From: Sasha Levin Date: Wed, 14 Aug 2019 02:33:31 +0000 (-0400) Subject: fixes for 4.19 X-Git-Tag: v5.2.9~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=72154bc005c70ab1837b26af283364e0cba41267;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/acpi-iort-fix-off-by-one-check-in-iort_dev_find_its_.patch b/queue-4.19/acpi-iort-fix-off-by-one-check-in-iort_dev_find_its_.patch new file mode 100644 index 00000000000..d98885d02b9 --- /dev/null +++ b/queue-4.19/acpi-iort-fix-off-by-one-check-in-iort_dev_find_its_.patch @@ -0,0 +1,48 @@ +From 62a8d241db98bc9845287b11a2245698f6685db7 Mon Sep 17 00:00:00 2001 +From: Lorenzo Pieralisi +Date: Mon, 22 Jul 2019 17:25:48 +0100 +Subject: ACPI/IORT: Fix off-by-one check in iort_dev_find_its_id() + +[ Upstream commit 5a46d3f71d5e5a9f82eabc682f996f1281705ac7 ] + +Static analysis identified that index comparison against ITS entries in +iort_dev_find_its_id() is off by one. + +Update the comparison condition and clarify the resulting error +message. + +Fixes: 4bf2efd26d76 ("ACPI: Add new IORT functions to support MSI domain handling") +Link: https://lore.kernel.org/linux-arm-kernel/20190613065410.GB16334@mwanda/ +Reviewed-by: Hanjun Guo +Reported-by: Dan Carpenter +Signed-off-by: Lorenzo Pieralisi +Cc: Dan Carpenter +Cc: Will Deacon +Cc: Hanjun Guo +Cc: Sudeep Holla +Cc: Catalin Marinas +Cc: Robin Murphy +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/acpi/arm64/iort.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c +index 43c2615434b48..e11b5da6f828f 100644 +--- a/drivers/acpi/arm64/iort.c ++++ b/drivers/acpi/arm64/iort.c +@@ -616,8 +616,8 @@ static int iort_dev_find_its_id(struct device *dev, u32 req_id, + + /* Move to ITS specific data */ + its = (struct acpi_iort_its_group *)node->node_data; +- if (idx > its->its_count) { +- dev_err(dev, "requested ITS ID index [%d] is greater than available [%d]\n", ++ if (idx >= its->its_count) { ++ dev_err(dev, "requested ITS ID index [%d] overruns ITS entries [%d]\n", + idx, its->its_count); + return -ENXIO; + } +-- +2.20.1 + diff --git a/queue-4.19/allocate_flower_entry-should-check-for-null-deref.patch b/queue-4.19/allocate_flower_entry-should-check-for-null-deref.patch new file mode 100644 index 00000000000..af93ea27559 --- /dev/null +++ b/queue-4.19/allocate_flower_entry-should-check-for-null-deref.patch @@ -0,0 +1,35 @@ +From 922247b951b2a376180bdd19afe62cfd1c2cb748 Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost +Date: Sun, 21 Jul 2019 01:37:31 -0500 +Subject: allocate_flower_entry: should check for null deref + +[ Upstream commit bb1320834b8a80c6ac2697ab418d066981ea08ba ] + +allocate_flower_entry does not check for allocation success, but tries +to deref the result. I only moved the spin_lock under null check, because + the caller is checking allocation's status at line 652. + +Signed-off-by: Navid Emamdoost +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c +index f2aba5b160c2d..d45c435a599d6 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c +@@ -67,7 +67,8 @@ static struct ch_tc_pedit_fields pedits[] = { + static struct ch_tc_flower_entry *allocate_flower_entry(void) + { + struct ch_tc_flower_entry *new = kzalloc(sizeof(*new), GFP_KERNEL); +- spin_lock_init(&new->lock); ++ if (new) ++ spin_lock_init(&new->lock); + return new; + } + +-- +2.20.1 + diff --git a/queue-4.19/alsa-compress-be-more-restrictive-about-when-a-drain.patch b/queue-4.19/alsa-compress-be-more-restrictive-about-when-a-drain.patch new file mode 100644 index 00000000000..cccfa489b1b --- /dev/null +++ b/queue-4.19/alsa-compress-be-more-restrictive-about-when-a-drain.patch @@ -0,0 +1,49 @@ +From c57006059ed2d669b86250477f4137c29cf2e418 Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Mon, 22 Jul 2019 10:24:36 +0100 +Subject: ALSA: compress: Be more restrictive about when a drain is allowed + +[ Upstream commit 3b8179944cb0dd53e5223996966746cdc8a60657 ] + +Draining makes little sense in the situation of hardware overrun, as the +hardware will have consumed all its available samples. Additionally, +draining whilst the stream is paused would presumably get stuck as no +data is being consumed on the DSP side. + +Signed-off-by: Charles Keepax +Acked-by: Vinod Koul +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/compress_offload.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index 9c1684f01aca0..516ec35873256 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -812,7 +812,10 @@ static int snd_compr_drain(struct snd_compr_stream *stream) + case SNDRV_PCM_STATE_OPEN: + case SNDRV_PCM_STATE_SETUP: + case SNDRV_PCM_STATE_PREPARED: ++ case SNDRV_PCM_STATE_PAUSED: + return -EPERM; ++ case SNDRV_PCM_STATE_XRUN: ++ return -EPIPE; + default: + break; + } +@@ -861,7 +864,10 @@ static int snd_compr_partial_drain(struct snd_compr_stream *stream) + case SNDRV_PCM_STATE_OPEN: + case SNDRV_PCM_STATE_SETUP: + case SNDRV_PCM_STATE_PREPARED: ++ case SNDRV_PCM_STATE_PAUSED: + return -EPERM; ++ case SNDRV_PCM_STATE_XRUN: ++ return -EPIPE; + default: + break; + } +-- +2.20.1 + diff --git a/queue-4.19/alsa-compress-don-t-allow-paritial-drain-operations-.patch b/queue-4.19/alsa-compress-don-t-allow-paritial-drain-operations-.patch new file mode 100644 index 00000000000..ad5d24b6437 --- /dev/null +++ b/queue-4.19/alsa-compress-don-t-allow-paritial-drain-operations-.patch @@ -0,0 +1,49 @@ +From debbb5f52827e3b3d5b2adec70e469f2a0096144 Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Mon, 22 Jul 2019 10:24:35 +0100 +Subject: ALSA: compress: Don't allow paritial drain operations on capture + streams + +[ Upstream commit a70ab8a8645083f3700814e757f2940a88b7ef88 ] + +Partial drain and next track are intended for gapless playback and +don't really have an obvious interpretation for a capture stream, so +makes sense to not allow those operations on capture streams. + +Signed-off-by: Charles Keepax +Acked-by: Vinod Koul +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/compress_offload.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index 5e74f518bd598..9c1684f01aca0 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -835,6 +835,10 @@ static int snd_compr_next_track(struct snd_compr_stream *stream) + if (stream->runtime->state != SNDRV_PCM_STATE_RUNNING) + return -EPERM; + ++ /* next track doesn't have any meaning for capture streams */ ++ if (stream->direction == SND_COMPRESS_CAPTURE) ++ return -EPERM; ++ + /* you can signal next track if this is intended to be a gapless stream + * and current track metadata is set + */ +@@ -862,6 +866,10 @@ static int snd_compr_partial_drain(struct snd_compr_stream *stream) + break; + } + ++ /* partial drain doesn't have any meaning for capture streams */ ++ if (stream->direction == SND_COMPRESS_CAPTURE) ++ return -EPERM; ++ + /* stream can be drained only when next track has been signalled */ + if (stream->next_track == false) + return -EPERM; +-- +2.20.1 + diff --git a/queue-4.19/alsa-compress-fix-regression-on-compressed-capture-s.patch b/queue-4.19/alsa-compress-fix-regression-on-compressed-capture-s.patch new file mode 100644 index 00000000000..3ac30d7d26d --- /dev/null +++ b/queue-4.19/alsa-compress-fix-regression-on-compressed-capture-s.patch @@ -0,0 +1,82 @@ +From 803b683930b12d82ab3e7e6b3b8417b03b5bdf55 Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Mon, 22 Jul 2019 10:24:33 +0100 +Subject: ALSA: compress: Fix regression on compressed capture streams + +[ Upstream commit 4475f8c4ab7b248991a60d9c02808dbb813d6be8 ] + +A previous fix to the stop handling on compressed capture streams causes +some knock on issues. The previous fix updated snd_compr_drain_notify to +set the state back to PREPARED for capture streams. This causes some +issues however as the handling for snd_compr_poll differs between the +two states and some user-space applications were relying on the poll +failing after the stream had been stopped. + +To correct this regression whilst still fixing the original problem the +patch was addressing, update the capture handling to skip the PREPARED +state rather than skipping the SETUP state as it has done until now. + +Fixes: 4f2ab5e1d13d ("ALSA: compress: Fix stop handling on compressed capture streams") +Signed-off-by: Charles Keepax +Acked-by: Vinod Koul +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/sound/compress_driver.h | 5 +---- + sound/core/compress_offload.c | 16 +++++++++++----- + 2 files changed, 12 insertions(+), 9 deletions(-) + +diff --git a/include/sound/compress_driver.h b/include/sound/compress_driver.h +index e87f2d5b3cc65..127c2713b543a 100644 +--- a/include/sound/compress_driver.h ++++ b/include/sound/compress_driver.h +@@ -171,10 +171,7 @@ static inline void snd_compr_drain_notify(struct snd_compr_stream *stream) + if (snd_BUG_ON(!stream)) + return; + +- if (stream->direction == SND_COMPRESS_PLAYBACK) +- stream->runtime->state = SNDRV_PCM_STATE_SETUP; +- else +- stream->runtime->state = SNDRV_PCM_STATE_PREPARED; ++ stream->runtime->state = SNDRV_PCM_STATE_SETUP; + + wake_up(&stream->runtime->sleep); + } +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index 8b78ddffa509a..44e81cf302401 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -575,10 +575,7 @@ snd_compr_set_params(struct snd_compr_stream *stream, unsigned long arg) + stream->metadata_set = false; + stream->next_track = false; + +- if (stream->direction == SND_COMPRESS_PLAYBACK) +- stream->runtime->state = SNDRV_PCM_STATE_SETUP; +- else +- stream->runtime->state = SNDRV_PCM_STATE_PREPARED; ++ stream->runtime->state = SNDRV_PCM_STATE_SETUP; + } else { + return -EPERM; + } +@@ -694,8 +691,17 @@ static int snd_compr_start(struct snd_compr_stream *stream) + { + int retval; + +- if (stream->runtime->state != SNDRV_PCM_STATE_PREPARED) ++ switch (stream->runtime->state) { ++ case SNDRV_PCM_STATE_SETUP: ++ if (stream->direction != SND_COMPRESS_CAPTURE) ++ return -EPERM; ++ break; ++ case SNDRV_PCM_STATE_PREPARED: ++ break; ++ default: + return -EPERM; ++ } ++ + retval = stream->ops->trigger(stream, SNDRV_PCM_TRIGGER_START); + if (!retval) + stream->runtime->state = SNDRV_PCM_STATE_RUNNING; +-- +2.20.1 + diff --git a/queue-4.19/alsa-compress-prevent-bypasses-of-set_params.patch b/queue-4.19/alsa-compress-prevent-bypasses-of-set_params.patch new file mode 100644 index 00000000000..e4c8540fc7e --- /dev/null +++ b/queue-4.19/alsa-compress-prevent-bypasses-of-set_params.patch @@ -0,0 +1,83 @@ +From d0b88fef45011042f482d5a2e8c1348168ff2e77 Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Mon, 22 Jul 2019 10:24:34 +0100 +Subject: ALSA: compress: Prevent bypasses of set_params + +[ Upstream commit 26c3f1542f5064310ad26794c09321780d00c57d ] + +Currently, whilst in SNDRV_PCM_STATE_OPEN it is possible to call +snd_compr_stop, snd_compr_drain and snd_compr_partial_drain, which +allow a transition to SNDRV_PCM_STATE_SETUP. The stream should +only be able to move to the setup state once it has received a +SNDRV_COMPRESS_SET_PARAMS ioctl. Fix this issue by not allowing +those ioctls whilst in the open state. + +Signed-off-by: Charles Keepax +Acked-by: Vinod Koul +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/compress_offload.c | 30 ++++++++++++++++++++++++------ + 1 file changed, 24 insertions(+), 6 deletions(-) + +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index 44e81cf302401..5e74f518bd598 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -712,9 +712,15 @@ static int snd_compr_stop(struct snd_compr_stream *stream) + { + int retval; + +- if (stream->runtime->state == SNDRV_PCM_STATE_PREPARED || +- stream->runtime->state == SNDRV_PCM_STATE_SETUP) ++ switch (stream->runtime->state) { ++ case SNDRV_PCM_STATE_OPEN: ++ case SNDRV_PCM_STATE_SETUP: ++ case SNDRV_PCM_STATE_PREPARED: + return -EPERM; ++ default: ++ break; ++ } ++ + retval = stream->ops->trigger(stream, SNDRV_PCM_TRIGGER_STOP); + if (!retval) { + snd_compr_drain_notify(stream); +@@ -802,9 +808,14 @@ static int snd_compr_drain(struct snd_compr_stream *stream) + { + int retval; + +- if (stream->runtime->state == SNDRV_PCM_STATE_PREPARED || +- stream->runtime->state == SNDRV_PCM_STATE_SETUP) ++ switch (stream->runtime->state) { ++ case SNDRV_PCM_STATE_OPEN: ++ case SNDRV_PCM_STATE_SETUP: ++ case SNDRV_PCM_STATE_PREPARED: + return -EPERM; ++ default: ++ break; ++ } + + retval = stream->ops->trigger(stream, SND_COMPR_TRIGGER_DRAIN); + if (retval) { +@@ -841,9 +852,16 @@ static int snd_compr_next_track(struct snd_compr_stream *stream) + static int snd_compr_partial_drain(struct snd_compr_stream *stream) + { + int retval; +- if (stream->runtime->state == SNDRV_PCM_STATE_PREPARED || +- stream->runtime->state == SNDRV_PCM_STATE_SETUP) ++ ++ switch (stream->runtime->state) { ++ case SNDRV_PCM_STATE_OPEN: ++ case SNDRV_PCM_STATE_SETUP: ++ case SNDRV_PCM_STATE_PREPARED: + return -EPERM; ++ default: ++ break; ++ } ++ + /* stream can be drained only when next track has been signalled */ + if (stream->next_track == false) + return -EPERM; +-- +2.20.1 + diff --git a/queue-4.19/arm-davinci-fix-sleep.s-build-error-on-armv4.patch b/queue-4.19/arm-davinci-fix-sleep.s-build-error-on-armv4.patch new file mode 100644 index 00000000000..d48d51bb294 --- /dev/null +++ b/queue-4.19/arm-davinci-fix-sleep.s-build-error-on-armv4.patch @@ -0,0 +1,40 @@ +From ebcbe6a353897a25eb039f6865f4c888bd825209 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 22 Jul 2019 16:51:50 +0200 +Subject: ARM: davinci: fix sleep.S build error on ARMv4 + +[ Upstream commit d64b212ea960db4276a1d8372bd98cb861dfcbb0 ] + +When building a multiplatform kernel that includes armv4 support, +the default target CPU does not support the blx instruction, +which leads to a build failure: + +arch/arm/mach-davinci/sleep.S: Assembler messages: +arch/arm/mach-davinci/sleep.S:56: Error: selected processor does not support `blx ip' in ARM mode + +Add a .arch statement in the sources to make this file build. + +Link: https://lore.kernel.org/r/20190722145211.1154785-1-arnd@arndb.de +Acked-by: Sekhar Nori +Signed-off-by: Arnd Bergmann +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + arch/arm/mach-davinci/sleep.S | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-davinci/sleep.S b/arch/arm/mach-davinci/sleep.S +index cd350dee4df37..efcd400b2abb3 100644 +--- a/arch/arm/mach-davinci/sleep.S ++++ b/arch/arm/mach-davinci/sleep.S +@@ -37,6 +37,7 @@ + #define DEEPSLEEP_SLEEPENABLE_BIT BIT(31) + + .text ++ .arch armv5te + /* + * Move DaVinci into deep sleep state + * +-- +2.20.1 + diff --git a/queue-4.19/arm-dts-bcm-bcm47094-add-missing-cells-for-mdio-bus-.patch b/queue-4.19/arm-dts-bcm-bcm47094-add-missing-cells-for-mdio-bus-.patch new file mode 100644 index 00000000000..8c5013833ff --- /dev/null +++ b/queue-4.19/arm-dts-bcm-bcm47094-add-missing-cells-for-mdio-bus-.patch @@ -0,0 +1,45 @@ +From 912922fcede162c8827a235abaad9142207da2fc Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 22 Jul 2019 16:55:52 +0200 +Subject: ARM: dts: bcm: bcm47094: add missing #cells for mdio-bus-mux + +[ Upstream commit 3a9d2569e45cb02769cda26fee4a02126867c934 ] + +The mdio-bus-mux has no #address-cells/#size-cells property, +which causes a few dtc warnings: + +arch/arm/boot/dts/bcm47094-linksys-panamera.dts:129.4-18: Warning (reg_format): /mdio-bus-mux/mdio@200:reg: property has invalid length (4 bytes) (#address-cells == 2, #size-cells == 1) +arch/arm/boot/dts/bcm47094-linksys-panamera.dtb: Warning (pci_device_bus_num): Failed prerequisite 'reg_format' +arch/arm/boot/dts/bcm47094-linksys-panamera.dtb: Warning (i2c_bus_reg): Failed prerequisite 'reg_format' +arch/arm/boot/dts/bcm47094-linksys-panamera.dtb: Warning (spi_bus_reg): Failed prerequisite 'reg_format' +arch/arm/boot/dts/bcm47094-linksys-panamera.dts:128.22-132.5: Warning (avoid_default_addr_size): /mdio-bus-mux/mdio@200: Relying on default #address-cells value +arch/arm/boot/dts/bcm47094-linksys-panamera.dts:128.22-132.5: Warning (avoid_default_addr_size): /mdio-bus-mux/mdio@200: Relying on default #size-cells value + +Add the normal cell numbers. + +Link: https://lore.kernel.org/r/20190722145618.1155492-1-arnd@arndb.de +Fixes: 2bebdfcdcd0f ("ARM: dts: BCM5301X: Add support for Linksys EA9500") +Signed-off-by: Arnd Bergmann +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm47094-linksys-panamera.dts | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/boot/dts/bcm47094-linksys-panamera.dts b/arch/arm/boot/dts/bcm47094-linksys-panamera.dts +index 36efe410dcd71..9e33c41f54112 100644 +--- a/arch/arm/boot/dts/bcm47094-linksys-panamera.dts ++++ b/arch/arm/boot/dts/bcm47094-linksys-panamera.dts +@@ -125,6 +125,9 @@ + }; + + mdio-bus-mux { ++ #address-cells = <1>; ++ #size-cells = <0>; ++ + /* BIT(9) = 1 => external mdio */ + mdio_ext: mdio@200 { + reg = <0x200>; +-- +2.20.1 + diff --git a/queue-4.19/cpufreq-pasemi-fix-use-after-free-in-pas_cpufreq_cpu.patch b/queue-4.19/cpufreq-pasemi-fix-use-after-free-in-pas_cpufreq_cpu.patch new file mode 100644 index 00000000000..4fc451a2d95 --- /dev/null +++ b/queue-4.19/cpufreq-pasemi-fix-use-after-free-in-pas_cpufreq_cpu.patch @@ -0,0 +1,73 @@ +From a18cec4b64c68ead45f367daf0e9f583d91bb028 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Wed, 17 Jul 2019 11:55:04 +0800 +Subject: cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init() + +[ Upstream commit e0a12445d1cb186d875410d093a00d215bec6a89 ] + +The cpu variable is still being used in the of_get_property() call +after the of_node_put() call, which may result in use-after-free. + +Fixes: a9acc26b75f6 ("cpufreq/pasemi: fix possible object reference leak") +Signed-off-by: Wen Yang +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/pasemi-cpufreq.c | 23 +++++++++-------------- + 1 file changed, 9 insertions(+), 14 deletions(-) + +diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c +index c7710c149de85..a0620c9ec0649 100644 +--- a/drivers/cpufreq/pasemi-cpufreq.c ++++ b/drivers/cpufreq/pasemi-cpufreq.c +@@ -145,10 +145,18 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy) + int err = -ENODEV; + + cpu = of_get_cpu_node(policy->cpu, NULL); ++ if (!cpu) ++ goto out; + ++ max_freqp = of_get_property(cpu, "clock-frequency", NULL); + of_node_put(cpu); +- if (!cpu) ++ if (!max_freqp) { ++ err = -EINVAL; + goto out; ++ } ++ ++ /* we need the freq in kHz */ ++ max_freq = *max_freqp / 1000; + + dn = of_find_compatible_node(NULL, NULL, "1682m-sdc"); + if (!dn) +@@ -185,16 +193,6 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy) + } + + pr_debug("init cpufreq on CPU %d\n", policy->cpu); +- +- max_freqp = of_get_property(cpu, "clock-frequency", NULL); +- if (!max_freqp) { +- err = -EINVAL; +- goto out_unmap_sdcpwr; +- } +- +- /* we need the freq in kHz */ +- max_freq = *max_freqp / 1000; +- + pr_debug("max clock-frequency is at %u kHz\n", max_freq); + pr_debug("initializing frequency table\n"); + +@@ -212,9 +210,6 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy) + + return cpufreq_generic_init(policy, pas_freqs, get_gizmo_latency()); + +-out_unmap_sdcpwr: +- iounmap(sdcpwr_mapbase); +- + out_unmap_sdcasr: + iounmap(sdcasr_mapbase); + out: +-- +2.20.1 + diff --git a/queue-4.19/drbd-dynamically-allocate-shash-descriptor.patch b/queue-4.19/drbd-dynamically-allocate-shash-descriptor.patch new file mode 100644 index 00000000000..66ceb2991b0 --- /dev/null +++ b/queue-4.19/drbd-dynamically-allocate-shash-descriptor.patch @@ -0,0 +1,69 @@ +From 82d106a4587498c82b90c1206a6fe179a08b6a86 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 22 Jul 2019 14:26:34 +0200 +Subject: drbd: dynamically allocate shash descriptor + +[ Upstream commit 77ce56e2bfaa64127ae5e23ef136c0168b818777 ] + +Building with clang and KASAN, we get a warning about an overly large +stack frame on 32-bit architectures: + +drivers/block/drbd/drbd_receiver.c:921:31: error: stack frame size of 1280 bytes in function 'conn_connect' + [-Werror,-Wframe-larger-than=] + +We already allocate other data dynamically in this function, so +just do the same for the shash descriptor, which makes up most of +this memory. + +Link: https://lore.kernel.org/lkml/20190617132440.2721536-1-arnd@arndb.de/ +Reviewed-by: Kees Cook +Reviewed-by: Roland Kammerer +Signed-off-by: Arnd Bergmann +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/drbd/drbd_receiver.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c +index cb919b9640660..3cdadf75c82da 100644 +--- a/drivers/block/drbd/drbd_receiver.c ++++ b/drivers/block/drbd/drbd_receiver.c +@@ -5240,7 +5240,7 @@ static int drbd_do_auth(struct drbd_connection *connection) + unsigned int key_len; + char secret[SHARED_SECRET_MAX]; /* 64 byte */ + unsigned int resp_size; +- SHASH_DESC_ON_STACK(desc, connection->cram_hmac_tfm); ++ struct shash_desc *desc; + struct packet_info pi; + struct net_conf *nc; + int err, rv; +@@ -5253,6 +5253,13 @@ static int drbd_do_auth(struct drbd_connection *connection) + memcpy(secret, nc->shared_secret, key_len); + rcu_read_unlock(); + ++ desc = kmalloc(sizeof(struct shash_desc) + ++ crypto_shash_descsize(connection->cram_hmac_tfm), ++ GFP_KERNEL); ++ if (!desc) { ++ rv = -1; ++ goto fail; ++ } + desc->tfm = connection->cram_hmac_tfm; + desc->flags = 0; + +@@ -5395,7 +5402,10 @@ static int drbd_do_auth(struct drbd_connection *connection) + kfree(peers_ch); + kfree(response); + kfree(right_response); +- shash_desc_zero(desc); ++ if (desc) { ++ shash_desc_zero(desc); ++ kfree(desc); ++ } + + return rv; + } +-- +2.20.1 + diff --git a/queue-4.19/drm-amd-display-fix-dc_create-failure-handling-and-6.patch b/queue-4.19/drm-amd-display-fix-dc_create-failure-handling-and-6.patch new file mode 100644 index 00000000000..1aaa571e021 --- /dev/null +++ b/queue-4.19/drm-amd-display-fix-dc_create-failure-handling-and-6.patch @@ -0,0 +1,63 @@ +From a8fc0e5bc202b6bf253a86605b1e13ff0419d876 Mon Sep 17 00:00:00 2001 +From: Julian Parkin +Date: Tue, 25 Jun 2019 14:55:53 -0400 +Subject: drm/amd/display: Fix dc_create failure handling and 666 color depths + +[ Upstream commit 0905f32977268149f06e3ce6ea4bd6d374dd891f ] + +[Why] +It is possible (but very unlikely) that constructing dc fails +before current_state is created. + +We support 666 color depth in some scenarios, but this +isn't handled in get_norm_pix_clk. It uses exactly the +same pixel clock as the 888 case. + +[How] +Check for non null current_state before destructing. + +Add case for 666 color depth to get_norm_pix_clk to +avoid assertion. + +Signed-off-by: Julian Parkin +Reviewed-by: Charlene Liu +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 6 ++++-- + drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 1 + + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index e3f5e5d6f0c18..f4b89d1ea6f6f 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -462,8 +462,10 @@ void dc_link_set_test_pattern(struct dc_link *link, + + static void destruct(struct dc *dc) + { +- dc_release_state(dc->current_state); +- dc->current_state = NULL; ++ if (dc->current_state) { ++ dc_release_state(dc->current_state); ++ dc->current_state = NULL; ++ } + + destroy_links(dc); + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +index 06d5988dff723..19a951e5818ac 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +@@ -1872,6 +1872,7 @@ static int get_norm_pix_clk(const struct dc_crtc_timing *timing) + pix_clk /= 2; + if (timing->pixel_encoding != PIXEL_ENCODING_YCBCR422) { + switch (timing->display_color_depth) { ++ case COLOR_DEPTH_666: + case COLOR_DEPTH_888: + normalized_pix_clk = pix_clk; + break; +-- +2.20.1 + diff --git a/queue-4.19/drm-amd-display-increase-size-of-audios-array.patch b/queue-4.19/drm-amd-display-increase-size-of-audios-array.patch new file mode 100644 index 00000000000..a7162ec96f2 --- /dev/null +++ b/queue-4.19/drm-amd-display-increase-size-of-audios-array.patch @@ -0,0 +1,53 @@ +From 7c8c36e1b9f9a5394cb290df93cd09a5d95e7ff8 Mon Sep 17 00:00:00 2001 +From: Tai Man +Date: Fri, 28 Jun 2019 11:40:38 -0400 +Subject: drm/amd/display: Increase size of audios array + +[ Upstream commit 7352193a33dfc9b69ba3bf6a8caea925b96243b1 ] + +[Why] +The audios array defined in "struct resource_pool" is only 6 (MAX_PIPES) +but the max number of audio devices (num_audio) is 7. In some projects, +it will run out of audios array. + +[How] +Incraese the audios array size to 7. + +Signed-off-by: Tai Man +Reviewed-by: Joshua Aberback +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/inc/core_types.h | 2 +- + drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/inc/core_types.h b/drivers/gpu/drm/amd/display/dc/inc/core_types.h +index c0b9ca13393b6..f4469fa5afb55 100644 +--- a/drivers/gpu/drm/amd/display/dc/inc/core_types.h ++++ b/drivers/gpu/drm/amd/display/dc/inc/core_types.h +@@ -159,7 +159,7 @@ struct resource_pool { + struct clock_source *clock_sources[MAX_CLOCK_SOURCES]; + unsigned int clk_src_count; + +- struct audio *audios[MAX_PIPES]; ++ struct audio *audios[MAX_AUDIOS]; + unsigned int audio_count; + struct audio_support audio_support; + +diff --git a/drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h b/drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h +index cf7433ebf91a0..71901743a9387 100644 +--- a/drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h ++++ b/drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h +@@ -34,6 +34,7 @@ + * Data types shared between different Virtual HW blocks + ******************************************************************************/ + ++#define MAX_AUDIOS 7 + #define MAX_PIPES 6 + + struct gamma_curve { +-- +2.20.1 + diff --git a/queue-4.19/drm-amd-display-only-enable-audio-if-speaker-allocat.patch b/queue-4.19/drm-amd-display-only-enable-audio-if-speaker-allocat.patch new file mode 100644 index 00000000000..47de6173ea8 --- /dev/null +++ b/queue-4.19/drm-amd-display-only-enable-audio-if-speaker-allocat.patch @@ -0,0 +1,44 @@ +From 652ab09708ec16f7689373cda0fa9b9c545d59cb Mon Sep 17 00:00:00 2001 +From: Alvin Lee +Date: Thu, 4 Jul 2019 15:17:42 -0400 +Subject: drm/amd/display: Only enable audio if speaker allocation exists + +[ Upstream commit 6ac25e6d5b2fbf251e9fa2f4131d42c815b43867 ] + +[Why] + +In dm_helpers_parse_edid_caps, there is a corner case where no speakers +can be allocated even though the audio mode count is greater than 0. +Enabling audio when no speaker allocations exists can cause issues in +the video stream. + +[How] + +Add a check to not enable audio unless one or more speaker allocations +exist (since doing this can cause issues in the video stream). + +Signed-off-by: Alvin Lee +Reviewed-by: Jun Lei +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +index 19a951e5818ac..f0d68aa7c8fcc 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +@@ -1956,7 +1956,7 @@ enum dc_status resource_map_pool_resources( + /* TODO: Add check if ASIC support and EDID audio */ + if (!stream->sink->converter_disable_audio && + dc_is_audio_capable_signal(pipe_ctx->stream->signal) && +- stream->audio_info.mode_count) { ++ stream->audio_info.mode_count && stream->audio_info.flags.all) { + pipe_ctx->stream_res.audio = find_first_free_audio( + &context->res_ctx, pool, pipe_ctx->stream_res.stream_enc->id); + +-- +2.20.1 + diff --git a/queue-4.19/drm-amd-display-use-encoder-s-engine-id-to-find-matc.patch b/queue-4.19/drm-amd-display-use-encoder-s-engine-id-to-find-matc.patch new file mode 100644 index 00000000000..a9233693f4a --- /dev/null +++ b/queue-4.19/drm-amd-display-use-encoder-s-engine-id-to-find-matc.patch @@ -0,0 +1,57 @@ +From 511248c1d64c7aa88b05da66750e501a44fdfabf Mon Sep 17 00:00:00 2001 +From: Tai Man +Date: Fri, 7 Jun 2019 17:32:27 -0400 +Subject: drm/amd/display: use encoder's engine id to find matched free audio + device + +[ Upstream commit 74eda776d7a4e69ec7aa1ce30a87636f14220fbb ] + +[Why] +On some platforms, the encoder id 3 is not populated. So the encoders +are not stored in right order as index (id: 0, 1, 2, 4, 5) at pool. This +would cause encoders id 4 & id 5 to fail when finding corresponding +audio device, defaulting to the first available audio device. As result, +we cannot stream audio into two DP ports with encoders id 4 & id 5. + +[How] +It need to create enough audio device objects (0 - 5) to perform matching. +Then use encoder engine id to find matched audio device. + +Signed-off-by: Tai Man +Reviewed-by: Charlene Liu +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +index e0a96abb3c46c..06d5988dff723 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +@@ -222,7 +222,7 @@ bool resource_construct( + * PORT_CONNECTIVITY == 1 (as instructed by HW team). + */ + update_num_audio(&straps, &num_audio, &pool->audio_support); +- for (i = 0; i < pool->pipe_count && i < num_audio; i++) { ++ for (i = 0; i < caps->num_audio; i++) { + struct audio *aud = create_funcs->create_audio(ctx, i); + + if (aud == NULL) { +@@ -1713,6 +1713,12 @@ static struct audio *find_first_free_audio( + return pool->audios[i]; + } + } ++ ++ /* use engine id to find free audio */ ++ if ((id < pool->audio_count) && (res_ctx->is_audio_acquired[id] == false)) { ++ return pool->audios[id]; ++ } ++ + /*not found the matching one, first come first serve*/ + for (i = 0; i < pool->audio_count; i++) { + if (res_ctx->is_audio_acquired[i] == false) { +-- +2.20.1 + diff --git a/queue-4.19/drm-amd-display-wait-for-backlight-programming-compl.patch b/queue-4.19/drm-amd-display-wait-for-backlight-programming-compl.patch new file mode 100644 index 00000000000..e0bccbc916b --- /dev/null +++ b/queue-4.19/drm-amd-display-wait-for-backlight-programming-compl.patch @@ -0,0 +1,43 @@ +From c7b18dc01e43b0812025b37db4e4add5c7972e5f Mon Sep 17 00:00:00 2001 +From: SivapiriyanKumarasamy +Date: Fri, 14 Jun 2019 15:04:00 -0400 +Subject: drm/amd/display: Wait for backlight programming completion in set + backlight level + +[ Upstream commit c7990daebe71d11a9e360b5c3b0ecd1846a3a4bb ] + +[WHY] +Currently we don't wait for blacklight programming completion in DMCU +when setting backlight level. Some sequences such as PSR static screen +event trigger reprogramming requires it to be complete. + +[How] +Add generic wait for dmcu command completion in set backlight level. + +Signed-off-by: SivapiriyanKumarasamy +Reviewed-by: Anthony Koo +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dce/dce_abm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_abm.c b/drivers/gpu/drm/amd/display/dc/dce/dce_abm.c +index 070ab56a8aca7..da8b198538e5f 100644 +--- a/drivers/gpu/drm/amd/display/dc/dce/dce_abm.c ++++ b/drivers/gpu/drm/amd/display/dc/dce/dce_abm.c +@@ -242,6 +242,10 @@ static void dmcu_set_backlight_level( + s2 |= (level << ATOM_S2_CURRENT_BL_LEVEL_SHIFT); + + REG_WRITE(BIOS_SCRATCH_2, s2); ++ ++ /* waitDMCUReadyForCmd */ ++ REG_WAIT(MASTER_COMM_CNTL_REG, MASTER_COMM_INTERRUPT, ++ 0, 1, 80000); + } + + static void dce_abm_init(struct abm *abm) +-- +2.20.1 + diff --git a/queue-4.19/drm-silence-variable-conn-set-but-not-used.patch b/queue-4.19/drm-silence-variable-conn-set-but-not-used.patch new file mode 100644 index 00000000000..d6e7ab5379b --- /dev/null +++ b/queue-4.19/drm-silence-variable-conn-set-but-not-used.patch @@ -0,0 +1,41 @@ +From d5b328f1a026d1ddaba2f972377156eda7506c21 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Mon, 22 Jul 2019 15:14:46 -0400 +Subject: drm: silence variable 'conn' set but not used + +[ Upstream commit bbb6fc43f131f77fcb7ae8081f6d7c51396a2120 ] + +The "struct drm_connector" iteration cursor from +"for_each_new_connector_in_state" is never used in atomic_remove_fb() +which generates a compilation warning, + +drivers/gpu/drm/drm_framebuffer.c: In function 'atomic_remove_fb': +drivers/gpu/drm/drm_framebuffer.c:838:24: warning: variable 'conn' set +but not used [-Wunused-but-set-variable] + +Silence it by marking "conn" __maybe_unused. + +Signed-off-by: Qian Cai +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/1563822886-13570-1-git-send-email-cai@lca.pw +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_framebuffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_framebuffer.c b/drivers/gpu/drm/drm_framebuffer.c +index 781af1d42d766..b64a6ffc0aed7 100644 +--- a/drivers/gpu/drm/drm_framebuffer.c ++++ b/drivers/gpu/drm/drm_framebuffer.c +@@ -793,7 +793,7 @@ static int atomic_remove_fb(struct drm_framebuffer *fb) + struct drm_device *dev = fb->dev; + struct drm_atomic_state *state; + struct drm_plane *plane; +- struct drm_connector *conn; ++ struct drm_connector *conn __maybe_unused; + struct drm_connector_state *conn_state; + int i, ret; + unsigned plane_mask; +-- +2.20.1 + diff --git a/queue-4.19/hwmon-nct6775-fix-register-address-and-added-missed-.patch b/queue-4.19/hwmon-nct6775-fix-register-address-and-added-missed-.patch new file mode 100644 index 00000000000..734bef469ae --- /dev/null +++ b/queue-4.19/hwmon-nct6775-fix-register-address-and-added-missed-.patch @@ -0,0 +1,43 @@ +From 08b1cfba19f06d40bb58975a31ec2b891950b08c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Gerhart?= +Date: Mon, 15 Jul 2019 18:33:55 +0200 +Subject: hwmon: (nct6775) Fix register address and added missed tolerance for + nct6106 + +[ Upstream commit f3d43e2e45fd9d44ba52d20debd12cd4ee9c89bf ] + +Fixed address of third NCT6106_REG_WEIGHT_DUTY_STEP, and +added missed NCT6106_REG_TOLERANCE_H. + +Fixes: 6c009501ff200 ("hwmon: (nct6775) Add support for NCT6102D/6106D") +Signed-off-by: Bjoern Gerhart +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/nct6775.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c +index 78603b78cf410..eba692cddbdee 100644 +--- a/drivers/hwmon/nct6775.c ++++ b/drivers/hwmon/nct6775.c +@@ -818,7 +818,7 @@ static const u16 NCT6106_REG_TARGET[] = { 0x111, 0x121, 0x131 }; + static const u16 NCT6106_REG_WEIGHT_TEMP_SEL[] = { 0x168, 0x178, 0x188 }; + static const u16 NCT6106_REG_WEIGHT_TEMP_STEP[] = { 0x169, 0x179, 0x189 }; + static const u16 NCT6106_REG_WEIGHT_TEMP_STEP_TOL[] = { 0x16a, 0x17a, 0x18a }; +-static const u16 NCT6106_REG_WEIGHT_DUTY_STEP[] = { 0x16b, 0x17b, 0x17c }; ++static const u16 NCT6106_REG_WEIGHT_DUTY_STEP[] = { 0x16b, 0x17b, 0x18b }; + static const u16 NCT6106_REG_WEIGHT_TEMP_BASE[] = { 0x16c, 0x17c, 0x18c }; + static const u16 NCT6106_REG_WEIGHT_DUTY_BASE[] = { 0x16d, 0x17d, 0x18d }; + +@@ -3673,6 +3673,7 @@ static int nct6775_probe(struct platform_device *pdev) + data->REG_FAN_TIME[0] = NCT6106_REG_FAN_STOP_TIME; + data->REG_FAN_TIME[1] = NCT6106_REG_FAN_STEP_UP_TIME; + data->REG_FAN_TIME[2] = NCT6106_REG_FAN_STEP_DOWN_TIME; ++ data->REG_TOLERANCE_H = NCT6106_REG_TOLERANCE_H; + data->REG_PWM[0] = NCT6106_REG_PWM; + data->REG_PWM[1] = NCT6106_REG_FAN_START_OUTPUT; + data->REG_PWM[2] = NCT6106_REG_FAN_STOP_OUTPUT; +-- +2.20.1 + diff --git a/queue-4.19/iscsi_ibft-make-iscsi_ibft-dependson-acpi-instead-of.patch b/queue-4.19/iscsi_ibft-make-iscsi_ibft-dependson-acpi-instead-of.patch new file mode 100644 index 00000000000..7b5bf862fd3 --- /dev/null +++ b/queue-4.19/iscsi_ibft-make-iscsi_ibft-dependson-acpi-instead-of.patch @@ -0,0 +1,70 @@ +From ee3eaf56c94502657e97f0788b7c384b5f4b5c69 Mon Sep 17 00:00:00 2001 +From: Thomas Tai +Date: Thu, 18 Jul 2019 18:37:34 +0000 +Subject: iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of ISCSI_IBFT_FIND + +[ Upstream commit 94bccc34071094c165c79b515d21b63c78f7e968 ] + +iscsi_ibft can use ACPI to find the iBFT entry during bootup, +currently, ISCSI_IBFT depends on ISCSI_IBFT_FIND which is +a X86 legacy way to find the iBFT by searching through the +low memory. This patch changes the dependency so that other +arch like ARM64 can use ISCSI_IBFT as long as the arch supports +ACPI. + +ibft_init() needs to use the global variable ibft_addr declared +in iscsi_ibft_find.c. A #ifndef CONFIG_ISCSI_IBFT_FIND is needed +to declare the variable if CONFIG_ISCSI_IBFT_FIND is not selected. +Moving ibft_addr into the iscsi_ibft.c does not work because if +ISCSI_IBFT is selected as a module, the arch/x86/kernel/setup.c won't +be able to find the variable at compile time. + +Signed-off-by: Thomas Tai +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Sasha Levin +--- + drivers/firmware/Kconfig | 5 +++-- + drivers/firmware/iscsi_ibft.c | 4 ++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/firmware/Kconfig b/drivers/firmware/Kconfig +index 6e83880046d78..ed212c8b41083 100644 +--- a/drivers/firmware/Kconfig ++++ b/drivers/firmware/Kconfig +@@ -198,7 +198,7 @@ config DMI_SCAN_MACHINE_NON_EFI_FALLBACK + + config ISCSI_IBFT_FIND + bool "iSCSI Boot Firmware Table Attributes" +- depends on X86 && ACPI ++ depends on X86 && ISCSI_IBFT + default n + help + This option enables the kernel to find the region of memory +@@ -209,7 +209,8 @@ config ISCSI_IBFT_FIND + config ISCSI_IBFT + tristate "iSCSI Boot Firmware Table Attributes module" + select ISCSI_BOOT_SYSFS +- depends on ISCSI_IBFT_FIND && SCSI && SCSI_LOWLEVEL ++ select ISCSI_IBFT_FIND if X86 ++ depends on ACPI && SCSI && SCSI_LOWLEVEL + default n + help + This option enables support for detection and exposing of iSCSI +diff --git a/drivers/firmware/iscsi_ibft.c b/drivers/firmware/iscsi_ibft.c +index c51462f5aa1e4..966aef334c420 100644 +--- a/drivers/firmware/iscsi_ibft.c ++++ b/drivers/firmware/iscsi_ibft.c +@@ -93,6 +93,10 @@ MODULE_DESCRIPTION("sysfs interface to BIOS iBFT information"); + MODULE_LICENSE("GPL"); + MODULE_VERSION(IBFT_ISCSI_VERSION); + ++#ifndef CONFIG_ISCSI_IBFT_FIND ++struct acpi_table_ibft *ibft_addr; ++#endif ++ + struct ibft_hdr { + u8 id; + u8 version; +-- +2.20.1 + diff --git a/queue-4.19/mac80211-don-t-warn-about-cw-params-when-not-using-t.patch b/queue-4.19/mac80211-don-t-warn-about-cw-params-when-not-using-t.patch new file mode 100644 index 00000000000..abbdbeebfba --- /dev/null +++ b/queue-4.19/mac80211-don-t-warn-about-cw-params-when-not-using-t.patch @@ -0,0 +1,52 @@ +From 9c2306f3d7200ac61d3b27dd937389ccd4f761a8 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Wed, 17 Jul 2019 18:57:12 -0700 +Subject: mac80211: don't warn about CW params when not using them + +[ Upstream commit d2b3fe42bc629c2d4002f652b3abdfb2e72991c7 ] + +ieee80211_set_wmm_default() normally sets up the initial CW min/max for +each queue, except that it skips doing this if the driver doesn't +support ->conf_tx. We still end up calling drv_conf_tx() in some cases +(e.g., ieee80211_reconfig()), which also still won't do anything +useful...except it complains here about the invalid CW parameters. + +Let's just skip the WARN if we weren't going to do anything useful with +the parameters. + +Signed-off-by: Brian Norris +Link: https://lore.kernel.org/r/20190718015712.197499-1-briannorris@chromium.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/driver-ops.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/net/mac80211/driver-ops.c b/net/mac80211/driver-ops.c +index bb886e7db47f1..f783d1377d9a8 100644 +--- a/net/mac80211/driver-ops.c ++++ b/net/mac80211/driver-ops.c +@@ -169,11 +169,16 @@ int drv_conf_tx(struct ieee80211_local *local, + if (!check_sdata_in_driver(sdata)) + return -EIO; + +- if (WARN_ONCE(params->cw_min == 0 || +- params->cw_min > params->cw_max, +- "%s: invalid CW_min/CW_max: %d/%d\n", +- sdata->name, params->cw_min, params->cw_max)) ++ if (params->cw_min == 0 || params->cw_min > params->cw_max) { ++ /* ++ * If we can't configure hardware anyway, don't warn. We may ++ * never have initialized the CW parameters. ++ */ ++ WARN_ONCE(local->ops->conf_tx, ++ "%s: invalid CW_min/CW_max: %d/%d\n", ++ sdata->name, params->cw_min, params->cw_max); + return -EINVAL; ++ } + + trace_drv_conf_tx(local, sdata, ac, params); + if (local->ops->conf_tx) +-- +2.20.1 + diff --git a/queue-4.19/netfilter-conntrack-always-store-window-size-un-scal.patch b/queue-4.19/netfilter-conntrack-always-store-window-size-un-scal.patch new file mode 100644 index 00000000000..7d1978802c2 --- /dev/null +++ b/queue-4.19/netfilter-conntrack-always-store-window-size-un-scal.patch @@ -0,0 +1,80 @@ +From ffc6807f418c1d0fd4c5768a2a1b4e18cb5891e6 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Fri, 12 Jul 2019 00:29:05 +0200 +Subject: netfilter: conntrack: always store window size un-scaled + +[ Upstream commit 959b69ef57db00cb33e9c4777400ae7183ebddd3 ] + +Jakub Jankowski reported following oddity: + +After 3 way handshake completes, timeout of new connection is set to +max_retrans (300s) instead of established (5 days). + +shortened excerpt from pcap provided: +25.070622 IP (flags [DF], proto TCP (6), length 52) +10.8.5.4.1025 > 10.8.1.2.80: Flags [S], seq 11, win 64240, [wscale 8] +26.070462 IP (flags [DF], proto TCP (6), length 48) +10.8.1.2.80 > 10.8.5.4.1025: Flags [S.], seq 82, ack 12, win 65535, [wscale 3] +27.070449 IP (flags [DF], proto TCP (6), length 40) +10.8.5.4.1025 > 10.8.1.2.80: Flags [.], ack 83, win 512, length 0 + +Turns out the last_win is of u16 type, but we store the scaled value: +512 << 8 (== 0x20000) becomes 0 window. + +The Fixes tag is not correct, as the bug has existed forever, but +without that change all that this causes might cause is to mistake a +window update (to-nonzero-from-zero) for a retransmit. + +Fixes: fbcd253d2448b8 ("netfilter: conntrack: lower timeout to RETRANS seconds if window is 0") +Reported-by: Jakub Jankowski +Tested-by: Jakub Jankowski +Signed-off-by: Florian Westphal +Acked-by: Jozsef Kadlecsik +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_proto_tcp.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c +index 842f3f86fb2e7..7011ab27c4371 100644 +--- a/net/netfilter/nf_conntrack_proto_tcp.c ++++ b/net/netfilter/nf_conntrack_proto_tcp.c +@@ -480,6 +480,7 @@ static bool tcp_in_window(const struct nf_conn *ct, + struct ip_ct_tcp_state *receiver = &state->seen[!dir]; + const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple; + __u32 seq, ack, sack, end, win, swin; ++ u16 win_raw; + s32 receiver_offset; + bool res, in_recv_win; + +@@ -488,7 +489,8 @@ static bool tcp_in_window(const struct nf_conn *ct, + */ + seq = ntohl(tcph->seq); + ack = sack = ntohl(tcph->ack_seq); +- win = ntohs(tcph->window); ++ win_raw = ntohs(tcph->window); ++ win = win_raw; + end = segment_seq_plus_len(seq, skb->len, dataoff, tcph); + + if (receiver->flags & IP_CT_TCP_FLAG_SACK_PERM) +@@ -663,14 +665,14 @@ static bool tcp_in_window(const struct nf_conn *ct, + && state->last_seq == seq + && state->last_ack == ack + && state->last_end == end +- && state->last_win == win) ++ && state->last_win == win_raw) + state->retrans++; + else { + state->last_dir = dir; + state->last_seq = seq; + state->last_ack = ack; + state->last_end = end; +- state->last_win = win; ++ state->last_win = win_raw; + state->retrans = 0; + } + } +-- +2.20.1 + diff --git a/queue-4.19/netfilter-fix-rpfilter-dropping-vrf-packets-by-mista.patch b/queue-4.19/netfilter-fix-rpfilter-dropping-vrf-packets-by-mista.patch new file mode 100644 index 00000000000..4ee85cff02a --- /dev/null +++ b/queue-4.19/netfilter-fix-rpfilter-dropping-vrf-packets-by-mista.patch @@ -0,0 +1,64 @@ +From 63e9e7b01783e03315d5feba96203b39636f3b3d Mon Sep 17 00:00:00 2001 +From: Miaohe Lin +Date: Tue, 2 Jul 2019 03:59:36 +0000 +Subject: netfilter: Fix rpfilter dropping vrf packets by mistake + +[ Upstream commit b575b24b8eee37f10484e951b62ce2a31c579775 ] + +When firewalld is enabled with ipv4/ipv6 rpfilter, vrf +ipv4/ipv6 packets will be dropped. Vrf device will pass +through netfilter hook twice. One with enslaved device +and another one with l3 master device. So in device may +dismatch witch out device because out device is always +enslaved device.So failed with the check of the rpfilter +and drop the packets by mistake. + +Signed-off-by: Miaohe Lin +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv4/netfilter/ipt_rpfilter.c | 1 + + net/ipv6/netfilter/ip6t_rpfilter.c | 8 ++++++-- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c +index 12843c9ef1421..74b19a5c572e9 100644 +--- a/net/ipv4/netfilter/ipt_rpfilter.c ++++ b/net/ipv4/netfilter/ipt_rpfilter.c +@@ -96,6 +96,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par) + flow.flowi4_mark = info->flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0; + flow.flowi4_tos = RT_TOS(iph->tos); + flow.flowi4_scope = RT_SCOPE_UNIVERSE; ++ flow.flowi4_oif = l3mdev_master_ifindex_rcu(xt_in(par)); + + return rpfilter_lookup_reverse(xt_net(par), &flow, xt_in(par), info->flags) ^ invert; + } +diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c +index c3c6b09acdc4f..0f3407f2851ed 100644 +--- a/net/ipv6/netfilter/ip6t_rpfilter.c ++++ b/net/ipv6/netfilter/ip6t_rpfilter.c +@@ -58,7 +58,9 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb, + if (rpfilter_addr_linklocal(&iph->saddr)) { + lookup_flags |= RT6_LOOKUP_F_IFACE; + fl6.flowi6_oif = dev->ifindex; +- } else if ((flags & XT_RPFILTER_LOOSE) == 0) ++ /* Set flowi6_oif for vrf devices to lookup route in l3mdev domain. */ ++ } else if (netif_is_l3_master(dev) || netif_is_l3_slave(dev) || ++ (flags & XT_RPFILTER_LOOSE) == 0) + fl6.flowi6_oif = dev->ifindex; + + rt = (void *)ip6_route_lookup(net, &fl6, skb, lookup_flags); +@@ -73,7 +75,9 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb, + goto out; + } + +- if (rt->rt6i_idev->dev == dev || (flags & XT_RPFILTER_LOOSE)) ++ if (rt->rt6i_idev->dev == dev || ++ l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) == dev->ifindex || ++ (flags & XT_RPFILTER_LOOSE)) + ret = true; + out: + ip6_rt_put(rt); +-- +2.20.1 + diff --git a/queue-4.19/netfilter-nfnetlink-avoid-deadlock-due-to-synchronou.patch b/queue-4.19/netfilter-nfnetlink-avoid-deadlock-due-to-synchronou.patch new file mode 100644 index 00000000000..2e94f43744e --- /dev/null +++ b/queue-4.19/netfilter-nfnetlink-avoid-deadlock-due-to-synchronou.patch @@ -0,0 +1,75 @@ +From 31e8aea5d23adb41a103a8e20921b85e115da7a2 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 2 Jul 2019 21:41:40 +0200 +Subject: netfilter: nfnetlink: avoid deadlock due to synchronous + request_module + +[ Upstream commit 1b0890cd60829bd51455dc5ad689ed58c4408227 ] + +Thomas and Juliana report a deadlock when running: + +(rmmod nf_conntrack_netlink/xfrm_user) + + conntrack -e NEW -E & + modprobe -v xfrm_user + +They provided following analysis: + +conntrack -e NEW -E + netlink_bind() + netlink_lock_table() -> increases "nl_table_users" + nfnetlink_bind() + # does not unlock the table as it's locked by netlink_bind() + __request_module() + call_usermodehelper_exec() + +This triggers "modprobe nf_conntrack_netlink" from kernel, netlink_bind() +won't return until modprobe process is done. + +"modprobe xfrm_user": + xfrm_user_init() + register_pernet_subsys() + -> grab pernet_ops_rwsem + .. + netlink_table_grab() + calls schedule() as "nl_table_users" is non-zero + +so modprobe is blocked because netlink_bind() increased +nl_table_users while also holding pernet_ops_rwsem. + +"modprobe nf_conntrack_netlink" runs and inits nf_conntrack_netlink: + ctnetlink_init() + register_pernet_subsys() + -> blocks on "pernet_ops_rwsem" thanks to xfrm_user module + +both modprobe processes wait on one another -- neither can make +progress. + +Switch netlink_bind() to "nowait" modprobe -- this releases the netlink +table lock, which then allows both modprobe instances to complete. + +Reported-by: Thomas Jarosch +Reported-by: Juliana Rodrigueiro +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c +index 916913454624f..7f2c1915763f8 100644 +--- a/net/netfilter/nfnetlink.c ++++ b/net/netfilter/nfnetlink.c +@@ -575,7 +575,7 @@ static int nfnetlink_bind(struct net *net, int group) + ss = nfnetlink_get_subsys(type << 8); + rcu_read_unlock(); + if (!ss) +- request_module("nfnetlink-subsys-%d", type); ++ request_module_nowait("nfnetlink-subsys-%d", type); + return 0; + } + #endif +-- +2.20.1 + diff --git a/queue-4.19/netfilter-nft_hash-fix-symhash-with-modulus-one.patch b/queue-4.19/netfilter-nft_hash-fix-symhash-with-modulus-one.patch new file mode 100644 index 00000000000..90406c7a17e --- /dev/null +++ b/queue-4.19/netfilter-nft_hash-fix-symhash-with-modulus-one.patch @@ -0,0 +1,39 @@ +From a6d38b3d092d1884de42e2984b0c8dd5702f2a3b Mon Sep 17 00:00:00 2001 +From: Laura Garcia Liebana +Date: Mon, 15 Jul 2019 13:23:37 +0200 +Subject: netfilter: nft_hash: fix symhash with modulus one + +[ Upstream commit 28b1d6ef53e3303b90ca8924bb78f31fa527cafb ] + +The rule below doesn't work as the kernel raises -ERANGE. + +nft add rule netdev nftlb lb01 ip daddr set \ + symhash mod 1 map { 0 : 192.168.0.10 } fwd to "eth0" + +This patch allows to use the symhash modulus with one +element, in the same way that the other types of hashes and +algorithms that uses the modulus parameter. + +Signed-off-by: Laura Garcia Liebana +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_hash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c +index c2d237144f747..b8f23f75aea6c 100644 +--- a/net/netfilter/nft_hash.c ++++ b/net/netfilter/nft_hash.c +@@ -196,7 +196,7 @@ static int nft_symhash_init(const struct nft_ctx *ctx, + priv->dreg = nft_parse_register(tb[NFTA_HASH_DREG]); + + priv->modulus = ntohl(nla_get_be32(tb[NFTA_HASH_MODULUS])); +- if (priv->modulus <= 1) ++ if (priv->modulus < 1) + return -ERANGE; + + if (priv->offset + priv->modulus - 1 < priv->offset) +-- +2.20.1 + diff --git a/queue-4.19/nl80211-fix-nl80211_he_max_capability_len.patch b/queue-4.19/nl80211-fix-nl80211_he_max_capability_len.patch new file mode 100644 index 00000000000..86029b84de8 --- /dev/null +++ b/queue-4.19/nl80211-fix-nl80211_he_max_capability_len.patch @@ -0,0 +1,34 @@ +From 7d7b7fa36a25d249c9ae356deca895bd4027093d Mon Sep 17 00:00:00 2001 +From: John Crispin +Date: Thu, 27 Jun 2019 11:58:32 +0200 +Subject: nl80211: fix NL80211_HE_MAX_CAPABILITY_LEN + +[ Upstream commit 5edaac063bbf1267260ad2a5b9bb803399343e58 ] + +NL80211_HE_MAX_CAPABILITY_LEN has changed between D2.0 and D4.0. It is now +MAC (6) + PHY (11) + MCS (12) + PPE (25) = 54. + +Signed-off-by: John Crispin +Link: https://lore.kernel.org/r/20190627095832.19445-1-john@phrozen.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + include/uapi/linux/nl80211.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h +index 7acc16f349427..fa43dd5a7b3dc 100644 +--- a/include/uapi/linux/nl80211.h ++++ b/include/uapi/linux/nl80211.h +@@ -2732,7 +2732,7 @@ enum nl80211_attrs { + #define NL80211_HT_CAPABILITY_LEN 26 + #define NL80211_VHT_CAPABILITY_LEN 12 + #define NL80211_HE_MIN_CAPABILITY_LEN 16 +-#define NL80211_HE_MAX_CAPABILITY_LEN 51 ++#define NL80211_HE_MAX_CAPABILITY_LEN 54 + #define NL80211_MAX_NR_CIPHER_SUITES 5 + #define NL80211_MAX_NR_AKM_SUITES 2 + +-- +2.20.1 + diff --git a/queue-4.19/nvme-fix-multipath-crash-when-ana-is-deactivated.patch b/queue-4.19/nvme-fix-multipath-crash-when-ana-is-deactivated.patch new file mode 100644 index 00000000000..32f3b303197 --- /dev/null +++ b/queue-4.19/nvme-fix-multipath-crash-when-ana-is-deactivated.patch @@ -0,0 +1,125 @@ +From 714684451845f83e590ddf5d434c1dc24f35bcb9 Mon Sep 17 00:00:00 2001 +From: Marta Rybczynska +Date: Tue, 23 Jul 2019 07:41:20 +0200 +Subject: nvme: fix multipath crash when ANA is deactivated + +[ Upstream commit 66b20ac0a1a10769d059d6903202f53494e3d902 ] + +Fix a crash with multipath activated. It happends when ANA log +page is larger than MDTS and because of that ANA is disabled. +The driver then tries to access unallocated buffer when connecting +to a nvme target. The signature is as follows: + +[ 300.433586] nvme nvme0: ANA log page size (8208) larger than MDTS (8192). +[ 300.435387] nvme nvme0: disabling ANA support. +[ 300.437835] nvme nvme0: creating 4 I/O queues. +[ 300.459132] nvme nvme0: new ctrl: NQN "nqn.0.0.0", addr 10.91.0.1:8009 +[ 300.464609] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 +[ 300.466342] #PF error: [normal kernel read fault] +[ 300.467385] PGD 0 P4D 0 +[ 300.467987] Oops: 0000 [#1] SMP PTI +[ 300.468787] CPU: 3 PID: 50 Comm: kworker/u8:1 Not tainted 5.0.20kalray+ #4 +[ 300.470264] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 +[ 300.471532] Workqueue: nvme-wq nvme_scan_work [nvme_core] +[ 300.472724] RIP: 0010:nvme_parse_ana_log+0x21/0x140 [nvme_core] +[ 300.474038] Code: 45 01 d2 d8 48 98 c3 66 90 0f 1f 44 00 00 41 57 41 56 41 55 41 54 55 53 48 89 fb 48 83 ec 08 48 8b af 20 0a 00 00 48 89 34 24 <66> 83 7d 08 00 0f 84 c6 00 00 00 44 8b 7d 14 49 89 d5 8b 55 10 48 +[ 300.477374] RSP: 0018:ffffa50e80fd7cb8 EFLAGS: 00010296 +[ 300.478334] RAX: 0000000000000001 RBX: ffff9130f1872258 RCX: 0000000000000000 +[ 300.479784] RDX: ffffffffc06c4c30 RSI: ffff9130edad4280 RDI: ffff9130f1872258 +[ 300.481488] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044 +[ 300.483203] R10: 0000000000000220 R11: 0000000000000040 R12: ffff9130f18722c0 +[ 300.484928] R13: ffff9130f18722d0 R14: ffff9130edad4280 R15: ffff9130f18722c0 +[ 300.486626] FS: 0000000000000000(0000) GS:ffff9130f7b80000(0000) knlGS:0000000000000000 +[ 300.488538] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 300.489907] CR2: 0000000000000008 CR3: 00000002365e6000 CR4: 00000000000006e0 +[ 300.491612] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 300.493303] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 300.494991] Call Trace: +[ 300.495645] nvme_mpath_add_disk+0x5c/0xb0 [nvme_core] +[ 300.496880] nvme_validate_ns+0x2ef/0x550 [nvme_core] +[ 300.498105] ? nvme_identify_ctrl.isra.45+0x6a/0xb0 [nvme_core] +[ 300.499539] nvme_scan_work+0x2b4/0x370 [nvme_core] +[ 300.500717] ? __switch_to_asm+0x35/0x70 +[ 300.501663] process_one_work+0x171/0x380 +[ 300.502340] worker_thread+0x49/0x3f0 +[ 300.503079] kthread+0xf8/0x130 +[ 300.503795] ? max_active_store+0x80/0x80 +[ 300.504690] ? kthread_bind+0x10/0x10 +[ 300.505502] ret_from_fork+0x35/0x40 +[ 300.506280] Modules linked in: nvme_tcp nvme_rdma rdma_cm iw_cm ib_cm ib_core nvme_fabrics nvme_core xt_physdev ip6table_raw ip6table_mangle ip6table_filter ip6_tables xt_comment iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_CHECKSUM iptable_mangle iptable_filter veth ebtable_filter ebtable_nat ebtables iptable_raw vxlan ip6_udp_tunnel udp_tunnel sunrpc joydev pcspkr virtio_balloon br_netfilter bridge stp llc ip_tables xfs libcrc32c ata_generic pata_acpi virtio_net virtio_console net_failover virtio_blk failover ata_piix serio_raw libata virtio_pci virtio_ring virtio +[ 300.514984] CR2: 0000000000000008 +[ 300.515569] ---[ end trace faa2eefad7e7f218 ]--- +[ 300.516354] RIP: 0010:nvme_parse_ana_log+0x21/0x140 [nvme_core] +[ 300.517330] Code: 45 01 d2 d8 48 98 c3 66 90 0f 1f 44 00 00 41 57 41 56 41 55 41 54 55 53 48 89 fb 48 83 ec 08 48 8b af 20 0a 00 00 48 89 34 24 <66> 83 7d 08 00 0f 84 c6 00 00 00 44 8b 7d 14 49 89 d5 8b 55 10 48 +[ 300.520353] RSP: 0018:ffffa50e80fd7cb8 EFLAGS: 00010296 +[ 300.521229] RAX: 0000000000000001 RBX: ffff9130f1872258 RCX: 0000000000000000 +[ 300.522399] RDX: ffffffffc06c4c30 RSI: ffff9130edad4280 RDI: ffff9130f1872258 +[ 300.523560] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044 +[ 300.524734] R10: 0000000000000220 R11: 0000000000000040 R12: ffff9130f18722c0 +[ 300.525915] R13: ffff9130f18722d0 R14: ffff9130edad4280 R15: ffff9130f18722c0 +[ 300.527084] FS: 0000000000000000(0000) GS:ffff9130f7b80000(0000) knlGS:0000000000000000 +[ 300.528396] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 300.529440] CR2: 0000000000000008 CR3: 00000002365e6000 CR4: 00000000000006e0 +[ 300.530739] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 300.531989] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 300.533264] Kernel panic - not syncing: Fatal exception +[ 300.534338] Kernel Offset: 0x17c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) +[ 300.536227] ---[ end Kernel panic - not syncing: Fatal exception ]--- + +Condition check refactoring from Christoph Hellwig. + +Signed-off-by: Marta Rybczynska +Tested-by: Jean-Baptiste Riaux +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/multipath.c | 8 ++------ + drivers/nvme/host/nvme.h | 6 +++++- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 260248fbb8feb..a11e210d173e4 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -20,11 +20,6 @@ module_param(multipath, bool, 0444); + MODULE_PARM_DESC(multipath, + "turn on native support for multiple controllers per subsystem"); + +-inline bool nvme_ctrl_use_ana(struct nvme_ctrl *ctrl) +-{ +- return multipath && ctrl->subsys && (ctrl->subsys->cmic & (1 << 3)); +-} +- + /* + * If multipathing is enabled we need to always use the subsystem instance + * number for numbering our devices to avoid conflicts between subsystems that +@@ -516,7 +511,8 @@ int nvme_mpath_init(struct nvme_ctrl *ctrl, struct nvme_id_ctrl *id) + { + int error; + +- if (!nvme_ctrl_use_ana(ctrl)) ++ /* check if multipath is enabled and we have the capability */ ++ if (!multipath || !ctrl->subsys || !(ctrl->subsys->cmic & (1 << 3))) + return 0; + + ctrl->anacap = id->anacap; +diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h +index e82cdaec81c9c..d5e29b57eb340 100644 +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -464,7 +464,11 @@ extern const struct attribute_group nvme_ns_id_attr_group; + extern const struct block_device_operations nvme_ns_head_ops; + + #ifdef CONFIG_NVME_MULTIPATH +-bool nvme_ctrl_use_ana(struct nvme_ctrl *ctrl); ++static inline bool nvme_ctrl_use_ana(struct nvme_ctrl *ctrl) ++{ ++ return ctrl->ana_log_buf != NULL; ++} ++ + void nvme_set_disk_name(char *disk_name, struct nvme_ns *ns, + struct nvme_ctrl *ctrl, int *flags); + void nvme_failover_req(struct request *req); +-- +2.20.1 + diff --git a/queue-4.19/perf-core-fix-creating-kernel-counters-for-pmus-that.patch b/queue-4.19/perf-core-fix-creating-kernel-counters-for-pmus-that.patch new file mode 100644 index 00000000000..f5d01bd266e --- /dev/null +++ b/queue-4.19/perf-core-fix-creating-kernel-counters-for-pmus-that.patch @@ -0,0 +1,61 @@ +From 98bc219f4bd4f7108c3d77fd2ae30beb96a75c50 Mon Sep 17 00:00:00 2001 +From: Leonard Crestez +Date: Wed, 24 Jul 2019 15:53:24 +0300 +Subject: perf/core: Fix creating kernel counters for PMUs that override + event->cpu + +[ Upstream commit 4ce54af8b33d3e21ca935fc1b89b58cbba956051 ] + +Some hardware PMU drivers will override perf_event.cpu inside their +event_init callback. This causes a lockdep splat when initialized through +the kernel API: + + WARNING: CPU: 0 PID: 250 at kernel/events/core.c:2917 ctx_sched_out+0x78/0x208 + pc : ctx_sched_out+0x78/0x208 + Call trace: + ctx_sched_out+0x78/0x208 + __perf_install_in_context+0x160/0x248 + remote_function+0x58/0x68 + generic_exec_single+0x100/0x180 + smp_call_function_single+0x174/0x1b8 + perf_install_in_context+0x178/0x188 + perf_event_create_kernel_counter+0x118/0x160 + +Fix this by calling perf_install_in_context with event->cpu, just like +perf_event_open + +Signed-off-by: Leonard Crestez +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Mark Rutland +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Frank Li +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Will Deacon +Link: https://lkml.kernel.org/r/c4ebe0503623066896d7046def4d6b1e06e0eb2e.1563972056.git.leonard.crestez@nxp.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index e8979c72514be..7ca44b8523c81 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -10957,7 +10957,7 @@ perf_event_create_kernel_counter(struct perf_event_attr *attr, int cpu, + goto err_unlock; + } + +- perf_install_in_context(ctx, event, cpu); ++ perf_install_in_context(ctx, event, event->cpu); + perf_unpin_context(ctx); + mutex_unlock(&ctx->mutex); + +-- +2.20.1 + diff --git a/queue-4.19/perf-probe-avoid-calling-freeing-routine-multiple-ti.patch b/queue-4.19/perf-probe-avoid-calling-freeing-routine-multiple-ti.patch new file mode 100644 index 00000000000..261f8b4f972 --- /dev/null +++ b/queue-4.19/perf-probe-avoid-calling-freeing-routine-multiple-ti.patch @@ -0,0 +1,50 @@ +From 8022f0b1779334ae3f18ef18858e1196df1bb2cd Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Thu, 18 Jul 2019 11:28:37 -0300 +Subject: perf probe: Avoid calling freeing routine multiple times for same + pointer + +[ Upstream commit d95daf5accf4a72005daa13fbb1d1bd8709f2861 ] + +When perf_add_probe_events() we call cleanup_perf_probe_events() for the +pev pointer it receives, then, as part of handling this failure the main +'perf probe' goes on and calls cleanup_params() and that will again call +cleanup_perf_probe_events()for the same pointer, so just set nevents to +zero when handling the failure of perf_add_probe_events() to avoid the +double free. + +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Masami Hiramatsu +Cc: Namhyung Kim +Link: https://lkml.kernel.org/n/tip-x8qgma4g813z96dvtw9w219q@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-probe.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/tools/perf/builtin-probe.c b/tools/perf/builtin-probe.c +index 99de91698de1e..0bdb34fee9d81 100644 +--- a/tools/perf/builtin-probe.c ++++ b/tools/perf/builtin-probe.c +@@ -711,6 +711,16 @@ __cmd_probe(int argc, const char **argv) + + ret = perf_add_probe_events(params.events, params.nevents); + if (ret < 0) { ++ ++ /* ++ * When perf_add_probe_events() fails it calls ++ * cleanup_perf_probe_events(pevs, npevs), i.e. ++ * cleanup_perf_probe_events(params.events, params.nevents), which ++ * will call clear_perf_probe_event(), so set nevents to zero ++ * to avoid cleanup_params() to call clear_perf_probe_event() again ++ * on the same pevs. ++ */ ++ params.nevents = 0; + pr_err_with_code(" Error: Failed to add events.", ret); + return ret; + } +-- +2.20.1 + diff --git a/queue-4.19/perf-tools-fix-proper-buffer-size-for-feature-proces.patch b/queue-4.19/perf-tools-fix-proper-buffer-size-for-feature-proces.patch new file mode 100644 index 00000000000..1cbf7fafadb --- /dev/null +++ b/queue-4.19/perf-tools-fix-proper-buffer-size-for-feature-proces.patch @@ -0,0 +1,50 @@ +From cb1e3027d27f6517703de6eea046922ffe9f861f Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Mon, 15 Jul 2019 16:04:26 +0200 +Subject: perf tools: Fix proper buffer size for feature processing + +[ Upstream commit 79b2fe5e756163897175a8f57d66b26cd9befd59 ] + +After Song Liu's segfault fix for pipe mode, Arnaldo reported following +error: + + # perf record -o - | perf script + 0x514 [0x1ac]: failed to process type: 80 + +It's caused by wrong buffer size setup in feature processing, which +makes cpu topology feature fail, because it's using buffer size to +recognize its header version. + +Reported-by: Arnaldo Carvalho de Melo +Signed-off-by: Jiri Olsa +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: David Carrillo-Cisneros +Cc: Kan Liang +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Song Liu +Fixes: e9def1b2e74e ("perf tools: Add feature header record to pipe-mode") +Link: http://lkml.kernel.org/r/20190715140426.32509-1-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/header.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c +index 7f2e3b1c746c9..a94bd6850a0b2 100644 +--- a/tools/perf/util/header.c ++++ b/tools/perf/util/header.c +@@ -3472,7 +3472,7 @@ int perf_event__process_feature(struct perf_tool *tool, + return 0; + + ff.buf = (void *)fe->data; +- ff.size = event->header.size - sizeof(event->header); ++ ff.size = event->header.size - sizeof(*fe); + ff.ph = &session->header; + + if (feat_ops[feat].process(&ff, NULL)) +-- +2.20.1 + diff --git a/queue-4.19/s390-dma-provide-proper-arch_zone_dma_bits-value.patch b/queue-4.19/s390-dma-provide-proper-arch_zone_dma_bits-value.patch new file mode 100644 index 00000000000..026be2d2ce5 --- /dev/null +++ b/queue-4.19/s390-dma-provide-proper-arch_zone_dma_bits-value.patch @@ -0,0 +1,38 @@ +From acf11676ff0474e12d9cbac5d21148fb4e39b8ff Mon Sep 17 00:00:00 2001 +From: Halil Pasic +Date: Wed, 24 Jul 2019 00:51:55 +0200 +Subject: s390/dma: provide proper ARCH_ZONE_DMA_BITS value + +[ Upstream commit 1a2dcff881059dedc14fafc8a442664c8dbd60f1 ] + +On s390 ZONE_DMA is up to 2G, i.e. ARCH_ZONE_DMA_BITS should be 31 bits. +The current value is 24 and makes __dma_direct_alloc_pages() take a +wrong turn first (but __dma_direct_alloc_pages() recovers then). + +Let's correct ARCH_ZONE_DMA_BITS value and avoid wrong turns. + +Signed-off-by: Halil Pasic +Reported-by: Petr Tesarik +Fixes: c61e9637340e ("dma-direct: add support for allocation from ZONE_DMA and ZONE_DMA32") +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/page.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/s390/include/asm/page.h b/arch/s390/include/asm/page.h +index 41e3908b397f8..0d753291c43c0 100644 +--- a/arch/s390/include/asm/page.h ++++ b/arch/s390/include/asm/page.h +@@ -176,6 +176,8 @@ static inline int devmem_is_allowed(unsigned long pfn) + #define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | \ + VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC) + ++#define ARCH_ZONE_DMA_BITS 31 ++ + #include + #include + +-- +2.20.1 + diff --git a/queue-4.19/s390-qdio-add-sanity-checks-to-the-fast-requeue-path.patch b/queue-4.19/s390-qdio-add-sanity-checks-to-the-fast-requeue-path.patch new file mode 100644 index 00000000000..d849af37245 --- /dev/null +++ b/queue-4.19/s390-qdio-add-sanity-checks-to-the-fast-requeue-path.patch @@ -0,0 +1,50 @@ +From 966e5cc732bb9738ee0ca1f98e28a059995db30b Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Thu, 11 Jul 2019 18:17:36 +0200 +Subject: s390/qdio: add sanity checks to the fast-requeue path + +[ Upstream commit a6ec414a4dd529eeac5c3ea51c661daba3397108 ] + +If the device driver were to send out a full queue's worth of SBALs, +current code would end up discovering the last of those SBALs as PRIMED +and erroneously skip the SIGA-w. This immediately stalls the queue. + +Add a check to not attempt fast-requeue in this case. While at it also +make sure that the state of the previous SBAL was successfully extracted +before inspecting it. + +Signed-off-by: Julian Wiedmann +Reviewed-by: Jens Remus +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/qdio_main.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c +index 4ac4a73037f59..4b7cc8d425b1c 100644 +--- a/drivers/s390/cio/qdio_main.c ++++ b/drivers/s390/cio/qdio_main.c +@@ -1569,13 +1569,13 @@ static int handle_outbound(struct qdio_q *q, unsigned int callflags, + rc = qdio_kick_outbound_q(q, phys_aob); + } else if (need_siga_sync(q)) { + rc = qdio_siga_sync_q(q); ++ } else if (count < QDIO_MAX_BUFFERS_PER_Q && ++ get_buf_state(q, prev_buf(bufnr), &state, 0) > 0 && ++ state == SLSB_CU_OUTPUT_PRIMED) { ++ /* The previous buffer is not processed yet, tack on. */ ++ qperf_inc(q, fast_requeue); + } else { +- /* try to fast requeue buffers */ +- get_buf_state(q, prev_buf(bufnr), &state, 0); +- if (state != SLSB_CU_OUTPUT_PRIMED) +- rc = qdio_kick_outbound_q(q, 0); +- else +- qperf_inc(q, fast_requeue); ++ rc = qdio_kick_outbound_q(q, 0); + } + + /* in case of SIGA errors we must process the error immediately */ +-- +2.20.1 + diff --git a/queue-4.19/scripts-sphinx-pre-install-fix-script-for-rhel-cento.patch b/queue-4.19/scripts-sphinx-pre-install-fix-script-for-rhel-cento.patch new file mode 100644 index 00000000000..81120767edf --- /dev/null +++ b/queue-4.19/scripts-sphinx-pre-install-fix-script-for-rhel-cento.patch @@ -0,0 +1,34 @@ +From 5bf37933a2e529c877f3f11ef30ce86a914b8dc9 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Sat, 13 Jul 2019 08:50:24 -0300 +Subject: scripts/sphinx-pre-install: fix script for RHEL/CentOS + +[ Upstream commit b308467c916aa7acc5069802ab76a9f657434701 ] + +There's a missing parenthesis at the script, with causes it to +fail to detect non-Fedora releases (e. g. RHEL/CentOS). + +Tested with Centos 7.6.1810. + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + scripts/sphinx-pre-install | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/sphinx-pre-install b/scripts/sphinx-pre-install +index 067459760a7b0..3524dbc313163 100755 +--- a/scripts/sphinx-pre-install ++++ b/scripts/sphinx-pre-install +@@ -301,7 +301,7 @@ sub give_redhat_hints() + # + # Checks valid for RHEL/CentOS version 7.x. + # +- if (! $system_release =~ /Fedora/) { ++ if (!($system_release =~ /Fedora/)) { + $map{"virtualenv"} = "python-virtualenv"; + } + +-- +2.20.1 + diff --git a/queue-4.19/scsi-ibmvfc-fix-warn_on-during-event-pool-release.patch b/queue-4.19/scsi-ibmvfc-fix-warn_on-during-event-pool-release.patch new file mode 100644 index 00000000000..63124510fcc --- /dev/null +++ b/queue-4.19/scsi-ibmvfc-fix-warn_on-during-event-pool-release.patch @@ -0,0 +1,73 @@ +From 19716d3fa540c62fee5945287f8a0158b8b3a1fc Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Wed, 17 Jul 2019 14:48:27 -0500 +Subject: scsi: ibmvfc: fix WARN_ON during event pool release + +[ Upstream commit 5578257ca0e21056821e6481bd534ba267b84e58 ] + +While removing an ibmvfc client adapter a WARN_ON like the following +WARN_ON is seen in the kernel log: + +WARNING: CPU: 6 PID: 5421 at ./include/linux/dma-mapping.h:541 +ibmvfc_free_event_pool+0x12c/0x1f0 [ibmvfc] +CPU: 6 PID: 5421 Comm: rmmod Tainted: G E 4.17.0-rc1-next-20180419-autotest #1 +NIP: d00000000290328c LR: d00000000290325c CTR: c00000000036ee20 +REGS: c000000288d1b7e0 TRAP: 0700 Tainted: G E (4.17.0-rc1-next-20180419-autotest) +MSR: 800000010282b033 CR: 44008828 XER: 20000000 +CFAR: c00000000036e408 SOFTE: 1 +GPR00: d00000000290325c c000000288d1ba60 d000000002917900 c000000289d75448 +GPR04: 0000000000000071 c0000000ff870000 0000000018040000 0000000000000001 +GPR08: 0000000000000000 c00000000156e838 0000000000000001 d00000000290c640 +GPR12: c00000000036ee20 c00000001ec4dc00 0000000000000000 0000000000000000 +GPR16: 0000000000000000 0000000000000000 00000100276901e0 0000000010020598 +GPR20: 0000000010020550 0000000010020538 0000000010020578 00000000100205b0 +GPR24: 0000000000000000 0000000000000000 0000000010020590 5deadbeef0000100 +GPR28: 5deadbeef0000200 d000000002910b00 0000000000000071 c0000002822f87d8 +NIP [d00000000290328c] ibmvfc_free_event_pool+0x12c/0x1f0 [ibmvfc] +LR [d00000000290325c] ibmvfc_free_event_pool+0xfc/0x1f0 [ibmvfc] +Call Trace: +[c000000288d1ba60] [d00000000290325c] ibmvfc_free_event_pool+0xfc/0x1f0 [ibmvfc] (unreliable) +[c000000288d1baf0] [d000000002909390] ibmvfc_abort_task_set+0x7b0/0x8b0 [ibmvfc] +[c000000288d1bb70] [c0000000000d8c68] vio_bus_remove+0x68/0x100 +[c000000288d1bbb0] [c0000000007da7c4] device_release_driver_internal+0x1f4/0x2d0 +[c000000288d1bc00] [c0000000007da95c] driver_detach+0x7c/0x100 +[c000000288d1bc40] [c0000000007d8af4] bus_remove_driver+0x84/0x140 +[c000000288d1bcb0] [c0000000007db6ac] driver_unregister+0x4c/0xa0 +[c000000288d1bd20] [c0000000000d6e7c] vio_unregister_driver+0x2c/0x50 +[c000000288d1bd50] [d00000000290ba0c] cleanup_module+0x24/0x15e0 [ibmvfc] +[c000000288d1bd70] [c0000000001dadb0] sys_delete_module+0x220/0x2d0 +[c000000288d1be30] [c00000000000b284] system_call+0x58/0x6c +Instruction dump: +e8410018 e87f0068 809f0078 e8bf0080 e8df0088 2fa30000 419e008c e9230200 +2fa90000 419e0080 894d098a 794a07e0 <0b0a0000> e9290008 2fa90000 419e0028 + +This is tripped as a result of irqs being disabled during the call to +dma_free_coherent() by ibmvfc_free_event_pool(). At this point in the code path +we have quiesced the adapter and its overly paranoid anyways to be holding the +host lock. + +Reported-by: Abdul Haleem +Signed-off-by: Tyrel Datwyler +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ibmvscsi/ibmvfc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c +index b64ca977825df..71d53bb239e25 100644 +--- a/drivers/scsi/ibmvscsi/ibmvfc.c ++++ b/drivers/scsi/ibmvscsi/ibmvfc.c +@@ -4874,8 +4874,8 @@ static int ibmvfc_remove(struct vio_dev *vdev) + + spin_lock_irqsave(vhost->host->host_lock, flags); + ibmvfc_purge_requests(vhost, DID_ERROR); +- ibmvfc_free_event_pool(vhost); + spin_unlock_irqrestore(vhost->host->host_lock, flags); ++ ibmvfc_free_event_pool(vhost); + + ibmvfc_free_mem(vhost); + spin_lock(&ibmvfc_driver_lock); +-- +2.20.1 + diff --git a/queue-4.19/scsi-megaraid_sas-fix-panic-on-loading-firmware-cras.patch b/queue-4.19/scsi-megaraid_sas-fix-panic-on-loading-firmware-cras.patch new file mode 100644 index 00000000000..130252c9dfa --- /dev/null +++ b/queue-4.19/scsi-megaraid_sas-fix-panic-on-loading-firmware-cras.patch @@ -0,0 +1,43 @@ +From d4166248f3bbbfa3be8c51fe9505968d5b814dd1 Mon Sep 17 00:00:00 2001 +From: Junxiao Bi +Date: Mon, 22 Jul 2019 09:15:24 -0700 +Subject: scsi: megaraid_sas: fix panic on loading firmware crashdump + +[ Upstream commit 3b5f307ef3cb5022bfe3c8ca5b8f2114d5bf6c29 ] + +While loading fw crashdump in function fw_crash_buffer_show(), left bytes +in one dma chunk was not checked, if copying size over it, overflow access +will cause kernel panic. + +Signed-off-by: Junxiao Bi +Acked-by: Sumit Saxena +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c +index e0c87228438d3..806ceabcabc3f 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -3025,6 +3025,7 @@ megasas_fw_crash_buffer_show(struct device *cdev, + u32 size; + unsigned long buff_addr; + unsigned long dmachunk = CRASH_DMA_BUF_SIZE; ++ unsigned long chunk_left_bytes; + unsigned long src_addr; + unsigned long flags; + u32 buff_offset; +@@ -3050,6 +3051,8 @@ megasas_fw_crash_buffer_show(struct device *cdev, + } + + size = (instance->fw_crash_buffer_size * dmachunk) - buff_offset; ++ chunk_left_bytes = dmachunk - (buff_offset % dmachunk); ++ size = (size > chunk_left_bytes) ? chunk_left_bytes : size; + size = (size >= PAGE_SIZE) ? (PAGE_SIZE - 1) : size; + + src_addr = (unsigned long)instance->crash_buf[buff_offset / dmachunk] + +-- +2.20.1 + diff --git a/queue-4.19/scsi-scsi_dh_alua-always-use-a-2-second-delay-before.patch b/queue-4.19/scsi-scsi_dh_alua-always-use-a-2-second-delay-before.patch new file mode 100644 index 00000000000..84c3208f800 --- /dev/null +++ b/queue-4.19/scsi-scsi_dh_alua-always-use-a-2-second-delay-before.patch @@ -0,0 +1,61 @@ +From afc487ba5a260bc98a42c12406bf9ab90f95e297 Mon Sep 17 00:00:00 2001 +From: Hannes Reinecke +Date: Fri, 12 Jul 2019 08:53:47 +0200 +Subject: scsi: scsi_dh_alua: always use a 2 second delay before retrying RTPG + +[ Upstream commit 20122994e38aef0ae50555884d287adde6641c94 ] + +Retrying immediately after we've received a 'transitioning' sense code is +pretty much pointless, we should always use a delay before retrying. So +ensure the default delay is applied before retrying. + +Signed-off-by: Hannes Reinecke +Tested-by: Zhangguanghui +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/device_handler/scsi_dh_alua.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c +index d1154baa9436a..9c21938ed67ed 100644 +--- a/drivers/scsi/device_handler/scsi_dh_alua.c ++++ b/drivers/scsi/device_handler/scsi_dh_alua.c +@@ -54,6 +54,7 @@ + #define ALUA_FAILOVER_TIMEOUT 60 + #define ALUA_FAILOVER_RETRIES 5 + #define ALUA_RTPG_DELAY_MSECS 5 ++#define ALUA_RTPG_RETRY_DELAY 2 + + /* device handler flags */ + #define ALUA_OPTIMIZE_STPG 0x01 +@@ -696,7 +697,7 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg) + case SCSI_ACCESS_STATE_TRANSITIONING: + if (time_before(jiffies, pg->expiry)) { + /* State transition, retry */ +- pg->interval = 2; ++ pg->interval = ALUA_RTPG_RETRY_DELAY; + err = SCSI_DH_RETRY; + } else { + struct alua_dh_data *h; +@@ -821,6 +822,8 @@ static void alua_rtpg_work(struct work_struct *work) + spin_lock_irqsave(&pg->lock, flags); + pg->flags &= ~ALUA_PG_RUNNING; + pg->flags |= ALUA_PG_RUN_RTPG; ++ if (!pg->interval) ++ pg->interval = ALUA_RTPG_RETRY_DELAY; + spin_unlock_irqrestore(&pg->lock, flags); + queue_delayed_work(kaluad_wq, &pg->rtpg_work, + pg->interval * HZ); +@@ -832,6 +835,8 @@ static void alua_rtpg_work(struct work_struct *work) + spin_lock_irqsave(&pg->lock, flags); + if (err == SCSI_DH_RETRY || pg->flags & ALUA_PG_RUN_RTPG) { + pg->flags &= ~ALUA_PG_RUNNING; ++ if (!pg->interval && !(pg->flags & ALUA_PG_RUN_RTPG)) ++ pg->interval = ALUA_RTPG_RETRY_DELAY; + pg->flags |= ALUA_PG_RUN_RTPG; + spin_unlock_irqrestore(&pg->lock, flags); + queue_delayed_work(kaluad_wq, &pg->rtpg_work, +-- +2.20.1 + diff --git a/queue-4.19/series b/queue-4.19/series index f37ee04168a..b9a6ca01e1d 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -30,3 +30,40 @@ usb-typec-tcpm-add-null-check-before-dereferencing-config.patch usb-typec-tcpm-ignore-unsupported-unknown-alternate-mode-requests.patch can-rcar_canfd-fix-possible-irq-storm-on-high-load.patch can-peak_usb-fix-potential-double-kfree_skb.patch +netfilter-nfnetlink-avoid-deadlock-due-to-synchronou.patch +vfio-ccw-set-pa_nr-to-0-if-memory-allocation-fails-f.patch +netfilter-fix-rpfilter-dropping-vrf-packets-by-mista.patch +netfilter-conntrack-always-store-window-size-un-scal.patch +netfilter-nft_hash-fix-symhash-with-modulus-one.patch +scripts-sphinx-pre-install-fix-script-for-rhel-cento.patch +drm-amd-display-wait-for-backlight-programming-compl.patch +drm-amd-display-use-encoder-s-engine-id-to-find-matc.patch +drm-amd-display-fix-dc_create-failure-handling-and-6.patch +drm-amd-display-only-enable-audio-if-speaker-allocat.patch +drm-amd-display-increase-size-of-audios-array.patch +iscsi_ibft-make-iscsi_ibft-dependson-acpi-instead-of.patch +nl80211-fix-nl80211_he_max_capability_len.patch +mac80211-don-t-warn-about-cw-params-when-not-using-t.patch +allocate_flower_entry-should-check-for-null-deref.patch +hwmon-nct6775-fix-register-address-and-added-missed-.patch +drm-silence-variable-conn-set-but-not-used.patch +cpufreq-pasemi-fix-use-after-free-in-pas_cpufreq_cpu.patch +s390-qdio-add-sanity-checks-to-the-fast-requeue-path.patch +alsa-compress-fix-regression-on-compressed-capture-s.patch +alsa-compress-prevent-bypasses-of-set_params.patch +alsa-compress-don-t-allow-paritial-drain-operations-.patch +alsa-compress-be-more-restrictive-about-when-a-drain.patch +perf-tools-fix-proper-buffer-size-for-feature-proces.patch +perf-probe-avoid-calling-freeing-routine-multiple-ti.patch +drbd-dynamically-allocate-shash-descriptor.patch +acpi-iort-fix-off-by-one-check-in-iort_dev_find_its_.patch +nvme-fix-multipath-crash-when-ana-is-deactivated.patch +arm-davinci-fix-sleep.s-build-error-on-armv4.patch +arm-dts-bcm-bcm47094-add-missing-cells-for-mdio-bus-.patch +scsi-megaraid_sas-fix-panic-on-loading-firmware-cras.patch +scsi-ibmvfc-fix-warn_on-during-event-pool-release.patch +scsi-scsi_dh_alua-always-use-a-2-second-delay-before.patch +test_firmware-fix-a-memory-leak-bug.patch +tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch +perf-core-fix-creating-kernel-counters-for-pmus-that.patch +s390-dma-provide-proper-arch_zone_dma_bits-value.patch diff --git a/queue-4.19/test_firmware-fix-a-memory-leak-bug.patch b/queue-4.19/test_firmware-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..bc8bc67bd60 --- /dev/null +++ b/queue-4.19/test_firmware-fix-a-memory-leak-bug.patch @@ -0,0 +1,46 @@ +From ba61e566cec6d539bc223cb6ba69d201c12fd71e Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Sun, 14 Jul 2019 01:11:35 -0500 +Subject: test_firmware: fix a memory leak bug + +[ Upstream commit d4fddac5a51c378c5d3e68658816c37132611e1f ] + +In test_firmware_init(), the buffer pointed to by the global pointer +'test_fw_config' is allocated through kzalloc(). Then, the buffer is +initialized in __test_firmware_config_init(). In the case that the +initialization fails, the following execution in test_firmware_init() needs +to be terminated with an error code returned to indicate this failure. +However, the allocated buffer is not freed on this execution path, leading +to a memory leak bug. + +To fix the above issue, free the allocated buffer before returning from +test_firmware_init(). + +Signed-off-by: Wenwen Wang +Link: https://lore.kernel.org/r/1563084696-6865-1-git-send-email-wang6495@umn.edu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + lib/test_firmware.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/lib/test_firmware.c b/lib/test_firmware.c +index fd48a15a0710c..a74b1aae74618 100644 +--- a/lib/test_firmware.c ++++ b/lib/test_firmware.c +@@ -894,8 +894,11 @@ static int __init test_firmware_init(void) + return -ENOMEM; + + rc = __test_firmware_config_init(); +- if (rc) ++ if (rc) { ++ kfree(test_fw_config); ++ pr_err("could not init firmware test config: %d\n", rc); + return rc; ++ } + + rc = misc_register(&test_fw_misc_device); + if (rc) { +-- +2.20.1 + diff --git a/queue-4.19/tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch b/queue-4.19/tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch new file mode 100644 index 00000000000..aba9661572a --- /dev/null +++ b/queue-4.19/tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch @@ -0,0 +1,75 @@ +From 9464495d0fa3423e14f4e29452495155c918122d Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Thu, 18 Jul 2019 15:03:15 +0200 +Subject: tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep + loop + +[ Upstream commit 952041a8639a7a3a73a2b6573cb8aa8518bc39f8 ] + +While reviewing rwsem down_slowpath, Will noticed ldsem had a copy of +a bug we just found for rwsem. + + X = 0; + + CPU0 CPU1 + + rwsem_down_read() + for (;;) { + set_current_state(TASK_UNINTERRUPTIBLE); + + X = 1; + rwsem_up_write(); + rwsem_mark_wake() + atomic_long_add(adjustment, &sem->count); + smp_store_release(&waiter->task, NULL); + + if (!waiter.task) + break; + + ... + } + + r = X; + +Allows 'r == 0'. + +Reported-by: Will Deacon +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Will Deacon +Cc: Linus Torvalds +Cc: Peter Hurley +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 4898e640caf0 ("tty: Add timed, writer-prioritized rw semaphore") +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/tty/tty_ldsem.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/tty_ldsem.c b/drivers/tty/tty_ldsem.c +index b989ca26fc788..2f0372976459e 100644 +--- a/drivers/tty/tty_ldsem.c ++++ b/drivers/tty/tty_ldsem.c +@@ -116,8 +116,7 @@ static void __ldsem_wake_readers(struct ld_semaphore *sem) + + list_for_each_entry_safe(waiter, next, &sem->read_wait, list) { + tsk = waiter->task; +- smp_mb(); +- waiter->task = NULL; ++ smp_store_release(&waiter->task, NULL); + wake_up_process(tsk); + put_task_struct(tsk); + } +@@ -217,7 +216,7 @@ down_read_failed(struct ld_semaphore *sem, long count, long timeout) + for (;;) { + set_current_state(TASK_UNINTERRUPTIBLE); + +- if (!waiter.task) ++ if (!smp_load_acquire(&waiter.task)) + break; + if (!timeout) + break; +-- +2.20.1 + diff --git a/queue-4.19/vfio-ccw-set-pa_nr-to-0-if-memory-allocation-fails-f.patch b/queue-4.19/vfio-ccw-set-pa_nr-to-0-if-memory-allocation-fails-f.patch new file mode 100644 index 00000000000..1bba6bb644e --- /dev/null +++ b/queue-4.19/vfio-ccw-set-pa_nr-to-0-if-memory-allocation-fails-f.patch @@ -0,0 +1,39 @@ +From b90e2692888495f5070cb76835de2f9d316ecb85 Mon Sep 17 00:00:00 2001 +From: Farhan Ali +Date: Thu, 11 Jul 2019 10:28:53 -0400 +Subject: vfio-ccw: Set pa_nr to 0 if memory allocation fails for pa_iova_pfn + +[ Upstream commit c1ab69268d124ebdbb3864580808188ccd3ea355 ] + +So we don't call try to call vfio_unpin_pages() incorrectly. + +Fixes: 0a19e61e6d4c ("vfio: ccw: introduce channel program interfaces") +Signed-off-by: Farhan Ali +Reviewed-by: Eric Farman +Reviewed-by: Cornelia Huck +Message-Id: <33a89467ad6369196ae6edf820cbcb1e2d8d050c.1562854091.git.alifm@linux.ibm.com> +Signed-off-by: Cornelia Huck +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/vfio_ccw_cp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/s390/cio/vfio_ccw_cp.c b/drivers/s390/cio/vfio_ccw_cp.c +index 70a006ba4d050..4fe06ff7b2c8b 100644 +--- a/drivers/s390/cio/vfio_ccw_cp.c ++++ b/drivers/s390/cio/vfio_ccw_cp.c +@@ -89,8 +89,10 @@ static int pfn_array_alloc_pin(struct pfn_array *pa, struct device *mdev, + sizeof(*pa->pa_iova_pfn) + + sizeof(*pa->pa_pfn), + GFP_KERNEL); +- if (unlikely(!pa->pa_iova_pfn)) ++ if (unlikely(!pa->pa_iova_pfn)) { ++ pa->pa_nr = 0; + return -ENOMEM; ++ } + pa->pa_pfn = pa->pa_iova_pfn + pa->pa_nr; + + pa->pa_iova_pfn[0] = pa->pa_iova >> PAGE_SHIFT; +-- +2.20.1 +