From: Sasha Levin Date: Thu, 13 Dec 2018 15:21:14 +0000 (-0500) Subject: patches for 4.4 X-Git-Tag: v4.19.10~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=864696a1735ef23f2f24a4aba909545cf25324ca;p=thirdparty%2Fkernel%2Fstable-queue.git patches for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch b/queue-4.4/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch new file mode 100644 index 00000000000..7cebc700748 --- /dev/null +++ b/queue-4.4/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch @@ -0,0 +1,40 @@ +From e4fa6e5a41c0af43eefd48090b4711b1859e3a52 Mon Sep 17 00:00:00 2001 +From: Janusz Krzysztofik +Date: Wed, 7 Nov 2018 22:30:31 +0100 +Subject: ARM: OMAP1: ams-delta: Fix possible use of uninitialized field + +[ Upstream commit cec83ff1241ec98113a19385ea9e9cfa9aa4125b ] + +While playing with initialization order of modem device, it has been +discovered that under some circumstances (early console init, I +believe) its .pm() callback may be called before the +uart_port->private_data pointer is initialized from +plat_serial8250_port->private_data, resulting in NULL pointer +dereference. Fix it by checking for uninitialized pointer before using +it in modem_pm(). + +Fixes: aabf31737a6a ("ARM: OMAP1: ams-delta: update the modem to use regulator API") +Signed-off-by: Janusz Krzysztofik +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap1/board-ams-delta.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/mach-omap1/board-ams-delta.c b/arch/arm/mach-omap1/board-ams-delta.c +index a95499ea8706..fa1d41edce68 100644 +--- a/arch/arm/mach-omap1/board-ams-delta.c ++++ b/arch/arm/mach-omap1/board-ams-delta.c +@@ -511,6 +511,9 @@ static void modem_pm(struct uart_port *port, unsigned int state, unsigned old) + { + struct modem_private_data *priv = port->private_data; + ++ if (!priv) ++ return; ++ + if (IS_ERR(priv->regulator)) + return; + +-- +2.19.1 + diff --git a/queue-4.4/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch b/queue-4.4/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch new file mode 100644 index 00000000000..78992433e59 --- /dev/null +++ b/queue-4.4/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch @@ -0,0 +1,45 @@ +From ecee342ce2cce983d599f5b9f2000d45cfdde21e Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 17 Oct 2018 17:54:00 -0700 +Subject: ARM: OMAP2+: prm44xx: Fix section annotation on + omap44xx_prm_enable_io_wakeup + +[ Upstream commit eef3dc34a1e0b01d53328b88c25237bcc7323777 ] + +When building the kernel with Clang, the following section mismatch +warning appears: + +WARNING: vmlinux.o(.text+0x38b3c): Section mismatch in reference from +the function omap44xx_prm_late_init() to the function +.init.text:omap44xx_prm_enable_io_wakeup() +The function omap44xx_prm_late_init() references +the function __init omap44xx_prm_enable_io_wakeup(). +This is often because omap44xx_prm_late_init lacks a __init +annotation or the annotation of omap44xx_prm_enable_io_wakeup is wrong. + +Remove the __init annotation from omap44xx_prm_enable_io_wakeup so there +is no more mismatch. + +Signed-off-by: Nathan Chancellor +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/prm44xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mach-omap2/prm44xx.c b/arch/arm/mach-omap2/prm44xx.c +index 30768003f854..8c505284bc0c 100644 +--- a/arch/arm/mach-omap2/prm44xx.c ++++ b/arch/arm/mach-omap2/prm44xx.c +@@ -344,7 +344,7 @@ static void omap44xx_prm_reconfigure_io_chain(void) + * to occur, WAKEUPENABLE bits must be set in the pad mux registers, and + * omap44xx_prm_reconfigure_io_chain() must be called. No return value. + */ +-static void __init omap44xx_prm_enable_io_wakeup(void) ++static void omap44xx_prm_enable_io_wakeup(void) + { + s32 inst = omap4_prmst_get_prm_dev_inst(); + +-- +2.19.1 + diff --git a/queue-4.4/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch b/queue-4.4/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch new file mode 100644 index 00000000000..1c653013e82 --- /dev/null +++ b/queue-4.4/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch @@ -0,0 +1,57 @@ +From f9f0c18708f170f3abd249f42b13d3bd8b20fe31 Mon Sep 17 00:00:00 2001 +From: Tzung-Bi Shih +Date: Wed, 14 Nov 2018 17:06:13 +0800 +Subject: ASoC: dapm: Recalculate audio map forcely when card instantiated + +[ Upstream commit 882eab6c28d23a970ae73b7eb831b169a672d456 ] + +Audio map are possible in wrong state before card->instantiated has +been set to true. Imaging the following examples: + +time 1: at the beginning + + in:-1 in:-1 in:-1 in:-1 + out:-1 out:-1 out:-1 out:-1 + SIGGEN A B Spk + +time 2: after someone called snd_soc_dapm_new_widgets() +(e.g. create_fill_widget_route_map() in sound/soc/codecs/hdac_hdmi.c) + + in:1 in:0 in:0 in:0 + out:0 out:0 out:0 out:1 + SIGGEN A B Spk + +time 3: routes added + + in:1 in:0 in:0 in:0 + out:0 out:0 out:0 out:1 + SIGGEN -----> A -----> B ---> Spk + +In the end, the path should be powered on but it did not. At time 3, +"in" of SIGGEN and "out" of Spk did not propagate to their neighbors +because snd_soc_dapm_add_path() will not invalidate the paths if +the card has not instantiated (i.e. card->instantiated is false). +To correct the state of audio map, recalculate the whole map forcely. + +Signed-off-by: Tzung-Bi Shih +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index fa6b74a304a7..b927f9c81d92 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1711,6 +1711,7 @@ static int snd_soc_instantiate_card(struct snd_soc_card *card) + } + + card->instantiated = 1; ++ dapm_mark_endpoints_dirty(card); + snd_soc_dapm_sync(&card->dapm); + mutex_unlock(&card->mutex); + mutex_unlock(&client_mutex); +-- +2.19.1 + diff --git a/queue-4.4/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch b/queue-4.4/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch new file mode 100644 index 00000000000..85a5bd6cf9e --- /dev/null +++ b/queue-4.4/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch @@ -0,0 +1,63 @@ +From d28009013dd346c42659077889c456cce3eb077b Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Wed, 14 Nov 2018 13:06:23 +0200 +Subject: ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE + +[ Upstream commit ffdcc3638c58d55a6fa68b6e5dfd4fb4109652eb ] + +We need to block sleep states which would require longer time to leave than +the time the DMA must react to the DMA request in order to keep the FIFO +serviced without overrun. + +Signed-off-by: Peter Ujfalusi +Acked-by: Jarkko Nikula +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/omap/omap-dmic.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/sound/soc/omap/omap-dmic.c b/sound/soc/omap/omap-dmic.c +index 09db2aec12a3..776e809a8aab 100644 +--- a/sound/soc/omap/omap-dmic.c ++++ b/sound/soc/omap/omap-dmic.c +@@ -48,6 +48,8 @@ struct omap_dmic { + struct device *dev; + void __iomem *io_base; + struct clk *fclk; ++ struct pm_qos_request pm_qos_req; ++ int latency; + int fclk_freq; + int out_freq; + int clk_div; +@@ -124,6 +126,8 @@ static void omap_dmic_dai_shutdown(struct snd_pcm_substream *substream, + + mutex_lock(&dmic->mutex); + ++ pm_qos_remove_request(&dmic->pm_qos_req); ++ + if (!dai->active) + dmic->active = 0; + +@@ -226,6 +230,8 @@ static int omap_dmic_dai_hw_params(struct snd_pcm_substream *substream, + /* packet size is threshold * channels */ + dma_data = snd_soc_dai_get_dma_data(dai, substream); + dma_data->maxburst = dmic->threshold * channels; ++ dmic->latency = (OMAP_DMIC_THRES_MAX - dmic->threshold) * USEC_PER_SEC / ++ params_rate(params); + + return 0; + } +@@ -236,6 +242,9 @@ static int omap_dmic_dai_prepare(struct snd_pcm_substream *substream, + struct omap_dmic *dmic = snd_soc_dai_get_drvdata(dai); + u32 ctrl; + ++ if (pm_qos_request_active(&dmic->pm_qos_req)) ++ pm_qos_update_request(&dmic->pm_qos_req, dmic->latency); ++ + /* Configure uplink threshold */ + omap_dmic_write(dmic, OMAP_DMIC_FIFO_CTRL_REG, dmic->threshold); + +-- +2.19.1 + diff --git a/queue-4.4/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch b/queue-4.4/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch new file mode 100644 index 00000000000..56bb50ebba3 --- /dev/null +++ b/queue-4.4/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch @@ -0,0 +1,127 @@ +From 9ef43dc079650e914559bd5e3062914a4bcd0f6b Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Wed, 14 Nov 2018 13:06:22 +0200 +Subject: ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with + CPU_IDLE + +[ Upstream commit 373a500e34aea97971c9d71e45edad458d3da98f ] + +We need to block sleep states which would require longer time to leave than +the time the DMA must react to the DMA request in order to keep the FIFO +serviced without under of overrun. + +Signed-off-by: Peter Ujfalusi +Acked-by: Jarkko Nikula +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/omap/omap-mcpdm.c | 43 ++++++++++++++++++++++++++++++++++++- + 1 file changed, 42 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/omap/omap-mcpdm.c b/sound/soc/omap/omap-mcpdm.c +index 8d0d45d330e7..8eb2d12b6a34 100644 +--- a/sound/soc/omap/omap-mcpdm.c ++++ b/sound/soc/omap/omap-mcpdm.c +@@ -54,6 +54,8 @@ struct omap_mcpdm { + unsigned long phys_base; + void __iomem *io_base; + int irq; ++ struct pm_qos_request pm_qos_req; ++ int latency[2]; + + struct mutex mutex; + +@@ -273,6 +275,9 @@ static void omap_mcpdm_dai_shutdown(struct snd_pcm_substream *substream, + struct snd_soc_dai *dai) + { + struct omap_mcpdm *mcpdm = snd_soc_dai_get_drvdata(dai); ++ int tx = (substream->stream == SNDRV_PCM_STREAM_PLAYBACK); ++ int stream1 = tx ? SNDRV_PCM_STREAM_PLAYBACK : SNDRV_PCM_STREAM_CAPTURE; ++ int stream2 = tx ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK; + + mutex_lock(&mcpdm->mutex); + +@@ -285,6 +290,14 @@ static void omap_mcpdm_dai_shutdown(struct snd_pcm_substream *substream, + } + } + ++ if (mcpdm->latency[stream2]) ++ pm_qos_update_request(&mcpdm->pm_qos_req, ++ mcpdm->latency[stream2]); ++ else if (mcpdm->latency[stream1]) ++ pm_qos_remove_request(&mcpdm->pm_qos_req); ++ ++ mcpdm->latency[stream1] = 0; ++ + mutex_unlock(&mcpdm->mutex); + } + +@@ -296,7 +309,7 @@ static int omap_mcpdm_dai_hw_params(struct snd_pcm_substream *substream, + int stream = substream->stream; + struct snd_dmaengine_dai_dma_data *dma_data; + u32 threshold; +- int channels; ++ int channels, latency; + int link_mask = 0; + + channels = params_channels(params); +@@ -336,14 +349,25 @@ static int omap_mcpdm_dai_hw_params(struct snd_pcm_substream *substream, + + dma_data->maxburst = + (MCPDM_DN_THRES_MAX - threshold) * channels; ++ latency = threshold; + } else { + /* If playback is not running assume a stereo stream to come */ + if (!mcpdm->config[!stream].link_mask) + mcpdm->config[!stream].link_mask = (0x3 << 3); + + dma_data->maxburst = threshold * channels; ++ latency = (MCPDM_DN_THRES_MAX - threshold); + } + ++ /* ++ * The DMA must act to a DMA request within latency time (usec) to avoid ++ * under/overflow ++ */ ++ mcpdm->latency[stream] = latency * USEC_PER_SEC / params_rate(params); ++ ++ if (!mcpdm->latency[stream]) ++ mcpdm->latency[stream] = 10; ++ + /* Check if we need to restart McPDM with this stream */ + if (mcpdm->config[stream].link_mask && + mcpdm->config[stream].link_mask != link_mask) +@@ -358,6 +382,20 @@ static int omap_mcpdm_prepare(struct snd_pcm_substream *substream, + struct snd_soc_dai *dai) + { + struct omap_mcpdm *mcpdm = snd_soc_dai_get_drvdata(dai); ++ struct pm_qos_request *pm_qos_req = &mcpdm->pm_qos_req; ++ int tx = (substream->stream == SNDRV_PCM_STREAM_PLAYBACK); ++ int stream1 = tx ? SNDRV_PCM_STREAM_PLAYBACK : SNDRV_PCM_STREAM_CAPTURE; ++ int stream2 = tx ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK; ++ int latency = mcpdm->latency[stream2]; ++ ++ /* Prevent omap hardware from hitting off between FIFO fills */ ++ if (!latency || mcpdm->latency[stream1] < latency) ++ latency = mcpdm->latency[stream1]; ++ ++ if (pm_qos_request_active(pm_qos_req)) ++ pm_qos_update_request(pm_qos_req, latency); ++ else if (latency) ++ pm_qos_add_request(pm_qos_req, PM_QOS_CPU_DMA_LATENCY, latency); + + if (!omap_mcpdm_active(mcpdm)) { + omap_mcpdm_start(mcpdm); +@@ -419,6 +457,9 @@ static int omap_mcpdm_remove(struct snd_soc_dai *dai) + free_irq(mcpdm->irq, (void *)mcpdm); + pm_runtime_disable(mcpdm->dev); + ++ if (pm_qos_request_active(&mcpdm->pm_qos_req)) ++ pm_qos_remove_request(&mcpdm->pm_qos_req); ++ + return 0; + } + +-- +2.19.1 + diff --git a/queue-4.4/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch b/queue-4.4/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch new file mode 100644 index 00000000000..450c0ed5e3d --- /dev/null +++ b/queue-4.4/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch @@ -0,0 +1,44 @@ +From c69d4d3f39f797e8226f00899cda57cbe556f546 Mon Sep 17 00:00:00 2001 +From: Martynas Pumputis +Date: Fri, 23 Nov 2018 17:43:26 +0100 +Subject: bpf: fix check of allowed specifiers in bpf_trace_printk + +[ Upstream commit 1efb6ee3edea57f57f9fb05dba8dcb3f7333f61f ] + +A format string consisting of "%p" or "%s" followed by an invalid +specifier (e.g. "%p%\n" or "%s%") could pass the check which +would make format_decode (lib/vsprintf.c) to warn. + +Fixes: 9c959c863f82 ("tracing: Allow BPF programs to call bpf_trace_printk()") +Reported-by: syzbot+1ec5c5ec949c4adaa0c4@syzkaller.appspotmail.com +Signed-off-by: Martynas Pumputis +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index 4228fd3682c3..3dd40c736067 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -119,11 +119,13 @@ static u64 bpf_trace_printk(u64 r1, u64 fmt_size, u64 r3, u64 r4, u64 r5) + i++; + } else if (fmt[i] == 'p' || fmt[i] == 's') { + mod[fmt_cnt]++; +- i++; +- if (!isspace(fmt[i]) && !ispunct(fmt[i]) && fmt[i] != 0) ++ /* disallow any further format extensions */ ++ if (fmt[i + 1] != 0 && ++ !isspace(fmt[i + 1]) && ++ !ispunct(fmt[i + 1])) + return -EINVAL; + fmt_cnt++; +- if (fmt[i - 1] == 's') { ++ if (fmt[i] == 's') { + if (str_seen) + /* allow only one '%s' per fmt string */ + return -EINVAL; +-- +2.19.1 + diff --git a/queue-4.4/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch b/queue-4.4/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch new file mode 100644 index 00000000000..b19d0089afc --- /dev/null +++ b/queue-4.4/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch @@ -0,0 +1,200 @@ +From 91415af935a524e9c037454d3f19e51d3818deb0 Mon Sep 17 00:00:00 2001 +From: Robbie Ko +Date: Wed, 14 Nov 2018 18:32:37 +0000 +Subject: Btrfs: send, fix infinite loop due to directory rename dependencies + +[ Upstream commit a4390aee72713d9e73f1132bcdeb17d72fbbf974 ] + +When doing an incremental send, due to the need of delaying directory move +(rename) operations we can end up in infinite loop at +apply_children_dir_moves(). + +An example scenario that triggers this problem is described below, where +directory names correspond to the numbers of their respective inodes. + +Parent snapshot: + + . + |--- 261/ + |--- 271/ + |--- 266/ + |--- 259/ + |--- 260/ + | |--- 267 + | + |--- 264/ + | |--- 258/ + | |--- 257/ + | + |--- 265/ + |--- 268/ + |--- 269/ + | |--- 262/ + | + |--- 270/ + |--- 272/ + | |--- 263/ + | |--- 275/ + | + |--- 274/ + |--- 273/ + +Send snapshot: + + . + |-- 275/ + |-- 274/ + |-- 273/ + |-- 262/ + |-- 269/ + |-- 258/ + |-- 271/ + |-- 268/ + |-- 267/ + |-- 270/ + |-- 259/ + | |-- 265/ + | + |-- 272/ + |-- 257/ + |-- 260/ + |-- 264/ + |-- 263/ + |-- 261/ + |-- 266/ + +When processing inode 257 we delay its move (rename) operation because its +new parent in the send snapshot, inode 272, was not yet processed. Then +when processing inode 272, we delay the move operation for that inode +because inode 274 is its ancestor in the send snapshot. Finally we delay +the move operation for inode 274 when processing it because inode 275 is +its new parent in the send snapshot and was not yet moved. + +When finishing processing inode 275, we start to do the move operations +that were previously delayed (at apply_children_dir_moves()), resulting in +the following iterations: + +1) We issue the move operation for inode 274; + +2) Because inode 262 depended on the move operation of inode 274 (it was + delayed because 274 is its ancestor in the send snapshot), we issue the + move operation for inode 262; + +3) We issue the move operation for inode 272, because it was delayed by + inode 274 too (ancestor of 272 in the send snapshot); + +4) We issue the move operation for inode 269 (it was delayed by 262); + +5) We issue the move operation for inode 257 (it was delayed by 272); + +6) We issue the move operation for inode 260 (it was delayed by 272); + +7) We issue the move operation for inode 258 (it was delayed by 269); + +8) We issue the move operation for inode 264 (it was delayed by 257); + +9) We issue the move operation for inode 271 (it was delayed by 258); + +10) We issue the move operation for inode 263 (it was delayed by 264); + +11) We issue the move operation for inode 268 (it was delayed by 271); + +12) We verify if we can issue the move operation for inode 270 (it was + delayed by 271). We detect a path loop in the current state, because + inode 267 needs to be moved first before we can issue the move + operation for inode 270. So we delay again the move operation for + inode 270, this time we will attempt to do it after inode 267 is + moved; + +13) We issue the move operation for inode 261 (it was delayed by 263); + +14) We verify if we can issue the move operation for inode 266 (it was + delayed by 263). We detect a path loop in the current state, because + inode 270 needs to be moved first before we can issue the move + operation for inode 266. So we delay again the move operation for + inode 266, this time we will attempt to do it after inode 270 is + moved (its move operation was delayed in step 12); + +15) We issue the move operation for inode 267 (it was delayed by 268); + +16) We verify if we can issue the move operation for inode 266 (it was + delayed by 270). We detect a path loop in the current state, because + inode 270 needs to be moved first before we can issue the move + operation for inode 266. So we delay again the move operation for + inode 266, this time we will attempt to do it after inode 270 is + moved (its move operation was delayed in step 12). So here we added + again the same delayed move operation that we added in step 14; + +17) We attempt again to see if we can issue the move operation for inode + 266, and as in step 16, we realize we can not due to a path loop in + the current state due to a dependency on inode 270. Again we delay + inode's 266 rename to happen after inode's 270 move operation, adding + the same dependency to the empty stack that we did in steps 14 and 16. + The next iteration will pick the same move dependency on the stack + (the only entry) and realize again there is still a path loop and then + again the same dependency to the stack, over and over, resulting in + an infinite loop. + +So fix this by preventing adding the same move dependency entries to the +stack by removing each pending move record from the red black tree of +pending moves. This way the next call to get_pending_dir_moves() will +not return anything for the current parent inode. + +A test case for fstests, with this reproducer, follows soon. + +Signed-off-by: Robbie Ko +Reviewed-by: Filipe Manana +[Wrote changelog with example and more clear explanation] +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/send.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index 83c73738165e..40d1ab957fb6 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -3232,7 +3232,8 @@ static void free_pending_move(struct send_ctx *sctx, struct pending_dir_move *m) + kfree(m); + } + +-static void tail_append_pending_moves(struct pending_dir_move *moves, ++static void tail_append_pending_moves(struct send_ctx *sctx, ++ struct pending_dir_move *moves, + struct list_head *stack) + { + if (list_empty(&moves->list)) { +@@ -3243,6 +3244,10 @@ static void tail_append_pending_moves(struct pending_dir_move *moves, + list_add_tail(&moves->list, stack); + list_splice_tail(&list, stack); + } ++ if (!RB_EMPTY_NODE(&moves->node)) { ++ rb_erase(&moves->node, &sctx->pending_dir_moves); ++ RB_CLEAR_NODE(&moves->node); ++ } + } + + static int apply_children_dir_moves(struct send_ctx *sctx) +@@ -3257,7 +3262,7 @@ static int apply_children_dir_moves(struct send_ctx *sctx) + return 0; + + INIT_LIST_HEAD(&stack); +- tail_append_pending_moves(pm, &stack); ++ tail_append_pending_moves(sctx, pm, &stack); + + while (!list_empty(&stack)) { + pm = list_first_entry(&stack, struct pending_dir_move, list); +@@ -3268,7 +3273,7 @@ static int apply_children_dir_moves(struct send_ctx *sctx) + goto out; + pm = get_pending_dir_moves(sctx, parent_ino); + if (pm) +- tail_append_pending_moves(pm, &stack); ++ tail_append_pending_moves(sctx, pm, &stack); + } + return 0; + +-- +2.19.1 + diff --git a/queue-4.4/debugobjects-avoid-recursive-calls-with-kmemleak.patch b/queue-4.4/debugobjects-avoid-recursive-calls-with-kmemleak.patch new file mode 100644 index 00000000000..7671c6b6ec6 --- /dev/null +++ b/queue-4.4/debugobjects-avoid-recursive-calls-with-kmemleak.patch @@ -0,0 +1,58 @@ +From c26f016a6ceaf1b243916f8aea181f5bb84c0ac9 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Fri, 30 Nov 2018 14:09:48 -0800 +Subject: debugobjects: avoid recursive calls with kmemleak + +[ Upstream commit 8de456cf87ba863e028c4dd01bae44255ce3d835 ] + +CONFIG_DEBUG_OBJECTS_RCU_HEAD does not play well with kmemleak due to +recursive calls. + +fill_pool + kmemleak_ignore + make_black_object + put_object + __call_rcu (kernel/rcu/tree.c) + debug_rcu_head_queue + debug_object_activate + debug_object_init + fill_pool + kmemleak_ignore + make_black_object + ... + +So add SLAB_NOLEAKTRACE to kmem_cache_create() to not register newly +allocated debug objects at all. + +Link: http://lkml.kernel.org/r/20181126165343.2339-1-cai@gmx.us +Signed-off-by: Qian Cai +Suggested-by: Catalin Marinas +Acked-by: Waiman Long +Acked-by: Catalin Marinas +Cc: Thomas Gleixner +Cc: Yang Shi +Cc: Arnd Bergmann +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/debugobjects.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/debugobjects.c b/lib/debugobjects.c +index a26328ec39f1..bb37541cd441 100644 +--- a/lib/debugobjects.c ++++ b/lib/debugobjects.c +@@ -1088,7 +1088,8 @@ void __init debug_objects_mem_init(void) + + obj_cache = kmem_cache_create("debug_objects_cache", + sizeof (struct debug_obj), 0, +- SLAB_DEBUG_OBJECTS, NULL); ++ SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE, ++ NULL); + + if (!obj_cache || debug_objects_replace_static_objects()) { + debug_objects_enabled = 0; +-- +2.19.1 + diff --git a/queue-4.4/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch b/queue-4.4/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch new file mode 100644 index 00000000000..7bda831363c --- /dev/null +++ b/queue-4.4/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch @@ -0,0 +1,94 @@ +From f2c48efa5b423d8a8b7c0893e4e876415e4a923c Mon Sep 17 00:00:00 2001 +From: "Y.C. Chen" +Date: Thu, 22 Nov 2018 11:56:28 +0800 +Subject: drm/ast: fixed reading monitor EDID not stable issue + +[ Upstream commit 300625620314194d9e6d4f6dda71f2dc9cf62d9f ] + +v1: over-sample data to increase the stability with some specific monitors +v2: refine to avoid infinite loop +v3: remove un-necessary "volatile" declaration + +[airlied: fix two checkpatch warnings] + +Signed-off-by: Y.C. Chen +Signed-off-by: Dave Airlie +Link: https://patchwork.freedesktop.org/patch/msgid/1542858988-1127-1-git-send-email-yc_chen@aspeedtech.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/ast/ast_mode.c | 36 ++++++++++++++++++++++++++++------ + 1 file changed, 30 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/ast/ast_mode.c b/drivers/gpu/drm/ast/ast_mode.c +index 21085f669e21..b19ba1792607 100644 +--- a/drivers/gpu/drm/ast/ast_mode.c ++++ b/drivers/gpu/drm/ast/ast_mode.c +@@ -968,9 +968,21 @@ static int get_clock(void *i2c_priv) + { + struct ast_i2c_chan *i2c = i2c_priv; + struct ast_private *ast = i2c->dev->dev_private; +- uint32_t val; ++ uint32_t val, val2, count, pass; ++ ++ count = 0; ++ pass = 0; ++ val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01; ++ do { ++ val2 = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01; ++ if (val == val2) { ++ pass++; ++ } else { ++ pass = 0; ++ val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01; ++ } ++ } while ((pass < 5) && (count++ < 0x10000)); + +- val = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4; + return val & 1 ? 1 : 0; + } + +@@ -978,9 +990,21 @@ static int get_data(void *i2c_priv) + { + struct ast_i2c_chan *i2c = i2c_priv; + struct ast_private *ast = i2c->dev->dev_private; +- uint32_t val; ++ uint32_t val, val2, count, pass; ++ ++ count = 0; ++ pass = 0; ++ val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01; ++ do { ++ val2 = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01; ++ if (val == val2) { ++ pass++; ++ } else { ++ pass = 0; ++ val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01; ++ } ++ } while ((pass < 5) && (count++ < 0x10000)); + +- val = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5; + return val & 1 ? 1 : 0; + } + +@@ -993,7 +1017,7 @@ static void set_clock(void *i2c_priv, int clock) + + for (i = 0; i < 0x10000; i++) { + ujcrb7 = ((clock & 0x01) ? 0 : 1); +- ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xfe, ujcrb7); ++ ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xf4, ujcrb7); + jtemp = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x01); + if (ujcrb7 == jtemp) + break; +@@ -1009,7 +1033,7 @@ static void set_data(void *i2c_priv, int data) + + for (i = 0; i < 0x10000; i++) { + ujcrb7 = ((data & 0x01) ? 0 : 1) << 2; +- ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xfb, ujcrb7); ++ ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xf1, ujcrb7); + jtemp = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x04); + if (ujcrb7 == jtemp) + break; +-- +2.19.1 + diff --git a/queue-4.4/exportfs-do-not-read-dentry-after-free.patch b/queue-4.4/exportfs-do-not-read-dentry-after-free.patch new file mode 100644 index 00000000000..8e371acf6c6 --- /dev/null +++ b/queue-4.4/exportfs-do-not-read-dentry-after-free.patch @@ -0,0 +1,40 @@ +From 6f2997503638d0bd6bc931ec1864914df584eac5 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Fri, 23 Nov 2018 15:56:33 +0800 +Subject: exportfs: do not read dentry after free + +[ Upstream commit 2084ac6c505a58f7efdec13eba633c6aaa085ca5 ] + +The function dentry_connected calls dput(dentry) to drop the previously +acquired reference to dentry. In this case, dentry can be released. +After that, IS_ROOT(dentry) checks the condition +(dentry == dentry->d_parent), which may result in a use-after-free bug. +This patch directly compares dentry with its parent obtained before +dropping the reference. + +Fixes: a056cc8934c("exportfs: stop retrying once we race with +rename/remove") + +Signed-off-by: Pan Bian +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/exportfs/expfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/exportfs/expfs.c b/fs/exportfs/expfs.c +index 714cd37a6ba3..6599c6124552 100644 +--- a/fs/exportfs/expfs.c ++++ b/fs/exportfs/expfs.c +@@ -76,7 +76,7 @@ static bool dentry_connected(struct dentry *dentry) + struct dentry *parent = dget_parent(dentry); + + dput(dentry); +- if (IS_ROOT(dentry)) { ++ if (dentry == parent) { + dput(parent); + return false; + } +-- +2.19.1 + diff --git a/queue-4.4/fscache-cachefiles-remove-redundant-variable-cache.patch b/queue-4.4/fscache-cachefiles-remove-redundant-variable-cache.patch new file mode 100644 index 00000000000..efb65c31bdf --- /dev/null +++ b/queue-4.4/fscache-cachefiles-remove-redundant-variable-cache.patch @@ -0,0 +1,39 @@ +From 0cabc275451918e8c6973c311fa4b9f7ce0fc3c7 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Tue, 17 Jul 2018 09:53:42 +0100 +Subject: fscache, cachefiles: remove redundant variable 'cache' + +[ Upstream commit 31ffa563833576bd49a8bf53120568312755e6e2 ] + +Variable 'cache' is being assigned but is never used hence it is +redundant and can be removed. + +Cleans up clang warning: +warning: variable 'cache' set but not used [-Wunused-but-set-variable] + +Signed-off-by: Colin Ian King +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/cachefiles/rdwr.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/fs/cachefiles/rdwr.c b/fs/cachefiles/rdwr.c +index 5b68cf526887..c05ab2ec0fef 100644 +--- a/fs/cachefiles/rdwr.c ++++ b/fs/cachefiles/rdwr.c +@@ -963,11 +963,8 @@ int cachefiles_write_page(struct fscache_storage *op, struct page *page) + void cachefiles_uncache_page(struct fscache_object *_object, struct page *page) + { + struct cachefiles_object *object; +- struct cachefiles_cache *cache; + + object = container_of(_object, struct cachefiles_object, fscache); +- cache = container_of(object->fscache.cache, +- struct cachefiles_cache, cache); + + _enter("%p,{%lu}", object, page->index); + +-- +2.19.1 + diff --git a/queue-4.4/fscache-fix-race-between-enablement-and-dropping-of-.patch b/queue-4.4/fscache-fix-race-between-enablement-and-dropping-of-.patch new file mode 100644 index 00000000000..4e1266f7c17 --- /dev/null +++ b/queue-4.4/fscache-fix-race-between-enablement-and-dropping-of-.patch @@ -0,0 +1,74 @@ +From 30c89f98c57f0e5903526628b1cf637dc98b3dc6 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Fri, 26 Oct 2018 17:16:29 +1100 +Subject: fscache: fix race between enablement and dropping of object + +[ Upstream commit c5a94f434c82529afda290df3235e4d85873c5b4 ] + +It was observed that a process blocked indefintely in +__fscache_read_or_alloc_page(), waiting for FSCACHE_COOKIE_LOOKING_UP +to be cleared via fscache_wait_for_deferred_lookup(). + +At this time, ->backing_objects was empty, which would normaly prevent +__fscache_read_or_alloc_page() from getting to the point of waiting. +This implies that ->backing_objects was cleared *after* +__fscache_read_or_alloc_page was was entered. + +When an object is "killed" and then "dropped", +FSCACHE_COOKIE_LOOKING_UP is cleared in fscache_lookup_failure(), then +KILL_OBJECT and DROP_OBJECT are "called" and only in DROP_OBJECT is +->backing_objects cleared. This leaves a window where +something else can set FSCACHE_COOKIE_LOOKING_UP and +__fscache_read_or_alloc_page() can start waiting, before +->backing_objects is cleared + +There is some uncertainty in this analysis, but it seems to be fit the +observations. Adding the wake in this patch will be handled correctly +by __fscache_read_or_alloc_page(), as it checks if ->backing_objects +is empty again, after waiting. + +Customer which reported the hang, also report that the hang cannot be +reproduced with this fix. + +The backtrace for the blocked process looked like: + +PID: 29360 TASK: ffff881ff2ac0f80 CPU: 3 COMMAND: "zsh" + #0 [ffff881ff43efbf8] schedule at ffffffff815e56f1 + #1 [ffff881ff43efc58] bit_wait at ffffffff815e64ed + #2 [ffff881ff43efc68] __wait_on_bit at ffffffff815e61b8 + #3 [ffff881ff43efca0] out_of_line_wait_on_bit at ffffffff815e625e + #4 [ffff881ff43efd08] fscache_wait_for_deferred_lookup at ffffffffa04f2e8f [fscache] + #5 [ffff881ff43efd18] __fscache_read_or_alloc_page at ffffffffa04f2ffe [fscache] + #6 [ffff881ff43efd58] __nfs_readpage_from_fscache at ffffffffa0679668 [nfs] + #7 [ffff881ff43efd78] nfs_readpage at ffffffffa067092b [nfs] + #8 [ffff881ff43efda0] generic_file_read_iter at ffffffff81187a73 + #9 [ffff881ff43efe50] nfs_file_read at ffffffffa066544b [nfs] +#10 [ffff881ff43efe70] __vfs_read at ffffffff811fc756 +#11 [ffff881ff43efee8] vfs_read at ffffffff811fccfa +#12 [ffff881ff43eff18] sys_read at ffffffff811fda62 +#13 [ffff881ff43eff50] entry_SYSCALL_64_fastpath at ffffffff815e986e + +Signed-off-by: NeilBrown +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/fscache/object.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/fscache/object.c b/fs/fscache/object.c +index 7a182c87f378..ab1d7f35f6c2 100644 +--- a/fs/fscache/object.c ++++ b/fs/fscache/object.c +@@ -715,6 +715,9 @@ static const struct fscache_state *fscache_drop_object(struct fscache_object *ob + + if (awaken) + wake_up_bit(&cookie->flags, FSCACHE_COOKIE_INVALIDATING); ++ if (test_and_clear_bit(FSCACHE_COOKIE_LOOKING_UP, &cookie->flags)) ++ wake_up_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP); ++ + + /* Prevent a race with our last child, which has to signal EV_CLEARED + * before dropping our spinlock. +-- +2.19.1 + diff --git a/queue-4.4/hfs-do-not-free-node-before-using.patch b/queue-4.4/hfs-do-not-free-node-before-using.patch new file mode 100644 index 00000000000..d2d6c99adc9 --- /dev/null +++ b/queue-4.4/hfs-do-not-free-node-before-using.patch @@ -0,0 +1,49 @@ +From 263176aed240a43b0b451d3f29d5cca403e89347 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Fri, 30 Nov 2018 14:09:14 -0800 +Subject: hfs: do not free node before using + +[ Upstream commit ce96a407adef126870b3f4a1b73529dd8aa80f49 ] + +hfs_bmap_free() frees the node via hfs_bnode_put(node). However, it +then reads node->this when dumping error message on an error path, which +may result in a use-after-free bug. This patch frees the node only when +it is never again used. + +Link: http://lkml.kernel.org/r/1542963889-128825-1-git-send-email-bianpan2016@163.com +Fixes: a1185ffa2fc ("HFS rewrite") +Signed-off-by: Pan Bian +Reviewed-by: Andrew Morton +Cc: Joe Perches +Cc: Ernesto A. Fernandez +Cc: Viacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/hfs/btree.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c +index 1ab19e660e69..1ff5774a5382 100644 +--- a/fs/hfs/btree.c ++++ b/fs/hfs/btree.c +@@ -328,13 +328,14 @@ void hfs_bmap_free(struct hfs_bnode *node) + + nidx -= len * 8; + i = node->next; +- hfs_bnode_put(node); + if (!i) { + /* panic */; + pr_crit("unable to free bnode %u. bmap not found!\n", + node->this); ++ hfs_bnode_put(node); + return; + } ++ hfs_bnode_put(node); + node = hfs_bnode_find(tree, i); + if (IS_ERR(node)) + return; +-- +2.19.1 + diff --git a/queue-4.4/hfsplus-do-not-free-node-before-using.patch b/queue-4.4/hfsplus-do-not-free-node-before-using.patch new file mode 100644 index 00000000000..b215c13139f --- /dev/null +++ b/queue-4.4/hfsplus-do-not-free-node-before-using.patch @@ -0,0 +1,49 @@ +From 3001a170244a0917df3997f12b237f1ad4e19fe2 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Fri, 30 Nov 2018 14:09:18 -0800 +Subject: hfsplus: do not free node before using + +[ Upstream commit c7d7d620dcbd2a1c595092280ca943f2fced7bbd ] + +hfs_bmap_free() frees node via hfs_bnode_put(node). However it then +reads node->this when dumping error message on an error path, which may +result in a use-after-free bug. This patch frees node only when it is +never used. + +Link: http://lkml.kernel.org/r/1543053441-66942-1-git-send-email-bianpan2016@163.com +Signed-off-by: Pan Bian +Reviewed-by: Andrew Morton +Cc: Ernesto A. Fernandez +Cc: Joe Perches +Cc: Viacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/hfsplus/btree.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c +index 3345c7553edc..7adc8a327e03 100644 +--- a/fs/hfsplus/btree.c ++++ b/fs/hfsplus/btree.c +@@ -453,14 +453,15 @@ void hfs_bmap_free(struct hfs_bnode *node) + + nidx -= len * 8; + i = node->next; +- hfs_bnode_put(node); + if (!i) { + /* panic */; + pr_crit("unable to free bnode %u. " + "bmap not found!\n", + node->this); ++ hfs_bnode_put(node); + return; + } ++ hfs_bnode_put(node); + node = hfs_bnode_find(tree, i); + if (IS_ERR(node)) + return; +-- +2.19.1 + diff --git a/queue-4.4/hwmon-ina2xx-fix-current-value-calculation.patch b/queue-4.4/hwmon-ina2xx-fix-current-value-calculation.patch new file mode 100644 index 00000000000..27c3340c0e9 --- /dev/null +++ b/queue-4.4/hwmon-ina2xx-fix-current-value-calculation.patch @@ -0,0 +1,39 @@ +From cbe533d36802c1b916915706f77bc43c01273968 Mon Sep 17 00:00:00 2001 +From: Nicolin Chen +Date: Tue, 13 Nov 2018 19:48:54 -0800 +Subject: hwmon: (ina2xx) Fix current value calculation + +[ Upstream commit 38cd989ee38c16388cde89db5b734f9d55b905f9 ] + +The current register (04h) has a sign bit at MSB. The comments +for this calculation also mention that it's a signed register. + +However, the regval is unsigned type so result of calculation +turns out to be an incorrect value when current is negative. + +This patch simply fixes this by adding a casting to s16. + +Fixes: 5d389b125186c ("hwmon: (ina2xx) Make calibration register value fixed") +Signed-off-by: Nicolin Chen +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ina2xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/ina2xx.c b/drivers/hwmon/ina2xx.c +index 9ac6e1673375..1f291b344178 100644 +--- a/drivers/hwmon/ina2xx.c ++++ b/drivers/hwmon/ina2xx.c +@@ -273,7 +273,7 @@ static int ina2xx_get_value(struct ina2xx_data *data, u8 reg, + break; + case INA2XX_CURRENT: + /* signed register, result in mA */ +- val = regval * data->current_lsb_uA; ++ val = (s16)regval * data->current_lsb_uA; + val = DIV_ROUND_CLOSEST(val, 1000); + break; + case INA2XX_CALIBRATION: +-- +2.19.1 + diff --git a/queue-4.4/hwmon-w83795-temp4_type-has-writable-permission.patch b/queue-4.4/hwmon-w83795-temp4_type-has-writable-permission.patch new file mode 100644 index 00000000000..961e1dd8c43 --- /dev/null +++ b/queue-4.4/hwmon-w83795-temp4_type-has-writable-permission.patch @@ -0,0 +1,35 @@ +From 40293d6aacb97a431b586b1532e0932cd30cc7ca Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Thu, 15 Nov 2018 10:44:57 +0800 +Subject: hwmon: (w83795) temp4_type has writable permission + +[ Upstream commit 09aaf6813cfca4c18034fda7a43e68763f34abb1 ] + +Both datasheet and comments of store_temp_mode() tell us that temp1~4_type +is writable, so fix it. + +Signed-off-by: Yao Wang +Signed-off-by: Huacai Chen +Fixes: 39deb6993e7c (" hwmon: (w83795) Simplify temperature sensor type handling") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/w83795.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/w83795.c b/drivers/hwmon/w83795.c +index 49276bbdac3d..1bb80f992aa8 100644 +--- a/drivers/hwmon/w83795.c ++++ b/drivers/hwmon/w83795.c +@@ -1691,7 +1691,7 @@ store_sf_setup(struct device *dev, struct device_attribute *attr, + * somewhere else in the code + */ + #define SENSOR_ATTR_TEMP(index) { \ +- SENSOR_ATTR_2(temp##index##_type, S_IRUGO | (index < 4 ? S_IWUSR : 0), \ ++ SENSOR_ATTR_2(temp##index##_type, S_IRUGO | (index < 5 ? S_IWUSR : 0), \ + show_temp_mode, store_temp_mode, NOT_USED, index - 1), \ + SENSOR_ATTR_2(temp##index##_input, S_IRUGO, show_temp, \ + NULL, TEMP_READ, index - 1), \ +-- +2.19.1 + diff --git a/queue-4.4/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch b/queue-4.4/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch new file mode 100644 index 00000000000..2799c5cf5cd --- /dev/null +++ b/queue-4.4/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch @@ -0,0 +1,43 @@ +From 1ea829ed32d8b521a4fa96bdd705551850043a2c Mon Sep 17 00:00:00 2001 +From: Josh Elsasser +Date: Sat, 24 Nov 2018 12:57:33 -0800 +Subject: ixgbe: recognize 1000BaseLX SFP modules as 1Gbps +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit a8bf879af7b1999eba36303ce9cc60e0e7dd816c ] + +Add the two 1000BaseLX enum values to the X550's check for 1Gbps modules, +allowing the core driver code to establish a link over this SFP type. + +This is done by the out-of-tree driver but the fix wasn't in mainline. + +Fixes: e23f33367882 ("ixgbe: Fix 1G and 10G link stability for X550EM_x SFP+”) +Fixes: 6a14ee0cfb19 ("ixgbe: Add X550 support function pointers") +Signed-off-by: Josh Elsasser +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c +index ffd2e74e5638..dcd718ce13d5 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c +@@ -1429,7 +1429,9 @@ static s32 ixgbe_get_link_capabilities_X550em(struct ixgbe_hw *hw, + *autoneg = false; + + if (hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core0 || +- hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core1) { ++ hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core1 || ++ hw->phy.sfp_type == ixgbe_sfp_type_1g_lx_core0 || ++ hw->phy.sfp_type == ixgbe_sfp_type_1g_lx_core1) { + *speed = IXGBE_LINK_SPEED_1GB_FULL; + return 0; + } +-- +2.19.1 + diff --git a/queue-4.4/kvm-x86-fix-empty-body-warnings.patch b/queue-4.4/kvm-x86-fix-empty-body-warnings.patch new file mode 100644 index 00000000000..dba93c0621e --- /dev/null +++ b/queue-4.4/kvm-x86-fix-empty-body-warnings.patch @@ -0,0 +1,43 @@ +From ebf0a35cae4eaf968dc139158558498389c06635 Mon Sep 17 00:00:00 2001 +From: Yi Wang +Date: Thu, 8 Nov 2018 16:48:36 +0800 +Subject: KVM: x86: fix empty-body warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 354cb410d87314e2eda344feea84809e4261570a ] + +We get the following warnings about empty statements when building +with 'W=1': + +arch/x86/kvm/lapic.c:632:53: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +arch/x86/kvm/lapic.c:1907:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +arch/x86/kvm/lapic.c:1936:65: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +arch/x86/kvm/lapic.c:1975:44: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] + +Rework the debug helper macro to get rid of these warnings. + +Signed-off-by: Yi Wang +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/lapic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index a1afd80a68aa..3c70f6c76d3a 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -56,7 +56,7 @@ + #define APIC_BUS_CYCLE_NS 1 + + /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */ +-#define apic_debug(fmt, arg...) ++#define apic_debug(fmt, arg...) do {} while (0) + + #define APIC_LVT_NUM 6 + /* 14 is the version for Xeon and Pentium 8.4.8*/ +-- +2.19.1 + diff --git a/queue-4.4/net-hisilicon-remove-unexpected-free_netdev.patch b/queue-4.4/net-hisilicon-remove-unexpected-free_netdev.patch new file mode 100644 index 00000000000..5192eebfbc4 --- /dev/null +++ b/queue-4.4/net-hisilicon-remove-unexpected-free_netdev.patch @@ -0,0 +1,37 @@ +From af93e2e25570825050c71efa5d6c84f2444a7074 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Wed, 28 Nov 2018 15:30:24 +0800 +Subject: net: hisilicon: remove unexpected free_netdev + +[ Upstream commit c758940158bf29fe14e9d0f89d5848f227b48134 ] + +The net device ndev is freed via free_netdev when failing to register +the device. The control flow then jumps to the error handling code +block. ndev is used and freed again. Resulting in a use-after-free bug. + +Signed-off-by: Pan Bian +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hip04_eth.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c +index 253f8ed0537a..60c727b0b7ab 100644 +--- a/drivers/net/ethernet/hisilicon/hip04_eth.c ++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c +@@ -919,10 +919,8 @@ static int hip04_mac_probe(struct platform_device *pdev) + } + + ret = register_netdev(ndev); +- if (ret) { +- free_netdev(ndev); ++ if (ret) + goto alloc_fail; +- } + + return 0; + +-- +2.19.1 + diff --git a/queue-4.4/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch b/queue-4.4/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch new file mode 100644 index 00000000000..d9e65799218 --- /dev/null +++ b/queue-4.4/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch @@ -0,0 +1,82 @@ +From d00b5b9370f26ba05d4c3b1c5840aea363c1e519 Mon Sep 17 00:00:00 2001 +From: Lorenzo Bianconi +Date: Mon, 26 Nov 2018 15:07:16 +0100 +Subject: net: thunderx: fix NULL pointer dereference in nic_remove + +[ Upstream commit 24a6d2dd263bc910de018c78d1148b3e33b94512 ] + +Fix a possible NULL pointer dereference in nic_remove routine +removing the nicpf module if nic_probe fails. +The issue can be triggered with the following reproducer: + +$rmmod nicvf +$rmmod nicpf + +[ 521.412008] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000014 +[ 521.422777] Mem abort info: +[ 521.425561] ESR = 0x96000004 +[ 521.428624] Exception class = DABT (current EL), IL = 32 bits +[ 521.434535] SET = 0, FnV = 0 +[ 521.437579] EA = 0, S1PTW = 0 +[ 521.440730] Data abort info: +[ 521.443603] ISV = 0, ISS = 0x00000004 +[ 521.447431] CM = 0, WnR = 0 +[ 521.450417] user pgtable: 4k pages, 48-bit VAs, pgdp = 0000000072a3da42 +[ 521.457022] [0000000000000014] pgd=0000000000000000 +[ 521.461916] Internal error: Oops: 96000004 [#1] SMP +[ 521.511801] Hardware name: GIGABYTE H270-T70/MT70-HD0, BIOS T49 02/02/2018 +[ 521.518664] pstate: 80400005 (Nzcv daif +PAN -UAO) +[ 521.523451] pc : nic_remove+0x24/0x88 [nicpf] +[ 521.527808] lr : pci_device_remove+0x48/0xd8 +[ 521.532066] sp : ffff000013433cc0 +[ 521.535370] x29: ffff000013433cc0 x28: ffff810f6ac50000 +[ 521.540672] x27: 0000000000000000 x26: 0000000000000000 +[ 521.545974] x25: 0000000056000000 x24: 0000000000000015 +[ 521.551274] x23: ffff8007ff89a110 x22: ffff000001667070 +[ 521.556576] x21: ffff8007ffb170b0 x20: ffff8007ffb17000 +[ 521.561877] x19: 0000000000000000 x18: 0000000000000025 +[ 521.567178] x17: 0000000000000000 x16: 000000000000010ffc33ff98 x8 : 0000000000000000 +[ 521.593683] x7 : 0000000000000000 x6 : 0000000000000001 +[ 521.598983] x5 : 0000000000000002 x4 : 0000000000000003 +[ 521.604284] x3 : ffff8007ffb17184 x2 : ffff8007ffb17184 +[ 521.609585] x1 : ffff000001662118 x0 : ffff000008557be0 +[ 521.614887] Process rmmod (pid: 1897, stack limit = 0x00000000859535c3) +[ 521.621490] Call trace: +[ 521.623928] nic_remove+0x24/0x88 [nicpf] +[ 521.627927] pci_device_remove+0x48/0xd8 +[ 521.631847] device_release_driver_internal+0x1b0/0x248 +[ 521.637062] driver_detach+0x50/0xc0 +[ 521.640628] bus_remove_driver+0x60/0x100 +[ 521.644627] driver_unregister+0x34/0x60 +[ 521.648538] pci_unregister_driver+0x24/0xd8 +[ 521.652798] nic_cleanup_module+0x14/0x111c [nicpf] +[ 521.657672] __arm64_sys_delete_module+0x150/0x218 +[ 521.662460] el0_svc_handler+0x94/0x110 +[ 521.666287] el0_svc+0x8/0xc +[ 521.669160] Code: aa1e03e0 9102c295 d503201f f9404eb3 (b9401660) + +Fixes: 4863dea3fab0 ("net: Adding support for Cavium ThunderX network controller") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/nic_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/cavium/thunder/nic_main.c b/drivers/net/ethernet/cavium/thunder/nic_main.c +index 16baaafed26c..cbdeb54eab51 100644 +--- a/drivers/net/ethernet/cavium/thunder/nic_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nic_main.c +@@ -1090,6 +1090,9 @@ static void nic_remove(struct pci_dev *pdev) + { + struct nicpf *nic = pci_get_drvdata(pdev); + ++ if (!nic) ++ return; ++ + if (nic->flags & NIC_SRIOV_ENABLED) + pci_disable_sriov(pdev); + +-- +2.19.1 + diff --git a/queue-4.4/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch b/queue-4.4/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch new file mode 100644 index 00000000000..149b414c6a2 --- /dev/null +++ b/queue-4.4/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch @@ -0,0 +1,147 @@ +From c40355cfb8a42abf868005ec8dd01e6e81ca2778 Mon Sep 17 00:00:00 2001 +From: Larry Chen +Date: Fri, 30 Nov 2018 14:08:56 -0800 +Subject: ocfs2: fix deadlock caused by ocfs2_defrag_extent() + +[ Upstream commit e21e57445a64598b29a6f629688f9b9a39e7242a ] + +ocfs2_defrag_extent may fall into deadlock. + +ocfs2_ioctl_move_extents + ocfs2_ioctl_move_extents + ocfs2_move_extents + ocfs2_defrag_extent + ocfs2_lock_allocators_move_extents + + ocfs2_reserve_clusters + inode_lock GLOBAL_BITMAP_SYSTEM_INODE + + __ocfs2_flush_truncate_log + inode_lock GLOBAL_BITMAP_SYSTEM_INODE + +As backtrace shows above, ocfs2_reserve_clusters() will call inode_lock +against the global bitmap if local allocator has not sufficient cluters. +Once global bitmap could meet the demand, ocfs2_reserve_cluster will +return success with global bitmap locked. + +After ocfs2_reserve_cluster(), if truncate log is full, +__ocfs2_flush_truncate_log() will definitely fall into deadlock because +it needs to inode_lock global bitmap, which has already been locked. + +To fix this bug, we could remove from +ocfs2_lock_allocators_move_extents() the code which intends to lock +global allocator, and put the removed code after +__ocfs2_flush_truncate_log(). + +ocfs2_lock_allocators_move_extents() is referred by 2 places, one is +here, the other does not need the data allocator context, which means +this patch does not affect the caller so far. + +Link: http://lkml.kernel.org/r/20181101071422.14470-1-lchen@suse.com +Signed-off-by: Larry Chen +Reviewed-by: Changwei Ge +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/move_extents.c | 47 +++++++++++++++++++++++------------------ + 1 file changed, 26 insertions(+), 21 deletions(-) + +diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c +index 124471d26a73..c1a83c58456e 100644 +--- a/fs/ocfs2/move_extents.c ++++ b/fs/ocfs2/move_extents.c +@@ -156,18 +156,14 @@ static int __ocfs2_move_extent(handle_t *handle, + } + + /* +- * lock allocators, and reserving appropriate number of bits for +- * meta blocks and data clusters. +- * +- * in some cases, we don't need to reserve clusters, just let data_ac +- * be NULL. ++ * lock allocator, and reserve appropriate number of bits for ++ * meta blocks. + */ +-static int ocfs2_lock_allocators_move_extents(struct inode *inode, ++static int ocfs2_lock_meta_allocator_move_extents(struct inode *inode, + struct ocfs2_extent_tree *et, + u32 clusters_to_move, + u32 extents_to_split, + struct ocfs2_alloc_context **meta_ac, +- struct ocfs2_alloc_context **data_ac, + int extra_blocks, + int *credits) + { +@@ -192,13 +188,6 @@ static int ocfs2_lock_allocators_move_extents(struct inode *inode, + goto out; + } + +- if (data_ac) { +- ret = ocfs2_reserve_clusters(osb, clusters_to_move, data_ac); +- if (ret) { +- mlog_errno(ret); +- goto out; +- } +- } + + *credits += ocfs2_calc_extend_credits(osb->sb, et->et_root_el); + +@@ -260,10 +249,10 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context, + } + } + +- ret = ocfs2_lock_allocators_move_extents(inode, &context->et, *len, 1, +- &context->meta_ac, +- &context->data_ac, +- extra_blocks, &credits); ++ ret = ocfs2_lock_meta_allocator_move_extents(inode, &context->et, ++ *len, 1, ++ &context->meta_ac, ++ extra_blocks, &credits); + if (ret) { + mlog_errno(ret); + goto out; +@@ -286,6 +275,21 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context, + } + } + ++ /* ++ * Make sure ocfs2_reserve_cluster is called after ++ * __ocfs2_flush_truncate_log, otherwise, dead lock may happen. ++ * ++ * If ocfs2_reserve_cluster is called ++ * before __ocfs2_flush_truncate_log, dead lock on global bitmap ++ * may happen. ++ * ++ */ ++ ret = ocfs2_reserve_clusters(osb, *len, &context->data_ac); ++ if (ret) { ++ mlog_errno(ret); ++ goto out_unlock_mutex; ++ } ++ + handle = ocfs2_start_trans(osb, credits); + if (IS_ERR(handle)) { + ret = PTR_ERR(handle); +@@ -606,9 +610,10 @@ static int ocfs2_move_extent(struct ocfs2_move_extents_context *context, + } + } + +- ret = ocfs2_lock_allocators_move_extents(inode, &context->et, len, 1, +- &context->meta_ac, +- NULL, extra_blocks, &credits); ++ ret = ocfs2_lock_meta_allocator_move_extents(inode, &context->et, ++ len, 1, ++ &context->meta_ac, ++ extra_blocks, &credits); + if (ret) { + mlog_errno(ret); + goto out; +-- +2.19.1 + diff --git a/queue-4.4/ocfs2-fix-potential-use-after-free.patch b/queue-4.4/ocfs2-fix-potential-use-after-free.patch new file mode 100644 index 00000000000..868fec05654 --- /dev/null +++ b/queue-4.4/ocfs2-fix-potential-use-after-free.patch @@ -0,0 +1,47 @@ +From e5dce6e167bb7a58e6a7d774ddba03a95d09bf74 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Fri, 30 Nov 2018 14:10:54 -0800 +Subject: ocfs2: fix potential use after free + +[ Upstream commit 164f7e586739d07eb56af6f6d66acebb11f315c8 ] + +ocfs2_get_dentry() calls iput(inode) to drop the reference count of +inode, and if the reference count hits 0, inode is freed. However, in +this function, it then reads inode->i_generation, which may result in a +use after free bug. Move the put operation later. + +Link: http://lkml.kernel.org/r/1543109237-110227-1-git-send-email-bianpan2016@163.com +Fixes: 781f200cb7a("ocfs2: Remove masklog ML_EXPORT.") +Signed-off-by: Pan Bian +Reviewed-by: Andrew Morton +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Cc: Changwei Ge +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/export.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ocfs2/export.c b/fs/ocfs2/export.c +index 827fc9809bc2..3494e220b510 100644 +--- a/fs/ocfs2/export.c ++++ b/fs/ocfs2/export.c +@@ -125,10 +125,10 @@ static struct dentry *ocfs2_get_dentry(struct super_block *sb, + + check_gen: + if (handle->ih_generation != inode->i_generation) { +- iput(inode); + trace_ocfs2_get_dentry_generation((unsigned long long)blkno, + handle->ih_generation, + inode->i_generation); ++ iput(inode); + result = ERR_PTR(-ESTALE); + goto bail; + } +-- +2.19.1 + diff --git a/queue-4.4/pstore-convert-console-write-to-use-write_buf.patch b/queue-4.4/pstore-convert-console-write-to-use-write_buf.patch new file mode 100644 index 00000000000..abd8f1dfad3 --- /dev/null +++ b/queue-4.4/pstore-convert-console-write-to-use-write_buf.patch @@ -0,0 +1,42 @@ +From d7e5287def715bd3feee26a7a9cab7578ae79414 Mon Sep 17 00:00:00 2001 +From: Namhyung Kim +Date: Wed, 19 Oct 2016 10:23:41 +0900 +Subject: pstore: Convert console write to use ->write_buf + +[ Upstream commit 70ad35db3321a6d129245979de4ac9d06eed897c ] + +Maybe I'm missing something, but I don't know why it needs to copy the +input buffer to psinfo->buf and then write. Instead we can write the +input buffer directly. The only implementation that supports console +message (i.e. ramoops) already does it for ftrace messages. + +For the upcoming virtio backend driver, it needs to protect psinfo->buf +overwritten from console messages. If it could use ->write_buf method +instead of ->write, the problem will be solved easily. + +Cc: Stefan Hajnoczi +Signed-off-by: Namhyung Kim +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + fs/pstore/platform.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/pstore/platform.c b/fs/pstore/platform.c +index 588461bb2dd4..e97e7d74e134 100644 +--- a/fs/pstore/platform.c ++++ b/fs/pstore/platform.c +@@ -392,8 +392,8 @@ static void pstore_console_write(struct console *con, const char *s, unsigned c) + } else { + spin_lock_irqsave(&psinfo->buf_lock, flags); + } +- memcpy(psinfo->buf, s, c); +- psinfo->write(PSTORE_TYPE_CONSOLE, 0, &id, 0, 0, 0, c, psinfo); ++ psinfo->write_buf(PSTORE_TYPE_CONSOLE, 0, &id, 0, ++ s, 0, c, psinfo); + spin_unlock_irqrestore(&psinfo->buf_lock, flags); + s += c; + c = e - s; +-- +2.19.1 + diff --git a/queue-4.4/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch b/queue-4.4/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch new file mode 100644 index 00000000000..3786230415a --- /dev/null +++ b/queue-4.4/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch @@ -0,0 +1,113 @@ +From 9151ad4e4477ed56e470b6ae0328ae17e9feb81d Mon Sep 17 00:00:00 2001 +From: Thomas Richter +Date: Tue, 13 Nov 2018 15:38:22 +0000 +Subject: s390/cpum_cf: Reject request for sampling in event initialization + +[ Upstream commit 613a41b0d16e617f46776a93b975a1eeea96417c ] + +On s390 command perf top fails +[root@s35lp76 perf] # ./perf top -F100000 --stdio + Error: + cycles: PMU Hardware doesn't support sampling/overflow-interrupts. + Try 'perf stat' +[root@s35lp76 perf] # + +Using event -e rb0000 works as designed. Event rb0000 is the event +number of the sampling facility for basic sampling. + +During system start up the following PMUs are installed in the kernel's +PMU list (from head to tail): + cpum_cf --> s390 PMU counter facility device driver + cpum_sf --> s390 PMU sampling facility device driver + uprobe + kprobe + tracepoint + task_clock + cpu_clock + +Perf top executes following functions and calls perf_event_open(2) system +call with different parameters many times: + +cmd_top +--> __cmd_top + --> perf_evlist__add_default + --> __perf_evlist__add_default + --> perf_evlist__new_cycles (creates event type:0 (HW) + config 0 (CPU_CYCLES) + --> perf_event_attr__set_max_precise_ip + Uses perf_event_open(2) to detect correct + precise_ip level. Fails 3 times on s390 which is ok. + +Then functions cmd_top +--> __cmd_top + --> perf_top__start_counters + -->perf_evlist__config + --> perf_can_comm_exec + --> perf_probe_api + This functions test support for the following events: + "cycles:u", "instructions:u", "cpu-clock:u" using + --> perf_do_probe_api + --> perf_event_open_cloexec + Test the close on exec flag support with + perf_event_open(2). + perf_do_probe_api returns true if the event is + supported. + The function returns true because event cpu-clock is + supported by the PMU cpu_clock. + This is achieved by many calls to perf_event_open(2). + +Function perf_top__start_counters now calls perf_evsel__open() for every +event, which is the default event cpu_cycles (config:0) and type HARDWARE +(type:0) which a predfined frequence of 4000. + +Given the above order of the PMU list, the PMU cpum_cf gets called first +and returns 0, which indicates support for this sampling. The event is +fully allocated in the function perf_event_open (file kernel/event/core.c +near line 10521 and the following check fails: + + event = perf_event_alloc(&attr, cpu, task, group_leader, NULL, + NULL, NULL, cgroup_fd); + if (IS_ERR(event)) { + err = PTR_ERR(event); + goto err_cred; + } + + if (is_sampling_event(event)) { + if (event->pmu->capabilities & PERF_PMU_CAP_NO_INTERRUPT) { + err = -EOPNOTSUPP; + goto err_alloc; + } + } + +The check for the interrupt capabilities fails and the system call +perf_event_open() returns -EOPNOTSUPP (-95). + +Add a check to return -ENODEV when sampling is requested in PMU cpum_cf. +This allows common kernel code in the perf_event_open() system call to +test the next PMU in above list. + +Fixes: 97b1198fece0 (" "s390, perf: Use common PMU interrupt disabled code") +Signed-off-by: Thomas Richter +Reviewed-by: Hendrik Brueckner +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/perf_cpum_cf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/s390/kernel/perf_cpum_cf.c b/arch/s390/kernel/perf_cpum_cf.c +index 929c147e07b4..1b69bfdf59f9 100644 +--- a/arch/s390/kernel/perf_cpum_cf.c ++++ b/arch/s390/kernel/perf_cpum_cf.c +@@ -344,6 +344,8 @@ static int __hw_perf_event_init(struct perf_event *event) + break; + + case PERF_TYPE_HARDWARE: ++ if (is_sampling_event(event)) /* No sampling support */ ++ return -ENOENT; + ev = attr->config; + /* Count user space (problem-state) only */ + if (!attr->exclude_user && attr->exclude_kernel) { +-- +2.19.1 + diff --git a/queue-4.4/series b/queue-4.4/series index 07136ed2632..66de3e3be48 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -7,3 +7,33 @@ tcp-fix-null-ref-in-tail-loss-probe.patch tun-forbid-iface-creation-with-rtnl-ops.patch neighbour-avoid-writing-before-skb-head-in-neigh_hh_output.patch ipv4-ipv6-netfilter-adjust-the-frag-mem-limit-when-truesize-changes.patch +arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch +arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch +sysv-return-err-instead-of-0-in-__sysv_write_inode.patch +s390-cpum_cf-reject-request-for-sampling-in-event-in.patch +hwmon-ina2xx-fix-current-value-calculation.patch +asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch +hwmon-w83795-temp4_type-has-writable-permission.patch +btrfs-send-fix-infinite-loop-due-to-directory-rename.patch +asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch +asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch +exportfs-do-not-read-dentry-after-free.patch +bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch +usb-omap_udc-use-devm_request_irq.patch +usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch +usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch +usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch +kvm-x86-fix-empty-body-warnings.patch +net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch +ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch +net-hisilicon-remove-unexpected-free_netdev.patch +drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch +xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch +fscache-fix-race-between-enablement-and-dropping-of-.patch +fscache-cachefiles-remove-redundant-variable-cache.patch +ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch +hfs-do-not-free-node-before-using.patch +hfsplus-do-not-free-node-before-using.patch +debugobjects-avoid-recursive-calls-with-kmemleak.patch +ocfs2-fix-potential-use-after-free.patch +pstore-convert-console-write-to-use-write_buf.patch diff --git a/queue-4.4/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch b/queue-4.4/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch new file mode 100644 index 00000000000..8e5bff3d13b --- /dev/null +++ b/queue-4.4/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch @@ -0,0 +1,39 @@ +From a4430a374af276ab1178ab88d01f4cc189facf90 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Sat, 10 Nov 2018 04:13:24 +0000 +Subject: sysv: return 'err' instead of 0 in __sysv_write_inode + +[ Upstream commit c4b7d1ba7d263b74bb72e9325262a67139605cde ] + +Fixes gcc '-Wunused-but-set-variable' warning: + +fs/sysv/inode.c: In function '__sysv_write_inode': +fs/sysv/inode.c:239:6: warning: + variable 'err' set but not used [-Wunused-but-set-variable] + +__sysv_write_inode should return 'err' instead of 0 + +Fixes: 05459ca81ac3 ("repair sysv_write_inode(), switch sysv to simple_fsync()") +Signed-off-by: YueHaibing +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/sysv/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/sysv/inode.c b/fs/sysv/inode.c +index 02fa1dcc5969..29f5b2e589a1 100644 +--- a/fs/sysv/inode.c ++++ b/fs/sysv/inode.c +@@ -275,7 +275,7 @@ static int __sysv_write_inode(struct inode *inode, int wait) + } + } + brelse(bh); +- return 0; ++ return err; + } + + int sysv_write_inode(struct inode *inode, struct writeback_control *wbc) +-- +2.19.1 + diff --git a/queue-4.4/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch b/queue-4.4/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch new file mode 100644 index 00000000000..ee36e19edc8 --- /dev/null +++ b/queue-4.4/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch @@ -0,0 +1,114 @@ +From 2c0f74e0797d24b07cad5ea131816c1a2cfeba1e Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sun, 25 Nov 2018 00:17:05 +0200 +Subject: USB: omap_udc: fix crashes on probe error and module removal + +[ Upstream commit 99f700366fcea1aa2fa3c49c99f371670c3c62f8 ] + +We currently crash if usb_add_gadget_udc_release() fails, since the +udc->done is not initialized until in the remove function. +Furthermore, on module removal the udc data is accessed although +the release function is already triggered by usb_del_gadget_udc() +early in the function. + +Fix by rewriting the release and remove functions, basically moving +all the cleanup into the release function, and doing the completion +only in the module removal case. + +The patch fixes omap_udc module probe with a failing gadged, and also +allows the removal of omap_udc. Tested by running "modprobe omap_udc; +modprobe -r omap_udc" in a loop. + +Signed-off-by: Aaro Koskinen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/omap_udc.c | 50 ++++++++++++------------------- + 1 file changed, 19 insertions(+), 31 deletions(-) + +diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c +index b25eac2dcaf8..da1030f69145 100644 +--- a/drivers/usb/gadget/udc/omap_udc.c ++++ b/drivers/usb/gadget/udc/omap_udc.c +@@ -2612,9 +2612,22 @@ omap_ep_setup(char *name, u8 addr, u8 type, + + static void omap_udc_release(struct device *dev) + { +- complete(udc->done); ++ pullup_disable(udc); ++ if (!IS_ERR_OR_NULL(udc->transceiver)) { ++ usb_put_phy(udc->transceiver); ++ udc->transceiver = NULL; ++ } ++ omap_writew(0, UDC_SYSCON1); ++ remove_proc_file(); ++ if (udc->dc_clk) { ++ if (udc->clk_requested) ++ omap_udc_enable_clock(0); ++ clk_put(udc->hhc_clk); ++ clk_put(udc->dc_clk); ++ } ++ if (udc->done) ++ complete(udc->done); + kfree(udc); +- udc = NULL; + } + + static int +@@ -2919,12 +2932,8 @@ static int omap_udc_probe(struct platform_device *pdev) + } + + create_proc_file(); +- status = usb_add_gadget_udc_release(&pdev->dev, &udc->gadget, +- omap_udc_release); +- if (!status) +- return 0; +- +- remove_proc_file(); ++ return usb_add_gadget_udc_release(&pdev->dev, &udc->gadget, ++ omap_udc_release); + + cleanup1: + kfree(udc); +@@ -2951,36 +2960,15 @@ static int omap_udc_remove(struct platform_device *pdev) + { + DECLARE_COMPLETION_ONSTACK(done); + +- if (!udc) +- return -ENODEV; +- +- usb_del_gadget_udc(&udc->gadget); +- if (udc->driver) +- return -EBUSY; +- + udc->done = &done; + +- pullup_disable(udc); +- if (!IS_ERR_OR_NULL(udc->transceiver)) { +- usb_put_phy(udc->transceiver); +- udc->transceiver = NULL; +- } +- omap_writew(0, UDC_SYSCON1); +- +- remove_proc_file(); ++ usb_del_gadget_udc(&udc->gadget); + +- if (udc->dc_clk) { +- if (udc->clk_requested) +- omap_udc_enable_clock(0); +- clk_put(udc->hhc_clk); +- clk_put(udc->dc_clk); +- } ++ wait_for_completion(&done); + + release_mem_region(pdev->resource[0].start, + pdev->resource[0].end - pdev->resource[0].start + 1); + +- wait_for_completion(&done); +- + return 0; + } + +-- +2.19.1 + diff --git a/queue-4.4/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch b/queue-4.4/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch new file mode 100644 index 00000000000..27d3753c003 --- /dev/null +++ b/queue-4.4/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch @@ -0,0 +1,41 @@ +From 61c3134a65b4dc77563f54d456ef0fbf03024968 Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sun, 25 Nov 2018 00:17:06 +0200 +Subject: USB: omap_udc: fix omap_udc_start() on 15xx machines + +[ Upstream commit 6ca6695f576b8453fe68865e84d25946d63b10ad ] + +On OMAP 15xx machines there are no transceivers, and omap_udc_start() +always fails as it forgot to adjust the default return value. + +Signed-off-by: Aaro Koskinen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/omap_udc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c +index da1030f69145..653963459d78 100644 +--- a/drivers/usb/gadget/udc/omap_udc.c ++++ b/drivers/usb/gadget/udc/omap_udc.c +@@ -2045,7 +2045,7 @@ static inline int machine_without_vbus_sense(void) + static int omap_udc_start(struct usb_gadget *g, + struct usb_gadget_driver *driver) + { +- int status = -ENODEV; ++ int status; + struct omap_ep *ep; + unsigned long flags; + +@@ -2083,6 +2083,7 @@ static int omap_udc_start(struct usb_gadget *g, + goto done; + } + } else { ++ status = 0; + if (can_pullup(udc)) + pullup_enable(udc); + else +-- +2.19.1 + diff --git a/queue-4.4/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch b/queue-4.4/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch new file mode 100644 index 00000000000..b4c3cc586ed --- /dev/null +++ b/queue-4.4/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch @@ -0,0 +1,32 @@ +From 8d62e7409f6fa2121fa182711dabfcc2d6eeb56c Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sun, 25 Nov 2018 00:17:07 +0200 +Subject: USB: omap_udc: fix USB gadget functionality on Palm Tungsten E + +[ Upstream commit 2c2322fbcab8102b8cadc09d66714700a2da42c2 ] + +On Palm TE nothing happens when you try to use gadget drivers and plug +the USB cable. Fix by adding the board to the vbus sense quirk list. + +Signed-off-by: Aaro Koskinen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/omap_udc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c +index 653963459d78..d1ed92acafa3 100644 +--- a/drivers/usb/gadget/udc/omap_udc.c ++++ b/drivers/usb/gadget/udc/omap_udc.c +@@ -2037,6 +2037,7 @@ static inline int machine_without_vbus_sense(void) + { + return machine_is_omap_innovator() + || machine_is_omap_osk() ++ || machine_is_omap_palmte() + || machine_is_sx1() + /* No known omap7xx boards with vbus sense */ + || cpu_is_omap7xx(); +-- +2.19.1 + diff --git a/queue-4.4/usb-omap_udc-use-devm_request_irq.patch b/queue-4.4/usb-omap_udc-use-devm_request_irq.patch new file mode 100644 index 00000000000..208663c4edf --- /dev/null +++ b/queue-4.4/usb-omap_udc-use-devm_request_irq.patch @@ -0,0 +1,102 @@ +From 14804a52123e9bcbe206599621b41b584b12c0ed Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sun, 25 Nov 2018 00:17:04 +0200 +Subject: USB: omap_udc: use devm_request_irq() + +[ Upstream commit 286afdde1640d8ea8916a0f05e811441fbbf4b9d ] + +The current code fails to release the third irq on the error path +(observed by reading the code), and we get also multiple WARNs with +failing gadget drivers due to duplicate IRQ releases. Fix by using +devm_request_irq(). + +Signed-off-by: Aaro Koskinen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/omap_udc.c | 37 +++++++++---------------------- + 1 file changed, 10 insertions(+), 27 deletions(-) + +diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c +index 9b7d39484ed3..b25eac2dcaf8 100644 +--- a/drivers/usb/gadget/udc/omap_udc.c ++++ b/drivers/usb/gadget/udc/omap_udc.c +@@ -2886,8 +2886,8 @@ static int omap_udc_probe(struct platform_device *pdev) + udc->clr_halt = UDC_RESET_EP; + + /* USB general purpose IRQ: ep0, state changes, dma, etc */ +- status = request_irq(pdev->resource[1].start, omap_udc_irq, +- 0, driver_name, udc); ++ status = devm_request_irq(&pdev->dev, pdev->resource[1].start, ++ omap_udc_irq, 0, driver_name, udc); + if (status != 0) { + ERR("can't get irq %d, err %d\n", + (int) pdev->resource[1].start, status); +@@ -2895,20 +2895,20 @@ static int omap_udc_probe(struct platform_device *pdev) + } + + /* USB "non-iso" IRQ (PIO for all but ep0) */ +- status = request_irq(pdev->resource[2].start, omap_udc_pio_irq, +- 0, "omap_udc pio", udc); ++ status = devm_request_irq(&pdev->dev, pdev->resource[2].start, ++ omap_udc_pio_irq, 0, "omap_udc pio", udc); + if (status != 0) { + ERR("can't get irq %d, err %d\n", + (int) pdev->resource[2].start, status); +- goto cleanup2; ++ goto cleanup1; + } + #ifdef USE_ISO +- status = request_irq(pdev->resource[3].start, omap_udc_iso_irq, +- 0, "omap_udc iso", udc); ++ status = devm_request_irq(&pdev->dev, pdev->resource[3].start, ++ omap_udc_iso_irq, 0, "omap_udc iso", udc); + if (status != 0) { + ERR("can't get irq %d, err %d\n", + (int) pdev->resource[3].start, status); +- goto cleanup3; ++ goto cleanup1; + } + #endif + if (cpu_is_omap16xx() || cpu_is_omap7xx()) { +@@ -2921,22 +2921,11 @@ static int omap_udc_probe(struct platform_device *pdev) + create_proc_file(); + status = usb_add_gadget_udc_release(&pdev->dev, &udc->gadget, + omap_udc_release); +- if (status) +- goto cleanup4; +- +- return 0; ++ if (!status) ++ return 0; + +-cleanup4: + remove_proc_file(); + +-#ifdef USE_ISO +-cleanup3: +- free_irq(pdev->resource[2].start, udc); +-#endif +- +-cleanup2: +- free_irq(pdev->resource[1].start, udc); +- + cleanup1: + kfree(udc); + udc = NULL; +@@ -2980,12 +2969,6 @@ static int omap_udc_remove(struct platform_device *pdev) + + remove_proc_file(); + +-#ifdef USE_ISO +- free_irq(pdev->resource[3].start, udc); +-#endif +- free_irq(pdev->resource[2].start, udc); +- free_irq(pdev->resource[1].start, udc); +- + if (udc->dc_clk) { + if (udc->clk_requested) + omap_udc_enable_clock(0); +-- +2.19.1 + diff --git a/queue-4.4/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch b/queue-4.4/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch new file mode 100644 index 00000000000..ac9ff20960b --- /dev/null +++ b/queue-4.4/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch @@ -0,0 +1,37 @@ +From e91d908411ec82fbb2b2998d83bee1cfc69d01e5 Mon Sep 17 00:00:00 2001 +From: Srikanth Boddepalli +Date: Tue, 27 Nov 2018 19:53:27 +0530 +Subject: xen: xlate_mmu: add missing header to fix 'W=1' warning + +[ Upstream commit 72791ac854fea36034fa7976b748fde585008e78 ] + +Add a missing header otherwise compiler warns about missed prototype: + +drivers/xen/xlate_mmu.c:183:5: warning: no previous prototype for 'xen_xlate_unmap_gfn_range?' [-Wmissing-prototypes] + int xen_xlate_unmap_gfn_range(struct vm_area_struct *vma, + ^~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Srikanth Boddepalli +Reviewed-by: Boris Ostrovsky +Reviewed-by: Joey Pabalinas +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/xlate_mmu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/xen/xlate_mmu.c b/drivers/xen/xlate_mmu.c +index 5063c5e796b7..84a1fab0dd6b 100644 +--- a/drivers/xen/xlate_mmu.c ++++ b/drivers/xen/xlate_mmu.c +@@ -34,6 +34,7 @@ + #include + + #include ++#include + #include + #include + #include +-- +2.19.1 +