From: Sasha Levin Date: Thu, 9 Jan 2020 20:37:01 +0000 (-0500) Subject: fixes for 4.9 X-Git-Tag: v4.4.209~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a83d428cbd5bcd659aa629fa17fb0311fb5bcab4;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/arm-dts-am437x-gp-epos-evm-fix-panel-compatible.patch b/queue-4.9/arm-dts-am437x-gp-epos-evm-fix-panel-compatible.patch new file mode 100644 index 00000000000..39eda4bbd32 --- /dev/null +++ b/queue-4.9/arm-dts-am437x-gp-epos-evm-fix-panel-compatible.patch @@ -0,0 +1,54 @@ +From 7ddc4d9971074db9bcd481f77550f96e24b71c0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 11:39:48 +0200 +Subject: ARM: dts: am437x-gp/epos-evm: fix panel compatible + +From: Tomi Valkeinen + +[ Upstream commit c6b16761c6908d3dc167a0a566578b4b0b972905 ] + +The LCD panel on AM4 GP EVMs and ePOS boards seems to be +osd070t1718-19ts. The current dts files say osd057T0559-34ts. Possibly +the panel has changed since the early EVMs, or there has been a mistake +with the panel type. + +Update the DT files accordingly. + +Acked-by: Laurent Pinchart +Signed-off-by: Tomi Valkeinen +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/am437x-gp-evm.dts | 2 +- + arch/arm/boot/dts/am43x-epos-evm.dts | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/am437x-gp-evm.dts b/arch/arm/boot/dts/am437x-gp-evm.dts +index 957840cc7b78..b55c094893c6 100644 +--- a/arch/arm/boot/dts/am437x-gp-evm.dts ++++ b/arch/arm/boot/dts/am437x-gp-evm.dts +@@ -79,7 +79,7 @@ + }; + + lcd0: display { +- compatible = "osddisplays,osd057T0559-34ts", "panel-dpi"; ++ compatible = "osddisplays,osd070t1718-19ts", "panel-dpi"; + label = "lcd"; + + panel-timing { +diff --git a/arch/arm/boot/dts/am43x-epos-evm.dts b/arch/arm/boot/dts/am43x-epos-evm.dts +index 9d35c3f07cad..21918807c9f6 100644 +--- a/arch/arm/boot/dts/am43x-epos-evm.dts ++++ b/arch/arm/boot/dts/am43x-epos-evm.dts +@@ -41,7 +41,7 @@ + }; + + lcd0: display { +- compatible = "osddisplays,osd057T0559-34ts", "panel-dpi"; ++ compatible = "osddisplays,osd070t1718-19ts", "panel-dpi"; + label = "lcd"; + + panel-timing { +-- +2.20.1 + diff --git a/queue-4.9/arm-vexpress-set-up-shared-opp-table-instead-of-indi.patch b/queue-4.9/arm-vexpress-set-up-shared-opp-table-instead-of-indi.patch new file mode 100644 index 00000000000..5dc8498ef09 --- /dev/null +++ b/queue-4.9/arm-vexpress-set-up-shared-opp-table-instead-of-indi.patch @@ -0,0 +1,70 @@ +From 299b7224d8cd923b6c049b155a4ce3031b9fdd7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 15:56:40 +0000 +Subject: ARM: vexpress: Set-up shared OPP table instead of individual for each + CPU + +From: Sudeep Holla + +[ Upstream commit 2a76352ad2cc6b78e58f737714879cc860903802 ] + +Currently we add individual copy of same OPP table for each CPU within +the cluster. This is redundant and doesn't reflect the reality. + +We can't use core cpumask to set policy->cpus in ve_spc_cpufreq_init() +anymore as it gets called via cpuhp_cpufreq_online()->cpufreq_online() +->cpufreq_driver->init() and the cpumask gets updated upon CPU hotplug +operations. It also may cause issues when the vexpress_spc_cpufreq +driver is built as a module. + +Since ve_spc_clk_init is built-in device initcall, we should be able to +use the same topology_core_cpumask to set the opp sharing cpumask via +dev_pm_opp_set_sharing_cpus and use the same later in the driver via +dev_pm_opp_get_sharing_cpus. + +Cc: Liviu Dudau +Cc: Lorenzo Pieralisi +Acked-by: Viresh Kumar +Tested-by: Dietmar Eggemann +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + arch/arm/mach-vexpress/spc.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-vexpress/spc.c b/arch/arm/mach-vexpress/spc.c +index fe488523694c..635b0d549487 100644 +--- a/arch/arm/mach-vexpress/spc.c ++++ b/arch/arm/mach-vexpress/spc.c +@@ -555,8 +555,9 @@ static struct clk *ve_spc_clk_register(struct device *cpu_dev) + + static int __init ve_spc_clk_init(void) + { +- int cpu; ++ int cpu, cluster; + struct clk *clk; ++ bool init_opp_table[MAX_CLUSTERS] = { false }; + + if (!info) + return 0; /* Continue only if SPC is initialised */ +@@ -582,8 +583,17 @@ static int __init ve_spc_clk_init(void) + continue; + } + ++ cluster = topology_physical_package_id(cpu_dev->id); ++ if (init_opp_table[cluster]) ++ continue; ++ + if (ve_init_opp_table(cpu_dev)) + pr_warn("failed to initialise cpu%d opp table\n", cpu); ++ else if (dev_pm_opp_set_sharing_cpus(cpu_dev, ++ topology_core_cpumask(cpu_dev->id))) ++ pr_warn("failed to mark OPPs shared for cpu%d\n", cpu); ++ else ++ init_opp_table[cluster] = true; + } + + platform_device_register_simple("vexpress-spc-cpufreq", -1, NULL, 0); +-- +2.20.1 + diff --git a/queue-4.9/asoc-wm8962-fix-lambda-value.patch b/queue-4.9/asoc-wm8962-fix-lambda-value.patch new file mode 100644 index 00000000000..6dca87608a6 --- /dev/null +++ b/queue-4.9/asoc-wm8962-fix-lambda-value.patch @@ -0,0 +1,47 @@ +From 401670d82959f5dd8423ee1af3f97fe9ea8189d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2019 19:57:22 +0800 +Subject: ASoC: wm8962: fix lambda value + +From: Shengjiu Wang + +[ Upstream commit 556672d75ff486e0b6786056da624131679e0576 ] + +According to user manual, it is required that FLL_LAMBDA > 0 +in all cases (Integer and Franctional modes). + +Fixes: 9a76f1ff6e29 ("ASoC: Add initial WM8962 CODEC driver") +Signed-off-by: Shengjiu Wang +Acked-by: Charles Keepax +Link: https://lore.kernel.org/r/1576065442-19763-1-git-send-email-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm8962.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c +index fd2731d171dd..0e8008d38161 100644 +--- a/sound/soc/codecs/wm8962.c ++++ b/sound/soc/codecs/wm8962.c +@@ -2791,7 +2791,7 @@ static int fll_factors(struct _fll_div *fll_div, unsigned int Fref, + + if (target % Fref == 0) { + fll_div->theta = 0; +- fll_div->lambda = 0; ++ fll_div->lambda = 1; + } else { + gcd_fll = gcd(target, fratio * Fref); + +@@ -2861,7 +2861,7 @@ static int wm8962_set_fll(struct snd_soc_codec *codec, int fll_id, int source, + return -EINVAL; + } + +- if (fll_div.theta || fll_div.lambda) ++ if (fll_div.theta) + fll1 |= WM8962_FLL_FRAC; + + /* Stop the FLL while we reconfigure */ +-- +2.20.1 + diff --git a/queue-4.9/block-fix-memleak-when-__blk_rq_map_user_iov-is-fail.patch b/queue-4.9/block-fix-memleak-when-__blk_rq_map_user_iov-is-fail.patch new file mode 100644 index 00000000000..7cb8d92d9b3 --- /dev/null +++ b/queue-4.9/block-fix-memleak-when-__blk_rq_map_user_iov-is-fail.patch @@ -0,0 +1,62 @@ +From df2e7e028666afd77a336d5227031dac54aac950 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 16:44:04 +0800 +Subject: block: fix memleak when __blk_rq_map_user_iov() is failed + +From: Yang Yingliang + +[ Upstream commit 3b7995a98ad76da5597b488fa84aa5a56d43b608 ] + +When I doing fuzzy test, get the memleak report: + +BUG: memory leak +unreferenced object 0xffff88837af80000 (size 4096): + comm "memleak", pid 3557, jiffies 4294817681 (age 112.499s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 20 00 00 00 10 01 00 00 00 00 00 00 01 00 00 00 ............... + backtrace: + [<000000001c894df8>] bio_alloc_bioset+0x393/0x590 + [<000000008b139a3c>] bio_copy_user_iov+0x300/0xcd0 + [<00000000a998bd8c>] blk_rq_map_user_iov+0x2f1/0x5f0 + [<000000005ceb7f05>] blk_rq_map_user+0xf2/0x160 + [<000000006454da92>] sg_common_write.isra.21+0x1094/0x1870 + [<00000000064bb208>] sg_write.part.25+0x5d9/0x950 + [<000000004fc670f6>] sg_write+0x5f/0x8c + [<00000000b0d05c7b>] __vfs_write+0x7c/0x100 + [<000000008e177714>] vfs_write+0x1c3/0x500 + [<0000000087d23f34>] ksys_write+0xf9/0x200 + [<000000002c8dbc9d>] do_syscall_64+0x9f/0x4f0 + [<00000000678d8e9a>] entry_SYSCALL_64_after_hwframe+0x49/0xbe + +If __blk_rq_map_user_iov() is failed in blk_rq_map_user_iov(), +the bio(s) which is allocated before this failing will leak. The +refcount of the bio(s) is init to 1 and increased to 2 by calling +bio_get(), but __blk_rq_unmap_user() only decrease it to 1, so +the bio cannot be freed. Fix it by calling blk_rq_unmap_user(). + +Reviewed-by: Bob Liu +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-map.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-map.c b/block/blk-map.c +index a8b4f526d8bb..52edbe6b9380 100644 +--- a/block/blk-map.c ++++ b/block/blk-map.c +@@ -142,7 +142,7 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq, + return 0; + + unmap_rq: +- __blk_rq_unmap_user(bio); ++ blk_rq_unmap_user(bio); + fail: + rq->bio = NULL; + return ret; +-- +2.20.1 + diff --git a/queue-4.9/bnx2x-do-not-handle-requests-from-vfs-after-parity.patch b/queue-4.9/bnx2x-do-not-handle-requests-from-vfs-after-parity.patch new file mode 100644 index 00000000000..1d7e2bd5bda --- /dev/null +++ b/queue-4.9/bnx2x-do-not-handle-requests-from-vfs-after-parity.patch @@ -0,0 +1,88 @@ +From 2b82990fc403c4c44debf97f6ea94af103f76669 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2019 09:59:55 -0800 +Subject: bnx2x: Do not handle requests from VFs after parity + +From: Manish Chopra + +[ Upstream commit 7113f796bbbced2470cd6d7379d50d7a7a78bf34 ] + +Parity error from the hardware will cause PF to lose the state +of their VFs due to PF's internal reload and hardware reset following +the parity error. Restrict any configuration request from the VFs after +the parity as it could cause unexpected hardware behavior, only way +for VFs to recover would be to trigger FLR on VFs and reload them. + +Signed-off-by: Manish Chopra +Signed-off-by: Ariel Elior +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 12 ++++++++++-- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h | 1 + + drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c | 12 ++++++++++++ + 3 files changed, 23 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +index ce8a777b1e97..8d17d464c067 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +@@ -9995,10 +9995,18 @@ static void bnx2x_recovery_failed(struct bnx2x *bp) + */ + static void bnx2x_parity_recover(struct bnx2x *bp) + { +- bool global = false; + u32 error_recovered, error_unrecovered; +- bool is_parity; ++ bool is_parity, global = false; ++#ifdef CONFIG_BNX2X_SRIOV ++ int vf_idx; ++ ++ for (vf_idx = 0; vf_idx < bp->requested_nr_virtfn; vf_idx++) { ++ struct bnx2x_virtf *vf = BP_VF(bp, vf_idx); + ++ if (vf) ++ vf->state = VF_LOST; ++ } ++#endif + DP(NETIF_MSG_HW, "Handling parity\n"); + while (1) { + switch (bp->recovery_state) { +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h +index 888d0b6632e8..7152a03e3607 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h +@@ -139,6 +139,7 @@ struct bnx2x_virtf { + #define VF_ACQUIRED 1 /* VF acquired, but not initialized */ + #define VF_ENABLED 2 /* VF Enabled */ + #define VF_RESET 3 /* VF FLR'd, pending cleanup */ ++#define VF_LOST 4 /* Recovery while VFs are loaded */ + + bool flr_clnup_stage; /* true during flr cleanup */ + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c +index c2d327d9dff0..27142fb195b6 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c +@@ -2095,6 +2095,18 @@ static void bnx2x_vf_mbx_request(struct bnx2x *bp, struct bnx2x_virtf *vf, + { + int i; + ++ if (vf->state == VF_LOST) { ++ /* Just ack the FW and return if VFs are lost ++ * in case of parity error. VFs are supposed to be timedout ++ * on waiting for PF response. ++ */ ++ DP(BNX2X_MSG_IOV, ++ "VF 0x%x lost, not handling the request\n", vf->abs_vfid); ++ ++ storm_memset_vf_mbx_ack(bp, vf->abs_vfid); ++ return; ++ } ++ + /* check if tlv type is known */ + if (bnx2x_tlv_supported(mbx->first_tlv.tl.type)) { + /* Lock the per vf op mutex and note the locker's identity. +-- +2.20.1 + diff --git a/queue-4.9/bnx2x-fix-logic-to-get-total-no.-of-pfs-per-engine.patch b/queue-4.9/bnx2x-fix-logic-to-get-total-no.-of-pfs-per-engine.patch new file mode 100644 index 00000000000..8330214e27e --- /dev/null +++ b/queue-4.9/bnx2x-fix-logic-to-get-total-no.-of-pfs-per-engine.patch @@ -0,0 +1,39 @@ +From 45e66abcc7c632752a8514d2565c5efdb37b9025 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2019 09:59:56 -0800 +Subject: bnx2x: Fix logic to get total no. of PFs per engine + +From: Manish Chopra + +[ Upstream commit ee699f89bdbaa19c399804504241b5c531b48888 ] + +Driver doesn't calculate total number of PFs configured on a +given engine correctly which messed up resources in the PFs +loaded on that engine, leading driver to exceed configuration +of resources (like vlan filters etc.) beyond the limit per +engine, which ended up with asserts from the firmware. + +Signed-off-by: Manish Chopra +Signed-off-by: Ariel Elior +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h +index 2ec1c43270b7..bb36312c9696 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h +@@ -1112,7 +1112,7 @@ static inline u8 bnx2x_get_path_func_num(struct bnx2x *bp) + for (i = 0; i < E1H_FUNC_MAX / 2; i++) { + u32 func_config = + MF_CFG_RD(bp, +- func_mf_config[BP_PORT(bp) + 2 * i]. ++ func_mf_config[BP_PATH(bp) + 2 * i]. + config); + func_num += + ((func_config & FUNC_MF_CFG_FUNC_HIDE) ? 0 : 1); +-- +2.20.1 + diff --git a/queue-4.9/efi-gop-fix-memory-leak-in-__gop_query32-64.patch b/queue-4.9/efi-gop-fix-memory-leak-in-__gop_query32-64.patch new file mode 100644 index 00000000000..e9bc4829c41 --- /dev/null +++ b/queue-4.9/efi-gop-fix-memory-leak-in-__gop_query32-64.patch @@ -0,0 +1,150 @@ +From 189dcaf234da71c50c4682f7d33ed7705ad9ab21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 16:55:40 +0000 +Subject: efi/gop: Fix memory leak in __gop_query32/64() + +From: Arvind Sankar + +[ Upstream commit ff397be685e410a59c34b21ce0c55d4daa466bb7 ] + +efi_graphics_output_protocol::query_mode() returns info in +callee-allocated memory which must be freed by the caller, which +we aren't doing. + +We don't actually need to call query_mode() in order to obtain the +info for the current graphics mode, which is already there in +gop->mode->info, so just access it directly in the setup_gop32/64() +functions. + +Also nothing uses the size of the info structure, so don't update the +passed-in size (which is the size of the gop_handle table in bytes) +unnecessarily. + +Signed-off-by: Arvind Sankar +Signed-off-by: Ard Biesheuvel +Cc: Andy Shevchenko +Cc: Bhupesh Sharma +Cc: Masayoshi Mizuma +Cc: linux-efi@vger.kernel.org +Link: https://lkml.kernel.org/r/20191206165542.31469-5-ardb@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/gop.c | 66 ++++++------------------------ + 1 file changed, 12 insertions(+), 54 deletions(-) + +diff --git a/drivers/firmware/efi/libstub/gop.c b/drivers/firmware/efi/libstub/gop.c +index 81ffda5d1e48..fd8053f9556e 100644 +--- a/drivers/firmware/efi/libstub/gop.c ++++ b/drivers/firmware/efi/libstub/gop.c +@@ -85,30 +85,6 @@ setup_pixel_info(struct screen_info *si, u32 pixels_per_scan_line, + } + } + +-static efi_status_t +-__gop_query32(efi_system_table_t *sys_table_arg, +- struct efi_graphics_output_protocol_32 *gop32, +- struct efi_graphics_output_mode_info **info, +- unsigned long *size, u64 *fb_base) +-{ +- struct efi_graphics_output_protocol_mode_32 *mode; +- efi_graphics_output_protocol_query_mode query_mode; +- efi_status_t status; +- unsigned long m; +- +- m = gop32->mode; +- mode = (struct efi_graphics_output_protocol_mode_32 *)m; +- query_mode = (void *)(unsigned long)gop32->query_mode; +- +- status = __efi_call_early(query_mode, (void *)gop32, mode->mode, size, +- info); +- if (status != EFI_SUCCESS) +- return status; +- +- *fb_base = mode->frame_buffer_base; +- return status; +-} +- + static efi_status_t + setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si, + efi_guid_t *proto, unsigned long size, void **gop_handle) +@@ -130,6 +106,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si, + + nr_gops = size / sizeof(u32); + for (i = 0; i < nr_gops; i++) { ++ struct efi_graphics_output_protocol_mode_32 *mode; + struct efi_graphics_output_mode_info *info = NULL; + efi_guid_t conout_proto = EFI_CONSOLE_OUT_DEVICE_GUID; + bool conout_found = false; +@@ -147,9 +124,11 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si, + if (status == EFI_SUCCESS) + conout_found = true; + +- status = __gop_query32(sys_table_arg, gop32, &info, &size, +- ¤t_fb_base); +- if (status == EFI_SUCCESS && (!first_gop || conout_found) && ++ mode = (void *)(unsigned long)gop32->mode; ++ info = (void *)(unsigned long)mode->info; ++ current_fb_base = mode->frame_buffer_base; ++ ++ if ((!first_gop || conout_found) && + info->pixel_format != PIXEL_BLT_ONLY) { + /* + * Systems that use the UEFI Console Splitter may +@@ -203,30 +182,6 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si, + return EFI_SUCCESS; + } + +-static efi_status_t +-__gop_query64(efi_system_table_t *sys_table_arg, +- struct efi_graphics_output_protocol_64 *gop64, +- struct efi_graphics_output_mode_info **info, +- unsigned long *size, u64 *fb_base) +-{ +- struct efi_graphics_output_protocol_mode_64 *mode; +- efi_graphics_output_protocol_query_mode query_mode; +- efi_status_t status; +- unsigned long m; +- +- m = gop64->mode; +- mode = (struct efi_graphics_output_protocol_mode_64 *)m; +- query_mode = (void *)(unsigned long)gop64->query_mode; +- +- status = __efi_call_early(query_mode, (void *)gop64, mode->mode, size, +- info); +- if (status != EFI_SUCCESS) +- return status; +- +- *fb_base = mode->frame_buffer_base; +- return status; +-} +- + static efi_status_t + setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si, + efi_guid_t *proto, unsigned long size, void **gop_handle) +@@ -248,6 +203,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si, + + nr_gops = size / sizeof(u64); + for (i = 0; i < nr_gops; i++) { ++ struct efi_graphics_output_protocol_mode_64 *mode; + struct efi_graphics_output_mode_info *info = NULL; + efi_guid_t conout_proto = EFI_CONSOLE_OUT_DEVICE_GUID; + bool conout_found = false; +@@ -265,9 +221,11 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si, + if (status == EFI_SUCCESS) + conout_found = true; + +- status = __gop_query64(sys_table_arg, gop64, &info, &size, +- ¤t_fb_base); +- if (status == EFI_SUCCESS && (!first_gop || conout_found) && ++ mode = (void *)(unsigned long)gop64->mode; ++ info = (void *)(unsigned long)mode->info; ++ current_fb_base = mode->frame_buffer_base; ++ ++ if ((!first_gop || conout_found) && + info->pixel_format != PIXEL_BLT_ONLY) { + /* + * Systems that use the UEFI Console Splitter may +-- +2.20.1 + diff --git a/queue-4.9/efi-gop-return-efi_not_found-if-there-are-no-usable-.patch b/queue-4.9/efi-gop-return-efi_not_found-if-there-are-no-usable-.patch new file mode 100644 index 00000000000..f3369f8fe1e --- /dev/null +++ b/queue-4.9/efi-gop-return-efi_not_found-if-there-are-no-usable-.patch @@ -0,0 +1,91 @@ +From 5a4510099611d0dca67c689dc355f650acd83a16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 16:55:38 +0000 +Subject: efi/gop: Return EFI_NOT_FOUND if there are no usable GOPs + +From: Arvind Sankar + +[ Upstream commit 6fc3cec30dfeee7d3c5db8154016aff9d65503c5 ] + +If we don't find a usable instance of the Graphics Output Protocol +(GOP) because none of them have a framebuffer (i.e. they were all +PIXEL_BLT_ONLY), but all the EFI calls succeeded, we will return +EFI_SUCCESS even though we didn't find a usable GOP. + +Fix this by explicitly returning EFI_NOT_FOUND if no usable GOPs are +found, allowing the caller to probe for UGA instead. + +Signed-off-by: Arvind Sankar +Signed-off-by: Ard Biesheuvel +Cc: Andy Shevchenko +Cc: Bhupesh Sharma +Cc: Masayoshi Mizuma +Cc: linux-efi@vger.kernel.org +Link: https://lkml.kernel.org/r/20191206165542.31469-3-ardb@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/gop.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/firmware/efi/libstub/gop.c b/drivers/firmware/efi/libstub/gop.c +index 24c461dea7af..16ed61c023e8 100644 +--- a/drivers/firmware/efi/libstub/gop.c ++++ b/drivers/firmware/efi/libstub/gop.c +@@ -121,7 +121,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si, + u64 fb_base; + struct efi_pixel_bitmask pixel_info; + int pixel_format; +- efi_status_t status = EFI_NOT_FOUND; ++ efi_status_t status; + u32 *handles = (u32 *)(unsigned long)gop_handle; + int i; + +@@ -177,7 +177,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si, + + /* Did we find any GOPs? */ + if (!first_gop) +- goto out; ++ return EFI_NOT_FOUND; + + /* EFI framebuffer */ + si->orig_video_isVGA = VIDEO_TYPE_EFI; +@@ -199,7 +199,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si, + si->lfb_size = si->lfb_linelength * si->lfb_height; + + si->capabilities |= VIDEO_CAPABILITY_SKIP_QUIRKS; +-out: ++ + return status; + } + +@@ -239,7 +239,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si, + u64 fb_base; + struct efi_pixel_bitmask pixel_info; + int pixel_format; +- efi_status_t status = EFI_NOT_FOUND; ++ efi_status_t status; + u64 *handles = (u64 *)(unsigned long)gop_handle; + int i; + +@@ -295,7 +295,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si, + + /* Did we find any GOPs? */ + if (!first_gop) +- goto out; ++ return EFI_NOT_FOUND; + + /* EFI framebuffer */ + si->orig_video_isVGA = VIDEO_TYPE_EFI; +@@ -317,7 +317,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si, + si->lfb_size = si->lfb_linelength * si->lfb_height; + + si->capabilities |= VIDEO_CAPABILITY_SKIP_QUIRKS; +-out: ++ + return status; + } + +-- +2.20.1 + diff --git a/queue-4.9/efi-gop-return-efi_success-if-a-usable-gop-was-found.patch b/queue-4.9/efi-gop-return-efi_success-if-a-usable-gop-was-found.patch new file mode 100644 index 00000000000..86270d34c12 --- /dev/null +++ b/queue-4.9/efi-gop-return-efi_success-if-a-usable-gop-was-found.patch @@ -0,0 +1,56 @@ +From e6dce2a4f522a604bee34b40b4f27b1d77499674 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 16:55:39 +0000 +Subject: efi/gop: Return EFI_SUCCESS if a usable GOP was found + +From: Arvind Sankar + +[ Upstream commit dbd89c303b4420f6cdb689fd398349fc83b059dd ] + +If we've found a usable instance of the Graphics Output Protocol +(GOP) with a framebuffer, it is possible that one of the later EFI +calls fails while checking if any support console output. In this +case status may be an EFI error code even though we found a usable +GOP. + +Fix this by explicitly return EFI_SUCCESS if a usable GOP has been +located. + +Signed-off-by: Arvind Sankar +Signed-off-by: Ard Biesheuvel +Cc: Andy Shevchenko +Cc: Bhupesh Sharma +Cc: Masayoshi Mizuma +Cc: linux-efi@vger.kernel.org +Link: https://lkml.kernel.org/r/20191206165542.31469-4-ardb@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/gop.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/firmware/efi/libstub/gop.c b/drivers/firmware/efi/libstub/gop.c +index 16ed61c023e8..81ffda5d1e48 100644 +--- a/drivers/firmware/efi/libstub/gop.c ++++ b/drivers/firmware/efi/libstub/gop.c +@@ -200,7 +200,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si, + + si->capabilities |= VIDEO_CAPABILITY_SKIP_QUIRKS; + +- return status; ++ return EFI_SUCCESS; + } + + static efi_status_t +@@ -318,7 +318,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si, + + si->capabilities |= VIDEO_CAPABILITY_SKIP_QUIRKS; + +- return status; ++ return EFI_SUCCESS; + } + + /* +-- +2.20.1 + diff --git a/queue-4.9/kconfig-don-t-crash-on-null-expressions-in-expr_eq.patch b/queue-4.9/kconfig-don-t-crash-on-null-expressions-in-expr_eq.patch new file mode 100644 index 00000000000..af8273557a5 --- /dev/null +++ b/queue-4.9/kconfig-don-t-crash-on-null-expressions-in-expr_eq.patch @@ -0,0 +1,42 @@ +From aecb9a4f7242bec10707b344f08684fec78ae3e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2019 00:19:17 -0800 +Subject: kconfig: don't crash on NULL expressions in expr_eq() + +From: Thomas Hebb + +[ Upstream commit 272a72103012862e3a24ea06635253ead0b6e808 ] + +NULL expressions are taken to always be true, as implemented by the +expr_is_yes() macro and by several other functions in expr.c. As such, +they ought to be valid inputs to expr_eq(), which compares two +expressions. + +Signed-off-by: Thomas Hebb +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/expr.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/scripts/kconfig/expr.c b/scripts/kconfig/expr.c +index ed29bad1f03a..96420b620963 100644 +--- a/scripts/kconfig/expr.c ++++ b/scripts/kconfig/expr.c +@@ -201,6 +201,13 @@ static int expr_eq(struct expr *e1, struct expr *e2) + { + int res, old_count; + ++ /* ++ * A NULL expr is taken to be yes, but there's also a different way to ++ * represent yes. expr_is_yes() checks for either representation. ++ */ ++ if (!e1 || !e2) ++ return expr_is_yes(e1) && expr_is_yes(e2); ++ + if (e1->type != e2->type) + return 0; + switch (e1->type) { +-- +2.20.1 + diff --git a/queue-4.9/llc2-fix-return-statement-of-llc_stat_ev_rx_null_dsa.patch b/queue-4.9/llc2-fix-return-statement-of-llc_stat_ev_rx_null_dsa.patch new file mode 100644 index 00000000000..289bcb4bd27 --- /dev/null +++ b/queue-4.9/llc2-fix-return-statement-of-llc_stat_ev_rx_null_dsa.patch @@ -0,0 +1,53 @@ +From 4148278970e6bb725edb3fd5cc91c3d83cc16a97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Dec 2019 14:16:18 +0800 +Subject: llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and + _test_c) + +From: Chan Shu Tak, Alex + +[ Upstream commit af1c0e4e00f3cc76cb136ebf2e2c04e8b6446285 ] + +When a frame with NULL DSAP is received, llc_station_rcv is called. +In turn, llc_stat_ev_rx_null_dsap_xid_c is called to check if it is a NULL +XID frame. The return statement of llc_stat_ev_rx_null_dsap_xid_c returns 1 +when the incoming frame is not a NULL XID frame and 0 otherwise. Hence, a +NULL XID response is returned unexpectedly, e.g. when the incoming frame is +a NULL TEST command. + +To fix the error, simply remove the conditional operator. + +A similar error in llc_stat_ev_rx_null_dsap_test_c is also fixed. + +Signed-off-by: Chan Shu Tak, Alex +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/llc/llc_station.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/llc/llc_station.c b/net/llc/llc_station.c +index 204a8351efff..c29170e767a8 100644 +--- a/net/llc/llc_station.c ++++ b/net/llc/llc_station.c +@@ -32,7 +32,7 @@ static int llc_stat_ev_rx_null_dsap_xid_c(struct sk_buff *skb) + return LLC_PDU_IS_CMD(pdu) && /* command PDU */ + LLC_PDU_TYPE_IS_U(pdu) && /* U type PDU */ + LLC_U_PDU_CMD(pdu) == LLC_1_PDU_CMD_XID && +- !pdu->dsap ? 0 : 1; /* NULL DSAP value */ ++ !pdu->dsap; /* NULL DSAP value */ + } + + static int llc_stat_ev_rx_null_dsap_test_c(struct sk_buff *skb) +@@ -42,7 +42,7 @@ static int llc_stat_ev_rx_null_dsap_test_c(struct sk_buff *skb) + return LLC_PDU_IS_CMD(pdu) && /* command PDU */ + LLC_PDU_TYPE_IS_U(pdu) && /* U type PDU */ + LLC_U_PDU_CMD(pdu) == LLC_1_PDU_CMD_TEST && +- !pdu->dsap ? 0 : 1; /* NULL DSAP */ ++ !pdu->dsap; /* NULL DSAP */ + } + + static int llc_station_ac_send_xid_r(struct sk_buff *skb) +-- +2.20.1 + diff --git a/queue-4.9/locking-spinlock-debug-fix-various-data-races.patch b/queue-4.9/locking-spinlock-debug-fix-various-data-races.patch new file mode 100644 index 00000000000..02dff3e2c61 --- /dev/null +++ b/queue-4.9/locking-spinlock-debug-fix-various-data-races.patch @@ -0,0 +1,145 @@ +From 83226c282700796b126455aae5e51b46e61f398b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Nov 2019 16:57:15 +0100 +Subject: locking/spinlock/debug: Fix various data races + +From: Marco Elver + +[ Upstream commit 1a365e822372ba24c9da0822bc583894f6f3d821 ] + +This fixes various data races in spinlock_debug. By testing with KCSAN, +it is observable that the console gets spammed with data races reports, +suggesting these are extremely frequent. + +Example data race report: + + read to 0xffff8ab24f403c48 of 4 bytes by task 221 on cpu 2: + debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline] + do_raw_spin_lock+0x9b/0x210 kernel/locking/spinlock_debug.c:112 + __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline] + _raw_spin_lock+0x39/0x40 kernel/locking/spinlock.c:151 + spin_lock include/linux/spinlock.h:338 [inline] + get_partial_node.isra.0.part.0+0x32/0x2f0 mm/slub.c:1873 + get_partial_node mm/slub.c:1870 [inline] + + + write to 0xffff8ab24f403c48 of 4 bytes by task 167 on cpu 3: + debug_spin_unlock kernel/locking/spinlock_debug.c:103 [inline] + do_raw_spin_unlock+0xc9/0x1a0 kernel/locking/spinlock_debug.c:138 + __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:159 [inline] + _raw_spin_unlock_irqrestore+0x2d/0x50 kernel/locking/spinlock.c:191 + spin_unlock_irqrestore include/linux/spinlock.h:393 [inline] + free_debug_processing+0x1b3/0x210 mm/slub.c:1214 + __slab_free+0x292/0x400 mm/slub.c:2864 + + +As a side-effect, with KCSAN, this eventually locks up the console, most +likely due to deadlock, e.g. .. -> printk lock -> spinlock_debug -> +KCSAN detects data race -> kcsan_print_report() -> printk lock -> +deadlock. + +This fix will 1) avoid the data races, and 2) allow using lock debugging +together with KCSAN. + +Reported-by: Qian Cai +Signed-off-by: Marco Elver +Cc: Andrew Morton +Cc: Linus Torvalds +Cc: Paul E. McKenney +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Will Deacon +Link: https://lkml.kernel.org/r/20191120155715.28089-1-elver@google.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/locking/spinlock_debug.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/kernel/locking/spinlock_debug.c b/kernel/locking/spinlock_debug.c +index 9aa0fccd5d43..03595c29c566 100644 +--- a/kernel/locking/spinlock_debug.c ++++ b/kernel/locking/spinlock_debug.c +@@ -51,19 +51,19 @@ EXPORT_SYMBOL(__rwlock_init); + + static void spin_dump(raw_spinlock_t *lock, const char *msg) + { +- struct task_struct *owner = NULL; ++ struct task_struct *owner = READ_ONCE(lock->owner); + +- if (lock->owner && lock->owner != SPINLOCK_OWNER_INIT) +- owner = lock->owner; ++ if (owner == SPINLOCK_OWNER_INIT) ++ owner = NULL; + printk(KERN_EMERG "BUG: spinlock %s on CPU#%d, %s/%d\n", + msg, raw_smp_processor_id(), + current->comm, task_pid_nr(current)); + printk(KERN_EMERG " lock: %pS, .magic: %08x, .owner: %s/%d, " + ".owner_cpu: %d\n", +- lock, lock->magic, ++ lock, READ_ONCE(lock->magic), + owner ? owner->comm : "", + owner ? task_pid_nr(owner) : -1, +- lock->owner_cpu); ++ READ_ONCE(lock->owner_cpu)); + dump_stack(); + } + +@@ -80,16 +80,16 @@ static void spin_bug(raw_spinlock_t *lock, const char *msg) + static inline void + debug_spin_lock_before(raw_spinlock_t *lock) + { +- SPIN_BUG_ON(lock->magic != SPINLOCK_MAGIC, lock, "bad magic"); +- SPIN_BUG_ON(lock->owner == current, lock, "recursion"); +- SPIN_BUG_ON(lock->owner_cpu == raw_smp_processor_id(), ++ SPIN_BUG_ON(READ_ONCE(lock->magic) != SPINLOCK_MAGIC, lock, "bad magic"); ++ SPIN_BUG_ON(READ_ONCE(lock->owner) == current, lock, "recursion"); ++ SPIN_BUG_ON(READ_ONCE(lock->owner_cpu) == raw_smp_processor_id(), + lock, "cpu recursion"); + } + + static inline void debug_spin_lock_after(raw_spinlock_t *lock) + { +- lock->owner_cpu = raw_smp_processor_id(); +- lock->owner = current; ++ WRITE_ONCE(lock->owner_cpu, raw_smp_processor_id()); ++ WRITE_ONCE(lock->owner, current); + } + + static inline void debug_spin_unlock(raw_spinlock_t *lock) +@@ -99,8 +99,8 @@ static inline void debug_spin_unlock(raw_spinlock_t *lock) + SPIN_BUG_ON(lock->owner != current, lock, "wrong owner"); + SPIN_BUG_ON(lock->owner_cpu != raw_smp_processor_id(), + lock, "wrong CPU"); +- lock->owner = SPINLOCK_OWNER_INIT; +- lock->owner_cpu = -1; ++ WRITE_ONCE(lock->owner, SPINLOCK_OWNER_INIT); ++ WRITE_ONCE(lock->owner_cpu, -1); + } + + /* +@@ -183,8 +183,8 @@ static inline void debug_write_lock_before(rwlock_t *lock) + + static inline void debug_write_lock_after(rwlock_t *lock) + { +- lock->owner_cpu = raw_smp_processor_id(); +- lock->owner = current; ++ WRITE_ONCE(lock->owner_cpu, raw_smp_processor_id()); ++ WRITE_ONCE(lock->owner, current); + } + + static inline void debug_write_unlock(rwlock_t *lock) +@@ -193,8 +193,8 @@ static inline void debug_write_unlock(rwlock_t *lock) + RWLOCK_BUG_ON(lock->owner != current, lock, "wrong owner"); + RWLOCK_BUG_ON(lock->owner_cpu != raw_smp_processor_id(), + lock, "wrong CPU"); +- lock->owner = SPINLOCK_OWNER_INIT; +- lock->owner_cpu = -1; ++ WRITE_ONCE(lock->owner, SPINLOCK_OWNER_INIT); ++ WRITE_ONCE(lock->owner_cpu, -1); + } + + void do_raw_write_lock(rwlock_t *lock) +-- +2.20.1 + diff --git a/queue-4.9/net-stmmac-rx-buffer-size-must-be-16-byte-aligned.patch b/queue-4.9/net-stmmac-rx-buffer-size-must-be-16-byte-aligned.patch new file mode 100644 index 00000000000..591dcf7314b --- /dev/null +++ b/queue-4.9/net-stmmac-rx-buffer-size-must-be-16-byte-aligned.patch @@ -0,0 +1,39 @@ +From ab94e37305a382f6caede8ca55198987b0c85605 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 11:17:40 +0100 +Subject: net: stmmac: RX buffer size must be 16 byte aligned + +From: Jose Abreu + +[ Upstream commit 8d558f0294fe92e04af192e221d0d0f6a180ee7b ] + +We need to align the RX buffer size to at least 16 byte so that IP +doesn't mis-behave. This is required by HW. + +Changes from v2: +- Align UP and not DOWN (David) + +Fixes: 7ac6653a085b ("stmmac: Move the STMicroelectronics driver") +Signed-off-by: Jose Abreu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 5ac48a594951..a2b7c685cbf1 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -55,7 +55,7 @@ + #include + #include "dwmac1000.h" + +-#define STMMAC_ALIGN(x) __ALIGN_KERNEL(x, SMP_CACHE_BYTES) ++#define STMMAC_ALIGN(x) ALIGN(ALIGN(x, SMP_CACHE_BYTES), 16) + #define TSO_MAX_BUFF_SIZE (SZ_16K - 1) + + /* Module parameters */ +-- +2.20.1 + diff --git a/queue-4.9/net-usb-lan78xx-fix-error-message-format-specifier.patch b/queue-4.9/net-usb-lan78xx-fix-error-message-format-specifier.patch new file mode 100644 index 00000000000..9f107d4090b --- /dev/null +++ b/queue-4.9/net-usb-lan78xx-fix-error-message-format-specifier.patch @@ -0,0 +1,35 @@ +From 84a2bb8676bd71ff7f0db8b1b1bd2a577387a07b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2019 18:33:11 +0200 +Subject: net: usb: lan78xx: Fix error message format specifier + +From: Cristian Birsan + +[ Upstream commit 858ce8ca62ea1530f2779d0e3f934b0176e663c3 ] + +Display the return code as decimal integer. + +Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver") +Signed-off-by: Cristian Birsan +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/lan78xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c +index 96258e6a1920..207660fd4b74 100644 +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -442,7 +442,7 @@ static int lan78xx_read_stats(struct lan78xx_net *dev, + } + } else { + netdev_warn(dev->net, +- "Failed to read stat ret = 0x%x", ret); ++ "Failed to read stat ret = %d", ret); + } + + kfree(stats); +-- +2.20.1 + diff --git a/queue-4.9/netfilter-ctnetlink-netns-exit-must-wait-for-callbac.patch b/queue-4.9/netfilter-ctnetlink-netns-exit-must-wait-for-callbac.patch new file mode 100644 index 00000000000..cd88cd8eab6 --- /dev/null +++ b/queue-4.9/netfilter-ctnetlink-netns-exit-must-wait-for-callbac.patch @@ -0,0 +1,79 @@ +From fbff6708475c219d5602f3dd0cfd140bb3092a30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2019 12:39:23 +0100 +Subject: netfilter: ctnetlink: netns exit must wait for callbacks + +From: Florian Westphal + +[ Upstream commit 18a110b022a5c02e7dc9f6109d0bd93e58ac6ebb ] + +Curtis Taylor and Jon Maxwell reported and debugged a crash on 3.10 +based kernel. + +Crash occurs in ctnetlink_conntrack_events because net->nfnl socket is +NULL. The nfnl socket was set to NULL by netns destruction running on +another cpu. + +The exiting network namespace calls the relevant destructors in the +following order: + +1. ctnetlink_net_exit_batch + +This nulls out the event callback pointer in struct netns. + +2. nfnetlink_net_exit_batch + +This nulls net->nfnl socket and frees it. + +3. nf_conntrack_cleanup_net_list + +This removes all remaining conntrack entries. + +This is order is correct. The only explanation for the crash so ar is: + +cpu1: conntrack is dying, eviction occurs: + -> nf_ct_delete() + -> nf_conntrack_event_report \ + -> nf_conntrack_eventmask_report + -> notify->fcn() (== ctnetlink_conntrack_events). + +cpu1: a. fetches rcu protected pointer to obtain ctnetlink event callback. + b. gets interrupted. + cpu2: runs netns exit handlers: + a runs ctnetlink destructor, event cb pointer set to NULL. + b runs nfnetlink destructor, nfnl socket is closed and set to NULL. +cpu1: c. resumes and trips over NULL net->nfnl. + +Problem appears to be that ctnetlink_net_exit_batch only prevents future +callers of nf_conntrack_eventmask_report() from obtaining the callback. +It doesn't wait of other cpus that might have already obtained the +callbacks address. + +I don't see anything in upstream kernels that would prevent similar +crash: We need to wait for all cpus to have exited the event callback. + +Fixes: 9592a5c01e79dbc59eb56fa ("netfilter: ctnetlink: netns support") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index deea281ab169..5e28702c801f 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3388,6 +3388,9 @@ static void __net_exit ctnetlink_net_exit_batch(struct list_head *net_exit_list) + + list_for_each_entry(net, net_exit_list, exit_list) + ctnetlink_net_exit(net); ++ ++ /* wait for other cpus until they are done with ctnl_notifiers */ ++ synchronize_rcu(); + } + + static struct pernet_operations ctnetlink_net_ops = { +-- +2.20.1 + diff --git a/queue-4.9/netfilter-uapi-avoid-undefined-left-shift-in-xt_sctp.patch b/queue-4.9/netfilter-uapi-avoid-undefined-left-shift-in-xt_sctp.patch new file mode 100644 index 00000000000..5dfa5e6a4fa --- /dev/null +++ b/queue-4.9/netfilter-uapi-avoid-undefined-left-shift-in-xt_sctp.patch @@ -0,0 +1,50 @@ +From cb3a1c22ffa60b65c2d3aa636a6d3edb6af1a4ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2019 13:35:11 +0100 +Subject: netfilter: uapi: Avoid undefined left-shift in xt_sctp.h + +From: Phil Sutter + +[ Upstream commit 164166558aacea01b99c8c8ffb710d930405ba69 ] + +With 'bytes(__u32)' being 32, a left-shift of 31 may happen which is +undefined for the signed 32-bit value 1. Avoid this by declaring 1 as +unsigned. + +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/uapi/linux/netfilter/xt_sctp.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/uapi/linux/netfilter/xt_sctp.h b/include/uapi/linux/netfilter/xt_sctp.h +index 58ffcfb7978e..c2b0886c7c25 100644 +--- a/include/uapi/linux/netfilter/xt_sctp.h ++++ b/include/uapi/linux/netfilter/xt_sctp.h +@@ -40,19 +40,19 @@ struct xt_sctp_info { + #define SCTP_CHUNKMAP_SET(chunkmap, type) \ + do { \ + (chunkmap)[type / bytes(__u32)] |= \ +- 1 << (type % bytes(__u32)); \ ++ 1u << (type % bytes(__u32)); \ + } while (0) + + #define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \ + do { \ + (chunkmap)[type / bytes(__u32)] &= \ +- ~(1 << (type % bytes(__u32))); \ ++ ~(1u << (type % bytes(__u32))); \ + } while (0) + + #define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \ + ({ \ + ((chunkmap)[type / bytes (__u32)] & \ +- (1 << (type % bytes (__u32)))) ? 1: 0; \ ++ (1u << (type % bytes (__u32)))) ? 1: 0; \ + }) + + #define SCTP_CHUNKMAP_RESET(chunkmap) \ +-- +2.20.1 + diff --git a/queue-4.9/parisc-fix-compiler-warnings-in-debug_core.c.patch b/queue-4.9/parisc-fix-compiler-warnings-in-debug_core.c.patch new file mode 100644 index 00000000000..447f9070516 --- /dev/null +++ b/queue-4.9/parisc-fix-compiler-warnings-in-debug_core.c.patch @@ -0,0 +1,53 @@ +From 0537029f2bcab6a2b1c0ed8e89ab20bf1354c4c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Dec 2019 21:00:19 +0100 +Subject: parisc: Fix compiler warnings in debug_core.c +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Helge Deller + +[ Upstream commit 75cf9797006a3a9f29a3a25c1febd6842a4a9eb2 ] + +Fix this compiler warning: +kernel/debug/debug_core.c: In function ‘kgdb_cpu_enter’: +arch/parisc/include/asm/cmpxchg.h:48:3: warning: value computed is not used [-Wunused-value] + 48 | ((__typeof__(*(ptr)))__xchg((unsigned long)(x), (ptr), sizeof(*(ptr)))) +arch/parisc/include/asm/atomic.h:78:30: note: in expansion of macro ‘xchg’ + 78 | #define atomic_xchg(v, new) (xchg(&((v)->counter), new)) + | ^~~~ +kernel/debug/debug_core.c:596:4: note: in expansion of macro ‘atomic_xchg’ + 596 | atomic_xchg(&kgdb_active, cpu); + | ^~~~~~~~~~~ + +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/include/asm/cmpxchg.h | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/arch/parisc/include/asm/cmpxchg.h b/arch/parisc/include/asm/cmpxchg.h +index 7ada30900807..90253bdc2ee5 100644 +--- a/arch/parisc/include/asm/cmpxchg.h ++++ b/arch/parisc/include/asm/cmpxchg.h +@@ -43,8 +43,14 @@ __xchg(unsigned long x, __volatile__ void *ptr, int size) + ** if (((unsigned long)p & 0xf) == 0) + ** return __ldcw(p); + */ +-#define xchg(ptr, x) \ +- ((__typeof__(*(ptr)))__xchg((unsigned long)(x), (ptr), sizeof(*(ptr)))) ++#define xchg(ptr, x) \ ++({ \ ++ __typeof__(*(ptr)) __ret; \ ++ __typeof__(*(ptr)) _x_ = (x); \ ++ __ret = (__typeof__(*(ptr))) \ ++ __xchg((unsigned long)_x_, (ptr), sizeof(*(ptr))); \ ++ __ret; \ ++}) + + /* bug catcher for when unsupported size is used - won't link */ + extern void __cmpxchg_called_with_bad_pointer(void); +-- +2.20.1 + diff --git a/queue-4.9/perf-x86-intel-fix-pt-pmi-handling.patch b/queue-4.9/perf-x86-intel-fix-pt-pmi-handling.patch new file mode 100644 index 00000000000..d55f151b965 --- /dev/null +++ b/queue-4.9/perf-x86-intel-fix-pt-pmi-handling.patch @@ -0,0 +1,76 @@ +From 1d1c5c80457fc742a34c19a6170f9417ec96c2ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2019 12:51:01 +0200 +Subject: perf/x86/intel: Fix PT PMI handling + +From: Alexander Shishkin + +[ Upstream commit 92ca7da4bdc24d63bb0bcd241c11441ddb63b80a ] + +Commit: + + ccbebba4c6bf ("perf/x86/intel/pt: Bypass PT vs. LBR exclusivity if the core supports it") + +skips the PT/LBR exclusivity check on CPUs where PT and LBRs coexist, but +also inadvertently skips the active_events bump for PT in that case, which +is a bug. If there aren't any hardware events at the same time as PT, the +PMI handler will ignore PT PMIs, as active_events reads zero in that case, +resulting in the "Uhhuh" spurious NMI warning and PT data loss. + +Fix this by always increasing active_events for PT events. + +Fixes: ccbebba4c6bf ("perf/x86/intel/pt: Bypass PT vs. LBR exclusivity if the core supports it") +Reported-by: Vitaly Slobodskoy +Signed-off-by: Alexander Shishkin +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Alexey Budankov +Cc: Jiri Olsa +Cc: Ingo Molnar +Cc: Arnaldo Carvalho de Melo +Link: https://lkml.kernel.org/r/20191210105101.77210-1-alexander.shishkin@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/core.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c +index 1e9f610d36a4..c26cca506f64 100644 +--- a/arch/x86/events/core.c ++++ b/arch/x86/events/core.c +@@ -374,7 +374,7 @@ int x86_add_exclusive(unsigned int what) + * LBR and BTS are still mutually exclusive. + */ + if (x86_pmu.lbr_pt_coexist && what == x86_lbr_exclusive_pt) +- return 0; ++ goto out; + + if (!atomic_inc_not_zero(&x86_pmu.lbr_exclusive[what])) { + mutex_lock(&pmc_reserve_mutex); +@@ -386,6 +386,7 @@ int x86_add_exclusive(unsigned int what) + mutex_unlock(&pmc_reserve_mutex); + } + ++out: + atomic_inc(&active_events); + return 0; + +@@ -396,11 +397,15 @@ int x86_add_exclusive(unsigned int what) + + void x86_del_exclusive(unsigned int what) + { ++ atomic_dec(&active_events); ++ ++ /* ++ * See the comment in x86_add_exclusive(). ++ */ + if (x86_pmu.lbr_pt_coexist && what == x86_lbr_exclusive_pt) + return; + + atomic_dec(&x86_pmu.lbr_exclusive[what]); +- atomic_dec(&active_events); + } + + int x86_setup_perfctr(struct perf_event *event) +-- +2.20.1 + diff --git a/queue-4.9/powerpc-ensure-that-swiotlb-buffer-is-allocated-from.patch b/queue-4.9/powerpc-ensure-that-swiotlb-buffer-is-allocated-from.patch new file mode 100644 index 00000000000..60164de817d --- /dev/null +++ b/queue-4.9/powerpc-ensure-that-swiotlb-buffer-is-allocated-from.patch @@ -0,0 +1,49 @@ +From adb582a0248a97cc880ee1eb857f605b74f44201 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2019 14:35:24 +0200 +Subject: powerpc: Ensure that swiotlb buffer is allocated from low memory + +From: Mike Rapoport + +[ Upstream commit 8fabc623238e68b3ac63c0dd1657bf86c1fa33af ] + +Some powerpc platforms (e.g. 85xx) limit DMA-able memory way below 4G. +If a system has more physical memory than this limit, the swiotlb +buffer is not addressable because it is allocated from memblock using +top-down mode. + +Force memblock to bottom-up mode before calling swiotlb_init() to +ensure that the swiotlb buffer is DMA-able. + +Reported-by: Christian Zigotzky +Signed-off-by: Mike Rapoport +Reviewed-by: Christoph Hellwig +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191204123524.22919-1-rppt@kernel.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/mem.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/powerpc/mm/mem.c b/arch/powerpc/mm/mem.c +index 1e93dbc88e80..34f70d36b16d 100644 +--- a/arch/powerpc/mm/mem.c ++++ b/arch/powerpc/mm/mem.c +@@ -345,6 +345,14 @@ void __init mem_init(void) + BUILD_BUG_ON(MMU_PAGE_COUNT > 16); + + #ifdef CONFIG_SWIOTLB ++ /* ++ * Some platforms (e.g. 85xx) limit DMA-able memory way below ++ * 4G. We force memblock to bottom-up mode to ensure that the ++ * memory allocated in swiotlb_init() is DMA-able. ++ * As it's the last memblock allocation, no need to reset it ++ * back to to-down. ++ */ ++ memblock_set_bottom_up(true); + swiotlb_init(0); + #endif + +-- +2.20.1 + diff --git a/queue-4.9/regulator-rn5t618-fix-module-aliases.patch b/queue-4.9/regulator-rn5t618-fix-module-aliases.patch new file mode 100644 index 00000000000..0ddbfab061b --- /dev/null +++ b/queue-4.9/regulator-rn5t618-fix-module-aliases.patch @@ -0,0 +1,36 @@ +From c8a9214fc901250864bb639046d71a2da00a1dd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2019 23:16:00 +0100 +Subject: regulator: rn5t618: fix module aliases + +From: Andreas Kemnade + +[ Upstream commit 62a1923cc8fe095912e6213ed5de27abbf1de77e ] + +platform device aliases were missing, preventing +autoloading of module. + +Fixes: 811b700630ff ("regulator: rn5t618: add driver for Ricoh RN5T618 regulators") +Signed-off-by: Andreas Kemnade +Link: https://lore.kernel.org/r/20191211221600.29438-1-andreas@kemnade.info +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/rn5t618-regulator.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/rn5t618-regulator.c b/drivers/regulator/rn5t618-regulator.c +index 9c930eb68cda..ffc34e1ee35d 100644 +--- a/drivers/regulator/rn5t618-regulator.c ++++ b/drivers/regulator/rn5t618-regulator.c +@@ -127,6 +127,7 @@ static struct platform_driver rn5t618_regulator_driver = { + + module_platform_driver(rn5t618_regulator_driver); + ++MODULE_ALIAS("platform:rn5t618-regulator"); + MODULE_AUTHOR("Beniamino Galvani "); + MODULE_DESCRIPTION("RN5T618 regulator driver"); + MODULE_LICENSE("GPL v2"); +-- +2.20.1 + diff --git a/queue-4.9/rfkill-fix-incorrect-check-to-avoid-null-pointer-der.patch b/queue-4.9/rfkill-fix-incorrect-check-to-avoid-null-pointer-der.patch new file mode 100644 index 00000000000..fda0b76b2b3 --- /dev/null +++ b/queue-4.9/rfkill-fix-incorrect-check-to-avoid-null-pointer-der.patch @@ -0,0 +1,44 @@ +From 8b1594405b7ae0244cee46767234a26c2416bb55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Dec 2019 09:34:08 -0600 +Subject: rfkill: Fix incorrect check to avoid NULL pointer dereference + +From: Aditya Pakki + +[ Upstream commit 6fc232db9e8cd50b9b83534de9cd91ace711b2d7 ] + +In rfkill_register, the struct rfkill pointer is first derefernced +and then checked for NULL. This patch removes the BUG_ON and returns +an error to the caller in case rfkill is NULL. + +Signed-off-by: Aditya Pakki +Link: https://lore.kernel.org/r/20191215153409.21696-1-pakki001@umn.edu +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/rfkill/core.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/rfkill/core.c b/net/rfkill/core.c +index 884027f62783..87c35844d7d9 100644 +--- a/net/rfkill/core.c ++++ b/net/rfkill/core.c +@@ -940,10 +940,13 @@ static void rfkill_sync_work(struct work_struct *work) + int __must_check rfkill_register(struct rfkill *rfkill) + { + static unsigned long rfkill_no; +- struct device *dev = &rfkill->dev; ++ struct device *dev; + int error; + +- BUG_ON(!rfkill); ++ if (!rfkill) ++ return -EINVAL; ++ ++ dev = &rfkill->dev; + + mutex_lock(&rfkill_global_mutex); + +-- +2.20.1 + diff --git a/queue-4.9/samples-bpf-replace-symbol-compare-of-trace_event.patch b/queue-4.9/samples-bpf-replace-symbol-compare-of-trace_event.patch new file mode 100644 index 00000000000..d0f53a95f85 --- /dev/null +++ b/queue-4.9/samples-bpf-replace-symbol-compare-of-trace_event.patch @@ -0,0 +1,45 @@ +From fe290723482f1a8dcb379bc2a1e02468d149584e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2019 17:01:13 +0900 +Subject: samples: bpf: Replace symbol compare of trace_event + +From: Daniel T. Lee + +[ Upstream commit bba1b2a890253528c45aa66cf856f289a215bfbc ] + +Previously, when this sample is added, commit 1c47910ef8013 +("samples/bpf: add perf_event+bpf example"), a symbol 'sys_read' and +'sys_write' has been used without no prefixes. But currently there are +no exact symbols with these under kallsyms and this leads to failure. + +This commit changes exact compare to substring compare to keep compatible +with exact symbol or prefixed symbol. + +Fixes: 1c47910ef8013 ("samples/bpf: add perf_event+bpf example") +Signed-off-by: Daniel T. Lee +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20191205080114.19766-2-danieltimlee@gmail.com +Signed-off-by: Sasha Levin +--- + samples/bpf/trace_event_user.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/samples/bpf/trace_event_user.c b/samples/bpf/trace_event_user.c +index 9a130d31ecf2..6fbb5eb9daf3 100644 +--- a/samples/bpf/trace_event_user.c ++++ b/samples/bpf/trace_event_user.c +@@ -33,9 +33,9 @@ static void print_ksym(__u64 addr) + return; + sym = ksym_search(addr); + printf("%s;", sym->name); +- if (!strcmp(sym->name, "sys_read")) ++ if (!strstr(sym->name, "sys_read")) + sys_read_seen = true; +- else if (!strcmp(sym->name, "sys_write")) ++ else if (!strstr(sym->name, "sys_write")) + sys_write_seen = true; + } + +-- +2.20.1 + diff --git a/queue-4.9/series b/queue-4.9/series index d8bc8e6320a..463d211f819 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -54,3 +54,26 @@ s390-smp-fix-physical-to-logical-cpu-map-for-smt.patch xen-blkback-avoid-unmapping-unmapped-grant-pages.patch locking-x86-remove-the-unused-atomic_inc_short-methd.patch pstore-ram-write-new-dumps-to-start-of-recycled-zone.patch +locking-spinlock-debug-fix-various-data-races.patch +netfilter-ctnetlink-netns-exit-must-wait-for-callbac.patch +efi-gop-return-efi_not_found-if-there-are-no-usable-.patch +efi-gop-return-efi_success-if-a-usable-gop-was-found.patch +efi-gop-fix-memory-leak-in-__gop_query32-64.patch +arm-vexpress-set-up-shared-opp-table-instead-of-indi.patch +netfilter-uapi-avoid-undefined-left-shift-in-xt_sctp.patch +spi-spi-cavium-thunderx-add-missing-pci_release_regi.patch +arm-dts-am437x-gp-epos-evm-fix-panel-compatible.patch +samples-bpf-replace-symbol-compare-of-trace_event.patch +powerpc-ensure-that-swiotlb-buffer-is-allocated-from.patch +bnx2x-do-not-handle-requests-from-vfs-after-parity.patch +bnx2x-fix-logic-to-get-total-no.-of-pfs-per-engine.patch +net-usb-lan78xx-fix-error-message-format-specifier.patch +rfkill-fix-incorrect-check-to-avoid-null-pointer-der.patch +asoc-wm8962-fix-lambda-value.patch +regulator-rn5t618-fix-module-aliases.patch +kconfig-don-t-crash-on-null-expressions-in-expr_eq.patch +perf-x86-intel-fix-pt-pmi-handling.patch +net-stmmac-rx-buffer-size-must-be-16-byte-aligned.patch +block-fix-memleak-when-__blk_rq_map_user_iov-is-fail.patch +parisc-fix-compiler-warnings-in-debug_core.c.patch +llc2-fix-return-statement-of-llc_stat_ev_rx_null_dsa.patch diff --git a/queue-4.9/spi-spi-cavium-thunderx-add-missing-pci_release_regi.patch b/queue-4.9/spi-spi-cavium-thunderx-add-missing-pci_release_regi.patch new file mode 100644 index 00000000000..3590019a56a --- /dev/null +++ b/queue-4.9/spi-spi-cavium-thunderx-add-missing-pci_release_regi.patch @@ -0,0 +1,44 @@ +From 9299f9a3429c9058374fb55d20aa68e0b345c30a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 15:55:00 +0800 +Subject: spi: spi-cavium-thunderx: Add missing pci_release_regions() + +From: Chuhong Yuan + +[ Upstream commit a841e2853e1afecc2ee692b8cc5bff606bc84e4c ] + +The driver forgets to call pci_release_regions() in probe failure +and remove. +Add the missed calls to fix it. + +Signed-off-by: Chuhong Yuan +Link: https://lore.kernel.org/r/20191206075500.18525-1-hslester96@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-cavium-thunderx.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/spi/spi-cavium-thunderx.c b/drivers/spi/spi-cavium-thunderx.c +index 877937706240..828fbbebc3c4 100644 +--- a/drivers/spi/spi-cavium-thunderx.c ++++ b/drivers/spi/spi-cavium-thunderx.c +@@ -81,6 +81,7 @@ static int thunderx_spi_probe(struct pci_dev *pdev, + + error: + clk_disable_unprepare(p->clk); ++ pci_release_regions(pdev); + spi_master_put(master); + return ret; + } +@@ -95,6 +96,7 @@ static void thunderx_spi_remove(struct pci_dev *pdev) + return; + + clk_disable_unprepare(p->clk); ++ pci_release_regions(pdev); + /* Put everything in a known state. */ + writeq(0, p->register_base + OCTEON_SPI_CFG(p)); + } +-- +2.20.1 +