From: Greg Kroah-Hartman Date: Mon, 23 Mar 2020 14:57:54 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.19.113~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6c1a7def3638a4eb9961a47294b609da39821ad1;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: iio-magnetometer-ak8974-fix-negative-raw-values-in-sysfs.patch intel_th-fix-user-visible-error-codes.patch memcg-fix-null-pointer-dereference-in-__mem_cgroup_usage_unregister_event.patch mm-slub-be-more-careful-about-the-double-cmpxchg-of-freelist.patch mm-slub-prevent-kmalloc_node-crashes-and-memory-leaks.patch mmc-sdhci-of-at91-fix-cd-gpios-for-sama5d2.patch rtc-max8907-add-missing-select-regmap_irq.patch staging-rtl8188eu-add-device-id-for-mercusys-mw150us-v2.patch staging-speakup-fix-get_word-non-space-look-ahead.patch x86-mm-split-vmalloc_sync_all.patch --- diff --git a/queue-4.9/iio-magnetometer-ak8974-fix-negative-raw-values-in-sysfs.patch b/queue-4.9/iio-magnetometer-ak8974-fix-negative-raw-values-in-sysfs.patch new file mode 100644 index 00000000000..f6217b0ab72 --- /dev/null +++ b/queue-4.9/iio-magnetometer-ak8974-fix-negative-raw-values-in-sysfs.patch @@ -0,0 +1,41 @@ +From b500c086e4110829a308c23e83a7cdc65b26228a Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Fri, 14 Feb 2020 12:03:24 +0100 +Subject: iio: magnetometer: ak8974: Fix negative raw values in sysfs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stephan Gerhold + +commit b500c086e4110829a308c23e83a7cdc65b26228a upstream. + +At the moment, reading from in_magn_*_raw in sysfs tends to return +large values around 65000, even though the output of ak8974 is actually +limited to ±32768. This happens because the value is never converted +to the signed 16-bit integer variant. + +Add an explicit cast to s16 to fix this. + +Fixes: 7c94a8b2ee8c ("iio: magn: add a driver for AK8974") +Signed-off-by: Stephan Gerhold +Reviewed-by: Linus Waleij +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/magnetometer/ak8974.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/magnetometer/ak8974.c ++++ b/drivers/iio/magnetometer/ak8974.c +@@ -477,7 +477,7 @@ static int ak8974_read_raw(struct iio_de + * We read all axes and discard all but one, for optimized + * reading, use the triggered buffer. + */ +- *val = le16_to_cpu(hw_values[chan->address]); ++ *val = (s16)le16_to_cpu(hw_values[chan->address]); + + ret = IIO_VAL_INT; + } diff --git a/queue-4.9/intel_th-fix-user-visible-error-codes.patch b/queue-4.9/intel_th-fix-user-visible-error-codes.patch new file mode 100644 index 00000000000..a0933e8ae7a --- /dev/null +++ b/queue-4.9/intel_th-fix-user-visible-error-codes.patch @@ -0,0 +1,52 @@ +From ce666be89a8a09c5924ff08fc32e119f974bdab6 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 17 Mar 2020 08:22:14 +0200 +Subject: intel_th: Fix user-visible error codes + +From: Alexander Shishkin + +commit ce666be89a8a09c5924ff08fc32e119f974bdab6 upstream. + +There are a few places in the driver that end up returning ENOTSUPP to +the user, replace those with EINVAL. + +Signed-off-by: Alexander Shishkin +Reviewed-by: Andy Shevchenko +Fixes: ba82664c134ef ("intel_th: Add Memory Storage Unit driver") +Cc: stable@vger.kernel.org # v4.4+ +Link: https://lore.kernel.org/r/20200317062215.15598-6-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/msu.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/hwtracing/intel_th/msu.c ++++ b/drivers/hwtracing/intel_th/msu.c +@@ -497,7 +497,7 @@ static int msc_configure(struct msc *msc + lockdep_assert_held(&msc->buf_mutex); + + if (msc->mode > MSC_MODE_MULTI) +- return -ENOTSUPP; ++ return -EINVAL; + + if (msc->mode == MSC_MODE_MULTI) + msc_buffer_clear_hw_header(msc); +@@ -948,7 +948,7 @@ static int msc_buffer_alloc(struct msc * + } else if (msc->mode == MSC_MODE_MULTI) { + ret = msc_buffer_multi_alloc(msc, nr_pages, nr_wins); + } else { +- ret = -ENOTSUPP; ++ ret = -EINVAL; + } + + if (!ret) { +@@ -1171,7 +1171,7 @@ static ssize_t intel_th_msc_read(struct + if (ret >= 0) + *ppos = iter->offset; + } else { +- ret = -ENOTSUPP; ++ ret = -EINVAL; + } + + put_count: diff --git a/queue-4.9/memcg-fix-null-pointer-dereference-in-__mem_cgroup_usage_unregister_event.patch b/queue-4.9/memcg-fix-null-pointer-dereference-in-__mem_cgroup_usage_unregister_event.patch new file mode 100644 index 00000000000..5348bd71f0b --- /dev/null +++ b/queue-4.9/memcg-fix-null-pointer-dereference-in-__mem_cgroup_usage_unregister_event.patch @@ -0,0 +1,123 @@ +From 7d36665a5886c27ca4c4d0afd3ecc50b400f3587 Mon Sep 17 00:00:00 2001 +From: Chunguang Xu +Date: Sat, 21 Mar 2020 18:22:10 -0700 +Subject: memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chunguang Xu + +commit 7d36665a5886c27ca4c4d0afd3ecc50b400f3587 upstream. + +An eventfd monitors multiple memory thresholds of the cgroup, closes them, +the kernel deletes all events related to this eventfd. Before all events +are deleted, another eventfd monitors the memory threshold of this cgroup, +leading to a crash: + + BUG: kernel NULL pointer dereference, address: 0000000000000004 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + PGD 800000033058e067 P4D 800000033058e067 PUD 3355ce067 PMD 0 + Oops: 0002 [#1] SMP PTI + CPU: 2 PID: 14012 Comm: kworker/2:6 Kdump: loaded Not tainted 5.6.0-rc4 #3 + Hardware name: LENOVO 20AWS01K00/20AWS01K00, BIOS GLET70WW (2.24 ) 05/21/2014 + Workqueue: events memcg_event_remove + RIP: 0010:__mem_cgroup_usage_unregister_event+0xb3/0x190 + RSP: 0018:ffffb47e01c4fe18 EFLAGS: 00010202 + RAX: 0000000000000001 RBX: ffff8bb223a8a000 RCX: 0000000000000001 + RDX: 0000000000000001 RSI: ffff8bb22fb83540 RDI: 0000000000000001 + RBP: ffffb47e01c4fe48 R08: 0000000000000000 R09: 0000000000000010 + R10: 000000000000000c R11: 071c71c71c71c71c R12: ffff8bb226aba880 + R13: ffff8bb223a8a480 R14: 0000000000000000 R15: 0000000000000000 + FS:  0000000000000000(0000) GS:ffff8bb242680000(0000) knlGS:0000000000000000 + CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000004 CR3: 000000032c29c003 CR4: 00000000001606e0 + Call Trace: + memcg_event_remove+0x32/0x90 + process_one_work+0x172/0x380 + worker_thread+0x49/0x3f0 + kthread+0xf8/0x130 + ret_from_fork+0x35/0x40 + CR2: 0000000000000004 + +We can reproduce this problem in the following ways: + +1. We create a new cgroup subdirectory and a new eventfd, and then we + monitor multiple memory thresholds of the cgroup through this eventfd. + +2. closing this eventfd, and __mem_cgroup_usage_unregister_event () + will be called multiple times to delete all events related to this + eventfd. + +The first time __mem_cgroup_usage_unregister_event() is called, the +kernel will clear all items related to this eventfd in thresholds-> +primary. + +Since there is currently only one eventfd, thresholds-> primary becomes +empty, so the kernel will set thresholds-> primary and hresholds-> spare +to NULL. If at this time, the user creates a new eventfd and monitor +the memory threshold of this cgroup, kernel will re-initialize +thresholds-> primary. + +Then when __mem_cgroup_usage_unregister_event () is called for the +second time, because thresholds-> primary is not empty, the system will +access thresholds-> spare, but thresholds-> spare is NULL, which will +trigger a crash. + +In general, the longer it takes to delete all events related to this +eventfd, the easier it is to trigger this problem. + +The solution is to check whether the thresholds associated with the +eventfd has been cleared when deleting the event. If so, we do nothing. + +[akpm@linux-foundation.org: fix comment, per Kirill] +Fixes: 907860ed381a ("cgroups: make cftype.unregister_event() void-returning") +Signed-off-by: Chunguang Xu +Signed-off-by: Andrew Morton +Acked-by: Michal Hocko +Acked-by: Kirill A. Shutemov +Cc: Johannes Weiner +Cc: Vladimir Davydov +Cc: +Link: http://lkml.kernel.org/r/077a6f67-aefa-4591-efec-f2f3af2b0b02@gmail.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memcontrol.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -3481,7 +3481,7 @@ static void __mem_cgroup_usage_unregiste + struct mem_cgroup_thresholds *thresholds; + struct mem_cgroup_threshold_ary *new; + unsigned long usage; +- int i, j, size; ++ int i, j, size, entries; + + mutex_lock(&memcg->thresholds_lock); + +@@ -3501,14 +3501,20 @@ static void __mem_cgroup_usage_unregiste + __mem_cgroup_threshold(memcg, type == _MEMSWAP); + + /* Calculate new number of threshold */ +- size = 0; ++ size = entries = 0; + for (i = 0; i < thresholds->primary->size; i++) { + if (thresholds->primary->entries[i].eventfd != eventfd) + size++; ++ else ++ entries++; + } + + new = thresholds->spare; + ++ /* If no items related to eventfd have been cleared, nothing to do */ ++ if (!entries) ++ goto unlock; ++ + /* Set thresholds array to NULL if we don't have thresholds */ + if (!size) { + kfree(new); diff --git a/queue-4.9/mm-slub-be-more-careful-about-the-double-cmpxchg-of-freelist.patch b/queue-4.9/mm-slub-be-more-careful-about-the-double-cmpxchg-of-freelist.patch new file mode 100644 index 00000000000..8fec2132bee --- /dev/null +++ b/queue-4.9/mm-slub-be-more-careful-about-the-double-cmpxchg-of-freelist.patch @@ -0,0 +1,52 @@ +From 5076190daded2197f62fe92cf69674488be44175 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Tue, 17 Mar 2020 11:04:09 -0700 +Subject: mm: slub: be more careful about the double cmpxchg of freelist + +From: Linus Torvalds + +commit 5076190daded2197f62fe92cf69674488be44175 upstream. + +This is just a cleanup addition to Jann's fix to properly update the +transaction ID for the slub slowpath in commit fd4d9c7d0c71 ("mm: slub: +add missing TID bump.."). + +The transaction ID is what protects us against any concurrent accesses, +but we should really also make sure to make the 'freelist' comparison +itself always use the same freelist value that we then used as the new +next free pointer. + +Jann points out that if we do all of this carefully, we could skip the +transaction ID update for all the paths that only remove entries from +the lists, and only update the TID when adding entries (to avoid the ABA +issue with cmpxchg and list handling re-adding a previously seen value). + +But this patch just does the "make sure to cmpxchg the same value we +used" rather than then try to be clever. + +Acked-by: Jann Horn +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slub.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -2935,11 +2935,13 @@ redo: + barrier(); + + if (likely(page == c->page)) { +- set_freepointer(s, tail_obj, c->freelist); ++ void **freelist = READ_ONCE(c->freelist); ++ ++ set_freepointer(s, tail_obj, freelist); + + if (unlikely(!this_cpu_cmpxchg_double( + s->cpu_slab->freelist, s->cpu_slab->tid, +- c->freelist, tid, ++ freelist, tid, + head, next_tid(tid)))) { + + note_cmpxchg_failure("slab_free", s, tid); diff --git a/queue-4.9/mm-slub-prevent-kmalloc_node-crashes-and-memory-leaks.patch b/queue-4.9/mm-slub-prevent-kmalloc_node-crashes-and-memory-leaks.patch new file mode 100644 index 00000000000..65ef26a6723 --- /dev/null +++ b/queue-4.9/mm-slub-prevent-kmalloc_node-crashes-and-memory-leaks.patch @@ -0,0 +1,169 @@ +From 0715e6c516f106ed553828a671d30ad9a3431536 Mon Sep 17 00:00:00 2001 +From: Vlastimil Babka +Date: Sat, 21 Mar 2020 18:22:37 -0700 +Subject: mm, slub: prevent kmalloc_node crashes and memory leaks + +From: Vlastimil Babka + +commit 0715e6c516f106ed553828a671d30ad9a3431536 upstream. + +Sachin reports [1] a crash in SLUB __slab_alloc(): + + BUG: Kernel NULL pointer dereference on read at 0x000073b0 + Faulting instruction address: 0xc0000000003d55f4 + Oops: Kernel access of bad area, sig: 11 [#1] + LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries + Modules linked in: + CPU: 19 PID: 1 Comm: systemd Not tainted 5.6.0-rc2-next-20200218-autotest #1 + NIP: c0000000003d55f4 LR: c0000000003d5b94 CTR: 0000000000000000 + REGS: c0000008b37836d0 TRAP: 0300 Not tainted (5.6.0-rc2-next-20200218-autotest) + MSR: 8000000000009033 CR: 24004844 XER: 00000000 + CFAR: c00000000000dec4 DAR: 00000000000073b0 DSISR: 40000000 IRQMASK: 1 + GPR00: c0000000003d5b94 c0000008b3783960 c00000000155d400 c0000008b301f500 + GPR04: 0000000000000dc0 0000000000000002 c0000000003443d8 c0000008bb398620 + GPR08: 00000008ba2f0000 0000000000000001 0000000000000000 0000000000000000 + GPR12: 0000000024004844 c00000001ec52a00 0000000000000000 0000000000000000 + GPR16: c0000008a1b20048 c000000001595898 c000000001750c18 0000000000000002 + GPR20: c000000001750c28 c000000001624470 0000000fffffffe0 5deadbeef0000122 + GPR24: 0000000000000001 0000000000000dc0 0000000000000002 c0000000003443d8 + GPR28: c0000008b301f500 c0000008bb398620 0000000000000000 c00c000002287180 + NIP ___slab_alloc+0x1f4/0x760 + LR __slab_alloc+0x34/0x60 + Call Trace: + ___slab_alloc+0x334/0x760 (unreliable) + __slab_alloc+0x34/0x60 + __kmalloc_node+0x110/0x490 + kvmalloc_node+0x58/0x110 + mem_cgroup_css_online+0x108/0x270 + online_css+0x48/0xd0 + cgroup_apply_control_enable+0x2ec/0x4d0 + cgroup_mkdir+0x228/0x5f0 + kernfs_iop_mkdir+0x90/0xf0 + vfs_mkdir+0x110/0x230 + do_mkdirat+0xb0/0x1a0 + system_call+0x5c/0x68 + +This is a PowerPC platform with following NUMA topology: + + available: 2 nodes (0-1) + node 0 cpus: + node 0 size: 0 MB + node 0 free: 0 MB + node 1 cpus: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 + node 1 size: 35247 MB + node 1 free: 30907 MB + node distances: + node 0 1 + 0: 10 40 + 1: 40 10 + + possible numa nodes: 0-31 + +This only happens with a mmotm patch "mm/memcontrol.c: allocate +shrinker_map on appropriate NUMA node" [2] which effectively calls +kmalloc_node for each possible node. SLUB however only allocates +kmem_cache_node on online N_NORMAL_MEMORY nodes, and relies on +node_to_mem_node to return such valid node for other nodes since commit +a561ce00b09e ("slub: fall back to node_to_mem_node() node if allocating +on memoryless node"). This is however not true in this configuration +where the _node_numa_mem_ array is not initialized for nodes 0 and 2-31, +thus it contains zeroes and get_partial() ends up accessing +non-allocated kmem_cache_node. + +A related issue was reported by Bharata (originally by Ramachandran) [3] +where a similar PowerPC configuration, but with mainline kernel without +patch [2] ends up allocating large amounts of pages by kmalloc-1k +kmalloc-512. This seems to have the same underlying issue with +node_to_mem_node() not behaving as expected, and might probably also +lead to an infinite loop with CONFIG_SLUB_CPU_PARTIAL [4]. + +This patch should fix both issues by not relying on node_to_mem_node() +anymore and instead simply falling back to NUMA_NO_NODE, when +kmalloc_node(node) is attempted for a node that's not online, or has no +usable memory. The "usable memory" condition is also changed from +node_present_pages() to N_NORMAL_MEMORY node state, as that is exactly +the condition that SLUB uses to allocate kmem_cache_node structures. +The check in get_partial() is removed completely, as the checks in +___slab_alloc() are now sufficient to prevent get_partial() being +reached with an invalid node. + +[1] https://lore.kernel.org/linux-next/3381CD91-AB3D-4773-BA04-E7A072A63968@linux.vnet.ibm.com/ +[2] https://lore.kernel.org/linux-mm/fff0e636-4c36-ed10-281c-8cdb0687c839@virtuozzo.com/ +[3] https://lore.kernel.org/linux-mm/20200317092624.GB22538@in.ibm.com/ +[4] https://lore.kernel.org/linux-mm/088b5996-faae-8a56-ef9c-5b567125ae54@suse.cz/ + +Fixes: a561ce00b09e ("slub: fall back to node_to_mem_node() node if allocating on memoryless node") +Reported-by: Sachin Sant +Reported-by: PUVICHAKRAVARTHY RAMACHANDRAN +Signed-off-by: Vlastimil Babka +Signed-off-by: Andrew Morton +Tested-by: Sachin Sant +Tested-by: Bharata B Rao +Reviewed-by: Srikar Dronamraju +Cc: Mel Gorman +Cc: Michael Ellerman +Cc: Michal Hocko +Cc: Christopher Lameter +Cc: linuxppc-dev@lists.ozlabs.org +Cc: Joonsoo Kim +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Kirill Tkhai +Cc: Vlastimil Babka +Cc: Nathan Lynch +Cc: +Link: http://lkml.kernel.org/r/20200320115533.9604-1-vbabka@suse.cz +Debugged-by: Srikar Dronamraju +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slub.c | 26 +++++++++++++++++--------- + 1 file changed, 17 insertions(+), 9 deletions(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -1909,8 +1909,6 @@ static void *get_partial(struct kmem_cac + + if (node == NUMA_NO_NODE) + searchnode = numa_mem_id(); +- else if (!node_present_pages(node)) +- searchnode = node_to_mem_node(node); + + object = get_partial_node(s, get_node(s, searchnode), c, flags); + if (object || node != NUMA_NO_NODE) +@@ -2506,17 +2504,27 @@ static void *___slab_alloc(struct kmem_c + struct page *page; + + page = c->page; +- if (!page) ++ if (!page) { ++ /* ++ * if the node is not online or has no normal memory, just ++ * ignore the node constraint ++ */ ++ if (unlikely(node != NUMA_NO_NODE && ++ !node_state(node, N_NORMAL_MEMORY))) ++ node = NUMA_NO_NODE; + goto new_slab; ++ } + redo: + + if (unlikely(!node_match(page, node))) { +- int searchnode = node; +- +- if (node != NUMA_NO_NODE && !node_present_pages(node)) +- searchnode = node_to_mem_node(node); +- +- if (unlikely(!node_match(page, searchnode))) { ++ /* ++ * same as above but node_match() being false already ++ * implies node != NUMA_NO_NODE ++ */ ++ if (!node_state(node, N_NORMAL_MEMORY)) { ++ node = NUMA_NO_NODE; ++ goto redo; ++ } else { + stat(s, ALLOC_NODE_MISMATCH); + deactivate_slab(s, page, c->freelist); + c->page = NULL; diff --git a/queue-4.9/mmc-sdhci-of-at91-fix-cd-gpios-for-sama5d2.patch b/queue-4.9/mmc-sdhci-of-at91-fix-cd-gpios-for-sama5d2.patch new file mode 100644 index 00000000000..052d5f78149 --- /dev/null +++ b/queue-4.9/mmc-sdhci-of-at91-fix-cd-gpios-for-sama5d2.patch @@ -0,0 +1,56 @@ +From 53dd0a7cd65edc83b0c243d1c08377c8b876b2ee Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= +Date: Sun, 15 Mar 2020 17:44:25 +0100 +Subject: mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michał Mirosław + +commit 53dd0a7cd65edc83b0c243d1c08377c8b876b2ee upstream. + +SAMA5D2x doesn't drive CMD line if GPIO is used as CD line (at least +SAMA5D27 doesn't). Fix this by forcing card-detect in the module +if module-controlled CD is not used. + +Fixed commit addresses the problem only for non-removable cards. This +amends it to also cover gpio-cd case. + +Cc: stable@vger.kernel.org +Fixes: 7a1e3f143176 ("mmc: sdhci-of-at91: force card detect value for non removable devices") +Signed-off-by: Michał Mirosław +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/8d10950d9940468577daef4772b82a071b204716.1584290561.git.mirq-linux@rere.qmqm.pl +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-of-at91.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/host/sdhci-of-at91.c ++++ b/drivers/mmc/host/sdhci-of-at91.c +@@ -126,7 +126,8 @@ static void sdhci_at91_reset(struct sdhc + { + sdhci_reset(host, mask); + +- if (host->mmc->caps & MMC_CAP_NONREMOVABLE) ++ if ((host->mmc->caps & MMC_CAP_NONREMOVABLE) ++ || mmc_gpio_get_cd(host->mmc) >= 0) + sdhci_at91_set_force_card_detect(host); + } + +@@ -354,8 +355,11 @@ static int sdhci_at91_probe(struct platf + * detection procedure using the SDMCC_CD signal is bypassed. + * This bit is reset when a software reset for all command is performed + * so we need to implement our own reset function to set back this bit. ++ * ++ * WA: SAMA5D2 doesn't drive CMD if using CD GPIO line. + */ +- if (host->mmc->caps & MMC_CAP_NONREMOVABLE) ++ if ((host->mmc->caps & MMC_CAP_NONREMOVABLE) ++ || mmc_gpio_get_cd(host->mmc) >= 0) + sdhci_at91_set_force_card_detect(host); + + pm_runtime_put_autosuspend(&pdev->dev); diff --git a/queue-4.9/rtc-max8907-add-missing-select-regmap_irq.patch b/queue-4.9/rtc-max8907-add-missing-select-regmap_irq.patch new file mode 100644 index 00000000000..9189ac4d9e5 --- /dev/null +++ b/queue-4.9/rtc-max8907-add-missing-select-regmap_irq.patch @@ -0,0 +1,36 @@ +From 5d892919fdd0cefd361697472d4e1b174a594991 Mon Sep 17 00:00:00 2001 +From: Corentin Labbe +Date: Wed, 18 Mar 2020 15:26:49 +0000 +Subject: rtc: max8907: add missing select REGMAP_IRQ + +From: Corentin Labbe + +commit 5d892919fdd0cefd361697472d4e1b174a594991 upstream. + +I have hit the following build error: + + armv7a-hardfloat-linux-gnueabi-ld: drivers/rtc/rtc-max8907.o: in function `max8907_rtc_probe': + rtc-max8907.c:(.text+0x400): undefined reference to `regmap_irq_get_virq' + +max8907 should select REGMAP_IRQ + +Fixes: 94c01ab6d7544 ("rtc: add MAX8907 RTC driver") +Cc: stable +Signed-off-by: Corentin Labbe +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/rtc/Kconfig ++++ b/drivers/rtc/Kconfig +@@ -304,6 +304,7 @@ config RTC_DRV_MAX6900 + config RTC_DRV_MAX8907 + tristate "Maxim MAX8907" + depends on MFD_MAX8907 ++ select REGMAP_IRQ + help + If you say yes here you will get support for the + RTC of Maxim MAX8907 PMIC. diff --git a/queue-4.9/series b/queue-4.9/series index 7df5e477d82..554bd08b074 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -15,3 +15,13 @@ alsa-seq-virmidi-fix-running-status-after-receiving-sysex.patch alsa-seq-oss-fix-running-status-after-receiving-sysex.patch alsa-pcm-oss-avoid-plugin-buffer-overflow.patch alsa-pcm-oss-remove-warning-from-snd_pcm_plug_alloc-checks.patch +iio-magnetometer-ak8974-fix-negative-raw-values-in-sysfs.patch +mmc-sdhci-of-at91-fix-cd-gpios-for-sama5d2.patch +staging-rtl8188eu-add-device-id-for-mercusys-mw150us-v2.patch +staging-speakup-fix-get_word-non-space-look-ahead.patch +intel_th-fix-user-visible-error-codes.patch +rtc-max8907-add-missing-select-regmap_irq.patch +memcg-fix-null-pointer-dereference-in-__mem_cgroup_usage_unregister_event.patch +mm-slub-be-more-careful-about-the-double-cmpxchg-of-freelist.patch +mm-slub-prevent-kmalloc_node-crashes-and-memory-leaks.patch +x86-mm-split-vmalloc_sync_all.patch diff --git a/queue-4.9/staging-rtl8188eu-add-device-id-for-mercusys-mw150us-v2.patch b/queue-4.9/staging-rtl8188eu-add-device-id-for-mercusys-mw150us-v2.patch new file mode 100644 index 00000000000..5310f98aa88 --- /dev/null +++ b/queue-4.9/staging-rtl8188eu-add-device-id-for-mercusys-mw150us-v2.patch @@ -0,0 +1,32 @@ +From bb5786b9286c253557a0115bc8d21879e61b7b94 Mon Sep 17 00:00:00 2001 +From: Michael Straube +Date: Thu, 12 Mar 2020 10:36:52 +0100 +Subject: staging: rtl8188eu: Add device id for MERCUSYS MW150US v2 + +From: Michael Straube + +commit bb5786b9286c253557a0115bc8d21879e61b7b94 upstream. + +This device was added to the stand-alone driver on github. +Add it to the staging driver as well. + +Link: https://github.com/lwfinger/rtl8188eu/commit/2141f244c3e7 +Signed-off-by: Michael Straube +Cc: stable +Link: https://lore.kernel.org/r/20200312093652.13918-1-straube.linux@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c ++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c +@@ -46,6 +46,7 @@ static struct usb_device_id rtw_usb_id_t + {USB_DEVICE(0x2001, 0x331B)}, /* D-Link DWA-121 rev B1 */ + {USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */ + {USB_DEVICE(0x2357, 0x0111)}, /* TP-Link TL-WN727N v5.21 */ ++ {USB_DEVICE(0x2C4E, 0x0102)}, /* MERCUSYS MW150US v2 */ + {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */ + {USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */ + {} /* Terminating entry */ diff --git a/queue-4.9/staging-speakup-fix-get_word-non-space-look-ahead.patch b/queue-4.9/staging-speakup-fix-get_word-non-space-look-ahead.patch new file mode 100644 index 00000000000..40085db7a8b --- /dev/null +++ b/queue-4.9/staging-speakup-fix-get_word-non-space-look-ahead.patch @@ -0,0 +1,44 @@ +From 9d32c0cde4e2d1343dfb88a67b2ec6397705b32b Mon Sep 17 00:00:00 2001 +From: Samuel Thibault +Date: Fri, 6 Mar 2020 01:30:47 +0100 +Subject: staging/speakup: fix get_word non-space look-ahead + +From: Samuel Thibault + +commit 9d32c0cde4e2d1343dfb88a67b2ec6397705b32b upstream. + +get_char was erroneously given the address of the pointer to the text +instead of the address of the text, thus leading to random crashes when +the user requests speaking a word while the current position is on a space +character and say_word_ctl is not enabled. + +Reported-on: https://github.com/bytefire/speakup/issues/1 +Reported-by: Kirk Reiser +Reported-by: Janina Sajka +Reported-by: Alexandr Epaneshnikov +Reported-by: Gregory Nowak +Reported-by: deedra waters +Signed-off-by: Samuel Thibault +Tested-by: Alexandr Epaneshnikov +Tested-by: Gregory Nowak +Tested-by: Michael Taboada +Cc: stable +Link: https://lore.kernel.org/r/20200306003047.thijtmqrnayd3dmw@function +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/speakup/main.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/staging/speakup/main.c ++++ b/drivers/staging/speakup/main.c +@@ -565,8 +565,7 @@ static u_long get_word(struct vc_data *v + return 0; + } else if ((tmpx < vc->vc_cols - 2) + && (ch == SPACE || ch == 0 || IS_WDLM(ch)) +- && ((char)get_char(vc, (u_short *) &tmp_pos + 1, &temp) > +- SPACE)) { ++ && ((char)get_char(vc, (u_short *)tmp_pos + 1, &temp) > SPACE)) { + tmp_pos += 2; + tmpx++; + } else diff --git a/queue-4.9/x86-mm-split-vmalloc_sync_all.patch b/queue-4.9/x86-mm-split-vmalloc_sync_all.patch new file mode 100644 index 00000000000..17b61282ae6 --- /dev/null +++ b/queue-4.9/x86-mm-split-vmalloc_sync_all.patch @@ -0,0 +1,205 @@ +From 763802b53a427ed3cbd419dbba255c414fdd9e7c Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Sat, 21 Mar 2020 18:22:41 -0700 +Subject: x86/mm: split vmalloc_sync_all() + +From: Joerg Roedel + +commit 763802b53a427ed3cbd419dbba255c414fdd9e7c upstream. + +Commit 3f8fd02b1bf1 ("mm/vmalloc: Sync unmappings in +__purge_vmap_area_lazy()") introduced a call to vmalloc_sync_all() in +the vunmap() code-path. While this change was necessary to maintain +correctness on x86-32-pae kernels, it also adds additional cycles for +architectures that don't need it. + +Specifically on x86-64 with CONFIG_VMAP_STACK=y some people reported +severe performance regressions in micro-benchmarks because it now also +calls the x86-64 implementation of vmalloc_sync_all() on vunmap(). But +the vmalloc_sync_all() implementation on x86-64 is only needed for newly +created mappings. + +To avoid the unnecessary work on x86-64 and to gain the performance +back, split up vmalloc_sync_all() into two functions: + + * vmalloc_sync_mappings(), and + * vmalloc_sync_unmappings() + +Most call-sites to vmalloc_sync_all() only care about new mappings being +synchronized. The only exception is the new call-site added in the +above mentioned commit. + +Shile Zhang directed us to a report of an 80% regression in reaim +throughput. + +Fixes: 3f8fd02b1bf1 ("mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy()") +Reported-by: kernel test robot +Reported-by: Shile Zhang +Signed-off-by: Joerg Roedel +Signed-off-by: Andrew Morton +Tested-by: Borislav Petkov +Acked-by: Rafael J. Wysocki [GHES] +Cc: Dave Hansen +Cc: Andy Lutomirski +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: +Link: http://lkml.kernel.org/r/20191009124418.8286-1-joro@8bytes.org +Link: https://lists.01.org/hyperkitty/list/lkp@lists.01.org/thread/4D3JPPHBNOSPFK2KEPC6KGKS6J25AIDB/ +Link: http://lkml.kernel.org/r/20191113095530.228959-1-shile.zhang@linux.alibaba.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/fault.c | 26 ++++++++++++++++++++++++-- + drivers/acpi/apei/ghes.c | 2 +- + include/linux/vmalloc.h | 5 +++-- + kernel/notifier.c | 2 +- + mm/nommu.c | 10 +++++++--- + mm/vmalloc.c | 11 +++++++---- + 6 files changed, 43 insertions(+), 13 deletions(-) + +--- a/arch/x86/mm/fault.c ++++ b/arch/x86/mm/fault.c +@@ -285,7 +285,7 @@ static inline pmd_t *vmalloc_sync_one(pg + return pmd_k; + } + +-void vmalloc_sync_all(void) ++static void vmalloc_sync(void) + { + unsigned long address; + +@@ -312,6 +312,16 @@ void vmalloc_sync_all(void) + } + } + ++void vmalloc_sync_mappings(void) ++{ ++ vmalloc_sync(); ++} ++ ++void vmalloc_sync_unmappings(void) ++{ ++ vmalloc_sync(); ++} ++ + /* + * 32-bit: + * +@@ -406,11 +416,23 @@ out: + + #else /* CONFIG_X86_64: */ + +-void vmalloc_sync_all(void) ++void vmalloc_sync_mappings(void) + { ++ /* ++ * 64-bit mappings might allocate new p4d/pud pages ++ * that need to be propagated to all tasks' PGDs. ++ */ + sync_global_pgds(VMALLOC_START & PGDIR_MASK, VMALLOC_END, 0); + } + ++void vmalloc_sync_unmappings(void) ++{ ++ /* ++ * Unmappings never allocate or free p4d/pud pages. ++ * No work is required here. ++ */ ++} ++ + /* + * 64-bit: + * +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -234,7 +234,7 @@ static int ghes_estatus_pool_expand(unsi + * New allocation must be visible in all pgd before it can be found by + * an NMI allocating from the pool. + */ +- vmalloc_sync_all(); ++ vmalloc_sync_mappings(); + + return gen_pool_add(ghes_estatus_pool, addr, PAGE_ALIGN(len), -1); + } +--- a/include/linux/vmalloc.h ++++ b/include/linux/vmalloc.h +@@ -93,8 +93,9 @@ extern int remap_vmalloc_range_partial(s + + extern int remap_vmalloc_range(struct vm_area_struct *vma, void *addr, + unsigned long pgoff); +-void vmalloc_sync_all(void); +- ++void vmalloc_sync_mappings(void); ++void vmalloc_sync_unmappings(void); ++ + /* + * Lowlevel-APIs (not for driver use!) + */ +--- a/kernel/notifier.c ++++ b/kernel/notifier.c +@@ -552,7 +552,7 @@ NOKPROBE_SYMBOL(notify_die); + + int register_die_notifier(struct notifier_block *nb) + { +- vmalloc_sync_all(); ++ vmalloc_sync_mappings(); + return atomic_notifier_chain_register(&die_chain, nb); + } + EXPORT_SYMBOL_GPL(register_die_notifier); +--- a/mm/nommu.c ++++ b/mm/nommu.c +@@ -445,10 +445,14 @@ void vm_unmap_aliases(void) + EXPORT_SYMBOL_GPL(vm_unmap_aliases); + + /* +- * Implement a stub for vmalloc_sync_all() if the architecture chose not to +- * have one. ++ * Implement a stub for vmalloc_sync_[un]mapping() if the architecture ++ * chose not to have one. + */ +-void __weak vmalloc_sync_all(void) ++void __weak vmalloc_sync_mappings(void) ++{ ++} ++ ++void __weak vmalloc_sync_unmappings(void) + { + } + +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -1711,7 +1711,7 @@ void *__vmalloc_node_range(unsigned long + * First make sure the mappings are removed from all page-tables + * before they are freed. + */ +- vmalloc_sync_all(); ++ vmalloc_sync_unmappings(); + + /* + * In this function, newly allocated vm_struct has VM_UNINITIALIZED +@@ -2247,16 +2247,19 @@ int remap_vmalloc_range(struct vm_area_s + EXPORT_SYMBOL(remap_vmalloc_range); + + /* +- * Implement a stub for vmalloc_sync_all() if the architecture chose not to +- * have one. ++ * Implement stubs for vmalloc_sync_[un]mappings () if the architecture chose ++ * not to have one. + * + * The purpose of this function is to make sure the vmalloc area + * mappings are identical in all page-tables in the system. + */ +-void __weak vmalloc_sync_all(void) ++void __weak vmalloc_sync_mappings(void) + { + } + ++void __weak vmalloc_sync_unmappings(void) ++{ ++} + + static int f(pte_t *pte, pgtable_t table, unsigned long addr, void *data) + {