From: Sasha Levin
Date: Sun, 5 May 2019 20:03:59 +0000 (-0400)
Subject: fixes for 4.19
X-Git-Tag: v4.9.174~33
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7be4ccde0c0bc1aa8d16f17105b40f94e8a4c01e;p=thirdparty%2Fkernel%2Fstable-queue.git

fixes for 4.19

Signed-off-by: Sasha Levin
---
diff --git a/queue-4.19/arm-dts-rockchip-fix-gpu-opp-node-names-for-rk3288.patch b/queue-4.19/arm-dts-rockchip-fix-gpu-opp-node-names-for-rk3288.patch
new file mode 100644
index 00000000000..0b45a703584
--- /dev/null
+++ b/queue-4.19/arm-dts-rockchip-fix-gpu-opp-node-names-for-rk3288.patch
@@ -0,0 +1,63 @@ +From 196655699f9f72da29fd6be18d3c33ce09bd7c04 Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Wed, 20 Mar 2019 13:14:00 -0700 +Subject: ARM: dts: rockchip: Fix gpu opp node names for rk3288 + +[ Upstream commit d040e4e8deeaa8257d6aa260e29ad69832b5d630 ] + +The device tree compiler yells like this: + Warning (unit_address_vs_reg): + /gpu-opp-table/opp@100000000: + node has a unit name, but no reg property + +Let's match the cpu opp node names and use a dash. + +Signed-off-by: Douglas Anderson +Reviewed-by: Matthias Kaehlcke +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/rk3288.dtsi | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/arm/boot/dts/rk3288.dtsi b/arch/arm/boot/dts/rk3288.dtsi +index e6a36a792bae..c706adf4aed2 100644 +--- a/arch/arm/boot/dts/rk3288.dtsi ++++ b/arch/arm/boot/dts/rk3288.dtsi +@@ -1261,27 +1261,27 @@ + gpu_opp_table: gpu-opp-table { + compatible = "operating-points-v2"; + +- opp@100000000 { ++ opp-100000000 { + opp-hz = /bits/ 64 <100000000>; + opp-microvolt = <950000>; + }; +- opp@200000000 { ++ opp-200000000 { + opp-hz = /bits/ 64 <200000000>; + opp-microvolt = <950000>; + }; +- opp@300000000 { ++ opp-300000000 { + opp-hz = /bits/ 64 <300000000>; + opp-microvolt = <1000000>; + }; +- opp@400000000 { ++ opp-400000000 { + opp-hz = /bits/ 64 <400000000>; + opp-microvolt = <1100000>; + }; +- opp@500000000 { ++ opp-500000000 { + opp-hz = /bits/ 64 <500000000>; + opp-microvolt = <1200000>; + }; +- opp@600000000 { ++ opp-600000000 { + opp-hz = /bits/ 64 <600000000>; + opp-microvolt = <1250000>; + }; +-- +2.20.1 + diff --git a/queue-4.19/arm-iop-don-t-use-using-64-bit-dma-masks.patch b/queue-4.19/arm-iop-don-t-use-using-64-bit-dma-masks.patch new file mode 100644 index 00000000000..ab0cb76120e --- /dev/null +++ b/queue-4.19/arm-iop-don-t-use-using-64-bit-dma-masks.patch 
@@ -0,0 +1,152 @@ +From 6367ca348a7e6389b27cc07f8a5d396343d5df06 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 25 Mar 2019 16:50:43 +0100 +Subject: ARM: iop: don't use using 64-bit DMA masks + +[ Upstream commit 2125801ccce19249708ca3245d48998e70569ab8 ] + +clang warns about statically defined DMA masks from the DMA_BIT_MASK +macro with length 64: + + arch/arm/mach-iop13xx/setup.c:303:35: error: shift count >= width of type [-Werror,-Wshift-count-overflow] + static u64 iop13xx_adma_dmamask = DMA_BIT_MASK(64); + ^~~~~~~~~~~~~~~~ + include/linux/dma-mapping.h:141:54: note: expanded from macro 'DMA_BIT_MASK' + #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1)) + ^ ~~~ + +The ones in iop shouldn't really be 64 bit masks, so changing them +to what the driver can support avoids the warning. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + arch/arm/mach-iop13xx/setup.c | 8 ++++---- + arch/arm/mach-iop13xx/tpmi.c | 10 +++++----- + arch/arm/plat-iop/adma.c | 6 +++--- + 3 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/arch/arm/mach-iop13xx/setup.c b/arch/arm/mach-iop13xx/setup.c +index 53c316f7301e..fe4932fda01d 100644 +--- a/arch/arm/mach-iop13xx/setup.c ++++ b/arch/arm/mach-iop13xx/setup.c +@@ -300,7 +300,7 @@ static struct resource iop13xx_adma_2_resources[] = { + } + }; + +-static u64 iop13xx_adma_dmamask = DMA_BIT_MASK(64); ++static u64 iop13xx_adma_dmamask = DMA_BIT_MASK(32); + static struct iop_adma_platform_data iop13xx_adma_0_data = { + .hw_id = 0, + .pool_size = PAGE_SIZE, +@@ -324,7 +324,7 @@ static struct platform_device iop13xx_adma_0_channel = { + .resource = iop13xx_adma_0_resources, + .dev = { + .dma_mask = &iop13xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop13xx_adma_0_data, + }, + }; +@@ -336,7 +336,7 @@ static struct platform_device iop13xx_adma_1_channel = { + .resource = 
iop13xx_adma_1_resources, + .dev = { + .dma_mask = &iop13xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop13xx_adma_1_data, + }, + }; +@@ -348,7 +348,7 @@ static struct platform_device iop13xx_adma_2_channel = { + .resource = iop13xx_adma_2_resources, + .dev = { + .dma_mask = &iop13xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop13xx_adma_2_data, + }, + }; +diff --git a/arch/arm/mach-iop13xx/tpmi.c b/arch/arm/mach-iop13xx/tpmi.c +index db511ec2b1df..116feb6b261e 100644 +--- a/arch/arm/mach-iop13xx/tpmi.c ++++ b/arch/arm/mach-iop13xx/tpmi.c +@@ -152,7 +152,7 @@ static struct resource iop13xx_tpmi_3_resources[] = { + } + }; + +-u64 iop13xx_tpmi_mask = DMA_BIT_MASK(64); ++u64 iop13xx_tpmi_mask = DMA_BIT_MASK(32); + static struct platform_device iop13xx_tpmi_0_device = { + .name = "iop-tpmi", + .id = 0, +@@ -160,7 +160,7 @@ static struct platform_device iop13xx_tpmi_0_device = { + .resource = iop13xx_tpmi_0_resources, + .dev = { + .dma_mask = &iop13xx_tpmi_mask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + }, + }; + +@@ -171,7 +171,7 @@ static struct platform_device iop13xx_tpmi_1_device = { + .resource = iop13xx_tpmi_1_resources, + .dev = { + .dma_mask = &iop13xx_tpmi_mask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + }, + }; + +@@ -182,7 +182,7 @@ static struct platform_device iop13xx_tpmi_2_device = { + .resource = iop13xx_tpmi_2_resources, + .dev = { + .dma_mask = &iop13xx_tpmi_mask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + }, + }; + +@@ -193,7 +193,7 @@ static struct platform_device iop13xx_tpmi_3_device = { + .resource = iop13xx_tpmi_3_resources, + .dev = { + .dma_mask = &iop13xx_tpmi_mask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), 
+ }, + }; + +diff --git a/arch/arm/plat-iop/adma.c b/arch/arm/plat-iop/adma.c +index a4d1f8de3b5b..d9612221e484 100644 +--- a/arch/arm/plat-iop/adma.c ++++ b/arch/arm/plat-iop/adma.c +@@ -143,7 +143,7 @@ struct platform_device iop3xx_dma_0_channel = { + .resource = iop3xx_dma_0_resources, + .dev = { + .dma_mask = &iop3xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop3xx_dma_0_data, + }, + }; +@@ -155,7 +155,7 @@ struct platform_device iop3xx_dma_1_channel = { + .resource = iop3xx_dma_1_resources, + .dev = { + .dma_mask = &iop3xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop3xx_dma_1_data, + }, + }; +@@ -167,7 +167,7 @@ struct platform_device iop3xx_aau_channel = { + .resource = iop3xx_aau_resources, + .dev = { + .dma_mask = &iop3xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop3xx_aau_data, + }, + }; +-- +2.20.1 + diff --git a/queue-4.19/arm-mach-at91-pm-fix-possible-object-reference-leak.patch b/queue-4.19/arm-mach-at91-pm-fix-possible-object-reference-leak.patch new file mode 100644 index 00000000000..dd840f48c57 --- /dev/null +++ b/queue-4.19/arm-mach-at91-pm-fix-possible-object-reference-leak.patch 
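Review bot: In arch/arm/plat-iop/adma.c the three `.coherent_dma_mask` fields drop to `DMA_BIT_MASK(32)`, but the `iop3xx_adma_dmamask` object that `.dma_mask` points at is defined outside these hunks and is not touched, so it is not visible whether the streaming and coherent masks still agree after the change. The same holds for `orion_xor_dmamask` in the arch/arm/plat-orion/common.c patch later in this queue. If either variable is still initialised with `DMA_BIT_MASK(64)` in the 4.19 tree, the device would advertise a wider streaming mask than coherent mask, so both definitions are worth confirming against the target tree before the backport is applied. In mach-iop13xx the patch changes both the variable and the fields, which is the consistent form.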
@@ -0,0 +1,51 @@ +From c0290c002749075c9d45bc14243765cd62f188cb Mon Sep 17 00:00:00 2001 +From: Peng Hao +Date: Tue, 2 Apr 2019 22:12:38 +0800 +Subject: arm/mach-at91/pm : fix possible object reference leak + +[ Upstream commit ba5e60c9b75dec92d4c695b928f69300b17d7686 ] + +of_find_device_by_node() takes a reference to the struct device +when it finds a match via get_device. When returning error we should +call put_device. + +Reviewed-by: Mukesh Ojha +Signed-off-by: Peng Hao +Signed-off-by: Ludovic Desroches +Signed-off-by: Sasha Levin +--- + arch/arm/mach-at91/pm.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/mach-at91/pm.c b/arch/arm/mach-at91/pm.c +index 32fae4dbd63b..0921e2c10edf 100644 +--- a/arch/arm/mach-at91/pm.c ++++ b/arch/arm/mach-at91/pm.c +@@ -594,13 +594,13 @@ static int __init at91_pm_backup_init(void) + + np = of_find_compatible_node(NULL, NULL, "atmel,sama5d2-securam"); + if (!np) +- goto securam_fail; ++ goto securam_fail_no_ref_dev; + + pdev = of_find_device_by_node(np); + of_node_put(np); + if (!pdev) { + pr_warn("%s: failed to find securam device!\n", __func__); +- goto securam_fail; ++ goto securam_fail_no_ref_dev; + } + + sram_pool = gen_pool_get(&pdev->dev, NULL); +@@ -623,6 +623,8 @@ static int __init at91_pm_backup_init(void) + return 0; + + securam_fail: ++ put_device(&pdev->dev); ++securam_fail_no_ref_dev: + iounmap(pm_data.sfrbu); + pm_data.sfrbu = NULL; + return ret; +-- +2.20.1 + diff --git a/queue-4.19/arm-orion-don-t-use-using-64-bit-dma-masks.patch b/queue-4.19/arm-orion-don-t-use-using-64-bit-dma-masks.patch new file mode 100644 index 00000000000..b61192bddb7 --- /dev/null +++ b/queue-4.19/arm-orion-don-t-use-using-64-bit-dma-masks.patch 
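Review bot: The new `securam_fail:` label falls through into `securam_fail_no_ref_dev:`, and nothing in the code says which reference the `put_device(&pdev->dev)` balances. A one-line comment such as `/* drop the reference taken by of_find_device_by_node() */` above the `put_device()` call would make the label ordering safe to maintain. The `return 0` path shown just above the labels does not drop that reference; presumably the device is meant to stay pinned while the pool is in use, but the lines between `gen_pool_get()` and `return 0` are outside the hunk, so that is an assumption to confirm.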
@@ -0,0 +1,51 @@ +From 24a306ee5640ab2918f4df8843583c3d2f2958e0 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 25 Mar 2019 16:50:42 +0100 +Subject: ARM: orion: don't use using 64-bit DMA masks + +[ Upstream commit cd92d74d67c811dc22544430b9ac3029f5bd64c5 ] + +clang warns about statically defined DMA masks from the DMA_BIT_MASK +macro with length 64: + +arch/arm/plat-orion/common.c:625:29: error: shift count >= width of type [-Werror,-Wshift-count-overflow] + .coherent_dma_mask = DMA_BIT_MASK(64), + ^~~~~~~~~~~~~~~~ +include/linux/dma-mapping.h:141:54: note: expanded from macro 'DMA_BIT_MASK' + #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1)) + +The ones in orion shouldn't really be 64 bit masks, so changing them +to what the driver can support avoids the warning. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + arch/arm/plat-orion/common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/plat-orion/common.c b/arch/arm/plat-orion/common.c +index a2399fd66e97..1e970873439c 100644 +--- a/arch/arm/plat-orion/common.c ++++ b/arch/arm/plat-orion/common.c +@@ -622,7 +622,7 @@ static struct platform_device orion_xor0_shared = { + .resource = orion_xor0_shared_resources, + .dev = { + .dma_mask = &orion_xor_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = &orion_xor0_pdata, + }, + }; +@@ -683,7 +683,7 @@ static struct platform_device orion_xor1_shared = { + .resource = orion_xor1_shared_resources, + .dev = { + .dma_mask = &orion_xor_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = &orion_xor1_pdata, + }, + }; +-- +2.20.1 + diff --git a/queue-4.19/arm64-dts-rockchip-fix-rk3328-roc-cc-gmac2io-tx-rx_d.patch b/queue-4.19/arm64-dts-rockchip-fix-rk3328-roc-cc-gmac2io-tx-rx_d.patch new file mode 100644 index 00000000000..a39e328ea25 --- /dev/null 
+++ b/queue-4.19/arm64-dts-rockchip-fix-rk3328-roc-cc-gmac2io-tx-rx_d.patch @@ -0,0 +1,42 @@ +From b518383113feec6944480007860620a4ef9b11d5 Mon Sep 17 00:00:00 2001 +From: "Leonidas P. Papadakos" +Date: Fri, 1 Mar 2019 00:29:23 +0200 +Subject: arm64: dts: rockchip: fix rk3328-roc-cc gmac2io tx/rx_delay + +[ Upstream commit 924726888f660b2a86382a5dd051ec9ca1b18190 ] + +The rk3328-roc-cc board exhibits tx stability issues with large packets, +as does the rock64 board, which was fixed with this patch +https://patchwork.kernel.org/patch/10178969/ + +A similar patch was merged for the rk3328-roc-cc here +https://patchwork.kernel.org/patch/10804863/ +but it doesn't include the tx/rx_delay tweaks, and I find that they +help with an issue where large transfers would bring the ethernet +link down, causing a link reset regularly. + +Signed-off-by: Leonidas P. Papadakos +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3328-roc-cc.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3328-roc-cc.dts b/arch/arm64/boot/dts/rockchip/rk3328-roc-cc.dts +index 246c317f6a68..91061d9cf78b 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3328-roc-cc.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3328-roc-cc.dts +@@ -94,8 +94,8 @@ + snps,reset-gpio = <&gpio1 RK_PC2 GPIO_ACTIVE_LOW>; + snps,reset-active-low; + snps,reset-delays-us = <0 10000 50000>; +- tx_delay = <0x25>; +- rx_delay = <0x11>; ++ tx_delay = <0x24>; ++ rx_delay = <0x18>; + status = "okay"; + }; + +-- +2.20.1 + diff --git a/queue-4.19/arm64-fix-wrong-check-of-on_sdei_stack-in-nmi-contex.patch b/queue-4.19/arm64-fix-wrong-check-of-on_sdei_stack-in-nmi-contex.patch new file mode 100644 index 00000000000..76edce87132 --- /dev/null +++ b/queue-4.19/arm64-fix-wrong-check-of-on_sdei_stack-in-nmi-contex.patch 
@@ -0,0 +1,48 @@ +From fa6b9945bf1865c2eabe0a8197f38d9911f6512d Mon Sep 17 00:00:00 2001 +From: Wei Li +Date: Mon, 1 Apr 2019 11:55:57 +0800 +Subject: arm64: fix wrong check of on_sdei_stack in nmi context + +[ Upstream commit 1c41860864c8ae0387ef7d44f0000e99cbb2e06d ] + +When doing unwind_frame() in the context of pseudo nmi (need enable +CONFIG_ARM64_PSEUDO_NMI), reaching the bottom of the stack (fp == 0, +pc != 0), function on_sdei_stack() will return true while the sdei acpi +table is not inited in fact. This will cause a "NULL pointer dereference" +oops when going on. + +Reviewed-by: Julien Thierry +Signed-off-by: Wei Li +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/sdei.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/arm64/kernel/sdei.c b/arch/arm64/kernel/sdei.c +index 5ba4465e44f0..ea94cf8f9dc6 100644 +--- a/arch/arm64/kernel/sdei.c ++++ b/arch/arm64/kernel/sdei.c +@@ -94,6 +94,9 @@ static bool on_sdei_normal_stack(unsigned long sp, struct stack_info *info) + unsigned long low = (unsigned long)raw_cpu_read(sdei_stack_normal_ptr); + unsigned long high = low + SDEI_STACK_SIZE; + ++ if (!low) ++ return false; ++ + if (sp < low || sp >= high) + return false; + +@@ -111,6 +114,9 @@ static bool on_sdei_critical_stack(unsigned long sp, struct stack_info *info) + unsigned long low = (unsigned long)raw_cpu_read(sdei_stack_critical_ptr); + unsigned long high = low + SDEI_STACK_SIZE; + ++ if (!low) ++ return false; ++ + if (sp < low || sp >= high) + return false; + +-- +2.20.1 + diff --git a/queue-4.19/batman-adv-fix-warning-in-function-batadv_v_elp_get_.patch b/queue-4.19/batman-adv-fix-warning-in-function-batadv_v_elp_get_.patch new file mode 100644 index 00000000000..b1a6a781b19 --- /dev/null +++ b/queue-4.19/batman-adv-fix-warning-in-function-batadv_v_elp_get_.patch 
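Review bot: The added `if (!low) return false;` guard in on_sdei_normal_stack() and on_sdei_critical_stack() has no comment saying when the per-CPU stack pointer can be zero. Without one the check looks redundant next to the range test that follows, yet it is the only thing that stops an `sp` in `[0, SDEI_STACK_SIZE)` from being accepted as lying on an SDEI stack. I would add `/* per-CPU SDEI stack not allocated: sp cannot be on it */` above each guard. The two functions differ only in the per-CPU variable they read, so a small shared helper taking `low` would keep the guards from drifting apart; both function bodies continue past the hunks.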
@@ -0,0 +1,52 @@ +From 2fd6f0cd4fc0c06354cff10b35b24c82b1c08d61 Mon Sep 17 00:00:00 2001 +From: Anders Roxell +Date: Fri, 22 Feb 2019 16:25:54 +0100 +Subject: batman-adv: fix warning in function batadv_v_elp_get_throughput +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit ca8c3b922e7032aff6cc3fd05548f4df1f3df90e ] + +When CONFIG_CFG80211 isn't enabled the compiler correcly warns about +'sinfo.pertid' may be unused. It can also happen for other error +conditions that it not warn about. + +net/batman-adv/bat_v_elp.c: In function ‘batadv_v_elp_get_throughput.isra.0’: +include/net/cfg80211.h:6370:13: warning: ‘sinfo.pertid’ may be used + uninitialized in this function [-Wmaybe-uninitialized] + kfree(sinfo->pertid); + ~~~~~^~~~~~~~ + +Rework so that we only release '&sinfo' if cfg80211_get_station returns +zero. + +Fixes: 7d652669b61d ("batman-adv: release station info tidstats") +Signed-off-by: Anders Roxell +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/bat_v_elp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c +index ef0dec20c7d8..5da183b2f4c9 100644 +--- a/net/batman-adv/bat_v_elp.c ++++ b/net/batman-adv/bat_v_elp.c +@@ -104,8 +104,10 @@ static u32 batadv_v_elp_get_throughput(struct batadv_hardif_neigh_node *neigh) + + ret = cfg80211_get_station(real_netdev, neigh->addr, &sinfo); + +- /* free the TID stats immediately */ +- cfg80211_sinfo_release_content(&sinfo); ++ if (!ret) { ++ /* free the TID stats immediately */ ++ cfg80211_sinfo_release_content(&sinfo); ++ } + + dev_put(real_netdev); + if (ret == -ENOENT) { +-- +2.20.1 + diff --git a/queue-4.19/batman-adv-reduce-claim-hash-refcnt-only-for-removed.patch b/queue-4.19/batman-adv-reduce-claim-hash-refcnt-only-for-removed.patch new file mode 100644 index 00000000000..5da84d0dabf --- /dev/null 
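Review bot: Releasing `sinfo` only when `ret` is zero assumes that a failing cfg80211_get_station() never leaves an allocated `pertid` behind, and the hunk shows nothing that establishes that. If the declaration of `sinfo` (outside the hunk) were zero-initialised, `cfg80211_sinfo_release_content(&sinfo)` could stay unconditional and be safe on every path, which would also remove the uninitialised read the compiler warned about. At minimum the comment should say why the release is conditional, for example `/* sinfo only owns TID stats when the call succeeded */`. The function continues after `if (ret == -ENOENT) {` outside the hunk, so later reads of `sinfo` fields could not be checked here.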
+++ b/queue-4.19/batman-adv-reduce-claim-hash-refcnt-only-for-removed.patch 
@@ -0,0 +1,74 @@ +From 0f4ccc451347700a5174491b60bfe4281e5f65c5 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Sat, 23 Feb 2019 14:27:10 +0100 +Subject: batman-adv: Reduce claim hash refcnt only for removed entry + +[ Upstream commit 4ba104f468bbfc27362c393815d03aa18fb7a20f ] + +The batadv_hash_remove is a function which searches the hashtable for an +entry using a needle, a hashtable bucket selection function and a compare +function. It will lock the bucket list and delete an entry when the compare +function matches it with the needle. It returns the pointer to the +hlist_node which matches or NULL when no entry matches the needle. + +The batadv_bla_del_claim is not itself protected in anyway to avoid that +any other function is modifying the hashtable between the search for the +entry and the call to batadv_hash_remove. It can therefore happen that the +entry either doesn't exist anymore or an entry was deleted which is not the +same object as the needle. In such an situation, the reference counter (for +the reference stored in the hashtable) must not be reduced for the needle. +Instead the reference counter of the actually removed entry has to be +reduced. + +Otherwise the reference counter will underflow and the object might be +freed before all its references were dropped. The kref helpers reported +this problem as: + + refcount_t: underflow; use-after-free. 
+ +Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/bridge_loop_avoidance.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c +index 5f1aeeded0e3..85faf25c2912 100644 +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -803,6 +803,8 @@ static void batadv_bla_del_claim(struct batadv_priv *bat_priv, + const u8 *mac, const unsigned short vid) + { + struct batadv_bla_claim search_claim, *claim; ++ struct batadv_bla_claim *claim_removed_entry; ++ struct hlist_node *claim_removed_node; + + ether_addr_copy(search_claim.addr, mac); + search_claim.vid = vid; +@@ -813,10 +815,18 @@ static void batadv_bla_del_claim(struct batadv_priv *bat_priv, + batadv_dbg(BATADV_DBG_BLA, bat_priv, "%s(): %pM, vid %d\n", __func__, + mac, batadv_print_vid(vid)); + +- batadv_hash_remove(bat_priv->bla.claim_hash, batadv_compare_claim, +- batadv_choose_claim, claim); +- batadv_claim_put(claim); /* reference from the hash is gone */ ++ claim_removed_node = batadv_hash_remove(bat_priv->bla.claim_hash, ++ batadv_compare_claim, ++ batadv_choose_claim, claim); ++ if (!claim_removed_node) ++ goto free_claim; + ++ /* reference from the hash is gone */ ++ claim_removed_entry = hlist_entry(claim_removed_node, ++ struct batadv_bla_claim, hash_entry); ++ batadv_claim_put(claim_removed_entry); ++ ++free_claim: + /* don't need the reference from hash_find() anymore */ + batadv_claim_put(claim); + } +-- +2.20.1 + diff --git a/queue-4.19/batman-adv-reduce-tt_global-hash-refcnt-only-for-rem.patch b/queue-4.19/batman-adv-reduce-tt_global-hash-refcnt-only-for-rem.patch new file mode 100644 index 00000000000..9c97650974f --- /dev/null +++ b/queue-4.19/batman-adv-reduce-tt_global-hash-refcnt-only-for-rem.patch 
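Review bot: The comment kept above the new put, `/* reference from the hash is gone */`, no longer explains what the code does, because the put now targets `claim_removed_entry`, which can be a different object from `claim`. That distinction is what prevents the refcount underflow described in the commit message, so it should be stated in the code, e.g. `/* drop the hash's reference on the entry actually removed, which may not be 'claim' */`. The `free_claim` label name is also slightly misleading, since the code under it only drops the hash_find() reference; `put_claim` would read better. The part of batadv_bla_del_claim() that looks up `claim` lies between the two hunks and is not shown.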
@@ -0,0 +1,75 @@ +From 235d5ed9dabfa9bce4ece89c6c49ab6db491cb29 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Sat, 23 Feb 2019 14:27:10 +0100 +Subject: batman-adv: Reduce tt_global hash refcnt only for removed entry + +[ Upstream commit f131a56880d10932931e74773fb8702894a94a75 ] + +The batadv_hash_remove is a function which searches the hashtable for an +entry using a needle, a hashtable bucket selection function and a compare +function. It will lock the bucket list and delete an entry when the compare +function matches it with the needle. It returns the pointer to the +hlist_node which matches or NULL when no entry matches the needle. + +The batadv_tt_global_free is not itself protected in anyway to avoid that +any other function is modifying the hashtable between the search for the +entry and the call to batadv_hash_remove. It can therefore happen that the +entry either doesn't exist anymore or an entry was deleted which is not the +same object as the needle. In such an situation, the reference counter (for +the reference stored in the hashtable) must not be reduced for the needle. +Instead the reference counter of the actually removed entry has to be +reduced. + +Otherwise the reference counter will underflow and the object might be +freed before all its references were dropped. The kref helpers reported +this problem as: + + refcount_t: underflow; use-after-free. 
+ +Fixes: 7683fdc1e886 ("batman-adv: protect the local and the global trans-tables with rcu") +Reported-by: Martin Weinelt +Signed-off-by: Sven Eckelmann +Acked-by: Antonio Quartulli +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/translation-table.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c +index 696e6ddc534b..359ec1a6e822 100644 +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -616,14 +616,26 @@ static void batadv_tt_global_free(struct batadv_priv *bat_priv, + struct batadv_tt_global_entry *tt_global, + const char *message) + { ++ struct batadv_tt_global_entry *tt_removed_entry; ++ struct hlist_node *tt_removed_node; ++ + batadv_dbg(BATADV_DBG_TT, bat_priv, + "Deleting global tt entry %pM (vid: %d): %s\n", + tt_global->common.addr, + batadv_print_vid(tt_global->common.vid), message); + +- batadv_hash_remove(bat_priv->tt.global_hash, batadv_compare_tt, +- batadv_choose_tt, &tt_global->common); +- batadv_tt_global_entry_put(tt_global); ++ tt_removed_node = batadv_hash_remove(bat_priv->tt.global_hash, ++ batadv_compare_tt, ++ batadv_choose_tt, ++ &tt_global->common); ++ if (!tt_removed_node) ++ return; ++ ++ /* drop reference of remove hash entry */ ++ tt_removed_entry = hlist_entry(tt_removed_node, ++ struct batadv_tt_global_entry, ++ common.hash_entry); ++ batadv_tt_global_entry_put(tt_removed_entry); + } + + /** +-- +2.20.1 + diff --git a/queue-4.19/batman-adv-reduce-tt_local-hash-refcnt-only-for-remo.patch b/queue-4.19/batman-adv-reduce-tt_local-hash-refcnt-only-for-remo.patch new file mode 100644 index 00000000000..fbd45921738 --- /dev/null +++ b/queue-4.19/batman-adv-reduce-tt_local-hash-refcnt-only-for-remo.patch 
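Review bot: The new comment `/* drop reference of remove hash entry */` in batadv_tt_global_free() has a typo, and the same text is added in batadv_tt_local_remove() in the next patch of this queue; `/* drop the hash's reference on the removed entry */` says what is meant. In batadv_tt_global_free() the early `return` when batadv_hash_remove() finds nothing is silent. A short comment there, noting that the entry is already gone from the hash and so there is no hash reference left to drop, would keep a later reader from re-adding an unconditional put.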
@@ -0,0 +1,78 @@ +From c23e958443455a26d0b932feceb1735e36fcb305 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Sat, 23 Feb 2019 14:27:10 +0100 +Subject: batman-adv: Reduce tt_local hash refcnt only for removed entry + +[ Upstream commit 3d65b9accab4a7ed5038f6df403fbd5e298398c7 ] + +The batadv_hash_remove is a function which searches the hashtable for an +entry using a needle, a hashtable bucket selection function and a compare +function. It will lock the bucket list and delete an entry when the compare +function matches it with the needle. It returns the pointer to the +hlist_node which matches or NULL when no entry matches the needle. + +The batadv_tt_local_remove is not itself protected in anyway to avoid that +any other function is modifying the hashtable between the search for the +entry and the call to batadv_hash_remove. It can therefore happen that the +entry either doesn't exist anymore or an entry was deleted which is not the +same object as the needle. In such an situation, the reference counter (for +the reference stored in the hashtable) must not be reduced for the needle. +Instead the reference counter of the actually removed entry has to be +reduced. + +Otherwise the reference counter will underflow and the object might be +freed before all its references were dropped. The kref helpers reported +this problem as: + + refcount_t: underflow; use-after-free. 
+ +Fixes: ef72706a0543 ("batman-adv: protect tt_local_entry from concurrent delete events") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/translation-table.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c +index d21624c44665..696e6ddc534b 100644 +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -1332,9 +1332,10 @@ u16 batadv_tt_local_remove(struct batadv_priv *bat_priv, const u8 *addr, + unsigned short vid, const char *message, + bool roaming) + { ++ struct batadv_tt_local_entry *tt_removed_entry; + struct batadv_tt_local_entry *tt_local_entry; + u16 flags, curr_flags = BATADV_NO_FLAGS; +- void *tt_entry_exists; ++ struct hlist_node *tt_removed_node; + + tt_local_entry = batadv_tt_local_hash_find(bat_priv, addr, vid); + if (!tt_local_entry) +@@ -1363,15 +1364,18 @@ u16 batadv_tt_local_remove(struct batadv_priv *bat_priv, const u8 *addr, + */ + batadv_tt_local_event(bat_priv, tt_local_entry, BATADV_TT_CLIENT_DEL); + +- tt_entry_exists = batadv_hash_remove(bat_priv->tt.local_hash, ++ tt_removed_node = batadv_hash_remove(bat_priv->tt.local_hash, + batadv_compare_tt, + batadv_choose_tt, + &tt_local_entry->common); +- if (!tt_entry_exists) ++ if (!tt_removed_node) + goto out; + +- /* extra call to free the local tt entry */ +- batadv_tt_local_entry_put(tt_local_entry); ++ /* drop reference of remove hash entry */ ++ tt_removed_entry = hlist_entry(tt_removed_node, ++ struct batadv_tt_local_entry, ++ common.hash_entry); ++ batadv_tt_local_entry_put(tt_removed_entry); + + out: + if (tt_local_entry) +-- +2.20.1 + diff --git a/queue-4.19/block-pass-no-op-callback-to-init_work.patch b/queue-4.19/block-pass-no-op-callback-to-init_work.patch new file mode 100644 index 00000000000..03d17d3ccb7 --- /dev/null 
+++ b/queue-4.19/block-pass-no-op-callback-to-init_work.patch @@ -0,0 +1,52 @@ +From 28fab4490a3ad77217e23c2c7132308954b80e96 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Wed, 30 Jan 2019 22:21:45 +0900 +Subject: block: pass no-op callback to INIT_WORK(). + +[ Upstream commit 2e3c18d0ada16f145087b2687afcad1748c0827c ] + +syzbot is hitting flush_work() warning caused by commit 4d43d395fed12463 +("workqueue: Try to catch flush_work() without INIT_WORK().") [1]. +Although that commit did not expect INIT_WORK(NULL) case, calling +flush_work() without setting a valid callback should be avoided anyway. +Fix this problem by setting a no-op callback instead of NULL. + +[1] https://syzkaller.appspot.com/bug?id=e390366bc48bc82a7c668326e0663be3b91cbd29 + +Signed-off-by: Tetsuo Handa +Reported-and-tested-by: syzbot +Cc: Tejun Heo +Signed-off-by: Jens Axboe +[sl: rename blk_timeout_work] +Signed-off-by: Sasha Levin +--- + block/blk-core.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/block/blk-core.c b/block/blk-core.c +index eb8b52241453..33488b1426b7 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -980,6 +980,10 @@ static void blk_rq_timed_out_timer(struct timer_list *t) + kblockd_schedule_work(&q->timeout_work); + } + ++static void blk_timeout_work_dummy(struct work_struct *work) ++{ ++} ++ + /** + * blk_alloc_queue_node - allocate a request queue + * @gfp_mask: memory allocation flags +@@ -1034,7 +1038,7 @@ struct request_queue *blk_alloc_queue_node(gfp_t gfp_mask, int node_id, + timer_setup(&q->backing_dev_info->laptop_mode_wb_timer, + laptop_mode_timer_fn, 0); + timer_setup(&q->timeout, blk_rq_timed_out_timer, 0); +- INIT_WORK(&q->timeout_work, NULL); ++ INIT_WORK(&q->timeout_work, blk_timeout_work_dummy); + INIT_LIST_HEAD(&q->timeout_list); + INIT_LIST_HEAD(&q->icq_list); + #ifdef CONFIG_BLK_CGROUP +-- +2.20.1 + 
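Review bot: `blk_timeout_work_dummy()` is an empty function with no comment, so a reader of block/blk-core.c cannot tell why `q->timeout_work` is initialised with a callback that does nothing. A line such as `/* no-op: gives timeout_work a valid callback so flush_work() on it does not warn */` above the function would record the reason given in the commit message. If a real handler is assigned later for some queue types, the comment should say so; that assignment is not visible in this hunk.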
diff --git a/queue-4.19/block-use-blk_free_flush_queue-to-free-hctx-fq-in-bl.patch b/queue-4.19/block-use-blk_free_flush_queue-to-free-hctx-fq-in-bl.patch new file mode 100644 index 00000000000..9fbe0570527 --- /dev/null +++ b/queue-4.19/block-use-blk_free_flush_queue-to-free-hctx-fq-in-bl.patch @@ -0,0 +1,34 @@ +From 72df8bc3b98a1d99c5713342eeff743dfc97bf8d Mon Sep 17 00:00:00 2001 +From: Shenghui Wang +Date: Mon, 1 Apr 2019 21:40:36 +0800 +Subject: block: use blk_free_flush_queue() to free hctx->fq in + blk_mq_init_hctx + +[ Upstream commit b9a1ff504b9492ad6beb7d5606e0e3365d4d8499 ] + +kfree() can leak the hctx->fq->flush_rq field. + +Reviewed-by: Ming Lei +Signed-off-by: Shenghui Wang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 7d53f2314d7c..414656796ecf 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -2236,7 +2236,7 @@ static int blk_mq_init_hctx(struct request_queue *q, + return 0; + + free_fq: +- kfree(hctx->fq); ++ blk_free_flush_queue(hctx->fq); + exit_hctx: + if (set->ops->exit_hctx) + set->ops->exit_hctx(hctx, hctx_idx); +-- +2.20.1 + diff --git a/queue-4.19/bonding-show-full-hw-address-in-sysfs-for-slave-entr.patch b/queue-4.19/bonding-show-full-hw-address-in-sysfs-for-slave-entr.patch new file mode 100644 index 00000000000..01ed61c07f3 --- /dev/null +++ b/queue-4.19/bonding-show-full-hw-address-in-sysfs-for-slave-entr.patch 
@@ -0,0 +1,43 @@ +From 821dfde5611ed9198879154d128d271cde4eaec8 Mon Sep 17 00:00:00 2001 +From: Konstantin Khorenko +Date: Thu, 28 Mar 2019 13:29:21 +0300 +Subject: bonding: show full hw address in sysfs for slave entries + +[ Upstream commit 18bebc6dd3281955240062655a4df35eef2c46b3 ] + +Bond expects ethernet hwaddr for its slave, but it can be longer than 6 +bytes - infiniband interface for example. + + # cat /sys/devices//net/ib0/address + 80:00:02:08:fe:80:00:00:00:00:00:00:7c:fe:90:03:00:be:5d:e1 + + # cat /sys/devices//net/ib0/bonding_slave/perm_hwaddr + 80:00:02:08:fe:80 + +So print full hwaddr in sysfs "bonding_slave/perm_hwaddr" as well. + +Signed-off-by: Konstantin Khorenko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_sysfs_slave.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_sysfs_slave.c b/drivers/net/bonding/bond_sysfs_slave.c +index 2f120b2ffef0..4985268e2273 100644 +--- a/drivers/net/bonding/bond_sysfs_slave.c ++++ b/drivers/net/bonding/bond_sysfs_slave.c +@@ -55,7 +55,9 @@ static SLAVE_ATTR_RO(link_failure_count); + + static ssize_t perm_hwaddr_show(struct slave *slave, char *buf) + { +- return sprintf(buf, "%pM\n", slave->perm_hwaddr); ++ return sprintf(buf, "%*phC\n", ++ slave->dev->addr_len, ++ slave->perm_hwaddr); + } + static SLAVE_ATTR_RO(perm_hwaddr); + +-- +2.20.1 + diff --git a/queue-4.19/debugfs-fix-use-after-free-on-symlink-traversal.patch b/queue-4.19/debugfs-fix-use-after-free-on-symlink-traversal.patch new file mode 100644 index 00000000000..ed2a67971e1 --- /dev/null +++ b/queue-4.19/debugfs-fix-use-after-free-on-symlink-traversal.patch 
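Review bot: `perm_hwaddr_show()` now reads `slave->dev->addr_len` bytes from `slave->perm_hwaddr`, and the hunk does not show how large that array is in the 4.19 tree. The commit message's own example is a 20-byte InfiniBand address, so if `perm_hwaddr` is still sized for a 6-byte Ethernet address in this branch, the new format would read past the field and expose adjacent struct memory through sysfs. The backport should be checked against the field's declaration, or the length clamped, e.g. `min_t(unsigned int, slave->dev->addr_len, sizeof(slave->perm_hwaddr))`.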
@@ -0,0 +1,54 @@ +From 5b633736827a4af5c4f175a4e89bc8baa74380b6 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Tue, 26 Mar 2019 01:43:37 +0000 +Subject: debugfs: fix use-after-free on symlink traversal + +[ Upstream commit 93b919da64c15b90953f96a536e5e61df896ca57 ] + +symlink body shouldn't be freed without an RCU delay. Switch debugfs to +->destroy_inode() and use of call_rcu(); free both the inode and symlink +body in the callback. Similar to solution for bpf, only here it's even +more obvious that ->evict_inode() can be dropped. + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/debugfs/inode.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c +index 41ef452c1fcf..e5126fad57c5 100644 +--- a/fs/debugfs/inode.c ++++ b/fs/debugfs/inode.c +@@ -163,19 +163,24 @@ static int debugfs_show_options(struct seq_file *m, struct dentry *root) + return 0; + } + +-static void debugfs_evict_inode(struct inode *inode) ++static void debugfs_i_callback(struct rcu_head *head) + { +- truncate_inode_pages_final(&inode->i_data); +- clear_inode(inode); ++ struct inode *inode = container_of(head, struct inode, i_rcu); + if (S_ISLNK(inode->i_mode)) + kfree(inode->i_link); ++ free_inode_nonrcu(inode); ++} ++ ++static void debugfs_destroy_inode(struct inode *inode) ++{ ++ call_rcu(&inode->i_rcu, debugfs_i_callback); + } + + static const struct super_operations debugfs_super_operations = { + .statfs = simple_statfs, + .remount_fs = debugfs_remount, + .show_options = debugfs_show_options, +- .evict_inode = debugfs_evict_inode, ++ .destroy_inode = debugfs_destroy_inode, + }; + + static void debugfs_release_dentry(struct dentry *dentry) +-- +2.20.1 + diff --git a/queue-4.19/efi-fix-debugobjects-warning-on-efi_rts_work.patch b/queue-4.19/efi-fix-debugobjects-warning-on-efi_rts_work.patch new file mode 100644 index 00000000000..8a8ee1046cd --- /dev/null 
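Review bot: The new `debugfs_i_callback()` and `debugfs_destroy_inode()` carry no comment saying why the free is deferred, although that deferral is the whole fix. The commit message states that the symlink body must not be freed without an RCU delay, so a short comment above the callback would discourage a later cleanup from moving `kfree(inode->i_link)` back into a synchronous path: `/* Called after an RCU grace period; i_link must stay valid for symlink traversal running under RCU. */`. A one-line comment next to `.destroy_inode` saying that dropping `.evict_inode` is intentional would help too, since the hunk removes the `truncate_inode_pages_final()`/`clear_inode()` calls without showing what now performs them.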
+++ b/queue-4.19/efi-fix-debugobjects-warning-on-efi_rts_work.patch @@ -0,0 +1,50 @@ +From 41c0ae8d1aa7277db2de943cb81cda92e10659a1 Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Wed, 14 Nov 2018 09:55:40 -0800 +Subject: efi: Fix debugobjects warning on 'efi_rts_work' + +[ Upstream commit ef1491e791308317bb9851a0ad380c4a68b58d54 ] + +The following commit: + + 9dbbedaa6171 ("efi: Make efi_rts_work accessible to efi page fault handler") + +converted 'efi_rts_work' from an auto variable to a global variable. +However, when submitting the work, INIT_WORK_ONSTACK() was still used, +causing the following complaint from debugobjects: + + ODEBUG: object 00000000ed27b500 is NOT on stack 00000000c7d38760, but annotated. + +Change the macro to just INIT_WORK() to eliminate the warning. + +Signed-off-by: Waiman Long +Signed-off-by: Ard Biesheuvel +Acked-by: Sai Praneeth Prakhya +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Fixes: 9dbbedaa6171 ("efi: Make efi_rts_work accessible to efi page fault handler") +Link: http://lkml.kernel.org/r/20181114175544.12860-2-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/runtime-wrappers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/efi/runtime-wrappers.c b/drivers/firmware/efi/runtime-wrappers.c +index b0aeffd4e269..1606abead22c 100644 +--- a/drivers/firmware/efi/runtime-wrappers.c ++++ b/drivers/firmware/efi/runtime-wrappers.c +@@ -95,7 +95,7 @@ struct efi_runtime_work { + efi_rts_work.status = EFI_ABORTED; \ + \ + init_completion(&efi_rts_work.efi_rts_comp); \ +- INIT_WORK_ONSTACK(&efi_rts_work.work, efi_call_rts); \ ++ INIT_WORK(&efi_rts_work.work, efi_call_rts); \ + efi_rts_work.arg1 = _arg1; \ + efi_rts_work.arg2 = _arg2; \ + efi_rts_work.arg3 = _arg3; \ +-- +2.20.1 + 
diff --git a/queue-4.19/fs-stream_open-opener-for-stream-like-files-so-that-.patch b/queue-4.19/fs-stream_open-opener-for-stream-like-files-so-that-.patch new file mode 100644 index 00000000000..2b6be5939a0 --- /dev/null +++ b/queue-4.19/fs-stream_open-opener-for-stream-like-files-so-that-.patch 
@@ -0,0 +1,658 @@ +From 08f750055be2ba828ea18d7e89e886b1599432e1 Mon Sep 17 00:00:00 2001 +From: Kirill Smelkov +Date: Tue, 26 Mar 2019 22:20:43 +0000 +Subject: fs: stream_open - opener for stream-like files so that read and write + can run simultaneously without deadlock + +[ Upstream commit 10dce8af34226d90fa56746a934f8da5dcdba3df ] + +Commit 9c225f2655e3 ("vfs: atomic f_pos accesses as per POSIX") added +locking for file.f_pos access and in particular made concurrent read and +write not possible - now both those functions take f_pos lock for the +whole run, and so if e.g. a read is blocked waiting for data, write will +deadlock waiting for that read to complete. + +This caused regression for stream-like files where previously read and +write could run simultaneously, but after that patch could not do so +anymore. See e.g. commit 581d21a2d02a ("xenbus: fix deadlock on writes +to /proc/xen/xenbus") which fixes such regression for particular case of +/proc/xen/xenbus. + +The patch that added f_pos lock in 2014 did so to guarantee POSIX thread +safety for read/write/lseek and added the locking to file descriptors of +all regular files. In 2014 that thread-safety problem was not new as it +was already discussed earlier in 2006. + +However even though 2006'th version of Linus's patch was adding f_pos +locking "only for files that are marked seekable with FMODE_LSEEK (thus +avoiding the stream-like objects like pipes and sockets)", the 2014 +version - the one that actually made it into the tree as 9c225f2655e3 - +is doing so irregardless of whether a file is seekable or not. + +See + + https://lore.kernel.org/lkml/53022DB1.4070805@gmail.com/ + https://lwn.net/Articles/180387 + https://lwn.net/Articles/180396 + +for historic context. + +The reason that it did so is, probably, that there are many files that +are marked non-seekable, but e.g. their read implementation actually +depends on knowing current position to correctly handle the read. 
Some +examples: + + kernel/power/user.c snapshot_read + fs/debugfs/file.c u32_array_read + fs/fuse/control.c fuse_conn_waiting_read + ... + drivers/hwmon/asus_atk0110.c atk_debugfs_ggrp_read + arch/s390/hypfs/inode.c hypfs_read_iter + ... + +Despite that, many nonseekable_open users implement read and write with +pure stream semantics - they don't depend on passed ppos at all. And for +those cases where read could wait for something inside, it creates a +situation similar to xenbus - the write could be never made to go until +read is done, and read is waiting for some, potentially external, event, +for potentially unbounded time -> deadlock. + +Besides xenbus, there are 14 such places in the kernel that I've found +with semantic patch (see below): + + drivers/xen/evtchn.c:667:8-24: ERROR: evtchn_fops: .read() can deadlock .write() + drivers/isdn/capi/capi.c:963:8-24: ERROR: capi_fops: .read() can deadlock .write() + drivers/input/evdev.c:527:1-17: ERROR: evdev_fops: .read() can deadlock .write() + drivers/char/pcmcia/cm4000_cs.c:1685:7-23: ERROR: cm4000_fops: .read() can deadlock .write() + net/rfkill/core.c:1146:8-24: ERROR: rfkill_fops: .read() can deadlock .write() + drivers/s390/char/fs3270.c:488:1-17: ERROR: fs3270_fops: .read() can deadlock .write() + drivers/usb/misc/ldusb.c:310:1-17: ERROR: ld_usb_fops: .read() can deadlock .write() + drivers/hid/uhid.c:635:1-17: ERROR: uhid_fops: .read() can deadlock .write() + net/batman-adv/icmp_socket.c:80:1-17: ERROR: batadv_fops: .read() can deadlock .write() + drivers/media/rc/lirc_dev.c:198:1-17: ERROR: lirc_fops: .read() can deadlock .write() + drivers/leds/uleds.c:77:1-17: ERROR: uleds_fops: .read() can deadlock .write() + drivers/input/misc/uinput.c:400:1-17: ERROR: uinput_fops: .read() can deadlock .write() + drivers/infiniband/core/user_mad.c:985:7-23: ERROR: umad_fops: .read() can deadlock .write() + drivers/gnss/core.c:45:1-17: ERROR: gnss_fops: .read() can deadlock .write() + +In addition to the cases above 
another regression caused by f_pos +locking is that now FUSE filesystems that implement open with +FOPEN_NONSEEKABLE flag, can no longer implement bidirectional +stream-like files - for the same reason as above e.g. read can deadlock +write locking on file.f_pos in the kernel. + +FUSE's FOPEN_NONSEEKABLE was added in 2008 in a7c1b990f715 ("fuse: +implement nonseekable open") to support OSSPD. OSSPD implements /dev/dsp +in userspace with FOPEN_NONSEEKABLE flag, with corresponding read and +write routines not depending on current position at all, and with both +read and write being potentially blocking operations: + +See + + https://github.com/libfuse/osspd + https://lwn.net/Articles/308445 + + https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1406 + https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1438-L1477 + https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1479-L1510 + +Corresponding libfuse example/test also describes FOPEN_NONSEEKABLE as +"somewhat pipe-like files ..." with read handler not using offset. +However that test implements only read without write and cannot exercise +the deadlock scenario: + + https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L124-L131 + https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L146-L163 + https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L209-L216 + +I've actually hit the read vs write deadlock for real while implementing +my FUSE filesystem where there is /head/watch file, for which open +creates separate bidirectional socket-like stream in between filesystem +and its user with both read and write being later performed +simultaneously. And there it is semantically not easy to split the +stream into two separate read-only and write-only channels: + + https://lab.nexedi.com/kirr/wendelin.core/blob/f13aa600/wcfs/wcfs.go#L88-169 + +Let's fix this regression. The plan is: + +1. 
We can't change nonseekable_open to include &~FMODE_ATOMIC_POS - + doing so would break many in-kernel nonseekable_open users which + actually use ppos in read/write handlers. + +2. Add stream_open() to kernel to open stream-like non-seekable file + descriptors. Read and write on such file descriptors would never use + nor change ppos. And with that property on stream-like files read and + write will be running without taking f_pos lock - i.e. read and write + could be running simultaneously. + +3. With semantic patch search and convert to stream_open all in-kernel + nonseekable_open users for which read and write actually do not + depend on ppos and where there is no other methods in file_operations + which assume @offset access. + +4. Add FOPEN_STREAM to fs/fuse/ and open in-kernel file-descriptors via + steam_open if that bit is present in filesystem open reply. + + It was tempting to change fs/fuse/ open handler to use stream_open + instead of nonseekable_open on just FOPEN_NONSEEKABLE flags, but + grepping through Debian codesearch shows users of FOPEN_NONSEEKABLE, + and in particular GVFS which actually uses offset in its read and + write handlers + + https://codesearch.debian.net/search?q=-%3Enonseekable+%3D + https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1080 + https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1247-1346 + https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1399-1481 + + so if we would do such a change it will break a real user. + +5. Add stream_open and FOPEN_STREAM handling to stable kernels starting + from v3.14+ (the kernel where 9c225f2655 first appeared). + + This will allow to patch OSSPD and other FUSE filesystems that + provide stream-like files to return FOPEN_STREAM | FOPEN_NONSEEKABLE + in their open handler and this way avoid the deadlock on all kernel + versions. 
This should work because fs/fuse/ ignores unknown open + flags returned from a filesystem and so passing FOPEN_STREAM to a + kernel that is not aware of this flag cannot hurt. In turn the kernel + that is not aware of FOPEN_STREAM will be < v3.14 where just + FOPEN_NONSEEKABLE is sufficient to implement streams without read vs + write deadlock. + +This patch adds stream_open, converts /proc/xen/xenbus to it and adds +semantic patch to automatically locate in-kernel places that are either +required to be converted due to read vs write deadlock, or that are just +safe to be converted because read and write do not use ppos and there +are no other funky methods in file_operations. + +Regarding semantic patch I've verified each generated change manually - +that it is correct to convert - and each other nonseekable_open instance +left - that it is either not correct to convert there, or that it is not +converted due to current stream_open.cocci limitations. + +The script also does not convert files that should be valid to convert, +but that currently have .llseek = noop_llseek or generic_file_llseek for +unknown reason despite file being opened with nonseekable_open (e.g. 
+drivers/input/mousedev.c) + +Cc: Michael Kerrisk +Cc: Yongzhi Pan +Cc: Jonathan Corbet +Cc: David Vrabel +Cc: Juergen Gross +Cc: Miklos Szeredi +Cc: Tejun Heo +Cc: Kirill Tkhai +Cc: Arnd Bergmann +Cc: Christoph Hellwig +Cc: Greg Kroah-Hartman +Cc: Julia Lawall +Cc: Nikolaus Rath +Cc: Han-Wen Nienhuys +Signed-off-by: Kirill Smelkov +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/xen/xenbus/xenbus_dev_frontend.c | 4 +- + fs/open.c | 18 ++ + fs/read_write.c | 5 +- + include/linux/fs.h | 4 + + scripts/coccinelle/api/stream_open.cocci | 363 +++++++++++++++++++++++ + 5 files changed, 389 insertions(+), 5 deletions(-) + create mode 100644 scripts/coccinelle/api/stream_open.cocci + +diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c +index c3e201025ef0..0782ff3c2273 100644 +--- a/drivers/xen/xenbus/xenbus_dev_frontend.c ++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c +@@ -622,9 +622,7 @@ static int xenbus_file_open(struct inode *inode, struct file *filp) + if (xen_store_evtchn == 0) + return -ENOENT; + +- nonseekable_open(inode, filp); +- +- filp->f_mode &= ~FMODE_ATOMIC_POS; /* cdev-style semantics */ ++ stream_open(inode, filp); + + u = kzalloc(sizeof(*u), GFP_KERNEL); + if (u == NULL) +diff --git a/fs/open.c b/fs/open.c +index f1c2f855fd43..a00350018a47 100644 +--- a/fs/open.c ++++ b/fs/open.c +@@ -1215,3 +1215,21 @@ int nonseekable_open(struct inode *inode, struct file *filp) + } + + EXPORT_SYMBOL(nonseekable_open); ++ ++/* ++ * stream_open is used by subsystems that want stream-like file descriptors. ++ * Such file descriptors are not seekable and don't have notion of position ++ * (file.f_pos is always 0). Contrary to file descriptors of other regular ++ * files, .read() and .write() can run simultaneously. ++ * ++ * stream_open never fails and is marked to return int so that it could be ++ * directly used as file_operations.open . 
++ */ ++int stream_open(struct inode *inode, struct file *filp) ++{ ++ filp->f_mode &= ~(FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE | FMODE_ATOMIC_POS); ++ filp->f_mode |= FMODE_STREAM; ++ return 0; ++} ++ ++EXPORT_SYMBOL(stream_open); +diff --git a/fs/read_write.c b/fs/read_write.c +index 562974a0616c..85fd7a8ee29e 100644 +--- a/fs/read_write.c ++++ b/fs/read_write.c +@@ -560,12 +560,13 @@ ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_ + + static inline loff_t file_pos_read(struct file *file) + { +- return file->f_pos; ++ return file->f_mode & FMODE_STREAM ? 0 : file->f_pos; + } + + static inline void file_pos_write(struct file *file, loff_t pos) + { +- file->f_pos = pos; ++ if ((file->f_mode & FMODE_STREAM) == 0) ++ file->f_pos = pos; + } + + ssize_t ksys_read(unsigned int fd, char __user *buf, size_t count) +diff --git a/include/linux/fs.h b/include/linux/fs.h +index 111c94c4baa1..d4e1b43a53c3 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -153,6 +153,9 @@ typedef int (dio_iodone_t)(struct kiocb *iocb, loff_t offset, + #define FMODE_OPENED ((__force fmode_t)0x80000) + #define FMODE_CREATED ((__force fmode_t)0x100000) + ++/* File is stream-like */ ++#define FMODE_STREAM ((__force fmode_t)0x200000) ++ + /* File was opened by fanotify and shouldn't generate fanotify events */ + #define FMODE_NONOTIFY ((__force fmode_t)0x4000000) + +@@ -3019,6 +3022,7 @@ extern loff_t no_seek_end_llseek_size(struct file *, loff_t, int, loff_t); + extern loff_t no_seek_end_llseek(struct file *, loff_t, int); + extern int generic_file_open(struct inode * inode, struct file * filp); + extern int nonseekable_open(struct inode * inode, struct file * filp); ++extern int stream_open(struct inode * inode, struct file * filp); + + #ifdef CONFIG_BLOCK + typedef void (dio_submit_t)(struct bio *bio, struct inode *inode, +diff --git a/scripts/coccinelle/api/stream_open.cocci b/scripts/coccinelle/api/stream_open.cocci +new file mode 100644 +index 
000000000000..350145da7669 +--- /dev/null ++++ b/scripts/coccinelle/api/stream_open.cocci +@@ -0,0 +1,363 @@ ++// SPDX-License-Identifier: GPL-2.0 ++// Author: Kirill Smelkov (kirr@nexedi.com) ++// ++// Search for stream-like files that are using nonseekable_open and convert ++// them to stream_open. A stream-like file is a file that does not use ppos in ++// its read and write. Rationale for the conversion is to avoid deadlock in ++// between read and write. ++ ++virtual report ++virtual patch ++virtual explain // explain decisions in the patch (SPFLAGS="-D explain") ++ ++// stream-like reader & writer - ones that do not depend on f_pos. ++@ stream_reader @ ++identifier readstream, ppos; ++identifier f, buf, len; ++type loff_t; ++@@ ++ ssize_t readstream(struct file *f, char *buf, size_t len, loff_t *ppos) ++ { ++ ... when != ppos ++ } ++ ++@ stream_writer @ ++identifier writestream, ppos; ++identifier f, buf, len; ++type loff_t; ++@@ ++ ssize_t writestream(struct file *f, const char *buf, size_t len, loff_t *ppos) ++ { ++ ... when != ppos ++ } ++ ++ ++// a function that blocks ++@ blocks @ ++identifier block_f; ++identifier wait_event =~ "^wait_event_.*"; ++@@ ++ block_f(...) { ++ ... when exists ++ wait_event(...) ++ ... when exists ++ } ++ ++// stream_reader that can block inside. ++// ++// XXX wait_* can be called not directly from current function (e.g. func -> f -> g -> wait()) ++// XXX currently reader_blocks supports only direct and 1-level indirect cases. ++@ reader_blocks_direct @ ++identifier stream_reader.readstream; ++identifier wait_event =~ "^wait_event_.*"; ++@@ ++ readstream(...) ++ { ++ ... when exists ++ wait_event(...) ++ ... when exists ++ } ++ ++@ reader_blocks_1 @ ++identifier stream_reader.readstream; ++identifier blocks.block_f; ++@@ ++ readstream(...) ++ { ++ ... when exists ++ block_f(...) ++ ... 
when exists ++ } ++ ++@ reader_blocks depends on reader_blocks_direct || reader_blocks_1 @ ++identifier stream_reader.readstream; ++@@ ++ readstream(...) { ++ ... ++ } ++ ++ ++// file_operations + whether they have _any_ .read, .write, .llseek ... at all. ++// ++// XXX add support for file_operations xxx[N] = ... (sound/core/pcm_native.c) ++@ fops0 @ ++identifier fops; ++@@ ++ struct file_operations fops = { ++ ... ++ }; ++ ++@ has_read @ ++identifier fops0.fops; ++identifier read_f; ++@@ ++ struct file_operations fops = { ++ .read = read_f, ++ }; ++ ++@ has_read_iter @ ++identifier fops0.fops; ++identifier read_iter_f; ++@@ ++ struct file_operations fops = { ++ .read_iter = read_iter_f, ++ }; ++ ++@ has_write @ ++identifier fops0.fops; ++identifier write_f; ++@@ ++ struct file_operations fops = { ++ .write = write_f, ++ }; ++ ++@ has_write_iter @ ++identifier fops0.fops; ++identifier write_iter_f; ++@@ ++ struct file_operations fops = { ++ .write_iter = write_iter_f, ++ }; ++ ++@ has_llseek @ ++identifier fops0.fops; ++identifier llseek_f; ++@@ ++ struct file_operations fops = { ++ .llseek = llseek_f, ++ }; ++ ++@ has_no_llseek @ ++identifier fops0.fops; ++@@ ++ struct file_operations fops = { ++ .llseek = no_llseek, ++ }; ++ ++@ has_mmap @ ++identifier fops0.fops; ++identifier mmap_f; ++@@ ++ struct file_operations fops = { ++ .mmap = mmap_f, ++ }; ++ ++@ has_copy_file_range @ ++identifier fops0.fops; ++identifier copy_file_range_f; ++@@ ++ struct file_operations fops = { ++ .copy_file_range = copy_file_range_f, ++ }; ++ ++@ has_remap_file_range @ ++identifier fops0.fops; ++identifier remap_file_range_f; ++@@ ++ struct file_operations fops = { ++ .remap_file_range = remap_file_range_f, ++ }; ++ ++@ has_splice_read @ ++identifier fops0.fops; ++identifier splice_read_f; ++@@ ++ struct file_operations fops = { ++ .splice_read = splice_read_f, ++ }; ++ ++@ has_splice_write @ ++identifier fops0.fops; ++identifier splice_write_f; ++@@ ++ struct file_operations fops = { 
++ .splice_write = splice_write_f, ++ }; ++ ++ ++// file_operations that is candidate for stream_open conversion - it does not ++// use mmap and other methods that assume @offset access to file. ++// ++// XXX for simplicity require no .{read/write}_iter and no .splice_{read/write} for now. ++// XXX maybe_steam.fops cannot be used in other rules - it gives "bad rule maybe_stream or bad variable fops". ++@ maybe_stream depends on (!has_llseek || has_no_llseek) && !has_mmap && !has_copy_file_range && !has_remap_file_range && !has_read_iter && !has_write_iter && !has_splice_read && !has_splice_write @ ++identifier fops0.fops; ++@@ ++ struct file_operations fops = { ++ }; ++ ++ ++// ---- conversions ---- ++ ++// XXX .open = nonseekable_open -> .open = stream_open ++// XXX .open = func -> openfunc -> nonseekable_open ++ ++// read & write ++// ++// if both are used in the same file_operations together with an opener - ++// under that conditions we can use stream_open instead of nonseekable_open. ++@ fops_rw depends on maybe_stream @ ++identifier fops0.fops, openfunc; ++identifier stream_reader.readstream; ++identifier stream_writer.writestream; ++@@ ++ struct file_operations fops = { ++ .open = openfunc, ++ .read = readstream, ++ .write = writestream, ++ }; ++ ++@ report_rw depends on report @ ++identifier fops_rw.openfunc; ++position p1; ++@@ ++ openfunc(...) { ++ <... ++ nonseekable_open@p1 ++ ...> ++ } ++ ++@ script:python depends on report && reader_blocks @ ++fops << fops0.fops; ++p << report_rw.p1; ++@@ ++coccilib.report.print_report(p[0], ++ "ERROR: %s: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix." % (fops,)) ++ ++@ script:python depends on report && !reader_blocks @ ++fops << fops0.fops; ++p << report_rw.p1; ++@@ ++coccilib.report.print_report(p[0], ++ "WARNING: %s: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open." 
% (fops,)) ++ ++ ++@ explain_rw_deadlocked depends on explain && reader_blocks @ ++identifier fops_rw.openfunc; ++@@ ++ openfunc(...) { ++ <... ++- nonseekable_open +++ nonseekable_open /* read & write (was deadlock) */ ++ ...> ++ } ++ ++ ++@ explain_rw_nodeadlock depends on explain && !reader_blocks @ ++identifier fops_rw.openfunc; ++@@ ++ openfunc(...) { ++ <... ++- nonseekable_open +++ nonseekable_open /* read & write (no direct deadlock) */ ++ ...> ++ } ++ ++@ patch_rw depends on patch @ ++identifier fops_rw.openfunc; ++@@ ++ openfunc(...) { ++ <... ++- nonseekable_open +++ stream_open ++ ...> ++ } ++ ++ ++// read, but not write ++@ fops_r depends on maybe_stream && !has_write @ ++identifier fops0.fops, openfunc; ++identifier stream_reader.readstream; ++@@ ++ struct file_operations fops = { ++ .open = openfunc, ++ .read = readstream, ++ }; ++ ++@ report_r depends on report @ ++identifier fops_r.openfunc; ++position p1; ++@@ ++ openfunc(...) { ++ <... ++ nonseekable_open@p1 ++ ...> ++ } ++ ++@ script:python depends on report @ ++fops << fops0.fops; ++p << report_r.p1; ++@@ ++coccilib.report.print_report(p[0], ++ "WARNING: %s: .read() has stream semantic; safe to change nonseekable_open -> stream_open." % (fops,)) ++ ++@ explain_r depends on explain @ ++identifier fops_r.openfunc; ++@@ ++ openfunc(...) { ++ <... ++- nonseekable_open +++ nonseekable_open /* read only */ ++ ...> ++ } ++ ++@ patch_r depends on patch @ ++identifier fops_r.openfunc; ++@@ ++ openfunc(...) { ++ <... ++- nonseekable_open +++ stream_open ++ ...> ++ } ++ ++ ++// write, but not read ++@ fops_w depends on maybe_stream && !has_read @ ++identifier fops0.fops, openfunc; ++identifier stream_writer.writestream; ++@@ ++ struct file_operations fops = { ++ .open = openfunc, ++ .write = writestream, ++ }; ++ ++@ report_w depends on report @ ++identifier fops_w.openfunc; ++position p1; ++@@ ++ openfunc(...) { ++ <... 
++ nonseekable_open@p1 ++ ...> ++ } ++ ++@ script:python depends on report @ ++fops << fops0.fops; ++p << report_w.p1; ++@@ ++coccilib.report.print_report(p[0], ++ "WARNING: %s: .write() has stream semantic; safe to change nonseekable_open -> stream_open." % (fops,)) ++ ++@ explain_w depends on explain @ ++identifier fops_w.openfunc; ++@@ ++ openfunc(...) { ++ <... ++- nonseekable_open +++ nonseekable_open /* write only */ ++ ...> ++ } ++ ++@ patch_w depends on patch @ ++identifier fops_w.openfunc; ++@@ ++ openfunc(...) { ++ <... ++- nonseekable_open +++ stream_open ++ ...> ++ } ++ ++ ++// no read, no write - don't change anything +-- +2.20.1 + diff --git a/queue-4.19/hid-debug-fix-race-condition-with-between-rdesc_show.patch b/queue-4.19/hid-debug-fix-race-condition-with-between-rdesc_show.patch new file mode 100644 index 00000000000..e96e923e269 --- /dev/null +++ b/queue-4.19/hid-debug-fix-race-condition-with-between-rdesc_show.patch 
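Review bot: The comment added above `stream_open()` in fs/open.c says what the descriptor loses but not what a driver's handlers must guarantee in return. Because the function clears `FMODE_ATOMIC_POS`, `.read()` and `.write()` run without the f_pos lock, so any state they share has to be protected by the driver itself, and per the commit message they must neither use nor change `ppos`. I would add that obligation to the comment, for example `* Callers' .read()/.write() must not use *ppos and must do their own locking.` The read and write handlers behind `xenbus_file_open()`, which this patch converts, are not visible here, so their compliance is taken from the description rather than checked. As a small style point, `file_pos_read()` would read more clearly as `return (file->f_mode & FMODE_STREAM) ? 0 : file->f_pos;`, matching the parenthesised test in `file_pos_write()`.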
@@ -0,0 +1,61 @@ +From 71ff54b8cf4bf5543b284ffb3df82f6e79466841 Mon Sep 17 00:00:00 2001 +From: "He, Bo" +Date: Thu, 14 Mar 2019 02:28:21 +0000 +Subject: HID: debug: fix race condition with between rdesc_show() and device + removal + +[ Upstream commit cef0d4948cb0a02db37ebfdc320e127c77ab1637 ] + +There is a race condition that could happen if hid_debug_rdesc_show() +is running while hdev is in the process of going away (device removal, +system suspend, etc) which could result in NULL pointer dereference: + + BUG: unable to handle kernel paging request at 0000000783316040 + CPU: 1 PID: 1512 Comm: getevent Tainted: G U O 4.19.20-quilt-2e5dc0ac-00029-gc455a447dd55 #1 + RIP: 0010:hid_dump_device+0x9b/0x160 + Call Trace: + hid_debug_rdesc_show+0x72/0x1d0 + seq_read+0xe0/0x410 + full_proxy_read+0x5f/0x90 + __vfs_read+0x3a/0x170 + vfs_read+0xa0/0x150 + ksys_read+0x58/0xc0 + __x64_sys_read+0x1a/0x20 + do_syscall_64+0x55/0x110 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Grab driver_input_lock to make sure the input device exists throughout the +whole process of dumping the rdesc. + +[jkosina@suse.cz: update changelog a bit] +Signed-off-by: he, bo +Signed-off-by: "Zhang, Jun" +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-debug.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c +index ebc9ffde41e9..a353a011fbdf 100644 +--- a/drivers/hid/hid-debug.c ++++ b/drivers/hid/hid-debug.c +@@ -1060,10 +1060,15 @@ static int hid_debug_rdesc_show(struct seq_file *f, void *p) + seq_printf(f, "\n\n"); + + /* dump parsed data and input mappings */ ++ if (down_interruptible(&hdev->driver_input_lock)) ++ return 0; ++ + hid_dump_device(hdev, f); + seq_printf(f, "\n"); + hid_dump_input_mapping(hdev, f); + ++ up(&hdev->driver_input_lock); ++ + return 0; + } + +-- +2.20.1 + 
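Review bot: When `down_interruptible(&hdev->driver_input_lock)` is interrupted, the added code in `hid_debug_rdesc_show()` returns 0, so the reader receives a dump that lacks the parsed data and input mappings, with no error. Returning the failure instead, `if (down_interruptible(&hdev->driver_input_lock)) return -EINTR;`, lets a caller tell a truncated dump from a complete one. How the seq_file read path surfaces a negative return from this show callback should be confirmed before changing it. The function starts outside the hunk, so it cannot be judged from here whether the part of the dump before the lock also touches state that can disappear during device removal.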
diff --git a/queue-4.19/hid-input-add-mapping-for-assistant-key.patch b/queue-4.19/hid-input-add-mapping-for-assistant-key.patch new file mode 100644 index 00000000000..5de9b96dca5 --- /dev/null +++ b/queue-4.19/hid-input-add-mapping-for-assistant-key.patch @@ -0,0 +1,33 @@ +From 7b36cf5f788e8ff26c3970466e75f3115dc7c6c0 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Tue, 2 Apr 2019 09:57:13 -0700 +Subject: HID: input: add mapping for Assistant key + +[ Upstream commit ce856634af8cda3490947df8ac1ef5843e6356af ] + +According to HUTRR89 usage 0x1cb from the consumer page was assigned to +allow launching desktop-aware assistant application, so let's add the +mapping. + +Signed-off-by: Dmitry Torokhov +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-input.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index a3916e58dbf5..e649940e065d 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -982,6 +982,7 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + case 0x1b8: map_key_clear(KEY_VIDEO); break; + case 0x1bc: map_key_clear(KEY_MESSENGER); break; + case 0x1bd: map_key_clear(KEY_INFO); break; ++ case 0x1cb: map_key_clear(KEY_ASSISTANT); break; + case 0x201: map_key_clear(KEY_NEW); break; + case 0x202: map_key_clear(KEY_OPEN); break; + case 0x203: map_key_clear(KEY_CLOSE); break; +-- +2.20.1 + diff --git a/queue-4.19/hid-logitech-check-the-return-value-of-create_single.patch b/queue-4.19/hid-logitech-check-the-return-value-of-create_single.patch new file mode 100644 index 00000000000..2e757b73352 --- /dev/null +++ b/queue-4.19/hid-logitech-check-the-return-value-of-create_single.patch 
@@ -0,0 +1,48 @@ +From ca77bd93750e1c953d2ecd5f2327717e9123bf2f Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Thu, 14 Mar 2019 00:24:02 -0500 +Subject: HID: logitech: check the return value of + create_singlethread_workqueue + +[ Upstream commit 6c44b15e1c9076d925d5236ddadf1318b0a25ce2 ] + +create_singlethread_workqueue may fail and return NULL. The fix checks if it is +NULL to avoid NULL pointer dereference. Also, the fix moves the call of +create_singlethread_workqueue earlier to avoid resource-release issues. + +Signed-off-by: Kangjie Lu +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-logitech-hidpp.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c +index 19cc980eebce..8425d3548a41 100644 +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -1907,6 +1907,13 @@ static int hidpp_ff_init(struct hidpp_device *hidpp, u8 feature_index) + kfree(data); + return -ENOMEM; + } ++ data->wq = create_singlethread_workqueue("hidpp-ff-sendqueue"); ++ if (!data->wq) { ++ kfree(data->effect_ids); ++ kfree(data); ++ return -ENOMEM; ++ } ++ + data->hidpp = hidpp; + data->feature_index = feature_index; + data->version = version; +@@ -1951,7 +1958,6 @@ static int hidpp_ff_init(struct hidpp_device *hidpp, u8 feature_index) + /* ignore boost value at response.fap.params[2] */ + + /* init the hardware command queue */ +- data->wq = create_singlethread_workqueue("hidpp-ff-sendqueue"); + atomic_set(&data->workqueue_size, 0); + + /* initialize with zero autocenter to get wheel in usable state */ +-- +2.20.1 + diff --git a/queue-4.19/hid-quirks-fix-keyboard-touchpad-on-lenovo-miix-630.patch b/queue-4.19/hid-quirks-fix-keyboard-touchpad-on-lenovo-miix-630.patch new file mode 100644 index 00000000000..692dafe0efd --- /dev/null +++ b/queue-4.19/hid-quirks-fix-keyboard-touchpad-on-lenovo-miix-630.patch 
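Review bot: Moving `create_singlethread_workqueue()` up in `hidpp_ff_init()` means `data->wq` now exists throughout the code between the two inner hunks, which is not shown. If any statement in that stretch can return on error, that path would need `destroy_workqueue(data->wq);` as well as the existing frees, otherwise the workqueue leaks. This should be checked against the full function. The new failure branch itself releases `data->effect_ids` and `data` before returning `-ENOMEM`, which matches the allocation order visible in the hunk.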
@@ -0,0 +1,47 @@ +From dde50c3a2ed9d8ecc35e03deb353967d75d7ee63 Mon Sep 17 00:00:00 2001 +From: Jeffrey Hugo +Date: Tue, 26 Mar 2019 09:55:54 -0700 +Subject: HID: quirks: Fix keyboard + touchpad on Lenovo Miix 630 + +[ Upstream commit 2bafa1e9625400bec4c840a168d70ba52607a58d ] + +Similar to commit edfc3722cfef ("HID: quirks: Fix keyboard + touchpad on +Toshiba Click Mini not working"), the Lenovo Miix 630 has a combo +keyboard/touchpad device with vid:pid of 04F3:0400, which is shared with +Elan touchpads. The combo on the Miix 630 has an ACPI id of QTEC0001, +which is not claimed by the elan_i2c driver, so key on that similar to +what was done for the Toshiba Click Mini. + +Signed-off-by: Jeffrey Hugo +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-quirks.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 94088c0ed68a..e24790c988c0 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -744,7 +744,6 @@ static const struct hid_device_id hid_ignore_list[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_DEALEXTREAME, USB_DEVICE_ID_DEALEXTREAME_RADIO_SI4701) }, + { HID_USB_DEVICE(USB_VENDOR_ID_DELORME, USB_DEVICE_ID_DELORME_EARTHMATE) }, + { HID_USB_DEVICE(USB_VENDOR_ID_DELORME, USB_DEVICE_ID_DELORME_EM_LT20) }, +- { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, 0x0400) }, + { HID_USB_DEVICE(USB_VENDOR_ID_ESSENTIAL_REALITY, USB_DEVICE_ID_ESSENTIAL_REALITY_P5) }, + { HID_USB_DEVICE(USB_VENDOR_ID_ETT, USB_DEVICE_ID_TC5UH) }, + { HID_USB_DEVICE(USB_VENDOR_ID_ETT, USB_DEVICE_ID_TC4UM) }, +@@ -1025,6 +1024,10 @@ bool hid_ignore(struct hid_device *hdev) + if (hdev->product == 0x0401 && + strncmp(hdev->name, "ELAN0800", 8) != 0) + return true; ++ /* Same with product id 0x0400 */ ++ if (hdev->product == 0x0400 && ++ strncmp(hdev->name, "QTEC0001", 8) != 0) ++ return true; + break; + } + +-- +2.20.1 + 
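Review bot: The new comment `/* Same with product id 0x0400 */` in `hid_ignore()` depends on an earlier comment that lies outside the hunk, and it does not say which machine the `"QTEC0001"` name belongs to. Something like `/* Lenovo Miix 630 combo keyboard/touchpad (ACPI id QTEC0001) shares 04F3:0400 with Elan touchpads; ignore the rest */` would record what the commit message explains. The length `8` passed to `strncmp()` is a hand-counted copy of the literal's length and makes this a prefix match on `hdev->name`; `sizeof("QTEC0001") - 1` would tie the two together.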
diff --git a/queue-4.19/hugetlbfs-fix-memory-leak-for-resv_map.patch b/queue-4.19/hugetlbfs-fix-memory-leak-for-resv_map.patch new file mode 100644 index 00000000000..f67995c9a05 --- /dev/null +++ b/queue-4.19/hugetlbfs-fix-memory-leak-for-resv_map.patch 
@@ -0,0 +1,78 @@ +From 960e849a37e5004b0aadb515457ad68ae7b2f181 Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Fri, 5 Apr 2019 18:39:06 -0700 +Subject: hugetlbfs: fix memory leak for resv_map + +[ Upstream commit 58b6e5e8f1addd44583d61b0a03c0f5519527e35 ] + +When mknod is used to create a block special file in hugetlbfs, it will +allocate an inode and kmalloc a 'struct resv_map' via resv_map_alloc(). +inode->i_mapping->private_data will point the newly allocated resv_map. +However, when the device special file is opened bd_acquire() will set +inode->i_mapping to bd_inode->i_mapping. Thus the pointer to the +allocated resv_map is lost and the structure is leaked. + +Programs to reproduce: + mount -t hugetlbfs nodev hugetlbfs + mknod hugetlbfs/dev b 0 0 + exec 30<> hugetlbfs/dev + umount hugetlbfs/ + +resv_map structures are only needed for inodes which can have associated +page allocations. To fix the leak, only allocate resv_map for those +inodes which could possibly be associated with page allocations. + +Link: http://lkml.kernel.org/r/20190401213101.16476-1-mike.kravetz@oracle.com +Signed-off-by: Mike Kravetz +Reviewed-by: Andrew Morton +Reported-by: Yufen Yu +Suggested-by: Yufen Yu +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/hugetlbfs/inode.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c +index a7fa037b876b..a3a3d256fb0e 100644 +--- a/fs/hugetlbfs/inode.c ++++ b/fs/hugetlbfs/inode.c +@@ -741,11 +741,17 @@ static struct inode *hugetlbfs_get_inode(struct super_block *sb, + umode_t mode, dev_t dev) + { + struct inode *inode; +- struct resv_map *resv_map; ++ struct resv_map *resv_map = NULL; + +- resv_map = resv_map_alloc(); +- if (!resv_map) +- return NULL; ++ /* ++ * Reserve maps are only needed for inodes that can have associated ++ * page allocations. 
++ */ ++ if (S_ISREG(mode) || S_ISLNK(mode)) { ++ resv_map = resv_map_alloc(); ++ if (!resv_map) ++ return NULL; ++ } + + inode = new_inode(sb); + if (inode) { +@@ -780,8 +786,10 @@ static struct inode *hugetlbfs_get_inode(struct super_block *sb, + break; + } + lockdep_annotate_inode_mutex_key(inode); +- } else +- kref_put(&resv_map->refs, resv_map_release); ++ } else { ++ if (resv_map) ++ kref_put(&resv_map->refs, resv_map_release); ++ } + + return inode; + } +-- +2.20.1 + diff --git a/queue-4.19/igb-fix-warn_once-on-runtime-suspend.patch b/queue-4.19/igb-fix-warn_once-on-runtime-suspend.patch new file mode 100644 index 00000000000..995070ff970 --- /dev/null +++ b/queue-4.19/igb-fix-warn_once-on-runtime-suspend.patch 
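Review bot: After this change `hugetlbfs_get_inode()` leaves `resv_map` NULL for every mode other than `S_ISREG`/`S_ISLNK`, so whatever the success path stores from it (that assignment is outside the hunk) becomes NULL for directories and special files. Code that later reads the reserve map for an inode should be checked for a NULL test; none of those readers is visible here. The comment could state the consequence as well as the reason, e.g. `/* resv_map stays NULL for other inode types; users of the map must handle that */`. The failure branch would also read more simply as `} else if (resv_map) {`.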
@@ -0,0 +1,155 @@ +From 443f5c671896a7cfbeb0520bfddf20b0a897cd0b Mon Sep 17 00:00:00 2001 +From: Arvind Sankar +Date: Sat, 2 Mar 2019 11:01:17 -0500 +Subject: igb: Fix WARN_ONCE on runtime suspend + +[ Upstream commit dabb8338be533c18f50255cf39ff4f66d4dabdbe ] + +The runtime_suspend device callbacks are not supposed to save +configuration state or change the power state. Commit fb29f76cc566 +("igb: Fix an issue that PME is not enabled during runtime suspend") +changed the driver to not save configuration state during runtime +suspend, however the driver callback still put the device into a +low-power state. This causes a warning in the pci pm core and results in +pci_pm_runtime_suspend not calling pci_save_state or pci_finish_runtime_suspend. + +Fix this by not changing the power state either, leaving that to pci pm +core, and make the same change for suspend callback as well. + +Also move a couple of defines into the appropriate header file instead +of inline in the .c file. + +Fixes: fb29f76cc566 ("igb: Fix an issue that PME is not enabled during runtime suspend") +Signed-off-by: Arvind Sankar +Reviewed-by: Kai-Heng Feng +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + .../net/ethernet/intel/igb/e1000_defines.h | 2 + + drivers/net/ethernet/intel/igb/igb_main.c | 57 +++---------------- + 2 files changed, 10 insertions(+), 49 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/e1000_defines.h b/drivers/net/ethernet/intel/igb/e1000_defines.h +index 8a28f3388f69..dca671591ef6 100644 +--- a/drivers/net/ethernet/intel/igb/e1000_defines.h ++++ b/drivers/net/ethernet/intel/igb/e1000_defines.h +@@ -194,6 +194,8 @@ + /* enable link status from external LINK_0 and LINK_1 pins */ + #define E1000_CTRL_SWDPIN0 0x00040000 /* SWDPIN 0 value */ + #define E1000_CTRL_SWDPIN1 0x00080000 /* SWDPIN 1 value */ ++#define E1000_CTRL_ADVD3WUC 0x00100000 /* D3 WUC */ ++#define E1000_CTRL_EN_PHY_PWR_MGMT 0x00200000 /* PHY PM enable */ + #define 
E1000_CTRL_SDP0_DIR 0x00400000 /* SDP0 Data direction */ + #define E1000_CTRL_SDP1_DIR 0x00800000 /* SDP1 Data direction */ + #define E1000_CTRL_RST 0x04000000 /* Global reset */ +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index ffaa6e031632..aa39a068858e 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -8754,9 +8754,7 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + struct e1000_hw *hw = &adapter->hw; + u32 ctrl, rctl, status; + u32 wufc = runtime ? E1000_WUFC_LNKC : adapter->wol; +-#ifdef CONFIG_PM +- int retval = 0; +-#endif ++ bool wake; + + rtnl_lock(); + netif_device_detach(netdev); +@@ -8769,14 +8767,6 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + igb_clear_interrupt_scheme(adapter); + rtnl_unlock(); + +-#ifdef CONFIG_PM +- if (!runtime) { +- retval = pci_save_state(pdev); +- if (retval) +- return retval; +- } +-#endif +- + status = rd32(E1000_STATUS); + if (status & E1000_STATUS_LU) + wufc &= ~E1000_WUFC_LNKC; +@@ -8793,10 +8783,6 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + } + + ctrl = rd32(E1000_CTRL); +- /* advertise wake from D3Cold */ +- #define E1000_CTRL_ADVD3WUC 0x00100000 +- /* phy power management enable */ +- #define E1000_CTRL_EN_PHY_PWR_MGMT 0x00200000 + ctrl |= E1000_CTRL_ADVD3WUC; + wr32(E1000_CTRL, ctrl); + +@@ -8810,12 +8796,15 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + wr32(E1000_WUFC, 0); + } + +- *enable_wake = wufc || adapter->en_mng_pt; +- if (!*enable_wake) ++ wake = wufc || adapter->en_mng_pt; ++ if (!wake) + igb_power_down_link(adapter); + else + igb_power_up_link(adapter); + ++ if (enable_wake) ++ *enable_wake = wake; ++ + /* Release control of h/w to f/w. If f/w is AMT enabled, this + * would have already happened in close and is redundant. 
+ */ +@@ -8858,22 +8847,7 @@ static void igb_deliver_wake_packet(struct net_device *netdev) + + static int __maybe_unused igb_suspend(struct device *dev) + { +- int retval; +- bool wake; +- struct pci_dev *pdev = to_pci_dev(dev); +- +- retval = __igb_shutdown(pdev, &wake, 0); +- if (retval) +- return retval; +- +- if (wake) { +- pci_prepare_to_sleep(pdev); +- } else { +- pci_wake_from_d3(pdev, false); +- pci_set_power_state(pdev, PCI_D3hot); +- } +- +- return 0; ++ return __igb_shutdown(to_pci_dev(dev), NULL, 0); + } + + static int __maybe_unused igb_resume(struct device *dev) +@@ -8944,22 +8918,7 @@ static int __maybe_unused igb_runtime_idle(struct device *dev) + + static int __maybe_unused igb_runtime_suspend(struct device *dev) + { +- struct pci_dev *pdev = to_pci_dev(dev); +- int retval; +- bool wake; +- +- retval = __igb_shutdown(pdev, &wake, 1); +- if (retval) +- return retval; +- +- if (wake) { +- pci_prepare_to_sleep(pdev); +- } else { +- pci_wake_from_d3(pdev, false); +- pci_set_power_state(pdev, PCI_D3hot); +- } +- +- return 0; ++ return __igb_shutdown(to_pci_dev(dev), NULL, 1); + } + + static int __maybe_unused igb_runtime_resume(struct device *dev) +-- +2.20.1 + diff --git a/queue-4.19/jffs2-fix-use-after-free-on-symlink-traversal.patch b/queue-4.19/jffs2-fix-use-after-free-on-symlink-traversal.patch new file mode 100644 index 00000000000..953b4db41f4 --- /dev/null +++ b/queue-4.19/jffs2-fix-use-after-free-on-symlink-traversal.patch 
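Review bot: `__igb_shutdown()` now accepts a NULL `enable_wake`, and both `igb_suspend()` and `igb_runtime_suspend()` rely on that, but nothing at the `if (enable_wake)` test says the out-parameter is optional or why. A short comment there, such as `/* optional: the suspend callbacks pass NULL and leave the power state to the PCI core */`, would document the contract; which callers still pass a real pointer is not visible in these hunks. The two callbacks also pass `0` and `1` for the `runtime` argument; `false`/`true` would read better if the parameter is a `bool`, whose declaration is outside the hunk.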
@@ -0,0 +1,53 @@ +From 7fc483826275cc7d49a7f28ec7601a893ce3b9d5 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Tue, 26 Mar 2019 01:39:50 +0000 +Subject: jffs2: fix use-after-free on symlink traversal + +[ Upstream commit 4fdcfab5b5537c21891e22e65996d4d0dd8ab4ca ] + +free the symlink body after the same RCU delay we have for freeing the +struct inode itself, so that traversal during RCU pathwalk wouldn't step +into freed memory. + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/jffs2/readinode.c | 5 ----- + fs/jffs2/super.c | 5 ++++- + 2 files changed, 4 insertions(+), 6 deletions(-) + +diff --git a/fs/jffs2/readinode.c b/fs/jffs2/readinode.c +index 389ea53ea487..bccfc40b3a74 100644 +--- a/fs/jffs2/readinode.c ++++ b/fs/jffs2/readinode.c +@@ -1414,11 +1414,6 @@ void jffs2_do_clear_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f) + + jffs2_kill_fragtree(&f->fragtree, deleted?c:NULL); + +- if (f->target) { +- kfree(f->target); +- f->target = NULL; +- } +- + fds = f->dents; + while(fds) { + fd = fds; +diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c +index bb6ae387469f..05d892c79339 100644 +--- a/fs/jffs2/super.c ++++ b/fs/jffs2/super.c +@@ -47,7 +47,10 @@ static struct inode *jffs2_alloc_inode(struct super_block *sb) + static void jffs2_i_callback(struct rcu_head *head) + { + struct inode *inode = container_of(head, struct inode, i_rcu); +- kmem_cache_free(jffs2_inode_cachep, JFFS2_INODE_INFO(inode)); ++ struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode); ++ ++ kfree(f->target); ++ kmem_cache_free(jffs2_inode_cachep, f); + } + + static void jffs2_destroy_inode(struct inode *inode) +-- +2.20.1 + diff --git a/queue-4.19/kmemleak-powerpc-skip-scanning-holes-in-the-.bss-sec.patch b/queue-4.19/kmemleak-powerpc-skip-scanning-holes-in-the-.bss-sec.patch new file mode 100644 index 00000000000..963b9f969a3 --- /dev/null +++ b/queue-4.19/kmemleak-powerpc-skip-scanning-holes-in-the-.bss-sec.patch 
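Review bot: `jffs2_i_callback()` frees `f->target` and then returns `f` to `jffs2_inode_cachep` without clearing the pointer, whereas the code removed from `jffs2_do_clear_inode()` set `f->target = NULL` after the `kfree()`. That is safe only if every allocation path resets `target` before use, which is not visible in this hunk and is worth confirming, since a stale pointer in a recycled object would be freed a second time. A comment on the new line would record the reason for the placement: `/* freed here, after the RCU grace period, so RCU pathwalk cannot read a freed symlink body */`.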
@@ -0,0 +1,106 @@ +From d71d0488eae38c934e088631e1b57ea8a6a11634 Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Fri, 5 Apr 2019 18:38:49 -0700 +Subject: kmemleak: powerpc: skip scanning holes in the .bss section + +[ Upstream commit 298a32b132087550d3fa80641ca58323c5dfd4d9 ] + +Commit 2d4f567103ff ("KVM: PPC: Introduce kvm_tmp framework") adds +kvm_tmp[] into the .bss section and then free the rest of unused spaces +back to the page allocator. + +kernel_init + kvm_guest_init + kvm_free_tmp + free_reserved_area + free_unref_page + free_unref_page_prepare + +With DEBUG_PAGEALLOC=y, it will unmap those pages from kernel. As the +result, kmemleak scan will trigger a panic when it scans the .bss +section with unmapped pages. + +This patch creates dedicated kmemleak objects for the .data, .bss and +potentially .data..ro_after_init sections to allow partial freeing via +the kmemleak_free_part() in the powerpc kvm_free_tmp() function. + +Link: http://lkml.kernel.org/r/20190321171917.62049-1-catalin.marinas@arm.com +Signed-off-by: Catalin Marinas +Reported-by: Qian Cai +Acked-by: Michael Ellerman (powerpc) +Tested-by: Qian Cai +Cc: Paul Mackerras +Cc: Benjamin Herrenschmidt +Cc: Avi Kivity +Cc: Paolo Bonzini +Cc: Radim Krcmar +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/kvm.c | 7 +++++++ + mm/kmemleak.c | 16 +++++++++++----- + 2 files changed, 18 insertions(+), 5 deletions(-) + +diff --git a/arch/powerpc/kernel/kvm.c b/arch/powerpc/kernel/kvm.c +index 683b5b3805bd..cd381e2291df 100644 +--- a/arch/powerpc/kernel/kvm.c ++++ b/arch/powerpc/kernel/kvm.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -712,6 +713,12 @@ static void kvm_use_magic_page(void) + + static __init void kvm_free_tmp(void) + { ++ /* ++ * Inform kmemleak about the hole in the .bss section since the ++ * corresponding pages will be unmapped with DEBUG_PAGEALLOC=y. 
++ */ ++ kmemleak_free_part(&kvm_tmp[kvm_tmp_index], ++ ARRAY_SIZE(kvm_tmp) - kvm_tmp_index); + free_reserved_area(&kvm_tmp[kvm_tmp_index], + &kvm_tmp[ARRAY_SIZE(kvm_tmp)], -1, NULL); + } +diff --git a/mm/kmemleak.c b/mm/kmemleak.c +index 17dd883198ae..5912a26e041c 100644 +--- a/mm/kmemleak.c ++++ b/mm/kmemleak.c +@@ -1501,11 +1501,6 @@ static void kmemleak_scan(void) + } + rcu_read_unlock(); + +- /* data/bss scanning */ +- scan_large_block(_sdata, _edata); +- scan_large_block(__bss_start, __bss_stop); +- scan_large_block(__start_ro_after_init, __end_ro_after_init); +- + #ifdef CONFIG_SMP + /* per-cpu sections scanning */ + for_each_possible_cpu(i) +@@ -2036,6 +2031,17 @@ void __init kmemleak_init(void) + } + local_irq_restore(flags); + ++ /* register the data/bss sections */ ++ create_object((unsigned long)_sdata, _edata - _sdata, ++ KMEMLEAK_GREY, GFP_ATOMIC); ++ create_object((unsigned long)__bss_start, __bss_stop - __bss_start, ++ KMEMLEAK_GREY, GFP_ATOMIC); ++ /* only register .data..ro_after_init if not within .data */ ++ if (__start_ro_after_init < _sdata || __end_ro_after_init > _edata) ++ create_object((unsigned long)__start_ro_after_init, ++ __end_ro_after_init - __start_ro_after_init, ++ KMEMLEAK_GREY, GFP_ATOMIC); ++ + /* + * This is the point where tracking allocations is safe. Automatic + * scanning is started during the late initcall. Add the early logged +-- +2.20.1 + diff --git a/queue-4.19/kvm-svm-prevent-dbg_decrypt-and-dbg_encrypt-overflow.patch b/queue-4.19/kvm-svm-prevent-dbg_decrypt-and-dbg_encrypt-overflow.patch new file mode 100644 index 00000000000..5ffad669a60 --- /dev/null +++ b/queue-4.19/kvm-svm-prevent-dbg_decrypt-and-dbg_encrypt-overflow.patch 
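Review bot: In `kvm_free_tmp()` the size handed to `kmemleak_free_part()` is `ARRAY_SIZE(kvm_tmp) - kvm_tmp_index`, an element count, where the call needs the amount of memory to stop scanning. The two agree only if `kvm_tmp` has one-byte elements and `kvm_tmp_index` counts bytes; neither declaration is visible in the hunk. If that holds, a comment such as `/* kvm_tmp is a byte array, so the element count is the size in bytes */` would make the assumption explicit. In `kmemleak_init()` the `.data..ro_after_init` test also registers a separate object when the section only partly overlaps `.data`; whether that layout can occur is not shown here.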
@@ -0,0 +1,61 @@
+From d7e350ae47260055b1d886d2b7337b2abb4d18b5 Mon Sep 17 00:00:00 2001
+From: David Rientjes
+Date: Mon, 25 Mar 2019 11:47:31 -0700
+Subject: KVM: SVM: prevent DBG_DECRYPT and DBG_ENCRYPT overflow
+
+[ Upstream commit b86bc2858b389255cd44555ce4b1e427b2b770c0 ]
+
+This ensures that the address and length provided to DBG_DECRYPT and
+DBG_ENCRYPT do not cause an overflow.
+
+At the same time, pass the actual number of pages pinned in memory to
+sev_unpin_memory() as a cleanup.
+
+Reported-by: Cfir Cohen
+Signed-off-by: David Rientjes
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/svm.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index 813cb60eb401..8dd9208ae4de 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -6789,7 +6789,8 @@ static int sev_dbg_crypt(struct kvm *kvm, struct kvm_sev_cmd *argp, bool dec)
+ struct page **src_p, **dst_p;
+ struct kvm_sev_dbg debug;
+ unsigned long n;
+- int ret, size;
++ unsigned int size;
++ int ret;
+
+ if (!sev_guest(kvm))
+ return -ENOTTY;
+@@ -6797,6 +6798,11 @@ static int sev_dbg_crypt(struct kvm *kvm, struct kvm_sev_cmd *argp, bool dec)
+ if (copy_from_user(&debug, (void __user *)(uintptr_t)argp->data, sizeof(debug)))
+ return -EFAULT;
+
++ if (!debug.len || debug.src_uaddr + debug.len < debug.src_uaddr)
++ return -EINVAL;
++ if (!debug.dst_uaddr)
++ return -EINVAL;
++
+ vaddr = debug.src_uaddr;
+ size = debug.len;
+ vaddr_end = vaddr + size;
+@@ -6847,8 +6853,8 @@ static int sev_dbg_crypt(struct kvm *kvm, struct kvm_sev_cmd *argp, bool dec)
+ dst_vaddr,
+ len, &argp->error);
+
+- sev_unpin_memory(kvm, src_p, 1);
+- sev_unpin_memory(kvm, dst_p, 1);
++ sev_unpin_memory(kvm, src_p, n);
++ sev_unpin_memory(kvm, dst_p, n);
+
+ if (ret)
+ goto err;
+--
+2.20.1
+
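Review bot: The added range check in `sev_dbg_crypt()` rejects a wrapping `debug.src_uaddr + debug.len` but tests `debug.dst_uaddr` only for zero, so a destination range that wraps is not rejected at this point. Unless the pinning helper called later (outside the hunk) validates it, the destination deserves the same test: `if (!debug.dst_uaddr || debug.dst_uaddr + debug.len < debug.dst_uaddr) return -EINVAL;`. In the last hunk both `sev_unpin_memory()` calls pass the same `n`; if the source and destination pin calls each write `n`, the source unpin uses the destination's count, which is worth confirming against the lines between the hunks.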
diff --git a/queue-4.19/libcxgb-fix-incorrect-ppmax-calculation.patch b/queue-4.19/libcxgb-fix-incorrect-ppmax-calculation.patch
new file mode 100644
index 00000000000..aff123b7f66
--- /dev/null
+++ b/queue-4.19/libcxgb-fix-incorrect-ppmax-calculation.patch
@@ -0,0 +1,51 @@
+From bea6c444c98ff030a8ad771c4a39bb8acf7869f6 Mon Sep 17 00:00:00 2001
+From: Varun Prakash
+Date: Wed, 3 Apr 2019 17:30:14 +0530
+Subject: libcxgb: fix incorrect ppmax calculation
+
+[ Upstream commit cc5a726c79158bd307150e8d4176ec79b52001ea ]
+
+BITS_TO_LONGS() uses DIV_ROUND_UP() because of
+this ppmax value can be greater than available
+per cpu page pods.
+
+This patch removes BITS_TO_LONGS() to fix this
+issue.
+
+Signed-off-by: Varun Prakash
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c b/drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c
+index 74849be5f004..e2919005ead3 100644
+--- a/drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c
++++ b/drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c
+@@ -354,7 +354,10 @@ static struct cxgbi_ppm_pool *ppm_alloc_cpu_pool(unsigned int *total,
+ ppmax = max;
+
+ /* pool size must be multiple of unsigned long */
+- bmap = BITS_TO_LONGS(ppmax);
++ bmap = ppmax / BITS_PER_TYPE(unsigned long);
++ if (!bmap)
++ return NULL;
++
+ ppmax = (bmap * sizeof(unsigned long)) << 3;
+
+ alloc_sz = sizeof(*pools) + sizeof(unsigned long) * bmap;
+@@ -402,6 +405,10 @@ int cxgbi_ppm_init(void **ppm_pp, struct net_device *ndev,
+ if (reserve_factor) {
+ ppmax_pool = ppmax / reserve_factor;
+ pool = ppm_alloc_cpu_pool(&ppmax_pool, &pool_index_max);
++ if (!pool) {
++ ppmax_pool = 0;
++ reserve_factor = 0;
++ }
+
+ pr_debug("%s: ppmax %u, cpu total %u, per cpu %u.\n",
+ ndev->name, ppmax, ppmax_pool, pool_index_max);
+--
+2.20.1
+
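Review bot: In `ppm_alloc_cpu_pool()` the word count is now derived with `BITS_PER_TYPE(unsigned long)` but converted back to bits two lines later with `(bmap * sizeof(unsigned long)) << 3`, so the two halves of the round-down spell the same constant differently. Writing the second as `ppmax = bmap * BITS_PER_TYPE(unsigned long);` makes it obvious that the pair rounds `ppmax` down to a whole number of longs. In `cxgbi_ppm_init()` the `pr_debug()` after the new `if (!pool)` block still prints `pool_index_max`; whether that variable is initialised when the allocation fails is not visible in the hunk.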
diff --git a/queue-4.19/mfd-twl-core-disable-irq-while-suspended.patch b/queue-4.19/mfd-twl-core-disable-irq-while-suspended.patch new file mode 100644 index 00000000000..4eb35f01205 --- /dev/null +++ b/queue-4.19/mfd-twl-core-disable-irq-while-suspended.patch 
@@ -0,0 +1,80 @@ +From 65c11e23df47f4f4587eab4c04191bb808a55119 Mon Sep 17 00:00:00 2001 +From: Andreas Kemnade +Date: Sat, 23 Feb 2019 12:47:54 +0100 +Subject: mfd: twl-core: Disable IRQ while suspended + +[ Upstream commit 20bb907f7dc82ecc9e135ad7067ac7eb69c81222 ] + +Since commit 6e2bd956936 ("i2c: omap: Use noirq system sleep pm ops to idle device for suspend") +on gta04 we have handle_twl4030_pih() called in situations where pm_runtime_get() +in i2c-omap.c returns -EACCES. + +[ 86.474365] Freezing remaining freezable tasks ... (elapsed 0.002 seconds) done. +[ 86.485473] printk: Suspending console(s) (use no_console_suspend to debug) +[ 86.555572] Disabling non-boot CPUs ... +[ 86.555664] Successfully put all powerdomains to target state +[ 86.563720] twl: Read failed (mod 1, reg 0x01 count 1) +[ 86.563751] twl4030: I2C error -13 reading PIH ISR +[ 86.563812] twl: Read failed (mod 1, reg 0x01 count 1) +[ 86.563812] twl4030: I2C error -13 reading PIH ISR +[ 86.563873] twl: Read failed (mod 1, reg 0x01 count 1) +[ 86.563903] twl4030: I2C error -13 reading PIH ISR + +This happens when we wakeup via something behing twl4030 (powerbutton or rtc +alarm). This goes on for minutes until the system is finally resumed. +Disable the irq on suspend and enable it on resume to avoid +having i2c access problems when the irq registers are checked. 
+ +Fixes: 6e2bd956936 ("i2c: omap: Use noirq system sleep pm ops to idle device for suspend") +Signed-off-by: Andreas Kemnade +Tested-by: Tony Lindgren +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/twl-core.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/drivers/mfd/twl-core.c b/drivers/mfd/twl-core.c +index 299016bc46d9..104477b512a2 100644 +--- a/drivers/mfd/twl-core.c ++++ b/drivers/mfd/twl-core.c +@@ -1245,6 +1245,28 @@ twl_probe(struct i2c_client *client, const struct i2c_device_id *id) + return status; + } + ++static int __maybe_unused twl_suspend(struct device *dev) ++{ ++ struct i2c_client *client = to_i2c_client(dev); ++ ++ if (client->irq) ++ disable_irq(client->irq); ++ ++ return 0; ++} ++ ++static int __maybe_unused twl_resume(struct device *dev) ++{ ++ struct i2c_client *client = to_i2c_client(dev); ++ ++ if (client->irq) ++ enable_irq(client->irq); ++ ++ return 0; ++} ++ ++static SIMPLE_DEV_PM_OPS(twl_dev_pm_ops, twl_suspend, twl_resume); ++ + static const struct i2c_device_id twl_ids[] = { + { "twl4030", TWL4030_VAUX2 }, /* "Triton 2" */ + { "twl5030", 0 }, /* T2 updated */ +@@ -1262,6 +1284,7 @@ static const struct i2c_device_id twl_ids[] = { + /* One Client Driver , 4 Clients */ + static struct i2c_driver twl_driver = { + .driver.name = DRIVER_NAME, ++ .driver.pm = &twl_dev_pm_ops, + .id_table = twl_ids, + .probe = twl_probe, + .remove = twl_remove, +-- +2.20.1 + diff --git a/queue-4.19/net-hns-fix-icmp6-neighbor-solicitation-messages-dis.patch b/queue-4.19/net-hns-fix-icmp6-neighbor-solicitation-messages-dis.patch new file mode 100644 index 00000000000..7719cd83b9a --- /dev/null +++ b/queue-4.19/net-hns-fix-icmp6-neighbor-solicitation-messages-dis.patch 
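Review bot: `twl_suspend()` and `twl_resume()` carry no comment explaining why the interrupt is disabled across suspend; the reason (the handler's I2C reads fail with -EACCES while the bus is suspended) is only in the commit message. A comment in `twl_suspend()` such as `/* the PIH handler needs I2C, which is unavailable until resume; keep the IRQ off so it does not loop on failed reads */` would keep that with the code. The commit message says wake-up comes from devices behind this interrupt, and nothing in the hunk configures wake-up, so it is worth confirming that a disabled line still wakes the system on the affected boards.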
@@ -0,0 +1,87 @@ +From b4ca2dc707f52e5d687ce910c725bb49384b3407 Mon Sep 17 00:00:00 2001 +From: Yonglong Liu +Date: Thu, 4 Apr 2019 16:46:45 +0800 +Subject: net: hns: fix ICMP6 neighbor solicitation messages discard problem + +[ Upstream commit f058e46855dcbc28edb2ed4736f38a71fd19cadb ] + +ICMP6 neighbor solicitation messages will be discard by the Hip06 +chips, because of not setting forwarding pool. Enable promisc mode +has the same problem. + +This patch fix the wrong forwarding table configs for the multicast +vague matching when enable promisc mode, and add forwarding pool +for the forwarding table. + +Signed-off-by: Yonglong Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/hisilicon/hns/hns_dsaf_main.c | 33 +++++++++++++++---- + 1 file changed, 27 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c +index b8155f5e71b4..fdff5526d2e8 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c +@@ -2750,6 +2750,17 @@ int hns_dsaf_get_regs_count(void) + return DSAF_DUMP_REGS_NUM; + } + ++static int hns_dsaf_get_port_id(u8 port) ++{ ++ if (port < DSAF_SERVICE_NW_NUM) ++ return port; ++ ++ if (port >= DSAF_BASE_INNER_PORT_NUM) ++ return port - DSAF_BASE_INNER_PORT_NUM + DSAF_SERVICE_NW_NUM; ++ ++ return -EINVAL; ++} ++ + static void set_promisc_tcam_enable(struct dsaf_device *dsaf_dev, u32 port) + { + struct dsaf_tbl_tcam_ucast_cfg tbl_tcam_ucast = {0, 1, 0, 0, 0x80}; +@@ -2815,23 +2826,33 @@ static void set_promisc_tcam_enable(struct dsaf_device *dsaf_dev, u32 port) + memset(&temp_key, 0x0, sizeof(temp_key)); + mask_entry.addr[0] = 0x01; + hns_dsaf_set_mac_key(dsaf_dev, &mask_key, mask_entry.in_vlan_id, +- port, mask_entry.addr); ++ 0xf, mask_entry.addr); + tbl_tcam_mcast.tbl_mcast_item_vld = 1; + tbl_tcam_mcast.tbl_mcast_old_en = 0; + +- if (port < DSAF_SERVICE_NW_NUM) { 
+- mskid = port; +- } else if (port >= DSAF_BASE_INNER_PORT_NUM) { +- mskid = port - DSAF_BASE_INNER_PORT_NUM + DSAF_SERVICE_NW_NUM; +- } else { ++ /* set MAC port to handle multicast */ ++ mskid = hns_dsaf_get_port_id(port); ++ if (mskid == -EINVAL) { + dev_err(dsaf_dev->dev, "%s,pnum(%d)error,key(%#x:%#x)\n", + dsaf_dev->ae_dev.name, port, + mask_key.high.val, mask_key.low.val); + return; + } ++ dsaf_set_bit(tbl_tcam_mcast.tbl_mcast_port_msk[mskid / 32], ++ mskid % 32, 1); + ++ /* set pool bit map to handle multicast */ ++ mskid = hns_dsaf_get_port_id(port_num); ++ if (mskid == -EINVAL) { ++ dev_err(dsaf_dev->dev, ++ "%s, pool bit map pnum(%d)error,key(%#x:%#x)\n", ++ dsaf_dev->ae_dev.name, port_num, ++ mask_key.high.val, mask_key.low.val); ++ return; ++ } + dsaf_set_bit(tbl_tcam_mcast.tbl_mcast_port_msk[mskid / 32], + mskid % 32, 1); ++ + memcpy(&temp_key, &mask_key, sizeof(mask_key)); + hns_dsaf_tcam_mc_cfg_vague(dsaf_dev, entry_index, &tbl_tcam_data_mc, + (struct dsaf_tbl_tcam_data *)(&mask_key), +-- +2.20.1 + diff --git a/queue-4.19/net-hns-fix-kasan-use-after-free-in-hns_nic_net_xmit.patch b/queue-4.19/net-hns-fix-kasan-use-after-free-in-hns_nic_net_xmit.patch new file mode 100644 index 00000000000..42858f115c5 --- /dev/null +++ b/queue-4.19/net-hns-fix-kasan-use-after-free-in-hns_nic_net_xmit.patch 
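Review bot: `hns_dsaf_get_port_id()` takes `u8 port`, but `set_promisc_tcam_enable()` receives `u32 port` and passes it straight in, so the value is truncated to eight bits before the range checks run and an out-of-range port can alias a valid one. Declaring the helper as `static int hns_dsaf_get_port_id(u32 port)` keeps the check on the full value. The callers compare the result with `mskid == -EINVAL`; `if (mskid < 0)` is the usual form, and either test depends on `mskid` being a signed type, whose declaration is outside the hunk. `port_num`, used for the pool bit, is likewise defined outside the visible lines.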
@@ -0,0 +1,54 @@ +From b746f937067fdd7462ce765fbf1853c0c7609670 Mon Sep 17 00:00:00 2001 +From: Liubin Shu +Date: Thu, 4 Apr 2019 16:46:42 +0800 +Subject: net: hns: fix KASAN: use-after-free in hns_nic_net_xmit_hw() + +[ Upstream commit 3a39a12ad364a9acd1038ba8da67cd8430f30de4 ] + +This patch is trying to fix the issue due to: +[27237.844750] BUG: KASAN: use-after-free in hns_nic_net_xmit_hw+0x708/0xa18[hns_enet_drv] + +After hnae_queue_xmit() in hns_nic_net_xmit_hw(), can be +interrupted by interruptions, and than call hns_nic_tx_poll_one() +to handle the new packets, and free the skb. So, when turn back to +hns_nic_net_xmit_hw(), calling skb->len will cause use-after-free. + +This patch update tx ring statistics in hns_nic_tx_poll_one() to +fix the bug. + +Signed-off-by: Liubin Shu +Signed-off-by: Zhen Lei +Signed-off-by: Yonglong Liu +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns/hns_enet.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +index cc84133c184d..3a6e5cc76c5b 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +@@ -376,8 +376,6 @@ netdev_tx_t hns_nic_net_xmit_hw(struct net_device *ndev, + wmb(); /* commit all data before submit */ + assert(skb->queue_mapping < priv->ae_handle->q_num); + hnae_queue_xmit(priv->ae_handle->qs[skb->queue_mapping], buf_num); +- ring->stats.tx_pkts++; +- ring->stats.tx_bytes += skb->len; + + return NETDEV_TX_OK; + +@@ -999,6 +997,9 @@ static int hns_nic_tx_poll_one(struct hns_nic_ring_data *ring_data, + /* issue prefetch for next Tx descriptor */ + prefetch(&ring->desc_cb[ring->next_to_clean]); + } ++ /* update tx ring statistics. */ ++ ring->stats.tx_pkts += pkts; ++ ring->stats.tx_bytes += bytes; + + NETIF_TX_UNLOCK(ring); + +-- +2.20.1 + 
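Review bot: Nothing at the `hnae_queue_xmit()` call in `hns_nic_net_xmit_hw()` tells a reader that `skb` may already have been freed by `hns_nic_tx_poll_one()` when the call returns, which is the condition the removed `skb->len` read ran into. A comment right after the call, e.g. `/* skb may be freed by the TX completion path from here on; do not dereference it */`, would keep a later statistics or tracing addition from reintroducing the use-after-free. In `hns_nic_tx_poll_one()` the counters are updated from `pkts` and `bytes`, which are declared outside the hunk; the added lines sit before `NETIF_TX_UNLOCK(ring)`.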
diff --git a/queue-4.19/net-hns-fix-probabilistic-memory-overwrite-when-hns-.patch b/queue-4.19/net-hns-fix-probabilistic-memory-overwrite-when-hns-.patch new file mode 100644 index 00000000000..8c7056592b1 --- /dev/null +++ b/queue-4.19/net-hns-fix-probabilistic-memory-overwrite-when-hns-.patch 
@@ -0,0 +1,93 @@ +From 25eecc2b4f662312802a8725ad44af70a8fe7352 Mon Sep 17 00:00:00 2001 +From: Yonglong Liu +Date: Thu, 4 Apr 2019 16:46:44 +0800 +Subject: net: hns: Fix probabilistic memory overwrite when HNS driver + initialized + +[ Upstream commit c0b0984426814f3a9251873b689e67d34d8ccd84 ] + +When reboot the system again and again, may cause a memory +overwrite. + +[ 15.638922] systemd[1]: Reached target Swap. +[ 15.667561] tun: Universal TUN/TAP device driver, 1.6 +[ 15.676756] Bridge firewalling registered +[ 17.344135] Unable to handle kernel paging request at virtual address 0000000200000040 +[ 17.352179] Mem abort info: +[ 17.355007] ESR = 0x96000004 +[ 17.358105] Exception class = DABT (current EL), IL = 32 bits +[ 17.364112] SET = 0, FnV = 0 +[ 17.367209] EA = 0, S1PTW = 0 +[ 17.370393] Data abort info: +[ 17.373315] ISV = 0, ISS = 0x00000004 +[ 17.377206] CM = 0, WnR = 0 +[ 17.380214] user pgtable: 4k pages, 48-bit VAs, pgdp = (____ptrval____) +[ 17.386926] [0000000200000040] pgd=0000000000000000 +[ 17.391878] Internal error: Oops: 96000004 [#1] SMP +[ 17.396824] CPU: 23 PID: 95 Comm: kworker/u130:0 Tainted: G E 4.19.25-1.2.78.aarch64 #1 +[ 17.414175] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.54 08/16/2018 +[ 17.425615] Workqueue: events_unbound async_run_entry_fn +[ 17.435151] pstate: 00000005 (nzcv daif -PAN -UAO) +[ 17.444139] pc : __mutex_lock.isra.1+0x74/0x540 +[ 17.453002] lr : __mutex_lock.isra.1+0x3c/0x540 +[ 17.461701] sp : ffff000100d9bb60 +[ 17.469146] x29: ffff000100d9bb60 x28: 0000000000000000 +[ 17.478547] x27: 0000000000000000 x26: ffff802fb8945000 +[ 17.488063] x25: 0000000000000000 x24: ffff802fa32081a8 +[ 17.497381] x23: 0000000000000002 x22: ffff801fa2b15220 +[ 17.506701] x21: ffff000009809000 x20: ffff802fa23a0888 +[ 17.515980] x19: ffff801fa2b15220 x18: 0000000000000000 +[ 17.525272] x17: 0000000200000000 x16: 0000000200000000 +[ 17.534511] x15: 0000000000000000 x14: 0000000000000000 +[ 17.543652] x13: ffff000008d95db8 
x12: 000000000000000d +[ 17.552780] x11: ffff000008d95d90 x10: 0000000000000b00 +[ 17.561819] x9 : ffff000100d9bb90 x8 : ffff802fb89d6560 +[ 17.570829] x7 : 0000000000000004 x6 : 00000004a1801d05 +[ 17.579839] x5 : 0000000000000000 x4 : 0000000000000000 +[ 17.588852] x3 : ffff802fb89d5a00 x2 : 0000000000000000 +[ 17.597734] x1 : 0000000200000000 x0 : 0000000200000000 +[ 17.606631] Process kworker/u130:0 (pid: 95, stack limit = 0x(____ptrval____)) +[ 17.617438] Call trace: +[ 17.623349] __mutex_lock.isra.1+0x74/0x540 +[ 17.630927] __mutex_lock_slowpath+0x24/0x30 +[ 17.638602] mutex_lock+0x50/0x60 +[ 17.645295] drain_workqueue+0x34/0x198 +[ 17.652623] __sas_drain_work+0x7c/0x168 +[ 17.659903] sas_drain_work+0x60/0x68 +[ 17.666947] hisi_sas_scan_finished+0x30/0x40 [hisi_sas_main] +[ 17.676129] do_scsi_scan_host+0x70/0xb0 +[ 17.683534] do_scan_async+0x20/0x228 +[ 17.690586] async_run_entry_fn+0x4c/0x1d0 +[ 17.697997] process_one_work+0x1b4/0x3f8 +[ 17.705296] worker_thread+0x54/0x470 + +Every time the call trace is not the same, but the overwrite address +is always the same: +Unable to handle kernel paging request at virtual address 0000000200000040 + +The root cause is, when write the reg XGMAC_MAC_TX_LF_RF_CONTROL_REG, +didn't use the io_base offset. + +Signed-off-by: Yonglong Liu +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c +index ba4316910dea..a60f207768fc 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c +@@ -129,7 +129,7 @@ static void hns_xgmac_lf_rf_control_init(struct mac_driver *mac_drv) + dsaf_set_bit(val, XGMAC_UNIDIR_EN_B, 0); + dsaf_set_bit(val, XGMAC_RF_TX_EN_B, 1); + dsaf_set_field(val, XGMAC_LF_RF_INSERT_M, XGMAC_LF_RF_INSERT_S, 0); +- dsaf_write_reg(mac_drv, XGMAC_MAC_TX_LF_RF_CONTROL_REG, val); ++ dsaf_write_dev(mac_drv, XGMAC_MAC_TX_LF_RF_CONTROL_REG, val); + } + + /** +-- +2.20.1 + diff --git a/queue-4.19/net-hns-fix-warning-when-remove-hns-driver-with-smmu.patch b/queue-4.19/net-hns-fix-warning-when-remove-hns-driver-with-smmu.patch new file mode 100644 index 00000000000..20f04e5dc29 --- /dev/null +++ b/queue-4.19/net-hns-fix-warning-when-remove-hns-driver-with-smmu.patch 
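Review bot: The call fixed in `hns_xgmac_lf_rf_control_init()` compiled cleanly while passing `mac_drv` where a register base was expected, so the same slip can sit at other `dsaf_write_reg()` call sites without any warning. The helper's definition is not visible here, but the commit message says the io_base offset was not applied, so it is worth searching the driver for other calls that pass a driver struct rather than an I/O base. A comment on the fixed line, `/* mac_drv is not an I/O base: the _dev helper applies io_base */`, would record why the variant matters.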
@@ -0,0 +1,101 @@ +From e7812ef3a13a4c1d1d20c8f345a863c8e309c715 Mon Sep 17 00:00:00 2001 +From: Yonglong Liu +Date: Thu, 4 Apr 2019 16:46:46 +0800 +Subject: net: hns: Fix WARNING when remove HNS driver with SMMU enabled + +[ Upstream commit 8601a99d7c0256b7a7fdd1ab14cf6c1f1dfcadc6 ] + +When enable SMMU, remove HNS driver will cause a WARNING: + +[ 141.924177] WARNING: CPU: 36 PID: 2708 at drivers/iommu/dma-iommu.c:443 __iommu_dma_unmap+0xc0/0xc8 +[ 141.954673] Modules linked in: hns_enet_drv(-) +[ 141.963615] CPU: 36 PID: 2708 Comm: rmmod Tainted: G W 5.0.0-rc1-28723-gb729c57de95c-dirty #32 +[ 141.983593] Hardware name: Huawei D05/D05, BIOS Hisilicon D05 UEFI Nemo 1.8 RC0 08/31/2017 +[ 142.000244] pstate: 60000005 (nZCv daif -PAN -UAO) +[ 142.009886] pc : __iommu_dma_unmap+0xc0/0xc8 +[ 142.018476] lr : __iommu_dma_unmap+0xc0/0xc8 +[ 142.027066] sp : ffff000013533b90 +[ 142.033728] x29: ffff000013533b90 x28: ffff8013e6983600 +[ 142.044420] x27: 0000000000000000 x26: 0000000000000000 +[ 142.055113] x25: 0000000056000000 x24: 0000000000000015 +[ 142.065806] x23: 0000000000000028 x22: ffff8013e66eee68 +[ 142.076499] x21: ffff8013db919800 x20: 0000ffffefbff000 +[ 142.087192] x19: 0000000000001000 x18: 0000000000000007 +[ 142.097885] x17: 000000000000000e x16: 0000000000000001 +[ 142.108578] x15: 0000000000000019 x14: 363139343a70616d +[ 142.119270] x13: 6e75656761705f67 x12: 0000000000000000 +[ 142.129963] x11: 00000000ffffffff x10: 0000000000000006 +[ 142.140656] x9 : 1346c1aa88093500 x8 : ffff0000114de4e0 +[ 142.151349] x7 : 6662666578303d72 x6 : ffff0000105ffec8 +[ 142.162042] x5 : 0000000000000000 x4 : 0000000000000000 +[ 142.172734] x3 : 00000000ffffffff x2 : ffff0000114de500 +[ 142.183427] x1 : 0000000000000000 x0 : 0000000000000035 +[ 142.194120] Call trace: +[ 142.199030] __iommu_dma_unmap+0xc0/0xc8 +[ 142.206920] iommu_dma_unmap_page+0x20/0x28 +[ 142.215335] __iommu_unmap_page+0x40/0x60 +[ 142.223399] hnae_unmap_buffer+0x110/0x134 +[ 142.231639] 
hnae_free_desc+0x6c/0x10c +[ 142.239177] hnae_fini_ring+0x14/0x34 +[ 142.246540] hnae_fini_queue+0x2c/0x40 +[ 142.254080] hnae_put_handle+0x38/0xcc +[ 142.261619] hns_nic_dev_remove+0x54/0xfc [hns_enet_drv] +[ 142.272312] platform_drv_remove+0x24/0x64 +[ 142.280552] device_release_driver_internal+0x17c/0x20c +[ 142.291070] driver_detach+0x4c/0x90 +[ 142.298259] bus_remove_driver+0x5c/0xd8 +[ 142.306148] driver_unregister+0x2c/0x54 +[ 142.314037] platform_driver_unregister+0x10/0x18 +[ 142.323505] hns_nic_dev_driver_exit+0x14/0xf0c [hns_enet_drv] +[ 142.335248] __arm64_sys_delete_module+0x214/0x25c +[ 142.344891] el0_svc_common+0xb0/0x10c +[ 142.352430] el0_svc_handler+0x24/0x80 +[ 142.359968] el0_svc+0x8/0x7c0 +[ 142.366104] ---[ end trace 60ad1cd58e63c407 ]--- + +The tx ring buffer map when xmit and unmap when xmit done. So in +hnae_init_ring() did not map tx ring buffer, but in hnae_fini_ring() +have a unmap operation for tx ring buffer, which is already unmapped +when xmit done, than cause this WARNING. + +The hnae_alloc_buffers() is called in hnae_init_ring(), +so the hnae_free_buffers() should be in hnae_fini_ring(), not in +hnae_free_desc(). + +In hnae_fini_ring(), adds a check is_rx_ring() as in hnae_init_ring(). +When the ring buffer is tx ring, adds a piece of code to ensure that +the tx ring is unmap. + +Signed-off-by: Yonglong Liu +Signed-off-by: Peng Li +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns/hnae.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns/hnae.c b/drivers/net/ethernet/hisilicon/hns/hnae.c +index 79d03f8ee7b1..c7fa97a7e1f4 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hnae.c ++++ b/drivers/net/ethernet/hisilicon/hns/hnae.c +@@ -150,7 +150,6 @@ static int hnae_alloc_buffers(struct hnae_ring *ring) + /* free desc along with its attached buffer */ + static void hnae_free_desc(struct hnae_ring *ring) + { +- hnae_free_buffers(ring); + dma_unmap_single(ring_to_dev(ring), ring->desc_dma_addr, + ring->desc_num * sizeof(ring->desc[0]), + ring_to_dma_dir(ring)); +@@ -183,6 +182,9 @@ static int hnae_alloc_desc(struct hnae_ring *ring) + /* fini ring, also free the buffer for the ring */ + static void hnae_fini_ring(struct hnae_ring *ring) + { ++ if (is_rx_ring(ring)) ++ hnae_free_buffers(ring); ++ + hnae_free_desc(ring); + kfree(ring->desc_cb); + ring->desc_cb = NULL; +-- +2.20.1 + diff --git a/queue-4.19/net-hns-use-napi_poll_weight-for-hns-driver.patch b/queue-4.19/net-hns-use-napi_poll_weight-for-hns-driver.patch new file mode 100644 index 00000000000..914b8d9b5bb --- /dev/null +++ b/queue-4.19/net-hns-use-napi_poll_weight-for-hns-driver.patch 
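Review bot: The comment `/* free desc along with its attached buffer */` above hnae_free_desc() is stale after this change, because the function no longer calls hnae_free_buffers(); something like `/* unmap the descriptor ring; attached buffers are freed in hnae_fini_ring() */` would match the new code. The description says code is added to make sure a TX ring is unmapped, but the two hunks only add the `is_rx_ring()` guard in hnae_fini_ring(). TX buffers that are still mapped at removal (frames queued but not yet completed) therefore appear to be left to code outside this patch. That is worth confirming, since with an SMMU enabled a leftover mapping stays reachable by the device. hnae_fini_ring()'s body continues past the hunk.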
@@ -0,0 +1,59 @@ +From 0c4afa7c248842b224bc7d78fdac80db74984780 Mon Sep 17 00:00:00 2001 +From: Yonglong Liu +Date: Thu, 4 Apr 2019 16:46:43 +0800 +Subject: net: hns: Use NAPI_POLL_WEIGHT for hns driver + +[ Upstream commit acb1ce15a61154aa501891d67ebf79bc9ea26818 ] + +When the HNS driver loaded, always have an error print: +"netif_napi_add() called with weight 256" + +This is because the kernel checks the NAPI polling weights +requested by drivers and it prints an error message if a driver +requests a weight bigger than 64. + +So use NAPI_POLL_WEIGHT to fix it. + +Signed-off-by: Yonglong Liu +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns/hns_enet.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +index 3a6e5cc76c5b..1c70f9aa0aa7 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +@@ -29,9 +29,6 @@ + + #define SERVICE_TIMER_HZ (1 * HZ) + +-#define NIC_TX_CLEAN_MAX_NUM 256 +-#define NIC_RX_CLEAN_MAX_NUM 64 +- + #define RCB_IRQ_NOT_INITED 0 + #define RCB_IRQ_INITED 1 + #define HNS_BUFFER_SIZE_2048 2048 +@@ -2151,7 +2148,7 @@ static int hns_nic_init_ring_data(struct hns_nic_priv *priv) + hns_nic_tx_fini_pro_v2; + + netif_napi_add(priv->netdev, &rd->napi, +- hns_nic_common_poll, NIC_TX_CLEAN_MAX_NUM); ++ hns_nic_common_poll, NAPI_POLL_WEIGHT); + rd->ring->irq_init_flag = RCB_IRQ_NOT_INITED; + } + for (i = h->q_num; i < h->q_num * 2; i++) { +@@ -2164,7 +2161,7 @@ static int hns_nic_init_ring_data(struct hns_nic_priv *priv) + hns_nic_rx_fini_pro_v2; + + netif_napi_add(priv->netdev, &rd->napi, +- hns_nic_common_poll, NIC_RX_CLEAN_MAX_NUM); ++ hns_nic_common_poll, NAPI_POLL_WEIGHT); + rd->ring->irq_init_flag = RCB_IRQ_NOT_INITED; + } + +-- +2.20.1 + 
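Review bot: The TX rings in hns_nic_init_ring_data() used to register with a weight of 256 and now get `NAPI_POLL_WEIGHT` like the RX rings, which shrinks the per-poll TX clean budget; the description only talks about silencing the message and does not mention this. A comment at the first `netif_napi_add()` call, e.g. `/* TX and RX both use NAPI_POLL_WEIGHT; the old 256-entry TX budget exceeded the core limit */`, would record that the change is intentional. Both `NIC_TX_CLEAN_MAX_NUM` and `NIC_RX_CLEAN_MAX_NUM` are removed, so any remaining user elsewhere in the file (not visible in these hunks) would no longer build.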
diff --git a/queue-4.19/net-hns3-fix-compile-error.patch b/queue-4.19/net-hns3-fix-compile-error.patch
new file mode 100644
index 00000000000..3dc0584ba9a
--- /dev/null
+++ b/queue-4.19/net-hns3-fix-compile-error.patch
@@ -0,0 +1,56 @@ +From 2e1b0e81a7521005d089f713ea6807cadf4c91d2 Mon Sep 17 00:00:00 2001 +From: Xi Wang +Date: Tue, 26 Mar 2019 14:53:49 +0800 +Subject: net: hns3: fix compile error + +[ Upstream commit 669efc76b317b3aa550ffbf0b79d064cb00a5f96 ] + +Currently, the rules for configuring search paths in Kbuild have +changed, this will lead some erros when compiling hns3 with the +following command: + +make O=DIR M=drivers/net/ethernet/hisilicon/hns3 + +drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c:11:10: +fatal error: hnae3.h: No such file or directory + +This patch fix it by adding $(srctree)/ prefix to the serach paths. + +Signed-off-by: Xi Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/Makefile | 2 +- + drivers/net/ethernet/hisilicon/hns3/hns3vf/Makefile | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/Makefile b/drivers/net/ethernet/hisilicon/hns3/hns3pf/Makefile +index cb8ddd043476..d278fc7ea3ed 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/Makefile ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/Makefile +@@ -3,7 +3,7 @@ + # Makefile for the HISILICON network device drivers. + # + +-ccflags-y := -Idrivers/net/ethernet/hisilicon/hns3 ++ccflags-y := -I $(srctree)/drivers/net/ethernet/hisilicon/hns3 + + obj-$(CONFIG_HNS3_HCLGE) += hclge.o + hclge-objs = hclge_main.o hclge_cmd.o hclge_mdio.o hclge_tm.o hclge_mbx.o +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/Makefile b/drivers/net/ethernet/hisilicon/hns3/hns3vf/Makefile +index fb93bbd35845..6193f8fa7cf3 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/Makefile ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/Makefile +@@ -3,7 +3,7 @@ + # Makefile for the HISILICON network device drivers. 
+ # + +-ccflags-y := -Idrivers/net/ethernet/hisilicon/hns3 ++ccflags-y := -I $(srctree)/drivers/net/ethernet/hisilicon/hns3 + + obj-$(CONFIG_HNS3_HCLGEVF) += hclgevf.o + hclgevf-objs = hclgevf_main.o hclgevf_cmd.o hclgevf_mbx.o +\ No newline at end of file +-- +2.20.1 + diff --git a/queue-4.19/net-mlx5-e-switch-fix-esw-manager-vport-indication-f.patch b/queue-4.19/net-mlx5-e-switch-fix-esw-manager-vport-indication-f.patch new file mode 100644 index 00000000000..1072b87a68a --- /dev/null +++ b/queue-4.19/net-mlx5-e-switch-fix-esw-manager-vport-indication-f.patch 
@@ -0,0 +1,51 @@ +From 847ab7425e39a12395f1dfc50c87cde07642c943 Mon Sep 17 00:00:00 2001 +From: Omri Kahalon +Date: Sun, 24 Feb 2019 16:31:08 +0200 +Subject: net/mlx5: E-Switch, Fix esw manager vport indication for more vport + commands + +[ Upstream commit eca4a928585ac08147e5cc8e2111ecbc6279ee31 ] + +Traditionally, the PF (Physical Function) which resides on vport 0 was +the E-switch manager. Since the ECPF (Embedded CPU Physical Function), +which resides on vport 0xfffe, was introduced as the E-Switch manager, +the assumption that the E-switch manager is on vport 0 is incorrect. + +Since the eswitch code already uses the actual vport value, all we +need is to always set other_vport=1. + +Signed-off-by: Omri Kahalon +Reviewed-by: Max Gurtovoy +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index 26c9f9421901..55ccd90beeb0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -80,8 +80,7 @@ static int arm_vport_context_events_cmd(struct mlx5_core_dev *dev, u16 vport, + opcode, MLX5_CMD_OP_MODIFY_NIC_VPORT_CONTEXT); + MLX5_SET(modify_nic_vport_context_in, in, field_select.change_event, 1); + MLX5_SET(modify_nic_vport_context_in, in, vport_number, vport); +- if (vport) +- MLX5_SET(modify_nic_vport_context_in, in, other_vport, 1); ++ MLX5_SET(modify_nic_vport_context_in, in, other_vport, 1); + nic_vport_ctx = MLX5_ADDR_OF(modify_nic_vport_context_in, + in, nic_vport_context); + +@@ -109,8 +108,7 @@ static int modify_esw_vport_context_cmd(struct mlx5_core_dev *dev, u16 vport, + MLX5_SET(modify_esw_vport_context_in, in, opcode, + MLX5_CMD_OP_MODIFY_ESW_VPORT_CONTEXT); + MLX5_SET(modify_esw_vport_context_in, in, vport_number, vport); +- if (vport) +- 
MLX5_SET(modify_esw_vport_context_in, in, other_vport, 1); ++ MLX5_SET(modify_esw_vport_context_in, in, other_vport, 1); + return mlx5_cmd_exec(dev, in, inlen, out, sizeof(out)); + } + +-- +2.20.1 + diff --git a/queue-4.19/net-stmmac-don-t-log-oversized-frames.patch b/queue-4.19/net-stmmac-don-t-log-oversized-frames.patch new file mode 100644 index 00000000000..5920f21121c --- /dev/null +++ b/queue-4.19/net-stmmac-don-t-log-oversized-frames.patch @@ -0,0 +1,33 @@ +From 5cced69ff76786862cf18b25a91de095cda8043a Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Wed, 27 Mar 2019 22:35:40 +0200 +Subject: net: stmmac: don't log oversized frames + +[ Upstream commit 057a0c5642a2ff2db7c421cdcde34294a23bf37b ] + +This is log is harmful as it can trigger multiple times per packet. Delete +it. + +Signed-off-by: Aaro Koskinen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/norm_desc.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c +index c55a9815b394..b7dd4e3c760d 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c +@@ -91,8 +91,6 @@ static int ndesc_get_rx_status(void *data, struct stmmac_extra_stats *x, + return dma_own; + + if (unlikely(!(rdes0 & RDES0_LAST_DESCRIPTOR))) { +- pr_warn("%s: Oversized frame spanned multiple buffers\n", +- __func__); + stats->rx_length_errors++; + return discard_frame; + } +-- +2.20.1 + diff --git a/queue-4.19/net-stmmac-don-t-overwrite-discard_frame-status.patch b/queue-4.19/net-stmmac-don-t-overwrite-discard_frame-status.patch new file mode 100644 index 00000000000..ec353871227 --- /dev/null +++ b/queue-4.19/net-stmmac-don-t-overwrite-discard_frame-status.patch 
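Review bot: Both arm_vport_context_events_cmd() and modify_esw_vport_context_cmd() now set `other_vport` unconditionally, so a caller that still passes 0 to mean "my own vport" would address vport 0 of the E-Switch instead, and nothing in the hunks states that `vport` must be the real vport number. A comment above each helper would make the contract explicit, e.g. `/* vport is the absolute vport number; other_vport is always set because the E-Switch manager may be the ECPF (0xfffe) rather than vport 0 */`. Both function bodies extend outside the hunks, and whether the device accepts `other_vport=1` when the number is the caller's own vport cannot be confirmed from here.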
@@ -0,0 +1,39 @@ +From e92ef53c00166623feb7b90fb23733e3e103f07b Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Wed, 27 Mar 2019 22:35:38 +0200 +Subject: net: stmmac: don't overwrite discard_frame status + +[ Upstream commit 1b746ce8b397e58f9e40ce5c63b7198de6930482 ] + +If we have error bits set, the discard_frame status will get overwritten +by checksum bit checks, which might set the status back to good one. +Fix by checking the COE status only if the frame is good. + +Signed-off-by: Aaro Koskinen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/enh_desc.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c +index e8855e6adb48..c42ef6c729c0 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c +@@ -231,9 +231,10 @@ static int enh_desc_get_rx_status(void *data, struct stmmac_extra_stats *x, + * It doesn't match with the information reported into the databook. + * At any rate, we need to understand if the CSUM hw computation is ok + * and report this info to the upper layers. */ +- ret = enh_desc_coe_rdes0(!!(rdes0 & RDES0_IPC_CSUM_ERROR), +- !!(rdes0 & RDES0_FRAME_TYPE), +- !!(rdes0 & ERDES0_RX_MAC_ADDR)); ++ if (likely(ret == good_frame)) ++ ret = enh_desc_coe_rdes0(!!(rdes0 & RDES0_IPC_CSUM_ERROR), ++ !!(rdes0 & RDES0_FRAME_TYPE), ++ !!(rdes0 & ERDES0_RX_MAC_ADDR)); + + if (unlikely(rdes0 & RDES0_DRIBBLING)) + x->dribbling_bit++; +-- +2.20.1 + diff --git a/queue-4.19/net-stmmac-don-t-stop-napi-processing-when-dropping-.patch b/queue-4.19/net-stmmac-don-t-stop-napi-processing-when-dropping-.patch new file mode 100644 index 00000000000..59915e4c973 --- /dev/null +++ b/queue-4.19/net-stmmac-don-t-stop-napi-processing-when-dropping-.patch 
@@ -0,0 +1,89 @@ +From 0011350d29b5ad36878e8acd857e4cfdee6cec04 Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Wed, 27 Mar 2019 22:35:37 +0200 +Subject: net: stmmac: don't stop NAPI processing when dropping a packet + +[ Upstream commit 07b3975352374c3f5ebb4a42ef0b253fe370542d ] + +Currently, if we drop a packet, we exit from NAPI loop before the budget +is consumed. In some situations this will make the RX processing stall +e.g. when flood pinging the system with oversized packets, as the +errorneous packets are not dropped efficiently. + +If we drop a packet, we should just continue to the next one as long as +the budget allows. + +Signed-off-by: Aaro Koskinen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index bacc2fd63bfc..5debe93ea4eb 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -3333,9 +3333,8 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + { + struct stmmac_rx_queue *rx_q = &priv->rx_queue[queue]; + struct stmmac_channel *ch = &priv->channel[queue]; +- unsigned int entry = rx_q->cur_rx; ++ unsigned int next_entry = rx_q->cur_rx; + int coe = priv->hw->rx_csum; +- unsigned int next_entry; + unsigned int count = 0; + bool xmac; + +@@ -3353,10 +3352,12 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + stmmac_display_ring(priv, rx_head, DMA_RX_SIZE, true); + } + while (count < limit) { +- int status; ++ int entry, status; + struct dma_desc *p; + struct dma_desc *np; + ++ entry = next_entry; ++ + if (priv->extend_desc) + p = (struct dma_desc *)(rx_q->dma_erx + entry); + else +@@ -3417,7 +3418,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + "len %d 
larger than size (%d)\n", + frame_len, priv->dma_buf_sz); + priv->dev->stats.rx_length_errors++; +- break; ++ continue; + } + + /* ACS is set; GMAC core strips PAD/FCS for IEEE 802.3 +@@ -3452,7 +3453,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + dev_warn(priv->device, + "packet dropped\n"); + priv->dev->stats.rx_dropped++; +- break; ++ continue; + } + + dma_sync_single_for_cpu(priv->device, +@@ -3477,7 +3478,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + "%s: Inconsistent Rx chain\n", + priv->dev->name); + priv->dev->stats.rx_dropped++; +- break; ++ continue; + } + prefetch(skb->data - NET_IP_ALIGN); + rx_q->rx_skbuff[entry] = NULL; +@@ -3512,7 +3513,6 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + priv->dev->stats.rx_packets++; + priv->dev->stats.rx_bytes += frame_len; + } +- entry = next_entry; + } + + stmmac_rx_refill(priv, queue); +-- +2.20.1 + diff --git a/queue-4.19/net-stmmac-fix-dropping-of-multi-descriptor-rx-frame.patch b/queue-4.19/net-stmmac-fix-dropping-of-multi-descriptor-rx-frame.patch new file mode 100644 index 00000000000..cea4de31b80 --- /dev/null +++ b/queue-4.19/net-stmmac-fix-dropping-of-multi-descriptor-rx-frame.patch 
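Review bot: `int entry, status;` turns the ring index from `unsigned int` into a signed `int` while it is still used to index `rx_q->dma_erx` and `rx_q->rx_skbuff[entry]`; keeping the original type, `unsigned int entry;` plus `int status;`, avoids a signed index into the descriptor ring. The three `break` to `continue` changes rely on `count` and `next_entry` being advanced before those points in the loop body, which lies outside the hunks. If either is not, an oversized or inconsistent descriptor would be retried indefinitely inside `while (count < limit)`, so that ordering deserves a comment next to `entry = next_entry;`.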
@@ -0,0 +1,42 @@ +From 0b582038c010f4b31b632314d7879350eed6ca4a Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Wed, 27 Mar 2019 22:35:39 +0200 +Subject: net: stmmac: fix dropping of multi-descriptor RX frames + +[ Upstream commit 8ac0c24fe1c256af6644caf3d311029440ec2fbd ] + +Packets without the last descriptor set should be dropped early. If we +receive a frame larger than the DMA buffer, the HW will continue using the +next descriptor. Driver mistakes these as individual frames, and sometimes +a truncated frame (without the LD set) may look like a valid packet. + +This fixes a strange issue where the system replies to 4098-byte ping +although the MTU/DMA buffer size is set to 4096, and yet at the same +time it's logging an oversized packet. + +Signed-off-by: Aaro Koskinen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/enh_desc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c +index c42ef6c729c0..5202d6ad7919 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c +@@ -201,6 +201,11 @@ static int enh_desc_get_rx_status(void *data, struct stmmac_extra_stats *x, + if (unlikely(rdes0 & RDES0_OWN)) + return dma_own; + ++ if (unlikely(!(rdes0 & RDES0_LAST_DESCRIPTOR))) { ++ stats->rx_length_errors++; ++ return discard_frame; ++ } ++ + if (unlikely(rdes0 & RDES0_ERROR_SUMMARY)) { + if (unlikely(rdes0 & RDES0_DESCRIPTOR_ERROR)) { + x->rx_desc++; +-- +2.20.1 + diff --git a/queue-4.19/net-stmmac-ratelimit-rx-error-logs.patch b/queue-4.19/net-stmmac-ratelimit-rx-error-logs.patch new file mode 100644 index 00000000000..91dc31be3b9 --- /dev/null +++ b/queue-4.19/net-stmmac-ratelimit-rx-error-logs.patch 
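Review bot: The new early check only tests `RDES0_LAST_DESCRIPTOR`, so the final descriptor of a frame that spilled over several buffers (last-descriptor bit set, but not the start of a frame) still passes it and is treated as a standalone frame unless a later check rejects it. If the descriptor layout exposes a first-descriptor bit next to `RDES0_LAST_DESCRIPTOR`, requiring both here would drop the tail as well. The rest of enh_desc_get_rx_status() is outside the hunk, so whether the length or error-summary checks already catch that case cannot be confirmed from here. A short comment such as `/* single-buffer frames only: drop anything not marked as last descriptor */` above the test would also record the intent.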
@@ -0,0 +1,51 @@ +From 72a9d55a43d4269ff86bca5ef4a2a2e23b2d2eea Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Wed, 27 Mar 2019 22:35:36 +0200 +Subject: net: stmmac: ratelimit RX error logs + +[ Upstream commit 972c9be784e077bc56472c78243e0326e525b689 ] + +Ratelimit RX error logs. + +Signed-off-by: Aaro Koskinen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index b44ca0c90c5c..bacc2fd63bfc 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -3412,9 +3412,10 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + * ignored + */ + if (frame_len > priv->dma_buf_sz) { +- netdev_err(priv->dev, +- "len %d larger than size (%d)\n", +- frame_len, priv->dma_buf_sz); ++ if (net_ratelimit()) ++ netdev_err(priv->dev, ++ "len %d larger than size (%d)\n", ++ frame_len, priv->dma_buf_sz); + priv->dev->stats.rx_length_errors++; + break; + } +@@ -3471,9 +3472,10 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + } else { + skb = rx_q->rx_skbuff[entry]; + if (unlikely(!skb)) { +- netdev_err(priv->dev, +- "%s: Inconsistent Rx chain\n", +- priv->dev->name); ++ if (net_ratelimit()) ++ netdev_err(priv->dev, ++ "%s: Inconsistent Rx chain\n", ++ priv->dev->name); + priv->dev->stats.rx_dropped++; + break; + } +-- +2.20.1 + diff --git a/queue-4.19/net-stmmac-use-correct-dma-buffer-size-in-the-rx-des.patch b/queue-4.19/net-stmmac-use-correct-dma-buffer-size-in-the-rx-des.patch new file mode 100644 index 00000000000..94510450df6 --- /dev/null +++ b/queue-4.19/net-stmmac-use-correct-dma-buffer-size-in-the-rx-des.patch 
@@ -0,0 +1,185 @@ +From 17e7b355def8e8c3042a944a4e8d3df0b853bab9 Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Wed, 27 Mar 2019 22:35:35 +0200 +Subject: net: stmmac: use correct DMA buffer size in the RX descriptor + +[ Upstream commit 583e6361414903c5206258a30e5bd88cb03c0254 ] + +We always program the maximum DMA buffer size into the receive descriptor, +although the allocated size may be less. E.g. with the default MTU size +we allocate only 1536 bytes. If somebody sends us a bigger frame, then +memory may get corrupted. + +Fix by using exact buffer sizes. + +Signed-off-by: Aaro Koskinen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/descs_com.h | 22 ++++++++++++------- + .../ethernet/stmicro/stmmac/dwmac4_descs.c | 2 +- + .../ethernet/stmicro/stmmac/dwxgmac2_descs.c | 2 +- + .../net/ethernet/stmicro/stmmac/enh_desc.c | 10 ++++++--- + drivers/net/ethernet/stmicro/stmmac/hwif.h | 2 +- + .../net/ethernet/stmicro/stmmac/norm_desc.c | 10 ++++++--- + .../net/ethernet/stmicro/stmmac/stmmac_main.c | 6 +++-- + 7 files changed, 35 insertions(+), 19 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/descs_com.h b/drivers/net/ethernet/stmicro/stmmac/descs_com.h +index 40d6356a7e73..3dfb07a78952 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/descs_com.h ++++ b/drivers/net/ethernet/stmicro/stmmac/descs_com.h +@@ -29,11 +29,13 @@ + /* Specific functions used for Ring mode */ + + /* Enhanced descriptors */ +-static inline void ehn_desc_rx_set_on_ring(struct dma_desc *p, int end) ++static inline void ehn_desc_rx_set_on_ring(struct dma_desc *p, int end, ++ int bfsize) + { +- p->des1 |= cpu_to_le32((BUF_SIZE_8KiB +- << ERDES1_BUFFER2_SIZE_SHIFT) +- & ERDES1_BUFFER2_SIZE_MASK); ++ if (bfsize == BUF_SIZE_16KiB) ++ p->des1 |= cpu_to_le32((BUF_SIZE_8KiB ++ << ERDES1_BUFFER2_SIZE_SHIFT) ++ & ERDES1_BUFFER2_SIZE_MASK); + + if (end) + p->des1 |= cpu_to_le32(ERDES1_END_RING); +@@ -59,11 +61,15 @@ static inline 
void enh_set_tx_desc_len_on_ring(struct dma_desc *p, int len) + } + + /* Normal descriptors */ +-static inline void ndesc_rx_set_on_ring(struct dma_desc *p, int end) ++static inline void ndesc_rx_set_on_ring(struct dma_desc *p, int end, int bfsize) + { +- p->des1 |= cpu_to_le32(((BUF_SIZE_2KiB - 1) +- << RDES1_BUFFER2_SIZE_SHIFT) +- & RDES1_BUFFER2_SIZE_MASK); ++ if (bfsize >= BUF_SIZE_2KiB) { ++ int bfsize2; ++ ++ bfsize2 = min(bfsize - BUF_SIZE_2KiB + 1, BUF_SIZE_2KiB - 1); ++ p->des1 |= cpu_to_le32((bfsize2 << RDES1_BUFFER2_SIZE_SHIFT) ++ & RDES1_BUFFER2_SIZE_MASK); ++ } + + if (end) + p->des1 |= cpu_to_le32(RDES1_END_RING); +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c +index 736e29635b77..313a58b68fee 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c +@@ -296,7 +296,7 @@ static int dwmac4_wrback_get_rx_timestamp_status(void *desc, void *next_desc, + } + + static void dwmac4_rd_init_rx_desc(struct dma_desc *p, int disable_rx_ic, +- int mode, int end) ++ int mode, int end, int bfsize) + { + dwmac4_set_rx_owner(p, disable_rx_ic); + } +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_descs.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_descs.c +index 1d858fdec997..98fa471da7c0 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_descs.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_descs.c +@@ -123,7 +123,7 @@ static int dwxgmac2_get_rx_timestamp_status(void *desc, void *next_desc, + } + + static void dwxgmac2_init_rx_desc(struct dma_desc *p, int disable_rx_ic, +- int mode, int end) ++ int mode, int end, int bfsize) + { + dwxgmac2_set_rx_owner(p, disable_rx_ic); + } +diff --git a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c +index 5ef91a790f9d..e8855e6adb48 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c ++++ 
b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c +@@ -259,15 +259,19 @@ static int enh_desc_get_rx_status(void *data, struct stmmac_extra_stats *x, + } + + static void enh_desc_init_rx_desc(struct dma_desc *p, int disable_rx_ic, +- int mode, int end) ++ int mode, int end, int bfsize) + { ++ int bfsize1; ++ + p->des0 |= cpu_to_le32(RDES0_OWN); +- p->des1 |= cpu_to_le32(BUF_SIZE_8KiB & ERDES1_BUFFER1_SIZE_MASK); ++ ++ bfsize1 = min(bfsize, BUF_SIZE_8KiB); ++ p->des1 |= cpu_to_le32(bfsize1 & ERDES1_BUFFER1_SIZE_MASK); + + if (mode == STMMAC_CHAIN_MODE) + ehn_desc_rx_set_on_chain(p); + else +- ehn_desc_rx_set_on_ring(p, end); ++ ehn_desc_rx_set_on_ring(p, end, bfsize); + + if (disable_rx_ic) + p->des1 |= cpu_to_le32(ERDES1_DISABLE_IC); +diff --git a/drivers/net/ethernet/stmicro/stmmac/hwif.h b/drivers/net/ethernet/stmicro/stmmac/hwif.h +index 92b8944f26e3..5bb00234d961 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/hwif.h ++++ b/drivers/net/ethernet/stmicro/stmmac/hwif.h +@@ -33,7 +33,7 @@ struct dma_extended_desc; + struct stmmac_desc_ops { + /* DMA RX descriptor ring initialization */ + void (*init_rx_desc)(struct dma_desc *p, int disable_rx_ic, int mode, +- int end); ++ int end, int bfsize); + /* DMA TX descriptor ring initialization */ + void (*init_tx_desc)(struct dma_desc *p, int mode, int end); + /* Invoked by the xmit function to prepare the tx descriptor */ +diff --git a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c +index de65bb29feba..c55a9815b394 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c +@@ -135,15 +135,19 @@ static int ndesc_get_rx_status(void *data, struct stmmac_extra_stats *x, + } + + static void ndesc_init_rx_desc(struct dma_desc *p, int disable_rx_ic, int mode, +- int end) ++ int end, int bfsize) + { ++ int bfsize1; ++ + p->des0 |= cpu_to_le32(RDES0_OWN); +- p->des1 |= cpu_to_le32((BUF_SIZE_2KiB - 1) & 
RDES1_BUFFER1_SIZE_MASK); ++ ++ bfsize1 = min(bfsize, BUF_SIZE_2KiB - 1); ++ p->des1 |= cpu_to_le32(bfsize & RDES1_BUFFER1_SIZE_MASK); + + if (mode == STMMAC_CHAIN_MODE) + ndesc_rx_set_on_chain(p, end); + else +- ndesc_rx_set_on_ring(p, end); ++ ndesc_rx_set_on_ring(p, end, bfsize); + + if (disable_rx_ic) + p->des1 |= cpu_to_le32(RDES1_DISABLE_IC); +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 39c105092214..b44ca0c90c5c 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -1111,11 +1111,13 @@ static void stmmac_clear_rx_descriptors(struct stmmac_priv *priv, u32 queue) + if (priv->extend_desc) + stmmac_init_rx_desc(priv, &rx_q->dma_erx[i].basic, + priv->use_riwt, priv->mode, +- (i == DMA_RX_SIZE - 1)); ++ (i == DMA_RX_SIZE - 1), ++ priv->dma_buf_sz); + else + stmmac_init_rx_desc(priv, &rx_q->dma_rx[i], + priv->use_riwt, priv->mode, +- (i == DMA_RX_SIZE - 1)); ++ (i == DMA_RX_SIZE - 1), ++ priv->dma_buf_sz); + } + + /** +-- +2.20.1 + diff --git a/queue-4.19/nvme-loop-init-nvmet_ctrl-fatal_err_work-when-alloca.patch b/queue-4.19/nvme-loop-init-nvmet_ctrl-fatal_err_work-when-alloca.patch new file mode 100644 index 00000000000..983858120a6 --- /dev/null +++ b/queue-4.19/nvme-loop-init-nvmet_ctrl-fatal_err_work-when-alloca.patch 
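Review bot: In ndesc_init_rx_desc() the clamped value `bfsize1` is computed and then never used: the next line still programs `bfsize & RDES1_BUFFER1_SIZE_MASK`, so a buffer size at or above `BUF_SIZE_2KiB` is presumably truncated by the mask instead of clamped, and the length written for buffer 1 may not match the allocation. The line should read `p->des1 |= cpu_to_le32(bfsize1 & RDES1_BUFFER1_SIZE_MASK);`, as enh_desc_init_rx_desc() in this same patch already does with its own `bfsize1`. Since the purpose of the change is to stop the hardware writing past the allocated RX buffer, a wrong length here weakens the fix for normal descriptors. dwmac4_rd_init_rx_desc() and dwxgmac2_init_rx_desc() accept the new `bfsize` argument but do not use it; a one-line comment saying where those cores take their buffer length from would help the next reader.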
@@ -0,0 +1,99 @@ +From 6ff7736376942fe5923c7497e6079e55da8e46de Mon Sep 17 00:00:00 2001 +From: Yufen Yu +Date: Wed, 13 Mar 2019 18:54:59 +0100 +Subject: nvme-loop: init nvmet_ctrl fatal_err_work when allocate + +[ Upstream commit d11de63f2b519f0a162b834013b6d3a46dbf3886 ] + +After commit 4d43d395fe (workqueue: Try to catch flush_work() without +INIT_WORK()), it can cause warning when delete nvme-loop device, trace +like: + +[ 76.601272] Call Trace: +[ 76.601646] ? del_timer+0x72/0xa0 +[ 76.602156] __cancel_work_timer+0x1ae/0x270 +[ 76.602791] cancel_work_sync+0x14/0x20 +[ 76.603407] nvmet_ctrl_free+0x1b7/0x2f0 [nvmet] +[ 76.604091] ? free_percpu+0x168/0x300 +[ 76.604652] nvmet_sq_destroy+0x106/0x240 [nvmet] +[ 76.605346] nvme_loop_destroy_admin_queue+0x30/0x60 [nvme_loop] +[ 76.606220] nvme_loop_shutdown_ctrl+0xc3/0xf0 [nvme_loop] +[ 76.607026] nvme_loop_delete_ctrl_host+0x19/0x30 [nvme_loop] +[ 76.607871] nvme_do_delete_ctrl+0x75/0xb0 +[ 76.608477] nvme_sysfs_delete+0x7d/0xc0 +[ 76.609057] dev_attr_store+0x24/0x40 +[ 76.609603] sysfs_kf_write+0x4c/0x60 +[ 76.610144] kernfs_fop_write+0x19a/0x260 +[ 76.610742] __vfs_write+0x1c/0x60 +[ 76.611246] vfs_write+0xfa/0x280 +[ 76.611739] ksys_write+0x6e/0x120 +[ 76.612238] __x64_sys_write+0x1e/0x30 +[ 76.612787] do_syscall_64+0xbf/0x3a0 +[ 76.613329] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +We fix it by moving fatal_err_work init to nvmet_alloc_ctrl(), which may +more reasonable. 
+ +Signed-off-by: Yufen Yu +Reviewed-by: Sagi Grimberg +Reviewed-by: Bart Van Assche +Signed-off-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/core.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index b5ec96abd048..776b7e9e23b9 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -921,6 +921,15 @@ bool nvmet_host_allowed(struct nvmet_req *req, struct nvmet_subsys *subsys, + return __nvmet_host_allowed(subsys, hostnqn); + } + ++static void nvmet_fatal_error_handler(struct work_struct *work) ++{ ++ struct nvmet_ctrl *ctrl = ++ container_of(work, struct nvmet_ctrl, fatal_err_work); ++ ++ pr_err("ctrl %d fatal error occurred!\n", ctrl->cntlid); ++ ctrl->ops->delete_ctrl(ctrl); ++} ++ + u16 nvmet_alloc_ctrl(const char *subsysnqn, const char *hostnqn, + struct nvmet_req *req, u32 kato, struct nvmet_ctrl **ctrlp) + { +@@ -962,6 +971,7 @@ u16 nvmet_alloc_ctrl(const char *subsysnqn, const char *hostnqn, + + INIT_WORK(&ctrl->async_event_work, nvmet_async_event_work); + INIT_LIST_HEAD(&ctrl->async_events); ++ INIT_WORK(&ctrl->fatal_err_work, nvmet_fatal_error_handler); + + memcpy(ctrl->subsysnqn, subsysnqn, NVMF_NQN_SIZE); + memcpy(ctrl->hostnqn, hostnqn, NVMF_NQN_SIZE); +@@ -1076,21 +1086,11 @@ void nvmet_ctrl_put(struct nvmet_ctrl *ctrl) + kref_put(&ctrl->ref, nvmet_ctrl_free); + } + +-static void nvmet_fatal_error_handler(struct work_struct *work) +-{ +- struct nvmet_ctrl *ctrl = +- container_of(work, struct nvmet_ctrl, fatal_err_work); +- +- pr_err("ctrl %d fatal error occurred!\n", ctrl->cntlid); +- ctrl->ops->delete_ctrl(ctrl); +-} +- + void nvmet_ctrl_fatal_error(struct nvmet_ctrl *ctrl) + { + mutex_lock(&ctrl->lock); + if (!(ctrl->csts & NVME_CSTS_CFS)) { + ctrl->csts |= NVME_CSTS_CFS; +- INIT_WORK(&ctrl->fatal_err_work, nvmet_fatal_error_handler); + 
schedule_work(&ctrl->fatal_err_work); + } + mutex_unlock(&ctrl->lock); +-- +2.20.1 + diff --git a/queue-4.19/reset-meson-audio-arb-fix-missing-.owner-setting-of-.patch b/queue-4.19/reset-meson-audio-arb-fix-missing-.owner-setting-of-.patch new file mode 100644 index 00000000000..bb3d11e7d03 --- /dev/null +++ b/queue-4.19/reset-meson-audio-arb-fix-missing-.owner-setting-of-.patch @@ -0,0 +1,33 @@ +From c1d0bd43f91aae338d2a2dc329dc7602dc801658 Mon Sep 17 00:00:00 2001 +From: Axel Lin +Date: Mon, 18 Mar 2019 22:03:52 +0800 +Subject: reset: meson-audio-arb: Fix missing .owner setting of + reset_controller_dev + +[ Upstream commit 13e8a05b922457761ddef39cfff6231bd4ed9eef ] + +Set .owner to prevent module unloading while being used. + +Signed-off-by: Axel Lin +Fixes: d903779b58be ("reset: meson: add meson audio arb driver") +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/reset/reset-meson-audio-arb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/reset/reset-meson-audio-arb.c b/drivers/reset/reset-meson-audio-arb.c +index 91751617b37a..c53a2185a039 100644 +--- a/drivers/reset/reset-meson-audio-arb.c ++++ b/drivers/reset/reset-meson-audio-arb.c +@@ -130,6 +130,7 @@ static int meson_audio_arb_probe(struct platform_device *pdev) + arb->rstc.nr_resets = ARRAY_SIZE(axg_audio_arb_reset_bits); + arb->rstc.ops = &meson_audio_arb_rstc_ops; + arb->rstc.of_node = dev->of_node; ++ arb->rstc.owner = THIS_MODULE; + + /* + * Enable general : +-- +2.20.1 + diff --git a/queue-4.19/riscv-fix-accessing-8-byte-variable-from-rv32.patch b/queue-4.19/riscv-fix-accessing-8-byte-variable-from-rv32.patch new file mode 100644 index 00000000000..b108c249a16 --- /dev/null +++ b/queue-4.19/riscv-fix-accessing-8-byte-variable-from-rv32.patch 
@@ -0,0 +1,38 @@
+From 421fc38b4286c60fc019f7318824169ff8b13be2 Mon Sep 17 00:00:00 2001
+From: Alan Kao
+Date: Fri, 22 Mar 2019 14:37:04 +0800
+Subject: riscv: fix accessing 8-byte variable from RV32
+
+[ Upstream commit dbee9c9c45846f003ec2f819710c2f4835630a6a ]
+
+A memory save operation to 8-byte variable in RV32 is divided into
+two sw instructions in the put_user macro. The current fixup returns
+execution flow to the second sw instead of the one after it.
+
+This patch fixes this fixup code according to the load access part.
+
+Signed-off-by: Alan Kao
+Cc: Greentime Hu
+Cc: Vincent Chen
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Sasha Levin
+---
+ arch/riscv/include/asm/uaccess.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/include/asm/uaccess.h b/arch/riscv/include/asm/uaccess.h
+index 8c3e3e3c8be1..f0ea3156192d 100644
+--- a/arch/riscv/include/asm/uaccess.h
++++ b/arch/riscv/include/asm/uaccess.h
+@@ -307,7 +307,7 @@ do { \
+ " .balign 4\n" \
+ "4:\n" \
+ " li %0, %6\n" \
+- " jump 2b, %1\n" \
++ " jump 3b, %1\n" \
+ " .previous\n" \
+ " .section __ex_table,\"a\"\n" \
+ " .balign " RISCV_SZPTR "\n" \
+--
+2.20.1
+
diff --git a/queue-4.19/rtc-cros-ec-fail-suspend-resume-if-wake-irq-can-t-be.patch b/queue-4.19/rtc-cros-ec-fail-suspend-resume-if-wake-irq-can-t-be.patch
new file mode 100644
index 00000000000..20ad6ad8807
--- /dev/null
+++ b/queue-4.19/rtc-cros-ec-fail-suspend-resume-if-wake-irq-can-t-be.patch
@@ -0,0 +1,65 @@
+From ed67f9330a283c4f5cc3b78567720ce69ce3a6e5 Mon Sep 17 00:00:00 2001
+From: Stephen Boyd
+Date: Fri, 15 Mar 2019 11:51:12 -0700
+Subject: rtc: cros-ec: Fail suspend/resume if wake IRQ can't be configured
+
+[ Upstream commit d6752e185c3168771787a02dc6a55f32260943cc ]
+
+If we encounter a failure during suspend where this RTC was programmed
+to wakeup the system from suspend, but that wakeup couldn't be
+configured because the system didn't support wakeup interrupts, we'll
+run into the following warning:
+
+ Unbalanced IRQ 166 wake disable
+ WARNING: CPU: 7 PID: 3071 at kernel/irq/manage.c:669 irq_set_irq_wake+0x108/0x278
+
+This happens because the suspend process isn't aborted when the RTC
+fails to configure the wakeup IRQ. Instead, we continue suspending the
+system and then another suspend callback fails the suspend process and
+"unwinds" the previously suspended drivers by calling their resume
+callbacks. When we get back to resuming this RTC driver, we'll call
+disable_irq_wake() on an IRQ that hasn't been configured for wake.
+
+Let's just fail suspend/resume here if we can't configure the system to
+wake and the user has chosen to wakeup with this device. This fixes this
+warning and makes the code more robust in case there are systems out
+there that can't wakeup from suspend on this line but the user has
+chosen to do so.
+
+Cc: Enric Balletbo i Serra
+Cc: Evan Green
+Cc: Benson Leung
+Cc: Guenter Roeck
+Signed-off-by: Stephen Boyd
+Acked-By: Benson Leung
+Signed-off-by: Alexandre Belloni
+Signed-off-by: Sasha Levin
+---
+ drivers/rtc/rtc-cros-ec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/rtc/rtc-cros-ec.c b/drivers/rtc/rtc-cros-ec.c
+index e5444296075e..4d6bf9304ceb 100644
+--- a/drivers/rtc/rtc-cros-ec.c
++++ b/drivers/rtc/rtc-cros-ec.c
+@@ -298,7 +298,7 @@ static int cros_ec_rtc_suspend(struct device *dev)
+ struct cros_ec_rtc *cros_ec_rtc = dev_get_drvdata(&pdev->dev);
+
+ if (device_may_wakeup(dev))
+- enable_irq_wake(cros_ec_rtc->cros_ec->irq);
++ return enable_irq_wake(cros_ec_rtc->cros_ec->irq);
+
+ return 0;
+ }
+@@ -309,7 +309,7 @@ static int cros_ec_rtc_resume(struct device *dev)
+ struct cros_ec_rtc *cros_ec_rtc = dev_get_drvdata(&pdev->dev);
+
+ if (device_may_wakeup(dev))
+- disable_irq_wake(cros_ec_rtc->cros_ec->irq);
++ return disable_irq_wake(cros_ec_rtc->cros_ec->irq);
+
+ return 0;
+ }
+--
+2.20.1
+
diff --git a/queue-4.19/rtc-da9063-set-uie_unsupported-when-relevant.patch b/queue-4.19/rtc-da9063-set-uie_unsupported-when-relevant.patch
new file mode 100644
index 00000000000..bc7bdd6fc7a
--- /dev/null
+++ b/queue-4.19/rtc-da9063-set-uie_unsupported-when-relevant.patch
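Review bot: Neither `return enable_irq_wake(...)` in cros_ec_rtc_suspend() nor `return disable_irq_wake(...)` in cros_ec_rtc_resume() carries a comment saying why the result is now propagated, so without the commit message the early return reads like a stylistic change. A one-line comment on the suspend side, e.g. `/* abort suspend if the wake IRQ cannot be armed; resume would otherwise disable a wake that was never enabled */`, would keep a later cleanup from dropping the return value again. Both function bodies start outside their hunks, so any earlier use of the IRQ in them is not visible here.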
@@ -0,0 +1,42 @@
+From 5fc98c2eda5c2799ac30683522404cfea4cf3dcd Mon Sep 17 00:00:00 2001
+From: Alexandre Belloni
+Date: Tue, 2 Apr 2019 12:26:36 +0200
+Subject: rtc: da9063: set uie_unsupported when relevant
+
+[ Upstream commit 882c5e552ffd06856de42261460f46e18319d259 ]
+
+The DA9063AD doesn't support alarms on any seconds and its granularity is
+the minute. Set uie_unsupported in that case.
+
+Reported-by: Wolfram Sang
+Reported-by: Geert Uytterhoeven
+Reviewed-by: Wolfram Sang
+Tested-by: Wolfram Sang
+Acked-by: Steve Twiss
+Signed-off-by: Alexandre Belloni
+Signed-off-by: Sasha Levin
+---
+ drivers/rtc/rtc-da9063.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/rtc/rtc-da9063.c b/drivers/rtc/rtc-da9063.c
+index b4e054c64bad..69b54e5556c0 100644
+--- a/drivers/rtc/rtc-da9063.c
++++ b/drivers/rtc/rtc-da9063.c
+@@ -480,6 +480,13 @@ static int da9063_rtc_probe(struct platform_device *pdev)
+ da9063_data_to_tm(data, &rtc->alarm_time, rtc);
+ rtc->rtc_sync = false;
+
++ /*
++ * TODO: some models have alarms on a minute boundary but still support
++ * real hardware interrupts. Add this once the core supports it.
++ */
++ if (config->rtc_data_start != RTC_SEC)
++ rtc->rtc_dev->uie_unsupported = 1;
++
+ irq_alarm = platform_get_irq_byname(pdev, "ALARM");
+ ret = devm_request_threaded_irq(&pdev->dev, irq_alarm, NULL,
+ da9063_alarm_event,
+--
+2.20.1
+
diff --git a/queue-4.19/rtc-sh-fix-invalid-alarm-warning-for-non-enabled-ala.patch b/queue-4.19/rtc-sh-fix-invalid-alarm-warning-for-non-enabled-ala.patch
new file mode 100644
index 00000000000..43e3f95948e
--- /dev/null
+++ b/queue-4.19/rtc-sh-fix-invalid-alarm-warning-for-non-enabled-ala.patch
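Review bot: The added `rtc->rtc_dev->uie_unsupported = 1;` dereferences `rtc->rtc_dev`, and nothing in the hunk shows where `rtc_dev` is assigned. da9063_rtc_probe() starts outside the hunk, so for this 4.19 backport it is worth confirming that the RTC device is allocated or registered before this line in the 4.19 tree; if it is assigned later, the probe would dereference an unset pointer. Separately, the comment above the test is only a TODO and does not say what `config->rtc_data_start != RTC_SEC` detects; presumably it is the minute-granularity variant named in the commit message, and a line such as `/* variant without per-second alarms: no UIE */` would make that explicit.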
@@ -0,0 +1,46 @@
+From 7367aa3e36e96f240d8e8a9ec1c12591c6028705 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Wed, 20 Mar 2019 11:32:14 +0100
+Subject: rtc: sh: Fix invalid alarm warning for non-enabled alarm
+
+[ Upstream commit 15d82d22498784966df8e4696174a16b02cc1052 ]
+
+When no alarm has been programmed on RSK-RZA1, an error message is
+printed during boot:
+
+ rtc rtc0: invalid alarm value: 2019-03-14T255:255:255
+
+sh_rtc_read_alarm_value() returns 0xff when querying a hardware alarm
+field that is not enabled. __rtc_read_alarm() validates the received
+alarm values, and fills in missing fields when needed.
+While 0xff is handled fine for the year, month, and day fields, and
+corrected as considered being out-of-range, this is not the case for the
+hour, minute, and second fields, where -1 is expected for missing
+fields.
+
+Fix this by returning -1 instead, as this value is handled fine for all
+fields.
+
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Alexandre Belloni
+Signed-off-by: Sasha Levin
+---
+ drivers/rtc/rtc-sh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-sh.c b/drivers/rtc/rtc-sh.c
+index 51ba414798a8..3d7414e5ed35 100644
+--- a/drivers/rtc/rtc-sh.c
++++ b/drivers/rtc/rtc-sh.c
+@@ -377,7 +377,7 @@ static int sh_rtc_set_time(struct device *dev, struct rtc_time *tm)
+ static inline int sh_rtc_read_alarm_value(struct sh_rtc *rtc, int reg_off)
+ {
+ unsigned int byte;
+- int value = 0xff; /* return 0xff for ignored values */
++ int value = -1; /* return -1 for ignored values */
+
+ byte = readb(rtc->regbase + reg_off);
+ if (byte & AR_ENB) {
+--
+2.20.1
+
diff --git a/queue-4.19/scsi-core-add-new-rdac-lenovo-de_series-device.patch b/queue-4.19/scsi-core-add-new-rdac-lenovo-de_series-device.patch
new file mode 100644
index 00000000000..eac5581e7da
--- /dev/null
+++ b/queue-4.19/scsi-core-add-new-rdac-lenovo-de_series-device.patch
@@ -0,0 +1,54 @@
+From 72bb87288427e66cf6cda6a3deda592bbde0dadf Mon Sep 17 00:00:00 2001
+From: Xose Vazquez Perez
+Date: Sat, 30 Mar 2019 15:43:31 +0100
+Subject: scsi: core: add new RDAC LENOVO/DE_Series device
+
+[ Upstream commit 1cb1d2c64e812928fe0a40b8f7e74523d0283dbe ]
+
+Blacklist "Universal Xport" LUN. It's used for in-band storage array
+management. Also add model to the rdac dh family.
+
+Cc: Martin Wilck
+Cc: Hannes Reinecke
+Cc: NetApp RDAC team
+Cc: Christophe Varoqui
+Cc: James E.J. Bottomley
+Cc: Martin K. Petersen
+Cc: SCSI ML
+Cc: DM ML
+Signed-off-by: Xose Vazquez Perez
+Reviewed-by: Martin Wilck
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/scsi_devinfo.c | 1 +
+ drivers/scsi/scsi_dh.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c
+index c4cbfd07b916..a08ff3bd6310 100644
+--- a/drivers/scsi/scsi_devinfo.c
++++ b/drivers/scsi/scsi_devinfo.c
+@@ -238,6 +238,7 @@ static struct {
+ {"NETAPP", "Universal Xport", "*", BLIST_NO_ULD_ATTACH},
+ {"LSI", "Universal Xport", "*", BLIST_NO_ULD_ATTACH},
+ {"ENGENIO", "Universal Xport", "*", BLIST_NO_ULD_ATTACH},
++ {"LENOVO", "Universal Xport", "*", BLIST_NO_ULD_ATTACH},
+ {"SMSC", "USB 2 HS-CF", NULL, BLIST_SPARSELUN | BLIST_INQUIRY_36},
+ {"SONY", "CD-ROM CDU-8001", NULL, BLIST_BORKEN},
+ {"SONY", "TSL", NULL, BLIST_FORCELUN}, /* DDS3 & DDS4 autoloaders */
+diff --git a/drivers/scsi/scsi_dh.c b/drivers/scsi/scsi_dh.c
+index 5a58cbf3a75d..c14006ac98f9 100644
+--- a/drivers/scsi/scsi_dh.c
++++ b/drivers/scsi/scsi_dh.c
+@@ -75,6 +75,7 @@ static const struct scsi_dh_blist scsi_dh_blist[] = {
+ {"NETAPP", "INF-01-00", "rdac", },
+ {"LSI", "INF-01-00", "rdac", },
+ {"ENGENIO", "INF-01-00", "rdac", },
++ {"LENOVO", "DE_Series", "rdac", },
+ {NULL, NULL, NULL },
+ };
+
+--
+2.20.1
+
diff --git a/queue-4.19/scsi-storvsc-fix-calculation-of-sub-channel-count.patch b/queue-4.19/scsi-storvsc-fix-calculation-of-sub-channel-count.patch
new file mode 100644
index 00000000000..94b4c2a5042
--- /dev/null
+++ b/queue-4.19/scsi-storvsc-fix-calculation-of-sub-channel-count.patch
@@ -0,0 +1,58 @@
+From 5bbff83bb58006ba355ad93d82079d9ecf6b1cee Mon Sep 17 00:00:00 2001
+From: Michael Kelley
+Date: Mon, 1 Apr 2019 16:10:52 +0000
+Subject: scsi: storvsc: Fix calculation of sub-channel count
+
+[ Upstream commit 382e06d11e075a40b4094b6ef809f8d4bcc7ab2a ]
+
+When the number of sub-channels offered by Hyper-V is >= the number of CPUs
+in the VM, calculate the correct number of sub-channels. The current code
+produces one too many.
+
+This scenario arises only when the number of CPUs is artificially
+restricted (for example, with maxcpus= on the kernel boot line), because
+Hyper-V normally offers a sub-channel count < number of CPUs. While the
+current code doesn't break, the extra sub-channel is unbalanced across the
+CPUs (for example, a total of 5 channels on a VM with 4 CPUs).
+
+Signed-off-by: Michael Kelley
+Reviewed-by: Vitaly Kuznetsov
+Reviewed-by: Long Li
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/storvsc_drv.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
+index f03dc03a42c3..0c2ba075bc71 100644
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -664,13 +664,22 @@ static void handle_sc_creation(struct vmbus_channel *new_sc)
+ static void handle_multichannel_storage(struct hv_device *device, int max_chns)
+ {
+ struct storvsc_device *stor_device;
+- int num_cpus = num_online_cpus();
+ int num_sc;
+ struct storvsc_cmd_request *request;
+ struct vstor_packet *vstor_packet;
+ int ret, t;
+
+- num_sc = ((max_chns > num_cpus) ? num_cpus : max_chns);
++ /*
++ * If the number of CPUs is artificially restricted, such as
++ * with maxcpus=1 on the kernel boot line, Hyper-V could offer
++ * sub-channels >= the number of CPUs. These sub-channels
++ * should not be created. The primary channel is already created
++ * and assigned to one CPU, so check against # CPUs - 1.
++ */
++ num_sc = min((int)(num_online_cpus() - 1), max_chns);
++ if (!num_sc)
++ return;
++
+ stor_device = get_out_stor_device(device);
+ if (!stor_device)
+ return;
+--
+2.20.1
+
diff --git a/queue-4.19/series b/queue-4.19/series
index 410942f2d18..471a90e300e 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
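Review bot: The new early return in handle_multichannel_storage() tests only `if (!num_sc)`, so a negative result from `min((int)(num_online_cpus() - 1), max_chns)` would still fall through to the sub-channel setup that follows. `max_chns` is a signed `int` parameter whose origin is not visible in this hunk; if it is derived from a count offered by the host, I would make the guard `if (num_sc <= 0) return;` so that an out-of-range value cannot reach the code below. The function continues past the end of the hunk, so how num_sc is consumed afterwards cannot be checked from here.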
@@ -16,3 +16,54 @@ usb-dummy-hcd-fix-failure-to-give-back-unlinked-urbs.patch usb-usbip-fix-isoc-packet-num-validation-in-get_pipe.patch usb-core-fix-unterminated-string-returned-by-usb_string.patch usb-core-fix-bug-caused-by-duplicate-interface-pm-usage-counter.patch +nvme-loop-init-nvmet_ctrl-fatal_err_work-when-alloca.patch +efi-fix-debugobjects-warning-on-efi_rts_work.patch +arm64-dts-rockchip-fix-rk3328-roc-cc-gmac2io-tx-rx_d.patch +hid-logitech-check-the-return-value-of-create_single.patch +hid-debug-fix-race-condition-with-between-rdesc_show.patch +rtc-cros-ec-fail-suspend-resume-if-wake-irq-can-t-be.patch +rtc-sh-fix-invalid-alarm-warning-for-non-enabled-ala.patch +batman-adv-reduce-claim-hash-refcnt-only-for-removed.patch +batman-adv-reduce-tt_local-hash-refcnt-only-for-remo.patch +batman-adv-reduce-tt_global-hash-refcnt-only-for-rem.patch +batman-adv-fix-warning-in-function-batadv_v_elp_get_.patch +arm-dts-rockchip-fix-gpu-opp-node-names-for-rk3288.patch +reset-meson-audio-arb-fix-missing-.owner-setting-of-.patch +igb-fix-warn_once-on-runtime-suspend.patch +riscv-fix-accessing-8-byte-variable-from-rv32.patch +hid-quirks-fix-keyboard-touchpad-on-lenovo-miix-630.patch +net-hns3-fix-compile-error.patch +net-mlx5-e-switch-fix-esw-manager-vport-indication-f.patch +bonding-show-full-hw-address-in-sysfs-for-slave-entr.patch +net-stmmac-use-correct-dma-buffer-size-in-the-rx-des.patch +net-stmmac-ratelimit-rx-error-logs.patch +net-stmmac-don-t-stop-napi-processing-when-dropping-.patch +net-stmmac-don-t-overwrite-discard_frame-status.patch +net-stmmac-fix-dropping-of-multi-descriptor-rx-frame.patch +net-stmmac-don-t-log-oversized-frames.patch +jffs2-fix-use-after-free-on-symlink-traversal.patch +debugfs-fix-use-after-free-on-symlink-traversal.patch +mfd-twl-core-disable-irq-while-suspended.patch +block-use-blk_free_flush_queue-to-free-hctx-fq-in-bl.patch +rtc-da9063-set-uie_unsupported-when-relevant.patch +hid-input-add-mapping-for-assistant-key.patch 
+vfio-pci-use-correct-format-characters.patch
+scsi-core-add-new-rdac-lenovo-de_series-device.patch
+scsi-storvsc-fix-calculation-of-sub-channel-count.patch
+arm-mach-at91-pm-fix-possible-object-reference-leak.patch
+arm64-fix-wrong-check-of-on_sdei_stack-in-nmi-contex.patch
+net-hns-fix-kasan-use-after-free-in-hns_nic_net_xmit.patch
+net-hns-use-napi_poll_weight-for-hns-driver.patch
+net-hns-fix-probabilistic-memory-overwrite-when-hns-.patch
+net-hns-fix-icmp6-neighbor-solicitation-messages-dis.patch
+net-hns-fix-warning-when-remove-hns-driver-with-smmu.patch
+libcxgb-fix-incorrect-ppmax-calculation.patch
+kvm-svm-prevent-dbg_decrypt-and-dbg_encrypt-overflow.patch
+kmemleak-powerpc-skip-scanning-holes-in-the-.bss-sec.patch
+hugetlbfs-fix-memory-leak-for-resv_map.patch
+sh-fix-multiple-function-definition-build-errors.patch
+xsysace-fix-error-handling-in-ace_setup.patch
+fs-stream_open-opener-for-stream-like-files-so-that-.patch
+arm-orion-don-t-use-using-64-bit-dma-masks.patch
+arm-iop-don-t-use-using-64-bit-dma-masks.patch
+block-pass-no-op-callback-to-init_work.patch
diff --git a/queue-4.19/sh-fix-multiple-function-definition-build-errors.patch b/queue-4.19/sh-fix-multiple-function-definition-build-errors.patch
new file mode 100644
index 00000000000..e65c79d876d
--- /dev/null
+++ b/queue-4.19/sh-fix-multiple-function-definition-build-errors.patch
@@ -0,0 +1,57 @@
+From f9ecf3653133318bcf10e14166bb10eb1126e002 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap
+Date: Fri, 5 Apr 2019 18:39:30 -0700
+Subject: sh: fix multiple function definition build errors
+
+[ Upstream commit acaf892ecbf5be7710ae05a61fd43c668f68ad95 ]
+
+Many of the sh CPU-types have their own plat_irq_setup() and
+arch_init_clk_ops() functions, so these same (empty) functions in
+arch/sh/boards/of-generic.c are not needed and cause build errors.
+
+If there is some case where these empty functions are needed, they can
+be retained by marking them as "__weak" while at the same time making
+builds that do not need them succeed.
+
+Fixes these build errors:
+
+arch/sh/boards/of-generic.o: In function `plat_irq_setup':
+(.init.text+0x134): multiple definition of `plat_irq_setup'
+arch/sh/kernel/cpu/sh2/setup-sh7619.o:(.init.text+0x30): first defined here
+arch/sh/boards/of-generic.o: In function `arch_init_clk_ops':
+(.init.text+0x118): multiple definition of `arch_init_clk_ops'
+arch/sh/kernel/cpu/sh2/clock-sh7619.o:(.init.text+0x0): first defined here
+
+Link: http://lkml.kernel.org/r/9ee4e0c5-f100-86a2-bd4d-1d3287ceab31@infradead.org
+Signed-off-by: Randy Dunlap
+Reported-by: kbuild test robot
+Cc: Takashi Iwai
+Cc: Yoshinori Sato
+Cc: Rich Felker
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ arch/sh/boards/of-generic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/sh/boards/of-generic.c b/arch/sh/boards/of-generic.c
+index 26789ad28193..cb99df514a1c 100644
+--- a/arch/sh/boards/of-generic.c
++++ b/arch/sh/boards/of-generic.c
+@@ -175,10 +175,10 @@ static struct sh_machine_vector __initmv sh_of_generic_mv = {
+
+ struct sh_clk_ops;
+
+-void __init arch_init_clk_ops(struct sh_clk_ops **ops, int idx)
++void __init __weak arch_init_clk_ops(struct sh_clk_ops **ops, int idx)
+ {
+ }
+
+-void __init plat_irq_setup(void)
++void __init __weak plat_irq_setup(void)
+ {
+ }
+--
+2.20.1
+
diff --git a/queue-4.19/vfio-pci-use-correct-format-characters.patch b/queue-4.19/vfio-pci-use-correct-format-characters.patch
new file mode 100644
index 00000000000..de6ae82d3f8
--- /dev/null
+++ b/queue-4.19/vfio-pci-use-correct-format-characters.patch
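Review bot: With `__weak` on arch_init_clk_ops() and plat_irq_setup(), the empty bodies silently become the implementation on any configuration that has no CPU-specific definition, and nothing in the file says so. I would add a comment above the two stubs, e.g. `/* weak no-op fallbacks; CPU-type code may provide the real implementation */`, so a reader does not take the empty functions for the intended clock and IRQ setup.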
@@ -0,0 +1,81 @@
+From d6ffd6537771e76dab4dfd38c9dce786c0e293d3 Mon Sep 17 00:00:00 2001
+From: Louis Taylor
+Date: Wed, 3 Apr 2019 12:36:20 -0600
+Subject: vfio/pci: use correct format characters
+
+[ Upstream commit 426b046b748d1f47e096e05bdcc6fb4172791307 ]
+
+When compiling with -Wformat, clang emits the following warnings:
+
+drivers/vfio/pci/vfio_pci.c:1601:5: warning: format specifies type
+ 'unsigned short' but the argument has type 'unsigned int' [-Wformat]
+ vendor, device, subvendor, subdevice,
+ ^~~~~~
+
+drivers/vfio/pci/vfio_pci.c:1601:13: warning: format specifies type
+ 'unsigned short' but the argument has type 'unsigned int' [-Wformat]
+ vendor, device, subvendor, subdevice,
+ ^~~~~~
+
+drivers/vfio/pci/vfio_pci.c:1601:21: warning: format specifies type
+ 'unsigned short' but the argument has type 'unsigned int' [-Wformat]
+ vendor, device, subvendor, subdevice,
+ ^~~~~~~~~
+
+drivers/vfio/pci/vfio_pci.c:1601:32: warning: format specifies type
+ 'unsigned short' but the argument has type 'unsigned int' [-Wformat]
+ vendor, device, subvendor, subdevice,
+ ^~~~~~~~~
+
+drivers/vfio/pci/vfio_pci.c:1605:5: warning: format specifies type
+ 'unsigned short' but the argument has type 'unsigned int' [-Wformat]
+ vendor, device, subvendor, subdevice,
+ ^~~~~~
+
+drivers/vfio/pci/vfio_pci.c:1605:13: warning: format specifies type
+ 'unsigned short' but the argument has type 'unsigned int' [-Wformat]
+ vendor, device, subvendor, subdevice,
+ ^~~~~~
+
+drivers/vfio/pci/vfio_pci.c:1605:21: warning: format specifies type
+ 'unsigned short' but the argument has type 'unsigned int' [-Wformat]
+ vendor, device, subvendor, subdevice,
+ ^~~~~~~~~
+
+drivers/vfio/pci/vfio_pci.c:1605:32: warning: format specifies type
+ 'unsigned short' but the argument has type 'unsigned int' [-Wformat]
+ vendor, device, subvendor, subdevice,
+ ^~~~~~~~~
+The types of these arguments are unconditionally defined, so this patch
+updates the format character to the correct ones for
unsigned ints.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/378
+Signed-off-by: Louis Taylor
+Reviewed-by: Nick Desaulniers
+Signed-off-by: Alex Williamson
+Signed-off-by: Sasha Levin
+---
+ drivers/vfio/pci/vfio_pci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
+index cddb453a1ba5..6cf00d9f512b 100644
+--- a/drivers/vfio/pci/vfio_pci.c
++++ b/drivers/vfio/pci/vfio_pci.c
+@@ -1443,11 +1443,11 @@ static void __init vfio_pci_fill_ids(void)
+ rc = pci_add_dynid(&vfio_pci_driver, vendor, device,
+ subvendor, subdevice, class, class_mask, 0);
+ if (rc)
+- pr_warn("failed to add dynamic id [%04hx:%04hx[%04hx:%04hx]] class %#08x/%08x (%d)\n",
++ pr_warn("failed to add dynamic id [%04x:%04x[%04x:%04x]] class %#08x/%08x (%d)\n",
+ vendor, device, subvendor, subdevice,
+ class, class_mask, rc);
+ else
+- pr_info("add [%04hx:%04hx[%04hx:%04hx]] class %#08x/%08x\n",
++ pr_info("add [%04x:%04x[%04x:%04x]] class %#08x/%08x\n",
+ vendor, device, subvendor, subdevice,
+ class, class_mask);
+ }
+--
+2.20.1
+
diff --git a/queue-4.19/xsysace-fix-error-handling-in-ace_setup.patch b/queue-4.19/xsysace-fix-error-handling-in-ace_setup.patch
new file mode 100644
index 00000000000..27d69b02f86
--- /dev/null
+++ b/queue-4.19/xsysace-fix-error-handling-in-ace_setup.patch
@@ -0,0 +1,85 @@
+From 33e347ec8fff857ed5ce1de7f5552efb593785fa Mon Sep 17 00:00:00 2001
+From: Guenter Roeck
+Date: Tue, 19 Feb 2019 08:49:56 -0800
+Subject: xsysace: Fix error handling in ace_setup
+
+[ Upstream commit 47b16820c490149c2923e8474048f2c6e7557cab ]
+
+If xace hardware reports a bad version number, the error handling code
+in ace_setup() calls put_disk(), followed by queue cleanup. However, since
+the disk data structure has the queue pointer set, put_disk() also
+cleans and releases the queue. This results in blk_cleanup_queue()
+accessing an already released data structure, which in turn may result
+in a crash such as the following.
+
+[ 10.681671] BUG: Kernel NULL pointer dereference at 0x00000040
+[ 10.681826] Faulting instruction address: 0xc0431480
+[ 10.682072] Oops: Kernel access of bad area, sig: 11 [#1]
+[ 10.682251] BE PAGE_SIZE=4K PREEMPT Xilinx Virtex440
+[ 10.682387] Modules linked in:
+[ 10.682528] CPU: 0 PID: 1 Comm: swapper Tainted: G W 5.0.0-rc6-next-20190218+ #2
+[ 10.682733] NIP: c0431480 LR: c043147c CTR: c0422ad8
+[ 10.682863] REGS: cf82fbe0 TRAP: 0300 Tainted: G W (5.0.0-rc6-next-20190218+)
+[ 10.683065] MSR: 00029000 CR: 22000222 XER: 00000000
+[ 10.683236] DEAR: 00000040 ESR: 00000000
+[ 10.683236] GPR00: c043147c cf82fc90 cf82ccc0 00000000 00000000 00000000 00000002 00000000
+[ 10.683236] GPR08: 00000000 00000000 c04310bc 00000000 22000222 00000000 c0002c54 00000000
+[ 10.683236] GPR16: 00000000 00000001 c09aa39c c09021b0 c09021dc 00000007 c0a68c08 00000000
+[ 10.683236] GPR24: 00000001 ced6d400 ced6dcf0 c0815d9c 00000000 00000000 00000000 cedf0800
+[ 10.684331] NIP [c0431480] blk_mq_run_hw_queue+0x28/0x114
+[ 10.684473] LR [c043147c] blk_mq_run_hw_queue+0x24/0x114
+[ 10.684602] Call Trace:
+[ 10.684671] [cf82fc90] [c043147c] blk_mq_run_hw_queue+0x24/0x114 (unreliable)
+[ 10.684854] [cf82fcc0] [c04315bc] blk_mq_run_hw_queues+0x50/0x7c
+[ 10.685002] [cf82fce0] [c0422b24] blk_set_queue_dying+0x30/0x68
+[ 10.685154] [cf82fcf0]
[c0423ec0] blk_cleanup_queue+0x34/0x14c
+[ 10.685306] [cf82fd10] [c054d73c] ace_probe+0x3dc/0x508
+[ 10.685445] [cf82fd50] [c052d740] platform_drv_probe+0x4c/0xb8
+[ 10.685592] [cf82fd70] [c052abb0] really_probe+0x20c/0x32c
+[ 10.685728] [cf82fda0] [c052ae58] driver_probe_device+0x68/0x464
+[ 10.685877] [cf82fdc0] [c052b500] device_driver_attach+0xb4/0xe4
+[ 10.686024] [cf82fde0] [c052b5dc] __driver_attach+0xac/0xfc
+[ 10.686161] [cf82fe00] [c0528428] bus_for_each_dev+0x80/0xc0
+[ 10.686314] [cf82fe30] [c0529b3c] bus_add_driver+0x144/0x234
+[ 10.686457] [cf82fe50] [c052c46c] driver_register+0x88/0x15c
+[ 10.686610] [cf82fe60] [c09de288] ace_init+0x4c/0xac
+[ 10.686742] [cf82fe80] [c0002730] do_one_initcall+0xac/0x330
+[ 10.686888] [cf82fee0] [c09aafd0] kernel_init_freeable+0x34c/0x478
+[ 10.687043] [cf82ff30] [c0002c6c] kernel_init+0x18/0x114
+[ 10.687188] [cf82ff40] [c000f2f0] ret_from_kernel_thread+0x14/0x1c
+[ 10.687349] Instruction dump:
+[ 10.687435] 3863ffd4 4bfffd70 9421ffd0 7c0802a6 93c10028 7c9e2378 93e1002c 38810008
+[ 10.687637] 7c7f1b78 90010034 4bfffc25 813f008c <81290040> 75290100 4182002c 80810008
+[ 10.688056] ---[ end trace 13c9ff51d41b9d40 ]---
+
+Fix the problem by setting the disk queue pointer to NULL before calling
+put_disk(). A more comprehensive fix might be to rearrange the code
+to check the hardware version before initializing data structures,
+but I don't know if this would have undesirable side effects, and
+it would increase the complexity of backporting the fix to older kernels.
+
+Fixes: 74489a91dd43a ("Add support for Xilinx SystemACE CompactFlash interface")
+Acked-by: Michal Simek
+Signed-off-by: Guenter Roeck
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/block/xsysace.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/block/xsysace.c b/drivers/block/xsysace.c
+index c24589414c75..0f36db0cf74a 100644
+--- a/drivers/block/xsysace.c
++++ b/drivers/block/xsysace.c
+@@ -1063,6 +1063,8 @@ static int ace_setup(struct ace_device *ace)
+ return 0;
+
+ err_read:
++ /* prevent double queue cleanup */
++ ace->gd->queue = NULL;
+ put_disk(ace->gd);
+ err_alloc_disk:
+ blk_cleanup_queue(ace->queue);
+--
+2.20.1
+
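Review bot: The added comment `/* prevent double queue cleanup */` at err_read does not say which two cleanups collide, and the fix only holds while `blk_cleanup_queue(ace->queue)` stays on the fall-through path under err_alloc_disk. I would spell that out, e.g. `/* put_disk() releases gd->queue; detach it so blk_cleanup_queue() below is the only cleanup */`, so that a later reordering of the error labels does not bring back the access to a released queue described in the commit message. ace_setup() starts outside the hunk, so whether any other error path reaches put_disk() with the queue still attached cannot be checked from here.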