From: Sasha Levin Date: Sun, 4 Aug 2019 15:43:03 +0000 (-0400) Subject: fixes for 4.14 X-Git-Tag: v4.4.188~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=77d859e97c7a6d9788cc28b0dc376b2a5f310958;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/acpi-blacklist-fix-clang-warning-for-unused-dmi-tabl.patch b/queue-4.14/acpi-blacklist-fix-clang-warning-for-unused-dmi-tabl.patch new file mode 100644 index 00000000000..5329a346f5a --- /dev/null +++ b/queue-4.14/acpi-blacklist-fix-clang-warning-for-unused-dmi-tabl.patch 
@@ -0,0 +1,51 @@
+From cb8d5ba0b3560bf198c41e0c43bbff05462d4652 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Wed, 10 Jul 2019 15:05:43 +0200
+Subject: ACPI: blacklist: fix clang warning for unused DMI table
+
+[ Upstream commit b80d6a42bdc97bdb6139107d6034222e9843c6e2 ]
+
+When CONFIG_DMI is disabled, we only have a tentative declaration,
+which causes a warning from clang:
+
+drivers/acpi/blacklist.c:20:35: error: tentative array definition assumed to have one element [-Werror]
+static const struct dmi_system_id acpi_rev_dmi_table[] __initconst;
+
+As the variable is not actually used here, hide it entirely
+in an #ifdef to shut up the warning.
+
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Nathan Chancellor
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/blacklist.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c
+index 995c4d8922b12..761f0c19a4512 100644
+--- a/drivers/acpi/blacklist.c
++++ b/drivers/acpi/blacklist.c
+@@ -30,7 +30,9 @@
+
+ #include "internal.h"
+
++#ifdef CONFIG_DMI
+ static const struct dmi_system_id acpi_rev_dmi_table[] __initconst;
++#endif
+
+ /*
+ * POLICY: If *anything* doesn't work, put it on the blacklist.
+@@ -74,7 +76,9 @@ int __init acpi_blacklisted(void)
+ }
+
+ (void)early_acpi_osi_init();
++#ifdef CONFIG_DMI
+ dmi_check_system(acpi_rev_dmi_table);
++#endif
+
+ return blacklisted;
+ }
+--
+2.20.1
+
diff --git a/queue-4.14/acpi-fix-false-positive-wuninitialized-warning.patch b/queue-4.14/acpi-fix-false-positive-wuninitialized-warning.patch
new file mode 100644
index 00000000000..f0716feba04
--- /dev/null
+++ b/queue-4.14/acpi-fix-false-positive-wuninitialized-warning.patch
@@ -0,0 +1,58 @@ +From ccf3c2b11f46469aa07fa6dca34ba82b6cf31127 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 12 Jul 2019 11:01:21 +0200 +Subject: ACPI: fix false-positive -Wuninitialized warning + +[ Upstream commit dfd6f9ad36368b8dbd5f5a2b2f0a4705ae69a323 ] + +clang gets confused by an uninitialized variable in what looks +to it like a never executed code path: + +arch/x86/kernel/acpi/boot.c:618:13: error: variable 'polarity' is uninitialized when used here [-Werror,-Wuninitialized] + polarity = polarity ? ACPI_ACTIVE_LOW : ACPI_ACTIVE_HIGH; + ^~~~~~~~ +arch/x86/kernel/acpi/boot.c:606:32: note: initialize the variable 'polarity' to silence this warning + int rc, irq, trigger, polarity; + ^ + = 0 +arch/x86/kernel/acpi/boot.c:617:12: error: variable 'trigger' is uninitialized when used here [-Werror,-Wuninitialized] + trigger = trigger ? ACPI_LEVEL_SENSITIVE : ACPI_EDGE_SENSITIVE; + ^~~~~~~ +arch/x86/kernel/acpi/boot.c:606:22: note: initialize the variable 'trigger' to silence this warning + int rc, irq, trigger, polarity; + ^ + = 0 + +This is unfortunately a design decision in clang and won't be fixed. + +Changing the acpi_get_override_irq() macro to an inline function +reliably avoids the issue. + +Signed-off-by: Arnd Bergmann +Reviewed-by: Andy Shevchenko +Reviewed-by: Nathan Chancellor +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + include/linux/acpi.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/include/linux/acpi.h b/include/linux/acpi.h +index 13c105121a185..d7a9700b93339 100644 +--- a/include/linux/acpi.h ++++ b/include/linux/acpi.h +@@ -324,7 +324,10 @@ void acpi_set_irq_model(enum acpi_irq_model_id model, + #ifdef CONFIG_X86_IO_APIC + extern int acpi_get_override_irq(u32 gsi, int *trigger, int *polarity); + #else +-#define acpi_get_override_irq(gsi, trigger, polarity) (-1) ++static inline int acpi_get_override_irq(u32 gsi, int *trigger, int *polarity) ++{ ++ return -1; ++} + #endif + /* + * This function undoes the effect of one call to acpi_register_gsi(). +-- +2.20.1 + diff --git a/queue-4.14/arm-dts-rockchip-make-rk3288-veyron-mickey-s-emmc-wo.patch b/queue-4.14/arm-dts-rockchip-make-rk3288-veyron-mickey-s-emmc-wo.patch new file mode 100644 index 00000000000..72a6bbe8d7a --- /dev/null +++ b/queue-4.14/arm-dts-rockchip-make-rk3288-veyron-mickey-s-emmc-wo.patch 
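Review bot: The new `acpi_get_override_irq()` stub returns -1 without writing `*trigger` or `*polarity`, and nothing at the definition says so. A caller that reads either value without first checking the return code would be using uninitialised stack data, which is the pattern the quoted clang diagnostic is about. I would add a one-line comment above the stub, `/* !CONFIG_X86_IO_APIC: always fails; *trigger and *polarity are left untouched */`, so the contract is visible in the header.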
@@ -0,0 +1,66 @@ +From fa88853f1e31f416c5eb6878c8176aa7baebe92b Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Fri, 3 May 2019 16:45:37 -0700 +Subject: ARM: dts: rockchip: Make rk3288-veyron-mickey's emmc work again + +[ Upstream commit 99fa066710f75f18f4d9a5bc5f6a711968a581d5 ] + +When I try to boot rk3288-veyron-mickey I totally fail to make the +eMMC work. Specifically my logs (on Chrome OS 4.19): + + mmc_host mmc1: card is non-removable. + mmc_host mmc1: Bus speed (slot 0) = 400000Hz (slot req 400000Hz, actual 400000HZ div = 0) + mmc_host mmc1: Bus speed (slot 0) = 50000000Hz (slot req 52000000Hz, actual 50000000HZ div = 0) + mmc1: switch to bus width 8 failed + mmc1: switch to bus width 4 failed + mmc1: new high speed MMC card at address 0001 + mmcblk1: mmc1:0001 HAG2e 14.7 GiB + mmcblk1boot0: mmc1:0001 HAG2e partition 1 4.00 MiB + mmcblk1boot1: mmc1:0001 HAG2e partition 2 4.00 MiB + mmcblk1rpmb: mmc1:0001 HAG2e partition 3 4.00 MiB, chardev (243:0) + mmc_host mmc1: Bus speed (slot 0) = 400000Hz (slot req 400000Hz, actual 400000HZ div = 0) + mmc_host mmc1: Bus speed (slot 0) = 50000000Hz (slot req 52000000Hz, actual 50000000HZ div = 0) + mmc1: switch to bus width 8 failed + mmc1: switch to bus width 4 failed + mmc1: tried to HW reset card, got error -110 + mmcblk1: error -110 requesting status + mmcblk1: recovery failed! + print_req_error: I/O error, dev mmcblk1, sector 0 + ... + +When I remove the '/delete-property/mmc-hs200-1_8v' then everything is +hunky dory. + +That line comes from the original submission of the mickey dts +upstream, so presumably at the time the HS200 was failing and just +enumerating things as a high speed device was fine. ...or maybe it's +just that some mickey devices work when enumerating at "high speed", +just not mine? + +In any case, hs200 seems good now. Let's turn it on. 
+ +Signed-off-by: Douglas Anderson +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/rk3288-veyron-mickey.dts | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/arch/arm/boot/dts/rk3288-veyron-mickey.dts b/arch/arm/boot/dts/rk3288-veyron-mickey.dts +index f0994f0e57745..d6ca67866bc00 100644 +--- a/arch/arm/boot/dts/rk3288-veyron-mickey.dts ++++ b/arch/arm/boot/dts/rk3288-veyron-mickey.dts +@@ -161,10 +161,6 @@ + }; + }; + +-&emmc { +- /delete-property/mmc-hs200-1_8v; +-}; +- + &i2c2 { + status = "disabled"; + }; +-- +2.20.1 + diff --git a/queue-4.14/arm-dts-rockchip-make-rk3288-veyron-minnie-run-at-hs.patch b/queue-4.14/arm-dts-rockchip-make-rk3288-veyron-minnie-run-at-hs.patch new file mode 100644 index 00000000000..3ce05e1ae5b --- /dev/null +++ b/queue-4.14/arm-dts-rockchip-make-rk3288-veyron-minnie-run-at-hs.patch 
@@ -0,0 +1,57 @@ +From 21a923dad7d97c5614553894603c2772f1ba0d4f Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Fri, 3 May 2019 16:41:42 -0700 +Subject: ARM: dts: rockchip: Make rk3288-veyron-minnie run at hs200 + +[ Upstream commit 1c0479023412ab7834f2e98b796eb0d8c627cd62 ] + +As some point hs200 was failing on rk3288-veyron-minnie. See commit +984926781122 ("ARM: dts: rockchip: temporarily remove emmc hs200 speed +from rk3288 minnie"). Although I didn't track down exactly when it +started working, it seems to work OK now, so let's turn it back on. + +To test this, I booted from SD card and then used this script to +stress the enumeration process after fixing a memory leak [1]: + cd /sys/bus/platform/drivers/dwmmc_rockchip + for i in $(seq 1 3000); do + echo "========================" $i + echo ff0f0000.dwmmc > unbind + sleep .5 + echo ff0f0000.dwmmc > bind + while true; do + if [ -e /dev/mmcblk2 ]; then + break; + fi + sleep .1 + done + done + +It worked fine. + +[1] https://lkml.kernel.org/r/20190503233526.226272-1-dianders@chromium.org + +Signed-off-by: Douglas Anderson +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/rk3288-veyron-minnie.dts | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/arch/arm/boot/dts/rk3288-veyron-minnie.dts b/arch/arm/boot/dts/rk3288-veyron-minnie.dts +index 544de6027aaa0..6000dca1cf054 100644 +--- a/arch/arm/boot/dts/rk3288-veyron-minnie.dts ++++ b/arch/arm/boot/dts/rk3288-veyron-minnie.dts +@@ -125,10 +125,6 @@ + power-supply = <&backlight_regulator>; + }; + +-&emmc { +- /delete-property/mmc-hs200-1_8v; +-}; +- + &gpio_keys { + pinctrl-0 = <&pwr_key_l &ap_lid_int_l &volum_down_l &volum_up_l>; + +-- +2.20.1 + diff --git a/queue-4.14/arm-dts-rockchip-mark-that-the-rk3288-timer-might-st.patch b/queue-4.14/arm-dts-rockchip-mark-that-the-rk3288-timer-might-st.patch new file mode 100644 index 00000000000..673af720b90 --- /dev/null 
+++ b/queue-4.14/arm-dts-rockchip-mark-that-the-rk3288-timer-might-st.patch @@ -0,0 +1,48 @@ +From b68d54fabc71008220da80ba6c499a15658dfd4d Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Tue, 21 May 2019 16:49:33 -0700 +Subject: ARM: dts: rockchip: Mark that the rk3288 timer might stop in suspend + +[ Upstream commit 8ef1ba39a9fa53d2205e633bc9b21840a275908e ] + +This is similar to commit e6186820a745 ("arm64: dts: rockchip: Arch +counter doesn't tick in system suspend"). Specifically on the rk3288 +it can be seen that the timer stops ticking in suspend if we end up +running through the "osc_disable" path in rk3288_slp_mode_set(). In +that path the 24 MHz clock will turn off and the timer stops. + +To test this, I ran this on a Chrome OS filesystem: + before=$(date); \ + suspend_stress_test -c1 --suspend_min=30 --suspend_max=31; \ + echo ${before}; date + +...and I found that unless I plug in a device that requests USB wakeup +to be active that the two calls to "date" would show that fewer than +30 seconds passed. + +NOTE: deep suspend (where the 24 MHz clock gets disabled) isn't +supported yet on upstream Linux so this was tested on a downstream +kernel. + +Signed-off-by: Douglas Anderson +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/rk3288.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/boot/dts/rk3288.dtsi b/arch/arm/boot/dts/rk3288.dtsi +index 5a7888581eea9..23907d9ce89ad 100644 +--- a/arch/arm/boot/dts/rk3288.dtsi ++++ b/arch/arm/boot/dts/rk3288.dtsi +@@ -213,6 +213,7 @@ + , + ; + clock-frequency = <24000000>; ++ arm,no-tick-in-suspend; + }; + + timer: timer@ff810000 { +-- +2.20.1 + diff --git a/queue-4.14/arm-riscpc-fix-dma.patch b/queue-4.14/arm-riscpc-fix-dma.patch new file mode 100644 index 00000000000..5706296836d --- /dev/null +++ b/queue-4.14/arm-riscpc-fix-dma.patch 
@@ -0,0 +1,48 @@
+From 41c6170a2a7702d73a7a4371c8ddb44c899fbdec Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Thu, 2 May 2019 17:19:18 +0100
+Subject: ARM: riscpc: fix DMA
+
+[ Upstream commit ffd9a1ba9fdb7f2bd1d1ad9b9243d34e96756ba2 ]
+
+DMA got broken a while back in two different ways:
+1) a change in the behaviour of disable_irq() to wait for the interrupt
+ to finish executing causes us to deadlock at the end of DMA.
+2) a change to avoid modifying the scatterlist left the first transfer
+ uninitialised.
+
+DMA is only used with expansion cards, so has gone unnoticed.
+
+Fixes: fa4e99899932 ("[ARM] dma: RiscPC: don't modify DMA SG entries")
+Signed-off-by: Russell King
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-rpc/dma.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-rpc/dma.c b/arch/arm/mach-rpc/dma.c
+index fb48f3141fb4d..c4c96661eb89a 100644
+--- a/arch/arm/mach-rpc/dma.c
++++ b/arch/arm/mach-rpc/dma.c
+@@ -131,7 +131,7 @@ static irqreturn_t iomd_dma_handle(int irq, void *dev_id)
+ } while (1);
+
+ idma->state = ~DMA_ST_AB;
+- disable_irq(irq);
++ disable_irq_nosync(irq);
+
+ return IRQ_HANDLED;
+ }
+@@ -174,6 +174,9 @@ static void iomd_enable_dma(unsigned int chan, dma_t *dma)
+ DMA_FROM_DEVICE : DMA_TO_DEVICE);
+ }
+
++ idma->dma_addr = idma->dma.sg->dma_address;
++ idma->dma_len = idma->dma.sg->length;
++
+ iomd_writeb(DMA_CR_C, dma_base + CR);
+ idma->state = DMA_ST_AB;
+ }
+--
+2.20.1
+
diff --git a/queue-4.14/be2net-signal-that-the-device-cannot-transmit-during.patch b/queue-4.14/be2net-signal-that-the-device-cannot-transmit-during.patch
new file mode 100644
index 00000000000..20be320f533
--- /dev/null
+++ b/queue-4.14/be2net-signal-that-the-device-cannot-transmit-during.patch
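Review bot: The switch to `disable_irq_nosync(irq)` in iomd_dma_handle() carries no comment saying why the synchronous variant must not be used here; per the commit message, disable_irq() waits for the running handler and therefore deadlocks when called from it. I would add `/* disable_irq() would wait for this handler to finish */` above the call so the change is not reverted as a cleanup. In the second hunk the new loads through `idma->dma.sg` rely on that pointer having been set by code above the hunk; iomd_enable_dma() starts outside it, so confirm every path reaches these two lines with a non-NULL `sg`.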
@@ -0,0 +1,44 @@
+From 4fcc9c5ed76e0dd31e66efdd5b01334b75adedad Mon Sep 17 00:00:00 2001
+From: Benjamin Poirier
+Date: Tue, 16 Jul 2019 17:16:55 +0900
+Subject: be2net: Signal that the device cannot transmit during reconfiguration
+
+[ Upstream commit 7429c6c0d9cb086d8e79f0d2a48ae14851d2115e ]
+
+While changing the number of interrupt channels, be2net stops adapter
+operation (including netif_tx_disable()) but it doesn't signal that it
+cannot transmit. This may lead dev_watchdog() to falsely trigger during
+that time.
+
+Add the missing call to netif_carrier_off(), following the pattern used in
+many other drivers. netif_carrier_on() is already taken care of in
+be_open().
+
+Signed-off-by: Benjamin Poirier
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/emulex/benet/be_main.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
+index 39f399741647f..cabeb1790db76 100644
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -4600,8 +4600,12 @@ int be_update_queues(struct be_adapter *adapter)
+ struct net_device *netdev = adapter->netdev;
+ int status;
+
+- if (netif_running(netdev))
++ if (netif_running(netdev)) {
++ /* device cannot transmit now, avoid dev_watchdog timeouts */
++ netif_carrier_off(netdev);
++
+ be_close(netdev);
++ }
+
+ be_cancel_worker(adapter);
+
+--
+2.20.1
+
diff --git a/queue-4.14/btrfs-fix-minimum-number-of-chunk-errors-for-dup.patch b/queue-4.14/btrfs-fix-minimum-number-of-chunk-errors-for-dup.patch
new file mode 100644
index 00000000000..57b18585ac1
--- /dev/null
+++ b/queue-4.14/btrfs-fix-minimum-number-of-chunk-errors-for-dup.patch
@@ -0,0 +1,48 @@
+From 76720a33b0423e43fd6686b5ceaaaafd719c2b0f Mon Sep 17 00:00:00 2001
+From: David Sterba
+Date: Fri, 17 May 2019 11:43:13 +0200
+Subject: btrfs: fix minimum number of chunk errors for DUP
+
+[ Upstream commit 0ee5f8ae082e1f675a2fb6db601c31ac9958a134 ]
+
+The list of profiles in btrfs_chunk_max_errors lists DUP as a profile
+DUP able to tolerate 1 device missing. Though this profile is special
+with 2 copies, it still needs the device, unlike the others.
+
+Looking at the history of changes, thre's no clear reason why DUP is
+there, functions were refactored and blocks of code merged to one
+helper.
+
+d20983b40e828 Btrfs: fix writing data into the seed filesystem
+ - factor code to a helper
+
+de11cc12df173 Btrfs: don't pre-allocate btrfs bio
+ - unrelated change, DUP still in the list with max errors 1
+
+a236aed14ccb0 Btrfs: Deal with failed writes in mirrored configurations
+ - introduced the max errors, leaves DUP and RAID1 in the same group
+
+Reviewed-by: Qu Wenruo
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/volumes.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
+index 85294fef10514..358e930df4acd 100644
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -5019,8 +5019,7 @@ static inline int btrfs_chunk_max_errors(struct map_lookup *map)
+
+ if (map->type & (BTRFS_BLOCK_GROUP_RAID1 |
+ BTRFS_BLOCK_GROUP_RAID10 |
+- BTRFS_BLOCK_GROUP_RAID5 |
+- BTRFS_BLOCK_GROUP_DUP)) {
++ BTRFS_BLOCK_GROUP_RAID5)) {
+ max_errors = 1;
+ } else if (map->type & BTRFS_BLOCK_GROUP_RAID6) {
+ max_errors = 2;
+--
+2.20.1
+
diff --git a/queue-4.14/ceph-fix-improper-use-of-smp_mb__before_atomic.patch b/queue-4.14/ceph-fix-improper-use-of-smp_mb__before_atomic.patch
new file mode 100644
index 00000000000..fd6ef007efc
--- /dev/null
+++ b/queue-4.14/ceph-fix-improper-use-of-smp_mb__before_atomic.patch
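Review bot: With `BTRFS_BLOCK_GROUP_DUP` dropped from the mask in btrfs_chunk_max_errors(), the reason DUP is treated differently from RAID1 is recorded only in the commit message, which itself says the history gave no clear reason for DUP being in the list. A short comment above the `if`, for example `/* DUP keeps both copies on one device, so a missing device is not tolerated */`, would keep it from being re-added in a later refactor. The value DUP now ends up with is assigned outside the hunk (the function starts and ends beyond it), so confirm it is the no-tolerance default.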
@@ -0,0 +1,44 @@
+From 612ef6b5afd60316fb852e892024199adbb7c28c Mon Sep 17 00:00:00 2001
+From: Andrea Parri
+Date: Mon, 20 May 2019 19:23:58 +0200
+Subject: ceph: fix improper use of smp_mb__before_atomic()
+
+[ Upstream commit 749607731e26dfb2558118038c40e9c0c80d23b5 ]
+
+This barrier only applies to the read-modify-write operations; in
+particular, it does not apply to the atomic64_set() primitive.
+
+Replace the barrier with an smp_mb().
+
+Fixes: fdd4e15838e59 ("ceph: rework dcache readdir")
+Reported-by: "Paul E. McKenney"
+Reported-by: Peter Zijlstra
+Signed-off-by: Andrea Parri
+Reviewed-by: "Yan, Zheng"
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Sasha Levin
+---
+ fs/ceph/super.h | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ceph/super.h b/fs/ceph/super.h
+index 3e27a28aa44ad..60b70f0985f67 100644
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -517,7 +517,12 @@ static inline void __ceph_dir_set_complete(struct ceph_inode_info *ci,
+ long long release_count,
+ long long ordered_count)
+ {
+- smp_mb__before_atomic();
++ /*
++ * Makes sure operations that setup readdir cache (update page
++ * cache and i_size) are strongly ordered w.r.t. the following
++ * atomic64_set() operations.
++ */
++ smp_mb();
+ atomic64_set(&ci->i_complete_seq[0], release_count);
+ atomic64_set(&ci->i_complete_seq[1], ordered_count);
+ }
+--
+2.20.1
+
diff --git a/queue-4.14/ceph-return-erange-if-virtual-xattr-value-didn-t-fit.patch b/queue-4.14/ceph-return-erange-if-virtual-xattr-value-didn-t-fit.patch
new file mode 100644
index 00000000000..bc10408906f
--- /dev/null
+++ b/queue-4.14/ceph-return-erange-if-virtual-xattr-value-didn-t-fit.patch
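Review bot: The comment added above `smp_mb()` in __ceph_dir_set_complete() says what is ordered on the writer side but does not name the barrier it pairs with on the reader side. A full barrier here only gives the intended guarantee if the code that reads `i_complete_seq` orders its loads as well, and a reviewer cannot check that from this comment. I would add one line to it, ` * Pairs with the read barrier in the i_complete_seq reader.`, with the actual function name filled in; the reader is outside this hunk, so which barrier it uses is not verified here.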
@@ -0,0 +1,69 @@ +From 22ecd7f90ea1a823d374231db171456eea0fca1a Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Thu, 13 Jun 2019 15:17:00 -0400 +Subject: ceph: return -ERANGE if virtual xattr value didn't fit in buffer + +[ Upstream commit 3b421018f48c482bdc9650f894aa1747cf90e51d ] + +The getxattr manpage states that we should return ERANGE if the +destination buffer size is too small to hold the value. +ceph_vxattrcb_layout does this internally, but we should be doing +this for all vxattrs. + +Fix the only caller of getxattr_cb to check the returned size +against the buffer length and return -ERANGE if it doesn't fit. +Drop the same check in ceph_vxattrcb_layout and just rely on the +caller to handle it. + +Signed-off-by: Jeff Layton +Reviewed-by: "Yan, Zheng" +Acked-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/xattr.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c +index e1c4e0b12b4cd..0376db8a74f85 100644 +--- a/fs/ceph/xattr.c ++++ b/fs/ceph/xattr.c +@@ -75,7 +75,7 @@ static size_t ceph_vxattrcb_layout(struct ceph_inode_info *ci, char *val, + const char *ns_field = " pool_namespace="; + char buf[128]; + size_t len, total_len = 0; +- int ret; ++ ssize_t ret; + + pool_ns = ceph_try_get_string(ci->i_layout.pool_ns); + +@@ -99,11 +99,8 @@ static size_t ceph_vxattrcb_layout(struct ceph_inode_info *ci, char *val, + if (pool_ns) + total_len += strlen(ns_field) + pool_ns->len; + +- if (!size) { +- ret = total_len; +- } else if (total_len > size) { +- ret = -ERANGE; +- } else { ++ ret = total_len; ++ if (size >= total_len) { + memcpy(val, buf, len); + ret = len; + if (pool_name) { +@@ -761,8 +758,11 @@ ssize_t __ceph_getxattr(struct inode *inode, const char *name, void *value, + if (err) + return err; + err = -ENODATA; +- if (!(vxattr->exists_cb && !vxattr->exists_cb(ci))) ++ if (!(vxattr->exists_cb && !vxattr->exists_cb(ci))) { + err = 
vxattr->getxattr_cb(ci, value, size); ++ if (size && size < err) ++ err = -ERANGE; ++ } + return err; + } + +-- +2.20.1 + diff --git a/queue-4.14/cifs-fix-a-race-condition-with-cifs_echo_request.patch b/queue-4.14/cifs-fix-a-race-condition-with-cifs_echo_request.patch new file mode 100644 index 00000000000..ed4703a99fe --- /dev/null +++ b/queue-4.14/cifs-fix-a-race-condition-with-cifs_echo_request.patch 
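Review bot: In __ceph_getxattr() the new test `size && size < err` compares a `size_t` with a signed `err`, so `err` is converted to unsigned before the comparison. If a `getxattr_cb` ever returns a negative errno, it becomes a very large unsigned value, the test is true for any non-zero `size`, and the original error is replaced by -ERANGE. Since this patch makes this one line the buffer-length check for every vxattr, I would make the sign handling explicit: `if (err >= 0 && size && size < (size_t)err)`. The declaration of `err` and the other callbacks are outside the hunk, so whether a negative return is reachable today is not visible here.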
@@ -0,0 +1,63 @@ +From 78e811656566abeadb2b1ecab351df6cd5045889 Mon Sep 17 00:00:00 2001 +From: Ronnie Sahlberg +Date: Sat, 6 Jul 2019 06:52:46 +1000 +Subject: cifs: Fix a race condition with cifs_echo_request + +[ Upstream commit f2caf901c1b7ce65f9e6aef4217e3241039db768 ] + +There is a race condition with how we send (or supress and don't send) +smb echos that will cause the client to incorrectly think the +server is unresponsive and thus needs to be reconnected. + +Summary of the race condition: + 1) Daisy chaining scheduling creates a gap. + 2) If traffic comes unfortunate shortly after + the last echo, the planned echo is suppressed. + 3) Due to the gap, the next echo transmission is delayed + until after the timeout, which is set hard to twice + the echo interval. + +This is fixed by changing the timeouts from 2 to three times the echo interval. + +Detailed description of the bug: https://lutz.donnerhacke.de/eng/Blog/Groundhog-Day-with-SMB-remount + +Signed-off-by: Ronnie Sahlberg +Reviewed-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/connect.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 33cd844579aed..57c62ff4e8d6d 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -554,10 +554,10 @@ static bool + server_unresponsive(struct TCP_Server_Info *server) + { + /* +- * We need to wait 2 echo intervals to make sure we handle such ++ * We need to wait 3 echo intervals to make sure we handle such + * situations right: + * 1s client sends a normal SMB request +- * 2s client gets a response ++ * 3s client gets a response + * 30s echo workqueue job pops, and decides we got a response recently + * and don't need to send another + * ... 
+@@ -566,9 +566,9 @@ server_unresponsive(struct TCP_Server_Info *server) + */ + if ((server->tcpStatus == CifsGood || + server->tcpStatus == CifsNeedNegotiate) && +- time_after(jiffies, server->lstrp + 2 * server->echo_interval)) { ++ time_after(jiffies, server->lstrp + 3 * server->echo_interval)) { + cifs_dbg(VFS, "Server %s has not responded in %lu seconds. Reconnecting...\n", +- server->hostname, (2 * server->echo_interval) / HZ); ++ server->hostname, (3 * server->echo_interval) / HZ); + cifs_reconnect(server); + wake_up(&server->response_q); + return true; +-- +2.20.1 + diff --git a/queue-4.14/clk-tegra210-fix-pllu-and-pllu_out1.patch b/queue-4.14/clk-tegra210-fix-pllu-and-pllu_out1.patch new file mode 100644 index 00000000000..61381401e85 --- /dev/null +++ b/queue-4.14/clk-tegra210-fix-pllu-and-pllu_out1.patch 
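Review bot: The timeline in the server_unresponsive() comment was changed from `2s client gets a response` to `3s client gets a response`, which looks like a side effect of replacing 2 with 3 rather than an intended edit; that line describes when the reply arrives, not the timeout multiplier. I would restore ` * 2s client gets a response` and keep only the first comment line changed. The later entries of the timeline fall between the two hunks and are not shown, so check that they were recomputed for three echo intervals, since this comment is the only place the reasoning behind the reconnect threshold is written down.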
@@ -0,0 +1,75 @@ +From 84b61a94bb138d953a45660459149783147679e5 Mon Sep 17 00:00:00 2001 +From: JC Kuo +Date: Wed, 12 Jun 2019 11:14:34 +0800 +Subject: clk: tegra210: fix PLLU and PLLU_OUT1 + +[ Upstream commit 0d34dfbf3023cf119b83f6470692c0b10c832495 ] + +Full-speed and low-speed USB devices do not work with Tegra210 +platforms because of incorrect PLLU/PLLU_OUT1 clock settings. + +When full-speed device is connected: +[ 14.059886] usb 1-3: new full-speed USB device number 2 using tegra-xusb +[ 14.196295] usb 1-3: device descriptor read/64, error -71 +[ 14.436311] usb 1-3: device descriptor read/64, error -71 +[ 14.675749] usb 1-3: new full-speed USB device number 3 using tegra-xusb +[ 14.812335] usb 1-3: device descriptor read/64, error -71 +[ 15.052316] usb 1-3: device descriptor read/64, error -71 +[ 15.164799] usb usb1-port3: attempt power cycle + +When low-speed device is connected: +[ 37.610949] usb usb1-port3: Cannot enable. Maybe the USB cable is bad? +[ 38.557376] usb usb1-port3: Cannot enable. Maybe the USB cable is bad? +[ 38.564977] usb usb1-port3: attempt power cycle + +This commit fixes the issue by: + 1. initializing PLLU_OUT1 before initializing XUSB_FS_SRC clock + because PLLU_OUT1 is parent of XUSB_FS_SRC. + 2. changing PLLU post-divider to /2 (DIVP=1) according to Technical + Reference Manual. 
+ +Fixes: e745f992cf4b ("clk: tegra: Rework pll_u") +Signed-off-by: JC Kuo +Acked-By: Peter De Schrijver +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/tegra/clk-tegra210.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/clk/tegra/clk-tegra210.c b/drivers/clk/tegra/clk-tegra210.c +index b92867814e2d5..cb2be154db3bc 100644 +--- a/drivers/clk/tegra/clk-tegra210.c ++++ b/drivers/clk/tegra/clk-tegra210.c +@@ -2057,9 +2057,9 @@ static struct div_nmp pllu_nmp = { + }; + + static struct tegra_clk_pll_freq_table pll_u_freq_table[] = { +- { 12000000, 480000000, 40, 1, 0, 0 }, +- { 13000000, 480000000, 36, 1, 0, 0 }, /* actual: 468.0 MHz */ +- { 38400000, 480000000, 25, 2, 0, 0 }, ++ { 12000000, 480000000, 40, 1, 1, 0 }, ++ { 13000000, 480000000, 36, 1, 1, 0 }, /* actual: 468.0 MHz */ ++ { 38400000, 480000000, 25, 2, 1, 0 }, + { 0, 0, 0, 0, 0, 0 }, + }; + +@@ -2983,6 +2983,7 @@ static struct tegra_clk_init_table init_table[] __initdata = { + { TEGRA210_CLK_DFLL_REF, TEGRA210_CLK_PLL_P, 51000000, 1 }, + { TEGRA210_CLK_SBC4, TEGRA210_CLK_PLL_P, 12000000, 1 }, + { TEGRA210_CLK_PLL_RE_VCO, TEGRA210_CLK_CLK_MAX, 672000000, 1 }, ++ { TEGRA210_CLK_PLL_U_OUT1, TEGRA210_CLK_CLK_MAX, 48000000, 1 }, + { TEGRA210_CLK_XUSB_GATE, TEGRA210_CLK_CLK_MAX, 0, 1 }, + { TEGRA210_CLK_XUSB_SS_SRC, TEGRA210_CLK_PLL_U_480M, 120000000, 0 }, + { TEGRA210_CLK_XUSB_FS_SRC, TEGRA210_CLK_PLL_U_48M, 48000000, 0 }, +@@ -3008,7 +3009,6 @@ static struct tegra_clk_init_table init_table[] __initdata = { + { TEGRA210_CLK_PLL_DP, TEGRA210_CLK_CLK_MAX, 270000000, 0 }, + { TEGRA210_CLK_SOC_THERM, TEGRA210_CLK_PLL_P, 51000000, 0 }, + { TEGRA210_CLK_CCLK_G, TEGRA210_CLK_CLK_MAX, 0, 1 }, +- { TEGRA210_CLK_PLL_U_OUT1, TEGRA210_CLK_CLK_MAX, 48000000, 1 }, + { TEGRA210_CLK_PLL_U_OUT2, TEGRA210_CLK_CLK_MAX, 60000000, 1 }, + /* This MUST be the last entry. */ + { TEGRA210_CLK_CLK_MAX, TEGRA210_CLK_CLK_MAX, 0, 0 }, +-- +2.20.1 + 
diff --git a/queue-4.14/coda-add-error-handling-for-fget.patch b/queue-4.14/coda-add-error-handling-for-fget.patch
new file mode 100644
index 00000000000..5dfa691ed78
--- /dev/null
+++ b/queue-4.14/coda-add-error-handling-for-fget.patch
@@ -0,0 +1,50 @@
+From 456c705d2e430d015822a834ea6275cb218e97c6 Mon Sep 17 00:00:00 2001
+From: Zhouyang Jia
+Date: Tue, 16 Jul 2019 16:28:13 -0700
+Subject: coda: add error handling for fget
+
+[ Upstream commit 02551c23bcd85f0c68a8259c7b953d49d44f86af ]
+
+When fget fails, the lack of error-handling code may cause unexpected
+results.
+
+This patch adds error-handling code after calling fget.
+
+Link: http://lkml.kernel.org/r/2514ec03df9c33b86e56748513267a80dd8004d9.1558117389.git.jaharkes@cs.cmu.edu
+Signed-off-by: Zhouyang Jia
+Signed-off-by: Jan Harkes
+Cc: Arnd Bergmann
+Cc: Colin Ian King
+Cc: Dan Carpenter
+Cc: David Howells
+Cc: Fabian Frederick
+Cc: Mikko Rapeli
+Cc: Sam Protsenko
+Cc: Yann Droneaud
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ fs/coda/psdev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/coda/psdev.c b/fs/coda/psdev.c
+index f40e3953e7fe3..a6d9e841a375c 100644
+--- a/fs/coda/psdev.c
++++ b/fs/coda/psdev.c
+@@ -187,8 +187,11 @@ static ssize_t coda_psdev_write(struct file *file, const char __user *buf,
+ if (req->uc_opcode == CODA_OPEN_BY_FD) {
+ struct coda_open_by_fd_out *outp =
+ (struct coda_open_by_fd_out *)req->uc_data;
+- if (!outp->oh.result)
++ if (!outp->oh.result) {
+ outp->fh = fget(outp->fd);
++ if (!outp->fh)
++ return -EBADF;
++ }
+ }
+
+ wake_up(&req->uc_sleep);
+--
+2.20.1
+
diff --git a/queue-4.14/coda-fix-build-using-bare-metal-toolchain.patch b/queue-4.14/coda-fix-build-using-bare-metal-toolchain.patch
new file mode 100644
index 00000000000..6eb699e5856
--- /dev/null
+++ b/queue-4.14/coda-fix-build-using-bare-metal-toolchain.patch
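Review bot: The new `return -EBADF;` in coda_psdev_write() leaves the function before the `wake_up(&req->uc_sleep)` visible three lines further down, so when `fget()` fails on the descriptor supplied in the reply, this path never wakes the thread sleeping on the request. Whether the request has already been taken off its queue is decided above the hunk; if it has, nothing else will complete it and the upcall stays blocked. I would record the failure in the reply and still reach the wake-up, for example by storing a non-zero error in `outp->oh.result` (the field this hunk already tests for success) instead of returning early. The error encoding the waiter expects in that field is defined outside the hunk and needs to be confirmed.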
@@ -0,0 +1,48 @@
+From 97ea29f4c3beacaf03faeebc82a2c193ecdf7159 Mon Sep 17 00:00:00 2001
+From: Sam Protsenko
+Date: Tue, 16 Jul 2019 16:28:20 -0700
+Subject: coda: fix build using bare-metal toolchain
+
+[ Upstream commit b2a57e334086602be56b74958d9f29b955cd157f ]
+
+The kernel is self-contained project and can be built with bare-metal
+toolchain. But bare-metal toolchain doesn't define __linux__. Because
+of this u_quad_t type is not defined when using bare-metal toolchain and
+codafs build fails. This patch fixes it by defining u_quad_t type
+unconditionally.
+
+Link: http://lkml.kernel.org/r/3cbb40b0a57b6f9923a9d67b53473c0b691a3eaa.1558117389.git.jaharkes@cs.cmu.edu
+Signed-off-by: Sam Protsenko
+Signed-off-by: Jan Harkes
+Cc: Arnd Bergmann
+Cc: Colin Ian King
+Cc: Dan Carpenter
+Cc: David Howells
+Cc: Fabian Frederick
+Cc: Mikko Rapeli
+Cc: Yann Droneaud
+Cc: Zhouyang Jia
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ include/linux/coda.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/include/linux/coda.h b/include/linux/coda.h
+index d30209b9cef81..0ca0c83fdb1c4 100644
+--- a/include/linux/coda.h
++++ b/include/linux/coda.h
+@@ -58,8 +58,7 @@ Mellon the rights to redistribute these changes without encumbrance.
+ #ifndef _CODA_HEADER_
+ #define _CODA_HEADER_
+
+-#if defined(__linux__)
+ typedef unsigned long long u_quad_t;
+-#endif
++
+ #include
+ #endif
+--
+2.20.1
+
diff --git a/queue-4.14/dmaengine-rcar-dmac-reject-zero-length-slave-dma-req.patch b/queue-4.14/dmaengine-rcar-dmac-reject-zero-length-slave-dma-req.patch
new file mode 100644
index 00000000000..44099ce3ea0
--- /dev/null
+++ b/queue-4.14/dmaengine-rcar-dmac-reject-zero-length-slave-dma-req.patch
@@ -0,0 +1,46 @@
+From 2bd52e44fd1e8dbb06217b240cdd050cae8c05ac Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Mon, 24 Jun 2019 14:38:18 +0200
+Subject: dmaengine: rcar-dmac: Reject zero-length slave DMA requests
+
+[ Upstream commit 78efb76ab4dfb8f74f290ae743f34162cd627f19 ]
+
+While the .device_prep_slave_sg() callback rejects empty scatterlists,
+it still accepts single-entry scatterlists with a zero-length segment.
+These may happen if a driver calls dmaengine_prep_slave_single() with a
+zero len parameter. The corresponding DMA request will never complete,
+leading to messages like:
+
+ rcar-dmac e7300000.dma-controller: Channel Address Error happen
+
+and DMA timeouts.
+
+Although requesting a zero-length DMA request is a driver bug, rejecting
+it early eases debugging. Note that the .device_prep_dma_memcpy()
+callback already rejects requests to copy zero bytes.
+
+Reported-by: Eugeniu Rosca
+Analyzed-by: Yoshihiro Shimoda
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/sh/rcar-dmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c
+index 77b126525daca..19c7433e83097 100644
+--- a/drivers/dma/sh/rcar-dmac.c
++++ b/drivers/dma/sh/rcar-dmac.c
+@@ -1129,7 +1129,7 @@ rcar_dmac_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl,
+ struct rcar_dmac_chan *rchan = to_rcar_dmac_chan(chan);
+
+ /* Someone calling slave DMA on a generic channel? */
+- if (rchan->mid_rid < 0 || !sg_len) {
++ if (rchan->mid_rid < 0 || !sg_len || !sg_dma_len(sgl)) {
+ dev_warn(chan->device->dev,
+ "%s: bad parameter: len=%d, id=%d\n",
+ __func__, sg_len, rchan->mid_rid);
+--
+2.20.1
+
diff --git a/queue-4.14/drivers-rapidio-devices-rio_mport_cdev.c-nul-termina.patch b/queue-4.14/drivers-rapidio-devices-rio_mport_cdev.c-nul-termina.patch
new file mode 100644
index 00000000000..70013a4a13d
--- /dev/null
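Review bot: The warning under the new condition still prints only `len=%d` from `sg_len`, which is non-zero in exactly the case this change adds, so the log line does not show why the request was rejected. Passing the segment length as well, e.g. a `seg=%u` field fed by `sg_len ? sg_dma_len(sgl) : 0`, would make the message match the check without touching `sgl` when the list is empty. The added `!sg_dma_len(sgl)` test also looks at the first entry only; whether later zero-length entries are caught elsewhere cannot be told from the hunk, and the function continues past it.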
+++ b/queue-4.14/drivers-rapidio-devices-rio_mport_cdev.c-nul-termina.patch
@@ -0,0 +1,47 @@
+From 66a146a0e0636eb541771ce3c7ddd373de75c906 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 16 Jul 2019 16:30:03 -0700
+Subject: drivers/rapidio/devices/rio_mport_cdev.c: NUL terminate some strings
+
+[ Upstream commit 156e0b1a8112b76e351684ac948c59757037ac36 ]
+
+The dev_info.name[] array has space for RIO_MAX_DEVNAME_SZ + 1
+characters. But the problem here is that we don't ensure that the user
+put a NUL terminator on the end of the string. It could lead to an out
+of bounds read.
+
+Link: http://lkml.kernel.org/r/20190529110601.GB19119@mwanda
+Fixes: e8de370188d0 ("rapidio: add mport char device driver")
+Signed-off-by: Dan Carpenter
+Acked-by: Alexandre Bounine
+Cc: Ira Weiny
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ drivers/rapidio/devices/rio_mport_cdev.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
+index 76afe1449cab1..ecd71efe8ea00 100644
+--- a/drivers/rapidio/devices/rio_mport_cdev.c
++++ b/drivers/rapidio/devices/rio_mport_cdev.c
+@@ -1742,6 +1742,7 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv,
+
+ if (copy_from_user(&dev_info, arg, sizeof(dev_info)))
+ return -EFAULT;
++ dev_info.name[sizeof(dev_info.name) - 1] = '\0';
+
+ rmcd_debug(RDEV, "name:%s ct:0x%x did:0x%x hc:0x%x", dev_info.name,
+ dev_info.comptag, dev_info.destid, dev_info.hopcount);
+@@ -1873,6 +1874,7 @@ static int rio_mport_del_riodev(struct mport_cdev_priv *priv, void __user *arg)
+
+ if (copy_from_user(&dev_info, arg, sizeof(dev_info)))
+ return -EFAULT;
++ dev_info.name[sizeof(dev_info.name) - 1] = '\0';
+
+ mport = priv->md->mport;
+
+--
+2.20.1
+
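Review bot: Both added lines, in rio_mport_add_riodev() and rio_mport_del_riodev(), terminate `dev_info.name` silently, so a name that fills the whole array is truncated rather than rejected, and nothing at either site says why the store is there. A short comment above each, such as `/* name is copied from userspace and may lack a terminator */`, would keep the line from being dropped as redundant later. Because the same copy-then-terminate pair now appears twice, a small helper doing the `copy_from_user()` and the termination together would stop a future handler that takes this structure from missing it. Both function bodies extend beyond the hunks shown.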
diff --git a/queue-4.14/drm-nouveau-fix-memory-leak-in-nouveau_conn_reset.patch b/queue-4.14/drm-nouveau-fix-memory-leak-in-nouveau_conn_reset.patch
new file mode 100644
index 00000000000..eb57190a9e0
--- /dev/null
+++ b/queue-4.14/drm-nouveau-fix-memory-leak-in-nouveau_conn_reset.patch
@@ -0,0 +1,61 @@ +From 658d90e8ec46f832cb541259388ec62424c62126 Mon Sep 17 00:00:00 2001 +From: Yongxin Liu +Date: Mon, 1 Jul 2019 09:46:22 +0800 +Subject: drm/nouveau: fix memory leak in nouveau_conn_reset() + +[ Upstream commit 09b90e2fe35faeace2488234e2a7728f2ea8ba26 ] + +In nouveau_conn_reset(), if connector->state is true, +__drm_atomic_helper_connector_destroy_state() will be called, +but the memory pointed by asyc isn't freed. Memory leak happens +in the following function __drm_atomic_helper_connector_reset(), +where newly allocated asyc->state will be assigned to connector->state. + +So using nouveau_conn_atomic_destroy_state() instead of +__drm_atomic_helper_connector_destroy_state to free the "old" asyc. + +Here the is the log showing memory leak. + +unreferenced object 0xffff8c5480483c80 (size 192): + comm "kworker/0:2", pid 188, jiffies 4294695279 (age 53.179s) + hex dump (first 32 bytes): + 00 f0 ba 7b 54 8c ff ff 00 00 00 00 00 00 00 00 ...{T........... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
+ backtrace: + [<000000005005c0d0>] kmem_cache_alloc_trace+0x195/0x2c0 + [<00000000a122baed>] nouveau_conn_reset+0x25/0xc0 [nouveau] + [<000000004fd189a2>] nouveau_connector_create+0x3a7/0x610 [nouveau] + [<00000000c73343a8>] nv50_display_create+0x343/0x980 [nouveau] + [<000000002e2b03c3>] nouveau_display_create+0x51f/0x660 [nouveau] + [<00000000c924699b>] nouveau_drm_device_init+0x182/0x7f0 [nouveau] + [<00000000cc029436>] nouveau_drm_probe+0x20c/0x2c0 [nouveau] + [<000000007e961c3e>] local_pci_probe+0x47/0xa0 + [<00000000da14d569>] work_for_cpu_fn+0x1a/0x30 + [<0000000028da4805>] process_one_work+0x27c/0x660 + [<000000001d415b04>] worker_thread+0x22b/0x3f0 + [<0000000003b69f1f>] kthread+0x12f/0x150 + [<00000000c94c29b7>] ret_from_fork+0x3a/0x50 + +Signed-off-by: Yongxin Liu +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_connector.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c +index 2c6d196836886..4a7d50a96d36f 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -251,7 +251,7 @@ nouveau_conn_reset(struct drm_connector *connector) + return; + + if (connector->state) +- __drm_atomic_helper_connector_destroy_state(connector->state); ++ nouveau_conn_atomic_destroy_state(connector, connector->state); + __drm_atomic_helper_connector_reset(connector, &asyc->state); + asyc->dither.mode = DITHERING_MODE_AUTO; + asyc->dither.depth = DITHERING_DEPTH_AUTO; +-- +2.20.1 + diff --git a/queue-4.14/fs-adfs-super-fix-use-after-free-bug.patch b/queue-4.14/fs-adfs-super-fix-use-after-free-bug.patch new file mode 100644 index 00000000000..95e7a408729 --- /dev/null +++ b/queue-4.14/fs-adfs-super-fix-use-after-free-bug.patch 
@@ -0,0 +1,45 @@
+From 9587804889a80d8c07dee634de1169cbcbfa03e3 Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Tue, 4 Jun 2019 14:50:14 +0100
+Subject: fs/adfs: super: fix use-after-free bug
+
+[ Upstream commit 5808b14a1f52554de612fee85ef517199855e310 ]
+
+Fix a use-after-free bug during filesystem initialisation, where we
+access the disc record (which is stored in a buffer) after we have
+released the buffer.
+
+Signed-off-by: Russell King
+Signed-off-by: Al Viro
+Signed-off-by: Sasha Levin
+---
+ fs/adfs/super.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/adfs/super.c b/fs/adfs/super.c
+index c9fdfb1129335..e42c300015090 100644
+--- a/fs/adfs/super.c
++++ b/fs/adfs/super.c
+@@ -368,6 +368,7 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent)
+ struct buffer_head *bh;
+ struct object_info root_obj;
+ unsigned char *b_data;
++ unsigned int blocksize;
+ struct adfs_sb_info *asb;
+ struct inode *root;
+ int ret = -EINVAL;
+@@ -419,8 +420,10 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent)
+ goto error_free_bh;
+ }
+
++ blocksize = 1 << dr->log2secsize;
+ brelse(bh);
+- if (sb_set_blocksize(sb, 1 << dr->log2secsize)) {
++
++ if (sb_set_blocksize(sb, blocksize)) {
+ bh = sb_bread(sb, ADFS_DISCRECORD / sb->s_blocksize);
+ if (!bh) {
+ adfs_error(sb, "couldn't read superblock on "
+--
+2.20.1
+
diff --git a/queue-4.14/ftrace-enable-trampoline-when-rec-count-returns-back.patch b/queue-4.14/ftrace-enable-trampoline-when-rec-count-returns-back.patch
new file mode 100644
index 00000000000..145134d50c5
--- /dev/null
+++ b/queue-4.14/ftrace-enable-trampoline-when-rec-count-returns-back.patch
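Review bot: `blocksize = 1 << dr->log2secsize;` shifts a signed `int` by a value read from the disc record and stores the result in the new `unsigned int blocksize`. Whether `log2secsize` has been range-checked before this point is not visible in the hunk (the preceding `goto error_free_bh` suggests some validation happens above); if it has not, a large on-disk value makes the shift undefined. Writing it as `blocksize = 1U << dr->log2secsize;` matches the variable's type, and a one-line comment such as `/* read from bh before it is released */` would document the ordering this fix depends on. adfs_fill_super() continues outside the hunk.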
@@ -0,0 +1,105 @@ +From 636255d58ee7fc8a4018b6c312348db60799d009 Mon Sep 17 00:00:00 2001 +From: Cheng Jian +Date: Sat, 4 May 2019 19:39:39 +0800 +Subject: ftrace: Enable trampoline when rec count returns back to one + +[ Upstream commit a124692b698b00026a58d89831ceda2331b2e1d0 ] + +Custom trampolines can only be enabled if there is only a single ops +attached to it. If there's only a single callback registered to a function, +and the ops has a trampoline registered for it, then we can call the +trampoline directly. This is very useful for improving the performance of +ftrace and livepatch. + +If more than one callback is registered to a function, the general +trampoline is used, and the custom trampoline is not restored back to the +direct call even if all the other callbacks were unregistered and we are +back to one callback for the function. + +To fix this, set FTRACE_FL_TRAMP flag if rec count is decremented +to one, and the ops that left has a trampoline. + +Testing After this patch : + +insmod livepatch_unshare_files.ko +cat /sys/kernel/debug/tracing/enabled_functions + + unshare_files (1) R I tramp: 0xffffffffc0000000(klp_ftrace_handler+0x0/0xa0) ->ftrace_ops_assist_func+0x0/0xf0 + +echo unshare_files > /sys/kernel/debug/tracing/set_ftrace_filter +echo function > /sys/kernel/debug/tracing/current_tracer +cat /sys/kernel/debug/tracing/enabled_functions + + unshare_files (2) R I ->ftrace_ops_list_func+0x0/0x150 + +echo nop > /sys/kernel/debug/tracing/current_tracer +cat /sys/kernel/debug/tracing/enabled_functions + + unshare_files (1) R I tramp: 0xffffffffc0000000(klp_ftrace_handler+0x0/0xa0) ->ftrace_ops_assist_func+0x0/0xf0 + +Link: http://lkml.kernel.org/r/1556969979-111047-1-git-send-email-cj.chengjian@huawei.com + +Signed-off-by: Cheng Jian +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/ftrace.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +diff --git 
a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index c4a0ad18c8593..7420f5f360947 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -1712,6 +1712,11 @@ static bool test_rec_ops_needs_regs(struct dyn_ftrace *rec) + return keep_regs; + } + ++static struct ftrace_ops * ++ftrace_find_tramp_ops_any(struct dyn_ftrace *rec); ++static struct ftrace_ops * ++ftrace_find_tramp_ops_next(struct dyn_ftrace *rec, struct ftrace_ops *ops); ++ + static bool __ftrace_hash_rec_update(struct ftrace_ops *ops, + int filter_hash, + bool inc) +@@ -1840,15 +1845,17 @@ static bool __ftrace_hash_rec_update(struct ftrace_ops *ops, + } + + /* +- * If the rec had TRAMP enabled, then it needs to +- * be cleared. As TRAMP can only be enabled iff +- * there is only a single ops attached to it. +- * In otherwords, always disable it on decrementing. +- * In the future, we may set it if rec count is +- * decremented to one, and the ops that is left +- * has a trampoline. ++ * The TRAMP needs to be set only if rec count ++ * is decremented to one, and the ops that is ++ * left has a trampoline. As TRAMP can only be ++ * enabled if there is only a single ops attached ++ * to it. + */ +- rec->flags &= ~FTRACE_FL_TRAMP; ++ if (ftrace_rec_count(rec) == 1 && ++ ftrace_find_tramp_ops_any(rec)) ++ rec->flags |= FTRACE_FL_TRAMP; ++ else ++ rec->flags &= ~FTRACE_FL_TRAMP; + + /* + * flags will be cleared in ftrace_check_record() +@@ -2041,11 +2048,6 @@ static void print_ip_ins(const char *fmt, const unsigned char *p) + printk(KERN_CONT "%s%02x", i ? ":" : "", p[i]); + } + +-static struct ftrace_ops * +-ftrace_find_tramp_ops_any(struct dyn_ftrace *rec); +-static struct ftrace_ops * +-ftrace_find_tramp_ops_next(struct dyn_ftrace *rec, struct ftrace_ops *ops); +- + enum ftrace_bug_type ftrace_bug_type; + const void *ftrace_expected; + +-- +2.20.1 + 
diff --git a/queue-4.14/ipc-mqueue.c-only-perform-resource-calculation-if-us.patch b/queue-4.14/ipc-mqueue.c-only-perform-resource-calculation-if-us.patch
new file mode 100644
index 00000000000..268ed645904
--- /dev/null
+++ b/queue-4.14/ipc-mqueue.c-only-perform-resource-calculation-if-us.patch
@@ -0,0 +1,103 @@
+From 3daaacb2337d7fd9780c298d140a0b5700217f85 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Tue, 16 Jul 2019 16:30:21 -0700
+Subject: ipc/mqueue.c: only perform resource calculation if user valid
+
+[ Upstream commit a318f12ed8843cfac53198390c74a565c632f417 ]
+
+Andreas Christoforou reported:
+
+ UBSAN: Undefined behaviour in ipc/mqueue.c:414:49 signed integer overflow:
+ 9 * 2305843009213693951 cannot be represented in type 'long int'
+ ...
+ Call Trace:
+ mqueue_evict_inode+0x8e7/0xa10 ipc/mqueue.c:414
+ evict+0x472/0x8c0 fs/inode.c:558
+ iput_final fs/inode.c:1547 [inline]
+ iput+0x51d/0x8c0 fs/inode.c:1573
+ mqueue_get_inode+0x8eb/0x1070 ipc/mqueue.c:320
+ mqueue_create_attr+0x198/0x440 ipc/mqueue.c:459
+ vfs_mkobj+0x39e/0x580 fs/namei.c:2892
+ prepare_open ipc/mqueue.c:731 [inline]
+ do_mq_open+0x6da/0x8e0 ipc/mqueue.c:771
+
+Which could be triggered by:
+
+ struct mq_attr attr = {
+ .mq_flags = 0,
+ .mq_maxmsg = 9,
+ .mq_msgsize = 0x1fffffffffffffff,
+ .mq_curmsgs = 0,
+ };
+
+ if (mq_open("/testing", 0x40, 3, &attr) == (mqd_t) -1)
+ perror("mq_open");
+
+mqueue_get_inode() was correctly rejecting the giant mq_msgsize, and
+preparing to return -EINVAL. During the cleanup, it calls
+mqueue_evict_inode() which performed resource usage tracking math for
+updating "user", before checking if there was a valid "user" at all
+(which would indicate that the calculations would be sane). Instead,
+delay this check to after seeing a valid "user".
+
+The overflow was real, but the results went unused, so while the flaw is
+harmless, it's noisy for kernel fuzzers, so just fix it by moving the
+calculation under the non-NULL "user" where it actually gets used.
+
+Link: http://lkml.kernel.org/r/201906072207.ECB65450@keescook
+Signed-off-by: Kees Cook
+Reported-by: Andreas Christoforou
+Acked-by: "Eric W. Biederman"
+Cc: Al Viro
+Cc: Arnd Bergmann
+Cc: Davidlohr Bueso
+Cc: Manfred Spraul
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ ipc/mqueue.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/ipc/mqueue.c b/ipc/mqueue.c
+index 5c0ae912f2f25..dccd4ecb786ac 100644
+--- a/ipc/mqueue.c
++++ b/ipc/mqueue.c
+@@ -372,7 +372,6 @@ static void mqueue_evict_inode(struct inode *inode)
+ {
+ struct mqueue_inode_info *info;
+ struct user_struct *user;
+- unsigned long mq_bytes, mq_treesize;
+ struct ipc_namespace *ipc_ns;
+ struct msg_msg *msg, *nmsg;
+ LIST_HEAD(tmp_msg);
+@@ -395,16 +394,18 @@ static void mqueue_evict_inode(struct inode *inode)
+ free_msg(msg);
+ }
+
+- /* Total amount of bytes accounted for the mqueue */
+- mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) +
+- min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) *
+- sizeof(struct posix_msg_tree_node);
+-
+- mq_bytes = mq_treesize + (info->attr.mq_maxmsg *
+- info->attr.mq_msgsize);
+-
+ user = info->user;
+ if (user) {
++ unsigned long mq_bytes, mq_treesize;
++
++ /* Total amount of bytes accounted for the mqueue */
++ mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) +
++ min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) *
++ sizeof(struct posix_msg_tree_node);
++
++ mq_bytes = mq_treesize + (info->attr.mq_maxmsg *
++ info->attr.mq_msgsize);
++
+ spin_lock(&mq_lock);
+ user->mq_bytes -= mq_bytes;
+ /*
+--
+2.20.1
+
diff --git a/queue-4.14/kernel-module.c-only-return-eexist-for-modules-that-.patch b/queue-4.14/kernel-module.c-only-return-eexist-for-modules-that-.patch
new file mode 100644
index 00000000000..cc4b2766325
--- /dev/null
+++ b/queue-4.14/kernel-module.c-only-return-eexist-for-modules-that-.patch
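Review bot: The computation moved under `if (user) {` is the same arithmetic that overflowed, `info->attr.mq_maxmsg * info->attr.mq_msgsize`, and it is now safe only because of an invariant stated in the commit message rather than in the code: `info->user` is set only once the attributes have passed validation in mqueue_get_inode(). That function is outside the hunk, so the invariant cannot be confirmed from here. A comment above the block, e.g. `/* attr was validated before info->user was set, so this cannot overflow */`, would keep a later change to the setup order from reintroducing the overflow into the `user->mq_bytes` accounting.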
@@ -0,0 +1,74 @@
+From a62c1266c9835ba870e83fdc6350f923f1a1dddf Mon Sep 17 00:00:00 2001
+From: Prarit Bhargava
+Date: Wed, 29 May 2019 07:26:25 -0400
+Subject: kernel/module.c: Only return -EEXIST for modules that have finished
+ loading
+
+[ Upstream commit 6e6de3dee51a439f76eb73c22ae2ffd2c9384712 ]
+
+Microsoft HyperV disables the X86_FEATURE_SMCA bit on AMD systems, and
+linux guests boot with repeated errors:
+
+amd64_edac_mod: Unknown symbol amd_unregister_ecc_decoder (err -2)
+amd64_edac_mod: Unknown symbol amd_register_ecc_decoder (err -2)
+amd64_edac_mod: Unknown symbol amd_report_gart_errors (err -2)
+amd64_edac_mod: Unknown symbol amd_unregister_ecc_decoder (err -2)
+amd64_edac_mod: Unknown symbol amd_register_ecc_decoder (err -2)
+amd64_edac_mod: Unknown symbol amd_report_gart_errors (err -2)
+
+The warnings occur because the module code erroneously returns -EEXIST
+for modules that have failed to load and are in the process of being
+removed from the module list.
+
+module amd64_edac_mod has a dependency on module edac_mce_amd. Using
+modules.dep, systemd will load edac_mce_amd for every request of
+amd64_edac_mod. When the edac_mce_amd module loads, the module has
+state MODULE_STATE_UNFORMED and once the module load fails and the state
+becomes MODULE_STATE_GOING. Another request for edac_mce_amd module
+executes and add_unformed_module() will erroneously return -EEXIST even
+though the previous instance of edac_mce_amd has MODULE_STATE_GOING.
+Upon receiving -EEXIST, systemd attempts to load amd64_edac_mod, which
+fails because of unknown symbols from edac_mce_amd.
+
+add_unformed_module() must wait to return for any case other than
+MODULE_STATE_LIVE to prevent a race between multiple loads of
+dependent modules.
+
+Signed-off-by: Prarit Bhargava
+Signed-off-by: Barret Rhoden
+Cc: David Arcari
+Cc: Jessica Yu
+Cc: Heiko Carstens
+Signed-off-by: Jessica Yu
+Signed-off-by: Sasha Levin
+---
+ kernel/module.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/module.c b/kernel/module.c
+index 94528b8910278..4b372c14d9a1f 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -3391,8 +3391,7 @@ static bool finished_loading(const char *name)
+ sched_annotate_sleep();
+ mutex_lock(&module_mutex);
+ mod = find_module_all(name, strlen(name), true);
+- ret = !mod || mod->state == MODULE_STATE_LIVE
+- || mod->state == MODULE_STATE_GOING;
++ ret = !mod || mod->state == MODULE_STATE_LIVE;
+ mutex_unlock(&module_mutex);
+
+ return ret;
+@@ -3560,8 +3559,7 @@ again:
+ mutex_lock(&module_mutex);
+ old = find_module_all(mod->name, strlen(mod->name), true);
+ if (old != NULL) {
+- if (old->state == MODULE_STATE_COMING
+- || old->state == MODULE_STATE_UNFORMED) {
++ if (old->state != MODULE_STATE_LIVE) {
+ /* Wait in case it fails to load. */
+ mutex_unlock(&module_mutex);
+ err = wait_event_interruptible(module_wq,
+--
+2.20.1
+
diff --git a/queue-4.14/mips-lantiq-fix-bitfield-masking.patch b/queue-4.14/mips-lantiq-fix-bitfield-masking.patch
new file mode 100644
index 00000000000..bf747f82a17
--- /dev/null
+++ b/queue-4.14/mips-lantiq-fix-bitfield-masking.patch
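Review bot: The comment kept under the new `if (old->state != MODULE_STATE_LIVE) {` still reads `/* Wait in case it fails to load. */`, but the branch now also covers MODULE_STATE_GOING, where the old instance has already failed or is being removed. Rewording it to something like `/* Wait until the old instance is live or gone. */` would match the new condition and the paired change to `ret` in finished_loading(). The `again:` block starts and ends outside the hunk, so how the wait terminates for a module that stays in the going state cannot be checked from here.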
@@ -0,0 +1,42 @@
+From 668b905170d4efbfb23864f8a3098454113b13b2 Mon Sep 17 00:00:00 2001
+From: Petr Cvek
+Date: Thu, 20 Jun 2019 23:39:37 +0200
+Subject: MIPS: lantiq: Fix bitfield masking
+
+[ Upstream commit ba1bc0fcdeaf3bf583c1517bd2e3e29cf223c969 ]
+
+The modification of EXIN register doesn't clean the bitfield before
+the writing of a new value. After a few modifications the bitfield would
+accumulate only '1's.
+
+Signed-off-by: Petr Cvek
+Signed-off-by: Paul Burton
+Cc: hauke@hauke-m.de
+Cc: john@phrozen.org
+Cc: linux-mips@vger.kernel.org
+Cc: openwrt-devel@lists.openwrt.org
+Cc: pakahmar@hotmail.com
+Signed-off-by: Sasha Levin
+---
+ arch/mips/lantiq/irq.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c
+index c4ef1c31e0c4f..37caeadb2964c 100644
+--- a/arch/mips/lantiq/irq.c
++++ b/arch/mips/lantiq/irq.c
+@@ -156,8 +156,9 @@ static int ltq_eiu_settype(struct irq_data *d, unsigned int type)
+ if (edge)
+ irq_set_handler(d->hwirq, handle_edge_irq);
+
+- ltq_eiu_w32(ltq_eiu_r32(LTQ_EIU_EXIN_C) |
+- (val << (i * 4)), LTQ_EIU_EXIN_C);
++ ltq_eiu_w32((ltq_eiu_r32(LTQ_EIU_EXIN_C) &
++ (~(7 << (i * 4)))) | (val << (i * 4)),
++ LTQ_EIU_EXIN_C);
+ }
+ }
+
+--
+2.20.1
+
diff --git a/queue-4.14/mm-cma.c-fail-if-fixed-declaration-can-t-be-honored.patch b/queue-4.14/mm-cma.c-fail-if-fixed-declaration-can-t-be-honored.patch
new file mode 100644
index 00000000000..8311671d2a0
--- /dev/null
+++ b/queue-4.14/mm-cma.c-fail-if-fixed-declaration-can-t-be-honored.patch
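Review bot: The field mask is written as the bare literal `7` and the shift `(i * 4)` now appears twice inside one `ltq_eiu_w32()` call, which makes the read-modify-write hard to check by eye. Hoisting the shift into a local and writing `ltq_eiu_w32((ltq_eiu_r32(LTQ_EIU_EXIN_C) & ~(7 << shift)) | (val << shift), LTQ_EIU_EXIN_C);` keeps the mask and the value visibly aligned, and a named constant for the field mask would be better still. Whether `val` is guaranteed to fit in the masked bits is not visible in the hunk, so masking it as well, `(val & 7) << shift`, is worth considering. The enclosing loop and function start outside the hunk.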
@@ -0,0 +1,68 @@
+From 2b2b22e2e10f72aea1a7ae8f0c34ce661c6f14c4 Mon Sep 17 00:00:00 2001
+From: Doug Berger
+Date: Tue, 16 Jul 2019 16:26:24 -0700
+Subject: mm/cma.c: fail if fixed declaration can't be honored
+
+[ Upstream commit c633324e311243586675e732249339685e5d6faa ]
+
+The description of cma_declare_contiguous() indicates that if the
+'fixed' argument is true the reserved contiguous area must be exactly at
+the address of the 'base' argument.
+
+However, the function currently allows the 'base', 'size', and 'limit'
+arguments to be silently adjusted to meet alignment constraints. This
+commit enforces the documented behavior through explicit checks that
+return an error if the region does not fit within a specified region.
+
+Link: http://lkml.kernel.org/r/1561422051-16142-1-git-send-email-opendmb@gmail.com
+Fixes: 5ea3b1b2f8ad ("cma: add placement specifier for "cma=" kernel parameter")
+Signed-off-by: Doug Berger
+Acked-by: Michal Nazarewicz
+Cc: Yue Hu
+Cc: Mike Rapoport
+Cc: Laura Abbott
+Cc: Peng Fan
+Cc: Thomas Gleixner
+Cc: Marek Szyprowski
+Cc: Andrey Konovalov
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/cma.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/mm/cma.c b/mm/cma.c
+index 56761e40d1918..c4a34c813d470 100644
+--- a/mm/cma.c
++++ b/mm/cma.c
+@@ -277,6 +277,12 @@ int __init cma_declare_contiguous(phys_addr_t base,
+ */
+ alignment = max(alignment, (phys_addr_t)PAGE_SIZE <<
+ max_t(unsigned long, MAX_ORDER - 1, pageblock_order));
++ if (fixed && base & (alignment - 1)) {
++ ret = -EINVAL;
++ pr_err("Region at %pa must be aligned to %pa bytes\n",
++ &base, &alignment);
++ goto err;
++ }
+ base = ALIGN(base, alignment);
+ size = ALIGN(size, alignment);
+ limit &= ~(alignment - 1);
+@@ -307,6 +313,13 @@ int __init cma_declare_contiguous(phys_addr_t base,
+ if (limit == 0 || limit > memblock_end)
+ limit = memblock_end;
+
++ if (base + size > limit) {
++ ret = -EINVAL;
++ pr_err("Size (%pa) of region at %pa exceeds limit (%pa)\n",
++ &size, &base, &limit);
++ goto err;
++ }
++
+ /* Reserve memory */
+ if (fixed) {
+ if (memblock_is_region_reserved(base, size) ||
+--
+2.20.1
+
diff --git a/queue-4.14/scsi-zfcp-fix-gcc-compiler-warning-emitted-with-wmay.patch b/queue-4.14/scsi-zfcp-fix-gcc-compiler-warning-emitted-with-wmay.patch
new file mode 100644
index 00000000000..5e8b6a23ba0
--- /dev/null
+++ b/queue-4.14/scsi-zfcp-fix-gcc-compiler-warning-emitted-with-wmay.patch
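Review bot: The new bound check `if (base + size > limit)` adds two `phys_addr_t` values with no guard against wrap-around, so a `base`/`size` pair whose sum overflows compares as small and passes the check. Writing it as `if (size > limit || base > limit - size)` rejects the same cases without performing the addition. In the first added check, `fixed && base & (alignment - 1)` relies on `&` binding tighter than `&&`; `fixed && (base & (alignment - 1))` says the same thing explicitly. cma_declare_contiguous() starts and ends outside both inner hunks.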
@@ -0,0 +1,117 @@ +From af1f78ba28a411cddf04308ca216e1cd44b12891 Mon Sep 17 00:00:00 2001 +From: Benjamin Block +Date: Tue, 2 Jul 2019 23:02:02 +0200 +Subject: scsi: zfcp: fix GCC compiler warning emitted with + -Wmaybe-uninitialized + +[ Upstream commit 484647088826f2f651acbda6bcf9536b8a466703 ] + +GCC v9 emits this warning: + CC drivers/s390/scsi/zfcp_erp.o + drivers/s390/scsi/zfcp_erp.c: In function 'zfcp_erp_action_enqueue': + drivers/s390/scsi/zfcp_erp.c:217:26: warning: 'erp_action' may be used uninitialized in this function [-Wmaybe-uninitialized] + 217 | struct zfcp_erp_action *erp_action; + | ^~~~~~~~~~ + +This is a possible false positive case, as also documented in the GCC +documentations: + https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wmaybe-uninitialized + +The actual code-sequence is like this: + Various callers can invoke the function below with the argument "want" + being one of: + ZFCP_ERP_ACTION_REOPEN_ADAPTER, + ZFCP_ERP_ACTION_REOPEN_PORT_FORCED, + ZFCP_ERP_ACTION_REOPEN_PORT, or + ZFCP_ERP_ACTION_REOPEN_LUN. + + zfcp_erp_action_enqueue(want, ...) + ... + need = zfcp_erp_required_act(want, ...) + need = want + ... + maybe: need = ZFCP_ERP_ACTION_REOPEN_PORT + maybe: need = ZFCP_ERP_ACTION_REOPEN_ADAPTER + ... + return need + ... + zfcp_erp_setup_act(need, ...) + struct zfcp_erp_action *erp_action; // <== line 217 + ... + switch(need) { + case ZFCP_ERP_ACTION_REOPEN_LUN: + ... + erp_action = &zfcp_sdev->erp_action; + WARN_ON_ONCE(erp_action->port != port); // <== access + ... + break; + case ZFCP_ERP_ACTION_REOPEN_PORT: + case ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: + ... + erp_action = &port->erp_action; + WARN_ON_ONCE(erp_action->port != port); // <== access + ... + break; + case ZFCP_ERP_ACTION_REOPEN_ADAPTER: + ... + erp_action = &adapter->erp_action; + WARN_ON_ONCE(erp_action->port != NULL); // <== access + ... + break; + } + ... 
+ WARN_ON_ONCE(erp_action->adapter != adapter); // <== access + +When zfcp_erp_setup_act() is called, 'need' will never be anything else +than one of the 4 possible enumeration-names that are used in the +switch-case, and 'erp_action' is initialized for every one of them, before +it is used. Thus the warning is a false positive, as documented. + +We introduce the extra if{} in the beginning to create an extra code-flow, +so the compiler can be convinced that the switch-case will never see any +other value. + +BUG_ON()/BUG() is intentionally not used to not crash anything, should +this ever happen anyway - right now it's impossible, as argued above; and +it doesn't introduce a 'default:' switch-case to retain warnings should +'enum zfcp_erp_act_type' ever be extended and no explicit case be +introduced. See also v5.0 commit 399b6c8bc9f7 ("scsi: zfcp: drop old +default switch case which might paper over missing case"). + +Signed-off-by: Benjamin Block +Reviewed-by: Jens Remus +Reviewed-by: Steffen Maier +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/s390/scsi/zfcp_erp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c +index 6d5065f679acf..64d70de98cdb6 100644 +--- a/drivers/s390/scsi/zfcp_erp.c ++++ b/drivers/s390/scsi/zfcp_erp.c +@@ -11,6 +11,7 @@ + #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt + + #include ++#include + #include "zfcp_ext.h" + #include "zfcp_reqlist.h" + +@@ -245,6 +246,12 @@ static struct zfcp_erp_action *zfcp_erp_setup_act(int need, u32 act_status, + struct zfcp_erp_action *erp_action; + struct zfcp_scsi_dev *zfcp_sdev; + ++ if (WARN_ON_ONCE(need != ZFCP_ERP_ACTION_REOPEN_LUN && ++ need != ZFCP_ERP_ACTION_REOPEN_PORT && ++ need != ZFCP_ERP_ACTION_REOPEN_PORT_FORCED && ++ need != ZFCP_ERP_ACTION_REOPEN_ADAPTER)) ++ return NULL; ++ + switch (need) { + case ZFCP_ERP_ACTION_REOPEN_LUN: + zfcp_sdev = sdev_to_zfcp(sdev); +-- +2.20.1 + 
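Review bot: The new guard makes zfcp_erp_setup_act() return NULL for an unexpected `need`, which is safe only if every caller checks the result; the caller is not in the hunk, so that needs confirming. The four-way comparison also repeats the `switch (need)` case labels directly below it, and nothing in the code says it exists for the compiler's benefit. A comment above it, e.g. `/* not reachable today; gives the compiler a path on which erp_action is never read */`, would stop it being removed as dead code or left stale when a new action type is added. The function continues outside the hunk.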
diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644
index 00000000000..ca87732794d
--- /dev/null
+++ b/queue-4.14/series
@@ -0,0 +1,32 @@
+arm-riscpc-fix-dma.patch
+arm-dts-rockchip-make-rk3288-veyron-minnie-run-at-hs.patch
+arm-dts-rockchip-make-rk3288-veyron-mickey-s-emmc-wo.patch
+arm-dts-rockchip-mark-that-the-rk3288-timer-might-st.patch
+ftrace-enable-trampoline-when-rec-count-returns-back.patch
+kernel-module.c-only-return-eexist-for-modules-that-.patch
+mips-lantiq-fix-bitfield-masking.patch
+dmaengine-rcar-dmac-reject-zero-length-slave-dma-req.patch
+clk-tegra210-fix-pllu-and-pllu_out1.patch
+fs-adfs-super-fix-use-after-free-bug.patch
+btrfs-fix-minimum-number-of-chunk-errors-for-dup.patch
+cifs-fix-a-race-condition-with-cifs_echo_request.patch
+ceph-fix-improper-use-of-smp_mb__before_atomic.patch
+ceph-return-erange-if-virtual-xattr-value-didn-t-fit.patch
+acpi-blacklist-fix-clang-warning-for-unused-dmi-tabl.patch
+scsi-zfcp-fix-gcc-compiler-warning-emitted-with-wmay.patch
+x86-kvm-avoid-constant-conversion-warning.patch
+acpi-fix-false-positive-wuninitialized-warning.patch
+be2net-signal-that-the-device-cannot-transmit-during.patch
+x86-apic-silence-wtype-limits-compiler-warnings.patch
+x86-math-emu-hide-clang-warnings-for-16-bit-overflow.patch
+mm-cma.c-fail-if-fixed-declaration-can-t-be-honored.patch
+coda-add-error-handling-for-fget.patch
+coda-fix-build-using-bare-metal-toolchain.patch
+uapi-linux-coda_psdev.h-move-upc_req-definition-from.patch
+drivers-rapidio-devices-rio_mport_cdev.c-nul-termina.patch
+ipc-mqueue.c-only-perform-resource-calculation-if-us.patch
+xen-pv-fix-a-boot-up-hang-revealed-by-int3-self-test.patch
+x86-kvm-don-t-call-kvm_spurious_fault-from-.fixup.patch
+x86-paravirt-fix-callee-saved-function-elf-sizes.patch
+x86-boot-remove-multiple-copy-of-static-function-san.patch
+drm-nouveau-fix-memory-leak-in-nouveau_conn_reset.patch
diff --git a/queue-4.14/uapi-linux-coda_psdev.h-move-upc_req-definition-from.patch b/queue-4.14/uapi-linux-coda_psdev.h-move-upc_req-definition-from.patch
new file mode 100644
index 00000000000..2d1bbc09b37
--- /dev/null
+++ b/queue-4.14/uapi-linux-coda_psdev.h-move-upc_req-definition-from.patch
@@ -0,0 +1,106 @@ +From 8082aa013533df859be254b57b166b5c6186e9bc Mon Sep 17 00:00:00 2001 +From: Mikko Rapeli +Date: Tue, 16 Jul 2019 16:28:10 -0700 +Subject: uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel + side headers + +[ Upstream commit f90fb3c7e2c13ae829db2274b88b845a75038b8a ] + +Only users of upc_req in kernel side fs/coda/psdev.c and +fs/coda/upcall.c already include linux/coda_psdev.h. + +Suggested by Jan Harkes in + https://lore.kernel.org/lkml/20150531111913.GA23377@cs.cmu.edu/ + +Fixes these include/uapi/linux/coda_psdev.h compilation errors in userspace: + + linux/coda_psdev.h:12:19: error: field `uc_chain' has incomplete type + struct list_head uc_chain; + ^ + linux/coda_psdev.h:13:2: error: unknown type name `caddr_t' + caddr_t uc_data; + ^ + linux/coda_psdev.h:14:2: error: unknown type name `u_short' + u_short uc_flags; + ^ + linux/coda_psdev.h:15:2: error: unknown type name `u_short' + u_short uc_inSize; /* Size is at most 5000 bytes */ + ^ + linux/coda_psdev.h:16:2: error: unknown type name `u_short' + u_short uc_outSize; + ^ + linux/coda_psdev.h:17:2: error: unknown type name `u_short' + u_short uc_opcode; /* copied from data to save lookup */ + ^ + linux/coda_psdev.h:19:2: error: unknown type name `wait_queue_head_t' + wait_queue_head_t uc_sleep; /* process' wait queue */ + ^ + +Link: http://lkml.kernel.org/r/9f99f5ce6a0563d5266e6cf7aa9585aac2cae971.1558117389.git.jaharkes@cs.cmu.edu +Signed-off-by: Mikko Rapeli +Signed-off-by: Jan Harkes +Cc: Arnd Bergmann +Cc: Colin Ian King +Cc: Dan Carpenter +Cc: David Howells +Cc: Fabian Frederick +Cc: Sam Protsenko +Cc: Yann Droneaud +Cc: Zhouyang Jia +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/coda_psdev.h | 11 +++++++++++ + include/uapi/linux/coda_psdev.h | 13 ------------- + 2 files changed, 11 insertions(+), 13 deletions(-) + +diff --git a/include/linux/coda_psdev.h b/include/linux/coda_psdev.h +index 
15170954aa2b3..57d2b2faf6a3e 100644 +--- a/include/linux/coda_psdev.h ++++ b/include/linux/coda_psdev.h +@@ -19,6 +19,17 @@ struct venus_comm { + struct mutex vc_mutex; + }; + ++/* messages between coda filesystem in kernel and Venus */ ++struct upc_req { ++ struct list_head uc_chain; ++ caddr_t uc_data; ++ u_short uc_flags; ++ u_short uc_inSize; /* Size is at most 5000 bytes */ ++ u_short uc_outSize; ++ u_short uc_opcode; /* copied from data to save lookup */ ++ int uc_unique; ++ wait_queue_head_t uc_sleep; /* process' wait queue */ ++}; + + static inline struct venus_comm *coda_vcp(struct super_block *sb) + { +diff --git a/include/uapi/linux/coda_psdev.h b/include/uapi/linux/coda_psdev.h +index aa6623efd2dd0..d50d51a57fe4e 100644 +--- a/include/uapi/linux/coda_psdev.h ++++ b/include/uapi/linux/coda_psdev.h +@@ -7,19 +7,6 @@ + #define CODA_PSDEV_MAJOR 67 + #define MAX_CODADEVS 5 /* how many do we allow */ + +- +-/* messages between coda filesystem in kernel and Venus */ +-struct upc_req { +- struct list_head uc_chain; +- caddr_t uc_data; +- u_short uc_flags; +- u_short uc_inSize; /* Size is at most 5000 bytes */ +- u_short uc_outSize; +- u_short uc_opcode; /* copied from data to save lookup */ +- int uc_unique; +- wait_queue_head_t uc_sleep; /* process' wait queue */ +-}; +- + #define CODA_REQ_ASYNC 0x1 + #define CODA_REQ_READ 0x2 + #define CODA_REQ_WRITE 0x4 +-- +2.20.1 + diff --git a/queue-4.14/x86-apic-silence-wtype-limits-compiler-warnings.patch b/queue-4.14/x86-apic-silence-wtype-limits-compiler-warnings.patch new file mode 100644 index 00000000000..06b8980bc44 --- /dev/null +++ b/queue-4.14/x86-apic-silence-wtype-limits-compiler-warnings.patch 
@@ -0,0 +1,74 @@
+From fe8f7d902788c6e4e4a94d5718eec78281d81740 Mon Sep 17 00:00:00 2001
+From: Qian Cai
+Date: Mon, 8 Jul 2019 17:36:45 -0400
+Subject: x86/apic: Silence -Wtype-limits compiler warnings
+
+[ Upstream commit ec6335586953b0df32f83ef696002063090c7aef ]
+
+There are many compiler warnings like this,
+
+In file included from ./arch/x86/include/asm/smp.h:13,
+ from ./arch/x86/include/asm/mmzone_64.h:11,
+ from ./arch/x86/include/asm/mmzone.h:5,
+ from ./include/linux/mmzone.h:969,
+ from ./include/linux/gfp.h:6,
+ from ./include/linux/mm.h:10,
+ from arch/x86/kernel/apic/io_apic.c:34:
+arch/x86/kernel/apic/io_apic.c: In function 'check_timer':
+./arch/x86/include/asm/apic.h:37:11: warning: comparison of unsigned
+expression >= 0 is always true [-Wtype-limits]
+ if ((v) <= apic_verbosity) \
+ ^~
+arch/x86/kernel/apic/io_apic.c:2160:2: note: in expansion of macro
+'apic_printk'
+ apic_printk(APIC_QUIET, KERN_INFO "..TIMER: vector=0x%02X "
+ ^~~~~~~~~~~
+./arch/x86/include/asm/apic.h:37:11: warning: comparison of unsigned
+expression >= 0 is always true [-Wtype-limits]
+ if ((v) <= apic_verbosity) \
+ ^~
+arch/x86/kernel/apic/io_apic.c:2207:4: note: in expansion of macro
+'apic_printk'
+ apic_printk(APIC_QUIET, KERN_ERR "..MP-BIOS bug: "
+ ^~~~~~~~~~~
+
+APIC_QUIET is 0, so silence them by making apic_verbosity type int.
+
+Signed-off-by: Qian Cai
+Signed-off-by: Thomas Gleixner
+Link: https://lkml.kernel.org/r/1562621805-24789-1-git-send-email-cai@lca.pw
+Signed-off-by: Sasha Levin
+---
+ arch/x86/include/asm/apic.h | 2 +-
+ arch/x86/kernel/apic/apic.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h
+index a1ed92aae12a6..25a5a5c6ae90a 100644
+--- a/arch/x86/include/asm/apic.h
++++ b/arch/x86/include/asm/apic.h
+@@ -48,7 +48,7 @@ static inline void generic_apic_probe(void)
+
+ #ifdef CONFIG_X86_LOCAL_APIC
+
+-extern unsigned int apic_verbosity;
++extern int apic_verbosity;
+ extern int local_apic_timer_c2_ok;
+
+ extern int disable_apic;
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index 2e64178f284da..ae410f7585f16 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -182,7 +182,7 @@ EXPORT_SYMBOL_GPL(local_apic_timer_c2_ok);
+ /*
+ * Debug level, exported for io_apic.c
+ */
+-unsigned int apic_verbosity;
++int apic_verbosity;
+
+ int pic_mode;
+
+--
+2.20.1
+
diff --git a/queue-4.14/x86-boot-remove-multiple-copy-of-static-function-san.patch b/queue-4.14/x86-boot-remove-multiple-copy-of-static-function-san.patch
new file mode 100644
index 00000000000..ed802079284
--- /dev/null
+++ b/queue-4.14/x86-boot-remove-multiple-copy-of-static-function-san.patch
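Review bot: Nothing in the new declarations records why a debug level that is never meant to be negative is now a signed `int`; the comment above the definition in apic.c still reads only `Debug level, exported for io_apic.c`. I would extend it to something like `/* Debug level, exported for io_apic.c; signed so the apic_printk() comparison against APIC_QUIET (0) does not trip -Wtype-limits */`, otherwise a later cleanup is likely to turn it back into `unsigned int`. The writers of `apic_verbosity` are outside these hunks, so it is worth confirming none of them can store a negative value, since with a signed type that would suppress every `apic_printk()` rather than enable all of them.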
@@ -0,0 +1,59 @@
+From 5e3b186d87ffbf8f9521f49a3d0b13de8fe2c0d6 Mon Sep 17 00:00:00 2001
+From: Zhenzhong Duan
+Date: Tue, 16 Jul 2019 21:18:12 +0800
+Subject: x86, boot: Remove multiple copy of static function
+ sanitize_boot_params()
+
+[ Upstream commit 8c5477e8046ca139bac250386c08453da37ec1ae ]
+
+Kernel build warns:
+ 'sanitize_boot_params' defined but not used [-Wunused-function]
+
+at below files:
+ arch/x86/boot/compressed/cmdline.c
+ arch/x86/boot/compressed/error.c
+ arch/x86/boot/compressed/early_serial_console.c
+ arch/x86/boot/compressed/acpi.c
+
+That's becausethey each include misc.h which includes a definition of
+sanitize_boot_params() via bootparam_utils.h.
+
+Remove the inclusion from misc.h and have the c file including
+bootparam_utils.h directly.
+
+Signed-off-by: Zhenzhong Duan
+Signed-off-by: Thomas Gleixner
+Link: https://lkml.kernel.org/r/1563283092-1189-1-git-send-email-zhenzhong.duan@oracle.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/boot/compressed/misc.c | 1 +
+ arch/x86/boot/compressed/misc.h | 1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
+index 252fee3208166..fb07cfa3f2f90 100644
+--- a/arch/x86/boot/compressed/misc.c
++++ b/arch/x86/boot/compressed/misc.c
+@@ -16,6 +16,7 @@
+ #include "error.h"
+ #include "../string.h"
+ #include "../voffset.h"
++#include
+
+ /*
+ * WARNING!!
+diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/misc.h
+index 32d4ec2e0243c..5380d45b1c6e4 100644
+--- a/arch/x86/boot/compressed/misc.h
++++ b/arch/x86/boot/compressed/misc.h
+@@ -19,7 +19,6 @@
+ #include
+ #include
+ #include
+-#include
+
+ #define BOOT_BOOT_H
+ #include "../ctype.h"
+--
+2.20.1
+
diff --git a/queue-4.14/x86-kvm-avoid-constant-conversion-warning.patch b/queue-4.14/x86-kvm-avoid-constant-conversion-warning.patch
new file mode 100644
index 00000000000..08eeabb34d6
--- /dev/null
+++ b/queue-4.14/x86-kvm-avoid-constant-conversion-warning.patch 
@@ -0,0 +1,53 @@
+From 9e9490f822877edc77fe5e71596a482438437c34 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Fri, 12 Jul 2019 11:12:30 +0200
+Subject: x86: kvm: avoid constant-conversion warning
+
+[ Upstream commit a6a6d3b1f867d34ba5bd61aa7bb056b48ca67cff ]
+
+clang finds a contruct suspicious that converts an unsigned
+character to a signed integer and back, causing an overflow:
+
+arch/x86/kvm/mmu.c:4605:39: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -205 to 51 [-Werror,-Wconstant-conversion]
+ u8 wf = (pfec & PFERR_WRITE_MASK) ? ~w : 0;
+ ~~ ^~
+arch/x86/kvm/mmu.c:4607:38: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -241 to 15 [-Werror,-Wconstant-conversion]
+ u8 uf = (pfec & PFERR_USER_MASK) ? ~u : 0;
+ ~~ ^~
+arch/x86/kvm/mmu.c:4609:39: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -171 to 85 [-Werror,-Wconstant-conversion]
+ u8 ff = (pfec & PFERR_FETCH_MASK) ? ~x : 0;
+ ~~ ^~
+
+Add an explicit cast to tell clang that everything works as
+intended here.
+
+Signed-off-by: Arnd Bergmann
+Link: https://github.com/ClangBuiltLinux/linux/issues/95
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/mmu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
+index f97b533bc6e68..87a0601b1c204 100644
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -4313,11 +4313,11 @@ static void update_permission_bitmask(struct kvm_vcpu *vcpu,
+ */
+
+ /* Faults from writes to non-writable pages */
+- u8 wf = (pfec & PFERR_WRITE_MASK) ? ~w : 0;
++ u8 wf = (pfec & PFERR_WRITE_MASK) ? (u8)~w : 0;
+ /* Faults from user mode accesses to supervisor pages */
+- u8 uf = (pfec & PFERR_USER_MASK) ? ~u : 0;
++ u8 uf = (pfec & PFERR_USER_MASK) ? (u8)~u : 0;
+ /* Faults from fetches of non-executable pages*/
+- u8 ff = (pfec & PFERR_FETCH_MASK) ? ~x : 0;
++ u8 ff = (pfec & PFERR_FETCH_MASK) ? (u8)~x : 0;
+ /* Faults from kernel mode fetches of user pages */
+ u8 smepf = 0;
+ /* Faults from kernel mode accesses of user pages */
+--
+2.20.1
+
diff --git a/queue-4.14/x86-kvm-don-t-call-kvm_spurious_fault-from-.fixup.patch b/queue-4.14/x86-kvm-don-t-call-kvm_spurious_fault-from-.fixup.patch
new file mode 100644
index 00000000000..09eabb9cc89
--- /dev/null
+++ b/queue-4.14/x86-kvm-don-t-call-kvm_spurious_fault-from-.fixup.patch
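Review bot: The three `(u8)` casts in update_permission_bitmask() are added without a word on why discarding the upper bits of `~w`, `~u` and `~x` is intended, so the next reader sees a truncating cast on a permission mask with no rationale. A short comment above `wf` would cover all three, for example `/* ~w, ~u and ~x are promoted to int; only the low byte is stored, so the (u8) casts do not change the result */`. The definitions of `w`, `u` and `x` and the rest of the function are outside the hunk, so their being byte-wide constants is taken from the clang output in the commit message rather than from the code shown.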
@@ -0,0 +1,122 @@
+From 581784b235db7f7f018459a0c3c7b66f39cde9c4 Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf
+Date: Wed, 17 Jul 2019 20:36:39 -0500
+Subject: x86/kvm: Don't call kvm_spurious_fault() from .fixup
+
+[ Upstream commit 3901336ed9887b075531bffaeef7742ba614058b ]
+
+After making a change to improve objtool's sibling call detection, it
+started showing the following warning:
+
+ arch/x86/kvm/vmx/nested.o: warning: objtool: .fixup+0x15: sibling call from callable instruction with modified stack frame
+
+The problem is the ____kvm_handle_fault_on_reboot() macro. It does a
+fake call by pushing a fake RIP and doing a jump. That tricks the
+unwinder into printing the function which triggered the exception,
+rather than the .fixup code.
+
+Instead of the hack to make it look like the original function made the
+call, just change the macro so that the original function actually does
+make the call. This allows removal of the hack, and also makes objtool
+happy.
+
+I triggered a vmx instruction exception and verified that the stack
+trace is still sane:
+
+ kernel BUG at arch/x86/kvm/x86.c:358!
+ invalid opcode: 0000 [#1] SMP PTI
+ CPU: 28 PID: 4096 Comm: qemu-kvm Not tainted 5.2.0+ #16
+ Hardware name: Lenovo THINKSYSTEM SD530 -[7X2106Z000]-/-[7X2106Z000]-, BIOS -[TEE113Z-1.00]- 07/17/2017
+ RIP: 0010:kvm_spurious_fault+0x5/0x10
+ Code: 00 00 00 00 00 8b 44 24 10 89 d2 45 89 c9 48 89 44 24 10 8b 44 24 08 48 89 44 24 08 e9 d4 40 22 00 0f 1f 40 00 0f 1f 44 00 00 <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 55 49 89 fd 41
+ RSP: 0018:ffffbf91c683bd00 EFLAGS: 00010246
+ RAX: 000061f040000000 RBX: ffff9e159c77bba0 RCX: ffff9e15a5c87000
+ RDX: 0000000665c87000 RSI: ffff9e15a5c87000 RDI: ffff9e159c77bba0
+ RBP: 0000000000000000 R08: 0000000000000000 R09: ffff9e15a5c87000
+ R10: 0000000000000000 R11: fffff8f2d99721c0 R12: ffff9e159c77bba0
+ R13: ffffbf91c671d960 R14: ffff9e159c778000 R15: 0000000000000000
+ FS: 00007fa341cbe700(0000) GS:ffff9e15b7400000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fdd38356804 CR3: 00000006759de003 CR4: 00000000007606e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ loaded_vmcs_init+0x4f/0xe0
+ alloc_loaded_vmcs+0x38/0xd0
+ vmx_create_vcpu+0xf7/0x600
+ kvm_vm_ioctl+0x5e9/0x980
+ ? __switch_to_asm+0x40/0x70
+ ? __switch_to_asm+0x34/0x70
+ ? __switch_to_asm+0x40/0x70
+ ? __switch_to_asm+0x34/0x70
+ ? free_one_page+0x13f/0x4e0
+ do_vfs_ioctl+0xa4/0x630
+ ksys_ioctl+0x60/0x90
+ __x64_sys_ioctl+0x16/0x20
+ do_syscall_64+0x55/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ RIP: 0033:0x7fa349b1ee5b
+
+Signed-off-by: Josh Poimboeuf
+Signed-off-by: Thomas Gleixner
+Acked-by: Paolo Bonzini
+Acked-by: Peter Zijlstra (Intel)
+Link: https://lkml.kernel.org/r/64a9b64d127e87b6920a97afde8e96ea76f6524e.1563413318.git.jpoimboe@redhat.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/include/asm/kvm_host.h | 34 ++++++++++++++++++---------------
+ 1 file changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index f9a4b85d7309b..9f3eb334c818e 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1353,25 +1353,29 @@ enum {
+ #define kvm_arch_vcpu_memslots_id(vcpu) ((vcpu)->arch.hflags & HF_SMM_MASK ? 1 : 0)
+ #define kvm_memslots_for_spte_role(kvm, role) __kvm_memslots(kvm, (role).smm)
+
++asmlinkage void __noreturn kvm_spurious_fault(void);
++
+ /*
+ * Hardware virtualization extension instructions may fault if a
+ * reboot turns off virtualization while processes are running.
+- * Trap the fault and ignore the instruction if that happens.
++ * Usually after catching the fault we just panic; during reboot
++ * instead the instruction is ignored.
+ */
+-asmlinkage void kvm_spurious_fault(void);
+-
+-#define ____kvm_handle_fault_on_reboot(insn, cleanup_insn) \
+- "666: " insn "\n\t" \
+- "668: \n\t" \
+- ".pushsection .fixup, \"ax\" \n" \
+- "667: \n\t" \
+- cleanup_insn "\n\t" \
+- "cmpb $0, kvm_rebooting \n\t" \
+- "jne 668b \n\t" \
+- __ASM_SIZE(push) " $666b \n\t" \
+- "jmp kvm_spurious_fault \n\t" \
+- ".popsection \n\t" \
+- _ASM_EXTABLE(666b, 667b)
++#define ____kvm_handle_fault_on_reboot(insn, cleanup_insn) \
++ "666: \n\t" \
++ insn "\n\t" \
++ "jmp 668f \n\t" \
++ "667: \n\t" \
++ "call kvm_spurious_fault \n\t" \
++ "668: \n\t" \
++ ".pushsection .fixup, \"ax\" \n\t" \
++ "700: \n\t" \
++ cleanup_insn "\n\t" \
++ "cmpb $0, kvm_rebooting\n\t" \
++ "je 667b \n\t" \
++ "jmp 668b \n\t" \
++ ".popsection \n\t" \
++ _ASM_EXTABLE(666b, 700b)
+
+ #define __kvm_handle_fault_on_reboot(insn) \
+ ____kvm_handle_fault_on_reboot(insn, "")
+--
+2.20.1
+
diff --git a/queue-4.14/x86-math-emu-hide-clang-warnings-for-16-bit-overflow.patch b/queue-4.14/x86-math-emu-hide-clang-warnings-for-16-bit-overflow.patch
new file mode 100644
index 00000000000..a755ca0139f
--- /dev/null
+++ b/queue-4.14/x86-math-emu-hide-clang-warnings-for-16-bit-overflow.patch
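Review bot: The rewritten `____kvm_handle_fault_on_reboot()` places a real `call kvm_spurious_fault` in the body of every function that expands the macro, but none of the asm statements using it are visible in this hunk, so it is not shown that they tell the compiler a call may happen (the kernel's `ASM_CALL_CONSTRAINT` exists for this); without that the call could be emitted before the frame is set up, and the stack trace the commit message relies on would be less trustworthy. The four numeric labels are also undocumented, and a comment above the macro such as `/* 666: insn that may fault, 700: fixup entry, 667: call reached only from the fixup when kvm_rebooting is 0, 668: normal continuation */` would make the control flow reviewable. On a 4.14 base it is also worth checking that the definition of `kvm_spurious_fault()`, which is not part of this patch, really never returns, since the prototype now promises `__noreturn`.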
@@ -0,0 +1,69 @@
+From 4b46abb6133df5037914c3d7856aefb6604f0e8c Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Fri, 12 Jul 2019 11:08:05 +0200
+Subject: x86: math-emu: Hide clang warnings for 16-bit overflow
+
+[ Upstream commit 29e7e9664aec17b94a9c8c5a75f8d216a206aa3a ]
+
+clang warns about a few parts of the math-emu implementation
+where a 16-bit integer becomes negative during assignment:
+
+arch/x86/math-emu/poly_tan.c:88:35: error: implicit conversion from 'int' to 'short' changes value from 49216 to -16320 [-Werror,-Wconstant-conversion]
+ (0x41 + EXTENDED_Ebias) | SIGN_Negative);
+ ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~
+arch/x86/math-emu/fpu_emu.h:180:58: note: expanded from macro 'setexponent16'
+ #define setexponent16(x,y) { (*(short *)&((x)->exp)) = (y); }
+ ~ ^
+arch/x86/math-emu/reg_constant.c:37:32: error: implicit conversion from 'int' to 'short' changes value from 49085 to -16451 [-Werror,-Wconstant-conversion]
+FPU_REG const CONST_PI2extra = MAKE_REG(NEG, -66,
+ ^~~~~~~~~~~~~~~~~~
+arch/x86/math-emu/reg_constant.c:21:25: note: expanded from macro 'MAKE_REG'
+ ((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) }
+ ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~
+arch/x86/math-emu/reg_constant.c:48:28: error: implicit conversion from 'int' to 'short' changes value from 65535 to -1 [-Werror,-Wconstant-conversion]
+FPU_REG const CONST_QNaN = MAKE_REG(NEG, EXP_OVER, 0x00000000, 0xC0000000);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+arch/x86/math-emu/reg_constant.c:21:25: note: expanded from macro 'MAKE_REG'
+ ((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) }
+ ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The code is correct as is, so add a typecast to shut up the warnings.
+
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Thomas Gleixner
+Link: https://lkml.kernel.org/r/20190712090816.350668-1-arnd@arndb.de
+Signed-off-by: Sasha Levin
+---
+ arch/x86/math-emu/fpu_emu.h | 2 +-
+ arch/x86/math-emu/reg_constant.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/math-emu/fpu_emu.h b/arch/x86/math-emu/fpu_emu.h
+index a5a41ec580721..0c122226ca56f 100644
+--- a/arch/x86/math-emu/fpu_emu.h
++++ b/arch/x86/math-emu/fpu_emu.h
+@@ -177,7 +177,7 @@ static inline void reg_copy(FPU_REG const *x, FPU_REG *y)
+ #define setexponentpos(x,y) { (*(short *)&((x)->exp)) = \
+ ((y) + EXTENDED_Ebias) & 0x7fff; }
+ #define exponent16(x) (*(short *)&((x)->exp))
+-#define setexponent16(x,y) { (*(short *)&((x)->exp)) = (y); }
++#define setexponent16(x,y) { (*(short *)&((x)->exp)) = (u16)(y); }
+ #define addexponent(x,y) { (*(short *)&((x)->exp)) += (y); }
+ #define stdexp(x) { (*(short *)&((x)->exp)) += EXTENDED_Ebias; }
+
+diff --git a/arch/x86/math-emu/reg_constant.c b/arch/x86/math-emu/reg_constant.c
+index 8dc9095bab224..742619e94bdf2 100644
+--- a/arch/x86/math-emu/reg_constant.c
++++ b/arch/x86/math-emu/reg_constant.c
+@@ -18,7 +18,7 @@
+ #include "control_w.h"
+
+ #define MAKE_REG(s, e, l, h) { l, h, \
+- ((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) }
++ (u16)((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) }
+
+ FPU_REG const CONST_1 = MAKE_REG(POS, 0, 0x00000000, 0x80000000);
+ #if 0
+--
+2.20.1
+
diff --git a/queue-4.14/x86-paravirt-fix-callee-saved-function-elf-sizes.patch b/queue-4.14/x86-paravirt-fix-callee-saved-function-elf-sizes.patch
new file mode 100644
index 00000000000..df3f9cb4e72
--- /dev/null
+++ b/queue-4.14/x86-paravirt-fix-callee-saved-function-elf-sizes.patch
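Review bot: In `setexponent16()` the value is cast to `u16` but stored through a `short *` lvalue, so an implicit unsigned-to-signed conversion still happens right after the cast; `(*(short *)&((x)->exp)) = (short)(y);` would name the conversion that actually takes place and match the neighbouring macros, which all go through `short`. The same question applies to the `(u16)` added in `MAKE_REG()` in reg_constant.c, though the type of the initialised member of `FPU_REG` is not visible in the hunk, so `u16` may be the right choice there. Either way a brief comment next to the cast, e.g. `/* the 0x8000 sign bit is deliberately stored in a 16-bit field */`, would keep someone from removing it as redundant.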
@@ -0,0 +1,55 @@
+From a9ac35f03c6f8f6357486c30724fe2cb7c77a1ca Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf
+Date: Wed, 17 Jul 2019 20:36:36 -0500
+Subject: x86/paravirt: Fix callee-saved function ELF sizes
+
+[ Upstream commit 083db6764821996526970e42d09c1ab2f4155dd4 ]
+
+The __raw_callee_save_*() functions have an ELF symbol size of zero,
+which confuses objtool and other tools.
+
+Fixes a bunch of warnings like the following:
+
+ arch/x86/xen/mmu_pv.o: warning: objtool: __raw_callee_save_xen_pte_val() is missing an ELF size annotation
+ arch/x86/xen/mmu_pv.o: warning: objtool: __raw_callee_save_xen_pgd_val() is missing an ELF size annotation
+ arch/x86/xen/mmu_pv.o: warning: objtool: __raw_callee_save_xen_make_pte() is missing an ELF size annotation
+ arch/x86/xen/mmu_pv.o: warning: objtool: __raw_callee_save_xen_make_pgd() is missing an ELF size annotation
+
+Signed-off-by: Josh Poimboeuf
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Juergen Gross
+Acked-by: Peter Zijlstra (Intel)
+Link: https://lkml.kernel.org/r/afa6d49bb07497ca62e4fc3b27a2d0cece545b4e.1563413318.git.jpoimboe@redhat.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/include/asm/paravirt.h | 1 +
+ arch/x86/kernel/kvm.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h
+index c83a2f418cea0..4471f0da6ed76 100644
+--- a/arch/x86/include/asm/paravirt.h
++++ b/arch/x86/include/asm/paravirt.h
+@@ -758,6 +758,7 @@ static __always_inline bool pv_vcpu_is_preempted(long cpu)
+ PV_RESTORE_ALL_CALLER_REGS \
+ FRAME_END \
+ "ret;" \
++ ".size " PV_THUNK_NAME(func) ", .-" PV_THUNK_NAME(func) ";" \
+ ".popsection")
+
+ /* Get a reference to a callee-save function */
+diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c
+index 652bdd867782c..5853eb50138e7 100644
+--- a/arch/x86/kernel/kvm.c
++++ b/arch/x86/kernel/kvm.c
+@@ -631,6 +631,7 @@ asm(
+ "cmpb $0, " __stringify(KVM_STEAL_TIME_preempted) "+steal_time(%rax);"
+ "setne %al;"
+ "ret;"
++".size __raw_callee_save___kvm_vcpu_is_preempted, .-__raw_callee_save___kvm_vcpu_is_preempted;"
+ ".popsection");
+
+ #endif
+--
+2.20.1
+
diff --git a/queue-4.14/xen-pv-fix-a-boot-up-hang-revealed-by-int3-self-test.patch b/queue-4.14/xen-pv-fix-a-boot-up-hang-revealed-by-int3-self-test.patch
new file mode 100644
index 00000000000..23cbc38f204
--- /dev/null
+++ b/queue-4.14/xen-pv-fix-a-boot-up-hang-revealed-by-int3-self-test.patch
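Review bot: The `.size` line added to the hand-written thunk in arch/x86/kernel/kvm.c spells `__raw_callee_save___kvm_vcpu_is_preempted` out twice, while the paravirt.h hunk builds the same directive from `PV_THUNK_NAME(func)`. If `PV_THUNK_NAME` is visible in kvm.c, `".size " PV_THUNK_NAME(__kvm_vcpu_is_preempted) ", .-" PV_THUNK_NAME(__kvm_vcpu_is_preempted) ";"` would keep the two thunks from drifting apart on a rename. The start of the `asm(` block is outside the hunk, so if its earlier lines already write the symbol literally, staying consistent with them is also reasonable; in that case a comment pointing at the macro this mirrors would be enough.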
@@ -0,0 +1,117 @@
+From e7b5bee7eacc3adf0118f4ce6354fb55aaff644f Mon Sep 17 00:00:00 2001
+From: Zhenzhong Duan
+Date: Sun, 14 Jul 2019 17:15:32 +0800
+Subject: xen/pv: Fix a boot up hang revealed by int3 self test
+
+[ Upstream commit b23e5844dfe78a80ba672793187d3f52e4b528d7 ]
+
+Commit 7457c0da024b ("x86/alternatives: Add int3_emulate_call()
+selftest") is used to ensure there is a gap setup in int3 exception stack
+which could be used for inserting call return address.
+
+This gap is missed in XEN PV int3 exception entry path, then below panic
+triggered:
+
+[ 0.772876] general protection fault: 0000 [#1] SMP NOPTI
+[ 0.772886] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.2.0+ #11
+[ 0.772893] RIP: e030:int3_magic+0x0/0x7
+[ 0.772905] RSP: 3507:ffffffff82203e98 EFLAGS: 00000246
+[ 0.773334] Call Trace:
+[ 0.773334] alternative_instructions+0x3d/0x12e
+[ 0.773334] check_bugs+0x7c9/0x887
+[ 0.773334] ? __get_locked_pte+0x178/0x1f0
+[ 0.773334] start_kernel+0x4ff/0x535
+[ 0.773334] ? set_init_arg+0x55/0x55
+[ 0.773334] xen_start_kernel+0x571/0x57a
+
+For 64bit PV guests, Xen's ABI enters the kernel with using SYSRET, with
+%rcx/%r11 on the stack. To convert back to "normal" looking exceptions,
+the xen thunks do 'xen_*: pop %rcx; pop %r11; jmp *'.
+
+E.g. Extracting 'xen_pv_trap xenint3' we have:
+xen_xenint3:
+ pop %rcx;
+ pop %r11;
+ jmp xenint3
+
+As xenint3 and int3 entry code are same except xenint3 doesn't generate
+a gap, we can fix it by using int3 and drop useless xenint3.
+
+Signed-off-by: Zhenzhong Duan
+Reviewed-by: Juergen Gross
+Cc: Boris Ostrovsky
+Cc: Juergen Gross
+Cc: Stefano Stabellini
+Cc: Andy Lutomirski
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: Ingo Molnar
+Cc: Borislav Petkov
+Cc: Andrew Cooper
+Signed-off-by: Juergen Gross
+Signed-off-by: Sasha Levin
+---
+ arch/x86/entry/entry_64.S | 1 -
+ arch/x86/include/asm/traps.h | 2 +-
+ arch/x86/xen/enlighten_pv.c | 2 +-
+ arch/x86/xen/xen-asm_64.S | 1 -
+ 4 files changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
+index e09ba4bc8b98f..b2524d349595c 100644
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -1113,7 +1113,6 @@ idtentry stack_segment do_stack_segment has_error_code=1
+ #ifdef CONFIG_XEN
+ idtentry xennmi do_nmi has_error_code=0
+ idtentry xendebug do_debug has_error_code=0
+-idtentry xenint3 do_int3 has_error_code=0
+ #endif
+
+ idtentry general_protection do_general_protection has_error_code=1
+diff --git a/arch/x86/include/asm/traps.h b/arch/x86/include/asm/traps.h
+index afbc87206886e..b771bb3d159bc 100644
+--- a/arch/x86/include/asm/traps.h
++++ b/arch/x86/include/asm/traps.h
+@@ -40,7 +40,7 @@ asmlinkage void simd_coprocessor_error(void);
+ asmlinkage void xen_divide_error(void);
+ asmlinkage void xen_xennmi(void);
+ asmlinkage void xen_xendebug(void);
+-asmlinkage void xen_xenint3(void);
++asmlinkage void xen_int3(void);
+ asmlinkage void xen_overflow(void);
+ asmlinkage void xen_bounds(void);
+ asmlinkage void xen_invalid_op(void);
+diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
+index 481d7920ea244..f79a0cdc6b4e7 100644
+--- a/arch/x86/xen/enlighten_pv.c
++++ b/arch/x86/xen/enlighten_pv.c
+@@ -598,12 +598,12 @@ struct trap_array_entry {
+
+ static struct trap_array_entry trap_array[] = {
+ { debug, xen_xendebug, true },
+- { int3, xen_xenint3, true },
+ { double_fault, xen_double_fault, true },
+ #ifdef CONFIG_X86_MCE
+ { machine_check, xen_machine_check, true },
+ #endif
+ { nmi, xen_xennmi, true },
++ { int3, xen_int3, false },
+ { overflow, xen_overflow, false },
+ #ifdef CONFIG_IA32_EMULATION
+ { entry_INT80_compat, xen_entry_INT80_compat, false },
+diff --git a/arch/x86/xen/xen-asm_64.S b/arch/x86/xen/xen-asm_64.S
+index 417b339e5c8e1..3a6feed76dfc1 100644
+--- a/arch/x86/xen/xen-asm_64.S
++++ b/arch/x86/xen/xen-asm_64.S
+@@ -30,7 +30,6 @@ xen_pv_trap divide_error
+ xen_pv_trap debug
+ xen_pv_trap xendebug
+ xen_pv_trap int3
+-xen_pv_trap xenint3
+ xen_pv_trap xennmi
+ xen_pv_trap overflow
+ xen_pv_trap bounds
+--
+2.20.1
+
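Review bot: In the `trap_array[]` hunk of enlighten_pv.c the int3 row does not only switch to `xen_int3`; its third initializer also changes from `true` to `false` and the row moves below `nmi`, and the commit message explains neither. The fields of `struct trap_array_entry` are outside the hunk, so what that flag controls cannot be confirmed here; if it is the flag that permits an IST stack, the backport is only correct on a 4.14 base where the int3 gate no longer uses one. I would ask for that to be stated in the patch description and for a comment on the row, e.g. `/* int3 uses the native entry, which leaves the gap int3_emulate_call() needs */`.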