From: Sasha Levin Date: Thu, 13 Dec 2018 15:21:13 +0000 (-0500) Subject: patches for 4.14 X-Git-Tag: v4.19.10~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a39039ba17112faa7f8fcd7aa02ec982cc3a0ef6;p=thirdparty%2Fkernel%2Fstable-queue.git patches for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/acpi-iort-fix-iort_get_platform_device_domain-uninit.patch b/queue-4.14/acpi-iort-fix-iort_get_platform_device_domain-uninit.patch new file mode 100644 index 00000000000..fef1a60bb70 --- /dev/null +++ b/queue-4.14/acpi-iort-fix-iort_get_platform_device_domain-uninit.patch @@ -0,0 +1,54 @@ +From 18bbcbb336b736dfe9f583d3277c21fce9af1300 Mon Sep 17 00:00:00 2001 +From: Lorenzo Pieralisi +Date: Thu, 29 Nov 2018 09:55:59 +0000 +Subject: ACPI/IORT: Fix iort_get_platform_device_domain() uninitialized + pointer value + +[ Upstream commit ea2412dc21cc790335d319181dddc43682aef164 ] + +Running the Clang static analyzer on IORT code detected the following +error: + +Logic error: Branch condition evaluates to a garbage value + +in + +iort_get_platform_device_domain() + +If the named component associated with a given device has no IORT +mappings, iort_get_platform_device_domain() exits its MSI mapping loop +with msi_parent pointer containing garbage, which can lead to erroneous +code path execution. + +Initialize the msi_parent pointer, fixing the bug. + +Fixes: d4f54a186667 ("ACPI: platform: setup MSI domain for ACPI based +platform device") +Reported-by: Patrick Bellasi +Reviewed-by: Hanjun Guo +Acked-by: Will Deacon +Cc: Sudeep Holla +Cc: "Rafael J. Wysocki" +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + drivers/acpi/arm64/iort.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c +index de56394dd161..ca414910710e 100644 +--- a/drivers/acpi/arm64/iort.c ++++ b/drivers/acpi/arm64/iort.c +@@ -547,7 +547,7 @@ struct irq_domain *iort_get_device_domain(struct device *dev, u32 req_id) + */ + static struct irq_domain *iort_get_platform_device_domain(struct device *dev) + { +- struct acpi_iort_node *node, *msi_parent; ++ struct acpi_iort_node *node, *msi_parent = NULL; + struct fwnode_handle *iort_fwnode; + struct acpi_iort_its_group *its; + int i; +-- +2.19.1 + diff --git a/queue-4.14/arm-dts-at91-sama5d2-use-the-divided-clock-for-smc.patch b/queue-4.14/arm-dts-at91-sama5d2-use-the-divided-clock-for-smc.patch new file mode 100644 index 00000000000..6eafec52ff8 --- /dev/null +++ b/queue-4.14/arm-dts-at91-sama5d2-use-the-divided-clock-for-smc.patch @@ -0,0 +1,41 @@ +From c8477ccd7cb76bcae1e1eb2cfab018728a65228c Mon Sep 17 00:00:00 2001 +From: Romain Izard +Date: Tue, 20 Nov 2018 17:57:37 +0100 +Subject: ARM: dts: at91: sama5d2: use the divided clock for SMC + +[ Upstream commit 4ab7ca092c3c7ac8b16aa28eba723a8868f82f14 ] + +The SAMA5D2 is different from SAMA5D3 and SAMA5D4, as there are two +different clocks for the peripherals in the SoC. The Static Memory +controller is connected to the divided master clock. + +Unfortunately, the device tree does not correctly show this and uses the +master clock directly. This clock is then used by the code for the NAND +controller to calculate the timings for the controller, and we end up with +slow NAND Flash access. + +Fix the device tree, and the performance of Flash access is improved. + +Signed-off-by: Romain Izard +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/sama5d2.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/sama5d2.dtsi b/arch/arm/boot/dts/sama5d2.dtsi +index b1a26b42d190..a8e4b89097d9 100644 +--- a/arch/arm/boot/dts/sama5d2.dtsi ++++ b/arch/arm/boot/dts/sama5d2.dtsi +@@ -308,7 +308,7 @@ + 0x1 0x0 0x60000000 0x10000000 + 0x2 0x0 0x70000000 0x10000000 + 0x3 0x0 0x80000000 0x10000000>; +- clocks = <&mck>; ++ clocks = <&h32ck>; + status = "disabled"; + + nand_controller: nand-controller { +-- +2.19.1 + diff --git a/queue-4.14/arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch b/queue-4.14/arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch new file mode 100644 index 00000000000..8fdc7414538 --- /dev/null +++ b/queue-4.14/arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch @@ -0,0 +1,36 @@ +From 4a7b9c7ae571fb5880fc271b2be83859744e30d8 Mon Sep 17 00:00:00 2001 +From: Adam Ford +Date: Sun, 28 Oct 2018 15:29:27 -0500 +Subject: ARM: dts: logicpd-somlv: Fix interrupt on mmc3_dat1 + +[ Upstream commit 3d8b804bc528d3720ec0c39c212af92dafaf6e84 ] + +The interrupt on mmc3_dat1 is wrong which prevents this from +appearing in /proc/interrupts. + +Fixes: ab8dd3aed011 ("ARM: DTS: Add minimal Support for Logic PD +DM3730 SOM-LV") #Kernel 4.9+ + +Signed-off-by: Adam Ford +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/logicpd-som-lv.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/logicpd-som-lv.dtsi b/arch/arm/boot/dts/logicpd-som-lv.dtsi +index c335b923753a..a7883676f675 100644 +--- a/arch/arm/boot/dts/logicpd-som-lv.dtsi ++++ b/arch/arm/boot/dts/logicpd-som-lv.dtsi +@@ -123,7 +123,7 @@ + }; + + &mmc3 { +- interrupts-extended = <&intc 94 &omap3_pmx_core2 0x46>; ++ interrupts-extended = <&intc 94 &omap3_pmx_core 0x136>; + pinctrl-0 = <&mmc3_pins &wl127x_gpio>; + pinctrl-names = "default"; + vmmc-supply = <&wl12xx_vmmc>; +-- +2.19.1 + diff --git a/queue-4.14/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch b/queue-4.14/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch new file mode 100644 index 00000000000..7da49456a70 --- /dev/null +++ b/queue-4.14/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch @@ -0,0 +1,40 @@ +From 88c5b40290a1cb86b86bb403729bdeb38c44218f Mon Sep 17 00:00:00 2001 +From: Janusz Krzysztofik +Date: Wed, 7 Nov 2018 22:30:31 +0100 +Subject: ARM: OMAP1: ams-delta: Fix possible use of uninitialized field + +[ Upstream commit cec83ff1241ec98113a19385ea9e9cfa9aa4125b ] + +While playing with initialization order of modem device, it has been +discovered that under some circumstances (early console init, I +believe) its .pm() callback may be called before the +uart_port->private_data pointer is initialized from +plat_serial8250_port->private_data, resulting in NULL pointer +dereference. Fix it by checking for uninitialized pointer before using +it in modem_pm(). + +Fixes: aabf31737a6a ("ARM: OMAP1: ams-delta: update the modem to use regulator API") +Signed-off-by: Janusz Krzysztofik +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap1/board-ams-delta.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/mach-omap1/board-ams-delta.c b/arch/arm/mach-omap1/board-ams-delta.c +index 6cbc69c92913..4174fa86bfb1 100644 +--- a/arch/arm/mach-omap1/board-ams-delta.c ++++ b/arch/arm/mach-omap1/board-ams-delta.c +@@ -512,6 +512,9 @@ static void modem_pm(struct uart_port *port, unsigned int state, unsigned old) + struct modem_private_data *priv = port->private_data; + int ret; + ++ if (!priv) ++ return; ++ + if (IS_ERR(priv->regulator)) + return; + +-- +2.19.1 + diff --git a/queue-4.14/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch b/queue-4.14/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch new file mode 100644 index 00000000000..b7535fca044 --- /dev/null +++ b/queue-4.14/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch @@ -0,0 +1,45 @@ +From 229e4316c6c1801a4aabe1631a6f49e74f15ba67 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 17 Oct 2018 17:54:00 -0700 +Subject: ARM: OMAP2+: prm44xx: Fix section annotation on + omap44xx_prm_enable_io_wakeup + +[ Upstream commit eef3dc34a1e0b01d53328b88c25237bcc7323777 ] + +When building the kernel with Clang, the following section mismatch +warning appears: + +WARNING: vmlinux.o(.text+0x38b3c): Section mismatch in reference from +the function omap44xx_prm_late_init() to the function +.init.text:omap44xx_prm_enable_io_wakeup() +The function omap44xx_prm_late_init() references +the function __init omap44xx_prm_enable_io_wakeup(). +This is often because omap44xx_prm_late_init lacks a __init +annotation or the annotation of omap44xx_prm_enable_io_wakeup is wrong. + +Remove the __init annotation from omap44xx_prm_enable_io_wakeup so there +is no more mismatch. + +Signed-off-by: Nathan Chancellor +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/prm44xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mach-omap2/prm44xx.c b/arch/arm/mach-omap2/prm44xx.c +index 1c0c1663f078..5affa9f5300b 100644 +--- a/arch/arm/mach-omap2/prm44xx.c ++++ b/arch/arm/mach-omap2/prm44xx.c +@@ -344,7 +344,7 @@ static void omap44xx_prm_reconfigure_io_chain(void) + * to occur, WAKEUPENABLE bits must be set in the pad mux registers, and + * omap44xx_prm_reconfigure_io_chain() must be called. No return value. + */ +-static void __init omap44xx_prm_enable_io_wakeup(void) ++static void omap44xx_prm_enable_io_wakeup(void) + { + s32 inst = omap4_prmst_get_prm_dev_inst(); + +-- +2.19.1 + diff --git a/queue-4.14/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch b/queue-4.14/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch new file mode 100644 index 00000000000..2f3f702f44d --- /dev/null +++ b/queue-4.14/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch @@ -0,0 +1,57 @@ +From 14d7f10ca5bd0d0bdb7b04a72f88737de2a8b5b4 Mon Sep 17 00:00:00 2001 +From: Tzung-Bi Shih +Date: Wed, 14 Nov 2018 17:06:13 +0800 +Subject: ASoC: dapm: Recalculate audio map forcely when card instantiated + +[ Upstream commit 882eab6c28d23a970ae73b7eb831b169a672d456 ] + +Audio map are possible in wrong state before card->instantiated has +been set to true. Imaging the following examples: + +time 1: at the beginning + + in:-1 in:-1 in:-1 in:-1 + out:-1 out:-1 out:-1 out:-1 + SIGGEN A B Spk + +time 2: after someone called snd_soc_dapm_new_widgets() +(e.g. create_fill_widget_route_map() in sound/soc/codecs/hdac_hdmi.c) + + in:1 in:0 in:0 in:0 + out:0 out:0 out:0 out:1 + SIGGEN A B Spk + +time 3: routes added + + in:1 in:0 in:0 in:0 + out:0 out:0 out:0 out:1 + SIGGEN -----> A -----> B ---> Spk + +In the end, the path should be powered on but it did not. At time 3, +"in" of SIGGEN and "out" of Spk did not propagate to their neighbors +because snd_soc_dapm_add_path() will not invalidate the paths if +the card has not instantiated (i.e. card->instantiated is false). +To correct the state of audio map, recalculate the whole map forcely. + +Signed-off-by: Tzung-Bi Shih +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index fee4b0ef5566..42c2a3065b77 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -2307,6 +2307,7 @@ static int snd_soc_instantiate_card(struct snd_soc_card *card) + } + + card->instantiated = 1; ++ dapm_mark_endpoints_dirty(card); + snd_soc_dapm_sync(&card->dapm); + mutex_unlock(&card->mutex); + mutex_unlock(&client_mutex); +-- +2.19.1 + diff --git a/queue-4.14/asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch b/queue-4.14/asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch new file mode 100644 index 00000000000..f5c82a5f0b1 --- /dev/null +++ b/queue-4.14/asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch @@ -0,0 +1,159 @@ +From 29d08210bad2753c06936519eb52443ba46ad6ef Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Wed, 14 Nov 2018 14:58:20 +0200 +Subject: ASoC: omap-abe-twl6040: Fix missing audio card caused by deferred + probing + +[ Upstream commit 76836fd354922ebe4798a64fda01f8dc6a8b0984 ] + +The machine driver fails to probe in next-20181113 with: + +[ 2.539093] omap-abe-twl6040 sound: ASoC: CODEC DAI twl6040-legacy not registered +[ 2.546630] omap-abe-twl6040 sound: devm_snd_soc_register_card() failed: -517 +... +[ 3.693206] omap-abe-twl6040 sound: ASoC: Both platform name/of_node are set for TWL6040 +[ 3.701446] omap-abe-twl6040 sound: ASoC: failed to init link TWL6040 +[ 3.708007] omap-abe-twl6040 sound: devm_snd_soc_register_card() failed: -22 +[ 3.715148] omap-abe-twl6040: probe of sound failed with error -22 + +Bisect pointed to a merge commit: +first bad commit: [0f688ab20a540aafa984c5dbd68a71debebf4d7f] Merge remote-tracking branch 'net-next/master' + +and a diff between a working kernel does not reveal anything which would +explain the change in behavior. + +Further investigation showed that on the second try of loading fails +because the dai_link->platform is no longer NULL and it might be pointing +to uninitialized memory. + +The fix is to move the snd_soc_dai_link and snd_soc_card inside of the +abe_twl6040 struct, which is dynamically allocated every time the driver +probes. + +Signed-off-by: Peter Ujfalusi +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/omap/omap-abe-twl6040.c | 67 +++++++++++++------------------ + 1 file changed, 29 insertions(+), 38 deletions(-) + +diff --git a/sound/soc/omap/omap-abe-twl6040.c b/sound/soc/omap/omap-abe-twl6040.c +index 614b18d2f631..6fd143799534 100644 +--- a/sound/soc/omap/omap-abe-twl6040.c ++++ b/sound/soc/omap/omap-abe-twl6040.c +@@ -36,6 +36,8 @@ + #include "../codecs/twl6040.h" + + struct abe_twl6040 { ++ struct snd_soc_card card; ++ struct snd_soc_dai_link dai_links[2]; + int jack_detection; /* board can detect jack events */ + int mclk_freq; /* MCLK frequency speed for twl6040 */ + }; +@@ -208,40 +210,10 @@ static int omap_abe_dmic_init(struct snd_soc_pcm_runtime *rtd) + ARRAY_SIZE(dmic_audio_map)); + } + +-/* Digital audio interface glue - connects codec <--> CPU */ +-static struct snd_soc_dai_link abe_twl6040_dai_links[] = { +- { +- .name = "TWL6040", +- .stream_name = "TWL6040", +- .codec_dai_name = "twl6040-legacy", +- .codec_name = "twl6040-codec", +- .init = omap_abe_twl6040_init, +- .ops = &omap_abe_ops, +- }, +- { +- .name = "DMIC", +- .stream_name = "DMIC Capture", +- .codec_dai_name = "dmic-hifi", +- .codec_name = "dmic-codec", +- .init = omap_abe_dmic_init, +- .ops = &omap_abe_dmic_ops, +- }, +-}; +- +-/* Audio machine driver */ +-static struct snd_soc_card omap_abe_card = { +- .owner = THIS_MODULE, +- +- .dapm_widgets = twl6040_dapm_widgets, +- .num_dapm_widgets = ARRAY_SIZE(twl6040_dapm_widgets), +- .dapm_routes = audio_map, +- .num_dapm_routes = ARRAY_SIZE(audio_map), +-}; +- + static int omap_abe_probe(struct platform_device *pdev) + { + struct device_node *node = pdev->dev.of_node; +- struct snd_soc_card *card = &omap_abe_card; ++ struct snd_soc_card *card; + struct device_node *dai_node; + struct abe_twl6040 *priv; + int num_links = 0; +@@ -252,12 +224,18 @@ static int omap_abe_probe(struct platform_device *pdev) + return -ENODEV; + } + +- card->dev = &pdev->dev; +- + priv = devm_kzalloc(&pdev->dev, sizeof(struct abe_twl6040), GFP_KERNEL); + if (priv == NULL) + return -ENOMEM; + ++ card = &priv->card; ++ card->dev = &pdev->dev; ++ card->owner = THIS_MODULE; ++ card->dapm_widgets = twl6040_dapm_widgets; ++ card->num_dapm_widgets = ARRAY_SIZE(twl6040_dapm_widgets); ++ card->dapm_routes = audio_map; ++ card->num_dapm_routes = ARRAY_SIZE(audio_map); ++ + if (snd_soc_of_parse_card_name(card, "ti,model")) { + dev_err(&pdev->dev, "Card name is not provided\n"); + return -ENODEV; +@@ -274,14 +252,27 @@ static int omap_abe_probe(struct platform_device *pdev) + dev_err(&pdev->dev, "McPDM node is not provided\n"); + return -EINVAL; + } +- abe_twl6040_dai_links[0].cpu_of_node = dai_node; +- abe_twl6040_dai_links[0].platform_of_node = dai_node; ++ ++ priv->dai_links[0].name = "DMIC"; ++ priv->dai_links[0].stream_name = "TWL6040"; ++ priv->dai_links[0].cpu_of_node = dai_node; ++ priv->dai_links[0].platform_of_node = dai_node; ++ priv->dai_links[0].codec_dai_name = "twl6040-legacy"; ++ priv->dai_links[0].codec_name = "twl6040-codec"; ++ priv->dai_links[0].init = omap_abe_twl6040_init; ++ priv->dai_links[0].ops = &omap_abe_ops; + + dai_node = of_parse_phandle(node, "ti,dmic", 0); + if (dai_node) { + num_links = 2; +- abe_twl6040_dai_links[1].cpu_of_node = dai_node; +- abe_twl6040_dai_links[1].platform_of_node = dai_node; ++ priv->dai_links[1].name = "TWL6040"; ++ priv->dai_links[1].stream_name = "DMIC Capture"; ++ priv->dai_links[1].cpu_of_node = dai_node; ++ priv->dai_links[1].platform_of_node = dai_node; ++ priv->dai_links[1].codec_dai_name = "dmic-hifi"; ++ priv->dai_links[1].codec_name = "dmic-codec"; ++ priv->dai_links[1].init = omap_abe_dmic_init; ++ priv->dai_links[1].ops = &omap_abe_dmic_ops; + } else { + num_links = 1; + } +@@ -300,7 +291,7 @@ static int omap_abe_probe(struct platform_device *pdev) + return -ENODEV; + } + +- card->dai_link = abe_twl6040_dai_links; ++ card->dai_link = priv->dai_links; + card->num_links = num_links; + + snd_soc_card_set_drvdata(card, priv); +-- +2.19.1 + diff --git a/queue-4.14/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch b/queue-4.14/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch new file mode 100644 index 00000000000..ff07d53317b --- /dev/null +++ b/queue-4.14/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch @@ -0,0 +1,63 @@ +From ba2733060495b067b65a344aa2fa1fbc31bc1506 Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Wed, 14 Nov 2018 13:06:23 +0200 +Subject: ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE + +[ Upstream commit ffdcc3638c58d55a6fa68b6e5dfd4fb4109652eb ] + +We need to block sleep states which would require longer time to leave than +the time the DMA must react to the DMA request in order to keep the FIFO +serviced without overrun. + +Signed-off-by: Peter Ujfalusi +Acked-by: Jarkko Nikula +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/omap/omap-dmic.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/sound/soc/omap/omap-dmic.c b/sound/soc/omap/omap-dmic.c +index 09db2aec12a3..776e809a8aab 100644 +--- a/sound/soc/omap/omap-dmic.c ++++ b/sound/soc/omap/omap-dmic.c +@@ -48,6 +48,8 @@ struct omap_dmic { + struct device *dev; + void __iomem *io_base; + struct clk *fclk; ++ struct pm_qos_request pm_qos_req; ++ int latency; + int fclk_freq; + int out_freq; + int clk_div; +@@ -124,6 +126,8 @@ static void omap_dmic_dai_shutdown(struct snd_pcm_substream *substream, + + mutex_lock(&dmic->mutex); + ++ pm_qos_remove_request(&dmic->pm_qos_req); ++ + if (!dai->active) + dmic->active = 0; + +@@ -226,6 +230,8 @@ static int omap_dmic_dai_hw_params(struct snd_pcm_substream *substream, + /* packet size is threshold * channels */ + dma_data = snd_soc_dai_get_dma_data(dai, substream); + dma_data->maxburst = dmic->threshold * channels; ++ dmic->latency = (OMAP_DMIC_THRES_MAX - dmic->threshold) * USEC_PER_SEC / ++ params_rate(params); + + return 0; + } +@@ -236,6 +242,9 @@ static int omap_dmic_dai_prepare(struct snd_pcm_substream *substream, + struct omap_dmic *dmic = snd_soc_dai_get_drvdata(dai); + u32 ctrl; + ++ if (pm_qos_request_active(&dmic->pm_qos_req)) ++ pm_qos_update_request(&dmic->pm_qos_req, dmic->latency); ++ + /* Configure uplink threshold */ + omap_dmic_write(dmic, OMAP_DMIC_FIFO_CTRL_REG, dmic->threshold); + +-- +2.19.1 + diff --git a/queue-4.14/asoc-omap-mcbsp-fix-latency-value-calculation-for-pm.patch b/queue-4.14/asoc-omap-mcbsp-fix-latency-value-calculation-for-pm.patch new file mode 100644 index 00000000000..a0c8b5597a4 --- /dev/null +++ b/queue-4.14/asoc-omap-mcbsp-fix-latency-value-calculation-for-pm.patch @@ -0,0 +1,38 @@ +From b9e1e81936f8347648fe68f59ee6f55c6bbdd4ca Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Wed, 14 Nov 2018 13:06:21 +0200 +Subject: ASoC: omap-mcbsp: Fix latency value calculation for pm_qos + +[ Upstream commit dd2f52d8991af9fe0928d59ec502ba52be7bc38d ] + +The latency number is in usec for the pm_qos. Correct the calculation to +give us the time in usec + +Signed-off-by: Peter Ujfalusi +Acked-by: Jarkko Nikula +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/omap/omap-mcbsp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/omap/omap-mcbsp.c b/sound/soc/omap/omap-mcbsp.c +index 6b40bdbef336..47c2ed5ca492 100644 +--- a/sound/soc/omap/omap-mcbsp.c ++++ b/sound/soc/omap/omap-mcbsp.c +@@ -308,9 +308,9 @@ static int omap_mcbsp_dai_hw_params(struct snd_pcm_substream *substream, + pkt_size = channels; + } + +- latency = ((((buffer_size - pkt_size) / channels) * 1000) +- / (params->rate_num / params->rate_den)); +- ++ latency = (buffer_size - pkt_size) / channels; ++ latency = latency * USEC_PER_SEC / ++ (params->rate_num / params->rate_den); + mcbsp->latency[substream->stream] = latency; + + omap_mcbsp_set_threshold(substream, pkt_size); +-- +2.19.1 + diff --git a/queue-4.14/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch b/queue-4.14/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch new file mode 100644 index 00000000000..4b70e95cce6 --- /dev/null +++ b/queue-4.14/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch @@ -0,0 +1,127 @@ +From f37666e0f302884908ecc1490ab18c96b3939062 Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Wed, 14 Nov 2018 13:06:22 +0200 +Subject: ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with + CPU_IDLE + +[ Upstream commit 373a500e34aea97971c9d71e45edad458d3da98f ] + +We need to block sleep states which would require longer time to leave than +the time the DMA must react to the DMA request in order to keep the FIFO +serviced without under of overrun. + +Signed-off-by: Peter Ujfalusi +Acked-by: Jarkko Nikula +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/omap/omap-mcpdm.c | 43 ++++++++++++++++++++++++++++++++++++- + 1 file changed, 42 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/omap/omap-mcpdm.c b/sound/soc/omap/omap-mcpdm.c +index 64609c77a79d..44ffeb71cd1d 100644 +--- a/sound/soc/omap/omap-mcpdm.c ++++ b/sound/soc/omap/omap-mcpdm.c +@@ -54,6 +54,8 @@ struct omap_mcpdm { + unsigned long phys_base; + void __iomem *io_base; + int irq; ++ struct pm_qos_request pm_qos_req; ++ int latency[2]; + + struct mutex mutex; + +@@ -277,6 +279,9 @@ static void omap_mcpdm_dai_shutdown(struct snd_pcm_substream *substream, + struct snd_soc_dai *dai) + { + struct omap_mcpdm *mcpdm = snd_soc_dai_get_drvdata(dai); ++ int tx = (substream->stream == SNDRV_PCM_STREAM_PLAYBACK); ++ int stream1 = tx ? SNDRV_PCM_STREAM_PLAYBACK : SNDRV_PCM_STREAM_CAPTURE; ++ int stream2 = tx ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK; + + mutex_lock(&mcpdm->mutex); + +@@ -289,6 +294,14 @@ static void omap_mcpdm_dai_shutdown(struct snd_pcm_substream *substream, + } + } + ++ if (mcpdm->latency[stream2]) ++ pm_qos_update_request(&mcpdm->pm_qos_req, ++ mcpdm->latency[stream2]); ++ else if (mcpdm->latency[stream1]) ++ pm_qos_remove_request(&mcpdm->pm_qos_req); ++ ++ mcpdm->latency[stream1] = 0; ++ + mutex_unlock(&mcpdm->mutex); + } + +@@ -300,7 +313,7 @@ static int omap_mcpdm_dai_hw_params(struct snd_pcm_substream *substream, + int stream = substream->stream; + struct snd_dmaengine_dai_dma_data *dma_data; + u32 threshold; +- int channels; ++ int channels, latency; + int link_mask = 0; + + channels = params_channels(params); +@@ -340,14 +353,25 @@ static int omap_mcpdm_dai_hw_params(struct snd_pcm_substream *substream, + + dma_data->maxburst = + (MCPDM_DN_THRES_MAX - threshold) * channels; ++ latency = threshold; + } else { + /* If playback is not running assume a stereo stream to come */ + if (!mcpdm->config[!stream].link_mask) + mcpdm->config[!stream].link_mask = (0x3 << 3); + + dma_data->maxburst = threshold * channels; ++ latency = (MCPDM_DN_THRES_MAX - threshold); + } + ++ /* ++ * The DMA must act to a DMA request within latency time (usec) to avoid ++ * under/overflow ++ */ ++ mcpdm->latency[stream] = latency * USEC_PER_SEC / params_rate(params); ++ ++ if (!mcpdm->latency[stream]) ++ mcpdm->latency[stream] = 10; ++ + /* Check if we need to restart McPDM with this stream */ + if (mcpdm->config[stream].link_mask && + mcpdm->config[stream].link_mask != link_mask) +@@ -362,6 +386,20 @@ static int omap_mcpdm_prepare(struct snd_pcm_substream *substream, + struct snd_soc_dai *dai) + { + struct omap_mcpdm *mcpdm = snd_soc_dai_get_drvdata(dai); ++ struct pm_qos_request *pm_qos_req = &mcpdm->pm_qos_req; ++ int tx = (substream->stream == SNDRV_PCM_STREAM_PLAYBACK); ++ int stream1 = tx ? SNDRV_PCM_STREAM_PLAYBACK : SNDRV_PCM_STREAM_CAPTURE; ++ int stream2 = tx ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK; ++ int latency = mcpdm->latency[stream2]; ++ ++ /* Prevent omap hardware from hitting off between FIFO fills */ ++ if (!latency || mcpdm->latency[stream1] < latency) ++ latency = mcpdm->latency[stream1]; ++ ++ if (pm_qos_request_active(pm_qos_req)) ++ pm_qos_update_request(pm_qos_req, latency); ++ else if (latency) ++ pm_qos_add_request(pm_qos_req, PM_QOS_CPU_DMA_LATENCY, latency); + + if (!omap_mcpdm_active(mcpdm)) { + omap_mcpdm_start(mcpdm); +@@ -423,6 +461,9 @@ static int omap_mcpdm_remove(struct snd_soc_dai *dai) + free_irq(mcpdm->irq, (void *)mcpdm); + pm_runtime_disable(mcpdm->dev); + ++ if (pm_qos_request_active(&mcpdm->pm_qos_req)) ++ pm_qos_remove_request(&mcpdm->pm_qos_req); ++ + return 0; + } + +-- +2.19.1 + diff --git a/queue-4.14/asoc-rsnd-fixup-clock-start-checker.patch b/queue-4.14/asoc-rsnd-fixup-clock-start-checker.patch new file mode 100644 index 00000000000..8d195f89d2d --- /dev/null +++ b/queue-4.14/asoc-rsnd-fixup-clock-start-checker.patch @@ -0,0 +1,43 @@ +From 365d0e7c3acaf08a17092dbfa89992e6b2ddf0c6 Mon Sep 17 00:00:00 2001 +From: Kuninori Morimoto +Date: Wed, 31 Oct 2018 00:48:12 +0000 +Subject: ASoC: rsnd: fixup clock start checker + +[ Upstream commit 3ee9a76a8c5a10e1bfb04b81db767c6d562ddaf3 ] + +commit 4d230d12710646 ("ASoC: rsnd: fixup not to call clk_get/set under +non-atomic") fixuped clock start timing. But it exchanged clock start +checker from ssi->usrcnt to ssi->rate. + +Current rsnd_ssi_master_clk_start() is called from .prepare, +but some player (for example GStreamer) might calls it many times. +In such case, the checker might returns error even though it was not +error. It should check ssi->usrcnt instead of ssi->rate. +This patch fixup it. Without this patch, GStreamer can't switch +48kHz / 44.1kHz. + +Reported-by: Yusuke Goda +Signed-off-by: Kuninori Morimoto +Tested-by: Yusuke Goda +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sh/rcar/ssi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/sh/rcar/ssi.c b/sound/soc/sh/rcar/ssi.c +index 34223c8c28a8..0db2791f7035 100644 +--- a/sound/soc/sh/rcar/ssi.c ++++ b/sound/soc/sh/rcar/ssi.c +@@ -280,7 +280,7 @@ static int rsnd_ssi_master_clk_start(struct rsnd_mod *mod, + if (rsnd_ssi_is_multi_slave(mod, io)) + return 0; + +- if (ssi->rate) { ++ if (ssi->usrcnt > 1) { + if (ssi->rate != rate) { + dev_err(dev, "SSI parent/child should use same rate\n"); + return -EINVAL; +-- +2.19.1 + diff --git a/queue-4.14/asoc-wm_adsp-fix-dma-unsafe-read-of-scratch-register.patch b/queue-4.14/asoc-wm_adsp-fix-dma-unsafe-read-of-scratch-register.patch new file mode 100644 index 00000000000..0acead1e9f7 --- /dev/null +++ b/queue-4.14/asoc-wm_adsp-fix-dma-unsafe-read-of-scratch-register.patch @@ -0,0 +1,88 @@ +From bacaff98d6a4b88093e821465a450f7b1b984ae5 Mon Sep 17 00:00:00 2001 +From: Richard Fitzgerald +Date: Mon, 12 Nov 2018 13:36:38 +0000 +Subject: ASoC: wm_adsp: Fix dma-unsafe read of scratch registers + +[ Upstream commit 20e00db2f59bdddf8a8e241473ef8be94631d3ae ] + +Stack memory isn't DMA-safe so it isn't safe to use either +regmap_raw_read or regmap_bulk_read to read into stack memory. + +The two functions to read the scratch registers were using +stack memory and regmap_raw_read. It's not worth allocating +memory just for this trivial read, and it isn't time-critical. +A simple regmap_read for each register is sufficient. + +Signed-off-by: Richard Fitzgerald +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm_adsp.c | 37 ++++++++++++++++++++----------------- + 1 file changed, 20 insertions(+), 17 deletions(-) + +diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c +index 989d093abda7..67330b6ab204 100644 +--- a/sound/soc/codecs/wm_adsp.c ++++ b/sound/soc/codecs/wm_adsp.c +@@ -787,38 +787,41 @@ static unsigned int wm_adsp_region_to_reg(struct wm_adsp_region const *mem, + + static void wm_adsp2_show_fw_status(struct wm_adsp *dsp) + { +- u16 scratch[4]; ++ unsigned int scratch[4]; ++ unsigned int addr = dsp->base + ADSP2_SCRATCH0; ++ unsigned int i; + int ret; + +- ret = regmap_raw_read(dsp->regmap, dsp->base + ADSP2_SCRATCH0, +- scratch, sizeof(scratch)); +- if (ret) { +- adsp_err(dsp, "Failed to read SCRATCH regs: %d\n", ret); +- return; ++ for (i = 0; i < ARRAY_SIZE(scratch); ++i) { ++ ret = regmap_read(dsp->regmap, addr + i, &scratch[i]); ++ if (ret) { ++ adsp_err(dsp, "Failed to read SCRATCH%u: %d\n", i, ret); ++ return; ++ } + } + + adsp_dbg(dsp, "FW SCRATCH 0:0x%x 1:0x%x 2:0x%x 3:0x%x\n", +- be16_to_cpu(scratch[0]), +- be16_to_cpu(scratch[1]), +- be16_to_cpu(scratch[2]), +- be16_to_cpu(scratch[3])); ++ scratch[0], scratch[1], scratch[2], scratch[3]); + } + + static void wm_adsp2v2_show_fw_status(struct wm_adsp *dsp) + { +- u32 scratch[2]; ++ unsigned int scratch[2]; + int ret; + +- ret = regmap_raw_read(dsp->regmap, dsp->base + ADSP2V2_SCRATCH0_1, +- scratch, sizeof(scratch)); +- ++ ret = regmap_read(dsp->regmap, dsp->base + ADSP2V2_SCRATCH0_1, ++ &scratch[0]); + if (ret) { +- adsp_err(dsp, "Failed to read SCRATCH regs: %d\n", ret); ++ adsp_err(dsp, "Failed to read SCRATCH0_1: %d\n", ret); + return; + } + +- scratch[0] = be32_to_cpu(scratch[0]); +- scratch[1] = be32_to_cpu(scratch[1]); ++ ret = regmap_read(dsp->regmap, dsp->base + ADSP2V2_SCRATCH2_3, ++ &scratch[1]); ++ if (ret) { ++ adsp_err(dsp, "Failed to read SCRATCH2_3: %d\n", ret); ++ return; ++ } + + adsp_dbg(dsp, "FW SCRATCH 0:0x%x 1:0x%x 2:0x%x 3:0x%x\n", + scratch[0] & 0xFFFF, +-- +2.19.1 + diff --git a/queue-4.14/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch b/queue-4.14/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch new file mode 100644 index 00000000000..43d4c5557d1 --- /dev/null +++ b/queue-4.14/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch @@ -0,0 +1,44 @@ +From 0887094f736c365636a17498d7aeda78ce544a03 Mon Sep 17 00:00:00 2001 +From: Martynas Pumputis +Date: Fri, 23 Nov 2018 17:43:26 +0100 +Subject: bpf: fix check of allowed specifiers in bpf_trace_printk + +[ Upstream commit 1efb6ee3edea57f57f9fb05dba8dcb3f7333f61f ] + +A format string consisting of "%p" or "%s" followed by an invalid +specifier (e.g. "%p%\n" or "%s%") could pass the check which +would make format_decode (lib/vsprintf.c) to warn. + +Fixes: 9c959c863f82 ("tracing: Allow BPF programs to call bpf_trace_printk()") +Reported-by: syzbot+1ec5c5ec949c4adaa0c4@syzkaller.appspotmail.com +Signed-off-by: Martynas Pumputis +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index 6350f64d5aa4..f9dd8fd055a6 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -161,11 +161,13 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1, + i++; + } else if (fmt[i] == 'p' || fmt[i] == 's') { + mod[fmt_cnt]++; +- i++; +- if (!isspace(fmt[i]) && !ispunct(fmt[i]) && fmt[i] != 0) ++ /* disallow any further format extensions */ ++ if (fmt[i + 1] != 0 && ++ !isspace(fmt[i + 1]) && ++ !ispunct(fmt[i + 1])) + return -EINVAL; + fmt_cnt++; +- if (fmt[i - 1] == 's') { ++ if (fmt[i] == 's') { + if (str_seen) + /* allow only one '%s' per fmt string */ + return -EINVAL; +-- +2.19.1 + diff --git a/queue-4.14/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch b/queue-4.14/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch new file mode 100644 index 00000000000..bc199cebae2 --- /dev/null +++ b/queue-4.14/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch @@ -0,0 +1,200 @@ +From 722daadac3d6596bc2d516854984950cbad7b0e5 Mon Sep 17 00:00:00 2001 +From: Robbie Ko +Date: Wed, 14 Nov 2018 18:32:37 +0000 +Subject: Btrfs: send, fix infinite loop due to directory rename dependencies + +[ Upstream commit a4390aee72713d9e73f1132bcdeb17d72fbbf974 ] + +When doing an incremental send, due to the need of delaying directory move +(rename) operations we can end up in infinite loop at +apply_children_dir_moves(). + +An example scenario that triggers this problem is described below, where +directory names correspond to the numbers of their respective inodes. + +Parent snapshot: + + . + |--- 261/ + |--- 271/ + |--- 266/ + |--- 259/ + |--- 260/ + | |--- 267 + | + |--- 264/ + | |--- 258/ + | |--- 257/ + | + |--- 265/ + |--- 268/ + |--- 269/ + | |--- 262/ + | + |--- 270/ + |--- 272/ + | |--- 263/ + | |--- 275/ + | + |--- 274/ + |--- 273/ + +Send snapshot: + + . + |-- 275/ + |-- 274/ + |-- 273/ + |-- 262/ + |-- 269/ + |-- 258/ + |-- 271/ + |-- 268/ + |-- 267/ + |-- 270/ + |-- 259/ + | |-- 265/ + | + |-- 272/ + |-- 257/ + |-- 260/ + |-- 264/ + |-- 263/ + |-- 261/ + |-- 266/ + +When processing inode 257 we delay its move (rename) operation because its +new parent in the send snapshot, inode 272, was not yet processed. Then +when processing inode 272, we delay the move operation for that inode +because inode 274 is its ancestor in the send snapshot. Finally we delay +the move operation for inode 274 when processing it because inode 275 is +its new parent in the send snapshot and was not yet moved. + +When finishing processing inode 275, we start to do the move operations +that were previously delayed (at apply_children_dir_moves()), resulting in +the following iterations: + +1) We issue the move operation for inode 274; + +2) Because inode 262 depended on the move operation of inode 274 (it was + delayed because 274 is its ancestor in the send snapshot), we issue the + move operation for inode 262; + +3) We issue the move operation for inode 272, because it was delayed by + inode 274 too (ancestor of 272 in the send snapshot); + +4) We issue the move operation for inode 269 (it was delayed by 262); + +5) We issue the move operation for inode 257 (it was delayed by 272); + +6) We issue the move operation for inode 260 (it was delayed by 272); + +7) We issue the move operation for inode 258 (it was delayed by 269); + +8) We issue the move operation for inode 264 (it was delayed by 257); + +9) We issue the move operation for inode 271 (it was delayed by 258); + +10) We issue the move operation for inode 263 (it was delayed by 264); + +11) We issue the move operation for inode 268 (it was delayed by 271); + +12) We verify if we can issue the move operation for inode 270 (it was + delayed by 271). We detect a path loop in the current state, because + inode 267 needs to be moved first before we can issue the move + operation for inode 270. So we delay again the move operation for + inode 270, this time we will attempt to do it after inode 267 is + moved; + +13) We issue the move operation for inode 261 (it was delayed by 263); + +14) We verify if we can issue the move operation for inode 266 (it was + delayed by 263). We detect a path loop in the current state, because + inode 270 needs to be moved first before we can issue the move + operation for inode 266. So we delay again the move operation for + inode 266, this time we will attempt to do it after inode 270 is + moved (its move operation was delayed in step 12); + +15) We issue the move operation for inode 267 (it was delayed by 268); + +16) We verify if we can issue the move operation for inode 266 (it was + delayed by 270). We detect a path loop in the current state, because + inode 270 needs to be moved first before we can issue the move + operation for inode 266. So we delay again the move operation for + inode 266, this time we will attempt to do it after inode 270 is + moved (its move operation was delayed in step 12). So here we added + again the same delayed move operation that we added in step 14; + +17) We attempt again to see if we can issue the move operation for inode + 266, and as in step 16, we realize we can not due to a path loop in + the current state due to a dependency on inode 270. Again we delay + inode's 266 rename to happen after inode's 270 move operation, adding + the same dependency to the empty stack that we did in steps 14 and 16. + The next iteration will pick the same move dependency on the stack + (the only entry) and realize again there is still a path loop and then + again the same dependency to the stack, over and over, resulting in + an infinite loop. + +So fix this by preventing adding the same move dependency entries to the +stack by removing each pending move record from the red black tree of +pending moves. This way the next call to get_pending_dir_moves() will +not return anything for the current parent inode. + +A test case for fstests, with this reproducer, follows soon. + +Signed-off-by: Robbie Ko +Reviewed-by: Filipe Manana +[Wrote changelog with example and more clear explanation] +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/send.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index baf5a4cd7ffc..3f22af96d63b 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -3354,7 +3354,8 @@ static void free_pending_move(struct send_ctx *sctx, struct pending_dir_move *m) + kfree(m); + } + +-static void tail_append_pending_moves(struct pending_dir_move *moves, ++static void tail_append_pending_moves(struct send_ctx *sctx, ++ struct pending_dir_move *moves, + struct list_head *stack) + { + if (list_empty(&moves->list)) { +@@ -3365,6 +3366,10 @@ static void tail_append_pending_moves(struct pending_dir_move *moves, + list_add_tail(&moves->list, stack); + list_splice_tail(&list, stack); + } ++ if (!RB_EMPTY_NODE(&moves->node)) { ++ rb_erase(&moves->node, &sctx->pending_dir_moves); ++ RB_CLEAR_NODE(&moves->node); ++ } + } + + static int apply_children_dir_moves(struct send_ctx *sctx) +@@ -3379,7 +3384,7 @@ static int apply_children_dir_moves(struct send_ctx *sctx) + return 0; + + INIT_LIST_HEAD(&stack); +- tail_append_pending_moves(pm, &stack); ++ tail_append_pending_moves(sctx, pm, &stack); + + while (!list_empty(&stack)) { + pm = list_first_entry(&stack, struct pending_dir_move, list); +@@ -3390,7 +3395,7 @@ static int apply_children_dir_moves(struct send_ctx *sctx) + goto out; + pm = get_pending_dir_moves(sctx, parent_ino); + if (pm) +- tail_append_pending_moves(pm, &stack); ++ tail_append_pending_moves(sctx, pm, &stack); + } + return 0; + +-- +2.19.1 + diff --git a/queue-4.14/cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch b/queue-4.14/cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch new file mode 100644 index 00000000000..50532c48a8a --- /dev/null +++ b/queue-4.14/cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch @@ -0,0 +1,87 @@ +From 2b93e751541e2443ba725027be0fb1ffb6ed68bb Mon Sep 17 00:00:00 2001 +From: Kiran Kumar Modukuri +Date: Mon, 24 Sep 2018 12:02:39 +1000 +Subject: cachefiles: Fix page leak in cachefiles_read_backing_file while + vmscan is active + +[ Upstream commit 9a24ce5b66f9c8190d63b15f4473600db4935f1f ] + +[Description] + +In a heavily loaded system where the system pagecache is nearing memory +limits and fscache is enabled, pages can be leaked by fscache while trying +read pages from cachefiles backend. This can happen because two +applications can be reading same page from a single mount, two threads can +be trying to read the backing page at same time. This results in one of +the threads finding that a page for the backing file or netfs file is +already in the radix tree. During the error handling cachefiles does not +clean up the reference on backing page, leading to page leak. + +[Fix] +The fix is straightforward, to decrement the reference when error is +encountered. + + [dhowells: Note that I've removed the clearance and put of newpage as + they aren't attested in the commit message and don't appear to actually + achieve anything since a new page is only allocated is newpage!=NULL and + any residual new page is cleared before returning.] + +[Testing] +I have tested the fix using following method for 12+ hrs. + +1) mkdir -p /mnt/nfs ; mount -o vers=3,fsc :/export /mnt/nfs +2) create 10000 files of 2.8MB in a NFS mount. +3) start a thread to simulate heavy VM presssure + (while true ; do echo 3 > /proc/sys/vm/drop_caches ; sleep 1 ; done)& +4) start multiple parallel reader for data set at same time + find /mnt/nfs -type f | xargs -P 80 cat > /dev/null & + find /mnt/nfs -type f | xargs -P 80 cat > /dev/null & + find /mnt/nfs -type f | xargs -P 80 cat > /dev/null & + .. + .. + find /mnt/nfs -type f | xargs -P 80 cat > /dev/null & + find /mnt/nfs -type f | xargs -P 80 cat > /dev/null & +5) finally check using cat /proc/fs/fscache/stats | grep -i pages ; + free -h , cat /proc/meminfo and page-types -r -b lru + to ensure all pages are freed. + +Reviewed-by: Daniel Axtens +Signed-off-by: Shantanu Goel +Signed-off-by: Kiran Kumar Modukuri +[dja: forward ported to current upstream] +Signed-off-by: Daniel Axtens +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/cachefiles/rdwr.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/cachefiles/rdwr.c b/fs/cachefiles/rdwr.c +index 199eb396a1bb..54379cf7db7f 100644 +--- a/fs/cachefiles/rdwr.c ++++ b/fs/cachefiles/rdwr.c +@@ -537,7 +537,10 @@ static int cachefiles_read_backing_file(struct cachefiles_object *object, + netpage->index, cachefiles_gfp); + if (ret < 0) { + if (ret == -EEXIST) { ++ put_page(backpage); ++ backpage = NULL; + put_page(netpage); ++ netpage = NULL; + fscache_retrieval_complete(op, 1); + continue; + } +@@ -610,7 +613,10 @@ static int cachefiles_read_backing_file(struct cachefiles_object *object, + netpage->index, cachefiles_gfp); + if (ret < 0) { + if (ret == -EEXIST) { ++ put_page(backpage); ++ backpage = NULL; + put_page(netpage); ++ netpage = NULL; + fscache_retrieval_complete(op, 1); + continue; + } +-- +2.19.1 + diff --git a/queue-4.14/debugobjects-avoid-recursive-calls-with-kmemleak.patch b/queue-4.14/debugobjects-avoid-recursive-calls-with-kmemleak.patch new file mode 100644 index 00000000000..f6c51c3c27c --- /dev/null +++ b/queue-4.14/debugobjects-avoid-recursive-calls-with-kmemleak.patch @@ -0,0 +1,74 @@ +From a96df6ee95d61ad188e2011329519b8ad1caa33c Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Fri, 30 Nov 2018 14:09:48 -0800 +Subject: debugobjects: avoid recursive calls with kmemleak + +[ Upstream commit 8de456cf87ba863e028c4dd01bae44255ce3d835 ] + +CONFIG_DEBUG_OBJECTS_RCU_HEAD does not play well with kmemleak due to +recursive calls. + +fill_pool + kmemleak_ignore + make_black_object + put_object + __call_rcu (kernel/rcu/tree.c) + debug_rcu_head_queue + debug_object_activate + debug_object_init + fill_pool + kmemleak_ignore + make_black_object + ... + +So add SLAB_NOLEAKTRACE to kmem_cache_create() to not register newly +allocated debug objects at all. + +Link: http://lkml.kernel.org/r/20181126165343.2339-1-cai@gmx.us +Signed-off-by: Qian Cai +Suggested-by: Catalin Marinas +Acked-by: Waiman Long +Acked-by: Catalin Marinas +Cc: Thomas Gleixner +Cc: Yang Shi +Cc: Arnd Bergmann +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/debugobjects.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/lib/debugobjects.c b/lib/debugobjects.c +index 99308479b1c8..bacb00a9cd9f 100644 +--- a/lib/debugobjects.c ++++ b/lib/debugobjects.c +@@ -111,7 +111,6 @@ static void fill_pool(void) + if (!new) + return; + +- kmemleak_ignore(new); + raw_spin_lock_irqsave(&pool_lock, flags); + hlist_add_head(&new->node, &obj_pool); + debug_objects_allocated++; +@@ -1085,7 +1084,6 @@ static int __init debug_objects_replace_static_objects(void) + obj = kmem_cache_zalloc(obj_cache, GFP_KERNEL); + if (!obj) + goto free; +- kmemleak_ignore(obj); + hlist_add_head(&obj->node, &objects); + } + +@@ -1141,7 +1139,8 @@ void __init debug_objects_mem_init(void) + + obj_cache = kmem_cache_create("debug_objects_cache", + sizeof (struct debug_obj), 0, +- SLAB_DEBUG_OBJECTS, NULL); ++ SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE, ++ NULL); + + if (!obj_cache || debug_objects_replace_static_objects()) { + debug_objects_enabled = 0; +-- +2.19.1 + diff --git a/queue-4.14/drm-amdgpu-add-delay-after-enable-rlc-ucode.patch b/queue-4.14/drm-amdgpu-add-delay-after-enable-rlc-ucode.patch new file mode 100644 index 00000000000..ab5a6bb19cd --- /dev/null +++ b/queue-4.14/drm-amdgpu-add-delay-after-enable-rlc-ucode.patch @@ -0,0 +1,49 @@ +From 89535560893d136fcc20e05ed21a8f1219187b89 Mon Sep 17 00:00:00 2001 +From: shaoyunl +Date: Thu, 22 Nov 2018 11:45:24 -0500 +Subject: drm/amdgpu: Add delay after enable RLC ucode + +[ Upstream commit ad97d9de45835b6a0f71983b0ae0cffd7306730a ] + +Driver shouldn't try to access any GFX registers until RLC is idle. +During the test, it took 12 seconds for RLC to clear the BUSY bit +in RLC_GPM_STAT register which is un-acceptable for driver. +As per RLC engineer, it would take RLC Ucode less than 10,000 GFXCLK +cycles to finish its critical section. In a lowest 300M enginer clock +setting(default from vbios), 50 us delay is enough. + +This commit fix the hang when RLC introduce the work around for XGMI +which requires more cycles to setup more registers than normal + +Signed-off-by: shaoyunl +Acked-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +index 3981915e2311..b2eecfc9042e 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -1992,12 +1992,13 @@ static void gfx_v9_0_rlc_start(struct amdgpu_device *adev) + #endif + + WREG32_FIELD15(GC, 0, RLC_CNTL, RLC_ENABLE_F32, 1); ++ udelay(50); + + /* carrizo do enable cp interrupt after cp inited */ +- if (!(adev->flags & AMD_IS_APU)) ++ if (!(adev->flags & AMD_IS_APU)) { + gfx_v9_0_enable_gui_idle_interrupt(adev, true); +- +- udelay(50); ++ udelay(50); ++ } + + #ifdef AMDGPU_RLC_DEBUG_RETRY + /* RLC_GPM_GENERAL_6 : RLC Ucode version */ +-- +2.19.1 + diff --git a/queue-4.14/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch b/queue-4.14/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch new file mode 100644 index 00000000000..512d26e3165 --- /dev/null +++ b/queue-4.14/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch @@ -0,0 +1,94 @@ +From bc09d4cede6b2c019b8926af86a3d6f5ca9d0beb Mon Sep 17 00:00:00 2001 +From: "Y.C. Chen" +Date: Thu, 22 Nov 2018 11:56:28 +0800 +Subject: drm/ast: fixed reading monitor EDID not stable issue + +[ Upstream commit 300625620314194d9e6d4f6dda71f2dc9cf62d9f ] + +v1: over-sample data to increase the stability with some specific monitors +v2: refine to avoid infinite loop +v3: remove un-necessary "volatile" declaration + +[airlied: fix two checkpatch warnings] + +Signed-off-by: Y.C. Chen +Signed-off-by: Dave Airlie +Link: https://patchwork.freedesktop.org/patch/msgid/1542858988-1127-1-git-send-email-yc_chen@aspeedtech.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/ast/ast_mode.c | 36 ++++++++++++++++++++++++++++------ + 1 file changed, 30 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/ast/ast_mode.c b/drivers/gpu/drm/ast/ast_mode.c +index fae1176b2472..343867b182dd 100644 +--- a/drivers/gpu/drm/ast/ast_mode.c ++++ b/drivers/gpu/drm/ast/ast_mode.c +@@ -973,9 +973,21 @@ static int get_clock(void *i2c_priv) + { + struct ast_i2c_chan *i2c = i2c_priv; + struct ast_private *ast = i2c->dev->dev_private; +- uint32_t val; ++ uint32_t val, val2, count, pass; ++ ++ count = 0; ++ pass = 0; ++ val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01; ++ do { ++ val2 = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01; ++ if (val == val2) { ++ pass++; ++ } else { ++ pass = 0; ++ val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01; ++ } ++ } while ((pass < 5) && (count++ < 0x10000)); + +- val = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4; + return val & 1 ? 1 : 0; + } + +@@ -983,9 +995,21 @@ static int get_data(void *i2c_priv) + { + struct ast_i2c_chan *i2c = i2c_priv; + struct ast_private *ast = i2c->dev->dev_private; +- uint32_t val; ++ uint32_t val, val2, count, pass; ++ ++ count = 0; ++ pass = 0; ++ val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01; ++ do { ++ val2 = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01; ++ if (val == val2) { ++ pass++; ++ } else { ++ pass = 0; ++ val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01; ++ } ++ } while ((pass < 5) && (count++ < 0x10000)); + +- val = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5; + return val & 1 ? 1 : 0; + } + +@@ -998,7 +1022,7 @@ static void set_clock(void *i2c_priv, int clock) + + for (i = 0; i < 0x10000; i++) { + ujcrb7 = ((clock & 0x01) ? 0 : 1); +- ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xfe, ujcrb7); ++ ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xf4, ujcrb7); + jtemp = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x01); + if (ujcrb7 == jtemp) + break; +@@ -1014,7 +1038,7 @@ static void set_data(void *i2c_priv, int data) + + for (i = 0; i < 0x10000; i++) { + ujcrb7 = ((data & 0x01) ? 0 : 1) << 2; +- ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xfb, ujcrb7); ++ ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xf1, ujcrb7); + jtemp = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x04); + if (ujcrb7 == jtemp) + break; +-- +2.19.1 + diff --git a/queue-4.14/drm-meson-add-support-for-1080p25-mode.patch b/queue-4.14/drm-meson-add-support-for-1080p25-mode.patch new file mode 100644 index 00000000000..b2559c65679 --- /dev/null +++ b/queue-4.14/drm-meson-add-support-for-1080p25-mode.patch @@ -0,0 +1,35 @@ +From e771691b2f9901985c6e284ed55e30b8bc73eaca Mon Sep 17 00:00:00 2001 +From: Christian Hewitt +Date: Wed, 21 Nov 2018 13:39:29 +0400 +Subject: drm/meson: add support for 1080p25 mode + +[ Upstream commit 31e1ab494559fb46de304cc6c2aed1528f94b298 ] + +This essential mode for PAL users is missing, so add it. + +Fixes: 335e3713afb87 ("drm/meson: Add support for HDMI venc modes and settings") +Signed-off-by: Christian Hewitt +Acked-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/1542793169-13008-1-git-send-email-christianshewitt@gmail.com +Signed-off-by: Sean Paul +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_venc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/meson/meson_venc.c b/drivers/gpu/drm/meson/meson_venc.c +index 9509017dbded..d5dfe7045cc6 100644 +--- a/drivers/gpu/drm/meson/meson_venc.c ++++ b/drivers/gpu/drm/meson/meson_venc.c +@@ -714,6 +714,7 @@ struct meson_hdmi_venc_vic_mode { + { 5, &meson_hdmi_encp_mode_1080i60 }, + { 20, &meson_hdmi_encp_mode_1080i50 }, + { 32, &meson_hdmi_encp_mode_1080p24 }, ++ { 33, &meson_hdmi_encp_mode_1080p50 }, + { 34, &meson_hdmi_encp_mode_1080p30 }, + { 31, &meson_hdmi_encp_mode_1080p50 }, + { 16, &meson_hdmi_encp_mode_1080p60 }, +-- +2.19.1 + diff --git a/queue-4.14/exportfs-do-not-read-dentry-after-free.patch b/queue-4.14/exportfs-do-not-read-dentry-after-free.patch new file mode 100644 index 00000000000..3a90332f989 --- /dev/null +++ b/queue-4.14/exportfs-do-not-read-dentry-after-free.patch @@ -0,0 +1,40 @@ +From 17c35afe4d7fcc3868ed6385bf35a13536b2f2f6 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Fri, 23 Nov 2018 15:56:33 +0800 +Subject: exportfs: do not read dentry after free + +[ Upstream commit 2084ac6c505a58f7efdec13eba633c6aaa085ca5 ] + +The function dentry_connected calls dput(dentry) to drop the previously +acquired reference to dentry. In this case, dentry can be released. +After that, IS_ROOT(dentry) checks the condition +(dentry == dentry->d_parent), which may result in a use-after-free bug. +This patch directly compares dentry with its parent obtained before +dropping the reference. + +Fixes: a056cc8934c("exportfs: stop retrying once we race with +rename/remove") + +Signed-off-by: Pan Bian +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/exportfs/expfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/exportfs/expfs.c b/fs/exportfs/expfs.c +index 329a5d103846..c22cc9d2a5c9 100644 +--- a/fs/exportfs/expfs.c ++++ b/fs/exportfs/expfs.c +@@ -77,7 +77,7 @@ static bool dentry_connected(struct dentry *dentry) + struct dentry *parent = dget_parent(dentry); + + dput(dentry); +- if (IS_ROOT(dentry)) { ++ if (dentry == parent) { + dput(parent); + return false; + } +-- +2.19.1 + diff --git a/queue-4.14/fscache-cachefiles-remove-redundant-variable-cache.patch b/queue-4.14/fscache-cachefiles-remove-redundant-variable-cache.patch new file mode 100644 index 00000000000..c0af9a2054a --- /dev/null +++ b/queue-4.14/fscache-cachefiles-remove-redundant-variable-cache.patch @@ -0,0 +1,39 @@ +From 9c4c36c9037ae17f9ae1c444cc9e35e538e4c04b Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Tue, 17 Jul 2018 09:53:42 +0100 +Subject: fscache, cachefiles: remove redundant variable 'cache' + +[ Upstream commit 31ffa563833576bd49a8bf53120568312755e6e2 ] + +Variable 'cache' is being assigned but is never used hence it is +redundant and can be removed. + +Cleans up clang warning: +warning: variable 'cache' set but not used [-Wunused-but-set-variable] + +Signed-off-by: Colin Ian King +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/cachefiles/rdwr.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/fs/cachefiles/rdwr.c b/fs/cachefiles/rdwr.c +index 54379cf7db7f..5e9176ec0d3a 100644 +--- a/fs/cachefiles/rdwr.c ++++ b/fs/cachefiles/rdwr.c +@@ -969,11 +969,8 @@ int cachefiles_write_page(struct fscache_storage *op, struct page *page) + void cachefiles_uncache_page(struct fscache_object *_object, struct page *page) + { + struct cachefiles_object *object; +- struct cachefiles_cache *cache; + + object = container_of(_object, struct cachefiles_object, fscache); +- cache = container_of(object->fscache.cache, +- struct cachefiles_cache, cache); + + _enter("%p,{%lu}", object, page->index); + +-- +2.19.1 + diff --git a/queue-4.14/fscache-fix-race-between-enablement-and-dropping-of-.patch b/queue-4.14/fscache-fix-race-between-enablement-and-dropping-of-.patch new file mode 100644 index 00000000000..e6d0681d4af --- /dev/null +++ b/queue-4.14/fscache-fix-race-between-enablement-and-dropping-of-.patch @@ -0,0 +1,74 @@ +From a508bde0aeff01e61975067e4059e3d4536c9797 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Fri, 26 Oct 2018 17:16:29 +1100 +Subject: fscache: fix race between enablement and dropping of object + +[ Upstream commit c5a94f434c82529afda290df3235e4d85873c5b4 ] + +It was observed that a process blocked indefintely in +__fscache_read_or_alloc_page(), waiting for FSCACHE_COOKIE_LOOKING_UP +to be cleared via fscache_wait_for_deferred_lookup(). + +At this time, ->backing_objects was empty, which would normaly prevent +__fscache_read_or_alloc_page() from getting to the point of waiting. +This implies that ->backing_objects was cleared *after* +__fscache_read_or_alloc_page was was entered. + +When an object is "killed" and then "dropped", +FSCACHE_COOKIE_LOOKING_UP is cleared in fscache_lookup_failure(), then +KILL_OBJECT and DROP_OBJECT are "called" and only in DROP_OBJECT is +->backing_objects cleared. This leaves a window where +something else can set FSCACHE_COOKIE_LOOKING_UP and +__fscache_read_or_alloc_page() can start waiting, before +->backing_objects is cleared + +There is some uncertainty in this analysis, but it seems to be fit the +observations. Adding the wake in this patch will be handled correctly +by __fscache_read_or_alloc_page(), as it checks if ->backing_objects +is empty again, after waiting. + +Customer which reported the hang, also report that the hang cannot be +reproduced with this fix. + +The backtrace for the blocked process looked like: + +PID: 29360 TASK: ffff881ff2ac0f80 CPU: 3 COMMAND: "zsh" + #0 [ffff881ff43efbf8] schedule at ffffffff815e56f1 + #1 [ffff881ff43efc58] bit_wait at ffffffff815e64ed + #2 [ffff881ff43efc68] __wait_on_bit at ffffffff815e61b8 + #3 [ffff881ff43efca0] out_of_line_wait_on_bit at ffffffff815e625e + #4 [ffff881ff43efd08] fscache_wait_for_deferred_lookup at ffffffffa04f2e8f [fscache] + #5 [ffff881ff43efd18] __fscache_read_or_alloc_page at ffffffffa04f2ffe [fscache] + #6 [ffff881ff43efd58] __nfs_readpage_from_fscache at ffffffffa0679668 [nfs] + #7 [ffff881ff43efd78] nfs_readpage at ffffffffa067092b [nfs] + #8 [ffff881ff43efda0] generic_file_read_iter at ffffffff81187a73 + #9 [ffff881ff43efe50] nfs_file_read at ffffffffa066544b [nfs] +#10 [ffff881ff43efe70] __vfs_read at ffffffff811fc756 +#11 [ffff881ff43efee8] vfs_read at ffffffff811fccfa +#12 [ffff881ff43eff18] sys_read at ffffffff811fda62 +#13 [ffff881ff43eff50] entry_SYSCALL_64_fastpath at ffffffff815e986e + +Signed-off-by: NeilBrown +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/fscache/object.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/fscache/object.c b/fs/fscache/object.c +index 7a182c87f378..ab1d7f35f6c2 100644 +--- a/fs/fscache/object.c ++++ b/fs/fscache/object.c +@@ -715,6 +715,9 @@ static const struct fscache_state *fscache_drop_object(struct fscache_object *ob + + if (awaken) + wake_up_bit(&cookie->flags, FSCACHE_COOKIE_INVALIDATING); ++ if (test_and_clear_bit(FSCACHE_COOKIE_LOOKING_UP, &cookie->flags)) ++ wake_up_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP); ++ + + /* Prevent a race with our last child, which has to signal EV_CLEARED + * before dropping our spinlock. +-- +2.19.1 + diff --git a/queue-4.14/hfs-do-not-free-node-before-using.patch b/queue-4.14/hfs-do-not-free-node-before-using.patch new file mode 100644 index 00000000000..796460c77ec --- /dev/null +++ b/queue-4.14/hfs-do-not-free-node-before-using.patch @@ -0,0 +1,49 @@ +From 97edf96720f25835c61e0d9c993b7f2a76c421c2 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Fri, 30 Nov 2018 14:09:14 -0800 +Subject: hfs: do not free node before using + +[ Upstream commit ce96a407adef126870b3f4a1b73529dd8aa80f49 ] + +hfs_bmap_free() frees the node via hfs_bnode_put(node). However, it +then reads node->this when dumping error message on an error path, which +may result in a use-after-free bug. This patch frees the node only when +it is never again used. + +Link: http://lkml.kernel.org/r/1542963889-128825-1-git-send-email-bianpan2016@163.com +Fixes: a1185ffa2fc ("HFS rewrite") +Signed-off-by: Pan Bian +Reviewed-by: Andrew Morton +Cc: Joe Perches +Cc: Ernesto A. Fernandez +Cc: Viacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/hfs/btree.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c +index 374b5688e29e..9bdff5e40626 100644 +--- a/fs/hfs/btree.c ++++ b/fs/hfs/btree.c +@@ -329,13 +329,14 @@ void hfs_bmap_free(struct hfs_bnode *node) + + nidx -= len * 8; + i = node->next; +- hfs_bnode_put(node); + if (!i) { + /* panic */; + pr_crit("unable to free bnode %u. bmap not found!\n", + node->this); ++ hfs_bnode_put(node); + return; + } ++ hfs_bnode_put(node); + node = hfs_bnode_find(tree, i); + if (IS_ERR(node)) + return; +-- +2.19.1 + diff --git a/queue-4.14/hfsplus-do-not-free-node-before-using.patch b/queue-4.14/hfsplus-do-not-free-node-before-using.patch new file mode 100644 index 00000000000..887b5e53ded --- /dev/null +++ b/queue-4.14/hfsplus-do-not-free-node-before-using.patch @@ -0,0 +1,49 @@ +From f822f319656ac3f7510fd462843916fe3f584428 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Fri, 30 Nov 2018 14:09:18 -0800 +Subject: hfsplus: do not free node before using + +[ Upstream commit c7d7d620dcbd2a1c595092280ca943f2fced7bbd ] + +hfs_bmap_free() frees node via hfs_bnode_put(node). However it then +reads node->this when dumping error message on an error path, which may +result in a use-after-free bug. This patch frees node only when it is +never used. + +Link: http://lkml.kernel.org/r/1543053441-66942-1-git-send-email-bianpan2016@163.com +Signed-off-by: Pan Bian +Reviewed-by: Andrew Morton +Cc: Ernesto A. Fernandez +Cc: Joe Perches +Cc: Viacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/hfsplus/btree.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c +index de14b2b6881b..3de3bc4918b5 100644 +--- a/fs/hfsplus/btree.c ++++ b/fs/hfsplus/btree.c +@@ -454,14 +454,15 @@ void hfs_bmap_free(struct hfs_bnode *node) + + nidx -= len * 8; + i = node->next; +- hfs_bnode_put(node); + if (!i) { + /* panic */; + pr_crit("unable to free bnode %u. " + "bmap not found!\n", + node->this); ++ hfs_bnode_put(node); + return; + } ++ hfs_bnode_put(node); + node = hfs_bnode_find(tree, i); + if (IS_ERR(node)) + return; +-- +2.19.1 + diff --git a/queue-4.14/hwmon-ina2xx-fix-current-value-calculation.patch b/queue-4.14/hwmon-ina2xx-fix-current-value-calculation.patch new file mode 100644 index 00000000000..52d16bd47c9 --- /dev/null +++ b/queue-4.14/hwmon-ina2xx-fix-current-value-calculation.patch @@ -0,0 +1,39 @@ +From aaf5820611f69e49b54a9572cfe9d44dde843487 Mon Sep 17 00:00:00 2001 +From: Nicolin Chen +Date: Tue, 13 Nov 2018 19:48:54 -0800 +Subject: hwmon: (ina2xx) Fix current value calculation + +[ Upstream commit 38cd989ee38c16388cde89db5b734f9d55b905f9 ] + +The current register (04h) has a sign bit at MSB. The comments +for this calculation also mention that it's a signed register. + +However, the regval is unsigned type so result of calculation +turns out to be an incorrect value when current is negative. + +This patch simply fixes this by adding a casting to s16. + +Fixes: 5d389b125186c ("hwmon: (ina2xx) Make calibration register value fixed") +Signed-off-by: Nicolin Chen +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ina2xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/ina2xx.c b/drivers/hwmon/ina2xx.c +index c2252cf452f5..07ee19573b3f 100644 +--- a/drivers/hwmon/ina2xx.c ++++ b/drivers/hwmon/ina2xx.c +@@ -274,7 +274,7 @@ static int ina2xx_get_value(struct ina2xx_data *data, u8 reg, + break; + case INA2XX_CURRENT: + /* signed register, result in mA */ +- val = regval * data->current_lsb_uA; ++ val = (s16)regval * data->current_lsb_uA; + val = DIV_ROUND_CLOSEST(val, 1000); + break; + case INA2XX_CALIBRATION: +-- +2.19.1 + diff --git a/queue-4.14/hwmon-ina2xx-fix-null-id-pointer-in-probe.patch b/queue-4.14/hwmon-ina2xx-fix-null-id-pointer-in-probe.patch new file mode 100644 index 00000000000..55c295b3067 --- /dev/null +++ b/queue-4.14/hwmon-ina2xx-fix-null-id-pointer-in-probe.patch @@ -0,0 +1,68 @@ +From ddf874b9aaab17b8b1c89668babbc8fcae1179dc Mon Sep 17 00:00:00 2001 +From: Nicolin Chen +Date: Fri, 9 Nov 2018 16:42:14 -0800 +Subject: hwmon (ina2xx) Fix NULL id pointer in probe() + +[ Upstream commit 70df9ebbd82c794ddfbb49d45b337f18d5588dc2 ] + +When using DT configurations, the id pointer might turn out to +be NULL. Then the driver encounters NULL pointer access: + + Unable to handle kernel read from unreadable memory at vaddr 00000018 + [...] + PC is at ina2xx_probe+0x114/0x200 + LR is at ina2xx_probe+0x10c/0x200 + [...] + Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b + +The reason is that i2c core returns the id pointer by matching +id_table with client->name, while the client->name is actually +using the name from the first string in the DT compatible list, +not the best one. So i2c core would fail to match the id_table +if the best matched compatible string isn't the first one, and +then would return a NULL id pointer. + +This probably should be fixed in i2c core. But it doesn't hurt +to make the driver robust. So this patch fixes it by using the +"chip" that's added to unify both DT and non-DT configurations. + +Additionally, since id pointer could be null, so as id->name: + ina2xx 10-0047: power monitor (null) (Rshunt = 1000 uOhm) + ina2xx 10-0048: power monitor (null) (Rshunt = 10000 uOhm) + +So this patch also fixes NULL name pointer, using client->name +to play safe and to align with hwmon->name. + +Fixes: bd0ddd4d0883 ("hwmon: (ina2xx) Add OF device ID table") +Signed-off-by: Nicolin Chen +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ina2xx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/ina2xx.c b/drivers/hwmon/ina2xx.c +index 71d3445ba869..c2252cf452f5 100644 +--- a/drivers/hwmon/ina2xx.c ++++ b/drivers/hwmon/ina2xx.c +@@ -491,7 +491,7 @@ static int ina2xx_probe(struct i2c_client *client, + } + + data->groups[group++] = &ina2xx_group; +- if (id->driver_data == ina226) ++ if (chip == ina226) + data->groups[group++] = &ina226_group; + + hwmon_dev = devm_hwmon_device_register_with_groups(dev, client->name, +@@ -500,7 +500,7 @@ static int ina2xx_probe(struct i2c_client *client, + return PTR_ERR(hwmon_dev); + + dev_info(dev, "power monitor %s (Rshunt = %li uOhm)\n", +- id->name, data->rshunt); ++ client->name, data->rshunt); + + return 0; + } +-- +2.19.1 + diff --git a/queue-4.14/hwmon-w83795-temp4_type-has-writable-permission.patch b/queue-4.14/hwmon-w83795-temp4_type-has-writable-permission.patch new file mode 100644 index 00000000000..eeb3668ff48 --- /dev/null +++ b/queue-4.14/hwmon-w83795-temp4_type-has-writable-permission.patch @@ -0,0 +1,35 @@ +From 800452b6f93b7f5e6bab328c62a29f38b0e8ec77 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Thu, 15 Nov 2018 10:44:57 +0800 +Subject: hwmon: (w83795) temp4_type has writable permission + +[ Upstream commit 09aaf6813cfca4c18034fda7a43e68763f34abb1 ] + +Both datasheet and comments of store_temp_mode() tell us that temp1~4_type +is writable, so fix it. + +Signed-off-by: Yao Wang +Signed-off-by: Huacai Chen +Fixes: 39deb6993e7c (" hwmon: (w83795) Simplify temperature sensor type handling") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/w83795.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/w83795.c b/drivers/hwmon/w83795.c +index 49276bbdac3d..1bb80f992aa8 100644 +--- a/drivers/hwmon/w83795.c ++++ b/drivers/hwmon/w83795.c +@@ -1691,7 +1691,7 @@ store_sf_setup(struct device *dev, struct device_attribute *attr, + * somewhere else in the code + */ + #define SENSOR_ATTR_TEMP(index) { \ +- SENSOR_ATTR_2(temp##index##_type, S_IRUGO | (index < 4 ? S_IWUSR : 0), \ ++ SENSOR_ATTR_2(temp##index##_type, S_IRUGO | (index < 5 ? S_IWUSR : 0), \ + show_temp_mode, store_temp_mode, NOT_USED, index - 1), \ + SENSOR_ATTR_2(temp##index##_input, S_IRUGO, show_temp, \ + NULL, TEMP_READ, index - 1), \ +-- +2.19.1 + diff --git a/queue-4.14/ib-mlx5-fix-page-fault-handling-for-mw.patch b/queue-4.14/ib-mlx5-fix-page-fault-handling-for-mw.patch new file mode 100644 index 00000000000..ce33aa521bb --- /dev/null +++ b/queue-4.14/ib-mlx5-fix-page-fault-handling-for-mw.patch @@ -0,0 +1,40 @@ +From d132a6974b339d61bbeb230ab31325497694a69b Mon Sep 17 00:00:00 2001 +From: Artemy Kovalyov +Date: Sun, 25 Nov 2018 20:34:26 +0200 +Subject: IB/mlx5: Fix page fault handling for MW + +[ Upstream commit 75b7b86bdb0df37e08e44b6c1f99010967f81944 ] + +Memory windows are implemented with an indirect MKey, when a page fault +event comes for a MW Mkey we need to find the MR at the end of the list of +the indirect MKeys by iterating on all items from the first to the last. + +The offset calculated during this process has to be zeroed after the first +iteration or the next iteration will start from a wrong address, resulting +incorrect ODP faulting behavior. + +Fixes: db570d7deafb ("IB/mlx5: Add ODP support to MW") +Signed-off-by: Artemy Kovalyov +Signed-off-by: Moni Shoua +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/odp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/mlx5/odp.c b/drivers/infiniband/hw/mlx5/odp.c +index 3d701c7a4c91..1ed94b6c0b0a 100644 +--- a/drivers/infiniband/hw/mlx5/odp.c ++++ b/drivers/infiniband/hw/mlx5/odp.c +@@ -723,6 +723,7 @@ static int pagefault_single_data_segment(struct mlx5_ib_dev *dev, + head = frame; + + bcnt -= frame->bcnt; ++ offset = 0; + } + break; + +-- +2.19.1 + diff --git a/queue-4.14/igb-fix-uninitialized-variables.patch b/queue-4.14/igb-fix-uninitialized-variables.patch new file mode 100644 index 00000000000..6282f36f323 --- /dev/null +++ b/queue-4.14/igb-fix-uninitialized-variables.patch @@ -0,0 +1,32 @@ +From 5f7288d2f14c23c4ad321355bd0c0878b5d77122 Mon Sep 17 00:00:00 2001 +From: Yunjian Wang +Date: Tue, 6 Nov 2018 16:27:12 +0800 +Subject: igb: fix uninitialized variables + +[ Upstream commit e4c39f7926b4de355f7df75651d75003806aae09 ] + +This patch fixes the variable 'phy_word' may be used uninitialized. + +Signed-off-by: Yunjian Wang +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/e1000_i210.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/igb/e1000_i210.c b/drivers/net/ethernet/intel/igb/e1000_i210.c +index 07d48f2e3369..6766081f5ab9 100644 +--- a/drivers/net/ethernet/intel/igb/e1000_i210.c ++++ b/drivers/net/ethernet/intel/igb/e1000_i210.c +@@ -862,6 +862,7 @@ s32 igb_pll_workaround_i210(struct e1000_hw *hw) + nvm_word = E1000_INVM_DEFAULT_AL; + tmp_nvm = nvm_word | E1000_INVM_PLL_WO_VAL; + igb_write_phy_reg_82580(hw, I347AT4_PAGE_SELECT, E1000_PHY_PLL_FREQ_PAGE); ++ phy_word = E1000_PHY_PLL_UNCONF; + for (i = 0; i < E1000_MAX_PLL_TRIES; i++) { + /* check current state directly from internal PHY */ + igb_read_phy_reg_82580(hw, E1000_PHY_PLL_FREQ_REG, &phy_word); +-- +2.19.1 + diff --git a/queue-4.14/iio-hid-sensors-fix-iio_chan_info_raw-returning-wron.patch b/queue-4.14/iio-hid-sensors-fix-iio_chan_info_raw-returning-wron.patch new file mode 100644 index 00000000000..60cb2559d1f --- /dev/null +++ b/queue-4.14/iio-hid-sensors-fix-iio_chan_info_raw-returning-wron.patch @@ -0,0 +1,370 @@ +From 111a2fdbf77a48c77fe355f0aa7c90039b20f3d3 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 31 Oct 2018 15:20:05 +0100 +Subject: iio/hid-sensors: Fix IIO_CHAN_INFO_RAW returning wrong values for + signed numbers + +[ Upstream commit 0145b50566e7de5637e80ecba96c7f0e6fff1aad ] + +Before this commit sensor_hub_input_attr_get_raw_value() failed to take +the signedness of 16 and 8 bit values into account, returning e.g. +65436 instead of -100 for the z-axis reading of an accelerometer. + +This commit adds a new is_signed parameter to the function and makes all +callers pass the appropriate value for this. + +While at it, this commit also fixes up some neighboring lines where +statements were needlessly split over 2 lines to improve readability. + +Signed-off-by: Hans de Goede +Acked-by: Srinivas Pandruvada +Acked-by: Benjamin Tissoires +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-sensor-custom.c | 2 +- + drivers/hid/hid-sensor-hub.c | 13 ++++++++++--- + drivers/iio/accel/hid-sensor-accel-3d.c | 5 ++++- + drivers/iio/gyro/hid-sensor-gyro-3d.c | 5 ++++- + drivers/iio/humidity/hid-sensor-humidity.c | 3 ++- + drivers/iio/light/hid-sensor-als.c | 8 +++++--- + drivers/iio/light/hid-sensor-prox.c | 8 +++++--- + drivers/iio/magnetometer/hid-sensor-magn-3d.c | 8 +++++--- + drivers/iio/orientation/hid-sensor-incl-3d.c | 8 +++++--- + drivers/iio/pressure/hid-sensor-press.c | 8 +++++--- + drivers/iio/temperature/hid-sensor-temperature.c | 3 ++- + drivers/rtc/rtc-hid-sensor-time.c | 2 +- + include/linux/hid-sensor-hub.h | 4 +++- + 13 files changed, 52 insertions(+), 25 deletions(-) + +diff --git a/drivers/hid/hid-sensor-custom.c b/drivers/hid/hid-sensor-custom.c +index 0bcf041368c7..574126b649e9 100644 +--- a/drivers/hid/hid-sensor-custom.c ++++ b/drivers/hid/hid-sensor-custom.c +@@ -358,7 +358,7 @@ static ssize_t show_value(struct device *dev, struct device_attribute *attr, + sensor_inst->hsdev, + sensor_inst->hsdev->usage, + usage, report_id, +- SENSOR_HUB_SYNC); ++ SENSOR_HUB_SYNC, false); + } else if (!strncmp(name, "units", strlen("units"))) + value = sensor_inst->fields[field_index].attribute.units; + else if (!strncmp(name, "unit-expo", strlen("unit-expo"))) +diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c +index faba542d1b07..b5bd5cb7d532 100644 +--- a/drivers/hid/hid-sensor-hub.c ++++ b/drivers/hid/hid-sensor-hub.c +@@ -299,7 +299,8 @@ EXPORT_SYMBOL_GPL(sensor_hub_get_feature); + int sensor_hub_input_attr_get_raw_value(struct hid_sensor_hub_device *hsdev, + u32 usage_id, + u32 attr_usage_id, u32 report_id, +- enum sensor_hub_read_flags flag) ++ enum sensor_hub_read_flags flag, ++ bool is_signed) + { + struct sensor_hub_data *data = hid_get_drvdata(hsdev->hdev); + unsigned long flags; +@@ -331,10 +332,16 @@ int sensor_hub_input_attr_get_raw_value(struct hid_sensor_hub_device *hsdev, + &hsdev->pending.ready, HZ*5); + switch (hsdev->pending.raw_size) { + case 1: +- ret_val = *(u8 *)hsdev->pending.raw_data; ++ if (is_signed) ++ ret_val = *(s8 *)hsdev->pending.raw_data; ++ else ++ ret_val = *(u8 *)hsdev->pending.raw_data; + break; + case 2: +- ret_val = *(u16 *)hsdev->pending.raw_data; ++ if (is_signed) ++ ret_val = *(s16 *)hsdev->pending.raw_data; ++ else ++ ret_val = *(u16 *)hsdev->pending.raw_data; + break; + case 4: + ret_val = *(u32 *)hsdev->pending.raw_data; +diff --git a/drivers/iio/accel/hid-sensor-accel-3d.c b/drivers/iio/accel/hid-sensor-accel-3d.c +index 2238a26aba63..f573d9c61fc3 100644 +--- a/drivers/iio/accel/hid-sensor-accel-3d.c ++++ b/drivers/iio/accel/hid-sensor-accel-3d.c +@@ -149,6 +149,7 @@ static int accel_3d_read_raw(struct iio_dev *indio_dev, + int report_id = -1; + u32 address; + int ret_type; ++ s32 min; + struct hid_sensor_hub_device *hsdev = + accel_state->common_attributes.hsdev; + +@@ -158,12 +159,14 @@ static int accel_3d_read_raw(struct iio_dev *indio_dev, + case 0: + hid_sensor_power_state(&accel_state->common_attributes, true); + report_id = accel_state->accel[chan->scan_index].report_id; ++ min = accel_state->accel[chan->scan_index].logical_minimum; + address = accel_3d_addresses[chan->scan_index]; + if (report_id >= 0) + *val = sensor_hub_input_attr_get_raw_value( + accel_state->common_attributes.hsdev, + hsdev->usage, address, report_id, +- SENSOR_HUB_SYNC); ++ SENSOR_HUB_SYNC, ++ min < 0); + else { + *val = 0; + hid_sensor_power_state(&accel_state->common_attributes, +diff --git a/drivers/iio/gyro/hid-sensor-gyro-3d.c b/drivers/iio/gyro/hid-sensor-gyro-3d.c +index c67ce2ac4715..d9192eb41131 100644 +--- a/drivers/iio/gyro/hid-sensor-gyro-3d.c ++++ b/drivers/iio/gyro/hid-sensor-gyro-3d.c +@@ -111,6 +111,7 @@ static int gyro_3d_read_raw(struct iio_dev *indio_dev, + int report_id = -1; + u32 address; + int ret_type; ++ s32 min; + + *val = 0; + *val2 = 0; +@@ -118,13 +119,15 @@ static int gyro_3d_read_raw(struct iio_dev *indio_dev, + case 0: + hid_sensor_power_state(&gyro_state->common_attributes, true); + report_id = gyro_state->gyro[chan->scan_index].report_id; ++ min = gyro_state->gyro[chan->scan_index].logical_minimum; + address = gyro_3d_addresses[chan->scan_index]; + if (report_id >= 0) + *val = sensor_hub_input_attr_get_raw_value( + gyro_state->common_attributes.hsdev, + HID_USAGE_SENSOR_GYRO_3D, address, + report_id, +- SENSOR_HUB_SYNC); ++ SENSOR_HUB_SYNC, ++ min < 0); + else { + *val = 0; + hid_sensor_power_state(&gyro_state->common_attributes, +diff --git a/drivers/iio/humidity/hid-sensor-humidity.c b/drivers/iio/humidity/hid-sensor-humidity.c +index 6e09c1acfe51..e53914d51ec3 100644 +--- a/drivers/iio/humidity/hid-sensor-humidity.c ++++ b/drivers/iio/humidity/hid-sensor-humidity.c +@@ -75,7 +75,8 @@ static int humidity_read_raw(struct iio_dev *indio_dev, + HID_USAGE_SENSOR_HUMIDITY, + HID_USAGE_SENSOR_ATMOSPHERIC_HUMIDITY, + humid_st->humidity_attr.report_id, +- SENSOR_HUB_SYNC); ++ SENSOR_HUB_SYNC, ++ humid_st->humidity_attr.logical_minimum < 0); + hid_sensor_power_state(&humid_st->common_attributes, false); + + return IIO_VAL_INT; +diff --git a/drivers/iio/light/hid-sensor-als.c b/drivers/iio/light/hid-sensor-als.c +index 059d964772c7..95ca86f50434 100644 +--- a/drivers/iio/light/hid-sensor-als.c ++++ b/drivers/iio/light/hid-sensor-als.c +@@ -93,6 +93,7 @@ static int als_read_raw(struct iio_dev *indio_dev, + int report_id = -1; + u32 address; + int ret_type; ++ s32 min; + + *val = 0; + *val2 = 0; +@@ -102,8 +103,8 @@ static int als_read_raw(struct iio_dev *indio_dev, + case CHANNEL_SCAN_INDEX_INTENSITY: + case CHANNEL_SCAN_INDEX_ILLUM: + report_id = als_state->als_illum.report_id; +- address = +- HID_USAGE_SENSOR_LIGHT_ILLUM; ++ min = als_state->als_illum.logical_minimum; ++ address = HID_USAGE_SENSOR_LIGHT_ILLUM; + break; + default: + report_id = -1; +@@ -116,7 +117,8 @@ static int als_read_raw(struct iio_dev *indio_dev, + als_state->common_attributes.hsdev, + HID_USAGE_SENSOR_ALS, address, + report_id, +- SENSOR_HUB_SYNC); ++ SENSOR_HUB_SYNC, ++ min < 0); + hid_sensor_power_state(&als_state->common_attributes, + false); + } else { +diff --git a/drivers/iio/light/hid-sensor-prox.c b/drivers/iio/light/hid-sensor-prox.c +index 73fced8a63b7..8c017abc4ee2 100644 +--- a/drivers/iio/light/hid-sensor-prox.c ++++ b/drivers/iio/light/hid-sensor-prox.c +@@ -73,6 +73,7 @@ static int prox_read_raw(struct iio_dev *indio_dev, + int report_id = -1; + u32 address; + int ret_type; ++ s32 min; + + *val = 0; + *val2 = 0; +@@ -81,8 +82,8 @@ static int prox_read_raw(struct iio_dev *indio_dev, + switch (chan->scan_index) { + case CHANNEL_SCAN_INDEX_PRESENCE: + report_id = prox_state->prox_attr.report_id; +- address = +- HID_USAGE_SENSOR_HUMAN_PRESENCE; ++ min = prox_state->prox_attr.logical_minimum; ++ address = HID_USAGE_SENSOR_HUMAN_PRESENCE; + break; + default: + report_id = -1; +@@ -95,7 +96,8 @@ static int prox_read_raw(struct iio_dev *indio_dev, + prox_state->common_attributes.hsdev, + HID_USAGE_SENSOR_PROX, address, + report_id, +- SENSOR_HUB_SYNC); ++ SENSOR_HUB_SYNC, ++ min < 0); + hid_sensor_power_state(&prox_state->common_attributes, + false); + } else { +diff --git a/drivers/iio/magnetometer/hid-sensor-magn-3d.c b/drivers/iio/magnetometer/hid-sensor-magn-3d.c +index 0e791b02ed4a..b495107bd173 100644 +--- a/drivers/iio/magnetometer/hid-sensor-magn-3d.c ++++ b/drivers/iio/magnetometer/hid-sensor-magn-3d.c +@@ -163,21 +163,23 @@ static int magn_3d_read_raw(struct iio_dev *indio_dev, + int report_id = -1; + u32 address; + int ret_type; ++ s32 min; + + *val = 0; + *val2 = 0; + switch (mask) { + case 0: + hid_sensor_power_state(&magn_state->magn_flux_attributes, true); +- report_id = +- magn_state->magn[chan->address].report_id; ++ report_id = magn_state->magn[chan->address].report_id; ++ min = magn_state->magn[chan->address].logical_minimum; + address = magn_3d_addresses[chan->address]; + if (report_id >= 0) + *val = sensor_hub_input_attr_get_raw_value( + magn_state->magn_flux_attributes.hsdev, + HID_USAGE_SENSOR_COMPASS_3D, address, + report_id, +- SENSOR_HUB_SYNC); ++ SENSOR_HUB_SYNC, ++ min < 0); + else { + *val = 0; + hid_sensor_power_state( +diff --git a/drivers/iio/orientation/hid-sensor-incl-3d.c b/drivers/iio/orientation/hid-sensor-incl-3d.c +index fd1b3696ee42..16c744bef021 100644 +--- a/drivers/iio/orientation/hid-sensor-incl-3d.c ++++ b/drivers/iio/orientation/hid-sensor-incl-3d.c +@@ -111,21 +111,23 @@ static int incl_3d_read_raw(struct iio_dev *indio_dev, + int report_id = -1; + u32 address; + int ret_type; ++ s32 min; + + *val = 0; + *val2 = 0; + switch (mask) { + case IIO_CHAN_INFO_RAW: + hid_sensor_power_state(&incl_state->common_attributes, true); +- report_id = +- incl_state->incl[chan->scan_index].report_id; ++ report_id = incl_state->incl[chan->scan_index].report_id; ++ min = incl_state->incl[chan->scan_index].logical_minimum; + address = incl_3d_addresses[chan->scan_index]; + if (report_id >= 0) + *val = sensor_hub_input_attr_get_raw_value( + incl_state->common_attributes.hsdev, + HID_USAGE_SENSOR_INCLINOMETER_3D, address, + report_id, +- SENSOR_HUB_SYNC); ++ SENSOR_HUB_SYNC, ++ min < 0); + else { + hid_sensor_power_state(&incl_state->common_attributes, + false); +diff --git a/drivers/iio/pressure/hid-sensor-press.c b/drivers/iio/pressure/hid-sensor-press.c +index 6848d8c80eff..1c49ef78f888 100644 +--- a/drivers/iio/pressure/hid-sensor-press.c ++++ b/drivers/iio/pressure/hid-sensor-press.c +@@ -77,6 +77,7 @@ static int press_read_raw(struct iio_dev *indio_dev, + int report_id = -1; + u32 address; + int ret_type; ++ s32 min; + + *val = 0; + *val2 = 0; +@@ -85,8 +86,8 @@ static int press_read_raw(struct iio_dev *indio_dev, + switch (chan->scan_index) { + case CHANNEL_SCAN_INDEX_PRESSURE: + report_id = press_state->press_attr.report_id; +- address = +- HID_USAGE_SENSOR_ATMOSPHERIC_PRESSURE; ++ min = press_state->press_attr.logical_minimum; ++ address = HID_USAGE_SENSOR_ATMOSPHERIC_PRESSURE; + break; + default: + report_id = -1; +@@ -99,7 +100,8 @@ static int press_read_raw(struct iio_dev *indio_dev, + press_state->common_attributes.hsdev, + HID_USAGE_SENSOR_PRESSURE, address, + report_id, +- SENSOR_HUB_SYNC); ++ SENSOR_HUB_SYNC, ++ min < 0); + hid_sensor_power_state(&press_state->common_attributes, + false); + } else { +diff --git a/drivers/iio/temperature/hid-sensor-temperature.c b/drivers/iio/temperature/hid-sensor-temperature.c +index c01efeca4002..6ed5cd5742f1 100644 +--- a/drivers/iio/temperature/hid-sensor-temperature.c ++++ b/drivers/iio/temperature/hid-sensor-temperature.c +@@ -76,7 +76,8 @@ static int temperature_read_raw(struct iio_dev *indio_dev, + HID_USAGE_SENSOR_TEMPERATURE, + HID_USAGE_SENSOR_DATA_ENVIRONMENTAL_TEMPERATURE, + temp_st->temperature_attr.report_id, +- SENSOR_HUB_SYNC); ++ SENSOR_HUB_SYNC, ++ temp_st->temperature_attr.logical_minimum < 0); + hid_sensor_power_state( + &temp_st->common_attributes, + false); +diff --git a/drivers/rtc/rtc-hid-sensor-time.c b/drivers/rtc/rtc-hid-sensor-time.c +index 2751dba850c6..3e1abb455472 100644 +--- a/drivers/rtc/rtc-hid-sensor-time.c ++++ b/drivers/rtc/rtc-hid-sensor-time.c +@@ -213,7 +213,7 @@ static int hid_rtc_read_time(struct device *dev, struct rtc_time *tm) + /* get a report with all values through requesting one value */ + sensor_hub_input_attr_get_raw_value(time_state->common_attributes.hsdev, + HID_USAGE_SENSOR_TIME, hid_time_addresses[0], +- time_state->info[0].report_id, SENSOR_HUB_SYNC); ++ time_state->info[0].report_id, SENSOR_HUB_SYNC, false); + /* wait for all values (event) */ + ret = wait_for_completion_killable_timeout( + &time_state->comp_last_time, HZ*6); +diff --git a/include/linux/hid-sensor-hub.h b/include/linux/hid-sensor-hub.h +index fc7aae64dcde..000de6da3b1b 100644 +--- a/include/linux/hid-sensor-hub.h ++++ b/include/linux/hid-sensor-hub.h +@@ -177,6 +177,7 @@ int sensor_hub_input_get_attribute_info(struct hid_sensor_hub_device *hsdev, + * @attr_usage_id: Attribute usage id as per spec + * @report_id: Report id to look for + * @flag: Synchronous or asynchronous read ++* @is_signed: If true then fields < 32 bits will be sign-extended + * + * Issues a synchronous or asynchronous read request for an input attribute. + * Returns data upto 32 bits. +@@ -190,7 +191,8 @@ enum sensor_hub_read_flags { + int sensor_hub_input_attr_get_raw_value(struct hid_sensor_hub_device *hsdev, + u32 usage_id, + u32 attr_usage_id, u32 report_id, +- enum sensor_hub_read_flags flag ++ enum sensor_hub_read_flags flag, ++ bool is_signed + ); + + /** +-- +2.19.1 + diff --git a/queue-4.14/ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch b/queue-4.14/ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch new file mode 100644 index 00000000000..8e72f9288c7 --- /dev/null +++ b/queue-4.14/ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch @@ -0,0 +1,57 @@ +From 64915495dd2177f03d2ff2bc658ec14bddfc8010 Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Thu, 15 Nov 2018 15:14:30 +0800 +Subject: ipvs: call ip_vs_dst_notifier earlier than ipv6_dev_notf + +[ Upstream commit 2a31e4bd9ad255ee40809b5c798c4b1c2b09703b ] + +ip_vs_dst_event is supposed to clean up all dst used in ipvs' +destinations when a net dev is going down. But it works only +when the dst's dev is the same as the dev from the event. + +Now with the same priority but late registration, +ip_vs_dst_notifier is always called later than ipv6_dev_notf +where the dst's dev is set to lo for NETDEV_DOWN event. + +As the dst's dev lo is not the same as the dev from the event +in ip_vs_dst_event, ip_vs_dst_notifier doesn't actually work. +Also as these dst have to wait for dest_trash_timer to clean +them up. It would cause some non-permanent kernel warnings: + + unregister_netdevice: waiting for br0 to become free. Usage count = 3 + +To fix it, call ip_vs_dst_notifier earlier than ipv6_dev_notf +by increasing its priority to ADDRCONF_NOTIFY_PRIORITY + 5. + +Note that for ipv4 route fib_netdev_notifier doesn't set dst's +dev to lo in NETDEV_DOWN event, so this fix is only needed when +IP_VS_IPV6 is defined. + +Fixes: 7a4f0761fce3 ("IPVS: init and cleanup restructuring") +Reported-by: Li Shuang +Signed-off-by: Xin Long +Acked-by: Julian Anastasov +Acked-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_ctl.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 327ebe786eeb..2f45c3ce77ef 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -4012,6 +4012,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct netns_ipvs *ipvs) + + static struct notifier_block ip_vs_dst_notifier = { + .notifier_call = ip_vs_dst_event, ++#ifdef CONFIG_IP_VS_IPV6 ++ .priority = ADDRCONF_NOTIFY_PRIORITY + 5, ++#endif + }; + + int __net_init ip_vs_control_net_init(struct netns_ipvs *ipvs) +-- +2.19.1 + diff --git a/queue-4.14/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch b/queue-4.14/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch new file mode 100644 index 00000000000..fb0e2fc33bc --- /dev/null +++ b/queue-4.14/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch @@ -0,0 +1,43 @@ +From da68163210a3eb97c0867d750382e49859651bbe Mon Sep 17 00:00:00 2001 +From: Josh Elsasser +Date: Sat, 24 Nov 2018 12:57:33 -0800 +Subject: ixgbe: recognize 1000BaseLX SFP modules as 1Gbps +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit a8bf879af7b1999eba36303ce9cc60e0e7dd816c ] + +Add the two 1000BaseLX enum values to the X550's check for 1Gbps modules, +allowing the core driver code to establish a link over this SFP type. + +This is done by the out-of-tree driver but the fix wasn't in mainline. + +Fixes: e23f33367882 ("ixgbe: Fix 1G and 10G link stability for X550EM_x SFP+”) +Fixes: 6a14ee0cfb19 ("ixgbe: Add X550 support function pointers") +Signed-off-by: Josh Elsasser +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c +index cf6a245db6d5..a37c951b0753 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c +@@ -2257,7 +2257,9 @@ static s32 ixgbe_get_link_capabilities_X550em(struct ixgbe_hw *hw, + *autoneg = false; + + if (hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core0 || +- hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core1) { ++ hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core1 || ++ hw->phy.sfp_type == ixgbe_sfp_type_1g_lx_core0 || ++ hw->phy.sfp_type == ixgbe_sfp_type_1g_lx_core1) { + *speed = IXGBE_LINK_SPEED_1GB_FULL; + return 0; + } +-- +2.19.1 + diff --git a/queue-4.14/kvm-x86-fix-empty-body-warnings.patch b/queue-4.14/kvm-x86-fix-empty-body-warnings.patch new file mode 100644 index 00000000000..24381251f8d --- /dev/null +++ b/queue-4.14/kvm-x86-fix-empty-body-warnings.patch @@ -0,0 +1,43 @@ +From 9fdfd5c2e4b25ac32947d4efcfc23c37063c4506 Mon Sep 17 00:00:00 2001 +From: Yi Wang +Date: Thu, 8 Nov 2018 16:48:36 +0800 +Subject: KVM: x86: fix empty-body warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 354cb410d87314e2eda344feea84809e4261570a ] + +We get the following warnings about empty statements when building +with 'W=1': + +arch/x86/kvm/lapic.c:632:53: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +arch/x86/kvm/lapic.c:1907:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +arch/x86/kvm/lapic.c:1936:65: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +arch/x86/kvm/lapic.c:1975:44: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] + +Rework the debug helper macro to get rid of these warnings. + +Signed-off-by: Yi Wang +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/lapic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 13dfb55b84db..f7c34184342a 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -55,7 +55,7 @@ + #define PRIo64 "o" + + /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */ +-#define apic_debug(fmt, arg...) ++#define apic_debug(fmt, arg...) do {} while (0) + + /* 14 is the version for Xeon and Pentium 8.4.8*/ + #define APIC_VERSION (0x14UL | ((KVM_APIC_LVT_NUM - 1) << 16)) +-- +2.19.1 + diff --git a/queue-4.14/mm-page_alloc.c-fix-calculation-of-pgdat-nr_zones.patch b/queue-4.14/mm-page_alloc.c-fix-calculation-of-pgdat-nr_zones.patch new file mode 100644 index 00000000000..873712e5955 --- /dev/null +++ b/queue-4.14/mm-page_alloc.c-fix-calculation-of-pgdat-nr_zones.patch @@ -0,0 +1,88 @@ +From 2f748e9cc3c41d2c9cddca31781867c0a558a650 Mon Sep 17 00:00:00 2001 +From: Wei Yang +Date: Fri, 30 Nov 2018 14:09:07 -0800 +Subject: mm/page_alloc.c: fix calculation of pgdat->nr_zones + +[ Upstream commit 8f416836c0d50b198cad1225132e5abebf8980dc ] + +init_currently_empty_zone() will adjust pgdat->nr_zones and set it to +'zone_idx(zone) + 1' unconditionally. This is correct in the normal +case, while not exact in hot-plug situation. + +This function is used in two places: + + * free_area_init_core() + * move_pfn_range_to_zone() + +In the first case, we are sure zone index increase monotonically. While +in the second one, this is under users control. + +One way to reproduce this is: +---------------------------- + +1. create a virtual machine with empty node1 + + -m 4G,slots=32,maxmem=32G \ + -smp 4,maxcpus=8 \ + -numa node,nodeid=0,mem=4G,cpus=0-3 \ + -numa node,nodeid=1,mem=0G,cpus=4-7 + +2. hot-add cpu 3-7 + + cpu-add [3-7] + +2. hot-add memory to nod1 + + object_add memory-backend-ram,id=ram0,size=1G + device_add pc-dimm,id=dimm0,memdev=ram0,node=1 + +3. online memory with following order + + echo online_movable > memory47/state + echo online > memory40/state + +After this, node1 will have its nr_zones equals to (ZONE_NORMAL + 1) +instead of (ZONE_MOVABLE + 1). + +Michal said: + "Having an incorrect nr_zones might result in all sorts of problems + which would be quite hard to debug (e.g. reclaim not considering the + movable zone). I do not expect many users would suffer from this it + but still this is trivial and obviously right thing to do so + backporting to the stable tree shouldn't be harmful (last famous + words)" + +Link: http://lkml.kernel.org/r/20181117022022.9956-1-richard.weiyang@gmail.com +Fixes: f1dd2cd13c4b ("mm, memory_hotplug: do not associate hotadded memory to zones until online") +Signed-off-by: Wei Yang +Acked-by: Michal Hocko +Reviewed-by: Oscar Salvador +Cc: Anshuman Khandual +Cc: Dave Hansen +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds + +Signed-off-by: Sasha Levin +--- + mm/page_alloc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index 6be91a1a00d9..a2f365f40433 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -5544,8 +5544,10 @@ void __meminit init_currently_empty_zone(struct zone *zone, + unsigned long size) + { + struct pglist_data *pgdat = zone->zone_pgdat; ++ int zone_idx = zone_idx(zone) + 1; + +- pgdat->nr_zones = zone_idx(zone) + 1; ++ if (zone_idx > pgdat->nr_zones) ++ pgdat->nr_zones = zone_idx; + + zone->zone_start_pfn = zone_start_pfn; + +-- +2.19.1 + diff --git a/queue-4.14/net-hisilicon-remove-unexpected-free_netdev.patch b/queue-4.14/net-hisilicon-remove-unexpected-free_netdev.patch new file mode 100644 index 00000000000..04f4cab8ec0 --- /dev/null +++ b/queue-4.14/net-hisilicon-remove-unexpected-free_netdev.patch @@ -0,0 +1,37 @@ +From f6ad88c61e3b18385ca9a80776c927a09d2f4402 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Wed, 28 Nov 2018 15:30:24 +0800 +Subject: net: hisilicon: remove unexpected free_netdev + +[ Upstream commit c758940158bf29fe14e9d0f89d5848f227b48134 ] + +The net device ndev is freed via free_netdev when failing to register +the device. The control flow then jumps to the error handling code +block. ndev is used and freed again. Resulting in a use-after-free bug. + +Signed-off-by: Pan Bian +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hip04_eth.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c +index 0cec06bec63e..c27054b8ce81 100644 +--- a/drivers/net/ethernet/hisilicon/hip04_eth.c ++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c +@@ -914,10 +914,8 @@ static int hip04_mac_probe(struct platform_device *pdev) + } + + ret = register_netdev(ndev); +- if (ret) { +- free_netdev(ndev); ++ if (ret) + goto alloc_fail; +- } + + return 0; + +-- +2.19.1 + diff --git a/queue-4.14/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch b/queue-4.14/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch new file mode 100644 index 00000000000..66255468a3c --- /dev/null +++ b/queue-4.14/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch @@ -0,0 +1,82 @@ +From 60dd75902fb124d8c7df7551fd33aad38ad692a1 Mon Sep 17 00:00:00 2001 +From: Lorenzo Bianconi +Date: Mon, 26 Nov 2018 15:07:16 +0100 +Subject: net: thunderx: fix NULL pointer dereference in nic_remove + +[ Upstream commit 24a6d2dd263bc910de018c78d1148b3e33b94512 ] + +Fix a possible NULL pointer dereference in nic_remove routine +removing the nicpf module if nic_probe fails. +The issue can be triggered with the following reproducer: + +$rmmod nicvf +$rmmod nicpf + +[ 521.412008] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000014 +[ 521.422777] Mem abort info: +[ 521.425561] ESR = 0x96000004 +[ 521.428624] Exception class = DABT (current EL), IL = 32 bits +[ 521.434535] SET = 0, FnV = 0 +[ 521.437579] EA = 0, S1PTW = 0 +[ 521.440730] Data abort info: +[ 521.443603] ISV = 0, ISS = 0x00000004 +[ 521.447431] CM = 0, WnR = 0 +[ 521.450417] user pgtable: 4k pages, 48-bit VAs, pgdp = 0000000072a3da42 +[ 521.457022] [0000000000000014] pgd=0000000000000000 +[ 521.461916] Internal error: Oops: 96000004 [#1] SMP +[ 521.511801] Hardware name: GIGABYTE H270-T70/MT70-HD0, BIOS T49 02/02/2018 +[ 521.518664] pstate: 80400005 (Nzcv daif +PAN -UAO) +[ 521.523451] pc : nic_remove+0x24/0x88 [nicpf] +[ 521.527808] lr : pci_device_remove+0x48/0xd8 +[ 521.532066] sp : ffff000013433cc0 +[ 521.535370] x29: ffff000013433cc0 x28: ffff810f6ac50000 +[ 521.540672] x27: 0000000000000000 x26: 0000000000000000 +[ 521.545974] x25: 0000000056000000 x24: 0000000000000015 +[ 521.551274] x23: ffff8007ff89a110 x22: ffff000001667070 +[ 521.556576] x21: ffff8007ffb170b0 x20: ffff8007ffb17000 +[ 521.561877] x19: 0000000000000000 x18: 0000000000000025 +[ 521.567178] x17: 0000000000000000 x16: 000000000000010ffc33ff98 x8 : 0000000000000000 +[ 521.593683] x7 : 0000000000000000 x6 : 0000000000000001 +[ 521.598983] x5 : 0000000000000002 x4 : 0000000000000003 +[ 521.604284] x3 : ffff8007ffb17184 x2 : ffff8007ffb17184 +[ 521.609585] x1 : ffff000001662118 x0 : ffff000008557be0 +[ 521.614887] Process rmmod (pid: 1897, stack limit = 0x00000000859535c3) +[ 521.621490] Call trace: +[ 521.623928] nic_remove+0x24/0x88 [nicpf] +[ 521.627927] pci_device_remove+0x48/0xd8 +[ 521.631847] device_release_driver_internal+0x1b0/0x248 +[ 521.637062] driver_detach+0x50/0xc0 +[ 521.640628] bus_remove_driver+0x60/0x100 +[ 521.644627] driver_unregister+0x34/0x60 +[ 521.648538] pci_unregister_driver+0x24/0xd8 +[ 521.652798] nic_cleanup_module+0x14/0x111c [nicpf] +[ 521.657672] __arm64_sys_delete_module+0x150/0x218 +[ 521.662460] el0_svc_handler+0x94/0x110 +[ 521.666287] el0_svc+0x8/0xc +[ 521.669160] Code: aa1e03e0 9102c295 d503201f f9404eb3 (b9401660) + +Fixes: 4863dea3fab0 ("net: Adding support for Cavium ThunderX network controller") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/nic_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/cavium/thunder/nic_main.c b/drivers/net/ethernet/cavium/thunder/nic_main.c +index fb770b0182d3..d89ec4724efd 100644 +--- a/drivers/net/ethernet/cavium/thunder/nic_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nic_main.c +@@ -1376,6 +1376,9 @@ static void nic_remove(struct pci_dev *pdev) + { + struct nicpf *nic = pci_get_drvdata(pdev); + ++ if (!nic) ++ return; ++ + if (nic->flags & NIC_SRIOV_ENABLED) + pci_disable_sriov(pdev); + +-- +2.19.1 + diff --git a/queue-4.14/netfilter-ipv6-preserve-link-scope-traffic-original-.patch b/queue-4.14/netfilter-ipv6-preserve-link-scope-traffic-original-.patch new file mode 100644 index 00000000000..b0bb2b6c6c6 --- /dev/null +++ b/queue-4.14/netfilter-ipv6-preserve-link-scope-traffic-original-.patch @@ -0,0 +1,40 @@ +From c8acc82dca546a78d010277070ed7c7f9addb76b Mon Sep 17 00:00:00 2001 +From: Alin Nastac +Date: Wed, 21 Nov 2018 14:00:30 +0100 +Subject: netfilter: ipv6: Preserve link scope traffic original oif + +[ Upstream commit 508b09046c0f21678652fb66fd1e9959d55591d2 ] + +When ip6_route_me_harder is invoked, it resets outgoing interface of: + - link-local scoped packets sent by neighbor discovery + - multicast packets sent by MLD host + - multicast packets send by MLD proxy daemon that sets outgoing + interface through IPV6_PKTINFO ipi6_ifindex + +Link-local and multicast packets must keep their original oif after +ip6_route_me_harder is called. + +Signed-off-by: Alin Nastac +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c +index 9bf260459f83..1f8b1a433b5d 100644 +--- a/net/ipv6/netfilter.c ++++ b/net/ipv6/netfilter.c +@@ -25,7 +25,8 @@ int ip6_route_me_harder(struct net *net, struct sk_buff *skb) + unsigned int hh_len; + struct dst_entry *dst; + struct flowi6 fl6 = { +- .flowi6_oif = sk ? sk->sk_bound_dev_if : 0, ++ .flowi6_oif = sk && sk->sk_bound_dev_if ? sk->sk_bound_dev_if : ++ rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0, + .flowi6_mark = skb->mark, + .flowi6_uid = sock_net_uid(net, sk), + .daddr = iph->daddr, +-- +2.19.1 + diff --git a/queue-4.14/netfilter-nf_tables-deactivate-expressions-in-rule-r.patch b/queue-4.14/netfilter-nf_tables-deactivate-expressions-in-rule-r.patch new file mode 100644 index 00000000000..e27ac05aad7 --- /dev/null +++ b/queue-4.14/netfilter-nf_tables-deactivate-expressions-in-rule-r.patch @@ -0,0 +1,94 @@ +From 7b9151b0fe7af5f3fc4152c399e591201900ff0f Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Wed, 28 Nov 2018 11:27:28 +0900 +Subject: netfilter: nf_tables: deactivate expressions in rule replecement + routine + +[ Upstream commit ca08987885a147643817d02bf260bc4756ce8cd4 ] + +There is no expression deactivation call from the rule replacement path, +hence, chain counter is not decremented. A few steps to reproduce the +problem: + + %nft add table ip filter + %nft add chain ip filter c1 + %nft add chain ip filter c1 + %nft add rule ip filter c1 jump c2 + %nft replace rule ip filter c1 handle 3 accept + %nft flush ruleset + + expression means immediate NFT_JUMP to chain c2. +Reference count of chain c2 is increased when the rule is added. + +When rule is deleted or replaced, the reference counter of c2 should be +decreased via nft_rule_expr_deactivate() which calls +nft_immediate_deactivate(). + +Splat looks like: +[ 214.396453] WARNING: CPU: 1 PID: 21 at net/netfilter/nf_tables_api.c:1432 nf_tables_chain_destroy.isra.38+0x2f9/0x3a0 [nf_tables] +[ 214.398983] Modules linked in: nf_tables nfnetlink +[ 214.398983] CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 4.20.0-rc2+ #44 +[ 214.398983] Workqueue: events nf_tables_trans_destroy_work [nf_tables] +[ 214.398983] RIP: 0010:nf_tables_chain_destroy.isra.38+0x2f9/0x3a0 [nf_tables] +[ 214.398983] Code: 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 8e 00 00 00 48 8b 7b 58 e8 e1 2c 4e c6 48 89 df e8 d9 2c 4e c6 eb 9a <0f> 0b eb 96 0f 0b e9 7e fe ff ff e8 a7 7e 4e c6 e9 a4 fe ff ff e8 +[ 214.398983] RSP: 0018:ffff8881152874e8 EFLAGS: 00010202 +[ 214.398983] RAX: 0000000000000001 RBX: ffff88810ef9fc28 RCX: ffff8881152876f0 +[ 214.398983] RDX: dffffc0000000000 RSI: 1ffff11022a50ede RDI: ffff88810ef9fc78 +[ 214.398983] RBP: 1ffff11022a50e9d R08: 0000000080000000 R09: 0000000000000000 +[ 214.398983] R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff11022a50eba +[ 214.398983] R13: ffff888114446e08 R14: ffff8881152876f0 R15: ffffed1022a50ed6 +[ 214.398983] FS: 0000000000000000(0000) GS:ffff888116400000(0000) knlGS:0000000000000000 +[ 214.398983] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 214.398983] CR2: 00007fab9bb5f868 CR3: 000000012aa16000 CR4: 00000000001006e0 +[ 214.398983] Call Trace: +[ 214.398983] ? nf_tables_table_destroy.isra.37+0x100/0x100 [nf_tables] +[ 214.398983] ? __kasan_slab_free+0x145/0x180 +[ 214.398983] ? nf_tables_trans_destroy_work+0x439/0x830 [nf_tables] +[ 214.398983] ? kfree+0xdb/0x280 +[ 214.398983] nf_tables_trans_destroy_work+0x5f5/0x830 [nf_tables] +[ ... ] + +Fixes: bb7b40aecbf7 ("netfilter: nf_tables: bogus EBUSY in chain deletions") +Reported by: Christoph Anton Mitterer +Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914505 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=201791 +Signed-off-by: Taehee Yoo +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 15 ++++----------- + 1 file changed, 4 insertions(+), 11 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index ea1e57daf50e..623ec29ade26 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2400,21 +2400,14 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk, + } + + if (nlh->nlmsg_flags & NLM_F_REPLACE) { +- if (!nft_is_active_next(net, old_rule)) { +- err = -ENOENT; +- goto err2; +- } +- trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE, +- old_rule); ++ trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); + if (trans == NULL) { + err = -ENOMEM; + goto err2; + } +- nft_deactivate_next(net, old_rule); +- chain->use--; +- +- if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) { +- err = -ENOMEM; ++ err = nft_delrule(&ctx, old_rule); ++ if (err < 0) { ++ nft_trans_destroy(trans); + goto err2; + } + +-- +2.19.1 + diff --git a/queue-4.14/netfilter-nf_tables-fix-use-after-free-when-deleting.patch b/queue-4.14/netfilter-nf_tables-fix-use-after-free-when-deleting.patch new file mode 100644 index 00000000000..0340b123891 --- /dev/null +++ b/queue-4.14/netfilter-nf_tables-fix-use-after-free-when-deleting.patch @@ -0,0 +1,78 @@ +From 305e7d5b2ee9349f4d06d305b36e92e7ee5353d6 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 12 Nov 2018 22:43:45 +0100 +Subject: netfilter: nf_tables: fix use-after-free when deleting compat + expressions + +[ Upstream commit 29e3880109e357fdc607b4393f8308cef6af9413 ] + +nft_compat ops do not have static storage duration, unlike all other +expressions. + +When nf_tables_expr_destroy() returns, expr->ops might have been +free'd already, so we need to store next address before calling +expression destructor. + +For same reason, we can't deref match pointer after nft_xt_put(). + +This can be easily reproduced by adding msleep() before +nft_match_destroy() returns. + +Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables") +Reported-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 5 +++-- + net/netfilter/nft_compat.c | 3 ++- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 3ae365f92bff..ea1e57daf50e 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2252,7 +2252,7 @@ static int nf_tables_getrule(struct net *net, struct sock *nlsk, + static void nf_tables_rule_destroy(const struct nft_ctx *ctx, + struct nft_rule *rule) + { +- struct nft_expr *expr; ++ struct nft_expr *expr, *next; + + /* + * Careful: some expressions might not be initialized in case this +@@ -2260,8 +2260,9 @@ static void nf_tables_rule_destroy(const struct nft_ctx *ctx, + */ + expr = nft_expr_first(rule); + while (expr != nft_expr_last(rule) && expr->ops) { ++ next = nft_expr_next(expr); + nf_tables_expr_destroy(ctx, expr); +- expr = nft_expr_next(expr); ++ expr = next; + } + kfree(rule); + } +diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c +index 6da1cec1494a..7533c2fd6b76 100644 +--- a/net/netfilter/nft_compat.c ++++ b/net/netfilter/nft_compat.c +@@ -497,6 +497,7 @@ __nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr, + void *info) + { + struct xt_match *match = expr->ops->data; ++ struct module *me = match->me; + struct xt_mtdtor_param par; + + par.net = ctx->net; +@@ -507,7 +508,7 @@ __nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr, + par.match->destroy(&par); + + if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops))) +- module_put(match->me); ++ module_put(me); + } + + static void +-- +2.19.1 + diff --git a/queue-4.14/netfilter-xt_hashlimit-fix-a-possible-memory-leak-in.patch b/queue-4.14/netfilter-xt_hashlimit-fix-a-possible-memory-leak-in.patch new file mode 100644 index 00000000000..afc6bcb30e6 --- /dev/null +++ b/queue-4.14/netfilter-xt_hashlimit-fix-a-possible-memory-leak-in.patch @@ -0,0 +1,71 @@ +From 53445307e0485f8e22a9a0cfe1011f3d7ce13c36 Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Fri, 16 Nov 2018 21:32:35 +0900 +Subject: netfilter: xt_hashlimit: fix a possible memory leak in + htable_create() + +[ Upstream commit b4e955e9f372035361fbc6f07b21fe2cc6a5be4a ] + +In the htable_create(), hinfo is allocated by vmalloc() +So that if error occurred, hinfo should be freed. + +Fixes: 11d5f15723c9 ("netfilter: xt_hashlimit: Create revision 2 to support higher pps rates") +Signed-off-by: Taehee Yoo +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_hashlimit.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c +index 0c034597b9b8..fe8e8a1622b5 100644 +--- a/net/netfilter/xt_hashlimit.c ++++ b/net/netfilter/xt_hashlimit.c +@@ -295,9 +295,10 @@ static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg, + + /* copy match config into hashtable config */ + ret = cfg_copy(&hinfo->cfg, (void *)cfg, 3); +- +- if (ret) ++ if (ret) { ++ vfree(hinfo); + return ret; ++ } + + hinfo->cfg.size = size; + if (hinfo->cfg.max == 0) +@@ -814,7 +815,6 @@ hashlimit_mt_v1(const struct sk_buff *skb, struct xt_action_param *par) + int ret; + + ret = cfg_copy(&cfg, (void *)&info->cfg, 1); +- + if (ret) + return ret; + +@@ -830,7 +830,6 @@ hashlimit_mt_v2(const struct sk_buff *skb, struct xt_action_param *par) + int ret; + + ret = cfg_copy(&cfg, (void *)&info->cfg, 2); +- + if (ret) + return ret; + +@@ -920,7 +919,6 @@ static int hashlimit_mt_check_v1(const struct xt_mtchk_param *par) + return ret; + + ret = cfg_copy(&cfg, (void *)&info->cfg, 1); +- + if (ret) + return ret; + +@@ -939,7 +937,6 @@ static int hashlimit_mt_check_v2(const struct xt_mtchk_param *par) + return ret; + + ret = cfg_copy(&cfg, (void *)&info->cfg, 2); +- + if (ret) + return ret; + +-- +2.19.1 + diff --git a/queue-4.14/nvme-flush-namespace-scanning-work-just-before-remov.patch b/queue-4.14/nvme-flush-namespace-scanning-work-just-before-remov.patch new file mode 100644 index 00000000000..7972c902e62 --- /dev/null +++ b/queue-4.14/nvme-flush-namespace-scanning-work-just-before-remov.patch @@ -0,0 +1,53 @@ +From 15a65148d9047f27ce25446a9415fe589a7de7c9 Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Wed, 21 Nov 2018 15:17:37 -0800 +Subject: nvme: flush namespace scanning work just before removing namespaces + +[ Upstream commit f6c8e432cb0479255322c5d0335b9f1699a0270c ] + +nvme_stop_ctrl can be called also for reset flow and there is no need to +flush the scan_work as namespaces are not being removed. This can cause +deadlock in rdma, fc and loop drivers since nvme_stop_ctrl barriers +before controller teardown (and specifically I/O cancellation of the +scan_work itself) takes place, but the scan_work will be blocked anyways +so there is no need to flush it. + +Instead, move scan_work flush to nvme_remove_namespaces() where it really +needs to flush. + +Reported-by: Ming Lei +Signed-off-by: Sagi Grimberg +Reviewed-by: Keith Busch +Reviewed by: James Smart +Tested-by: Ewan D. Milne +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 3a63d58d2ca9..65f3f1a34b6b 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -2572,6 +2572,9 @@ void nvme_remove_namespaces(struct nvme_ctrl *ctrl) + { + struct nvme_ns *ns, *next; + ++ /* prevent racing with ns scanning */ ++ flush_work(&ctrl->scan_work); ++ + /* + * The dead states indicates the controller was not gracefully + * disconnected. In that case, we won't be able to flush any data while +@@ -2743,7 +2746,6 @@ void nvme_stop_ctrl(struct nvme_ctrl *ctrl) + { + nvme_stop_keep_alive(ctrl); + flush_work(&ctrl->async_event_work); +- flush_work(&ctrl->scan_work); + cancel_work_sync(&ctrl->fw_act_work); + } + EXPORT_SYMBOL_GPL(nvme_stop_ctrl); +-- +2.19.1 + diff --git a/queue-4.14/objtool-fix-double-free-in-.cold-detection-error-pat.patch b/queue-4.14/objtool-fix-double-free-in-.cold-detection-error-pat.patch new file mode 100644 index 00000000000..5d69cb9d5fc --- /dev/null +++ b/queue-4.14/objtool-fix-double-free-in-.cold-detection-error-pat.patch @@ -0,0 +1,42 @@ +From 227790208b2f902ad10753731dd6f04537cbaa84 Mon Sep 17 00:00:00 2001 +From: Artem Savkov +Date: Tue, 20 Nov 2018 11:52:15 -0600 +Subject: objtool: Fix double-free in .cold detection error path + +[ Upstream commit 0b9301fb632f7111a3293a30cc5b20f1b82ed08d ] + +If read_symbols() fails during second list traversal (the one dealing +with ".cold" subfunctions) it frees the symbol, but never deletes it +from the list/hash_table resulting in symbol being freed again in +elf_close(). Fix it by just returning an error, leaving cleanup to +elf_close(). + +Signed-off-by: Artem Savkov +Signed-off-by: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 13810435b9a7 ("objtool: Support GCC 8's cold subfunctions") +Link: http://lkml.kernel.org/r/beac5a9b7da9e8be90223459dcbe07766ae437dd.1542736240.git.jpoimboe@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + tools/objtool/elf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c +index 0d1acb704f64..3616d626991e 100644 +--- a/tools/objtool/elf.c ++++ b/tools/objtool/elf.c +@@ -312,7 +312,7 @@ static int read_symbols(struct elf *elf) + if (!pfunc) { + WARN("%s(): can't find parent function", + sym->name); +- goto err; ++ return -1; + } + + sym->pfunc = pfunc; +-- +2.19.1 + diff --git a/queue-4.14/objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch b/queue-4.14/objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch new file mode 100644 index 00000000000..38680be5dd1 --- /dev/null +++ b/queue-4.14/objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch @@ -0,0 +1,76 @@ +From 4e86c37ba416617deec99032c08c92a784716adf Mon Sep 17 00:00:00 2001 +From: Artem Savkov +Date: Tue, 20 Nov 2018 11:52:16 -0600 +Subject: objtool: Fix segfault in .cold detection with -ffunction-sections + +[ Upstream commit 22566c1603030f0a036ad564634b064ad1a55db2 ] + +Because find_symbol_by_name() traverses the same lists as +read_symbols(), changing sym->name in place without copying it affects +the result of find_symbol_by_name(). In the case where a ".cold" +function precedes its parent in sec->symbol_list, it can result in a +function being considered a parent of itself. This leads to function +length being set to 0 and other consequent side-effects including a +segfault in add_switch_table(). The effects of this bug are only +visible when building with -ffunction-sections in KCFLAGS. + +Fix by copying the search string instead of modifying it in place. + +Signed-off-by: Artem Savkov +Signed-off-by: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 13810435b9a7 ("objtool: Support GCC 8's cold subfunctions") +Link: http://lkml.kernel.org/r/910abd6b5a4945130fd44f787c24e07b9e07c8da.1542736240.git.jpoimboe@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + tools/objtool/elf.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c +index 3616d626991e..dd4ed7c3c062 100644 +--- a/tools/objtool/elf.c ++++ b/tools/objtool/elf.c +@@ -31,6 +31,8 @@ + #include "elf.h" + #include "warn.h" + ++#define MAX_NAME_LEN 128 ++ + struct section *find_section_by_name(struct elf *elf, const char *name) + { + struct section *sec; +@@ -298,6 +300,8 @@ static int read_symbols(struct elf *elf) + /* Create parent/child links for any cold subfunctions */ + list_for_each_entry(sec, &elf->sections, list) { + list_for_each_entry(sym, &sec->symbol_list, list) { ++ char pname[MAX_NAME_LEN + 1]; ++ size_t pnamelen; + if (sym->type != STT_FUNC) + continue; + sym->pfunc = sym->cfunc = sym; +@@ -305,9 +309,16 @@ static int read_symbols(struct elf *elf) + if (!coldstr) + continue; + +- coldstr[0] = '\0'; +- pfunc = find_symbol_by_name(elf, sym->name); +- coldstr[0] = '.'; ++ pnamelen = coldstr - sym->name; ++ if (pnamelen > MAX_NAME_LEN) { ++ WARN("%s(): parent function name exceeds maximum length of %d characters", ++ sym->name, MAX_NAME_LEN); ++ return -1; ++ } ++ ++ strncpy(pname, sym->name, pnamelen); ++ pname[pnamelen] = '\0'; ++ pfunc = find_symbol_by_name(elf, pname); + + if (!pfunc) { + WARN("%s(): can't find parent function", +-- +2.19.1 + diff --git a/queue-4.14/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch b/queue-4.14/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch new file mode 100644 index 00000000000..1f33c3c5c7a --- /dev/null +++ b/queue-4.14/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch @@ -0,0 +1,147 @@ +From f940af68ddd1d3656b710a25d71ccbb7cf381f75 Mon Sep 17 00:00:00 2001 +From: Larry Chen +Date: Fri, 30 Nov 2018 14:08:56 -0800 +Subject: ocfs2: fix deadlock caused by ocfs2_defrag_extent() + +[ Upstream commit e21e57445a64598b29a6f629688f9b9a39e7242a ] + +ocfs2_defrag_extent may fall into deadlock. + +ocfs2_ioctl_move_extents + ocfs2_ioctl_move_extents + ocfs2_move_extents + ocfs2_defrag_extent + ocfs2_lock_allocators_move_extents + + ocfs2_reserve_clusters + inode_lock GLOBAL_BITMAP_SYSTEM_INODE + + __ocfs2_flush_truncate_log + inode_lock GLOBAL_BITMAP_SYSTEM_INODE + +As backtrace shows above, ocfs2_reserve_clusters() will call inode_lock +against the global bitmap if local allocator has not sufficient cluters. +Once global bitmap could meet the demand, ocfs2_reserve_cluster will +return success with global bitmap locked. + +After ocfs2_reserve_cluster(), if truncate log is full, +__ocfs2_flush_truncate_log() will definitely fall into deadlock because +it needs to inode_lock global bitmap, which has already been locked. + +To fix this bug, we could remove from +ocfs2_lock_allocators_move_extents() the code which intends to lock +global allocator, and put the removed code after +__ocfs2_flush_truncate_log(). + +ocfs2_lock_allocators_move_extents() is referred by 2 places, one is +here, the other does not need the data allocator context, which means +this patch does not affect the caller so far. + +Link: http://lkml.kernel.org/r/20181101071422.14470-1-lchen@suse.com +Signed-off-by: Larry Chen +Reviewed-by: Changwei Ge +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/move_extents.c | 47 +++++++++++++++++++++++------------------ + 1 file changed, 26 insertions(+), 21 deletions(-) + +diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c +index 7eb3b0a6347e..f55f82ca3425 100644 +--- a/fs/ocfs2/move_extents.c ++++ b/fs/ocfs2/move_extents.c +@@ -156,18 +156,14 @@ static int __ocfs2_move_extent(handle_t *handle, + } + + /* +- * lock allocators, and reserving appropriate number of bits for +- * meta blocks and data clusters. +- * +- * in some cases, we don't need to reserve clusters, just let data_ac +- * be NULL. ++ * lock allocator, and reserve appropriate number of bits for ++ * meta blocks. + */ +-static int ocfs2_lock_allocators_move_extents(struct inode *inode, ++static int ocfs2_lock_meta_allocator_move_extents(struct inode *inode, + struct ocfs2_extent_tree *et, + u32 clusters_to_move, + u32 extents_to_split, + struct ocfs2_alloc_context **meta_ac, +- struct ocfs2_alloc_context **data_ac, + int extra_blocks, + int *credits) + { +@@ -192,13 +188,6 @@ static int ocfs2_lock_allocators_move_extents(struct inode *inode, + goto out; + } + +- if (data_ac) { +- ret = ocfs2_reserve_clusters(osb, clusters_to_move, data_ac); +- if (ret) { +- mlog_errno(ret); +- goto out; +- } +- } + + *credits += ocfs2_calc_extend_credits(osb->sb, et->et_root_el); + +@@ -257,10 +246,10 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context, + } + } + +- ret = ocfs2_lock_allocators_move_extents(inode, &context->et, *len, 1, +- &context->meta_ac, +- &context->data_ac, +- extra_blocks, &credits); ++ ret = ocfs2_lock_meta_allocator_move_extents(inode, &context->et, ++ *len, 1, ++ &context->meta_ac, ++ extra_blocks, &credits); + if (ret) { + mlog_errno(ret); + goto out; +@@ -283,6 +272,21 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context, + } + } + ++ /* ++ * Make sure ocfs2_reserve_cluster is called after ++ * __ocfs2_flush_truncate_log, otherwise, dead lock may happen. ++ * ++ * If ocfs2_reserve_cluster is called ++ * before __ocfs2_flush_truncate_log, dead lock on global bitmap ++ * may happen. ++ * ++ */ ++ ret = ocfs2_reserve_clusters(osb, *len, &context->data_ac); ++ if (ret) { ++ mlog_errno(ret); ++ goto out_unlock_mutex; ++ } ++ + handle = ocfs2_start_trans(osb, credits); + if (IS_ERR(handle)) { + ret = PTR_ERR(handle); +@@ -600,9 +604,10 @@ static int ocfs2_move_extent(struct ocfs2_move_extents_context *context, + } + } + +- ret = ocfs2_lock_allocators_move_extents(inode, &context->et, len, 1, +- &context->meta_ac, +- NULL, extra_blocks, &credits); ++ ret = ocfs2_lock_meta_allocator_move_extents(inode, &context->et, ++ len, 1, ++ &context->meta_ac, ++ extra_blocks, &credits); + if (ret) { + mlog_errno(ret); + goto out; +-- +2.19.1 + diff --git a/queue-4.14/ocfs2-fix-potential-use-after-free.patch b/queue-4.14/ocfs2-fix-potential-use-after-free.patch new file mode 100644 index 00000000000..419edd76dde --- /dev/null +++ b/queue-4.14/ocfs2-fix-potential-use-after-free.patch @@ -0,0 +1,47 @@ +From 1d77aaf4cf430c8c3b7dcd297664a819128a3d4a Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Fri, 30 Nov 2018 14:10:54 -0800 +Subject: ocfs2: fix potential use after free + +[ Upstream commit 164f7e586739d07eb56af6f6d66acebb11f315c8 ] + +ocfs2_get_dentry() calls iput(inode) to drop the reference count of +inode, and if the reference count hits 0, inode is freed. However, in +this function, it then reads inode->i_generation, which may result in a +use after free bug. Move the put operation later. + +Link: http://lkml.kernel.org/r/1543109237-110227-1-git-send-email-bianpan2016@163.com +Fixes: 781f200cb7a("ocfs2: Remove masklog ML_EXPORT.") +Signed-off-by: Pan Bian +Reviewed-by: Andrew Morton +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Cc: Changwei Ge +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/export.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ocfs2/export.c b/fs/ocfs2/export.c +index 9f88188060db..4bf8d5854b27 100644 +--- a/fs/ocfs2/export.c ++++ b/fs/ocfs2/export.c +@@ -125,10 +125,10 @@ static struct dentry *ocfs2_get_dentry(struct super_block *sb, + + check_gen: + if (handle->ih_generation != inode->i_generation) { +- iput(inode); + trace_ocfs2_get_dentry_generation((unsigned long long)blkno, + handle->ih_generation, + inode->i_generation); ++ iput(inode); + result = ERR_PTR(-ESTALE); + goto bail; + } +-- +2.19.1 + diff --git a/queue-4.14/pci-imx6-fix-link-training-status-detection-in-link-.patch b/queue-4.14/pci-imx6-fix-link-training-status-detection-in-link-.patch new file mode 100644 index 00000000000..7986754c839 --- /dev/null +++ b/queue-4.14/pci-imx6-fix-link-training-status-detection-in-link-.patch @@ -0,0 +1,89 @@ +From f61f2360f24c22046ccc91179036ef3c2cffb106 Mon Sep 17 00:00:00 2001 +From: Trent Piepho +Date: Mon, 5 Nov 2018 18:11:36 +0000 +Subject: PCI: imx6: Fix link training status detection in link up check + +[ Upstream commit 68bc10bf992180f269816ff3d22eb30383138577 ] + +This bug was introduced in the interaction for two commits on either +branch of the merge commit 562df5c8521e ("Merge branch +'pci/host-designware' into next"). + +Commit 4d107d3b5a68 ("PCI: imx6: Move link up check into +imx6_pcie_wait_for_link()"), changed imx6_pcie_wait_for_link() to poll +the link status register directly, checking for link up and not +training, and made imx6_pcie_link_up() only check the link up bit (once, +not a polling loop). + +While commit 886bc5ceb5cc ("PCI: designware: Add generic +dw_pcie_wait_for_link()"), replaced the loop in +imx6_pcie_wait_for_link() with a call to a new dwc core function, which +polled imx6_pcie_link_up(), which still checked both link up and not +training in a loop. + +When these two commits were merged, the version of +imx6_pcie_wait_for_link() from 886bc5ceb5cc was kept, which eliminated +the link training check placed there by 4d107d3b5a68. However, the +version of imx6_pcie_link_up() from 4d107d3b5a68 was kept, which +eliminated the link training check that had been there and was moved to +imx6_pcie_wait_for_link(). + +The result was the link training check got lost for the imx6 driver. + +Eliminate imx6_pcie_link_up() so that the default handler, +dw_pcie_link_up(), is used instead. The default handler has the correct +code, which checks for link up and also that it still is not training, +fixing the regression. + +Fixes: 562df5c8521e ("Merge branch 'pci/host-designware' into next") +Signed-off-by: Trent Piepho +[lorenzo.pieralisi@arm.com: rewrote the commit log] +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Lucas Stach +Cc: Bjorn Helgaas +Cc: Joao Pinto +Cc: Lorenzo Pieralisi +Cc: Richard Zhu +Signed-off-by: Sasha Levin +--- + drivers/pci/dwc/pci-imx6.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +diff --git a/drivers/pci/dwc/pci-imx6.c b/drivers/pci/dwc/pci-imx6.c +index b73483534a5b..1f1069b70e45 100644 +--- a/drivers/pci/dwc/pci-imx6.c ++++ b/drivers/pci/dwc/pci-imx6.c +@@ -83,8 +83,6 @@ struct imx6_pcie { + #define PCIE_PL_PFLR_FORCE_LINK (1 << 15) + #define PCIE_PHY_DEBUG_R0 (PL_OFFSET + 0x28) + #define PCIE_PHY_DEBUG_R1 (PL_OFFSET + 0x2c) +-#define PCIE_PHY_DEBUG_R1_XMLH_LINK_IN_TRAINING (1 << 29) +-#define PCIE_PHY_DEBUG_R1_XMLH_LINK_UP (1 << 4) + + #define PCIE_PHY_CTRL (PL_OFFSET + 0x114) + #define PCIE_PHY_CTRL_DATA_LOC 0 +@@ -653,12 +651,6 @@ static int imx6_pcie_host_init(struct pcie_port *pp) + return 0; + } + +-static int imx6_pcie_link_up(struct dw_pcie *pci) +-{ +- return dw_pcie_readl_dbi(pci, PCIE_PHY_DEBUG_R1) & +- PCIE_PHY_DEBUG_R1_XMLH_LINK_UP; +-} +- + static const struct dw_pcie_host_ops imx6_pcie_host_ops = { + .host_init = imx6_pcie_host_init, + }; +@@ -701,7 +693,7 @@ static int imx6_add_pcie_port(struct imx6_pcie *imx6_pcie, + } + + static const struct dw_pcie_ops dw_pcie_ops = { +- .link_up = imx6_pcie_link_up, ++ /* No special ops needed, but pcie-designware still expects this struct */ + }; + + static int imx6_pcie_probe(struct platform_device *pdev) +-- +2.19.1 + diff --git a/queue-4.14/perf-tools-restore-proper-cwd-on-return-from-mnt-nam.patch b/queue-4.14/perf-tools-restore-proper-cwd-on-return-from-mnt-nam.patch new file mode 100644 index 00000000000..26b1362c1c6 --- /dev/null +++ b/queue-4.14/perf-tools-restore-proper-cwd-on-return-from-mnt-nam.patch @@ -0,0 +1,129 @@ +From 26242ed8f4516a86ef2242075819ad95e513ba80 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Thu, 1 Nov 2018 18:00:01 +0100 +Subject: perf tools: Restore proper cwd on return from mnt namespace + +[ Upstream commit b01c1f69c8660eaeab7d365cd570103c5c073a02 ] + +When reporting on 'record' server we try to retrieve/use the mnt +namespace of the profiled tasks. We use following API with cookie to +hold the return namespace, roughly: + + nsinfo__mountns_enter(struct nsinfo *nsi, struct nscookie *nc) + setns(newns, 0); + ... + new ns related open.. + ... + nsinfo__mountns_exit(struct nscookie *nc) + setns(nc->oldns) + +Once finished we setns to old namespace, which also sets the current +working directory (cwd) to "/", trashing the cwd we had. + +This is mostly fine, because we use absolute paths almost everywhere, +but it screws up 'perf diff': + + # perf diff + failed to open perf.data: No such file or directory (try 'perf record' first) + ... + +Adding the current working directory to be part of the cookie and +restoring it in the nsinfo__mountns_exit call. + +Signed-off-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Krister Johansen +Cc: Namhyung Kim +Cc: Peter Zijlstra +Fixes: 843ff37bb59e ("perf symbols: Find symbols in different mount namespace") +Link: http://lkml.kernel.org/r/20181101170001.30019-1-jolsa@kernel.org +[ No need to check for NULL args for free(), use zfree() for struct members ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/namespaces.c | 17 +++++++++++++++-- + tools/perf/util/namespaces.h | 1 + + 2 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/namespaces.c b/tools/perf/util/namespaces.c +index 1ef0049860a8..eadc7ddacbf6 100644 +--- a/tools/perf/util/namespaces.c ++++ b/tools/perf/util/namespaces.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + + struct namespaces *namespaces__new(struct namespaces_event *event) + { +@@ -185,6 +186,7 @@ void nsinfo__mountns_enter(struct nsinfo *nsi, + char curpath[PATH_MAX]; + int oldns = -1; + int newns = -1; ++ char *oldcwd = NULL; + + if (nc == NULL) + return; +@@ -198,9 +200,13 @@ void nsinfo__mountns_enter(struct nsinfo *nsi, + if (snprintf(curpath, PATH_MAX, "/proc/self/ns/mnt") >= PATH_MAX) + return; + ++ oldcwd = get_current_dir_name(); ++ if (!oldcwd) ++ return; ++ + oldns = open(curpath, O_RDONLY); + if (oldns < 0) +- return; ++ goto errout; + + newns = open(nsi->mntns_path, O_RDONLY); + if (newns < 0) +@@ -209,11 +215,13 @@ void nsinfo__mountns_enter(struct nsinfo *nsi, + if (setns(newns, CLONE_NEWNS) < 0) + goto errout; + ++ nc->oldcwd = oldcwd; + nc->oldns = oldns; + nc->newns = newns; + return; + + errout: ++ free(oldcwd); + if (oldns > -1) + close(oldns); + if (newns > -1) +@@ -222,11 +230,16 @@ void nsinfo__mountns_enter(struct nsinfo *nsi, + + void nsinfo__mountns_exit(struct nscookie *nc) + { +- if (nc == NULL || nc->oldns == -1 || nc->newns == -1) ++ if (nc == NULL || nc->oldns == -1 || nc->newns == -1 || !nc->oldcwd) + return; + + setns(nc->oldns, CLONE_NEWNS); + ++ if (nc->oldcwd) { ++ WARN_ON_ONCE(chdir(nc->oldcwd)); ++ zfree(&nc->oldcwd); ++ } ++ + if (nc->oldns > -1) { + close(nc->oldns); + nc->oldns = -1; +diff --git a/tools/perf/util/namespaces.h b/tools/perf/util/namespaces.h +index 05d82601c9a6..23584a6dd048 100644 +--- a/tools/perf/util/namespaces.h ++++ b/tools/perf/util/namespaces.h +@@ -36,6 +36,7 @@ struct nsinfo { + struct nscookie { + int oldns; + int newns; ++ char *oldcwd; + }; + + int nsinfo__init(struct nsinfo *nsi); +-- +2.19.1 + diff --git a/queue-4.14/printk-add-console-owner-and-waiter-logic-to-load-ba.patch b/queue-4.14/printk-add-console-owner-and-waiter-logic-to-load-ba.patch new file mode 100644 index 00000000000..8dd9ebed6e2 --- /dev/null +++ b/queue-4.14/printk-add-console-owner-and-waiter-logic-to-load-ba.patch @@ -0,0 +1,358 @@ +From 51387793273eca2ed854aa5af2d84e0e7867b21a Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Wed, 10 Jan 2018 14:24:17 +0100 +Subject: printk: Add console owner and waiter logic to load balance console + writes + +[ Upstream commit dbdda842fe96f8932bae554f0adf463c27c42bc7 ] + +This patch implements what I discussed in Kernel Summit. I added +lockdep annotation (hopefully correctly), and it hasn't had any splats +(since I fixed some bugs in the first iterations). It did catch +problems when I had the owner covering too much. But now that the owner +is only set when actively calling the consoles, lockdep has stayed +quiet. + +Here's the design again: + +I added a "console_owner" which is set to a task that is actively +writing to the consoles. It is *not* the same as the owner of the +console_lock. It is only set when doing the calls to the console +functions. It is protected by a console_owner_lock which is a raw spin +lock. + +There is a console_waiter. This is set when there is an active console +owner that is not current, and waiter is not set. This too is protected +by console_owner_lock. + +In printk() when it tries to write to the consoles, we have: + + if (console_trylock()) + console_unlock(); + +Now I added an else, which will check if there is an active owner, and +no current waiter. If that is the case, then console_waiter is set, and +the task goes into a spin until it is no longer set. + +When the active console owner finishes writing the current message to +the consoles, it grabs the console_owner_lock and sees if there is a +waiter, and clears console_owner. + +If there is a waiter, then it breaks out of the loop, clears the waiter +flag (because that will release the waiter from its spin), and exits. +Note, it does *not* release the console semaphore. Because it is a +semaphore, there is no owner. Another task may release it. This means +that the waiter is guaranteed to be the new console owner! Which it +becomes. + +Then the waiter calls console_unlock() and continues to write to the +consoles. + +If another task comes along and does a printk() it too can become the +new waiter, and we wash rinse and repeat! + +By Petr Mladek about possible new deadlocks: + +The thing is that we move console_sem only to printk() call +that normally calls console_unlock() as well. It means that +the transferred owner should not bring new type of dependencies. +As Steven said somewhere: "If there is a deadlock, it was +there even before." + +We could look at it from this side. The possible deadlock would +look like: + +CPU0 CPU1 + +console_unlock() + + console_owner = current; + + spin_lockA() + printk() + spin = true; + while (...) + + call_console_drivers() + spin_lockA() + +This would be a deadlock. CPU0 would wait for the lock A. +While CPU1 would own the lockA and would wait for CPU0 +to finish calling the console drivers and pass the console_sem +owner. + +But if the above is true than the following scenario was +already possible before: + +CPU0 + +spin_lockA() + printk() + console_unlock() + call_console_drivers() + spin_lockA() + +By other words, this deadlock was there even before. Such +deadlocks are prevented by using printk_deferred() in +the sections guarded by the lock A. + +By Steven Rostedt: + +To demonstrate the issue, this module has been shown to lock up a +system with 4 CPUs and a slow console (like a serial console). It is +also able to lock up a 8 CPU system with only a fast (VGA) console, by +passing in "loops=100". The changes in this commit prevent this module +from locking up the system. + + #include + #include + #include + #include + #include + #include + + static bool stop_testing; + static unsigned int loops = 1; + + static void preempt_printk_workfn(struct work_struct *work) + { + int i; + + while (!READ_ONCE(stop_testing)) { + for (i = 0; i < loops && !READ_ONCE(stop_testing); i++) { + preempt_disable(); + pr_emerg("%5d%-75s\n", smp_processor_id(), + " XXX NOPREEMPT"); + preempt_enable(); + } + msleep(1); + } + } + + static struct work_struct __percpu *works; + + static void finish(void) + { + int cpu; + + WRITE_ONCE(stop_testing, true); + for_each_online_cpu(cpu) + flush_work(per_cpu_ptr(works, cpu)); + free_percpu(works); + } + + static int __init test_init(void) + { + int cpu; + + works = alloc_percpu(struct work_struct); + if (!works) + return -ENOMEM; + + /* + * This is just a test module. This will break if you + * do any CPU hot plugging between loading and + * unloading the module. + */ + + for_each_online_cpu(cpu) { + struct work_struct *work = per_cpu_ptr(works, cpu); + + INIT_WORK(work, &preempt_printk_workfn); + schedule_work_on(cpu, work); + } + + return 0; + } + + static void __exit test_exit(void) + { + finish(); + } + + module_param(loops, uint, 0); + module_init(test_init); + module_exit(test_exit); + MODULE_LICENSE("GPL"); + +Link: http://lkml.kernel.org/r/20180110132418.7080-2-pmladek@suse.com +Cc: akpm@linux-foundation.org +Cc: linux-mm@kvack.org +Cc: Cong Wang +Cc: Dave Hansen +Cc: Johannes Weiner +Cc: Mel Gorman +Cc: Michal Hocko +Cc: Vlastimil Babka +Cc: Peter Zijlstra +Cc: Linus Torvalds +Cc: Jan Kara +Cc: Mathieu Desnoyers +Cc: Tetsuo Handa +Cc: Byungchul Park +Cc: Tejun Heo +Cc: Pavel Machek +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Steven Rostedt (VMware) +[pmladek@suse.com: Commit message about possible deadlocks] +Acked-by: Sergey Senozhatsky +Signed-off-by: Petr Mladek +Signed-off-by: Sasha Levin +--- + kernel/printk/printk.c | 108 ++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 107 insertions(+), 1 deletion(-) + +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c +index 7161312593dd..b88b402444d6 100644 +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -86,8 +86,15 @@ EXPORT_SYMBOL_GPL(console_drivers); + static struct lockdep_map console_lock_dep_map = { + .name = "console_lock" + }; ++static struct lockdep_map console_owner_dep_map = { ++ .name = "console_owner" ++}; + #endif + ++static DEFINE_RAW_SPINLOCK(console_owner_lock); ++static struct task_struct *console_owner; ++static bool console_waiter; ++ + enum devkmsg_log_bits { + __DEVKMSG_LOG_BIT_ON = 0, + __DEVKMSG_LOG_BIT_OFF, +@@ -1767,8 +1774,56 @@ asmlinkage int vprintk_emit(int facility, int level, + * semaphore. The release will print out buffers and wake up + * /dev/kmsg and syslog() users. + */ +- if (console_trylock()) ++ if (console_trylock()) { + console_unlock(); ++ } else { ++ struct task_struct *owner = NULL; ++ bool waiter; ++ bool spin = false; ++ ++ printk_safe_enter_irqsave(flags); ++ ++ raw_spin_lock(&console_owner_lock); ++ owner = READ_ONCE(console_owner); ++ waiter = READ_ONCE(console_waiter); ++ if (!waiter && owner && owner != current) { ++ WRITE_ONCE(console_waiter, true); ++ spin = true; ++ } ++ raw_spin_unlock(&console_owner_lock); ++ ++ /* ++ * If there is an active printk() writing to the ++ * consoles, instead of having it write our data too, ++ * see if we can offload that load from the active ++ * printer, and do some printing ourselves. ++ * Go into a spin only if there isn't already a waiter ++ * spinning, and there is an active printer, and ++ * that active printer isn't us (recursive printk?). ++ */ ++ if (spin) { ++ /* We spin waiting for the owner to release us */ ++ spin_acquire(&console_owner_dep_map, 0, 0, _THIS_IP_); ++ /* Owner will clear console_waiter on hand off */ ++ while (READ_ONCE(console_waiter)) ++ cpu_relax(); ++ ++ spin_release(&console_owner_dep_map, 1, _THIS_IP_); ++ printk_safe_exit_irqrestore(flags); ++ ++ /* ++ * The owner passed the console lock to us. ++ * Since we did not spin on console lock, annotate ++ * this as a trylock. Otherwise lockdep will ++ * complain. ++ */ ++ mutex_acquire(&console_lock_dep_map, 0, 1, _THIS_IP_); ++ console_unlock(); ++ printk_safe_enter_irqsave(flags); ++ } ++ printk_safe_exit_irqrestore(flags); ++ ++ } + } + + return printed_len; +@@ -2155,6 +2210,7 @@ void console_unlock(void) + static u64 seen_seq; + unsigned long flags; + bool wake_klogd = false; ++ bool waiter = false; + bool do_cond_resched, retry; + + if (console_suspended) { +@@ -2243,14 +2299,64 @@ void console_unlock(void) + console_seq++; + raw_spin_unlock(&logbuf_lock); + ++ /* ++ * While actively printing out messages, if another printk() ++ * were to occur on another CPU, it may wait for this one to ++ * finish. This task can not be preempted if there is a ++ * waiter waiting to take over. ++ */ ++ raw_spin_lock(&console_owner_lock); ++ console_owner = current; ++ raw_spin_unlock(&console_owner_lock); ++ ++ /* The waiter may spin on us after setting console_owner */ ++ spin_acquire(&console_owner_dep_map, 0, 0, _THIS_IP_); ++ + stop_critical_timings(); /* don't trace print latency */ + call_console_drivers(ext_text, ext_len, text, len); + start_critical_timings(); ++ ++ raw_spin_lock(&console_owner_lock); ++ waiter = READ_ONCE(console_waiter); ++ console_owner = NULL; ++ raw_spin_unlock(&console_owner_lock); ++ ++ /* ++ * If there is a waiter waiting for us, then pass the ++ * rest of the work load over to that waiter. ++ */ ++ if (waiter) ++ break; ++ ++ /* There was no waiter, and nothing will spin on us here */ ++ spin_release(&console_owner_dep_map, 1, _THIS_IP_); ++ + printk_safe_exit_irqrestore(flags); + + if (do_cond_resched) + cond_resched(); + } ++ ++ /* ++ * If there is an active waiter waiting on the console_lock. ++ * Pass off the printing to the waiter, and the waiter ++ * will continue printing on its CPU, and when all writing ++ * has finished, the last printer will wake up klogd. ++ */ ++ if (waiter) { ++ WRITE_ONCE(console_waiter, false); ++ /* The waiter is now free to continue */ ++ spin_release(&console_owner_dep_map, 1, _THIS_IP_); ++ /* ++ * Hand off console_lock to waiter. The waiter will perform ++ * the up(). After this, the waiter is the console_lock owner. ++ */ ++ mutex_release(&console_lock_dep_map, 1, _THIS_IP_); ++ printk_safe_exit_irqrestore(flags); ++ /* Note, if waiter is set, logbuf_lock is not held */ ++ return; ++ } ++ + console_locked = 0; + + /* Release the exclusive_console once it is used */ +-- +2.19.1 + diff --git a/queue-4.14/printk-hide-console-waiter-logic-into-helpers.patch b/queue-4.14/printk-hide-console-waiter-logic-into-helpers.patch new file mode 100644 index 00000000000..007ad99b42c --- /dev/null +++ b/queue-4.14/printk-hide-console-waiter-logic-into-helpers.patch @@ -0,0 +1,354 @@ +From 93f9028c6b41efe1761e168acf3b97180fd09a35 Mon Sep 17 00:00:00 2001 +From: Petr Mladek +Date: Fri, 12 Jan 2018 17:08:37 +0100 +Subject: printk: Hide console waiter logic into helpers + +[ Upstream commit c162d5b4338d72deed61aa65ed0f2f4ba2bbc8ab ] + +The commit ("printk: Add console owner and waiter logic to load balance +console writes") made vprintk_emit() and console_unlock() even more +complicated. + +This patch extracts the new code into 3 helper functions. They should +help to keep it rather self-contained. It will be easier to use and +maintain. + +This patch just shuffles the existing code. It does not change +the functionality. + +Link: http://lkml.kernel.org/r/20180112160837.GD24497@linux.suse +Cc: akpm@linux-foundation.org +Cc: linux-mm@kvack.org +Cc: Cong Wang +Cc: Dave Hansen +Cc: Johannes Weiner +Cc: Mel Gorman +Cc: Michal Hocko +Cc: Vlastimil Babka +Cc: Peter Zijlstra +Cc: Linus Torvalds +Cc: Jan Kara +Cc: Mathieu Desnoyers +Cc: Tetsuo Handa +Cc: rostedt@home.goodmis.org +Cc: Byungchul Park +Cc: Tejun Heo +Cc: Pavel Machek +Cc: linux-kernel@vger.kernel.org +Reviewed-by: Steven Rostedt (VMware) +Acked-by: Sergey Senozhatsky +Signed-off-by: Petr Mladek +Signed-off-by: Sasha Levin +--- + kernel/printk/printk.c | 245 +++++++++++++++++++++++++---------------- + 1 file changed, 148 insertions(+), 97 deletions(-) + +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c +index b88b402444d6..2d1c2700bd85 100644 +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -86,15 +86,8 @@ EXPORT_SYMBOL_GPL(console_drivers); + static struct lockdep_map console_lock_dep_map = { + .name = "console_lock" + }; +-static struct lockdep_map console_owner_dep_map = { +- .name = "console_owner" +-}; + #endif + +-static DEFINE_RAW_SPINLOCK(console_owner_lock); +-static struct task_struct *console_owner; +-static bool console_waiter; +- + enum devkmsg_log_bits { + __DEVKMSG_LOG_BIT_ON = 0, + __DEVKMSG_LOG_BIT_OFF, +@@ -1555,6 +1548,146 @@ SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len) + return do_syslog(type, buf, len, SYSLOG_FROM_READER); + } + ++/* ++ * Special console_lock variants that help to reduce the risk of soft-lockups. ++ * They allow to pass console_lock to another printk() call using a busy wait. ++ */ ++ ++#ifdef CONFIG_LOCKDEP ++static struct lockdep_map console_owner_dep_map = { ++ .name = "console_owner" ++}; ++#endif ++ ++static DEFINE_RAW_SPINLOCK(console_owner_lock); ++static struct task_struct *console_owner; ++static bool console_waiter; ++ ++/** ++ * console_lock_spinning_enable - mark beginning of code where another ++ * thread might safely busy wait ++ * ++ * This basically converts console_lock into a spinlock. This marks ++ * the section where the console_lock owner can not sleep, because ++ * there may be a waiter spinning (like a spinlock). Also it must be ++ * ready to hand over the lock at the end of the section. ++ */ ++static void console_lock_spinning_enable(void) ++{ ++ raw_spin_lock(&console_owner_lock); ++ console_owner = current; ++ raw_spin_unlock(&console_owner_lock); ++ ++ /* The waiter may spin on us after setting console_owner */ ++ spin_acquire(&console_owner_dep_map, 0, 0, _THIS_IP_); ++} ++ ++/** ++ * console_lock_spinning_disable_and_check - mark end of code where another ++ * thread was able to busy wait and check if there is a waiter ++ * ++ * This is called at the end of the section where spinning is allowed. ++ * It has two functions. First, it is a signal that it is no longer ++ * safe to start busy waiting for the lock. Second, it checks if ++ * there is a busy waiter and passes the lock rights to her. ++ * ++ * Important: Callers lose the lock if there was a busy waiter. ++ * They must not touch items synchronized by console_lock ++ * in this case. ++ * ++ * Return: 1 if the lock rights were passed, 0 otherwise. ++ */ ++static int console_lock_spinning_disable_and_check(void) ++{ ++ int waiter; ++ ++ raw_spin_lock(&console_owner_lock); ++ waiter = READ_ONCE(console_waiter); ++ console_owner = NULL; ++ raw_spin_unlock(&console_owner_lock); ++ ++ if (!waiter) { ++ spin_release(&console_owner_dep_map, 1, _THIS_IP_); ++ return 0; ++ } ++ ++ /* The waiter is now free to continue */ ++ WRITE_ONCE(console_waiter, false); ++ ++ spin_release(&console_owner_dep_map, 1, _THIS_IP_); ++ ++ /* ++ * Hand off console_lock to waiter. The waiter will perform ++ * the up(). After this, the waiter is the console_lock owner. ++ */ ++ mutex_release(&console_lock_dep_map, 1, _THIS_IP_); ++ return 1; ++} ++ ++/** ++ * console_trylock_spinning - try to get console_lock by busy waiting ++ * ++ * This allows to busy wait for the console_lock when the current ++ * owner is running in specially marked sections. It means that ++ * the current owner is running and cannot reschedule until it ++ * is ready to lose the lock. ++ * ++ * Return: 1 if we got the lock, 0 othrewise ++ */ ++static int console_trylock_spinning(void) ++{ ++ struct task_struct *owner = NULL; ++ bool waiter; ++ bool spin = false; ++ unsigned long flags; ++ ++ if (console_trylock()) ++ return 1; ++ ++ printk_safe_enter_irqsave(flags); ++ ++ raw_spin_lock(&console_owner_lock); ++ owner = READ_ONCE(console_owner); ++ waiter = READ_ONCE(console_waiter); ++ if (!waiter && owner && owner != current) { ++ WRITE_ONCE(console_waiter, true); ++ spin = true; ++ } ++ raw_spin_unlock(&console_owner_lock); ++ ++ /* ++ * If there is an active printk() writing to the ++ * consoles, instead of having it write our data too, ++ * see if we can offload that load from the active ++ * printer, and do some printing ourselves. ++ * Go into a spin only if there isn't already a waiter ++ * spinning, and there is an active printer, and ++ * that active printer isn't us (recursive printk?). ++ */ ++ if (!spin) { ++ printk_safe_exit_irqrestore(flags); ++ return 0; ++ } ++ ++ /* We spin waiting for the owner to release us */ ++ spin_acquire(&console_owner_dep_map, 0, 0, _THIS_IP_); ++ /* Owner will clear console_waiter on hand off */ ++ while (READ_ONCE(console_waiter)) ++ cpu_relax(); ++ spin_release(&console_owner_dep_map, 1, _THIS_IP_); ++ ++ printk_safe_exit_irqrestore(flags); ++ /* ++ * The owner passed the console lock to us. ++ * Since we did not spin on console lock, annotate ++ * this as a trylock. Otherwise lockdep will ++ * complain. ++ */ ++ mutex_acquire(&console_lock_dep_map, 0, 1, _THIS_IP_); ++ ++ return 1; ++} ++ + /* + * Call the console drivers, asking them to write out + * log_buf[start] to log_buf[end - 1]. +@@ -1774,56 +1907,8 @@ asmlinkage int vprintk_emit(int facility, int level, + * semaphore. The release will print out buffers and wake up + * /dev/kmsg and syslog() users. + */ +- if (console_trylock()) { ++ if (console_trylock_spinning()) + console_unlock(); +- } else { +- struct task_struct *owner = NULL; +- bool waiter; +- bool spin = false; +- +- printk_safe_enter_irqsave(flags); +- +- raw_spin_lock(&console_owner_lock); +- owner = READ_ONCE(console_owner); +- waiter = READ_ONCE(console_waiter); +- if (!waiter && owner && owner != current) { +- WRITE_ONCE(console_waiter, true); +- spin = true; +- } +- raw_spin_unlock(&console_owner_lock); +- +- /* +- * If there is an active printk() writing to the +- * consoles, instead of having it write our data too, +- * see if we can offload that load from the active +- * printer, and do some printing ourselves. +- * Go into a spin only if there isn't already a waiter +- * spinning, and there is an active printer, and +- * that active printer isn't us (recursive printk?). +- */ +- if (spin) { +- /* We spin waiting for the owner to release us */ +- spin_acquire(&console_owner_dep_map, 0, 0, _THIS_IP_); +- /* Owner will clear console_waiter on hand off */ +- while (READ_ONCE(console_waiter)) +- cpu_relax(); +- +- spin_release(&console_owner_dep_map, 1, _THIS_IP_); +- printk_safe_exit_irqrestore(flags); +- +- /* +- * The owner passed the console lock to us. +- * Since we did not spin on console lock, annotate +- * this as a trylock. Otherwise lockdep will +- * complain. +- */ +- mutex_acquire(&console_lock_dep_map, 0, 1, _THIS_IP_); +- console_unlock(); +- printk_safe_enter_irqsave(flags); +- } +- printk_safe_exit_irqrestore(flags); +- +- } + } + + return printed_len; +@@ -1924,6 +2009,8 @@ static ssize_t msg_print_ext_header(char *buf, size_t size, + static ssize_t msg_print_ext_body(char *buf, size_t size, + char *dict, size_t dict_len, + char *text, size_t text_len) { return 0; } ++static void console_lock_spinning_enable(void) { } ++static int console_lock_spinning_disable_and_check(void) { return 0; } + static void call_console_drivers(const char *ext_text, size_t ext_len, + const char *text, size_t len) {} + static size_t msg_print_text(const struct printk_log *msg, +@@ -2210,7 +2297,6 @@ void console_unlock(void) + static u64 seen_seq; + unsigned long flags; + bool wake_klogd = false; +- bool waiter = false; + bool do_cond_resched, retry; + + if (console_suspended) { +@@ -2305,31 +2391,16 @@ void console_unlock(void) + * finish. This task can not be preempted if there is a + * waiter waiting to take over. + */ +- raw_spin_lock(&console_owner_lock); +- console_owner = current; +- raw_spin_unlock(&console_owner_lock); +- +- /* The waiter may spin on us after setting console_owner */ +- spin_acquire(&console_owner_dep_map, 0, 0, _THIS_IP_); ++ console_lock_spinning_enable(); + + stop_critical_timings(); /* don't trace print latency */ + call_console_drivers(ext_text, ext_len, text, len); + start_critical_timings(); + +- raw_spin_lock(&console_owner_lock); +- waiter = READ_ONCE(console_waiter); +- console_owner = NULL; +- raw_spin_unlock(&console_owner_lock); +- +- /* +- * If there is a waiter waiting for us, then pass the +- * rest of the work load over to that waiter. +- */ +- if (waiter) +- break; +- +- /* There was no waiter, and nothing will spin on us here */ +- spin_release(&console_owner_dep_map, 1, _THIS_IP_); ++ if (console_lock_spinning_disable_and_check()) { ++ printk_safe_exit_irqrestore(flags); ++ return; ++ } + + printk_safe_exit_irqrestore(flags); + +@@ -2337,26 +2408,6 @@ void console_unlock(void) + cond_resched(); + } + +- /* +- * If there is an active waiter waiting on the console_lock. +- * Pass off the printing to the waiter, and the waiter +- * will continue printing on its CPU, and when all writing +- * has finished, the last printer will wake up klogd. +- */ +- if (waiter) { +- WRITE_ONCE(console_waiter, false); +- /* The waiter is now free to continue */ +- spin_release(&console_owner_dep_map, 1, _THIS_IP_); +- /* +- * Hand off console_lock to waiter. The waiter will perform +- * the up(). After this, the waiter is the console_lock owner. +- */ +- mutex_release(&console_lock_dep_map, 1, _THIS_IP_); +- printk_safe_exit_irqrestore(flags); +- /* Note, if waiter is set, logbuf_lock is not held */ +- return; +- } +- + console_locked = 0; + + /* Release the exclusive_console once it is used */ +-- +2.19.1 + diff --git a/queue-4.14/printk-never-set-console_may_schedule-in-console_try.patch b/queue-4.14/printk-never-set-console_may_schedule-in-console_try.patch new file mode 100644 index 00000000000..fbe4f7dd115 --- /dev/null +++ b/queue-4.14/printk-never-set-console_may_schedule-in-console_try.patch @@ -0,0 +1,113 @@ +From 8c3e1e2293af4d4224811cec39e8815ef94be2d2 Mon Sep 17 00:00:00 2001 +From: Sergey Senozhatsky +Date: Tue, 16 Jan 2018 13:47:16 +0900 +Subject: printk: Never set console_may_schedule in console_trylock() + +[ Upstream commit fd5f7cde1b85d4c8e09ca46ce948e008a2377f64 ] + +This patch, basically, reverts commit 6b97a20d3a79 ("printk: +set may_schedule for some of console_trylock() callers"). +That commit was a mistake, it introduced a big dependency +on the scheduler, by enabling preemption under console_sem +in printk()->console_unlock() path, which is rather too +critical. The patch did not significantly reduce the +possibilities of printk() lockups, but made it possible to +stall printk(), as has been reported by Tetsuo Handa [1]. + +Another issues is that preemption under console_sem also +messes up with Steven Rostedt's hand off scheme, by making +it possible to sleep with console_sem both in console_unlock() +and in vprintk_emit(), after acquiring the console_sem +ownership (anywhere between printk_safe_exit_irqrestore() in +console_trylock_spinning() and printk_safe_enter_irqsave() +in console_unlock()). This makes hand off less likely and, +at the same time, may result in a significant amount of +pending logbuf messages. Preempted console_sem owner makes +it impossible for other CPUs to emit logbuf messages, but +does not make it impossible for other CPUs to append new +messages to the logbuf. + +Reinstate the old behavior and make printk() non-preemptible. +Should any printk() lockup reports arrive they must be handled +in a different way. + +[1] http://lkml.kernel.org/r/201603022101.CAH73907.OVOOMFHFFtQJSL%20()%20I-love%20!%20SAKURA%20!%20ne%20!%20jp +Fixes: 6b97a20d3a79 ("printk: set may_schedule for some of console_trylock() callers") +Link: http://lkml.kernel.org/r/20180116044716.GE6607@jagdpanzerIV +To: Tetsuo Handa +Cc: Sergey Senozhatsky +Cc: Tejun Heo +Cc: akpm@linux-foundation.org +Cc: linux-mm@kvack.org +Cc: Cong Wang +Cc: Dave Hansen +Cc: Johannes Weiner +Cc: Mel Gorman +Cc: Michal Hocko +Cc: Vlastimil Babka +Cc: Peter Zijlstra +Cc: Linus Torvalds +Cc: Jan Kara +Cc: Mathieu Desnoyers +Cc: Byungchul Park +Cc: Pavel Machek +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sergey Senozhatsky +Reported-by: Tetsuo Handa +Reviewed-by: Steven Rostedt (VMware) +Signed-off-by: Petr Mladek +Signed-off-by: Sasha Levin +--- + kernel/printk/printk.c | 22 ++++++++-------------- + 1 file changed, 8 insertions(+), 14 deletions(-) + +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c +index 2d1c2700bd85..2f654a79f80b 100644 +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -1902,6 +1902,12 @@ asmlinkage int vprintk_emit(int facility, int level, + + /* If called from the scheduler, we can not call up(). */ + if (!in_sched) { ++ /* ++ * Disable preemption to avoid being preempted while holding ++ * console_sem which would prevent anyone from printing to ++ * console ++ */ ++ preempt_disable(); + /* + * Try to acquire and then immediately release the console + * semaphore. The release will print out buffers and wake up +@@ -1909,6 +1915,7 @@ asmlinkage int vprintk_emit(int facility, int level, + */ + if (console_trylock_spinning()) + console_unlock(); ++ preempt_enable(); + } + + return printed_len; +@@ -2225,20 +2232,7 @@ int console_trylock(void) + return 0; + } + console_locked = 1; +- /* +- * When PREEMPT_COUNT disabled we can't reliably detect if it's +- * safe to schedule (e.g. calling printk while holding a spin_lock), +- * because preempt_disable()/preempt_enable() are just barriers there +- * and preempt_count() is always 0. +- * +- * RCU read sections have a separate preemption counter when +- * PREEMPT_RCU enabled thus we must take extra care and check +- * rcu_preempt_depth(), otherwise RCU read sections modify +- * preempt_count(). +- */ +- console_may_schedule = !oops_in_progress && +- preemptible() && +- !rcu_preempt_depth(); ++ console_may_schedule = 0; + return 1; + } + EXPORT_SYMBOL(console_trylock); +-- +2.19.1 + diff --git a/queue-4.14/printk-wake-klogd-when-passing-console_lock-owner.patch b/queue-4.14/printk-wake-klogd-when-passing-console_lock-owner.patch new file mode 100644 index 00000000000..7c4caf3bd9e --- /dev/null +++ b/queue-4.14/printk-wake-klogd-when-passing-console_lock-owner.patch @@ -0,0 +1,94 @@ +From adcc7accbc8d54cd9ba446a87e44b85e7c5cfa06 Mon Sep 17 00:00:00 2001 +From: Petr Mladek +Date: Mon, 26 Feb 2018 15:44:20 +0100 +Subject: printk: Wake klogd when passing console_lock owner + +[ Upstream commit c14376de3a1befa70d9811ca2872d47367b48767 ] + +wake_klogd is a local variable in console_unlock(). The information +is lost when the console_lock owner using the busy wait added by +the commit dbdda842fe96f8932 ("printk: Add console owner and waiter +logic to load balance console writes"). The following race is +possible: + +CPU0 CPU1 +console_unlock() + + for (;;) + /* calling console for last message */ + + printk() + log_store() + log_next_seq++; + + /* see new message */ + if (seen_seq != log_next_seq) { + wake_klogd = true; + seen_seq = log_next_seq; + } + + console_lock_spinning_enable(); + + if (console_trylock_spinning()) + /* spinning */ + + if (console_lock_spinning_disable_and_check()) { + printk_safe_exit_irqrestore(flags); + return; + + console_unlock() + if (seen_seq != log_next_seq) { + /* already seen */ + /* nothing to do */ + +Result: Nobody would wakeup klogd. + +One solution would be to make a global variable from wake_klogd. +But then we would need to manipulate it under a lock or so. + +This patch wakes klogd also when console_lock is passed to the +spinning waiter. It looks like the right way to go. Also userspace +should have a chance to see and store any "flood" of messages. + +Note that the very late klogd wake up was a historic solution. +It made sense on single CPU systems or when sys_syslog() operations +were synchronized using the big kernel lock like in v2.1.113. +But it is questionable these days. + +Fixes: dbdda842fe96f8932 ("printk: Add console owner and waiter logic to load balance console writes") +Link: http://lkml.kernel.org/r/20180226155734.dzwg3aovqnwtvkoy@pathway.suse.cz +Cc: Steven Rostedt +Cc: linux-kernel@vger.kernel.org +Cc: Tejun Heo +Suggested-by: Sergey Senozhatsky +Reviewed-by: Sergey Senozhatsky +Signed-off-by: Petr Mladek +Signed-off-by: Sasha Levin +--- + kernel/printk/printk.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c +index 2f654a79f80b..2e2c86dd226f 100644 +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -2393,7 +2393,7 @@ void console_unlock(void) + + if (console_lock_spinning_disable_and_check()) { + printk_safe_exit_irqrestore(flags); +- return; ++ goto out; + } + + printk_safe_exit_irqrestore(flags); +@@ -2426,6 +2426,7 @@ void console_unlock(void) + if (retry && console_trylock()) + goto again; + ++out: + if (wake_klogd) + wake_up_klogd(); + } +-- +2.19.1 + diff --git a/queue-4.14/pstore-ram-correctly-calculate-usable-prz-bytes.patch b/queue-4.14/pstore-ram-correctly-calculate-usable-prz-bytes.patch new file mode 100644 index 00000000000..40282bc2e64 --- /dev/null +++ b/queue-4.14/pstore-ram-correctly-calculate-usable-prz-bytes.patch @@ -0,0 +1,80 @@ +From cbf75875d5f6442a3a0bdfd7f35cf6afaf7e2829 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Thu, 1 Nov 2018 16:17:22 -0700 +Subject: pstore/ram: Correctly calculate usable PRZ bytes + +[ Upstream commit 89d328f637b9904b6d4c9af73c8a608b8dd4d6f8 ] + +The actual number of bytes stored in a PRZ is smaller than the +bytes requested by platform data, since there is a header on each +PRZ. Additionally, if ECC is enabled, there are trailing bytes used +as well. Normally this mismatch doesn't matter since PRZs are circular +buffers and the leading "overflow" bytes are just thrown away. However, in +the case of a compressed record, this rather badly corrupts the results. + +This corruption was visible with "ramoops.mem_size=204800 ramoops.ecc=1". +Any stored crashes would not be uncompressable (producing a pstorefs +"dmesg-*.enc.z" file), and triggering errors at boot: + + [ 2.790759] pstore: crypto_comp_decompress failed, ret = -22! + +Backporting this depends on commit 70ad35db3321 ("pstore: Convert console +write to use ->write_buf") + +Reported-by: Joel Fernandes +Fixes: b0aad7a99c1d ("pstore: Add compression support to pstore") +Signed-off-by: Kees Cook +Reviewed-by: Joel Fernandes (Google) +Signed-off-by: Sasha Levin +--- + fs/pstore/ram.c | 15 ++++++--------- + include/linux/pstore.h | 5 ++++- + 2 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c +index 7125b398d312..9f7e546d7050 100644 +--- a/fs/pstore/ram.c ++++ b/fs/pstore/ram.c +@@ -804,17 +804,14 @@ static int ramoops_probe(struct platform_device *pdev) + + cxt->pstore.data = cxt; + /* +- * Console can handle any buffer size, so prefer LOG_LINE_MAX. If we +- * have to handle dumps, we must have at least record_size buffer. And +- * for ftrace, bufsize is irrelevant (if bufsize is 0, buf will be +- * ZERO_SIZE_PTR). ++ * Since bufsize is only used for dmesg crash dumps, it ++ * must match the size of the dprz record (after PRZ header ++ * and ECC bytes have been accounted for). + */ +- if (cxt->console_size) +- cxt->pstore.bufsize = 1024; /* LOG_LINE_MAX */ +- cxt->pstore.bufsize = max(cxt->record_size, cxt->pstore.bufsize); +- cxt->pstore.buf = kmalloc(cxt->pstore.bufsize, GFP_KERNEL); ++ cxt->pstore.bufsize = cxt->dprzs[0]->buffer_size; ++ cxt->pstore.buf = kzalloc(cxt->pstore.bufsize, GFP_KERNEL); + if (!cxt->pstore.buf) { +- pr_err("cannot allocate pstore buffer\n"); ++ pr_err("cannot allocate pstore crash dump buffer\n"); + err = -ENOMEM; + goto fail_clear; + } +diff --git a/include/linux/pstore.h b/include/linux/pstore.h +index 61f806a7fe29..170bb981d2fd 100644 +--- a/include/linux/pstore.h ++++ b/include/linux/pstore.h +@@ -90,7 +90,10 @@ struct pstore_record { + * + * @buf_lock: spinlock to serialize access to @buf + * @buf: preallocated crash dump buffer +- * @bufsize: size of @buf available for crash dump writes ++ * @bufsize: size of @buf available for crash dump bytes (must match ++ * smallest number of bytes available for writing to a ++ * backend entry, since compressed bytes don't take kindly ++ * to being truncated) + * + * @read_mutex: serializes @open, @read, @close, and @erase callbacks + * @flags: bitfield of frontends the backend can accept writes for +-- +2.19.1 + diff --git a/queue-4.14/rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch b/queue-4.14/rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch new file mode 100644 index 00000000000..2f1a3b16dfd --- /dev/null +++ b/queue-4.14/rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch @@ -0,0 +1,67 @@ +From 6ac4e44b87deeed9d0f2627988b85e4c7419bbfe Mon Sep 17 00:00:00 2001 +From: Majd Dibbiny +Date: Mon, 5 Nov 2018 08:07:37 +0200 +Subject: RDMA/mlx5: Fix fence type for IB_WR_LOCAL_INV WR + +[ Upstream commit 074fca3a18e7e1e0d4d7dcc9d7badc43b90232f4 ] + +Currently, for IB_WR_LOCAL_INV WR, when the next fence is None, the +current fence will be SMALL instead of Normal Fence. + +Without this patch krping doesn't work on CX-5 devices and throws +following error: + +The error messages are from CX5 driver are: (from server side) +[ 710.434014] mlx5_0:dump_cqe:278:(pid 2712): dump error cqe +[ 710.434016] 00000000 00000000 00000000 00000000 +[ 710.434016] 00000000 00000000 00000000 00000000 +[ 710.434017] 00000000 00000000 00000000 00000000 +[ 710.434018] 00000000 93003204 100000b8 000524d2 +[ 710.434019] krping: cq completion failed with wr_id 0 status 4 opcode 128 vender_err 32 + +Fixed the logic to set the correct fence type. + +Fixes: 6e8484c5cf07 ("RDMA/mlx5: set UMR wqe fence according to HCA cap") +Signed-off-by: Majd Dibbiny +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/qp.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c +index dfc190055167..964c3a0bbf16 100644 +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -3928,17 +3928,18 @@ int mlx5_ib_post_send(struct ib_qp *ibqp, struct ib_send_wr *wr, + goto out; + } + +- if (wr->opcode == IB_WR_LOCAL_INV || +- wr->opcode == IB_WR_REG_MR) { ++ if (wr->opcode == IB_WR_REG_MR) { + fence = dev->umr_fence; + next_fence = MLX5_FENCE_MODE_INITIATOR_SMALL; +- } else if (wr->send_flags & IB_SEND_FENCE) { +- if (qp->next_fence) +- fence = MLX5_FENCE_MODE_SMALL_AND_FENCE; +- else +- fence = MLX5_FENCE_MODE_FENCE; +- } else { +- fence = qp->next_fence; ++ } else { ++ if (wr->send_flags & IB_SEND_FENCE) { ++ if (qp->next_fence) ++ fence = MLX5_FENCE_MODE_SMALL_AND_FENCE; ++ else ++ fence = MLX5_FENCE_MODE_FENCE; ++ } else { ++ fence = qp->next_fence; ++ } + } + + switch (ibqp->qp_type) { +-- +2.19.1 + diff --git a/queue-4.14/rdma-rdmavt-fix-rvt_create_ah-function-signature.patch b/queue-4.14/rdma-rdmavt-fix-rvt_create_ah-function-signature.patch new file mode 100644 index 00000000000..5c6d8c7973c --- /dev/null +++ b/queue-4.14/rdma-rdmavt-fix-rvt_create_ah-function-signature.patch @@ -0,0 +1,63 @@ +From c8c3702cd7c2a1d6f03bd5ff0bfc3370cf426bce Mon Sep 17 00:00:00 2001 +From: Kamal Heib +Date: Thu, 15 Nov 2018 09:49:38 -0800 +Subject: RDMA/rdmavt: Fix rvt_create_ah function signature + +[ Upstream commit 4f32fb921b153ae9ea280e02a3e91509fffc03d3 ] + +rdmavt uses a crazy system that looses the type checking when assinging +functions to struct ib_device function pointers. Because of this the +signature to this function was not changed when the below commit revised +things. + +Fix the signature so we are not calling a function pointer with a +mismatched signature. + +Fixes: 477864c8fcd9 ("IB/core: Let create_ah return extended response to user") +Signed-off-by: Kamal Heib +Reviewed-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rdmavt/ah.c | 4 +++- + drivers/infiniband/sw/rdmavt/ah.h | 3 ++- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/sw/rdmavt/ah.c b/drivers/infiniband/sw/rdmavt/ah.c +index ba3639a0d77c..48ea5b8207f0 100644 +--- a/drivers/infiniband/sw/rdmavt/ah.c ++++ b/drivers/infiniband/sw/rdmavt/ah.c +@@ -91,13 +91,15 @@ EXPORT_SYMBOL(rvt_check_ah); + * rvt_create_ah - create an address handle + * @pd: the protection domain + * @ah_attr: the attributes of the AH ++ * @udata: pointer to user's input output buffer information. + * + * This may be called from interrupt context. + * + * Return: newly allocated ah + */ + struct ib_ah *rvt_create_ah(struct ib_pd *pd, +- struct rdma_ah_attr *ah_attr) ++ struct rdma_ah_attr *ah_attr, ++ struct ib_udata *udata) + { + struct rvt_ah *ah; + struct rvt_dev_info *dev = ib_to_rvt(pd->device); +diff --git a/drivers/infiniband/sw/rdmavt/ah.h b/drivers/infiniband/sw/rdmavt/ah.h +index 16105af99189..25271b48a683 100644 +--- a/drivers/infiniband/sw/rdmavt/ah.h ++++ b/drivers/infiniband/sw/rdmavt/ah.h +@@ -51,7 +51,8 @@ + #include + + struct ib_ah *rvt_create_ah(struct ib_pd *pd, +- struct rdma_ah_attr *ah_attr); ++ struct rdma_ah_attr *ah_attr, ++ struct ib_udata *udata); + int rvt_destroy_ah(struct ib_ah *ibah); + int rvt_modify_ah(struct ib_ah *ibah, struct rdma_ah_attr *ah_attr); + int rvt_query_ah(struct ib_ah *ibah, struct rdma_ah_attr *ah_attr); +-- +2.19.1 + diff --git a/queue-4.14/revert-printk-never-set-console_may_schedule-in-cons.patch b/queue-4.14/revert-printk-never-set-console_may_schedule-in-cons.patch new file mode 100644 index 00000000000..d2309915270 --- /dev/null +++ b/queue-4.14/revert-printk-never-set-console_may_schedule-in-cons.patch @@ -0,0 +1,63 @@ +From cb0a0747c9f61f745643396c4524551198a828ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Dec 2018 09:24:35 -0500 +Subject: Revert "printk: Never set console_may_schedule in console_trylock()" + +This reverts commit c9b8d580b3fb0ab65d37c372aef19a318fda3199. + +This is just a technical revert to make the printk fix apply cleanly, +this patch will be re-picked in about 3 commits. +--- + kernel/printk/printk.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c +index a9cf2e15f6a3..7161312593dd 100644 +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -1762,12 +1762,6 @@ asmlinkage int vprintk_emit(int facility, int level, + + /* If called from the scheduler, we can not call up(). */ + if (!in_sched) { +- /* +- * Disable preemption to avoid being preempted while holding +- * console_sem which would prevent anyone from printing to +- * console +- */ +- preempt_disable(); + /* + * Try to acquire and then immediately release the console + * semaphore. The release will print out buffers and wake up +@@ -1775,7 +1769,6 @@ asmlinkage int vprintk_emit(int facility, int level, + */ + if (console_trylock()) + console_unlock(); +- preempt_enable(); + } + + return printed_len; +@@ -2090,7 +2083,20 @@ int console_trylock(void) + return 0; + } + console_locked = 1; +- console_may_schedule = 0; ++ /* ++ * When PREEMPT_COUNT disabled we can't reliably detect if it's ++ * safe to schedule (e.g. calling printk while holding a spin_lock), ++ * because preempt_disable()/preempt_enable() are just barriers there ++ * and preempt_count() is always 0. ++ * ++ * RCU read sections have a separate preemption counter when ++ * PREEMPT_RCU enabled thus we must take extra care and check ++ * rcu_preempt_depth(), otherwise RCU read sections modify ++ * preempt_count(). ++ */ ++ console_may_schedule = !oops_in_progress && ++ preemptible() && ++ !rcu_preempt_depth(); + return 1; + } + EXPORT_SYMBOL(console_trylock); +-- +2.19.1 + diff --git a/queue-4.14/revert-xen-balloon-mark-unallocated-host-memory-as-u.patch b/queue-4.14/revert-xen-balloon-mark-unallocated-host-memory-as-u.patch new file mode 100644 index 00000000000..3cf3c4f8f02 --- /dev/null +++ b/queue-4.14/revert-xen-balloon-mark-unallocated-host-memory-as-u.patch @@ -0,0 +1,266 @@ +From 93c6372949af346b896809eb0caf7da9abf44ac2 Mon Sep 17 00:00:00 2001 +From: Igor Druzhinin +Date: Tue, 27 Nov 2018 20:58:21 +0000 +Subject: Revert "xen/balloon: Mark unallocated host memory as UNUSABLE" + +[ Upstream commit 123664101aa2156d05251704fc63f9bcbf77741a ] + +This reverts commit b3cf8528bb21febb650a7ecbf080d0647be40b9f. + +That commit unintentionally broke Xen balloon memory hotplug with +"hotplug_unpopulated" set to 1. As long as "System RAM" resource +got assigned under a new "Unusable memory" resource in IO/Mem tree +any attempt to online this memory would fail due to general kernel +restrictions on having "System RAM" resources as 1st level only. + +The original issue that commit has tried to workaround fa564ad96366 +("x86/PCI: Enable a 64bit BAR on AMD Family 15h (Models 00-1f, 30-3f, +60-7f)") also got amended by the following 03a551734 ("x86/PCI: Move +and shrink AMD 64-bit window to avoid conflict") which made the +original fix to Xen ballooning unnecessary. + +Signed-off-by: Igor Druzhinin +Reviewed-by: Boris Ostrovsky +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/xen/enlighten.c | 78 ---------------------------------------- + arch/x86/xen/setup.c | 6 ++-- + drivers/xen/balloon.c | 65 +++++---------------------------- + include/xen/balloon.h | 5 --- + 4 files changed, 13 insertions(+), 141 deletions(-) + +diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c +index df208af3cd74..515d5e4414c2 100644 +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -7,7 +7,6 @@ + + #include + #include +-#include + + #include + #include +@@ -336,80 +335,3 @@ void xen_arch_unregister_cpu(int num) + } + EXPORT_SYMBOL(xen_arch_unregister_cpu); + #endif +- +-#ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG +-void __init arch_xen_balloon_init(struct resource *hostmem_resource) +-{ +- struct xen_memory_map memmap; +- int rc; +- unsigned int i, last_guest_ram; +- phys_addr_t max_addr = PFN_PHYS(max_pfn); +- struct e820_table *xen_e820_table; +- const struct e820_entry *entry; +- struct resource *res; +- +- if (!xen_initial_domain()) +- return; +- +- xen_e820_table = kmalloc(sizeof(*xen_e820_table), GFP_KERNEL); +- if (!xen_e820_table) +- return; +- +- memmap.nr_entries = ARRAY_SIZE(xen_e820_table->entries); +- set_xen_guest_handle(memmap.buffer, xen_e820_table->entries); +- rc = HYPERVISOR_memory_op(XENMEM_machine_memory_map, &memmap); +- if (rc) { +- pr_warn("%s: Can't read host e820 (%d)\n", __func__, rc); +- goto out; +- } +- +- last_guest_ram = 0; +- for (i = 0; i < memmap.nr_entries; i++) { +- if (xen_e820_table->entries[i].addr >= max_addr) +- break; +- if (xen_e820_table->entries[i].type == E820_TYPE_RAM) +- last_guest_ram = i; +- } +- +- entry = &xen_e820_table->entries[last_guest_ram]; +- if (max_addr >= entry->addr + entry->size) +- goto out; /* No unallocated host RAM. */ +- +- hostmem_resource->start = max_addr; +- hostmem_resource->end = entry->addr + entry->size; +- +- /* +- * Mark non-RAM regions between the end of dom0 RAM and end of host RAM +- * as unavailable. The rest of that region can be used for hotplug-based +- * ballooning. +- */ +- for (; i < memmap.nr_entries; i++) { +- entry = &xen_e820_table->entries[i]; +- +- if (entry->type == E820_TYPE_RAM) +- continue; +- +- if (entry->addr >= hostmem_resource->end) +- break; +- +- res = kzalloc(sizeof(*res), GFP_KERNEL); +- if (!res) +- goto out; +- +- res->name = "Unavailable host RAM"; +- res->start = entry->addr; +- res->end = (entry->addr + entry->size < hostmem_resource->end) ? +- entry->addr + entry->size : hostmem_resource->end; +- rc = insert_resource(hostmem_resource, res); +- if (rc) { +- pr_warn("%s: Can't insert [%llx - %llx) (%d)\n", +- __func__, res->start, res->end, rc); +- kfree(res); +- goto out; +- } +- } +- +- out: +- kfree(xen_e820_table); +-} +-#endif /* CONFIG_XEN_BALLOON_MEMORY_HOTPLUG */ +diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c +index 6e0d2086eacb..c114ca767b3b 100644 +--- a/arch/x86/xen/setup.c ++++ b/arch/x86/xen/setup.c +@@ -808,6 +808,7 @@ char * __init xen_memory_setup(void) + addr = xen_e820_table.entries[0].addr; + size = xen_e820_table.entries[0].size; + while (i < xen_e820_table.nr_entries) { ++ bool discard = false; + + chunk_size = size; + type = xen_e820_table.entries[i].type; +@@ -823,10 +824,11 @@ char * __init xen_memory_setup(void) + xen_add_extra_mem(pfn_s, n_pfns); + xen_max_p2m_pfn = pfn_s + n_pfns; + } else +- type = E820_TYPE_UNUSABLE; ++ discard = true; + } + +- xen_align_and_add_e820_region(addr, chunk_size, type); ++ if (!discard) ++ xen_align_and_add_e820_region(addr, chunk_size, type); + + addr += chunk_size; + size -= chunk_size; +diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c +index 065f0b607373..f77e499afddd 100644 +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -257,25 +257,10 @@ static void release_memory_resource(struct resource *resource) + kfree(resource); + } + +-/* +- * Host memory not allocated to dom0. We can use this range for hotplug-based +- * ballooning. +- * +- * It's a type-less resource. Setting IORESOURCE_MEM will make resource +- * management algorithms (arch_remove_reservations()) look into guest e820, +- * which we don't want. +- */ +-static struct resource hostmem_resource = { +- .name = "Host RAM", +-}; +- +-void __attribute__((weak)) __init arch_xen_balloon_init(struct resource *res) +-{} +- + static struct resource *additional_memory_resource(phys_addr_t size) + { +- struct resource *res, *res_hostmem; +- int ret = -ENOMEM; ++ struct resource *res; ++ int ret; + + res = kzalloc(sizeof(*res), GFP_KERNEL); + if (!res) +@@ -284,42 +269,13 @@ static struct resource *additional_memory_resource(phys_addr_t size) + res->name = "System RAM"; + res->flags = IORESOURCE_SYSTEM_RAM | IORESOURCE_BUSY; + +- res_hostmem = kzalloc(sizeof(*res), GFP_KERNEL); +- if (res_hostmem) { +- /* Try to grab a range from hostmem */ +- res_hostmem->name = "Host memory"; +- ret = allocate_resource(&hostmem_resource, res_hostmem, +- size, 0, -1, +- PAGES_PER_SECTION * PAGE_SIZE, NULL, NULL); +- } +- +- if (!ret) { +- /* +- * Insert this resource into iomem. Because hostmem_resource +- * tracks portion of guest e820 marked as UNUSABLE noone else +- * should try to use it. +- */ +- res->start = res_hostmem->start; +- res->end = res_hostmem->end; +- ret = insert_resource(&iomem_resource, res); +- if (ret < 0) { +- pr_err("Can't insert iomem_resource [%llx - %llx]\n", +- res->start, res->end); +- release_memory_resource(res_hostmem); +- res_hostmem = NULL; +- res->start = res->end = 0; +- } +- } +- +- if (ret) { +- ret = allocate_resource(&iomem_resource, res, +- size, 0, -1, +- PAGES_PER_SECTION * PAGE_SIZE, NULL, NULL); +- if (ret < 0) { +- pr_err("Cannot allocate new System RAM resource\n"); +- kfree(res); +- return NULL; +- } ++ ret = allocate_resource(&iomem_resource, res, ++ size, 0, -1, ++ PAGES_PER_SECTION * PAGE_SIZE, NULL, NULL); ++ if (ret < 0) { ++ pr_err("Cannot allocate new System RAM resource\n"); ++ kfree(res); ++ return NULL; + } + + #ifdef CONFIG_SPARSEMEM +@@ -331,7 +287,6 @@ static struct resource *additional_memory_resource(phys_addr_t size) + pr_err("New System RAM resource outside addressable RAM (%lu > %lu)\n", + pfn, limit); + release_memory_resource(res); +- release_memory_resource(res_hostmem); + return NULL; + } + } +@@ -810,8 +765,6 @@ static int __init balloon_init(void) + set_online_page_callback(&xen_online_page); + register_memory_notifier(&xen_memory_nb); + register_sysctl_table(xen_root); +- +- arch_xen_balloon_init(&hostmem_resource); + #endif + + #ifdef CONFIG_XEN_PV +diff --git a/include/xen/balloon.h b/include/xen/balloon.h +index 61f410fd74e4..4914b93a23f2 100644 +--- a/include/xen/balloon.h ++++ b/include/xen/balloon.h +@@ -44,8 +44,3 @@ static inline void xen_balloon_init(void) + { + } + #endif +- +-#ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG +-struct resource; +-void arch_xen_balloon_init(struct resource *hostmem_resource); +-#endif +-- +2.19.1 + diff --git a/queue-4.14/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch b/queue-4.14/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch new file mode 100644 index 00000000000..75e125dfad4 --- /dev/null +++ b/queue-4.14/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch @@ -0,0 +1,113 @@ +From 9df84abaa4cc452b004626a67572b5762aaeb2e1 Mon Sep 17 00:00:00 2001 +From: Thomas Richter +Date: Tue, 13 Nov 2018 15:38:22 +0000 +Subject: s390/cpum_cf: Reject request for sampling in event initialization + +[ Upstream commit 613a41b0d16e617f46776a93b975a1eeea96417c ] + +On s390 command perf top fails +[root@s35lp76 perf] # ./perf top -F100000 --stdio + Error: + cycles: PMU Hardware doesn't support sampling/overflow-interrupts. + Try 'perf stat' +[root@s35lp76 perf] # + +Using event -e rb0000 works as designed. Event rb0000 is the event +number of the sampling facility for basic sampling. + +During system start up the following PMUs are installed in the kernel's +PMU list (from head to tail): + cpum_cf --> s390 PMU counter facility device driver + cpum_sf --> s390 PMU sampling facility device driver + uprobe + kprobe + tracepoint + task_clock + cpu_clock + +Perf top executes following functions and calls perf_event_open(2) system +call with different parameters many times: + +cmd_top +--> __cmd_top + --> perf_evlist__add_default + --> __perf_evlist__add_default + --> perf_evlist__new_cycles (creates event type:0 (HW) + config 0 (CPU_CYCLES) + --> perf_event_attr__set_max_precise_ip + Uses perf_event_open(2) to detect correct + precise_ip level. Fails 3 times on s390 which is ok. + +Then functions cmd_top +--> __cmd_top + --> perf_top__start_counters + -->perf_evlist__config + --> perf_can_comm_exec + --> perf_probe_api + This functions test support for the following events: + "cycles:u", "instructions:u", "cpu-clock:u" using + --> perf_do_probe_api + --> perf_event_open_cloexec + Test the close on exec flag support with + perf_event_open(2). + perf_do_probe_api returns true if the event is + supported. + The function returns true because event cpu-clock is + supported by the PMU cpu_clock. + This is achieved by many calls to perf_event_open(2). + +Function perf_top__start_counters now calls perf_evsel__open() for every +event, which is the default event cpu_cycles (config:0) and type HARDWARE +(type:0) which a predfined frequence of 4000. + +Given the above order of the PMU list, the PMU cpum_cf gets called first +and returns 0, which indicates support for this sampling. The event is +fully allocated in the function perf_event_open (file kernel/event/core.c +near line 10521 and the following check fails: + + event = perf_event_alloc(&attr, cpu, task, group_leader, NULL, + NULL, NULL, cgroup_fd); + if (IS_ERR(event)) { + err = PTR_ERR(event); + goto err_cred; + } + + if (is_sampling_event(event)) { + if (event->pmu->capabilities & PERF_PMU_CAP_NO_INTERRUPT) { + err = -EOPNOTSUPP; + goto err_alloc; + } + } + +The check for the interrupt capabilities fails and the system call +perf_event_open() returns -EOPNOTSUPP (-95). + +Add a check to return -ENODEV when sampling is requested in PMU cpum_cf. +This allows common kernel code in the perf_event_open() system call to +test the next PMU in above list. + +Fixes: 97b1198fece0 (" "s390, perf: Use common PMU interrupt disabled code") +Signed-off-by: Thomas Richter +Reviewed-by: Hendrik Brueckner +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/perf_cpum_cf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/s390/kernel/perf_cpum_cf.c b/arch/s390/kernel/perf_cpum_cf.c +index 61e91fee8467..edf6a61f0a64 100644 +--- a/arch/s390/kernel/perf_cpum_cf.c ++++ b/arch/s390/kernel/perf_cpum_cf.c +@@ -349,6 +349,8 @@ static int __hw_perf_event_init(struct perf_event *event) + break; + + case PERF_TYPE_HARDWARE: ++ if (is_sampling_event(event)) /* No sampling support */ ++ return -ENOENT; + ev = attr->config; + /* Count user space (problem-state) only */ + if (!attr->exclude_user && attr->exclude_kernel) { +-- +2.19.1 + diff --git a/queue-4.14/selftests-add-script-to-stress-test-nft-packet-path-.patch b/queue-4.14/selftests-add-script-to-stress-test-nft-packet-path-.patch new file mode 100644 index 00000000000..8dbc57dfab0 --- /dev/null +++ b/queue-4.14/selftests-add-script-to-stress-test-nft-packet-path-.patch @@ -0,0 +1,150 @@ +From d3be2b10c062f97e5eea943fb856de9543c7fe9d Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Wed, 31 Oct 2018 18:26:21 +0100 +Subject: selftests: add script to stress-test nft packet path vs. control + plane + +[ Upstream commit 25d8bcedbf4329895dbaf9dd67baa6f18dad918c ] + +Start flood ping for each cpu while loading/flushing rulesets to make +sure we do not access already-free'd rules from nf_tables evaluation loop. + +Also add this to TARGETS so 'make run_tests' in selftest dir runs it +automatically. + +This would have caught the bug fixed in previous change +("netfilter: nf_tables: do not skip inactive chains during generation update") +sooner. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/Makefile | 1 + + tools/testing/selftests/netfilter/Makefile | 6 ++ + tools/testing/selftests/netfilter/config | 2 + + .../selftests/netfilter/nft_trans_stress.sh | 78 +++++++++++++++++++ + 4 files changed, 87 insertions(+) + create mode 100644 tools/testing/selftests/netfilter/Makefile + create mode 100644 tools/testing/selftests/netfilter/config + create mode 100755 tools/testing/selftests/netfilter/nft_trans_stress.sh + +diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile +index ea300e7818a7..10b89f5b9af7 100644 +--- a/tools/testing/selftests/Makefile ++++ b/tools/testing/selftests/Makefile +@@ -20,6 +20,7 @@ TARGETS += memory-hotplug + TARGETS += mount + TARGETS += mqueue + TARGETS += net ++TARGETS += netfilter + TARGETS += nsfs + TARGETS += powerpc + TARGETS += pstore +diff --git a/tools/testing/selftests/netfilter/Makefile b/tools/testing/selftests/netfilter/Makefile +new file mode 100644 +index 000000000000..47ed6cef93fb +--- /dev/null ++++ b/tools/testing/selftests/netfilter/Makefile +@@ -0,0 +1,6 @@ ++# SPDX-License-Identifier: GPL-2.0 ++# Makefile for netfilter selftests ++ ++TEST_PROGS := nft_trans_stress.sh ++ ++include ../lib.mk +diff --git a/tools/testing/selftests/netfilter/config b/tools/testing/selftests/netfilter/config +new file mode 100644 +index 000000000000..1017313e41a8 +--- /dev/null ++++ b/tools/testing/selftests/netfilter/config +@@ -0,0 +1,2 @@ ++CONFIG_NET_NS=y ++NF_TABLES_INET=y +diff --git a/tools/testing/selftests/netfilter/nft_trans_stress.sh b/tools/testing/selftests/netfilter/nft_trans_stress.sh +new file mode 100755 +index 000000000000..f1affd12c4b1 +--- /dev/null ++++ b/tools/testing/selftests/netfilter/nft_trans_stress.sh +@@ -0,0 +1,78 @@ ++#!/bin/bash ++# ++# This test is for stress-testing the nf_tables config plane path vs. ++# packet path processing: Make sure we never release rules that are ++# still visible to other cpus. ++# ++# set -e ++ ++# Kselftest framework requirement - SKIP code is 4. ++ksft_skip=4 ++ ++testns=testns1 ++tables="foo bar baz quux" ++ ++nft --version > /dev/null 2>&1 ++if [ $? -ne 0 ];then ++ echo "SKIP: Could not run test without nft tool" ++ exit $ksft_skip ++fi ++ ++ip -Version > /dev/null 2>&1 ++if [ $? -ne 0 ];then ++ echo "SKIP: Could not run test without ip tool" ++ exit $ksft_skip ++fi ++ ++tmp=$(mktemp) ++ ++for table in $tables; do ++ echo add table inet "$table" >> "$tmp" ++ echo flush table inet "$table" >> "$tmp" ++ ++ echo "add chain inet $table INPUT { type filter hook input priority 0; }" >> "$tmp" ++ echo "add chain inet $table OUTPUT { type filter hook output priority 0; }" >> "$tmp" ++ for c in $(seq 1 400); do ++ chain=$(printf "chain%03u" "$c") ++ echo "add chain inet $table $chain" >> "$tmp" ++ done ++ ++ for c in $(seq 1 400); do ++ chain=$(printf "chain%03u" "$c") ++ for BASE in INPUT OUTPUT; do ++ echo "add rule inet $table $BASE counter jump $chain" >> "$tmp" ++ done ++ echo "add rule inet $table $chain counter return" >> "$tmp" ++ done ++done ++ ++ip netns add "$testns" ++ip -netns "$testns" link set lo up ++ ++lscpu | grep ^CPU\(s\): | ( read cpu cpunum ; ++cpunum=$((cpunum-1)) ++for i in $(seq 0 $cpunum);do ++ mask=$(printf 0x%x $((1<<$i))) ++ ip netns exec "$testns" taskset $mask ping -4 127.0.0.1 -fq > /dev/null & ++ ip netns exec "$testns" taskset $mask ping -6 ::1 -fq > /dev/null & ++done) ++ ++sleep 1 ++ ++for i in $(seq 1 10) ; do ip netns exec "$testns" nft -f "$tmp" & done ++ ++for table in $tables;do ++ randsleep=$((RANDOM%10)) ++ sleep $randsleep ++ ip netns exec "$testns" nft delete table inet $table 2>/dev/null ++done ++ ++randsleep=$((RANDOM%10)) ++sleep $randsleep ++ ++pkill -9 ping ++ ++wait ++ ++rm -f "$tmp" ++ip netns del "$testns" +-- +2.19.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 721240db74c..565192d40f0 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -13,3 +13,71 @@ tcp-do-not-underestimate-rwnd_limited.patch tcp-fix-null-ref-in-tail-loss-probe.patch tun-forbid-iface-creation-with-rtnl-ops.patch virtio-net-keep-vnet-header-zeroed-after-processing-xdp.patch +arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch +asoc-rsnd-fixup-clock-start-checker.patch +staging-rtl8723bs-fix-the-return-value-in-case-of-er.patch +arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch +arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch +sysv-return-err-instead-of-0-in-__sysv_write_inode.patch +selftests-add-script-to-stress-test-nft-packet-path-.patch +netfilter-nf_tables-fix-use-after-free-when-deleting.patch +hwmon-ina2xx-fix-null-id-pointer-in-probe.patch +asoc-wm_adsp-fix-dma-unsafe-read-of-scratch-register.patch +s390-cpum_cf-reject-request-for-sampling-in-event-in.patch +hwmon-ina2xx-fix-current-value-calculation.patch +asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch +asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch +iio-hid-sensors-fix-iio_chan_info_raw-returning-wron.patch +netfilter-xt_hashlimit-fix-a-possible-memory-leak-in.patch +hwmon-w83795-temp4_type-has-writable-permission.patch +perf-tools-restore-proper-cwd-on-return-from-mnt-nam.patch +pci-imx6-fix-link-training-status-detection-in-link-.patch +objtool-fix-double-free-in-.cold-detection-error-pat.patch +objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch +arm-dts-at91-sama5d2-use-the-divided-clock-for-smc.patch +btrfs-send-fix-infinite-loop-due-to-directory-rename.patch +rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch +rdma-rdmavt-fix-rvt_create_ah-function-signature.patch +asoc-omap-mcbsp-fix-latency-value-calculation-for-pm.patch +asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch +asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch +exportfs-do-not-read-dentry-after-free.patch +bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch +ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch +usb-omap_udc-use-devm_request_irq.patch +usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch +usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch +usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch +usb-omap_udc-fix-rejection-of-out-transfers-when-dma.patch +drm-meson-add-support-for-1080p25-mode.patch +netfilter-ipv6-preserve-link-scope-traffic-original-.patch +ib-mlx5-fix-page-fault-handling-for-mw.patch +kvm-x86-fix-empty-body-warnings.patch +x86-kvm-vmx-fix-old-style-function-declaration.patch +net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch +usb-gadget-u_ether-fix-unsafe-list-iteration.patch +netfilter-nf_tables-deactivate-expressions-in-rule-r.patch +cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch +igb-fix-uninitialized-variables.patch +ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch +net-hisilicon-remove-unexpected-free_netdev.patch +drm-amdgpu-add-delay-after-enable-rlc-ucode.patch +drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch +xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch +revert-xen-balloon-mark-unallocated-host-memory-as-u.patch +pstore-ram-correctly-calculate-usable-prz-bytes.patch +fscache-fix-race-between-enablement-and-dropping-of-.patch +fscache-cachefiles-remove-redundant-variable-cache.patch +nvme-flush-namespace-scanning-work-just-before-remov.patch +acpi-iort-fix-iort_get_platform_device_domain-uninit.patch +ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch +mm-page_alloc.c-fix-calculation-of-pgdat-nr_zones.patch +hfs-do-not-free-node-before-using.patch +hfsplus-do-not-free-node-before-using.patch +debugobjects-avoid-recursive-calls-with-kmemleak.patch +ocfs2-fix-potential-use-after-free.patch +revert-printk-never-set-console_may_schedule-in-cons.patch +printk-add-console-owner-and-waiter-logic-to-load-ba.patch +printk-hide-console-waiter-logic-into-helpers.patch +printk-never-set-console_may_schedule-in-console_try.patch +printk-wake-klogd-when-passing-console_lock-owner.patch diff --git a/queue-4.14/staging-rtl8723bs-fix-the-return-value-in-case-of-er.patch b/queue-4.14/staging-rtl8723bs-fix-the-return-value-in-case-of-er.patch new file mode 100644 index 00000000000..13a8ec20285 --- /dev/null +++ b/queue-4.14/staging-rtl8723bs-fix-the-return-value-in-case-of-er.patch @@ -0,0 +1,37 @@ +From 02c244d15c78913e92478a1be1b315a96ddf6a98 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Wed, 17 Oct 2018 10:15:34 +0200 +Subject: staging: rtl8723bs: Fix the return value in case of error in + 'rtw_wx_read32()' + +[ Upstream commit c3e43d8b958bd6849817393483e805d8638a8ab7 ] + +We return 0 unconditionally in 'rtw_wx_read32()'. +However, 'ret' is set to some error codes in several error handling paths. + +Return 'ret' instead to propagate the error code. + +Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c +index d5e5f830f2a1..1b61da61690b 100644 +--- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c ++++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c +@@ -2383,7 +2383,7 @@ static int rtw_wx_read32(struct net_device *dev, + exit: + kfree(ptmp); + +- return 0; ++ return ret; + } + + static int rtw_wx_write32(struct net_device *dev, +-- +2.19.1 + diff --git a/queue-4.14/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch b/queue-4.14/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch new file mode 100644 index 00000000000..a6ab846b480 --- /dev/null +++ b/queue-4.14/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch @@ -0,0 +1,39 @@ +From 2612113d65289176dce23c18d131344bd724739b Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Sat, 10 Nov 2018 04:13:24 +0000 +Subject: sysv: return 'err' instead of 0 in __sysv_write_inode + +[ Upstream commit c4b7d1ba7d263b74bb72e9325262a67139605cde ] + +Fixes gcc '-Wunused-but-set-variable' warning: + +fs/sysv/inode.c: In function '__sysv_write_inode': +fs/sysv/inode.c:239:6: warning: + variable 'err' set but not used [-Wunused-but-set-variable] + +__sysv_write_inode should return 'err' instead of 0 + +Fixes: 05459ca81ac3 ("repair sysv_write_inode(), switch sysv to simple_fsync()") +Signed-off-by: YueHaibing +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/sysv/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/sysv/inode.c b/fs/sysv/inode.c +index 3c47b7d5d4cf..9e0874d1524c 100644 +--- a/fs/sysv/inode.c ++++ b/fs/sysv/inode.c +@@ -275,7 +275,7 @@ static int __sysv_write_inode(struct inode *inode, int wait) + } + } + brelse(bh); +- return 0; ++ return err; + } + + int sysv_write_inode(struct inode *inode, struct writeback_control *wbc) +-- +2.19.1 + diff --git a/queue-4.14/usb-gadget-u_ether-fix-unsafe-list-iteration.patch b/queue-4.14/usb-gadget-u_ether-fix-unsafe-list-iteration.patch new file mode 100644 index 00000000000..f7e6b24ca23 --- /dev/null +++ b/queue-4.14/usb-gadget-u_ether-fix-unsafe-list-iteration.patch @@ -0,0 +1,103 @@ +From e7aea1f6c46f7c995aea81c62e656ca559eca649 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Mon, 19 Nov 2018 16:49:05 +0100 +Subject: usb: gadget: u_ether: fix unsafe list iteration + +[ Upstream commit c9287fa657b3328b4549c0ab39ea7f197a3d6a50 ] + +list_for_each_entry_safe() is not safe for deleting entries from the +list if the spin lock, which protects it, is released and reacquired during +the list iteration. Fix this issue by replacing this construction with +a simple check if list is empty and removing the first entry in each +iteration. This is almost equivalent to a revert of the commit mentioned in +the Fixes: tag. + +This patch fixes following issue: +--->8--- +Unable to handle kernel NULL pointer dereference at virtual address 00000104 +pgd = (ptrval) +[00000104] *pgd=00000000 +Internal error: Oops: 817 [#1] PREEMPT SMP ARM +Modules linked in: +CPU: 1 PID: 84 Comm: kworker/1:1 Not tainted 4.20.0-rc2-next-20181114-00009-g8266b35ec404 #1061 +Hardware name: SAMSUNG EXYNOS (Flattened Device Tree) +Workqueue: events eth_work +PC is at rx_fill+0x60/0xac +LR is at _raw_spin_lock_irqsave+0x50/0x5c +pc : [] lr : [] psr: 80000093 +sp : ee7fbee8 ip : 00000100 fp : 00000000 +r10: 006000c0 r9 : c10b0ab0 r8 : ee7eb5c0 +r7 : ee7eb614 r6 : ee7eb5ec r5 : 000000dc r4 : ee12ac00 +r3 : ee12ac24 r2 : 00000200 r1 : 60000013 r0 : ee7eb5ec +Flags: Nzcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none +Control: 10c5387d Table: 6d5dc04a DAC: 00000051 +Process kworker/1:1 (pid: 84, stack limit = 0x(ptrval)) +Stack: (0xee7fbee8 to 0xee7fc000) +... +[] (rx_fill) from [] (process_one_work+0x200/0x738) +[] (process_one_work) from [] (worker_thread+0x2c/0x4c8) +[] (worker_thread) from [] (kthread+0x128/0x164) +[] (kthread) from [] (ret_from_fork+0x14/0x20) +Exception stack(0xee7fbfb0 to 0xee7fbff8) +... +---[ end trace 64480bc835eba7d6 ]--- + +Fixes: fea14e68ff5e ("usb: gadget: u_ether: use better list accessors") +Signed-off-by: Marek Szyprowski +Signed-off-by: Felipe Balbi + +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/u_ether.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c +index bdbc3fdc7c4f..3a0e4f5d7b83 100644 +--- a/drivers/usb/gadget/function/u_ether.c ++++ b/drivers/usb/gadget/function/u_ether.c +@@ -405,12 +405,12 @@ static int alloc_requests(struct eth_dev *dev, struct gether *link, unsigned n) + static void rx_fill(struct eth_dev *dev, gfp_t gfp_flags) + { + struct usb_request *req; +- struct usb_request *tmp; + unsigned long flags; + + /* fill unused rxq slots with some skb */ + spin_lock_irqsave(&dev->req_lock, flags); +- list_for_each_entry_safe(req, tmp, &dev->rx_reqs, list) { ++ while (!list_empty(&dev->rx_reqs)) { ++ req = list_first_entry(&dev->rx_reqs, struct usb_request, list); + list_del_init(&req->list); + spin_unlock_irqrestore(&dev->req_lock, flags); + +@@ -1125,7 +1125,6 @@ void gether_disconnect(struct gether *link) + { + struct eth_dev *dev = link->ioport; + struct usb_request *req; +- struct usb_request *tmp; + + WARN_ON(!dev); + if (!dev) +@@ -1142,7 +1141,8 @@ void gether_disconnect(struct gether *link) + */ + usb_ep_disable(link->in_ep); + spin_lock(&dev->req_lock); +- list_for_each_entry_safe(req, tmp, &dev->tx_reqs, list) { ++ while (!list_empty(&dev->tx_reqs)) { ++ req = list_first_entry(&dev->tx_reqs, struct usb_request, list); + list_del(&req->list); + + spin_unlock(&dev->req_lock); +@@ -1154,7 +1154,8 @@ void gether_disconnect(struct gether *link) + + usb_ep_disable(link->out_ep); + spin_lock(&dev->req_lock); +- list_for_each_entry_safe(req, tmp, &dev->rx_reqs, list) { ++ while (!list_empty(&dev->rx_reqs)) { ++ req = list_first_entry(&dev->rx_reqs, struct usb_request, list); + list_del(&req->list); + + spin_unlock(&dev->req_lock); +-- +2.19.1 + diff --git a/queue-4.14/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch b/queue-4.14/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch new file mode 100644 index 00000000000..6956d30c64e --- /dev/null +++ b/queue-4.14/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch @@ -0,0 +1,114 @@ +From ac231912151575c4c8f93fd858fdaa1dfb4c8d68 Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sun, 25 Nov 2018 00:17:05 +0200 +Subject: USB: omap_udc: fix crashes on probe error and module removal + +[ Upstream commit 99f700366fcea1aa2fa3c49c99f371670c3c62f8 ] + +We currently crash if usb_add_gadget_udc_release() fails, since the +udc->done is not initialized until in the remove function. +Furthermore, on module removal the udc data is accessed although +the release function is already triggered by usb_del_gadget_udc() +early in the function. + +Fix by rewriting the release and remove functions, basically moving +all the cleanup into the release function, and doing the completion +only in the module removal case. + +The patch fixes omap_udc module probe with a failing gadged, and also +allows the removal of omap_udc. Tested by running "modprobe omap_udc; +modprobe -r omap_udc" in a loop. + +Signed-off-by: Aaro Koskinen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/omap_udc.c | 50 ++++++++++++------------------- + 1 file changed, 19 insertions(+), 31 deletions(-) + +diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c +index e515c85ef0c5..d45dc14ef0a2 100644 +--- a/drivers/usb/gadget/udc/omap_udc.c ++++ b/drivers/usb/gadget/udc/omap_udc.c +@@ -2612,9 +2612,22 @@ omap_ep_setup(char *name, u8 addr, u8 type, + + static void omap_udc_release(struct device *dev) + { +- complete(udc->done); ++ pullup_disable(udc); ++ if (!IS_ERR_OR_NULL(udc->transceiver)) { ++ usb_put_phy(udc->transceiver); ++ udc->transceiver = NULL; ++ } ++ omap_writew(0, UDC_SYSCON1); ++ remove_proc_file(); ++ if (udc->dc_clk) { ++ if (udc->clk_requested) ++ omap_udc_enable_clock(0); ++ clk_put(udc->hhc_clk); ++ clk_put(udc->dc_clk); ++ } ++ if (udc->done) ++ complete(udc->done); + kfree(udc); +- udc = NULL; + } + + static int +@@ -2919,12 +2932,8 @@ static int omap_udc_probe(struct platform_device *pdev) + } + + create_proc_file(); +- status = usb_add_gadget_udc_release(&pdev->dev, &udc->gadget, +- omap_udc_release); +- if (!status) +- return 0; +- +- remove_proc_file(); ++ return usb_add_gadget_udc_release(&pdev->dev, &udc->gadget, ++ omap_udc_release); + + cleanup1: + kfree(udc); +@@ -2951,36 +2960,15 @@ static int omap_udc_remove(struct platform_device *pdev) + { + DECLARE_COMPLETION_ONSTACK(done); + +- if (!udc) +- return -ENODEV; +- +- usb_del_gadget_udc(&udc->gadget); +- if (udc->driver) +- return -EBUSY; +- + udc->done = &done; + +- pullup_disable(udc); +- if (!IS_ERR_OR_NULL(udc->transceiver)) { +- usb_put_phy(udc->transceiver); +- udc->transceiver = NULL; +- } +- omap_writew(0, UDC_SYSCON1); +- +- remove_proc_file(); ++ usb_del_gadget_udc(&udc->gadget); + +- if (udc->dc_clk) { +- if (udc->clk_requested) +- omap_udc_enable_clock(0); +- clk_put(udc->hhc_clk); +- clk_put(udc->dc_clk); +- } ++ wait_for_completion(&done); + + release_mem_region(pdev->resource[0].start, + pdev->resource[0].end - pdev->resource[0].start + 1); + +- wait_for_completion(&done); +- + return 0; + } + +-- +2.19.1 + diff --git a/queue-4.14/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch b/queue-4.14/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch new file mode 100644 index 00000000000..da2cf15d760 --- /dev/null +++ b/queue-4.14/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch @@ -0,0 +1,41 @@ +From 788fdc74dcb0ad647ea08d699b15b2d128638e9e Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sun, 25 Nov 2018 00:17:06 +0200 +Subject: USB: omap_udc: fix omap_udc_start() on 15xx machines + +[ Upstream commit 6ca6695f576b8453fe68865e84d25946d63b10ad ] + +On OMAP 15xx machines there are no transceivers, and omap_udc_start() +always fails as it forgot to adjust the default return value. + +Signed-off-by: Aaro Koskinen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/omap_udc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c +index d45dc14ef0a2..9060b3af27ff 100644 +--- a/drivers/usb/gadget/udc/omap_udc.c ++++ b/drivers/usb/gadget/udc/omap_udc.c +@@ -2045,7 +2045,7 @@ static inline int machine_without_vbus_sense(void) + static int omap_udc_start(struct usb_gadget *g, + struct usb_gadget_driver *driver) + { +- int status = -ENODEV; ++ int status; + struct omap_ep *ep; + unsigned long flags; + +@@ -2083,6 +2083,7 @@ static int omap_udc_start(struct usb_gadget *g, + goto done; + } + } else { ++ status = 0; + if (can_pullup(udc)) + pullup_enable(udc); + else +-- +2.19.1 + diff --git a/queue-4.14/usb-omap_udc-fix-rejection-of-out-transfers-when-dma.patch b/queue-4.14/usb-omap_udc-fix-rejection-of-out-transfers-when-dma.patch new file mode 100644 index 00000000000..4a11d520077 --- /dev/null +++ b/queue-4.14/usb-omap_udc-fix-rejection-of-out-transfers-when-dma.patch @@ -0,0 +1,35 @@ +From 40a991e545dfcb5b9403d118c619e7ba81bdb30a Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sun, 25 Nov 2018 00:17:08 +0200 +Subject: USB: omap_udc: fix rejection of out transfers when DMA is used + +[ Upstream commit 069caf5950dfa75d0526cd89c439ff9d9d3136d8 ] + +Commit 387f869d2579 ("usb: gadget: u_ether: conditionally align +transfer size") started aligning transfer size only if requested, +breaking omap_udc DMA mode. Set quirk_ep_out_aligned_size to restore +the old behaviour. + +Fixes: 387f869d2579 ("usb: gadget: u_ether: conditionally align transfer size") +Signed-off-by: Aaro Koskinen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/omap_udc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c +index c8facc8aa87e..ee0b87a0773c 100644 +--- a/drivers/usb/gadget/udc/omap_udc.c ++++ b/drivers/usb/gadget/udc/omap_udc.c +@@ -2661,6 +2661,7 @@ omap_udc_setup(struct platform_device *odev, struct usb_phy *xceiv) + udc->gadget.speed = USB_SPEED_UNKNOWN; + udc->gadget.max_speed = USB_SPEED_FULL; + udc->gadget.name = driver_name; ++ udc->gadget.quirk_ep_out_aligned_size = 1; + udc->transceiver = xceiv; + + /* ep0 is special; put it right after the SETUP buffer */ +-- +2.19.1 + diff --git a/queue-4.14/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch b/queue-4.14/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch new file mode 100644 index 00000000000..68ef4864d75 --- /dev/null +++ b/queue-4.14/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch @@ -0,0 +1,32 @@ +From d6a6956f6fc14aba470aa79d5891586cadcf0257 Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sun, 25 Nov 2018 00:17:07 +0200 +Subject: USB: omap_udc: fix USB gadget functionality on Palm Tungsten E + +[ Upstream commit 2c2322fbcab8102b8cadc09d66714700a2da42c2 ] + +On Palm TE nothing happens when you try to use gadget drivers and plug +the USB cable. Fix by adding the board to the vbus sense quirk list. + +Signed-off-by: Aaro Koskinen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/omap_udc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c +index 9060b3af27ff..c8facc8aa87e 100644 +--- a/drivers/usb/gadget/udc/omap_udc.c ++++ b/drivers/usb/gadget/udc/omap_udc.c +@@ -2037,6 +2037,7 @@ static inline int machine_without_vbus_sense(void) + { + return machine_is_omap_innovator() + || machine_is_omap_osk() ++ || machine_is_omap_palmte() + || machine_is_sx1() + /* No known omap7xx boards with vbus sense */ + || cpu_is_omap7xx(); +-- +2.19.1 + diff --git a/queue-4.14/usb-omap_udc-use-devm_request_irq.patch b/queue-4.14/usb-omap_udc-use-devm_request_irq.patch new file mode 100644 index 00000000000..3532204e531 --- /dev/null +++ b/queue-4.14/usb-omap_udc-use-devm_request_irq.patch @@ -0,0 +1,102 @@ +From 6c47a2b7de242e15c3782f87bae986bc8354483b Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sun, 25 Nov 2018 00:17:04 +0200 +Subject: USB: omap_udc: use devm_request_irq() + +[ Upstream commit 286afdde1640d8ea8916a0f05e811441fbbf4b9d ] + +The current code fails to release the third irq on the error path +(observed by reading the code), and we get also multiple WARNs with +failing gadget drivers due to duplicate IRQ releases. Fix by using +devm_request_irq(). + +Signed-off-by: Aaro Koskinen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/omap_udc.c | 37 +++++++++---------------------- + 1 file changed, 10 insertions(+), 27 deletions(-) + +diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c +index f05ba6825bfe..e515c85ef0c5 100644 +--- a/drivers/usb/gadget/udc/omap_udc.c ++++ b/drivers/usb/gadget/udc/omap_udc.c +@@ -2886,8 +2886,8 @@ static int omap_udc_probe(struct platform_device *pdev) + udc->clr_halt = UDC_RESET_EP; + + /* USB general purpose IRQ: ep0, state changes, dma, etc */ +- status = request_irq(pdev->resource[1].start, omap_udc_irq, +- 0, driver_name, udc); ++ status = devm_request_irq(&pdev->dev, pdev->resource[1].start, ++ omap_udc_irq, 0, driver_name, udc); + if (status != 0) { + ERR("can't get irq %d, err %d\n", + (int) pdev->resource[1].start, status); +@@ -2895,20 +2895,20 @@ static int omap_udc_probe(struct platform_device *pdev) + } + + /* USB "non-iso" IRQ (PIO for all but ep0) */ +- status = request_irq(pdev->resource[2].start, omap_udc_pio_irq, +- 0, "omap_udc pio", udc); ++ status = devm_request_irq(&pdev->dev, pdev->resource[2].start, ++ omap_udc_pio_irq, 0, "omap_udc pio", udc); + if (status != 0) { + ERR("can't get irq %d, err %d\n", + (int) pdev->resource[2].start, status); +- goto cleanup2; ++ goto cleanup1; + } + #ifdef USE_ISO +- status = request_irq(pdev->resource[3].start, omap_udc_iso_irq, +- 0, "omap_udc iso", udc); ++ status = devm_request_irq(&pdev->dev, pdev->resource[3].start, ++ omap_udc_iso_irq, 0, "omap_udc iso", udc); + if (status != 0) { + ERR("can't get irq %d, err %d\n", + (int) pdev->resource[3].start, status); +- goto cleanup3; ++ goto cleanup1; + } + #endif + if (cpu_is_omap16xx() || cpu_is_omap7xx()) { +@@ -2921,22 +2921,11 @@ static int omap_udc_probe(struct platform_device *pdev) + create_proc_file(); + status = usb_add_gadget_udc_release(&pdev->dev, &udc->gadget, + omap_udc_release); +- if (status) +- goto cleanup4; +- +- return 0; ++ if (!status) ++ return 0; + +-cleanup4: + remove_proc_file(); + +-#ifdef USE_ISO +-cleanup3: +- free_irq(pdev->resource[2].start, udc); +-#endif +- +-cleanup2: +- free_irq(pdev->resource[1].start, udc); +- + cleanup1: + kfree(udc); + udc = NULL; +@@ -2980,12 +2969,6 @@ static int omap_udc_remove(struct platform_device *pdev) + + remove_proc_file(); + +-#ifdef USE_ISO +- free_irq(pdev->resource[3].start, udc); +-#endif +- free_irq(pdev->resource[2].start, udc); +- free_irq(pdev->resource[1].start, udc); +- + if (udc->dc_clk) { + if (udc->clk_requested) + omap_udc_enable_clock(0); +-- +2.19.1 + diff --git a/queue-4.14/x86-kvm-vmx-fix-old-style-function-declaration.patch b/queue-4.14/x86-kvm-vmx-fix-old-style-function-declaration.patch new file mode 100644 index 00000000000..ed51528b85a --- /dev/null +++ b/queue-4.14/x86-kvm-vmx-fix-old-style-function-declaration.patch @@ -0,0 +1,68 @@ +From df1d782b948d7419692a0589744469d9f95e3c36 Mon Sep 17 00:00:00 2001 +From: Yi Wang +Date: Thu, 8 Nov 2018 11:22:21 +0800 +Subject: x86/kvm/vmx: fix old-style function declaration +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 1e4329ee2c52692ea42cc677fb2133519718b34a ] + +The inline keyword which is not at the beginning of the function +declaration may trigger the following build warnings, so let's fix it: + +arch/x86/kvm/vmx.c:1309:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration] +arch/x86/kvm/vmx.c:5947:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration] +arch/x86/kvm/vmx.c:5985:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration] +arch/x86/kvm/vmx.c:6023:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration] + +Signed-off-by: Yi Wang +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index ec588cf4fe95..4353580b659a 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -1089,7 +1089,7 @@ static void vmx_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked); + static bool nested_vmx_is_page_fault_vmexit(struct vmcs12 *vmcs12, + u16 error_code); + static void vmx_update_msr_bitmap(struct kvm_vcpu *vcpu); +-static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bitmap, ++static __always_inline void vmx_disable_intercept_for_msr(unsigned long *msr_bitmap, + u32 msr, int type); + + static DEFINE_PER_CPU(struct vmcs *, vmxarea); +@@ -5227,7 +5227,7 @@ static void free_vpid(int vpid) + spin_unlock(&vmx_vpid_lock); + } + +-static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bitmap, ++static __always_inline void vmx_disable_intercept_for_msr(unsigned long *msr_bitmap, + u32 msr, int type) + { + int f = sizeof(unsigned long); +@@ -5262,7 +5262,7 @@ static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bit + } + } + +-static void __always_inline vmx_enable_intercept_for_msr(unsigned long *msr_bitmap, ++static __always_inline void vmx_enable_intercept_for_msr(unsigned long *msr_bitmap, + u32 msr, int type) + { + int f = sizeof(unsigned long); +@@ -5297,7 +5297,7 @@ static void __always_inline vmx_enable_intercept_for_msr(unsigned long *msr_bitm + } + } + +-static void __always_inline vmx_set_intercept_for_msr(unsigned long *msr_bitmap, ++static __always_inline void vmx_set_intercept_for_msr(unsigned long *msr_bitmap, + u32 msr, int type, bool value) + { + if (value) +-- +2.19.1 + diff --git a/queue-4.14/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch b/queue-4.14/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch new file mode 100644 index 00000000000..e36c25ebea8 --- /dev/null +++ b/queue-4.14/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch @@ -0,0 +1,37 @@ +From 4bc124afbb47061883a7a2ff017a727caff927df Mon Sep 17 00:00:00 2001 +From: Srikanth Boddepalli +Date: Tue, 27 Nov 2018 19:53:27 +0530 +Subject: xen: xlate_mmu: add missing header to fix 'W=1' warning + +[ Upstream commit 72791ac854fea36034fa7976b748fde585008e78 ] + +Add a missing header otherwise compiler warns about missed prototype: + +drivers/xen/xlate_mmu.c:183:5: warning: no previous prototype for 'xen_xlate_unmap_gfn_range?' [-Wmissing-prototypes] + int xen_xlate_unmap_gfn_range(struct vm_area_struct *vma, + ^~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Srikanth Boddepalli +Reviewed-by: Boris Ostrovsky +Reviewed-by: Joey Pabalinas +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/xlate_mmu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/xen/xlate_mmu.c b/drivers/xen/xlate_mmu.c +index 23f1387b3ef7..e7df65d32c91 100644 +--- a/drivers/xen/xlate_mmu.c ++++ b/drivers/xen/xlate_mmu.c +@@ -36,6 +36,7 @@ + #include + + #include ++#include + #include + #include + #include +-- +2.19.1 +