From: Sasha Levin Date: Mon, 13 May 2019 18:42:40 +0000 (-0400) Subject: autosel fixes for 4.14 X-Git-Tag: v5.1.2~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=99b4934890ad761920be60431bd52efcc272e4a9;p=thirdparty%2Fkernel%2Fstable-queue.git autosel fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/acpica-aml-interpreter-add-region-addresses-in-globa.patch b/queue-4.14/acpica-aml-interpreter-add-region-addresses-in-globa.patch new file mode 100644 index 00000000000..c2601e50d23 --- /dev/null +++ b/queue-4.14/acpica-aml-interpreter-add-region-addresses-in-globa.patch 
@@ -0,0 +1,48 @@ +From f365d36bf8fe97b0e4216ba61d05cf466f258ff2 Mon Sep 17 00:00:00 2001 +From: Erik Schmauss +Date: Wed, 17 Oct 2018 14:09:35 -0700 +Subject: ACPICA: AML interpreter: add region addresses in global list during + initialization + +[ Upstream commit 4abb951b73ff0a8a979113ef185651aa3c8da19b ] + +The table load process omitted adding the operation region address +range to the global list. This omission is problematic because the OS +queries the global list to check for address range conflicts before +deciding which drivers to load. This commit may result in warning +messages that look like the following: + +[ 7.871761] ACPI Warning: system_IO range 0x00000428-0x0000042F conflicts with op_region 0x00000400-0x0000047F (\PMIO) (20180531/utaddress-213) +[ 7.871769] ACPI: If an ACPI driver is available for this device, you should use it instead of the native driver + +However, these messages do not signify regressions. It is a result of +properly adding address ranges within the global address list. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=200011 +Tested-by: Jean-Marc Lenoir +Signed-off-by: Erik Schmauss +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/dsopcode.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/acpi/acpica/dsopcode.c b/drivers/acpi/acpica/dsopcode.c +index 0336df7ac47dd..e8070f6ca835e 100644 +--- a/drivers/acpi/acpica/dsopcode.c ++++ b/drivers/acpi/acpica/dsopcode.c +@@ -451,6 +451,10 @@ acpi_ds_eval_region_operands(struct acpi_walk_state *walk_state, + ACPI_FORMAT_UINT64(obj_desc->region.address), + obj_desc->region.length)); + ++ status = acpi_ut_add_address_range(obj_desc->region.space_id, ++ obj_desc->region.address, ++ obj_desc->region.length, node); ++ + /* Now the address and length are valid for this opregion */ + + obj_desc->region.flags |= AOPOBJ_DATA_VALID; +-- +2.20.1 + 
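Review bot: in the drivers/acpi/acpica/dsopcode.c hunk, the result of acpi_ut_add_address_range() is stored in `status`, but the visible lines go straight on to set AOPOBJ_DATA_VALID without testing it. Either test it with ACPI_FAILURE() before marking the region valid, or add a comment saying why a failed insertion into the global list can be ignored. The next patch in this queue carries a Fixes: 4abb951b73ff line for a crash caused by stale list entries, so this patch should not be applied to 4.14 without it.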
diff --git a/queue-4.14/acpica-namespace-remove-address-node-from-global-lis.patch b/queue-4.14/acpica-namespace-remove-address-node-from-global-lis.patch new file mode 100644 index 00000000000..766311ee33a --- /dev/null +++ b/queue-4.14/acpica-namespace-remove-address-node-from-global-lis.patch 
@@ -0,0 +1,65 @@ +From 2c94b3e19ebe6b0d535dff7fd8421551e44025a8 Mon Sep 17 00:00:00 2001 +From: Erik Schmauss +Date: Mon, 8 Apr 2019 13:42:26 -0700 +Subject: ACPICA: Namespace: remove address node from global list after method + termination + +[ Upstream commit c5781ffbbd4f742a58263458145fe7f0ac01d9e0 ] + +ACPICA commit b233720031a480abd438f2e9c643080929d144c3 + +ASL operation_regions declare a range of addresses that it uses. In a +perfect world, the range of addresses should be used exclusively by +the AML interpreter. The OS can use this information to decide which +drivers to load so that the AML interpreter and device drivers use +different regions of memory. + +During table load, the address information is added to a global +address range list. Each node in this list contains an address range +as well as a namespace node of the operation_region. This list is +deleted at ACPI shutdown. + +Unfortunately, ASL operation_regions can be declared inside of control +methods. Although this is not recommended, modern firmware contains +such code. New module level code changes unintentionally removed the +functionality of adding and removing nodes to the global address +range list. + +A few months ago, support for adding addresses has been re- +implemented. However, the removal of the address range list was +missed and resulted in some systems to crash due to the address list +containing bogus namespace nodes from operation_regions declared in +control methods. In order to fix the crash, this change removes +dynamic operation_regions after control method termination. + +Link: https://github.com/acpica/acpica/commit/b2337200 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=202475 +Fixes: 4abb951b73ff ("ACPICA: AML interpreter: add region addresses in global list during initialization") +Reported-by: Michael J Gruber +Signed-off-by: Erik Schmauss +Signed-off-by: Bob Moore +Cc: 4.20+ # 4.20+ +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/nsobject.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/acpi/acpica/nsobject.c b/drivers/acpi/acpica/nsobject.c +index 707b2aa501e1b..099be64242556 100644 +--- a/drivers/acpi/acpica/nsobject.c ++++ b/drivers/acpi/acpica/nsobject.c +@@ -222,6 +222,10 @@ void acpi_ns_detach_object(struct acpi_namespace_node *node) + } + } + ++ if (obj_desc->common.type == ACPI_TYPE_REGION) { ++ acpi_ut_remove_address_range(obj_desc->region.space_id, node); ++ } ++ + /* Clear the Node entry in all cases */ + + node->object = NULL; +-- +2.20.1 + diff --git a/queue-4.14/arm64-dts-marvell-armada-ap806-reserve-psci-area.patch b/queue-4.14/arm64-dts-marvell-armada-ap806-reserve-psci-area.patch new file mode 100644 index 00000000000..2a78ee20fab --- /dev/null +++ b/queue-4.14/arm64-dts-marvell-armada-ap806-reserve-psci-area.patch 
@@ -0,0 +1,51 @@ +From e3dfbcdbc4285aa07d8609b851e07854d7f3d1c5 Mon Sep 17 00:00:00 2001 +From: Heinrich Schuchardt +Date: Fri, 21 Dec 2018 17:45:03 +0100 +Subject: arm64: dts: marvell: armada-ap806: reserve PSCI area + +[ Upstream commit 132ac39cffbcfed80ada38ef0fc6d34d95da7be6 ] + +The memory area [0x4000000-0x4200000[ is occupied by the PSCI firmware. Any +attempt to access it from Linux leads to an immediate crash. + +So let's make the same memory reservation as the vendor kernel. + +[gregory: added as comment that this region matches the mainline U-boot] +Signed-off-by: Heinrich Schuchardt +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/marvell/armada-ap806.dtsi | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/arch/arm64/boot/dts/marvell/armada-ap806.dtsi b/arch/arm64/boot/dts/marvell/armada-ap806.dtsi +index 30d48ecf46e08..27d2bd85d1ae9 100644 +--- a/arch/arm64/boot/dts/marvell/armada-ap806.dtsi ++++ b/arch/arm64/boot/dts/marvell/armada-ap806.dtsi +@@ -65,6 +65,23 @@ + method = "smc"; + }; + ++ reserved-memory { ++ #address-cells = <2>; ++ #size-cells = <2>; ++ ranges; ++ ++ /* ++ * This area matches the mapping done with a ++ * mainline U-Boot, and should be updated by the ++ * bootloader. ++ */ ++ ++ psci-area@4000000 { ++ reg = <0x0 0x4000000 0x0 0x200000>; ++ no-map; ++ }; ++ }; ++ + ap806 { + #address-cells = <2>; + #size-cells = <2>; +-- +2.20.1 + diff --git a/queue-4.14/arm64-kvm-make-vhe-stage-2-tlb-invalidation-operatio.patch b/queue-4.14/arm64-kvm-make-vhe-stage-2-tlb-invalidation-operatio.patch new file mode 100644 index 00000000000..4c241ede093 --- /dev/null +++ b/queue-4.14/arm64-kvm-make-vhe-stage-2-tlb-invalidation-operatio.patch 
@@ -0,0 +1,151 @@ +From 2e797b1a38df429c2462caea26cf80734157b65d Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Thu, 6 Dec 2018 17:31:19 +0000 +Subject: arm64: KVM: Make VHE Stage-2 TLB invalidation operations + non-interruptible + +[ Upstream commit c987876a80e7bcb98a839f10dca9ce7fda4feced ] + +Contrary to the non-VHE version of the TLB invalidation helpers, the VHE +code has interrupts enabled, meaning that we can take an interrupt in +the middle of such a sequence, and start running something else with +HCR_EL2.TGE cleared. + +That's really not a good idea. + +Take the heavy-handed option and disable interrupts in +__tlb_switch_to_guest_vhe, restoring them in __tlb_switch_to_host_vhe. +The latter also gain an ISB in order to make sure that TGE really has +taken effect. + +Cc: stable@vger.kernel.org +Acked-by: Christoffer Dall +Reviewed-by: James Morse +Signed-off-by: Marc Zyngier +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kvm/hyp/tlb.c | 35 +++++++++++++++++++++++++---------- + 1 file changed, 25 insertions(+), 10 deletions(-) + +diff --git a/arch/arm64/kvm/hyp/tlb.c b/arch/arm64/kvm/hyp/tlb.c +index 73464a96c3657..db23c6e5c885c 100644 +--- a/arch/arm64/kvm/hyp/tlb.c ++++ b/arch/arm64/kvm/hyp/tlb.c +@@ -15,13 +15,18 @@ + * along with this program. If not, see . + */ + ++#include ++ + #include + #include + +-static void __hyp_text __tlb_switch_to_guest_vhe(struct kvm *kvm) ++static void __hyp_text __tlb_switch_to_guest_vhe(struct kvm *kvm, ++ unsigned long *flags) + { + u64 val; + ++ local_irq_save(*flags); ++ + /* + * With VHE enabled, we have HCR_EL2.{E2H,TGE} = {1,1}, and + * most TLB operations target EL2/EL0. 
In order to affect the +@@ -36,7 +41,8 @@ static void __hyp_text __tlb_switch_to_guest_vhe(struct kvm *kvm) + isb(); + } + +-static void __hyp_text __tlb_switch_to_guest_nvhe(struct kvm *kvm) ++static void __hyp_text __tlb_switch_to_guest_nvhe(struct kvm *kvm, ++ unsigned long *flags) + { + write_sysreg(kvm->arch.vttbr, vttbr_el2); + isb(); +@@ -47,7 +53,8 @@ static hyp_alternate_select(__tlb_switch_to_guest, + __tlb_switch_to_guest_vhe, + ARM64_HAS_VIRT_HOST_EXTN); + +-static void __hyp_text __tlb_switch_to_host_vhe(struct kvm *kvm) ++static void __hyp_text __tlb_switch_to_host_vhe(struct kvm *kvm, ++ unsigned long flags) + { + /* + * We're done with the TLB operation, let's restore the host's +@@ -55,9 +62,12 @@ static void __hyp_text __tlb_switch_to_host_vhe(struct kvm *kvm) + */ + write_sysreg(0, vttbr_el2); + write_sysreg(HCR_HOST_VHE_FLAGS, hcr_el2); ++ isb(); ++ local_irq_restore(flags); + } + +-static void __hyp_text __tlb_switch_to_host_nvhe(struct kvm *kvm) ++static void __hyp_text __tlb_switch_to_host_nvhe(struct kvm *kvm, ++ unsigned long flags) + { + write_sysreg(0, vttbr_el2); + } +@@ -69,11 +79,13 @@ static hyp_alternate_select(__tlb_switch_to_host, + + void __hyp_text __kvm_tlb_flush_vmid_ipa(struct kvm *kvm, phys_addr_t ipa) + { ++ unsigned long flags; ++ + dsb(ishst); + + /* Switch to requested VMID */ + kvm = kern_hyp_va(kvm); +- __tlb_switch_to_guest()(kvm); ++ __tlb_switch_to_guest()(kvm, &flags); + + /* + * We could do so much better if we had the VA as well. 
+@@ -116,36 +128,39 @@ void __hyp_text __kvm_tlb_flush_vmid_ipa(struct kvm *kvm, phys_addr_t ipa) + if (!has_vhe() && icache_is_vpipt()) + __flush_icache_all(); + +- __tlb_switch_to_host()(kvm); ++ __tlb_switch_to_host()(kvm, flags); + } + + void __hyp_text __kvm_tlb_flush_vmid(struct kvm *kvm) + { ++ unsigned long flags; ++ + dsb(ishst); + + /* Switch to requested VMID */ + kvm = kern_hyp_va(kvm); +- __tlb_switch_to_guest()(kvm); ++ __tlb_switch_to_guest()(kvm, &flags); + + __tlbi(vmalls12e1is); + dsb(ish); + isb(); + +- __tlb_switch_to_host()(kvm); ++ __tlb_switch_to_host()(kvm, flags); + } + + void __hyp_text __kvm_tlb_flush_local_vmid(struct kvm_vcpu *vcpu) + { + struct kvm *kvm = kern_hyp_va(kern_hyp_va(vcpu)->kvm); ++ unsigned long flags; + + /* Switch to requested VMID */ +- __tlb_switch_to_guest()(kvm); ++ __tlb_switch_to_guest()(kvm, &flags); + + __tlbi(vmalle1); + dsb(nsh); + isb(); + +- __tlb_switch_to_host()(kvm); ++ __tlb_switch_to_host()(kvm, flags); + } + + void __hyp_text __kvm_flush_vm_context(void) +-- +2.20.1 + diff --git a/queue-4.14/bcache-correct-dirty-data-statistics.patch b/queue-4.14/bcache-correct-dirty-data-statistics.patch new file mode 100644 index 00000000000..ed9fa37bb85 --- /dev/null +++ b/queue-4.14/bcache-correct-dirty-data-statistics.patch 
@@ -0,0 +1,43 @@ +From b7ee0e0b4380cafe32915f704e91b2b41b645d3d Mon Sep 17 00:00:00 2001 +From: Tang Junhui +Date: Mon, 8 Oct 2018 20:41:12 +0800 +Subject: bcache: correct dirty data statistics + +[ Upstream commit 2e17a262a2371d38d2ec03614a2675a32cef9912 ] + +When bcache device is clean, dirty keys may still exist after +journal replay, so we need to count these dirty keys even +device in clean status, otherwise after writeback, the amount +of dirty data would be incorrect. + +Signed-off-by: Tang Junhui +Cc: stable@vger.kernel.org +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/super.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index fe6e4c319b7cf..9e875aba41b9b 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1045,12 +1045,13 @@ int bch_cached_dev_attach(struct cached_dev *dc, struct cache_set *c, + } + + if (BDEV_STATE(&dc->sb) == BDEV_STATE_DIRTY) { +- bch_sectors_dirty_init(&dc->disk); + atomic_set(&dc->has_dirty, 1); + atomic_inc(&dc->count); + bch_writeback_queue(dc); + } + ++ bch_sectors_dirty_init(&dc->disk); ++ + bch_cached_dev_run(dc); + bcache_device_link(&dc->disk, c, "bdev"); + +-- +2.20.1 + diff --git a/queue-4.14/btrfs-fix-missing-delayed-iputs-on-unmount.patch b/queue-4.14/btrfs-fix-missing-delayed-iputs-on-unmount.patch new file mode 100644 index 00000000000..03438762ed1 --- /dev/null +++ b/queue-4.14/btrfs-fix-missing-delayed-iputs-on-unmount.patch 
@@ -0,0 +1,156 @@ +From 901d9733a9d8500011a0b7d69f8d40ccf1f3d503 Mon Sep 17 00:00:00 2001 +From: Omar Sandoval +Date: Wed, 31 Oct 2018 10:06:08 -0700 +Subject: Btrfs: fix missing delayed iputs on unmount + +[ Upstream commit d6fd0ae25c6495674dc5a41a8d16bc8e0073276d ] + +There's a race between close_ctree() and cleaner_kthread(). +close_ctree() sets btrfs_fs_closing(), and the cleaner stops when it +sees it set, but this is racy; the cleaner might have already checked +the bit and could be cleaning stuff. In particular, if it deletes unused +block groups, it will create delayed iputs for the free space cache +inodes. As of "btrfs: don't run delayed_iputs in commit", we're no +longer running delayed iputs after a commit. Therefore, if the cleaner +creates more delayed iputs after delayed iputs are run in +btrfs_commit_super(), we will leak inodes on unmount and get a busy +inode crash from the VFS. + +Fix it by parking the cleaner before we actually close anything. Then, +any remaining delayed iputs will always be handled in +btrfs_commit_super(). This also ensures that the commit in close_ctree() +is really the last commit, so we can get rid of the commit in +cleaner_kthread(). + +The fstest/generic/475 followed by 476 can trigger a crash that +manifests as a slab corruption caused by accessing the freed kthread +structure by a wake up function. 
Sample trace: + +[ 5657.077612] BUG: unable to handle kernel NULL pointer dereference at 00000000000000cc +[ 5657.079432] PGD 1c57a067 P4D 1c57a067 PUD da10067 PMD 0 +[ 5657.080661] Oops: 0000 [#1] PREEMPT SMP +[ 5657.081592] CPU: 1 PID: 5157 Comm: fsstress Tainted: G W 4.19.0-rc8-default+ #323 +[ 5657.083703] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626cc-prebuilt.qemu-project.org 04/01/2014 +[ 5657.086577] RIP: 0010:shrink_page_list+0x2f9/0xe90 +[ 5657.091937] RSP: 0018:ffffb5c745c8f728 EFLAGS: 00010287 +[ 5657.092953] RAX: 0000000000000074 RBX: ffffb5c745c8f830 RCX: 0000000000000000 +[ 5657.094590] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff9a8747fdf3d0 +[ 5657.095987] RBP: ffffb5c745c8f9e0 R08: 0000000000000000 R09: 0000000000000000 +[ 5657.097159] R10: ffff9a8747fdf5e8 R11: 0000000000000000 R12: ffffb5c745c8f788 +[ 5657.098513] R13: ffff9a877f6ff2c0 R14: ffff9a877f6ff2c8 R15: dead000000000200 +[ 5657.099689] FS: 00007f948d853b80(0000) GS:ffff9a877d600000(0000) knlGS:0000000000000000 +[ 5657.101032] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 5657.101953] CR2: 00000000000000cc CR3: 00000000684bd000 CR4: 00000000000006e0 +[ 5657.103159] Call Trace: +[ 5657.103776] shrink_inactive_list+0x194/0x410 +[ 5657.104671] shrink_node_memcg.constprop.84+0x39a/0x6a0 +[ 5657.105750] shrink_node+0x62/0x1c0 +[ 5657.106529] try_to_free_pages+0x1a4/0x500 +[ 5657.107408] __alloc_pages_slowpath+0x2c9/0xb20 +[ 5657.108418] __alloc_pages_nodemask+0x268/0x2b0 +[ 5657.109348] kmalloc_large_node+0x37/0x90 +[ 5657.110205] __kmalloc_node+0x236/0x310 +[ 5657.111014] kvmalloc_node+0x3e/0x70 + +Fixes: 30928e9baac2 ("btrfs: don't run delayed_iputs in commit") +Signed-off-by: Omar Sandoval +Reviewed-by: David Sterba +[ add trace ] +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 51 ++++++++++++++-------------------------------- + 1 file changed, 15 insertions(+), 36 deletions(-) + +diff --git 
a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index e0bdc0c902e44..813834552aa10 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -1688,9 +1688,8 @@ static int cleaner_kthread(void *arg) + struct btrfs_root *root = arg; + struct btrfs_fs_info *fs_info = root->fs_info; + int again; +- struct btrfs_trans_handle *trans; + +- do { ++ while (1) { + again = 0; + + /* Make the cleaner go to sleep early. */ +@@ -1739,42 +1738,16 @@ static int cleaner_kthread(void *arg) + */ + btrfs_delete_unused_bgs(fs_info); + sleep: ++ if (kthread_should_park()) ++ kthread_parkme(); ++ if (kthread_should_stop()) ++ return 0; + if (!again) { + set_current_state(TASK_INTERRUPTIBLE); +- if (!kthread_should_stop()) +- schedule(); ++ schedule(); + __set_current_state(TASK_RUNNING); + } +- } while (!kthread_should_stop()); +- +- /* +- * Transaction kthread is stopped before us and wakes us up. +- * However we might have started a new transaction and COWed some +- * tree blocks when deleting unused block groups for example. So +- * make sure we commit the transaction we started to have a clean +- * shutdown when evicting the btree inode - if it has dirty pages +- * when we do the final iput() on it, eviction will trigger a +- * writeback for it which will fail with null pointer dereferences +- * since work queues and other resources were already released and +- * destroyed by the time the iput/eviction/writeback is made. 
+- */ +- trans = btrfs_attach_transaction(root); +- if (IS_ERR(trans)) { +- if (PTR_ERR(trans) != -ENOENT) +- btrfs_err(fs_info, +- "cleaner transaction attach returned %ld", +- PTR_ERR(trans)); +- } else { +- int ret; +- +- ret = btrfs_commit_transaction(trans); +- if (ret) +- btrfs_err(fs_info, +- "cleaner open transaction commit returned %d", +- ret); + } +- +- return 0; + } + + static int transaction_kthread(void *arg) +@@ -3713,6 +3686,13 @@ void close_ctree(struct btrfs_fs_info *fs_info) + int ret; + + set_bit(BTRFS_FS_CLOSING_START, &fs_info->flags); ++ /* ++ * We don't want the cleaner to start new transactions, add more delayed ++ * iputs, etc. while we're closing. We can't use kthread_stop() yet ++ * because that frees the task_struct, and the transaction kthread might ++ * still try to wake up the cleaner. ++ */ ++ kthread_park(fs_info->cleaner_kthread); + + /* wait for the qgroup rescan worker to stop */ + btrfs_qgroup_wait_for_completion(fs_info, false); +@@ -3740,9 +3720,8 @@ void close_ctree(struct btrfs_fs_info *fs_info) + + if (!sb_rdonly(fs_info->sb)) { + /* +- * If the cleaner thread is stopped and there are +- * block groups queued for removal, the deletion will be +- * skipped when we quit the cleaner thread. ++ * The cleaner kthread is stopped, so do one final pass over ++ * unused block groups. + */ + btrfs_delete_unused_bgs(fs_info); + +-- +2.20.1 + diff --git a/queue-4.14/cifs-fix-memory-leak-in-smb2_read.patch b/queue-4.14/cifs-fix-memory-leak-in-smb2_read.patch new file mode 100644 index 00000000000..5a49f0503ac --- /dev/null +++ b/queue-4.14/cifs-fix-memory-leak-in-smb2_read.patch 
@@ -0,0 +1,35 @@ +From c9b34dcc57169cb479added6d1ff8eb1c77060a4 Mon Sep 17 00:00:00 2001 +From: Ronnie Sahlberg +Date: Tue, 23 Apr 2019 16:39:45 +1000 +Subject: cifs: fix memory leak in SMB2_read + +[ Upstream commit 05fd5c2c61732152a6bddc318aae62d7e436629b ] + +Commit 088aaf17aa79300cab14dbee2569c58cfafd7d6e introduced a leak where +if SMB2_read() returned an error we would return without freeing the +request buffer. + +Cc: Stable +Signed-off-by: Ronnie Sahlberg +Reviewed-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2pdu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index fd2d199dd413e..7936eac5a38a2 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -2699,6 +2699,7 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms, + cifs_dbg(VFS, "Send error in read = %d\n", rc); + } + free_rsp_buf(resp_buftype, rsp_iov.iov_base); ++ cifs_small_buf_release(req); + return rc == -ENODATA ? 0 : rc; + } + +-- +2.20.1 + diff --git a/queue-4.14/clocksource-drivers-oxnas-fix-ox820-compatible.patch b/queue-4.14/clocksource-drivers-oxnas-fix-ox820-compatible.patch new file mode 100644 index 00000000000..fa83cd13cd9 --- /dev/null +++ b/queue-4.14/clocksource-drivers-oxnas-fix-ox820-compatible.patch 
@@ -0,0 +1,31 @@ +From acddfc58ab807410f2acac8fd4b8b82411e48994 Mon Sep 17 00:00:00 2001 +From: Neil Armstrong +Date: Tue, 12 Mar 2019 11:32:56 +0100 +Subject: clocksource/drivers/oxnas: Fix OX820 compatible + +[ Upstream commit fbc87aa0f7c429999dc31f1bac3b2615008cac32 ] + +The OX820 compatible is wrong is the driver, fix it. + +Fixes: 2ea3401e2a84 ("clocksource/drivers/oxnas: Add OX820 compatible") +Reported-by: Daniel Golle +Signed-off-by: Neil Armstrong +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-oxnas-rps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clocksource/timer-oxnas-rps.c b/drivers/clocksource/timer-oxnas-rps.c +index eed6feff8b5f2..30c6f4ce672b3 100644 +--- a/drivers/clocksource/timer-oxnas-rps.c ++++ b/drivers/clocksource/timer-oxnas-rps.c +@@ -296,4 +296,4 @@ static int __init oxnas_rps_timer_init(struct device_node *np) + TIMER_OF_DECLARE(ox810se_rps, + "oxsemi,ox810se-rps-timer", oxnas_rps_timer_init); + TIMER_OF_DECLARE(ox820_rps, +- "oxsemi,ox820se-rps-timer", oxnas_rps_timer_init); ++ "oxsemi,ox820-rps-timer", oxnas_rps_timer_init); +-- +2.20.1 + diff --git a/queue-4.14/crypto-testmgr-add-aes-cfb-tests.patch b/queue-4.14/crypto-testmgr-add-aes-cfb-tests.patch new file mode 100644 index 00000000000..b79fd298b14 --- /dev/null +++ b/queue-4.14/crypto-testmgr-add-aes-cfb-tests.patch 
@@ -0,0 +1,151 @@ +From 254adaaaed9d2c410376229a0ec2fa8963e1d8b2 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov +Date: Sat, 20 Oct 2018 02:01:53 +0300 +Subject: crypto: testmgr - add AES-CFB tests + +[ Upstream commit 7da66670775d201f633577f5b15a4bbeebaaa2b0 ] + +Add AES128/192/256-CFB testvectors from NIST SP800-38A. + +Signed-off-by: Dmitry Eremin-Solenikov +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Eremin-Solenikov +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/tcrypt.c | 5 ++++ + crypto/testmgr.c | 7 +++++ + crypto/testmgr.h | 76 ++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 88 insertions(+) + +diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c +index f7affe7cf0b47..76df552f099ba 100644 +--- a/crypto/tcrypt.c ++++ b/crypto/tcrypt.c +@@ -1099,6 +1099,7 @@ static int do_test(const char *alg, u32 type, u32 mask, int m) + ret += tcrypt_test("xts(aes)"); + ret += tcrypt_test("ctr(aes)"); + ret += tcrypt_test("rfc3686(ctr(aes))"); ++ ret += tcrypt_test("cfb(aes)"); + break; + + case 11: +@@ -1422,6 +1423,10 @@ static int do_test(const char *alg, u32 type, u32 mask, int m) + speed_template_16_24_32); + test_cipher_speed("ctr(aes)", DECRYPT, sec, NULL, 0, + speed_template_16_24_32); ++ test_cipher_speed("cfb(aes)", ENCRYPT, sec, NULL, 0, ++ speed_template_16_24_32); ++ test_cipher_speed("cfb(aes)", DECRYPT, sec, NULL, 0, ++ speed_template_16_24_32); + break; + + case 201: +diff --git a/crypto/testmgr.c b/crypto/testmgr.c +index d91278c01ea89..e65c8228ea47a 100644 +--- a/crypto/testmgr.c ++++ b/crypto/testmgr.c +@@ -2631,6 +2631,13 @@ static const struct alg_test_desc alg_test_descs[] = { + .dec = __VECS(aes_ccm_dec_tv_template) + } + } ++ }, { ++ .alg = "cfb(aes)", ++ .test = alg_test_skcipher, ++ .fips_allowed = 1, ++ .suite = { ++ .cipher = __VECS(aes_cfb_tv_template) ++ }, + }, { + .alg = "chacha20", + .test = alg_test_skcipher, +diff --git a/crypto/testmgr.h b/crypto/testmgr.h +index 
12835f072614f..5bd9c1400fee0 100644 +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -16071,6 +16071,82 @@ static const struct cipher_testvec aes_cbc_dec_tv_template[] = { + }, + }; + ++static const struct cipher_testvec aes_cfb_tv_template[] = { ++ { /* From NIST SP800-38A */ ++ .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6" ++ "\xab\xf7\x15\x88\x09\xcf\x4f\x3c", ++ .klen = 16, ++ .iv = "\x00\x01\x02\x03\x04\x05\x06\x07" ++ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", ++ .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96" ++ "\xe9\x3d\x7e\x11\x73\x93\x17\x2a" ++ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c" ++ "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51" ++ "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11" ++ "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef" ++ "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17" ++ "\xad\x2b\x41\x7b\xe6\x6c\x37\x10", ++ .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad\x20" ++ "\x33\x34\x49\xf8\xe8\x3c\xfb\x4a" ++ "\xc8\xa6\x45\x37\xa0\xb3\xa9\x3f" ++ "\xcd\xe3\xcd\xad\x9f\x1c\xe5\x8b" ++ "\x26\x75\x1f\x67\xa3\xcb\xb1\x40" ++ "\xb1\x80\x8c\xf1\x87\xa4\xf4\xdf" ++ "\xc0\x4b\x05\x35\x7c\x5d\x1c\x0e" ++ "\xea\xc4\xc6\x6f\x9f\xf7\xf2\xe6", ++ .len = 64, ++ }, { ++ .key = "\x8e\x73\xb0\xf7\xda\x0e\x64\x52" ++ "\xc8\x10\xf3\x2b\x80\x90\x79\xe5" ++ "\x62\xf8\xea\xd2\x52\x2c\x6b\x7b", ++ .klen = 24, ++ .iv = "\x00\x01\x02\x03\x04\x05\x06\x07" ++ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", ++ .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96" ++ "\xe9\x3d\x7e\x11\x73\x93\x17\x2a" ++ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c" ++ "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51" ++ "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11" ++ "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef" ++ "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17" ++ "\xad\x2b\x41\x7b\xe6\x6c\x37\x10", ++ .ctext = "\xcd\xc8\x0d\x6f\xdd\xf1\x8c\xab" ++ "\x34\xc2\x59\x09\xc9\x9a\x41\x74" ++ "\x67\xce\x7f\x7f\x81\x17\x36\x21" ++ "\x96\x1a\x2b\x70\x17\x1d\x3d\x7a" ++ "\x2e\x1e\x8a\x1d\xd5\x9b\x88\xb1" ++ "\xc8\xe6\x0f\xed\x1e\xfa\xc4\xc9" ++ "\xc0\x5f\x9f\x9c\xa9\x83\x4f\xa0" ++ "\x42\xae\x8f\xba\x58\x4b\x09\xff", ++ .len = 64, ++ }, { ++ .key = 
"\x60\x3d\xeb\x10\x15\xca\x71\xbe" ++ "\x2b\x73\xae\xf0\x85\x7d\x77\x81" ++ "\x1f\x35\x2c\x07\x3b\x61\x08\xd7" ++ "\x2d\x98\x10\xa3\x09\x14\xdf\xf4", ++ .klen = 32, ++ .iv = "\x00\x01\x02\x03\x04\x05\x06\x07" ++ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", ++ .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96" ++ "\xe9\x3d\x7e\x11\x73\x93\x17\x2a" ++ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c" ++ "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51" ++ "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11" ++ "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef" ++ "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17" ++ "\xad\x2b\x41\x7b\xe6\x6c\x37\x10", ++ .ctext = "\xdc\x7e\x84\xbf\xda\x79\x16\x4b" ++ "\x7e\xcd\x84\x86\x98\x5d\x38\x60" ++ "\x39\xff\xed\x14\x3b\x28\xb1\xc8" ++ "\x32\x11\x3c\x63\x31\xe5\x40\x7b" ++ "\xdf\x10\x13\x24\x15\xe5\x4b\x92" ++ "\xa1\x3e\xd0\xa8\x26\x7a\xe2\xf9" ++ "\x75\xa3\x85\x74\x1a\xb9\xce\xf8" ++ "\x20\x31\x62\x3d\x55\xb1\xe4\x71", ++ .len = 64, ++ }, ++}; ++ + static const struct aead_testvec hmac_md5_ecb_cipher_null_enc_tv_template[] = { + { /* Input data from RFC 2410 Case 1 */ + #ifdef __LITTLE_ENDIAN +-- +2.20.1 + diff --git a/queue-4.14/devres-align-data-to-arch_kmalloc_minalign.patch b/queue-4.14/devres-align-data-to-arch_kmalloc_minalign.patch new file mode 100644 index 00000000000..624bffd6973 --- /dev/null +++ b/queue-4.14/devres-align-data-to-arch_kmalloc_minalign.patch 
@@ -0,0 +1,60 @@ +From 1ea02124263c277c43e6e7bc54a0a78131697b65 Mon Sep 17 00:00:00 2001 +From: Alexey Brodkin +Date: Wed, 31 Oct 2018 18:25:47 +0300 +Subject: devres: Align data[] to ARCH_KMALLOC_MINALIGN + +[ Upstream commit a66d972465d15b1d89281258805eb8b47d66bd36 ] + +Initially we bumped into problem with 32-bit aligned atomic64_t +on ARC, see [1]. And then during quite lengthly discussion Peter Z. +mentioned ARCH_KMALLOC_MINALIGN which IMHO makes perfect sense. +If allocation is done by plain kmalloc() obtained buffer will be +ARCH_KMALLOC_MINALIGN aligned and then why buffer obtained via +devm_kmalloc() should have any other alignment? + +This way we at least get the same behavior for both types of +allocation. + +[1] http://lists.infradead.org/pipermail/linux-snps-arc/2018-July/004009.html +[2] http://lists.infradead.org/pipermail/linux-snps-arc/2018-July/004036.html + +Signed-off-by: Alexey Brodkin +Cc: Greg Kroah-Hartman +Cc: Geert Uytterhoeven +Cc: David Laight +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Vineet Gupta +Cc: Will Deacon +Cc: Greg KH +Cc: # 4.8+ +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/devres.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/base/devres.c b/drivers/base/devres.c +index 71d577025285b..e43a04a495a31 100644 +--- a/drivers/base/devres.c ++++ b/drivers/base/devres.c +@@ -25,8 +25,14 @@ struct devres_node { + + struct devres { + struct devres_node node; +- /* -- 3 pointers */ +- unsigned long long data[]; /* guarantee ull alignment */ ++ /* ++ * Some archs want to perform DMA into kmalloc caches ++ * and need a guaranteed alignment larger than ++ * the alignment of a 64-bit integer. ++ * Thus we use ARCH_KMALLOC_MINALIGN here and get exactly the same ++ * buffer alignment as if it was allocated by plain kmalloc(). ++ */ ++ u8 __aligned(ARCH_KMALLOC_MINALIGN) data[]; + }; + + struct devres_group { +-- +2.20.1 + 
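Review bot: in the struct devres hunk of drivers/base/devres.c, `u8 __aligned(ARCH_KMALLOC_MINALIGN) data[];` raises the alignment of the whole structure, so the header in front of data[] is padded up to ARCH_KMALLOC_MINALIGN for every managed allocation. The new comment gives the DMA reason but says nothing about that cost, and the old "3 pointers" size hint is removed with no replacement. Suggest stating the per-allocation overhead in the comment so that anyone doing size arithmetic on sizeof(struct devres) on an architecture with a large ARCH_KMALLOC_MINALIGN knows to expect it.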
diff --git a/queue-4.14/drm-i915-disable-lp3-watermarks-on-all-snb-machines.patch b/queue-4.14/drm-i915-disable-lp3-watermarks-on-all-snb-machines.patch new file mode 100644 index 00000000000..f845831cd0a --- /dev/null +++ b/queue-4.14/drm-i915-disable-lp3-watermarks-on-all-snb-machines.patch 
@@ -0,0 +1,137 @@ +From ac7e5af49d6b2ca5128df025c4020b3ea372de51 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Wed, 14 Nov 2018 19:34:40 +0200 +Subject: drm/i915: Disable LP3 watermarks on all SNB machines +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 03981c6ebec4fc7056b9b45f847393aeac90d060 ] + +I have a Thinkpad X220 Tablet in my hands that is losing vblank +interrupts whenever LP3 watermarks are used. + +If I nudge the latency value written to the WM3 register just +by one in either direction the problem disappears. That to me +suggests that the punit will not enter the corrsponding +powersave mode (MPLL shutdown IIRC) unless the latency value +in the register matches exactly what we read from SSKPD. Ie. +it's not really a latency value but rather just a cookie +by which the punit can identify the desired power saving state. +On HSW/BDW this was changed such that we actually just write +the WM level number into those bits, which makes much more +sense given the observed behaviour. + +We could try to handle this by disallowing LP3 watermarks +only when vblank interrupts are enabled but we'd first have +to prove that only vblank interrupts are affected, which +seems unlikely. Also we can't grab the wm mutex from the +vblank enable/disable hooks because those are called with +various spinlocks held. Thus we'd have to redesigne the +watermark locking. So to play it safe and keep the code +simple we simply disable LP3 watermarks on all SNB machines. + +To do that we simply zero out the latency values for +watermark level 3, and we adjust the watermark computation +to check for that. The behaviour now matches that of the +g4x/vlv/skl wm code in the presence of a zeroed latency +value. 
+ +v2: s/USHRT_MAX/U32_MAX/ for consistency with the types (Chris) + +Cc: stable@vger.kernel.org +Cc: Chris Wilson +Acked-by: Chris Wilson +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101269 +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103713 +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20181114173440.6730-1-ville.syrjala@linux.intel.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/intel_pm.c | 41 ++++++++++++++++++++++++++++++++- + 1 file changed, 40 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c +index 87cccb5f8c5da..96a5237741e0c 100644 +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -2471,6 +2471,9 @@ static uint32_t ilk_compute_pri_wm(const struct intel_crtc_state *cstate, + uint32_t method1, method2; + int cpp; + ++ if (mem_value == 0) ++ return U32_MAX; ++ + if (!intel_wm_plane_visible(cstate, pstate)) + return 0; + +@@ -2500,6 +2503,9 @@ static uint32_t ilk_compute_spr_wm(const struct intel_crtc_state *cstate, + uint32_t method1, method2; + int cpp; + ++ if (mem_value == 0) ++ return U32_MAX; ++ + if (!intel_wm_plane_visible(cstate, pstate)) + return 0; + +@@ -2523,6 +2529,9 @@ static uint32_t ilk_compute_cur_wm(const struct intel_crtc_state *cstate, + { + int cpp; + ++ if (mem_value == 0) ++ return U32_MAX; ++ + if (!intel_wm_plane_visible(cstate, pstate)) + return 0; + +@@ -2981,6 +2990,34 @@ static void snb_wm_latency_quirk(struct drm_i915_private *dev_priv) + intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency); + } + ++static void snb_wm_lp3_irq_quirk(struct drm_i915_private *dev_priv) ++{ ++ /* ++ * On some SNB machines (Thinkpad X220 Tablet at least) ++ * LP3 usage can cause vblank interrupts to be lost. ++ * The DEIIR bit will go high but it looks like the CPU ++ * never gets interrupted. 
++ * ++ * It's not clear whether other interrupt source could ++ * be affected or if this is somehow limited to vblank ++ * interrupts only. To play it safe we disable LP3 ++ * watermarks entirely. ++ */ ++ if (dev_priv->wm.pri_latency[3] == 0 && ++ dev_priv->wm.spr_latency[3] == 0 && ++ dev_priv->wm.cur_latency[3] == 0) ++ return; ++ ++ dev_priv->wm.pri_latency[3] = 0; ++ dev_priv->wm.spr_latency[3] = 0; ++ dev_priv->wm.cur_latency[3] = 0; ++ ++ DRM_DEBUG_KMS("LP3 watermarks disabled due to potential for lost interrupts\n"); ++ intel_print_wm_latency(dev_priv, "Primary", dev_priv->wm.pri_latency); ++ intel_print_wm_latency(dev_priv, "Sprite", dev_priv->wm.spr_latency); ++ intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency); ++} ++ + static void ilk_setup_wm_latency(struct drm_i915_private *dev_priv) + { + intel_read_wm_latency(dev_priv, dev_priv->wm.pri_latency); +@@ -2997,8 +3034,10 @@ static void ilk_setup_wm_latency(struct drm_i915_private *dev_priv) + intel_print_wm_latency(dev_priv, "Sprite", dev_priv->wm.spr_latency); + intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency); + +- if (IS_GEN6(dev_priv)) ++ if (IS_GEN6(dev_priv)) { + snb_wm_latency_quirk(dev_priv); ++ snb_wm_lp3_irq_quirk(dev_priv); ++ } + } + + static void skl_setup_wm_latency(struct drm_i915_private *dev_priv) +-- +2.20.1 + diff --git a/queue-4.14/drm-i915-downgrade-gen9-plane-wm-latency-error.patch b/queue-4.14/drm-i915-downgrade-gen9-plane-wm-latency-error.patch new file mode 100644 index 00000000000..8bea0bba1d1 --- /dev/null +++ b/queue-4.14/drm-i915-downgrade-gen9-plane-wm-latency-error.patch 
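Review bot: in drivers/gpu/drm/i915/intel_pm.c, the new `if (mem_value == 0) return U32_MAX;` early returns in ilk_compute_pri_wm(), ilk_compute_spr_wm() and ilk_compute_cur_wm() use U32_MAX as an undocumented sentinel for a disabled watermark level. Add a one-line comment at each site saying that a zero latency means the level must not be used, and that the check is deliberately placed ahead of intel_wm_plane_visible(), so an invisible plane also returns U32_MAX rather than 0 at a zeroed level. The helpers are named ilk_*, so the check applies wherever they are called with a zero latency, not only on the IS_GEN6() machines whose level 3 latencies snb_wm_lp3_irq_quirk() zeroes; the comment should say that too.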
@@ -0,0 +1,39 @@ +From 7692ef99e1230cfec4b5cf58d8669945fe3f43c7 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Thu, 26 Jul 2018 17:15:27 +0100 +Subject: drm/i915: Downgrade Gen9 Plane WM latency error + +[ Upstream commit 86c1c87d0e6241cbe35bd52badfc84b154e1b959 ] + +According to intel_read_wm_latency() it is perfectly legal for one WM +and all subsequent levels to be 0 (and the deeper powersaving states +disabled), so don't shout *ERROR*, over and over again. + +Signed-off-by: Chris Wilson +Cc: Maarten Lankhorst +Cc: Ville Syrjala +Acked-by: Maarten Lankhorst +Link: https://patchwork.freedesktop.org/patch/msgid/20180726161527.10516-1-chris@chris-wilson.co.uk +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/intel_pm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c +index 96a5237741e0c..cb377b003321a 100644 +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -2934,8 +2934,8 @@ static void intel_print_wm_latency(struct drm_i915_private *dev_priv, + unsigned int latency = wm[level]; + + if (latency == 0) { +- DRM_ERROR("%s WM%d latency not provided\n", +- name, level); ++ DRM_DEBUG_KMS("%s WM%d latency not provided\n", ++ name, level); + continue; + } + +-- +2.20.1 + diff --git a/queue-4.14/drm-imx-don-t-skip-dp-channel-disable-for-background.patch b/queue-4.14/drm-imx-don-t-skip-dp-channel-disable-for-background.patch new file mode 100644 index 00000000000..202b0946530 --- /dev/null +++ b/queue-4.14/drm-imx-don-t-skip-dp-channel-disable-for-background.patch 
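Review bot: in intel_print_wm_latency(), the downgrade to DRM_DEBUG_KMS applies to every zero entry the loop meets, while the commit message only argues that one level and all subsequent levels being 0 is legal. A zero at WM0, or a zero followed by a non-zero level, is now also reported at debug level only; consider keeping DRM_ERROR for those cases. For this queue, note that the hunk's pre-image blob (96a5237741e0c) is the post-image of the LP3 watermark patch, and that snb_wm_lp3_irq_quirk() in that patch calls this function right after zeroing level 3, so the two need to be applied in that order.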
@@ -0,0 +1,32 @@ +From 33d00729ccbc9ca9536a373afdca4ac0bae86179 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Fri, 12 Apr 2019 17:59:41 +0200 +Subject: drm/imx: don't skip DP channel disable for background plane + +[ Upstream commit 7bcde275eb1d0ac8793c77c7e666a886eb16633d ] + +In order to make sure that the plane color space gets reset correctly. + +Signed-off-by: Lucas Stach +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/imx/ipuv3-crtc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/imx/ipuv3-crtc.c b/drivers/gpu/drm/imx/ipuv3-crtc.c +index d976391dfa31c..957fbf8c55ebc 100644 +--- a/drivers/gpu/drm/imx/ipuv3-crtc.c ++++ b/drivers/gpu/drm/imx/ipuv3-crtc.c +@@ -79,7 +79,7 @@ static void ipu_crtc_disable_planes(struct ipu_crtc *ipu_crtc, + if (disable_partial) + ipu_plane_disable(ipu_crtc->plane[1], true); + if (disable_full) +- ipu_plane_disable(ipu_crtc->plane[0], false); ++ ipu_plane_disable(ipu_crtc->plane[0], true); + } + + static void ipu_crtc_atomic_disable(struct drm_crtc *crtc, +-- +2.20.1 + diff --git a/queue-4.14/drm-rockchip-fix-for-mailbox-read-validation.patch b/queue-4.14/drm-rockchip-fix-for-mailbox-read-validation.patch new file mode 100644 index 00000000000..3751e58a5f4 --- /dev/null +++ b/queue-4.14/drm-rockchip-fix-for-mailbox-read-validation.patch 
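Review bot: in ipu_crtc_disable_planes(), the change of the second argument of ipu_plane_disable() for plane[0] from false to true is explained only by a sentence fragment in the commit message, which neither names the parameter nor says where the color space is reset. The subject indicates the flag controls the DP channel disable, and the reset it relies on appears to be the `dp->in_cs = IPUV3_COLORSPACE_UNKNOWN;` assignment that gpu-ipu-v3-dp-fix-csc-handling.patch in this queue adds to ipu_dp_disable_channel(); say so in the message and keep the two patches together when backporting.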
@@ -0,0 +1,37 @@ +From 47a1d645e59ab3e54e7b28c2f144628dfcbb4434 Mon Sep 17 00:00:00 2001 +From: Damian Kos +Date: Mon, 19 Nov 2018 15:14:14 +0000 +Subject: drm/rockchip: fix for mailbox read validation. + +[ Upstream commit e4056bbb6719fe713bfc4030ac78e8e97ddf7574 ] + +This is basically the same fix as in +commit fa68d4f8476b ("drm/rockchip: fix for mailbox read size") +but for cdn_dp_mailbox_validate_receive function. + +See patchwork.kernel.org/patch/10671981/ for details. + +Signed-off-by: Damian Kos +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/1542640463-18332-1-git-send-email-dkos@cadence.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/cdn-dp-reg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/rockchip/cdn-dp-reg.c b/drivers/gpu/drm/rockchip/cdn-dp-reg.c +index 0ed7e91471f6e..4df201d21f271 100644 +--- a/drivers/gpu/drm/rockchip/cdn-dp-reg.c ++++ b/drivers/gpu/drm/rockchip/cdn-dp-reg.c +@@ -113,7 +113,7 @@ static int cdp_dp_mailbox_write(struct cdn_dp_device *dp, u8 val) + + static int cdn_dp_mailbox_validate_receive(struct cdn_dp_device *dp, + u8 module_id, u8 opcode, +- u8 req_size) ++ u16 req_size) + { + u32 mbox_size, i; + u8 header[4]; +-- +2.20.1 + diff --git a/queue-4.14/drm-rockchip-psr-do-not-dereference-encoder-before-i.patch b/queue-4.14/drm-rockchip-psr-do-not-dereference-encoder-before-i.patch new file mode 100644 index 00000000000..a7520020121 --- /dev/null +++ b/queue-4.14/drm-rockchip-psr-do-not-dereference-encoder-before-i.patch 
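Review bot: for cdn_dp_mailbox_validate_receive(), the commit message defers to a patchwork link and to commit fa68d4f8476b instead of stating the defect. The visible change widens req_size from u8 to u16, so the problem being fixed is that a requested size above 255 cannot be passed through a u8 parameter and the function would validate against a truncated length; put that sentence in the message, and add a Fixes: tag so the stable range is clear. It is also worth checking what type each caller passes, since the hunk changes only the callee's signature.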
@@ -0,0 +1,47 @@ +From 53f5b244e023e439564566ec8a686505b6397fef Mon Sep 17 00:00:00 2001 +From: Enric Balletbo i Serra +Date: Sat, 13 Oct 2018 12:56:54 +0200 +Subject: drm/rockchip: psr: do not dereference encoder before it is null + checked. + +[ Upstream commit 4eda776c3cefcb1f01b2d85bd8753f67606282b5 ] + +'encoder' is dereferenced before it is null sanity checked, hence we +potentially have a null pointer dereference bug. Instead, initialise +drm_drv from encoder->dev->dev_private after we are sure 'encoder' is +not null. + +Fixes: 5182c1a556d7f ("drm/rockchip: add an common abstracted PSR driver") +Cc: stable@vger.kernel.org +Signed-off-by: Enric Balletbo i Serra +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20181013105654.11827-1-enric.balletbo@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_drm_psr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_psr.c b/drivers/gpu/drm/rockchip/rockchip_drm_psr.c +index a553e182ff538..32e7dba2bf5ea 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_drm_psr.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_psr.c +@@ -221,13 +221,15 @@ EXPORT_SYMBOL(rockchip_drm_psr_flush_all); + int rockchip_drm_psr_register(struct drm_encoder *encoder, + void (*psr_set)(struct drm_encoder *, bool enable)) + { +- struct rockchip_drm_private *drm_drv = encoder->dev->dev_private; ++ struct rockchip_drm_private *drm_drv; + struct psr_drv *psr; + unsigned long flags; + + if (!encoder || !psr_set) + return -EINVAL; + ++ drm_drv = encoder->dev->dev_private; ++ + psr = kzalloc(sizeof(struct psr_drv), GFP_KERNEL); + if (!psr) + return -ENOMEM; +-- +2.20.1 + diff --git a/queue-4.14/drm-sun4i-set-device-driver-data-at-bind-time-for-us.patch b/queue-4.14/drm-sun4i-set-device-driver-data-at-bind-time-for-us.patch new file mode 100644 index 00000000000..61e39184bf4 --- /dev/null 
+++ b/queue-4.14/drm-sun4i-set-device-driver-data-at-bind-time-for-us.patch @@ -0,0 +1,37 @@ +From e33a3c7bf5bbfe7cad52cf0da76f2a5bf5abfcf6 Mon Sep 17 00:00:00 2001 +From: Paul Kocialkowski +Date: Thu, 18 Apr 2019 15:27:26 +0200 +Subject: drm/sun4i: Set device driver data at bind time for use in unbind + +[ Upstream commit 02b92adbe33e6dbd15dc6e32540b22f47c4ff0a2 ] + +Our sun4i_drv_unbind gets the drm device using dev_get_drvdata. +However, that driver data is never set in sun4i_drv_bind. + +Set it there to avoid getting a NULL pointer at unbind time. + +Fixes: 9026e0d122ac ("drm: Add Allwinner A10 Display Engine support") +Signed-off-by: Paul Kocialkowski +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20190418132727.5128-3-paul.kocialkowski@bootlin.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sun4i/sun4i_drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/sun4i/sun4i_drv.c b/drivers/gpu/drm/sun4i/sun4i_drv.c +index 8d3c8070ed862..e09161cf312f7 100644 +--- a/drivers/gpu/drm/sun4i/sun4i_drv.c ++++ b/drivers/gpu/drm/sun4i/sun4i_drv.c +@@ -96,6 +96,8 @@ static int sun4i_drv_bind(struct device *dev) + ret = -ENOMEM; + goto free_drm; + } ++ ++ dev_set_drvdata(dev, drm); + drm->dev_private = drv; + INIT_LIST_HEAD(&drv->engine_list); + INIT_LIST_HEAD(&drv->tcon_list); +-- +2.20.1 + diff --git a/queue-4.14/fuse-fix-possibly-missed-wake-up-after-abort.patch b/queue-4.14/fuse-fix-possibly-missed-wake-up-after-abort.patch new file mode 100644 index 00000000000..fc109af1856 --- /dev/null +++ b/queue-4.14/fuse-fix-possibly-missed-wake-up-after-abort.patch 
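Review bot: in sun4i_drv_bind(), dev_set_drvdata(dev, drm) is placed ahead of the remaining setup in the function, and the hunk adds no matching reset. If a later step fails and unwinds through the free_drm label seen in the context lines, the device keeps driver data pointing at a drm device that has been released. Either set the driver data once bind can no longer fail, or clear it with dev_set_drvdata(dev, NULL) on the error path.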
@@ -0,0 +1,62 @@ +From 7345fc3d0e29b521060d471c9fb2610a4e2c1bde Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Fri, 9 Nov 2018 15:52:16 +0100 +Subject: fuse: fix possibly missed wake-up after abort + +[ Upstream commit 2d84a2d19b6150c6dbac1e6ebad9c82e4c123772 ] + +In current fuse_drop_waiting() implementation it's possible that +fuse_wait_aborted() will not be woken up in the unlikely case that +fuse_abort_conn() + fuse_wait_aborted() runs in between checking +fc->connected and calling atomic_dec(&fc->num_waiting). + +Do the atomic_dec_and_test() unconditionally, which also provides the +necessary barrier against reordering with the fc->connected check. + +The explicit smp_mb() in fuse_wait_aborted() is not actually needed, since +the spin_unlock() in fuse_abort_conn() provides the necessary RELEASE +barrier after resetting fc->connected. However, this is not a performance +sensitive path, and adding the explicit barrier makes it easier to +document. + +Signed-off-by: Miklos Szeredi +Fixes: b8f95e5d13f5 ("fuse: umount should wait for all requests") +Cc: #v4.19 +Signed-off-by: Sasha Levin +--- + fs/fuse/dev.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c +index 770733106d6d4..c934fab444529 100644 +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -133,9 +133,13 @@ static bool fuse_block_alloc(struct fuse_conn *fc, bool for_background) + + static void fuse_drop_waiting(struct fuse_conn *fc) + { +- if (fc->connected) { +- atomic_dec(&fc->num_waiting); +- } else if (atomic_dec_and_test(&fc->num_waiting)) { ++ /* ++ * lockess check of fc->connected is okay, because atomic_dec_and_test() ++ * provides a memory barrier mached with the one in fuse_wait_aborted() ++ * to ensure no wake-up is missed. 
++ */ ++ if (atomic_dec_and_test(&fc->num_waiting) && ++ !READ_ONCE(fc->connected)) { + /* wake up aborters */ + wake_up_all(&fc->blocked_waitq); + } +@@ -2170,6 +2174,8 @@ EXPORT_SYMBOL_GPL(fuse_abort_conn); + + void fuse_wait_aborted(struct fuse_conn *fc) + { ++ /* matches implicit memory barrier in fuse_drop_waiting() */ ++ smp_mb(); + wait_event(fc->blocked_waitq, atomic_read(&fc->num_waiting) == 0); + } + +-- +2.20.1 + diff --git a/queue-4.14/gpu-ipu-v3-dp-fix-csc-handling.patch b/queue-4.14/gpu-ipu-v3-dp-fix-csc-handling.patch new file mode 100644 index 00000000000..9755e7b9c37 --- /dev/null +++ b/queue-4.14/gpu-ipu-v3-dp-fix-csc-handling.patch 
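Review bot: for this 4.14 queue entry, the commit message carries `Fixes: b8f95e5d13f5 ("fuse: umount should wait for all requests")` and a Cc tag marked #v4.19; confirm that b8f95e5d13f5, or a backport of it, is in the 4.14 tree before applying, since the barrier pairing between fuse_drop_waiting() and fuse_wait_aborted() only matters where that commit is present. Minor: the comment added to fuse_drop_waiting() has two typos ("lockess", "mached") that are best corrected upstream rather than in the stable copy.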
@@ -0,0 +1,69 @@ +From 042fc045f312c7564f4fcc479e0227f670d45aa6 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Fri, 12 Apr 2019 17:59:40 +0200 +Subject: gpu: ipu-v3: dp: fix CSC handling + +[ Upstream commit d4fad0a426c6e26f48c9a7cdd21a7fe9c198d645 ] + +Initialize the flow input colorspaces to unknown and reset to that value +when the channel gets disabled. This avoids the state getting mixed up +with a previous mode. + +Also keep the CSC settings for the background flow intact when disabling +the foreground flow. + +Root-caused-by: Jonathan Marek +Signed-off-by: Lucas Stach +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/gpu/ipu-v3/ipu-dp.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/ipu-v3/ipu-dp.c b/drivers/gpu/ipu-v3/ipu-dp.c +index 9b2b3fa479c46..5e44ff1f20851 100644 +--- a/drivers/gpu/ipu-v3/ipu-dp.c ++++ b/drivers/gpu/ipu-v3/ipu-dp.c +@@ -195,7 +195,8 @@ int ipu_dp_setup_channel(struct ipu_dp *dp, + ipu_dp_csc_init(flow, flow->foreground.in_cs, flow->out_cs, + DP_COM_CONF_CSC_DEF_BOTH); + } else { +- if (flow->foreground.in_cs == flow->out_cs) ++ if (flow->foreground.in_cs == IPUV3_COLORSPACE_UNKNOWN || ++ flow->foreground.in_cs == flow->out_cs) + /* + * foreground identical to output, apply color + * conversion on background +@@ -261,6 +262,8 @@ void ipu_dp_disable_channel(struct ipu_dp *dp, bool sync) + struct ipu_dp_priv *priv = flow->priv; + u32 reg, csc; + ++ dp->in_cs = IPUV3_COLORSPACE_UNKNOWN; ++ + if (!dp->foreground) + return; + +@@ -268,8 +271,9 @@ void ipu_dp_disable_channel(struct ipu_dp *dp, bool sync) + + reg = readl(flow->base + DP_COM_CONF); + csc = reg & DP_COM_CONF_CSC_DEF_MASK; +- if (csc == DP_COM_CONF_CSC_DEF_FG) +- reg &= ~DP_COM_CONF_CSC_DEF_MASK; ++ reg &= ~DP_COM_CONF_CSC_DEF_MASK; ++ if (csc == DP_COM_CONF_CSC_DEF_BOTH || csc == DP_COM_CONF_CSC_DEF_BG) ++ reg |= DP_COM_CONF_CSC_DEF_BG; + + reg &= ~DP_COM_CONF_FG_EN; + writel(reg, flow->base + 
DP_COM_CONF); +@@ -347,6 +351,8 @@ int ipu_dp_init(struct ipu_soc *ipu, struct device *dev, unsigned long base) + mutex_init(&priv->mutex); + + for (i = 0; i < IPUV3_NUM_FLOWS; i++) { ++ priv->flow[i].background.in_cs = IPUV3_COLORSPACE_UNKNOWN; ++ priv->flow[i].foreground.in_cs = IPUV3_COLORSPACE_UNKNOWN; + priv->flow[i].foreground.foreground = true; + priv->flow[i].base = priv->base + ipu_dp_flow_base[i]; + priv->flow[i].priv = priv; +-- +2.20.1 + diff --git a/queue-4.14/gtp-change-net_udp_tunnel-dependency-to-select.patch b/queue-4.14/gtp-change-net_udp_tunnel-dependency-to-select.patch new file mode 100644 index 00000000000..74293f843fe --- /dev/null +++ b/queue-4.14/gtp-change-net_udp_tunnel-dependency-to-select.patch 
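Review bot: in ipu_dp_setup_channel(), the condition now also takes the branch when flow->foreground.in_cs is IPUV3_COLORSPACE_UNKNOWN, but the comment directly under it still reads "foreground identical to output, apply color conversion on background". Update the comment to cover the unknown case. In ipu_dp_disable_channel(), the new `dp->in_cs = IPUV3_COLORSPACE_UNKNOWN;` sits ahead of the `if (!dp->foreground) return;` check, so it runs for both planes; a short comment saying that this is intentional would help, because the rest of the function is foreground-only.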
@@ -0,0 +1,40 @@ +From 7e4093dbfca602a77cb16bf56129713d2d63312d Mon Sep 17 00:00:00 2001 +From: Matteo Croce +Date: Sat, 16 Mar 2019 01:00:50 +0100 +Subject: gtp: change NET_UDP_TUNNEL dependency to select + +[ Upstream commit c22da36688d6298f2e546dcc43fdc1ad35036467 ] + +Similarly to commit a7603ac1fc8c ("geneve: change NET_UDP_TUNNEL +dependency to select"), GTP has a dependency on NET_UDP_TUNNEL which +makes impossible to compile it if no other protocol depending on +NET_UDP_TUNNEL is selected. + +Fix this by changing the depends to a select, and drop NET_IP_TUNNEL from +the select list, as it already depends on NET_UDP_TUNNEL. + +Signed-off-by: Matteo Croce +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/Kconfig b/drivers/net/Kconfig +index aba0d652095b0..f3357091e9d18 100644 +--- a/drivers/net/Kconfig ++++ b/drivers/net/Kconfig +@@ -212,8 +212,8 @@ config GENEVE + + config GTP + tristate "GPRS Tunneling Protocol datapath (GTP-U)" +- depends on INET && NET_UDP_TUNNEL +- select NET_IP_TUNNEL ++ depends on INET ++ select NET_UDP_TUNNEL + ---help--- + This allows one to create gtp virtual interfaces that provide + the GPRS Tunneling Protocol datapath (GTP-U). This tunneling protocol +-- +2.20.1 + diff --git a/queue-4.14/hid-input-add-mapping-for-expose-overview-key.patch b/queue-4.14/hid-input-add-mapping-for-expose-overview-key.patch new file mode 100644 index 00000000000..5924411279b --- /dev/null +++ b/queue-4.14/hid-input-add-mapping-for-expose-overview-key.patch 
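Review bot: in the GTP entry of drivers/net/Kconfig, `select NET_IP_TUNNEL` is dropped on the grounds that "it already depends on NET_UDP_TUNNEL", which is ambiguous about which symbol pulls in which. `select` does not follow the dependencies of the selected symbol, so GTP keeps IP tunnel support only if NET_UDP_TUNNEL itself selects NET_IP_TUNNEL; confirm that in the 4.14 Kconfig and reword the message to say so. Also check that anything NET_UDP_TUNNEL depends on is covered by `depends on INET`, since a select can force a symbol on with unmet dependencies.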
@@ -0,0 +1,37 @@ +From 598efbec0292f7f500a97ce490e6f3f8096b445a Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Fri, 18 Jan 2019 13:59:08 -0800 +Subject: HID: input: add mapping for Expose/Overview key +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 96dd86871e1fffbc39e4fa61c9c75ec54ee9af0f ] + +According to HUTRR77 usage 0x29f from the consumer page is reserved for +the Desktop application to present all running user’s application windows. +Linux defines KEY_SCALE to request Compiz Scale (Expose) mode, so let's +add the mapping. + +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-input.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index 1aa7d268686b9..693cd19e9dd40 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -1017,6 +1017,8 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + case 0x2cb: map_key_clear(KEY_KBDINPUTASSIST_ACCEPT); break; + case 0x2cc: map_key_clear(KEY_KBDINPUTASSIST_CANCEL); break; + ++ case 0x29f: map_key_clear(KEY_SCALE); break; ++ + default: map_key_clear(KEY_UNKNOWN); + } + break; +-- +2.20.1 + diff --git a/queue-4.14/hid-input-add-mapping-for-keyboard-brightness-up-dow.patch b/queue-4.14/hid-input-add-mapping-for-keyboard-brightness-up-dow.patch new file mode 100644 index 00000000000..7cc64161392 --- /dev/null +++ b/queue-4.14/hid-input-add-mapping-for-keyboard-brightness-up-dow.patch 
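Review bot: in hidinput_configure_usage(), `case 0x29f: map_key_clear(KEY_SCALE); break;` is added after the 0x2cb and 0x2cc cases, which breaks the ascending order of usage IDs in this switch. Move it into its numeric position so the table stays easy to scan and to extend.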
@@ -0,0 +1,34 @@ +From beb05b7e14dab0d9f2787edfe0ad3308159658d4 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Fri, 18 Jan 2019 14:05:52 -0800 +Subject: HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys + +[ Upstream commit 7975a1d6a7afeb3eb61c971a153d24dd8fa032f3 ] + +According to HUTRR73 usages 0x79, 0x7a and 0x7c from the consumer page +correspond to Brightness Up/Down/Toggle keys, so let's add the mappings. + +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-input.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index 693cd19e9dd40..f736bdf774dd8 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -886,6 +886,10 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + case 0x074: map_key_clear(KEY_BRIGHTNESS_MAX); break; + case 0x075: map_key_clear(KEY_BRIGHTNESS_AUTO); break; + ++ case 0x079: map_key_clear(KEY_KBDILLUMUP); break; ++ case 0x07a: map_key_clear(KEY_KBDILLUMDOWN); break; ++ case 0x07c: map_key_clear(KEY_KBDILLUMTOGGLE); break; ++ + case 0x082: map_key_clear(KEY_VIDEO_NEXT); break; + case 0x083: map_key_clear(KEY_LAST); break; + case 0x084: map_key_clear(KEY_ENTER); break; +-- +2.20.1 + diff --git a/queue-4.14/hid-input-add-mapping-for-toggle-display-key.patch b/queue-4.14/hid-input-add-mapping-for-toggle-display-key.patch new file mode 100644 index 00000000000..8a4eefb55f3 --- /dev/null +++ b/queue-4.14/hid-input-add-mapping-for-toggle-display-key.patch 
@@ -0,0 +1,39 @@ +From 6fd9b32d05fe02405447a0226f03eea556b6ee07 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Fri, 18 Jan 2019 14:35:45 -0800 +Subject: HID: input: add mapping for "Toggle Display" key + +[ Upstream commit c01908a14bf735b871170092807c618bb9dae654 ] + +According to HUT 1.12 usage 0xb5 from the generic desktop page is reserved +for switching between external and internal display, so let's add the +mapping. + +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-input.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index f736bdf774dd8..d723185de3ba2 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -677,6 +677,14 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + break; + } + ++ if ((usage->hid & 0xf0) == 0xb0) { /* SC - Display */ ++ switch (usage->hid & 0xf) { ++ case 0x05: map_key_clear(KEY_SWITCHVIDEOMODE); break; ++ default: goto ignore; ++ } ++ break; ++ } ++ + /* + * Some lazy vendors declare 255 usages for System Control, + * leading to the creation of ABS_X|Y axis and too many others. +-- +2.20.1 + diff --git a/queue-4.14/i2c-omap-enable-for-arch_k3.patch b/queue-4.14/i2c-omap-enable-for-arch_k3.patch new file mode 100644 index 00000000000..04e19f26af2 --- /dev/null +++ b/queue-4.14/i2c-omap-enable-for-arch_k3.patch 
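Review bot: in the new "SC - Display" block of hidinput_configure_usage(), the test `(usage->hid & 0xf0) == 0xb0` followed by `switch (usage->hid & 0xf)` looks only at the low byte of the usage ID, so any usage on this page whose low byte is 0xb5 is mapped to KEY_SWITCHVIDEOMODE, not just 0xb5 itself. The context comment just below notes that some vendors declare 255 usages for System Control, so descriptors with wide usage ranges do occur; compare the full 16-bit usage ID against 0xb5, or document why bits 8 and above can be ignored here.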
@@ -0,0 +1,33 @@ +From f3418cdc9e387a6aa6f4ddb16bd2c74d533a5139 Mon Sep 17 00:00:00 2001 +From: Vignesh R +Date: Fri, 9 Nov 2018 16:44:11 +0530 +Subject: i2c: omap: Enable for ARCH_K3 + +[ Upstream commit 5b277402deac0691226a947df71c581686bd4020 ] + +Allow I2C_OMAP to be built for K3 platforms. + +Signed-off-by: Vignesh R +Reviewed-by: Grygorii Strashko +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/Kconfig b/drivers/i2c/busses/Kconfig +index 45a3f3ca29b38..75ea367ffd833 100644 +--- a/drivers/i2c/busses/Kconfig ++++ b/drivers/i2c/busses/Kconfig +@@ -759,7 +759,7 @@ config I2C_OCORES + + config I2C_OMAP + tristate "OMAP I2C adapter" +- depends on ARCH_OMAP ++ depends on ARCH_OMAP || ARCH_K3 + default y if MACH_OMAP_H3 || MACH_OMAP_OSK + help + If you say yes to this option, support will be included for the +-- +2.20.1 + diff --git a/queue-4.14/ib-rxe-revise-the-ib_wr_opcode-enum.patch b/queue-4.14/ib-rxe-revise-the-ib_wr_opcode-enum.patch new file mode 100644 index 00000000000..c405b6c9242 --- /dev/null +++ b/queue-4.14/ib-rxe-revise-the-ib_wr_opcode-enum.patch 
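Review bot: for the 4.14 queue, check that an ARCH_K3 symbol exists in that tree before taking the `depends on ARCH_OMAP || ARCH_K3` change to I2C_OMAP. If the symbol is not defined there, the added term can never be true and the patch changes nothing for 4.14 users. The commit message also carries no Fixes: or stable tag and describes platform enablement rather than a bug fix.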
@@ -0,0 +1,127 @@ +From 3aedd75a26ace5f0197318639721678a808650cf Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Tue, 14 Aug 2018 15:33:02 -0700 +Subject: IB/rxe: Revise the ib_wr_opcode enum + +[ Upstream commit 9a59739bd01f77db6fbe2955a4fce165f0f43568 ] + +This enum has become part of the uABI, as both RXE and the +ib_uverbs_post_send() command expect userspace to supply values from this +enum. So it should be properly placed in include/uapi/rdma. + +In userspace this enum is called 'enum ibv_wr_opcode' as part of +libibverbs.h. That enum defines different values for IB_WR_LOCAL_INV, +IB_WR_SEND_WITH_INV, and IB_WR_LSO. These were introduced (incorrectly, it +turns out) into libiberbs in 2015. + +The kernel has changed its mind on the numbering for several of the IB_WC +values over the years, but has remained stable on IB_WR_LOCAL_INV and +below. + +Based on this we can conclude that there is no real user space user of the +values beyond IB_WR_ATOMIC_FETCH_AND_ADD, as they have never worked via +rdma-core. This is confirmed by inspection, only rxe uses the kernel enum +and implements the latter operations. rxe has clearly never worked with +these attributes from userspace. Other drivers that support these opcodes +implement the functionality without calling out to the kernel. + +To make IB_WR_SEND_WITH_INV and related work for RXE in userspace we +choose to renumber the IB_WR enum in the kernel to match the uABI that +userspace has bee using since before Soft RoCE was merged. This is an +overall simpler configuration for the whole software stack, and obviously +can't break anything existing. 
+ +Reported-by: Seth Howell +Tested-by: Seth Howell +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Cc: +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + include/rdma/ib_verbs.h | 34 ++++++++++++++++++------------- + include/uapi/rdma/ib_user_verbs.h | 20 +++++++++++++++++- + 2 files changed, 39 insertions(+), 15 deletions(-) + +diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h +index 5a24b4c700e59..9e76b2410d03f 100644 +--- a/include/rdma/ib_verbs.h ++++ b/include/rdma/ib_verbs.h +@@ -1251,21 +1251,27 @@ struct ib_qp_attr { + }; + + enum ib_wr_opcode { +- IB_WR_RDMA_WRITE, +- IB_WR_RDMA_WRITE_WITH_IMM, +- IB_WR_SEND, +- IB_WR_SEND_WITH_IMM, +- IB_WR_RDMA_READ, +- IB_WR_ATOMIC_CMP_AND_SWP, +- IB_WR_ATOMIC_FETCH_AND_ADD, +- IB_WR_LSO, +- IB_WR_SEND_WITH_INV, +- IB_WR_RDMA_READ_WITH_INV, +- IB_WR_LOCAL_INV, +- IB_WR_REG_MR, +- IB_WR_MASKED_ATOMIC_CMP_AND_SWP, +- IB_WR_MASKED_ATOMIC_FETCH_AND_ADD, ++ /* These are shared with userspace */ ++ IB_WR_RDMA_WRITE = IB_UVERBS_WR_RDMA_WRITE, ++ IB_WR_RDMA_WRITE_WITH_IMM = IB_UVERBS_WR_RDMA_WRITE_WITH_IMM, ++ IB_WR_SEND = IB_UVERBS_WR_SEND, ++ IB_WR_SEND_WITH_IMM = IB_UVERBS_WR_SEND_WITH_IMM, ++ IB_WR_RDMA_READ = IB_UVERBS_WR_RDMA_READ, ++ IB_WR_ATOMIC_CMP_AND_SWP = IB_UVERBS_WR_ATOMIC_CMP_AND_SWP, ++ IB_WR_ATOMIC_FETCH_AND_ADD = IB_UVERBS_WR_ATOMIC_FETCH_AND_ADD, ++ IB_WR_LSO = IB_UVERBS_WR_TSO, ++ IB_WR_SEND_WITH_INV = IB_UVERBS_WR_SEND_WITH_INV, ++ IB_WR_RDMA_READ_WITH_INV = IB_UVERBS_WR_RDMA_READ_WITH_INV, ++ IB_WR_LOCAL_INV = IB_UVERBS_WR_LOCAL_INV, ++ IB_WR_MASKED_ATOMIC_CMP_AND_SWP = ++ IB_UVERBS_WR_MASKED_ATOMIC_CMP_AND_SWP, ++ IB_WR_MASKED_ATOMIC_FETCH_AND_ADD = ++ IB_UVERBS_WR_MASKED_ATOMIC_FETCH_AND_ADD, ++ ++ /* These are kernel only and can not be issued by userspace */ ++ IB_WR_REG_MR = 0x20, + IB_WR_REG_SIG_MR, ++ + /* reserve values for low level drivers' internal use. + * These values will not be used at all in the ib core layer. 
+ */ +diff --git a/include/uapi/rdma/ib_user_verbs.h b/include/uapi/rdma/ib_user_verbs.h +index e0e83a105953a..e11b4def8630f 100644 +--- a/include/uapi/rdma/ib_user_verbs.h ++++ b/include/uapi/rdma/ib_user_verbs.h +@@ -751,10 +751,28 @@ struct ib_uverbs_sge { + __u32 lkey; + }; + ++enum ib_uverbs_wr_opcode { ++ IB_UVERBS_WR_RDMA_WRITE = 0, ++ IB_UVERBS_WR_RDMA_WRITE_WITH_IMM = 1, ++ IB_UVERBS_WR_SEND = 2, ++ IB_UVERBS_WR_SEND_WITH_IMM = 3, ++ IB_UVERBS_WR_RDMA_READ = 4, ++ IB_UVERBS_WR_ATOMIC_CMP_AND_SWP = 5, ++ IB_UVERBS_WR_ATOMIC_FETCH_AND_ADD = 6, ++ IB_UVERBS_WR_LOCAL_INV = 7, ++ IB_UVERBS_WR_BIND_MW = 8, ++ IB_UVERBS_WR_SEND_WITH_INV = 9, ++ IB_UVERBS_WR_TSO = 10, ++ IB_UVERBS_WR_RDMA_READ_WITH_INV = 11, ++ IB_UVERBS_WR_MASKED_ATOMIC_CMP_AND_SWP = 12, ++ IB_UVERBS_WR_MASKED_ATOMIC_FETCH_AND_ADD = 13, ++ /* Review enum ib_wr_opcode before modifying this */ ++}; ++ + struct ib_uverbs_send_wr { + __u64 wr_id; + __u32 num_sge; +- __u32 opcode; ++ __u32 opcode; /* see enum ib_uverbs_wr_opcode */ + __u32 send_flags; + union { + __u32 imm_data; +-- +2.20.1 + diff --git a/queue-4.14/iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch b/queue-4.14/iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch new file mode 100644 index 00000000000..d4718b0a243 --- /dev/null +++ b/queue-4.14/iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch 
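Review bot: in enum ib_wr_opcode, the renumbering leaves holes that the old dense enum did not have: value 8 (IB_UVERBS_WR_BIND_MW) has no IB_WR_* name, values 14 to 0x1f are unused, and IB_WR_REG_MR and IB_WR_REG_SIG_MR move to 0x20 and 0x21. Before backporting, audit every table indexed by ib_wr_opcode and every switch or range check on it in the target tree for array size and for entries that assumed the old values (IB_WR_LSO was 7, IB_WR_SEND_WITH_INV 8, IB_WR_RDMA_READ_WITH_INV 9, IB_WR_LOCAL_INV 10). The new comment says the values from 0x20 up "can not be issued by userspace", but nothing in the diff enforces that; say where an ib_uverbs_send_wr.opcode at or above 0x20 is rejected, or add the check.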
@@ -0,0 +1,38 @@ +From ec06269f15c8938d0f7cb3feba48c492e3d8e38c Mon Sep 17 00:00:00 2001 +From: Sven Van Asbroeck +Date: Sun, 10 Mar 2019 14:58:24 -0400 +Subject: iio: adc: xilinx: fix potential use-after-free on remove + +[ Upstream commit 62039b6aef63380ba7a37c113bbaeee8a55c5342 ] + +When cancel_delayed_work() returns, the delayed work may still +be running. This means that the core could potentially free +the private structure (struct xadc) while the delayed work +is still using it. This is a potential use-after-free. + +Fix by calling cancel_delayed_work_sync(), which waits for +any residual work to finish before returning. + +Signed-off-by: Sven Van Asbroeck +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/xilinx-xadc-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/xilinx-xadc-core.c b/drivers/iio/adc/xilinx-xadc-core.c +index 4a60497a1f193..e89711b30ae8f 100644 +--- a/drivers/iio/adc/xilinx-xadc-core.c ++++ b/drivers/iio/adc/xilinx-xadc-core.c +@@ -1302,7 +1302,7 @@ static int xadc_remove(struct platform_device *pdev) + } + free_irq(irq, indio_dev); + clk_disable_unprepare(xadc->clk); +- cancel_delayed_work(&xadc->zynq_unmask_work); ++ cancel_delayed_work_sync(&xadc->zynq_unmask_work); + kfree(xadc->data); + kfree(indio_dev->channels); + +-- +2.20.1 + diff --git a/queue-4.14/ima-open-a-new-file-instance-if-no-read-permissions.patch b/queue-4.14/ima-open-a-new-file-instance-if-no-read-permissions.patch new file mode 100644 index 00000000000..9e755197336 --- /dev/null +++ b/queue-4.14/ima-open-a-new-file-instance-if-no-read-permissions.patch 
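Review bot: in xadc_remove(), cancel_delayed_work_sync(&xadc->zynq_unmask_work) still runs after free_irq() and clk_disable_unprepare(xadc->clk), so the work item can execute, and the sync variant can now wait for it, with the clock already disabled. If the work touches device registers, move the cancel ahead of clk_disable_unprepare(); if it does not, a comment saying so would settle the ordering question. The wait itself is in the right place for the use-after-free, ahead of kfree(xadc->data).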
@@ -0,0 +1,144 @@ +From f5cf6cd50d04593d3df0bbca83ae0c336eea7b2c Mon Sep 17 00:00:00 2001 +From: Goldwyn Rodrigues +Date: Tue, 9 Oct 2018 10:12:33 -0500 +Subject: ima: open a new file instance if no read permissions + +[ Upstream commit a408e4a86b36bf98ad15b9ada531cf0e5118ac67 ] + +Open a new file instance as opposed to changing file->f_mode when +the file is not readable. This is done to accomodate overlayfs +stacked file operations change. The real struct file is hidden +behind the overlays struct file. So, any file->f_mode manipulations are +not reflected on the real struct file. Open the file again in read mode +if original file cannot be read, read and calculate the hash. + +Signed-off-by: Goldwyn Rodrigues +Cc: stable@vger.kernel.org (linux-4.19) +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima_crypto.c | 54 ++++++++++++++++++----------- + 1 file changed, 34 insertions(+), 20 deletions(-) + +diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c +index cb041af9eddb2..af680b5b678a4 100644 +--- a/security/integrity/ima/ima_crypto.c ++++ b/security/integrity/ima/ima_crypto.c +@@ -232,7 +232,7 @@ static int ima_calc_file_hash_atfm(struct file *file, + { + loff_t i_size, offset; + char *rbuf[2] = { NULL, }; +- int rc, read = 0, rbuf_len, active = 0, ahash_rc = 0; ++ int rc, rbuf_len, active = 0, ahash_rc = 0; + struct ahash_request *req; + struct scatterlist sg[1]; + struct ahash_completion res; +@@ -279,11 +279,6 @@ static int ima_calc_file_hash_atfm(struct file *file, + &rbuf_size[1], 0); + } + +- if (!(file->f_mode & FMODE_READ)) { +- file->f_mode |= FMODE_READ; +- read = 1; +- } +- + for (offset = 0; offset < i_size; offset += rbuf_len) { + if (!rbuf[1] && offset) { + /* Not using two buffers, and it is not the first +@@ -322,8 +317,6 @@ static int ima_calc_file_hash_atfm(struct file *file, + /* wait for the last update request to complete */ + rc = ahash_wait(ahash_rc, &res); + out3: +- 
if (read) +- file->f_mode &= ~FMODE_READ; + ima_free_pages(rbuf[0], rbuf_size[0]); + ima_free_pages(rbuf[1], rbuf_size[1]); + out2: +@@ -358,7 +351,7 @@ static int ima_calc_file_hash_tfm(struct file *file, + { + loff_t i_size, offset = 0; + char *rbuf; +- int rc, read = 0; ++ int rc; + SHASH_DESC_ON_STACK(shash, tfm); + + shash->tfm = tfm; +@@ -379,11 +372,6 @@ static int ima_calc_file_hash_tfm(struct file *file, + if (!rbuf) + return -ENOMEM; + +- if (!(file->f_mode & FMODE_READ)) { +- file->f_mode |= FMODE_READ; +- read = 1; +- } +- + while (offset < i_size) { + int rbuf_len; + +@@ -400,8 +388,6 @@ static int ima_calc_file_hash_tfm(struct file *file, + if (rc) + break; + } +- if (read) +- file->f_mode &= ~FMODE_READ; + kfree(rbuf); + out: + if (!rc) +@@ -442,6 +428,8 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash) + { + loff_t i_size; + int rc; ++ struct file *f = file; ++ bool new_file_instance = false, modified_flags = false; + + /* + * For consistency, fail file's opened with the O_DIRECT flag on +@@ -453,15 +441,41 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash) + return -EINVAL; + } + +- i_size = i_size_read(file_inode(file)); ++ /* Open a new file instance in O_RDONLY if we cannot read */ ++ if (!(file->f_mode & FMODE_READ)) { ++ int flags = file->f_flags & ~(O_WRONLY | O_APPEND | ++ O_TRUNC | O_CREAT | O_NOCTTY | O_EXCL); ++ flags |= O_RDONLY; ++ f = dentry_open(&file->f_path, flags, file->f_cred); ++ if (IS_ERR(f)) { ++ /* ++ * Cannot open the file again, lets modify f_flags ++ * of original and continue ++ */ ++ pr_info_ratelimited("Unable to reopen file for reading.\n"); ++ f = file; ++ f->f_flags |= FMODE_READ; ++ modified_flags = true; ++ } else { ++ new_file_instance = true; ++ } ++ } ++ ++ i_size = i_size_read(file_inode(f)); + + if (ima_ahash_minsize && i_size >= ima_ahash_minsize) { +- rc = ima_calc_file_ahash(file, hash); ++ rc = ima_calc_file_ahash(f, hash); + if (!rc) +- return 0; ++ goto 
out; + } + +- return ima_calc_file_shash(file, hash); ++ rc = ima_calc_file_shash(f, hash); ++out: ++ if (new_file_instance) ++ fput(f); ++ else if (modified_flags) ++ f->f_flags &= ~FMODE_READ; ++ return rc; + } + + /* +-- +2.20.1 + diff --git a/queue-4.14/init-initialize-jump-labels-before-command-line-opti.patch b/queue-4.14/init-initialize-jump-labels-before-command-line-opti.patch new file mode 100644 index 00000000000..b91428e4092 --- /dev/null +++ b/queue-4.14/init-initialize-jump-labels-before-command-line-opti.patch 
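Review bot: In the ima_calc_file_hash() hunk of security/integrity/ima/ima_crypto.c, the dentry_open() failure path sets `f->f_flags |= FMODE_READ` and the `out:` path clears it with `f->f_flags &= ~FMODE_READ`, but FMODE_READ is an f_mode bit, and the code this patch removes from ima_calc_file_hash_atfm() and ima_calc_file_hash_tfm() used `file->f_mode |= FMODE_READ`. As written the fallback no longer does what the old code did and instead toggles an unrelated bit in the open flags; both lines should operate on f->f_mode. Separately, the commit message tags this as `stable@vger.kernel.org (linux-4.19)` while it is being added under queue-4.14, so the backport range deserves a second look.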
@@ -0,0 +1,79 @@ +From ecb29a03c876a6c951a5636c2032888418535d02 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Thu, 18 Apr 2019 17:50:44 -0700 +Subject: init: initialize jump labels before command line option parsing + +[ Upstream commit 6041186a32585fc7a1d0f6cfe2f138b05fdc3c82 ] + +When a module option, or core kernel argument, toggles a static-key it +requires jump labels to be initialized early. While x86, PowerPC, and +ARM64 arrange for jump_label_init() to be called before parse_args(), +ARM does not. + + Kernel command line: rdinit=/sbin/init page_alloc.shuffle=1 panic=-1 console=ttyAMA0,115200 page_alloc.shuffle=1 + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 0 at ./include/linux/jump_label.h:303 + page_alloc_shuffle+0x12c/0x1ac + static_key_enable(): static key 'page_alloc_shuffle_key+0x0/0x4' used + before call to jump_label_init() + Modules linked in: + CPU: 0 PID: 0 Comm: swapper Not tainted + 5.1.0-rc4-next-20190410-00003-g3367c36ce744 #1 + Hardware name: ARM Integrator/CP (Device Tree) + [] (unwind_backtrace) from [] (show_stack+0x10/0x18) + [] (show_stack) from [] (dump_stack+0x18/0x24) + [] (dump_stack) from [] (__warn+0xe0/0x108) + [] (__warn) from [] (warn_slowpath_fmt+0x44/0x6c) + [] (warn_slowpath_fmt) from [] + (page_alloc_shuffle+0x12c/0x1ac) + [] (page_alloc_shuffle) from [] (shuffle_store+0x28/0x48) + [] (shuffle_store) from [] (parse_args+0x1f4/0x350) + [] (parse_args) from [] (start_kernel+0x1c0/0x488) + +Move the fallback call to jump_label_init() to occur before +parse_args(). + +The redundant calls to jump_label_init() in other archs are left intact +in case they have static key toggling use cases that are even earlier +than option parsing. 
+ +Link: http://lkml.kernel.org/r/155544804466.1032396.13418949511615676665.stgit@dwillia2-desk3.amr.corp.intel.com +Signed-off-by: Dan Williams +Reported-by: Guenter Roeck +Reviewed-by: Kees Cook +Cc: Mathieu Desnoyers +Cc: Thomas Gleixner +Cc: Mike Rapoport +Cc: Russell King +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + init/main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/init/main.c b/init/main.c +index 3d3d79c5a2324..51067e2db509d 100644 +--- a/init/main.c ++++ b/init/main.c +@@ -550,6 +550,8 @@ asmlinkage __visible void __init start_kernel(void) + page_alloc_init(); + + pr_notice("Kernel command line: %s\n", boot_command_line); ++ /* parameters may set static keys */ ++ jump_label_init(); + parse_early_param(); + after_dashes = parse_args("Booting kernel", + static_command_line, __start___param, +@@ -559,8 +561,6 @@ asmlinkage __visible void __init start_kernel(void) + parse_args("Setting init args", after_dashes, NULL, 0, -1, -1, + NULL, set_init_arg); + +- jump_label_init(); +- + /* + * These use large bootmem allocations and must precede + * kmem_cache_init() +-- +2.20.1 + diff --git a/queue-4.14/input-elan_i2c-add-hardware-id-for-multiple-lenovo-l.patch b/queue-4.14/input-elan_i2c-add-hardware-id-for-multiple-lenovo-l.patch new file mode 100644 index 00000000000..d2e85ce8284 --- /dev/null +++ b/queue-4.14/input-elan_i2c-add-hardware-id-for-multiple-lenovo-l.patch 
@@ -0,0 +1,73 @@ +From 59ea885780030d4606a1da1bc44b6dc828c83b73 Mon Sep 17 00:00:00 2001 +From: KT Liao +Date: Tue, 26 Mar 2019 17:28:32 -0700 +Subject: Input: elan_i2c - add hardware ID for multiple Lenovo laptops + +[ Upstream commit 738c06d0e4562e0acf9f2c7438a22b2d5afc67aa ] + +There are many Lenovo laptops which need elan_i2c support, this patch adds +relevant IDs to the Elan driver so that touchpads are recognized. + +Signed-off-by: KT Liao +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/mouse/elan_i2c_core.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c +index 2ce805d31ed13..ad89ba143a0e3 100644 +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -1254,22 +1254,47 @@ static const struct acpi_device_id elan_acpi_id[] = { + { "ELAN0600", 0 }, + { "ELAN0601", 0 }, + { "ELAN0602", 0 }, ++ { "ELAN0603", 0 }, ++ { "ELAN0604", 0 }, + { "ELAN0605", 0 }, ++ { "ELAN0606", 0 }, ++ { "ELAN0607", 0 }, + { "ELAN0608", 0 }, + { "ELAN0605", 0 }, + { "ELAN0609", 0 }, + { "ELAN060B", 0 }, + { "ELAN060C", 0 }, ++ { "ELAN060F", 0 }, ++ { "ELAN0610", 0 }, + { "ELAN0611", 0 }, + { "ELAN0612", 0 }, ++ { "ELAN0615", 0 }, ++ { "ELAN0616", 0 }, + { "ELAN0617", 0 }, + { "ELAN0618", 0 }, ++ { "ELAN0619", 0 }, ++ { "ELAN061A", 0 }, ++ { "ELAN061B", 0 }, + { "ELAN061C", 0 }, + { "ELAN061D", 0 }, + { "ELAN061E", 0 }, ++ { "ELAN061F", 0 }, + { "ELAN0620", 0 }, + { "ELAN0621", 0 }, + { "ELAN0622", 0 }, ++ { "ELAN0623", 0 }, ++ { "ELAN0624", 0 }, ++ { "ELAN0625", 0 }, ++ { "ELAN0626", 0 }, ++ { "ELAN0627", 0 }, ++ { "ELAN0628", 0 }, ++ { "ELAN0629", 0 }, ++ { "ELAN062A", 0 }, ++ { "ELAN062B", 0 }, ++ { "ELAN062C", 0 }, ++ { "ELAN062D", 0 }, ++ { "ELAN0631", 0 }, ++ { "ELAN0632", 0 }, + { "ELAN1000", 0 }, + { } + }; +-- +2.20.1 + 
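Review bot: The elan_acpi_id[] table in drivers/input/mouse/elan_i2c_core.c already contains `{ "ELAN0605", 0 }` twice in the unchanged context (once after ELAN0602 and again after ELAN0608), and this hunk inserts 25 new IDs around the duplicate without touching it. The duplicate is harmless for matching but makes the otherwise sorted list harder to audit; it should be dropped in a follow-up so the table has one entry per ID. The commit message also does not say which Lenovo models the new IDs belong to, which would help anyone verifying the list later.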
diff --git a/queue-4.14/input-synaptics-rmi4-fix-possible-double-free.patch b/queue-4.14/input-synaptics-rmi4-fix-possible-double-free.patch new file mode 100644 index 00000000000..f39ec344e05 --- /dev/null +++ b/queue-4.14/input-synaptics-rmi4-fix-possible-double-free.patch @@ -0,0 +1,45 @@ +From 6de60397fefd5f64d17b7c1c48e1e3016cd9019a Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Fri, 19 Apr 2019 07:39:00 +0000 +Subject: Input: synaptics-rmi4 - fix possible double free + +[ Upstream commit bce1a78423961fce676ac65540a31b6ffd179e6d ] + +The RMI4 function structure has been released in rmi_register_function +if error occurs. However, it will be released again in the function +rmi_create_function, which may result in a double-free bug. + +Signed-off-by: Pan Bian +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/rmi4/rmi_driver.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c +index f5954981e9ee5..997ccae7ee055 100644 +--- a/drivers/input/rmi4/rmi_driver.c ++++ b/drivers/input/rmi4/rmi_driver.c +@@ -883,7 +883,7 @@ static int rmi_create_function(struct rmi_device *rmi_dev, + + error = rmi_register_function(fn); + if (error) +- goto err_put_fn; ++ return error; + + if (pdt->function_number == 0x01) + data->f01_container = fn; +@@ -893,10 +893,6 @@ static int rmi_create_function(struct rmi_device *rmi_dev, + list_add_tail(&fn->node, &data->function_list); + + return RMI_SCAN_CONTINUE; +- +-err_put_fn: +- put_device(&fn->dev); +- return error; + } + + void rmi_enable_irq(struct rmi_device *rmi_dev, bool clear_wake) +-- +2.20.1 + diff --git a/queue-4.14/ipvs-do-not-schedule-icmp-errors-from-tunnels.patch b/queue-4.14/ipvs-do-not-schedule-icmp-errors-from-tunnels.patch new file mode 100644 index 00000000000..3dda9f4c7f7 --- /dev/null +++ b/queue-4.14/ipvs-do-not-schedule-icmp-errors-from-tunnels.patch 
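Review bot: In rmi_create_function() (drivers/input/rmi4/rmi_driver.c), the new `return error;` after rmi_register_function() is only correct because the callee has already released fn on failure, which is stated in the commit message but not visible at the call site. A one-line comment next to the return saying that rmi_register_function() drops the reference on error would keep a later cleanup from reintroducing the put_device() and with it the double free.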
@@ -0,0 +1,38 @@ +From 45cabb25ac5209e8b82d47d942acca57627cb8b8 Mon Sep 17 00:00:00 2001 +From: Julian Anastasov +Date: Sun, 31 Mar 2019 13:24:52 +0300 +Subject: ipvs: do not schedule icmp errors from tunnels + +[ Upstream commit 0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 ] + +We can receive ICMP errors from client or from +tunneling real server. While the former can be +scheduled to real server, the latter should +not be scheduled, they are decapsulated only when +existing connection is found. + +Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets") +Signed-off-by: Julian Anastasov +Signed-off-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c +index 4278f5c947abd..d1c0378144f3d 100644 +--- a/net/netfilter/ipvs/ip_vs_core.c ++++ b/net/netfilter/ipvs/ip_vs_core.c +@@ -1635,7 +1635,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related, + if (!cp) { + int v; + +- if (!sysctl_schedule_icmp(ipvs)) ++ if (ipip || !sysctl_schedule_icmp(ipvs)) + return NF_ACCEPT; + + if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph)) +-- +2.20.1 + diff --git a/queue-4.14/kvm-arm-arm64-ensure-only-thp-is-candidate-for-adjus.patch b/queue-4.14/kvm-arm-arm64-ensure-only-thp-is-candidate-for-adjus.patch new file mode 100644 index 00000000000..12d132a9066 --- /dev/null +++ b/queue-4.14/kvm-arm-arm64-ensure-only-thp-is-candidate-for-adjus.patch 
@@ -0,0 +1,50 @@ +From 65f71ab8ee3473657531a6be2e3ea2fb51c2ca87 Mon Sep 17 00:00:00 2001 +From: Punit Agrawal +Date: Mon, 1 Oct 2018 16:54:35 +0100 +Subject: KVM: arm/arm64: Ensure only THP is candidate for adjustment + +[ Upstream commit fd2ef358282c849c193aa36dadbf4f07f7dcd29b ] + +PageTransCompoundMap() returns true for hugetlbfs and THP +hugepages. This behaviour incorrectly leads to stage 2 faults for +unsupported hugepage sizes (e.g., 64K hugepage with 4K pages) to be +treated as THP faults. + +Tighten the check to filter out hugetlbfs pages. This also leads to +consistently mapping all unsupported hugepage sizes as PTE level +entries at stage 2. + +Signed-off-by: Punit Agrawal +Reviewed-by: Suzuki Poulose +Cc: Christoffer Dall +Cc: Marc Zyngier +Cc: stable@vger.kernel.org # v4.13+ +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + virt/kvm/arm/mmu.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/virt/kvm/arm/mmu.c b/virt/kvm/arm/mmu.c +index 225dc671ae31b..1f4cac53b9234 100644 +--- a/virt/kvm/arm/mmu.c ++++ b/virt/kvm/arm/mmu.c +@@ -1068,8 +1068,14 @@ static bool transparent_hugepage_adjust(kvm_pfn_t *pfnp, phys_addr_t *ipap) + { + kvm_pfn_t pfn = *pfnp; + gfn_t gfn = *ipap >> PAGE_SHIFT; ++ struct page *page = pfn_to_page(pfn); + +- if (PageTransCompoundMap(pfn_to_page(pfn))) { ++ /* ++ * PageTransCompoungMap() returns true for THP and ++ * hugetlbfs. Make sure the adjustment is done only for THP ++ * pages. ++ */ ++ if (!PageHuge(page) && PageTransCompoundMap(page)) { + unsigned long mask; + /* + * The address we faulted on is backed by a transparent huge +-- +2.20.1 + diff --git a/queue-4.14/kvm-fix-spectrev1-gadgets.patch b/queue-4.14/kvm-fix-spectrev1-gadgets.patch new file mode 100644 index 00000000000..e83ecad084b --- /dev/null +++ b/queue-4.14/kvm-fix-spectrev1-gadgets.patch 
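Review bot: The comment added in transparent_hugepage_adjust() (virt/kvm/arm/mmu.c) misspells the helper as `PageTransCompoungMap()`; the call directly below it is `PageTransCompoundMap(page)`. Fixing the spelling keeps the comment greppable alongside the function it documents.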
@@ -0,0 +1,133 @@ +From b5535eb52877cb1821c91b3015802bb664805125 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Thu, 11 Apr 2019 11:16:47 +0200 +Subject: KVM: fix spectrev1 gadgets + +[ Upstream commit 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c ] + +These were found with smatch, and then generalized when applicable. + +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/lapic.c | 4 +++- + include/linux/kvm_host.h | 10 ++++++---- + virt/kvm/irqchip.c | 5 +++-- + virt/kvm/kvm_main.c | 6 ++++-- + 4 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index f7c34184342a5..053e4937af0cb 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -133,6 +133,7 @@ static inline bool kvm_apic_map_get_logical_dest(struct kvm_apic_map *map, + if (offset <= max_apic_id) { + u8 cluster_size = min(max_apic_id - offset + 1, 16U); + ++ offset = array_index_nospec(offset, map->max_apic_id + 1); + *cluster = &map->phys_map[offset]; + *mask = dest_id & (0xffff >> (16 - cluster_size)); + } else { +@@ -829,7 +830,8 @@ static inline bool kvm_apic_map_get_dest_lapic(struct kvm *kvm, + if (irq->dest_id > map->max_apic_id) { + *bitmap = 0; + } else { +- *dst = &map->phys_map[irq->dest_id]; ++ u32 dest_id = array_index_nospec(irq->dest_id, map->max_apic_id + 1); ++ *dst = &map->phys_map[dest_id]; + *bitmap = 1; + } + return true; +diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h +index 753c16633bac5..026615e242d8e 100644 +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -483,10 +484,10 @@ static inline struct kvm_io_bus *kvm_get_bus(struct kvm *kvm, enum kvm_bus idx) + + static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i) + { +- /* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu, in case +- * the caller has read kvm->online_vcpus before (as is the case +- * for 
kvm_for_each_vcpu, for example). +- */ ++ int num_vcpus = atomic_read(&kvm->online_vcpus); ++ i = array_index_nospec(i, num_vcpus); ++ ++ /* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu. */ + smp_rmb(); + return kvm->vcpus[i]; + } +@@ -570,6 +571,7 @@ void kvm_put_kvm(struct kvm *kvm); + + static inline struct kvm_memslots *__kvm_memslots(struct kvm *kvm, int as_id) + { ++ as_id = array_index_nospec(as_id, KVM_ADDRESS_SPACE_NUM); + return srcu_dereference_check(kvm->memslots[as_id], &kvm->srcu, + lockdep_is_held(&kvm->slots_lock) || + !refcount_read(&kvm->users_count)); +diff --git a/virt/kvm/irqchip.c b/virt/kvm/irqchip.c +index b1286c4e07122..0bd0683640bdf 100644 +--- a/virt/kvm/irqchip.c ++++ b/virt/kvm/irqchip.c +@@ -144,18 +144,19 @@ static int setup_routing_entry(struct kvm *kvm, + { + struct kvm_kernel_irq_routing_entry *ei; + int r; ++ u32 gsi = array_index_nospec(ue->gsi, KVM_MAX_IRQ_ROUTES); + + /* + * Do not allow GSI to be mapped to the same irqchip more than once. + * Allow only one to one mapping between GSI and non-irqchip routing. 
+ */ +- hlist_for_each_entry(ei, &rt->map[ue->gsi], link) ++ hlist_for_each_entry(ei, &rt->map[gsi], link) + if (ei->type != KVM_IRQ_ROUTING_IRQCHIP || + ue->type != KVM_IRQ_ROUTING_IRQCHIP || + ue->u.irqchip.irqchip == ei->irqchip.irqchip) + return -EINVAL; + +- e->gsi = ue->gsi; ++ e->gsi = gsi; + e->type = ue->type; + r = kvm_set_routing_entry(kvm, e, ue); + if (r) +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index a373c60ef1c06..b91716b1b428e 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2886,12 +2886,14 @@ static int kvm_ioctl_create_device(struct kvm *kvm, + struct kvm_device_ops *ops = NULL; + struct kvm_device *dev; + bool test = cd->flags & KVM_CREATE_DEVICE_TEST; ++ int type; + int ret; + + if (cd->type >= ARRAY_SIZE(kvm_device_ops_table)) + return -ENODEV; + +- ops = kvm_device_ops_table[cd->type]; ++ type = array_index_nospec(cd->type, ARRAY_SIZE(kvm_device_ops_table)); ++ ops = kvm_device_ops_table[type]; + if (ops == NULL) + return -ENODEV; + +@@ -2906,7 +2908,7 @@ static int kvm_ioctl_create_device(struct kvm *kvm, + dev->kvm = kvm; + + mutex_lock(&kvm->lock); +- ret = ops->create(dev, cd->type); ++ ret = ops->create(dev, type); + if (ret < 0) { + mutex_unlock(&kvm->lock); + kfree(dev); +-- +2.20.1 + diff --git a/queue-4.14/kvm-x86-avoid-misreporting-level-triggered-irqs-as-e.patch b/queue-4.14/kvm-x86-avoid-misreporting-level-triggered-irqs-as-e.patch new file mode 100644 index 00000000000..a3d21500efa --- /dev/null +++ b/queue-4.14/kvm-x86-avoid-misreporting-level-triggered-irqs-as-e.patch 
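Review bot: In setup_routing_entry() (virt/kvm/irqchip.c) and __kvm_memslots() (include/linux/kvm_host.h), the index goes through array_index_nospec() with no bounds check visible in the hunk, unlike kvm_ioctl_create_device(), where `cd->type >= ARRAY_SIZE(kvm_device_ops_table)` is rejected before the clamp. array_index_nospec() turns an out-of-range index into 0 rather than failing, so `e->gsi = gsi` would silently record GSI 0 for an oversized ue->gsi. Please confirm that every caller validates ue->gsi against KVM_MAX_IRQ_ROUTES and as_id against KVM_ADDRESS_SPACE_NUM beforehand, or add the explicit check next to the clamp. In kvm_get_vcpu() the shortened comment also loses the explanation of why the smp_rmb() is needed after reading kvm->online_vcpus; that context is worth keeping now that the function reads online_vcpus itself.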
@@ -0,0 +1,51 @@ +From 694ea319ede15d7ff0289564da15a0b184311cac Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Wed, 27 Mar 2019 15:12:20 +0100 +Subject: KVM: x86: avoid misreporting level-triggered irqs as edge-triggered + in tracing + +[ Upstream commit 7a223e06b1a411cef6c4cd7a9b9a33c8d225b10e ] + +In __apic_accept_irq() interface trig_mode is int and actually on some code +paths it is set above u8: + +kvm_apic_set_irq() extracts it from 'struct kvm_lapic_irq' where trig_mode +is u16. This is done on purpose as e.g. kvm_set_msi_irq() sets it to +(1 << 15) & e->msi.data + +kvm_apic_local_deliver sets it to reg & (1 << 15). + +Fix the immediate issue by making 'tm' into u16. We may also want to adjust +__apic_accept_irq() interface and use proper sizes for vector, level, +trig_mode but this is not urgent. + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/trace.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/trace.h b/arch/x86/kvm/trace.h +index 9807c314c4788..3bf41413ab151 100644 +--- a/arch/x86/kvm/trace.h ++++ b/arch/x86/kvm/trace.h +@@ -438,13 +438,13 @@ TRACE_EVENT(kvm_apic_ipi, + ); + + TRACE_EVENT(kvm_apic_accept_irq, +- TP_PROTO(__u32 apicid, __u16 dm, __u8 tm, __u8 vec), ++ TP_PROTO(__u32 apicid, __u16 dm, __u16 tm, __u8 vec), + TP_ARGS(apicid, dm, tm, vec), + + TP_STRUCT__entry( + __field( __u32, apicid ) + __field( __u16, dm ) +- __field( __u8, tm ) ++ __field( __u16, tm ) + __field( __u8, vec ) + ), + +-- +2.20.1 + diff --git a/queue-4.14/leds-pwm-silently-error-out-on-eprobe_defer.patch b/queue-4.14/leds-pwm-silently-error-out-on-eprobe_defer.patch new file mode 100644 index 00000000000..7fe9e70e007 --- /dev/null +++ b/queue-4.14/leds-pwm-silently-error-out-on-eprobe_defer.patch 
@@ -0,0 +1,36 @@ +From 2046c5698f3f2aa9fdffe76dcdb10bd44cbcda67 Mon Sep 17 00:00:00 2001 +From: Jerome Brunet +Date: Thu, 6 Sep 2018 15:59:04 +0200 +Subject: leds: pwm: silently error out on EPROBE_DEFER + +[ Upstream commit 9aec30371fb095a0c9415f3f0146ae269c3713d8 ] + +When probing, if we fail to get the pwm due to probe deferal, we shouldn't +print an error message. Just be silent in this case. + +Signed-off-by: Jerome Brunet +Signed-off-by: Jacek Anaszewski +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-pwm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/leds/leds-pwm.c b/drivers/leds/leds-pwm.c +index 8d456dc6c5bfe..83f9bbe57e02b 100644 +--- a/drivers/leds/leds-pwm.c ++++ b/drivers/leds/leds-pwm.c +@@ -101,8 +101,9 @@ static int led_pwm_add(struct device *dev, struct led_pwm_priv *priv, + led_data->pwm = devm_pwm_get(dev, led->name); + if (IS_ERR(led_data->pwm)) { + ret = PTR_ERR(led_data->pwm); +- dev_err(dev, "unable to request PWM for %s: %d\n", +- led->name, ret); ++ if (ret != -EPROBE_DEFER) ++ dev_err(dev, "unable to request PWM for %s: %d\n", ++ led->name, ret); + return ret; + } + +-- +2.20.1 + diff --git a/queue-4.14/libnvdimm-btt-fix-a-kmemdup-failure-check.patch b/queue-4.14/libnvdimm-btt-fix-a-kmemdup-failure-check.patch new file mode 100644 index 00000000000..ff5c56ff064 --- /dev/null +++ b/queue-4.14/libnvdimm-btt-fix-a-kmemdup-failure-check.patch 
@@ -0,0 +1,59 @@ +From 6ba7ada584d15536ba35adfe6a3b1f822920e5ea Mon Sep 17 00:00:00 2001 +From: Aditya Pakki +Date: Mon, 25 Mar 2019 16:55:27 -0500 +Subject: libnvdimm/btt: Fix a kmemdup failure check + +[ Upstream commit 486fa92df4707b5df58d6508728bdb9321a59766 ] + +In case kmemdup fails, the fix releases resources and returns to +avoid the NULL pointer dereference. + +Signed-off-by: Aditya Pakki +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + drivers/nvdimm/btt_devs.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/drivers/nvdimm/btt_devs.c b/drivers/nvdimm/btt_devs.c +index d58925295aa79..e610dd890263b 100644 +--- a/drivers/nvdimm/btt_devs.c ++++ b/drivers/nvdimm/btt_devs.c +@@ -190,14 +190,15 @@ static struct device *__nd_btt_create(struct nd_region *nd_region, + return NULL; + + nd_btt->id = ida_simple_get(&nd_region->btt_ida, 0, 0, GFP_KERNEL); +- if (nd_btt->id < 0) { +- kfree(nd_btt); +- return NULL; +- } ++ if (nd_btt->id < 0) ++ goto out_nd_btt; + + nd_btt->lbasize = lbasize; +- if (uuid) ++ if (uuid) { + uuid = kmemdup(uuid, 16, GFP_KERNEL); ++ if (!uuid) ++ goto out_put_id; ++ } + nd_btt->uuid = uuid; + dev = &nd_btt->dev; + dev_set_name(dev, "btt%d.%d", nd_region->id, nd_btt->id); +@@ -212,6 +213,13 @@ static struct device *__nd_btt_create(struct nd_region *nd_region, + return NULL; + } + return dev; ++ ++out_put_id: ++ ida_simple_remove(&nd_region->btt_ida, nd_btt->id); ++ ++out_nd_btt: ++ kfree(nd_btt); ++ return NULL; + } + + struct device *nd_btt_create(struct nd_region *nd_region) +-- +2.20.1 + diff --git a/queue-4.14/libnvdimm-namespace-fix-a-potential-null-pointer-der.patch b/queue-4.14/libnvdimm-namespace-fix-a-potential-null-pointer-der.patch new file mode 100644 index 00000000000..3ce49f8a0c2 --- /dev/null +++ b/queue-4.14/libnvdimm-namespace-fix-a-potential-null-pointer-der.patch 
@@ -0,0 +1,38 @@ +From cc8ef7fce28aecb1f0f6bcfb57f9bc8d5b799fb1 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 12 Mar 2019 03:20:34 -0500 +Subject: libnvdimm/namespace: Fix a potential NULL pointer dereference + +[ Upstream commit 55c1fc0af29a6c1b92f217b7eb7581a882e0c07c ] + +In case kmemdup fails, the fix goes to blk_err to avoid NULL +pointer dereference. + +Signed-off-by: Kangjie Lu +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + drivers/nvdimm/namespace_devs.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvdimm/namespace_devs.c b/drivers/nvdimm/namespace_devs.c +index 50b01d3eadd9c..e3f228af59d1e 100644 +--- a/drivers/nvdimm/namespace_devs.c ++++ b/drivers/nvdimm/namespace_devs.c +@@ -2234,9 +2234,12 @@ struct device *create_namespace_blk(struct nd_region *nd_region, + if (!nsblk->uuid) + goto blk_err; + memcpy(name, nd_label->name, NSLABEL_NAME_LEN); +- if (name[0]) ++ if (name[0]) { + nsblk->alt_name = kmemdup(name, NSLABEL_NAME_LEN, + GFP_KERNEL); ++ if (!nsblk->alt_name) ++ goto blk_err; ++ } + res = nsblk_add_resource(nd_region, ndd, nsblk, + __le64_to_cpu(nd_label->dpa)); + if (!res) +-- +2.20.1 + diff --git a/queue-4.14/mac80211-fix-memory-accounting-with-a-msdu-aggregati.patch b/queue-4.14/mac80211-fix-memory-accounting-with-a-msdu-aggregati.patch new file mode 100644 index 00000000000..bf03bdcd47e --- /dev/null +++ b/queue-4.14/mac80211-fix-memory-accounting-with-a-msdu-aggregati.patch 
@@ -0,0 +1,52 @@ +From b150f15e79294b784546ae020f9075bcbb2e9595 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Sat, 16 Mar 2019 18:06:31 +0100 +Subject: mac80211: fix memory accounting with A-MSDU aggregation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit eb9b64e3a9f8483e6e54f4e03b2ae14ae5db2690 ] + +skb->truesize can change due to memory reallocation or when adding extra +fragments. Adjust fq->memory_usage accordingly + +Signed-off-by: Felix Fietkau +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 305a4655f23e1..09c7aa519ca82 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3125,6 +3125,7 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata, + u8 max_subframes = sta->sta.max_amsdu_subframes; + int max_frags = local->hw.max_tx_fragments; + int max_amsdu_len = sta->sta.max_amsdu_len; ++ int orig_truesize; + __be16 len; + void *data; + bool ret = false; +@@ -3158,6 +3159,7 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata, + if (!head) + goto out; + ++ orig_truesize = head->truesize; + orig_len = head->len; + + if (skb->len + head->len > max_amsdu_len) +@@ -3212,6 +3214,7 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata, + *frag_tail = skb; + + out_recalc: ++ fq->memory_usage += head->truesize - orig_truesize; + if (head->len != orig_len) { + flow->backlog += head->len - orig_len; + tin->backlog_bytes += head->len - orig_len; +-- +2.20.1 + diff --git a/queue-4.14/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch b/queue-4.14/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch new file mode 100644 index 00000000000..081c7253848 --- /dev/null +++ b/queue-4.14/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch 
@@ -0,0 +1,33 @@ +From 21c47e41344034e87f6528341941c4e6141ae750 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Wed, 13 Mar 2019 18:54:27 +0100 +Subject: mac80211: fix unaligned access in mesh table hash function + +[ Upstream commit 40586e3fc400c00c11151804dcdc93f8c831c808 ] + +The pointer to the last four bytes of the address is not guaranteed to be +aligned, so we need to use __get_unaligned_cpu32 here + +Signed-off-by: Felix Fietkau +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh_pathtbl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c +index 1ce068865629b..1300220912051 100644 +--- a/net/mac80211/mesh_pathtbl.c ++++ b/net/mac80211/mesh_pathtbl.c +@@ -23,7 +23,7 @@ static void mesh_path_free_rcu(struct mesh_table *tbl, struct mesh_path *mpath); + static u32 mesh_table_hash(const void *addr, u32 len, u32 seed) + { + /* Use last four bytes of hw addr as hash index */ +- return jhash_1word(*(u32 *)(addr+2), seed); ++ return jhash_1word(__get_unaligned_cpu32((u8 *)addr + 2), seed); + } + + static const struct rhashtable_params mesh_rht_params = { +-- +2.20.1 + diff --git a/queue-4.14/mac80211-increase-max_msg_len.patch b/queue-4.14/mac80211-increase-max_msg_len.patch new file mode 100644 index 00000000000..542b9059dc5 --- /dev/null +++ b/queue-4.14/mac80211-increase-max_msg_len.patch 
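Review bot: In mesh_table_hash() (net/mac80211/mesh_pathtbl.c), the new `(u8 *)addr + 2` cast discards the const qualifier of the `const void *addr` parameter shown in the context line. `(const u8 *)addr + 2` reads the same four bytes and keeps the qualifier intact.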
@@ -0,0 +1,45 @@ +From 6a35693170e13edf48c6af903be0add7142f902b Mon Sep 17 00:00:00 2001 +From: Andrei Otcheretianski +Date: Fri, 15 Mar 2019 17:38:57 +0200 +Subject: mac80211: Increase MAX_MSG_LEN + +[ Upstream commit 78be2d21cc1cd3069c6138dcfecec62583130171 ] + +Looks that 100 chars isn't enough for messages, as we keep getting +warnings popping from different places due to message shortening. +Instead of trying to shorten the prints, just increase the buffer size. + +Signed-off-by: Andrei Otcheretianski +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/trace_msg.h | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/trace_msg.h b/net/mac80211/trace_msg.h +index 366b9e6f043e2..40141df09f255 100644 +--- a/net/mac80211/trace_msg.h ++++ b/net/mac80211/trace_msg.h +@@ -1,4 +1,9 @@ + /* SPDX-License-Identifier: GPL-2.0 */ ++/* ++ * Portions of this file ++ * Copyright (C) 2019 Intel Corporation ++ */ ++ + #ifdef CONFIG_MAC80211_MESSAGE_TRACING + + #if !defined(__MAC80211_MSG_DRIVER_TRACE) || defined(TRACE_HEADER_MULTI_READ) +@@ -11,7 +16,7 @@ + #undef TRACE_SYSTEM + #define TRACE_SYSTEM mac80211_msg + +-#define MAX_MSG_LEN 100 ++#define MAX_MSG_LEN 120 + + DECLARE_EVENT_CLASS(mac80211_msg_event, + TP_PROTO(struct va_format *vaf), +-- +2.20.1 + diff --git a/queue-4.14/media-adv7604-when-the-edid-is-cleared-unconfigure-c.patch b/queue-4.14/media-adv7604-when-the-edid-is-cleared-unconfigure-c.patch new file mode 100644 index 00000000000..6ead85ccdcd --- /dev/null +++ b/queue-4.14/media-adv7604-when-the-edid-is-cleared-unconfigure-c.patch 
@@ -0,0 +1,37 @@ +From e6c7b67741c608df1d08dbb8fd8c331a4f9f8f3a Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Thu, 4 Oct 2018 03:57:06 -0400 +Subject: media: adv7604: when the EDID is cleared, unconfigure CEC as well + +[ Upstream commit e7da89926f6dc6cf855f5ffdf79ef99a1b115ca7 ] + +When there is no EDID the CEC adapter should be unconfigured as +well. So call cec_phys_addr_invalidate() when this happens. + +Signed-off-by: Hans Verkuil +Cc: # for v4.18 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/adv7604.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c +index d2108aad3c658..26c3ec573a565 100644 +--- a/drivers/media/i2c/adv7604.c ++++ b/drivers/media/i2c/adv7604.c +@@ -2295,8 +2295,10 @@ static int adv76xx_set_edid(struct v4l2_subdev *sd, struct v4l2_edid *edid) + state->aspect_ratio.numerator = 16; + state->aspect_ratio.denominator = 9; + +- if (!state->edid.present) ++ if (!state->edid.present) { + state->edid.blocks = 0; ++ cec_phys_addr_invalidate(state->cec_adap); ++ } + + v4l2_dbg(2, debug, sd, "%s: clear EDID pad %d, edid.present = 0x%x\n", + __func__, edid->pad, state->edid.present); +-- +2.20.1 + diff --git a/queue-4.14/media-adv7842-when-the-edid-is-cleared-unconfigure-c.patch b/queue-4.14/media-adv7842-when-the-edid-is-cleared-unconfigure-c.patch new file mode 100644 index 00000000000..69aff412789 --- /dev/null +++ b/queue-4.14/media-adv7842-when-the-edid-is-cleared-unconfigure-c.patch 
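Review bot: The upstream commit for drivers/media/i2c/adv7604.c is annotated `Cc: # for v4.18 and up`, yet the patch is queued under queue-4.14, and the adv7842 patch that follows carries the same annotation. Before this goes into 4.14, verify that adv76xx_set_edid() in that tree has state->cec_adap available and that cec_phys_addr_invalidate() links in every configuration, since the later CEC patch in this queue describes build failures when CEC_CORE is disabled.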
@@ -0,0 +1,37 @@ +From 56f364c5b7953b651aeb5e28a4aa8d498ffaf00a Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Thu, 4 Oct 2018 03:58:34 -0400 +Subject: media: adv7842: when the EDID is cleared, unconfigure CEC as well + +[ Upstream commit ab83203e181015b099720aff43ffabc1812e0fb3 ] + +When there is no EDID the CEC adapter should be unconfigured as +well. So call cec_phys_addr_invalidate() when this happens. + +Signed-off-by: Hans Verkuil +Cc: # for v4.18 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/adv7842.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/adv7842.c b/drivers/media/i2c/adv7842.c +index f9c23173c9fa0..dcce8d030e5db 100644 +--- a/drivers/media/i2c/adv7842.c ++++ b/drivers/media/i2c/adv7842.c +@@ -799,8 +799,10 @@ static int edid_write_hdmi_segment(struct v4l2_subdev *sd, u8 port) + /* Disable I2C access to internal EDID ram from HDMI DDC ports */ + rep_write_and_or(sd, 0x77, 0xf3, 0x00); + +- if (!state->hdmi_edid.present) ++ if (!state->hdmi_edid.present) { ++ cec_phys_addr_invalidate(state->cec_adap); + return 0; ++ } + + pa = cec_get_edid_phys_addr(edid, 256, &spa_loc); + err = cec_phys_addr_validate(pa, &pa, NULL); +-- +2.20.1 + diff --git a/queue-4.14/media-cec-integrate-cec_validate_phys_addr-in-cec-ap.patch b/queue-4.14/media-cec-integrate-cec_validate_phys_addr-in-cec-ap.patch new file mode 100644 index 00000000000..b2c5de3fe6c --- /dev/null +++ b/queue-4.14/media-cec-integrate-cec_validate_phys_addr-in-cec-ap.patch 
@@ -0,0 +1,60 @@ +From e7c673c103d1a400063c5da5c96fa2e7fd827735 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Thu, 13 Sep 2018 03:36:29 -0400 +Subject: media: cec: integrate cec_validate_phys_addr() in cec-api.c + +[ Upstream commit e81bff39489a06384822bb38ce7a59f9e365bbe9 ] + +The cec_phys_addr_validate() function will be moved to V4L2, +so use a simplified variant of that function in cec-api.c. +cec now no longer calls cec_phys_addr_validate() and it can +be safely moved to V4L2. + +Signed-off-by: Hans Verkuil +Cc: # for v4.17 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/cec/cec-api.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/cec/cec-api.c b/drivers/media/cec/cec-api.c +index a079f7fe018c4..21a5f45e0259e 100644 +--- a/drivers/media/cec/cec-api.c ++++ b/drivers/media/cec/cec-api.c +@@ -113,6 +113,23 @@ static long cec_adap_g_phys_addr(struct cec_adapter *adap, + return 0; + } + ++static int cec_validate_phys_addr(u16 phys_addr) ++{ ++ int i; ++ ++ if (phys_addr == CEC_PHYS_ADDR_INVALID) ++ return 0; ++ for (i = 0; i < 16; i += 4) ++ if (phys_addr & (0xf << i)) ++ break; ++ if (i == 16) ++ return 0; ++ for (i += 4; i < 16; i += 4) ++ if ((phys_addr & (0xf << i)) == 0) ++ return -EINVAL; ++ return 0; ++} ++ + static long cec_adap_s_phys_addr(struct cec_adapter *adap, struct cec_fh *fh, + bool block, __u16 __user *parg) + { +@@ -124,7 +141,7 @@ static long cec_adap_s_phys_addr(struct cec_adapter *adap, struct cec_fh *fh, + if (copy_from_user(&phys_addr, parg, sizeof(phys_addr))) + return -EFAULT; + +- err = cec_phys_addr_validate(phys_addr, NULL, NULL); ++ err = cec_validate_phys_addr(phys_addr); + if (err) + return err; + mutex_lock(&adap->lock); +-- +2.20.1 + 
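Review bot: The new static cec_validate_phys_addr() in drivers/media/cec/cec-api.c has no comment stating the rule it enforces, and its name differs from the exported cec_phys_addr_validate() only in word order. From the two loops, the rule is that once the lowest non-zero nibble is found, every higher nibble must also be non-zero, so 1.2.0.0 passes and 1.0.3.0 returns -EINVAL. A short comment saying so, and a more distinct name, would make the call site in cec_adap_s_phys_addr() easier to review.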
diff --git a/queue-4.14/media-cec-make-cec_get_edid_spa_location-an-inline-f.patch b/queue-4.14/media-cec-make-cec_get_edid_spa_location-an-inline-f.patch new file mode 100644 index 00000000000..0afeb23ea4e --- /dev/null +++ b/queue-4.14/media-cec-make-cec_get_edid_spa_location-an-inline-f.patch 
@@ -0,0 +1,178 @@ +From 9853c7e97d70f17fe1d77f52c7a69757701aa780 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Thu, 13 Sep 2018 03:25:59 -0400 +Subject: media: cec: make cec_get_edid_spa_location() an inline function + +[ Upstream commit b915bf575d5b7774d0f22d57d6c143e07dcaade2 ] + +This function is needed by both V4L2 and CEC, so move this to +cec.h as a static inline since there are no obvious shared +modules between the two subsystems. + +This patch, together with the following ones, fixes a +dependency bug: if CEC_CORE is disabled, then building adv7604 +(and other HDMI receivers) will fail because an essential +function is now stubbed out. + +Signed-off-by: Hans Verkuil +Cc: # for v4.17 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/cec/cec-edid.c | 60 ------------------------------- + include/media/cec.h | 70 ++++++++++++++++++++++++++++++++++++ + 2 files changed, 70 insertions(+), 60 deletions(-) + +diff --git a/drivers/media/cec/cec-edid.c b/drivers/media/cec/cec-edid.c +index 38e3fec6152b5..19a31d4c86035 100644 +--- a/drivers/media/cec/cec-edid.c ++++ b/drivers/media/cec/cec-edid.c +@@ -22,66 +22,6 @@ + #include + #include + +-/* +- * This EDID is expected to be a CEA-861 compliant, which means that there are +- * at least two blocks and one or more of the extensions blocks are CEA-861 +- * blocks. +- * +- * The returned location is guaranteed to be < size - 1. +- */ +-static unsigned int cec_get_edid_spa_location(const u8 *edid, unsigned int size) +-{ +- unsigned int blocks = size / 128; +- unsigned int block; +- u8 d; +- +- /* Sanity check: at least 2 blocks and a multiple of the block size */ +- if (blocks < 2 || size % 128) +- return 0; +- +- /* +- * If there are fewer extension blocks than the size, then update +- * 'blocks'. It is allowed to have more extension blocks than the size, +- * since some hardware can only read e.g. 256 bytes of the EDID, even +- * though more blocks are present. 
The first CEA-861 extension block +- * should normally be in block 1 anyway. +- */ +- if (edid[0x7e] + 1 < blocks) +- blocks = edid[0x7e] + 1; +- +- for (block = 1; block < blocks; block++) { +- unsigned int offset = block * 128; +- +- /* Skip any non-CEA-861 extension blocks */ +- if (edid[offset] != 0x02 || edid[offset + 1] != 0x03) +- continue; +- +- /* search Vendor Specific Data Block (tag 3) */ +- d = edid[offset + 2] & 0x7f; +- /* Check if there are Data Blocks */ +- if (d <= 4) +- continue; +- if (d > 4) { +- unsigned int i = offset + 4; +- unsigned int end = offset + d; +- +- /* Note: 'end' is always < 'size' */ +- do { +- u8 tag = edid[i] >> 5; +- u8 len = edid[i] & 0x1f; +- +- if (tag == 3 && len >= 5 && i + len <= end && +- edid[i + 1] == 0x03 && +- edid[i + 2] == 0x0c && +- edid[i + 3] == 0x00) +- return i + 4; +- i += len + 1; +- } while (i < end); +- } +- } +- return 0; +-} +- + u16 cec_get_edid_phys_addr(const u8 *edid, unsigned int size, + unsigned int *offset) + { +diff --git a/include/media/cec.h b/include/media/cec.h +index df6b3bd312849..b7339cc6fd3d6 100644 +--- a/include/media/cec.h ++++ b/include/media/cec.h +@@ -435,4 +435,74 @@ static inline void cec_phys_addr_invalidate(struct cec_adapter *adap) + cec_s_phys_addr(adap, CEC_PHYS_ADDR_INVALID, false); + } + ++/** ++ * cec_get_edid_spa_location() - find location of the Source Physical Address ++ * ++ * @edid: the EDID ++ * @size: the size of the EDID ++ * ++ * This EDID is expected to be a CEA-861 compliant, which means that there are ++ * at least two blocks and one or more of the extensions blocks are CEA-861 ++ * blocks. ++ * ++ * The returned location is guaranteed to be <= size-2. ++ * ++ * This is an inline function since it is used by both CEC and V4L2. ++ * Ideally this would go in a module shared by both, but it is overkill to do ++ * that for just a single function. 
++ */ ++static inline unsigned int cec_get_edid_spa_location(const u8 *edid, ++ unsigned int size) ++{ ++ unsigned int blocks = size / 128; ++ unsigned int block; ++ u8 d; ++ ++ /* Sanity check: at least 2 blocks and a multiple of the block size */ ++ if (blocks < 2 || size % 128) ++ return 0; ++ ++ /* ++ * If there are fewer extension blocks than the size, then update ++ * 'blocks'. It is allowed to have more extension blocks than the size, ++ * since some hardware can only read e.g. 256 bytes of the EDID, even ++ * though more blocks are present. The first CEA-861 extension block ++ * should normally be in block 1 anyway. ++ */ ++ if (edid[0x7e] + 1 < blocks) ++ blocks = edid[0x7e] + 1; ++ ++ for (block = 1; block < blocks; block++) { ++ unsigned int offset = block * 128; ++ ++ /* Skip any non-CEA-861 extension blocks */ ++ if (edid[offset] != 0x02 || edid[offset + 1] != 0x03) ++ continue; ++ ++ /* search Vendor Specific Data Block (tag 3) */ ++ d = edid[offset + 2] & 0x7f; ++ /* Check if there are Data Blocks */ ++ if (d <= 4) ++ continue; ++ if (d > 4) { ++ unsigned int i = offset + 4; ++ unsigned int end = offset + d; ++ ++ /* Note: 'end' is always < 'size' */ ++ do { ++ u8 tag = edid[i] >> 5; ++ u8 len = edid[i] & 0x1f; ++ ++ if (tag == 3 && len >= 5 && i + len <= end && ++ edid[i + 1] == 0x03 && ++ edid[i + 2] == 0x0c && ++ edid[i + 3] == 0x00) ++ return i + 4; ++ i += len + 1; ++ } while (i < end); ++ } ++ } ++ return 0; ++} ++ + #endif /* _MEDIA_CEC_H */ +-- +2.20.1 + diff --git a/queue-4.14/media-ov5640-fix-auto-controls-values-when-switching.patch b/queue-4.14/media-ov5640-fix-auto-controls-values-when-switching.patch new file mode 100644 index 00000000000..ae16a2f326e --- /dev/null +++ b/queue-4.14/media-ov5640-fix-auto-controls-values-when-switching.patch 
@@ -0,0 +1,44 @@ +From b1bf56b19765bd2ca7e629b9d287c24e0a027938 Mon Sep 17 00:00:00 2001 +From: Hugues Fruchet +Date: Tue, 11 Sep 2018 09:48:20 -0400 +Subject: media: ov5640: fix auto controls values when switching to manual mode + +[ Upstream commit a8f438c684eaa4cbe6c98828eb996d5ec53e24fb ] + +When switching from auto to manual mode, V4L2 core is calling +g_volatile_ctrl() in manual mode in order to get the manual initial value. +Remove the manual mode check/return to not break this behaviour. + +Signed-off-by: Hugues Fruchet +Tested-by: Jacopo Mondi +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov5640.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c +index 0366c8dc6ecf7..acf5c8a55bbd2 100644 +--- a/drivers/media/i2c/ov5640.c ++++ b/drivers/media/i2c/ov5640.c +@@ -1900,16 +1900,12 @@ static int ov5640_g_volatile_ctrl(struct v4l2_ctrl *ctrl) + + switch (ctrl->id) { + case V4L2_CID_AUTOGAIN: +- if (!ctrl->val) +- return 0; + val = ov5640_get_gain(sensor); + if (val < 0) + return val; + sensor->ctrls.gain->val = val; + break; + case V4L2_CID_EXPOSURE_AUTO: +- if (ctrl->val == V4L2_EXPOSURE_MANUAL) +- return 0; + val = ov5640_get_exposure(sensor); + if (val < 0) + return val; +-- +2.20.1 + diff --git a/queue-4.14/media-ov5640-fix-wrong-binning-value-in-exposure-cal.patch b/queue-4.14/media-ov5640-fix-wrong-binning-value-in-exposure-cal.patch new file mode 100644 index 00000000000..f5fc7359ee3 --- /dev/null +++ b/queue-4.14/media-ov5640-fix-wrong-binning-value-in-exposure-cal.patch 
@@ -0,0 +1,58 @@ +From 53261c968211567d5d415fc61cccdb64ccae5ffa Mon Sep 17 00:00:00 2001 +From: Hugues Fruchet +Date: Tue, 11 Sep 2018 09:48:19 -0400 +Subject: media: ov5640: fix wrong binning value in exposure calculation + +[ Upstream commit c2c3f42df4dd9bb231d756bacb0c897f662c6d3c ] + +ov5640_set_mode_exposure_calc() is checking binning value but +binning value read is buggy, fix this. +Rename ov5640_binning_on() to ov5640_get_binning() as per other +similar functions. + +Signed-off-by: Hugues Fruchet +Reviewed-by: Laurent Pinchart +Reviewed-by: Jacopo Mondi +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov5640.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c +index 39a2269c0beef..0366c8dc6ecf7 100644 +--- a/drivers/media/i2c/ov5640.c ++++ b/drivers/media/i2c/ov5640.c +@@ -1216,7 +1216,7 @@ static int ov5640_set_ae_target(struct ov5640_dev *sensor, int target) + return ov5640_write_reg(sensor, OV5640_REG_AEC_CTRL1F, fast_low); + } + +-static int ov5640_binning_on(struct ov5640_dev *sensor) ++static int ov5640_get_binning(struct ov5640_dev *sensor) + { + u8 temp; + int ret; +@@ -1224,8 +1224,8 @@ static int ov5640_binning_on(struct ov5640_dev *sensor) + ret = ov5640_read_reg(sensor, OV5640_REG_TIMING_TC_REG21, &temp); + if (ret) + return ret; +- temp &= 0xfe; +- return temp ? 1 : 0; ++ ++ return temp & BIT(0); + } + + static int ov5640_set_virtual_channel(struct ov5640_dev *sensor) +@@ -1293,7 +1293,7 @@ static int ov5640_set_mode_exposure_calc( + if (ret < 0) + return ret; + prev_shutter = ret; +- ret = ov5640_binning_on(sensor); ++ ret = ov5640_get_binning(sensor); + if (ret < 0) + return ret; + if (ret && mode->id != OV5640_MODE_720P_1280_720 && +-- +2.20.1 + 
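Review bot: in ov5640_get_binning(), `return temp & BIT(0);` leaves the meaning of bit 0 of OV5640_REG_TIMING_TC_REG21 undocumented, and the old `temp &= 0xfe` mask it replaces tested every bit except that one. A named mask for the binning bit, or a short comment on the return statement, would make the value checkable against the datasheet. The function returns either the error from ov5640_read_reg() or the raw bit, and the caller in ov5640_set_mode_exposure_calc() relies on that by testing `ret < 0` before `ret &&`, so the return contract deserves a one-line comment as well.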
diff --git a/queue-4.14/mips-perf-ath79-fix-perfcount-irq-assignment.patch b/queue-4.14/mips-perf-ath79-fix-perfcount-irq-assignment.patch new file mode 100644 index 00000000000..a2f7402ad20 --- /dev/null +++ b/queue-4.14/mips-perf-ath79-fix-perfcount-irq-assignment.patch 
@@ -0,0 +1,118 @@ +From 504238816559b2ea552fb70aadd411ac346f539d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20=C5=A0tetiar?= +Date: Fri, 12 Apr 2019 23:08:32 +0200 +Subject: MIPS: perf: ath79: Fix perfcount IRQ assignment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit a1e8783db8e0d58891681bc1e6d9ada66eae8e20 ] + +Currently it's not possible to use perf on ath79 due to genirq flags +mismatch happening on static virtual IRQ 13 which is used for +performance counters hardware IRQ 5. + +On TP-Link Archer C7v5: + + CPU0 + 2: 0 MIPS 2 ath9k + 4: 318 MIPS 4 19000000.eth + 7: 55034 MIPS 7 timer + 8: 1236 MISC 3 ttyS0 + 12: 0 INTC 1 ehci_hcd:usb1 + 13: 0 gpio-ath79 2 keys + 14: 0 gpio-ath79 5 keys + 15: 31 AR724X PCI 1 ath10k_pci + + $ perf top + genirq: Flags mismatch irq 13. 00014c83 (mips_perf_pmu) vs. 00002003 (keys) + +On TP-Link Archer C7v4: + + CPU0 + 4: 0 MIPS 4 19000000.eth + 5: 7135 MIPS 5 1a000000.eth + 7: 98379 MIPS 7 timer + 8: 30 MISC 3 ttyS0 + 12: 90028 INTC 0 ath9k + 13: 5520 INTC 1 ehci_hcd:usb1 + 14: 4623 INTC 2 ehci_hcd:usb2 + 15: 32844 AR724X PCI 1 ath10k_pci + 16: 0 gpio-ath79 16 keys + 23: 0 gpio-ath79 23 keys + + $ perf top + genirq: Flags mismatch irq 13. 00014c80 (mips_perf_pmu) vs. 00000080 (ehci_hcd:usb1) + +This problem is happening, because currently statically assigned virtual +IRQ 13 for performance counters is not claimed during the initialization +of MIPS PMU during the bootup, so the IRQ subsystem doesn't know, that +this interrupt isn't available for further use. + +So this patch fixes the issue by simply booking hardware IRQ 5 for MIPS PMU. 
+ +Tested-by: Kevin 'ldir' Darbyshire-Bryant +Signed-off-by: Petr Å tetiar +Acked-by: John Crispin +Acked-by: Marc Zyngier +Signed-off-by: Paul Burton +Cc: linux-mips@vger.kernel.org +Cc: Ralf Baechle +Cc: James Hogan +Cc: Thomas Gleixner +Cc: Jason Cooper +Signed-off-by: Sasha Levin +--- + arch/mips/ath79/setup.c | 6 ------ + drivers/irqchip/irq-ath79-misc.c | 11 +++++++++++ + 2 files changed, 11 insertions(+), 6 deletions(-) + +diff --git a/arch/mips/ath79/setup.c b/arch/mips/ath79/setup.c +index 26a058d58d37b..c7c31e2148136 100644 +--- a/arch/mips/ath79/setup.c ++++ b/arch/mips/ath79/setup.c +@@ -183,12 +183,6 @@ const char *get_system_type(void) + return ath79_sys_type; + } + +-int get_c0_perfcount_int(void) +-{ +- return ATH79_MISC_IRQ(5); +-} +-EXPORT_SYMBOL_GPL(get_c0_perfcount_int); +- + unsigned int get_c0_compare_int(void) + { + return CP0_LEGACY_COMPARE_IRQ; +diff --git a/drivers/irqchip/irq-ath79-misc.c b/drivers/irqchip/irq-ath79-misc.c +index aa72907846360..0390603170b40 100644 +--- a/drivers/irqchip/irq-ath79-misc.c ++++ b/drivers/irqchip/irq-ath79-misc.c +@@ -22,6 +22,15 @@ + #define AR71XX_RESET_REG_MISC_INT_ENABLE 4 + + #define ATH79_MISC_IRQ_COUNT 32 ++#define ATH79_MISC_PERF_IRQ 5 ++ ++static int ath79_perfcount_irq; ++ ++int get_c0_perfcount_int(void) ++{ ++ return ath79_perfcount_irq; ++} ++EXPORT_SYMBOL_GPL(get_c0_perfcount_int); + + static void ath79_misc_irq_handler(struct irq_desc *desc) + { +@@ -113,6 +122,8 @@ static void __init ath79_misc_intc_domain_init( + { + void __iomem *base = domain->host_data; + ++ ath79_perfcount_irq = irq_create_mapping(domain, ATH79_MISC_PERF_IRQ); ++ + /* Disable and clear all interrupts */ + __raw_writel(0, base + AR71XX_RESET_REG_MISC_INT_ENABLE); + __raw_writel(0, base + AR71XX_RESET_REG_MISC_INT_STATUS); +-- +2.20.1 + 
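Review bot: in ath79_misc_intc_domain_init(), the result of `irq_create_mapping(domain, ATH79_MISC_PERF_IRQ)` is stored in ath79_perfcount_irq without being checked, so a failed mapping is handed to the perf code by get_c0_perfcount_int() as if it were a valid virtual IRQ. The same applies to any call of get_c0_perfcount_int() made before this init function has run, since the static variable has no other initialiser. Suggest checking the mapping result here and logging when it fails, and stating in a comment what get_c0_perfcount_int() returns when no mapping exists.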
diff --git a/queue-4.14/mips-vdso-reduce-vdso_randomize_size-to-64mb-for-64b.patch b/queue-4.14/mips-vdso-reduce-vdso_randomize_size-to-64mb-for-64b.patch new file mode 100644 index 00000000000..d9467b7e2cc --- /dev/null +++ b/queue-4.14/mips-vdso-reduce-vdso_randomize_size-to-64mb-for-64b.patch @@ -0,0 +1,46 @@ +From 931300d1ff6ac219677c31eb2bd6b942712af8ad Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Mon, 5 Nov 2018 22:58:30 +0000 +Subject: MIPS: VDSO: Reduce VDSO_RANDOMIZE_SIZE to 64MB for 64bit + +[ Upstream commit c61c7def1fa0a722610d89790e0255b74f3c07dd ] + +Commit ea7e0480a4b6 ("MIPS: VDSO: Always map near top of user memory") +set VDSO_RANDOMIZE_SIZE to 256MB for 64bit kernel. But take a look at +arch/mips/mm/mmap.c we can see that MIN_GAP is 128MB, which means the +mmap_base may be at (user_address_top - 128MB). This make the stack be +surrounded by mmaped areas, then stack expanding fails and causes a +segmentation fault. Therefore, VDSO_RANDOMIZE_SIZE should be less than +MIN_GAP and this patch reduce it to 64MB. + +Signed-off-by: Huacai Chen +Signed-off-by: Paul Burton +Fixes: ea7e0480a4b6 ("MIPS: VDSO: Always map near top of user memory") +Patchwork: https://patchwork.linux-mips.org/patch/20910/ +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-mips@linux-mips.org +Cc: Fuxin Zhang +Cc: Zhangjin Wu +Cc: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/processor.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/include/asm/processor.h b/arch/mips/include/asm/processor.h +index 8bbbab611a3f1..0b86a01de9562 100644 +--- a/arch/mips/include/asm/processor.h ++++ b/arch/mips/include/asm/processor.h +@@ -81,7 +81,7 @@ extern unsigned int vced_count, vcei_count; + + #endif + +-#define VDSO_RANDOMIZE_SIZE (TASK_IS_32BIT_ADDR ? SZ_1M : SZ_256M) ++#define VDSO_RANDOMIZE_SIZE (TASK_IS_32BIT_ADDR ? SZ_1M : SZ_64M) + + extern unsigned long mips_stack_top(void); + #define STACK_TOP mips_stack_top() +-- +2.20.1 + 
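Review bot: the new `SZ_64M` value in VDSO_RANDOMIZE_SIZE depends on a constraint that exists only in the commit message, namely that it must stay below MIN_GAP (128MB) in arch/mips/mm/mmap.c, and nothing in processor.h records or enforces it. A comment on the define naming MIN_GAP, or a build-time check where both constants are visible, would keep a later change to either value from reintroducing the stack-expansion fault. The change also shrinks the 64-bit VDSO randomization range from 256MB to 64MB, which is worth stating in the changelog as an accepted reduction in address-space randomization.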
diff --git a/queue-4.14/misdn-check-address-length-before-reading-address-fa.patch b/queue-4.14/misdn-check-address-length-before-reading-address-fa.patch new file mode 100644 index 00000000000..c2977734e8c --- /dev/null +++ b/queue-4.14/misdn-check-address-length-before-reading-address-fa.patch @@ -0,0 +1,37 @@ +From 78d7ca0927cfd9346d46a5f187eac456eecae535 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Fri, 12 Apr 2019 19:52:36 +0900 +Subject: mISDN: Check address length before reading address family + +[ Upstream commit 238ffdc49ef98b15819cfd5e3fb23194e3ea3d39 ] + +KMSAN will complain if valid address length passed to bind() is shorter +than sizeof("struct sockaddr_mISDN"->family) bytes. + +Signed-off-by: Tetsuo Handa +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/socket.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c +index c5603d1a07d6e..65cb4aac8dce7 100644 +--- a/drivers/isdn/mISDN/socket.c ++++ b/drivers/isdn/mISDN/socket.c +@@ -712,10 +712,10 @@ base_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len) + struct sock *sk = sock->sk; + int err = 0; + +- if (!maddr || maddr->family != AF_ISDN) ++ if (addr_len < sizeof(struct sockaddr_mISDN)) + return -EINVAL; + +- if (addr_len < sizeof(struct sockaddr_mISDN)) ++ if (!maddr || maddr->family != AF_ISDN) + return -EINVAL; + + lock_sock(sk); +-- +2.20.1 + diff --git a/queue-4.14/mlxsw-core-do-not-use-wq_mem_reclaim-for-emad-workqu.patch b/queue-4.14/mlxsw-core-do-not-use-wq_mem_reclaim-for-emad-workqu.patch new file mode 100644 index 00000000000..7a605e3de9e --- /dev/null +++ b/queue-4.14/mlxsw-core-do-not-use-wq_mem_reclaim-for-emad-workqu.patch 
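Review bot: in base_sock_bind() in the mISDN socket.c hunk above, the check that now runs first, `if (addr_len < sizeof(struct sockaddr_mISDN))`, compares the signed `int addr_len` from the function signature with an unsigned sizeof result, so a negative length would be converted to a large unsigned value and pass it. If the socket layer guarantees a non-negative addr_len before bind handlers are called, a comment saying so is enough; otherwise an explicit `addr_len < 0` test or a cast of the sizeof would close it. Putting the length check ahead of the `maddr->family` read is the right order, and the changelog could say that the check covers the whole structure rather than only the family field it mentions.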
@@ -0,0 +1,39 @@ +From b4fb595a973e1e3638ffc446becda606c74cb77c Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Wed, 10 Apr 2019 06:58:13 +0000 +Subject: mlxsw: core: Do not use WQ_MEM_RECLAIM for EMAD workqueue + +[ Upstream commit a8c133b06183c529c51cd0d54eb57d6b7078370c ] + +The EMAD workqueue is used to handle retransmission of EMAD packets that +contain configuration data for the device's firmware. + +Given the workers need to allocate these packets and that the code is +not called as part of memory reclaim path, remove the WQ_MEM_RECLAIM +flag. + +Fixes: d965465b60ba ("mlxsw: core: Fix possible deadlock") +Signed-off-by: Ido Schimmel +Acked-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c +index cced009da8699..070fd3f7fadf9 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/core.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c +@@ -600,7 +600,7 @@ static int mlxsw_emad_init(struct mlxsw_core *mlxsw_core) + if (!(mlxsw_core->bus->features & MLXSW_BUS_F_TXRX)) + return 0; + +- emad_wq = alloc_workqueue("mlxsw_core_emad", WQ_MEM_RECLAIM, 0); ++ emad_wq = alloc_workqueue("mlxsw_core_emad", 0, 0); + if (!emad_wq) + return -ENOMEM; + mlxsw_core->emad_wq = emad_wq; +-- +2.20.1 + diff --git a/queue-4.14/mlxsw-core-do-not-use-wq_mem_reclaim-for-mlxsw-order.patch b/queue-4.14/mlxsw-core-do-not-use-wq_mem_reclaim-for-mlxsw-order.patch new file mode 100644 index 00000000000..c7d32444df9 --- /dev/null +++ b/queue-4.14/mlxsw-core-do-not-use-wq_mem_reclaim-for-mlxsw-order.patch 
@@ -0,0 +1,80 @@ +From f451da070149231811c0bf42ba18d4ef356ff90a Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Wed, 10 Apr 2019 06:58:14 +0000 +Subject: mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw ordered workqueue + +[ Upstream commit 4af0699782e2cc7d0d89db9eb6f8844dd3df82dc ] + +The ordered workqueue is used to offload various objects such as routes +and neighbours in the order they are notified. + +It should not be called as part of memory reclaim path, so remove the +WQ_MEM_RECLAIM flag. This can also result in a warning [1], if a worker +tries to flush a non-WQ_MEM_RECLAIM workqueue. + +[1] +[97703.542861] workqueue: WQ_MEM_RECLAIM mlxsw_core_ordered:mlxsw_sp_router_fib6_event_work [mlxsw_spectrum] is flushing !WQ_MEM_RECLAIM events:rht_deferred_worker +[97703.542884] WARNING: CPU: 1 PID: 32492 at kernel/workqueue.c:2605 check_flush_dependency+0xb5/0x130 +... +[97703.542988] Hardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018 +[97703.543049] Workqueue: mlxsw_core_ordered mlxsw_sp_router_fib6_event_work [mlxsw_spectrum] +[97703.543061] RIP: 0010:check_flush_dependency+0xb5/0x130 +... 
+[97703.543071] RSP: 0018:ffffb3f08137bc00 EFLAGS: 00010086 +[97703.543076] RAX: 0000000000000000 RBX: ffff96e07740ae00 RCX: 0000000000000000 +[97703.543080] RDX: 0000000000000094 RSI: ffffffff82dc1934 RDI: 0000000000000046 +[97703.543084] RBP: ffffb3f08137bc20 R08: ffffffff82dc18a0 R09: 00000000000225c0 +[97703.543087] R10: 0000000000000000 R11: 0000000000007eec R12: ffffffff816e4ee0 +[97703.543091] R13: ffff96e06f6a5c00 R14: ffff96e077ba7700 R15: ffffffff812ab0c0 +[97703.543097] FS: 0000000000000000(0000) GS:ffff96e077a80000(0000) knlGS:0000000000000000 +[97703.543101] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[97703.543104] CR2: 00007f8cd135b280 CR3: 00000001e860e003 CR4: 00000000003606e0 +[97703.543109] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[97703.543112] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[97703.543115] Call Trace: +[97703.543129] __flush_work+0xbd/0x1e0 +[97703.543137] ? __cancel_work_timer+0x136/0x1b0 +[97703.543145] ? pwq_dec_nr_in_flight+0x49/0xa0 +[97703.543154] __cancel_work_timer+0x136/0x1b0 +[97703.543175] ? mlxsw_reg_trans_bulk_wait+0x145/0x400 [mlxsw_core] +[97703.543184] cancel_work_sync+0x10/0x20 +[97703.543191] rhashtable_free_and_destroy+0x23/0x140 +[97703.543198] rhashtable_destroy+0xd/0x10 +[97703.543254] mlxsw_sp_fib_destroy+0xb1/0xf0 [mlxsw_spectrum] +[97703.543310] mlxsw_sp_vr_put+0xa8/0xc0 [mlxsw_spectrum] +[97703.543364] mlxsw_sp_fib_node_put+0xbf/0x140 [mlxsw_spectrum] +[97703.543418] ? mlxsw_sp_fib6_entry_destroy+0xe8/0x110 [mlxsw_spectrum] +[97703.543475] mlxsw_sp_router_fib6_event_work+0x6cd/0x7f0 [mlxsw_spectrum] +[97703.543484] process_one_work+0x1fd/0x400 +[97703.543493] worker_thread+0x34/0x410 +[97703.543500] kthread+0x121/0x140 +[97703.543507] ? process_one_work+0x400/0x400 +[97703.543512] ? 
kthread_park+0x90/0x90 +[97703.543523] ret_from_fork+0x35/0x40 + +Fixes: a3832b31898f ("mlxsw: core: Create an ordered workqueue for FIB offload") +Signed-off-by: Ido Schimmel +Reported-by: Semion Lisyansky +Acked-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c +index 070fd3f7fadf9..33262c09c703c 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/core.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c +@@ -1815,7 +1815,7 @@ static int __init mlxsw_core_module_init(void) + mlxsw_wq = alloc_workqueue(mlxsw_core_driver_name, WQ_MEM_RECLAIM, 0); + if (!mlxsw_wq) + return -ENOMEM; +- mlxsw_owq = alloc_ordered_workqueue("%s_ordered", WQ_MEM_RECLAIM, ++ mlxsw_owq = alloc_ordered_workqueue("%s_ordered", 0, + mlxsw_core_driver_name); + if (!mlxsw_owq) { + err = -ENOMEM; +-- +2.20.1 + diff --git a/queue-4.14/mlxsw-core-do-not-use-wq_mem_reclaim-for-mlxsw-workq.patch b/queue-4.14/mlxsw-core-do-not-use-wq_mem_reclaim-for-mlxsw-workq.patch new file mode 100644 index 00000000000..3a7a519e40f --- /dev/null +++ b/queue-4.14/mlxsw-core-do-not-use-wq_mem_reclaim-for-mlxsw-workq.patch 
@@ -0,0 +1,39 @@ +From ad19b84d4a6a56fa94b1a5dc7581b8a55dd56bbe Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Wed, 10 Apr 2019 06:58:15 +0000 +Subject: mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw workqueue + +[ Upstream commit b442fed1b724af0de087912a5718ddde1b87acbb ] + +The workqueue is used to periodically update the networking stack about +activity / statistics of various objects such as neighbours and TC +actions. + +It should not be called as part of memory reclaim path, so remove the +WQ_MEM_RECLAIM flag. + +Fixes: 3d5479e92087 ("mlxsw: core: Remove deprecated create_workqueue") +Signed-off-by: Ido Schimmel +Acked-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c +index 33262c09c703c..fad26046e1595 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/core.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c +@@ -1812,7 +1812,7 @@ static int __init mlxsw_core_module_init(void) + { + int err; + +- mlxsw_wq = alloc_workqueue(mlxsw_core_driver_name, WQ_MEM_RECLAIM, 0); ++ mlxsw_wq = alloc_workqueue(mlxsw_core_driver_name, 0, 0); + if (!mlxsw_wq) + return -ENOMEM; + mlxsw_owq = alloc_ordered_workqueue("%s_ordered", 0, +-- +2.20.1 + diff --git a/queue-4.14/mlxsw-spectrum_switchdev-add-mdb-entries-in-prepare-.patch b/queue-4.14/mlxsw-spectrum_switchdev-add-mdb-entries-in-prepare-.patch new file mode 100644 index 00000000000..78371b3b9e4 --- /dev/null +++ b/queue-4.14/mlxsw-spectrum_switchdev-add-mdb-entries-in-prepare-.patch 
@@ -0,0 +1,69 @@ +From 41c13c7eb2c3fed0c82c6bb3750c870a7b00391e Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Wed, 10 Apr 2019 06:58:12 +0000 +Subject: mlxsw: spectrum_switchdev: Add MDB entries in prepare phase + +[ Upstream commit d4d0e40977ac450f32f2db5e4d8e23c9d2578899 ] + +The driver cannot guarantee in the prepare phase that it will be able to +write an MDB entry to the device. In case the driver returned success +during the prepare phase, but then failed to add the entry in the commit +phase, a WARNING [1] will be generated by the switchdev core. + +Fix this by doing the work in the prepare phase instead. + +[1] +[ 358.544486] swp12s0: Commit of object (id=2) failed. +[ 358.550061] WARNING: CPU: 0 PID: 30 at net/switchdev/switchdev.c:281 switchdev_port_obj_add_now+0x9b/0xe0 +[ 358.560754] CPU: 0 PID: 30 Comm: kworker/0:1 Not tainted 5.0.0-custom-13382-gf2449babf221 #1350 +[ 358.570472] Hardware name: Mellanox Technologies Ltd. MSN2100-CB2FO/SA001017, BIOS 5.6.5 06/07/2016 +[ 358.580582] Workqueue: events switchdev_deferred_process_work +[ 358.587001] RIP: 0010:switchdev_port_obj_add_now+0x9b/0xe0 +... 
+[ 358.614109] RSP: 0018:ffffa6b900d6fe18 EFLAGS: 00010286 +[ 358.619943] RAX: 0000000000000000 RBX: ffff8b00797ff000 RCX: 0000000000000000 +[ 358.627912] RDX: ffff8b00b7a1d4c0 RSI: ffff8b00b7a152e8 RDI: ffff8b00b7a152e8 +[ 358.635881] RBP: ffff8b005c3f5bc0 R08: 000000000000022b R09: 0000000000000000 +[ 358.643850] R10: 0000000000000000 R11: ffffa6b900d6fcc8 R12: 0000000000000000 +[ 358.651819] R13: dead000000000100 R14: ffff8b00b65a23c0 R15: 0ffff8b00b7a2200 +[ 358.659790] FS: 0000000000000000(0000) GS:ffff8b00b7a00000(0000) knlGS:0000000000000000 +[ 358.668820] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 358.675228] CR2: 00007f00aad90de0 CR3: 00000001ca80d000 CR4: 00000000001006f0 +[ 358.683188] Call Trace: +[ 358.685918] switchdev_port_obj_add_deferred+0x13/0x60 +[ 358.691655] switchdev_deferred_process+0x6b/0xf0 +[ 358.696907] switchdev_deferred_process_work+0xa/0x10 +[ 358.702548] process_one_work+0x1f5/0x3f0 +[ 358.707022] worker_thread+0x28/0x3c0 +[ 358.711099] ? process_one_work+0x3f0/0x3f0 +[ 358.715768] kthread+0x10d/0x130 +[ 358.719369] ? __kthread_create_on_node+0x180/0x180 +[ 358.724815] ret_from_fork+0x35/0x40 + +Fixes: 3a49b4fde2a1 ("mlxsw: Adding layer 2 multicast support") +Signed-off-by: Ido Schimmel +Reported-by: Alex Kushnarov +Tested-by: Alex Kushnarov +Acked-by: Jiri Pirko +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c +index 3ba9f2c079b2a..8a1788108f52a 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c +@@ -1320,7 +1320,7 @@ static int mlxsw_sp_port_mdb_add(struct mlxsw_sp_port *mlxsw_sp_port, + u16 fid_index; + int err = 0; + +- if (switchdev_trans_ph_prepare(trans)) ++ if (switchdev_trans_ph_commit(trans)) + return 0; + + bridge_port = mlxsw_sp_bridge_port_find(mlxsw_sp->bridge, orig_dev); +-- +2.20.1 + diff --git a/queue-4.14/mm-fix-inactive-list-balancing-between-numa-nodes-an.patch b/queue-4.14/mm-fix-inactive-list-balancing-between-numa-nodes-an.patch new file mode 100644 index 00000000000..b3259038797 --- /dev/null +++ b/queue-4.14/mm-fix-inactive-list-balancing-between-numa-nodes-an.patch 
@@ -0,0 +1,143 @@ +From 40b8245a4a5efaba98838a9b5c72a983d264105d Mon Sep 17 00:00:00 2001 +From: Johannes Weiner +Date: Thu, 18 Apr 2019 17:50:34 -0700 +Subject: mm: fix inactive list balancing between NUMA nodes and cgroups + +[ Upstream commit 3b991208b897f52507168374033771a984b947b1 ] + +During !CONFIG_CGROUP reclaim, we expand the inactive list size if it's +thrashing on the node that is about to be reclaimed. But when cgroups +are enabled, we suddenly ignore the node scope and use the cgroup scope +only. The result is that pressure bleeds between NUMA nodes depending +on whether cgroups are merely compiled into Linux. This behavioral +difference is unexpected and undesirable. + +When the refault adaptivity of the inactive list was first introduced, +there were no statistics at the lruvec level - the intersection of node +and memcg - so it was better than nothing. + +But now that we have that infrastructure, use lruvec_page_state() to +make the list balancing decision always NUMA aware. 
+ +[hannes@cmpxchg.org: fix bisection hole] + Link: http://lkml.kernel.org/r/20190417155241.GB23013@cmpxchg.org +Link: http://lkml.kernel.org/r/20190412144438.2645-1-hannes@cmpxchg.org +Fixes: 2a2e48854d70 ("mm: vmscan: fix IO/refault regression in cache workingset transition") +Signed-off-by: Johannes Weiner +Reviewed-by: Shakeel Butt +Cc: Roman Gushchin +Cc: Michal Hocko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/vmscan.c | 29 +++++++++-------------------- + 1 file changed, 9 insertions(+), 20 deletions(-) + +diff --git a/mm/vmscan.c b/mm/vmscan.c +index 99837e931f531..7b140c967bca6 100644 +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -2120,7 +2120,6 @@ static void shrink_active_list(unsigned long nr_to_scan, + * 10TB 320 32GB + */ + static bool inactive_list_is_low(struct lruvec *lruvec, bool file, +- struct mem_cgroup *memcg, + struct scan_control *sc, bool actual_reclaim) + { + enum lru_list active_lru = file * LRU_FILE + LRU_ACTIVE; +@@ -2141,16 +2140,12 @@ static bool inactive_list_is_low(struct lruvec *lruvec, bool file, + inactive = lruvec_lru_size(lruvec, inactive_lru, sc->reclaim_idx); + active = lruvec_lru_size(lruvec, active_lru, sc->reclaim_idx); + +- if (memcg) +- refaults = memcg_page_state(memcg, WORKINGSET_ACTIVATE); +- else +- refaults = node_page_state(pgdat, WORKINGSET_ACTIVATE); +- + /* + * When refaults are being observed, it means a new workingset + * is being established. Disable active list protection to get + * rid of the stale workingset quickly. 
+ */ ++ refaults = lruvec_page_state(lruvec, WORKINGSET_ACTIVATE); + if (file && actual_reclaim && lruvec->refaults != refaults) { + inactive_ratio = 0; + } else { +@@ -2171,12 +2166,10 @@ static bool inactive_list_is_low(struct lruvec *lruvec, bool file, + } + + static unsigned long shrink_list(enum lru_list lru, unsigned long nr_to_scan, +- struct lruvec *lruvec, struct mem_cgroup *memcg, +- struct scan_control *sc) ++ struct lruvec *lruvec, struct scan_control *sc) + { + if (is_active_lru(lru)) { +- if (inactive_list_is_low(lruvec, is_file_lru(lru), +- memcg, sc, true)) ++ if (inactive_list_is_low(lruvec, is_file_lru(lru), sc, true)) + shrink_active_list(nr_to_scan, lruvec, sc, lru); + return 0; + } +@@ -2276,7 +2269,7 @@ static void get_scan_count(struct lruvec *lruvec, struct mem_cgroup *memcg, + * anonymous pages on the LRU in eligible zones. + * Otherwise, the small LRU gets thrashed. + */ +- if (!inactive_list_is_low(lruvec, false, memcg, sc, false) && ++ if (!inactive_list_is_low(lruvec, false, sc, false) && + lruvec_lru_size(lruvec, LRU_INACTIVE_ANON, sc->reclaim_idx) + >> sc->priority) { + scan_balance = SCAN_ANON; +@@ -2294,7 +2287,7 @@ static void get_scan_count(struct lruvec *lruvec, struct mem_cgroup *memcg, + * lruvec even if it has plenty of old anonymous pages unless the + * system is under heavy pressure. 
+ */ +- if (!inactive_list_is_low(lruvec, true, memcg, sc, false) && ++ if (!inactive_list_is_low(lruvec, true, sc, false) && + lruvec_lru_size(lruvec, LRU_INACTIVE_FILE, sc->reclaim_idx) >> sc->priority) { + scan_balance = SCAN_FILE; + goto out; +@@ -2447,7 +2440,7 @@ static void shrink_node_memcg(struct pglist_data *pgdat, struct mem_cgroup *memc + nr[lru] -= nr_to_scan; + + nr_reclaimed += shrink_list(lru, nr_to_scan, +- lruvec, memcg, sc); ++ lruvec, sc); + } + } + +@@ -2514,7 +2507,7 @@ static void shrink_node_memcg(struct pglist_data *pgdat, struct mem_cgroup *memc + * Even if we did not try to evict anon pages at all, we want to + * rebalance the anon lru active/inactive ratio. + */ +- if (inactive_list_is_low(lruvec, false, memcg, sc, true)) ++ if (inactive_list_is_low(lruvec, false, sc, true)) + shrink_active_list(SWAP_CLUSTER_MAX, lruvec, + sc, LRU_ACTIVE_ANON); + } +@@ -2839,12 +2832,8 @@ static void snapshot_refaults(struct mem_cgroup *root_memcg, pg_data_t *pgdat) + unsigned long refaults; + struct lruvec *lruvec; + +- if (memcg) +- refaults = memcg_page_state(memcg, WORKINGSET_ACTIVATE); +- else +- refaults = node_page_state(pgdat, WORKINGSET_ACTIVATE); +- + lruvec = mem_cgroup_lruvec(pgdat, memcg); ++ refaults = lruvec_page_state(lruvec, WORKINGSET_ACTIVATE); + lruvec->refaults = refaults; + } while ((memcg = mem_cgroup_iter(root_memcg, memcg, NULL))); + } +@@ -3192,7 +3181,7 @@ static void age_active_anon(struct pglist_data *pgdat, + do { + struct lruvec *lruvec = mem_cgroup_lruvec(pgdat, memcg); + +- if (inactive_list_is_low(lruvec, false, memcg, sc, true)) ++ if (inactive_list_is_low(lruvec, false, sc, true)) + shrink_active_list(SWAP_CLUSTER_MAX, lruvec, + sc, LRU_ACTIVE_ANON); + +-- +2.20.1 + diff --git a/queue-4.14/mm-introduce-mm_-p4d-pud-pmd-_folded.patch b/queue-4.14/mm-introduce-mm_-p4d-pud-pmd-_folded.patch new file mode 100644 index 00000000000..2b8dbdeff22 --- /dev/null +++ b/queue-4.14/mm-introduce-mm_-p4d-pud-pmd-_folded.patch 
@@ -0,0 +1,45 @@ +From f8282ce2a4dc3427de5b3715374e33aa23332330 Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Mon, 15 Oct 2018 10:25:57 +0200 +Subject: mm: introduce mm_[p4d|pud|pmd]_folded + +[ Upstream commit 1071fc5779d9846fec56a4ff6089ab08cac1ab72 ] + +Add three architecture overrideable functions to test if the +p4d, pud, or pmd layer of a page table is folded or not. + +Acked-by: Kirill A. Shutemov +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +--- + include/asm-generic/pgtable.h | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h +index f00421dfacbd0..0c21014a38f23 100644 +--- a/include/asm-generic/pgtable.h ++++ b/include/asm-generic/pgtable.h +@@ -1081,4 +1081,20 @@ static inline bool arch_has_pfn_modify_check(void) + #endif + #endif + ++/* ++ * On some architectures it depends on the mm if the p4d/pud or pmd ++ * layer of the page table hierarchy is folded or not. ++ */ ++#ifndef mm_p4d_folded ++#define mm_p4d_folded(mm) __is_defined(__PAGETABLE_P4D_FOLDED) ++#endif ++ ++#ifndef mm_pud_folded ++#define mm_pud_folded(mm) __is_defined(__PAGETABLE_PUD_FOLDED) ++#endif ++ ++#ifndef mm_pmd_folded ++#define mm_pmd_folded(mm) __is_defined(__PAGETABLE_PMD_FOLDED) ++#endif ++ + #endif /* _ASM_GENERIC_PGTABLE_H */ +-- +2.20.1 + diff --git a/queue-4.14/mm-memory.c-fix-modifying-of-page-protection-by-inse.patch b/queue-4.14/mm-memory.c-fix-modifying-of-page-protection-by-inse.patch new file mode 100644 index 00000000000..7beb3ecb7ae --- /dev/null +++ b/queue-4.14/mm-memory.c-fix-modifying-of-page-protection-by-inse.patch 
@@ -0,0 +1,79 @@ +From 26c22faddb4886c716176e6b09ad7c698fbc70f2 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 28 Mar 2019 20:43:19 -0700 +Subject: mm/memory.c: fix modifying of page protection by insert_pfn() + +[ Upstream commit cae85cb8add35f678cf487139d05e083ce2f570a ] + +Aneesh has reported that PPC triggers the following warning when +excercising DAX code: + + IP set_pte_at+0x3c/0x190 + LR insert_pfn+0x208/0x280 + Call Trace: + insert_pfn+0x68/0x280 + dax_iomap_pte_fault.isra.7+0x734/0xa40 + __xfs_filemap_fault+0x280/0x2d0 + do_wp_page+0x48c/0xa40 + __handle_mm_fault+0x8d0/0x1fd0 + handle_mm_fault+0x140/0x250 + __do_page_fault+0x300/0xd60 + handle_page_fault+0x18 + +Now that is WARN_ON in set_pte_at which is + + VM_WARN_ON(pte_hw_valid(*ptep) && !pte_protnone(*ptep)); + +The problem is that on some architectures set_pte_at() cannot cope with +a situation where there is already some (different) valid entry present. + +Use ptep_set_access_flags() instead to modify the pfn which is built to +deal with modifying existing PTE. 
+ +Link: http://lkml.kernel.org/r/20190311084537.16029-1-jack@suse.cz +Fixes: b2770da64254 "mm: add vm_insert_mixed_mkwrite()" +Signed-off-by: Jan Kara +Reported-by: "Aneesh Kumar K.V" +Reviewed-by: Aneesh Kumar K.V +Acked-by: Dan Williams +Cc: Chandan Rajendra +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memory.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/mm/memory.c b/mm/memory.c +index f99b64ca13031..e9bce27bc18c3 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -1813,10 +1813,12 @@ static int insert_pfn(struct vm_area_struct *vma, unsigned long addr, + WARN_ON_ONCE(!is_zero_pfn(pte_pfn(*pte))); + goto out_unlock; + } +- entry = *pte; +- goto out_mkwrite; +- } else +- goto out_unlock; ++ entry = pte_mkyoung(*pte); ++ entry = maybe_mkwrite(pte_mkdirty(entry), vma); ++ if (ptep_set_access_flags(vma, addr, pte, entry, 1)) ++ update_mmu_cache(vma, addr, pte); ++ } ++ goto out_unlock; + } + + /* Ok, finally just insert the thing.. */ +@@ -1825,7 +1827,6 @@ static int insert_pfn(struct vm_area_struct *vma, unsigned long addr, + else + entry = pte_mkspecial(pfn_t_pte(pfn, prot)); + +-out_mkwrite: + if (mkwrite) { + entry = pte_mkyoung(entry); + entry = maybe_mkwrite(pte_mkdirty(entry), vma); +-- +2.20.1 + diff --git a/queue-4.14/net-don-t-keep-lonely-packets-forever-in-the-gro-has.patch b/queue-4.14/net-don-t-keep-lonely-packets-forever-in-the-gro-has.patch new file mode 100644 index 00000000000..816a1f5a01b --- /dev/null +++ b/queue-4.14/net-don-t-keep-lonely-packets-forever-in-the-gro-has.patch 
@@ -0,0 +1,58 @@ +From 8ab29ebcaeacb849fef8b2fc4ac9b048af1e6cfc Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Wed, 21 Nov 2018 18:21:35 +0100 +Subject: net: don't keep lonely packets forever in the gro hash + +[ Upstream commit 605108acfe6233b72e2f803aa1cb59a2af3001ca ] + +Eric noted that with UDP GRO and NAPI timeout, we could keep a single +UDP packet inside the GRO hash forever, if the related NAPI instance +calls napi_gro_complete() at an higher frequency than the NAPI timeout. +Willem noted that even TCP packets could be trapped there, till the +next retransmission. +This patch tries to address the issue, flushing the old packets - +those with a NAPI_GRO_CB age before the current jiffy - before scheduling +the NAPI timeout. The rationale is that such a timeout should be +well below a jiffy and we are not flushing packets eligible for sane GRO. + +v1 -> v2: + - clarified the commit message and comment + +RFC -> v1: + - added 'Fixes tags', cleaned-up the wording. + +Reported-by: Eric Dumazet +Fixes: 3b47d30396ba ("net: gro: add a per device gro flush timer") +Signed-off-by: Paolo Abeni +Acked-by: Willem de Bruijn +Acked-by: Eric Dumazet +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 93a1b07990b8d..90ec30d5b8514 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -5308,11 +5308,14 @@ bool napi_complete_done(struct napi_struct *n, int work_done) + if (work_done) + timeout = n->dev->gro_flush_timeout; + ++ /* When the NAPI instance uses a timeout and keeps postponing ++ * it, we need to bound somehow the time packets are kept in ++ * the GRO layer ++ */ ++ napi_gro_flush(n, !!timeout); + if (timeout) + hrtimer_start(&n->timer, ns_to_ktime(timeout), + HRTIMER_MODE_REL_PINNED); +- else +- napi_gro_flush(n, false); + } + if (unlikely(!list_empty(&n->poll_list))) { + /* If n->poll_list is not empty, we need to mask irqs */ +-- +2.20.1 + diff --git a/queue-4.14/net-fec-manage-ahb-clock-in-runtime-pm.patch b/queue-4.14/net-fec-manage-ahb-clock-in-runtime-pm.patch new file mode 100644 index 00000000000..40cc607a18d --- /dev/null +++ b/queue-4.14/net-fec-manage-ahb-clock-in-runtime-pm.patch 
@@ -0,0 +1,109 @@ +From 337587b1cdd09afb2dade6aef3be66bc8a7f4c67 Mon Sep 17 00:00:00 2001 +From: Andy Duan +Date: Tue, 9 Apr 2019 03:40:56 +0000 +Subject: net: fec: manage ahb clock in runtime pm + +[ Upstream commit d7c3a206e6338e4ccdf030719dec028e26a521d5 ] + +Some SOC like i.MX6SX clock have some limits: +- ahb clock should be disabled before ipg. +- ahb and ipg clocks are required for MAC MII bus. +So, move the ahb clock to runtime management together with +ipg clock. + +Signed-off-by: Fugang Duan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 30 ++++++++++++++++------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index ce55c8f7f33a4..ad3aabc39cc24 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -1851,13 +1851,9 @@ static int fec_enet_clk_enable(struct net_device *ndev, bool enable) + int ret; + + if (enable) { +- ret = clk_prepare_enable(fep->clk_ahb); +- if (ret) +- return ret; +- + ret = clk_prepare_enable(fep->clk_enet_out); + if (ret) +- goto failed_clk_enet_out; ++ return ret; + + if (fep->clk_ptp) { + mutex_lock(&fep->ptp_clk_mutex); +@@ -1875,7 +1871,6 @@ static int fec_enet_clk_enable(struct net_device *ndev, bool enable) + if (ret) + goto failed_clk_ref; + } else { +- clk_disable_unprepare(fep->clk_ahb); + clk_disable_unprepare(fep->clk_enet_out); + if (fep->clk_ptp) { + mutex_lock(&fep->ptp_clk_mutex); +@@ -1894,8 +1889,6 @@ static int fec_enet_clk_enable(struct net_device *ndev, bool enable) + failed_clk_ptp: + if (fep->clk_enet_out) + clk_disable_unprepare(fep->clk_enet_out); +-failed_clk_enet_out: +- clk_disable_unprepare(fep->clk_ahb); + + return ret; + } +@@ -3455,6 +3448,9 @@ fec_probe(struct platform_device *pdev) + ret = clk_prepare_enable(fep->clk_ipg); + if (ret) + goto failed_clk_ipg; ++ ret = 
clk_prepare_enable(fep->clk_ahb); ++ if (ret) ++ goto failed_clk_ahb; + + fep->reg_phy = devm_regulator_get(&pdev->dev, "phy"); + if (!IS_ERR(fep->reg_phy)) { +@@ -3546,6 +3542,9 @@ fec_probe(struct platform_device *pdev) + pm_runtime_put(&pdev->dev); + pm_runtime_disable(&pdev->dev); + failed_regulator: ++ clk_disable_unprepare(fep->clk_ahb); ++failed_clk_ahb: ++ clk_disable_unprepare(fep->clk_ipg); + failed_clk_ipg: + fec_enet_clk_enable(ndev, false); + failed_clk: +@@ -3669,6 +3668,7 @@ static int __maybe_unused fec_runtime_suspend(struct device *dev) + struct net_device *ndev = dev_get_drvdata(dev); + struct fec_enet_private *fep = netdev_priv(ndev); + ++ clk_disable_unprepare(fep->clk_ahb); + clk_disable_unprepare(fep->clk_ipg); + + return 0; +@@ -3678,8 +3678,20 @@ static int __maybe_unused fec_runtime_resume(struct device *dev) + { + struct net_device *ndev = dev_get_drvdata(dev); + struct fec_enet_private *fep = netdev_priv(ndev); ++ int ret; + +- return clk_prepare_enable(fep->clk_ipg); ++ ret = clk_prepare_enable(fep->clk_ahb); ++ if (ret) ++ return ret; ++ ret = clk_prepare_enable(fep->clk_ipg); ++ if (ret) ++ goto failed_clk_ipg; ++ ++ return 0; ++ ++failed_clk_ipg: ++ clk_disable_unprepare(fep->clk_ahb); ++ return ret; + } + + static const struct dev_pm_ops fec_pm_ops = { +-- +2.20.1 + diff --git a/queue-4.14/net-hns-fix-warning-when-hns-modules-installed.patch b/queue-4.14/net-hns-fix-warning-when-hns-modules-installed.patch new file mode 100644 index 00000000000..3c9bcac0ed3 --- /dev/null +++ b/queue-4.14/net-hns-fix-warning-when-hns-modules-installed.patch 
@@ -0,0 +1,122 @@ +From 6040f2bcb3326ed3dfe639f5ba2b0233ed482e73 Mon Sep 17 00:00:00 2001 +From: Jun Xiao +Date: Tue, 23 Apr 2019 00:48:57 +0800 +Subject: net: hns: Fix WARNING when hns modules installed + +[ Upstream commit c77804be53369dd4c15bfc376cf9b45948194cab ] + +Commit 308c6cafde01 ("net: hns: All ports can not work when insmod hns ko +after rmmod.") add phy_stop in hns_nic_init_phy(), In the branch of "net", +this method is effective, but in the branch of "net-next", it will cause +a WARNING when hns modules loaded, reference to commit 2b3e88ea6528 ("net: +phy: improve phy state checking"): + +[10.092168] ------------[ cut here ]------------ +[10.092171] called from state READY +[10.092189] WARNING: CPU: 4 PID: 1 at ../drivers/net/phy/phy.c:854 + phy_stop+0x90/0xb0 +[10.092192] Modules linked in: +[10.092197] CPU: 4 PID:1 Comm:swapper/0 Not tainted 4.20.0-rc7-next-20181220 #1 +[10.092200] Hardware name: Huawei TaiShan 2280 /D05, BIOS Hisilicon D05 UEFI + 16.12 Release 05/15/2017 +[10.092202] pstate: 60000005 (nZCv daif -PAN -UAO) +[10.092205] pc : phy_stop+0x90/0xb0 +[10.092208] lr : phy_stop+0x90/0xb0 +[10.092209] sp : ffff00001159ba90 +[10.092212] x29: ffff00001159ba90 x28: 0000000000000007 +[10.092215] x27: ffff000011180068 x26: ffff0000110a5620 +[10.092218] x25: ffff0000113b6000 x24: ffff842f96dac000 +[10.092221] x23: 0000000000000000 x22: 0000000000000000 +[10.092223] x21: ffff841fb8425e18 x20: ffff801fb3a56438 +[10.092226] x19: ffff801fb3a56000 x18: ffffffffffffffff +[10.092228] x17: 0000000000000000 x16: 0000000000000000 +[10.092231] x15: ffff00001122d6c8 x14: ffff00009159b7b7 +[10.092234] x13: ffff00001159b7c5 x12: ffff000011245000 +[10.092236] x11: 0000000005f5e0ff x10: ffff00001159b750 +[10.092239] x9 : 00000000ffffffd0 x8 : 0000000000000465 +[10.092242] x7 : ffff0000112457f8 x6 : ffff0000113bd7ce +[10.092245] x5 : 0000000000000000 x4 : 0000000000000000 +[10.092247] x3 : 00000000ffffffff x2 : ffff000011245828 +[10.092250] x1 : 4b5860bd05871300 x0 
: 0000000000000000 +[10.092253] Call trace: +[10.092255] phy_stop+0x90/0xb0 +[10.092260] hns_nic_init_phy+0xf8/0x110 +[10.092262] hns_nic_try_get_ae+0x4c/0x3b0 +[10.092264] hns_nic_dev_probe+0x1fc/0x480 +[10.092268] platform_drv_probe+0x50/0xa0 +[10.092271] really_probe+0x1f4/0x298 +[10.092273] driver_probe_device+0x58/0x108 +[10.092275] __driver_attach+0xdc/0xe0 +[10.092278] bus_for_each_dev+0x74/0xc8 +[10.092280] driver_attach+0x20/0x28 +[10.092283] bus_add_driver+0x1b8/0x228 +[10.092285] driver_register+0x60/0x110 +[10.092288] __platform_driver_register+0x40/0x48 +[10.092292] hns_nic_dev_driver_init+0x18/0x20 +[10.092296] do_one_initcall+0x5c/0x180 +[10.092299] kernel_init_freeable+0x198/0x240 +[10.092303] kernel_init+0x10/0x108 +[10.092306] ret_from_fork+0x10/0x18 +[10.092308] ---[ end trace 1396dd0278e397eb ]--- + +This WARNING occurred because of calling phy_stop before phy_start. + +The root cause of the problem in commit '308c6cafde01' is: + +Reference to hns_nic_init_phy, the flag phydev->supported is changed after +phy_connect_direct. The flag phydev->supported is 0x6ff when hns modules is +loaded, so will not change Fiber Port power(Reference to marvell.c), which +is power on at default. +Then the flag phydev->supported is changed to 0x6f, so Fiber Port power is +off when removing hns modules. +When hns modules installed again, the flag phydev->supported is default +value 0x6ff, so will not change Fiber Port power(now is off), causing mac +link not up problem. + +So the solution is change phy flags before phy_connect_direct. + +Fixes: 308c6cafde01 ("net: hns: All ports can not work when insmod hns ko after rmmod.") +Signed-off-by: Yonglong Liu +Signed-off-by: Huazhong Tan +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns/hns_enet.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +index 8fd0408178048..b681c07b33fb6 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +@@ -1267,6 +1267,12 @@ int hns_nic_init_phy(struct net_device *ndev, struct hnae_handle *h) + if (!h->phy_dev) + return 0; + ++ phy_dev->supported &= h->if_support; ++ phy_dev->advertising = phy_dev->supported; ++ ++ if (h->phy_if == PHY_INTERFACE_MODE_XGMII) ++ phy_dev->autoneg = false; ++ + if (h->phy_if != PHY_INTERFACE_MODE_XGMII) { + phy_dev->dev_flags = 0; + +@@ -1278,15 +1284,6 @@ int hns_nic_init_phy(struct net_device *ndev, struct hnae_handle *h) + if (unlikely(ret)) + return -ENODEV; + +- phy_dev->supported &= h->if_support; +- phy_dev->advertising = phy_dev->supported; +- +- if (h->phy_if == PHY_INTERFACE_MODE_XGMII) +- phy_dev->autoneg = false; +- +- if (h->phy_if == PHY_INTERFACE_MODE_SGMII) +- phy_stop(phy_dev); +- + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.14/net-stmmac-move-debugfs-init-exit-to-probe-remove.patch b/queue-4.14/net-stmmac-move-debugfs-init-exit-to-probe-remove.patch new file mode 100644 index 00000000000..ffff4a41dc7 --- /dev/null +++ b/queue-4.14/net-stmmac-move-debugfs-init-exit-to-probe-remove.patch 
@@ -0,0 +1,97 @@ +From 959fa621be56021462f161720a958461e54df524 Mon Sep 17 00:00:00 2001 +From: Thierry Reding +Date: Tue, 27 Nov 2018 14:21:43 +0100 +Subject: net: stmmac: Move debugfs init/exit to ->probe()/->remove() + +[ Upstream commit 5f2b8b62786853341a20d4cd4948f9cbca3db002 ] + +Setting up and tearing down debugfs is current unbalanced, as seen by +this error during resume from suspend: + + [ 752.134067] dwc-eth-dwmac 2490000.ethernet eth0: ERROR failed to create debugfs directory + [ 752.134347] dwc-eth-dwmac 2490000.ethernet eth0: stmmac_hw_setup: failed debugFS registration + +The imbalance happens because the driver creates the debugfs hierarchy +when the device is opened and tears it down when the device is closed. +There's little gain in that, and it could be argued that it is even +surprising because it's not usually done for other devices. Fix the +imbalance by moving the debugfs creation and teardown to the driver's +->probe() and ->remove() implementations instead. + +Note that the ring descriptors cannot be read while the interface is +down, so make sure to return an empty file when the descriptors_status +debugfs file is read. + +Signed-off-by: Thierry Reding +Acked-by: Jose Abreu +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/stmmac_main.c | 23 +++++++++++-------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 0f85e540001ff..f4df9ab0aed5f 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2530,12 +2530,6 @@ static int stmmac_hw_setup(struct net_device *dev, bool init_ptp) + netdev_warn(priv->dev, "PTP init failed\n"); + } + +-#ifdef CONFIG_DEBUG_FS +- ret = stmmac_init_fs(dev); +- if (ret < 0) +- netdev_warn(priv->dev, "%s: failed debugFS registration\n", +- __func__); +-#endif + priv->tx_lpi_timer = STMMAC_DEFAULT_TWT_LS; + + if ((priv->use_riwt) && (priv->hw->dma->rx_watchdog)) { +@@ -2729,10 +2723,6 @@ static int stmmac_release(struct net_device *dev) + + netif_carrier_off(dev); + +-#ifdef CONFIG_DEBUG_FS +- stmmac_exit_fs(dev); +-#endif +- + stmmac_release_ptp(priv); + + return 0; +@@ -3839,6 +3829,9 @@ static int stmmac_sysfs_ring_read(struct seq_file *seq, void *v) + u32 tx_count = priv->plat->tx_queues_to_use; + u32 queue; + ++ if ((dev->flags & IFF_UP) == 0) ++ return 0; ++ + for (queue = 0; queue < rx_count; queue++) { + struct stmmac_rx_queue *rx_q = &priv->rx_queue[queue]; + +@@ -4310,6 +4303,13 @@ int stmmac_dvr_probe(struct device *device, + goto error_netdev_register; + } + ++#ifdef CONFIG_DEBUG_FS ++ ret = stmmac_init_fs(ndev); ++ if (ret < 0) ++ netdev_warn(priv->dev, "%s: failed debugFS registration\n", ++ __func__); ++#endif ++ + return ret; + + error_netdev_register: +@@ -4343,6 +4343,9 @@ int stmmac_dvr_remove(struct device *dev) + + netdev_info(priv->dev, "%s: removing driver", __func__); + ++#ifdef CONFIG_DEBUG_FS ++ stmmac_exit_fs(ndev); ++#endif + stmmac_stop_all_dma(priv); + + priv->hw->mac->set_mac(priv->ioaddr, false); +-- +2.20.1 + 
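Review bot: in the stmmac_dvr_probe() hunk of stmmac_main.c, the new `ret = stmmac_init_fs(ndev);` sits directly in front of the existing `return ret;`, so a debugfs failure that the code only intends to report through netdev_warn() becomes the return value of probe. This happens past the point where the preceding context still jumps to error_netdev_register, so nothing is unwound on that path. Keep the debugfs result in its own local variable, or return 0 explicitly once the warning has been printed. The `(dev->flags & IFF_UP) == 0` early return in stmmac_sysfs_ring_read() matches the commit message, but a one-line comment there saying that the rings are not readable while the interface is down would save the next reader a trip to the changelog.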
diff --git a/queue-4.14/net_sched-fix-two-more-memory-leaks-in-cls_tcindex.patch b/queue-4.14/net_sched-fix-two-more-memory-leaks-in-cls_tcindex.patch new file mode 100644 index 00000000000..c55d91cedff --- /dev/null +++ b/queue-4.14/net_sched-fix-two-more-memory-leaks-in-cls_tcindex.patch 
@@ -0,0 +1,96 @@ +From a44e982ba5346aa3b85afd27e28f1799db697aa3 Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Mon, 11 Feb 2019 13:06:16 -0800 +Subject: net_sched: fix two more memory leaks in cls_tcindex + +[ Upstream commit 1db817e75f5b9387b8db11e37d5f0624eb9223e0 ] + +struct tcindex_filter_result contains two parts: +struct tcf_exts and struct tcf_result. + +For the local variable 'cr', its exts part is never used but +initialized without being released properly on success path. So +just completely remove the exts part to fix this leak. + +For the local variable 'new_filter_result', it is never properly +released if not used by 'r' on success path. + +Cc: Jamal Hadi Salim +Cc: Jiri Pirko +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_tcindex.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c +index 52829fdc280b3..75c7c7cc74999 100644 +--- a/net/sched/cls_tcindex.c ++++ b/net/sched/cls_tcindex.c +@@ -322,9 +322,9 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base, + struct nlattr *est, bool ovr) + { + struct tcindex_filter_result new_filter_result, *old_r = r; +- struct tcindex_filter_result cr; + struct tcindex_data *cp = NULL, *oldp; + struct tcindex_filter *f = NULL; /* make gcc behave */ ++ struct tcf_result cr = {}; + int err, balloc = 0; + struct tcf_exts e; + +@@ -363,13 +363,10 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base, + cp->h = p->h; + + err = tcindex_filter_result_init(&new_filter_result); +- if (err < 0) +- goto errout1; +- err = tcindex_filter_result_init(&cr); + if (err < 0) + goto errout1; + if (old_r) +- cr.res = r->res; ++ cr = r->res; + + if (tb[TCA_TCINDEX_HASH]) + cp->hash = nla_get_u32(tb[TCA_TCINDEX_HASH]); +@@ -460,8 +457,8 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base, + } + + if 
(tb[TCA_TCINDEX_CLASSID]) { +- cr.res.classid = nla_get_u32(tb[TCA_TCINDEX_CLASSID]); +- tcf_bind_filter(tp, &cr.res, base); ++ cr.classid = nla_get_u32(tb[TCA_TCINDEX_CLASSID]); ++ tcf_bind_filter(tp, &cr, base); + } + + if (old_r && old_r != r) { +@@ -473,7 +470,7 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base, + } + + oldp = p; +- r->res = cr.res; ++ r->res = cr; + tcf_exts_change(&r->exts, &e); + + rcu_assign_pointer(tp->root, cp); +@@ -492,6 +489,8 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base, + ; /* nothing */ + + rcu_assign_pointer(*fp, f); ++ } else { ++ tcf_exts_destroy(&new_filter_result.exts); + } + + if (oldp) +@@ -504,7 +503,6 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base, + else if (balloc == 2) + kfree(cp->h); + errout1: +- tcf_exts_destroy(&cr.exts); + tcf_exts_destroy(&new_filter_result.exts); + errout: + kfree(cp); +-- +2.20.1 + diff --git a/queue-4.14/netfilter-ctnetlink-don-t-use-conntrack-expect-objec.patch b/queue-4.14/netfilter-ctnetlink-don-t-use-conntrack-expect-objec.patch new file mode 100644 index 00000000000..22ed215c6cb --- /dev/null +++ b/queue-4.14/netfilter-ctnetlink-don-t-use-conntrack-expect-objec.patch 
@@ -0,0 +1,177 @@ +From 26bff9f60ad2f6931123176b455cb7a0d1196f1e Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 1 Apr 2019 13:08:54 +0200 +Subject: netfilter: ctnetlink: don't use conntrack/expect object addresses as + id + +[ Upstream commit 3c79107631db1f7fd32cf3f7368e4672004a3010 ] + +else, we leak the addresses to userspace via ctnetlink events +and dumps. + +Compute an ID on demand based on the immutable parts of nf_conn struct. + +Another advantage compared to using an address is that there is no +immediate re-use of the same ID in case the conntrack entry is freed and +reallocated again immediately. + +Fixes: 3583240249ef ("[NETFILTER]: nf_conntrack_expect: kill unique ID") +Fixes: 7f85f914721f ("[NETFILTER]: nf_conntrack: kill unique ID") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_conntrack.h | 2 ++ + net/netfilter/nf_conntrack_core.c | 35 ++++++++++++++++++++++++++++ + net/netfilter/nf_conntrack_netlink.c | 34 +++++++++++++++++++++++---- + 3 files changed, 66 insertions(+), 5 deletions(-) + +diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h +index 792c3f6d30ce8..93bbae8f96414 100644 +--- a/include/net/netfilter/nf_conntrack.h ++++ b/include/net/netfilter/nf_conntrack.h +@@ -315,6 +315,8 @@ struct nf_conn *nf_ct_tmpl_alloc(struct net *net, + gfp_t flags); + void nf_ct_tmpl_free(struct nf_conn *tmpl); + ++u32 nf_ct_get_id(const struct nf_conn *ct); ++ + static inline void + nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info info) + { +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index 06520bf30f294..fa49a627b6816 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -300,6 +301,40 @@ nf_ct_invert_tuple(struct nf_conntrack_tuple 
*inverse, + } + EXPORT_SYMBOL_GPL(nf_ct_invert_tuple); + ++/* Generate a almost-unique pseudo-id for a given conntrack. ++ * ++ * intentionally doesn't re-use any of the seeds used for hash ++ * table location, we assume id gets exposed to userspace. ++ * ++ * Following nf_conn items do not change throughout lifetime ++ * of the nf_conn after it has been committed to main hash table: ++ * ++ * 1. nf_conn address ++ * 2. nf_conn->ext address ++ * 3. nf_conn->master address (normally NULL) ++ * 4. tuple ++ * 5. the associated net namespace ++ */ ++u32 nf_ct_get_id(const struct nf_conn *ct) ++{ ++ static __read_mostly siphash_key_t ct_id_seed; ++ unsigned long a, b, c, d; ++ ++ net_get_random_once(&ct_id_seed, sizeof(ct_id_seed)); ++ ++ a = (unsigned long)ct; ++ b = (unsigned long)ct->master ^ net_hash_mix(nf_ct_net(ct)); ++ c = (unsigned long)ct->ext; ++ d = (unsigned long)siphash(&ct->tuplehash, sizeof(ct->tuplehash), ++ &ct_id_seed); ++#ifdef CONFIG_64BIT ++ return siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &ct_id_seed); ++#else ++ return siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &ct_id_seed); ++#endif ++} ++EXPORT_SYMBOL_GPL(nf_ct_get_id); ++ + static void + clean_from_lists(struct nf_conn *ct) + { +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 48dab1403b2c7..c781c9a1a697f 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -445,7 +446,9 @@ static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct) + + static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct) + { +- if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct))) ++ __be32 id = (__force __be32)nf_ct_get_id(ct); ++ ++ if (nla_put_be32(skb, CTA_ID, id)) + goto nla_put_failure; + return 0; + +@@ -1179,8 +1182,9 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl, + 
ct = nf_ct_tuplehash_to_ctrack(h); + + if (cda[CTA_ID]) { +- u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID])); +- if (id != (u32)(unsigned long)ct) { ++ __be32 id = nla_get_be32(cda[CTA_ID]); ++ ++ if (id != (__force __be32)nf_ct_get_id(ct)) { + nf_ct_put(ct); + return -ENOENT; + } +@@ -2521,6 +2525,25 @@ static int ctnetlink_exp_dump_mask(struct sk_buff *skb, + + static const union nf_inet_addr any_addr; + ++static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp) ++{ ++ static __read_mostly siphash_key_t exp_id_seed; ++ unsigned long a, b, c, d; ++ ++ net_get_random_once(&exp_id_seed, sizeof(exp_id_seed)); ++ ++ a = (unsigned long)exp; ++ b = (unsigned long)exp->helper; ++ c = (unsigned long)exp->master; ++ d = (unsigned long)siphash(&exp->tuple, sizeof(exp->tuple), &exp_id_seed); ++ ++#ifdef CONFIG_64BIT ++ return (__force __be32)siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &exp_id_seed); ++#else ++ return (__force __be32)siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &exp_id_seed); ++#endif ++} ++ + static int + ctnetlink_exp_dump_expect(struct sk_buff *skb, + const struct nf_conntrack_expect *exp) +@@ -2568,7 +2591,7 @@ ctnetlink_exp_dump_expect(struct sk_buff *skb, + } + #endif + if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) || +- nla_put_be32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp)) || ++ nla_put_be32(skb, CTA_EXPECT_ID, nf_expect_get_id(exp)) || + nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) || + nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class))) + goto nla_put_failure; +@@ -2873,7 +2896,8 @@ static int ctnetlink_get_expect(struct net *net, struct sock *ctnl, + + if (cda[CTA_EXPECT_ID]) { + __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); +- if (ntohl(id) != (u32)(unsigned long)exp) { ++ ++ if (id != nf_expect_get_id(exp)) { + nf_ct_expect_put(exp); + return -ENOENT; + } +-- +2.20.1 + 
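Review bot: nf_expect_get_id() in nf_conntrack_netlink.c has no comment stating which of its inputs are assumed to stay constant, unlike nf_ct_get_id(), which lists them. The ID is recomputed and compared in ctnetlink_get_expect() (`if (id != nf_expect_get_id(exp))`), so if exp->helper, exp->master or exp->tuple could change while the expectation is live, a lookup by the ID userspace saw earlier would return -ENOENT. Please document that invariant next to the function, as done for nf_conn. Two smaller points: the CTA_ID and CTA_EXPECT_ID values are now written with a `(__force __be32)` cast instead of htonl()/ntohl(), which is fine for an opaque token but deserves a short comment so nobody "fixes" the missing byte swap later, and the new comment reads "Generate a almost-unique", which should be "an almost-unique".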
diff --git a/queue-4.14/netfilter-nf_tables-warn-when-expr-implements-only-o.patch b/queue-4.14/netfilter-nf_tables-warn-when-expr-implements-only-o.patch new file mode 100644 index 00000000000..79c57545a97 --- /dev/null +++ b/queue-4.14/netfilter-nf_tables-warn-when-expr-implements-only-o.patch 
@@ -0,0 +1,75 @@ +From be9faa176158813b91924345f958263f739fa679 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 30 Aug 2018 10:42:55 +0200 +Subject: netfilter: nf_tables: warn when expr implements only one of + activate/deactivate + +[ Upstream commit 0ef235c71755c5f36c50282fcf2d7d08709be344 ] + +->destroy is only allowed to free data, or do other cleanups that do not +have side effects on other state, such as visibility to other netlink +requests. + +Such things need to be done in ->deactivate. +As a transaction can fail, we need to make sure we can undo such +operations, therefore ->activate() has to be provided too. + +So print a warning and refuse registration if expr->ops provides +only one of the two operations. + +v2: fix nft_expr_check_ops to not repeat same check twice (Jones Desougi) + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index c445d57e3a5bc..b149a72190846 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -220,6 +220,18 @@ static int nft_delchain(struct nft_ctx *ctx) + return err; + } + ++/* either expr ops provide both activate/deactivate, or neither */ ++static bool nft_expr_check_ops(const struct nft_expr_ops *ops) ++{ ++ if (!ops) ++ return true; ++ ++ if (WARN_ON_ONCE((!ops->activate ^ !ops->deactivate))) ++ return false; ++ ++ return true; ++} ++ + static void nft_rule_expr_activate(const struct nft_ctx *ctx, + struct nft_rule *rule) + { +@@ -1724,6 +1736,9 @@ static int nf_tables_delchain(struct net *net, struct sock *nlsk, + */ + int nft_register_expr(struct nft_expr_type *type) + { ++ if (!nft_expr_check_ops(type->ops)) ++ return -EINVAL; ++ + nfnl_lock(NFNL_SUBSYS_NFTABLES); + if (type->family == NFPROTO_UNSPEC) + list_add_tail_rcu(&type->list, &nf_tables_expressions); 
+@@ -1873,6 +1888,10 @@ static int nf_tables_expr_parse(const struct nft_ctx *ctx, + err = PTR_ERR(ops); + goto err1; + } ++ if (!nft_expr_check_ops(ops)) { ++ err = -EINVAL; ++ goto err1; ++ } + } else + ops = type->ops; + +-- +2.20.1 + diff --git a/queue-4.14/nfc-nci-add-some-bounds-checking-in-nci_hci_cmd_rece.patch b/queue-4.14/nfc-nci-add-some-bounds-checking-in-nci_hci_cmd_rece.patch new file mode 100644 index 00000000000..290bd23a5f7 --- /dev/null +++ b/queue-4.14/nfc-nci-add-some-bounds-checking-in-nci_hci_cmd_rece.patch 
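Review bot: in nft_expr_check_ops() (net/netfilter/nf_tables_api.c) the mismatch is reported only through WARN_ON_ONCE(), so the first offending expression produces a splat and every later one is refused with -EINVAL from nft_register_expr() or nf_tables_expr_parse() with nothing in the log to say why. A plain warning that identifies the expression, printed next to the WARN, would make a rejected expression diagnosable after the first hit. The helper returns true for a NULL ops pointer, so a type registered without type->ops passes nft_register_expr() unchecked and is only validated by the second call in nf_tables_expr_parse(); a one-line comment at the registration call saying so would help the next reader. The doubled parentheses around `!ops->activate ^ !ops->deactivate` can be dropped.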
@@ -0,0 +1,55 @@ +From 0291c0a9a6472b9c694422b01cd156095e99b465 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 3 Apr 2019 10:12:48 +0300 +Subject: NFC: nci: Add some bounds checking in nci_hci_cmd_received() + +[ Upstream commit d7ee81ad09f072eab1681877fc71ec05f9c1ae92 ] + +This is similar to commit 674d9de02aa7 ("NFC: Fix possible memory +corruption when handling SHDLC I-Frame commands"). + +I'm not totally sure, but I think that commit description may have +overstated the danger. I was under the impression that this data came +from the firmware? If you can't trust your networking firmware, then +you're already in trouble. + +Anyway, these days we add bounds checking where ever we can and we call +it kernel hardening. Better safe than sorry. + +Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/nfc/nci/hci.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c +index ddfc52ac1f9b4..c0d323b58e732 100644 +--- a/net/nfc/nci/hci.c ++++ b/net/nfc/nci/hci.c +@@ -312,6 +312,10 @@ static void nci_hci_cmd_received(struct nci_dev *ndev, u8 pipe, + create_info = (struct nci_hci_create_pipe_resp *)skb->data; + dest_gate = create_info->dest_gate; + new_pipe = create_info->pipe; ++ if (new_pipe >= NCI_HCI_MAX_PIPES) { ++ status = NCI_HCI_ANY_E_NOK; ++ goto exit; ++ } + + /* Save the new created pipe and bind with local gate, + * the description for skb->data[3] is destination gate id +@@ -336,6 +340,10 @@ static void nci_hci_cmd_received(struct nci_dev *ndev, u8 pipe, + goto exit; + } + delete_info = (struct nci_hci_delete_pipe_noti *)skb->data; ++ if (delete_info->pipe >= NCI_HCI_MAX_PIPES) { ++ status = NCI_HCI_ANY_E_NOK; ++ goto exit; ++ } + + ndev->hci_dev->pipes[delete_info->pipe].gate = + NCI_HCI_INVALID_GATE; +-- +2.20.1 + 
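Review bot: both new checks in nci_hci_cmd_received() (net/nfc/nci/hci.c) compare against NCI_HCI_MAX_PIPES, so what they accept depends on the companion change in this queue that moves the define in include/net/nfc/nci_core.h from 127 to 128. Against the old value, `new_pipe >= NCI_HCI_MAX_PIPES` and `delete_info->pipe >= NCI_HCI_MAX_PIPES` answer pipe 127 with NCI_HCI_ANY_E_NOK even though the comment next to the define says the identifier is 7 bits long. The two patches should be carried together in every tree that takes either one, and the commit message here would be clearer if it named that dependency.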
diff --git a/queue-4.14/nfc-nci-potential-off-by-one-in-pipes-array.patch b/queue-4.14/nfc-nci-potential-off-by-one-in-pipes-array.patch new file mode 100644 index 00000000000..ec453861bda --- /dev/null +++ b/queue-4.14/nfc-nci-potential-off-by-one-in-pipes-array.patch @@ -0,0 +1,42 @@ +From 75f663748d39e3d7e1e242b86a8ef4f525b25ac0 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 3 Apr 2019 10:13:51 +0300 +Subject: nfc: nci: Potential off by one in ->pipes[] array + +[ Upstream commit 6491d698396fd5da4941980a35ca7c162a672016 ] + +This is similar to commit e285d5bfb7e9 ("NFC: Fix the number of pipes") +where we changed NFC_HCI_MAX_PIPES from 127 to 128. + +As the comment next to the define explains, the pipe identifier is 7 +bits long. The highest possible pipe is 127, but the number of possible +pipes is 128. As the code is now, then there is potential for an +out of bounds array access: + + net/nfc/nci/hci.c:297 nci_hci_cmd_received() warn: array off by one? + 'ndev->hci_dev->pipes[pipe]' '0-127 == 127' + +Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/nfc/nci_core.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/nfc/nci_core.h b/include/net/nfc/nci_core.h +index 87499b6b35d6d..df5c69db68afc 100644 +--- a/include/net/nfc/nci_core.h ++++ b/include/net/nfc/nci_core.h +@@ -166,7 +166,7 @@ struct nci_conn_info { + * According to specification 102 622 chapter 4.4 Pipes, + * the pipe identifier is 7 bits long. + */ +-#define NCI_HCI_MAX_PIPES 127 ++#define NCI_HCI_MAX_PIPES 128 + + struct nci_hci_gate { + u8 gate; +-- +2.20.1 + diff --git a/queue-4.14/nl80211-add-nl80211_flag_clear_skb-flag-for-other-nl.patch b/queue-4.14/nl80211-add-nl80211_flag_clear_skb-flag-for-other-nl.patch new file mode 100644 index 00000000000..8517854d2da --- /dev/null 
+++ b/queue-4.14/nl80211-add-nl80211_flag_clear_skb-flag-for-other-nl.patch 
@@ -0,0 +1,88 @@ +From 3c831cdd82e4d587e49e11818b70a0508cf35104 Mon Sep 17 00:00:00 2001 +From: Sunil Dutt +Date: Mon, 25 Feb 2019 15:37:20 +0530 +Subject: nl80211: Add NL80211_FLAG_CLEAR_SKB flag for other NL commands + +[ Upstream commit d6db02a88a4aaa1cd7105137c67ddec7f3bdbc05 ] + +This commit adds NL80211_FLAG_CLEAR_SKB flag to other NL commands +that carry key data to ensure they do not stick around on heap +after the SKB is freed. + +Also introduced this flag for NL80211_CMD_VENDOR as there are sub +commands which configure the keys. + +Signed-off-by: Sunil Dutt +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 46e9812d13c02..c1a2ad050e617 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -12761,7 +12761,8 @@ static const struct genl_ops nl80211_ops[] = { + .policy = nl80211_policy, + .flags = GENL_UNS_ADMIN_PERM, + .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | +- NL80211_FLAG_NEED_RTNL, ++ NL80211_FLAG_NEED_RTNL | ++ NL80211_FLAG_CLEAR_SKB, + }, + { + .cmd = NL80211_CMD_DEAUTHENTICATE, +@@ -12812,7 +12813,8 @@ static const struct genl_ops nl80211_ops[] = { + .policy = nl80211_policy, + .flags = GENL_UNS_ADMIN_PERM, + .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | +- NL80211_FLAG_NEED_RTNL, ++ NL80211_FLAG_NEED_RTNL | ++ NL80211_FLAG_CLEAR_SKB, + }, + { + .cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS, +@@ -12820,7 +12822,8 @@ static const struct genl_ops nl80211_ops[] = { + .policy = nl80211_policy, + .flags = GENL_ADMIN_PERM, + .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | +- NL80211_FLAG_NEED_RTNL, ++ NL80211_FLAG_NEED_RTNL | ++ NL80211_FLAG_CLEAR_SKB, + }, + { + .cmd = NL80211_CMD_DISCONNECT, +@@ -12849,7 +12852,8 @@ static const struct genl_ops nl80211_ops[] = { + .policy = nl80211_policy, + .flags = GENL_UNS_ADMIN_PERM, + .internal_flags = 
NL80211_FLAG_NEED_NETDEV_UP | +- NL80211_FLAG_NEED_RTNL, ++ NL80211_FLAG_NEED_RTNL | ++ NL80211_FLAG_CLEAR_SKB, + }, + { + .cmd = NL80211_CMD_DEL_PMKSA, +@@ -13201,7 +13205,8 @@ static const struct genl_ops nl80211_ops[] = { + .policy = nl80211_policy, + .flags = GENL_UNS_ADMIN_PERM, + .internal_flags = NL80211_FLAG_NEED_WIPHY | +- NL80211_FLAG_NEED_RTNL, ++ NL80211_FLAG_NEED_RTNL | ++ NL80211_FLAG_CLEAR_SKB, + }, + { + .cmd = NL80211_CMD_SET_QOS_MAP, +@@ -13256,7 +13261,8 @@ static const struct genl_ops nl80211_ops[] = { + .doit = nl80211_set_pmk, + .policy = nl80211_policy, + .internal_flags = NL80211_FLAG_NEED_NETDEV_UP | +- NL80211_FLAG_NEED_RTNL, ++ NL80211_FLAG_NEED_RTNL | ++ NL80211_FLAG_CLEAR_SKB, + }, + { + .cmd = NL80211_CMD_DEL_PMK, +-- +2.20.1 + diff --git a/queue-4.14/powerpc-remove-old-gcc-version-checks.patch b/queue-4.14/powerpc-remove-old-gcc-version-checks.patch new file mode 100644 index 00000000000..282ac926762 --- /dev/null +++ b/queue-4.14/powerpc-remove-old-gcc-version-checks.patch 
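Review bot: in the net/wireless/nl80211.c hunks the entry being changed is mostly not identifiable from the diff, because the context shows the `.cmd` of the following entry (NL80211_CMD_DEAUTHENTICATE, NL80211_CMD_UPDATE_CONNECT_PARAMS, NL80211_CMD_DISCONNECT, NL80211_CMD_DEL_PMKSA, NL80211_CMD_SET_QOS_MAP) rather than the one that gains NL80211_FLAG_CLEAR_SKB; only the last hunk can be tied to nl80211_set_pmk through its `.doit` line. The commit message names NL80211_CMD_VENDOR and otherwise says "other NL commands that carry key data". Listing the affected commands there would let a reviewer confirm that every key-carrying command is covered. Since the flag is set by hand per table entry, a comment at the top of nl80211_ops[] stating that any command carrying key material must set it would reduce the chance of the next such command being added without it.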
@@ -0,0 +1,63 @@ +From f6c5f6d7aede1a6bf3e71005378266d1f6ab5bea Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Fri, 14 Sep 2018 15:08:52 +1000 +Subject: powerpc: remove old GCC version checks + +[ Upstream commit f2910f0e6835339e6ce82cef22fa15718b7e3bfa ] + +GCC 4.6 is the minimum supported now. + +Signed-off-by: Nicholas Piggin +Reviewed-by: Joel Stanley +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/Makefile | 31 ++----------------------------- + 1 file changed, 2 insertions(+), 29 deletions(-) + +diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile +index 7452e50f4d1f8..0f04c878113ef 100644 +--- a/arch/powerpc/Makefile ++++ b/arch/powerpc/Makefile +@@ -396,36 +396,9 @@ archprepare: checkbin + # to stdout and these checks are run even on install targets. + TOUT := .tmp_gas_check + +-# Check gcc and binutils versions: +-# - gcc-3.4 and binutils-2.14 are a fatal combination +-# - Require gcc 4.0 or above on 64-bit +-# - gcc-4.2.0 has issues compiling modules on 64-bit ++# Check toolchain versions: ++# - gcc-4.6 is the minimum kernel-wide version so nothing required. + checkbin: +- @if test "$(cc-name)" != "clang" \ +- && test "$(cc-version)" = "0304" ; then \ +- if ! /bin/echo mftb 5 | $(AS) -v -mppc -many -o $(TOUT) >/dev/null 2>&1 ; then \ +- echo -n '*** ${VERSION}.${PATCHLEVEL} kernels no longer build '; \ +- echo 'correctly with gcc-3.4 and your version of binutils.'; \ +- echo '*** Please upgrade your binutils or downgrade your gcc'; \ +- false; \ +- fi ; \ +- fi +- @if test "$(cc-name)" != "clang" \ +- && test "$(cc-version)" -lt "0400" \ +- && test "x${CONFIG_PPC64}" = "xy" ; then \ +- echo -n "Sorry, GCC v4.0 or above is required to build " ; \ +- echo "the 64-bit powerpc kernel." 
; \ +- false ; \ +- fi +- @if test "$(cc-name)" != "clang" \ +- && test "$(cc-fullversion)" = "040200" \ +- && test "x${CONFIG_MODULES}${CONFIG_PPC64}" = "xyy" ; then \ +- echo -n '*** GCC-4.2.0 cannot compile the 64-bit powerpc ' ; \ +- echo 'kernel with modules enabled.' ; \ +- echo -n '*** Please use a different GCC version or ' ; \ +- echo 'disable kernel modules' ; \ +- false ; \ +- fi + @if test "x${CONFIG_CPU_LITTLE_ENDIAN}" = "xy" \ + && $(LD) --version | head -1 | grep ' 2\.24$$' >/dev/null ; then \ + echo -n '*** binutils 2.24 miscompiles weak symbols ' ; \ +-- +2.20.1 + diff --git a/queue-4.14/rdma-vmw_pvrdma-return-the-correct-opcode-when-creat.patch b/queue-4.14/rdma-vmw_pvrdma-return-the-correct-opcode-when-creat.patch new file mode 100644 index 00000000000..347f2f9b40f --- /dev/null +++ b/queue-4.14/rdma-vmw_pvrdma-return-the-correct-opcode-when-creat.patch 
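Review bot: the removal of the three gcc checks from checkbin in arch/powerpc/Makefile rests on the new comment "gcc-4.6 is the minimum kernel-wide version", which the commit message states for upstream as of September 2018. This copy is queued for 4.14, so the backport should confirm that 4.14 enforces the same kernel-wide minimum before it is applied. If it does not, builds with gcc-3.4 plus an affected binutils, gcc older than 4.0 on 64-bit, or gcc-4.2.0 with modules on 64-bit lose their explicit error messages and fail later in a less obvious way. The patch is also a cleanup rather than a fix, which is worth stating in the queue entry if it is only being pulled in as a dependency.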
@@ -0,0 +1,103 @@ +From 6c967c4ffadd06cbd20a55d09bc1b39419dc1c96 Mon Sep 17 00:00:00 2001 +From: Adit Ranadive +Date: Wed, 9 Jan 2019 23:08:49 +0000 +Subject: RDMA/vmw_pvrdma: Return the correct opcode when creating WR + +[ Upstream commit 6325e01b6cdf4636b721cf7259c1616e3cf28ce2 ] + +Since the IB_WR_REG_MR opcode value changed, let's set the PVRDMA device +opcodes explicitly. + +Reported-by: Ruishuang Wang +Fixes: 9a59739bd01f ("IB/rxe: Revise the ib_wr_opcode enum") +Cc: stable@vger.kernel.org +Reviewed-by: Bryan Tan +Reviewed-by: Ruishuang Wang +Reviewed-by: Vishnu Dasa +Signed-off-by: Adit Ranadive +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/vmw_pvrdma/pvrdma.h | 35 +++++++++++++++++++- + drivers/infiniband/hw/vmw_pvrdma/pvrdma_qp.c | 6 ++++ + include/uapi/rdma/vmw_pvrdma-abi.h | 1 + + 3 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/vmw_pvrdma/pvrdma.h b/drivers/infiniband/hw/vmw_pvrdma/pvrdma.h +index 984aa3484928d..4463e1c1a764e 100644 +--- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma.h ++++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma.h +@@ -407,7 +407,40 @@ static inline enum ib_qp_state pvrdma_qp_state_to_ib(enum pvrdma_qp_state state) + + static inline enum pvrdma_wr_opcode ib_wr_opcode_to_pvrdma(enum ib_wr_opcode op) + { +- return (enum pvrdma_wr_opcode)op; ++ switch (op) { ++ case IB_WR_RDMA_WRITE: ++ return PVRDMA_WR_RDMA_WRITE; ++ case IB_WR_RDMA_WRITE_WITH_IMM: ++ return PVRDMA_WR_RDMA_WRITE_WITH_IMM; ++ case IB_WR_SEND: ++ return PVRDMA_WR_SEND; ++ case IB_WR_SEND_WITH_IMM: ++ return PVRDMA_WR_SEND_WITH_IMM; ++ case IB_WR_RDMA_READ: ++ return PVRDMA_WR_RDMA_READ; ++ case IB_WR_ATOMIC_CMP_AND_SWP: ++ return PVRDMA_WR_ATOMIC_CMP_AND_SWP; ++ case IB_WR_ATOMIC_FETCH_AND_ADD: ++ return PVRDMA_WR_ATOMIC_FETCH_AND_ADD; ++ case IB_WR_LSO: ++ return PVRDMA_WR_LSO; ++ case IB_WR_SEND_WITH_INV: ++ return PVRDMA_WR_SEND_WITH_INV; ++ case IB_WR_RDMA_READ_WITH_INV: ++ return 
PVRDMA_WR_RDMA_READ_WITH_INV; ++ case IB_WR_LOCAL_INV: ++ return PVRDMA_WR_LOCAL_INV; ++ case IB_WR_REG_MR: ++ return PVRDMA_WR_FAST_REG_MR; ++ case IB_WR_MASKED_ATOMIC_CMP_AND_SWP: ++ return PVRDMA_WR_MASKED_ATOMIC_CMP_AND_SWP; ++ case IB_WR_MASKED_ATOMIC_FETCH_AND_ADD: ++ return PVRDMA_WR_MASKED_ATOMIC_FETCH_AND_ADD; ++ case IB_WR_REG_SIG_MR: ++ return PVRDMA_WR_REG_SIG_MR; ++ default: ++ return PVRDMA_WR_ERROR; ++ } + } + + static inline enum ib_wc_status pvrdma_wc_status_to_ib( +diff --git a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_qp.c b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_qp.c +index d7162f2b7979a..4d9c99dd366b1 100644 +--- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_qp.c ++++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_qp.c +@@ -695,6 +695,12 @@ int pvrdma_post_send(struct ib_qp *ibqp, struct ib_send_wr *wr, + wr->opcode == IB_WR_RDMA_WRITE_WITH_IMM) + wqe_hdr->ex.imm_data = wr->ex.imm_data; + ++ if (unlikely(wqe_hdr->opcode == PVRDMA_WR_ERROR)) { ++ *bad_wr = wr; ++ ret = -EINVAL; ++ goto out; ++ } ++ + switch (qp->ibqp.qp_type) { + case IB_QPT_GSI: + case IB_QPT_UD: +diff --git a/include/uapi/rdma/vmw_pvrdma-abi.h b/include/uapi/rdma/vmw_pvrdma-abi.h +index 912ea1556a0b0..fd801c7be1204 100644 +--- a/include/uapi/rdma/vmw_pvrdma-abi.h ++++ b/include/uapi/rdma/vmw_pvrdma-abi.h +@@ -76,6 +76,7 @@ enum pvrdma_wr_opcode { + PVRDMA_WR_MASKED_ATOMIC_FETCH_AND_ADD, + PVRDMA_WR_BIND_MW, + PVRDMA_WR_REG_SIG_MR, ++ PVRDMA_WR_ERROR, + }; + + enum pvrdma_wc_status { +-- +2.20.1 + diff --git a/queue-4.14/s390-3270-fix-lockdep-false-positive-on-view-lock.patch b/queue-4.14/s390-3270-fix-lockdep-false-positive-on-view-lock.patch new file mode 100644 index 00000000000..7fcdd4a56ac --- /dev/null +++ b/queue-4.14/s390-3270-fix-lockdep-false-positive-on-view-lock.patch 
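Review bot: PVRDMA_WR_ERROR is appended to enum pvrdma_wr_opcode in include/uapi/rdma/vmw_pvrdma-abi.h, which makes a driver-internal sentinel part of the user-visible ABI. It is used only as the `default:` return of ib_wr_opcode_to_pvrdma() and in the new `wqe_hdr->opcode == PVRDMA_WR_ERROR` test in pvrdma_post_send(), so it should at least carry a comment saying it is never a valid opcode on the wire and must stay last. In pvrdma_post_send() the test sits after the `wqe_hdr->ex.imm_data = wr->ex.imm_data` assignment; checking the converted opcode before any field of the WQE header is filled in would make it obvious that a rejected request leaves nothing half-written. The switch has no case that returns PVRDMA_WR_BIND_MW although the enum context shows that value, which deserves a line in the commit message if it is intentional.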
@@ -0,0 +1,122 @@ +From 3fe1b6717ecd513bb472b9523c77c972bb313da5 Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Wed, 3 Apr 2019 09:13:34 +0200 +Subject: s390/3270: fix lockdep false positive on view->lock + +[ Upstream commit 5712f3301a12c0c3de9cc423484496b0464f2faf ] + +The spinlock in the raw3270_view structure is used by con3270, tty3270 +and fs3270 in different ways. For con3270 the lock can be acquired in +irq context, for tty3270 and fs3270 the highest context is bh. + +Lockdep sees the view->lock as a single class and if the 3270 driver +is used for the console the following message is generated: + +WARNING: inconsistent lock state +5.1.0-rc3-05157-g5c168033979d #12 Not tainted +-------------------------------- +inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. +swapper/0/1 [HC0[0]:SC1[1]:HE1:SE0] takes: +(____ptrval____) (&(&view->lock)->rlock){?.-.}, at: tty3270_update+0x7c/0x330 + +Introduce a lockdep subclass for the view lock to distinguish bh from +irq locks. + +Signed-off-by: Martin Schwidefsky + +Signed-off-by: Sasha Levin +--- + drivers/s390/char/con3270.c | 2 +- + drivers/s390/char/fs3270.c | 3 ++- + drivers/s390/char/raw3270.c | 3 ++- + drivers/s390/char/raw3270.h | 4 +++- + drivers/s390/char/tty3270.c | 3 ++- + 5 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/s390/char/con3270.c b/drivers/s390/char/con3270.c +index be3e3c1206c24..1868ff803f439 100644 +--- a/drivers/s390/char/con3270.c ++++ b/drivers/s390/char/con3270.c +@@ -629,7 +629,7 @@ con3270_init(void) + (void (*)(unsigned long)) con3270_read_tasklet, + (unsigned long) condev->read); + +- raw3270_add_view(&condev->view, &con3270_fn, 1); ++ raw3270_add_view(&condev->view, &con3270_fn, 1, RAW3270_VIEW_LOCK_IRQ); + + INIT_LIST_HEAD(&condev->freemem); + for (i = 0; i < CON3270_STRING_PAGES; i++) { +diff --git a/drivers/s390/char/fs3270.c b/drivers/s390/char/fs3270.c +index c4518168fd02c..4f73a38c7cbd2 100644 +--- a/drivers/s390/char/fs3270.c ++++ 
b/drivers/s390/char/fs3270.c +@@ -463,7 +463,8 @@ fs3270_open(struct inode *inode, struct file *filp) + + init_waitqueue_head(&fp->wait); + fp->fs_pid = get_pid(task_pid(current)); +- rc = raw3270_add_view(&fp->view, &fs3270_fn, minor); ++ rc = raw3270_add_view(&fp->view, &fs3270_fn, minor, ++ RAW3270_VIEW_LOCK_BH); + if (rc) { + fs3270_free_view(&fp->view); + goto out; +diff --git a/drivers/s390/char/raw3270.c b/drivers/s390/char/raw3270.c +index 5d4f053d7c38c..0f47fec35acc0 100644 +--- a/drivers/s390/char/raw3270.c ++++ b/drivers/s390/char/raw3270.c +@@ -919,7 +919,7 @@ raw3270_deactivate_view(struct raw3270_view *view) + * Add view to device with minor "minor". + */ + int +-raw3270_add_view(struct raw3270_view *view, struct raw3270_fn *fn, int minor) ++raw3270_add_view(struct raw3270_view *view, struct raw3270_fn *fn, int minor, int subclass) + { + unsigned long flags; + struct raw3270 *rp; +@@ -941,6 +941,7 @@ raw3270_add_view(struct raw3270_view *view, struct raw3270_fn *fn, int minor) + view->cols = rp->cols; + view->ascebc = rp->ascebc; + spin_lock_init(&view->lock); ++ lockdep_set_subclass(&view->lock, subclass); + list_add(&view->list, &rp->view_list); + rc = 0; + spin_unlock_irqrestore(get_ccwdev_lock(rp->cdev), flags); +diff --git a/drivers/s390/char/raw3270.h b/drivers/s390/char/raw3270.h +index 114ca7cbf8897..3afaa35f73513 100644 +--- a/drivers/s390/char/raw3270.h ++++ b/drivers/s390/char/raw3270.h +@@ -150,6 +150,8 @@ struct raw3270_fn { + struct raw3270_view { + struct list_head list; + spinlock_t lock; ++#define RAW3270_VIEW_LOCK_IRQ 0 ++#define RAW3270_VIEW_LOCK_BH 1 + atomic_t ref_count; + struct raw3270 *dev; + struct raw3270_fn *fn; +@@ -158,7 +160,7 @@ struct raw3270_view { + unsigned char *ascebc; /* ascii -> ebcdic table */ + }; + +-int raw3270_add_view(struct raw3270_view *, struct raw3270_fn *, int); ++int raw3270_add_view(struct raw3270_view *, struct raw3270_fn *, int, int); + int raw3270_activate_view(struct raw3270_view *); + void 
raw3270_del_view(struct raw3270_view *); + void raw3270_deactivate_view(struct raw3270_view *); +diff --git a/drivers/s390/char/tty3270.c b/drivers/s390/char/tty3270.c +index e5ebe2fbee235..401688bf8fd37 100644 +--- a/drivers/s390/char/tty3270.c ++++ b/drivers/s390/char/tty3270.c +@@ -978,7 +978,8 @@ static int tty3270_install(struct tty_driver *driver, struct tty_struct *tty) + return PTR_ERR(tp); + + rc = raw3270_add_view(&tp->view, &tty3270_fn, +- tty->index + RAW3270_FIRSTMINOR); ++ tty->index + RAW3270_FIRSTMINOR, ++ RAW3270_VIEW_LOCK_BH); + if (rc) { + tty3270_free_view(tp); + return rc; +-- +2.20.1 + diff --git a/queue-4.14/s390-ctcm-fix-ctcm_new_device-error-return-code.patch b/queue-4.14/s390-ctcm-fix-ctcm_new_device-error-return-code.patch new file mode 100644 index 00000000000..1140acd1e34 --- /dev/null +++ b/queue-4.14/s390-ctcm-fix-ctcm_new_device-error-return-code.patch 
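Review bot: in drivers/s390/char/raw3270.h the two new defines, RAW3270_VIEW_LOCK_IRQ and RAW3270_VIEW_LOCK_BH, are placed inside struct raw3270_view between `lock` and `ref_count` with no comment, and the prototype gains a fourth unnamed `int`. A short comment stating that these are lockdep subclasses for view->lock, and which callers take the lock from irq context and which from bh, would keep the next caller from picking a value by guesswork; naming the parameter `subclass` in the prototype as it is in raw3270.c would help as well. raw3270_add_view() passes the value straight to lockdep_set_subclass() without checking it, which is fine for the three in-tree callers shown but is worth a note in the function comment, which still reads only 'Add view to device with minor "minor"'.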
@@ -0,0 +1,53 @@ +From a9e4932478ff9587c71564400ecf138f3eac6426 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 17 Apr 2019 18:29:13 +0200 +Subject: s390: ctcm: fix ctcm_new_device error return code + +[ Upstream commit 27b141fc234a3670d21bd742c35d7205d03cbb3a ] + +clang points out that the return code from this function is +undefined for one of the error paths: + +../drivers/s390/net/ctcm_main.c:1595:7: warning: variable 'result' is used uninitialized whenever 'if' condition is true + [-Wsometimes-uninitialized] + if (priv->channel[direction] == NULL) { + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +../drivers/s390/net/ctcm_main.c:1638:9: note: uninitialized use occurs here + return result; + ^~~~~~ +../drivers/s390/net/ctcm_main.c:1595:3: note: remove the 'if' if its condition is always false + if (priv->channel[direction] == NULL) { + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +../drivers/s390/net/ctcm_main.c:1539:12: note: initialize the variable 'result' to silence this warning + int result; + ^ + +Make it return -ENODEV here, as in the related failure cases. +gcc has a known bug in underreporting some of these warnings +when it has already eliminated the assignment of the return code +based on some earlier optimization step. + +Reviewed-by: Nathan Chancellor +Signed-off-by: Arnd Bergmann +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/ctcm_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c +index 26363e0816fe4..fbe35c2ac8981 100644 +--- a/drivers/s390/net/ctcm_main.c ++++ b/drivers/s390/net/ctcm_main.c +@@ -1594,6 +1594,7 @@ static int ctcm_new_device(struct ccwgroup_device *cgdev) + if (priv->channel[direction] == NULL) { + if (direction == CTCM_WRITE) + channel_free(priv->channel[CTCM_READ]); ++ result = -ENODEV; + goto out_dev; + } + priv->channel[direction]->netdev = dev; +-- +2.20.1 + 
diff --git a/queue-4.14/s390-dasd-fix-capacity-calculation-for-large-volumes.patch b/queue-4.14/s390-dasd-fix-capacity-calculation-for-large-volumes.patch new file mode 100644 index 00000000000..ade37061045 --- /dev/null +++ b/queue-4.14/s390-dasd-fix-capacity-calculation-for-large-volumes.patch 
@@ -0,0 +1,59 @@ +From 3291e2847997763e2514a5964671f1730400ab9c Mon Sep 17 00:00:00 2001 +From: Peter Oberparleiter +Date: Fri, 22 Mar 2019 16:01:17 +0100 +Subject: s390/dasd: Fix capacity calculation for large volumes + +[ Upstream commit 2cc9637ce825f3a9f51f8f78af7474e9e85bfa5f ] + +The DASD driver incorrectly limits the maximum number of blocks of ECKD +DASD volumes to 32 bit numbers. Volumes with a capacity greater than +2^32-1 blocks are incorrectly recognized as smaller volumes. + +This results in the following volume capacity limits depending on the +formatted block size: + + BLKSIZE MAX_GB MAX_CYL + 512 2047 5843492 + 1024 4095 8676701 + 2048 8191 13634816 + 4096 16383 23860929 + +The same problem occurs when a volume with more than 17895697 cylinders +is accessed in raw-track-access mode. + +Fix this problem by adding an explicit type cast when calculating the +maximum number of blocks. + +Signed-off-by: Peter Oberparleiter +Reviewed-by: Stefan Haberland +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +--- + drivers/s390/block/dasd_eckd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c +index 0a1e7f9b5239d..0d5e2d92e05bc 100644 +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -2001,14 +2001,14 @@ static int dasd_eckd_end_analysis(struct dasd_block *block) + blk_per_trk = recs_per_track(&private->rdc_data, 0, block->bp_block); + + raw: +- block->blocks = (private->real_cyl * ++ block->blocks = ((unsigned long) private->real_cyl * + private->rdc_data.trk_per_cyl * + blk_per_trk); + + dev_info(&device->cdev->dev, +- "DASD with %d KB/block, %d KB total size, %d KB/track, " ++ "DASD with %u KB/block, %lu KB total size, %u KB/track, " + "%s\n", (block->bp_block >> 10), +- ((private->real_cyl * ++ (((unsigned long) private->real_cyl * + private->rdc_data.trk_per_cyl * + blk_per_trk * (block->bp_block >> 9)) >> 1), + 
((blk_per_trk * block->bp_block) >> 10), +-- +2.20.1 + diff --git a/queue-4.14/s390-pkey-add-one-more-argument-space-for-debug-feat.patch b/queue-4.14/s390-pkey-add-one-more-argument-space-for-debug-feat.patch new file mode 100644 index 00000000000..ff00df76d1a --- /dev/null +++ b/queue-4.14/s390-pkey-add-one-more-argument-space-for-debug-feat.patch @@ -0,0 +1,43 @@ +From 776e5b9ac8418670ef1d669bae7ca9f290a5c1ba Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger +Date: Fri, 12 Apr 2019 11:04:50 +0200 +Subject: s390/pkey: add one more argument space for debug feature entry + +[ Upstream commit 6b1f16ba730d4c0cda1247568c3a1bf4fa3a2f2f ] + +The debug feature entries have been used with up to 5 arguents +(including the pointer to the format string) but there was only +space reserved for 4 arguemnts. So now the registration does +reserve space for 5 times a long value. + +This fixes a sometime appearing weired value as the last +value of an debug feature entry like this: + +... pkey_sec2protkey zcrypt_send_cprb (cardnr=10 domain=12) + failed with errno -2143346254 + +Signed-off-by: Harald Freudenberger +Reported-by: Christian Rund +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +--- + drivers/s390/crypto/pkey_api.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c +index f61fa47135a6c..bd0376dc7e1e3 100644 +--- a/drivers/s390/crypto/pkey_api.c ++++ b/drivers/s390/crypto/pkey_api.c +@@ -49,7 +49,8 @@ static debug_info_t *debug_info; + + static void __init pkey_debug_init(void) + { +- debug_info = debug_register("pkey", 1, 1, 4 * sizeof(long)); ++ /* 5 arguments per dbf entry (including the format string ptr) */ ++ debug_info = debug_register("pkey", 1, 1, 5 * sizeof(long)); + debug_register_view(debug_info, &debug_sprintf_view); + debug_set_level(debug_info, 3); + } +-- +2.20.1 + 
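Review bot: in pkey_debug_init() (drivers/s390/crypto/pkey_api.c) the literal 5 in `debug_register("pkey", 1, 1, 5 * sizeof(long))` has to match the largest argument count used by any debug entry in the file, and nothing ties the two together. The commit message describes the resulting failure as a stray last value in the entry, so a later call with one more argument would bring the same symptom back without any build-time signal. A named constant for the maximum argument count, defined next to the debug macros that use it, would keep the buffer size and the call sites in one place; the added comment is a good start but lives only at the registration call.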
diff --git a/queue-4.14/scsi-raid_attrs-fix-unused-variable-warning.patch b/queue-4.14/scsi-raid_attrs-fix-unused-variable-warning.patch new file mode 100644 index 00000000000..935f3c369c4 --- /dev/null +++ b/queue-4.14/scsi-raid_attrs-fix-unused-variable-warning.patch 
@@ -0,0 +1,49 @@ +From 7c5e1faa7443e15c4b71c5826a691c2f81c41a38 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 14 Dec 2018 23:10:07 +0100 +Subject: scsi: raid_attrs: fix unused variable warning + +[ Upstream commit 0eeec01488da9b1403c8c29e73eacac8af9e4bf2 ] + +I ran into a new warning on randconfig kernels: + +drivers/scsi/raid_class.c: In function 'raid_match': +drivers/scsi/raid_class.c:64:24: error: unused variable 'i' [-Werror=unused-variable] + +This looks like a very old problem that for some reason was very hard to +run into, but it is very easy to fix, by replacing the incorrect #ifdef +with a simpler IS_ENABLED() check. + +Fixes: fac829fdcaf4 ("[SCSI] raid_attrs: fix dependency problems") +Signed-off-by: Arnd Bergmann +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/raid_class.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/scsi/raid_class.c b/drivers/scsi/raid_class.c +index 2c146b44d95fc..cddd78893b46c 100644 +--- a/drivers/scsi/raid_class.c ++++ b/drivers/scsi/raid_class.c +@@ -63,8 +63,7 @@ static int raid_match(struct attribute_container *cont, struct device *dev) + * emulated RAID devices, so start with SCSI */ + struct raid_internal *i = ac_to_raid_internal(cont); + +-#if defined(CONFIG_SCSI) || defined(CONFIG_SCSI_MODULE) +- if (scsi_is_sdev_device(dev)) { ++ if (IS_ENABLED(CONFIG_SCSI) && scsi_is_sdev_device(dev)) { + struct scsi_device *sdev = to_scsi_device(dev); + + if (i->f->cookie != sdev->host->hostt) +@@ -72,7 +71,6 @@ static int raid_match(struct attribute_container *cont, struct device *dev) + + return i->f->is_raid(dev); + } +-#endif + /* FIXME: look at other subsystems too */ + return 0; + } +-- +2.20.1 + diff --git a/queue-4.14/selftests-net-correct-the-return-value-for-run_netso.patch b/queue-4.14/selftests-net-correct-the-return-value-for-run_netso.patch new file mode 100644 index 00000000000..969235ed176 --- /dev/null 
+++ b/queue-4.14/selftests-net-correct-the-return-value-for-run_netso.patch @@ -0,0 +1,44 @@ +From 39e06decdb3dbc141919442cfff6c838d24e3b79 Mon Sep 17 00:00:00 2001 +From: Po-Hsu Lin +Date: Thu, 18 Apr 2019 19:57:25 +0800 +Subject: selftests/net: correct the return value for run_netsocktests + +[ Upstream commit 30c04d796b693e22405c38e9b78e9a364e4c77e6 ] + +The run_netsocktests will be marked as passed regardless the actual test +result from the ./socket: + + selftests: net: run_netsocktests + ======================================== + -------------------- + running socket test + -------------------- + [FAIL] + ok 1..6 selftests: net: run_netsocktests [PASS] + +This is because the test script itself has been successfully executed. +Fix this by exit 1 when the test failed. + +Signed-off-by: Po-Hsu Lin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/run_netsocktests | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/run_netsocktests b/tools/testing/selftests/net/run_netsocktests +index b093f39c298c3..14e41faf2c574 100755 +--- a/tools/testing/selftests/net/run_netsocktests ++++ b/tools/testing/selftests/net/run_netsocktests +@@ -7,7 +7,7 @@ echo "--------------------" + ./socket + if [ $? -ne 0 ]; then + echo "[FAIL]" ++ exit 1 + else + echo "[PASS]" + fi +- +-- +2.20.1 + diff --git a/queue-4.14/selftests-netfilter-check-icmp-pkttoobig-errors-are-.patch b/queue-4.14/selftests-netfilter-check-icmp-pkttoobig-errors-are-.patch new file mode 100644 index 00000000000..2a48428ea1a --- /dev/null +++ b/queue-4.14/selftests-netfilter-check-icmp-pkttoobig-errors-are-.patch 
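Review bot: the added `exit 1` in tools/testing/selftests/net/run_netsocktests replaces whatever status ./socket returned with a fixed value. Saving the status immediately after the `./socket` line and exiting with that value would preserve the distinction between a failure and any other non-zero code the test binary may return; it has to be saved before `echo "[FAIL]"`, because `$?` then refers to the echo. The hunk also deletes the trailing blank line at the end of the file, which is unrelated to the fix and could be left out of a stable backport.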
@@ -0,0 +1,333 @@ +From da59f0ff588af8998eed9c9b2869354fc3b54e4b Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 25 Mar 2019 23:11:53 +0100 +Subject: selftests: netfilter: check icmp pkttoobig errors are set as related + +[ Upstream commit becf2319f320cae43e20cf179cc51a355a0deb5f ] + +When an icmp error such as pkttoobig is received, conntrack checks +if the "inner" header (header of packet that did not fit link mtu) +is matches an existing connection, and, if so, sets that packet as +being related to the conntrack entry it found. + +It was recently reported that this "related" setting also works +if the inner header is from another, different connection (i.e., +artificial/forged icmp error). + +Add a test, followup patch will add additional "inner dst matches +outer dst in reverse direction" check before setting related state. + +Link: https://www.synacktiv.com/posts/systems/icmp-reachable.html +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/netfilter/Makefile | 2 +- + .../netfilter/conntrack_icmp_related.sh | 283 ++++++++++++++++++ + 2 files changed, 284 insertions(+), 1 deletion(-) + create mode 100755 tools/testing/selftests/netfilter/conntrack_icmp_related.sh + +diff --git a/tools/testing/selftests/netfilter/Makefile b/tools/testing/selftests/netfilter/Makefile +index c9ff2b47bd1ca..a37cb1192c6a6 100644 +--- a/tools/testing/selftests/netfilter/Makefile ++++ b/tools/testing/selftests/netfilter/Makefile +@@ -1,6 +1,6 @@ + # SPDX-License-Identifier: GPL-2.0 + # Makefile for netfilter selftests + +-TEST_PROGS := nft_trans_stress.sh nft_nat.sh ++TEST_PROGS := nft_trans_stress.sh nft_nat.sh conntrack_icmp_related.sh + + include ../lib.mk +diff --git a/tools/testing/selftests/netfilter/conntrack_icmp_related.sh b/tools/testing/selftests/netfilter/conntrack_icmp_related.sh +new file mode 100755 +index 0000000000000..b48e1833bc896 +--- /dev/null ++++ 
b/tools/testing/selftests/netfilter/conntrack_icmp_related.sh +@@ -0,0 +1,283 @@ ++#!/bin/bash ++# ++# check that ICMP df-needed/pkttoobig icmp are set are set as related ++# state ++# ++# Setup is: ++# ++# nsclient1 -> nsrouter1 -> nsrouter2 -> nsclient2 ++# MTU 1500, except for nsrouter2 <-> nsclient2 link (1280). ++# ping nsclient2 from nsclient1, checking that conntrack did set RELATED ++# 'fragmentation needed' icmp packet. ++# ++# In addition, nsrouter1 will perform IP masquerading, i.e. also ++# check the icmp errors are propagated to the correct host as per ++# nat of "established" icmp-echo "connection". ++ ++# Kselftest framework requirement - SKIP code is 4. ++ksft_skip=4 ++ret=0 ++ ++nft --version > /dev/null 2>&1 ++if [ $? -ne 0 ];then ++ echo "SKIP: Could not run test without nft tool" ++ exit $ksft_skip ++fi ++ ++ip -Version > /dev/null 2>&1 ++if [ $? -ne 0 ];then ++ echo "SKIP: Could not run test without ip tool" ++ exit $ksft_skip ++fi ++ ++cleanup() { ++ for i in 1 2;do ip netns del nsclient$i;done ++ for i in 1 2;do ip netns del nsrouter$i;done ++} ++ ++ipv4() { ++ echo -n 192.168.$1.2 ++} ++ ++ipv6 () { ++ echo -n dead:$1::2 ++} ++ ++check_counter() ++{ ++ ns=$1 ++ name=$2 ++ expect=$3 ++ local lret=0 ++ ++ cnt=$(ip netns exec $ns nft list counter inet filter "$name" | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ echo "ERROR: counter $name in $ns has unexpected value (expected $expect)" 1>&2 ++ ip netns exec $ns nft list counter inet filter "$name" 1>&2 ++ lret=1 ++ fi ++ ++ return $lret ++} ++ ++check_unknown() ++{ ++ expect="packets 0 bytes 0" ++ for n in nsclient1 nsclient2 nsrouter1 nsrouter2; do ++ check_counter $n "unknown" "$expect" ++ if [ $? 
-ne 0 ] ;then ++ return 1 ++ fi ++ done ++ ++ return 0 ++} ++ ++for n in nsclient1 nsclient2 nsrouter1 nsrouter2; do ++ ip netns add $n ++ ip -net $n link set lo up ++done ++ ++DEV=veth0 ++ip link add $DEV netns nsclient1 type veth peer name eth1 netns nsrouter1 ++DEV=veth0 ++ip link add $DEV netns nsclient2 type veth peer name eth1 netns nsrouter2 ++ ++DEV=veth0 ++ip link add $DEV netns nsrouter1 type veth peer name eth2 netns nsrouter2 ++ ++DEV=veth0 ++for i in 1 2; do ++ ip -net nsclient$i link set $DEV up ++ ip -net nsclient$i addr add $(ipv4 $i)/24 dev $DEV ++ ip -net nsclient$i addr add $(ipv6 $i)/64 dev $DEV ++done ++ ++ip -net nsrouter1 link set eth1 up ++ip -net nsrouter1 link set veth0 up ++ ++ip -net nsrouter2 link set eth1 up ++ip -net nsrouter2 link set eth2 up ++ ++ip -net nsclient1 route add default via 192.168.1.1 ++ip -net nsclient1 -6 route add default via dead:1::1 ++ ++ip -net nsclient2 route add default via 192.168.2.1 ++ip -net nsclient2 route add default via dead:2::1 ++ ++i=3 ++ip -net nsrouter1 addr add 192.168.1.1/24 dev eth1 ++ip -net nsrouter1 addr add 192.168.3.1/24 dev veth0 ++ip -net nsrouter1 addr add dead:1::1/64 dev eth1 ++ip -net nsrouter1 addr add dead:3::1/64 dev veth0 ++ip -net nsrouter1 route add default via 192.168.3.10 ++ip -net nsrouter1 -6 route add default via dead:3::10 ++ ++ip -net nsrouter2 addr add 192.168.2.1/24 dev eth1 ++ip -net nsrouter2 addr add 192.168.3.10/24 dev eth2 ++ip -net nsrouter2 addr add dead:2::1/64 dev eth1 ++ip -net nsrouter2 addr add dead:3::10/64 dev eth2 ++ip -net nsrouter2 route add default via 192.168.3.1 ++ip -net nsrouter2 route add default via dead:3::1 ++ ++sleep 2 ++for i in 4 6; do ++ ip netns exec nsrouter1 sysctl -q net.ipv$i.conf.all.forwarding=1 ++ ip netns exec nsrouter2 sysctl -q net.ipv$i.conf.all.forwarding=1 ++done ++ ++for netns in nsrouter1 nsrouter2; do ++ip netns exec $netns nft -f - </dev/null ++if [ $? 
-ne 0 ]; then ++ echo "ERROR: netns ip routing/connectivity broken" 1>&2 ++ cleanup ++ exit 1 ++fi ++ip netns exec nsclient1 ping6 -q -c 1 -s 1000 dead:2::2 >/dev/null ++if [ $? -ne 0 ]; then ++ echo "ERROR: netns ipv6 routing/connectivity broken" 1>&2 ++ cleanup ++ exit 1 ++fi ++ ++check_unknown ++if [ $? -ne 0 ]; then ++ ret=1 ++fi ++ ++expect="packets 0 bytes 0" ++for netns in nsrouter1 nsrouter2 nsclient1;do ++ check_counter "$netns" "related" "$expect" ++ if [ $? -ne 0 ]; then ++ ret=1 ++ fi ++done ++ ++expect="packets 2 bytes 2076" ++check_counter nsclient2 "new" "$expect" ++if [ $? -ne 0 ]; then ++ ret=1 ++fi ++ ++ip netns exec nsclient1 ping -q -c 1 -s 1300 -M do 192.168.2.2 > /dev/null ++if [ $? -eq 0 ]; then ++ echo "ERROR: ping should have failed with PMTU too big error" 1>&2 ++ ret=1 ++fi ++ ++# nsrouter2 should have generated the icmp error, so ++# related counter should be 0 (its in forward). ++expect="packets 0 bytes 0" ++check_counter "nsrouter2" "related" "$expect" ++if [ $? -ne 0 ]; then ++ ret=1 ++fi ++ ++# but nsrouter1 should have seen it, same for nsclient1. ++expect="packets 1 bytes 576" ++for netns in nsrouter1 nsclient1;do ++ check_counter "$netns" "related" "$expect" ++ if [ $? -ne 0 ]; then ++ ret=1 ++ fi ++done ++ ++ip netns exec nsclient1 ping6 -c 1 -s 1300 dead:2::2 > /dev/null ++if [ $? -eq 0 ]; then ++ echo "ERROR: ping6 should have failed with PMTU too big error" 1>&2 ++ ret=1 ++fi ++ ++expect="packets 2 bytes 1856" ++for netns in nsrouter1 nsclient1;do ++ check_counter "$netns" "related" "$expect" ++ if [ $? -ne 0 ]; then ++ ret=1 ++ fi ++done ++ ++if [ $ret -eq 0 ];then ++ echo "PASS: icmp mtu error had RELATED state" ++else ++ echo "ERROR: icmp error RELATED state test has failed" ++fi ++ ++cleanup ++exit $ret +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series index b438f6cc335..d5affec93b2 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
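Review bot: in conntrack_icmp_related.sh, check_counter() assigns `cnt=$(... | grep -q "$expect")`, but grep -q prints nothing, so cnt is always empty and is never read; the function only works because the assignment passes grep's exit status through to `$?`. Run the pipeline directly and test its status, and declare ns, name and expect as local, as is already done for lret. Separately, the commit message describes the reported problem as an error whose inner header belongs to a different connection still being marked related, while the checks visible here only cover genuine PMTU errors (the related counter increments, the unknown counter stays at 0). A negative case that expects such an error not to hit the related counter would let this selftest guard the follow-up fix.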
@@ -4,3 +4,90 @@ platform-x86-thinkpad_acpi-disable-bluetooth-for-some-machines.patch hwmon-pwm-fan-disable-pwm-if-fetching-cooling-data-fails.patch kernfs-fix-barrier-usage-in-__kernfs_new_node.patch usb-serial-fix-unthrottle-races.patch +iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch +libnvdimm-namespace-fix-a-potential-null-pointer-der.patch +hid-input-add-mapping-for-expose-overview-key.patch +hid-input-add-mapping-for-keyboard-brightness-up-dow.patch +hid-input-add-mapping-for-toggle-display-key.patch +libnvdimm-btt-fix-a-kmemdup-failure-check.patch +s390-dasd-fix-capacity-calculation-for-large-volumes.patch +mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch +mac80211-increase-max_msg_len.patch +mac80211-fix-memory-accounting-with-a-msdu-aggregati.patch +nl80211-add-nl80211_flag_clear_skb-flag-for-other-nl.patch +s390-3270-fix-lockdep-false-positive-on-view-lock.patch +clocksource-drivers-oxnas-fix-ox820-compatible.patch +misdn-check-address-length-before-reading-address-fa.patch +s390-pkey-add-one-more-argument-space-for-debug-feat.patch +x86-reboot-efi-use-efi-reboot-for-acer-travelmate-x5.patch +kvm-fix-spectrev1-gadgets.patch +kvm-x86-avoid-misreporting-level-triggered-irqs-as-e.patch +tools-lib-traceevent-fix-missing-equality-check-for-.patch +mm-fix-inactive-list-balancing-between-numa-nodes-an.patch +init-initialize-jump-labels-before-command-line-opti.patch +selftests-netfilter-check-icmp-pkttoobig-errors-are-.patch +ipvs-do-not-schedule-icmp-errors-from-tunnels.patch +netfilter-ctnetlink-don-t-use-conntrack-expect-objec.patch +mips-perf-ath79-fix-perfcount-irq-assignment.patch +s390-ctcm-fix-ctcm_new_device-error-return-code.patch +drm-sun4i-set-device-driver-data-at-bind-time-for-us.patch +selftests-net-correct-the-return-value-for-run_netso.patch +gpu-ipu-v3-dp-fix-csc-handling.patch +drm-imx-don-t-skip-dp-channel-disable-for-background.patch +spi-micrel-eth-switch-declare-missing-of-table.patch 
+spi-st-st95hf-nfc-declare-missing-of-table.patch +input-synaptics-rmi4-fix-possible-double-free.patch +sparc64-export-__node_distance.patch +sparc64-make-corrupted-user-stacks-more-debuggable.patch +mips-vdso-reduce-vdso_randomize_size-to-64mb-for-64b.patch +bcache-correct-dirty-data-statistics.patch +acpica-aml-interpreter-add-region-addresses-in-globa.patch +ib-rxe-revise-the-ib_wr_opcode-enum.patch +ima-open-a-new-file-instance-if-no-read-permissions.patch +kvm-arm-arm64-ensure-only-thp-is-candidate-for-adjus.patch +media-cec-make-cec_get_edid_spa_location-an-inline-f.patch +media-cec-integrate-cec_validate_phys_addr-in-cec-ap.patch +media-adv7604-when-the-edid-is-cleared-unconfigure-c.patch +media-adv7842-when-the-edid-is-cleared-unconfigure-c.patch +fuse-fix-possibly-missed-wake-up-after-abort.patch +i2c-omap-enable-for-arch_k3.patch +drm-i915-disable-lp3-watermarks-on-all-snb-machines.patch +media-ov5640-fix-wrong-binning-value-in-exposure-cal.patch +media-ov5640-fix-auto-controls-values-when-switching.patch +net-don-t-keep-lonely-packets-forever-in-the-gro-has.patch +tracing-fgraph-fix-set_graph_function-from-showing-i.patch +drm-i915-downgrade-gen9-plane-wm-latency-error.patch +scsi-raid_attrs-fix-unused-variable-warning.patch +staging-olpc_dcon-add-a-missing-dependency.patch +net-stmmac-move-debugfs-init-exit-to-probe-remove.patch +btrfs-fix-missing-delayed-iputs-on-unmount.patch +x86-vdso-pass-eh-frame-hdr-to-the-linker.patch +mm-introduce-mm_-p4d-pud-pmd-_folded.patch +arm64-kvm-make-vhe-stage-2-tlb-invalidation-operatio.patch +crypto-testmgr-add-aes-cfb-tests.patch +powerpc-remove-old-gcc-version-checks.patch +leds-pwm-silently-error-out-on-eprobe_defer.patch +drm-rockchip-psr-do-not-dereference-encoder-before-i.patch +rdma-vmw_pvrdma-return-the-correct-opcode-when-creat.patch +arm64-dts-marvell-armada-ap806-reserve-psci-area.patch +vt-always-call-notifier-with-the-console-lock-held.patch +devres-align-data-to-arch_kmalloc_minalign.patch 
+xtensa-xtfpga.dtsi-fix-dtc-warnings-about-spi.patch +net_sched-fix-two-more-memory-leaks-in-cls_tcindex.patch +gtp-change-net_udp_tunnel-dependency-to-select.patch +acpica-namespace-remove-address-node-from-global-lis.patch +input-elan_i2c-add-hardware-id-for-multiple-lenovo-l.patch +netfilter-nf_tables-warn-when-expr-implements-only-o.patch +drm-rockchip-fix-for-mailbox-read-validation.patch +cifs-fix-memory-leak-in-smb2_read.patch +x86-fpu-don-t-export-__kernel_fpu_-begin-end.patch +net-hns-fix-warning-when-hns-modules-installed.patch +mm-memory.c-fix-modifying-of-page-protection-by-inse.patch +net-fec-manage-ahb-clock-in-runtime-pm.patch +mlxsw-spectrum_switchdev-add-mdb-entries-in-prepare-.patch +mlxsw-core-do-not-use-wq_mem_reclaim-for-emad-workqu.patch +mlxsw-core-do-not-use-wq_mem_reclaim-for-mlxsw-order.patch +mlxsw-core-do-not-use-wq_mem_reclaim-for-mlxsw-workq.patch +nfc-nci-add-some-bounds-checking-in-nci_hci_cmd_rece.patch +nfc-nci-potential-off-by-one-in-pipes-array.patch +x86-kprobes-avoid-kretprobe-recursion-bug.patch diff --git a/queue-4.14/sparc64-export-__node_distance.patch b/queue-4.14/sparc64-export-__node_distance.patch new file mode 100644 index 00000000000..d5d8a8cf610 --- /dev/null +++ b/queue-4.14/sparc64-export-__node_distance.patch 
@@ -0,0 +1,34 @@ +From 82dd82355d69a4d7fcc66eb2fa2c9516e1281ea8 Mon Sep 17 00:00:00 2001 +From: "David S. Miller" +Date: Fri, 26 Oct 2018 15:11:56 -0700 +Subject: sparc64: Export __node_distance. + +[ Upstream commit 2b4792eaa9f553764047d157365ed8b7787751a3 ] + +Some drivers reference it via node_distance(), for example the +NVME host driver core. + +ERROR: "__node_distance" [drivers/nvme/host/nvme-core.ko] undefined! +make[1]: *** [scripts/Makefile.modpost:92: __modpost] Error 1 + +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/sparc/mm/init_64.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/sparc/mm/init_64.c b/arch/sparc/mm/init_64.c +index 984e9d65ea0d1..76977296dc9c6 100644 +--- a/arch/sparc/mm/init_64.c ++++ b/arch/sparc/mm/init_64.c +@@ -1383,6 +1383,7 @@ int __node_distance(int from, int to) + } + return numa_latency[from][to]; + } ++EXPORT_SYMBOL(__node_distance); + + static int __init find_best_numa_node_for_mlgroup(struct mdesc_mlgroup *grp) + { +-- +2.20.1 + diff --git a/queue-4.14/sparc64-make-corrupted-user-stacks-more-debuggable.patch b/queue-4.14/sparc64-make-corrupted-user-stacks-more-debuggable.patch new file mode 100644 index 00000000000..7405302e483 --- /dev/null +++ b/queue-4.14/sparc64-make-corrupted-user-stacks-more-debuggable.patch 
@@ -0,0 +1,170 @@ +From 289f8e97250c214ed50ec503c589eb253a6083f9 Mon Sep 17 00:00:00 2001 +From: David Miller +Date: Thu, 25 Oct 2018 20:36:46 -0700 +Subject: sparc64: Make corrupted user stacks more debuggable. + +[ Upstream commit 5b4fc3882a649c9411dd0dcad2ddb78e911d340e ] + +Right now if we get a corrupted user stack frame we do a +do_exit(SIGILL) which is not helpful. + +If under a debugger, this behavior causes the inferior process to +exit. So the register and other state cannot be examined at the time +of the event. + +Instead, conditionally log a rate limited kernel log message and then +force a SIGSEGV. + +With bits and ideas borrowed (as usual) from powerpc. + +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/sparc/include/asm/switch_to_64.h | 3 ++- + arch/sparc/kernel/process_64.c | 25 +++++++++++++++++++------ + arch/sparc/kernel/rtrap_64.S | 1 + + arch/sparc/kernel/signal32.c | 12 ++++++++++-- + arch/sparc/kernel/signal_64.c | 6 +++++- + 5 files changed, 37 insertions(+), 10 deletions(-) + +diff --git a/arch/sparc/include/asm/switch_to_64.h b/arch/sparc/include/asm/switch_to_64.h +index 4ff29b1406a9b..b1d4e2e3210fb 100644 +--- a/arch/sparc/include/asm/switch_to_64.h ++++ b/arch/sparc/include/asm/switch_to_64.h +@@ -67,6 +67,7 @@ do { save_and_clear_fpu(); \ + } while(0) + + void synchronize_user_stack(void); +-void fault_in_user_windows(void); ++struct pt_regs; ++void fault_in_user_windows(struct pt_regs *); + + #endif /* __SPARC64_SWITCH_TO_64_H */ +diff --git a/arch/sparc/kernel/process_64.c b/arch/sparc/kernel/process_64.c +index 318efd784a0b3..5640131e2abf3 100644 +--- a/arch/sparc/kernel/process_64.c ++++ b/arch/sparc/kernel/process_64.c +@@ -36,6 +36,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -528,7 +529,12 @@ static void stack_unaligned(unsigned long sp) + force_sig_info(SIGBUS, &info, current); + } + +-void fault_in_user_windows(void) ++static const char uwfault32[] = KERN_INFO \ ++ 
"%s[%d]: bad register window fault: SP %08lx (orig_sp %08lx) TPC %08lx O7 %08lx\n"; ++static const char uwfault64[] = KERN_INFO \ ++ "%s[%d]: bad register window fault: SP %016lx (orig_sp %016lx) TPC %08lx O7 %016lx\n"; ++ ++void fault_in_user_windows(struct pt_regs *regs) + { + struct thread_info *t = current_thread_info(); + unsigned long window; +@@ -541,9 +547,9 @@ void fault_in_user_windows(void) + do { + struct reg_window *rwin = &t->reg_window[window]; + int winsize = sizeof(struct reg_window); +- unsigned long sp; ++ unsigned long sp, orig_sp; + +- sp = t->rwbuf_stkptrs[window]; ++ orig_sp = sp = t->rwbuf_stkptrs[window]; + + if (test_thread_64bit_stack(sp)) + sp += STACK_BIAS; +@@ -554,8 +560,16 @@ void fault_in_user_windows(void) + stack_unaligned(sp); + + if (unlikely(copy_to_user((char __user *)sp, +- rwin, winsize))) ++ rwin, winsize))) { ++ if (show_unhandled_signals) ++ printk_ratelimited(is_compat_task() ? ++ uwfault32 : uwfault64, ++ current->comm, current->pid, ++ sp, orig_sp, ++ regs->tpc, ++ regs->u_regs[UREG_I7]); + goto barf; ++ } + } while (window--); + } + set_thread_wsaved(0); +@@ -563,8 +577,7 @@ void fault_in_user_windows(void) + + barf: + set_thread_wsaved(window + 1); +- user_exit(); +- do_exit(SIGILL); ++ force_sig(SIGSEGV, current); + } + + asmlinkage long sparc_do_fork(unsigned long clone_flags, +diff --git a/arch/sparc/kernel/rtrap_64.S b/arch/sparc/kernel/rtrap_64.S +index 0b21042ab181b..ad88d60bb740c 100644 +--- a/arch/sparc/kernel/rtrap_64.S ++++ b/arch/sparc/kernel/rtrap_64.S +@@ -30,6 +30,7 @@ __handle_preemption: + wrpr %g0, RTRAP_PSTATE_IRQOFF, %pstate + + __handle_user_windows: ++ add %sp, PTREGS_OFF, %o0 + call fault_in_user_windows + wrpr %g0, RTRAP_PSTATE, %pstate + ba,pt %xcc, __handle_preemption_continue +diff --git a/arch/sparc/kernel/signal32.c b/arch/sparc/kernel/signal32.c +index 5c572de64c748..879f8d86bc21c 100644 +--- a/arch/sparc/kernel/signal32.c ++++ b/arch/sparc/kernel/signal32.c +@@ -442,7 +442,11 @@ static 
int setup_frame32(struct ksignal *ksig, struct pt_regs *regs, + get_sigframe(ksig, regs, sigframe_size); + + if (invalid_frame_pointer(sf, sigframe_size)) { +- do_exit(SIGILL); ++ if (show_unhandled_signals) ++ pr_info("%s[%d] bad frame in setup_frame32: %08lx TPC %08lx O7 %08lx\n", ++ current->comm, current->pid, (unsigned long)sf, ++ regs->tpc, regs->u_regs[UREG_I7]); ++ force_sigsegv(ksig->sig, current); + return -EINVAL; + } + +@@ -573,7 +577,11 @@ static int setup_rt_frame32(struct ksignal *ksig, struct pt_regs *regs, + get_sigframe(ksig, regs, sigframe_size); + + if (invalid_frame_pointer(sf, sigframe_size)) { +- do_exit(SIGILL); ++ if (show_unhandled_signals) ++ pr_info("%s[%d] bad frame in setup_rt_frame32: %08lx TPC %08lx O7 %08lx\n", ++ current->comm, current->pid, (unsigned long)sf, ++ regs->tpc, regs->u_regs[UREG_I7]); ++ force_sigsegv(ksig->sig, current); + return -EINVAL; + } + +diff --git a/arch/sparc/kernel/signal_64.c b/arch/sparc/kernel/signal_64.c +index 20426a1c28f29..2d0a50bde3f96 100644 +--- a/arch/sparc/kernel/signal_64.c ++++ b/arch/sparc/kernel/signal_64.c +@@ -373,7 +373,11 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs) + get_sigframe(ksig, regs, sf_size); + + if (invalid_frame_pointer (sf)) { +- do_exit(SIGILL); /* won't return, actually */ ++ if (show_unhandled_signals) ++ pr_info("%s[%d] bad frame in setup_rt_frame: %016lx TPC %016lx O7 %016lx\n", ++ current->comm, current->pid, (unsigned long)sf, ++ regs->tpc, regs->u_regs[UREG_I7]); ++ force_sigsegv(ksig->sig, current); + return -EINVAL; + } + +-- +2.20.1 + diff --git a/queue-4.14/spi-micrel-eth-switch-declare-missing-of-table.patch b/queue-4.14/spi-micrel-eth-switch-declare-missing-of-table.patch new file mode 100644 index 00000000000..948f62fa266 --- /dev/null +++ b/queue-4.14/spi-micrel-eth-switch-declare-missing-of-table.patch 
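Review bot: in process_64.c the new uwfault64 format prints TPC with %08lx while SP, orig_sp and O7 use %016lx, so the 64-bit TPC is not padded to the same width as the other fields; use %016lx there, as the setup_rt_frame() message in signal_64.c does. Also, the commit message promises a rate-limited log message, but only fault_in_user_windows() uses printk_ratelimited(). The pr_info() calls added to setup_frame32(), setup_rt_frame32() and setup_rt_frame() are reached from a user task with a bad frame pointer and are gated only by show_unhandled_signals, so they should use pr_info_ratelimited() to keep a looping process from flooding the kernel log.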
@@ -0,0 +1,66 @@ +From 0083301210512d97307ef5d0f4f05352ec3b9653 Mon Sep 17 00:00:00 2001 +From: Daniel Gomez +Date: Mon, 22 Apr 2019 21:08:03 +0200 +Subject: spi: Micrel eth switch: declare missing of table + +[ Upstream commit 2f23a2a768bee7ad2ff1e9527c3f7e279e794a46 ] + +Add missing table for SPI driver relying on SPI +device match since compatible is in a DT binding or in a DTS. + +Before this patch: +modinfo drivers/net/phy/spi_ks8995.ko | grep alias +alias: spi:ksz8795 +alias: spi:ksz8864 +alias: spi:ks8995 + +After this patch: +modinfo drivers/net/phy/spi_ks8995.ko | grep alias +alias: spi:ksz8795 +alias: spi:ksz8864 +alias: spi:ks8995 +alias: of:N*T*Cmicrel,ksz8795C* +alias: of:N*T*Cmicrel,ksz8795 +alias: of:N*T*Cmicrel,ksz8864C* +alias: of:N*T*Cmicrel,ksz8864 +alias: of:N*T*Cmicrel,ks8995C* +alias: of:N*T*Cmicrel,ks8995 + +Reported-by: Javier Martinez Canillas +Signed-off-by: Daniel Gomez +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/spi_ks8995.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/phy/spi_ks8995.c b/drivers/net/phy/spi_ks8995.c +index 1e2d4f1179da3..45df03673e010 100644 +--- a/drivers/net/phy/spi_ks8995.c ++++ b/drivers/net/phy/spi_ks8995.c +@@ -162,6 +162,14 @@ static const struct spi_device_id ks8995_id[] = { + }; + MODULE_DEVICE_TABLE(spi, ks8995_id); + ++static const struct of_device_id ks8895_spi_of_match[] = { ++ { .compatible = "micrel,ks8995" }, ++ { .compatible = "micrel,ksz8864" }, ++ { .compatible = "micrel,ksz8795" }, ++ { }, ++ }; ++MODULE_DEVICE_TABLE(of, ks8895_spi_of_match); ++ + static inline u8 get_chip_id(u8 val) + { + return (val >> ID1_CHIPID_S) & ID1_CHIPID_M; +@@ -529,6 +537,7 @@ static int ks8995_remove(struct spi_device *spi) + static struct spi_driver ks8995_driver = { + .driver = { + .name = "spi-ks8995", ++ .of_match_table = of_match_ptr(ks8895_spi_of_match), + }, + .probe = ks8995_probe, + .remove = ks8995_remove, +-- +2.20.1 + 
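Review bot: the table added to spi_ks8995.c is named ks8895_spi_of_match, while the driver, its existing id table (ks8995_id) and the compatible strings all say ks8995; rename it to ks8995_spi_of_match in both the definition and the .of_match_table line so that a grep for the driver name finds it. The closing `};` of the new table is also indented, unlike the closing brace of ks8995_id just above it.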
diff --git a/queue-4.14/spi-st-st95hf-nfc-declare-missing-of-table.patch b/queue-4.14/spi-st-st95hf-nfc-declare-missing-of-table.patch new file mode 100644 index 00000000000..1bb05bf8aee --- /dev/null +++ b/queue-4.14/spi-st-st95hf-nfc-declare-missing-of-table.patch @@ -0,0 +1,56 @@ +From 0089789fd691ef923e7143397b5d81f138768591 Mon Sep 17 00:00:00 2001 +From: Daniel Gomez +Date: Mon, 22 Apr 2019 21:08:04 +0200 +Subject: spi: ST ST95HF NFC: declare missing of table + +[ Upstream commit d04830531d0c4a99c897a44038e5da3d23331d2f ] + +Add missing table for SPI driver relying on SPI +device match since compatible is in a DT binding or in a DTS. + +Before this patch: +modinfo drivers/nfc/st95hf/st95hf.ko | grep alias +alias: spi:st95hf + +After this patch: +modinfo drivers/nfc/st95hf/st95hf.ko | grep alias +alias: spi:st95hf +alias: of:N*T*Cst,st95hfC* +alias: of:N*T*Cst,st95hf + +Reported-by: Javier Martinez Canillas +Signed-off-by: Daniel Gomez +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/st95hf/core.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/nfc/st95hf/core.c b/drivers/nfc/st95hf/core.c +index 2b26f762fbc3b..01acb6e533655 100644 +--- a/drivers/nfc/st95hf/core.c ++++ b/drivers/nfc/st95hf/core.c +@@ -1074,6 +1074,12 @@ static const struct spi_device_id st95hf_id[] = { + }; + MODULE_DEVICE_TABLE(spi, st95hf_id); + ++static const struct of_device_id st95hf_spi_of_match[] = { ++ { .compatible = "st,st95hf" }, ++ { }, ++}; ++MODULE_DEVICE_TABLE(of, st95hf_spi_of_match); ++ + static int st95hf_probe(struct spi_device *nfc_spi_dev) + { + int ret; +@@ -1260,6 +1266,7 @@ static struct spi_driver st95hf_driver = { + .driver = { + .name = "st95hf", + .owner = THIS_MODULE, ++ .of_match_table = of_match_ptr(st95hf_spi_of_match), + }, + .id_table = st95hf_id, + .probe = st95hf_probe, +-- +2.20.1 + 
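Review bot: in drivers/nfc/st95hf/core.c, st95hf_spi_of_match is referenced only through MODULE_DEVICE_TABLE() and of_match_ptr(), and of_match_ptr() evaluates to NULL when CONFIG_OF is disabled, so a built-in build without OF leaves the table with no user and produces an unused-variable warning. Either assign the table to .of_match_table directly, or guard it with #ifdef CONFIG_OF or mark it __maybe_unused.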
diff --git a/queue-4.14/staging-olpc_dcon-add-a-missing-dependency.patch b/queue-4.14/staging-olpc_dcon-add-a-missing-dependency.patch new file mode 100644 index 00000000000..c9b50542ee7 --- /dev/null +++ b/queue-4.14/staging-olpc_dcon-add-a-missing-dependency.patch @@ -0,0 +1,35 @@ +From 965545250cec53bfccbc3b9b79f8d913244a1249 Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Fri, 14 Dec 2018 23:10:08 +0100 +Subject: staging: olpc_dcon: add a missing dependency + +[ Upstream commit 33f49571d75024b1044cd02689ad2bdb4924cc80 ] + + WARNING: unmet direct dependencies detected for BACKLIGHT_CLASS_DEVICE + Depends on [n]: HAS_IOMEM [=y] && BACKLIGHT_LCD_SUPPORT [=n] + Selected by [y]: + - FB_OLPC_DCON [=y] && STAGING [=y] && X86 [=y] && OLPC [=y] && FB [=y] + && I2C [=y] && (GPIO_CS5535 [=n] || GPIO_CS5535 [=n]=n) + +Signed-off-by: Lubomir Rintel +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/olpc_dcon/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/staging/olpc_dcon/Kconfig b/drivers/staging/olpc_dcon/Kconfig +index d277f048789e6..8c6cc61d634bf 100644 +--- a/drivers/staging/olpc_dcon/Kconfig ++++ b/drivers/staging/olpc_dcon/Kconfig +@@ -2,6 +2,7 @@ config FB_OLPC_DCON + tristate "One Laptop Per Child Display CONtroller support" + depends on OLPC && FB + depends on I2C ++ depends on BACKLIGHT_LCD_SUPPORT + depends on (GPIO_CS5535 || GPIO_CS5535=n) + select BACKLIGHT_CLASS_DEVICE + ---help--- +-- +2.20.1 + diff --git a/queue-4.14/tools-lib-traceevent-fix-missing-equality-check-for-.patch b/queue-4.14/tools-lib-traceevent-fix-missing-equality-check-for-.patch new file mode 100644 index 00000000000..6a6dadd97a2 --- /dev/null +++ b/queue-4.14/tools-lib-traceevent-fix-missing-equality-check-for-.patch 
@@ -0,0 +1,59 @@ +From 6c94d959f24ae42f6c7693d4d0afb61d24496c14 Mon Sep 17 00:00:00 2001 +From: Rikard Falkeborn +Date: Tue, 9 Apr 2019 11:15:29 +0200 +Subject: tools lib traceevent: Fix missing equality check for strcmp + +[ Upstream commit f32c2877bcb068a718bb70094cd59ccc29d4d082 ] + +There was a missing comparison with 0 when checking if type is "s64" or +"u64". Therefore, the body of the if-statement was entered if "type" was +"u64" or not "s64", which made the first strcmp() redundant since if +type is "u64", it's not "s64". + +If type is "s64", the body of the if-statement is not entered but since +the remainder of the function consists of if-statements which will not +be entered if type is "s64", we will just return "val", which is +correct, albeit at the cost of a few more calls to strcmp(), i.e., it +will behave just as if the if-statement was entered. + +If type is neither "s64" or "u64", the body of the if-statement will be +entered incorrectly and "val" returned. This means that any type that is +checked after "s64" and "u64" is handled the same way as "s64" and +"u64", i.e., the limiting of "val" to fit in for example "s8" is never +reached. + +This was introduced in the kernel tree when the sources were copied from +trace-cmd in commit f7d82350e597 ("tools/events: Add files to create +libtraceevent.a"), and in the trace-cmd repo in 1cdbae6035cei +("Implement typecasting in parser") when the function was introduced, +i.e., it has always behaved the wrong way. + +Detected by cppcheck. 
+ +Signed-off-by: Rikard Falkeborn +Reviewed-by: Steven Rostedt (VMware) +Cc: Tzvetomir Stoyanov +Fixes: f7d82350e597 ("tools/events: Add files to create libtraceevent.a") +Link: http://lkml.kernel.org/r/20190409091529.2686-1-rikard.falkeborn@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/traceevent/event-parse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c +index 3955ba9e6fcb5..7989dd6289e7a 100644 +--- a/tools/lib/traceevent/event-parse.c ++++ b/tools/lib/traceevent/event-parse.c +@@ -2206,7 +2206,7 @@ eval_type_str(unsigned long long val, const char *type, int pointer) + return val & 0xffffffff; + + if (strcmp(type, "u64") == 0 || +- strcmp(type, "s64")) ++ strcmp(type, "s64") == 0) + return val; + + if (strcmp(type, "s8") == 0) +-- +2.20.1 + diff --git a/queue-4.14/tracing-fgraph-fix-set_graph_function-from-showing-i.patch b/queue-4.14/tracing-fgraph-fix-set_graph_function-from-showing-i.patch new file mode 100644 index 00000000000..5cc8637da08 --- /dev/null +++ b/queue-4.14/tracing-fgraph-fix-set_graph_function-from-showing-i.patch 
@@ -0,0 +1,212 @@ +From b4edd765b94daf478cdc5d964a81d826af395af3 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Thu, 29 Nov 2018 08:50:27 -0500 +Subject: tracing/fgraph: Fix set_graph_function from showing interrupts + +[ Upstream commit 5cf99a0f3161bc3ae2391269d134d6bf7e26f00e ] + +The tracefs file set_graph_function is used to only function graph functions +that are listed in that file (or all functions if the file is empty). The +way this is implemented is that the function graph tracer looks at every +function, and if the current depth is zero and the function matches +something in the file then it will trace that function. When other functions +are called, the depth will be greater than zero (because the original +function will be at depth zero), and all functions will be traced where the +depth is greater than zero. + +The issue is that when a function is first entered, and the handler that +checks this logic is called, the depth is set to zero. If an interrupt comes +in and a function in the interrupt handler is traced, its depth will be +greater than zero and it will automatically be traced, even if the original +function was not. But because the logic only looks at depth it may trace +interrupts when it should not be. + +The recent design change of the function graph tracer to fix other bugs +caused the depth to be zero while the function graph callback handler is +being called for a longer time, widening the race of this happening. This +bug was actually there for a longer time, but because the race window was so +small it seldom happened. The Fixes tag below is for the commit that widen +the race window, because that commit belongs to a series that will also help +fix the original bug. 
+ +Cc: stable@kernel.org +Fixes: 39eb456dacb5 ("function_graph: Use new curr_ret_depth to manage depth instead of curr_ret_stack") +Reported-by: Joe Lawrence +Tested-by: Joe Lawrence +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.h | 57 ++++++++++++++++++++++++++-- + kernel/trace/trace_functions_graph.c | 4 ++ + kernel/trace/trace_irqsoff.c | 2 + + kernel/trace/trace_sched_wakeup.c | 2 + + 4 files changed, 62 insertions(+), 3 deletions(-) + +diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h +index 851cd16050857..a51e32de7c5f7 100644 +--- a/kernel/trace/trace.h ++++ b/kernel/trace/trace.h +@@ -504,12 +504,44 @@ enum { + * can only be modified by current, we can reuse trace_recursion. + */ + TRACE_IRQ_BIT, ++ ++ /* Set if the function is in the set_graph_function file */ ++ TRACE_GRAPH_BIT, ++ ++ /* ++ * In the very unlikely case that an interrupt came in ++ * at a start of graph tracing, and we want to trace ++ * the function in that interrupt, the depth can be greater ++ * than zero, because of the preempted start of a previous ++ * trace. In an even more unlikely case, depth could be 2 ++ * if a softirq interrupted the start of graph tracing, ++ * followed by an interrupt preempting a start of graph ++ * tracing in the softirq, and depth can even be 3 ++ * if an NMI came in at the start of an interrupt function ++ * that preempted a softirq start of a function that ++ * preempted normal context!!!! 
Luckily, it can't be ++ * greater than 3, so the next two bits are a mask ++ * of what the depth is when we set TRACE_GRAPH_BIT ++ */ ++ ++ TRACE_GRAPH_DEPTH_START_BIT, ++ TRACE_GRAPH_DEPTH_END_BIT, + }; + + #define trace_recursion_set(bit) do { (current)->trace_recursion |= (1<<(bit)); } while (0) + #define trace_recursion_clear(bit) do { (current)->trace_recursion &= ~(1<<(bit)); } while (0) + #define trace_recursion_test(bit) ((current)->trace_recursion & (1<<(bit))) + ++#define trace_recursion_depth() \ ++ (((current)->trace_recursion >> TRACE_GRAPH_DEPTH_START_BIT) & 3) ++#define trace_recursion_set_depth(depth) \ ++ do { \ ++ current->trace_recursion &= \ ++ ~(3 << TRACE_GRAPH_DEPTH_START_BIT); \ ++ current->trace_recursion |= \ ++ ((depth) & 3) << TRACE_GRAPH_DEPTH_START_BIT; \ ++ } while (0) ++ + #define TRACE_CONTEXT_BITS 4 + + #define TRACE_FTRACE_START TRACE_FTRACE_BIT +@@ -839,8 +871,9 @@ extern void __trace_graph_return(struct trace_array *tr, + extern struct ftrace_hash *ftrace_graph_hash; + extern struct ftrace_hash *ftrace_graph_notrace_hash; + +-static inline int ftrace_graph_addr(unsigned long addr) ++static inline int ftrace_graph_addr(struct ftrace_graph_ent *trace) + { ++ unsigned long addr = trace->func; + int ret = 0; + + preempt_disable_notrace(); +@@ -851,6 +884,14 @@ static inline int ftrace_graph_addr(unsigned long addr) + } + + if (ftrace_lookup_ip(ftrace_graph_hash, addr)) { ++ ++ /* ++ * This needs to be cleared on the return functions ++ * when the depth is zero. 
++ */ ++ trace_recursion_set(TRACE_GRAPH_BIT); ++ trace_recursion_set_depth(trace->depth); ++ + /* + * If no irqs are to be traced, but a set_graph_function + * is set, and called by an interrupt handler, we still +@@ -868,6 +909,13 @@ static inline int ftrace_graph_addr(unsigned long addr) + return ret; + } + ++static inline void ftrace_graph_addr_finish(struct ftrace_graph_ret *trace) ++{ ++ if (trace_recursion_test(TRACE_GRAPH_BIT) && ++ trace->depth == trace_recursion_depth()) ++ trace_recursion_clear(TRACE_GRAPH_BIT); ++} ++ + static inline int ftrace_graph_notrace_addr(unsigned long addr) + { + int ret = 0; +@@ -881,7 +929,7 @@ static inline int ftrace_graph_notrace_addr(unsigned long addr) + return ret; + } + #else +-static inline int ftrace_graph_addr(unsigned long addr) ++static inline int ftrace_graph_addr(struct ftrace_graph_ent *trace) + { + return 1; + } +@@ -890,6 +938,8 @@ static inline int ftrace_graph_notrace_addr(unsigned long addr) + { + return 0; + } ++static inline void ftrace_graph_addr_finish(struct ftrace_graph_ret *trace) ++{ } + #endif /* CONFIG_DYNAMIC_FTRACE */ + + extern unsigned int fgraph_max_depth; +@@ -897,7 +947,8 @@ extern unsigned int fgraph_max_depth; + static inline bool ftrace_graph_ignore_func(struct ftrace_graph_ent *trace) + { + /* trace it when it is-nested-in or is a function enabled. 
*/ +- return !(trace->depth || ftrace_graph_addr(trace->func)) || ++ return !(trace_recursion_test(TRACE_GRAPH_BIT) || ++ ftrace_graph_addr(trace)) || + (trace->depth < 0) || + (fgraph_max_depth && trace->depth >= fgraph_max_depth); + } +diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c +index 169b3c44ee97f..72d0d477f5c16 100644 +--- a/kernel/trace/trace_functions_graph.c ++++ b/kernel/trace/trace_functions_graph.c +@@ -482,6 +482,8 @@ void trace_graph_return(struct ftrace_graph_ret *trace) + int cpu; + int pc; + ++ ftrace_graph_addr_finish(trace); ++ + local_irq_save(flags); + cpu = raw_smp_processor_id(); + data = per_cpu_ptr(tr->trace_buffer.data, cpu); +@@ -505,6 +507,8 @@ void set_graph_array(struct trace_array *tr) + + static void trace_graph_thresh_return(struct ftrace_graph_ret *trace) + { ++ ftrace_graph_addr_finish(trace); ++ + if (tracing_thresh && + (trace->rettime - trace->calltime < tracing_thresh)) + return; +diff --git a/kernel/trace/trace_irqsoff.c b/kernel/trace/trace_irqsoff.c +index 7758bc0617cb1..2d9e12380dc3b 100644 +--- a/kernel/trace/trace_irqsoff.c ++++ b/kernel/trace/trace_irqsoff.c +@@ -204,6 +204,8 @@ static void irqsoff_graph_return(struct ftrace_graph_ret *trace) + unsigned long flags; + int pc; + ++ ftrace_graph_addr_finish(trace); ++ + if (!func_prolog_dec(tr, &data, &flags)) + return; + +diff --git a/kernel/trace/trace_sched_wakeup.c b/kernel/trace/trace_sched_wakeup.c +index 7d461dcd48318..0fa9dadf3f4f2 100644 +--- a/kernel/trace/trace_sched_wakeup.c ++++ b/kernel/trace/trace_sched_wakeup.c +@@ -270,6 +270,8 @@ static void wakeup_graph_return(struct ftrace_graph_ret *trace) + unsigned long flags; + int pc; + ++ ftrace_graph_addr_finish(trace); ++ + if (!func_prolog_preempt_disable(tr, &data, &pc)) + return; + +-- +2.20.1 + 
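Review bot: in ftrace_graph_ignore_func() (kernel/trace/trace.h), ftrace_graph_addr() now sets TRACE_GRAPH_BIT and records the depth as a side effect before the `trace->depth < 0` and fgraph_max_depth tests on the following lines are evaluated, so an entry can set the bit and still be reported as ignored. Please confirm that ftrace_graph_addr_finish() is still reached for such an entry, or move the depth tests ahead of the lookup; otherwise the bit would stay set past the function that matched. Minor: trace_recursion_depth() and trace_recursion_set_depth() hard-code the mask 3 and TRACE_GRAPH_DEPTH_END_BIT is never used, so deriving the mask from the START and END bits would keep the enum and the macros in step, and trace_recursion_set_depth() should write (current) like its sibling macros.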
diff --git a/queue-4.14/vt-always-call-notifier-with-the-console-lock-held.patch b/queue-4.14/vt-always-call-notifier-with-the-console-lock-held.patch new file mode 100644 index 00000000000..090ac7af76d --- /dev/null +++ b/queue-4.14/vt-always-call-notifier-with-the-console-lock-held.patch @@ -0,0 +1,35 @@ +From b4d3ab9e0fa5bb891844210def2c99c4b073321a Mon Sep 17 00:00:00 2001 +From: Nicolas Pitre +Date: Tue, 8 Jan 2019 22:55:00 -0500 +Subject: vt: always call notifier with the console lock held + +[ Upstream commit 7e1d226345f89ad5d0216a9092c81386c89b4983 ] + +Every invocation of notify_write() and notify_update() is performed +under the console lock, except for one case. Let's fix that. + +Signed-off-by: Nicolas Pitre +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/vt/vt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c +index 1fb5e7f409c4a..6ff921cf9a9e4 100644 +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -2435,8 +2435,8 @@ static int do_con_write(struct tty_struct *tty, const unsigned char *buf, int co + } + con_flush(vc, draw_from, draw_to, &draw_x); + console_conditional_schedule(); +- console_unlock(); + notify_update(vc); ++ console_unlock(); + return n; + } + +-- +2.20.1 + diff --git a/queue-4.14/x86-fpu-don-t-export-__kernel_fpu_-begin-end.patch b/queue-4.14/x86-fpu-don-t-export-__kernel_fpu_-begin-end.patch new file mode 100644 index 00000000000..8eeb1e396b5 --- /dev/null +++ b/queue-4.14/x86-fpu-don-t-export-__kernel_fpu_-begin-end.patch 
@@ -0,0 +1,136 @@ +From debb373127f82911e1a174d8a2ba8244165914a1 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Thu, 29 Nov 2018 16:02:10 +0100 +Subject: x86/fpu: Don't export __kernel_fpu_{begin,end}() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 12209993e98c5fa1855c467f22a24e3d5b8be205 ] + +There is one user of __kernel_fpu_begin() and before invoking it, +it invokes preempt_disable(). So it could invoke kernel_fpu_begin() +right away. The 32bit version of arch_efi_call_virt_setup() and +arch_efi_call_virt_teardown() does this already. + +The comment above *kernel_fpu*() claims that before invoking +__kernel_fpu_begin() preemption should be disabled and that KVM is a +good example of doing it. Well, KVM doesn't do that since commit + + f775b13eedee2 ("x86,kvm: move qemu/guest FPU switching out to vcpu_run") + +so it is not an example anymore. + +With EFI gone as the last user of __kernel_fpu_{begin|end}(), both can +be made static and not exported anymore. + +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Borislav Petkov +Reviewed-by: Rik van Riel +Cc: "H. Peter Anvin" +Cc: "Jason A. 
Donenfeld" +Cc: Andy Lutomirski +Cc: Ard Biesheuvel +Cc: Dave Hansen +Cc: Ingo Molnar +Cc: Nicolai Stange +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Thomas Gleixner +Cc: kvm ML +Cc: linux-efi +Cc: x86-ml +Link: https://lkml.kernel.org/r/20181129150210.2k4mawt37ow6c2vq@linutronix.de +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/efi.h | 6 ++---- + arch/x86/include/asm/fpu/api.h | 15 +++++---------- + arch/x86/kernel/fpu/core.c | 6 ++---- + 3 files changed, 9 insertions(+), 18 deletions(-) + +diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h +index a399c1ebf6f0e..96fd0251f8f57 100644 +--- a/arch/x86/include/asm/efi.h ++++ b/arch/x86/include/asm/efi.h +@@ -82,8 +82,7 @@ struct efi_scratch { + #define arch_efi_call_virt_setup() \ + ({ \ + efi_sync_low_kernel_mappings(); \ +- preempt_disable(); \ +- __kernel_fpu_begin(); \ ++ kernel_fpu_begin(); \ + firmware_restrict_branch_speculation_start(); \ + \ + if (efi_scratch.use_pgd) { \ +@@ -104,8 +103,7 @@ struct efi_scratch { + } \ + \ + firmware_restrict_branch_speculation_end(); \ +- __kernel_fpu_end(); \ +- preempt_enable(); \ ++ kernel_fpu_end(); \ + }) + + extern void __iomem *__init efi_ioremap(unsigned long addr, unsigned long size, +diff --git a/arch/x86/include/asm/fpu/api.h b/arch/x86/include/asm/fpu/api.h +index a9caac9d4a729..b56d504af6545 100644 +--- a/arch/x86/include/asm/fpu/api.h ++++ b/arch/x86/include/asm/fpu/api.h +@@ -12,17 +12,12 @@ + #define _ASM_X86_FPU_API_H + + /* +- * Careful: __kernel_fpu_begin/end() must be called with preempt disabled +- * and they don't touch the preempt state on their own. +- * If you enable preemption after __kernel_fpu_begin(), preempt notifier +- * should call the __kernel_fpu_end() to prevent the kernel/user FPU +- * state from getting corrupted. KVM for example uses this model. +- * +- * All other cases use kernel_fpu_begin/end() which disable preemption +- * during kernel FPU usage. 
++ * Use kernel_fpu_begin/end() if you intend to use FPU in kernel context. It ++ * disables preemption so be careful if you intend to use it for long periods ++ * of time. ++ * If you intend to use the FPU in softirq you need to check first with ++ * irq_fpu_usable() if it is possible. + */ +-extern void __kernel_fpu_begin(void); +-extern void __kernel_fpu_end(void); + extern void kernel_fpu_begin(void); + extern void kernel_fpu_end(void); + extern bool irq_fpu_usable(void); +diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c +index 2ea85b32421a0..2e5003fef51a9 100644 +--- a/arch/x86/kernel/fpu/core.c ++++ b/arch/x86/kernel/fpu/core.c +@@ -93,7 +93,7 @@ bool irq_fpu_usable(void) + } + EXPORT_SYMBOL(irq_fpu_usable); + +-void __kernel_fpu_begin(void) ++static void __kernel_fpu_begin(void) + { + struct fpu *fpu = ¤t->thread.fpu; + +@@ -111,9 +111,8 @@ void __kernel_fpu_begin(void) + __cpu_invalidate_fpregs_state(); + } + } +-EXPORT_SYMBOL(__kernel_fpu_begin); + +-void __kernel_fpu_end(void) ++static void __kernel_fpu_end(void) + { + struct fpu *fpu = ¤t->thread.fpu; + +@@ -122,7 +121,6 @@ void __kernel_fpu_end(void) + + kernel_fpu_enable(); + } +-EXPORT_SYMBOL(__kernel_fpu_end); + + void kernel_fpu_begin(void) + { +-- +2.20.1 + diff --git a/queue-4.14/x86-kprobes-avoid-kretprobe-recursion-bug.patch b/queue-4.14/x86-kprobes-avoid-kretprobe-recursion-bug.patch new file mode 100644 index 00000000000..78fc2128755 --- /dev/null +++ b/queue-4.14/x86-kprobes-avoid-kretprobe-recursion-bug.patch 
@@ -0,0 +1,109 @@ +From ba089b83e85d9e77c1ad67fa0a91774f3a5ecfb6 Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Sun, 24 Feb 2019 01:50:49 +0900 +Subject: x86/kprobes: Avoid kretprobe recursion bug + +[ Upstream commit b191fa96ea6dc00d331dcc28c1f7db5e075693a0 ] + +Avoid kretprobe recursion loop bg by setting a dummy +kprobes to current_kprobe per-CPU variable. + +This bug has been introduced with the asm-coded trampoline +code, since previously it used another kprobe for hooking +the function return placeholder (which only has a nop) and +trampoline handler was called from that kprobe. + +This revives the old lost kprobe again. + +With this fix, we don't see deadlock anymore. + +And you can see that all inner-called kretprobe are skipped. + + event_1 235 0 + event_2 19375 19612 + +The 1st column is recorded count and the 2nd is missed count. +Above shows (event_1 rec) + (event_2 rec) ~= (event_2 missed) +(some difference are here because the counter is racy) + +Reported-by: Andrea Righi +Tested-by: Andrea Righi +Signed-off-by: Masami Hiramatsu +Acked-by: Steven Rostedt +Cc: Linus Torvalds +Cc: Mathieu Desnoyers +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: stable@vger.kernel.org +Fixes: c9becf58d935 ("[PATCH] kretprobe: kretprobe-booster") +Link: http://lkml.kernel.org/r/155094064889.6137.972160690963039.stgit@devbox +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/kprobes/core.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c +index 56cf6c2632549..9d7bb8de2917e 100644 +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -744,11 +744,16 @@ asm( + NOKPROBE_SYMBOL(kretprobe_trampoline); + STACK_FRAME_NON_STANDARD(kretprobe_trampoline); + ++static struct kprobe kretprobe_kprobe = { ++ .addr = (void *)kretprobe_trampoline, ++}; ++ + /* + * Called from kretprobe_trampoline + */ + __visible __used 
void *trampoline_handler(struct pt_regs *regs) + { ++ struct kprobe_ctlblk *kcb; + struct kretprobe_instance *ri = NULL; + struct hlist_head *head, empty_rp; + struct hlist_node *tmp; +@@ -758,6 +763,17 @@ __visible __used void *trampoline_handler(struct pt_regs *regs) + void *frame_pointer; + bool skipped = false; + ++ preempt_disable(); ++ ++ /* ++ * Set a dummy kprobe for avoiding kretprobe recursion. ++ * Since kretprobe never run in kprobe handler, kprobe must not ++ * be running at this point. ++ */ ++ kcb = get_kprobe_ctlblk(); ++ __this_cpu_write(current_kprobe, &kretprobe_kprobe); ++ kcb->kprobe_status = KPROBE_HIT_ACTIVE; ++ + INIT_HLIST_HEAD(&empty_rp); + kretprobe_hash_lock(current, &head, &flags); + /* fixup registers */ +@@ -833,10 +849,9 @@ __visible __used void *trampoline_handler(struct pt_regs *regs) + orig_ret_address = (unsigned long)ri->ret_addr; + if (ri->rp && ri->rp->handler) { + __this_cpu_write(current_kprobe, &ri->rp->kp); +- get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE; + ri->ret_addr = correct_ret_addr; + ri->rp->handler(ri, regs); +- __this_cpu_write(current_kprobe, NULL); ++ __this_cpu_write(current_kprobe, &kretprobe_kprobe); + } + + recycle_rp_inst(ri, &empty_rp); +@@ -852,6 +867,9 @@ __visible __used void *trampoline_handler(struct pt_regs *regs) + + kretprobe_hash_unlock(current, &flags); + ++ __this_cpu_write(current_kprobe, NULL); ++ preempt_enable(); ++ + hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) { + hlist_del(&ri->hlist); + kfree(ri); +-- +2.20.1 + diff --git a/queue-4.14/x86-reboot-efi-use-efi-reboot-for-acer-travelmate-x5.patch b/queue-4.14/x86-reboot-efi-use-efi-reboot-for-acer-travelmate-x5.patch new file mode 100644 index 00000000000..68e1786aad1 --- /dev/null +++ b/queue-4.14/x86-reboot-efi-use-efi-reboot-for-acer-travelmate-x5.patch 
@@ -0,0 +1,102 @@ +From fb954706fcc9c892e9cd0729874a31eab3812047 Mon Sep 17 00:00:00 2001 +From: Jian-Hong Pan +Date: Fri, 12 Apr 2019 16:01:53 +0800 +Subject: x86/reboot, efi: Use EFI reboot for Acer TravelMate X514-51T + +[ Upstream commit 0082517fa4bce073e7cf542633439f26538a14cc ] + +Upon reboot, the Acer TravelMate X514-51T laptop appears to complete the +shutdown process, but then it hangs in BIOS POST with a black screen. + +The problem is intermittent - at some points it has appeared related to +Secure Boot settings or different kernel builds, but ultimately we have +not been able to identify the exact conditions that trigger the issue to +come and go. + +Besides, the EFI mode cannot be disabled in the BIOS of this model. + +However, after extensive testing, we observe that using the EFI reboot +method reliably avoids the issue in all cases. + +So add a boot time quirk to use EFI reboot on such systems. + +Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=203119 +Signed-off-by: Jian-Hong Pan +Signed-off-by: Daniel Drake +Cc: Ard Biesheuvel +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: Matt Fleming +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Cc: linux@endlessm.com +Link: http://lkml.kernel.org/r/20190412080152.3718-1-jian-hong@endlessm.com +[ Fix !CONFIG_EFI build failure, clarify the code and the changelog a bit. 
] +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/reboot.c | 21 +++++++++++++++++++++ + include/linux/efi.h | 7 ++++++- + 2 files changed, 27 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c +index 2126b9d27c340..c663d5fcff2ee 100644 +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -81,6 +81,19 @@ static int __init set_bios_reboot(const struct dmi_system_id *d) + return 0; + } + ++/* ++ * Some machines don't handle the default ACPI reboot method and ++ * require the EFI reboot method: ++ */ ++static int __init set_efi_reboot(const struct dmi_system_id *d) ++{ ++ if (reboot_type != BOOT_EFI && !efi_runtime_disabled()) { ++ reboot_type = BOOT_EFI; ++ pr_info("%s series board detected. Selecting EFI-method for reboot.\n", d->ident); ++ } ++ return 0; ++} ++ + void __noreturn machine_real_restart(unsigned int type) + { + local_irq_disable(); +@@ -166,6 +179,14 @@ static const struct dmi_system_id reboot_dmi_table[] __initconst = { + DMI_MATCH(DMI_PRODUCT_NAME, "AOA110"), + }, + }, ++ { /* Handle reboot issue on Acer TravelMate X514-51T */ ++ .callback = set_efi_reboot, ++ .ident = "Acer TravelMate X514-51T", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate X514-51T"), ++ }, ++ }, + + /* Apple */ + { /* Handle problems with rebooting on Apple MacBook5 */ +diff --git a/include/linux/efi.h b/include/linux/efi.h +index b68b7d199feea..2dab158b74c45 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -1518,7 +1518,12 @@ efi_status_t efi_setup_gop(efi_system_table_t *sys_table_arg, + struct screen_info *si, efi_guid_t *proto, + unsigned long size); + +-bool efi_runtime_disabled(void); ++#ifdef CONFIG_EFI ++extern bool efi_runtime_disabled(void); ++#else ++static inline bool efi_runtime_disabled(void) { return true; } ++#endif ++ + extern void efi_call_virt_check_flags(unsigned long flags, const char *call); + + enum 
efi_secureboot_mode { +-- +2.20.1 + diff --git a/queue-4.14/x86-vdso-pass-eh-frame-hdr-to-the-linker.patch b/queue-4.14/x86-vdso-pass-eh-frame-hdr-to-the-linker.patch new file mode 100644 index 00000000000..c5fc6e5fd42 --- /dev/null +++ b/queue-4.14/x86-vdso-pass-eh-frame-hdr-to-the-linker.patch 
@@ -0,0 +1,68 @@ +From 7793d012407511bdf67ca79989766f3825f21ec4 Mon Sep 17 00:00:00 2001 +From: Alistair Strachan +Date: Fri, 14 Dec 2018 14:36:37 -0800 +Subject: x86/vdso: Pass --eh-frame-hdr to the linker + +[ Upstream commit cd01544a268ad8ee5b1dfe42c4393f1095f86879 ] + +Commit + + 379d98ddf413 ("x86: vdso: Use $LD instead of $CC to link") + +accidentally broke unwinding from userspace, because ld would strip the +.eh_frame sections when linking. + +Originally, the compiler would implicitly add --eh-frame-hdr when +invoking the linker, but when this Makefile was converted from invoking +ld via the compiler, to invoking it directly (like vmlinux does), +the flag was missed. (The EH_FRAME section is important for the VDSO +shared libraries, but not for vmlinux.) + +Fix the problem by explicitly specifying --eh-frame-hdr, which restores +parity with the old method. + +See relevant bug reports for additional info: + + https://bugzilla.kernel.org/show_bug.cgi?id=201741 + https://bugzilla.redhat.com/show_bug.cgi?id=1659295 + +Fixes: 379d98ddf413 ("x86: vdso: Use $LD instead of $CC to link") +Reported-by: Florian Weimer +Reported-by: Carlos O'Donell +Reported-by: "H. J. Lu" +Signed-off-by: Alistair Strachan +Signed-off-by: Borislav Petkov +Tested-by: Laura Abbott +Cc: Andy Lutomirski +Cc: Carlos O'Donell +Cc: "H. 
Peter Anvin" +Cc: Ingo Molnar +Cc: Joel Fernandes +Cc: kernel-team@android.com +Cc: Laura Abbott +Cc: stable +Cc: Thomas Gleixner +Cc: X86 ML +Link: https://lkml.kernel.org/r/20181214223637.35954-1-astrachan@google.com +Signed-off-by: Sasha Levin +--- + arch/x86/entry/vdso/Makefile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile +index 839015f1b0de0..ab7f730cf7f22 100644 +--- a/arch/x86/entry/vdso/Makefile ++++ b/arch/x86/entry/vdso/Makefile +@@ -182,7 +182,8 @@ quiet_cmd_vdso = VDSO $@ + sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@' + + VDSO_LDFLAGS = -shared $(call ld-option, --hash-style=both) \ +- $(call ld-option, --build-id) -Bsymbolic ++ $(call ld-option, --build-id) $(call ld-option, --eh-frame-hdr) \ ++ -Bsymbolic + GCOV_PROFILE := n + + # +-- +2.20.1 + diff --git a/queue-4.14/xtensa-xtfpga.dtsi-fix-dtc-warnings-about-spi.patch b/queue-4.14/xtensa-xtfpga.dtsi-fix-dtc-warnings-about-spi.patch new file mode 100644 index 00000000000..2b687cf46cf --- /dev/null +++ b/queue-4.14/xtensa-xtfpga.dtsi-fix-dtc-warnings-about-spi.patch 
@@ -0,0 +1,53 @@ +From a1f3f58ae96b487908ec3bde873166d0d6fbd568 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Tue, 4 Dec 2018 16:08:20 -0800 +Subject: xtensa: xtfpga.dtsi: fix dtc warnings about SPI + +[ Upstream commit f37598be4e3896359e87c824be57ddddc280cc3f ] + +Rename SPI controller node in the XTFPGA DTS to spi@... +This fixes the following build warnings: + +arch/xtensa/boot/dts/kc705_nommu.dtb: Warning (spi_bus_bridge): + /soc/spi-master@0d0a0000: node name for SPI buses should be 'spi' +arch/xtensa/boot/dts/kc705_nommu.dtb: Warning (spi_bus_reg): + Failed prerequisite 'spi_bus_bridge' +arch/xtensa/boot/dts/lx200mx.dtb: Warning (spi_bus_bridge): + /soc/spi-master@0d0a0000: node name for SPI buses should be 'spi' +arch/xtensa/boot/dts/lx200mx.dtb: Warning (spi_bus_reg): + Failed prerequisite 'spi_bus_bridge' +arch/xtensa/boot/dts/kc705.dtb: Warning (spi_bus_bridge): + /soc/spi-master@0d0a0000: node name for SPI buses should be 'spi' +arch/xtensa/boot/dts/kc705.dtb: Warning (spi_bus_reg): + Failed prerequisite 'spi_bus_bridge' +arch/xtensa/boot/dts/ml605.dtb: Warning (spi_bus_bridge): + /soc/spi-master@0d0a0000: node name for SPI buses should be 'spi' +arch/xtensa/boot/dts/ml605.dtb: Warning (spi_bus_reg): + Failed prerequisite 'spi_bus_bridge' +arch/xtensa/boot/dts/lx60.dtb: Warning (spi_bus_bridge): + /soc/spi-master@0d0a0000: node name for SPI buses should be 'spi' +arch/xtensa/boot/dts/lx60.dtb: Warning (spi_bus_reg): + Failed prerequisite 'spi_bus_bridge' + +Signed-off-by: Max Filippov +Signed-off-by: Sasha Levin +--- + arch/xtensa/boot/dts/xtfpga.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/xtensa/boot/dts/xtfpga.dtsi b/arch/xtensa/boot/dts/xtfpga.dtsi +index 1090528825ec6..e46ae07bab059 100644 +--- a/arch/xtensa/boot/dts/xtfpga.dtsi ++++ b/arch/xtensa/boot/dts/xtfpga.dtsi +@@ -103,7 +103,7 @@ + }; + }; + +- spi0: spi-master@0d0a0000 { ++ spi0: spi@0d0a0000 { + compatible = "cdns,xtfpga-spi"; + #address-cells = 
<1>; + #size-cells = <0>; +-- +2.20.1 +
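Review bot: in the kernel/trace/trace.h hunk that adds ftrace_graph_addr_finish(), the helper clears TRACE_GRAPH_BIT only when trace->depth equals trace_recursion_depth(), and nothing at the helper says that this pairs with the trace_recursion_set_depth(trace->depth) call on the entry side. A one-line comment stating that the bit is cleared on the return of the same function that set it would make the invariant checkable. The helper also has to run before any early return in every graph return callback. The four callers touched here (trace_graph_return, trace_graph_thresh_return, irqsoff_graph_return, wakeup_graph_return) place it first, but the backport should confirm that 4.14 has no other return handler that would leave the bit set.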
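Review bot: in the drivers/tty/vt/vt.c hunk, notify_update(vc) now runs before console_unlock() in do_con_write(), but the locking rule exists only in the commit message. Since the message says every other notify_write() and notify_update() call already holds the console lock, a comment or a lock-held assertion inside those two helpers would keep the rule from regressing the next time a caller is added. Notifier callbacks reached from this path are also now invoked with the console lock held, so any callback that takes the lock itself would need checking.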
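Review bot: in the arch/x86/include/asm/efi.h hunks, dropping the explicit preempt_disable() and preempt_enable() means the code between arch_efi_call_virt_setup() and arch_efi_call_virt_teardown(), including the efi_scratch.use_pgd branch, now depends on kernel_fpu_begin() disabling preemption as a side effect. The new comment in fpu/api.h does state that kernel_fpu_begin/end() disables preemption, but the macro itself gives no hint that it relies on this. A short comment at the kernel_fpu_begin() line in the macro would stop someone from later reordering or removing it without restoring the preemption guard.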
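Review bot: in the arch/x86/kernel/fpu/core.c hunks, the context lines read "struct fpu *fpu = ¤t->thread.fpu;", which is "&current->thread.fpu" with "&curren" decoded as an HTML entity by whatever rendered this page. The patch as shown here will not apply because those context lines do not match the tree, so take it from the raw commit rather than from this rendering. On the change itself, making __kernel_fpu_begin() and __kernel_fpu_end() static and dropping both EXPORT_SYMBOL lines removes symbols that out-of-tree modules built against 4.14 may link to, which deserves a line in the stable changelog.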
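Review bot: in the trampoline_handler() hunks of arch/x86/kernel/kprobes/core.c, current_kprobe is overwritten with &kretprobe_kprobe on entry and set to NULL on exit without looking at its previous value. The added comment asserts that no kprobe can be running at this point, but the code does not check it, so if that assumption is ever wrong the outer kprobe's state is silently lost. A one-time warning when current_kprobe is already non-NULL at entry would turn the comment into something enforced. Also confirm that no path between the new preempt_disable() and preempt_enable() returns early, since only the final exit is visible in these hunks.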
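Review bot: in the set_efi_reboot() hunk of arch/x86/kernel/reboot.c, the quirk is skipped without any message when efi_runtime_disabled() returns true, which includes every !CONFIG_EFI build through the new stub in include/linux/efi.h. On the affected Acer TravelMate X514-51T that leaves the reboot method the commit message describes as hanging in POST, with nothing in the log to explain why the quirk did not apply. Consider logging in that case, for example a pr_info() saying the board was detected but EFI runtime services are unavailable. The comment above the function also names "the default ACPI reboot method", which is more specific than what the condition tests (reboot_type != BOOT_EFI).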
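Review bot: in the arch/x86/entry/vdso/Makefile hunk, wrapping the new flag as $(call ld-option, --eh-frame-hdr) means a linker that rejects the option drops it silently, and the vDSO is then built without the header, which is the same unwinding breakage this patch fixes. The commit message calls the flag required for the vDSO, so either pass --eh-frame-hdr unconditionally or add a build-time check that fails when the resulting vDSO lacks the section. That would match the checkundef.sh step already visible in the context lines.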
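Review bot: in the arch/xtensa/boot/dts/xtfpga.dtsi hunk, renaming the node from spi-master@0d0a0000 to spi@0d0a0000 changes its full path from /soc/spi-master@0d0a0000 to /soc/spi@0d0a0000. The spi0 label is kept, so &spi0 references are unaffected, but anything that addresses the node by path (aliases, overlays, or userspace reading the device tree or sysfs by name) will stop matching. The commit message lists only the dtc warnings. For a stable backport it should also state that no in-tree user references the old path.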