From: Greg Kroah-Hartman Date: Mon, 20 May 2019 10:20:15 +0000 (+0200) Subject: 5.1-stable patches X-Git-Tag: v4.9.178~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=94bc207082f245fa73093f3d3580308260d95bbe;p=thirdparty%2Fkernel%2Fstable-queue.git 5.1-stable patches added patches: alsa-hda-realtek-corrected-fixup-for-system76-gazelle-gaze14.patch alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch alsa-hda-realtek-fixup-headphone-noise-via-runtime-suspend.patch ext4-avoid-panic-during-forced-reboot-due-to-aborted-journal.patch ext4-fix-data-corruption-caused-by-overlapping-unaligned-and-aligned-io.patch ext4-fix-use-after-free-in-dx_release.patch ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch fs-writeback.c-use-rcu_barrier-to-wait-for-inflight-wb-switches-going-into-workqueue-when-umount.patch jbd2-fix-potential-double-free.patch kvm-fix-the-bitmap-range-to-copy-during-clear-dirty.patch kvm-lapic-busy-wait-for-timer-to-expire-when-using-hv_timer.patch kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch mm-compaction.c-correct-zone-boundary-handling-when-isolating-pages-from-a-pageblock.patch revert-kvm-nvmx-expose-rdpmc-exiting-only-when-guest-supports-pmu.patch tty-don-t-force-riscv-sbi-console-as-preferred-console.patch --- diff --git a/queue-5.1/alsa-hda-realtek-corrected-fixup-for-system76-gazelle-gaze14.patch b/queue-5.1/alsa-hda-realtek-corrected-fixup-for-system76-gazelle-gaze14.patch new file mode 100644 index 00000000000..d2cd87d7b52 --- /dev/null +++ b/queue-5.1/alsa-hda-realtek-corrected-fixup-for-system76-gazelle-gaze14.patch @@ -0,0 +1,40 @@ +From 891afcf2462d2cc4ef7caf94215358ca61fa32cb Mon Sep 17 00:00:00 2001 +From: Jeremy Soller +Date: Fri, 10 May 2019 10:15:07 -0400 +Subject: ALSA: hda/realtek - Corrected fixup for System76 Gazelle (gaze14) + +From: Jeremy Soller + +commit 891afcf2462d2cc4ef7caf94215358ca61fa32cb upstream. + +A mistake was made in the identification of the four variants of the +System76 Gazelle (gaze14). This patch corrects the PCI ID of the +17-inch, GTX 1660 Ti variant from 0x8560 to 0x8551. This patch also +adds the correct fixups for the 15-inch and 17-inch GTX 1650 variants +with PCI IDs 0x8560 and 0x8561. + +Tests were done on all four variants ensuring full audio capability. + +Fixes: 80a5052db751 ("ALSA: hdea/realtek - Headset fixup for System76 Gazelle (gaze14)") +Signed-off-by: Jeremy Soller +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6933,7 +6933,9 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1462, 0xb171, "Cubi N 8GL (MS-B171)", ALC283_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x1558, 0x1325, "System76 Darter Pro (darp5)", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x8550, "System76 Gazelle (gaze14)", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), +- SND_PCI_QUIRK(0x1558, 0x8560, "System76 Gazelle (gaze14)", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0x8551, "System76 Gazelle (gaze14)", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0x8560, "System76 Gazelle (gaze14)", ALC269_FIXUP_HEADSET_MIC), ++ SND_PCI_QUIRK(0x1558, 0x8561, "System76 Gazelle (gaze14)", ALC269_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x17aa, 0x1036, "Lenovo P520", ALC233_FIXUP_LENOVO_MULTI_CODECS), + SND_PCI_QUIRK(0x17aa, 0x20f2, "Thinkpad SL410/510", ALC269_FIXUP_SKU_IGNORE), + SND_PCI_QUIRK(0x17aa, 0x215e, "Thinkpad L512", ALC269_FIXUP_SKU_IGNORE), diff --git a/queue-5.1/alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch b/queue-5.1/alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch new file mode 100644 index 00000000000..88ef50262e5 --- /dev/null +++ b/queue-5.1/alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch @@ -0,0 +1,41 @@ +From 56df90b631fc027fe28b70d41352d820797239bb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20Wadowski?= +Date: Tue, 14 May 2019 16:58:00 +0200 +Subject: ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michał Wadowski + +commit 56df90b631fc027fe28b70d41352d820797239bb upstream. + +Add patch for realtek codec in Lenovo B50-70 that fixes inverted +internal microphone channel. +Device IdeaPad Y410P has the same PCI SSID as Lenovo B50-70, +but first one is about fix the noise and it didn't seem help in a +later kernel version. +So I replaced IdeaPad Y410P device description with B50-70 and apply +inverted microphone fix. + +Bugzilla: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1524215 +Signed-off-by: Michał Wadowski +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6990,7 +6990,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x17aa, 0x313c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), + SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC), +- SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP), ++ SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo B50-70", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x5013, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x17aa, 0x501a, "Thinkpad", ALC283_FIXUP_INT_MIC), + SND_PCI_QUIRK(0x17aa, 0x501e, "Thinkpad L440", ALC292_FIXUP_TPT440_DOCK), diff --git a/queue-5.1/alsa-hda-realtek-fixup-headphone-noise-via-runtime-suspend.patch b/queue-5.1/alsa-hda-realtek-fixup-headphone-noise-via-runtime-suspend.patch new file mode 100644 index 00000000000..4a3ddcf1f23 --- /dev/null +++ b/queue-5.1/alsa-hda-realtek-fixup-headphone-noise-via-runtime-suspend.patch @@ -0,0 +1,110 @@ +From dad3197da7a3817f27bb24f7fd3c135ffa707202 Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Fri, 10 May 2019 16:28:57 +0800 +Subject: ALSA: hda/realtek - Fixup headphone noise via runtime suspend + +From: Kailang Yang + +commit dad3197da7a3817f27bb24f7fd3c135ffa707202 upstream. + +Dell platform with ALC298. +system enter to runtime suspend. Headphone had noise. +Let Headset Mic not shutup will solve this issue. + +[ Fixed minor coding style issues by tiwai ] + +Signed-off-by: Kailang Yang +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 59 ++++++++++++++++++++++++------------------ + 1 file changed, 35 insertions(+), 24 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -477,12 +477,45 @@ static void alc_auto_setup_eapd(struct h + set_eapd(codec, *p, on); + } + ++static int find_ext_mic_pin(struct hda_codec *codec); ++ ++static void alc_headset_mic_no_shutup(struct hda_codec *codec) ++{ ++ const struct hda_pincfg *pin; ++ int mic_pin = find_ext_mic_pin(codec); ++ int i; ++ ++ /* don't shut up pins when unloading the driver; otherwise it breaks ++ * the default pin setup at the next load of the driver ++ */ ++ if (codec->bus->shutdown) ++ return; ++ ++ snd_array_for_each(&codec->init_pins, i, pin) { ++ /* use read here for syncing after issuing each verb */ ++ if (pin->nid != mic_pin) ++ snd_hda_codec_read(codec, pin->nid, 0, ++ AC_VERB_SET_PIN_WIDGET_CONTROL, 0); ++ } ++ ++ codec->pins_shutup = 1; ++} ++ + static void alc_shutup_pins(struct hda_codec *codec) + { + struct alc_spec *spec = codec->spec; + +- if (!spec->no_shutup_pins) +- snd_hda_shutup_pins(codec); ++ switch (codec->core.vendor_id) { ++ case 0x10ec0286: ++ case 0x10ec0288: ++ case 0x10ec0298: ++ alc_headset_mic_no_shutup(codec); ++ break; ++ default: ++ if (!spec->no_shutup_pins) ++ snd_hda_shutup_pins(codec); ++ break; ++ } + } + + /* generic shutup callback; +@@ -2923,27 +2956,6 @@ static int alc269_parse_auto_config(stru + return alc_parse_auto_config(codec, alc269_ignore, ssids); + } + +-static int find_ext_mic_pin(struct hda_codec *codec); +- +-static void alc286_shutup(struct hda_codec *codec) +-{ +- const struct hda_pincfg *pin; +- int i; +- int mic_pin = find_ext_mic_pin(codec); +- /* don't shut up pins when unloading the driver; otherwise it breaks +- * the default pin setup at the next load of the driver +- */ +- if (codec->bus->shutdown) +- return; +- snd_array_for_each(&codec->init_pins, i, pin) { +- /* use read here for syncing after issuing each verb */ +- if (pin->nid != mic_pin) +- snd_hda_codec_read(codec, pin->nid, 0, +- AC_VERB_SET_PIN_WIDGET_CONTROL, 0); +- } +- codec->pins_shutup = 1; +-} +- + static void alc269vb_toggle_power_output(struct hda_codec *codec, int power_up) + { + alc_update_coef_idx(codec, 0x04, 1 << 11, power_up ? (1 << 11) : 0); +@@ -7707,7 +7719,6 @@ static int patch_alc269(struct hda_codec + case 0x10ec0286: + case 0x10ec0288: + spec->codec_variant = ALC269_TYPE_ALC286; +- spec->shutup = alc286_shutup; + break; + case 0x10ec0298: + spec->codec_variant = ALC269_TYPE_ALC298; diff --git a/queue-5.1/ext4-avoid-panic-during-forced-reboot-due-to-aborted-journal.patch b/queue-5.1/ext4-avoid-panic-during-forced-reboot-due-to-aborted-journal.patch new file mode 100644 index 00000000000..ed9f1f8c408 --- /dev/null +++ b/queue-5.1/ext4-avoid-panic-during-forced-reboot-due-to-aborted-journal.patch @@ -0,0 +1,35 @@ +From 2c1d0e3631e5732dba98ef49ac0bec1388776793 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 17 May 2019 17:37:18 -0400 +Subject: ext4: avoid panic during forced reboot due to aborted journal + +From: Jan Kara + +commit 2c1d0e3631e5732dba98ef49ac0bec1388776793 upstream. + +Handling of aborted journal is a special code path different from +standard ext4_error() one and it can call panic() as well. Commit +1dc1097ff60e ("ext4: avoid panic during forced reboot") forgot to update +this path so fix that omission. + +Fixes: 1dc1097ff60e ("ext4: avoid panic during forced reboot") +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org # 5.1 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -698,7 +698,7 @@ void __ext4_abort(struct super_block *sb + jbd2_journal_abort(EXT4_SB(sb)->s_journal, -EIO); + save_error_info(sb, function, line); + } +- if (test_opt(sb, ERRORS_PANIC)) { ++ if (test_opt(sb, ERRORS_PANIC) && !system_going_down()) { + if (EXT4_SB(sb)->s_journal && + !(EXT4_SB(sb)->s_journal->j_flags & JBD2_REC_ERR)) + return; diff --git a/queue-5.1/ext4-fix-data-corruption-caused-by-overlapping-unaligned-and-aligned-io.patch b/queue-5.1/ext4-fix-data-corruption-caused-by-overlapping-unaligned-and-aligned-io.patch new file mode 100644 index 00000000000..b12d869787c --- /dev/null +++ b/queue-5.1/ext4-fix-data-corruption-caused-by-overlapping-unaligned-and-aligned-io.patch @@ -0,0 +1,49 @@ +From 57a0da28ced8707cb9f79f071a016b9d005caf5a Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Fri, 10 May 2019 21:45:33 -0400 +Subject: ext4: fix data corruption caused by overlapping unaligned and aligned IO + +From: Lukas Czerner + +commit 57a0da28ced8707cb9f79f071a016b9d005caf5a upstream. + +Unaligned AIO must be serialized because the zeroing of partial blocks +of unaligned AIO can result in data corruption in case it's overlapping +another in flight IO. + +Currently we wait for all unwritten extents before we submit unaligned +AIO which protects data in case of unaligned AIO is following overlapping +IO. However if a unaligned AIO is followed by overlapping aligned AIO we +can still end up corrupting data. + +To fix this, we must make sure that the unaligned AIO is the only IO in +flight by waiting for unwritten extents conversion not just before the +IO submission, but right after it as well. + +This problem can be reproduced by xfstest generic/538 + +Signed-off-by: Lukas Czerner +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/file.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/ext4/file.c ++++ b/fs/ext4/file.c +@@ -264,6 +264,13 @@ ext4_file_write_iter(struct kiocb *iocb, + } + + ret = __generic_file_write_iter(iocb, from); ++ /* ++ * Unaligned direct AIO must be the only IO in flight. Otherwise ++ * overlapping aligned IO after unaligned might result in data ++ * corruption. ++ */ ++ if (ret == -EIOCBQUEUED && unaligned_aio) ++ ext4_unwritten_wait(inode); + inode_unlock(inode); + + if (ret > 0) diff --git a/queue-5.1/ext4-fix-use-after-free-in-dx_release.patch b/queue-5.1/ext4-fix-use-after-free-in-dx_release.patch new file mode 100644 index 00000000000..0c3d3d9a6cb --- /dev/null +++ b/queue-5.1/ext4-fix-use-after-free-in-dx_release.patch @@ -0,0 +1,53 @@ +From 08fc98a4d6424af66eb3ac4e2cedd2fc927ed436 Mon Sep 17 00:00:00 2001 +From: Sahitya Tummala +Date: Fri, 10 May 2019 22:00:33 -0400 +Subject: ext4: fix use-after-free in dx_release() + +From: Sahitya Tummala + +commit 08fc98a4d6424af66eb3ac4e2cedd2fc927ed436 upstream. + +The buffer_head (frames[0].bh) and it's corresping page can be +potentially free'd once brelse() is done inside the for loop +but before the for loop exits in dx_release(). It can be free'd +in another context, when the page cache is flushed via +drop_caches_sysctl_handler(). This results into below data abort +when accessing info->indirect_levels in dx_release(). + +Unable to handle kernel paging request at virtual address ffffffc17ac3e01e +Call trace: + dx_release+0x70/0x90 + ext4_htree_fill_tree+0x2d4/0x300 + ext4_readdir+0x244/0x6f8 + iterate_dir+0xbc/0x160 + SyS_getdents64+0x94/0x174 + +Signed-off-by: Sahitya Tummala +Signed-off-by: Theodore Ts'o +Reviewed-by: Andreas Dilger +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/namei.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -871,12 +871,15 @@ static void dx_release(struct dx_frame * + { + struct dx_root_info *info; + int i; ++ unsigned int indirect_levels; + + if (frames[0].bh == NULL) + return; + + info = &((struct dx_root *)frames[0].bh->b_data)->info; +- for (i = 0; i <= info->indirect_levels; i++) { ++ /* save local copy, "info" may be freed after brelse() */ ++ indirect_levels = info->indirect_levels; ++ for (i = 0; i <= indirect_levels; i++) { + if (frames[i].bh == NULL) + break; + brelse(frames[i].bh); diff --git a/queue-5.1/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch b/queue-5.1/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch new file mode 100644 index 00000000000..6c67d950cba --- /dev/null +++ b/queue-5.1/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch @@ -0,0 +1,82 @@ +From 592acbf16821288ecdc4192c47e3774a4c48bb64 Mon Sep 17 00:00:00 2001 +From: Sriram Rajagopalan +Date: Fri, 10 May 2019 19:28:06 -0400 +Subject: ext4: zero out the unused memory region in the extent tree block + +From: Sriram Rajagopalan + +commit 592acbf16821288ecdc4192c47e3774a4c48bb64 upstream. + +This commit zeroes out the unused memory region in the buffer_head +corresponding to the extent metablock after writing the extent header +and the corresponding extent node entries. + +This is done to prevent random uninitialized data from getting into +the filesystem when the extent block is synced. + +This fixes CVE-2019-11833. + +Signed-off-by: Sriram Rajagopalan +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/extents.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -1035,6 +1035,7 @@ static int ext4_ext_split(handle_t *hand + __le32 border; + ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */ + int err = 0; ++ size_t ext_size = 0; + + /* make decision: where to split? */ + /* FIXME: now decision is simplest: at current extent */ +@@ -1126,6 +1127,10 @@ static int ext4_ext_split(handle_t *hand + le16_add_cpu(&neh->eh_entries, m); + } + ++ /* zero out unused area in the extent block */ ++ ext_size = sizeof(struct ext4_extent_header) + ++ sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries); ++ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size); + ext4_extent_block_csum_set(inode, neh); + set_buffer_uptodate(bh); + unlock_buffer(bh); +@@ -1205,6 +1210,11 @@ static int ext4_ext_split(handle_t *hand + sizeof(struct ext4_extent_idx) * m); + le16_add_cpu(&neh->eh_entries, m); + } ++ /* zero out unused area in the extent block */ ++ ext_size = sizeof(struct ext4_extent_header) + ++ (sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries)); ++ memset(bh->b_data + ext_size, 0, ++ inode->i_sb->s_blocksize - ext_size); + ext4_extent_block_csum_set(inode, neh); + set_buffer_uptodate(bh); + unlock_buffer(bh); +@@ -1270,6 +1280,7 @@ static int ext4_ext_grow_indepth(handle_ + ext4_fsblk_t newblock, goal = 0; + struct ext4_super_block *es = EXT4_SB(inode->i_sb)->s_es; + int err = 0; ++ size_t ext_size = 0; + + /* Try to prepend new index to old one */ + if (ext_depth(inode)) +@@ -1295,9 +1306,11 @@ static int ext4_ext_grow_indepth(handle_ + goto out; + } + ++ ext_size = sizeof(EXT4_I(inode)->i_data); + /* move top-level index/leaf into new block */ +- memmove(bh->b_data, EXT4_I(inode)->i_data, +- sizeof(EXT4_I(inode)->i_data)); ++ memmove(bh->b_data, EXT4_I(inode)->i_data, ext_size); ++ /* zero out unused area in the extent block */ ++ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size); + + /* set size of new block */ + neh = ext_block_hdr(bh); diff --git a/queue-5.1/fs-writeback.c-use-rcu_barrier-to-wait-for-inflight-wb-switches-going-into-workqueue-when-umount.patch b/queue-5.1/fs-writeback.c-use-rcu_barrier-to-wait-for-inflight-wb-switches-going-into-workqueue-when-umount.patch new file mode 100644 index 00000000000..3a3b041b53a --- /dev/null +++ b/queue-5.1/fs-writeback.c-use-rcu_barrier-to-wait-for-inflight-wb-switches-going-into-workqueue-when-umount.patch @@ -0,0 +1,75 @@ +From ec084de929e419e51bcdafaafe567d9e7d0273b7 Mon Sep 17 00:00:00 2001 +From: Jiufei Xue +Date: Fri, 17 May 2019 14:31:44 -0700 +Subject: fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount + +From: Jiufei Xue + +commit ec084de929e419e51bcdafaafe567d9e7d0273b7 upstream. + +synchronize_rcu() didn't wait for call_rcu() callbacks, so inode wb +switch may not go to the workqueue after synchronize_rcu(). Thus +previous scheduled switches was not finished even flushing the +workqueue, which will cause a NULL pointer dereferenced followed below. + + VFS: Busy inodes after unmount of vdd. Self-destruct in 5 seconds. Have a nice day... + BUG: unable to handle kernel NULL pointer dereference at 0000000000000278 + evict+0xb3/0x180 + iput+0x1b0/0x230 + inode_switch_wbs_work_fn+0x3c0/0x6a0 + worker_thread+0x4e/0x490 + ? process_one_work+0x410/0x410 + kthread+0xe6/0x100 + ret_from_fork+0x39/0x50 + +Replace the synchronize_rcu() call with a rcu_barrier() to wait for all +pending callbacks to finish. And inc isw_nr_in_flight after call_rcu() +in inode_switch_wbs() to make more sense. + +Link: http://lkml.kernel.org/r/20190429024108.54150-1-jiufei.xue@linux.alibaba.com +Signed-off-by: Jiufei Xue +Acked-by: Tejun Heo +Suggested-by: Tejun Heo +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fs-writeback.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -523,8 +523,6 @@ static void inode_switch_wbs(struct inod + + isw->inode = inode; + +- atomic_inc(&isw_nr_in_flight); +- + /* + * In addition to synchronizing among switchers, I_WB_SWITCH tells + * the RCU protected stat update paths to grab the i_page +@@ -532,6 +530,9 @@ static void inode_switch_wbs(struct inod + * Let's continue after I_WB_SWITCH is guaranteed to be visible. + */ + call_rcu(&isw->rcu_head, inode_switch_wbs_rcu_fn); ++ ++ atomic_inc(&isw_nr_in_flight); ++ + goto out_unlock; + + out_free: +@@ -901,7 +902,11 @@ restart: + void cgroup_writeback_umount(void) + { + if (atomic_read(&isw_nr_in_flight)) { +- synchronize_rcu(); ++ /* ++ * Use rcu_barrier() to wait for all pending callbacks to ++ * ensure that all in-flight wb switches are in the workqueue. ++ */ ++ rcu_barrier(); + flush_workqueue(isw_wq); + } + } diff --git a/queue-5.1/jbd2-fix-potential-double-free.patch b/queue-5.1/jbd2-fix-potential-double-free.patch new file mode 100644 index 00000000000..0080b28fdb1 --- /dev/null +++ b/queue-5.1/jbd2-fix-potential-double-free.patch @@ -0,0 +1,230 @@ +From 0d52154bb0a700abb459a2cbce0a30fc2549b67e Mon Sep 17 00:00:00 2001 +From: Chengguang Xu +Date: Fri, 10 May 2019 21:15:47 -0400 +Subject: jbd2: fix potential double free + +From: Chengguang Xu + +commit 0d52154bb0a700abb459a2cbce0a30fc2549b67e upstream. + +When failing from creating cache jbd2_inode_cache, we will destroy the +previously created cache jbd2_handle_cache twice. This patch fixes +this by moving each cache initialization/destruction to its own +separate, individual function. + +Signed-off-by: Chengguang Xu +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jbd2/journal.c | 49 +++++++++++++++++++++++++++++++------------------ + fs/jbd2/revoke.c | 32 ++++++++++++++++++++------------ + fs/jbd2/transaction.c | 8 +++++--- + include/linux/jbd2.h | 8 +++++--- + 4 files changed, 61 insertions(+), 36 deletions(-) + +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -2375,22 +2375,19 @@ static struct kmem_cache *jbd2_journal_h + static atomic_t nr_journal_heads = ATOMIC_INIT(0); + #endif + +-static int jbd2_journal_init_journal_head_cache(void) ++static int __init jbd2_journal_init_journal_head_cache(void) + { +- int retval; +- +- J_ASSERT(jbd2_journal_head_cache == NULL); ++ J_ASSERT(!jbd2_journal_head_cache); + jbd2_journal_head_cache = kmem_cache_create("jbd2_journal_head", + sizeof(struct journal_head), + 0, /* offset */ + SLAB_TEMPORARY | SLAB_TYPESAFE_BY_RCU, + NULL); /* ctor */ +- retval = 0; + if (!jbd2_journal_head_cache) { +- retval = -ENOMEM; + printk(KERN_EMERG "JBD2: no memory for journal_head cache\n"); ++ return -ENOMEM; + } +- return retval; ++ return 0; + } + + static void jbd2_journal_destroy_journal_head_cache(void) +@@ -2636,28 +2633,38 @@ static void __exit jbd2_remove_jbd_stats + + struct kmem_cache *jbd2_handle_cache, *jbd2_inode_cache; + ++static int __init jbd2_journal_init_inode_cache(void) ++{ ++ J_ASSERT(!jbd2_inode_cache); ++ jbd2_inode_cache = KMEM_CACHE(jbd2_inode, 0); ++ if (!jbd2_inode_cache) { ++ pr_emerg("JBD2: failed to create inode cache\n"); ++ return -ENOMEM; ++ } ++ return 0; ++} ++ + static int __init jbd2_journal_init_handle_cache(void) + { ++ J_ASSERT(!jbd2_handle_cache); + jbd2_handle_cache = KMEM_CACHE(jbd2_journal_handle, SLAB_TEMPORARY); +- if (jbd2_handle_cache == NULL) { ++ if (!jbd2_handle_cache) { + printk(KERN_EMERG "JBD2: failed to create handle cache\n"); + return -ENOMEM; + } +- jbd2_inode_cache = KMEM_CACHE(jbd2_inode, 0); +- if (jbd2_inode_cache == NULL) { +- printk(KERN_EMERG "JBD2: failed to create inode cache\n"); +- kmem_cache_destroy(jbd2_handle_cache); +- return -ENOMEM; +- } + return 0; + } + ++static void jbd2_journal_destroy_inode_cache(void) ++{ ++ kmem_cache_destroy(jbd2_inode_cache); ++ jbd2_inode_cache = NULL; ++} ++ + static void jbd2_journal_destroy_handle_cache(void) + { + kmem_cache_destroy(jbd2_handle_cache); + jbd2_handle_cache = NULL; +- kmem_cache_destroy(jbd2_inode_cache); +- jbd2_inode_cache = NULL; + } + + /* +@@ -2668,21 +2675,27 @@ static int __init journal_init_caches(vo + { + int ret; + +- ret = jbd2_journal_init_revoke_caches(); ++ ret = jbd2_journal_init_revoke_record_cache(); ++ if (ret == 0) ++ ret = jbd2_journal_init_revoke_table_cache(); + if (ret == 0) + ret = jbd2_journal_init_journal_head_cache(); + if (ret == 0) + ret = jbd2_journal_init_handle_cache(); + if (ret == 0) ++ ret = jbd2_journal_init_inode_cache(); ++ if (ret == 0) + ret = jbd2_journal_init_transaction_cache(); + return ret; + } + + static void jbd2_journal_destroy_caches(void) + { +- jbd2_journal_destroy_revoke_caches(); ++ jbd2_journal_destroy_revoke_record_cache(); ++ jbd2_journal_destroy_revoke_table_cache(); + jbd2_journal_destroy_journal_head_cache(); + jbd2_journal_destroy_handle_cache(); ++ jbd2_journal_destroy_inode_cache(); + jbd2_journal_destroy_transaction_cache(); + jbd2_journal_destroy_slabs(); + } +--- a/fs/jbd2/revoke.c ++++ b/fs/jbd2/revoke.c +@@ -178,33 +178,41 @@ static struct jbd2_revoke_record_s *find + return NULL; + } + +-void jbd2_journal_destroy_revoke_caches(void) ++void jbd2_journal_destroy_revoke_record_cache(void) + { + kmem_cache_destroy(jbd2_revoke_record_cache); + jbd2_revoke_record_cache = NULL; ++} ++ ++void jbd2_journal_destroy_revoke_table_cache(void) ++{ + kmem_cache_destroy(jbd2_revoke_table_cache); + jbd2_revoke_table_cache = NULL; + } + +-int __init jbd2_journal_init_revoke_caches(void) ++int __init jbd2_journal_init_revoke_record_cache(void) + { + J_ASSERT(!jbd2_revoke_record_cache); +- J_ASSERT(!jbd2_revoke_table_cache); +- + jbd2_revoke_record_cache = KMEM_CACHE(jbd2_revoke_record_s, + SLAB_HWCACHE_ALIGN|SLAB_TEMPORARY); +- if (!jbd2_revoke_record_cache) +- goto record_cache_failure; + ++ if (!jbd2_revoke_record_cache) { ++ pr_emerg("JBD2: failed to create revoke_record cache\n"); ++ return -ENOMEM; ++ } ++ return 0; ++} ++ ++int __init jbd2_journal_init_revoke_table_cache(void) ++{ ++ J_ASSERT(!jbd2_revoke_table_cache); + jbd2_revoke_table_cache = KMEM_CACHE(jbd2_revoke_table_s, + SLAB_TEMPORARY); +- if (!jbd2_revoke_table_cache) +- goto table_cache_failure; +- return 0; +-table_cache_failure: +- jbd2_journal_destroy_revoke_caches(); +-record_cache_failure: ++ if (!jbd2_revoke_table_cache) { ++ pr_emerg("JBD2: failed to create revoke_table cache\n"); + return -ENOMEM; ++ } ++ return 0; + } + + static struct jbd2_revoke_table_s *jbd2_journal_init_revoke_table(int hash_size) +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -42,9 +42,11 @@ int __init jbd2_journal_init_transaction + 0, + SLAB_HWCACHE_ALIGN|SLAB_TEMPORARY, + NULL); +- if (transaction_cache) +- return 0; +- return -ENOMEM; ++ if (!transaction_cache) { ++ pr_emerg("JBD2: failed to create transaction cache\n"); ++ return -ENOMEM; ++ } ++ return 0; + } + + void jbd2_journal_destroy_transaction_cache(void) +--- a/include/linux/jbd2.h ++++ b/include/linux/jbd2.h +@@ -1318,7 +1318,7 @@ extern void __wait_on_journal (journal_ + + /* Transaction cache support */ + extern void jbd2_journal_destroy_transaction_cache(void); +-extern int jbd2_journal_init_transaction_cache(void); ++extern int __init jbd2_journal_init_transaction_cache(void); + extern void jbd2_journal_free_transaction(transaction_t *); + + /* +@@ -1446,8 +1446,10 @@ static inline void jbd2_free_inode(struc + /* Primary revoke support */ + #define JOURNAL_REVOKE_DEFAULT_HASH 256 + extern int jbd2_journal_init_revoke(journal_t *, int); +-extern void jbd2_journal_destroy_revoke_caches(void); +-extern int jbd2_journal_init_revoke_caches(void); ++extern void jbd2_journal_destroy_revoke_record_cache(void); ++extern void jbd2_journal_destroy_revoke_table_cache(void); ++extern int __init jbd2_journal_init_revoke_record_cache(void); ++extern int __init jbd2_journal_init_revoke_table_cache(void); + + extern void jbd2_journal_destroy_revoke(journal_t *); + extern int jbd2_journal_revoke (handle_t *, unsigned long long, struct buffer_head *); diff --git a/queue-5.1/kvm-fix-the-bitmap-range-to-copy-during-clear-dirty.patch b/queue-5.1/kvm-fix-the-bitmap-range-to-copy-during-clear-dirty.patch new file mode 100644 index 00000000000..645230228a0 --- /dev/null +++ b/queue-5.1/kvm-fix-the-bitmap-range-to-copy-during-clear-dirty.patch @@ -0,0 +1,35 @@ +From 4ddc9204572c33f2eb91fbdb1d99d8078388b67d Mon Sep 17 00:00:00 2001 +From: Peter Xu +Date: Wed, 8 May 2019 17:15:45 +0800 +Subject: KVM: Fix the bitmap range to copy during clear dirty + +From: Peter Xu + +commit 4ddc9204572c33f2eb91fbdb1d99d8078388b67d upstream. + +kvm_dirty_bitmap_bytes() will return the size of the dirty bitmap of +the memslot rather than the size of bitmap passed over from the ioctl. +Here for KVM_CLEAR_DIRTY_LOG we should only copy exactly the size of +bitmap that covers kvm_clear_dirty_log.num_pages. + +Signed-off-by: Peter Xu +Cc: stable@vger.kernel.org +Fixes: 2a31b9db153530df4aa02dac8c32837bf5f47019 +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/kvm_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -1250,7 +1250,7 @@ int kvm_clear_dirty_log_protect(struct k + if (!dirty_bitmap) + return -ENOENT; + +- n = kvm_dirty_bitmap_bytes(memslot); ++ n = ALIGN(log->num_pages, BITS_PER_LONG) / 8; + + if (log->first_page > memslot->npages || + log->num_pages > memslot->npages - log->first_page || diff --git a/queue-5.1/kvm-lapic-busy-wait-for-timer-to-expire-when-using-hv_timer.patch b/queue-5.1/kvm-lapic-busy-wait-for-timer-to-expire-when-using-hv_timer.patch new file mode 100644 index 00000000000..c8758f263a0 --- /dev/null +++ b/queue-5.1/kvm-lapic-busy-wait-for-timer-to-expire-when-using-hv_timer.patch @@ -0,0 +1,37 @@ +From ee66e453db13d4837a0dcf9d43efa7a88603161b Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 16 Apr 2019 13:32:44 -0700 +Subject: KVM: lapic: Busy wait for timer to expire when using hv_timer + +From: Sean Christopherson + +commit ee66e453db13d4837a0dcf9d43efa7a88603161b upstream. + +...now that VMX's preemption timer, i.e. the hv_timer, also adjusts its +programmed time based on lapic_timer_advance_ns. Without the delay, a +guest can see a timer interrupt arrive before the requested time when +KVM is using the hv_timer to emulate the guest's interrupt. + +Fixes: c5ce8235cffa0 ("KVM: VMX: Optimize tscdeadline timer latency") +Cc: +Cc: Wanpeng Li +Reviewed-by: Liran Alon +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/lapic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1454,7 +1454,7 @@ static void apic_timer_expired(struct kv + if (swait_active(q)) + swake_up_one(q); + +- if (apic_lvtt_tscdeadline(apic)) ++ if (apic_lvtt_tscdeadline(apic) || ktimer->hv_timer_in_use) + ktimer->expired_tscdeadline = ktimer->tscdeadline; + } + diff --git a/queue-5.1/kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch b/queue-5.1/kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch new file mode 100644 index 00000000000..d8f298e337f --- /dev/null +++ b/queue-5.1/kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch @@ -0,0 +1,99 @@ +From 11988499e62b310f3bf6f6d0a807a06d3f9ccc96 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 2 Apr 2019 08:19:15 -0700 +Subject: KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes + +From: Sean Christopherson + +commit 11988499e62b310f3bf6f6d0a807a06d3f9ccc96 upstream. + +KVM allows userspace to violate consistency checks related to the +guest's CPUID model to some degree. Generally speaking, userspace has +carte blanche when it comes to guest state so long as jamming invalid +state won't negatively affect the host. + +Currently this is seems to be a non-issue as most of the interesting +EFER checks are missing, e.g. NX and LME, but those will be added +shortly. Proactively exempt userspace from the CPUID checks so as not +to break userspace. + +Note, the efer_reserved_bits check still applies to userspace writes as +that mask reflects the host's capabilities, e.g. KVM shouldn't allow a +guest to run with NX=1 if it has been disabled in the host. + +Fixes: d80174745ba39 ("KVM: SVM: Only allow setting of EFER_SVME when CPUID SVM is set") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 37 ++++++++++++++++++++++++------------- + 1 file changed, 24 insertions(+), 13 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1262,31 +1262,42 @@ static int do_get_msr_feature(struct kvm + return 0; + } + +-bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer) ++static bool __kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer) + { +- if (efer & efer_reserved_bits) +- return false; +- + if (efer & EFER_FFXSR && !guest_cpuid_has(vcpu, X86_FEATURE_FXSR_OPT)) +- return false; ++ return false; + + if (efer & EFER_SVME && !guest_cpuid_has(vcpu, X86_FEATURE_SVM)) +- return false; ++ return false; + + return true; ++ ++} ++bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer) ++{ ++ if (efer & efer_reserved_bits) ++ return false; ++ ++ return __kvm_valid_efer(vcpu, efer); + } + EXPORT_SYMBOL_GPL(kvm_valid_efer); + +-static int set_efer(struct kvm_vcpu *vcpu, u64 efer) ++static int set_efer(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + { + u64 old_efer = vcpu->arch.efer; ++ u64 efer = msr_info->data; + +- if (!kvm_valid_efer(vcpu, efer)) +- return 1; ++ if (efer & efer_reserved_bits) ++ return false; + +- if (is_paging(vcpu) +- && (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME)) +- return 1; ++ if (!msr_info->host_initiated) { ++ if (!__kvm_valid_efer(vcpu, efer)) ++ return 1; ++ ++ if (is_paging(vcpu) && ++ (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME)) ++ return 1; ++ } + + efer &= ~EFER_LMA; + efer |= vcpu->arch.efer & EFER_LMA; +@@ -2456,7 +2467,7 @@ int kvm_set_msr_common(struct kvm_vcpu * + vcpu->arch.arch_capabilities = data; + break; + case MSR_EFER: +- return set_efer(vcpu, data); ++ return set_efer(vcpu, msr_info); + case MSR_K7_HWCR: + data &= ~(u64)0x40; /* ignore flush filter disable */ + data &= ~(u64)0x100; /* ignore ignne emulation enable */ diff --git a/queue-5.1/mm-compaction.c-correct-zone-boundary-handling-when-isolating-pages-from-a-pageblock.patch b/queue-5.1/mm-compaction.c-correct-zone-boundary-handling-when-isolating-pages-from-a-pageblock.patch new file mode 100644 index 00000000000..15aa602d93e --- /dev/null +++ b/queue-5.1/mm-compaction.c-correct-zone-boundary-handling-when-isolating-pages-from-a-pageblock.patch @@ -0,0 +1,95 @@ +From 60fce36afa9c77c7ccbf980c4f670f3be3651fce Mon Sep 17 00:00:00 2001 +From: Mel Gorman +Date: Fri, 17 May 2019 14:31:41 -0700 +Subject: mm/compaction.c: correct zone boundary handling when isolating pages from a pageblock + +From: Mel Gorman + +commit 60fce36afa9c77c7ccbf980c4f670f3be3651fce upstream. + +syzbot reported the following error from a tree with a head commit of +baf76f0c58ae ("slip: make slhc_free() silently accept an error pointer") + + BUG: unable to handle kernel paging request at ffffea0003348000 + #PF error: [normal kernel read fault] + PGD 12c3f9067 P4D 12c3f9067 PUD 12c3f8067 PMD 0 + Oops: 0000 [#1] PREEMPT SMP KASAN + CPU: 1 PID: 28916 Comm: syz-executor.2 Not tainted 5.1.0-rc6+ #89 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + RIP: 0010:constant_test_bit arch/x86/include/asm/bitops.h:314 [inline] + RIP: 0010:PageCompound include/linux/page-flags.h:186 [inline] + RIP: 0010:isolate_freepages_block+0x1c0/0xd40 mm/compaction.c:579 + Code: 01 d8 ff 4d 85 ed 0f 84 ef 07 00 00 e8 29 00 d8 ff 4c 89 e0 83 85 38 ff + ff ff 01 48 c1 e8 03 42 80 3c 38 00 0f 85 31 0a 00 00 <4d> 8b 2c 24 31 ff 49 + c1 ed 10 41 83 e5 01 44 89 ee e8 3a 01 d8 ff + RSP: 0018:ffff88802b31eab8 EFLAGS: 00010246 + RAX: 1ffffd4000669000 RBX: 00000000000cd200 RCX: ffffc9000a235000 + RDX: 000000000001ca5e RSI: ffffffff81988cc7 RDI: 0000000000000001 + RBP: ffff88802b31ebd8 R08: ffff88805af700c0 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000000 R12: ffffea0003348000 + R13: 0000000000000000 R14: ffff88802b31f030 R15: dffffc0000000000 + FS: 00007f61648dc700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffffea0003348000 CR3: 0000000037c64000 CR4: 00000000001426e0 + Call Trace: + fast_isolate_around mm/compaction.c:1243 [inline] + fast_isolate_freepages mm/compaction.c:1418 [inline] + isolate_freepages mm/compaction.c:1438 [inline] + compaction_alloc+0x1aee/0x22e0 mm/compaction.c:1550 + +There is no reproducer and it is difficult to hit -- 1 crash every few +days. The issue is very similar to the fix in commit 6b0868c820ff +("mm/compaction.c: correct zone boundary handling when resetting pageblock +skip hints"). When isolating free pages around a target pageblock, the +boundary handling is off by one and can stray into the next pageblock. +Triggering the syzbot error requires that the end of pageblock is section +or zone aligned, and that the next section is unpopulated. + +A more subtle consequence of the bug is that pageblocks were being +improperly used as migration targets which potentially hurts fragmentation +avoidance in the long-term one page at a time. + +A debugging patch revealed that it's definitely possible to stray outside +of a pageblock which is not intended. While syzbot cannot be used to +verify this patch, it was confirmed that the debugging warning no longer +triggers with this patch applied. It has also been confirmed that the THP +allocation stress tests are not degraded by this patch. + +Link: http://lkml.kernel.org/r/20190510182124.GI18914@techsingularity.net +Fixes: e332f741a8dd ("mm, compaction: be selective about what pageblocks to clear skip hints") +Signed-off-by: Mel Gorman +Reported-by: syzbot+d84c80f9fe26a0f7a734@syzkaller.appspotmail.com +Cc: Dmitry Vyukov +Cc: Andrey Ryabinin +Cc: Qian Cai +Cc: Michal Hocko +Cc: Vlastimil Babka +Cc: # v5.1+ +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/compaction.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/mm/compaction.c ++++ b/mm/compaction.c +@@ -1228,7 +1228,7 @@ fast_isolate_around(struct compact_contr + + /* Pageblock boundaries */ + start_pfn = pageblock_start_pfn(pfn); +- end_pfn = min(start_pfn + pageblock_nr_pages, zone_end_pfn(cc->zone)); ++ end_pfn = min(pageblock_end_pfn(pfn), zone_end_pfn(cc->zone)) - 1; + + /* Scan before */ + if (start_pfn != pfn) { +@@ -1239,7 +1239,7 @@ fast_isolate_around(struct compact_contr + + /* Scan after */ + start_pfn = pfn + nr_isolated; +- if (start_pfn != end_pfn) ++ if (start_pfn < end_pfn) + isolate_freepages_block(cc, &start_pfn, end_pfn, &cc->freepages, 1, false); + + /* Skip this pageblock in the future as it's full or nearly full */ diff --git a/queue-5.1/revert-kvm-nvmx-expose-rdpmc-exiting-only-when-guest-supports-pmu.patch b/queue-5.1/revert-kvm-nvmx-expose-rdpmc-exiting-only-when-guest-supports-pmu.patch new file mode 100644 index 00000000000..96ff96c4b2a --- /dev/null +++ b/queue-5.1/revert-kvm-nvmx-expose-rdpmc-exiting-only-when-guest-supports-pmu.patch @@ -0,0 +1,92 @@ +From f93f7ede087f2edcc18e4b02310df5749a6b5a61 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 8 May 2019 09:08:19 -0700 +Subject: Revert "KVM: nVMX: Expose RDPMC-exiting only when guest supports PMU" + +From: Sean Christopherson + +commit f93f7ede087f2edcc18e4b02310df5749a6b5a61 upstream. + +The RDPMC-exiting control is dependent on the existence of the RDPMC +instruction itself, i.e. is not tied to the "Architectural Performance +Monitoring" feature. For all intents and purposes, the control exists +on all CPUs with VMX support since RDPMC also exists on all VCPUs with +VMX supported. Per Intel's SDM: + + The RDPMC instruction was introduced into the IA-32 Architecture in + the Pentium Pro processor and the Pentium processor with MMX technology. + The earlier Pentium processors have performance-monitoring counters, but + they must be read with the RDMSR instruction. + +Because RDPMC-exiting always exists, KVM requires the control and refuses +to load if it's not available. As a result, hiding the PMU from a guest +breaks nested virtualization if the guest attemts to use KVM. + +While it's not explicitly stated in the RDPMC pseudocode, the VM-Exit +check for RDPMC-exiting follows standard fault vs. VM-Exit prioritization +for privileged instructions, e.g. occurs after the CPL/CR0.PE/CR4.PCE +checks, but before the counter referenced in ECX is checked for validity. + +In other words, the original KVM behavior of injecting a #GP was correct, +and the KVM unit test needs to be adjusted accordingly, e.g. eat the #GP +when the unit test guest (L3 in this case) executes RDPMC without +RDPMC-exiting set in the unit test host (L2). + +This reverts commit e51bfdb68725dc052d16241ace40ea3140f938aa. + +Fixes: e51bfdb68725 ("KVM: nVMX: Expose RDPMC-exiting only when guest supports PMU") +Reported-by: David Hill +Cc: Saar Amar +Cc: Mihai Carabas +Cc: Jim Mattson +Cc: Liran Alon +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx/vmx.c | 25 ------------------------- + 1 file changed, 25 deletions(-) + +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -6856,30 +6856,6 @@ static void nested_vmx_entry_exit_ctls_u + } + } + +-static bool guest_cpuid_has_pmu(struct kvm_vcpu *vcpu) +-{ +- struct kvm_cpuid_entry2 *entry; +- union cpuid10_eax eax; +- +- entry = kvm_find_cpuid_entry(vcpu, 0xa, 0); +- if (!entry) +- return false; +- +- eax.full = entry->eax; +- return (eax.split.version_id > 0); +-} +- +-static void nested_vmx_procbased_ctls_update(struct kvm_vcpu *vcpu) +-{ +- struct vcpu_vmx *vmx = to_vmx(vcpu); +- bool pmu_enabled = guest_cpuid_has_pmu(vcpu); +- +- if (pmu_enabled) +- vmx->nested.msrs.procbased_ctls_high |= CPU_BASED_RDPMC_EXITING; +- else +- vmx->nested.msrs.procbased_ctls_high &= ~CPU_BASED_RDPMC_EXITING; +-} +- + static void update_intel_pt_cfg(struct kvm_vcpu *vcpu) + { + struct vcpu_vmx *vmx = to_vmx(vcpu); +@@ -6968,7 +6944,6 @@ static void vmx_cpuid_update(struct kvm_ + if (nested_vmx_allowed(vcpu)) { + nested_vmx_cr_fixed1_bits_update(vcpu); + nested_vmx_entry_exit_ctls_update(vcpu); +- nested_vmx_procbased_ctls_update(vcpu); + } + + if (boot_cpu_has(X86_FEATURE_INTEL_PT) && diff --git a/queue-5.1/series b/queue-5.1/series index 4db60495cd8..f3432db24c6 100644 --- a/queue-5.1/series +++ b/queue-5.1/series @@ -101,3 +101,18 @@ bcache-never-set-key_ptrs-of-journal-key-to-0-in-journal_reclaim.patch ipmi-add-the-i2c-addr-property-for-ssif-interfaces.patch ipmi-ssif-compare-block-number-correctly-for-multi-part-return-messages.patch arm-dts-imx-fix-the-ar803x-phy-mode.patch +mm-compaction.c-correct-zone-boundary-handling-when-isolating-pages-from-a-pageblock.patch +fs-writeback.c-use-rcu_barrier-to-wait-for-inflight-wb-switches-going-into-workqueue-when-umount.patch +tty-don-t-force-riscv-sbi-console-as-preferred-console.patch +ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch +ext4-fix-data-corruption-caused-by-overlapping-unaligned-and-aligned-io.patch +ext4-fix-use-after-free-in-dx_release.patch +ext4-avoid-panic-during-forced-reboot-due-to-aborted-journal.patch +alsa-hda-realtek-corrected-fixup-for-system76-gazelle-gaze14.patch +alsa-hda-realtek-fixup-headphone-noise-via-runtime-suspend.patch +alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch +jbd2-fix-potential-double-free.patch +revert-kvm-nvmx-expose-rdpmc-exiting-only-when-guest-supports-pmu.patch +kvm-fix-the-bitmap-range-to-copy-during-clear-dirty.patch +kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch +kvm-lapic-busy-wait-for-timer-to-expire-when-using-hv_timer.patch diff --git a/queue-5.1/tty-don-t-force-riscv-sbi-console-as-preferred-console.patch b/queue-5.1/tty-don-t-force-riscv-sbi-console-as-preferred-console.patch new file mode 100644 index 00000000000..1e9c1f899d8 --- /dev/null +++ b/queue-5.1/tty-don-t-force-riscv-sbi-console-as-preferred-console.patch @@ -0,0 +1,50 @@ +From f91253a3d005796404ae0e578b3394459b5f9b71 Mon Sep 17 00:00:00 2001 +From: Anup Patel +Date: Thu, 25 Apr 2019 06:35:06 -0700 +Subject: tty: Don't force RISCV SBI console as preferred console + +From: Anup Patel + +commit f91253a3d005796404ae0e578b3394459b5f9b71 upstream. + +The Linux kernel will auto-disables all boot consoles whenever it +gets a preferred real console. + +Currently on RISC-V systems, if we have a real console which is not +RISCV SBI console then boot consoles (such as earlycon=sbi) are not +auto-disabled when a real console (ttyS0 or ttySIF0) is available. +This results in duplicate prints at boot-time after kernel starts +using real console (i.e. ttyS0 or ttySIF0) if "earlycon=" kernel +parameter was passed by bootloader. + +The reason for above issue is that RISCV SBI console always adds +itself as preferred console which is causing other real consoles +to be not used as preferred console. + +Ideally "console=" kernel parameter passed by bootloaders should +be the one selecting a preferred real console. + +This patch fixes above issue by not forcing RISCV SBI console as +preferred console. + +Fixes: afa6b1ccfad5 ("tty: New RISC-V SBI console driver") +Cc: stable@vger.kernel.org +Signed-off-by: Anup Patel +Reviewed-by: Atish Patra +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/hvc/hvc_riscv_sbi.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/tty/hvc/hvc_riscv_sbi.c ++++ b/drivers/tty/hvc/hvc_riscv_sbi.c +@@ -53,7 +53,6 @@ device_initcall(hvc_sbi_init); + static int __init hvc_sbi_console_init(void) + { + hvc_instantiate(0, 0, &hvc_sbi_ops); +- add_preferred_console("hvc", 0, NULL); + + return 0; + }