which resulted in vmx_prepare_switch_to_guest() to +set shared MSRs. 
+ +Fixes: 678e315e78a7 ("KVM: vmx: add dedicated utility to access guest's kernel_gs_base") +Reported-by: Eyal Moscovici +Reviewed-by: Mihai Carabas +Reviewed-by: Liam Merwick +Reviewed-by: Jim Mattson +Signed-off-by: Liran Alon +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index e55f7a90d4b2..b1aef90aab91 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -962,6 +962,7 @@ struct vcpu_vmx { + struct shared_msr_entry *guest_msrs; + int nmsrs; + int save_nmsrs; ++ bool guest_msrs_dirty; + unsigned long host_idt_base; + #ifdef CONFIG_X86_64 + u64 msr_host_kernel_gs_base; +@@ -2874,6 +2875,20 @@ static void vmx_prepare_switch_to_guest(struct kvm_vcpu *vcpu) + + vmx->req_immediate_exit = false; + ++ /* ++ * Note that guest MSRs to be saved/restored can also be changed ++ * when guest state is loaded. This happens when guest transitions ++ * to/from long-mode by setting MSR_EFER.LMA. 
++ */ ++ if (!vmx->loaded_cpu_state || vmx->guest_msrs_dirty) { ++ vmx->guest_msrs_dirty = false; ++ for (i = 0; i < vmx->save_nmsrs; ++i) ++ kvm_set_shared_msr(vmx->guest_msrs[i].index, ++ vmx->guest_msrs[i].data, ++ vmx->guest_msrs[i].mask); ++ ++ } ++ + if (vmx->loaded_cpu_state) + return; + +@@ -2934,11 +2949,6 @@ static void vmx_prepare_switch_to_guest(struct kvm_vcpu *vcpu) + vmcs_writel(HOST_GS_BASE, gs_base); + host_state->gs_base = gs_base; + } +- +- for (i = 0; i < vmx->save_nmsrs; ++i) +- kvm_set_shared_msr(vmx->guest_msrs[i].index, +- vmx->guest_msrs[i].data, +- vmx->guest_msrs[i].mask); + } + + static void vmx_prepare_switch_to_host(struct vcpu_vmx *vmx) +@@ -3418,6 +3428,7 @@ static void setup_msrs(struct vcpu_vmx *vmx) + move_msr_up(vmx, index, save_nmsrs++); + + vmx->save_nmsrs = save_nmsrs; ++ vmx->guest_msrs_dirty = true; + + if (cpu_has_vmx_msr_bitmap()) + vmx_update_msr_bitmap(&vmx->vcpu); +-- +2.19.1 + diff --git a/queue-4.19/kvm-x86-fix-empty-body-warnings.patch b/queue-4.19/kvm-x86-fix-empty-body-warnings.patch new file mode 100644 index 00000000000..1f466b7c25f --- /dev/null +++ b/queue-4.19/kvm-x86-fix-empty-body-warnings.patch 
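Review bot: The new field `bool guest_msrs_dirty;` in struct vcpu_vmx has no comment saying who sets it and who clears it, although the protocol spans two functions: setup_msrs() sets it and vmx_prepare_switch_to_guest() clears it just before reloading the shared MSRs. A trailing comment such as `/* set by setup_msrs(); cleared when vmx_prepare_switch_to_guest() reloads the shared MSRs */` would document that. The block added to vmx_prepare_switch_to_guest() also has a stray empty line before its closing brace, and its multi-line `for` body would read more safely with braces. Both functions continue outside their hunks.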
@@ -0,0 +1,43 @@
+From 4a6844169dbf87a23ac59a11fc696c269d8e5b05 Mon Sep 17 00:00:00 2001
+From: Yi Wang
+Date: Thu, 8 Nov 2018 16:48:36 +0800
+Subject: KVM: x86: fix empty-body warnings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 354cb410d87314e2eda344feea84809e4261570a ]
+
+We get the following warnings about empty statements when building
+with 'W=1':
+
+arch/x86/kvm/lapic.c:632:53: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+arch/x86/kvm/lapic.c:1907:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+arch/x86/kvm/lapic.c:1936:65: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+arch/x86/kvm/lapic.c:1975:44: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+
+Rework the debug helper macro to get rid of these warnings.
+
+Signed-off-by: Yi Wang
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/lapic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index 2216d21e955d..3692de84c420 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -55,7 +55,7 @@
+ #define PRIo64 "o"
+
+ /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
+-#define apic_debug(fmt, arg...)
++#define apic_debug(fmt, arg...) do {} while (0)
+
+ /* 14 is the version for Xeon and Pentium 8.4.8*/
+ #define APIC_VERSION (0x14UL | ((KVM_APIC_LVT_NUM - 1) << 16))
+--
+2.19.1
+
diff --git a/queue-4.19/mm-page_alloc.c-fix-calculation-of-pgdat-nr_zones.patch b/queue-4.19/mm-page_alloc.c-fix-calculation-of-pgdat-nr_zones.patch
new file mode 100644
index 00000000000..4011f2cc84e
--- /dev/null
+++ b/queue-4.19/mm-page_alloc.c-fix-calculation-of-pgdat-nr_zones.patch
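Review bot: With `#define apic_debug(fmt, arg...) do {} while (0)` the arguments of every apic_debug() call are discarded by the preprocessor, so the compiler never checks the format strings and arguments at the call sites and they can go stale unnoticed. The kernel's `no_printk()` helper keeps that checking while still emitting no code: `#define apic_debug(fmt, arg...) no_printk(KERN_WARNING fmt, ##arg)`. Existing call sites may then raise format warnings that need fixing; none of them are visible in this hunk.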
@@ -0,0 +1,88 @@ +From ba15ca978a3292802ca8ef2b6fb1a82e1a20dd6b Mon Sep 17 00:00:00 2001 +From: Wei Yang +Date: Fri, 30 Nov 2018 14:09:07 -0800 +Subject: mm/page_alloc.c: fix calculation of pgdat->nr_zones + +[ Upstream commit 8f416836c0d50b198cad1225132e5abebf8980dc ] + +init_currently_empty_zone() will adjust pgdat->nr_zones and set it to +'zone_idx(zone) + 1' unconditionally. This is correct in the normal +case, while not exact in hot-plug situation. + +This function is used in two places: + + * free_area_init_core() + * move_pfn_range_to_zone() + +In the first case, we are sure zone index increase monotonically. While +in the second one, this is under users control. + +One way to reproduce this is: +---------------------------- + +1. create a virtual machine with empty node1 + + -m 4G,slots=32,maxmem=32G \ + -smp 4,maxcpus=8 \ + -numa node,nodeid=0,mem=4G,cpus=0-3 \ + -numa node,nodeid=1,mem=0G,cpus=4-7 + +2. hot-add cpu 3-7 + + cpu-add [3-7] + +2. hot-add memory to nod1 + + object_add memory-backend-ram,id=ram0,size=1G + device_add pc-dimm,id=dimm0,memdev=ram0,node=1 + +3. online memory with following order + + echo online_movable > memory47/state + echo online > memory40/state + +After this, node1 will have its nr_zones equals to (ZONE_NORMAL + 1) +instead of (ZONE_MOVABLE + 1). + +Michal said: + "Having an incorrect nr_zones might result in all sorts of problems + which would be quite hard to debug (e.g. reclaim not considering the + movable zone). 
I do not expect many users would suffer from this it + but still this is trivial and obviously right thing to do so + backporting to the stable tree shouldn't be harmful (last famous + words)" + +Link: http://lkml.kernel.org/r/20181117022022.9956-1-richard.weiyang@gmail.com +Fixes: f1dd2cd13c4b ("mm, memory_hotplug: do not associate hotadded memory to zones until online") +Signed-off-by: Wei Yang +Acked-by: Michal Hocko +Reviewed-by: Oscar Salvador +Cc: Anshuman Khandual +Cc: Dave Hansen +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds + +Signed-off-by: Sasha Levin +--- + mm/page_alloc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index b721631d78ab..6a62b2421cdf 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -5733,8 +5733,10 @@ void __meminit init_currently_empty_zone(struct zone *zone, + unsigned long size) + { + struct pglist_data *pgdat = zone->zone_pgdat; ++ int zone_idx = zone_idx(zone) + 1; + +- pgdat->nr_zones = zone_idx(zone) + 1; ++ if (zone_idx > pgdat->nr_zones) ++ pgdat->nr_zones = zone_idx; + + zone->zone_start_pfn = zone_start_pfn; + +-- +2.19.1 + diff --git a/queue-4.19/net-hisilicon-remove-unexpected-free_netdev.patch b/queue-4.19/net-hisilicon-remove-unexpected-free_netdev.patch new file mode 100644 index 00000000000..4774da1e523 --- /dev/null +++ b/queue-4.19/net-hisilicon-remove-unexpected-free_netdev.patch 
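Review bot: The new local `int zone_idx = zone_idx(zone) + 1;` in init_currently_empty_zone() reuses the name of the zone_idx() helper it calls, and it holds a count (index plus one), not an index. It can only compile if zone_idx is a function-like macro, which this hunk does not show, and it is easy to misread. A distinct name would be clearer: `int nr_zones = zone_idx(zone) + 1;` followed by `if (nr_zones > pgdat->nr_zones)` and `pgdat->nr_zones = nr_zones;`. The function continues outside the hunk.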
@@ -0,0 +1,37 @@
+From e5d98c3955f998d0aac2e8d8cc6f094b9b517069 Mon Sep 17 00:00:00 2001
+From: Pan Bian
+Date: Wed, 28 Nov 2018 15:30:24 +0800
+Subject: net: hisilicon: remove unexpected free_netdev
+
+[ Upstream commit c758940158bf29fe14e9d0f89d5848f227b48134 ]
+
+The net device ndev is freed via free_netdev when failing to register
+the device. The control flow then jumps to the error handling code
+block. ndev is used and freed again. Resulting in a use-after-free bug.
+
+Signed-off-by: Pan Bian
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hip04_eth.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c
+index 14374a856d30..6127697ede12 100644
+--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
+@@ -914,10 +914,8 @@ static int hip04_mac_probe(struct platform_device *pdev)
+ }
+
+ ret = register_netdev(ndev);
+- if (ret) {
+- free_netdev(ndev);
++ if (ret)
+ goto alloc_fail;
+- }
+
+ return 0;
+
+--
+2.19.1
+
diff --git a/queue-4.19/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch b/queue-4.19/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch
new file mode 100644
index 00000000000..887954de22c
--- /dev/null
+++ b/queue-4.19/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch
@@ -0,0 +1,82 @@ +From 1774276589c0cb8e7e8ecbed4d8518eb6cc1cc26 Mon Sep 17 00:00:00 2001 +From: Lorenzo Bianconi +Date: Mon, 26 Nov 2018 15:07:16 +0100 +Subject: net: thunderx: fix NULL pointer dereference in nic_remove + +[ Upstream commit 24a6d2dd263bc910de018c78d1148b3e33b94512 ] + +Fix a possible NULL pointer dereference in nic_remove routine +removing the nicpf module if nic_probe fails. +The issue can be triggered with the following reproducer: + +$rmmod nicvf +$rmmod nicpf + +[ 521.412008] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000014 +[ 521.422777] Mem abort info: +[ 521.425561] ESR = 0x96000004 +[ 521.428624] Exception class = DABT (current EL), IL = 32 bits +[ 521.434535] SET = 0, FnV = 0 +[ 521.437579] EA = 0, S1PTW = 0 +[ 521.440730] Data abort info: +[ 521.443603] ISV = 0, ISS = 0x00000004 +[ 521.447431] CM = 0, WnR = 0 +[ 521.450417] user pgtable: 4k pages, 48-bit VAs, pgdp = 0000000072a3da42 +[ 521.457022] [0000000000000014] pgd=0000000000000000 +[ 521.461916] Internal error: Oops: 96000004 [#1] SMP +[ 521.511801] Hardware name: GIGABYTE H270-T70/MT70-HD0, BIOS T49 02/02/2018 +[ 521.518664] pstate: 80400005 (Nzcv daif +PAN -UAO) +[ 521.523451] pc : nic_remove+0x24/0x88 [nicpf] +[ 521.527808] lr : pci_device_remove+0x48/0xd8 +[ 521.532066] sp : ffff000013433cc0 +[ 521.535370] x29: ffff000013433cc0 x28: ffff810f6ac50000 +[ 521.540672] x27: 0000000000000000 x26: 0000000000000000 +[ 521.545974] x25: 0000000056000000 x24: 0000000000000015 +[ 521.551274] x23: ffff8007ff89a110 x22: ffff000001667070 +[ 521.556576] x21: ffff8007ffb170b0 x20: ffff8007ffb17000 +[ 521.561877] x19: 0000000000000000 x18: 0000000000000025 +[ 521.567178] x17: 0000000000000000 x16: 000000000000010ffc33ff98 x8 : 0000000000000000 +[ 521.593683] x7 : 0000000000000000 x6 : 0000000000000001 +[ 521.598983] x5 : 0000000000000002 x4 : 0000000000000003 +[ 521.604284] x3 : ffff8007ffb17184 x2 : ffff8007ffb17184 +[ 521.609585] x1 : 
ffff000001662118 x0 : ffff000008557be0 +[ 521.614887] Process rmmod (pid: 1897, stack limit = 0x00000000859535c3) +[ 521.621490] Call trace: +[ 521.623928] nic_remove+0x24/0x88 [nicpf] +[ 521.627927] pci_device_remove+0x48/0xd8 +[ 521.631847] device_release_driver_internal+0x1b0/0x248 +[ 521.637062] driver_detach+0x50/0xc0 +[ 521.640628] bus_remove_driver+0x60/0x100 +[ 521.644627] driver_unregister+0x34/0x60 +[ 521.648538] pci_unregister_driver+0x24/0xd8 +[ 521.652798] nic_cleanup_module+0x14/0x111c [nicpf] +[ 521.657672] __arm64_sys_delete_module+0x150/0x218 +[ 521.662460] el0_svc_handler+0x94/0x110 +[ 521.666287] el0_svc+0x8/0xc +[ 521.669160] Code: aa1e03e0 9102c295 d503201f f9404eb3 (b9401660) + +Fixes: 4863dea3fab0 ("net: Adding support for Cavium ThunderX network controller") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/nic_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/cavium/thunder/nic_main.c b/drivers/net/ethernet/cavium/thunder/nic_main.c +index 55af04fa03a7..6c8dcb65ff03 100644 +--- a/drivers/net/ethernet/cavium/thunder/nic_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nic_main.c +@@ -1441,6 +1441,9 @@ static void nic_remove(struct pci_dev *pdev) + { + struct nicpf *nic = pci_get_drvdata(pdev); + ++ if (!nic) ++ return; ++ + if (nic->flags & NIC_SRIOV_ENABLED) + pci_disable_sriov(pdev); + +-- +2.19.1 + diff --git a/queue-4.19/netfilter-add-missing-error-handling-code-for-regist.patch b/queue-4.19/netfilter-add-missing-error-handling-code-for-regist.patch new file mode 100644 index 00000000000..ff32a46622f --- /dev/null +++ b/queue-4.19/netfilter-add-missing-error-handling-code-for-regist.patch 
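Review bot: The new `if (!nic) return;` in nic_remove() returns before all of the teardown that follows, which lies outside the hunk. If any of that teardown does not depend on `nic` (PCI-level cleanup, for instance), it is skipped too, so it is worth confirming that nothing from a partially completed probe is left allocated on this path. The guard also gives no reason why drvdata can be NULL here; a comment such as `/* drvdata is NULL when nic_probe() did not complete */` would record the condition named in the commit message.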
@@ -0,0 +1,248 @@ +From c6430f7afdfc5bf934af176b551ac8928a567d9d Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Thu, 22 Nov 2018 19:59:46 +0900 +Subject: netfilter: add missing error handling code for register functions + +[ Upstream commit 584eab291c67894cb17cc87544b9d086228ea70f ] + +register_{netdevice/inetaddr/inet6addr}_notifier may return an error +value, this patch adds the code to handle these error paths. + +Signed-off-by: Taehee Yoo +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + .../net/netfilter/ipv4/nf_nat_masquerade.h | 2 +- + .../net/netfilter/ipv6/nf_nat_masquerade.h | 2 +- + net/ipv4/netfilter/ipt_MASQUERADE.c | 7 ++-- + net/ipv4/netfilter/nf_nat_masquerade_ipv4.c | 21 +++++++++--- + net/ipv4/netfilter/nft_masq_ipv4.c | 4 ++- + net/ipv6/netfilter/ip6t_MASQUERADE.c | 8 +++-- + net/ipv6/netfilter/nf_nat_masquerade_ipv6.c | 32 +++++++++++++------ + net/ipv6/netfilter/nft_masq_ipv6.c | 4 ++- + net/netfilter/nft_flow_offload.c | 5 ++- + 9 files changed, 63 insertions(+), 22 deletions(-) + +diff --git a/include/net/netfilter/ipv4/nf_nat_masquerade.h b/include/net/netfilter/ipv4/nf_nat_masquerade.h +index cd24be4c4a99..13d55206bb9f 100644 +--- a/include/net/netfilter/ipv4/nf_nat_masquerade.h ++++ b/include/net/netfilter/ipv4/nf_nat_masquerade.h +@@ -9,7 +9,7 @@ nf_nat_masquerade_ipv4(struct sk_buff *skb, unsigned int hooknum, + const struct nf_nat_range2 *range, + const struct net_device *out); + +-void nf_nat_masquerade_ipv4_register_notifier(void); ++int nf_nat_masquerade_ipv4_register_notifier(void); + void nf_nat_masquerade_ipv4_unregister_notifier(void); + + #endif /*_NF_NAT_MASQUERADE_IPV4_H_ */ +diff --git a/include/net/netfilter/ipv6/nf_nat_masquerade.h b/include/net/netfilter/ipv6/nf_nat_masquerade.h +index 0c3b5ebf0bb8..2917bf95c437 100644 +--- a/include/net/netfilter/ipv6/nf_nat_masquerade.h ++++ b/include/net/netfilter/ipv6/nf_nat_masquerade.h +@@ -5,7 +5,7 @@ + unsigned int + nf_nat_masquerade_ipv6(struct sk_buff *skb, 
const struct nf_nat_range2 *range, + const struct net_device *out); +-void nf_nat_masquerade_ipv6_register_notifier(void); ++int nf_nat_masquerade_ipv6_register_notifier(void); + void nf_nat_masquerade_ipv6_unregister_notifier(void); + + #endif /* _NF_NAT_MASQUERADE_IPV6_H_ */ +diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c +index ce1512b02cb2..fd3f9e8a74da 100644 +--- a/net/ipv4/netfilter/ipt_MASQUERADE.c ++++ b/net/ipv4/netfilter/ipt_MASQUERADE.c +@@ -81,9 +81,12 @@ static int __init masquerade_tg_init(void) + int ret; + + ret = xt_register_target(&masquerade_tg_reg); ++ if (ret) ++ return ret; + +- if (ret == 0) +- nf_nat_masquerade_ipv4_register_notifier(); ++ ret = nf_nat_masquerade_ipv4_register_notifier(); ++ if (ret) ++ xt_unregister_target(&masquerade_tg_reg); + + return ret; + } +diff --git a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c +index ad3aeff152ed..4a7c1f207d6e 100644 +--- a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c ++++ b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c +@@ -133,16 +133,29 @@ static struct notifier_block masq_inet_notifier = { + + static atomic_t masquerade_notifier_refcount = ATOMIC_INIT(0); + +-void nf_nat_masquerade_ipv4_register_notifier(void) ++int nf_nat_masquerade_ipv4_register_notifier(void) + { ++ int ret; ++ + /* check if the notifier was already set */ + if (atomic_inc_return(&masquerade_notifier_refcount) > 1) +- return; ++ return 0; + + /* Register for device down reports */ +- register_netdevice_notifier(&masq_dev_notifier); ++ ret = register_netdevice_notifier(&masq_dev_notifier); ++ if (ret) ++ goto err_dec; + /* Register IP address change reports */ +- register_inetaddr_notifier(&masq_inet_notifier); ++ ret = register_inetaddr_notifier(&masq_inet_notifier); ++ if (ret) ++ goto err_unregister; ++ ++ return ret; ++err_unregister: ++ unregister_netdevice_notifier(&masq_dev_notifier); ++err_dec: ++ 
atomic_dec(&masquerade_notifier_refcount); ++ return ret; + } + EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv4_register_notifier); + +diff --git a/net/ipv4/netfilter/nft_masq_ipv4.c b/net/ipv4/netfilter/nft_masq_ipv4.c +index f1193e1e928a..6847de1d1db8 100644 +--- a/net/ipv4/netfilter/nft_masq_ipv4.c ++++ b/net/ipv4/netfilter/nft_masq_ipv4.c +@@ -69,7 +69,9 @@ static int __init nft_masq_ipv4_module_init(void) + if (ret < 0) + return ret; + +- nf_nat_masquerade_ipv4_register_notifier(); ++ ret = nf_nat_masquerade_ipv4_register_notifier(); ++ if (ret) ++ nft_unregister_expr(&nft_masq_ipv4_type); + + return ret; + } +diff --git a/net/ipv6/netfilter/ip6t_MASQUERADE.c b/net/ipv6/netfilter/ip6t_MASQUERADE.c +index 491f808e356a..29c7f1915a96 100644 +--- a/net/ipv6/netfilter/ip6t_MASQUERADE.c ++++ b/net/ipv6/netfilter/ip6t_MASQUERADE.c +@@ -58,8 +58,12 @@ static int __init masquerade_tg6_init(void) + int err; + + err = xt_register_target(&masquerade_tg6_reg); +- if (err == 0) +- nf_nat_masquerade_ipv6_register_notifier(); ++ if (err) ++ return err; ++ ++ err = nf_nat_masquerade_ipv6_register_notifier(); ++ if (err) ++ xt_unregister_target(&masquerade_tg6_reg); + + return err; + } +diff --git a/net/ipv6/netfilter/nf_nat_masquerade_ipv6.c b/net/ipv6/netfilter/nf_nat_masquerade_ipv6.c +index e6eb7cf9b54f..10012fc687b6 100644 +--- a/net/ipv6/netfilter/nf_nat_masquerade_ipv6.c ++++ b/net/ipv6/netfilter/nf_nat_masquerade_ipv6.c +@@ -120,8 +120,8 @@ static void iterate_cleanup_work(struct work_struct *work) + * of ipv6 addresses being deleted), we also need to add an upper + * limit to the number of queued work items. 
+ */ +-static int masq_inet_event(struct notifier_block *this, +- unsigned long event, void *ptr) ++static int masq_inet6_event(struct notifier_block *this, ++ unsigned long event, void *ptr) + { + struct inet6_ifaddr *ifa = ptr; + const struct net_device *dev; +@@ -158,20 +158,34 @@ static int masq_inet_event(struct notifier_block *this, + return NOTIFY_DONE; + } + +-static struct notifier_block masq_inet_notifier = { +- .notifier_call = masq_inet_event, ++static struct notifier_block masq_inet6_notifier = { ++ .notifier_call = masq_inet6_event, + }; + + static atomic_t masquerade_notifier_refcount = ATOMIC_INIT(0); + +-void nf_nat_masquerade_ipv6_register_notifier(void) ++int nf_nat_masquerade_ipv6_register_notifier(void) + { ++ int ret; ++ + /* check if the notifier is already set */ + if (atomic_inc_return(&masquerade_notifier_refcount) > 1) +- return; ++ return 0; + +- register_netdevice_notifier(&masq_dev_notifier); +- register_inet6addr_notifier(&masq_inet_notifier); ++ ret = register_netdevice_notifier(&masq_dev_notifier); ++ if (ret) ++ goto err_dec; ++ ++ ret = register_inet6addr_notifier(&masq_inet6_notifier); ++ if (ret) ++ goto err_unregister; ++ ++ return ret; ++err_unregister: ++ unregister_netdevice_notifier(&masq_dev_notifier); ++err_dec: ++ atomic_dec(&masquerade_notifier_refcount); ++ return ret; + } + EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv6_register_notifier); + +@@ -181,7 +195,7 @@ void nf_nat_masquerade_ipv6_unregister_notifier(void) + if (atomic_dec_return(&masquerade_notifier_refcount) > 0) + return; + +- unregister_inet6addr_notifier(&masq_inet_notifier); ++ unregister_inet6addr_notifier(&masq_inet6_notifier); + unregister_netdevice_notifier(&masq_dev_notifier); + } + EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv6_unregister_notifier); +diff --git a/net/ipv6/netfilter/nft_masq_ipv6.c b/net/ipv6/netfilter/nft_masq_ipv6.c +index dd0122f3cffe..e06c82e9dfcd 100644 +--- a/net/ipv6/netfilter/nft_masq_ipv6.c ++++ b/net/ipv6/netfilter/nft_masq_ipv6.c 
+@@ -70,7 +70,9 @@ static int __init nft_masq_ipv6_module_init(void) + if (ret < 0) + return ret; + +- nf_nat_masquerade_ipv6_register_notifier(); ++ ret = nf_nat_masquerade_ipv6_register_notifier(); ++ if (ret) ++ nft_unregister_expr(&nft_masq_ipv6_type); + + return ret; + } +diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c +index d6bab8c3cbb0..5fd4c57c79cc 100644 +--- a/net/netfilter/nft_flow_offload.c ++++ b/net/netfilter/nft_flow_offload.c +@@ -214,7 +214,9 @@ static int __init nft_flow_offload_module_init(void) + { + int err; + +- register_netdevice_notifier(&flow_offload_netdev_notifier); ++ err = register_netdevice_notifier(&flow_offload_netdev_notifier); ++ if (err) ++ goto err; + + err = nft_register_expr(&nft_flow_offload_type); + if (err < 0) +@@ -224,6 +226,7 @@ static int __init nft_flow_offload_module_init(void) + + register_expr: + unregister_netdevice_notifier(&flow_offload_netdev_notifier); ++err: + return err; + } + +-- +2.19.1 + diff --git a/queue-4.19/netfilter-ipv6-preserve-link-scope-traffic-original-.patch b/queue-4.19/netfilter-ipv6-preserve-link-scope-traffic-original-.patch new file mode 100644 index 00000000000..dcaf2fafc0a --- /dev/null +++ b/queue-4.19/netfilter-ipv6-preserve-link-scope-traffic-original-.patch 
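Review bot: In nf_nat_masquerade_ipv4_register_notifier(), and in the same way in the ipv6 variant, the counter is incremented before the notifiers are registered. A second caller that sees a value above 1 returns 0 while the first caller may still be registering, or may be about to fail and roll back through `err_dec`, so the second caller can report success with no notifier in place. An atomic counter alone cannot order these steps; the count and the registration need to change under one lock, which is what the next patch in this queue ("fix double register in masquerade modules") describes doing with a mutex. Separately, the success path `return ret;` after the second registration would read more plainly as `return 0;`.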
@@ -0,0 +1,40 @@
+From 3de772a245ca92d97209c19dc2258226a38e4c71 Mon Sep 17 00:00:00 2001
+From: Alin Nastac
+Date: Wed, 21 Nov 2018 14:00:30 +0100
+Subject: netfilter: ipv6: Preserve link scope traffic original oif
+
+[ Upstream commit 508b09046c0f21678652fb66fd1e9959d55591d2 ]
+
+When ip6_route_me_harder is invoked, it resets outgoing interface of:
+ - link-local scoped packets sent by neighbor discovery
+ - multicast packets sent by MLD host
+ - multicast packets send by MLD proxy daemon that sets outgoing
+ interface through IPV6_PKTINFO ipi6_ifindex
+
+Link-local and multicast packets must keep their original oif after
+ip6_route_me_harder is called.
+
+Signed-off-by: Alin Nastac
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/netfilter.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
+index 5ae8e1c51079..8b075f0bc351 100644
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -24,7 +24,8 @@ int ip6_route_me_harder(struct net *net, struct sk_buff *skb)
+ unsigned int hh_len;
+ struct dst_entry *dst;
+ struct flowi6 fl6 = {
+- .flowi6_oif = sk ? sk->sk_bound_dev_if : 0,
++ .flowi6_oif = sk && sk->sk_bound_dev_if ? sk->sk_bound_dev_if :
++ rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0,
+ .flowi6_mark = skb->mark,
+ .flowi6_uid = sock_net_uid(net, sk),
+ .daddr = iph->daddr,
+--
+2.19.1
+
diff --git a/queue-4.19/netfilter-nat-fix-double-register-in-masquerade-modu.patch b/queue-4.19/netfilter-nat-fix-double-register-in-masquerade-modu.patch
new file mode 100644
index 00000000000..afd9e67b5ea
--- /dev/null
+++ b/queue-4.19/netfilter-nat-fix-double-register-in-masquerade-modu.patch
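Review bot: The new `.flowi6_oif` initializer in ip6_route_me_harder() dereferences `skb_dst(skb)->dev` for every destination that `rt6_need_strict()` accepts, without checking that the skb still carries a dst entry; whether a dst is guaranteed on every path that reaches this function is not visible in the hunk, so the assumption should be stated or guarded. The chained conditional is also hard to read as written: parenthesising the inner arm, `(rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0)`, and adding a comment such as `/* link-local/multicast: keep the oif the packet was already routed on */` would make the precedence and the intent explicit. The function body continues outside the hunk.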
@@ -0,0 +1,208 @@ +From 9207dc81ad2b5495206d0554c826bf2767ee6535 Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Thu, 22 Nov 2018 19:59:57 +0900 +Subject: netfilter: nat: fix double register in masquerade modules + +[ Upstream commit 095faf45e64be00bff4da2d6182dface3d69c9b7 ] + +There is a reference counter to ensure that masquerade modules register +notifiers only once. However, the existing reference counter approach is +not safe, test commands are: + + while : + do + modprobe ip6t_MASQUERADE & + modprobe nft_masq_ipv6 & + modprobe -rv ip6t_MASQUERADE & + modprobe -rv nft_masq_ipv6 & + done + +numbers below represent the reference counter. +-------------------------------------------------------- +CPU0 CPU1 CPU2 CPU3 CPU4 +[insmod] [insmod] [rmmod] [rmmod] [insmod] +-------------------------------------------------------- +0->1 +register 1->2 + returns 2->1 + returns 1->0 + 0->1 + register <-- + unregister +-------------------------------------------------------- + +The unregistation of CPU3 should be processed before the +registration of CPU4. + +In order to fix this, use a mutex instead of reference counter. + +splat looks like: +[ 323.869557] watchdog: BUG: soft lockup - CPU#0 stuck for 22s! 
[modprobe:1381] +[ 323.869574] Modules linked in: nf_tables(+) nf_nat_ipv6(-) nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 n] +[ 323.869574] irq event stamp: 194074 +[ 323.898930] hardirqs last enabled at (194073): [] trace_hardirqs_on_thunk+0x1a/0x1c +[ 323.898930] hardirqs last disabled at (194074): [] trace_hardirqs_off_thunk+0x1a/0x1c +[ 323.898930] softirqs last enabled at (182132): [] __do_softirq+0x6ec/0xa3b +[ 323.898930] softirqs last disabled at (182109): [] irq_exit+0x1a6/0x1e0 +[ 323.898930] CPU: 0 PID: 1381 Comm: modprobe Not tainted 4.20.0-rc2+ #27 +[ 323.898930] RIP: 0010:raw_notifier_chain_register+0xea/0x240 +[ 323.898930] Code: 3c 03 0f 8e f2 00 00 00 44 3b 6b 10 7f 4d 49 bc 00 00 00 00 00 fc ff df eb 22 48 8d 7b 10 488 +[ 323.898930] RSP: 0018:ffff888101597218 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13 +[ 323.898930] RAX: 0000000000000000 RBX: ffffffffc04361c0 RCX: 0000000000000000 +[ 323.898930] RDX: 1ffffffff26132ae RSI: ffffffffc04aa3c0 RDI: ffffffffc04361d0 +[ 323.898930] RBP: ffffffffc04361c8 R08: 0000000000000000 R09: 0000000000000001 +[ 323.898930] R10: ffff8881015972b0 R11: fffffbfff26132c4 R12: dffffc0000000000 +[ 323.898930] R13: 0000000000000000 R14: 1ffff110202b2e44 R15: ffffffffc04aa3c0 +[ 323.898930] FS: 00007f813ed41540(0000) GS:ffff88811ae00000(0000) knlGS:0000000000000000 +[ 323.898930] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 323.898930] CR2: 0000559bf2c9f120 CR3: 000000010bc80000 CR4: 00000000001006f0 +[ 323.898930] Call Trace: +[ 323.898930] ? atomic_notifier_chain_register+0x2d0/0x2d0 +[ 323.898930] ? down_read+0x150/0x150 +[ 323.898930] ? sched_clock_cpu+0x126/0x170 +[ 323.898930] ? nf_tables_core_module_init+0xe4/0xe4 [nf_tables] +[ 323.898930] ? nf_tables_core_module_init+0xe4/0xe4 [nf_tables] +[ 323.898930] register_netdevice_notifier+0xbb/0x790 +[ 323.898930] ? __dev_close_many+0x2d0/0x2d0 +[ 323.898930] ? __mutex_unlock_slowpath+0x17f/0x740 +[ 323.898930] ? 
wait_for_completion+0x710/0x710 +[ 323.898930] ? nf_tables_core_module_init+0xe4/0xe4 [nf_tables] +[ 323.898930] ? up_write+0x6c/0x210 +[ 323.898930] ? nf_tables_core_module_init+0xe4/0xe4 [nf_tables] +[ 324.127073] ? nf_tables_core_module_init+0xe4/0xe4 [nf_tables] +[ 324.127073] nft_chain_filter_init+0x1e/0xe8a [nf_tables] +[ 324.127073] nf_tables_module_init+0x37/0x92 [nf_tables] +[ ... ] + +Fixes: 8dd33cc93ec9 ("netfilter: nf_nat: generalize IPv4 masquerading support for nf_tables") +Fixes: be6b635cd674 ("netfilter: nf_nat: generalize IPv6 masquerading support for nf_tables") +Signed-off-by: Taehee Yoo +Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Sasha Levin +--- + net/ipv4/netfilter/nf_nat_masquerade_ipv4.c | 23 ++++++++++++++------- + net/ipv6/netfilter/nf_nat_masquerade_ipv6.c | 23 ++++++++++++++------- + 2 files changed, 32 insertions(+), 14 deletions(-) + +diff --git a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c +index 4a7c1f207d6e..4c7fcd32f8e6 100644 +--- a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c ++++ b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c +@@ -131,15 +131,17 @@ static struct notifier_block masq_inet_notifier = { + .notifier_call = masq_inet_event, + }; + +-static atomic_t masquerade_notifier_refcount = ATOMIC_INIT(0); ++static int masq_refcnt; ++static DEFINE_MUTEX(masq_mutex); + + int nf_nat_masquerade_ipv4_register_notifier(void) + { +- int ret; ++ int ret = 0; + ++ mutex_lock(&masq_mutex); + /* check if the notifier was already set */ +- if (atomic_inc_return(&masquerade_notifier_refcount) > 1) +- return 0; ++ if (++masq_refcnt > 1) ++ goto out_unlock; + + /* Register for device down reports */ + ret = register_netdevice_notifier(&masq_dev_notifier); +@@ -150,22 +152,29 @@ int nf_nat_masquerade_ipv4_register_notifier(void) + if (ret) + goto err_unregister; + ++ mutex_unlock(&masq_mutex); + return ret; ++ + err_unregister: + unregister_netdevice_notifier(&masq_dev_notifier); + err_dec: +- 
atomic_dec(&masquerade_notifier_refcount); ++ masq_refcnt--; ++out_unlock: ++ mutex_unlock(&masq_mutex); + return ret; + } + EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv4_register_notifier); + + void nf_nat_masquerade_ipv4_unregister_notifier(void) + { ++ mutex_lock(&masq_mutex); + /* check if the notifier still has clients */ +- if (atomic_dec_return(&masquerade_notifier_refcount) > 0) +- return; ++ if (--masq_refcnt > 0) ++ goto out_unlock; + + unregister_netdevice_notifier(&masq_dev_notifier); + unregister_inetaddr_notifier(&masq_inet_notifier); ++out_unlock: ++ mutex_unlock(&masq_mutex); + } + EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv4_unregister_notifier); +diff --git a/net/ipv6/netfilter/nf_nat_masquerade_ipv6.c b/net/ipv6/netfilter/nf_nat_masquerade_ipv6.c +index 10012fc687b6..37b1d413c825 100644 +--- a/net/ipv6/netfilter/nf_nat_masquerade_ipv6.c ++++ b/net/ipv6/netfilter/nf_nat_masquerade_ipv6.c +@@ -162,15 +162,17 @@ static struct notifier_block masq_inet6_notifier = { + .notifier_call = masq_inet6_event, + }; + +-static atomic_t masquerade_notifier_refcount = ATOMIC_INIT(0); ++static int masq_refcnt; ++static DEFINE_MUTEX(masq_mutex); + + int nf_nat_masquerade_ipv6_register_notifier(void) + { +- int ret; ++ int ret = 0; + ++ mutex_lock(&masq_mutex); + /* check if the notifier is already set */ +- if (atomic_inc_return(&masquerade_notifier_refcount) > 1) +- return 0; ++ if (++masq_refcnt > 1) ++ goto out_unlock; + + ret = register_netdevice_notifier(&masq_dev_notifier); + if (ret) +@@ -180,22 +182,29 @@ int nf_nat_masquerade_ipv6_register_notifier(void) + if (ret) + goto err_unregister; + ++ mutex_unlock(&masq_mutex); + return ret; ++ + err_unregister: + unregister_netdevice_notifier(&masq_dev_notifier); + err_dec: +- atomic_dec(&masquerade_notifier_refcount); ++ masq_refcnt--; ++out_unlock: ++ mutex_unlock(&masq_mutex); + return ret; + } + EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv6_register_notifier); + + void nf_nat_masquerade_ipv6_unregister_notifier(void) + { 
++ mutex_lock(&masq_mutex); + /* check if the notifier still has clients */ +- if (atomic_dec_return(&masquerade_notifier_refcount) > 0) +- return; ++ if (--masq_refcnt > 0) ++ goto out_unlock; + + unregister_inet6addr_notifier(&masq_inet6_notifier); + unregister_netdevice_notifier(&masq_dev_notifier); ++out_unlock: ++ mutex_unlock(&masq_mutex); + } + EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv6_unregister_notifier); +-- +2.19.1 + diff --git a/queue-4.19/netfilter-nf_conncount-fix-list_del-corruption-in-co.patch b/queue-4.19/netfilter-nf_conncount-fix-list_del-corruption-in-co.patch new file mode 100644 index 00000000000..de637c7d16f --- /dev/null +++ b/queue-4.19/netfilter-nf_conncount-fix-list_del-corruption-in-co.patch 
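Review bot: In nf_nat_masquerade_ipv4_register_notifier() and its ipv6 twin the success path carries its own `mutex_unlock(&masq_mutex); return ret;` next to the shared `out_unlock:` exit, so each function releases the lock in two places; replacing that pair with `goto out_unlock;` leaves a single unlock site that a later edit cannot miss. `masq_refcnt` is now a plain int, and `if (--masq_refcnt > 0)` in both unregister functions goes on to unregister the notifiers when the count was already zero, for instance after an unbalanced call; a guard before the decrement such as `if (WARN_ON_ONCE(masq_refcnt <= 0)) goto out_unlock;` would make that visible, assuming no caller depends on the current behaviour. A comment at the declaration, `/* masq_mutex protects masq_refcnt and serialises notifier (un)registration */`, would record what the lock covers.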
@@ -0,0 +1,103 @@ +From fc2d841cf9269dfa5146ec7f09a859b0994c3ff0 Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Mon, 5 Nov 2018 03:44:11 +0900 +Subject: netfilter: nf_conncount: fix list_del corruption in conn_free + +[ Upstream commit 31568ec09ea02a050249921698c9729419539cce ] + +nf_conncount_tuple is an element of nft_connlimit and that is deleted by +conn_free(). Elements can be deleted by both GC routine and data path +functions (nf_conncount_lookup, nf_conncount_add) and they call +conn_free() to free elements. But conn_free() only protects lists, not +each element. So that list_del corruption could occurred. + +The conn_free() doesn't check whether element is already deleted. In +order to protect elements, dead flag is added. If an element is deleted, +dead flag is set. The only conn_free() can delete elements so that both +list lock and dead flag are enough to protect it. + +test commands: + %nft add table ip filter + %nft add chain ip filter input { type filter hook input priority 0\; } + %nft add rule filter input meter test { ip id ct count over 2 } counter + +splat looks like: +[ 1779.495778] list_del corruption, ffff8800b6e12008->prev is LIST_POISON2 (dead000000000200) +[ 1779.505453] ------------[ cut here ]------------ +[ 1779.506260] kernel BUG at lib/list_debug.c:50! 
+[ 1779.515831] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI +[ 1779.516772] CPU: 0 PID: 33 Comm: kworker/0:2 Not tainted 4.19.0-rc6+ #22 +[ 1779.516772] Workqueue: events_power_efficient nft_rhash_gc [nf_tables_set] +[ 1779.516772] RIP: 0010:__list_del_entry_valid+0xd8/0x150 +[ 1779.516772] Code: 39 48 83 c4 08 b8 01 00 00 00 5b 5d c3 48 89 ea 48 c7 c7 00 c3 5b 98 e8 0f dc 40 ff 0f 0b 48 c7 c7 60 c3 5b 98 e8 01 dc 40 ff <0f> 0b 48 c7 c7 c0 c3 5b 98 e8 f3 db 40 ff 0f 0b 48 c7 c7 20 c4 5b +[ 1779.516772] RSP: 0018:ffff880119127420 EFLAGS: 00010286 +[ 1779.516772] RAX: 000000000000004e RBX: dead000000000200 RCX: 0000000000000000 +[ 1779.516772] RDX: 000000000000004e RSI: 0000000000000008 RDI: ffffed0023224e7a +[ 1779.516772] RBP: ffff88011934bc10 R08: ffffed002367cea9 R09: ffffed002367cea9 +[ 1779.516772] R10: 0000000000000001 R11: ffffed002367cea8 R12: ffff8800b6e12008 +[ 1779.516772] R13: ffff8800b6e12010 R14: ffff88011934bc20 R15: ffff8800b6e12008 +[ 1779.516772] FS: 0000000000000000(0000) GS:ffff88011b200000(0000) knlGS:0000000000000000 +[ 1779.516772] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1779.516772] CR2: 00007fc876534010 CR3: 000000010da16000 CR4: 00000000001006f0 +[ 1779.516772] Call Trace: +[ 1779.516772] conn_free+0x9f/0x2b0 [nf_conncount] +[ 1779.516772] ? nf_ct_tmpl_alloc+0x2a0/0x2a0 [nf_conntrack] +[ 1779.516772] ? nf_conncount_add+0x520/0x520 [nf_conncount] +[ 1779.516772] ? do_raw_spin_trylock+0x1a0/0x1a0 +[ 1779.516772] ? do_raw_spin_trylock+0x10/0x1a0 +[ 1779.516772] find_or_evict+0xe5/0x150 [nf_conncount] +[ 1779.516772] nf_conncount_gc_list+0x162/0x360 [nf_conncount] +[ 1779.516772] ? nf_conncount_lookup+0xee0/0xee0 [nf_conncount] +[ 1779.516772] ? _raw_spin_unlock_irqrestore+0x45/0x50 +[ 1779.516772] ? trace_hardirqs_off+0x6b/0x220 +[ 1779.516772] ? trace_hardirqs_on_caller+0x220/0x220 +[ 1779.516772] nft_rhash_gc+0x16b/0x540 [nf_tables_set] +[ ... 
] + +Fixes: 5c789e131cbb ("netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search") +Signed-off-by: Taehee Yoo +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conncount.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c +index 71b1f4f99580..cb33709138df 100644 +--- a/net/netfilter/nf_conncount.c ++++ b/net/netfilter/nf_conncount.c +@@ -49,6 +49,7 @@ struct nf_conncount_tuple { + struct nf_conntrack_zone zone; + int cpu; + u32 jiffies32; ++ bool dead; + struct rcu_head rcu_head; + }; + +@@ -106,6 +107,7 @@ nf_conncount_add(struct nf_conncount_list *list, + conn->zone = *zone; + conn->cpu = raw_smp_processor_id(); + conn->jiffies32 = (u32)jiffies; ++ conn->dead = false; + spin_lock_bh(&list->list_lock); + if (list->dead == true) { + kmem_cache_free(conncount_conn_cachep, conn); +@@ -134,12 +136,13 @@ static bool conn_free(struct nf_conncount_list *list, + + spin_lock_bh(&list->list_lock); + +- if (list->count == 0) { ++ if (conn->dead) { + spin_unlock_bh(&list->list_lock); +- return free_entry; ++ return free_entry; + } + + list->count--; ++ conn->dead = true; + list_del_rcu(&conn->node); + if (list->count == 0) + free_entry = true; +-- +2.19.1 + diff --git a/queue-4.19/netfilter-nf_conncount-fix-unexpected-permanent-node.patch b/queue-4.19/netfilter-nf_conncount-fix-unexpected-permanent-node.patch new file mode 100644 index 00000000000..f38f1a7dbb4 --- /dev/null +++ b/queue-4.19/netfilter-nf_conncount-fix-unexpected-permanent-node.patch 
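Review bot: The new `if (conn->dead)` test in conn_free() reads a field of an element that an earlier conn_free() call may already have handed to `call_rcu(&conn->rcu_head, __conn_free)`, so the check is only safe while every caller still holds the element inside an RCU read-side section; that is not visible in these hunks and should be stated where the flag is tested. A comment on the new member, e.g. `bool dead; /* set once by conn_free() under list->list_lock */`, would record the locking rule next to the field. conn_free() and nf_conncount_add() both continue outside the hunks.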
@@ -0,0 +1,85 @@ +From 3b676aa685ed43e0da4752f3b9f83344560d1e99 Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Mon, 5 Nov 2018 03:44:39 +0900 +Subject: netfilter: nf_conncount: fix unexpected permanent node of list. + +[ Upstream commit 3c5cdb17c3be76714dfd0d03e384f70579545614 ] + +When list->count is 0, the list is deleted by GC. But list->count is +never reached 0 because initial count value is 1 and it is increased +when node is inserted. So that initial value of list->count should be 0. + +Originally GC always finds zero count list through deleting node and +decreasing count. However, list may be left empty since node insertion +may fail eg. allocaton problem. In order to solve this problem, GC +routine also finds zero count list without deleting node. + +Fixes: cb2b36f5a97d ("netfilter: nf_conncount: Switch to plain list") +Signed-off-by: Taehee Yoo +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conncount.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c +index cb33709138df..8acae4a3e4c0 100644 +--- a/net/netfilter/nf_conncount.c ++++ b/net/netfilter/nf_conncount.c +@@ -144,8 +144,10 @@ static bool conn_free(struct nf_conncount_list *list, + list->count--; + conn->dead = true; + list_del_rcu(&conn->node); +- if (list->count == 0) ++ if (list->count == 0) { ++ list->dead = true; + free_entry = true; ++ } + + spin_unlock_bh(&list->list_lock); + call_rcu(&conn->rcu_head, __conn_free); +@@ -248,7 +250,7 @@ void nf_conncount_list_init(struct nf_conncount_list *list) + { + spin_lock_init(&list->list_lock); + INIT_LIST_HEAD(&list->head); +- list->count = 1; ++ list->count = 0; + list->dead = false; + } + EXPORT_SYMBOL_GPL(nf_conncount_list_init); +@@ -262,6 +264,7 @@ bool nf_conncount_gc_list(struct net *net, + struct nf_conn *found_ct; + unsigned int collected = 0; + bool free_entry = false; ++ bool ret = false; + + 
list_for_each_entry_safe(conn, conn_n, &list->head, node) { + found = find_or_evict(net, list, conn, &free_entry); +@@ -291,7 +294,15 @@ bool nf_conncount_gc_list(struct net *net, + if (collected > CONNCOUNT_GC_MAX_NODES) + return false; + } +- return false; ++ ++ spin_lock_bh(&list->list_lock); ++ if (!list->count) { ++ list->dead = true; ++ ret = true; ++ } ++ spin_unlock_bh(&list->list_lock); ++ ++ return ret; + } + EXPORT_SYMBOL_GPL(nf_conncount_gc_list); + +@@ -417,6 +428,7 @@ insert_tree(struct net *net, + nf_conncount_list_init(&rbconn->list); + list_add(&conn->node, &rbconn->list.head); + count = 1; ++ rbconn->list.count = count; + + rb_link_node(&rbconn->node, parent, rbnode); + rb_insert_color(&rbconn->node, root); +-- +2.19.1 + diff --git a/queue-4.19/netfilter-nf_conncount-remove-wrong-condition-check-.patch b/queue-4.19/netfilter-nf_conncount-remove-wrong-condition-check-.patch new file mode 100644 index 00000000000..3c63eb92415 --- /dev/null +++ b/queue-4.19/netfilter-nf_conncount-remove-wrong-condition-check-.patch 
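Review bot: After this change nf_conncount_list_init() leaves `count` at 0, so a caller that links the first element by hand has to account for it itself, which insert_tree() now does with `rbconn->list.count = count;` after `list_add()`; nothing in the code says so. A comment at that assignment, e.g. `/* list_init starts at 0; account for the conn added by hand above */`, would keep the next user of nf_conncount_list_init() from creating a list whose count never matches its length. In nf_conncount_gc_list() the early `return false` for `collected > CONNCOUNT_GC_MAX_NODES` still bypasses the new empty-list check under `list_lock`, which looks intended but deserves a word in a comment there. Both functions continue outside the hunks.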
@@ -0,0 +1,42 @@
+From 46360cc58485b23f37664053c0548527ac15fab9 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo
+Date: Sun, 25 Nov 2018 18:47:13 +0900
+Subject: netfilter: nf_conncount: remove wrong condition check routine
+
+[ Upstream commit 53ca0f2fec39c80ccd19e6e3f30cc8daef174b70 ]
+
+All lists that reach the tree_nodes_free() function have both zero
+counter and true dead flag. The reason for this is that lists to be
+release are selected by nf_conncount_gc_list() which already decrements
+the list counter and sets on the dead flag. Therefore, this if statement
+in tree_nodes_free() is unnecessary and wrong.
+
+Fixes: 31568ec09ea0 ("netfilter: nf_conncount: fix list_del corruption in conn_free")
+Signed-off-by: Taehee Yoo
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conncount.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
+index 8acae4a3e4c0..b6d0f6deea86 100644
+--- a/net/netfilter/nf_conncount.c
++++ b/net/netfilter/nf_conncount.c
+@@ -323,11 +323,8 @@ static void tree_nodes_free(struct rb_root *root,
+ while (gc_count) {
+ rbconn = gc_nodes[--gc_count];
+ spin_lock(&rbconn->list.list_lock);
+- if (rbconn->list.count == 0 && rbconn->list.dead == false) {
+- rbconn->list.dead = true;
+- rb_erase(&rbconn->node, root);
+- call_rcu(&rbconn->rcu_head, __tree_nodes_free);
+- }
++ rb_erase(&rbconn->node, root);
++ call_rcu(&rbconn->rcu_head, __tree_nodes_free);
+ spin_unlock(&rbconn->list.list_lock);
+ }
+ }
+--
+2.19.1
+
diff --git a/queue-4.19/netfilter-nf_conncount-use-spin_lock_bh-instead-of-s.patch b/queue-4.19/netfilter-nf_conncount-use-spin_lock_bh-instead-of-s.patch
new file mode 100644
index 00000000000..c705a276dec
--- /dev/null
+++ b/queue-4.19/netfilter-nf_conncount-use-spin_lock_bh-instead-of-s.patch
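Review bot: tree_nodes_free() now erases and frees every entry of `gc_nodes` unconditionally, so its safety rests entirely on the invariant named in the commit message (zero count and `dead` set for every collected node), which the code no longer checks or documents. A comment before the `rb_erase()` call, e.g. `/* nodes in gc_nodes were already marked dead by nf_conncount_gc_list() */`, together with `WARN_ON_ONCE(!rbconn->list.dead);` would make a broken invariant visible instead of silently freeing a list that is still in use. The function begins outside the hunk.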
@@ -0,0 +1,105 @@ +From 0836e35ed65aaa1e8ef08d8b01b96b3ca87c432d Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Mon, 5 Nov 2018 03:43:19 +0900 +Subject: netfilter: nf_conncount: use spin_lock_bh instead of spin_lock + +[ Upstream commit fd3e71a9f71e232181a225301a75936373636ccc ] + +conn_free() holds lock with spin_lock() and it is called by both +nf_conncount_lookup() and nf_conncount_gc_list(). nf_conncount_lookup() +is called from bottom-half context and nf_conncount_gc_list() from +process context. So that spin_lock() call is not safe. Hence +conn_free() should use spin_lock_bh() instead of spin_lock(). + +test commands: + %nft add table ip filter + %nft add chain ip filter input { type filter hook input priority 0\; } + %nft add rule filter input meter test { ip saddr ct count over 2 } \ + counter + +splat looks like: +[ 461.996507] ================================ +[ 461.998999] WARNING: inconsistent lock state +[ 461.998999] 4.19.0-rc6+ #22 Not tainted +[ 461.998999] -------------------------------- +[ 461.998999] inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. +[ 461.998999] kworker/0:2/134 [HC0[0]:SC0[0]:HE1:SE1] takes: +[ 461.998999] 00000000a71a559a (&(&list->list_lock)->rlock){+.?.}, at: conn_free+0x69/0x2b0 [nf_conncount] +[ 461.998999] {IN-SOFTIRQ-W} state was registered at: +[ 461.998999] _raw_spin_lock+0x30/0x70 +[ 461.998999] nf_conncount_add+0x28a/0x520 [nf_conncount] +[ 461.998999] nft_connlimit_eval+0x401/0x580 [nft_connlimit] +[ 461.998999] nft_dynset_eval+0x32b/0x590 [nf_tables] +[ 461.998999] nft_do_chain+0x497/0x1430 [nf_tables] +[ 461.998999] nft_do_chain_ipv4+0x255/0x330 [nf_tables] +[ 461.998999] nf_hook_slow+0xb1/0x160 +[ ... 
] +[ 461.998999] other info that might help us debug this: +[ 461.998999] Possible unsafe locking scenario: +[ 461.998999] +[ 461.998999] CPU0 +[ 461.998999] ---- +[ 461.998999] lock(&(&list->list_lock)->rlock); +[ 461.998999] +[ 461.998999] lock(&(&list->list_lock)->rlock); +[ 461.998999] +[ 461.998999] *** DEADLOCK *** +[ 461.998999] +[ ... ] + +Fixes: 5c789e131cbb ("netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search") +Signed-off-by: Taehee Yoo +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conncount.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c +index 02ca7df793f5..71b1f4f99580 100644 +--- a/net/netfilter/nf_conncount.c ++++ b/net/netfilter/nf_conncount.c +@@ -106,15 +106,15 @@ nf_conncount_add(struct nf_conncount_list *list, + conn->zone = *zone; + conn->cpu = raw_smp_processor_id(); + conn->jiffies32 = (u32)jiffies; +- spin_lock(&list->list_lock); ++ spin_lock_bh(&list->list_lock); + if (list->dead == true) { + kmem_cache_free(conncount_conn_cachep, conn); +- spin_unlock(&list->list_lock); ++ spin_unlock_bh(&list->list_lock); + return NF_CONNCOUNT_SKIP; + } + list_add_tail(&conn->node, &list->head); + list->count++; +- spin_unlock(&list->list_lock); ++ spin_unlock_bh(&list->list_lock); + return NF_CONNCOUNT_ADDED; + } + EXPORT_SYMBOL_GPL(nf_conncount_add); +@@ -132,10 +132,10 @@ static bool conn_free(struct nf_conncount_list *list, + { + bool free_entry = false; + +- spin_lock(&list->list_lock); ++ spin_lock_bh(&list->list_lock); + + if (list->count == 0) { +- spin_unlock(&list->list_lock); ++ spin_unlock_bh(&list->list_lock); + return free_entry; + } + +@@ -144,7 +144,7 @@ static bool conn_free(struct nf_conncount_list *list, + if (list->count == 0) + free_entry = true; + +- spin_unlock(&list->list_lock); ++ spin_unlock_bh(&list->list_lock); + call_rcu(&conn->rcu_head, __conn_free); + 
return free_entry; + } +-- +2.19.1 + diff --git a/queue-4.19/netfilter-nf_tables-deactivate-expressions-in-rule-r.patch b/queue-4.19/netfilter-nf_tables-deactivate-expressions-in-rule-r.patch new file mode 100644 index 00000000000..cce2a0b0c41 --- /dev/null +++ b/queue-4.19/netfilter-nf_tables-deactivate-expressions-in-rule-r.patch 
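Review bot: The conversion covers the `list_lock` sections in nf_conncount_add() and conn_free(), but the commit states no rule for other takers of the same lock; tree_nodes_free(), shown in another patch of this queue, still takes it with plain `spin_lock(&rbconn->list.list_lock)`. If that path always runs with bottom halves already disabled this is fine, but the hunks do not show it, so it should be confirmed. A comment at the lock's declaration such as `/* taken from softirq and process context: use the _bh variants */` would state the rule that lockdep is enforcing here. Both functions continue outside the hunks.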
@@ -0,0 +1,94 @@ +From c6bfb45ccb834dfe7970fddc084e7aeb88548377 Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Wed, 28 Nov 2018 11:27:28 +0900 +Subject: netfilter: nf_tables: deactivate expressions in rule replecement + routine + +[ Upstream commit ca08987885a147643817d02bf260bc4756ce8cd4 ] + +There is no expression deactivation call from the rule replacement path, +hence, chain counter is not decremented. A few steps to reproduce the +problem: + + %nft add table ip filter + %nft add chain ip filter c1 + %nft add chain ip filter c1 + %nft add rule ip filter c1 jump c2 + %nft replace rule ip filter c1 handle 3 accept + %nft flush ruleset + + expression means immediate NFT_JUMP to chain c2. +Reference count of chain c2 is increased when the rule is added. + +When rule is deleted or replaced, the reference counter of c2 should be +decreased via nft_rule_expr_deactivate() which calls +nft_immediate_deactivate(). + +Splat looks like: +[ 214.396453] WARNING: CPU: 1 PID: 21 at net/netfilter/nf_tables_api.c:1432 nf_tables_chain_destroy.isra.38+0x2f9/0x3a0 [nf_tables] +[ 214.398983] Modules linked in: nf_tables nfnetlink +[ 214.398983] CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 4.20.0-rc2+ #44 +[ 214.398983] Workqueue: events nf_tables_trans_destroy_work [nf_tables] +[ 214.398983] RIP: 0010:nf_tables_chain_destroy.isra.38+0x2f9/0x3a0 [nf_tables] +[ 214.398983] Code: 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 8e 00 00 00 48 8b 7b 58 e8 e1 2c 4e c6 48 89 df e8 d9 2c 4e c6 eb 9a <0f> 0b eb 96 0f 0b e9 7e fe ff ff e8 a7 7e 4e c6 e9 a4 fe ff ff e8 +[ 214.398983] RSP: 0018:ffff8881152874e8 EFLAGS: 00010202 +[ 214.398983] RAX: 0000000000000001 RBX: ffff88810ef9fc28 RCX: ffff8881152876f0 +[ 214.398983] RDX: dffffc0000000000 RSI: 1ffff11022a50ede RDI: ffff88810ef9fc78 +[ 214.398983] RBP: 1ffff11022a50e9d R08: 0000000080000000 R09: 0000000000000000 +[ 214.398983] R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff11022a50eba +[ 214.398983] R13: ffff888114446e08 
R14: ffff8881152876f0 R15: ffffed1022a50ed6 +[ 214.398983] FS: 0000000000000000(0000) GS:ffff888116400000(0000) knlGS:0000000000000000 +[ 214.398983] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 214.398983] CR2: 00007fab9bb5f868 CR3: 000000012aa16000 CR4: 00000000001006e0 +[ 214.398983] Call Trace: +[ 214.398983] ? nf_tables_table_destroy.isra.37+0x100/0x100 [nf_tables] +[ 214.398983] ? __kasan_slab_free+0x145/0x180 +[ 214.398983] ? nf_tables_trans_destroy_work+0x439/0x830 [nf_tables] +[ 214.398983] ? kfree+0xdb/0x280 +[ 214.398983] nf_tables_trans_destroy_work+0x5f5/0x830 [nf_tables] +[ ... ] + +Fixes: bb7b40aecbf7 ("netfilter: nf_tables: bogus EBUSY in chain deletions") +Reported by: Christoph Anton Mitterer +Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914505 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=201791 +Signed-off-by: Taehee Yoo +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 15 ++++----------- + 1 file changed, 4 insertions(+), 11 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 06ed55cef962..fe0558b15fd3 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2646,21 +2646,14 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk, + } + + if (nlh->nlmsg_flags & NLM_F_REPLACE) { +- if (!nft_is_active_next(net, old_rule)) { +- err = -ENOENT; +- goto err2; +- } +- trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE, +- old_rule); ++ trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); + if (trans == NULL) { + err = -ENOMEM; + goto err2; + } +- nft_deactivate_next(net, old_rule); +- chain->use--; +- +- if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) { +- err = -ENOMEM; ++ err = nft_delrule(&ctx, old_rule); ++ if (err < 0) { ++ nft_trans_destroy(trans); + goto err2; + } + +-- +2.19.1 + 
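Review bot: The rewritten `NLM_F_REPLACE` branch of nf_tables_newrule() drops the explicit `nft_is_active_next(net, old_rule)` test with its `-ENOENT` result and relies on `nft_delrule()` for both that check and the `chain->use` accounting; nft_delrule() is not part of the hunk, so it should be confirmed that replacing a rule already deleted in the same batch still fails with `-ENOENT`. The order of operations is now significant as well, since the NEWRULE transaction is queued first and destroyed by hand when the delete fails; a comment such as `/* queue NEWRULE first; undo it if the old rule cannot be deleted */` would keep that from being reshuffled. The function starts and ends outside the hunk.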
diff --git a/queue-4.19/netfilter-nf_tables-don-t-skip-inactive-chains-durin.patch b/queue-4.19/netfilter-nf_tables-don-t-skip-inactive-chains-durin.patch
new file mode 100644
index 00000000000..7e09d11ecc3
--- /dev/null
+++ b/queue-4.19/netfilter-nf_tables-don-t-skip-inactive-chains-durin.patch
@@ -0,0 +1,70 @@
+From 165ed0da4008dc5ef9ee1e5493e2f669b7475654 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Wed, 31 Oct 2018 18:26:20 +0100
+Subject: netfilter: nf_tables: don't skip inactive chains during update
+
+[ Upstream commit 0fb39bbe43d4481fcf300d2b5822de60942fd189 ]
+
+There is no synchronization between packet path and the configuration plane.
+
+The packet path uses two arrays with rules, one contains the current (active)
+generation. The other either contains the last (obsolete) generation or
+the future one.
+
+Consider:
+cpu1 cpu2
+ nft_do_chain(c);
+delete c
+net->gen++;
+ genbit = !!net->gen;
+ rules = c->rg[genbit];
+
+cpu1 ignores c when updating if c is not active anymore in the new
+generation.
+
+On cpu2, we now use rules from wrong generation, as c->rg[old]
+contains the rules matching 'c' whereas c->rg[new] was not updated and
+can even point to rules that have been free'd already, causing a crash.
+
+To fix this, make sure that 'current' to the 'next' generation are
+identical for chains that are going away so that c->rg[new] will just
+use the matching rules even if genbit was incremented already.
+
+Fixes: 0cbc06b3faba7 ("netfilter: nf_tables: remove synchronize_rcu in commit phase")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 2cfb173cd0b2..4c016b49fe2b 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -6277,7 +6277,7 @@ static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
+ call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
+ }
+
+-static void nf_tables_commit_chain_active(struct net *net, struct nft_chain *chain)
++static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
+ {
+ struct nft_rule **g0, **g1;
+ bool next_genbit;
+@@ -6363,11 +6363,8 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
+
+ /* step 2. Make rules_gen_X visible to packet path */
+ list_for_each_entry(table, &net->nft.tables, list) {
+- list_for_each_entry(chain, &table->chains, list) {
+- if (!nft_is_active_next(net, chain))
+- continue;
+- nf_tables_commit_chain_active(net, chain);
+- }
++ list_for_each_entry(chain, &table->chains, list)
++ nf_tables_commit_chain(net, chain);
+ }
+
+ /*
+--
+2.19.1
+
diff --git a/queue-4.19/netfilter-nf_tables-fix-use-after-free-when-deleting.patch b/queue-4.19/netfilter-nf_tables-fix-use-after-free-when-deleting.patch
new file mode 100644
index 00000000000..85c7c460382
--- /dev/null
+++ b/queue-4.19/netfilter-nf_tables-fix-use-after-free-when-deleting.patch
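Review bot: The commit loop in nf_tables_commit() now calls nf_tables_commit_chain() for every chain, including chains that are being deleted, but neither the call site nor the renamed function says why, and the removed `nft_is_active_next()` skip is exactly what a later cleanup would be tempted to restore. A comment above the inner loop, e.g. `/* also sync chains that are going away: the packet path may already be using the new genbit */`, would record the reason given in the commit message. The body of nf_tables_commit_chain() is outside the hunk, so how it treats a chain that is inactive in the next generation cannot be checked here.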
@@ -0,0 +1,78 @@ +From 82a415c594681097758f4b096bc32592daad0c0e Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 12 Nov 2018 22:43:45 +0100 +Subject: netfilter: nf_tables: fix use-after-free when deleting compat + expressions + +[ Upstream commit 29e3880109e357fdc607b4393f8308cef6af9413 ] + +nft_compat ops do not have static storage duration, unlike all other +expressions. + +When nf_tables_expr_destroy() returns, expr->ops might have been +free'd already, so we need to store next address before calling +expression destructor. + +For same reason, we can't deref match pointer after nft_xt_put(). + +This can be easily reproduced by adding msleep() before +nft_match_destroy() returns. + +Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables") +Reported-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 5 +++-- + net/netfilter/nft_compat.c | 3 ++- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 4c016b49fe2b..06ed55cef962 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2432,7 +2432,7 @@ static int nf_tables_getrule(struct net *net, struct sock *nlsk, + static void nf_tables_rule_destroy(const struct nft_ctx *ctx, + struct nft_rule *rule) + { +- struct nft_expr *expr; ++ struct nft_expr *expr, *next; + + lockdep_assert_held(&ctx->net->nft.commit_mutex); + /* +@@ -2441,8 +2441,9 @@ static void nf_tables_rule_destroy(const struct nft_ctx *ctx, + */ + expr = nft_expr_first(rule); + while (expr != nft_expr_last(rule) && expr->ops) { ++ next = nft_expr_next(expr); + nf_tables_expr_destroy(ctx, expr); +- expr = nft_expr_next(expr); ++ expr = next; + } + kfree(rule); + } +diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c +index ad2fe6a7e47d..29d6fc73caf9 100644 +--- a/net/netfilter/nft_compat.c 
++++ b/net/netfilter/nft_compat.c +@@ -501,6 +501,7 @@ __nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr, + void *info) + { + struct xt_match *match = expr->ops->data; ++ struct module *me = match->me; + struct xt_mtdtor_param par; + + par.net = ctx->net; +@@ -511,7 +512,7 @@ __nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr, + par.match->destroy(&par); + + if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops))) +- module_put(match->me); ++ module_put(me); + } + + static void +-- +2.19.1 + diff --git a/queue-4.19/netfilter-xt_hashlimit-fix-a-possible-memory-leak-in.patch b/queue-4.19/netfilter-xt_hashlimit-fix-a-possible-memory-leak-in.patch new file mode 100644 index 00000000000..0b08c41ce2b --- /dev/null +++ b/queue-4.19/netfilter-xt_hashlimit-fix-a-possible-memory-leak-in.patch 
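Review bot: In nf_tables_rule_destroy() the new `next = nft_expr_next(expr);` must stay ahead of the destructor call, yet the loop has no comment saying that the destructor may free `expr->ops`. I would add `/* compat ops are not static: fetch the next expression before destroy */` above it. The same ordering applies to `struct module *me = match->me;` in __nft_match_destroy(), which has to be read before nft_xt_put(). Any other destroy helper in nft_compat.c that reads `->me` after nft_xt_put() would need the same treatment; none is visible in these hunks, so that is worth confirming against the full file.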
@@ -0,0 +1,71 @@ +From ca7112daa7952aee536c62f215de77f95ad82fd0 Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Fri, 16 Nov 2018 21:32:35 +0900 +Subject: netfilter: xt_hashlimit: fix a possible memory leak in + htable_create() + +[ Upstream commit b4e955e9f372035361fbc6f07b21fe2cc6a5be4a ] + +In the htable_create(), hinfo is allocated by vmalloc() +So that if error occurred, hinfo should be freed. + +Fixes: 11d5f15723c9 ("netfilter: xt_hashlimit: Create revision 2 to support higher pps rates") +Signed-off-by: Taehee Yoo +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_hashlimit.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c +index 3e7d259e5d8d..1ad4017f9b73 100644 +--- a/net/netfilter/xt_hashlimit.c ++++ b/net/netfilter/xt_hashlimit.c +@@ -295,9 +295,10 @@ static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg, + + /* copy match config into hashtable config */ + ret = cfg_copy(&hinfo->cfg, (void *)cfg, 3); +- +- if (ret) ++ if (ret) { ++ vfree(hinfo); + return ret; ++ } + + hinfo->cfg.size = size; + if (hinfo->cfg.max == 0) +@@ -814,7 +815,6 @@ hashlimit_mt_v1(const struct sk_buff *skb, struct xt_action_param *par) + int ret; + + ret = cfg_copy(&cfg, (void *)&info->cfg, 1); +- + if (ret) + return ret; + +@@ -830,7 +830,6 @@ hashlimit_mt_v2(const struct sk_buff *skb, struct xt_action_param *par) + int ret; + + ret = cfg_copy(&cfg, (void *)&info->cfg, 2); +- + if (ret) + return ret; + +@@ -921,7 +920,6 @@ static int hashlimit_mt_check_v1(const struct xt_mtchk_param *par) + return ret; + + ret = cfg_copy(&cfg, (void *)&info->cfg, 1); +- + if (ret) + return ret; + +@@ -940,7 +938,6 @@ static int hashlimit_mt_check_v2(const struct xt_mtchk_param *par) + return ret; + + ret = cfg_copy(&cfg, (void *)&info->cfg, 2); +- + if (ret) + return ret; + +-- +2.19.1 + 
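Review bot: The leak fix in htable_create() frees `hinfo` inline on the cfg_copy() failure, which leaves every error return in the function responsible for its own vfree(). The rest of htable_create() is outside the hunk, so whether the later failure paths free it as well cannot be seen from here. A single cleanup label (`goto err_free;` with `err_free: vfree(hinfo); return ret;`) would keep those paths from drifting apart. The blank-line removals in hashlimit_mt_v1/v2 and hashlimit_mt_check_v1/v2 are unrelated whitespace and would read better as a separate change.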
diff --git a/queue-4.19/netfilter-xt_rateest-remove-netns-exit-routine.patch b/queue-4.19/netfilter-xt_rateest-remove-netns-exit-routine.patch
new file mode 100644
index 00000000000..c8d96044d2e
--- /dev/null
+++ b/queue-4.19/netfilter-xt_rateest-remove-netns-exit-routine.patch
@@ -0,0 +1,93 @@ +From 3dde7cc41b79a9cfe1f13b998f08805ac10aa8a3 Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Fri, 19 Oct 2018 00:27:57 +0900 +Subject: netfilter: xt_RATEEST: remove netns exit routine + +[ Upstream commit 0fbcc5b568edab7d848b7c7fa66d44ffbd4133c0 ] + +xt_rateest_net_exit() was added to check whether rules are flushed +successfully. but ->net_exit() callback is called earlier than +->destroy() callback. +So that ->net_exit() callback can't check that. + +test commands: + %ip netns add vm1 + %ip netns exec vm1 iptables -t mangle -I PREROUTING -p udp \ + --dport 1111 -j RATEEST --rateest-name ap \ + --rateest-interval 250ms --rateest-ewma 0.5s + %ip netns del vm1 + +splat looks like: +[ 668.813518] WARNING: CPU: 0 PID: 87 at net/netfilter/xt_RATEEST.c:210 xt_rateest_net_exit+0x210/0x340 [xt_RATEEST] +[ 668.813518] Modules linked in: xt_RATEEST xt_tcpudp iptable_mangle bpfilter ip_tables x_tables +[ 668.813518] CPU: 0 PID: 87 Comm: kworker/u4:2 Not tainted 4.19.0-rc7+ #21 +[ 668.813518] Workqueue: netns cleanup_net +[ 668.813518] RIP: 0010:xt_rateest_net_exit+0x210/0x340 [xt_RATEEST] +[ 668.813518] Code: 00 48 8b 85 30 ff ff ff 4c 8b 23 80 38 00 0f 85 24 01 00 00 48 8b 85 30 ff ff ff 4d 85 e4 4c 89 a5 58 ff ff ff c6 00 f8 74 b2 <0f> 0b 48 83 c3 08 4c 39 f3 75 b0 48 b8 00 00 00 00 00 fc ff df 49 +[ 668.813518] RSP: 0018:ffff8801156c73f8 EFLAGS: 00010282 +[ 668.813518] RAX: ffffed0022ad8e85 RBX: ffff880118928e98 RCX: 5db8012a00000000 +[ 668.813518] RDX: ffff8801156c7428 RSI: 00000000cb1d185f RDI: ffff880115663b74 +[ 668.813518] RBP: ffff8801156c74d0 R08: ffff8801156633c0 R09: 1ffff100236440be +[ 668.813518] R10: 0000000000000001 R11: ffffed002367d852 R12: ffff880115142b08 +[ 668.813518] R13: 1ffff10022ad8e81 R14: ffff880118928ea8 R15: dffffc0000000000 +[ 668.813518] FS: 0000000000000000(0000) GS:ffff88011b200000(0000) knlGS:0000000000000000 +[ 668.813518] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 668.813518] CR2: 0000563aa69f4f28 CR3: 
0000000105a16000 CR4: 00000000001006f0 +[ 668.813518] Call Trace: +[ 668.813518] ? unregister_netdevice_many+0xe0/0xe0 +[ 668.813518] ? xt_rateest_net_init+0x2c0/0x2c0 [xt_RATEEST] +[ 668.813518] ? default_device_exit+0x1ca/0x270 +[ 668.813518] ? remove_proc_entry+0x1cd/0x390 +[ 668.813518] ? dev_change_net_namespace+0xd00/0xd00 +[ 668.813518] ? __init_waitqueue_head+0x130/0x130 +[ 668.813518] ops_exit_list.isra.10+0x94/0x140 +[ 668.813518] cleanup_net+0x45b/0x900 +[ 668.813518] ? net_drop_ns+0x110/0x110 +[ 668.813518] ? swapgs_restore_regs_and_return_to_usermode+0x3c/0x80 +[ 668.813518] ? save_trace+0x300/0x300 +[ 668.813518] ? lock_acquire+0x196/0x470 +[ 668.813518] ? lock_acquire+0x196/0x470 +[ 668.813518] ? process_one_work+0xb60/0x1de0 +[ 668.813518] ? _raw_spin_unlock_irq+0x29/0x40 +[ 668.813518] ? _raw_spin_unlock_irq+0x29/0x40 +[ 668.813518] ? __lock_acquire+0x4500/0x4500 +[ 668.813518] ? __lock_is_held+0xb4/0x140 +[ 668.813518] process_one_work+0xc13/0x1de0 +[ 668.813518] ? pwq_dec_nr_in_flight+0x3c0/0x3c0 +[ 668.813518] ? set_load_weight+0x270/0x270 +[ ... 
] + +Fixes: 3427b2ab63fa ("netfilter: make xt_rateest hash table per net") +Signed-off-by: Taehee Yoo +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_RATEEST.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c +index dec843cadf46..9e05c86ba5c4 100644 +--- a/net/netfilter/xt_RATEEST.c ++++ b/net/netfilter/xt_RATEEST.c +@@ -201,18 +201,8 @@ static __net_init int xt_rateest_net_init(struct net *net) + return 0; + } + +-static void __net_exit xt_rateest_net_exit(struct net *net) +-{ +- struct xt_rateest_net *xn = net_generic(net, xt_rateest_id); +- int i; +- +- for (i = 0; i < ARRAY_SIZE(xn->hash); i++) +- WARN_ON_ONCE(!hlist_empty(&xn->hash[i])); +-} +- + static struct pernet_operations xt_rateest_net_ops = { + .init = xt_rateest_net_init, +- .exit = xt_rateest_net_exit, + .id = &xt_rateest_id, + .size = sizeof(struct xt_rateest_net), + }; +-- +2.19.1 + diff --git a/queue-4.19/nvme-flush-namespace-scanning-work-just-before-remov.patch b/queue-4.19/nvme-flush-namespace-scanning-work-just-before-remov.patch new file mode 100644 index 00000000000..8ed9e344543 --- /dev/null +++ b/queue-4.19/nvme-flush-namespace-scanning-work-just-before-remov.patch 
@@ -0,0 +1,53 @@ +From 49e07c35cddfdbb3dde6854c236a07ae7c7de30f Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Wed, 21 Nov 2018 15:17:37 -0800 +Subject: nvme: flush namespace scanning work just before removing namespaces + +[ Upstream commit f6c8e432cb0479255322c5d0335b9f1699a0270c ] + +nvme_stop_ctrl can be called also for reset flow and there is no need to +flush the scan_work as namespaces are not being removed. This can cause +deadlock in rdma, fc and loop drivers since nvme_stop_ctrl barriers +before controller teardown (and specifically I/O cancellation of the +scan_work itself) takes place, but the scan_work will be blocked anyways +so there is no need to flush it. + +Instead, move scan_work flush to nvme_remove_namespaces() where it really +needs to flush. + +Reported-by: Ming Lei +Signed-off-by: Sagi Grimberg +Reviewed-by: Keith Busch +Reviewed by: James Smart +Tested-by: Ewan D. Milne +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 0ba301f7e8b4..b7b2659e02fa 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -3308,6 +3308,9 @@ void nvme_remove_namespaces(struct nvme_ctrl *ctrl) + struct nvme_ns *ns, *next; + LIST_HEAD(ns_list); + ++ /* prevent racing with ns scanning */ ++ flush_work(&ctrl->scan_work); ++ + /* + * The dead states indicates the controller was not gracefully + * disconnected. In that case, we won't be able to flush any data while +@@ -3463,7 +3466,6 @@ void nvme_stop_ctrl(struct nvme_ctrl *ctrl) + nvme_mpath_stop(ctrl); + nvme_stop_keep_alive(ctrl); + flush_work(&ctrl->async_event_work); +- flush_work(&ctrl->scan_work); + cancel_work_sync(&ctrl->fw_act_work); + if (ctrl->ops->stop_ctrl) + ctrl->ops->stop_ctrl(ctrl); +-- +2.19.1 + 
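Review bot: The `flush_work(&ctrl->scan_work);` added at the top of nvme_remove_namespaces() waits for a scan that is already queued or running, but nothing in the hunk stops scan_work from being queued again before the namespace list is taken. The comment `/* prevent racing with ns scanning */` therefore promises more than the call itself gives. If a later queueing is excluded by the controller state set by the callers, the comment should say so, e.g. `/* wait for a running scan; callers have already put the ctrl in a state where no new scan is queued */`, once that has been confirmed. The function body continues outside the hunk.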
diff --git a/queue-4.19/nvme-rdma-fix-double-freeing-of-async-event-data.patch b/queue-4.19/nvme-rdma-fix-double-freeing-of-async-event-data.patch new file mode 100644 index 00000000000..cd0a88752fc --- /dev/null +++ b/queue-4.19/nvme-rdma-fix-double-freeing-of-async-event-data.patch @@ -0,0 +1,43 @@ +From a9ff39294bd6e563df8c61d81a170d1e735fc5ad Mon Sep 17 00:00:00 2001 +From: Prabhath Sajeepa +Date: Wed, 28 Nov 2018 11:11:29 -0700 +Subject: nvme-rdma: fix double freeing of async event data + +[ Upstream commit 6344d02dc8f886b6bbcd922ae1a17e4a41500f2d ] + +Some error paths in configuration of admin queue free data buffer +associated with async request SQE without resetting the data buffer +pointer to NULL, This buffer is also freed up again if the controller +is shutdown or reset. + +Signed-off-by: Prabhath Sajeepa +Reviewed-by: Roland Dreier +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/rdma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index dc042017c293..b6a28de682e8 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -184,6 +184,7 @@ static int nvme_rdma_alloc_qe(struct ib_device *ibdev, struct nvme_rdma_qe *qe, + qe->dma = ib_dma_map_single(ibdev, qe->data, capsule_size, dir); + if (ib_dma_mapping_error(ibdev, qe->dma)) { + kfree(qe->data); ++ qe->data = NULL; + return -ENOMEM; + } + +@@ -816,6 +817,7 @@ static int nvme_rdma_configure_admin_queue(struct nvme_rdma_ctrl *ctrl, + out_free_async_qe: + nvme_rdma_free_qe(ctrl->device->dev, &ctrl->async_event_sqe, + sizeof(struct nvme_command), DMA_TO_DEVICE); ++ ctrl->async_event_sqe.data = NULL; + out_free_queue: + nvme_rdma_free_queue(&ctrl->queues[0]); + return error; +-- +2.19.1 + diff --git a/queue-4.19/nvme-warn-when-finding-multi-port-subsystems-without.patch b/queue-4.19/nvme-warn-when-finding-multi-port-subsystems-without.patch new file mode 100644 index 00000000000..f67d5863a2a 
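Review bot: Both hunks clear the pointer at the call site (`qe->data = NULL;` in nvme_rdma_alloc_qe(), `ctrl->async_event_sqe.data = NULL;` in nvme_rdma_configure_admin_queue()), so every future caller of nvme_rdma_free_qe() has to remember the same step or the double free returns. Clearing it inside nvme_rdma_free_qe() right after its kfree, `qe->data = NULL;`, would cover all callers in one place. That helper's body is outside these hunks, so this assumes it receives the qe by pointer, as the call in the second hunk suggests.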
--- /dev/null +++ b/queue-4.19/nvme-warn-when-finding-multi-port-subsystems-without.patch @@ -0,0 +1,35 @@ +From 40e6bd729afb999a7de639f4ce456ce465c831da Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Tue, 20 Nov 2018 16:57:54 +0100 +Subject: nvme: warn when finding multi-port subsystems without multipathing + enabled + +[ Upstream commit 14a1336e6fff47dd1028b484d6c802105c58e2ee ] + +Without CONFIG_NVME_MULTIPATH enabled a multi-port subsystem might +show up as invididual devices and cause problems, warn about it. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/nvme.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h +index bb4a2003c097..60220de2db52 100644 +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -537,6 +537,9 @@ static inline void nvme_mpath_check_last_path(struct nvme_ns *ns) + static inline int nvme_mpath_init(struct nvme_ctrl *ctrl, + struct nvme_id_ctrl *id) + { ++ if (ctrl->subsys->cmic & (1 << 3)) ++ dev_warn(ctrl->device, ++"Please enable CONFIG_NVME_MULTIPATH for full support of multi-port devices.\n"); + return 0; + } + static inline void nvme_mpath_uninit(struct nvme_ctrl *ctrl) +-- +2.19.1 + diff --git a/queue-4.19/objtool-fix-double-free-in-.cold-detection-error-pat.patch b/queue-4.19/objtool-fix-double-free-in-.cold-detection-error-pat.patch new file mode 100644 index 00000000000..c331f1f53ed --- /dev/null +++ b/queue-4.19/objtool-fix-double-free-in-.cold-detection-error-pat.patch 
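Review bot: The test `ctrl->subsys->cmic & (1 << 3)` in the stub nvme_mpath_init() uses an unnamed bit, so a reader cannot check that it identifies a multi-port subsystem as the warning text claims. A named constant, or a comment such as `/* CMIC bit 3: FIELD-NAME-FROM-SPEC */` with the field name filled in from the NVMe specification, would make that checkable. The warning is also emitted on every call of this stub for such a controller; if the stub runs on each controller reset (not visible here), a once-per-controller guard would keep the log readable.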
@@ -0,0 +1,42 @@ +From 361ce06ae59108c91e46920e37e6ca4562a33226 Mon Sep 17 00:00:00 2001 +From: Artem Savkov +Date: Tue, 20 Nov 2018 11:52:15 -0600 +Subject: objtool: Fix double-free in .cold detection error path + +[ Upstream commit 0b9301fb632f7111a3293a30cc5b20f1b82ed08d ] + +If read_symbols() fails during second list traversal (the one dealing +with ".cold" subfunctions) it frees the symbol, but never deletes it +from the list/hash_table resulting in symbol being freed again in +elf_close(). Fix it by just returning an error, leaving cleanup to +elf_close(). + +Signed-off-by: Artem Savkov +Signed-off-by: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 13810435b9a7 ("objtool: Support GCC 8's cold subfunctions") +Link: http://lkml.kernel.org/r/beac5a9b7da9e8be90223459dcbe07766ae437dd.1542736240.git.jpoimboe@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + tools/objtool/elf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c +index 7ec85d567598..a6f543e0b387 100644 +--- a/tools/objtool/elf.c ++++ b/tools/objtool/elf.c +@@ -312,7 +312,7 @@ static int read_symbols(struct elf *elf) + if (!pfunc) { + WARN("%s(): can't find parent function", + sym->name); +- goto err; ++ return -1; + } + + sym->pfunc = pfunc; +-- +2.19.1 + diff --git a/queue-4.19/objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch b/queue-4.19/objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch new file mode 100644 index 00000000000..2d730a230ed --- /dev/null +++ b/queue-4.19/objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch 
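Review bot: The `return -1;` that replaces `goto err;` in read_symbols() is correct only because `sym` is already linked into the list and hash table at this point, and nothing in the code says so. A one-line comment would keep the next editor from restoring the goto: `/* sym is already on the symbol list; elf_close() frees it */`. The `err` label and the first traversal are outside the hunk.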
@@ -0,0 +1,76 @@ +From 566e76d72bdcab5db30086354c24f6e95ca8839d Mon Sep 17 00:00:00 2001 +From: Artem Savkov +Date: Tue, 20 Nov 2018 11:52:16 -0600 +Subject: objtool: Fix segfault in .cold detection with -ffunction-sections + +[ Upstream commit 22566c1603030f0a036ad564634b064ad1a55db2 ] + +Because find_symbol_by_name() traverses the same lists as +read_symbols(), changing sym->name in place without copying it affects +the result of find_symbol_by_name(). In the case where a ".cold" +function precedes its parent in sec->symbol_list, it can result in a +function being considered a parent of itself. This leads to function +length being set to 0 and other consequent side-effects including a +segfault in add_switch_table(). The effects of this bug are only +visible when building with -ffunction-sections in KCFLAGS. + +Fix by copying the search string instead of modifying it in place. + +Signed-off-by: Artem Savkov +Signed-off-by: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 13810435b9a7 ("objtool: Support GCC 8's cold subfunctions") +Link: http://lkml.kernel.org/r/910abd6b5a4945130fd44f787c24e07b9e07c8da.1542736240.git.jpoimboe@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + tools/objtool/elf.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c +index a6f543e0b387..b75d004f6482 100644 +--- a/tools/objtool/elf.c ++++ b/tools/objtool/elf.c +@@ -31,6 +31,8 @@ + #include "elf.h" + #include "warn.h" + ++#define MAX_NAME_LEN 128 ++ + struct section *find_section_by_name(struct elf *elf, const char *name) + { + struct section *sec; +@@ -298,6 +300,8 @@ static int read_symbols(struct elf *elf) + /* Create parent/child links for any cold subfunctions */ + list_for_each_entry(sec, &elf->sections, list) { + list_for_each_entry(sym, &sec->symbol_list, list) { ++ char pname[MAX_NAME_LEN + 1]; ++ size_t pnamelen; + if (sym->type != 
STT_FUNC) + continue; + sym->pfunc = sym->cfunc = sym; +@@ -305,9 +309,16 @@ static int read_symbols(struct elf *elf) + if (!coldstr) + continue; + +- coldstr[0] = '\0'; +- pfunc = find_symbol_by_name(elf, sym->name); +- coldstr[0] = '.'; ++ pnamelen = coldstr - sym->name; ++ if (pnamelen > MAX_NAME_LEN) { ++ WARN("%s(): parent function name exceeds maximum length of %d characters", ++ sym->name, MAX_NAME_LEN); ++ return -1; ++ } ++ ++ strncpy(pname, sym->name, pnamelen); ++ pname[pnamelen] = '\0'; ++ pfunc = find_symbol_by_name(elf, pname); + + if (!pfunc) { + WARN("%s(): can't find parent function", +-- +2.19.1 + diff --git a/queue-4.19/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch b/queue-4.19/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch new file mode 100644 index 00000000000..5e20768c5ea --- /dev/null +++ b/queue-4.19/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch 
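Review bot: In read_symbols() the parent name is copied with `strncpy(pname, sym->name, pnamelen);` followed by a manual terminator. Since the length has just been checked against MAX_NAME_LEN, `memcpy(pname, sym->name, pnamelen);` states the intent directly and avoids a strncpy call that each reader has to re-verify for termination. The fixed 128-character limit also turns a long parent name into a hard `return -1`, so objtool fails on the whole object; a comment next to the `#define` saying why 128 is enough would help. `coldstr` is assigned outside the hunk, so `pnamelen = coldstr - sym->name` is assumed to be non-negative.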
@@ -0,0 +1,147 @@ +From 30bb0e1b2db63dcaae21c43cccd57ce7ab9a0675 Mon Sep 17 00:00:00 2001 +From: Larry Chen +Date: Fri, 30 Nov 2018 14:08:56 -0800 +Subject: ocfs2: fix deadlock caused by ocfs2_defrag_extent() + +[ Upstream commit e21e57445a64598b29a6f629688f9b9a39e7242a ] + +ocfs2_defrag_extent may fall into deadlock. + +ocfs2_ioctl_move_extents + ocfs2_ioctl_move_extents + ocfs2_move_extents + ocfs2_defrag_extent + ocfs2_lock_allocators_move_extents + + ocfs2_reserve_clusters + inode_lock GLOBAL_BITMAP_SYSTEM_INODE + + __ocfs2_flush_truncate_log + inode_lock GLOBAL_BITMAP_SYSTEM_INODE + +As backtrace shows above, ocfs2_reserve_clusters() will call inode_lock +against the global bitmap if local allocator has not sufficient cluters. +Once global bitmap could meet the demand, ocfs2_reserve_cluster will +return success with global bitmap locked. + +After ocfs2_reserve_cluster(), if truncate log is full, +__ocfs2_flush_truncate_log() will definitely fall into deadlock because +it needs to inode_lock global bitmap, which has already been locked. + +To fix this bug, we could remove from +ocfs2_lock_allocators_move_extents() the code which intends to lock +global allocator, and put the removed code after +__ocfs2_flush_truncate_log(). + +ocfs2_lock_allocators_move_extents() is referred by 2 places, one is +here, the other does not need the data allocator context, which means +this patch does not affect the caller so far. 
+ +Link: http://lkml.kernel.org/r/20181101071422.14470-1-lchen@suse.com +Signed-off-by: Larry Chen +Reviewed-by: Changwei Ge +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/move_extents.c | 47 +++++++++++++++++++++++------------------ + 1 file changed, 26 insertions(+), 21 deletions(-) + +diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c +index 7eb3b0a6347e..f55f82ca3425 100644 +--- a/fs/ocfs2/move_extents.c ++++ b/fs/ocfs2/move_extents.c +@@ -156,18 +156,14 @@ static int __ocfs2_move_extent(handle_t *handle, + } + + /* +- * lock allocators, and reserving appropriate number of bits for +- * meta blocks and data clusters. +- * +- * in some cases, we don't need to reserve clusters, just let data_ac +- * be NULL. ++ * lock allocator, and reserve appropriate number of bits for ++ * meta blocks. + */ +-static int ocfs2_lock_allocators_move_extents(struct inode *inode, ++static int ocfs2_lock_meta_allocator_move_extents(struct inode *inode, + struct ocfs2_extent_tree *et, + u32 clusters_to_move, + u32 extents_to_split, + struct ocfs2_alloc_context **meta_ac, +- struct ocfs2_alloc_context **data_ac, + int extra_blocks, + int *credits) + { +@@ -192,13 +188,6 @@ static int ocfs2_lock_allocators_move_extents(struct inode *inode, + goto out; + } + +- if (data_ac) { +- ret = ocfs2_reserve_clusters(osb, clusters_to_move, data_ac); +- if (ret) { +- mlog_errno(ret); +- goto out; +- } +- } + + *credits += ocfs2_calc_extend_credits(osb->sb, et->et_root_el); + +@@ -257,10 +246,10 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context, + } + } + +- ret = ocfs2_lock_allocators_move_extents(inode, &context->et, *len, 1, +- &context->meta_ac, +- &context->data_ac, +- extra_blocks, &credits); ++ ret = ocfs2_lock_meta_allocator_move_extents(inode, &context->et, ++ *len, 1, ++ &context->meta_ac, ++ extra_blocks, &credits); + if (ret) { 
+ mlog_errno(ret); + goto out; +@@ -283,6 +272,21 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context, + } + } + ++ /* ++ * Make sure ocfs2_reserve_cluster is called after ++ * __ocfs2_flush_truncate_log, otherwise, dead lock may happen. ++ * ++ * If ocfs2_reserve_cluster is called ++ * before __ocfs2_flush_truncate_log, dead lock on global bitmap ++ * may happen. ++ * ++ */ ++ ret = ocfs2_reserve_clusters(osb, *len, &context->data_ac); ++ if (ret) { ++ mlog_errno(ret); ++ goto out_unlock_mutex; ++ } ++ + handle = ocfs2_start_trans(osb, credits); + if (IS_ERR(handle)) { + ret = PTR_ERR(handle); +@@ -600,9 +604,10 @@ static int ocfs2_move_extent(struct ocfs2_move_extents_context *context, + } + } + +- ret = ocfs2_lock_allocators_move_extents(inode, &context->et, len, 1, +- &context->meta_ac, +- NULL, extra_blocks, &credits); ++ ret = ocfs2_lock_meta_allocator_move_extents(inode, &context->et, ++ len, 1, ++ &context->meta_ac, ++ extra_blocks, &credits); + if (ret) { + mlog_errno(ret); + goto out; +-- +2.19.1 + diff --git a/queue-4.19/ocfs2-fix-potential-use-after-free.patch b/queue-4.19/ocfs2-fix-potential-use-after-free.patch new file mode 100644 index 00000000000..246511bc8a7 --- /dev/null +++ b/queue-4.19/ocfs2-fix-potential-use-after-free.patch 
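Review bot: The comment added before `ocfs2_reserve_clusters()` in ocfs2_defrag_extent() states the ordering rule twice and names a function, `ocfs2_reserve_cluster`, that does not match the call below it. A single sentence carries the same constraint: `/* Reserve clusters only after __ocfs2_flush_truncate_log(): both may take the global bitmap inode lock. */`. The removal in ocfs2_lock_meta_allocator_move_extents() also leaves two consecutive blank lines before `*credits += ...`. The `out_unlock_mutex` label is outside the hunk, so the cleanup of `context->data_ac` on the new error path cannot be checked from here.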
@@ -0,0 +1,47 @@ +From 38a1e411bb4791ccf2a2873e949a7777107ed11e Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Fri, 30 Nov 2018 14:10:54 -0800 +Subject: ocfs2: fix potential use after free + +[ Upstream commit 164f7e586739d07eb56af6f6d66acebb11f315c8 ] + +ocfs2_get_dentry() calls iput(inode) to drop the reference count of +inode, and if the reference count hits 0, inode is freed. However, in +this function, it then reads inode->i_generation, which may result in a +use after free bug. Move the put operation later. + +Link: http://lkml.kernel.org/r/1543109237-110227-1-git-send-email-bianpan2016@163.com +Fixes: 781f200cb7a("ocfs2: Remove masklog ML_EXPORT.") +Signed-off-by: Pan Bian +Reviewed-by: Andrew Morton +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Cc: Changwei Ge +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/export.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ocfs2/export.c b/fs/ocfs2/export.c +index 9f88188060db..4bf8d5854b27 100644 +--- a/fs/ocfs2/export.c ++++ b/fs/ocfs2/export.c +@@ -125,10 +125,10 @@ static struct dentry *ocfs2_get_dentry(struct super_block *sb, + + check_gen: + if (handle->ih_generation != inode->i_generation) { +- iput(inode); + trace_ocfs2_get_dentry_generation((unsigned long long)blkno, + handle->ih_generation, + inode->i_generation); ++ iput(inode); + result = ERR_PTR(-ESTALE); + goto bail; + } +-- +2.19.1 + diff --git a/queue-4.19/pci-imx6-fix-link-training-status-detection-in-link-.patch b/queue-4.19/pci-imx6-fix-link-training-status-detection-in-link-.patch new file mode 100644 index 00000000000..30deaffc15a --- /dev/null +++ b/queue-4.19/pci-imx6-fix-link-training-status-detection-in-link-.patch 
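Review bot: In ocfs2_get_dentry() the `iput(inode);` now follows the tracepoint, but `inode` still holds the released pointer on the way to `bail`, which is outside the hunk. If anything after `bail` can look at `inode`, it would need `inode = NULL;` after the iput; that code is not shown, so this is a question rather than a confirmed defect. A short comment, `/* last use of inode: drop the reference only after tracing i_generation */`, would document why the order matters.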
@@ -0,0 +1,89 @@ +From fd803c2b7c2d8e6eae715337960803d44649f3f9 Mon Sep 17 00:00:00 2001 +From: Trent Piepho +Date: Mon, 5 Nov 2018 18:11:36 +0000 +Subject: PCI: imx6: Fix link training status detection in link up check + +[ Upstream commit 68bc10bf992180f269816ff3d22eb30383138577 ] + +This bug was introduced in the interaction for two commits on either +branch of the merge commit 562df5c8521e ("Merge branch +'pci/host-designware' into next"). + +Commit 4d107d3b5a68 ("PCI: imx6: Move link up check into +imx6_pcie_wait_for_link()"), changed imx6_pcie_wait_for_link() to poll +the link status register directly, checking for link up and not +training, and made imx6_pcie_link_up() only check the link up bit (once, +not a polling loop). + +While commit 886bc5ceb5cc ("PCI: designware: Add generic +dw_pcie_wait_for_link()"), replaced the loop in +imx6_pcie_wait_for_link() with a call to a new dwc core function, which +polled imx6_pcie_link_up(), which still checked both link up and not +training in a loop. + +When these two commits were merged, the version of +imx6_pcie_wait_for_link() from 886bc5ceb5cc was kept, which eliminated +the link training check placed there by 4d107d3b5a68. However, the +version of imx6_pcie_link_up() from 4d107d3b5a68 was kept, which +eliminated the link training check that had been there and was moved to +imx6_pcie_wait_for_link(). + +The result was the link training check got lost for the imx6 driver. + +Eliminate imx6_pcie_link_up() so that the default handler, +dw_pcie_link_up(), is used instead. The default handler has the correct +code, which checks for link up and also that it still is not training, +fixing the regression. 
+ +Fixes: 562df5c8521e ("Merge branch 'pci/host-designware' into next") +Signed-off-by: Trent Piepho +[lorenzo.pieralisi@arm.com: rewrote the commit log] +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Lucas Stach +Cc: Bjorn Helgaas +Cc: Joao Pinto +Cc: Lorenzo Pieralisi +Cc: Richard Zhu +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/dwc/pci-imx6.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +diff --git a/drivers/pci/controller/dwc/pci-imx6.c b/drivers/pci/controller/dwc/pci-imx6.c +index 4a9a673b4777..975050a69494 100644 +--- a/drivers/pci/controller/dwc/pci-imx6.c ++++ b/drivers/pci/controller/dwc/pci-imx6.c +@@ -80,8 +80,6 @@ struct imx6_pcie { + #define PCIE_PL_PFLR_FORCE_LINK (1 << 15) + #define PCIE_PHY_DEBUG_R0 (PL_OFFSET + 0x28) + #define PCIE_PHY_DEBUG_R1 (PL_OFFSET + 0x2c) +-#define PCIE_PHY_DEBUG_R1_XMLH_LINK_IN_TRAINING (1 << 29) +-#define PCIE_PHY_DEBUG_R1_XMLH_LINK_UP (1 << 4) + + #define PCIE_PHY_CTRL (PL_OFFSET + 0x114) + #define PCIE_PHY_CTRL_DATA_LOC 0 +@@ -641,12 +639,6 @@ static int imx6_pcie_host_init(struct pcie_port *pp) + return 0; + } + +-static int imx6_pcie_link_up(struct dw_pcie *pci) +-{ +- return dw_pcie_readl_dbi(pci, PCIE_PHY_DEBUG_R1) & +- PCIE_PHY_DEBUG_R1_XMLH_LINK_UP; +-} +- + static const struct dw_pcie_host_ops imx6_pcie_host_ops = { + .host_init = imx6_pcie_host_init, + }; +@@ -679,7 +671,7 @@ static int imx6_add_pcie_port(struct imx6_pcie *imx6_pcie, + } + + static const struct dw_pcie_ops dw_pcie_ops = { +- .link_up = imx6_pcie_link_up, ++ /* No special ops needed, but pcie-designware still expects this struct */ + }; + + static int imx6_pcie_probe(struct platform_device *pdev) +-- +2.19.1 + diff --git a/queue-4.19/perf-tools-fix-crash-on-synthesizing-the-unit.patch b/queue-4.19/perf-tools-fix-crash-on-synthesizing-the-unit.patch new file mode 100644 index 00000000000..f366d53f0a2 --- /dev/null +++ b/queue-4.19/perf-tools-fix-crash-on-synthesizing-the-unit.patch 
@@ -0,0 +1,73 @@ +From 64c752af476f0cfe9d694a6e1727081aee31bef8 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Mon, 12 Nov 2018 14:00:12 +0100 +Subject: perf tools: Fix crash on synthesizing the unit + +[ Upstream commit fb50c09e923870a358d68b0d58891bd145b8d7c7 ] + +Adam reported a record command crash for simple session like: + + $ perf record -e cpu-clock ls + +with following backtrace: + + Program received signal SIGSEGV, Segmentation fault. + 3543 ev = event_update_event__new(size + 1, PERF_EVENT_UPDATE__UNIT, evsel->id[0]); + (gdb) bt + #0 perf_event__synthesize_event_update_unit + #1 0x000000000051e469 in perf_event__synthesize_extra_attr + #2 0x00000000004445cb in record__synthesize + #3 0x0000000000444bc5 in __cmd_record + ... + +We synthesize an update event that needs to touch the evsel id array, +which is not defined at that time. Fix this by forcing the id allocation +for events with their unit defined. + +Reflecting possible read_format ID bit in the attr tests. + +Reported-by: Yongxin Liu +Signed-off-by: Jiri Olsa +Cc: Adam Lee +Cc: Alexander Shishkin +Cc: Namhyung Kim +Cc: Peter Zijlstra +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201477 +Fixes: bfd8f72c2778 ("perf record: Synthesize unit/scale/... 
in event update") +Link: http://lkml.kernel.org/r/20181112130012.5424-1-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/attr/base-record | 2 +- + tools/perf/util/evsel.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/tests/attr/base-record b/tools/perf/tests/attr/base-record +index 37940665f736..efd0157b9d22 100644 +--- a/tools/perf/tests/attr/base-record ++++ b/tools/perf/tests/attr/base-record +@@ -9,7 +9,7 @@ size=112 + config=0 + sample_period=* + sample_type=263 +-read_format=0 ++read_format=0|4 + disabled=1 + inherit=1 + pinned=0 +diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c +index 03a72310315f..e7dbdcc8d465 100644 +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -1088,7 +1088,7 @@ void perf_evsel__config(struct perf_evsel *evsel, struct record_opts *opts, + attr->exclude_user = 1; + } + +- if (evsel->own_cpus) ++ if (evsel->own_cpus || evsel->unit) + evsel->attr.read_format |= PERF_FORMAT_ID; + + /* +-- +2.19.1 + diff --git a/queue-4.19/perf-tools-restore-proper-cwd-on-return-from-mnt-nam.patch b/queue-4.19/perf-tools-restore-proper-cwd-on-return-from-mnt-nam.patch new file mode 100644 index 00000000000..a4ebbfb19a4 --- /dev/null +++ b/queue-4.19/perf-tools-restore-proper-cwd-on-return-from-mnt-nam.patch 
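Review bot: The change in perf_evsel__config() sets PERF_FORMAT_ID whenever `evsel->unit` is set, but the crash site quoted in the description, `evsel->id[0]` in perf_event__synthesize_event_update_unit(), still reads the id array without checking that it was allocated. A guard there would fail cleanly if some other path leaves the array empty; that function is not part of this diff, so this is a follow-up rather than a change to the hunk. The subject quoted in the `Fixes:` tag mentions scale and other update events too, and whether those read `evsel->id[0]` in cases not covered by `own_cpus || unit` is worth confirming.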
@@ -0,0 +1,129 @@ +From 74ee76b3b9c5cde20a9850ee5401e98bac71bef7 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Thu, 1 Nov 2018 18:00:01 +0100 +Subject: perf tools: Restore proper cwd on return from mnt namespace + +[ Upstream commit b01c1f69c8660eaeab7d365cd570103c5c073a02 ] + +When reporting on 'record' server we try to retrieve/use the mnt +namespace of the profiled tasks. We use following API with cookie to +hold the return namespace, roughly: + + nsinfo__mountns_enter(struct nsinfo *nsi, struct nscookie *nc) + setns(newns, 0); + ... + new ns related open.. + ... + nsinfo__mountns_exit(struct nscookie *nc) + setns(nc->oldns) + +Once finished we setns to old namespace, which also sets the current +working directory (cwd) to "/", trashing the cwd we had. + +This is mostly fine, because we use absolute paths almost everywhere, +but it screws up 'perf diff': + + # perf diff + failed to open perf.data: No such file or directory (try 'perf record' first) + ... + +Adding the current working directory to be part of the cookie and +restoring it in the nsinfo__mountns_exit call. 
+ +Signed-off-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Krister Johansen +Cc: Namhyung Kim +Cc: Peter Zijlstra +Fixes: 843ff37bb59e ("perf symbols: Find symbols in different mount namespace") +Link: http://lkml.kernel.org/r/20181101170001.30019-1-jolsa@kernel.org +[ No need to check for NULL args for free(), use zfree() for struct members ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/namespaces.c | 17 +++++++++++++++-- + tools/perf/util/namespaces.h | 1 + + 2 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/namespaces.c b/tools/perf/util/namespaces.c +index cf8bd123cf73..aed170bd4384 100644 +--- a/tools/perf/util/namespaces.c ++++ b/tools/perf/util/namespaces.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + struct namespaces *namespaces__new(struct namespaces_event *event) + { +@@ -186,6 +187,7 @@ void nsinfo__mountns_enter(struct nsinfo *nsi, + char curpath[PATH_MAX]; + int oldns = -1; + int newns = -1; ++ char *oldcwd = NULL; + + if (nc == NULL) + return; +@@ -199,9 +201,13 @@ void nsinfo__mountns_enter(struct nsinfo *nsi, + if (snprintf(curpath, PATH_MAX, "/proc/self/ns/mnt") >= PATH_MAX) + return; + ++ oldcwd = get_current_dir_name(); ++ if (!oldcwd) ++ return; ++ + oldns = open(curpath, O_RDONLY); + if (oldns < 0) +- return; ++ goto errout; + + newns = open(nsi->mntns_path, O_RDONLY); + if (newns < 0) +@@ -210,11 +216,13 @@ void nsinfo__mountns_enter(struct nsinfo *nsi, + if (setns(newns, CLONE_NEWNS) < 0) + goto errout; + ++ nc->oldcwd = oldcwd; + nc->oldns = oldns; + nc->newns = newns; + return; + + errout: ++ free(oldcwd); + if (oldns > -1) + close(oldns); + if (newns > -1) +@@ -223,11 +231,16 @@ void nsinfo__mountns_enter(struct nsinfo *nsi, + + void nsinfo__mountns_exit(struct nscookie *nc) + { +- if (nc == NULL || nc->oldns == -1 || nc->newns == -1) ++ if (nc == NULL || nc->oldns == -1 || nc->newns == -1 || !nc->oldcwd) + return; + + setns(nc->oldns, 
CLONE_NEWNS); + ++ if (nc->oldcwd) { ++ WARN_ON_ONCE(chdir(nc->oldcwd)); ++ zfree(&nc->oldcwd); ++ } ++ + if (nc->oldns > -1) { + close(nc->oldns); + nc->oldns = -1; +diff --git a/tools/perf/util/namespaces.h b/tools/perf/util/namespaces.h +index cae1a9a39722..d5f46c09ea31 100644 +--- a/tools/perf/util/namespaces.h ++++ b/tools/perf/util/namespaces.h +@@ -38,6 +38,7 @@ struct nsinfo { + struct nscookie { + int oldns; + int newns; ++ char *oldcwd; + }; + + int nsinfo__init(struct nsinfo *nsi); +-- +2.19.1 + diff --git a/queue-4.19/phy-qcom-qusb2-fix-hstx_trim-tuning-with-fused-value.patch b/queue-4.19/phy-qcom-qusb2-fix-hstx_trim-tuning-with-fused-value.patch new file mode 100644 index 00000000000..03762d08598 --- /dev/null +++ b/queue-4.19/phy-qcom-qusb2-fix-hstx_trim-tuning-with-fused-value.patch 
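Review bot: In nsinfo__mountns_exit() the result of `setns(nc->oldns, CLONE_NEWNS)` is ignored before the new `chdir(nc->oldcwd)`, so if switching back fails the saved path is resolved inside the profiled task's mount namespace and later relative opens run there. Restoring the directory only on success avoids that, e.g. `if (setns(nc->oldns, CLONE_NEWNS) == 0) WARN_ON_ONCE(chdir(nc->oldcwd));` followed by `zfree(&nc->oldcwd);`. The inner `if (nc->oldcwd)` is redundant now that the guard at the top already returns on `!nc->oldcwd`. In nsinfo__mountns_enter() the visible lines assign `nc->oldcwd` only on the success path; whether it is cleared on the early returns is outside the hunk and worth confirming, since the exit guard reads it.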
@@ -0,0 +1,37 @@
+From 034b52121d2df30df87b4f8fc1056b2ccd13dfec Mon Sep 17 00:00:00 2001
+From: Manu Gautam
+Date: Tue, 16 Oct 2018 12:52:07 +0530
+Subject: phy: qcom-qusb2: Fix HSTX_TRIM tuning with fused value for SDM845
+
+[ Upstream commit c88520db18ba0b9a41326c3b8680e7c09eb4c381 ]
+
+Tune1 register on sdm845 is used to update HSTX_TRIM with fused
+setting. Enable same by specifying update_tune1_with_efuse flag
+for sdm845, otherwise driver ends up programming tune2 register.
+
+Fixes: ef17f6e212ca ("phy: qcom-qusb2: Add QUSB2 PHYs support for sdm845")
+Signed-off-by: Manu Gautam
+Reviewed-by: Douglas Anderson
+Reviewed-by: Stephen Boyd
+Acked-by: Vivek Gautam
+Signed-off-by: Kishon Vijay Abraham I
+Signed-off-by: Sasha Levin
+---
+ drivers/phy/qualcomm/phy-qcom-qusb2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+index 9d6c88064158..69c92843eb3b 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qusb2.c
++++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+@@ -231,6 +231,7 @@ static const struct qusb2_phy_cfg sdm845_phy_cfg = {
+ .mask_core_ready = CORE_READY_STATUS,
+ .has_pll_override = true,
+ .autoresume_en = BIT(0),
++ .update_tune1_with_efuse = true,
+ };
+
+ static const char * const qusb2_phy_vreg_names[] = {
+--
+2.19.1
+
diff --git a/queue-4.19/phy-qcom-qusb2-use-hstx_trim-fused-value-as-is.patch b/queue-4.19/phy-qcom-qusb2-use-hstx_trim-fused-value-as-is.patch
new file mode 100644
index 00000000000..3bcfade27e1
--- /dev/null
+++ b/queue-4.19/phy-qcom-qusb2-use-hstx_trim-fused-value-as-is.patch
@@ -0,0 +1,63 @@ +From 0897707f8a0d1dfb2246258956a198042c91d7a0 Mon Sep 17 00:00:00 2001 +From: Manu Gautam +Date: Tue, 16 Oct 2018 12:52:06 +0530 +Subject: phy: qcom-qusb2: Use HSTX_TRIM fused value as is + +[ Upstream commit 6e34d358b24ffc40764eb3681164c79091765429 ] + +Fix HSTX_TRIM tuning logic which instead of using fused value +as HSTX_TRIM, incorrectly performs bitwise OR operation with +existing default value. + +Fixes: ca04d9d3e1b1 ("phy: qcom-qusb2: New driver for QUSB2 PHY on Qcom chips") +Signed-off-by: Manu Gautam +Reviewed-by: Douglas Anderson +Reviewed-by: Stephen Boyd +Acked-by: Vivek Gautam +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-qusb2.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c +index e70e425f26f5..9d6c88064158 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qusb2.c ++++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c +@@ -402,10 +402,10 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy) + + /* + * Read efuse register having TUNE2/1 parameter's high nibble. +- * If efuse register shows value as 0x0, or if we fail to find +- * a valid efuse register settings, then use default value +- * as 0xB for high nibble that we have already set while +- * configuring phy. ++ * If efuse register shows value as 0x0 (indicating value is not ++ * fused), or if we fail to find a valid efuse register setting, ++ * then use default value for high nibble that we have already ++ * set while configuring the phy. 
+ */ + val = nvmem_cell_read(qphy->cell, NULL); + if (IS_ERR(val) || !val[0]) { +@@ -415,12 +415,13 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy) + + /* Fused TUNE1/2 value is the higher nibble only */ + if (cfg->update_tune1_with_efuse) +- qusb2_setbits(qphy->base, cfg->regs[QUSB2PHY_PORT_TUNE1], +- val[0] << 0x4); ++ qusb2_write_mask(qphy->base, cfg->regs[QUSB2PHY_PORT_TUNE1], ++ val[0] << HSTX_TRIM_SHIFT, ++ HSTX_TRIM_MASK); + else +- qusb2_setbits(qphy->base, cfg->regs[QUSB2PHY_PORT_TUNE2], +- val[0] << 0x4); +- ++ qusb2_write_mask(qphy->base, cfg->regs[QUSB2PHY_PORT_TUNE2], ++ val[0] << HSTX_TRIM_SHIFT, ++ HSTX_TRIM_MASK); + } + + static int qusb2_phy_set_mode(struct phy *phy, enum phy_mode mode) +-- +2.19.1 + diff --git a/queue-4.19/proc-fixup-map_files-test-on-arm.patch b/queue-4.19/proc-fixup-map_files-test-on-arm.patch new file mode 100644 index 00000000000..48d3bf1814f --- /dev/null +++ b/queue-4.19/proc-fixup-map_files-test-on-arm.patch 
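Review bot: The buffer returned by `nvmem_cell_read()` in qusb2_phy_set_tune2_param() is not released after the new `qusb2_write_mask()` calls; the function ends right after the if/else in this hunk. nvmem_cell_read() hands back an allocated buffer that the caller owns, so a `kfree(val);` after the write is needed, and the same applies to the `!val[0]` early-return path, whose body is outside the hunk. The length argument is passed as NULL, so `val[0]` is used without confirming the cell holds at least one byte. Whether `qusb2_write_mask()` masks the shifted value before writing is not visible here; if it does not, a fused value above 0xF would spill past the HSTX_TRIM field.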
@@ -0,0 +1,62 @@ +From 3fcb9164e8f24281fd5d0a57b1d01af1a0a8ba1c Mon Sep 17 00:00:00 2001 +From: Alexey Dobriyan +Date: Fri, 30 Nov 2018 14:09:53 -0800 +Subject: proc: fixup map_files test on arm + +[ Upstream commit dbd4af54745fc0c805217693c807a3928b2d408b ] + +https://bugs.linaro.org/show_bug.cgi?id=3782 + +Turns out arm doesn't permit mapping address 0, so try minimum virtual +address instead. + +Link: http://lkml.kernel.org/r/20181113165446.GA28157@avx2 +Signed-off-by: Alexey Dobriyan +Reported-by: Rafael David Tinoco +Tested-by: Rafael David Tinoco +Acked-by: Cyrill Gorcunov +Cc: Shuah Khan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/proc/proc-self-map-files-002.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/proc/proc-self-map-files-002.c b/tools/testing/selftests/proc/proc-self-map-files-002.c +index 6f1f4a6e1ecb..85744425b08d 100644 +--- a/tools/testing/selftests/proc/proc-self-map-files-002.c ++++ b/tools/testing/selftests/proc/proc-self-map-files-002.c +@@ -13,7 +13,7 @@ + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ +-/* Test readlink /proc/self/map_files/... with address 0. */ ++/* Test readlink /proc/self/map_files/... with minimum address. 
*/ + #include + #include + #include +@@ -47,6 +47,11 @@ static void fail(const char *fmt, unsigned long a, unsigned long b) + int main(void) + { + const unsigned int PAGE_SIZE = sysconf(_SC_PAGESIZE); ++#ifdef __arm__ ++ unsigned long va = 2 * PAGE_SIZE; ++#else ++ unsigned long va = 0; ++#endif + void *p; + int fd; + unsigned long a, b; +@@ -55,7 +60,7 @@ int main(void) + if (fd == -1) + return 1; + +- p = mmap(NULL, PAGE_SIZE, PROT_NONE, MAP_PRIVATE|MAP_FILE|MAP_FIXED, fd, 0); ++ p = mmap((void *)va, PAGE_SIZE, PROT_NONE, MAP_PRIVATE|MAP_FILE|MAP_FIXED, fd, 0); + if (p == MAP_FAILED) { + if (errno == EPERM) + return 2; +-- +2.19.1 + diff --git a/queue-4.19/pstore-ram-correctly-calculate-usable-prz-bytes.patch b/queue-4.19/pstore-ram-correctly-calculate-usable-prz-bytes.patch new file mode 100644 index 00000000000..dd0be01889d --- /dev/null +++ b/queue-4.19/pstore-ram-correctly-calculate-usable-prz-bytes.patch 
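Review bot: The `#ifdef __arm__` block in main() picks `2 * PAGE_SIZE` with no comment on why that address was chosen or what it depends on. A short comment would help, for example `/* arm cannot map address 0; use a low page instead (needs vm.mmap_min_addr at or below this) */`. The failure path shown returns 2 on EPERM, which presumably reports the test as skipped when the address is not mappable; the rest of main() is outside the hunk.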
@@ -0,0 +1,80 @@ +From a08ea45cb45835fc3734198af3a9a0cd4ff1824c Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Thu, 1 Nov 2018 16:17:22 -0700 +Subject: pstore/ram: Correctly calculate usable PRZ bytes + +[ Upstream commit 89d328f637b9904b6d4c9af73c8a608b8dd4d6f8 ] + +The actual number of bytes stored in a PRZ is smaller than the +bytes requested by platform data, since there is a header on each +PRZ. Additionally, if ECC is enabled, there are trailing bytes used +as well. Normally this mismatch doesn't matter since PRZs are circular +buffers and the leading "overflow" bytes are just thrown away. However, in +the case of a compressed record, this rather badly corrupts the results. + +This corruption was visible with "ramoops.mem_size=204800 ramoops.ecc=1". +Any stored crashes would not be uncompressable (producing a pstorefs +"dmesg-*.enc.z" file), and triggering errors at boot: + + [ 2.790759] pstore: crypto_comp_decompress failed, ret = -22! + +Backporting this depends on commit 70ad35db3321 ("pstore: Convert console +write to use ->write_buf") + +Reported-by: Joel Fernandes +Fixes: b0aad7a99c1d ("pstore: Add compression support to pstore") +Signed-off-by: Kees Cook +Reviewed-by: Joel Fernandes (Google) +Signed-off-by: Sasha Levin +--- + fs/pstore/ram.c | 15 ++++++--------- + include/linux/pstore.h | 5 ++++- + 2 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c +index f4fd2e72add4..03cd59375abe 100644 +--- a/fs/pstore/ram.c ++++ b/fs/pstore/ram.c +@@ -806,17 +806,14 @@ static int ramoops_probe(struct platform_device *pdev) + + cxt->pstore.data = cxt; + /* +- * Console can handle any buffer size, so prefer LOG_LINE_MAX. If we +- * have to handle dumps, we must have at least record_size buffer. And +- * for ftrace, bufsize is irrelevant (if bufsize is 0, buf will be +- * ZERO_SIZE_PTR). 
++ * Since bufsize is only used for dmesg crash dumps, it ++ * must match the size of the dprz record (after PRZ header ++ * and ECC bytes have been accounted for). + */ +- if (cxt->console_size) +- cxt->pstore.bufsize = 1024; /* LOG_LINE_MAX */ +- cxt->pstore.bufsize = max(cxt->record_size, cxt->pstore.bufsize); +- cxt->pstore.buf = kmalloc(cxt->pstore.bufsize, GFP_KERNEL); ++ cxt->pstore.bufsize = cxt->dprzs[0]->buffer_size; ++ cxt->pstore.buf = kzalloc(cxt->pstore.bufsize, GFP_KERNEL); + if (!cxt->pstore.buf) { +- pr_err("cannot allocate pstore buffer\n"); ++ pr_err("cannot allocate pstore crash dump buffer\n"); + err = -ENOMEM; + goto fail_clear; + } +diff --git a/include/linux/pstore.h b/include/linux/pstore.h +index a15bc4d48752..30fcec375a3a 100644 +--- a/include/linux/pstore.h ++++ b/include/linux/pstore.h +@@ -90,7 +90,10 @@ struct pstore_record { + * + * @buf_lock: spinlock to serialize access to @buf + * @buf: preallocated crash dump buffer +- * @bufsize: size of @buf available for crash dump writes ++ * @bufsize: size of @buf available for crash dump bytes (must match ++ * smallest number of bytes available for writing to a ++ * backend entry, since compressed bytes don't take kindly ++ * to being truncated) + * + * @read_mutex: serializes @open, @read, @close, and @erase callbacks + * @flags: bitfield of frontends the backend can accept writes for +-- +2.19.1 + diff --git a/queue-4.19/pvcalls-front-fixes-incorrect-error-handling.patch b/queue-4.19/pvcalls-front-fixes-incorrect-error-handling.patch new file mode 100644 index 00000000000..a4535c22de6 --- /dev/null +++ b/queue-4.19/pvcalls-front-fixes-incorrect-error-handling.patch 
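Review bot: `cxt->dprzs[0]->buffer_size` in ramoops_probe() is dereferenced unconditionally, while the comment this hunk removes says the old sizing also had to cope with setups that have no dump records (console-only, ftrace). If `dprzs` is NULL or empty when no dmesg zone is configured (its setup is outside the hunk, so this needs confirming), the probe would dereference a NULL pointer. Guarding the sizing, for instance `if (cxt->dprzs && cxt->dprzs[0])` around the bufsize assignment and allocation, keeps those configurations working. ramoops_probe() starts and ends outside the hunk.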
@@ -0,0 +1,37 @@
+From acd297eeac40d5d6676403af3c9e4ac8f5f9d176 Mon Sep 17 00:00:00 2001
+From: Pan Bian
+Date: Thu, 22 Nov 2018 10:07:12 +0800
+Subject: pvcalls-front: fixes incorrect error handling
+
+[ Upstream commit 975ef94a0284648fb0137bd5e949b18cef604e33 ]
+
+kfree() is incorrectly used to release the pages allocated by
+__get_free_page() and __get_free_pages(). Use the matching deallocators
+i.e., free_page() and free_pages(), respectively.
+
+Signed-off-by: Pan Bian
+Reviewed-by: Stefano Stabellini
+Signed-off-by: Juergen Gross
+Signed-off-by: Sasha Levin
+---
+ drivers/xen/pvcalls-front.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/xen/pvcalls-front.c b/drivers/xen/pvcalls-front.c
+index 2f11ca72a281..77224d8f3e6f 100644
+--- a/drivers/xen/pvcalls-front.c
++++ b/drivers/xen/pvcalls-front.c
+@@ -385,8 +385,8 @@ static int create_active(struct sock_mapping *map, int *evtchn)
+ out_error:
+ if (*evtchn >= 0)
+ xenbus_free_evtchn(pvcalls_front_dev, *evtchn);
+- kfree(map->active.data.in);
+- kfree(map->active.ring);
++ free_pages((unsigned long)map->active.data.in, PVCALLS_RING_ORDER);
++ free_page((unsigned long)map->active.ring);
+ return ret;
+ }
+
+--
+2.19.1
+
diff --git a/queue-4.19/rdma-bnxt_re-avoid-accessing-the-device-structure-af.patch b/queue-4.19/rdma-bnxt_re-avoid-accessing-the-device-structure-af.patch
new file mode 100644
index 00000000000..b2e9844c5d3
--- /dev/null
+++ b/queue-4.19/rdma-bnxt_re-avoid-accessing-the-device-structure-af.patch
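Review bot: The `out_error` path in create_active() now returns the ring and data pages to the page allocator, but nothing in the hunk shows grant references on them being ended first. If the pages were granted to the backend earlier in the function (that part is outside the hunk), freeing them here puts memory the other domain can still reach back into the free pool; the grants should be ended before `free_page()`/`free_pages()`, or the label should be reachable only before any grant is made. The freed pointers also remain in `map->active`; clearing them, e.g. `map->active.ring = NULL;`, would protect a later cleanup of `map` from a double free.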
@@ -0,0 +1,74 @@ +From d3fa4e9e71c2dec1ea42132a9416b0489088d7fe Mon Sep 17 00:00:00 2001 +From: Selvin Xavier +Date: Wed, 21 Nov 2018 00:05:01 -0800 +Subject: RDMA/bnxt_re: Avoid accessing the device structure after it is freed + +[ Upstream commit a6c66d6a08b88cc10aca9d3f65cfae31e7652a99 ] + +When bnxt_re_ib_reg returns failure, the device structure gets +freed. Driver tries to access the device pointer +after it is freed. + +[ 4871.034744] Failed to register with netedev: 0xffffffa1 +[ 4871.034765] infiniband (null): Failed to register with IB: 0xffffffea +[ 4871.046430] ================================================================== +[ 4871.046437] BUG: KASAN: use-after-free in bnxt_re_task+0x63/0x180 [bnxt_re] +[ 4871.046439] Write of size 4 at addr ffff880fa8406f48 by task kworker/u48:2/17813 + +[ 4871.046443] CPU: 20 PID: 17813 Comm: kworker/u48:2 Kdump: loaded Tainted: G B OE 4.20.0-rc1+ #42 +[ 4871.046444] Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 1.0.4 08/28/2014 +[ 4871.046447] Workqueue: bnxt_re bnxt_re_task [bnxt_re] +[ 4871.046449] Call Trace: +[ 4871.046454] dump_stack+0x91/0xeb +[ 4871.046458] print_address_description+0x6a/0x2a0 +[ 4871.046461] kasan_report+0x176/0x2d0 +[ 4871.046463] ? bnxt_re_task+0x63/0x180 [bnxt_re] +[ 4871.046466] bnxt_re_task+0x63/0x180 [bnxt_re] +[ 4871.046470] process_one_work+0x216/0x5b0 +[ 4871.046471] ? process_one_work+0x189/0x5b0 +[ 4871.046475] worker_thread+0x4e/0x3d0 +[ 4871.046479] kthread+0x10e/0x140 +[ 4871.046480] ? process_one_work+0x5b0/0x5b0 +[ 4871.046482] ? 
kthread_stop+0x220/0x220 +[ 4871.046486] ret_from_fork+0x3a/0x50 + +[ 4871.046492] The buggy address belongs to the page: +[ 4871.046494] page:ffffea003ea10180 count:0 mapcount:0 mapping:0000000000000000 index:0x0 +[ 4871.046495] flags: 0x57ffffc0000000() +[ 4871.046498] raw: 0057ffffc0000000 0000000000000000 ffffea003ea10188 0000000000000000 +[ 4871.046500] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +[ 4871.046501] page dumped because: kasan: bad access detected + +Avoid accessing the device structure once it is freed. + +Fixes: 497158aa5f52 ("RDMA/bnxt_re: Fix the ib_reg failure cleanup") +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c +index bb3f16273938..22bd9784fa2e 100644 +--- a/drivers/infiniband/hw/bnxt_re/main.c ++++ b/drivers/infiniband/hw/bnxt_re/main.c +@@ -1462,6 +1462,7 @@ static void bnxt_re_task(struct work_struct *work) + "Failed to register with IB: %#x", rc); + bnxt_re_remove_one(rdev); + bnxt_re_dev_unreg(rdev); ++ goto exit; + } + break; + case NETDEV_UP: +@@ -1485,6 +1486,7 @@ static void bnxt_re_task(struct work_struct *work) + } + smp_mb__before_atomic(); + atomic_dec(&rdev->sched_count); ++exit: + kfree(re_work); + } + +-- +2.19.1 + diff --git a/queue-4.19/rdma-bnxt_re-fix-system-hang-when-registration-with-.patch b/queue-4.19/rdma-bnxt_re-fix-system-hang-when-registration-with-.patch new file mode 100644 index 00000000000..ef31172b4e4 --- /dev/null +++ b/queue-4.19/rdma-bnxt_re-fix-system-hang-when-registration-with-.patch 
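Review bot: The new `goto exit;` in bnxt_re_task() skips `atomic_dec(&rdev->sched_count)` because `rdev` is gone by then, but nothing at the jump says so. A comment such as `/* rdev was freed by the unregister path above; do not touch it */` before the `goto` would stop a later change from moving the decrement back above the label. The other cases of the switch are outside the hunk; any of them that can also release `rdev` needs the same early exit.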
@@ -0,0 +1,60 @@ +From b93fd823e2b6acc6ee6b06ad7d8483cc72f3a781 Mon Sep 17 00:00:00 2001 +From: Selvin Xavier +Date: Wed, 21 Nov 2018 00:05:00 -0800 +Subject: RDMA/bnxt_re: Fix system hang when registration with L2 driver fails + +[ Upstream commit 3c4b1419c33c2417836a63f8126834ee36968321 ] + +Driver doesn't release rtnl lock if registration with +L2 driver (bnxt_re_register_netdev) fais and this causes +hang while requesting for the next lock. + +[ 371.635416] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +[ 371.635417] kworker/u48:1 D 0 634 2 0x80000000 +[ 371.635423] Workqueue: bnxt_re bnxt_re_task [bnxt_re] +[ 371.635424] Call Trace: +[ 371.635426] ? __schedule+0x36b/0xbd0 +[ 371.635429] schedule+0x39/0x90 +[ 371.635430] schedule_preempt_disabled+0x11/0x20 +[ 371.635431] __mutex_lock+0x45b/0x9c0 +[ 371.635433] ? __mutex_lock+0x16d/0x9c0 +[ 371.635435] ? bnxt_re_ib_reg+0x2b/0xb30 [bnxt_re] +[ 371.635438] ? wake_up_klogd+0x37/0x40 +[ 371.635442] bnxt_re_ib_reg+0x2b/0xb30 [bnxt_re] +[ 371.635447] bnxt_re_task+0xfd/0x180 [bnxt_re] +[ 371.635449] process_one_work+0x216/0x5b0 +[ 371.635450] ? process_one_work+0x189/0x5b0 +[ 371.635453] worker_thread+0x4e/0x3d0 +[ 371.635455] kthread+0x10e/0x140 +[ 371.635456] ? process_one_work+0x5b0/0x5b0 +[ 371.635458] ? kthread_stop+0x220/0x220 +[ 371.635460] ret_from_fork+0x3a/0x50 +[ 371.635477] INFO: task NetworkManager:1228 blocked for more than 120 seconds. +[ 371.635478] Tainted: G B OE 4.20.0-rc1+ #42 +[ 371.635479] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + +Release the rtnl_lock correctly in the failure path. 
+ +Fixes: de5c95d0f518 ("RDMA/bnxt_re: Fix system crash during RDMA resource initialization") +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c +index 85cd1a3593d6..bb3f16273938 100644 +--- a/drivers/infiniband/hw/bnxt_re/main.c ++++ b/drivers/infiniband/hw/bnxt_re/main.c +@@ -1252,6 +1252,7 @@ static int bnxt_re_ib_reg(struct bnxt_re_dev *rdev) + /* Registered a new RoCE device instance to netdev */ + rc = bnxt_re_register_netdev(rdev); + if (rc) { ++ rtnl_unlock(); + pr_err("Failed to register with netedev: %#x\n", rc); + return -EINVAL; + } +-- +2.19.1 + diff --git a/queue-4.19/rdma-core-add-gids-while-changing-mac-addr-only-for-.patch b/queue-4.19/rdma-core-add-gids-while-changing-mac-addr-only-for-.patch new file mode 100644 index 00000000000..48f40946b76 --- /dev/null +++ b/queue-4.19/rdma-core-add-gids-while-changing-mac-addr-only-for-.patch 
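Review bot: `rtnl_unlock()` is added by hand to one failure branch of bnxt_re_ib_reg(); the matching `rtnl_lock()` and any other returns taken while the lock is held are outside the hunk. Every early return in the locked region needs the same treatment, so routing them through a single unlock label is less fragile than one unlock per branch. The branch also returns `-EINVAL` instead of `rc`, which drops the error reported by the L2 driver.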
@@ -0,0 +1,57 @@ +From cd9c013241b8c4c9184d162de5bbd056e8c0a5b4 Mon Sep 17 00:00:00 2001 +From: Parav Pandit +Date: Mon, 19 Nov 2018 09:58:24 +0200 +Subject: RDMA/core: Add GIDs while changing MAC addr only for registered ndev + +[ Upstream commit d52ef88a9f4be523425730da3239cf87bee936da ] + +Currently when MAC address is changed, regardless of the netdev reg_state, +GID entries are removed and added to reflect the new MAC address and new +default GID entries. + +When a bonding device is used and the underlying PCI device is removed +several netdevice events are generated. Two events of the interest are +CHANGEADDR and UNREGISTER event on lower(slave) netdevice of the bond +netdevice. + +Sometimes CHANGEADDR event is generated when netdev state is +UNREGISTERING (after UNREGISTER event is generated). In this scenario, GID +entries for default GIDs are added and never deleted because GID entries +are deleted only when netdev state is < UNREGISTERED. + +This leads to non zero reference count on the netdevice. Due to this, PCI +device unbind operation is getting stuck. + +To avoid it, when changing mac address, add GID entries only if netdev is +in REGISTERED state. 
+ +Fixes: 03db3a2d81e6 ("IB/core: Add RoCE GID table management") +Signed-off-by: Parav Pandit +Reviewed-by: Mark Bloch +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/roce_gid_mgmt.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/core/roce_gid_mgmt.c b/drivers/infiniband/core/roce_gid_mgmt.c +index ee366199b169..25d43c8f1c2a 100644 +--- a/drivers/infiniband/core/roce_gid_mgmt.c ++++ b/drivers/infiniband/core/roce_gid_mgmt.c +@@ -767,8 +767,10 @@ static int netdevice_event(struct notifier_block *this, unsigned long event, + + case NETDEV_CHANGEADDR: + cmds[0] = netdev_del_cmd; +- cmds[1] = add_default_gid_cmd; +- cmds[2] = add_cmd; ++ if (ndev->reg_state == NETREG_REGISTERED) { ++ cmds[1] = add_default_gid_cmd; ++ cmds[2] = add_cmd; ++ } + break; + + case NETDEV_CHANGEUPPER: +-- +2.19.1 + diff --git a/queue-4.19/rdma-hns-bugfix-pbl-configuration-for-rereg-mr.patch b/queue-4.19/rdma-hns-bugfix-pbl-configuration-for-rereg-mr.patch new file mode 100644 index 00000000000..fd8eae4dfa8 --- /dev/null +++ b/queue-4.19/rdma-hns-bugfix-pbl-configuration-for-rereg-mr.patch 
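Review bot: The `ndev->reg_state == NETREG_REGISTERED` check in the NETDEV_CHANGEADDR case needs a comment; without the commit message, the reason for deleting GIDs but not re-adding them cannot be recovered from the code. Something like `/* Re-add GIDs only for a registered netdev: entries added while it is unregistering are never deleted and pin its refcount */` would do. netdevice_event() starts and ends outside the hunk.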
@@ -0,0 +1,226 @@ +From 39ffebbe93980a7688666300a63d6d52b96b4ff4 Mon Sep 17 00:00:00 2001 +From: Yixian Liu +Date: Fri, 23 Nov 2018 15:46:07 +0800 +Subject: RDMA/hns: Bugfix pbl configuration for rereg mr + +[ Upstream commit ca088320a02537f36c243ac21794525d8eabb3bd ] + +Current hns driver assigned the first two PBL page addresses from previous +registered MR to the hardware when reregister MR changing the memory +locations occurred. This will lead to PBL addressing error as the PBL has +already been released. This patch fixes this wrong assignment by using the +page address from new allocated PBL. + +Fixes: a2c80b7b4119 ("RDMA/hns: Add rereg mr support for hip08") +Signed-off-by: Yixian Liu +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 128 ++++++++++----------- + 1 file changed, 60 insertions(+), 68 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 0218c0f8c2a7..a442b29e7611 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -1661,10 +1661,9 @@ static int hns_roce_v2_set_mac(struct hns_roce_dev *hr_dev, u8 phy_port, + return hns_roce_cmq_send(hr_dev, &desc, 1); + } + +-static int hns_roce_v2_write_mtpt(void *mb_buf, struct hns_roce_mr *mr, +- unsigned long mtpt_idx) ++static int set_mtpt_pbl(struct hns_roce_v2_mpt_entry *mpt_entry, ++ struct hns_roce_mr *mr) + { +- struct hns_roce_v2_mpt_entry *mpt_entry; + struct scatterlist *sg; + u64 page_addr; + u64 *pages; +@@ -1672,6 +1671,53 @@ static int hns_roce_v2_write_mtpt(void *mb_buf, struct hns_roce_mr *mr, + int len; + int entry; + ++ mpt_entry->pbl_size = cpu_to_le32(mr->pbl_size); ++ mpt_entry->pbl_ba_l = cpu_to_le32(lower_32_bits(mr->pbl_ba >> 3)); ++ roce_set_field(mpt_entry->byte_48_mode_ba, ++ V2_MPT_BYTE_48_PBL_BA_H_M, V2_MPT_BYTE_48_PBL_BA_H_S, ++ upper_32_bits(mr->pbl_ba >> 3)); ++ ++ pages = (u64 
*)__get_free_page(GFP_KERNEL); ++ if (!pages) ++ return -ENOMEM; ++ ++ i = 0; ++ for_each_sg(mr->umem->sg_head.sgl, sg, mr->umem->nmap, entry) { ++ len = sg_dma_len(sg) >> PAGE_SHIFT; ++ for (j = 0; j < len; ++j) { ++ page_addr = sg_dma_address(sg) + ++ (j << mr->umem->page_shift); ++ pages[i] = page_addr >> 6; ++ /* Record the first 2 entry directly to MTPT table */ ++ if (i >= HNS_ROCE_V2_MAX_INNER_MTPT_NUM - 1) ++ goto found; ++ i++; ++ } ++ } ++found: ++ mpt_entry->pa0_l = cpu_to_le32(lower_32_bits(pages[0])); ++ roce_set_field(mpt_entry->byte_56_pa0_h, V2_MPT_BYTE_56_PA0_H_M, ++ V2_MPT_BYTE_56_PA0_H_S, upper_32_bits(pages[0])); ++ ++ mpt_entry->pa1_l = cpu_to_le32(lower_32_bits(pages[1])); ++ roce_set_field(mpt_entry->byte_64_buf_pa1, V2_MPT_BYTE_64_PA1_H_M, ++ V2_MPT_BYTE_64_PA1_H_S, upper_32_bits(pages[1])); ++ roce_set_field(mpt_entry->byte_64_buf_pa1, ++ V2_MPT_BYTE_64_PBL_BUF_PG_SZ_M, ++ V2_MPT_BYTE_64_PBL_BUF_PG_SZ_S, ++ mr->pbl_buf_pg_sz + PG_SHIFT_OFFSET); ++ ++ free_page((unsigned long)pages); ++ ++ return 0; ++} ++ ++static int hns_roce_v2_write_mtpt(void *mb_buf, struct hns_roce_mr *mr, ++ unsigned long mtpt_idx) ++{ ++ struct hns_roce_v2_mpt_entry *mpt_entry; ++ int ret; ++ + mpt_entry = mb_buf; + memset(mpt_entry, 0, sizeof(*mpt_entry)); + +@@ -1686,7 +1732,6 @@ static int hns_roce_v2_write_mtpt(void *mb_buf, struct hns_roce_mr *mr, + mr->pbl_ba_pg_sz + PG_SHIFT_OFFSET); + roce_set_field(mpt_entry->byte_4_pd_hop_st, V2_MPT_BYTE_4_PD_M, + V2_MPT_BYTE_4_PD_S, mr->pd); +- mpt_entry->byte_4_pd_hop_st = cpu_to_le32(mpt_entry->byte_4_pd_hop_st); + + roce_set_bit(mpt_entry->byte_8_mw_cnt_en, V2_MPT_BYTE_8_RA_EN_S, 0); + roce_set_bit(mpt_entry->byte_8_mw_cnt_en, V2_MPT_BYTE_8_R_INV_EN_S, 1); +@@ -1700,13 +1745,11 @@ static int hns_roce_v2_write_mtpt(void *mb_buf, struct hns_roce_mr *mr, + (mr->access & IB_ACCESS_REMOTE_WRITE ? 1 : 0)); + roce_set_bit(mpt_entry->byte_8_mw_cnt_en, V2_MPT_BYTE_8_LW_EN_S, + (mr->access & IB_ACCESS_LOCAL_WRITE ? 
1 : 0)); +- mpt_entry->byte_8_mw_cnt_en = cpu_to_le32(mpt_entry->byte_8_mw_cnt_en); + + roce_set_bit(mpt_entry->byte_12_mw_pa, V2_MPT_BYTE_12_PA_S, + mr->type == MR_TYPE_MR ? 0 : 1); + roce_set_bit(mpt_entry->byte_12_mw_pa, V2_MPT_BYTE_12_INNER_PA_VLD_S, + 1); +- mpt_entry->byte_12_mw_pa = cpu_to_le32(mpt_entry->byte_12_mw_pa); + + mpt_entry->len_l = cpu_to_le32(lower_32_bits(mr->size)); + mpt_entry->len_h = cpu_to_le32(upper_32_bits(mr->size)); +@@ -1717,53 +1760,9 @@ static int hns_roce_v2_write_mtpt(void *mb_buf, struct hns_roce_mr *mr, + if (mr->type == MR_TYPE_DMA) + return 0; + +- mpt_entry->pbl_size = cpu_to_le32(mr->pbl_size); +- +- mpt_entry->pbl_ba_l = cpu_to_le32(lower_32_bits(mr->pbl_ba >> 3)); +- roce_set_field(mpt_entry->byte_48_mode_ba, V2_MPT_BYTE_48_PBL_BA_H_M, +- V2_MPT_BYTE_48_PBL_BA_H_S, +- upper_32_bits(mr->pbl_ba >> 3)); +- mpt_entry->byte_48_mode_ba = cpu_to_le32(mpt_entry->byte_48_mode_ba); +- +- pages = (u64 *)__get_free_page(GFP_KERNEL); +- if (!pages) +- return -ENOMEM; +- +- i = 0; +- for_each_sg(mr->umem->sg_head.sgl, sg, mr->umem->nmap, entry) { +- len = sg_dma_len(sg) >> PAGE_SHIFT; +- for (j = 0; j < len; ++j) { +- page_addr = sg_dma_address(sg) + +- (j << mr->umem->page_shift); +- pages[i] = page_addr >> 6; +- +- /* Record the first 2 entry directly to MTPT table */ +- if (i >= HNS_ROCE_V2_MAX_INNER_MTPT_NUM - 1) +- goto found; +- i++; +- } +- } ++ ret = set_mtpt_pbl(mpt_entry, mr); + +-found: +- mpt_entry->pa0_l = cpu_to_le32(lower_32_bits(pages[0])); +- roce_set_field(mpt_entry->byte_56_pa0_h, V2_MPT_BYTE_56_PA0_H_M, +- V2_MPT_BYTE_56_PA0_H_S, +- upper_32_bits(pages[0])); +- mpt_entry->byte_56_pa0_h = cpu_to_le32(mpt_entry->byte_56_pa0_h); +- +- mpt_entry->pa1_l = cpu_to_le32(lower_32_bits(pages[1])); +- roce_set_field(mpt_entry->byte_64_buf_pa1, V2_MPT_BYTE_64_PA1_H_M, +- V2_MPT_BYTE_64_PA1_H_S, upper_32_bits(pages[1])); +- +- free_page((unsigned long)pages); +- +- roce_set_field(mpt_entry->byte_64_buf_pa1, +- 
V2_MPT_BYTE_64_PBL_BUF_PG_SZ_M, +- V2_MPT_BYTE_64_PBL_BUF_PG_SZ_S, +- mr->pbl_buf_pg_sz + PG_SHIFT_OFFSET); +- mpt_entry->byte_64_buf_pa1 = cpu_to_le32(mpt_entry->byte_64_buf_pa1); +- +- return 0; ++ return ret; + } + + static int hns_roce_v2_rereg_write_mtpt(struct hns_roce_dev *hr_dev, +@@ -1772,6 +1771,7 @@ static int hns_roce_v2_rereg_write_mtpt(struct hns_roce_dev *hr_dev, + u64 size, void *mb_buf) + { + struct hns_roce_v2_mpt_entry *mpt_entry = mb_buf; ++ int ret = 0; + + if (flags & IB_MR_REREG_PD) { + roce_set_field(mpt_entry->byte_4_pd_hop_st, V2_MPT_BYTE_4_PD_M, +@@ -1784,14 +1784,14 @@ static int hns_roce_v2_rereg_write_mtpt(struct hns_roce_dev *hr_dev, + V2_MPT_BYTE_8_BIND_EN_S, + (mr_access_flags & IB_ACCESS_MW_BIND ? 1 : 0)); + roce_set_bit(mpt_entry->byte_8_mw_cnt_en, +- V2_MPT_BYTE_8_ATOMIC_EN_S, +- (mr_access_flags & IB_ACCESS_REMOTE_ATOMIC ? 1 : 0)); ++ V2_MPT_BYTE_8_ATOMIC_EN_S, ++ mr_access_flags & IB_ACCESS_REMOTE_ATOMIC ? 1 : 0); + roce_set_bit(mpt_entry->byte_8_mw_cnt_en, V2_MPT_BYTE_8_RR_EN_S, +- (mr_access_flags & IB_ACCESS_REMOTE_READ ? 1 : 0)); ++ mr_access_flags & IB_ACCESS_REMOTE_READ ? 1 : 0); + roce_set_bit(mpt_entry->byte_8_mw_cnt_en, V2_MPT_BYTE_8_RW_EN_S, +- (mr_access_flags & IB_ACCESS_REMOTE_WRITE ? 1 : 0)); ++ mr_access_flags & IB_ACCESS_REMOTE_WRITE ? 1 : 0); + roce_set_bit(mpt_entry->byte_8_mw_cnt_en, V2_MPT_BYTE_8_LW_EN_S, +- (mr_access_flags & IB_ACCESS_LOCAL_WRITE ? 1 : 0)); ++ mr_access_flags & IB_ACCESS_LOCAL_WRITE ? 
1 : 0); + } + + if (flags & IB_MR_REREG_TRANS) { +@@ -1800,21 +1800,13 @@ static int hns_roce_v2_rereg_write_mtpt(struct hns_roce_dev *hr_dev, + mpt_entry->len_l = cpu_to_le32(lower_32_bits(size)); + mpt_entry->len_h = cpu_to_le32(upper_32_bits(size)); + +- mpt_entry->pbl_size = cpu_to_le32(mr->pbl_size); +- mpt_entry->pbl_ba_l = +- cpu_to_le32(lower_32_bits(mr->pbl_ba >> 3)); +- roce_set_field(mpt_entry->byte_48_mode_ba, +- V2_MPT_BYTE_48_PBL_BA_H_M, +- V2_MPT_BYTE_48_PBL_BA_H_S, +- upper_32_bits(mr->pbl_ba >> 3)); +- mpt_entry->byte_48_mode_ba = +- cpu_to_le32(mpt_entry->byte_48_mode_ba); +- + mr->iova = iova; + mr->size = size; ++ ++ ret = set_mtpt_pbl(mpt_entry, mr); + } + +- return 0; ++ return ret; + } + + static void *get_cqe_v2(struct hns_roce_cq *hr_cq, int n) +-- +2.19.1 + diff --git a/queue-4.19/rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch b/queue-4.19/rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch new file mode 100644 index 00000000000..4a0cadfed78 --- /dev/null +++ b/queue-4.19/rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch 
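Review bot: set_mtpt_pbl() reads `pages[0]` and `pages[1]` after the loop, but the page comes from `__get_free_page(GFP_KERNEL)` and is not zeroed, so when the umem maps fewer than two pages the unwritten slot holds stale allocator contents that are then programmed into `pa1_l`/`byte_64_buf_pa1` (or the `pa0` fields for an empty list). Allocating with `pages = (u64 *)get_zeroed_page(GFP_KERNEL);` fixes that; a zero-initialised two-entry array on the stack would also avoid a page allocation for two values. The inner loop bound uses `PAGE_SHIFT` while the address step uses `mr->umem->page_shift`; if the two can differ, the bound is wrong. In hns_roce_v2_rereg_write_mtpt() the helper now runs for every `IB_MR_REREG_TRANS`, whereas hns_roce_v2_write_mtpt() returns before it for `MR_TYPE_DMA`; whether a DMA MR without a umem can reach the rereg path is outside the hunk and worth checking.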
@@ -0,0 +1,67 @@ +From 603fc6390c5c85ffd1eddab1d8c812e4b2a76471 Mon Sep 17 00:00:00 2001 +From: Majd Dibbiny +Date: Mon, 5 Nov 2018 08:07:37 +0200 +Subject: RDMA/mlx5: Fix fence type for IB_WR_LOCAL_INV WR + +[ Upstream commit 074fca3a18e7e1e0d4d7dcc9d7badc43b90232f4 ] + +Currently, for IB_WR_LOCAL_INV WR, when the next fence is None, the +current fence will be SMALL instead of Normal Fence. + +Without this patch krping doesn't work on CX-5 devices and throws +following error: + +The error messages are from CX5 driver are: (from server side) +[ 710.434014] mlx5_0:dump_cqe:278:(pid 2712): dump error cqe +[ 710.434016] 00000000 00000000 00000000 00000000 +[ 710.434016] 00000000 00000000 00000000 00000000 +[ 710.434017] 00000000 00000000 00000000 00000000 +[ 710.434018] 00000000 93003204 100000b8 000524d2 +[ 710.434019] krping: cq completion failed with wr_id 0 status 4 opcode 128 vender_err 32 + +Fixed the logic to set the correct fence type. + +Fixes: 6e8484c5cf07 ("RDMA/mlx5: set UMR wqe fence according to HCA cap") +Signed-off-by: Majd Dibbiny +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/qp.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c +index d53d954ac8af..183fe5c8ceb7 100644 +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -4413,17 +4413,18 @@ static int _mlx5_ib_post_send(struct ib_qp *ibqp, const struct ib_send_wr *wr, + goto out; + } + +- if (wr->opcode == IB_WR_LOCAL_INV || +- wr->opcode == IB_WR_REG_MR) { ++ if (wr->opcode == IB_WR_REG_MR) { + fence = dev->umr_fence; + next_fence = MLX5_FENCE_MODE_INITIATOR_SMALL; +- } else if (wr->send_flags & IB_SEND_FENCE) { +- if (qp->next_fence) +- fence = MLX5_FENCE_MODE_SMALL_AND_FENCE; +- else +- fence = MLX5_FENCE_MODE_FENCE; +- } else { +- fence = qp->next_fence; ++ } else { ++ if 
(wr->send_flags & IB_SEND_FENCE) { ++ if (qp->next_fence) ++ fence = MLX5_FENCE_MODE_SMALL_AND_FENCE; ++ else ++ fence = MLX5_FENCE_MODE_FENCE; ++ } else { ++ fence = qp->next_fence; ++ } + } + + switch (ibqp->qp_type) { +-- +2.19.1 + diff --git a/queue-4.19/rdma-rdmavt-fix-rvt_create_ah-function-signature.patch b/queue-4.19/rdma-rdmavt-fix-rvt_create_ah-function-signature.patch new file mode 100644 index 00000000000..cf156e775d3 --- /dev/null +++ b/queue-4.19/rdma-rdmavt-fix-rvt_create_ah-function-signature.patch 
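Review bot: The rewritten fence selection in `_mlx5_ib_post_send()` wraps the `IB_SEND_FENCE` test in a bare `else { ... }`, which is the same control flow as the old `else if` chain with only the `wr->opcode == IB_WR_LOCAL_INV ||` term removed. Keeping `} else if (wr->send_flags & IB_SEND_FENCE) {` and changing just the first condition to `if (wr->opcode == IB_WR_REG_MR) {` would shrink the 19-line change to one line and make the backport easier to audit. On this path IB_WR_LOCAL_INV also no longer gets `next_fence = MLX5_FENCE_MODE_INITIATOR_SMALL`. Whether that is intended or set elsewhere cannot be seen from the hunk, since the function continues outside it, so a short comment above the branch stating which fence a local-invalidate WR is expected to use would help.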
@@ -0,0 +1,63 @@ +From 2a8d625b5a663d4749ef34030dffd6dea2deeb39 Mon Sep 17 00:00:00 2001 +From: Kamal Heib +Date: Thu, 15 Nov 2018 09:49:38 -0800 +Subject: RDMA/rdmavt: Fix rvt_create_ah function signature + +[ Upstream commit 4f32fb921b153ae9ea280e02a3e91509fffc03d3 ] + +rdmavt uses a crazy system that looses the type checking when assinging +functions to struct ib_device function pointers. Because of this the +signature to this function was not changed when the below commit revised +things. + +Fix the signature so we are not calling a function pointer with a +mismatched signature. + +Fixes: 477864c8fcd9 ("IB/core: Let create_ah return extended response to user") +Signed-off-by: Kamal Heib +Reviewed-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rdmavt/ah.c | 4 +++- + drivers/infiniband/sw/rdmavt/ah.h | 3 ++- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/sw/rdmavt/ah.c b/drivers/infiniband/sw/rdmavt/ah.c +index 89ec0f64abfc..084bb4baebb5 100644 +--- a/drivers/infiniband/sw/rdmavt/ah.c ++++ b/drivers/infiniband/sw/rdmavt/ah.c +@@ -91,13 +91,15 @@ EXPORT_SYMBOL(rvt_check_ah); + * rvt_create_ah - create an address handle + * @pd: the protection domain + * @ah_attr: the attributes of the AH ++ * @udata: pointer to user's input output buffer information. + * + * This may be called from interrupt context. 
+ * + * Return: newly allocated ah + */ + struct ib_ah *rvt_create_ah(struct ib_pd *pd, +- struct rdma_ah_attr *ah_attr) ++ struct rdma_ah_attr *ah_attr, ++ struct ib_udata *udata) + { + struct rvt_ah *ah; + struct rvt_dev_info *dev = ib_to_rvt(pd->device); +diff --git a/drivers/infiniband/sw/rdmavt/ah.h b/drivers/infiniband/sw/rdmavt/ah.h +index 16105af99189..25271b48a683 100644 +--- a/drivers/infiniband/sw/rdmavt/ah.h ++++ b/drivers/infiniband/sw/rdmavt/ah.h +@@ -51,7 +51,8 @@ + #include + + struct ib_ah *rvt_create_ah(struct ib_pd *pd, +- struct rdma_ah_attr *ah_attr); ++ struct rdma_ah_attr *ah_attr, ++ struct ib_udata *udata); + int rvt_destroy_ah(struct ib_ah *ibah); + int rvt_modify_ah(struct ib_ah *ibah, struct rdma_ah_attr *ah_attr); + int rvt_query_ah(struct ib_ah *ibah, struct rdma_ah_attr *ah_attr); +-- +2.19.1 + diff --git a/queue-4.19/revert-xen-balloon-mark-unallocated-host-memory-as-u.patch b/queue-4.19/revert-xen-balloon-mark-unallocated-host-memory-as-u.patch new file mode 100644 index 00000000000..5e6553da593 --- /dev/null +++ b/queue-4.19/revert-xen-balloon-mark-unallocated-host-memory-as-u.patch 
@@ -0,0 +1,266 @@ +From f25bbc0b688e702d614d129b205313e00b1ff1f5 Mon Sep 17 00:00:00 2001 +From: Igor Druzhinin +Date: Tue, 27 Nov 2018 20:58:21 +0000 +Subject: Revert "xen/balloon: Mark unallocated host memory as UNUSABLE" + +[ Upstream commit 123664101aa2156d05251704fc63f9bcbf77741a ] + +This reverts commit b3cf8528bb21febb650a7ecbf080d0647be40b9f. + +That commit unintentionally broke Xen balloon memory hotplug with +"hotplug_unpopulated" set to 1. As long as "System RAM" resource +got assigned under a new "Unusable memory" resource in IO/Mem tree +any attempt to online this memory would fail due to general kernel +restrictions on having "System RAM" resources as 1st level only. + +The original issue that commit has tried to workaround fa564ad96366 +("x86/PCI: Enable a 64bit BAR on AMD Family 15h (Models 00-1f, 30-3f, +60-7f)") also got amended by the following 03a551734 ("x86/PCI: Move +and shrink AMD 64-bit window to avoid conflict") which made the +original fix to Xen ballooning unnecessary. 
+ +Signed-off-by: Igor Druzhinin +Reviewed-by: Boris Ostrovsky +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/xen/enlighten.c | 78 ---------------------------------------- + arch/x86/xen/setup.c | 6 ++-- + drivers/xen/balloon.c | 65 +++++---------------------------- + include/xen/balloon.h | 5 --- + 4 files changed, 13 insertions(+), 141 deletions(-) + +diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c +index 2eeddd814653..c6c7c9b7b5c1 100644 +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -7,7 +7,6 @@ + + #include + #include +-#include + + #include + #include +@@ -343,80 +342,3 @@ void xen_arch_unregister_cpu(int num) + } + EXPORT_SYMBOL(xen_arch_unregister_cpu); + #endif +- +-#ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG +-void __init arch_xen_balloon_init(struct resource *hostmem_resource) +-{ +- struct xen_memory_map memmap; +- int rc; +- unsigned int i, last_guest_ram; +- phys_addr_t max_addr = PFN_PHYS(max_pfn); +- struct e820_table *xen_e820_table; +- const struct e820_entry *entry; +- struct resource *res; +- +- if (!xen_initial_domain()) +- return; +- +- xen_e820_table = kmalloc(sizeof(*xen_e820_table), GFP_KERNEL); +- if (!xen_e820_table) +- return; +- +- memmap.nr_entries = ARRAY_SIZE(xen_e820_table->entries); +- set_xen_guest_handle(memmap.buffer, xen_e820_table->entries); +- rc = HYPERVISOR_memory_op(XENMEM_machine_memory_map, &memmap); +- if (rc) { +- pr_warn("%s: Can't read host e820 (%d)\n", __func__, rc); +- goto out; +- } +- +- last_guest_ram = 0; +- for (i = 0; i < memmap.nr_entries; i++) { +- if (xen_e820_table->entries[i].addr >= max_addr) +- break; +- if (xen_e820_table->entries[i].type == E820_TYPE_RAM) +- last_guest_ram = i; +- } +- +- entry = &xen_e820_table->entries[last_guest_ram]; +- if (max_addr >= entry->addr + entry->size) +- goto out; /* No unallocated host RAM. 
*/ +- +- hostmem_resource->start = max_addr; +- hostmem_resource->end = entry->addr + entry->size; +- +- /* +- * Mark non-RAM regions between the end of dom0 RAM and end of host RAM +- * as unavailable. The rest of that region can be used for hotplug-based +- * ballooning. +- */ +- for (; i < memmap.nr_entries; i++) { +- entry = &xen_e820_table->entries[i]; +- +- if (entry->type == E820_TYPE_RAM) +- continue; +- +- if (entry->addr >= hostmem_resource->end) +- break; +- +- res = kzalloc(sizeof(*res), GFP_KERNEL); +- if (!res) +- goto out; +- +- res->name = "Unavailable host RAM"; +- res->start = entry->addr; +- res->end = (entry->addr + entry->size < hostmem_resource->end) ? +- entry->addr + entry->size : hostmem_resource->end; +- rc = insert_resource(hostmem_resource, res); +- if (rc) { +- pr_warn("%s: Can't insert [%llx - %llx) (%d)\n", +- __func__, res->start, res->end, rc); +- kfree(res); +- goto out; +- } +- } +- +- out: +- kfree(xen_e820_table); +-} +-#endif /* CONFIG_XEN_BALLOON_MEMORY_HOTPLUG */ +diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c +index 1163e33121fb..075ed47993bb 100644 +--- a/arch/x86/xen/setup.c ++++ b/arch/x86/xen/setup.c +@@ -808,6 +808,7 @@ char * __init xen_memory_setup(void) + addr = xen_e820_table.entries[0].addr; + size = xen_e820_table.entries[0].size; + while (i < xen_e820_table.nr_entries) { ++ bool discard = false; + + chunk_size = size; + type = xen_e820_table.entries[i].type; +@@ -823,10 +824,11 @@ char * __init xen_memory_setup(void) + xen_add_extra_mem(pfn_s, n_pfns); + xen_max_p2m_pfn = pfn_s + n_pfns; + } else +- type = E820_TYPE_UNUSABLE; ++ discard = true; + } + +- xen_align_and_add_e820_region(addr, chunk_size, type); ++ if (!discard) ++ xen_align_and_add_e820_region(addr, chunk_size, type); + + addr += chunk_size; + size -= chunk_size; +diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c +index e12bb256036f..7ab6caef599c 100644 +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -251,25 +251,10 
@@ static void release_memory_resource(struct resource *resource) + kfree(resource); + } + +-/* +- * Host memory not allocated to dom0. We can use this range for hotplug-based +- * ballooning. +- * +- * It's a type-less resource. Setting IORESOURCE_MEM will make resource +- * management algorithms (arch_remove_reservations()) look into guest e820, +- * which we don't want. +- */ +-static struct resource hostmem_resource = { +- .name = "Host RAM", +-}; +- +-void __attribute__((weak)) __init arch_xen_balloon_init(struct resource *res) +-{} +- + static struct resource *additional_memory_resource(phys_addr_t size) + { +- struct resource *res, *res_hostmem; +- int ret = -ENOMEM; ++ struct resource *res; ++ int ret; + + res = kzalloc(sizeof(*res), GFP_KERNEL); + if (!res) +@@ -278,42 +263,13 @@ static struct resource *additional_memory_resource(phys_addr_t size) + res->name = "System RAM"; + res->flags = IORESOURCE_SYSTEM_RAM | IORESOURCE_BUSY; + +- res_hostmem = kzalloc(sizeof(*res), GFP_KERNEL); +- if (res_hostmem) { +- /* Try to grab a range from hostmem */ +- res_hostmem->name = "Host memory"; +- ret = allocate_resource(&hostmem_resource, res_hostmem, +- size, 0, -1, +- PAGES_PER_SECTION * PAGE_SIZE, NULL, NULL); +- } +- +- if (!ret) { +- /* +- * Insert this resource into iomem. Because hostmem_resource +- * tracks portion of guest e820 marked as UNUSABLE noone else +- * should try to use it. 
+- */ +- res->start = res_hostmem->start; +- res->end = res_hostmem->end; +- ret = insert_resource(&iomem_resource, res); +- if (ret < 0) { +- pr_err("Can't insert iomem_resource [%llx - %llx]\n", +- res->start, res->end); +- release_memory_resource(res_hostmem); +- res_hostmem = NULL; +- res->start = res->end = 0; +- } +- } +- +- if (ret) { +- ret = allocate_resource(&iomem_resource, res, +- size, 0, -1, +- PAGES_PER_SECTION * PAGE_SIZE, NULL, NULL); +- if (ret < 0) { +- pr_err("Cannot allocate new System RAM resource\n"); +- kfree(res); +- return NULL; +- } ++ ret = allocate_resource(&iomem_resource, res, ++ size, 0, -1, ++ PAGES_PER_SECTION * PAGE_SIZE, NULL, NULL); ++ if (ret < 0) { ++ pr_err("Cannot allocate new System RAM resource\n"); ++ kfree(res); ++ return NULL; + } + + #ifdef CONFIG_SPARSEMEM +@@ -325,7 +281,6 @@ static struct resource *additional_memory_resource(phys_addr_t size) + pr_err("New System RAM resource outside addressable RAM (%lu > %lu)\n", + pfn, limit); + release_memory_resource(res); +- release_memory_resource(res_hostmem); + return NULL; + } + } +@@ -747,8 +702,6 @@ static int __init balloon_init(void) + set_online_page_callback(&xen_online_page); + register_memory_notifier(&xen_memory_nb); + register_sysctl_table(xen_root); +- +- arch_xen_balloon_init(&hostmem_resource); + #endif + + #ifdef CONFIG_XEN_PV +diff --git a/include/xen/balloon.h b/include/xen/balloon.h +index 61f410fd74e4..4914b93a23f2 100644 +--- a/include/xen/balloon.h ++++ b/include/xen/balloon.h +@@ -44,8 +44,3 @@ static inline void xen_balloon_init(void) + { + } + #endif +- +-#ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG +-struct resource; +-void arch_xen_balloon_init(struct resource *hostmem_resource); +-#endif +-- +2.19.1 + diff --git a/queue-4.19/s390-cio-fix-cleanup-of-pfn_array-alloc-failure.patch b/queue-4.19/s390-cio-fix-cleanup-of-pfn_array-alloc-failure.patch new file mode 100644 index 00000000000..7bb1b3cd1a1 --- /dev/null 
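Review bot: In the `xen_memory_setup()` part of this revert, `discard = true;` hangs off an unbraced `else` whose sibling branch is braced, and nothing at the assignment or at `if (!discard)` says why the chunk is left out of the map instead of being added with another type. Kernel style asks for braces on both arms here, i.e. `} else {` / `discard = true;` / `}`. A one-line comment at `bool discard = false;` stating which regions end up discarded would save the next reader from reconstructing it; the conditions leading to that branch are outside the hunk, so the wording has to come from someone who can see the whole loop.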
+++ b/queue-4.19/s390-cio-fix-cleanup-of-pfn_array-alloc-failure.patch
@@ -0,0 +1,35 @@
+From 584b9b67c3db2be97d65d4e6731333c4d7e80774 Mon Sep 17 00:00:00 2001
+From: Eric Farman
+Date: Fri, 9 Nov 2018 03:39:28 +0100
+Subject: s390/cio: Fix cleanup of pfn_array alloc failure
+
+[ Upstream commit 806212f91c874b24cf9eb4a9f180323671b6c5ed ]
+
+If pfn_array_alloc fails somehow, we need to release the pfn_array_table
+that was malloc'd earlier.
+
+Signed-off-by: Eric Farman
+Message-Id: <20181109023937.96105-2-farman@linux.ibm.com>
+Acked-by: Halil Pasic
+Signed-off-by: Cornelia Huck
+Signed-off-by: Sasha Levin
+---
+ drivers/s390/cio/vfio_ccw_cp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/s390/cio/vfio_ccw_cp.c b/drivers/s390/cio/vfio_ccw_cp.c
+index fd77e46eb3b2..ef5ab45d94b3 100644
+--- a/drivers/s390/cio/vfio_ccw_cp.c
++++ b/drivers/s390/cio/vfio_ccw_cp.c
+@@ -528,7 +528,7 @@ static int ccwchain_fetch_direct(struct ccwchain *chain,
+
+ ret = pfn_array_alloc_pin(pat->pat_pa, cp->mdev, ccw->cda, ccw->count);
+ if (ret < 0)
+- goto out_init;
++ goto out_unpin;
+
+ /* Translate this direct ccw to a idal ccw. */
+ idaws = kcalloc(ret, sizeof(*idaws), GFP_DMA | GFP_KERNEL);
+--
+2.19.1
+
diff --git a/queue-4.19/s390-cio-fix-cleanup-when-unsupported-ida-format-is-.patch b/queue-4.19/s390-cio-fix-cleanup-when-unsupported-ida-format-is-.patch
new file mode 100644
index 00000000000..0118b83ef9e
--- /dev/null
+++ b/queue-4.19/s390-cio-fix-cleanup-when-unsupported-ida-format-is-.patch
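Review bot: Jumping to `out_unpin` right after `pfn_array_alloc_pin()` has failed in `ccwchain_fetch_direct()` hands the unpin/free path a pfn_array that was never successfully pinned. That label and the helper it calls are outside this hunk, so it is worth confirming they tolerate a partially initialised entry and cannot unpin or free the same pages twice. If that holds, a comment at the jump such as `/* pat was allocated above; out_unpin releases it even though pinning failed */` would record why the stronger cleanup label is the right one.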
@@ -0,0 +1,40 @@
+From 20b63fa594c0c294aa8c75d535a3d76ddc717516 Mon Sep 17 00:00:00 2001
+From: Eric Farman
+Date: Fri, 9 Nov 2018 03:39:29 +0100
+Subject: s390/cio: Fix cleanup when unsupported IDA format is used
+
+[ Upstream commit b89e242eee8d4cd8261d8d821c62c5d1efc454d0 ]
+
+Direct returns from within a loop are rude, but it doesn't mean it gets
+to avoid releasing the memory acquired beforehand.
+
+Signed-off-by: Eric Farman
+Message-Id: <20181109023937.96105-3-farman@linux.ibm.com>
+Reviewed-by: Farhan Ali
+Reviewed-by: Pierre Morel
+Acked-by: Halil Pasic
+Signed-off-by: Cornelia Huck
+Signed-off-by: Sasha Levin
+---
+ drivers/s390/cio/vfio_ccw_cp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/s390/cio/vfio_ccw_cp.c b/drivers/s390/cio/vfio_ccw_cp.c
+index ef5ab45d94b3..70a006ba4d05 100644
+--- a/drivers/s390/cio/vfio_ccw_cp.c
++++ b/drivers/s390/cio/vfio_ccw_cp.c
+@@ -387,8 +387,10 @@ static int ccwchain_calc_length(u64 iova, struct channel_program *cp)
+ * orb specified one of the unsupported formats, we defer
+ * checking for IDAWs in unsupported formats to here.
+ */
+- if ((!cp->orb.cmd.c64 || cp->orb.cmd.i2k) && ccw_is_idal(ccw))
++ if ((!cp->orb.cmd.c64 || cp->orb.cmd.i2k) && ccw_is_idal(ccw)) {
++ kfree(p);
+ return -EOPNOTSUPP;
++ }
+
+ if ((!ccw_is_chain(ccw)) && (!ccw_is_tic(ccw)))
+ break;
+--
+2.19.1
+
diff --git a/queue-4.19/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch b/queue-4.19/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch
new file mode 100644
index 00000000000..8f2cbf59c43
--- /dev/null
+++ b/queue-4.19/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch
@@ -0,0 +1,113 @@ +From 43a60b563cb5dfd699a691ca94d60cb133e3c5e0 Mon Sep 17 00:00:00 2001 +From: Thomas Richter +Date: Tue, 13 Nov 2018 15:38:22 +0000 +Subject: s390/cpum_cf: Reject request for sampling in event initialization + +[ Upstream commit 613a41b0d16e617f46776a93b975a1eeea96417c ] + +On s390 command perf top fails +[root@s35lp76 perf] # ./perf top -F100000 --stdio + Error: + cycles: PMU Hardware doesn't support sampling/overflow-interrupts. + Try 'perf stat' +[root@s35lp76 perf] # + +Using event -e rb0000 works as designed. Event rb0000 is the event +number of the sampling facility for basic sampling. + +During system start up the following PMUs are installed in the kernel's +PMU list (from head to tail): + cpum_cf --> s390 PMU counter facility device driver + cpum_sf --> s390 PMU sampling facility device driver + uprobe + kprobe + tracepoint + task_clock + cpu_clock + +Perf top executes following functions and calls perf_event_open(2) system +call with different parameters many times: + +cmd_top +--> __cmd_top + --> perf_evlist__add_default + --> __perf_evlist__add_default + --> perf_evlist__new_cycles (creates event type:0 (HW) + config 0 (CPU_CYCLES) + --> perf_event_attr__set_max_precise_ip + Uses perf_event_open(2) to detect correct + precise_ip level. Fails 3 times on s390 which is ok. + +Then functions cmd_top +--> __cmd_top + --> perf_top__start_counters + -->perf_evlist__config + --> perf_can_comm_exec + --> perf_probe_api + This functions test support for the following events: + "cycles:u", "instructions:u", "cpu-clock:u" using + --> perf_do_probe_api + --> perf_event_open_cloexec + Test the close on exec flag support with + perf_event_open(2). + perf_do_probe_api returns true if the event is + supported. + The function returns true because event cpu-clock is + supported by the PMU cpu_clock. + This is achieved by many calls to perf_event_open(2). 
+ +Function perf_top__start_counters now calls perf_evsel__open() for every +event, which is the default event cpu_cycles (config:0) and type HARDWARE +(type:0) which a predfined frequence of 4000. + +Given the above order of the PMU list, the PMU cpum_cf gets called first +and returns 0, which indicates support for this sampling. The event is +fully allocated in the function perf_event_open (file kernel/event/core.c +near line 10521 and the following check fails: + + event = perf_event_alloc(&attr, cpu, task, group_leader, NULL, + NULL, NULL, cgroup_fd); + if (IS_ERR(event)) { + err = PTR_ERR(event); + goto err_cred; + } + + if (is_sampling_event(event)) { + if (event->pmu->capabilities & PERF_PMU_CAP_NO_INTERRUPT) { + err = -EOPNOTSUPP; + goto err_alloc; + } + } + +The check for the interrupt capabilities fails and the system call +perf_event_open() returns -EOPNOTSUPP (-95). + +Add a check to return -ENODEV when sampling is requested in PMU cpum_cf. +This allows common kernel code in the perf_event_open() system call to +test the next PMU in above list. + +Fixes: 97b1198fece0 (" "s390, perf: Use common PMU interrupt disabled code") +Signed-off-by: Thomas Richter +Reviewed-by: Hendrik Brueckner +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/perf_cpum_cf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/s390/kernel/perf_cpum_cf.c b/arch/s390/kernel/perf_cpum_cf.c +index 74091fd3101e..d5523adeddbf 100644 +--- a/arch/s390/kernel/perf_cpum_cf.c ++++ b/arch/s390/kernel/perf_cpum_cf.c +@@ -346,6 +346,8 @@ static int __hw_perf_event_init(struct perf_event *event) + break; + + case PERF_TYPE_HARDWARE: ++ if (is_sampling_event(event)) /* No sampling support */ ++ return -ENOENT; + ev = attr->config; + /* Count user space (problem-state) only */ + if (!attr->exclude_user && attr->exclude_kernel) { +-- +2.19.1 + 
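Review bot: The commit message says the new check returns -ENODEV, but the code added to `__hw_perf_event_init()` returns `-ENOENT` for a sampling `PERF_TYPE_HARDWARE` event, so the record and the code disagree. Given the stated goal of letting `perf_event_open()` try the next PMU, -ENOENT is presumably the intended value, though the core dispatch that interprets it is not visible in this hunk. The inline comment could carry that reason instead of only restating the condition, e.g. `/* No sampling support: -ENOENT lets the core try the next PMU */`. Only the `PERF_TYPE_HARDWARE` case gets the check here; the other cases of the switch are outside the hunk and may need the same look.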
diff --git a/queue-4.19/selftests-add-script-to-stress-test-nft-packet-path-.patch b/queue-4.19/selftests-add-script-to-stress-test-nft-packet-path-.patch new file mode 100644 index 00000000000..7f8402ae3fb --- /dev/null +++ b/queue-4.19/selftests-add-script-to-stress-test-nft-packet-path-.patch 
@@ -0,0 +1,150 @@ +From ba327f91f72b18437f0978cf06bc21b57085f95b Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Wed, 31 Oct 2018 18:26:21 +0100 +Subject: selftests: add script to stress-test nft packet path vs. control + plane + +[ Upstream commit 25d8bcedbf4329895dbaf9dd67baa6f18dad918c ] + +Start flood ping for each cpu while loading/flushing rulesets to make +sure we do not access already-free'd rules from nf_tables evaluation loop. + +Also add this to TARGETS so 'make run_tests' in selftest dir runs it +automatically. + +This would have caught the bug fixed in previous change +("netfilter: nf_tables: do not skip inactive chains during generation update") +sooner. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/Makefile | 1 + + tools/testing/selftests/netfilter/Makefile | 6 ++ + tools/testing/selftests/netfilter/config | 2 + + .../selftests/netfilter/nft_trans_stress.sh | 78 +++++++++++++++++++ + 4 files changed, 87 insertions(+) + create mode 100644 tools/testing/selftests/netfilter/Makefile + create mode 100644 tools/testing/selftests/netfilter/config + create mode 100755 tools/testing/selftests/netfilter/nft_trans_stress.sh + +diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile +index f1fe492c8e17..f0017c831e57 100644 +--- a/tools/testing/selftests/Makefile ++++ b/tools/testing/selftests/Makefile +@@ -24,6 +24,7 @@ TARGETS += memory-hotplug + TARGETS += mount + TARGETS += mqueue + TARGETS += net ++TARGETS += netfilter + TARGETS += nsfs + TARGETS += powerpc + TARGETS += proc +diff --git a/tools/testing/selftests/netfilter/Makefile b/tools/testing/selftests/netfilter/Makefile +new file mode 100644 +index 000000000000..47ed6cef93fb +--- /dev/null ++++ b/tools/testing/selftests/netfilter/Makefile +@@ -0,0 +1,6 @@ ++# SPDX-License-Identifier: GPL-2.0 ++# Makefile for netfilter selftests ++ ++TEST_PROGS := nft_trans_stress.sh ++ ++include ../lib.mk 
+diff --git a/tools/testing/selftests/netfilter/config b/tools/testing/selftests/netfilter/config +new file mode 100644 +index 000000000000..1017313e41a8 +--- /dev/null ++++ b/tools/testing/selftests/netfilter/config +@@ -0,0 +1,2 @@ ++CONFIG_NET_NS=y ++NF_TABLES_INET=y +diff --git a/tools/testing/selftests/netfilter/nft_trans_stress.sh b/tools/testing/selftests/netfilter/nft_trans_stress.sh +new file mode 100755 +index 000000000000..f1affd12c4b1 +--- /dev/null ++++ b/tools/testing/selftests/netfilter/nft_trans_stress.sh +@@ -0,0 +1,78 @@ ++#!/bin/bash ++# ++# This test is for stress-testing the nf_tables config plane path vs. ++# packet path processing: Make sure we never release rules that are ++# still visible to other cpus. ++# ++# set -e ++ ++# Kselftest framework requirement - SKIP code is 4. ++ksft_skip=4 ++ ++testns=testns1 ++tables="foo bar baz quux" ++ ++nft --version > /dev/null 2>&1 ++if [ $? -ne 0 ];then ++ echo "SKIP: Could not run test without nft tool" ++ exit $ksft_skip ++fi ++ ++ip -Version > /dev/null 2>&1 ++if [ $? 
-ne 0 ];then ++ echo "SKIP: Could not run test without ip tool" ++ exit $ksft_skip ++fi ++ ++tmp=$(mktemp) ++ ++for table in $tables; do ++ echo add table inet "$table" >> "$tmp" ++ echo flush table inet "$table" >> "$tmp" ++ ++ echo "add chain inet $table INPUT { type filter hook input priority 0; }" >> "$tmp" ++ echo "add chain inet $table OUTPUT { type filter hook output priority 0; }" >> "$tmp" ++ for c in $(seq 1 400); do ++ chain=$(printf "chain%03u" "$c") ++ echo "add chain inet $table $chain" >> "$tmp" ++ done ++ ++ for c in $(seq 1 400); do ++ chain=$(printf "chain%03u" "$c") ++ for BASE in INPUT OUTPUT; do ++ echo "add rule inet $table $BASE counter jump $chain" >> "$tmp" ++ done ++ echo "add rule inet $table $chain counter return" >> "$tmp" ++ done ++done ++ ++ip netns add "$testns" ++ip -netns "$testns" link set lo up ++ ++lscpu | grep ^CPU\(s\): | ( read cpu cpunum ; ++cpunum=$((cpunum-1)) ++for i in $(seq 0 $cpunum);do ++ mask=$(printf 0x%x $((1<<$i))) ++ ip netns exec "$testns" taskset $mask ping -4 127.0.0.1 -fq > /dev/null & ++ ip netns exec "$testns" taskset $mask ping -6 ::1 -fq > /dev/null & ++done) ++ ++sleep 1 ++ ++for i in $(seq 1 10) ; do ip netns exec "$testns" nft -f "$tmp" & done ++ ++for table in $tables;do ++ randsleep=$((RANDOM%10)) ++ sleep $randsleep ++ ip netns exec "$testns" nft delete table inet $table 2>/dev/null ++done ++ ++randsleep=$((RANDOM%10)) ++sleep $randsleep ++ ++pkill -9 ping ++ ++wait ++ ++rm -f "$tmp" ++ip netns del "$testns" +-- +2.19.1 + diff --git a/queue-4.19/series b/queue-4.19/series index a7358cf3256..ad6d624cd20 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
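Review bot: `pkill -9 ping` near the end of nft_trans_stress.sh kills every ping process on the host, not only the flood pings this test started inside `$testns`, and selftests normally run as root, so unrelated processes can be taken down. Limiting the kill to the namespace, e.g. `kill -9 $(ip netns pids "$testns") 2>/dev/null`, keeps the effect confined to what the test created. The script also has no `trap` to remove `$tmp` and the namespace when it is interrupted, and the new `config` fragment lists `NF_TABLES_INET=y` without the `CONFIG_` prefix used on the line above it.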
@@ -19,3 +19,114 @@ net-phy-sfp-correct-store-of-detected-link-modes.patch sctp-update-frag_point-when-stream_interleave-is-set.patch net-restore-call-to-netdev_queue_numa_node_write-when-resetting-xps.patch net-fix-xps-static_key-accounting.patch +arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch +asoc-rsnd-fixup-clock-start-checker.patch +asoc-qdsp6-q6afe-fix-wrong-mi2s-sd-line-mask.patch +asoc-qdsp6-q6afe-dai-fix-the-dai-widgets.patch +staging-rtl8723bs-fix-the-return-value-in-case-of-er.patch +arm-dts-am3517-fix-pinmuxing-for-cd-on-mmc1.patch +arm-dts-logicpd-torpedo-fix-mmc3_dat1-interrupt.patch +arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch +arm-dts-am3517-som-fix-wl127x-wifi-interrupt.patch +arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch +tools-bpftool-prevent-infinite-loop-in-get_fdinfo.patch +asoc-sun8i-codec-fix-crash-on-module-removal.patch +arm64-dts-sdm845-mtp-reserve-reserved-gpios.patch +sysv-return-err-instead-of-0-in-__sysv_write_inode.patch +netfilter-nf_conncount-use-spin_lock_bh-instead-of-s.patch +netfilter-nf_conncount-fix-list_del-corruption-in-co.patch +netfilter-nf_conncount-fix-unexpected-permanent-node.patch +netfilter-nf_tables-don-t-skip-inactive-chains-durin.patch +selftests-add-script-to-stress-test-nft-packet-path-.patch +perf-tools-fix-crash-on-synthesizing-the-unit.patch +netfilter-xt_rateest-remove-netns-exit-routine.patch +netfilter-nf_tables-fix-use-after-free-when-deleting.patch +s390-cio-fix-cleanup-of-pfn_array-alloc-failure.patch +s390-cio-fix-cleanup-when-unsupported-ida-format-is-.patch +hwmon-ina2xx-fix-null-id-pointer-in-probe.patch +hwmon-raspberrypi-fix-initial-notify.patch +asoc-rockchip-add-missing-slave_config-setting-for-i.patch +asoc-wm_adsp-fix-dma-unsafe-read-of-scratch-register.patch +asoc-intel-power-down-links-before-turning-off-displ.patch +asoc-qcom-set-dai_link-id-to-each-dai_link.patch +s390-cpum_cf-reject-request-for-sampling-in-event-in.patch 
+hwmon-ina2xx-fix-current-value-calculation.patch +asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch +asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch +spi-omap2-mcspi-add-missing-suspend-and-resume-calls.patch +hwmon-mlxreg-fan-fix-macros-for-tacho-fault-reading.patch +bpf-allocate-local-storage-buffers-using-gfp_atomic.patch +aio-fix-failure-to-put-the-file-pointer.patch +netfilter-xt_hashlimit-fix-a-possible-memory-leak-in.patch +hwmon-w83795-temp4_type-has-writable-permission.patch +perf-tools-restore-proper-cwd-on-return-from-mnt-nam.patch +pci-imx6-fix-link-training-status-detection-in-link-.patch +asoc-acpi-fix-continue-searching-when-machine-is-ign.patch +objtool-fix-double-free-in-.cold-detection-error-pat.patch +objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch +phy-qcom-qusb2-use-hstx_trim-fused-value-as-is.patch +phy-qcom-qusb2-fix-hstx_trim-tuning-with-fused-value.patch +arm-dts-at91-sama5d2-use-the-divided-clock-for-smc.patch +btrfs-send-fix-infinite-loop-due-to-directory-rename.patch +rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch +rdma-core-add-gids-while-changing-mac-addr-only-for-.patch +rdma-bnxt_re-fix-system-hang-when-registration-with-.patch +rdma-bnxt_re-avoid-accessing-the-device-structure-af.patch +rdma-rdmavt-fix-rvt_create_ah-function-signature.patch +tools-bpftool-fix-potential-null-pointer-dereference.patch +asoc-omap-mcbsp-fix-latency-value-calculation-for-pm.patch +asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch +asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch +exportfs-do-not-read-dentry-after-free.patch +rdma-hns-bugfix-pbl-configuration-for-rereg-mr.patch +bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch +fsi-master-ast-cf-select-generic_allocator.patch +ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch +usb-omap_udc-use-devm_request_irq.patch +usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch +usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch 
+usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch +usb-omap_udc-fix-rejection-of-out-transfers-when-dma.patch +thunderbolt-prevent-root-port-runtime-suspend-during.patch +drm-meson-add-support-for-1080p25-mode.patch +netfilter-ipv6-preserve-link-scope-traffic-original-.patch +ib-mlx5-fix-page-fault-handling-for-mw.patch +netfilter-add-missing-error-handling-code-for-regist.patch +netfilter-nat-fix-double-register-in-masquerade-modu.patch +netfilter-nf_conncount-remove-wrong-condition-check-.patch +kvm-vmx-update-shared-msrs-to-be-saved-restored-on-m.patch +kvm-x86-fix-empty-body-warnings.patch +x86-kvm-vmx-fix-old-style-function-declaration.patch +net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch +usb-gadget-u_ether-fix-unsafe-list-iteration.patch +netfilter-nf_tables-deactivate-expressions-in-rule-r.patch +alsa-usb-audio-add-vendor-and-product-name-for-dell-.patch +cachefiles-fix-an-assertion-failure-when-trying-to-u.patch +fscache-fix-race-in-fscache_op_complete-due-to-split.patch +cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch +igb-fix-uninitialized-variables.patch +ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch +net-hisilicon-remove-unexpected-free_netdev.patch +drm-amdgpu-add-delay-after-enable-rlc-ucode.patch +drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch +xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch +revert-xen-balloon-mark-unallocated-host-memory-as-u.patch +pvcalls-front-fixes-incorrect-error-handling.patch +pstore-ram-correctly-calculate-usable-prz-bytes.patch +afs-fix-validation-callback-interaction.patch +fscache-fix-race-between-enablement-and-dropping-of-.patch +cachefiles-explicitly-cast-enumerated-type-in-put_ob.patch +fscache-cachefiles-remove-redundant-variable-cache.patch +nvme-warn-when-finding-multi-port-subsystems-without.patch +nvme-flush-namespace-scanning-work-just-before-remov.patch +nvme-rdma-fix-double-freeing-of-async-event-data.patch 
+acpi-iort-fix-iort_get_platform_device_domain-uninit.patch +ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch +mm-page_alloc.c-fix-calculation-of-pgdat-nr_zones.patch +hfs-do-not-free-node-before-using.patch +hfsplus-do-not-free-node-before-using.patch +debugobjects-avoid-recursive-calls-with-kmemleak.patch +proc-fixup-map_files-test-on-arm.patch +kernel-kcov.c-mark-funcs-in-__sanitizer_cov_trace_pc.patch +initramfs-clean-old-path-before-creating-a-hardlink.patch +ocfs2-fix-potential-use-after-free.patch diff --git a/queue-4.19/spi-omap2-mcspi-add-missing-suspend-and-resume-calls.patch b/queue-4.19/spi-omap2-mcspi-add-missing-suspend-and-resume-calls.patch new file mode 100644 index 00000000000..f154a8f2c92 --- /dev/null +++ b/queue-4.19/spi-omap2-mcspi-add-missing-suspend-and-resume-calls.patch 
@@ -0,0 +1,87 @@
+From a7aeaa076969e02d6a2791c8f6ee3fad6e5720c3 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren
+Date: Thu, 15 Nov 2018 15:59:39 -0800
+Subject: spi: omap2-mcspi: Add missing suspend and resume calls
+
+[ Upstream commit 91b9deefedf4c35a01027ce38bed7299605026a3 ]
+
+I've been wondering still about omap2-mcspi related suspend and resume
+flakeyness and looks like we're missing calls to spi_master_suspend()
+and spi_master_resume(). Adding those and using pm_runtime_force_suspend()
+and pm_runtime_force_resume() makes things work for suspend and resume
+and allows us to stop using noirq suspend and resume.
+
+And while at it, let's use SET_SYSTEM_SLEEP_PM_OPS to simplify things
+further.
+
+Signed-off-by: Tony Lindgren
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-omap2-mcspi.c | 37 +++++++++++++++++++++++------------
+ 1 file changed, 25 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/spi/spi-omap2-mcspi.c b/drivers/spi/spi-omap2-mcspi.c
+index 508c61c669e7..e2be7da74343 100644
+--- a/drivers/spi/spi-omap2-mcspi.c
++++ b/drivers/spi/spi-omap2-mcspi.c
+@@ -1455,13 +1455,26 @@ static int omap2_mcspi_remove(struct platform_device *pdev)
+ /* work with hotplug and coldplug */
+ MODULE_ALIAS("platform:omap2_mcspi");
+
+-#ifdef CONFIG_SUSPEND
+-static int omap2_mcspi_suspend_noirq(struct device *dev)
++static int __maybe_unused omap2_mcspi_suspend(struct device *dev)
+ {
+- return pinctrl_pm_select_sleep_state(dev);
++ struct spi_master *master = dev_get_drvdata(dev);
++ struct omap2_mcspi *mcspi = spi_master_get_devdata(master);
++ int error;
++
++ error = pinctrl_pm_select_sleep_state(dev);
++ if (error)
++ dev_warn(mcspi->dev, "%s: failed to set pins: %i\n",
++ __func__, error);
++
++ error = spi_master_suspend(master);
++ if (error)
++ dev_warn(mcspi->dev, "%s: master suspend failed: %i\n",
++ __func__, error);
++
++ return pm_runtime_force_suspend(dev);
+ }
+
+-static int omap2_mcspi_resume_noirq(struct device
*dev)
++static int __maybe_unused omap2_mcspi_resume(struct device *dev)
+ {
+ struct spi_master *master = dev_get_drvdata(dev);
+ struct omap2_mcspi *mcspi = spi_master_get_devdata(master);
+@@ -1472,17 +1485,17 @@ static int omap2_mcspi_resume_noirq(struct device *dev)
+ dev_warn(mcspi->dev, "%s: failed to set pins: %i\n",
+ __func__, error);
+
+- return 0;
+-}
++ error = spi_master_resume(master);
++ if (error)
++ dev_warn(mcspi->dev, "%s: master resume failed: %i\n",
++ __func__, error);
+
+-#else
+-#define omap2_mcspi_suspend_noirq NULL
+-#define omap2_mcspi_resume_noirq NULL
+-#endif
++ return pm_runtime_force_resume(dev);
++}
+
+ static const struct dev_pm_ops omap2_mcspi_pm_ops = {
+- .suspend_noirq = omap2_mcspi_suspend_noirq,
+- .resume_noirq = omap2_mcspi_resume_noirq,
++ SET_SYSTEM_SLEEP_PM_OPS(omap2_mcspi_suspend,
++ omap2_mcspi_resume)
+ .runtime_resume = omap_mcspi_runtime_resume,
+ };
+
+--
+2.19.1
+
diff --git a/queue-4.19/staging-rtl8723bs-fix-the-return-value-in-case-of-er.patch b/queue-4.19/staging-rtl8723bs-fix-the-return-value-in-case-of-er.patch
new file mode 100644
index 00000000000..2c4f196ea35
--- /dev/null
+++ b/queue-4.19/staging-rtl8723bs-fix-the-return-value-in-case-of-er.patch
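Review bot: In `omap2_mcspi_suspend()` a failure of `spi_master_suspend()` is only logged and then overwritten, so `pm_runtime_force_suspend()` powers the controller down even when the message queue could not be stopped, and the pins are moved to their sleep state before the queue is stopped at all. If a transfer can still be in flight at that point (not visible in the hunk), it would run against a suspended controller. I would stop the queue first and propagate its error, `error = spi_master_suspend(master); if (error) return error;`, then select the sleep pin state. If ignoring both errors is deliberate, a comment saying so above the function would keep a later reader from changing it.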
@@ -0,0 +1,37 @@
+From 8352931fe187a9c48862022580aae2727c92035d Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET
+Date: Wed, 17 Oct 2018 10:15:34 +0200
+Subject: staging: rtl8723bs: Fix the return value in case of error in
+ 'rtw_wx_read32()'
+
+[ Upstream commit c3e43d8b958bd6849817393483e805d8638a8ab7 ]
+
+We return 0 unconditionally in 'rtw_wx_read32()'.
+However, 'ret' is set to some error codes in several error handling paths.
+
+Return 'ret' instead to propagate the error code.
+
+Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+index c38298d960ff..4f120e72c7d2 100644
+--- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
++++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+@@ -2289,7 +2289,7 @@ static int rtw_wx_read32(struct net_device *dev,
+ exit:
+ kfree(ptmp);
+
+- return 0;
++ return ret;
+ }
+
+ static int rtw_wx_write32(struct net_device *dev,
+--
+2.19.1
+
diff --git a/queue-4.19/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch b/queue-4.19/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch
new file mode 100644
index 00000000000..89e35ab927e
--- /dev/null
+++ b/queue-4.19/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch
@@ -0,0 +1,39 @@
+From c0e4de751f2add4158d7a35cffaef265346e2c58 Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Sat, 10 Nov 2018 04:13:24 +0000
+Subject: sysv: return 'err' instead of 0 in __sysv_write_inode
+
+[ Upstream commit c4b7d1ba7d263b74bb72e9325262a67139605cde ]
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+fs/sysv/inode.c: In function '__sysv_write_inode':
+fs/sysv/inode.c:239:6: warning:
+ variable 'err' set but not used [-Wunused-but-set-variable]
+
+__sysv_write_inode should return 'err' instead of 0
+
+Fixes: 05459ca81ac3 ("repair sysv_write_inode(), switch sysv to simple_fsync()")
+Signed-off-by: YueHaibing
+Signed-off-by: Al Viro
+Signed-off-by: Sasha Levin
+---
+ fs/sysv/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/sysv/inode.c b/fs/sysv/inode.c
+index 499a20a5a010..273736f41be3 100644
+--- a/fs/sysv/inode.c
++++ b/fs/sysv/inode.c
+@@ -275,7 +275,7 @@ static int __sysv_write_inode(struct inode *inode, int wait)
+ }
+ }
+ brelse(bh);
+- return 0;
++ return err;
+ }
+
+ int sysv_write_inode(struct inode *inode, struct writeback_control *wbc)
+--
+2.19.1
+
diff --git a/queue-4.19/thunderbolt-prevent-root-port-runtime-suspend-during.patch b/queue-4.19/thunderbolt-prevent-root-port-runtime-suspend-during.patch
new file mode 100644
index 00000000000..90d32683b1e
--- /dev/null
+++ b/queue-4.19/thunderbolt-prevent-root-port-runtime-suspend-during.patch
@@ -0,0 +1,94 @@
+From a8f22d0b719727b629a2d998f33d074b81a77d02 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg
+Date: Mon, 26 Nov 2018 12:47:46 +0300
+Subject: thunderbolt: Prevent root port runtime suspend during NVM upgrade
+
+[ Upstream commit 1830b6eeda1fed42d85f2388f79c926331a9b2d0 ]
+
+During NVM upgrade process the host router is hot-removed for a short
+while. During this time it is possible that the root port is moved into
+D3cold which would be fine if the root port could trigger PME on itself.
+However, many systems actually do not implement it so what happens is
+that the root port goes into D3cold and never wakes up unless userspace
+does PCI config space access, such as running 'lscpi'.
+
+For this reason we explicitly prevent the root port from runtime
+suspending during NVM upgrade.
+
+Signed-off-by: Mika Westerberg
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/thunderbolt/switch.c | 40 ++++++++++++++++++++++++++++++++++--
+ 1 file changed, 38 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/thunderbolt/switch.c b/drivers/thunderbolt/switch.c
+index 7442bc4c6433..dd9ae6f5d19c 100644
+--- a/drivers/thunderbolt/switch.c
++++ b/drivers/thunderbolt/switch.c
+@@ -864,6 +864,30 @@ static ssize_t key_store(struct device *dev, struct device_attribute *attr,
+ }
+ static DEVICE_ATTR(key, 0600, key_show, key_store);
+
++static void nvm_authenticate_start(struct tb_switch *sw)
++{
++ struct pci_dev *root_port;
++
++ /*
++ * During host router NVM upgrade we should not allow root port to
++ * go into D3cold because some root ports cannot trigger PME
++ * itself. To be on the safe side keep the root port in D0 during
++ * the whole upgrade process.
++ */
++ root_port = pci_find_pcie_root_port(sw->tb->nhi->pdev);
++ if (root_port)
++ pm_runtime_get_noresume(&root_port->dev);
++}
++
++static void nvm_authenticate_complete(struct tb_switch *sw)
++{
++ struct pci_dev *root_port;
++
++ root_port = pci_find_pcie_root_port(sw->tb->nhi->pdev);
++ if (root_port)
++ pm_runtime_put(&root_port->dev);
++}
++
+ static ssize_t nvm_authenticate_show(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
+@@ -913,10 +937,18 @@ static ssize_t nvm_authenticate_store(struct device *dev,
+
+ sw->nvm->authenticating = true;
+
+- if (!tb_route(sw))
++ if (!tb_route(sw)) {
++ /*
++ * Keep root port from suspending as long as the
++ * NVM upgrade process is running.
++ */
++ nvm_authenticate_start(sw);
+ ret = nvm_authenticate_host(sw);
+- else
++ if (ret)
++ nvm_authenticate_complete(sw);
++ } else {
+ ret = nvm_authenticate_device(sw);
++ }
+ pm_runtime_mark_last_busy(&sw->dev);
+ pm_runtime_put_autosuspend(&sw->dev);
+ }
+@@ -1336,6 +1368,10 @@ static int tb_switch_add_dma_port(struct tb_switch *sw)
+ if (ret <= 0)
+ return ret;
+
++ /* Now we can allow root port to suspend again */
++ if (!tb_route(sw))
++ nvm_authenticate_complete(sw);
++
+ if (status) {
+ tb_sw_info(sw, "switch flash authentication failed\n");
+ tb_switch_set_uuid(sw);
+--
+2.19.1
+
diff --git a/queue-4.19/tools-bpftool-fix-potential-null-pointer-dereference.patch b/queue-4.19/tools-bpftool-fix-potential-null-pointer-dereference.patch
new file mode 100644
index 00000000000..c6085a6952d
--- /dev/null
+++ b/queue-4.19/tools-bpftool-fix-potential-null-pointer-dereference.patch
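Review bot: The reference taken by `pm_runtime_get_noresume()` in `nvm_authenticate_start()` is dropped in a different function, `tb_switch_add_dma_port()`, and only after its `if (ret <= 0) return ret;` check, so the pairing is not evident from either side. If that status read fails after an upgrade was started, the early return appears to leave the root port's usage count elevated and the port pinned in D0; the rest of both functions is outside the hunk, so this is inferred. A comment on `nvm_authenticate_start()` such as `/* Balanced by nvm_authenticate_complete() in tb_switch_add_dma_port() once the router is back */`, plus a flag recording that the reference is held, would make the pairing explicit and let the error path release it.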
@@ -0,0 +1,71 @@
+From 32ddf804a888faa0b294a85542ec3dc6a2e127a7 Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski
+Date: Wed, 21 Nov 2018 13:53:17 -0800
+Subject: tools: bpftool: fix potential NULL pointer dereference in do_load
+
+[ Upstream commit dde7011a824cfa815b03f853ec985ff46b740939 ]
+
+This patch fixes a possible null pointer dereference in
+do_load, detected by the semantic patch deref_null.cocci,
+with the following warning:
+
+./tools/bpf/bpftool/prog.c:1021:23-25: ERROR: map_replace is NULL but dereferenced.
+
+The following code has potential null pointer references:
+881 map_replace = reallocarray(map_replace, old_map_fds + 1,
+882 sizeof(*map_replace));
+883 if (!map_replace) {
+884 p_err("mem alloc failed");
+885 goto err_free_reuse_maps;
+886 }
+
+...
+1019 err_free_reuse_maps:
+1020 for (i = 0; i < old_map_fds; i++)
+1021 close(map_replace[i].fd);
+1022 free(map_replace);
+
+Fixes: 3ff5a4dc5d89 ("tools: bpftool: allow reuse of maps with bpftool prog load")
+Co-developed-by: Wen Yang
+Signed-off-by: Wen Yang
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Sasha Levin
+---
+ tools/bpf/bpftool/prog.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c
+index dce960d22106..0de024a6cc2b 100644
+--- a/tools/bpf/bpftool/prog.c
++++ b/tools/bpf/bpftool/prog.c
+@@ -749,6 +749,7 @@ static int do_load(int argc, char **argv)
+ }
+ NEXT_ARG();
+ } else if (is_prefix(*argv, "map")) {
++ void *new_map_replace;
+ char *endptr, *name;
+ int fd;
+
+@@ -782,12 +783,15 @@ static int do_load(int argc, char **argv)
+ if (fd < 0)
+ goto err_free_reuse_maps;
+
+- map_replace = reallocarray(map_replace, old_map_fds + 1,
+- sizeof(*map_replace));
+- if (!map_replace) {
++ new_map_replace = reallocarray(map_replace,
++ old_map_fds + 1,
++ sizeof(*map_replace));
++ if (!new_map_replace) {
+ p_err("mem alloc failed");
+ goto err_free_reuse_maps;
+ }
++ map_replace =
new_map_replace;
++
+ map_replace[old_map_fds].idx = idx;
+ map_replace[old_map_fds].name = name;
+ map_replace[old_map_fds].fd = fd;
+--
+2.19.1
+
diff --git a/queue-4.19/tools-bpftool-prevent-infinite-loop-in-get_fdinfo.patch b/queue-4.19/tools-bpftool-prevent-infinite-loop-in-get_fdinfo.patch
new file mode 100644
index 00000000000..02925a1f3bd
--- /dev/null
+++ b/queue-4.19/tools-bpftool-prevent-infinite-loop-in-get_fdinfo.patch
@@ -0,0 +1,39 @@
+From e3eb747cc1fae15b65e871487d91165daa139b21 Mon Sep 17 00:00:00 2001
+From: Quentin Monnet
+Date: Thu, 8 Nov 2018 11:52:25 +0000
+Subject: tools: bpftool: prevent infinite loop in get_fdinfo()
+
+[ Upstream commit 53909030aa29bffe1f8490df62176c2375135652 ]
+
+Function getline() returns -1 on failure to read a line, thus creating
+an infinite loop in get_fdinfo() if the key is not found. Fix it by
+calling the function only as long as we get a strictly positive return
+value.
+
+Found by copying the code for a key which is not always present...
+
+Fixes: 71bb428fe2c1 ("tools: bpf: add bpftool")
+Signed-off-by: Quentin Monnet
+Reviewed-by: Jakub Kicinski
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Sasha Levin
+---
+ tools/bpf/bpftool/common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c
+index b3a0709ea7ed..fcaf00621102 100644
+--- a/tools/bpf/bpftool/common.c
++++ b/tools/bpf/bpftool/common.c
+@@ -304,7 +304,7 @@ char *get_fdinfo(int fd, const char *key)
+ return NULL;
+ }
+
+- while ((n = getline(&line, &line_n, fdi))) {
++ while ((n = getline(&line, &line_n, fdi)) > 0) {
+ char *value;
+ int len;
+
+--
+2.19.1
+
diff --git a/queue-4.19/usb-gadget-u_ether-fix-unsafe-list-iteration.patch b/queue-4.19/usb-gadget-u_ether-fix-unsafe-list-iteration.patch
new file mode 100644
index 00000000000..0ba6ff9db66
--- /dev/null
+++ b/queue-4.19/usb-gadget-u_ether-fix-unsafe-list-iteration.patch
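Review bot: When `reallocarray()` fails in `do_load()`, the `fd` obtained just above has not yet been stored in `map_replace[]`, so the `err_free_reuse_maps` loop quoted in the commit message, which closes `map_replace[i].fd` for `i < old_map_fds`, never closes it. Add `close(fd);` before the `goto err_free_reuse_maps;` in the `if (!new_map_replace)` branch. Declaring `new_map_replace` with the same pointer type as `map_replace` instead of `void *` would also keep the assignment type-checked. The body of do_load() starts and ends outside the hunk.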
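Review bot: The new `> 0` test in `get_fdinfo()` only ends the loop if `n` is a signed type, and the declaration of `n` is outside the hunk. With a `size_t n` the `-1` returned by `getline()` would convert to a large positive value and the loop would still not terminate, so please confirm it is declared `ssize_t n;`. A short comment on the loop, `/* getline() returns -1 on EOF or error */`, would record why the comparison is there.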
@@ -0,0 +1,103 @@
+From 5692f4cae8d11961e3afbe716ad9b91e57f226e2 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski
+Date: Mon, 19 Nov 2018 16:49:05 +0100
+Subject: usb: gadget: u_ether: fix unsafe list iteration
+
+[ Upstream commit c9287fa657b3328b4549c0ab39ea7f197a3d6a50 ]
+
+list_for_each_entry_safe() is not safe for deleting entries from the
+list if the spin lock, which protects it, is released and reacquired during
+the list iteration. Fix this issue by replacing this construction with
+a simple check if list is empty and removing the first entry in each
+iteration. This is almost equivalent to a revert of the commit mentioned in
+the Fixes: tag.
+
+This patch fixes following issue:
+--->8---
+Unable to handle kernel NULL pointer dereference at virtual address 00000104
+pgd = (ptrval)
+[00000104] *pgd=00000000
+Internal error: Oops: 817 [#1] PREEMPT SMP ARM
+Modules linked in:
+CPU: 1 PID: 84 Comm: kworker/1:1 Not tainted 4.20.0-rc2-next-20181114-00009-g8266b35ec404 #1061
+Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
+Workqueue: events eth_work
+PC is at rx_fill+0x60/0xac
+LR is at _raw_spin_lock_irqsave+0x50/0x5c
+pc : [] lr : [] psr: 80000093
+sp : ee7fbee8 ip : 00000100 fp : 00000000
+r10: 006000c0 r9 : c10b0ab0 r8 : ee7eb5c0
+r7 : ee7eb614 r6 : ee7eb5ec r5 : 000000dc r4 : ee12ac00
+r3 : ee12ac24 r2 : 00000200 r1 : 60000013 r0 : ee7eb5ec
+Flags: Nzcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none
+Control: 10c5387d Table: 6d5dc04a DAC: 00000051
+Process kworker/1:1 (pid: 84, stack limit = 0x(ptrval))
+Stack: (0xee7fbee8 to 0xee7fc000)
+...
+[] (rx_fill) from [] (process_one_work+0x200/0x738)
+[] (process_one_work) from [] (worker_thread+0x2c/0x4c8)
+[] (worker_thread) from [] (kthread+0x128/0x164)
+[] (kthread) from [] (ret_from_fork+0x14/0x20)
+Exception stack(0xee7fbfb0 to 0xee7fbff8)
+...
+---[ end trace 64480bc835eba7d6 ]---
+
+Fixes: fea14e68ff5e ("usb: gadget: u_ether: use better list accessors")
+Signed-off-by: Marek Szyprowski
+Signed-off-by: Felipe Balbi
+
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/function/u_ether.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
+index 1000d864929c..0f026d445e31 100644
+--- a/drivers/usb/gadget/function/u_ether.c
++++ b/drivers/usb/gadget/function/u_ether.c
+@@ -401,12 +401,12 @@ static int alloc_requests(struct eth_dev *dev, struct gether *link, unsigned n)
+ static void rx_fill(struct eth_dev *dev, gfp_t gfp_flags)
+ {
+ struct usb_request *req;
+- struct usb_request *tmp;
+ unsigned long flags;
+
+ /* fill unused rxq slots with some skb */
+ spin_lock_irqsave(&dev->req_lock, flags);
+- list_for_each_entry_safe(req, tmp, &dev->rx_reqs, list) {
++ while (!list_empty(&dev->rx_reqs)) {
++ req = list_first_entry(&dev->rx_reqs, struct usb_request, list);
+ list_del_init(&req->list);
+ spin_unlock_irqrestore(&dev->req_lock, flags);
+
+@@ -1125,7 +1125,6 @@ void gether_disconnect(struct gether *link)
+ {
+ struct eth_dev *dev = link->ioport;
+ struct usb_request *req;
+- struct usb_request *tmp;
+
+ WARN_ON(!dev);
+ if (!dev)
+@@ -1142,7 +1141,8 @@ void gether_disconnect(struct gether *link)
+ */
+ usb_ep_disable(link->in_ep);
+ spin_lock(&dev->req_lock);
+- list_for_each_entry_safe(req, tmp, &dev->tx_reqs, list) {
++ while (!list_empty(&dev->tx_reqs)) {
++ req = list_first_entry(&dev->tx_reqs, struct usb_request, list);
+ list_del(&req->list);
+
+ spin_unlock(&dev->req_lock);
+@@ -1154,7 +1154,8 @@ void gether_disconnect(struct gether *link)
+
+ usb_ep_disable(link->out_ep);
+ spin_lock(&dev->req_lock);
+- list_for_each_entry_safe(req, tmp, &dev->rx_reqs, list) {
++ while (!list_empty(&dev->rx_reqs)) {
++ req = list_first_entry(&dev->rx_reqs, struct usb_request, list);
+ list_del(&req->list);
+
+ spin_unlock(&dev->req_lock);
+--
+2.19.1
+
diff --git a/queue-4.19/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch b/queue-4.19/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch
new file mode 100644
index 00000000000..5cf20db6b9a
--- /dev/null
+++ b/queue-4.19/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch
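Review bot: Nothing in the three rewritten loops records why the head of the list is re-read on every pass, and the commit being fixed was itself a cleanup to "better list accessors", so the same conversion could be made again. Add a comment at the first loop in `rx_fill()`, e.g. `/* req_lock is dropped inside the loop: always take the first entry, list_for_each_entry_safe() is not safe here */`, and a shorter one at the two loops in `gether_disconnect()`. Both functions continue outside the hunk, so whether a failed submit puts the request back on `rx_reqs`, which would make the `while (!list_empty(...))` form depend on an early exit, cannot be checked from here.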
@@ -0,0 +1,114 @@
+From 910ee6c9c9fd49a19036d3f7e5aa8950de3d9265 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen
+Date: Sun, 25 Nov 2018 00:17:05 +0200
+Subject: USB: omap_udc: fix crashes on probe error and module removal
+
+[ Upstream commit 99f700366fcea1aa2fa3c49c99f371670c3c62f8 ]
+
+We currently crash if usb_add_gadget_udc_release() fails, since the
+udc->done is not initialized until in the remove function.
+Furthermore, on module removal the udc data is accessed although
+the release function is already triggered by usb_del_gadget_udc()
+early in the function.
+
+Fix by rewriting the release and remove functions, basically moving
+all the cleanup into the release function, and doing the completion
+only in the module removal case.
+
+The patch fixes omap_udc module probe with a failing gadged, and also
+allows the removal of omap_udc. Tested by running "modprobe omap_udc;
+modprobe -r omap_udc" in a loop.
+
+Signed-off-by: Aaro Koskinen
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/udc/omap_udc.c | 50 ++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c
+index 1c77218c82af..240ccba44592 100644
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -2593,9 +2593,22 @@ omap_ep_setup(char *name, u8 addr, u8 type,
+
+ static void omap_udc_release(struct device *dev)
+ {
+- complete(udc->done);
++ pullup_disable(udc);
++ if (!IS_ERR_OR_NULL(udc->transceiver)) {
++ usb_put_phy(udc->transceiver);
++ udc->transceiver = NULL;
++ }
++ omap_writew(0, UDC_SYSCON1);
++ remove_proc_file();
++ if (udc->dc_clk) {
++ if (udc->clk_requested)
++ omap_udc_enable_clock(0);
++ clk_put(udc->hhc_clk);
++ clk_put(udc->dc_clk);
++ }
++ if (udc->done)
++ complete(udc->done);
+ kfree(udc);
+- udc = NULL;
+ }
+
+ static int
+@@ -2900,12 +2913,8 @@ static int omap_udc_probe(struct platform_device *pdev)
+ }
+
+ create_proc_file();
+- status = usb_add_gadget_udc_release(&pdev->dev, &udc->gadget,
+- omap_udc_release);
+- if (!status)
+- return 0;
+-
+- remove_proc_file();
++ return usb_add_gadget_udc_release(&pdev->dev, &udc->gadget,
++ omap_udc_release);
+
+ cleanup1:
+ kfree(udc);
+@@ -2932,36 +2941,15 @@ static int omap_udc_remove(struct platform_device *pdev)
+ {
+ DECLARE_COMPLETION_ONSTACK(done);
+
+- if (!udc)
+- return -ENODEV;
+-
+- usb_del_gadget_udc(&udc->gadget);
+- if (udc->driver)
+- return -EBUSY;
+-
+ udc->done = &done;
+
+- pullup_disable(udc);
+- if (!IS_ERR_OR_NULL(udc->transceiver)) {
+- usb_put_phy(udc->transceiver);
+- udc->transceiver = NULL;
+- }
+- omap_writew(0, UDC_SYSCON1);
+-
+- remove_proc_file();
++ usb_del_gadget_udc(&udc->gadget);
+
+- if (udc->dc_clk) {
+- if (udc->clk_requested)
+- omap_udc_enable_clock(0);
+- clk_put(udc->hhc_clk);
+- clk_put(udc->dc_clk);
+- }
++ wait_for_completion(&done);
+
+ release_mem_region(pdev->resource[0].start,
+ pdev->resource[0].end - pdev->resource[0].start + 1);
+
+- wait_for_completion(&done);
+-
+ return 0;
+ }
+
+--
+2.19.1
+
diff --git a/queue-4.19/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch b/queue-4.19/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch
new file mode 100644
index 00000000000..ac1e7995b8b
--- /dev/null
+++ b/queue-4.19/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch
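Review bot: `omap_udc_release()` now frees the object with `kfree(udc)` but no longer clears the global pointer, and `omap_udc_remove()` lost its `if (!udc)` guard and writes `udc->done` unconditionally. Once release has run, for example after a failed `usb_add_gadget_udc_release()`, the global is left pointing at freed memory, so any later reader of `udc` outside this hunk becomes a use-after-free instead of a NULL check; keeping `udc = NULL;` after the `kfree()` would preserve the old behaviour. In `omap_udc_probe()` the `cleanup1:` label now follows an unconditional `return`, so a comment such as `/* reached only via goto; after registration the release callback owns cleanup */` would explain why it is still needed.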
@@ -0,0 +1,41 @@
+From 7550fda6f46ccec179ca323d0a38f53ae73c3a9e Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen
+Date: Sun, 25 Nov 2018 00:17:06 +0200
+Subject: USB: omap_udc: fix omap_udc_start() on 15xx machines
+
+[ Upstream commit 6ca6695f576b8453fe68865e84d25946d63b10ad ]
+
+On OMAP 15xx machines there are no transceivers, and omap_udc_start()
+always fails as it forgot to adjust the default return value.
+
+Signed-off-by: Aaro Koskinen
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/udc/omap_udc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c
+index 240ccba44592..33250e569af8 100644
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -2041,7 +2041,7 @@ static inline int machine_without_vbus_sense(void)
+ static int omap_udc_start(struct usb_gadget *g,
+ struct usb_gadget_driver *driver)
+ {
+- int status = -ENODEV;
++ int status;
+ struct omap_ep *ep;
+ unsigned long flags;
+
+@@ -2079,6 +2079,7 @@ static int omap_udc_start(struct usb_gadget *g,
+ goto done;
+ }
+ } else {
++ status = 0;
+ if (can_pullup(udc))
+ pullup_enable(udc);
+ else
+--
+2.19.1
+
diff --git a/queue-4.19/usb-omap_udc-fix-rejection-of-out-transfers-when-dma.patch b/queue-4.19/usb-omap_udc-fix-rejection-of-out-transfers-when-dma.patch
new file mode 100644
index 00000000000..e78a9b2389f
--- /dev/null
+++ b/queue-4.19/usb-omap_udc-fix-rejection-of-out-transfers-when-dma.patch
@@ -0,0 +1,35 @@
+From 5b81c8678c8ee48c52de58e85ecb313212f682e0 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen
+Date: Sun, 25 Nov 2018 00:17:08 +0200
+Subject: USB: omap_udc: fix rejection of out transfers when DMA is used
+
+[ Upstream commit 069caf5950dfa75d0526cd89c439ff9d9d3136d8 ]
+
+Commit 387f869d2579 ("usb: gadget: u_ether: conditionally align
+transfer size") started aligning transfer size only if requested,
+breaking omap_udc DMA mode. Set quirk_ep_out_aligned_size to restore
+the old behaviour.
+
+Fixes: 387f869d2579 ("usb: gadget: u_ether: conditionally align transfer size")
+Signed-off-by: Aaro Koskinen
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/udc/omap_udc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c
+index 9b23e04c8f02..fcf13ef33b31 100644
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -2642,6 +2642,7 @@ omap_udc_setup(struct platform_device *odev, struct usb_phy *xceiv)
+ udc->gadget.speed = USB_SPEED_UNKNOWN;
+ udc->gadget.max_speed = USB_SPEED_FULL;
+ udc->gadget.name = driver_name;
++ udc->gadget.quirk_ep_out_aligned_size = 1;
+ udc->transceiver = xceiv;
+
+ /* ep0 is special; put it right after the SETUP buffer */
+--
+2.19.1
+
diff --git a/queue-4.19/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch b/queue-4.19/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch
new file mode 100644
index 00000000000..340a6724a49
--- /dev/null
+++ b/queue-4.19/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch
@@ -0,0 +1,32 @@
+From 112aaf8d7a186deccdf8256ab2dd7caf199a6cef Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen
+Date: Sun, 25 Nov 2018 00:17:07 +0200
+Subject: USB: omap_udc: fix USB gadget functionality on Palm Tungsten E
+
+[ Upstream commit 2c2322fbcab8102b8cadc09d66714700a2da42c2 ]
+
+On Palm TE nothing happens when you try to use gadget drivers and plug
+the USB cable. Fix by adding the board to the vbus sense quirk list.
+
+Signed-off-by: Aaro Koskinen
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/udc/omap_udc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c
+index 33250e569af8..9b23e04c8f02 100644
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -2033,6 +2033,7 @@ static inline int machine_without_vbus_sense(void)
+ {
+ return machine_is_omap_innovator()
+ || machine_is_omap_osk()
++ || machine_is_omap_palmte()
+ || machine_is_sx1()
+ /* No known omap7xx boards with vbus sense */
+ || cpu_is_omap7xx();
+--
+2.19.1
+
diff --git a/queue-4.19/usb-omap_udc-use-devm_request_irq.patch b/queue-4.19/usb-omap_udc-use-devm_request_irq.patch
new file mode 100644
index 00000000000..df0f3c14673
--- /dev/null
+++ b/queue-4.19/usb-omap_udc-use-devm_request_irq.patch
@@ -0,0 +1,102 @@
+From 71fb97ad5d3b64b08f25517cdb01963fd69989dc Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen
+Date: Sun, 25 Nov 2018 00:17:04 +0200
+Subject: USB: omap_udc: use devm_request_irq()
+
+[ Upstream commit 286afdde1640d8ea8916a0f05e811441fbbf4b9d ]
+
+The current code fails to release the third irq on the error path
+(observed by reading the code), and we get also multiple WARNs with
+failing gadget drivers due to duplicate IRQ releases. Fix by using
+devm_request_irq().
+
+Signed-off-by: Aaro Koskinen
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/udc/omap_udc.c | 37 +++++++++----------------------
+ 1 file changed, 10 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c
+index 3a16431da321..1c77218c82af 100644
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -2867,8 +2867,8 @@ static int omap_udc_probe(struct platform_device *pdev)
+ udc->clr_halt = UDC_RESET_EP;
+
+ /* USB general purpose IRQ: ep0, state changes, dma, etc */
+- status = request_irq(pdev->resource[1].start, omap_udc_irq,
+- 0, driver_name, udc);
++ status = devm_request_irq(&pdev->dev, pdev->resource[1].start,
++ omap_udc_irq, 0, driver_name, udc);
+ if (status != 0) {
+ ERR("can't get irq %d, err %d\n",
+ (int) pdev->resource[1].start, status);
+@@ -2876,20 +2876,20 @@ static int omap_udc_probe(struct platform_device *pdev)
+ }
+
+ /* USB "non-iso" IRQ (PIO for all but ep0) */
+- status = request_irq(pdev->resource[2].start, omap_udc_pio_irq,
+- 0, "omap_udc pio", udc);
++ status = devm_request_irq(&pdev->dev, pdev->resource[2].start,
++ omap_udc_pio_irq, 0, "omap_udc pio", udc);
+ if (status != 0) {
+ ERR("can't get irq %d, err %d\n",
+ (int) pdev->resource[2].start, status);
+- goto cleanup2;
++ goto cleanup1;
+ }
+ #ifdef USE_ISO
+- status = request_irq(pdev->resource[3].start, omap_udc_iso_irq,
+- 0, "omap_udc iso", udc);
++ status =
devm_request_irq(&pdev->dev, pdev->resource[3].start,
++ omap_udc_iso_irq, 0, "omap_udc iso", udc);
+ if (status != 0) {
+ ERR("can't get irq %d, err %d\n",
+ (int) pdev->resource[3].start, status);
+- goto cleanup3;
++ goto cleanup1;
+ }
+ #endif
+ if (cpu_is_omap16xx() || cpu_is_omap7xx()) {
+@@ -2902,22 +2902,11 @@ static int omap_udc_probe(struct platform_device *pdev)
+ create_proc_file();
+ status = usb_add_gadget_udc_release(&pdev->dev, &udc->gadget,
+ omap_udc_release);
+- if (status)
+- goto cleanup4;
+-
+- return 0;
++ if (!status)
++ return 0;
+
+-cleanup4:
+ remove_proc_file();
+
+-#ifdef USE_ISO
+-cleanup3:
+- free_irq(pdev->resource[2].start, udc);
+-#endif
+-
+-cleanup2:
+- free_irq(pdev->resource[1].start, udc);
+-
+ cleanup1:
+ kfree(udc);
+ udc = NULL;
+@@ -2961,12 +2950,6 @@ static int omap_udc_remove(struct platform_device *pdev)
+
+ remove_proc_file();
+
+-#ifdef USE_ISO
+- free_irq(pdev->resource[3].start, udc);
+-#endif
+- free_irq(pdev->resource[2].start, udc);
+- free_irq(pdev->resource[1].start, udc);
+-
+ if (udc->dc_clk) {
+ if (udc->clk_requested)
+ omap_udc_enable_clock(0);
+--
+2.19.1
+
diff --git a/queue-4.19/x86-kvm-vmx-fix-old-style-function-declaration.patch b/queue-4.19/x86-kvm-vmx-fix-old-style-function-declaration.patch
new file mode 100644
index 00000000000..13ed4ed9509
--- /dev/null
+++ b/queue-4.19/x86-kvm-vmx-fix-old-style-function-declaration.patch
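Review bot: With `devm_request_irq()` the handlers stay registered, with `udc` as their `dev_id`, until devres teardown runs after `omap_udc_probe()` has returned its error or `omap_udc_remove()` has returned, but the `cleanup1:` path still does `kfree(udc); udc = NULL;` before that. If the controller can raise an interrupt in that window (not determinable from the hunk), the handler runs against freed memory; the same ordering applies in remove, where `omap_udc_enable_clock(0)` switches the clocks off while the IRQs are still live. Either release them explicitly before the free with `devm_free_irq(&pdev->dev, pdev->resource[1].start, udc);` (likewise for resources 2 and 3), or allocate `udc` with a devm allocator ahead of the IRQ requests so it outlives them. Both functions extend outside the hunk.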
@@ -0,0 +1,68 @@
+From 37644e22c64075b6095153c4fb45a9903dba2100 Mon Sep 17 00:00:00 2001
+From: Yi Wang
+Date: Thu, 8 Nov 2018 11:22:21 +0800
+Subject: x86/kvm/vmx: fix old-style function declaration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 1e4329ee2c52692ea42cc677fb2133519718b34a ]
+
+The inline keyword which is not at the beginning of the function
+declaration may trigger the following build warnings, so let's fix it:
+
+arch/x86/kvm/vmx.c:1309:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
+arch/x86/kvm/vmx.c:5947:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
+arch/x86/kvm/vmx.c:5985:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
+arch/x86/kvm/vmx.c:6023:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
+
+Signed-off-by: Yi Wang
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/vmx.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index b1aef90aab91..c97a9d60d305 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -1285,7 +1285,7 @@ static void vmx_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked);
+ static bool nested_vmx_is_page_fault_vmexit(struct vmcs12 *vmcs12,
+ u16 error_code);
+ static void vmx_update_msr_bitmap(struct kvm_vcpu *vcpu);
+-static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
++static __always_inline void vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
+ u32 msr, int type);
+
+ static DEFINE_PER_CPU(struct vmcs *, vmxarea);
+@@ -5935,7 +5935,7 @@ static void free_vpid(int vpid)
+ spin_unlock(&vmx_vpid_lock);
+ }
+
+-static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
++static __always_inline void vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
+ u32 msr, int type)
+ {
+ int f = sizeof(unsigned long);
+@@ -5973,7 +5973,7 @@ static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bit
+ }
+ }
+
+-static void __always_inline vmx_enable_intercept_for_msr(unsigned long *msr_bitmap,
++static __always_inline void vmx_enable_intercept_for_msr(unsigned long *msr_bitmap,
+ u32 msr, int type)
+ {
+ int f = sizeof(unsigned long);
+@@ -6011,7 +6011,7 @@ static void __always_inline vmx_enable_intercept_for_msr(unsigned long *msr_bitm
+ }
+ }
+
+-static void __always_inline vmx_set_intercept_for_msr(unsigned long *msr_bitmap,
++static __always_inline void vmx_set_intercept_for_msr(unsigned long *msr_bitmap,
+ u32 msr, int type, bool value)
+ {
+ if (value)
+--
+2.19.1
+
diff --git a/queue-4.19/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch b/queue-4.19/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch
new file mode 100644
index 00000000000..3e06335ee44
--- /dev/null
+++ b/queue-4.19/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch
@@ -0,0 +1,37 @@
+From 17d803b3196ba92908fa79255737b60664592c9f Mon Sep 17 00:00:00 2001
+From: Srikanth Boddepalli
+Date: Tue, 27 Nov 2018 19:53:27 +0530
+Subject: xen: xlate_mmu: add missing header to fix 'W=1' warning
+
+[ Upstream commit 72791ac854fea36034fa7976b748fde585008e78 ]
+
+Add a missing header otherwise compiler warns about missed prototype:
+
+drivers/xen/xlate_mmu.c:183:5: warning: no previous prototype for 'xen_xlate_unmap_gfn_range?' [-Wmissing-prototypes]
+ int xen_xlate_unmap_gfn_range(struct vm_area_struct *vma,
+ ^~~~~~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Srikanth Boddepalli
+Reviewed-by: Boris Ostrovsky
+Reviewed-by: Joey Pabalinas
+Signed-off-by: Juergen Gross
+Signed-off-by: Sasha Levin
+---
+ drivers/xen/xlate_mmu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/xen/xlate_mmu.c b/drivers/xen/xlate_mmu.c
+index 23f1387b3ef7..e7df65d32c91 100644
+--- a/drivers/xen/xlate_mmu.c
++++ b/drivers/xen/xlate_mmu.c
+@@ -36,6 +36,7 @@
+ #include
+
+ #include
++#include
+ #include
+ #include
+ #include
+--
+2.19.1
+