From: Greg Kroah-Hartman Date: Tue, 11 Sep 2018 10:14:49 +0000 (+0200) Subject: 4.18-stable patches X-Git-Tag: v4.4.156~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ad70271651307094d0bdcb440becdc2bca8fae75;p=thirdparty%2Fkernel%2Fstable-queue.git 4.18-stable patches added patches: acpi-scan-initialize-status-to-acpi_sta_default.patch acpica-acpica-add-status-check-for-acpi_hw_read-before-assigning-return-value.patch apparmor-fix-an-error-code-in-__aa_create_ns.patch arm-rockchip-force-config_pm-on-rockchip-systems.patch arm64-rockchip-force-config_pm-on-rockchip-systems.patch asoc-rt5677-fix-initialization-of-rt5677_of_match.data.patch blk-mq-count-the-hctx-as-active-before-allocating-tag.patch block-bvec_nr_vecs-returns-value-for-wrong-slab.patch block-don-t-warn-for-flush-on-read-only-device.patch bpf-fix-bpffs-non-array-map-seq_show-issue.patch bpf-sockmap-fix-leakage-of-smap_psock_map_entry.patch bpf-sockmap-fix-map-elem-deletion-race-with-smap_stop_sock.patch bpf-sockmap-fix-sock_map_ctx_update_elem-race-with-exist-noexist.patch brcmfmac-fix-brcmf_wiphy_wowl_params-null-pointer-dereference.patch btrfs-check-integrity-fix-null-pointer-dereference-for-degraded-mount.patch btrfs-do-btrfs_free_stale_devices-outside-of-device_list_add.patch btrfs-don-t-remove-block-group-that-still-has-pinned-down-bytes.patch btrfs-exit-gracefully-when-chunk-map-cannot-be-inserted-to-the-tree.patch btrfs-extend-locked-section-when-adding-a-new-device-in-device_list_add.patch btrfs-fix-a-c-compliance-issue.patch btrfs-fix-in-memory-value-of-total_devices-after-seed-device-deletion.patch btrfs-fix-mount-and-ioctl-device-scan-ioctl-race.patch btrfs-lift-uuid_mutex-to-callers-of-btrfs_open_devices.patch btrfs-lift-uuid_mutex-to-callers-of-btrfs_parse_early_options.patch btrfs-lift-uuid_mutex-to-callers-of-btrfs_scan_one_device.patch btrfs-relocation-only-remove-reloc-rb_trees-if-reloc-control-has-been-initialized.patch btrfs-rename-local-devices-for-fs_devices-in-btrfs_free_stale_devices.patch btrfs-reorder-initialization-before-the-mount-locks-uuid_mutex.patch btrfs-replace-reset-on-disk-dev-stats-value-after-replace.patch btrfs-tree-checker-detect-invalid-and-empty-essential-trees.patch btrfs-use-device_list_mutex-when-removing-stale-devices.patch cfq-suppress-compiler-warnings-about-comparisons.patch cifs-check-if-smb2-pdu-size-has-been-padded-and-suppress-the-warning.patch cifs-fix-memory-leak-and-remove-dead-code.patch clk-rockchip-add-pclk_rkpwm_pmu-to-pmu-critical-clocks-in-rk3399.patch coccicheck-return-proper-error-code-on-fail.patch dm-kcopyd-avoid-softlockup-in-run_complete_job.patch drm-amd-display-guard-against-null-crtc-in-crc-irq.patch drm-amd-display-read-back-max-backlight-value-at-boot.patch drm-etnaviv-fix-crash-in-gpu-suspend-when-init-failed-due-to-buffer-placement.patch f2fs-avoid-race-between-zero_range-and-background-gc.patch f2fs-fix-avoid-race-between-truncate-and-background-gc.patch f2fs-fix-to-clear-pg_checked-flag-in-set_page_dirty.patch fat-validate-i_start-before-using.patch fork-don-t-copy-inconsistent-signal-handler-state-to-child.patch fs-dcache.c-fix-kmemcheck-splat-at-take_dentry_name_snapshot.patch fs-proc-kcore.c-use-__pa_symbol-for-kcore_text-list-entries.patch fs-proc-vmcore.c-hide-vmcoredd_mmap_dumps-for-nommu-builds.patch hfs-prevent-crash-on-exit-from-failed-search.patch hfsplus-don-t-return-0-when-fill_super-failed.patch hfsplus-fix-null-dereference-in-hfsplus_lookup.patch i2c-core-acpi-make-acpi_gsb_i2c_read_bytes-check-i2c_transfer-return-value.patch ib-hfi1-invalid-numa-node-information-can-cause-a-divide-by-zero.patch input-do-not-use-warn-in-input_alloc_absinfo.patch iommu-omap-fix-cache-flushes-on-l2-table-entries.patch iommu-rockchip-handle-errors-returned-from-pm-framework.patch iommu-rockchip-move-irq-request-past-pm_runtime_enable.patch ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_dest.patch irqchip-bcm7038-l1-hide-cpu-offline-callback-when-building-for-smp.patch irqchip-stm32-fix-init-error-handling.patch kvm-nvmx-fix-fault-vector-for-vmx-operation-at-cpl-0.patch kvm-vmx-track-host_state.loaded-using-a-loaded_vmcs-pointer.patch mfd-sm501-set-coherent_dma_mask-when-creating-subdevices.patch mm-fadvise.c-fix-signed-overflow-ubsan-complaint.patch mm-make-deferred_struct_page_init-explicitly-depend-on-sparsemem.patch net-9p-fix-error-path-of-p9_virtio_probe.patch net-9p-trans_fd.c-fix-race-by-holding-the-lock.patch net-hns3-fix-for-command-format-parsing-error-in-hclge_is_all_function_id_zero.patch net-hns3-fix-for-phy-link-issue-when-using-marvell-phy-driver.patch net-xdp-fix-suspicious-rcu-usage-warning.patch netfilter-fix-memory-leaks-on-netlink_dump_start-error.patch netfilter-ip6t_rpfilter-set-f_iface-for-linklocal-addresses.patch netfilter-x_tables-do-not-fail-xt_alloc_table_info-too-easilly.patch nfsv4-fix-error-handling-in-nfs4_sp4_select_mode.patch pci-match-root-port-s-mps-to-endpoint-s-mpss-as-necessary.patch pci-mvebu-fix-i-o-space-end-address-calculation.patch perf-arm-spe-fix-uninitialized-record-error-variable.patch perf-probe-powerpc-fix-trace-event-post-processing.patch perf-python-fix-pyrf_evlist__read_on_cpu-interface.patch perf-tools-check-for-null-when-copying-nsinfo.patch pinctrl-axp209-fix-null-pointer-dereference-after-allocation.patch platform-x86-asus-nb-wmi-add-keymap-entry-for-lid-flip-action-on-ux360.patch platform-x86-intel_punit_ipc-fix-build-errors.patch powerpc-64s-make-rfi_flush_fallback-a-little-more-robust.patch powerpc-fix-size-calculation-using-resource_size.patch powerpc-platforms-85xx-fix-t1042rdb_diu.c-build-errors-warning.patch powerpc-pseries-avoid-using-the-size-greater-than-rtas_error_log_max.patch powerpc-topology-get-topology-for-shared-processors-at-boot.patch powerpc-uaccess-enable-get_user-u64-p-on-32-bit.patch pwm-meson-fix-mux-clock-names.patch rdma-hns-fix-usage-of-bitmap-allocation-functions-return-values.patch rds-ib-fix-passing-zero-to-err_ptr-warning.patch reiserfs-change-j_timestamp-type-to-time64_t.patch risc-v-use-kbuild_cflags-instead-of-kcflags-when-building-the-vdso.patch s390-dasd-fix-hanging-offline-processing-due-to-canceled-worker.patch s390-dasd-fix-panic-for-failed-online-processing.patch s390-kdump-fix-memleak-in-nt_vmcoreinfo.patch samples-bpf-all-xdp-samples-should-unload-xdp-bpf-prog-on-sigterm.patch scripts-modpost-check-memory-allocation-results.patch scsi-aic94xx-fix-an-error-code-in-aic94xx_init.patch selftests-powerpc-kill-child-processes-on-sigint.patch selinux-cleanup-dentry-and-inodes-on-error-in-selinuxfs.patch smb3-fix-reset-of-bytes-read-and-written-stats.patch smb3-if-server-does-not-support-posix-do-not-allow-posix-mount-option.patch smb3-number-of-requests-sent-should-be-displayed-for-smb3-not-just-cifs.patch staging-comedi-ni_mio_common-fix-subdevice-flags-for-pfi-subdevice.patch sunrpc-don-t-use-stack-buffer-with-scatterlist.patch tcp-ulp-add-alias-for-all-ulp-modules.patch tcp-ulp-fix-leftover-icsk_ulp_ops-preventing-sock-from-reattach.patch tracing-handle-cc_flags_ftrace-more-accurately.patch ubi-initialize-fastmap-checkmapping-correctly.patch um-fix-parallel-building-with-o-option.patch virtio-pci-legacy-validate-queue-pfn.patch workqueue-re-add-lockdep-dependencies-for-flushing.patch workqueue-skip-lockdep-wq-dependency-in-cancel_work_sync.patch x86-mce-add-notifier_block-forward-declaration.patch xen-balloon-fix-balloon-initialization-for-pvh-dom0.patch --- diff --git a/queue-4.18/acpi-scan-initialize-status-to-acpi_sta_default.patch b/queue-4.18/acpi-scan-initialize-status-to-acpi_sta_default.patch new file mode 100644 index 00000000000..3ee6f373433 --- /dev/null +++ b/queue-4.18/acpi-scan-initialize-status-to-acpi_sta_default.patch @@ -0,0 +1,60 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Hans de Goede +Date: Wed, 8 Aug 2018 10:30:03 +0200 +Subject: ACPI / scan: Initialize status to ACPI_STA_DEFAULT + +From: Hans de Goede + +[ Upstream commit 5971b0c1594d6c34e257101ed5fdffec65205c50 ] + +Since commit 63347db0affa "ACPI / scan: Use acpi_bus_get_status() to +initialize ACPI_TYPE_DEVICE devs" the status field of normal acpi_devices +gets set to 0 by acpi_bus_type_and_status() and filled with its actual +value later when acpi_add_single_object() calls acpi_bus_get_status(). + +This means that any acpi_match_device_ids() calls in between will always +fail with -ENOENT. + +We already have a workaround for this, which temporary forces status to +ACPI_STA_DEFAULT in drivers/acpi/x86/utils.c: acpi_device_always_present() +and the next commit in this series adds another acpi_match_device_ids() +call between status being initialized as 0 and the acpi_bus_get_status() +call. + +Rather then adding another workaround, this commit makes +acpi_bus_type_and_status() initialize status to ACPI_STA_DEFAULT, this is +safe to do as the only code looking at status between the initialization +and the acpi_bus_get_status() call is those acpi_match_device_ids() calls. + +Note this does mean that we need to (re)set status to 0 in case the +acpi_bus_get_status() call fails. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/scan.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/acpi/scan.c ++++ b/drivers/acpi/scan.c +@@ -1612,7 +1612,8 @@ static int acpi_add_single_object(struct + * Note this must be done before the get power-/wakeup_dev-flags calls. + */ + if (type == ACPI_BUS_TYPE_DEVICE) +- acpi_bus_get_status(device); ++ if (acpi_bus_get_status(device) < 0) ++ acpi_set_device_status(device, 0); + + acpi_bus_get_power_flags(device); + acpi_bus_get_wakeup_device_flags(device); +@@ -1690,7 +1691,7 @@ static int acpi_bus_type_and_status(acpi + * acpi_add_single_object updates this once we've an acpi_device + * so that acpi_bus_get_status' quirk handling can be used. + */ +- *sta = 0; ++ *sta = ACPI_STA_DEFAULT; + break; + case ACPI_TYPE_PROCESSOR: + *type = ACPI_BUS_TYPE_PROCESSOR; diff --git a/queue-4.18/acpica-acpica-add-status-check-for-acpi_hw_read-before-assigning-return-value.patch b/queue-4.18/acpica-acpica-add-status-check-for-acpi_hw_read-before-assigning-return-value.patch new file mode 100644 index 00000000000..31353f40823 --- /dev/null +++ b/queue-4.18/acpica-acpica-add-status-check-for-acpi_hw_read-before-assigning-return-value.patch @@ -0,0 +1,46 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Erik Schmauss +Date: Fri, 10 Aug 2018 14:42:55 -0700 +Subject: ACPICA: ACPICA: add status check for acpi_hw_read before assigning return value + +From: Erik Schmauss + +[ Upstream commit f016b19a9275089a2ab06c2144567c2ad8d5d6ad ] + +The value coming from acpi_hw_read() should not be used if it +returns an error code, so check the status returned by it before +using that value in two places in acpi_hw_register_read(). + +Reported-by: Mark Gross +Signed-off-by: Erik Schmauss +[ rjw: Changelog ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpica/hwregs.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/acpi/acpica/hwregs.c ++++ b/drivers/acpi/acpica/hwregs.c +@@ -528,13 +528,18 @@ acpi_status acpi_hw_register_read(u32 re + + status = + acpi_hw_read(&value64, &acpi_gbl_FADT.xpm2_control_block); +- value = (u32)value64; ++ if (ACPI_SUCCESS(status)) { ++ value = (u32)value64; ++ } + break; + + case ACPI_REGISTER_PM_TIMER: /* 32-bit access */ + + status = acpi_hw_read(&value64, &acpi_gbl_FADT.xpm_timer_block); +- value = (u32)value64; ++ if (ACPI_SUCCESS(status)) { ++ value = (u32)value64; ++ } ++ + break; + + case ACPI_REGISTER_SMI_COMMAND_BLOCK: /* 8-bit access */ diff --git a/queue-4.18/apparmor-fix-an-error-code-in-__aa_create_ns.patch b/queue-4.18/apparmor-fix-an-error-code-in-__aa_create_ns.patch new file mode 100644 index 00000000000..3a222c68bea --- /dev/null +++ b/queue-4.18/apparmor-fix-an-error-code-in-__aa_create_ns.patch @@ -0,0 +1,32 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Dan Carpenter +Date: Thu, 2 Aug 2018 11:38:23 +0300 +Subject: apparmor: fix an error code in __aa_create_ns() + +From: Dan Carpenter + +[ Upstream commit 0a6b29230ec336189bab32498df3f06c8a6944d8 ] + +We should return error pointers in this function. Returning NULL +results in a NULL dereference in the caller. + +Fixes: 73688d1ed0b8 ("apparmor: refactor prepare_ns() and make usable from different views") +Signed-off-by: Dan Carpenter +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/apparmor/policy_ns.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/apparmor/policy_ns.c ++++ b/security/apparmor/policy_ns.c +@@ -255,7 +255,7 @@ static struct aa_ns *__aa_create_ns(stru + + ns = alloc_ns(parent->base.hname, name); + if (!ns) +- return NULL; ++ return ERR_PTR(-ENOMEM); + ns->level = parent->level + 1; + mutex_lock_nested(&ns->lock, ns->level); + error = __aafs_ns_mkdir(ns, ns_subns_dir(parent), name, dir); diff --git a/queue-4.18/arm-rockchip-force-config_pm-on-rockchip-systems.patch b/queue-4.18/arm-rockchip-force-config_pm-on-rockchip-systems.patch new file mode 100644 index 00000000000..238014871a8 --- /dev/null +++ b/queue-4.18/arm-rockchip-force-config_pm-on-rockchip-systems.patch @@ -0,0 +1,35 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Marc Zyngier +Date: Fri, 24 Aug 2018 16:06:34 +0100 +Subject: ARM: rockchip: Force CONFIG_PM on Rockchip systems + +From: Marc Zyngier + +[ Upstream commit d1558dfd9f22c99a5b8e1354ad881ee40749da89 ] + +A number of the Rockchip-specific drivers (IOMMU, display controllers) +are now assuming that CONFIG_PM is set, and may completely misbehave +if that's not the case. + +Since there is hardly any reason for this configuration option not +to be selected anyway, let's require it (in the same way Tegra already +does). + +Signed-off-by: Marc Zyngier +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-rockchip/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/mach-rockchip/Kconfig ++++ b/arch/arm/mach-rockchip/Kconfig +@@ -17,6 +17,7 @@ config ARCH_ROCKCHIP + select ARM_GLOBAL_TIMER + select CLKSRC_ARM_GLOBAL_TIMER_SCHED_CLOCK + select ZONE_DMA if ARM_LPAE ++ select PM + help + Support for Rockchip's Cortex-A9 Single-to-Quad-Core-SoCs + containing the RK2928, RK30xx and RK31xx series. diff --git a/queue-4.18/arm64-rockchip-force-config_pm-on-rockchip-systems.patch b/queue-4.18/arm64-rockchip-force-config_pm-on-rockchip-systems.patch new file mode 100644 index 00000000000..f439cb3e52f --- /dev/null +++ b/queue-4.18/arm64-rockchip-force-config_pm-on-rockchip-systems.patch @@ -0,0 +1,35 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Marc Zyngier +Date: Fri, 24 Aug 2018 16:06:35 +0100 +Subject: arm64: rockchip: Force CONFIG_PM on Rockchip systems + +From: Marc Zyngier + +[ Upstream commit 7db7a8f5638a2ffe0c0c0d55b5186b6191fd6af7 ] + +A number of the Rockchip-specific drivers (IOMMU, display controllers) +are now assuming that CONFIG_PM is set, and may completely misbehave +if that's not the case. + +Since there is hardly any reason for this configuration option not +to be selected anyway, let's require it (in the same way Tegra already +does). + +Signed-off-by: Marc Zyngier +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/Kconfig.platforms | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/Kconfig.platforms ++++ b/arch/arm64/Kconfig.platforms +@@ -151,6 +151,7 @@ config ARCH_ROCKCHIP + select GPIOLIB + select PINCTRL + select PINCTRL_ROCKCHIP ++ select PM + select ROCKCHIP_TIMER + help + This enables support for the ARMv8 based Rockchip chipsets, diff --git a/queue-4.18/asoc-rt5677-fix-initialization-of-rt5677_of_match.data.patch b/queue-4.18/asoc-rt5677-fix-initialization-of-rt5677_of_match.data.patch new file mode 100644 index 00000000000..a6b88a04145 --- /dev/null +++ b/queue-4.18/asoc-rt5677-fix-initialization-of-rt5677_of_match.data.patch @@ -0,0 +1,41 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Matthias Kaehlcke +Date: Tue, 7 Aug 2018 10:19:40 -0700 +Subject: ASoC: rt5677: Fix initialization of rt5677_of_match.data + +From: Matthias Kaehlcke + +[ Upstream commit f861e3e28a3016a2064d9f600eaa92a530b732b4 ] + +The driver expects to find the device id in rt5677_of_match.data, however +it is currently assigned to rt5677_of_match.type. Fix this. + +The problem was found with the help of clang: + sound/soc/codecs/rt5677.c:5010:36: warning: expression which evaluates to + zero treated as a null pointer constant of type 'const void *' + [-Wnon-literal-null-conversion] + { .compatible = "realtek,rt5677", RT5677 }, + ^~~~~~ + +Fixes: ddc9e69b9dc2 ("ASoC: rt5677: Hide platform data in the module sources") +Signed-off-by: Matthias Kaehlcke +Reviewed-by: Guenter Roeck +Acked-by: Andy Shevchenko +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/rt5677.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/codecs/rt5677.c ++++ b/sound/soc/codecs/rt5677.c +@@ -5007,7 +5007,7 @@ static const struct regmap_config rt5677 + }; + + static const struct of_device_id rt5677_of_match[] = { +- { .compatible = "realtek,rt5677", RT5677 }, ++ { .compatible = "realtek,rt5677", .data = (const void *)RT5677 }, + { } + }; + MODULE_DEVICE_TABLE(of, rt5677_of_match); diff --git a/queue-4.18/blk-mq-count-the-hctx-as-active-before-allocating-tag.patch b/queue-4.18/blk-mq-count-the-hctx-as-active-before-allocating-tag.patch new file mode 100644 index 00000000000..137b9fa4649 --- /dev/null +++ b/queue-4.18/blk-mq-count-the-hctx-as-active-before-allocating-tag.patch @@ -0,0 +1,83 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Jianchao Wang +Date: Thu, 9 Aug 2018 08:34:17 -0600 +Subject: blk-mq: count the hctx as active before allocating tag + +From: Jianchao Wang + +[ Upstream commit d263ed9926823c462f99a7679e18f0c9e5b8550d ] + +Currently, we count the hctx as active after allocate driver tag +successfully. If a previously inactive hctx try to get tag first +time, it may fails and need to wait. However, due to the stale tag +->active_queues, the other shared-tags users are still able to +occupy all driver tags while there is someone waiting for tag. +Consequently, even if the previously inactive hctx is waked up, it +still may not be able to get a tag and could be starved. + +To fix it, we count the hctx as active before try to allocate driver +tag, then when it is waiting the tag, the other shared-tag users +will reserve budget for it. + +Reviewed-by: Ming Lei +Signed-off-by: Jianchao Wang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq-tag.c | 3 +++ + block/blk-mq.c | 8 ++++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/block/blk-mq-tag.c ++++ b/block/blk-mq-tag.c +@@ -23,6 +23,9 @@ bool blk_mq_has_free_tags(struct blk_mq_ + + /* + * If a previously inactive queue goes active, bump the active user count. ++ * We need to do this before try to allocate driver tag, then even if fail ++ * to get tag when first time, the other shared-tag users could reserve ++ * budget for it. + */ + bool __blk_mq_tag_busy(struct blk_mq_hw_ctx *hctx) + { +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -285,7 +285,7 @@ static struct request *blk_mq_rq_ctx_ini + rq->tag = -1; + rq->internal_tag = tag; + } else { +- if (blk_mq_tag_busy(data->hctx)) { ++ if (data->hctx->flags & BLK_MQ_F_TAG_SHARED) { + rq_flags = RQF_MQ_INFLIGHT; + atomic_inc(&data->hctx->nr_active); + } +@@ -367,6 +367,8 @@ static struct request *blk_mq_get_reques + if (!op_is_flush(op) && e->type->ops.mq.limit_depth && + !(data->flags & BLK_MQ_REQ_RESERVED)) + e->type->ops.mq.limit_depth(op, data); ++ } else { ++ blk_mq_tag_busy(data->hctx); + } + + tag = blk_mq_get_tag(data); +@@ -970,6 +972,7 @@ bool blk_mq_get_driver_tag(struct reques + .hctx = blk_mq_map_queue(rq->q, rq->mq_ctx->cpu), + .flags = wait ? 0 : BLK_MQ_REQ_NOWAIT, + }; ++ bool shared; + + might_sleep_if(wait); + +@@ -979,9 +982,10 @@ bool blk_mq_get_driver_tag(struct reques + if (blk_mq_tag_is_reserved(data.hctx->sched_tags, rq->internal_tag)) + data.flags |= BLK_MQ_REQ_RESERVED; + ++ shared = blk_mq_tag_busy(data.hctx); + rq->tag = blk_mq_get_tag(&data); + if (rq->tag >= 0) { +- if (blk_mq_tag_busy(data.hctx)) { ++ if (shared) { + rq->rq_flags |= RQF_MQ_INFLIGHT; + atomic_inc(&data.hctx->nr_active); + } diff --git a/queue-4.18/block-bvec_nr_vecs-returns-value-for-wrong-slab.patch b/queue-4.18/block-bvec_nr_vecs-returns-value-for-wrong-slab.patch new file mode 100644 index 00000000000..e7369ba661a --- /dev/null +++ b/queue-4.18/block-bvec_nr_vecs-returns-value-for-wrong-slab.patch @@ -0,0 +1,37 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Greg Edwards +Date: Wed, 8 Aug 2018 13:27:53 -0600 +Subject: block: bvec_nr_vecs() returns value for wrong slab + +From: Greg Edwards + +[ Upstream commit d6c02a9beb67f13d5f14f23e72fa9981e8b84477 ] + +In commit ed996a52c868 ("block: simplify and cleanup bvec pool +handling"), the value of the slab index is incremented by one in +bvec_alloc() after the allocation is done to indicate an index value of +0 does not need to be later freed. + +bvec_nr_vecs() was not updated accordingly, and thus returns the wrong +value. Decrement idx before performing the lookup. + +Fixes: ed996a52c868 ("block: simplify and cleanup bvec pool handling") +Signed-off-by: Greg Edwards +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/bio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/block/bio.c ++++ b/block/bio.c +@@ -156,7 +156,7 @@ out: + + unsigned int bvec_nr_vecs(unsigned short idx) + { +- return bvec_slabs[idx].nr_vecs; ++ return bvec_slabs[--idx].nr_vecs; + } + + void bvec_free(mempool_t *pool, struct bio_vec *bv, unsigned int idx) diff --git a/queue-4.18/block-don-t-warn-for-flush-on-read-only-device.patch b/queue-4.18/block-don-t-warn-for-flush-on-read-only-device.patch new file mode 100644 index 00000000000..43f8abb0319 --- /dev/null +++ b/queue-4.18/block-don-t-warn-for-flush-on-read-only-device.patch @@ -0,0 +1,34 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Jens Axboe +Date: Tue, 14 Aug 2018 10:52:40 -0600 +Subject: block: don't warn for flush on read-only device + +From: Jens Axboe + +[ Upstream commit b089cfd95d32638335c551651a8e00fd2c4edb0b ] + +Don't warn for a flush issued to a read-only device. It's not strictly +a writable command, as it doesn't change any on-media data by itself. + +Reported-by: Stefan Agner +Fixes: 721c7fc701c7 ("block: fail op_is_write() requests to read-only partitions") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -2159,7 +2159,9 @@ static inline bool should_fail_request(s + + static inline bool bio_check_ro(struct bio *bio, struct hd_struct *part) + { +- if (part->policy && op_is_write(bio_op(bio))) { ++ const int op = bio_op(bio); ++ ++ if (part->policy && (op_is_write(op) && !op_is_flush(op))) { + char b[BDEVNAME_SIZE]; + + WARN_ONCE(1, diff --git a/queue-4.18/bpf-fix-bpffs-non-array-map-seq_show-issue.patch b/queue-4.18/bpf-fix-bpffs-non-array-map-seq_show-issue.patch new file mode 100644 index 00000000000..4a9bb9d0078 --- /dev/null +++ b/queue-4.18/bpf-fix-bpffs-non-array-map-seq_show-issue.patch @@ -0,0 +1,59 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Yonghong Song +Date: Thu, 9 Aug 2018 08:55:19 -0700 +Subject: bpf: fix bpffs non-array map seq_show issue + +From: Yonghong Song + +[ Upstream commit dc1508a579e682a1e5f1ed0753390e0aa7c23a97 ] + +In function map_seq_next() of kernel/bpf/inode.c, +the first key will be the "0" regardless of the map type. +This works for array. But for hash type, if it happens +key "0" is in the map, the bpffs map show will miss +some items if the key "0" is not the first element of +the first bucket. + +This patch fixed the issue by guaranteeing to get +the first element, if the seq_show is just started, +by passing NULL pointer key to map_get_next_key() callback. +This way, no missing elements will occur for +bpffs hash table show even if key "0" is in the map. + +Fixes: a26ca7c982cb5 ("bpf: btf: Add pretty print support to the basic arraymap") +Acked-by: Alexei Starovoitov +Signed-off-by: Yonghong Song +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/inode.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/kernel/bpf/inode.c ++++ b/kernel/bpf/inode.c +@@ -196,19 +196,21 @@ static void *map_seq_next(struct seq_fil + { + struct bpf_map *map = seq_file_to_map(m); + void *key = map_iter(m)->key; ++ void *prev_key; + + if (map_iter(m)->done) + return NULL; + + if (unlikely(v == SEQ_START_TOKEN)) +- goto done; ++ prev_key = NULL; ++ else ++ prev_key = key; + +- if (map->ops->map_get_next_key(map, key, key)) { ++ if (map->ops->map_get_next_key(map, prev_key, key)) { + map_iter(m)->done = true; + return NULL; + } + +-done: + ++(*pos); + return key; + } diff --git a/queue-4.18/bpf-sockmap-fix-leakage-of-smap_psock_map_entry.patch b/queue-4.18/bpf-sockmap-fix-leakage-of-smap_psock_map_entry.patch new file mode 100644 index 00000000000..2167f15bc80 --- /dev/null +++ b/queue-4.18/bpf-sockmap-fix-leakage-of-smap_psock_map_entry.patch @@ -0,0 +1,116 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Daniel Borkmann +Date: Thu, 16 Aug 2018 21:49:08 +0200 +Subject: bpf, sockmap: fix leakage of smap_psock_map_entry + +From: Daniel Borkmann + +[ Upstream commit d40b0116c94bd8fc2b63aae35ce8e66bb53bba42 ] + +While working on sockmap I noticed that we do not always kfree the +struct smap_psock_map_entry list elements which track psocks attached +to maps. In the case of sock_hash_ctx_update_elem(), these map entries +are allocated outside of __sock_map_ctx_update_elem() with their +linkage to the socket hash table filled. In the case of sock array, +the map entries are allocated inside of __sock_map_ctx_update_elem() +and added with their linkage to the psock->maps. Both additions are +under psock->maps_lock each. + +Now, we drop these elements from their psock->maps list in a few +occasions: i) in sock array via smap_list_map_remove() when an entry +is either deleted from the map from user space, or updated via +user space or BPF program where we drop the old socket at that map +slot, or the sock array is freed via sock_map_free() and drops all +its elements; ii) for sock hash via smap_list_hash_remove() in exactly +the same occasions as just described for sock array; iii) in the +bpf_tcp_close() where we remove the elements from the list via +psock_map_pop() and iterate over them dropping themselves from either +sock array or sock hash; and last but not least iv) once again in +smap_gc_work() which is a callback for deferring the work once the +psock refcount hit zero and thus the socket is being destroyed. + +Problem is that the only case where we kfree() the list entry is +in case iv), which at that point should have an empty list in +normal cases. So in cases from i) to iii) we unlink the elements +without freeing where they go out of reach from us. Hence fix is +to properly kfree() them as well to stop the leakage. Given these +are all handled under psock->maps_lock there is no need for deferred +RCU freeing. + +I later also ran with kmemleak detector and it confirmed the finding +as well where in the state before the fix the object goes unreferenced +while after the patch no kmemleak report related to BPF showed up. + + [...] + unreferenced object 0xffff880378eadae0 (size 64): + comm "test_sockmap", pid 2225, jiffies 4294720701 (age 43.504s) + hex dump (first 32 bytes): + 00 01 00 00 00 00 ad de 00 02 00 00 00 00 ad de ................ + 50 4d 75 5d 03 88 ff ff 00 00 00 00 00 00 00 00 PMu]............ + backtrace: + [<000000005225ac3c>] sock_map_ctx_update_elem.isra.21+0xd8/0x210 + [<0000000045dd6d3c>] bpf_sock_map_update+0x29/0x60 + [<00000000877723aa>] ___bpf_prog_run+0x1e1f/0x4960 + [<000000002ef89e83>] 0xffffffffffffffff + unreferenced object 0xffff880378ead240 (size 64): + comm "test_sockmap", pid 2225, jiffies 4294720701 (age 43.504s) + hex dump (first 32 bytes): + 00 01 00 00 00 00 ad de 00 02 00 00 00 00 ad de ................ + 00 44 75 5d 03 88 ff ff 00 00 00 00 00 00 00 00 .Du]............ + backtrace: + [<000000005225ac3c>] sock_map_ctx_update_elem.isra.21+0xd8/0x210 + [<0000000030e37a3a>] sock_map_update_elem+0x125/0x240 + [<000000002e5ce36e>] map_update_elem+0x4eb/0x7b0 + [<00000000db453cc9>] __x64_sys_bpf+0x1f9/0x360 + [<0000000000763660>] do_syscall_64+0x9a/0x300 + [<00000000422a2bb2>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + [<000000002ef89e83>] 0xffffffffffffffff + [...] + +Fixes: e9db4ef6bf4c ("bpf: sockhash fix omitted bucket lock in sock_close") +Fixes: 54fedb42c653 ("bpf: sockmap, fix smap_list_map_remove when psock is in many maps") +Fixes: 2f857d04601a ("bpf: sockmap, remove STRPARSER map_flags and add multi-map support") +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Acked-by: Song Liu +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/sockmap.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/kernel/bpf/sockmap.c ++++ b/kernel/bpf/sockmap.c +@@ -376,6 +376,7 @@ static void bpf_tcp_close(struct sock *s + } + raw_spin_unlock_bh(&b->lock); + } ++ kfree(e); + e = psock_map_pop(sk, psock); + } + rcu_read_unlock(); +@@ -1685,8 +1686,10 @@ static void smap_list_map_remove(struct + + spin_lock_bh(&psock->maps_lock); + list_for_each_entry_safe(e, tmp, &psock->maps, list) { +- if (e->entry == entry) ++ if (e->entry == entry) { + list_del(&e->list); ++ kfree(e); ++ } + } + spin_unlock_bh(&psock->maps_lock); + } +@@ -1700,8 +1703,10 @@ static void smap_list_hash_remove(struct + list_for_each_entry_safe(e, tmp, &psock->maps, list) { + struct htab_elem *c = rcu_dereference(e->hash_link); + +- if (c == hash_link) ++ if (c == hash_link) { + list_del(&e->list); ++ kfree(e); ++ } + } + spin_unlock_bh(&psock->maps_lock); + } diff --git a/queue-4.18/bpf-sockmap-fix-map-elem-deletion-race-with-smap_stop_sock.patch b/queue-4.18/bpf-sockmap-fix-map-elem-deletion-race-with-smap_stop_sock.patch new file mode 100644 index 00000000000..163014d35e3 --- /dev/null +++ b/queue-4.18/bpf-sockmap-fix-map-elem-deletion-race-with-smap_stop_sock.patch @@ -0,0 +1,48 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Daniel Borkmann +Date: Thu, 16 Aug 2018 21:49:09 +0200 +Subject: bpf, sockmap: fix map elem deletion race with smap_stop_sock + +From: Daniel Borkmann + +[ Upstream commit 166ab6f0a0702fdd4d865ad5090bf3094ed83428 ] + +The smap_start_sock() and smap_stop_sock() are each protected under +the sock->sk_callback_lock from their call-sites except in the case +of sock_map_delete_elem() where we drop the old socket from the map +slot. This is racy because the same sock could be part of multiple +sock maps, so we run smap_stop_sock() in parallel, and given at that +point psock->strp_enabled might be true on both CPUs, we might for +example wrongly restore the sk->sk_data_ready / sk->sk_write_space. +Therefore, hold the sock->sk_callback_lock as well on delete. Looks +like 2f857d04601a ("bpf: sockmap, remove STRPARSER map_flags and add +multi-map support") had this right, but later on e9db4ef6bf4c ("bpf: +sockhash fix omitted bucket lock in sock_close") removed it again +from delete leaving this smap_stop_sock() instance unprotected. + +Fixes: e9db4ef6bf4c ("bpf: sockhash fix omitted bucket lock in sock_close") +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Acked-by: Song Liu +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/sockmap.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/kernel/bpf/sockmap.c ++++ b/kernel/bpf/sockmap.c +@@ -1784,8 +1784,11 @@ static int sock_map_delete_elem(struct b + if (!psock) + goto out; + +- if (psock->bpf_parse) ++ if (psock->bpf_parse) { ++ write_lock_bh(&sock->sk_callback_lock); + smap_stop_sock(psock, sock); ++ write_unlock_bh(&sock->sk_callback_lock); ++ } + smap_list_map_remove(psock, &stab->sock_map[k]); + smap_release_sock(psock, sock); + out: diff --git a/queue-4.18/bpf-sockmap-fix-sock_map_ctx_update_elem-race-with-exist-noexist.patch b/queue-4.18/bpf-sockmap-fix-sock_map_ctx_update_elem-race-with-exist-noexist.patch new file mode 100644 index 00000000000..03fa67279b2 --- /dev/null +++ b/queue-4.18/bpf-sockmap-fix-sock_map_ctx_update_elem-race-with-exist-noexist.patch @@ -0,0 +1,291 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Daniel Borkmann +Date: Thu, 16 Aug 2018 21:49:10 +0200 +Subject: bpf, sockmap: fix sock_map_ctx_update_elem race with exist/noexist + +From: Daniel Borkmann + +[ Upstream commit 585f5a6252ee43ec8feeee07387e3fcc7e8bb292 ] + +The current code in sock_map_ctx_update_elem() allows for BPF_EXIST +and BPF_NOEXIST map update flags. While on array-like maps this approach +is rather uncommon, e.g. bpf_fd_array_map_update_elem() and others +enforce map update flags to be BPF_ANY such that xchg() can be used +directly, the current implementation in sock map does not guarantee +that such operation with BPF_EXIST / BPF_NOEXIST is atomic. + +The initial test does a READ_ONCE(stab->sock_map[i]) to fetch the +socket from the slot which is then tested for NULL / non-NULL. However +later after __sock_map_ctx_update_elem(), the actual update is done +through osock = xchg(&stab->sock_map[i], sock). Problem is that in +the meantime a different CPU could have updated / deleted a socket +on that specific slot and thus flag contraints won't hold anymore. + +I've been thinking whether best would be to just break UAPI and do +an enforcement of BPF_ANY to check if someone actually complains, +however trouble is that already in BPF kselftest we use BPF_NOEXIST +for the map update, and therefore it might have been copied into +applications already. The fix to keep the current behavior intact +would be to add a map lock similar to the sock hash bucket lock only +for covering the whole map. + +Fixes: 174a79ff9515 ("bpf: sockmap with sk redirect support") +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Acked-by: Song Liu +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/sockmap.c | 106 +++++++++++++++++++++++++++------------------------ + 1 file changed, 57 insertions(+), 49 deletions(-) + +--- a/kernel/bpf/sockmap.c ++++ b/kernel/bpf/sockmap.c +@@ -58,6 +58,7 @@ struct bpf_stab { + struct bpf_map map; + struct sock **sock_map; + struct bpf_sock_progs progs; ++ raw_spinlock_t lock; + }; + + struct bucket { +@@ -89,9 +90,9 @@ enum smap_psock_state { + + struct smap_psock_map_entry { + struct list_head list; ++ struct bpf_map *map; + struct sock **entry; + struct htab_elem __rcu *hash_link; +- struct bpf_htab __rcu *htab; + }; + + struct smap_psock { +@@ -343,13 +344,18 @@ static void bpf_tcp_close(struct sock *s + e = psock_map_pop(sk, psock); + while (e) { + if (e->entry) { +- osk = cmpxchg(e->entry, sk, NULL); ++ struct bpf_stab *stab = container_of(e->map, struct bpf_stab, map); ++ ++ raw_spin_lock_bh(&stab->lock); ++ osk = *e->entry; + if (osk == sk) { ++ *e->entry = NULL; + smap_release_sock(psock, sk); + } ++ raw_spin_unlock_bh(&stab->lock); + } else { + struct htab_elem *link = rcu_dereference(e->hash_link); +- struct bpf_htab *htab = rcu_dereference(e->htab); ++ struct bpf_htab *htab = container_of(e->map, struct bpf_htab, map); + struct hlist_head *head; + struct htab_elem *l; + struct bucket *b; +@@ -1644,6 +1650,7 @@ static struct bpf_map *sock_map_alloc(un + return ERR_PTR(-ENOMEM); + + bpf_map_init_from_attr(&stab->map, attr); ++ raw_spin_lock_init(&stab->lock); + + /* make sure page count doesn't overflow */ + cost = (u64) stab->map.max_entries * sizeof(struct sock *); +@@ -1714,14 +1721,15 @@ static void sock_map_free(struct bpf_map + * and a grace period expire to ensure psock is really safe to remove. + */ + rcu_read_lock(); ++ raw_spin_lock_bh(&stab->lock); + for (i = 0; i < stab->map.max_entries; i++) { + struct smap_psock *psock; + struct sock *sock; + +- sock = xchg(&stab->sock_map[i], NULL); ++ sock = stab->sock_map[i]; + if (!sock) + continue; +- ++ stab->sock_map[i] = NULL; + psock = smap_psock_sk(sock); + /* This check handles a racing sock event that can get the + * sk_callback_lock before this case but after xchg happens +@@ -1733,6 +1741,7 @@ static void sock_map_free(struct bpf_map + smap_release_sock(psock, sock); + } + } ++ raw_spin_unlock_bh(&stab->lock); + rcu_read_unlock(); + + sock_map_remove_complete(stab); +@@ -1776,14 +1785,16 @@ static int sock_map_delete_elem(struct b + if (k >= map->max_entries) + return -EINVAL; + +- sock = xchg(&stab->sock_map[k], NULL); ++ raw_spin_lock_bh(&stab->lock); ++ sock = stab->sock_map[k]; ++ stab->sock_map[k] = NULL; ++ raw_spin_unlock_bh(&stab->lock); + if (!sock) + return -EINVAL; + + psock = smap_psock_sk(sock); + if (!psock) +- goto out; +- ++ return 0; + if (psock->bpf_parse) { + write_lock_bh(&sock->sk_callback_lock); + smap_stop_sock(psock, sock); +@@ -1791,7 +1802,6 @@ static int sock_map_delete_elem(struct b + } + smap_list_map_remove(psock, &stab->sock_map[k]); + smap_release_sock(psock, sock); +-out: + return 0; + } + +@@ -1827,11 +1837,9 @@ out: + static int __sock_map_ctx_update_elem(struct bpf_map *map, + struct bpf_sock_progs *progs, + struct sock *sock, +- struct sock **map_link, + void *key) + { + struct bpf_prog *verdict, *parse, *tx_msg; +- struct smap_psock_map_entry *e = NULL; + struct smap_psock *psock; + bool new = false; + int err = 0; +@@ -1904,14 +1912,6 @@ static int __sock_map_ctx_update_elem(st + new = true; + } + +- if (map_link) { +- e = kzalloc(sizeof(*e), GFP_ATOMIC | __GFP_NOWARN); +- if (!e) { +- err = -ENOMEM; +- goto out_free; +- } +- } +- + /* 3. At this point we have a reference to a valid psock that is + * running. Attach any BPF programs needed. + */ +@@ -1933,17 +1933,6 @@ static int __sock_map_ctx_update_elem(st + write_unlock_bh(&sock->sk_callback_lock); + } + +- /* 4. Place psock in sockmap for use and stop any programs on +- * the old sock assuming its not the same sock we are replacing +- * it with. Because we can only have a single set of programs if +- * old_sock has a strp we can stop it. +- */ +- if (map_link) { +- e->entry = map_link; +- spin_lock_bh(&psock->maps_lock); +- list_add_tail(&e->list, &psock->maps); +- spin_unlock_bh(&psock->maps_lock); +- } + return err; + out_free: + smap_release_sock(psock, sock); +@@ -1954,7 +1943,6 @@ out_progs: + } + if (tx_msg) + bpf_prog_put(tx_msg); +- kfree(e); + return err; + } + +@@ -1964,36 +1952,57 @@ static int sock_map_ctx_update_elem(stru + { + struct bpf_stab *stab = container_of(map, struct bpf_stab, map); + struct bpf_sock_progs *progs = &stab->progs; +- struct sock *osock, *sock; ++ struct sock *osock, *sock = skops->sk; ++ struct smap_psock_map_entry *e; ++ struct smap_psock *psock; + u32 i = *(u32 *)key; + int err; + + if (unlikely(flags > BPF_EXIST)) + return -EINVAL; +- + if (unlikely(i >= stab->map.max_entries)) + return -E2BIG; + +- sock = READ_ONCE(stab->sock_map[i]); +- if (flags == BPF_EXIST && !sock) +- return -ENOENT; +- else if (flags == BPF_NOEXIST && sock) +- return -EEXIST; ++ e = kzalloc(sizeof(*e), GFP_ATOMIC | __GFP_NOWARN); ++ if (!e) ++ return -ENOMEM; + +- sock = skops->sk; +- err = __sock_map_ctx_update_elem(map, progs, sock, &stab->sock_map[i], +- key); ++ err = __sock_map_ctx_update_elem(map, progs, sock, key); + if (err) + goto out; + +- osock = xchg(&stab->sock_map[i], sock); +- if (osock) { +- struct smap_psock *opsock = smap_psock_sk(osock); ++ /* psock guaranteed to be present. */ ++ psock = smap_psock_sk(sock); ++ raw_spin_lock_bh(&stab->lock); ++ osock = stab->sock_map[i]; ++ if (osock && flags == BPF_NOEXIST) { ++ err = -EEXIST; ++ goto out_unlock; ++ } ++ if (!osock && flags == BPF_EXIST) { ++ err = -ENOENT; ++ goto out_unlock; ++ } ++ ++ e->entry = &stab->sock_map[i]; ++ e->map = map; ++ spin_lock_bh(&psock->maps_lock); ++ list_add_tail(&e->list, &psock->maps); ++ spin_unlock_bh(&psock->maps_lock); + +- smap_list_map_remove(opsock, &stab->sock_map[i]); +- smap_release_sock(opsock, osock); ++ stab->sock_map[i] = sock; ++ if (osock) { ++ psock = smap_psock_sk(osock); ++ smap_list_map_remove(psock, &stab->sock_map[i]); ++ smap_release_sock(psock, osock); + } ++ raw_spin_unlock_bh(&stab->lock); ++ return 0; ++out_unlock: ++ smap_release_sock(psock, sock); ++ raw_spin_unlock_bh(&stab->lock); + out: ++ kfree(e); + return err; + } + +@@ -2356,7 +2365,7 @@ static int sock_hash_ctx_update_elem(str + b = __select_bucket(htab, hash); + head = &b->head; + +- err = __sock_map_ctx_update_elem(map, progs, sock, NULL, key); ++ err = __sock_map_ctx_update_elem(map, progs, sock, key); + if (err) + goto err; + +@@ -2382,8 +2391,7 @@ static int sock_hash_ctx_update_elem(str + } + + rcu_assign_pointer(e->hash_link, l_new); +- rcu_assign_pointer(e->htab, +- container_of(map, struct bpf_htab, map)); ++ e->map = map; + spin_lock_bh(&psock->maps_lock); + list_add_tail(&e->list, &psock->maps); + spin_unlock_bh(&psock->maps_lock); diff --git a/queue-4.18/brcmfmac-fix-brcmf_wiphy_wowl_params-null-pointer-dereference.patch b/queue-4.18/brcmfmac-fix-brcmf_wiphy_wowl_params-null-pointer-dereference.patch new file mode 100644 index 00000000000..41df69e12fb --- /dev/null +++ b/queue-4.18/brcmfmac-fix-brcmf_wiphy_wowl_params-null-pointer-dereference.patch @@ -0,0 +1,47 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Winnie Chang +Date: Tue, 7 Aug 2018 21:19:41 -0500 +Subject: brcmfmac: fix brcmf_wiphy_wowl_params() NULL pointer dereference + +From: Winnie Chang + +[ Upstream commit 27a8aea13053700ad2a08189024df7e341d1ee51 ] + +The kernel BUG happens when wowl is enabled from firmware. In +brcmf_wiphy_wowl_params(), cfg is a NULL pointer because it is +drvr->config returned from wiphy_to_cfg(), and drvr->config is not set +yet. To fix it, set drvr->config before brcmf_setup_wiphy() which +calls brcmf_wiphy_wowl_params(). + +Fixes: 856d5a011c86 ("brcmfmac: allocate struct brcmf_pub instance using wiphy_new()") +Signed-off-by: Winnie Chang +Signed-off-by: Chi-Hsien Lin +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -6926,15 +6926,15 @@ struct brcmf_cfg80211_info *brcmf_cfg802 + cfg->d11inf.io_type = (u8)io_type; + brcmu_d11_attach(&cfg->d11inf); + +- err = brcmf_setup_wiphy(wiphy, ifp); +- if (err < 0) +- goto priv_out; +- + /* regulatory notifer below needs access to cfg so + * assign it now. + */ + drvr->config = cfg; + ++ err = brcmf_setup_wiphy(wiphy, ifp); ++ if (err < 0) ++ goto priv_out; ++ + brcmf_dbg(INFO, "Registering custom regulatory\n"); + wiphy->reg_notifier = brcmf_cfg80211_reg_notifier; + wiphy->regulatory_flags |= REGULATORY_CUSTOM_REG; diff --git a/queue-4.18/btrfs-check-integrity-fix-null-pointer-dereference-for-degraded-mount.patch b/queue-4.18/btrfs-check-integrity-fix-null-pointer-dereference-for-degraded-mount.patch new file mode 100644 index 00000000000..9288b5458e7 --- /dev/null +++ b/queue-4.18/btrfs-check-integrity-fix-null-pointer-dereference-for-degraded-mount.patch @@ -0,0 +1,49 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Qu Wenruo +Date: Wed, 20 Jun 2018 15:38:58 +0800 +Subject: btrfs: check-integrity: Fix NULL pointer dereference for degraded mount + +From: Qu Wenruo + +[ Upstream commit 9912bbf6440ba0555e91d3306520da01872c7c1d ] + +Commit f8f84b2dfda5 ("btrfs: index check-integrity state hash by a dev_t") +changed how btrfsic indexes device state. + +Now we need to access device->bdev->bd_dev, while for degraded mount +it's completely possible to have device->bdev as NULL, thus it will +trigger a NULL pointer dereference at mount time. + +Fix it by checking if the device is degraded before accessing +device->bdev->bd_dev. + +There are a lot of other places accessing device->bdev->bd_dev, however +the other call sites have either checked device->bdev, or the +device->bdev is passed from btrfsic_map_block(), so it won't cause harm. + +Fixes: f8f84b2dfda5 ("btrfs: index check-integrity state hash by a dev_t") +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/check-integrity.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/check-integrity.c ++++ b/fs/btrfs/check-integrity.c +@@ -1539,7 +1539,12 @@ static int btrfsic_map_block(struct btrf + } + + device = multi->stripes[0].dev; +- block_ctx_out->dev = btrfsic_dev_state_lookup(device->bdev->bd_dev); ++ if (test_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state) || ++ !device->bdev || !device->name) ++ block_ctx_out->dev = NULL; ++ else ++ block_ctx_out->dev = btrfsic_dev_state_lookup( ++ device->bdev->bd_dev); + block_ctx_out->dev_bytenr = multi->stripes[0].physical; + block_ctx_out->start = bytenr; + block_ctx_out->len = len; diff --git a/queue-4.18/btrfs-do-btrfs_free_stale_devices-outside-of-device_list_add.patch b/queue-4.18/btrfs-do-btrfs_free_stale_devices-outside-of-device_list_add.patch new file mode 100644 index 00000000000..e1a597ffe4a --- /dev/null +++ b/queue-4.18/btrfs-do-btrfs_free_stale_devices-outside-of-device_list_add.patch @@ -0,0 +1,72 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Anand Jain +Date: Tue, 29 May 2018 12:28:37 +0800 +Subject: btrfs: do btrfs_free_stale_devices outside of device_list_add + +From: Anand Jain + +[ Upstream commit 4306a97449f9a0f9e5229af7889d4401315355aa ] + +btrfs_free_stale_devices() looks for device path reused for another +filesystem, and deletes the older fs_devices::device entry. + +In preparation to handle locking in device_list_add, move +btrfs_free_stale_devices outside as these two functions serve a +different purpose. + +Signed-off-by: Anand Jain +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -750,7 +750,8 @@ error_brelse: + * error pointer when failed + */ + static noinline struct btrfs_device *device_list_add(const char *path, +- struct btrfs_super_block *disk_super) ++ struct btrfs_super_block *disk_super, ++ bool *new_device_added) + { + struct btrfs_device *device; + struct btrfs_fs_devices *fs_devices; +@@ -796,7 +797,7 @@ static noinline struct btrfs_device *dev + mutex_unlock(&fs_devices->device_list_mutex); + + device->fs_devices = fs_devices; +- btrfs_free_stale_devices(path, device); ++ *new_device_added = true; + + if (disk_super->label[0]) + pr_info("BTRFS: device label %s devid %llu transid %llu %s\n", +@@ -1221,6 +1222,7 @@ int btrfs_scan_one_device(const char *pa + struct btrfs_fs_devices **fs_devices_ret) + { + struct btrfs_super_block *disk_super; ++ bool new_device_added = false; + struct btrfs_device *device; + struct block_device *bdev; + struct page *page; +@@ -1246,11 +1248,14 @@ int btrfs_scan_one_device(const char *pa + } + + mutex_lock(&uuid_mutex); +- device = device_list_add(path, disk_super); +- if (IS_ERR(device)) ++ device = device_list_add(path, disk_super, &new_device_added); ++ if (IS_ERR(device)) { + ret = PTR_ERR(device); +- else ++ } else { + *fs_devices_ret = device->fs_devices; ++ if (new_device_added) ++ btrfs_free_stale_devices(path, device); ++ } + mutex_unlock(&uuid_mutex); + + btrfs_release_disk_super(page); diff --git a/queue-4.18/btrfs-don-t-remove-block-group-that-still-has-pinned-down-bytes.patch b/queue-4.18/btrfs-don-t-remove-block-group-that-still-has-pinned-down-bytes.patch new file mode 100644 index 00000000000..b83357ca3f5 --- /dev/null +++ b/queue-4.18/btrfs-don-t-remove-block-group-that-still-has-pinned-down-bytes.patch @@ -0,0 +1,111 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Qu Wenruo +Date: Fri, 22 Jun 2018 12:35:00 +0800 +Subject: btrfs: Don't remove block group that still has pinned down bytes + +From: Qu Wenruo + +[ Upstream commit 43794446548730ac8461be30bbe47d5d027d1d16 ] + +[BUG] +Under certain KVM load and LTP tests, it is possible to hit the +following calltrace if quota is enabled: + +BTRFS critical (device vda2): unable to find logical 8820195328 length 4096 +BTRFS critical (device vda2): unable to find logical 8820195328 length 4096 + +WARNING: CPU: 0 PID: 49 at ../block/blk-core.c:172 blk_status_to_errno+0x1a/0x30 +CPU: 0 PID: 49 Comm: kworker/u2:1 Not tainted 4.12.14-15-default #1 SLE15 (unreleased) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 +Workqueue: btrfs-endio-write btrfs_endio_write_helper [btrfs] +task: ffff9f827b340bc0 task.stack: ffffb4f8c0304000 +RIP: 0010:blk_status_to_errno+0x1a/0x30 +Call Trace: + submit_extent_page+0x191/0x270 [btrfs] + ? btrfs_create_repair_bio+0x130/0x130 [btrfs] + __do_readpage+0x2d2/0x810 [btrfs] + ? btrfs_create_repair_bio+0x130/0x130 [btrfs] + ? run_one_async_done+0xc0/0xc0 [btrfs] + __extent_read_full_page+0xe7/0x100 [btrfs] + ? run_one_async_done+0xc0/0xc0 [btrfs] + read_extent_buffer_pages+0x1ab/0x2d0 [btrfs] + ? run_one_async_done+0xc0/0xc0 [btrfs] + btree_read_extent_buffer_pages+0x94/0xf0 [btrfs] + read_tree_block+0x31/0x60 [btrfs] + read_block_for_search.isra.35+0xf0/0x2e0 [btrfs] + btrfs_search_slot+0x46b/0xa00 [btrfs] + ? kmem_cache_alloc+0x1a8/0x510 + ? btrfs_get_token_32+0x5b/0x120 [btrfs] + find_parent_nodes+0x11d/0xeb0 [btrfs] + ? leaf_space_used+0xb8/0xd0 [btrfs] + ? btrfs_leaf_free_space+0x49/0x90 [btrfs] + ? btrfs_find_all_roots_safe+0x93/0x100 [btrfs] + btrfs_find_all_roots_safe+0x93/0x100 [btrfs] + btrfs_find_all_roots+0x45/0x60 [btrfs] + btrfs_qgroup_trace_extent_post+0x20/0x40 [btrfs] + btrfs_add_delayed_data_ref+0x1a3/0x1d0 [btrfs] + btrfs_alloc_reserved_file_extent+0x38/0x40 [btrfs] + insert_reserved_file_extent.constprop.71+0x289/0x2e0 [btrfs] + btrfs_finish_ordered_io+0x2f4/0x7f0 [btrfs] + ? pick_next_task_fair+0x2cd/0x530 + ? __switch_to+0x92/0x4b0 + btrfs_worker_helper+0x81/0x300 [btrfs] + process_one_work+0x1da/0x3f0 + worker_thread+0x2b/0x3f0 + ? process_one_work+0x3f0/0x3f0 + kthread+0x11a/0x130 + ? kthread_create_on_node+0x40/0x40 + ret_from_fork+0x35/0x40 + +BTRFS critical (device vda2): unable to find logical 8820195328 length 16384 +BTRFS: error (device vda2) in btrfs_finish_ordered_io:3023: errno=-5 IO failure +BTRFS info (device vda2): forced readonly +BTRFS error (device vda2): pending csums is 2887680 + +[CAUSE] +It's caused by race with block group auto removal: + +- There is a meta block group X, which has only one tree block + The tree block belongs to fs tree 257. +- In current transaction, some operation modified fs tree 257 + The tree block gets COWed, so the block group X is empty, and marked + as unused, queued to be deleted. +- Some workload (like fsync) wakes up cleaner_kthread() + Which will call btrfs_delete_unused_bgs() to remove unused block + groups. + So block group X along its chunk map get removed. +- Some delalloc work finished for fs tree 257 + Quota needs to get the original reference of the extent, which will + read tree blocks of commit root of 257. + Then since the chunk map gets removed, the above warning gets + triggered. + +[FIX] +Just let btrfs_delete_unused_bgs() skip block group which still has +pinned bytes. + +However there is a minor side effect: currently we only queue empty +blocks at update_block_group(), and such empty block group with pinned +bytes won't go through update_block_group() again, such block group +won't be removed, until it gets new extent allocated and removed. + +Signed-off-by: Qu Wenruo +Reviewed-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent-tree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -10687,7 +10687,7 @@ void btrfs_delete_unused_bgs(struct btrf + /* Don't want to race with allocators so take the groups_sem */ + down_write(&space_info->groups_sem); + spin_lock(&block_group->lock); +- if (block_group->reserved || ++ if (block_group->reserved || block_group->pinned || + btrfs_block_group_used(&block_group->item) || + block_group->ro || + list_is_singular(&block_group->list)) { diff --git a/queue-4.18/btrfs-exit-gracefully-when-chunk-map-cannot-be-inserted-to-the-tree.patch b/queue-4.18/btrfs-exit-gracefully-when-chunk-map-cannot-be-inserted-to-the-tree.patch new file mode 100644 index 00000000000..7a3e7dd254e --- /dev/null +++ b/queue-4.18/btrfs-exit-gracefully-when-chunk-map-cannot-be-inserted-to-the-tree.patch @@ -0,0 +1,48 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Qu Wenruo +Date: Wed, 1 Aug 2018 10:37:20 +0800 +Subject: btrfs: Exit gracefully when chunk map cannot be inserted to the tree + +From: Qu Wenruo + +[ Upstream commit 64f64f43c89aca1782aa672e0586f6903c5d8979 ] + +It's entirely possible that a crafted btrfs image contains overlapping +chunks. + +Although we can't detect such problem by tree-checker, it's not a +catastrophic problem, current extent map can already detect such problem +and return -EEXIST. + +We just only need to exit gracefully and fail the mount. + +Reported-by: Xu Wen +Link: https://bugzilla.kernel.org/show_bug.cgi?id=200409 +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -6563,10 +6563,14 @@ static int read_one_chunk(struct btrfs_f + write_lock(&map_tree->map_tree.lock); + ret = add_extent_mapping(&map_tree->map_tree, em, 0); + write_unlock(&map_tree->map_tree.lock); +- BUG_ON(ret); /* Tree corruption */ ++ if (ret < 0) { ++ btrfs_err(fs_info, ++ "failed to add chunk map, start=%llu len=%llu: %d", ++ em->start, em->len, ret); ++ } + free_extent_map(em); + +- return 0; ++ return ret; + } + + static void fill_device_from_item(struct extent_buffer *leaf, diff --git a/queue-4.18/btrfs-extend-locked-section-when-adding-a-new-device-in-device_list_add.patch b/queue-4.18/btrfs-extend-locked-section-when-adding-a-new-device-in-device_list_add.patch new file mode 100644 index 00000000000..18f39719ce4 --- /dev/null +++ b/queue-4.18/btrfs-extend-locked-section-when-adding-a-new-device-in-device_list_add.patch @@ -0,0 +1,96 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Anand Jain +Date: Tue, 29 May 2018 14:10:20 +0800 +Subject: btrfs: extend locked section when adding a new device in device_list_add + +From: Anand Jain + +[ Upstream commit 9c6d173ea6e4c8c939ae6c257c7fc18f7b320316 ] + +Make sure the device_list_lock is held the whole time: + +* when the device is being looked up +* new device is initialized and put to the list +* the list counters are updated (fs_devices::opened, fs_devices::total_devices) + +Signed-off-by: Anand Jain +[ update changelog ] +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -765,21 +765,26 @@ static noinline struct btrfs_device *dev + if (IS_ERR(fs_devices)) + return ERR_CAST(fs_devices); + ++ mutex_lock(&fs_devices->device_list_mutex); + list_add(&fs_devices->fs_list, &fs_uuids); + + device = NULL; + } else { ++ mutex_lock(&fs_devices->device_list_mutex); + device = find_device(fs_devices, devid, + disk_super->dev_item.uuid); + } + + if (!device) { +- if (fs_devices->opened) ++ if (fs_devices->opened) { ++ mutex_unlock(&fs_devices->device_list_mutex); + return ERR_PTR(-EBUSY); ++ } + + device = btrfs_alloc_device(NULL, &devid, + disk_super->dev_item.uuid); + if (IS_ERR(device)) { ++ mutex_unlock(&fs_devices->device_list_mutex); + /* we can safely leave the fs_devices entry around */ + return device; + } +@@ -787,14 +792,13 @@ static noinline struct btrfs_device *dev + name = rcu_string_strdup(path, GFP_NOFS); + if (!name) { + btrfs_free_device(device); ++ mutex_unlock(&fs_devices->device_list_mutex); + return ERR_PTR(-ENOMEM); + } + rcu_assign_pointer(device->name, name); + +- mutex_lock(&fs_devices->device_list_mutex); + list_add_rcu(&device->dev_list, &fs_devices->devices); + fs_devices->num_devices++; +- mutex_unlock(&fs_devices->device_list_mutex); + + device->fs_devices = fs_devices; + *new_device_added = true; +@@ -841,12 +845,15 @@ static noinline struct btrfs_device *dev + * with larger generation number or the last-in if + * generation are equal. + */ ++ mutex_unlock(&fs_devices->device_list_mutex); + return ERR_PTR(-EEXIST); + } + + name = rcu_string_strdup(path, GFP_NOFS); +- if (!name) ++ if (!name) { ++ mutex_unlock(&fs_devices->device_list_mutex); + return ERR_PTR(-ENOMEM); ++ } + rcu_string_free(device->name); + rcu_assign_pointer(device->name, name); + if (test_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state)) { +@@ -866,6 +873,7 @@ static noinline struct btrfs_device *dev + + fs_devices->total_devices = btrfs_super_num_devices(disk_super); + ++ mutex_unlock(&fs_devices->device_list_mutex); + return device; + } + diff --git a/queue-4.18/btrfs-fix-a-c-compliance-issue.patch b/queue-4.18/btrfs-fix-a-c-compliance-issue.patch new file mode 100644 index 00000000000..796c6cdb364 --- /dev/null +++ b/queue-4.18/btrfs-fix-a-c-compliance-issue.patch @@ -0,0 +1,47 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Bart Van Assche +Date: Wed, 20 Jun 2018 10:03:33 -0700 +Subject: btrfs: Fix a C compliance issue + +From: Bart Van Assche + +[ Upstream commit edf57cbf2b030781885e339f32e35a470d2f8eba ] + +The C programming language does not allow to use preprocessor statements +inside macro arguments (pr_info() is defined as a macro). Hence rework +the pr_info() statement in btrfs_print_mod_info() such that it becomes +compliant. This patch allows tools like sparse to analyze the BTRFS +source code. + +Fixes: 62e855771dac ("btrfs: convert printk(KERN_* to use pr_* calls") +Signed-off-by: Bart Van Assche +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/super.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -2370,7 +2370,7 @@ static __cold void btrfs_interface_exit( + + static void __init btrfs_print_mod_info(void) + { +- pr_info("Btrfs loaded, crc32c=%s" ++ static const char options[] = "" + #ifdef CONFIG_BTRFS_DEBUG + ", debug=on" + #endif +@@ -2383,8 +2383,8 @@ static void __init btrfs_print_mod_info( + #ifdef CONFIG_BTRFS_FS_REF_VERIFY + ", ref-verify=on" + #endif +- "\n", +- crc32c_impl()); ++ ; ++ pr_info("Btrfs loaded, crc32c=%s%s\n", crc32c_impl(), options); + } + + static int __init init_btrfs_fs(void) diff --git a/queue-4.18/btrfs-fix-in-memory-value-of-total_devices-after-seed-device-deletion.patch b/queue-4.18/btrfs-fix-in-memory-value-of-total_devices-after-seed-device-deletion.patch new file mode 100644 index 00000000000..badd46b8610 --- /dev/null +++ b/queue-4.18/btrfs-fix-in-memory-value-of-total_devices-after-seed-device-deletion.patch @@ -0,0 +1,36 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Anand Jain +Date: Tue, 3 Jul 2018 17:07:23 +0800 +Subject: btrfs: fix in-memory value of total_devices after seed device deletion + +From: Anand Jain + +[ Upstream commit b4993e64f78a9605b45252fa9ba385c88a1f4ce9 ] + +In case of deleting the seed device the %cur_devices (seed) and the +%fs_devices (parent) are different. Now, as the parent +fs_devices::total_devices also maintains the total number of devices +including the seed device, so decrement its in-memory value for the +successful seed delete. We are already updating its corresponding +on-disk btrfs_super_block::number_devices value. + +Signed-off-by: Anand Jain +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -2029,6 +2029,9 @@ int btrfs_rm_device(struct btrfs_fs_info + + cur_devices->num_devices--; + cur_devices->total_devices--; ++ /* Update total_devices of the parent fs_devices if it's seed */ ++ if (cur_devices != fs_devices) ++ fs_devices->total_devices--; + + if (test_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state)) + cur_devices->missing_devices--; diff --git a/queue-4.18/btrfs-fix-mount-and-ioctl-device-scan-ioctl-race.patch b/queue-4.18/btrfs-fix-mount-and-ioctl-device-scan-ioctl-race.patch new file mode 100644 index 00000000000..5354b9284d8 --- /dev/null +++ b/queue-4.18/btrfs-fix-mount-and-ioctl-device-scan-ioctl-race.patch @@ -0,0 +1,81 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: David Sterba +Date: Tue, 19 Jun 2018 18:04:07 +0200 +Subject: btrfs: fix mount and ioctl device scan ioctl race + +From: David Sterba + +[ Upstream commit 81ffd56b5745355b70d54ca4e1bdd0d64a66ff9f ] + +Technically this extends the critical section covered by uuid_mutex to: + +- parse early mount options -- here we can call device scan on paths + that can be passed as 'device=/dev/...' + +- scan the device passed to mount + +- open the devices related to the fs_devices -- this increases + fs_devices::opened + +The race can happen when mount calls one of the scans and there's +another one called eg. by mkfs or 'btrfs dev scan': + +Mount Scan +----- ---- +scan_one_device (dev1, fsid1) + scan_one_device (dev2, fsid1) + add the device + free stale devices + fsid1 fs_devices::opened == 0 + find fsid1:dev1 + free fsid1:dev1 + if it's the last one, + free fs_devices of fsid1 + too + +open_devices (dev1, fsid1) + dev1 not found + +When fixed, the uuid mutex will make sure that mount will increase +fs_devices::opened and this will not be touched by the racing scan +ioctl. + +Reported-and-tested-by: syzbot+909a5177749d7990ffa4@syzkaller.appspotmail.com +Reported-and-tested-by: syzbot+ceb2606025ec1cc3479c@syzkaller.appspotmail.com +Reviewed-by: Anand Jain +Signed-off-by: David Sterba + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/super.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -1557,19 +1557,19 @@ static struct dentry *btrfs_mount_root(s + + mutex_lock(&uuid_mutex); + error = btrfs_parse_early_options(data, mode, fs_type, &fs_devices); +- mutex_unlock(&uuid_mutex); +- if (error) ++ if (error) { ++ mutex_unlock(&uuid_mutex); + goto error_fs_info; ++ } + +- mutex_lock(&uuid_mutex); + error = btrfs_scan_one_device(device_name, mode, fs_type, &fs_devices); +- mutex_unlock(&uuid_mutex); +- if (error) ++ if (error) { ++ mutex_unlock(&uuid_mutex); + goto error_fs_info; ++ } + + fs_info->fs_devices = fs_devices; + +- mutex_lock(&uuid_mutex); + error = btrfs_open_devices(fs_devices, mode, fs_type); + mutex_unlock(&uuid_mutex); + if (error) diff --git a/queue-4.18/btrfs-lift-uuid_mutex-to-callers-of-btrfs_open_devices.patch b/queue-4.18/btrfs-lift-uuid_mutex-to-callers-of-btrfs_open_devices.patch new file mode 100644 index 00000000000..0811757ecd3 --- /dev/null +++ b/queue-4.18/btrfs-lift-uuid_mutex-to-callers-of-btrfs_open_devices.patch @@ -0,0 +1,56 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: David Sterba +Date: Tue, 19 Jun 2018 17:09:47 +0200 +Subject: btrfs: lift uuid_mutex to callers of btrfs_open_devices + +From: David Sterba + +[ Upstream commit f5194e34cabaddd348a90f950e0a8188dd26cdc0 ] + +Prepartory work to fix race between mount and device scan. + +The callers will have to manage the critical section, eg. mount wants to +scan and then call btrfs_open_devices without the ioctl scan walking in +and modifying the fs devices in the meantime. + +Reviewed-by: Anand Jain +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/super.c | 2 ++ + fs/btrfs/volumes.c | 4 ++-- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -1565,7 +1565,9 @@ static struct dentry *btrfs_mount_root(s + goto error_fs_info; + } + ++ mutex_lock(&uuid_mutex); + error = btrfs_open_devices(fs_devices, mode, fs_type); ++ mutex_unlock(&uuid_mutex); + if (error) + goto error_fs_info; + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -1146,7 +1146,8 @@ int btrfs_open_devices(struct btrfs_fs_d + { + int ret; + +- mutex_lock(&uuid_mutex); ++ lockdep_assert_held(&uuid_mutex); ++ + mutex_lock(&fs_devices->device_list_mutex); + if (fs_devices->opened) { + fs_devices->opened++; +@@ -1156,7 +1157,6 @@ int btrfs_open_devices(struct btrfs_fs_d + ret = open_fs_devices(fs_devices, flags, holder); + } + mutex_unlock(&fs_devices->device_list_mutex); +- mutex_unlock(&uuid_mutex); + + return ret; + } diff --git a/queue-4.18/btrfs-lift-uuid_mutex-to-callers-of-btrfs_parse_early_options.patch b/queue-4.18/btrfs-lift-uuid_mutex-to-callers-of-btrfs_parse_early_options.patch new file mode 100644 index 00000000000..fd9b3b26f59 --- /dev/null +++ b/queue-4.18/btrfs-lift-uuid_mutex-to-callers-of-btrfs_parse_early_options.patch @@ -0,0 +1,55 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: David Sterba +Date: Tue, 19 Jun 2018 17:50:25 +0200 +Subject: btrfs: lift uuid_mutex to callers of btrfs_parse_early_options + +From: David Sterba + +[ Upstream commit 5139cff598d42b1e531f40c84691a7e945f04553 ] + +Prepartory work to fix race between mount and device scan. + +btrfs_parse_early_options calls the device scan from mount and we'll +need to let mount completely manage the critical section. + +Reviewed-by: Anand Jain +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/super.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -892,6 +892,8 @@ static int btrfs_parse_early_options(con + char *device_name, *opts, *orig, *p; + int error = 0; + ++ lockdep_assert_held(&uuid_mutex); ++ + if (!options) + return 0; + +@@ -917,10 +919,8 @@ static int btrfs_parse_early_options(con + error = -ENOMEM; + goto out; + } +- mutex_lock(&uuid_mutex); + error = btrfs_scan_one_device(device_name, + flags, holder, fs_devices); +- mutex_unlock(&uuid_mutex); + kfree(device_name); + if (error) + goto out; +@@ -1528,8 +1528,10 @@ static struct dentry *btrfs_mount_root(s + if (!(flags & SB_RDONLY)) + mode |= FMODE_WRITE; + ++ mutex_lock(&uuid_mutex); + error = btrfs_parse_early_options(data, mode, fs_type, + &fs_devices); ++ mutex_unlock(&uuid_mutex); + if (error) { + return ERR_PTR(error); + } diff --git a/queue-4.18/btrfs-lift-uuid_mutex-to-callers-of-btrfs_scan_one_device.patch b/queue-4.18/btrfs-lift-uuid_mutex-to-callers-of-btrfs_scan_one_device.patch new file mode 100644 index 00000000000..19b4592fad7 --- /dev/null +++ b/queue-4.18/btrfs-lift-uuid_mutex-to-callers-of-btrfs_scan_one_device.patch @@ -0,0 +1,97 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: David Sterba +Date: Tue, 19 Jun 2018 16:37:36 +0200 +Subject: btrfs: lift uuid_mutex to callers of btrfs_scan_one_device + +From: David Sterba + +[ Upstream commit 899f9307c33ce4758c30a076b10ed54d5c91c6e7 ] + +Prepartory work to fix race between mount and device scan. + +The callers will have to manage the critical section, eg. mount wants to +scan and then call btrfs_open_devices without the ioctl scan walking in +and modifying the fs devices in the meantime. + +Reviewed-by: Anand Jain +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/super.c | 12 +++++++++++- + fs/btrfs/volumes.c | 4 ++-- + 2 files changed, 13 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -917,8 +917,10 @@ static int btrfs_parse_early_options(con + error = -ENOMEM; + goto out; + } ++ mutex_lock(&uuid_mutex); + error = btrfs_scan_one_device(device_name, + flags, holder, fs_devices); ++ mutex_unlock(&uuid_mutex); + kfree(device_name); + if (error) + goto out; +@@ -1539,7 +1541,9 @@ static struct dentry *btrfs_mount_root(s + return ERR_PTR(error); + } + ++ mutex_lock(&uuid_mutex); + error = btrfs_scan_one_device(device_name, mode, fs_type, &fs_devices); ++ mutex_unlock(&uuid_mutex); + if (error) + goto error_sec_opts; + +@@ -2236,15 +2240,21 @@ static long btrfs_control_ioctl(struct f + + switch (cmd) { + case BTRFS_IOC_SCAN_DEV: ++ mutex_lock(&uuid_mutex); + ret = btrfs_scan_one_device(vol->name, FMODE_READ, + &btrfs_root_fs_type, &fs_devices); ++ mutex_unlock(&uuid_mutex); + break; + case BTRFS_IOC_DEVICES_READY: ++ mutex_lock(&uuid_mutex); + ret = btrfs_scan_one_device(vol->name, FMODE_READ, + &btrfs_root_fs_type, &fs_devices); +- if (ret) ++ if (ret) { ++ mutex_unlock(&uuid_mutex); + break; ++ } + ret = !(fs_devices->num_devices == fs_devices->total_devices); ++ mutex_unlock(&uuid_mutex); + break; + case BTRFS_IOC_GET_SUPPORTED_FEATURES: + ret = btrfs_ioctl_get_supported_features((void __user*)arg); +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -1241,6 +1241,8 @@ int btrfs_scan_one_device(const char *pa + int ret = 0; + u64 bytenr; + ++ lockdep_assert_held(&uuid_mutex); ++ + /* + * we would like to check all the supers, but that would make + * a btrfs mount succeed after a mkfs from a different FS. +@@ -1259,7 +1261,6 @@ int btrfs_scan_one_device(const char *pa + goto error_bdev_put; + } + +- mutex_lock(&uuid_mutex); + device = device_list_add(path, disk_super, &new_device_added); + if (IS_ERR(device)) { + ret = PTR_ERR(device); +@@ -1268,7 +1269,6 @@ int btrfs_scan_one_device(const char *pa + if (new_device_added) + btrfs_free_stale_devices(path, device); + } +- mutex_unlock(&uuid_mutex); + + btrfs_release_disk_super(page); + diff --git a/queue-4.18/btrfs-relocation-only-remove-reloc-rb_trees-if-reloc-control-has-been-initialized.patch b/queue-4.18/btrfs-relocation-only-remove-reloc-rb_trees-if-reloc-control-has-been-initialized.patch new file mode 100644 index 00000000000..b3b5e04a1f4 --- /dev/null +++ b/queue-4.18/btrfs-relocation-only-remove-reloc-rb_trees-if-reloc-control-has-been-initialized.patch @@ -0,0 +1,63 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Qu Wenruo +Date: Tue, 3 Jul 2018 17:10:07 +0800 +Subject: btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized + +From: Qu Wenruo + +[ Upstream commit 389305b2aa68723c754f88d9dbd268a400e10664 ] + +Invalid reloc tree can cause kernel NULL pointer dereference when btrfs +does some cleanup of the reloc roots. + +It turns out that fs_info::reloc_ctl can be NULL in +btrfs_recover_relocation() as we allocate relocation control after all +reloc roots have been verified. +So when we hit: note, we haven't called set_reloc_control() thus +fs_info::reloc_ctl is still NULL. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199833 +Reported-by: Xu Wen +Signed-off-by: Qu Wenruo +Tested-by: Gu Jinxiang +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/relocation.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -1321,18 +1321,19 @@ static void __del_reloc_root(struct btrf + struct mapping_node *node = NULL; + struct reloc_control *rc = fs_info->reloc_ctl; + +- spin_lock(&rc->reloc_root_tree.lock); +- rb_node = tree_search(&rc->reloc_root_tree.rb_root, +- root->node->start); +- if (rb_node) { +- node = rb_entry(rb_node, struct mapping_node, rb_node); +- rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root); ++ if (rc) { ++ spin_lock(&rc->reloc_root_tree.lock); ++ rb_node = tree_search(&rc->reloc_root_tree.rb_root, ++ root->node->start); ++ if (rb_node) { ++ node = rb_entry(rb_node, struct mapping_node, rb_node); ++ rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root); ++ } ++ spin_unlock(&rc->reloc_root_tree.lock); ++ if (!node) ++ return; ++ BUG_ON((struct btrfs_root *)node->data != root); + } +- spin_unlock(&rc->reloc_root_tree.lock); +- +- if (!node) +- return; +- BUG_ON((struct btrfs_root *)node->data != root); + + spin_lock(&fs_info->trans_lock); + list_del_init(&root->root_list); diff --git a/queue-4.18/btrfs-rename-local-devices-for-fs_devices-in-btrfs_free_stale_devices.patch b/queue-4.18/btrfs-rename-local-devices-for-fs_devices-in-btrfs_free_stale_devices.patch new file mode 100644 index 00000000000..b1e775f90d9 --- /dev/null +++ b/queue-4.18/btrfs-rename-local-devices-for-fs_devices-in-btrfs_free_stale_devices.patch @@ -0,0 +1,84 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Anand Jain +Date: Tue, 29 May 2018 15:33:08 +0800 +Subject: btrfs: rename local devices for fs_devices in btrfs_free_stale_devices( + +From: Anand Jain + +[ Upstream commit fa6d2ae540a200a17bb7ee769f9df22d411c9404 ] + +Over the years we named %fs_devices and %devices to represent the +struct btrfs_fs_devices and the struct btrfs_device. So follow the same +scheme here too. No functional changes. + +Signed-off-by: Anand Jain +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 35 +++++++++++++++++------------------ + 1 file changed, 17 insertions(+), 18 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -634,43 +634,42 @@ static void pending_bios_fn(struct btrfs + * devices. + */ + static void btrfs_free_stale_devices(const char *path, +- struct btrfs_device *skip_dev) ++ struct btrfs_device *skip_device) + { +- struct btrfs_fs_devices *fs_devs, *tmp_fs_devs; +- struct btrfs_device *dev, *tmp_dev; ++ struct btrfs_fs_devices *fs_devices, *tmp_fs_devices; ++ struct btrfs_device *device, *tmp_device; + +- list_for_each_entry_safe(fs_devs, tmp_fs_devs, &fs_uuids, fs_list) { +- +- if (fs_devs->opened) ++ list_for_each_entry_safe(fs_devices, tmp_fs_devices, &fs_uuids, fs_list) { ++ if (fs_devices->opened) + continue; + +- list_for_each_entry_safe(dev, tmp_dev, +- &fs_devs->devices, dev_list) { ++ list_for_each_entry_safe(device, tmp_device, ++ &fs_devices->devices, dev_list) { + int not_found = 0; + +- if (skip_dev && skip_dev == dev) ++ if (skip_device && skip_device == device) + continue; +- if (path && !dev->name) ++ if (path && !device->name) + continue; + + rcu_read_lock(); + if (path) +- not_found = strcmp(rcu_str_deref(dev->name), ++ not_found = strcmp(rcu_str_deref(device->name), + path); + rcu_read_unlock(); + if (not_found) + continue; + + /* delete the stale device */ +- if (fs_devs->num_devices == 1) { +- btrfs_sysfs_remove_fsid(fs_devs); +- list_del(&fs_devs->fs_list); +- free_fs_devices(fs_devs); ++ if (fs_devices->num_devices == 1) { ++ btrfs_sysfs_remove_fsid(fs_devices); ++ list_del(&fs_devices->fs_list); ++ free_fs_devices(fs_devices); + break; + } else { +- fs_devs->num_devices--; +- list_del(&dev->dev_list); +- btrfs_free_device(dev); ++ fs_devices->num_devices--; ++ list_del(&device->dev_list); ++ btrfs_free_device(device); + } + } + } diff --git a/queue-4.18/btrfs-reorder-initialization-before-the-mount-locks-uuid_mutex.patch b/queue-4.18/btrfs-reorder-initialization-before-the-mount-locks-uuid_mutex.patch new file mode 100644 index 00000000000..9b667de44de --- /dev/null +++ b/queue-4.18/btrfs-reorder-initialization-before-the-mount-locks-uuid_mutex.patch @@ -0,0 +1,85 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: David Sterba +Date: Tue, 19 Jun 2018 18:01:24 +0200 +Subject: btrfs: reorder initialization before the mount locks uuid_mutex + +From: David Sterba + +[ Upstream commit 399f7f4c42e8a58c8456264d5112287aefe44cf4 ] + +In preparation to take a big lock, move resource initialization before +the critical section. It's not obvious from the diff, the desired order +is: + +- initialize mount security options +- allocate temporary fs_info +- allocate superblock buffers + +Reviewed-by: Anand Jain +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/super.c | 30 ++++++++++++++---------------- + 1 file changed, 14 insertions(+), 16 deletions(-) + +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -1528,14 +1528,6 @@ static struct dentry *btrfs_mount_root(s + if (!(flags & SB_RDONLY)) + mode |= FMODE_WRITE; + +- mutex_lock(&uuid_mutex); +- error = btrfs_parse_early_options(data, mode, fs_type, +- &fs_devices); +- mutex_unlock(&uuid_mutex); +- if (error) { +- return ERR_PTR(error); +- } +- + security_init_mnt_opts(&new_sec_opts); + if (data) { + error = parse_security_options(data, &new_sec_opts); +@@ -1543,12 +1535,6 @@ static struct dentry *btrfs_mount_root(s + return ERR_PTR(error); + } + +- mutex_lock(&uuid_mutex); +- error = btrfs_scan_one_device(device_name, mode, fs_type, &fs_devices); +- mutex_unlock(&uuid_mutex); +- if (error) +- goto error_sec_opts; +- + /* + * Setup a dummy root and fs_info for test/set super. This is because + * we don't actually fill this stuff out until open_ctree, but we need +@@ -1561,8 +1547,6 @@ static struct dentry *btrfs_mount_root(s + goto error_sec_opts; + } + +- fs_info->fs_devices = fs_devices; +- + fs_info->super_copy = kzalloc(BTRFS_SUPER_INFO_SIZE, GFP_KERNEL); + fs_info->super_for_commit = kzalloc(BTRFS_SUPER_INFO_SIZE, GFP_KERNEL); + security_init_mnt_opts(&fs_info->security_opts); +@@ -1572,6 +1556,20 @@ static struct dentry *btrfs_mount_root(s + } + + mutex_lock(&uuid_mutex); ++ error = btrfs_parse_early_options(data, mode, fs_type, &fs_devices); ++ mutex_unlock(&uuid_mutex); ++ if (error) ++ goto error_fs_info; ++ ++ mutex_lock(&uuid_mutex); ++ error = btrfs_scan_one_device(device_name, mode, fs_type, &fs_devices); ++ mutex_unlock(&uuid_mutex); ++ if (error) ++ goto error_fs_info; ++ ++ fs_info->fs_devices = fs_devices; ++ ++ mutex_lock(&uuid_mutex); + error = btrfs_open_devices(fs_devices, mode, fs_type); + mutex_unlock(&uuid_mutex); + if (error) diff --git a/queue-4.18/btrfs-replace-reset-on-disk-dev-stats-value-after-replace.patch b/queue-4.18/btrfs-replace-reset-on-disk-dev-stats-value-after-replace.patch new file mode 100644 index 00000000000..b2ed5ef2219 --- /dev/null +++ b/queue-4.18/btrfs-replace-reset-on-disk-dev-stats-value-after-replace.patch @@ -0,0 +1,46 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Misono Tomohiro +Date: Tue, 31 Jul 2018 16:20:21 +0900 +Subject: btrfs: replace: Reset on-disk dev stats value after replace + +From: Misono Tomohiro + +[ Upstream commit 1e7e1f9e3aba00c9b9c323bfeeddafe69ff21ff6 ] + +on-disk devs stats value is updated in btrfs_run_dev_stats(), +which is called during commit transaction, if device->dev_stats_ccnt +is not zero. + +Since current replace operation does not touch dev_stats_ccnt, +on-disk dev stats value is not updated. Therefore "btrfs device stats" +may return old device's value after umount/mount +(Example: See "btrfs ins dump-t -t DEV $DEV" after btrfs/100 finish). + +Fix this by just incrementing dev_stats_ccnt in +btrfs_dev_replace_finishing() when replace is succeeded and this will +update the values. + +Signed-off-by: Misono Tomohiro +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/dev-replace.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/btrfs/dev-replace.c ++++ b/fs/btrfs/dev-replace.c +@@ -677,6 +677,12 @@ static int btrfs_dev_replace_finishing(s + btrfs_rm_dev_replace_unblocked(fs_info); + + /* ++ * Increment dev_stats_ccnt so that btrfs_run_dev_stats() will ++ * update on-disk dev stats value during commit transaction ++ */ ++ atomic_inc(&tgt_device->dev_stats_ccnt); ++ ++ /* + * this is again a consistent state where no dev_replace procedure + * is running, the target device is part of the filesystem, the + * source device is not part of the filesystem anymore and its 1st diff --git a/queue-4.18/btrfs-tree-checker-detect-invalid-and-empty-essential-trees.patch b/queue-4.18/btrfs-tree-checker-detect-invalid-and-empty-essential-trees.patch new file mode 100644 index 00000000000..d1551c98372 --- /dev/null +++ b/queue-4.18/btrfs-tree-checker-detect-invalid-and-empty-essential-trees.patch @@ -0,0 +1,70 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Qu Wenruo +Date: Tue, 3 Jul 2018 17:10:06 +0800 +Subject: btrfs: tree-checker: Detect invalid and empty essential trees + +From: Qu Wenruo + +[ Upstream commit ba480dd4db9f1798541eb2d1c423fc95feee8d36 ] + +A crafted image has empty root tree block, which will later cause NULL +pointer dereference. + +The following trees should never be empty: +1) Tree root + Must contain at least root items for extent tree, device tree and fs + tree + +2) Chunk tree + Or we can't even bootstrap as it contains the mapping. + +3) Fs tree + At least inode item for top level inode (.). + +4) Device tree + Dev extents for chunks + +5) Extent tree + Must have corresponding extent for each chunk. + +If any of them is empty, we are sure the fs is corrupted and no need to +mount it. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199847 +Reported-by: Xu Wen +Signed-off-by: Qu Wenruo +Tested-by: Gu Jinxiang +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-checker.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -396,9 +396,22 @@ static int check_leaf(struct btrfs_fs_in + * skip this check for relocation trees. + */ + if (nritems == 0 && !btrfs_header_flag(leaf, BTRFS_HEADER_FLAG_RELOC)) { ++ u64 owner = btrfs_header_owner(leaf); + struct btrfs_root *check_root; + +- key.objectid = btrfs_header_owner(leaf); ++ /* These trees must never be empty */ ++ if (owner == BTRFS_ROOT_TREE_OBJECTID || ++ owner == BTRFS_CHUNK_TREE_OBJECTID || ++ owner == BTRFS_EXTENT_TREE_OBJECTID || ++ owner == BTRFS_DEV_TREE_OBJECTID || ++ owner == BTRFS_FS_TREE_OBJECTID || ++ owner == BTRFS_DATA_RELOC_TREE_OBJECTID) { ++ generic_err(fs_info, leaf, 0, ++ "invalid root, root %llu must never be empty", ++ owner); ++ return -EUCLEAN; ++ } ++ key.objectid = owner; + key.type = BTRFS_ROOT_ITEM_KEY; + key.offset = (u64)-1; + diff --git a/queue-4.18/btrfs-use-device_list_mutex-when-removing-stale-devices.patch b/queue-4.18/btrfs-use-device_list_mutex-when-removing-stale-devices.patch new file mode 100644 index 00000000000..61a897e7818 --- /dev/null +++ b/queue-4.18/btrfs-use-device_list_mutex-when-removing-stale-devices.patch @@ -0,0 +1,65 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Anand Jain +Date: Tue, 29 May 2018 17:23:20 +0800 +Subject: btrfs: use device_list_mutex when removing stale devices + +From: Anand Jain + +[ Upstream commit 7bcb8164ad9435068d9bc3b83b8a002c64d63ff6 ] + +btrfs_free_stale_devices() finds a stale (not opened) device matching +path in the fs_uuid list. We are already under uuid_mutex so when we +check for each fs_devices, hold the device_list_mutex too. + +Signed-off-by: Anand Jain +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 25 +++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -640,8 +640,11 @@ static void btrfs_free_stale_devices(con + struct btrfs_device *device, *tmp_device; + + list_for_each_entry_safe(fs_devices, tmp_fs_devices, &fs_uuids, fs_list) { +- if (fs_devices->opened) ++ mutex_lock(&fs_devices->device_list_mutex); ++ if (fs_devices->opened) { ++ mutex_unlock(&fs_devices->device_list_mutex); + continue; ++ } + + list_for_each_entry_safe(device, tmp_device, + &fs_devices->devices, dev_list) { +@@ -661,16 +664,18 @@ static void btrfs_free_stale_devices(con + continue; + + /* delete the stale device */ +- if (fs_devices->num_devices == 1) { +- btrfs_sysfs_remove_fsid(fs_devices); +- list_del(&fs_devices->fs_list); +- free_fs_devices(fs_devices); ++ fs_devices->num_devices--; ++ list_del(&device->dev_list); ++ btrfs_free_device(device); ++ ++ if (fs_devices->num_devices == 0) + break; +- } else { +- fs_devices->num_devices--; +- list_del(&device->dev_list); +- btrfs_free_device(device); +- } ++ } ++ mutex_unlock(&fs_devices->device_list_mutex); ++ if (fs_devices->num_devices == 0) { ++ btrfs_sysfs_remove_fsid(fs_devices); ++ list_del(&fs_devices->fs_list); ++ free_fs_devices(fs_devices); + } + } + } diff --git a/queue-4.18/cfq-suppress-compiler-warnings-about-comparisons.patch b/queue-4.18/cfq-suppress-compiler-warnings-about-comparisons.patch new file mode 100644 index 00000000000..f07e8f48dc3 --- /dev/null +++ b/queue-4.18/cfq-suppress-compiler-warnings-about-comparisons.patch @@ -0,0 +1,103 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Bart Van Assche +Date: Tue, 7 Aug 2018 16:17:29 -0700 +Subject: cfq: Suppress compiler warnings about comparisons + +From: Bart Van Assche + +[ Upstream commit f7ecb1b109da1006a08d5675debe60990e824432 ] + +This patch does not change any functionality but avoids that gcc +reports the following warnings when building with W=1: + +block/cfq-iosched.c: In function ?cfq_back_seek_max_store?: +block/cfq-iosched.c:4741:13: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits] + if (__data < (MIN)) \ + ^ +block/cfq-iosched.c:4756:1: note: in expansion of macro ?STORE_FUNCTION? + STORE_FUNCTION(cfq_back_seek_max_store, &cfqd->cfq_back_max, 0, UINT_MAX, 0); + ^~~~~~~~~~~~~~ +block/cfq-iosched.c: In function ?cfq_slice_idle_store?: +block/cfq-iosched.c:4741:13: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits] + if (__data < (MIN)) \ + ^ +block/cfq-iosched.c:4759:1: note: in expansion of macro ?STORE_FUNCTION? + STORE_FUNCTION(cfq_slice_idle_store, &cfqd->cfq_slice_idle, 0, UINT_MAX, 1); + ^~~~~~~~~~~~~~ +block/cfq-iosched.c: In function ?cfq_group_idle_store?: +block/cfq-iosched.c:4741:13: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits] + if (__data < (MIN)) \ + ^ +block/cfq-iosched.c:4760:1: note: in expansion of macro ?STORE_FUNCTION? + STORE_FUNCTION(cfq_group_idle_store, &cfqd->cfq_group_idle, 0, UINT_MAX, 1); + ^~~~~~~~~~~~~~ +block/cfq-iosched.c: In function ?cfq_low_latency_store?: +block/cfq-iosched.c:4741:13: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits] + if (__data < (MIN)) \ + ^ +block/cfq-iosched.c:4765:1: note: in expansion of macro ?STORE_FUNCTION? + STORE_FUNCTION(cfq_low_latency_store, &cfqd->cfq_latency, 0, 1, 0); + ^~~~~~~~~~~~~~ +block/cfq-iosched.c: In function ?cfq_slice_idle_us_store?: +block/cfq-iosched.c:4775:13: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits] + if (__data < (MIN)) \ + ^ +block/cfq-iosched.c:4782:1: note: in expansion of macro ?USEC_STORE_FUNCTION? + USEC_STORE_FUNCTION(cfq_slice_idle_us_store, &cfqd->cfq_slice_idle, 0, UINT_MAX); + ^~~~~~~~~~~~~~~~~~~ +block/cfq-iosched.c: In function ?cfq_group_idle_us_store?: +block/cfq-iosched.c:4775:13: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits] + if (__data < (MIN)) \ + ^ +block/cfq-iosched.c:4783:1: note: in expansion of macro ?USEC_STORE_FUNCTION? + USEC_STORE_FUNCTION(cfq_group_idle_us_store, &cfqd->cfq_group_idle, 0, UINT_MAX); + ^~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Bart Van Assche +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/cfq-iosched.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +--- a/block/cfq-iosched.c ++++ b/block/cfq-iosched.c +@@ -4735,12 +4735,13 @@ USEC_SHOW_FUNCTION(cfq_target_latency_us + static ssize_t __FUNC(struct elevator_queue *e, const char *page, size_t count) \ + { \ + struct cfq_data *cfqd = e->elevator_data; \ +- unsigned int __data; \ ++ unsigned int __data, __min = (MIN), __max = (MAX); \ ++ \ + cfq_var_store(&__data, (page)); \ +- if (__data < (MIN)) \ +- __data = (MIN); \ +- else if (__data > (MAX)) \ +- __data = (MAX); \ ++ if (__data < __min) \ ++ __data = __min; \ ++ else if (__data > __max) \ ++ __data = __max; \ + if (__CONV) \ + *(__PTR) = (u64)__data * NSEC_PER_MSEC; \ + else \ +@@ -4769,12 +4770,13 @@ STORE_FUNCTION(cfq_target_latency_store, + static ssize_t __FUNC(struct elevator_queue *e, const char *page, size_t count) \ + { \ + struct cfq_data *cfqd = e->elevator_data; \ +- unsigned int __data; \ ++ unsigned int __data, __min = (MIN), __max = (MAX); \ ++ \ + cfq_var_store(&__data, (page)); \ +- if (__data < (MIN)) \ +- __data = (MIN); \ +- else if (__data > (MAX)) \ +- __data = (MAX); \ ++ if (__data < __min) \ ++ __data = __min; \ ++ else if (__data > __max) \ ++ __data = __max; \ + *(__PTR) = (u64)__data * NSEC_PER_USEC; \ + return count; \ + } diff --git a/queue-4.18/cifs-check-if-smb2-pdu-size-has-been-padded-and-suppress-the-warning.patch b/queue-4.18/cifs-check-if-smb2-pdu-size-has-been-padded-and-suppress-the-warning.patch new file mode 100644 index 00000000000..6e4b6a38cfc --- /dev/null +++ b/queue-4.18/cifs-check-if-smb2-pdu-size-has-been-padded-and-suppress-the-warning.patch @@ -0,0 +1,42 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Ronnie Sahlberg +Date: Wed, 22 Aug 2018 12:19:24 +1000 +Subject: cifs: check if SMB2 PDU size has been padded and suppress the warning + +From: Ronnie Sahlberg + +[ Upstream commit e6c47dd0da1e3a484e778046fc10da0b20606a86 ] + +Some SMB2/3 servers, Win2016 but possibly others too, adds padding +not only between PDUs in a compound but also to the final PDU. +This padding extends the PDU to a multiple of 8 bytes. + +Check if the unexpected length looks like this might be the case +and avoid triggering the log messages for : + + "SMB2 server sent bad RFC1001 len %d not %d\n" + +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2misc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -241,6 +241,13 @@ smb2_check_message(char *buf, unsigned i + return 0; + + /* ++ * Some windows servers (win2016) will pad also the final ++ * PDU in a compound to 8 bytes. ++ */ ++ if (((clc_len + 7) & ~7) == len) ++ return 0; ++ ++ /* + * MacOS server pads after SMB2.1 write response with 3 bytes + * of junk. Other servers match RFC1001 len to actual + * SMB2/SMB3 frame length (header + smb2 response specific data) diff --git a/queue-4.18/cifs-fix-memory-leak-and-remove-dead-code.patch b/queue-4.18/cifs-fix-memory-leak-and-remove-dead-code.patch new file mode 100644 index 00000000000..4d1138d057c --- /dev/null +++ b/queue-4.18/cifs-fix-memory-leak-and-remove-dead-code.patch @@ -0,0 +1,197 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Aurelien Aptel +Date: Tue, 19 Jun 2018 15:18:48 -0700 +Subject: CIFS: fix memory leak and remove dead code + +From: Aurelien Aptel + +[ Upstream commit 256b4c3f03d77d8c0dc69e3a6ceb3afd0d1810bd ] + +also fixes error code in smb311_posix_mkdir() (where +the error assignment needs to go before the goto) +a typo that Dan Carpenter and Paulo and Gustavo +pointed out. + +Signed-off-by: Aurelien Aptel +Signed-off-by: Dan Carpenter +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Paulo Alcantara +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2pdu.c | 101 ++++++++++++++++++++++++++---------------------------- + 1 file changed, 50 insertions(+), 51 deletions(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -1928,7 +1928,7 @@ int smb311_posix_mkdir(const unsigned in + { + struct smb_rqst rqst; + struct smb2_create_req *req; +- struct smb2_create_rsp *rsp; ++ struct smb2_create_rsp *rsp = NULL; + struct TCP_Server_Info *server; + struct cifs_ses *ses = tcon->ses; + struct kvec iov[3]; /* make sure at least one for each open context */ +@@ -1943,27 +1943,31 @@ int smb311_posix_mkdir(const unsigned in + char *pc_buf = NULL; + int flags = 0; + unsigned int total_len; +- __le16 *path = cifs_convert_path_to_utf16(full_path, cifs_sb); +- +- if (!path) +- return -ENOMEM; ++ __le16 *utf16_path = NULL; + + cifs_dbg(FYI, "mkdir\n"); + ++ /* resource #1: path allocation */ ++ utf16_path = cifs_convert_path_to_utf16(full_path, cifs_sb); ++ if (!utf16_path) ++ return -ENOMEM; ++ + if (ses && (ses->server)) + server = ses->server; +- else +- return -EIO; ++ else { ++ rc = -EIO; ++ goto err_free_path; ++ } + ++ /* resource #2: request */ + rc = smb2_plain_req_init(SMB2_CREATE, tcon, (void **) &req, &total_len); +- + if (rc) +- return rc; ++ goto err_free_path; ++ + + if (smb3_encryption_required(tcon)) + flags |= CIFS_TRANSFORM_REQ; + +- + req->ImpersonationLevel = IL_IMPERSONATION; + req->DesiredAccess = cpu_to_le32(FILE_WRITE_ATTRIBUTES); + /* File attributes ignored on open (used in create though) */ +@@ -1992,50 +1996,44 @@ int smb311_posix_mkdir(const unsigned in + req->sync_hdr.Flags |= SMB2_FLAGS_DFS_OPERATIONS; + rc = alloc_path_with_tree_prefix(©_path, ©_size, + &name_len, +- tcon->treeName, path); +- if (rc) { +- cifs_small_buf_release(req); +- return rc; +- } ++ tcon->treeName, utf16_path); ++ if (rc) ++ goto err_free_req; ++ + req->NameLength = cpu_to_le16(name_len * 2); + uni_path_len = copy_size; +- path = copy_path; ++ /* free before overwriting resource */ ++ kfree(utf16_path); ++ utf16_path = copy_path; + } else { +- uni_path_len = (2 * UniStrnlen((wchar_t *)path, PATH_MAX)) + 2; ++ uni_path_len = (2 * UniStrnlen((wchar_t *)utf16_path, PATH_MAX)) + 2; + /* MUST set path len (NameLength) to 0 opening root of share */ + req->NameLength = cpu_to_le16(uni_path_len - 2); + if (uni_path_len % 8 != 0) { + copy_size = roundup(uni_path_len, 8); + copy_path = kzalloc(copy_size, GFP_KERNEL); + if (!copy_path) { +- cifs_small_buf_release(req); +- return -ENOMEM; ++ rc = -ENOMEM; ++ goto err_free_req; + } +- memcpy((char *)copy_path, (const char *)path, ++ memcpy((char *)copy_path, (const char *)utf16_path, + uni_path_len); + uni_path_len = copy_size; +- path = copy_path; ++ /* free before overwriting resource */ ++ kfree(utf16_path); ++ utf16_path = copy_path; + } + } + + iov[1].iov_len = uni_path_len; +- iov[1].iov_base = path; ++ iov[1].iov_base = utf16_path; + req->RequestedOplockLevel = SMB2_OPLOCK_LEVEL_NONE; + + if (tcon->posix_extensions) { +- if (n_iov > 2) { +- struct create_context *ccontext = +- (struct create_context *)iov[n_iov-1].iov_base; +- ccontext->Next = +- cpu_to_le32(iov[n_iov-1].iov_len); +- } +- ++ /* resource #3: posix buf */ + rc = add_posix_context(iov, &n_iov, mode); +- if (rc) { +- cifs_small_buf_release(req); +- kfree(copy_path); +- return rc; +- } ++ if (rc) ++ goto err_free_req; + pc_buf = iov[n_iov-1].iov_base; + } + +@@ -2044,32 +2042,33 @@ int smb311_posix_mkdir(const unsigned in + rqst.rq_iov = iov; + rqst.rq_nvec = n_iov; + +- rc = cifs_send_recv(xid, ses, &rqst, &resp_buftype, flags, +- &rsp_iov); +- +- cifs_small_buf_release(req); +- rsp = (struct smb2_create_rsp *)rsp_iov.iov_base; +- +- if (rc != 0) { ++ /* resource #4: response buffer */ ++ rc = cifs_send_recv(xid, ses, &rqst, &resp_buftype, flags, &rsp_iov); ++ if (rc) { + cifs_stats_fail_inc(tcon, SMB2_CREATE_HE); + trace_smb3_posix_mkdir_err(xid, tcon->tid, ses->Suid, +- CREATE_NOT_FILE, FILE_WRITE_ATTRIBUTES, rc); +- goto smb311_mkdir_exit; +- } else +- trace_smb3_posix_mkdir_done(xid, rsp->PersistentFileId, tcon->tid, +- ses->Suid, CREATE_NOT_FILE, +- FILE_WRITE_ATTRIBUTES); ++ CREATE_NOT_FILE, ++ FILE_WRITE_ATTRIBUTES, rc); ++ goto err_free_rsp_buf; ++ } ++ ++ rsp = (struct smb2_create_rsp *)rsp_iov.iov_base; ++ trace_smb3_posix_mkdir_done(xid, rsp->PersistentFileId, tcon->tid, ++ ses->Suid, CREATE_NOT_FILE, ++ FILE_WRITE_ATTRIBUTES); + + SMB2_close(xid, tcon, rsp->PersistentFileId, rsp->VolatileFileId); + + /* Eventually save off posix specific response info and timestaps */ + +-smb311_mkdir_exit: +- kfree(copy_path); +- kfree(pc_buf); ++err_free_rsp_buf: + free_rsp_buf(resp_buftype, rsp); ++ kfree(pc_buf); ++err_free_req: ++ cifs_small_buf_release(req); ++err_free_path: ++ kfree(utf16_path); + return rc; +- + } + #endif /* SMB311 */ + diff --git a/queue-4.18/clk-rockchip-add-pclk_rkpwm_pmu-to-pmu-critical-clocks-in-rk3399.patch b/queue-4.18/clk-rockchip-add-pclk_rkpwm_pmu-to-pmu-critical-clocks-in-rk3399.patch new file mode 100644 index 00000000000..55970575108 --- /dev/null +++ b/queue-4.18/clk-rockchip-add-pclk_rkpwm_pmu-to-pmu-critical-clocks-in-rk3399.patch @@ -0,0 +1,42 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Levin Du +Date: Sat, 4 Aug 2018 15:31:02 +0800 +Subject: clk: rockchip: Add pclk_rkpwm_pmu to PMU critical clocks in rk3399 + +From: Levin Du + +[ Upstream commit 640332d1a089909df08bc9f3e42888a2019c66e2 ] + +PWM2 is commonly used to control voltage of PWM regulator of VDD_LOG in +RK3399. On the Firefly-RK3399 board, PWM2 outputs 40 KHz square wave +from power on and the VDD_LOG is about 0.9V. When the kernel boots +normally into the system, the PWM2 keeps outputing PWM signal. + +But the kernel hangs randomly after "Starting kernel ..." line on that +board. When it happens, PWM2 outputs high level which causes VDD_LOG +drops to 0.4V below the normal operating voltage. + +By adding "pclk_rkpwm_pmu" to the rk3399_pmucru_critical_clocks array, +PWM clock is ensured to be prepared at startup and the PWM2 output is +normal. After repeated tests, the early boot hang is gone. + +This patch works on both Firefly-RK3399 and ROC-RK3399-PC boards. + +Signed-off-by: Levin Du +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/rockchip/clk-rk3399.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/clk/rockchip/clk-rk3399.c ++++ b/drivers/clk/rockchip/clk-rk3399.c +@@ -1523,6 +1523,7 @@ static const char *const rk3399_pmucru_c + "pclk_pmu_src", + "fclk_cm0s_src_pmu", + "clk_timer_src_pmu", ++ "pclk_rkpwm_pmu", + }; + + static void __init rk3399_clk_init(struct device_node *np) diff --git a/queue-4.18/coccicheck-return-proper-error-code-on-fail.patch b/queue-4.18/coccicheck-return-proper-error-code-on-fail.patch new file mode 100644 index 00000000000..502584a117c --- /dev/null +++ b/queue-4.18/coccicheck-return-proper-error-code-on-fail.patch @@ -0,0 +1,41 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Denis Efremov +Date: Fri, 10 Aug 2018 23:25:55 +0300 +Subject: coccicheck: return proper error code on fail + +From: Denis Efremov + +[ Upstream commit 512ddf7d7db056edfed3159ea7cb4e4a5eefddd4 ] + +If coccicheck fails, it should return an error code distinct from zero +to signal about an internal problem. Current code instead of exiting with +the tool's error code returns the error code of 'echo "coccicheck failed"' +which is almost always equals to zero, thus failing the original intention +of alerting about a problem. This patch fixes the code. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Denis Efremov +Acked-by: Julia Lawall +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + scripts/coccicheck | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/scripts/coccicheck ++++ b/scripts/coccicheck +@@ -128,9 +128,10 @@ run_cmd_parmap() { + fi + echo $@ >>$DEBUG_FILE + $@ 2>>$DEBUG_FILE +- if [[ $? -ne 0 ]]; then ++ err=$? ++ if [[ $err -ne 0 ]]; then + echo "coccicheck failed" +- exit $? ++ exit $err + fi + } + diff --git a/queue-4.18/dm-kcopyd-avoid-softlockup-in-run_complete_job.patch b/queue-4.18/dm-kcopyd-avoid-softlockup-in-run_complete_job.patch new file mode 100644 index 00000000000..f48b36c3616 --- /dev/null +++ b/queue-4.18/dm-kcopyd-avoid-softlockup-in-run_complete_job.patch @@ -0,0 +1,54 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: John Pittman +Date: Mon, 6 Aug 2018 15:53:12 -0400 +Subject: dm kcopyd: avoid softlockup in run_complete_job + +From: John Pittman + +[ Upstream commit 784c9a29e99eb40b842c29ecf1cc3a79e00fb629 ] + +It was reported that softlockups occur when using dm-snapshot ontop of +slow (rbd) storage. E.g.: + +[ 4047.990647] watchdog: BUG: soft lockup - CPU#10 stuck for 22s! [kworker/10:23:26177] +... +[ 4048.034151] Workqueue: kcopyd do_work [dm_mod] +[ 4048.034156] RIP: 0010:copy_callback+0x41/0x160 [dm_snapshot] +... +[ 4048.034190] Call Trace: +[ 4048.034196] ? __chunk_is_tracked+0x70/0x70 [dm_snapshot] +[ 4048.034200] run_complete_job+0x5f/0xb0 [dm_mod] +[ 4048.034205] process_jobs+0x91/0x220 [dm_mod] +[ 4048.034210] ? kcopyd_put_pages+0x40/0x40 [dm_mod] +[ 4048.034214] do_work+0x46/0xa0 [dm_mod] +[ 4048.034219] process_one_work+0x171/0x370 +[ 4048.034221] worker_thread+0x1fc/0x3f0 +[ 4048.034224] kthread+0xf8/0x130 +[ 4048.034226] ? max_active_store+0x80/0x80 +[ 4048.034227] ? kthread_bind+0x10/0x10 +[ 4048.034231] ret_from_fork+0x35/0x40 +[ 4048.034233] Kernel panic - not syncing: softlockup: hung tasks + +Fix this by calling cond_resched() after run_complete_job()'s callout to +the dm_kcopyd_notify_fn (which is dm-snap.c:copy_callback in the above +trace). + +Signed-off-by: John Pittman +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-kcopyd.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/md/dm-kcopyd.c ++++ b/drivers/md/dm-kcopyd.c +@@ -487,6 +487,8 @@ static int run_complete_job(struct kcopy + if (atomic_dec_and_test(&kc->nr_jobs)) + wake_up(&kc->destroyq); + ++ cond_resched(); ++ + return 0; + } + diff --git a/queue-4.18/drm-amd-display-guard-against-null-crtc-in-crc-irq.patch b/queue-4.18/drm-amd-display-guard-against-null-crtc-in-crc-irq.patch new file mode 100644 index 00000000000..f78522b6b99 --- /dev/null +++ b/queue-4.18/drm-amd-display-guard-against-null-crtc-in-crc-irq.patch @@ -0,0 +1,51 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Nicholas Kazlauskas +Date: Fri, 3 Aug 2018 10:40:20 -0400 +Subject: drm/amd/display: Guard against null crtc in CRC IRQ + +From: Nicholas Kazlauskas + +[ Upstream commit dddc0557e3a02499ce336b1e2e67f5afaecccc80 ] + +[Why] + +A null pointer deference can occur if crtc is null in +amdgpu_dm_crtc_handle_crc_irq. This can happen if get_crtc_by_otg_inst +returns NULL during dm_crtc_high_irq, leading to a hang in some IGT +test cases. + +[How] + +Check that CRTC is non-null before accessing its fields. + +Signed-off-by: Nicholas Kazlauskas +Reviewed-by: Sun peng Li +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c +@@ -98,10 +98,16 @@ int amdgpu_dm_crtc_set_crc_source(struct + */ + void amdgpu_dm_crtc_handle_crc_irq(struct drm_crtc *crtc) + { +- struct dm_crtc_state *crtc_state = to_dm_crtc_state(crtc->state); +- struct dc_stream_state *stream_state = crtc_state->stream; ++ struct dm_crtc_state *crtc_state; ++ struct dc_stream_state *stream_state; + uint32_t crcs[3]; + ++ if (crtc == NULL) ++ return; ++ ++ crtc_state = to_dm_crtc_state(crtc->state); ++ stream_state = crtc_state->stream; ++ + /* Early return if CRC capture is not enabled. */ + if (!crtc_state->crc_enabled) + return; diff --git a/queue-4.18/drm-amd-display-read-back-max-backlight-value-at-boot.patch b/queue-4.18/drm-amd-display-read-back-max-backlight-value-at-boot.patch new file mode 100644 index 00000000000..c2cd809f486 --- /dev/null +++ b/queue-4.18/drm-amd-display-read-back-max-backlight-value-at-boot.patch @@ -0,0 +1,39 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: David Francis +Date: Wed, 18 Jul 2018 16:03:30 -0400 +Subject: drm/amd/display: Read back max backlight value at boot + +From: David Francis + +[ Upstream commit 53a53f8687faf492df2644d8c18ff0217fc18730 ] + +[Why] +If there is no program explicitly setting the backlight +brightness (for example, during a minimal install of linux), the +hardware defaults to maximum brightness but the backlight_device +defaults to 0 value. Thus, settings displays the wrong brightness +value. + +[How] +When creating the backlight device, set brightness to max + +Signed-off-by: David Francis +Reviewed-by: Harry Wentland +Acked-by: Bhawanpreet Lakha +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -1334,6 +1334,7 @@ amdgpu_dm_register_backlight_device(stru + struct backlight_properties props = { 0 }; + + props.max_brightness = AMDGPU_MAX_BL_LEVEL; ++ props.brightness = AMDGPU_MAX_BL_LEVEL; + props.type = BACKLIGHT_RAW; + + snprintf(bl_name, sizeof(bl_name), "amdgpu_bl%d", diff --git a/queue-4.18/drm-etnaviv-fix-crash-in-gpu-suspend-when-init-failed-due-to-buffer-placement.patch b/queue-4.18/drm-etnaviv-fix-crash-in-gpu-suspend-when-init-failed-due-to-buffer-placement.patch new file mode 100644 index 00000000000..17f7970024e --- /dev/null +++ b/queue-4.18/drm-etnaviv-fix-crash-in-gpu-suspend-when-init-failed-due-to-buffer-placement.patch @@ -0,0 +1,32 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Lucas Stach +Date: Mon, 23 Jul 2018 14:27:23 +0200 +Subject: drm/etnaviv: fix crash in GPU suspend when init failed due to buffer placement + +From: Lucas Stach + +[ Upstream commit 5b147465532365dc4e2fee8499d6ca1f52dd0d16 ] + +When the suballocator was unable to provide a suitable buffer for the MMUv1 +linear window, we roll back the GPU initialization. As the GPU is runtime +resumed at that point we need to clear the kernel cmdbuf suballoc entry to +properly skip any attempt to manipulate the cmdbuf when the GPU gets shut +down in the runtime suspend later on. + +Signed-off-by: Lucas Stach +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/etnaviv/etnaviv_gpu.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c +@@ -799,6 +799,7 @@ int etnaviv_gpu_init(struct etnaviv_gpu + + free_buffer: + etnaviv_cmdbuf_free(&gpu->buffer); ++ gpu->buffer.suballoc = NULL; + destroy_iommu: + etnaviv_iommu_destroy(gpu->mmu); + gpu->mmu = NULL; diff --git a/queue-4.18/f2fs-avoid-race-between-zero_range-and-background-gc.patch b/queue-4.18/f2fs-avoid-race-between-zero_range-and-background-gc.patch new file mode 100644 index 00000000000..73b0f63d5b5 --- /dev/null +++ b/queue-4.18/f2fs-avoid-race-between-zero_range-and-background-gc.patch @@ -0,0 +1,75 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Chao Yu +Date: Sun, 5 Aug 2018 23:02:22 +0800 +Subject: f2fs: avoid race between zero_range and background GC + +From: Chao Yu + +[ Upstream commit c7079853c859c910b9d047a37891b4aafb8f8dd7 ] + +Thread A Background GC +- f2fs_zero_range + - truncate_pagecache_range + - gc_data_segment + - get_read_data_page + - move_data_page + - set_page_dirty + - set_cold_data + - f2fs_do_zero_range + - dn->data_blkaddr = NEW_ADDR; + - f2fs_set_data_blkaddr + +Actually, we don't need to set dirty & checked flag on the page, since +all valid data in the page should be zeroed by zero_range(). + +Use i_gc_rwsem[WRITE] to avoid such race condition. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/file.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -1295,8 +1295,6 @@ static int f2fs_zero_range(struct inode + if (ret) + goto out_sem; + +- truncate_pagecache_range(inode, offset, offset + len - 1); +- + pg_start = ((unsigned long long) offset) >> PAGE_SHIFT; + pg_end = ((unsigned long long) offset + len) >> PAGE_SHIFT; + +@@ -1326,12 +1324,19 @@ static int f2fs_zero_range(struct inode + unsigned int end_offset; + pgoff_t end; + ++ down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]); ++ ++ truncate_pagecache_range(inode, ++ (loff_t)index << PAGE_SHIFT, ++ ((loff_t)pg_end << PAGE_SHIFT) - 1); ++ + f2fs_lock_op(sbi); + + set_new_dnode(&dn, inode, NULL, NULL, 0); + ret = f2fs_get_dnode_of_data(&dn, index, ALLOC_NODE); + if (ret) { + f2fs_unlock_op(sbi); ++ up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]); + goto out; + } + +@@ -1340,7 +1345,9 @@ static int f2fs_zero_range(struct inode + + ret = f2fs_do_zero_range(&dn, index, end); + f2fs_put_dnode(&dn); ++ + f2fs_unlock_op(sbi); ++ up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]); + + f2fs_balance_fs(sbi, dn.node_changed); + diff --git a/queue-4.18/f2fs-fix-avoid-race-between-truncate-and-background-gc.patch b/queue-4.18/f2fs-fix-avoid-race-between-truncate-and-background-gc.patch new file mode 100644 index 00000000000..f23444cd0de --- /dev/null +++ b/queue-4.18/f2fs-fix-avoid-race-between-truncate-and-background-gc.patch @@ -0,0 +1,110 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Chao Yu +Date: Sun, 5 Aug 2018 23:04:25 +0800 +Subject: f2fs: fix avoid race between truncate and background GC + +From: Chao Yu + +[ Upstream commit a33c150237a20d97a174243bc658c86502f9d370 ] + +Thread A Background GC +- f2fs_setattr isize to 0 + - truncate_setsize + - gc_data_segment + - f2fs_get_read_data_page page #0 + - set_page_dirty + - set_cold_data + - f2fs_truncate + +- f2fs_setattr isize to 4k +- read 4k <--- hit data in cached page #0 + +Above race condition can cause read out invalid data in a truncated +page, fix it by i_gc_rwsem[WRITE] lock. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/data.c | 4 ++++ + fs/f2fs/file.c | 37 +++++++++++++++++++++++-------------- + 2 files changed, 27 insertions(+), 14 deletions(-) + +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -2149,8 +2149,12 @@ static void f2fs_write_failed(struct add + + if (to > i_size) { + down_write(&F2FS_I(inode)->i_mmap_sem); ++ down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]); ++ + truncate_pagecache(inode, i_size); + f2fs_truncate_blocks(inode, i_size, true); ++ ++ up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]); + up_write(&F2FS_I(inode)->i_mmap_sem); + } + } +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -782,22 +782,26 @@ int f2fs_setattr(struct dentry *dentry, + } + + if (attr->ia_valid & ATTR_SIZE) { +- if (attr->ia_size <= i_size_read(inode)) { +- down_write(&F2FS_I(inode)->i_mmap_sem); +- truncate_setsize(inode, attr->ia_size); ++ bool to_smaller = (attr->ia_size <= i_size_read(inode)); ++ ++ down_write(&F2FS_I(inode)->i_mmap_sem); ++ down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]); ++ ++ truncate_setsize(inode, attr->ia_size); ++ ++ if (to_smaller) + err = f2fs_truncate(inode); +- up_write(&F2FS_I(inode)->i_mmap_sem); +- if (err) +- return err; +- } else { +- /* +- * do not trim all blocks after i_size if target size is +- * larger than i_size. +- */ +- down_write(&F2FS_I(inode)->i_mmap_sem); +- truncate_setsize(inode, attr->ia_size); +- up_write(&F2FS_I(inode)->i_mmap_sem); ++ /* ++ * do not trim all blocks after i_size if target size is ++ * larger than i_size. ++ */ ++ up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]); ++ up_write(&F2FS_I(inode)->i_mmap_sem); ++ ++ if (err) ++ return err; + ++ if (!to_smaller) { + /* should convert inline inode here */ + if (!f2fs_may_inline_data(inode)) { + err = f2fs_convert_inline_inode(inode); +@@ -944,13 +948,18 @@ static int punch_hole(struct inode *inod + + blk_start = (loff_t)pg_start << PAGE_SHIFT; + blk_end = (loff_t)pg_end << PAGE_SHIFT; ++ + down_write(&F2FS_I(inode)->i_mmap_sem); ++ down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]); ++ + truncate_inode_pages_range(mapping, blk_start, + blk_end - 1); + + f2fs_lock_op(sbi); + ret = f2fs_truncate_hole(inode, pg_start, pg_end); + f2fs_unlock_op(sbi); ++ ++ up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]); + up_write(&F2FS_I(inode)->i_mmap_sem); + } + } diff --git a/queue-4.18/f2fs-fix-to-clear-pg_checked-flag-in-set_page_dirty.patch b/queue-4.18/f2fs-fix-to-clear-pg_checked-flag-in-set_page_dirty.patch new file mode 100644 index 00000000000..7fa8aabc69c --- /dev/null +++ b/queue-4.18/f2fs-fix-to-clear-pg_checked-flag-in-set_page_dirty.patch @@ -0,0 +1,39 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Chao Yu +Date: Sun, 29 Jul 2018 12:16:59 +0800 +Subject: f2fs: fix to clear PG_checked flag in set_page_dirty() + +From: Chao Yu + +[ Upstream commit 66110abc4c931f879d70e83e1281f891699364bf ] + +PG_checked flag will be set on data page during GC, later, we can +recognize such page by the flag and migrate page to cold segment. + +But previously, we don't clear this flag when invalidating data page, +after page redirtying, we will write it into wrong log. + +Let's clear PG_checked flag in set_page_dirty() to avoid this. + +Signed-off-by: Weichao Guo +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/data.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -2494,6 +2494,10 @@ static int f2fs_set_data_page_dirty(stru + if (!PageUptodate(page)) + SetPageUptodate(page); + ++ /* don't remain PG_checked flag which was set during GC */ ++ if (is_cold_data(page)) ++ clear_cold_data(page); ++ + if (f2fs_is_atomic_file(inode) && !f2fs_is_commit_atomic_write(inode)) { + if (!IS_ATOMIC_WRITTEN_PAGE(page)) { + f2fs_register_inmem_page(inode, page); diff --git a/queue-4.18/fat-validate-i_start-before-using.patch b/queue-4.18/fat-validate-i_start-before-using.patch new file mode 100644 index 00000000000..389076ae5c8 --- /dev/null +++ b/queue-4.18/fat-validate-i_start-before-using.patch @@ -0,0 +1,120 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: OGAWA Hirofumi +Date: Tue, 21 Aug 2018 21:59:44 -0700 +Subject: fat: validate ->i_start before using + +From: OGAWA Hirofumi + +[ Upstream commit 0afa9626667c3659ef8bd82d42a11e39fedf235c ] + +On corrupted FATfs may have invalid ->i_start. To handle it, this checks +->i_start before using, and return proper error code. + +Link: http://lkml.kernel.org/r/87o9f8y1t5.fsf_-_@mail.parknet.co.jp +Signed-off-by: OGAWA Hirofumi +Reported-by: Anatoly Trosinenko +Tested-by: Anatoly Trosinenko +Cc: Alan Cox +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/fat/cache.c | 19 ++++++++++++------- + fs/fat/fat.h | 5 +++++ + fs/fat/fatent.c | 6 +++--- + 3 files changed, 20 insertions(+), 10 deletions(-) + +--- a/fs/fat/cache.c ++++ b/fs/fat/cache.c +@@ -225,7 +225,8 @@ static inline void cache_init(struct fat + int fat_get_cluster(struct inode *inode, int cluster, int *fclus, int *dclus) + { + struct super_block *sb = inode->i_sb; +- const int limit = sb->s_maxbytes >> MSDOS_SB(sb)->cluster_bits; ++ struct msdos_sb_info *sbi = MSDOS_SB(sb); ++ const int limit = sb->s_maxbytes >> sbi->cluster_bits; + struct fat_entry fatent; + struct fat_cache_id cid; + int nr; +@@ -234,6 +235,12 @@ int fat_get_cluster(struct inode *inode, + + *fclus = 0; + *dclus = MSDOS_I(inode)->i_start; ++ if (!fat_valid_entry(sbi, *dclus)) { ++ fat_fs_error_ratelimit(sb, ++ "%s: invalid start cluster (i_pos %lld, start %08x)", ++ __func__, MSDOS_I(inode)->i_pos, *dclus); ++ return -EIO; ++ } + if (cluster == 0) + return 0; + +@@ -250,9 +257,8 @@ int fat_get_cluster(struct inode *inode, + /* prevent the infinite loop of cluster chain */ + if (*fclus > limit) { + fat_fs_error_ratelimit(sb, +- "%s: detected the cluster chain loop" +- " (i_pos %lld)", __func__, +- MSDOS_I(inode)->i_pos); ++ "%s: detected the cluster chain loop (i_pos %lld)", ++ __func__, MSDOS_I(inode)->i_pos); + nr = -EIO; + goto out; + } +@@ -262,9 +268,8 @@ int fat_get_cluster(struct inode *inode, + goto out; + else if (nr == FAT_ENT_FREE) { + fat_fs_error_ratelimit(sb, +- "%s: invalid cluster chain (i_pos %lld)", +- __func__, +- MSDOS_I(inode)->i_pos); ++ "%s: invalid cluster chain (i_pos %lld)", ++ __func__, MSDOS_I(inode)->i_pos); + nr = -EIO; + goto out; + } else if (nr == FAT_ENT_EOF) { +--- a/fs/fat/fat.h ++++ b/fs/fat/fat.h +@@ -348,6 +348,11 @@ static inline void fatent_brelse(struct + fatent->fat_inode = NULL; + } + ++static inline bool fat_valid_entry(struct msdos_sb_info *sbi, int entry) ++{ ++ return FAT_START_ENT <= entry && entry < sbi->max_cluster; ++} ++ + extern void fat_ent_access_init(struct super_block *sb); + extern int fat_ent_read(struct inode *inode, struct fat_entry *fatent, + int entry); +--- a/fs/fat/fatent.c ++++ b/fs/fat/fatent.c +@@ -23,7 +23,7 @@ static void fat12_ent_blocknr(struct sup + { + struct msdos_sb_info *sbi = MSDOS_SB(sb); + int bytes = entry + (entry >> 1); +- WARN_ON(entry < FAT_START_ENT || sbi->max_cluster <= entry); ++ WARN_ON(!fat_valid_entry(sbi, entry)); + *offset = bytes & (sb->s_blocksize - 1); + *blocknr = sbi->fat_start + (bytes >> sb->s_blocksize_bits); + } +@@ -33,7 +33,7 @@ static void fat_ent_blocknr(struct super + { + struct msdos_sb_info *sbi = MSDOS_SB(sb); + int bytes = (entry << sbi->fatent_shift); +- WARN_ON(entry < FAT_START_ENT || sbi->max_cluster <= entry); ++ WARN_ON(!fat_valid_entry(sbi, entry)); + *offset = bytes & (sb->s_blocksize - 1); + *blocknr = sbi->fat_start + (bytes >> sb->s_blocksize_bits); + } +@@ -353,7 +353,7 @@ int fat_ent_read(struct inode *inode, st + int err, offset; + sector_t blocknr; + +- if (entry < FAT_START_ENT || sbi->max_cluster <= entry) { ++ if (!fat_valid_entry(sbi, entry)) { + fatent_brelse(fatent); + fat_fs_error(sb, "invalid access to FAT (entry 0x%08x)", entry); + return -EIO; diff --git a/queue-4.18/fork-don-t-copy-inconsistent-signal-handler-state-to-child.patch b/queue-4.18/fork-don-t-copy-inconsistent-signal-handler-state-to-child.patch new file mode 100644 index 00000000000..5c45d15839a --- /dev/null +++ b/queue-4.18/fork-don-t-copy-inconsistent-signal-handler-state-to-child.patch @@ -0,0 +1,49 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Jann Horn +Date: Tue, 21 Aug 2018 22:00:58 -0700 +Subject: fork: don't copy inconsistent signal handler state to child + +From: Jann Horn + +[ Upstream commit 06e62a46bbba20aa5286102016a04214bb446141 ] + +Before this change, if a multithreaded process forks while one of its +threads is changing a signal handler using sigaction(), the memcpy() in +copy_sighand() can race with the struct assignment in do_sigaction(). It +isn't clear whether this can cause corruption of the userspace signal +handler pointer, but it definitely can cause inconsistency between +different fields of struct sigaction. + +Take the appropriate spinlock to avoid this. + +I have tested that this patch prevents inconsistency between sa_sigaction +and sa_flags, which is possible before this patch. + +Link: http://lkml.kernel.org/r/20180702145108.73189-1-jannh@google.com +Signed-off-by: Jann Horn +Acked-by: Michal Hocko +Reviewed-by: Andrew Morton +Cc: Rik van Riel +Cc: "Peter Zijlstra (Intel)" +Cc: Kees Cook +Cc: Oleg Nesterov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/fork.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -1417,7 +1417,9 @@ static int copy_sighand(unsigned long cl + return -ENOMEM; + + atomic_set(&sig->count, 1); ++ spin_lock_irq(¤t->sighand->siglock); + memcpy(sig->action, current->sighand->action, sizeof(sig->action)); ++ spin_unlock_irq(¤t->sighand->siglock); + return 0; + } + diff --git a/queue-4.18/fs-dcache.c-fix-kmemcheck-splat-at-take_dentry_name_snapshot.patch b/queue-4.18/fs-dcache.c-fix-kmemcheck-splat-at-take_dentry_name_snapshot.patch new file mode 100644 index 00000000000..e973ba7165a --- /dev/null +++ b/queue-4.18/fs-dcache.c-fix-kmemcheck-splat-at-take_dentry_name_snapshot.patch @@ -0,0 +1,57 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Tetsuo Handa +Date: Fri, 17 Aug 2018 15:44:34 -0700 +Subject: fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot() + +From: Tetsuo Handa + +[ Upstream commit 6cd00a01f0c1ae6a852b09c59b8dd55cc6c35d1d ] + +Since only dentry->d_name.len + 1 bytes out of DNAME_INLINE_LEN bytes +are initialized at __d_alloc(), we can't copy the whole size +unconditionally. + + WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (ffff8fa27465ac50) + 636f6e66696766732e746d70000000000010000000000000020000000188ffff + i i i i i i i i i i i i i u u u u u u u u u u i i i i i u u u u + ^ + RIP: 0010:take_dentry_name_snapshot+0x28/0x50 + RSP: 0018:ffffa83000f5bdf8 EFLAGS: 00010246 + RAX: 0000000000000020 RBX: ffff8fa274b20550 RCX: 0000000000000002 + RDX: ffffa83000f5be40 RSI: ffff8fa27465ac50 RDI: ffffa83000f5be60 + RBP: ffffa83000f5bdf8 R08: ffffa83000f5be48 R09: 0000000000000001 + R10: ffff8fa27465ac00 R11: ffff8fa27465acc0 R12: ffff8fa27465ac00 + R13: ffff8fa27465acc0 R14: 0000000000000000 R15: 0000000000000000 + FS: 00007f79737ac8c0(0000) GS:ffffffff8fc30000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffff8fa274c0b000 CR3: 0000000134aa7002 CR4: 00000000000606f0 + take_dentry_name_snapshot+0x28/0x50 + vfs_rename+0x128/0x870 + SyS_rename+0x3b2/0x3d0 + entry_SYSCALL_64_fastpath+0x1a/0xa4 + 0xffffffffffffffff + +Link: http://lkml.kernel.org/r/201709131912.GBG39012.QMJLOVFSFFOOtH@I-love.SAKURA.ne.jp +Signed-off-by: Tetsuo Handa +Cc: Vegard Nossum +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/dcache.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -292,7 +292,8 @@ void take_dentry_name_snapshot(struct na + spin_unlock(&dentry->d_lock); + name->name = p->name; + } else { +- memcpy(name->inline_name, dentry->d_iname, DNAME_INLINE_LEN); ++ memcpy(name->inline_name, dentry->d_iname, ++ dentry->d_name.len + 1); + spin_unlock(&dentry->d_lock); + name->name = name->inline_name; + } diff --git a/queue-4.18/fs-proc-kcore.c-use-__pa_symbol-for-kcore_text-list-entries.patch b/queue-4.18/fs-proc-kcore.c-use-__pa_symbol-for-kcore_text-list-entries.patch new file mode 100644 index 00000000000..0841d9f3fd9 --- /dev/null +++ b/queue-4.18/fs-proc-kcore.c-use-__pa_symbol-for-kcore_text-list-entries.patch @@ -0,0 +1,44 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: James Morse +Date: Tue, 21 Aug 2018 21:54:48 -0700 +Subject: fs/proc/kcore.c: use __pa_symbol() for KCORE_TEXT list entries + +From: James Morse + +[ Upstream commit df865e8337c397471b95f51017fea559bc8abb4a ] + +elf_kcore_store_hdr() uses __pa() to find the physical address of +KCORE_RAM or KCORE_TEXT entries exported as program headers. + +This trips CONFIG_DEBUG_VIRTUAL's checks, as the KCORE_TEXT entries are +not in the linear map. + +Handle these two cases separately, using __pa_symbol() for the KCORE_TEXT +entries. + +Link: http://lkml.kernel.org/r/20180711131944.15252-1-james.morse@arm.com +Signed-off-by: James Morse +Cc: Alexey Dobriyan +Cc: Omar Sandoval +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/kcore.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/proc/kcore.c ++++ b/fs/proc/kcore.c +@@ -384,8 +384,10 @@ static void elf_kcore_store_hdr(char *bu + phdr->p_flags = PF_R|PF_W|PF_X; + phdr->p_offset = kc_vaddr_to_offset(m->addr) + dataoff; + phdr->p_vaddr = (size_t)m->addr; +- if (m->type == KCORE_RAM || m->type == KCORE_TEXT) ++ if (m->type == KCORE_RAM) + phdr->p_paddr = __pa(m->addr); ++ else if (m->type == KCORE_TEXT) ++ phdr->p_paddr = __pa_symbol(m->addr); + else + phdr->p_paddr = (elf_addr_t)-1; + phdr->p_filesz = phdr->p_memsz = m->size; diff --git a/queue-4.18/fs-proc-vmcore.c-hide-vmcoredd_mmap_dumps-for-nommu-builds.patch b/queue-4.18/fs-proc-vmcore.c-hide-vmcoredd_mmap_dumps-for-nommu-builds.patch new file mode 100644 index 00000000000..6c8283c55b0 --- /dev/null +++ b/queue-4.18/fs-proc-vmcore.c-hide-vmcoredd_mmap_dumps-for-nommu-builds.patch @@ -0,0 +1,50 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Arnd Bergmann +Date: Thu, 23 Aug 2018 17:00:55 -0700 +Subject: fs/proc/vmcore.c: hide vmcoredd_mmap_dumps() for nommu builds + +From: Arnd Bergmann + +[ Upstream commit a2036a1ef2ee91acab01a0ae4a534070691a42ec ] + +Without CONFIG_MMU, we get a build warning: + + fs/proc/vmcore.c:228:12: error: 'vmcoredd_mmap_dumps' defined but not used [-Werror=unused-function] + static int vmcoredd_mmap_dumps(struct vm_area_struct *vma, unsigned long dst, + +The function is only referenced from an #ifdef'ed caller, so +this uses the same #ifdef around it. + +Link: http://lkml.kernel.org/r/20180525213526.2117790-1-arnd@arndb.de +Fixes: 7efe48df8a3d ("vmcore: append device dumps to vmcore as elf notes") +Signed-off-by: Arnd Bergmann +Cc: Ganesh Goudar +Cc: "David S. Miller" +Cc: Rahul Lakkireddy +Cc: Alexey Dobriyan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/vmcore.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/proc/vmcore.c ++++ b/fs/proc/vmcore.c +@@ -225,6 +225,7 @@ out_unlock: + return ret; + } + ++#ifdef CONFIG_MMU + static int vmcoredd_mmap_dumps(struct vm_area_struct *vma, unsigned long dst, + u64 start, size_t size) + { +@@ -259,6 +260,7 @@ out_unlock: + mutex_unlock(&vmcoredd_mutex); + return ret; + } ++#endif /* CONFIG_MMU */ + #endif /* CONFIG_PROC_VMCORE_DEVICE_DUMP */ + + /* Read from the ELF header and then the crash dump. On error, negative value is diff --git a/queue-4.18/hfs-prevent-crash-on-exit-from-failed-search.patch b/queue-4.18/hfs-prevent-crash-on-exit-from-failed-search.patch new file mode 100644 index 00000000000..1328c457c0b --- /dev/null +++ b/queue-4.18/hfs-prevent-crash-on-exit-from-failed-search.patch @@ -0,0 +1,41 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: "Ernesto A. Fernández" +Date: Thu, 23 Aug 2018 17:00:31 -0700 +Subject: hfs: prevent crash on exit from failed search + +From: "Ernesto A. Fernández" + +[ Upstream commit dc2572791d3a41bab94400af2b6bca9d71ccd303 ] + +hfs_find_exit() expects fd->bnode to be NULL after a search has failed. +hfs_brec_insert() may instead set it to an error-valued pointer. Fix +this to prevent a crash. + +Link: http://lkml.kernel.org/r/53d9749a029c41b4016c495fc5838c9dba3afc52.1530294815.git.ernesto.mnd.fernandez@gmail.com +Signed-off-by: Ernesto A. Fernández +Cc: Anatoly Trosinenko +Cc: Viacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/hfs/brec.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/fs/hfs/brec.c ++++ b/fs/hfs/brec.c +@@ -75,9 +75,10 @@ int hfs_brec_insert(struct hfs_find_data + if (!fd->bnode) { + if (!tree->root) + hfs_btree_inc_height(tree); +- fd->bnode = hfs_bnode_find(tree, tree->leaf_head); +- if (IS_ERR(fd->bnode)) +- return PTR_ERR(fd->bnode); ++ node = hfs_bnode_find(tree, tree->leaf_head); ++ if (IS_ERR(node)) ++ return PTR_ERR(node); ++ fd->bnode = node; + fd->record = -1; + } + new_node = NULL; diff --git a/queue-4.18/hfsplus-don-t-return-0-when-fill_super-failed.patch b/queue-4.18/hfsplus-don-t-return-0-when-fill_super-failed.patch new file mode 100644 index 00000000000..15d43103461 --- /dev/null +++ b/queue-4.18/hfsplus-don-t-return-0-when-fill_super-failed.patch @@ -0,0 +1,47 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Tetsuo Handa +Date: Tue, 21 Aug 2018 21:59:12 -0700 +Subject: hfsplus: don't return 0 when fill_super() failed + +From: Tetsuo Handa + +[ Upstream commit 7464726cb5998846306ed0a7d6714afb2e37b25d ] + +syzbot is reporting NULL pointer dereference at mount_fs() [1]. This is +because hfsplus_fill_super() is by error returning 0 when +hfsplus_fill_super() detected invalid filesystem image, and mount_bdev() +is returning NULL because dget(s->s_root) == NULL if s->s_root == NULL, +and mount_fs() is accessing root->d_sb because IS_ERR(root) == false if +root == NULL. Fix this by returning -EINVAL when hfsplus_fill_super() +detected invalid filesystem image. + +[1] https://syzkaller.appspot.com/bug?id=21acb6850cecbc960c927229e597158cf35f33d0 + +Link: http://lkml.kernel.org/r/d83ce31a-874c-dd5b-f790-41405983a5be@I-love.SAKURA.ne.jp +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Reviewed-by: Ernesto A. Fernández +Reviewed-by: Andrew Morton +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/hfsplus/super.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/hfsplus/super.c ++++ b/fs/hfsplus/super.c +@@ -524,8 +524,10 @@ static int hfsplus_fill_super(struct sup + goto out_put_root; + if (!hfs_brec_read(&fd, &entry, sizeof(entry))) { + hfs_find_exit(&fd); +- if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) ++ if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) { ++ err = -EINVAL; + goto out_put_root; ++ } + inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id)); + if (IS_ERR(inode)) { + err = PTR_ERR(inode); diff --git a/queue-4.18/hfsplus-fix-null-dereference-in-hfsplus_lookup.patch b/queue-4.18/hfsplus-fix-null-dereference-in-hfsplus_lookup.patch new file mode 100644 index 00000000000..ad371c9be37 --- /dev/null +++ b/queue-4.18/hfsplus-fix-null-dereference-in-hfsplus_lookup.patch @@ -0,0 +1,53 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: "Ernesto A. Fernández" +Date: Thu, 23 Aug 2018 17:00:25 -0700 +Subject: hfsplus: fix NULL dereference in hfsplus_lookup() + +From: "Ernesto A. Fernández" + +[ Upstream commit a7ec7a4193a2eb3b5341243fc0b621c1ac9e4ec4 ] + +An HFS+ filesystem can be mounted read-only without having a metadata +directory, which is needed to support hardlinks. But if the catalog +data is corrupted, a directory lookup may still find dentries claiming +to be hardlinks. + +hfsplus_lookup() does check that ->hidden_dir is not NULL in such a +situation, but mistakenly does so after dereferencing it for the first +time. Reorder this check to prevent a crash. + +This happens when looking up corrupted catalog data (dentry) on a +filesystem with no metadata directory (this could only ever happen on a +read-only mount). Wen Xu sent the replication steps in detail to the +fsdevel list: https://bugzilla.kernel.org/show_bug.cgi?id=200297 + +Link: http://lkml.kernel.org/r/20180712215344.q44dyrhymm4ajkao@eaf +Signed-off-by: Ernesto A. Fernández +Reported-by: Wen Xu +Cc: Viacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/hfsplus/dir.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/hfsplus/dir.c ++++ b/fs/hfsplus/dir.c +@@ -78,13 +78,13 @@ again: + cpu_to_be32(HFSP_HARDLINK_TYPE) && + entry.file.user_info.fdCreator == + cpu_to_be32(HFSP_HFSPLUS_CREATOR) && ++ HFSPLUS_SB(sb)->hidden_dir && + (entry.file.create_date == + HFSPLUS_I(HFSPLUS_SB(sb)->hidden_dir)-> + create_date || + entry.file.create_date == + HFSPLUS_I(d_inode(sb->s_root))-> +- create_date) && +- HFSPLUS_SB(sb)->hidden_dir) { ++ create_date)) { + struct qstr str; + char name[32]; + diff --git a/queue-4.18/i2c-core-acpi-make-acpi_gsb_i2c_read_bytes-check-i2c_transfer-return-value.patch b/queue-4.18/i2c-core-acpi-make-acpi_gsb_i2c_read_bytes-check-i2c_transfer-return-value.patch new file mode 100644 index 00000000000..e702bf7c76e --- /dev/null +++ b/queue-4.18/i2c-core-acpi-make-acpi_gsb_i2c_read_bytes-check-i2c_transfer-return-value.patch @@ -0,0 +1,56 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Hans de Goede +Date: Sun, 12 Aug 2018 12:53:21 +0200 +Subject: i2c: core: ACPI: Make acpi_gsb_i2c_read_bytes() check i2c_transfer return value + +From: Hans de Goede + +[ Upstream commit 0a30446c0dca3483c384b54a431cc951e15f7e79 ] + +Currently acpi_gsb_i2c_read_bytes() directly returns i2c_transfer's return +value. i2c_transfer returns a value < 0 on error and 2 (for 2 successfully +executed transfers) on success. But the ACPI code expects 0 on success, so +currently acpi_gsb_i2c_read_bytes()'s caller does: + + if (status > 0) + status = 0; + +This commit makes acpi_gsb_i2c_read_bytes() return a value which can be +directly consumed by the ACPI code, mirroring acpi_gsb_i2c_write_bytes(), +this commit also makes acpi_gsb_i2c_read_bytes() explitcly check that +i2c_transfer returns 2, rather then accepting any value > 0. + +Signed-off-by: Hans de Goede +Acked-by: Mika Westerberg +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/i2c-core-acpi.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/i2c/i2c-core-acpi.c ++++ b/drivers/i2c/i2c-core-acpi.c +@@ -453,8 +453,12 @@ static int acpi_gsb_i2c_read_bytes(struc + else + dev_err(&client->adapter->dev, "i2c read %d bytes from client@%#x starting at reg %#x failed, error: %d\n", + data_len, client->addr, cmd, ret); +- } else { ++ /* 2 transfers must have completed successfully */ ++ } else if (ret == 2) { + memcpy(data, buffer, data_len); ++ ret = 0; ++ } else { ++ ret = -EIO; + } + + kfree(buffer); +@@ -595,8 +599,6 @@ i2c_acpi_space_handler(u32 function, acp + if (action == ACPI_READ) { + status = acpi_gsb_i2c_read_bytes(client, command, + gsb->data, info->access_length); +- if (status > 0) +- status = 0; + } else { + status = acpi_gsb_i2c_write_bytes(client, command, + gsb->data, info->access_length); diff --git a/queue-4.18/ib-hfi1-invalid-numa-node-information-can-cause-a-divide-by-zero.patch b/queue-4.18/ib-hfi1-invalid-numa-node-information-can-cause-a-divide-by-zero.patch new file mode 100644 index 00000000000..3dc4e550552 --- /dev/null +++ b/queue-4.18/ib-hfi1-invalid-numa-node-information-can-cause-a-divide-by-zero.patch @@ -0,0 +1,117 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: "Michael J. Ruhl" +Date: Wed, 15 Aug 2018 22:54:49 -0700 +Subject: IB/hfi1: Invalid NUMA node information can cause a divide by zero + +From: "Michael J. Ruhl" + +[ Upstream commit c513de490f808d8480346f9a58e6a4a5f3de12e7 ] + +If the system BIOS does not supply NUMA node information to the +PCI devices, the NUMA node is selected by choosing the current +node. + +This can lead to the following crash: + +divide error: 0000 SMP +CPU: 0 PID: 4 Comm: kworker/0:0 Tainted: G IOE +------------ 3.10.0-693.21.1.el7.x86_64 #1 +Hardware name: Intel Corporation S2600KP/S2600KP, BIOS +SE5C610.86B.01.01.0005.101720141054 10/17/2014 +Workqueue: events work_for_cpu_fn +task: ffff880174480fd0 ti: ffff880174488000 task.ti: ffff880174488000 +RIP: 0010: [] hfi1_dev_affinity_init+0x129/0x6a0 [hfi1] +RSP: 0018:ffff88017448bbf8 EFLAGS: 00010246 +RAX: 0000000000000011 RBX: ffff88107ffba6c0 RCX: ffff88085c22e130 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880824ad0000 +RBP: ffff88017448bc48 R08: 0000000000000011 R09: 0000000000000002 +R10: ffff8808582b6ca0 R11: 0000000000003151 R12: ffff8808582b6ca0 +R13: ffff8808582b6518 R14: ffff8808582b6010 R15: 0000000000000012 +FS: 0000000000000000(0000) GS:ffff88085ec00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007efc707404f0 CR3: 0000000001a02000 CR4: 00000000001607f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +Call Trace: + hfi1_init_dd+0x14b3/0x27a0 [hfi1] + ? pcie_capability_write_word+0x46/0x70 + ? hfi1_pcie_init+0xc0/0x200 [hfi1] + do_init_one+0x153/0x4c0 [hfi1] + ? sched_clock_cpu+0x85/0xc0 + init_one+0x1b5/0x260 [hfi1] + local_pci_probe+0x4a/0xb0 + work_for_cpu_fn+0x1a/0x30 + process_one_work+0x17f/0x440 + worker_thread+0x278/0x3c0 + ? manage_workers.isra.24+0x2a0/0x2a0 + kthread+0xd1/0xe0 + ? insert_kthread_work+0x40/0x40 + ret_from_fork+0x77/0xb0 + ? insert_kthread_work+0x40/0x40 + +If the BIOS is not supplying NUMA information: + - set the default table count to 1 for all possible nodes + - select node 0 (instead of current NUMA) node to get consistent + performance + - generate an error indicating that the BIOS should be upgraded + +Reviewed-by: Gary Leshner +Reviewed-by: Mike Marciniszyn +Signed-off-by: Michael J. Ruhl +Signed-off-by: Dennis Dalessandro + +Signed-off-by: Jason Gunthorpe + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hfi1/affinity.c | 24 +++++++++++++++++++++--- + 1 file changed, 21 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/affinity.c ++++ b/drivers/infiniband/hw/hfi1/affinity.c +@@ -198,7 +198,7 @@ int node_affinity_init(void) + while ((dev = pci_get_device(ids->vendor, ids->device, dev))) { + node = pcibus_to_node(dev->bus); + if (node < 0) +- node = numa_node_id(); ++ goto out; + + hfi1_per_node_cntr[node]++; + } +@@ -206,6 +206,18 @@ int node_affinity_init(void) + } + + return 0; ++ ++out: ++ /* ++ * Invalid PCI NUMA node information found, note it, and populate ++ * our database 1:1. ++ */ ++ pr_err("HFI: Invalid PCI NUMA node. Performance may be affected\n"); ++ pr_err("HFI: System BIOS may need to be upgraded\n"); ++ for (node = 0; node < node_affinity.num_possible_nodes; node++) ++ hfi1_per_node_cntr[node] = 1; ++ ++ return 0; + } + + static void node_affinity_destroy(struct hfi1_affinity_node *entry) +@@ -622,8 +634,14 @@ int hfi1_dev_affinity_init(struct hfi1_d + int curr_cpu, possible, i, ret; + bool new_entry = false; + +- if (node < 0) +- node = numa_node_id(); ++ /* ++ * If the BIOS does not have the NUMA node information set, select ++ * NUMA 0 so we get consistent performance. ++ */ ++ if (node < 0) { ++ dd_dev_err(dd, "Invalid PCI NUMA node. Performance may be affected\n"); ++ node = 0; ++ } + dd->node = node; + + local_mask = cpumask_of_node(dd->node); diff --git a/queue-4.18/input-do-not-use-warn-in-input_alloc_absinfo.patch b/queue-4.18/input-do-not-use-warn-in-input_alloc_absinfo.patch new file mode 100644 index 00000000000..9b07c1b7992 --- /dev/null +++ b/queue-4.18/input-do-not-use-warn-in-input_alloc_absinfo.patch @@ -0,0 +1,56 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Dmitry Torokhov +Date: Mon, 6 Aug 2018 15:10:40 -0700 +Subject: Input: do not use WARN() in input_alloc_absinfo() + +From: Dmitry Torokhov + +[ Upstream commit 100294cee9a98bfd4d6cb2d1c8a8aef0e959b0c4 ] + +Some of fuzzers set panic_on_warn=1 so that they can handle WARN()ings +the same way they handle full-blown kernel crashes. We used WARN() in +input_alloc_absinfo() to get a better idea where memory allocation +failed, but since then kmalloc() and friends started dumping call stack on +memory allocation failures anyway, so we are not getting anything extra +from WARN(). + +Because of the above, let's replace WARN with dev_err(). We use dev_err() +instead of simply removing message and relying on kcalloc() to give us +stack dump so that we'd know the instance of hardware device to which we +were trying to attach input device. + +Reported-by: Dmitry Vyukov +Acked-by: Dmitry Vyukov +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/input.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/input/input.c ++++ b/drivers/input/input.c +@@ -480,11 +480,19 @@ EXPORT_SYMBOL(input_inject_event); + */ + void input_alloc_absinfo(struct input_dev *dev) + { +- if (!dev->absinfo) +- dev->absinfo = kcalloc(ABS_CNT, sizeof(*dev->absinfo), +- GFP_KERNEL); ++ if (dev->absinfo) ++ return; + +- WARN(!dev->absinfo, "%s(): kcalloc() failed?\n", __func__); ++ dev->absinfo = kcalloc(ABS_CNT, sizeof(*dev->absinfo), GFP_KERNEL); ++ if (!dev->absinfo) { ++ dev_err(dev->dev.parent ?: &dev->dev, ++ "%s: unable to allocate memory\n", __func__); ++ /* ++ * We will handle this allocation failure in ++ * input_register_device() when we refuse to register input ++ * device with ABS bits but without absinfo. ++ */ ++ } + } + EXPORT_SYMBOL(input_alloc_absinfo); + diff --git a/queue-4.18/iommu-omap-fix-cache-flushes-on-l2-table-entries.patch b/queue-4.18/iommu-omap-fix-cache-flushes-on-l2-table-entries.patch new file mode 100644 index 00000000000..14799300382 --- /dev/null +++ b/queue-4.18/iommu-omap-fix-cache-flushes-on-l2-table-entries.patch @@ -0,0 +1,48 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Ralf Goebel +Date: Mon, 6 Aug 2018 17:00:36 +0200 +Subject: iommu/omap: Fix cache flushes on L2 table entries + +From: Ralf Goebel + +[ Upstream commit 04c532a1cdc7e423656c07937aa4b5c1c2b064f9 ] + +The base address used for DMA operations on the second-level table +did incorrectly include the offset for the table entry. The offset +was then added again which lead to incorrect behavior. + +Operations on the L1 table are not affected. + +The calculation of the base address is changed to point to the +beginning of the L2 table. + +Fixes: bfee0cf0ee1d ("iommu/omap: Use DMA-API for performing cache flushes") +Acked-by: Suman Anna +Signed-off-by: Ralf Goebel +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/omap-iommu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iommu/omap-iommu.c ++++ b/drivers/iommu/omap-iommu.c +@@ -550,7 +550,7 @@ static u32 *iopte_alloc(struct omap_iomm + + pte_ready: + iopte = iopte_offset(iopgd, da); +- *pt_dma = virt_to_phys(iopte); ++ *pt_dma = iopgd_page_paddr(iopgd); + dev_vdbg(obj->dev, + "%s: da:%08x pgd:%p *pgd:%08x pte:%p *pte:%08x\n", + __func__, da, iopgd, *iopgd, iopte, *iopte); +@@ -738,7 +738,7 @@ static size_t iopgtable_clear_entry_core + } + bytes *= nent; + memset(iopte, 0, nent * sizeof(*iopte)); +- pt_dma = virt_to_phys(iopte); ++ pt_dma = iopgd_page_paddr(iopgd); + flush_iopte_range(obj->dev, pt_dma, pt_offset, nent); + + /* diff --git a/queue-4.18/iommu-rockchip-handle-errors-returned-from-pm-framework.patch b/queue-4.18/iommu-rockchip-handle-errors-returned-from-pm-framework.patch new file mode 100644 index 00000000000..e4d526a85c9 --- /dev/null +++ b/queue-4.18/iommu-rockchip-handle-errors-returned-from-pm-framework.patch @@ -0,0 +1,91 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Marc Zyngier +Date: Fri, 24 Aug 2018 16:06:36 +0100 +Subject: iommu/rockchip: Handle errors returned from PM framework + +From: Marc Zyngier + +[ Upstream commit 3fc7c5c0cff3150e471f5fd12f59971c6d2c6513 ] + +pm_runtime_get_if_in_use can fail: either PM has been disabled +altogether (-EINVAL), or the device hasn't been enabled yet (0). +Sadly, the Rockchip IOMMU driver tends to conflate the two things +by considering a non-zero return value as successful. + +This has the consequence of hiding other bugs, so let's handle this +case throughout the driver, with a WARN_ON_ONCE so that we can try +and work out what happened. + +Fixes: 0f181d3cf7d98 ("iommu/rockchip: Add runtime PM support") +Reviewed-by: Heiko Stuebner +Signed-off-by: Marc Zyngier +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/rockchip-iommu.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +--- a/drivers/iommu/rockchip-iommu.c ++++ b/drivers/iommu/rockchip-iommu.c +@@ -521,10 +521,11 @@ static irqreturn_t rk_iommu_irq(int irq, + u32 int_status; + dma_addr_t iova; + irqreturn_t ret = IRQ_NONE; +- int i; ++ int i, err; + +- if (WARN_ON(!pm_runtime_get_if_in_use(iommu->dev))) +- return 0; ++ err = pm_runtime_get_if_in_use(iommu->dev); ++ if (WARN_ON_ONCE(err <= 0)) ++ return ret; + + if (WARN_ON(clk_bulk_enable(iommu->num_clocks, iommu->clocks))) + goto out; +@@ -620,11 +621,15 @@ static void rk_iommu_zap_iova(struct rk_ + spin_lock_irqsave(&rk_domain->iommus_lock, flags); + list_for_each(pos, &rk_domain->iommus) { + struct rk_iommu *iommu; ++ int ret; + + iommu = list_entry(pos, struct rk_iommu, node); + + /* Only zap TLBs of IOMMUs that are powered on. */ +- if (pm_runtime_get_if_in_use(iommu->dev)) { ++ ret = pm_runtime_get_if_in_use(iommu->dev); ++ if (WARN_ON_ONCE(ret < 0)) ++ continue; ++ if (ret) { + WARN_ON(clk_bulk_enable(iommu->num_clocks, + iommu->clocks)); + rk_iommu_zap_lines(iommu, iova, size); +@@ -891,6 +896,7 @@ static void rk_iommu_detach_device(struc + struct rk_iommu *iommu; + struct rk_iommu_domain *rk_domain = to_rk_domain(domain); + unsigned long flags; ++ int ret; + + /* Allow 'virtual devices' (eg drm) to detach from domain */ + iommu = rk_iommu_from_dev(dev); +@@ -909,7 +915,9 @@ static void rk_iommu_detach_device(struc + list_del_init(&iommu->node); + spin_unlock_irqrestore(&rk_domain->iommus_lock, flags); + +- if (pm_runtime_get_if_in_use(iommu->dev)) { ++ ret = pm_runtime_get_if_in_use(iommu->dev); ++ WARN_ON_ONCE(ret < 0); ++ if (ret > 0) { + rk_iommu_disable(iommu); + pm_runtime_put(iommu->dev); + } +@@ -946,7 +954,8 @@ static int rk_iommu_attach_device(struct + list_add_tail(&iommu->node, &rk_domain->iommus); + spin_unlock_irqrestore(&rk_domain->iommus_lock, flags); + +- if (!pm_runtime_get_if_in_use(iommu->dev)) ++ ret = pm_runtime_get_if_in_use(iommu->dev); ++ if (!ret || WARN_ON_ONCE(ret < 0)) + return 0; + + ret = rk_iommu_enable(iommu); diff --git a/queue-4.18/iommu-rockchip-move-irq-request-past-pm_runtime_enable.patch b/queue-4.18/iommu-rockchip-move-irq-request-past-pm_runtime_enable.patch new file mode 100644 index 00000000000..4695eeb3601 --- /dev/null +++ b/queue-4.18/iommu-rockchip-move-irq-request-past-pm_runtime_enable.patch @@ -0,0 +1,74 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Marc Zyngier +Date: Fri, 24 Aug 2018 16:06:37 +0100 +Subject: iommu/rockchip: Move irq request past pm_runtime_enable + +From: Marc Zyngier + +[ Upstream commit 1aa55ca9b14af6cfd987ce4fdaf548f7067a5d07 ] + +Enabling the interrupt early, before power has been applied to the +device, can result in an interrupt being delivered too early if: + +- the IOMMU shares an interrupt with a VOP +- the VOP has a pending interrupt (after a kexec, for example) + +In these conditions, we end-up taking the interrupt without +the IOMMU being ready to handle the interrupt (not powered on). + +Moving the interrupt request past the pm_runtime_enable() call +makes sure we can at least access the IOMMU registers. Note that +this is only a partial fix, and that the VOP interrupt will still +be screaming until the VOP driver kicks in, which advocates for +a more synchronized interrupt enabling/disabling approach. + +Fixes: 0f181d3cf7d98 ("iommu/rockchip: Add runtime PM support") +Reviewed-by: Heiko Stuebner +Signed-off-by: Marc Zyngier +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/rockchip-iommu.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +--- a/drivers/iommu/rockchip-iommu.c ++++ b/drivers/iommu/rockchip-iommu.c +@@ -1161,17 +1161,6 @@ static int rk_iommu_probe(struct platfor + if (iommu->num_mmu == 0) + return PTR_ERR(iommu->bases[0]); + +- i = 0; +- while ((irq = platform_get_irq(pdev, i++)) != -ENXIO) { +- if (irq < 0) +- return irq; +- +- err = devm_request_irq(iommu->dev, irq, rk_iommu_irq, +- IRQF_SHARED, dev_name(dev), iommu); +- if (err) +- return err; +- } +- + iommu->reset_disabled = device_property_read_bool(dev, + "rockchip,disable-mmu-reset"); + +@@ -1228,6 +1217,19 @@ static int rk_iommu_probe(struct platfor + + pm_runtime_enable(dev); + ++ i = 0; ++ while ((irq = platform_get_irq(pdev, i++)) != -ENXIO) { ++ if (irq < 0) ++ return irq; ++ ++ err = devm_request_irq(iommu->dev, irq, rk_iommu_irq, ++ IRQF_SHARED, dev_name(dev), iommu); ++ if (err) { ++ pm_runtime_disable(dev); ++ goto err_remove_sysfs; ++ } ++ } ++ + return 0; + err_remove_sysfs: + iommu_device_sysfs_remove(&iommu->iommu); diff --git a/queue-4.18/ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_dest.patch b/queue-4.18/ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_dest.patch new file mode 100644 index 00000000000..71077d2d5a6 --- /dev/null +++ b/queue-4.18/ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_dest.patch @@ -0,0 +1,83 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Tan Hu +Date: Wed, 25 Jul 2018 15:23:07 +0800 +Subject: ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest() + +From: Tan Hu + +[ Upstream commit a53b42c11815d2357e31a9403ae3950517525894 ] + +We came across infinite loop in ipvs when using ipvs in docker +env. + +When ipvs receives new packets and cannot find an ipvs connection, +it will create a new connection, then if the dest is unavailable +(i.e. IP_VS_DEST_F_AVAILABLE), the packet will be dropped sliently. + +But if the dropped packet is the first packet of this connection, +the connection control timer never has a chance to start and the +ipvs connection cannot be released. This will lead to memory leak, or +infinite loop in cleanup_net() when net namespace is released like +this: + + ip_vs_conn_net_cleanup at ffffffffa0a9f31a [ip_vs] + __ip_vs_cleanup at ffffffffa0a9f60a [ip_vs] + ops_exit_list at ffffffff81567a49 + cleanup_net at ffffffff81568b40 + process_one_work at ffffffff810a851b + worker_thread at ffffffff810a9356 + kthread at ffffffff810b0b6f + ret_from_fork at ffffffff81697a18 + +race condition: + CPU1 CPU2 + ip_vs_in() + ip_vs_conn_new() + ip_vs_del_dest() + __ip_vs_unlink_dest() + ~IP_VS_DEST_F_AVAILABLE + cp->dest && !IP_VS_DEST_F_AVAILABLE + __ip_vs_conn_put + ... + cleanup_net ---> infinite looping + +Fix this by checking whether the timer already started. + +Signed-off-by: Tan Hu +Reviewed-by: Jiang Biao +Acked-by: Julian Anastasov +Acked-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/ipvs/ip_vs_core.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/net/netfilter/ipvs/ip_vs_core.c ++++ b/net/netfilter/ipvs/ip_vs_core.c +@@ -1972,13 +1972,20 @@ ip_vs_in(struct netns_ipvs *ipvs, unsign + if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) { + /* the destination server is not available */ + +- if (sysctl_expire_nodest_conn(ipvs)) { ++ __u32 flags = cp->flags; ++ ++ /* when timer already started, silently drop the packet.*/ ++ if (timer_pending(&cp->timer)) ++ __ip_vs_conn_put(cp); ++ else ++ ip_vs_conn_put(cp); ++ ++ if (sysctl_expire_nodest_conn(ipvs) && ++ !(flags & IP_VS_CONN_F_ONE_PACKET)) { + /* try to expire the connection immediately */ + ip_vs_conn_expire_now(cp); + } +- /* don't restart its timer, and silently +- drop the packet. */ +- __ip_vs_conn_put(cp); ++ + return NF_DROP; + } + diff --git a/queue-4.18/irqchip-bcm7038-l1-hide-cpu-offline-callback-when-building-for-smp.patch b/queue-4.18/irqchip-bcm7038-l1-hide-cpu-offline-callback-when-building-for-smp.patch new file mode 100644 index 00000000000..146e8dfea23 --- /dev/null +++ b/queue-4.18/irqchip-bcm7038-l1-hide-cpu-offline-callback-when-building-for-smp.patch @@ -0,0 +1,56 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Jonas Gorski +Date: Thu, 9 Aug 2018 10:59:01 +0200 +Subject: irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP + +From: Jonas Gorski + +[ Upstream commit 0702bc4d2fe793018ad9aa0eb14bff7f526c4095 ] + +When compiling bmips with SMP disabled, the build fails with: + +drivers/irqchip/irq-bcm7038-l1.o: In function `bcm7038_l1_cpu_offline': +drivers/irqchip/irq-bcm7038-l1.c:242: undefined reference to `irq_set_affinity_locked' +make[5]: *** [vmlinux] Error 1 + +Fix this by adding and setting bcm7038_l1_cpu_offline only when actually +compiling for SMP. It wouldn't have been used anyway, as it requires +CPU_HOTPLUG, which in turn requires SMP. + +Fixes: 34c535793bcb ("irqchip/bcm7038-l1: Implement irq_cpu_offline() callback") +Signed-off-by: Jonas Gorski +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-bcm7038-l1.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/irqchip/irq-bcm7038-l1.c ++++ b/drivers/irqchip/irq-bcm7038-l1.c +@@ -217,6 +217,7 @@ static int bcm7038_l1_set_affinity(struc + return 0; + } + ++#ifdef CONFIG_SMP + static void bcm7038_l1_cpu_offline(struct irq_data *d) + { + struct cpumask *mask = irq_data_get_affinity_mask(d); +@@ -241,6 +242,7 @@ static void bcm7038_l1_cpu_offline(struc + } + irq_set_affinity_locked(d, &new_affinity, false); + } ++#endif + + static int __init bcm7038_l1_init_one(struct device_node *dn, + unsigned int idx, +@@ -293,7 +295,9 @@ static struct irq_chip bcm7038_l1_irq_ch + .irq_mask = bcm7038_l1_mask, + .irq_unmask = bcm7038_l1_unmask, + .irq_set_affinity = bcm7038_l1_set_affinity, ++#ifdef CONFIG_SMP + .irq_cpu_offline = bcm7038_l1_cpu_offline, ++#endif + }; + + static int bcm7038_l1_map(struct irq_domain *d, unsigned int virq, diff --git a/queue-4.18/irqchip-stm32-fix-init-error-handling.patch b/queue-4.18/irqchip-stm32-fix-init-error-handling.patch new file mode 100644 index 00000000000..25f0cf7cf98 --- /dev/null +++ b/queue-4.18/irqchip-stm32-fix-init-error-handling.patch @@ -0,0 +1,94 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Dan Carpenter +Date: Wed, 8 Aug 2018 15:03:19 +0300 +Subject: irqchip/stm32: Fix init error handling + +From: Dan Carpenter + +[ Upstream commit 4096165d55218a6f58b6c2ebc5d2428aa0aa70e4 ] + +If there are any errors in stm32_exti_host_init() then it leads to a +NULL dereference in the callers. The function should clean up after +itself. + +Fixes: f9fc1745501e ("irqchip/stm32: Add host and driver data structures") +Reviewed-by: Ludovic Barre +Signed-off-by: Dan Carpenter +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-stm32-exti.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +--- a/drivers/irqchip/irq-stm32-exti.c ++++ b/drivers/irqchip/irq-stm32-exti.c +@@ -602,17 +602,24 @@ stm32_exti_host_data *stm32_exti_host_in + sizeof(struct stm32_exti_chip_data), + GFP_KERNEL); + if (!host_data->chips_data) +- return NULL; ++ goto free_host_data; + + host_data->base = of_iomap(node, 0); + if (!host_data->base) { + pr_err("%pOF: Unable to map registers\n", node); +- return NULL; ++ goto free_chips_data; + } + + stm32_host_data = host_data; + + return host_data; ++ ++free_chips_data: ++ kfree(host_data->chips_data); ++free_host_data: ++ kfree(host_data); ++ ++ return NULL; + } + + static struct +@@ -664,10 +671,8 @@ static int __init stm32_exti_init(const + struct irq_domain *domain; + + host_data = stm32_exti_host_init(drv_data, node); +- if (!host_data) { +- ret = -ENOMEM; +- goto out_free_mem; +- } ++ if (!host_data) ++ return -ENOMEM; + + domain = irq_domain_add_linear(node, drv_data->bank_nr * IRQS_PER_BANK, + &irq_exti_domain_ops, NULL); +@@ -724,7 +729,6 @@ out_free_domain: + irq_domain_remove(domain); + out_unmap: + iounmap(host_data->base); +-out_free_mem: + kfree(host_data->chips_data); + kfree(host_data); + return ret; +@@ -751,10 +755,8 @@ __init stm32_exti_hierarchy_init(const s + } + + host_data = stm32_exti_host_init(drv_data, node); +- if (!host_data) { +- ret = -ENOMEM; +- goto out_free_mem; +- } ++ if (!host_data) ++ return -ENOMEM; + + for (i = 0; i < drv_data->bank_nr; i++) + stm32_exti_chip_init(host_data, i, node); +@@ -776,7 +778,6 @@ __init stm32_exti_hierarchy_init(const s + + out_unmap: + iounmap(host_data->base); +-out_free_mem: + kfree(host_data->chips_data); + kfree(host_data); + return ret; diff --git a/queue-4.18/kvm-nvmx-fix-fault-vector-for-vmx-operation-at-cpl-0.patch b/queue-4.18/kvm-nvmx-fix-fault-vector-for-vmx-operation-at-cpl-0.patch new file mode 100644 index 00000000000..ead5c29058b --- /dev/null +++ b/queue-4.18/kvm-nvmx-fix-fault-vector-for-vmx-operation-at-cpl-0.patch @@ -0,0 +1,42 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Jim Mattson +Date: Fri, 27 Jul 2018 09:18:50 -0700 +Subject: kvm: nVMX: Fix fault vector for VMX operation at CPL > 0 + +From: Jim Mattson + +[ Upstream commit 36090bf43a6b835a42f515cb515ff6fa293a25fe ] + +The fault that should be raised for a privilege level violation is #GP +rather than #UD. + +Fixes: 727ba748e110b4 ("kvm: nVMX: Enforce cpl=0 for VMX instructions") +Signed-off-by: Jim Mattson +Reviewed-by: David Hildenbrand +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -8123,7 +8123,7 @@ static int handle_vmon(struct kvm_vcpu * + + /* CPL=0 must be checked manually. */ + if (vmx_get_cpl(vcpu)) { +- kvm_queue_exception(vcpu, UD_VECTOR); ++ kvm_inject_gp(vcpu, 0); + return 1; + } + +@@ -8187,7 +8187,7 @@ static int handle_vmon(struct kvm_vcpu * + static int nested_vmx_check_permission(struct kvm_vcpu *vcpu) + { + if (vmx_get_cpl(vcpu)) { +- kvm_queue_exception(vcpu, UD_VECTOR); ++ kvm_inject_gp(vcpu, 0); + return 0; + } + diff --git a/queue-4.18/kvm-vmx-track-host_state.loaded-using-a-loaded_vmcs-pointer.patch b/queue-4.18/kvm-vmx-track-host_state.loaded-using-a-loaded_vmcs-pointer.patch new file mode 100644 index 00000000000..a174517e138 --- /dev/null +++ b/queue-4.18/kvm-vmx-track-host_state.loaded-using-a-loaded_vmcs-pointer.patch @@ -0,0 +1,102 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Sean Christopherson +Date: Mon, 23 Jul 2018 12:32:42 -0700 +Subject: KVM: vmx: track host_state.loaded using a loaded_vmcs pointer + +From: Sean Christopherson + +[ Upstream commit bd9966de4e14fb559e89a06f7f5c9aab2cc028b9 ] + +Using 'struct loaded_vmcs*' to track whether the CPU registers +contain host or guest state kills two birds with one stone. + + 1. The (effective) boolean host_state.loaded is poorly named. + It does not track whether or not host state is loaded into + the CPU registers (which most readers would expect), but + rather tracks if host state has been saved AND guest state + is loaded. + + 2. Using a loaded_vmcs pointer provides a more robust framework + for the optimized guest/host state switching, especially when + consideration per-VMCS enhancements. To that end, WARN_ONCE + if we try to switch to host state with a different VMCS than + was last used to save host state. + +Resolve an occurrence of the new WARN by setting loaded_vmcs after +the call to vmx_vcpu_put() in vmx_switch_vmcs(). + +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -939,17 +939,21 @@ struct vcpu_vmx { + /* + * loaded_vmcs points to the VMCS currently used in this vcpu. For a + * non-nested (L1) guest, it always points to vmcs01. For a nested +- * guest (L2), it points to a different VMCS. ++ * guest (L2), it points to a different VMCS. loaded_cpu_state points ++ * to the VMCS whose state is loaded into the CPU registers that only ++ * need to be switched when transitioning to/from the kernel; a NULL ++ * value indicates that host state is loaded. + */ + struct loaded_vmcs vmcs01; + struct loaded_vmcs *loaded_vmcs; ++ struct loaded_vmcs *loaded_cpu_state; + bool __launched; /* temporary, used in vmx_vcpu_run */ + struct msr_autoload { + struct vmx_msrs guest; + struct vmx_msrs host; + } msr_autoload; ++ + struct { +- int loaded; + u16 fs_sel, gs_sel, ldt_sel; + #ifdef CONFIG_X86_64 + u16 ds_sel, es_sel; +@@ -2750,10 +2754,11 @@ static void vmx_save_host_state(struct k + #endif + int i; + +- if (vmx->host_state.loaded) ++ if (vmx->loaded_cpu_state) + return; + +- vmx->host_state.loaded = 1; ++ vmx->loaded_cpu_state = vmx->loaded_vmcs; ++ + /* + * Set host fs and gs selectors. Unfortunately, 22.2.3 does not + * allow segment selectors with cpl > 0 or ti == 1. +@@ -2815,11 +2820,14 @@ static void vmx_save_host_state(struct k + + static void __vmx_load_host_state(struct vcpu_vmx *vmx) + { +- if (!vmx->host_state.loaded) ++ if (!vmx->loaded_cpu_state) + return; + ++ WARN_ON_ONCE(vmx->loaded_cpu_state != vmx->loaded_vmcs); ++ + ++vmx->vcpu.stat.host_state_reload; +- vmx->host_state.loaded = 0; ++ vmx->loaded_cpu_state = NULL; ++ + #ifdef CONFIG_X86_64 + if (is_long_mode(&vmx->vcpu)) + rdmsrl(MSR_KERNEL_GS_BASE, vmx->msr_guest_kernel_gs_base); +@@ -10517,8 +10525,8 @@ static void vmx_switch_vmcs(struct kvm_v + return; + + cpu = get_cpu(); +- vmx->loaded_vmcs = vmcs; + vmx_vcpu_put(vcpu); ++ vmx->loaded_vmcs = vmcs; + vmx_vcpu_load(vcpu, cpu); + put_cpu(); + } diff --git a/queue-4.18/mfd-sm501-set-coherent_dma_mask-when-creating-subdevices.patch b/queue-4.18/mfd-sm501-set-coherent_dma_mask-when-creating-subdevices.patch new file mode 100644 index 00000000000..3099641494e --- /dev/null +++ b/queue-4.18/mfd-sm501-set-coherent_dma_mask-when-creating-subdevices.patch @@ -0,0 +1,59 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Guenter Roeck +Date: Fri, 3 Aug 2018 20:59:51 -0700 +Subject: mfd: sm501: Set coherent_dma_mask when creating subdevices + +From: Guenter Roeck + +[ Upstream commit 2f606da78230f09cf1a71fde6ee91d0c710fa2b2 ] + +Instantiating the sm501 OHCI subdevice results in a kernel warning. + +sm501-usb sm501-usb: SM501 OHCI +sm501-usb sm501-usb: new USB bus registered, assigned bus number 1 +WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516 +ohci_init+0x194/0x2d8 +Modules linked in: + +CPU: 0 PID: 1 Comm: swapper Tainted: G W +4.18.0-rc7-00178-g0b5b1f9a78b5 #1 +PC is at ohci_init+0x194/0x2d8 +PR is at ohci_init+0x168/0x2d8 +PC : 8c27844c SP : 8f81dd94 SR : 40008001 +TEA : 29613060 +R0 : 00000000 R1 : 00000000 R2 : 00000000 R3 : 00000202 +R4 : 8fa98b88 R5 : 8c277e68 R6 : 00000000 R7 : 00000000 +R8 : 8f965814 R9 : 8c388100 R10 : 8fa98800 R11 : 8fa98928 +R12 : 8c48302c R13 : 8fa98920 R14 : 8c48302c +MACH: 00000096 MACL: 0000017c GBR : 00000000 PR : 8c278420 + +Call trace: + [<(ptrval)>] usb_add_hcd+0x1e8/0x6ec + [<(ptrval)>] _dev_info+0x0/0x54 + [<(ptrval)>] arch_local_save_flags+0x0/0x8 + [<(ptrval)>] arch_local_irq_restore+0x0/0x24 + [<(ptrval)>] ohci_hcd_sm501_drv_probe+0x114/0x2d8 +... + +Initialize coherent_dma_mask when creating SM501 subdevices to fix +the problem. + +Fixes: b6d6454fdb66f ("mfd: SM501 core driver") +Signed-off-by: Guenter Roeck +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mfd/sm501.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mfd/sm501.c ++++ b/drivers/mfd/sm501.c +@@ -715,6 +715,7 @@ sm501_create_subdev(struct sm501_devdata + smdev->pdev.name = name; + smdev->pdev.id = sm->pdev_id; + smdev->pdev.dev.parent = sm->dev; ++ smdev->pdev.dev.coherent_dma_mask = 0xffffffff; + + if (res_count) { + smdev->pdev.resource = (struct resource *)(smdev+1); diff --git a/queue-4.18/mm-fadvise.c-fix-signed-overflow-ubsan-complaint.patch b/queue-4.18/mm-fadvise.c-fix-signed-overflow-ubsan-complaint.patch new file mode 100644 index 00000000000..70619d09dc1 --- /dev/null +++ b/queue-4.18/mm-fadvise.c-fix-signed-overflow-ubsan-complaint.patch @@ -0,0 +1,52 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Andrey Ryabinin +Date: Fri, 17 Aug 2018 15:46:57 -0700 +Subject: mm/fadvise.c: fix signed overflow UBSAN complaint + +From: Andrey Ryabinin + +[ Upstream commit a718e28f538441a3b6612da9ff226973376cdf0f ] + +Signed integer overflow is undefined according to the C standard. The +overflow in ksys_fadvise64_64() is deliberate, but since it is signed +overflow, UBSAN complains: + + UBSAN: Undefined behaviour in mm/fadvise.c:76:10 + signed integer overflow: + 4 + 9223372036854775805 cannot be represented in type 'long long int' + +Use unsigned types to do math. Unsigned overflow is defined so UBSAN +will not complain about it. This patch doesn't change generated code. + +[akpm@linux-foundation.org: add comment explaining the casts] +Link: http://lkml.kernel.org/r/20180629184453.7614-1-aryabinin@virtuozzo.com +Signed-off-by: Andrey Ryabinin +Reported-by: +Reviewed-by: Andrew Morton +Cc: Alexander Potapenko +Cc: Dmitry Vyukov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/fadvise.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/mm/fadvise.c ++++ b/mm/fadvise.c +@@ -72,8 +72,12 @@ int ksys_fadvise64_64(int fd, loff_t off + goto out; + } + +- /* Careful about overflows. Len == 0 means "as much as possible" */ +- endbyte = offset + len; ++ /* ++ * Careful about overflows. Len == 0 means "as much as possible". Use ++ * unsigned math because signed overflows are undefined and UBSan ++ * complains. ++ */ ++ endbyte = (u64)offset + (u64)len; + if (!len || endbyte < len) + endbyte = -1; + else diff --git a/queue-4.18/mm-make-deferred_struct_page_init-explicitly-depend-on-sparsemem.patch b/queue-4.18/mm-make-deferred_struct_page_init-explicitly-depend-on-sparsemem.patch new file mode 100644 index 00000000000..6da1dc2497e --- /dev/null +++ b/queue-4.18/mm-make-deferred_struct_page_init-explicitly-depend-on-sparsemem.patch @@ -0,0 +1,115 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Mike Rapoport +Date: Fri, 17 Aug 2018 15:47:07 -0700 +Subject: mm: make DEFERRED_STRUCT_PAGE_INIT explicitly depend on SPARSEMEM + +From: Mike Rapoport + +[ Upstream commit d39f8fb4b7776dcb09ec3bf7a321547083078ee3 ] + +The deferred memory initialization relies on section definitions, e.g +PAGES_PER_SECTION, that are only available when CONFIG_SPARSEMEM=y on +most architectures. + +Initially DEFERRED_STRUCT_PAGE_INIT depended on explicit +ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT configuration option, but since +the commit 2e3ca40f03bb13709df4 ("mm: relax deferred struct page +requirements") this requirement was relaxed and now it is possible to +enable DEFERRED_STRUCT_PAGE_INIT on architectures that support +DISCONTINGMEM and NO_BOOTMEM which causes build failures. + +For instance, setting SMP=y and DEFERRED_STRUCT_PAGE_INIT=y on arc +causes the following build failure: + + CC mm/page_alloc.o + mm/page_alloc.c: In function 'update_defer_init': + mm/page_alloc.c:321:14: error: 'PAGES_PER_SECTION' + undeclared (first use in this function); did you mean 'USEC_PER_SEC'? + (pfn & (PAGES_PER_SECTION - 1)) == 0) { + ^~~~~~~~~~~~~~~~~ + USEC_PER_SEC + mm/page_alloc.c:321:14: note: each undeclared identifier is reported only once for each function it appears in + In file included from include/linux/cache.h:5:0, + from include/linux/printk.h:9, + from include/linux/kernel.h:14, + from include/asm-generic/bug.h:18, + from arch/arc/include/asm/bug.h:32, + from include/linux/bug.h:5, + from include/linux/mmdebug.h:5, + from include/linux/mm.h:9, + from mm/page_alloc.c:18: + mm/page_alloc.c: In function 'deferred_grow_zone': + mm/page_alloc.c:1624:52: error: 'PAGES_PER_SECTION' undeclared (first use in this function); did you mean 'USEC_PER_SEC'? + unsigned long nr_pages_needed = ALIGN(1 << order, PAGES_PER_SECTION); + ^ + include/uapi/linux/kernel.h:11:47: note: in definition of macro '__ALIGN_KERNEL_MASK' + #define __ALIGN_KERNEL_MASK(x, mask) (((x) + (mask)) & ~(mask)) + ^~~~ + include/linux/kernel.h:58:22: note: in expansion of macro '__ALIGN_KERNEL' + #define ALIGN(x, a) __ALIGN_KERNEL((x), (a)) + ^~~~~~~~~~~~~~ + mm/page_alloc.c:1624:34: note: in expansion of macro 'ALIGN' + unsigned long nr_pages_needed = ALIGN(1 << order, PAGES_PER_SECTION); + ^~~~~ + In file included from include/asm-generic/bug.h:18:0, + from arch/arc/include/asm/bug.h:32, + from include/linux/bug.h:5, + from include/linux/mmdebug.h:5, + from include/linux/mm.h:9, + from mm/page_alloc.c:18: + mm/page_alloc.c: In function 'free_area_init_node': + mm/page_alloc.c:6379:50: error: 'PAGES_PER_SECTION' undeclared (first use in this function); did you mean 'USEC_PER_SEC'? + pgdat->static_init_pgcnt = min_t(unsigned long, PAGES_PER_SECTION, + ^ + include/linux/kernel.h:812:22: note: in definition of macro '__typecheck' + (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1))) + ^ + include/linux/kernel.h:836:24: note: in expansion of macro '__safe_cmp' + __builtin_choose_expr(__safe_cmp(x, y), \ + ^~~~~~~~~~ + include/linux/kernel.h:904:27: note: in expansion of macro '__careful_cmp' + #define min_t(type, x, y) __careful_cmp((type)(x), (type)(y), <) + ^~~~~~~~~~~~~ + mm/page_alloc.c:6379:29: note: in expansion of macro 'min_t' + pgdat->static_init_pgcnt = min_t(unsigned long, PAGES_PER_SECTION, + ^~~~~ + include/linux/kernel.h:836:2: error: first argument to '__builtin_choose_expr' not a constant + __builtin_choose_expr(__safe_cmp(x, y), \ + ^ + include/linux/kernel.h:904:27: note: in expansion of macro '__careful_cmp' + #define min_t(type, x, y) __careful_cmp((type)(x), (type)(y), <) + ^~~~~~~~~~~~~ + mm/page_alloc.c:6379:29: note: in expansion of macro 'min_t' + pgdat->static_init_pgcnt = min_t(unsigned long, PAGES_PER_SECTION, + ^~~~~ + scripts/Makefile.build:317: recipe for target 'mm/page_alloc.o' failed + +Let's make the DEFERRED_STRUCT_PAGE_INIT explicitly depend on SPARSEMEM +as the systems that support DISCONTIGMEM do not seem to have that huge +amounts of memory that would make DEFERRED_STRUCT_PAGE_INIT relevant. + +Link: http://lkml.kernel.org/r/1530279308-24988-1-git-send-email-rppt@linux.vnet.ibm.com +Signed-off-by: Mike Rapoport +Acked-by: Michal Hocko +Reviewed-by: Pavel Tatashin +Tested-by: Randy Dunlap +Cc: Pasha Tatashin +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/Kconfig ++++ b/mm/Kconfig +@@ -635,7 +635,7 @@ config DEFERRED_STRUCT_PAGE_INIT + bool "Defer initialisation of struct pages to kthreads" + default n + depends on NO_BOOTMEM +- depends on !FLATMEM ++ depends on SPARSEMEM + depends on !NEED_PER_CPU_KM + help + Ordinarily all struct pages are initialised during early boot in a diff --git a/queue-4.18/net-9p-fix-error-path-of-p9_virtio_probe.patch b/queue-4.18/net-9p-fix-error-path-of-p9_virtio_probe.patch new file mode 100644 index 00000000000..9d2a936a84c --- /dev/null +++ b/queue-4.18/net-9p-fix-error-path-of-p9_virtio_probe.patch @@ -0,0 +1,46 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Jean-Philippe Brucker +Date: Tue, 17 Jul 2018 19:14:45 -0700 +Subject: net/9p: fix error path of p9_virtio_probe + +From: Jean-Philippe Brucker + +[ Upstream commit 92aef4675d5b1b55404e1532379e343bed0e5cf2 ] + +Currently when virtio_find_single_vq fails, we go through del_vqs which +throws a warning (Trying to free already-free IRQ). Skip del_vqs if vq +allocation failed. + +Link: http://lkml.kernel.org/r/20180524101021.49880-1-jean-philippe.brucker@arm.com +Signed-off-by: Jean-Philippe Brucker +Reviewed-by: Greg Kurz +Cc: Eric Van Hensbergen +Cc: Ron Minnich +Cc: Latchesar Ionkov +Signed-off-by: Andrew Morton +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/9p/trans_virtio.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/9p/trans_virtio.c ++++ b/net/9p/trans_virtio.c +@@ -571,7 +571,7 @@ static int p9_virtio_probe(struct virtio + chan->vq = virtio_find_single_vq(vdev, req_done, "requests"); + if (IS_ERR(chan->vq)) { + err = PTR_ERR(chan->vq); +- goto out_free_vq; ++ goto out_free_chan; + } + chan->vq->vdev->priv = chan; + spin_lock_init(&chan->lock); +@@ -624,6 +624,7 @@ out_free_tag: + kfree(tag); + out_free_vq: + vdev->config->del_vqs(vdev); ++out_free_chan: + kfree(chan); + fail: + return err; diff --git a/queue-4.18/net-9p-trans_fd.c-fix-race-by-holding-the-lock.patch b/queue-4.18/net-9p-trans_fd.c-fix-race-by-holding-the-lock.patch new file mode 100644 index 00000000000..6d1b1fc7000 --- /dev/null +++ b/queue-4.18/net-9p-trans_fd.c-fix-race-by-holding-the-lock.patch @@ -0,0 +1,75 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Tomas Bortoli +Date: Mon, 23 Jul 2018 20:42:53 +0200 +Subject: net/9p/trans_fd.c: fix race by holding the lock + +From: Tomas Bortoli + +[ Upstream commit 9f476d7c540cb57556d3cc7e78704e6cd5100f5f ] + +It may be possible to run p9_fd_cancel() with a deleted req->req_list +and incur in a double del. To fix hold the client->lock while changing +the status, so the other threads will be synchronized. + +Link: http://lkml.kernel.org/r/20180723184253.6682-1-tomasbortoli@gmail.com +Signed-off-by: Tomas Bortoli +Reported-by: syzbot+735d926e9d1317c3310c@syzkaller.appspotmail.com +To: Eric Van Hensbergen +To: Ron Minnich +To: Latchesar Ionkov +Cc: Yiwen Jiang +Cc: David S. Miller +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/9p/trans_fd.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -199,15 +199,14 @@ static void p9_mux_poll_stop(struct p9_c + static void p9_conn_cancel(struct p9_conn *m, int err) + { + struct p9_req_t *req, *rtmp; +- unsigned long flags; + LIST_HEAD(cancel_list); + + p9_debug(P9_DEBUG_ERROR, "mux %p err %d\n", m, err); + +- spin_lock_irqsave(&m->client->lock, flags); ++ spin_lock(&m->client->lock); + + if (m->err) { +- spin_unlock_irqrestore(&m->client->lock, flags); ++ spin_unlock(&m->client->lock); + return; + } + +@@ -219,7 +218,6 @@ static void p9_conn_cancel(struct p9_con + list_for_each_entry_safe(req, rtmp, &m->unsent_req_list, req_list) { + list_move(&req->req_list, &cancel_list); + } +- spin_unlock_irqrestore(&m->client->lock, flags); + + list_for_each_entry_safe(req, rtmp, &cancel_list, req_list) { + p9_debug(P9_DEBUG_ERROR, "call back req %p\n", req); +@@ -228,6 +226,7 @@ static void p9_conn_cancel(struct p9_con + req->t_err = err; + p9_client_cb(m->client, req, REQ_STATUS_ERROR); + } ++ spin_unlock(&m->client->lock); + } + + static __poll_t +@@ -375,8 +374,9 @@ static void p9_read_work(struct work_str + if (m->req->status != REQ_STATUS_ERROR) + status = REQ_STATUS_RCVD; + list_del(&m->req->req_list); +- spin_unlock(&m->client->lock); ++ /* update req->status while holding client->lock */ + p9_client_cb(m->client, m->req, status); ++ spin_unlock(&m->client->lock); + m->rc.sdata = NULL; + m->rc.offset = 0; + m->rc.capacity = 0; diff --git a/queue-4.18/net-hns3-fix-for-command-format-parsing-error-in-hclge_is_all_function_id_zero.patch b/queue-4.18/net-hns3-fix-for-command-format-parsing-error-in-hclge_is_all_function_id_zero.patch new file mode 100644 index 00000000000..3c0e19f7b83 --- /dev/null +++ b/queue-4.18/net-hns3-fix-for-command-format-parsing-error-in-hclge_is_all_function_id_zero.patch @@ -0,0 +1,38 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Xi Wang +Date: Tue, 14 Aug 2018 17:13:13 +0100 +Subject: net: hns3: Fix for command format parsing error in hclge_is_all_function_id_zero + +From: Xi Wang + +[ Upstream commit 6c39d5278e62956238a681e4cfc69fae5507fc57 ] + +According to the functional specification of hardware, the first +descriptor of response from command 'lookup vlan talbe' is not valid. +Currently, the first descriptor is parsed as normal value, which will +cause an expected error. + +This patch fixes this problem by skipping the first descriptor. + +Fixes: 46a3df9f9718 ("net: hns3: Add HNS3 Acceleration Engine & Compatibility Layer Support") +Signed-off-by: Xi Wang +Signed-off-by: Peng Li +Signed-off-by: Salil Mehta +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -3911,7 +3911,7 @@ static bool hclge_is_all_function_id_zer + #define HCLGE_FUNC_NUMBER_PER_DESC 6 + int i, j; + +- for (i = 0; i < HCLGE_DESC_NUMBER; i++) ++ for (i = 1; i < HCLGE_DESC_NUMBER; i++) + for (j = 0; j < HCLGE_FUNC_NUMBER_PER_DESC; j++) + if (desc[i].data[j]) + return false; diff --git a/queue-4.18/net-hns3-fix-for-phy-link-issue-when-using-marvell-phy-driver.patch b/queue-4.18/net-hns3-fix-for-phy-link-issue-when-using-marvell-phy-driver.patch new file mode 100644 index 00000000000..4c0220dd877 --- /dev/null +++ b/queue-4.18/net-hns3-fix-for-phy-link-issue-when-using-marvell-phy-driver.patch @@ -0,0 +1,44 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Jian Shen +Date: Tue, 14 Aug 2018 17:13:15 +0100 +Subject: net: hns3: Fix for phy link issue when using marvell phy driver + +From: Jian Shen + +[ Upstream commit 60081dcc4fce385ade26d3145b2479789df0b7e5 ] + +For marvell phy m88e1510, bit SUPPORTED_FIBRE of phydev->supported +is default on. Both phy_resume() and phy_suspend() will check the +SUPPORTED_FIBRE bit and write register of fibre page. + +Currently in hns3 driver, the SUPPORTED_FIBRE bit will be cleared +after phy_connect_direct() finished. Because phy_resume() is called +in phy_connect_direct(), and phy_suspend() is called when disconnect +phy device, so the operation for fibre page register is not symmetrical. +It will cause phy link issue when reload hns3 driver. + +This patch fixes it by disable the SUPPORTED_FIBRE before connecting +phy. + +Fixes: 256727da7395 ("net: hns3: Add MDIO support to HNS3 Ethernet driver for hip08 SoC") +Signed-off-by: Jian Shen +Signed-off-by: Peng Li +Signed-off-by: Salil Mehta +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c +@@ -208,6 +208,8 @@ int hclge_mac_start_phy(struct hclge_dev + if (!phydev) + return 0; + ++ phydev->supported &= ~SUPPORTED_FIBRE; ++ + ret = phy_connect_direct(netdev, phydev, + hclge_mac_adjust_link, + PHY_INTERFACE_MODE_SGMII); diff --git a/queue-4.18/net-xdp-fix-suspicious-rcu-usage-warning.patch b/queue-4.18/net-xdp-fix-suspicious-rcu-usage-warning.patch new file mode 100644 index 00000000000..05f8f67b2ca --- /dev/null +++ b/queue-4.18/net-xdp-fix-suspicious-rcu-usage-warning.patch @@ -0,0 +1,100 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Tariq Toukan +Date: Mon, 13 Aug 2018 12:21:58 +0300 +Subject: net/xdp: Fix suspicious RCU usage warning + +From: Tariq Toukan + +[ Upstream commit 21b172ee11b6ec260bd7e6a27b11a8a8d392fce5 ] + +Fix the warning below by calling rhashtable_lookup_fast. +Also, make some code movements for better quality and human +readability. + +[ 342.450870] WARNING: suspicious RCU usage +[ 342.455856] 4.18.0-rc2+ #17 Tainted: G O +[ 342.462210] ----------------------------- +[ 342.467202] ./include/linux/rhashtable.h:481 suspicious rcu_dereference_check() usage! +[ 342.476568] +[ 342.476568] other info that might help us debug this: +[ 342.476568] +[ 342.486978] +[ 342.486978] rcu_scheduler_active = 2, debug_locks = 1 +[ 342.495211] 4 locks held by modprobe/3934: +[ 342.500265] #0: 00000000e23116b2 (mlx5_intf_mutex){+.+.}, at: +mlx5_unregister_interface+0x18/0x90 [mlx5_core] +[ 342.511953] #1: 00000000ca16db96 (rtnl_mutex){+.+.}, at: unregister_netdev+0xe/0x20 +[ 342.521109] #2: 00000000a46e2c4b (&priv->state_lock){+.+.}, at: mlx5e_close+0x29/0x60 +[mlx5_core] +[ 342.531642] #3: 0000000060c5bde3 (mem_id_lock){+.+.}, at: xdp_rxq_info_unreg+0x93/0x6b0 +[ 342.541206] +[ 342.541206] stack backtrace: +[ 342.547075] CPU: 12 PID: 3934 Comm: modprobe Tainted: G O 4.18.0-rc2+ #17 +[ 342.556621] Hardware name: Dell Inc. PowerEdge R730/0H21J3, BIOS 1.5.4 10/002/2015 +[ 342.565606] Call Trace: +[ 342.568861] dump_stack+0x78/0xb3 +[ 342.573086] xdp_rxq_info_unreg+0x3f5/0x6b0 +[ 342.578285] ? __call_rcu+0x220/0x300 +[ 342.582911] mlx5e_free_rq+0x38/0xc0 [mlx5_core] +[ 342.588602] mlx5e_close_channel+0x20/0x120 [mlx5_core] +[ 342.594976] mlx5e_close_channels+0x26/0x40 [mlx5_core] +[ 342.601345] mlx5e_close_locked+0x44/0x50 [mlx5_core] +[ 342.607519] mlx5e_close+0x42/0x60 [mlx5_core] +[ 342.613005] __dev_close_many+0xb1/0x120 +[ 342.617911] dev_close_many+0xa2/0x170 +[ 342.622622] rollback_registered_many+0x148/0x460 +[ 342.628401] ? __lock_acquire+0x48d/0x11b0 +[ 342.633498] ? unregister_netdev+0xe/0x20 +[ 342.638495] rollback_registered+0x56/0x90 +[ 342.643588] unregister_netdevice_queue+0x7e/0x100 +[ 342.649461] unregister_netdev+0x18/0x20 +[ 342.654362] mlx5e_remove+0x2a/0x50 [mlx5_core] +[ 342.659944] mlx5_remove_device+0xe5/0x110 [mlx5_core] +[ 342.666208] mlx5_unregister_interface+0x39/0x90 [mlx5_core] +[ 342.673038] cleanup+0x5/0xbfc [mlx5_core] +[ 342.678094] __x64_sys_delete_module+0x16b/0x240 +[ 342.683725] ? do_syscall_64+0x1c/0x210 +[ 342.688476] do_syscall_64+0x5a/0x210 +[ 342.693025] entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fixes: 8d5d88527587 ("xdp: rhashtable with allocator ID to pointer mapping") +Signed-off-by: Tariq Toukan +Suggested-by: Daniel Borkmann +Cc: Jesper Dangaard Brouer +Acked-by: Jesper Dangaard Brouer +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/core/xdp.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +--- a/net/core/xdp.c ++++ b/net/core/xdp.c +@@ -95,23 +95,15 @@ static void __xdp_rxq_info_unreg_mem_mod + { + struct xdp_mem_allocator *xa; + int id = xdp_rxq->mem.id; +- int err; + + if (id == 0) + return; + + mutex_lock(&mem_id_lock); + +- xa = rhashtable_lookup(mem_id_ht, &id, mem_id_rht_params); +- if (!xa) { +- mutex_unlock(&mem_id_lock); +- return; +- } +- +- err = rhashtable_remove_fast(mem_id_ht, &xa->node, mem_id_rht_params); +- WARN_ON(err); +- +- call_rcu(&xa->rcu, __xdp_mem_allocator_rcu_free); ++ xa = rhashtable_lookup_fast(mem_id_ht, &id, mem_id_rht_params); ++ if (xa && !rhashtable_remove_fast(mem_id_ht, &xa->node, mem_id_rht_params)) ++ call_rcu(&xa->rcu, __xdp_mem_allocator_rcu_free); + + mutex_unlock(&mem_id_lock); + } diff --git a/queue-4.18/netfilter-fix-memory-leaks-on-netlink_dump_start-error.patch b/queue-4.18/netfilter-fix-memory-leaks-on-netlink_dump_start-error.patch new file mode 100644 index 00000000000..a0abc49158d --- /dev/null +++ b/queue-4.18/netfilter-fix-memory-leaks-on-netlink_dump_start-error.patch @@ -0,0 +1,138 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Florian Westphal +Date: Tue, 31 Jul 2018 13:41:23 +0200 +Subject: netfilter: fix memory leaks on netlink_dump_start error + +From: Florian Westphal + +[ Upstream commit 3e673b23b541b8e7f773b2d378d6eb99831741cd ] + +Shaochun Chen points out we leak dumper filter state allocations +stored in dump_control->data in case there is an error before netlink sets +cb_running (after which ->done will be called at some point). + +In order to fix this, add .start functions and move allocations there. + +Same pattern as used in commit 90fd131afc565159c9e0ea742f082b337e10f8c6 +("netfilter: nf_tables: move dumper state allocation into ->start"). + +Reported-by: shaochun chen +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_conntrack_netlink.c | 26 +++++++++++++++++--------- + net/netfilter/nfnetlink_acct.c | 29 +++++++++++++---------------- + 2 files changed, 30 insertions(+), 25 deletions(-) + +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -821,6 +821,21 @@ ctnetlink_alloc_filter(const struct nlat + #endif + } + ++static int ctnetlink_start(struct netlink_callback *cb) ++{ ++ const struct nlattr * const *cda = cb->data; ++ struct ctnetlink_filter *filter = NULL; ++ ++ if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) { ++ filter = ctnetlink_alloc_filter(cda); ++ if (IS_ERR(filter)) ++ return PTR_ERR(filter); ++ } ++ ++ cb->data = filter; ++ return 0; ++} ++ + static int ctnetlink_filter_match(struct nf_conn *ct, void *data) + { + struct ctnetlink_filter *filter = data; +@@ -1240,19 +1255,12 @@ static int ctnetlink_get_conntrack(struc + + if (nlh->nlmsg_flags & NLM_F_DUMP) { + struct netlink_dump_control c = { ++ .start = ctnetlink_start, + .dump = ctnetlink_dump_table, + .done = ctnetlink_done, ++ .data = (void *)cda, + }; + +- if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) { +- struct ctnetlink_filter *filter; +- +- filter = ctnetlink_alloc_filter(cda); +- if (IS_ERR(filter)) +- return PTR_ERR(filter); +- +- c.data = filter; +- } + return netlink_dump_start(ctnl, skb, nlh, &c); + } + +--- a/net/netfilter/nfnetlink_acct.c ++++ b/net/netfilter/nfnetlink_acct.c +@@ -238,29 +238,33 @@ static const struct nla_policy filter_po + [NFACCT_FILTER_VALUE] = { .type = NLA_U32 }, + }; + +-static struct nfacct_filter * +-nfacct_filter_alloc(const struct nlattr * const attr) ++static int nfnl_acct_start(struct netlink_callback *cb) + { +- struct nfacct_filter *filter; ++ const struct nlattr *const attr = cb->data; + struct nlattr *tb[NFACCT_FILTER_MAX + 1]; ++ struct nfacct_filter *filter; + int err; + ++ if (!attr) ++ return 0; ++ + err = nla_parse_nested(tb, NFACCT_FILTER_MAX, attr, filter_policy, + NULL); + if (err < 0) +- return ERR_PTR(err); ++ return err; + + if (!tb[NFACCT_FILTER_MASK] || !tb[NFACCT_FILTER_VALUE]) +- return ERR_PTR(-EINVAL); ++ return -EINVAL; + + filter = kzalloc(sizeof(struct nfacct_filter), GFP_KERNEL); + if (!filter) +- return ERR_PTR(-ENOMEM); ++ return -ENOMEM; + + filter->mask = ntohl(nla_get_be32(tb[NFACCT_FILTER_MASK])); + filter->value = ntohl(nla_get_be32(tb[NFACCT_FILTER_VALUE])); ++ cb->data = filter; + +- return filter; ++ return 0; + } + + static int nfnl_acct_get(struct net *net, struct sock *nfnl, +@@ -275,18 +279,11 @@ static int nfnl_acct_get(struct net *net + if (nlh->nlmsg_flags & NLM_F_DUMP) { + struct netlink_dump_control c = { + .dump = nfnl_acct_dump, ++ .start = nfnl_acct_start, + .done = nfnl_acct_done, ++ .data = (void *)tb[NFACCT_FILTER], + }; + +- if (tb[NFACCT_FILTER]) { +- struct nfacct_filter *filter; +- +- filter = nfacct_filter_alloc(tb[NFACCT_FILTER]); +- if (IS_ERR(filter)) +- return PTR_ERR(filter); +- +- c.data = filter; +- } + return netlink_dump_start(nfnl, skb, nlh, &c); + } + diff --git a/queue-4.18/netfilter-ip6t_rpfilter-set-f_iface-for-linklocal-addresses.patch b/queue-4.18/netfilter-ip6t_rpfilter-set-f_iface-for-linklocal-addresses.patch new file mode 100644 index 00000000000..b7c19041925 --- /dev/null +++ b/queue-4.18/netfilter-ip6t_rpfilter-set-f_iface-for-linklocal-addresses.patch @@ -0,0 +1,56 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Florian Westphal +Date: Wed, 25 Jul 2018 21:38:43 +0200 +Subject: netfilter: ip6t_rpfilter: set F_IFACE for linklocal addresses + +From: Florian Westphal + +[ Upstream commit da786717e0894886301ed2536843c13f9e8fd53e ] + +Roman reports that DHCPv6 client no longer sees replies from server +due to + +ip6tables -t raw -A PREROUTING -m rpfilter --invert -j DROP + +rule. We need to set the F_IFACE flag for linklocal addresses, they +are scoped per-device. + +Fixes: 47b7e7f82802 ("netfilter: don't set F_IFACE on ipv6 fib lookups") +Reported-by: Roman Mamedov +Tested-by: Roman Mamedov +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/netfilter/ip6t_rpfilter.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/net/ipv6/netfilter/ip6t_rpfilter.c ++++ b/net/ipv6/netfilter/ip6t_rpfilter.c +@@ -26,6 +26,12 @@ static bool rpfilter_addr_unicast(const + return addr_type & IPV6_ADDR_UNICAST; + } + ++static bool rpfilter_addr_linklocal(const struct in6_addr *addr) ++{ ++ int addr_type = ipv6_addr_type(addr); ++ return addr_type & IPV6_ADDR_LINKLOCAL; ++} ++ + static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb, + const struct net_device *dev, u8 flags) + { +@@ -48,7 +54,11 @@ static bool rpfilter_lookup_reverse6(str + } + + fl6.flowi6_mark = flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0; +- if ((flags & XT_RPFILTER_LOOSE) == 0) ++ ++ if (rpfilter_addr_linklocal(&iph->saddr)) { ++ lookup_flags |= RT6_LOOKUP_F_IFACE; ++ fl6.flowi6_oif = dev->ifindex; ++ } else if ((flags & XT_RPFILTER_LOOSE) == 0) + fl6.flowi6_oif = dev->ifindex; + + rt = (void *)ip6_route_lookup(net, &fl6, skb, lookup_flags); diff --git a/queue-4.18/netfilter-x_tables-do-not-fail-xt_alloc_table_info-too-easilly.patch b/queue-4.18/netfilter-x_tables-do-not-fail-xt_alloc_table_info-too-easilly.patch new file mode 100644 index 00000000000..8f1479e6e91 --- /dev/null +++ b/queue-4.18/netfilter-x_tables-do-not-fail-xt_alloc_table_info-too-easilly.patch @@ -0,0 +1,56 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Michal Hocko +Date: Tue, 7 Aug 2018 21:54:00 +0200 +Subject: netfilter: x_tables: do not fail xt_alloc_table_info too easilly + +From: Michal Hocko + +[ Upstream commit a148ce15375fc664ad64762c751c0c2aecb2cafe ] + +eacd86ca3b03 ("net/netfilter/x_tables.c: use kvmalloc() +in xt_alloc_table_info()") has unintentionally fortified +xt_alloc_table_info allocation when __GFP_RETRY has been dropped from +the vmalloc fallback. Later on there was a syzbot report that this +can lead to OOM killer invocations when tables are too large and +0537250fdc6c ("netfilter: x_tables: make allocation less aggressive") +has been merged to restore the original behavior. Georgi Nikolov however +noticed that he is not able to install his iptables anymore so this can +be seen as a regression. + +The primary argument for 0537250fdc6c was that this allocation path +shouldn't really trigger the OOM killer and kill innocent tasks. On the +other hand the interface requires root and as such should allow what the +admin asks for. Root inside a namespaces makes this more complicated +because those might be not trusted in general. If they are not then such +namespaces should be restricted anyway. Therefore drop the __GFP_NORETRY +and replace it by __GFP_ACCOUNT to enfore memcg constrains on it. + +Fixes: 0537250fdc6c ("netfilter: x_tables: make allocation less aggressive") +Reported-by: Georgi Nikolov +Suggested-by: Vlastimil Babka +Acked-by: Florian Westphal +Signed-off-by: Michal Hocko +Acked-by: Vlastimil Babka +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/x_tables.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -1178,12 +1178,7 @@ struct xt_table_info *xt_alloc_table_inf + if (sz < sizeof(*info) || sz >= XT_MAX_TABLE_SIZE) + return NULL; + +- /* __GFP_NORETRY is not fully supported by kvmalloc but it should +- * work reasonably well if sz is too large and bail out rather +- * than shoot all processes down before realizing there is nothing +- * more to reclaim. +- */ +- info = kvmalloc(sz, GFP_KERNEL | __GFP_NORETRY); ++ info = kvmalloc(sz, GFP_KERNEL_ACCOUNT); + if (!info) + return NULL; + diff --git a/queue-4.18/nfsv4-fix-error-handling-in-nfs4_sp4_select_mode.patch b/queue-4.18/nfsv4-fix-error-handling-in-nfs4_sp4_select_mode.patch new file mode 100644 index 00000000000..07a421f6bce --- /dev/null +++ b/queue-4.18/nfsv4-fix-error-handling-in-nfs4_sp4_select_mode.patch @@ -0,0 +1,31 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Wei Yongjun +Date: Thu, 2 Aug 2018 05:42:04 +0000 +Subject: NFSv4: Fix error handling in nfs4_sp4_select_mode() + +From: Wei Yongjun + +[ Upstream commit 72bf75cfc00c02aa66ef6133048f37aa5d88825c ] + +Error code is set in the error handling cases but never used. Fix it. + +Fixes: 937e3133cd0b ("NFSv4.1: Ensure we clear the SP4_MACH_CRED flags in nfs4_sp4_select_mode()") +Signed-off-by: Wei Yongjun +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -7734,7 +7734,7 @@ static int nfs4_sp4_select_mode(struct n + } + out: + clp->cl_sp4_flags = flags; +- return 0; ++ return ret; + } + + struct nfs41_exchange_id_data { diff --git a/queue-4.18/pci-match-root-port-s-mps-to-endpoint-s-mpss-as-necessary.patch b/queue-4.18/pci-match-root-port-s-mps-to-endpoint-s-mpss-as-necessary.patch new file mode 100644 index 00000000000..d76a8180966 --- /dev/null +++ b/queue-4.18/pci-match-root-port-s-mps-to-endpoint-s-mpss-as-necessary.patch @@ -0,0 +1,78 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Myron Stowe +Date: Mon, 13 Aug 2018 12:19:46 -0600 +Subject: PCI: Match Root Port's MPS to endpoint's MPSS as necessary + +From: Myron Stowe + +[ Upstream commit 9f0e89359775ee21fe1ea732e34edb52aef5addf ] + +In commit 27d868b5e6cf ("PCI: Set MPS to match upstream bridge"), we made +sure every device's MPS setting matches its upstream bridge, making it more +likely that a hot-added device will work in a system with an optimized MPS +configuration. + +Recently I've started encountering systems where the endpoint device's MPSS +capability is less than its Root Port's current MPS value, thus the +endpoint is not capable of matching its upstream bridge's MPS setting (see: +bugzilla via "Link:" below). This leaves the system vulnerable - the +upstream Root Port could respond with larger TLPs than the device can +handle, and the device will consider them to be 'Malformed'. + +One could use the "pci=pcie_bus_safe" kernel parameter to work around the +issue, but that forces a user to supply a kernel parameter to get the +system to function reliably and may end up limiting MPS settings of other +unrelated, sub-topologies which could benefit from maintaining their larger +values. + +Augment Keith's approach to include tuning down a Root Port's MPS setting +when its hot-added endpoint device is not capable of matching it. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=200527 +Signed-off-by: Myron Stowe +Signed-off-by: Bjorn Helgaas +Acked-by: Jon Mason +Cc: Keith Busch +Cc: Sinan Kaya +Cc: Dongdong Liu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/probe.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -1725,7 +1725,7 @@ int pci_setup_device(struct pci_dev *dev + static void pci_configure_mps(struct pci_dev *dev) + { + struct pci_dev *bridge = pci_upstream_bridge(dev); +- int mps, p_mps, rc; ++ int mps, mpss, p_mps, rc; + + if (!pci_is_pcie(dev) || !bridge || !pci_is_pcie(bridge)) + return; +@@ -1753,6 +1753,14 @@ static void pci_configure_mps(struct pci + if (pcie_bus_config != PCIE_BUS_DEFAULT) + return; + ++ mpss = 128 << dev->pcie_mpss; ++ if (mpss < p_mps && pci_pcie_type(bridge) == PCI_EXP_TYPE_ROOT_PORT) { ++ pcie_set_mps(bridge, mpss); ++ pci_info(dev, "Upstream bridge's Max Payload Size set to %d (was %d, max %d)\n", ++ mpss, p_mps, 128 << bridge->pcie_mpss); ++ p_mps = pcie_get_mps(bridge); ++ } ++ + rc = pcie_set_mps(dev, p_mps); + if (rc) { + pci_warn(dev, "can't set Max Payload Size to %d; if necessary, use \"pci=pcie_bus_safe\" and report a bug\n", +@@ -1761,7 +1769,7 @@ static void pci_configure_mps(struct pci + } + + pci_info(dev, "Max Payload Size set to %d (was %d, max %d)\n", +- p_mps, mps, 128 << dev->pcie_mpss); ++ p_mps, mps, mpss); + } + + static struct hpp_type0 pci_default_type0 = { diff --git a/queue-4.18/pci-mvebu-fix-i-o-space-end-address-calculation.patch b/queue-4.18/pci-mvebu-fix-i-o-space-end-address-calculation.patch new file mode 100644 index 00000000000..a2f2b0e4fcb --- /dev/null +++ b/queue-4.18/pci-mvebu-fix-i-o-space-end-address-calculation.patch @@ -0,0 +1,33 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Thomas Petazzoni +Date: Fri, 3 Aug 2018 16:38:44 +0200 +Subject: PCI: mvebu: Fix I/O space end address calculation + +From: Thomas Petazzoni + +[ Upstream commit dfd0309fd7b30a5baffaf47b2fccb88b46d64d69 ] + +pcie->realio.end should be the address of last byte of the area, +therefore using resource_size() of another resource is not correct, we +must substract 1 to get the address of the last byte. + +Fixes: 11be65472a427 ("PCI: mvebu: Adapt to the new device tree layout") +Signed-off-by: Thomas Petazzoni +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pci-mvebu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/controller/pci-mvebu.c ++++ b/drivers/pci/controller/pci-mvebu.c +@@ -1219,7 +1219,7 @@ static int mvebu_pcie_probe(struct platf + pcie->realio.start = PCIBIOS_MIN_IO; + pcie->realio.end = min_t(resource_size_t, + IO_SPACE_LIMIT, +- resource_size(&pcie->io)); ++ resource_size(&pcie->io) - 1); + } else + pcie->realio = pcie->io; + diff --git a/queue-4.18/perf-arm-spe-fix-uninitialized-record-error-variable.patch b/queue-4.18/perf-arm-spe-fix-uninitialized-record-error-variable.patch new file mode 100644 index 00000000000..d52cc2eb964 --- /dev/null +++ b/queue-4.18/perf-arm-spe-fix-uninitialized-record-error-variable.patch @@ -0,0 +1,41 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Kim Phillips +Date: Fri, 10 Aug 2018 17:45:12 -0500 +Subject: perf arm spe: Fix uninitialized record error variable + +From: Kim Phillips + +[ Upstream commit 344353366591acf659a0d0dea498611da78d67e2 ] + +The auxtrace init variable 'err' was not being initialized, leading perf +to abort early in an SPE record command when there was no explicit +error, rather only based whatever memory contents were on the stack. +Initialize it explicitly on getting an SPE successfully, the same way +cs-etm does. + +Signed-off-by: Kim Phillips +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Dongjiu Geng +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Fixes: ffd3d18c20b8 ("perf tools: Add ARM Statistical Profiling Extensions (SPE) support") +Link: http://lkml.kernel.org/r/20180810174512.52900813e57cbccf18ce99a2@arm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/arch/arm64/util/arm-spe.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/perf/arch/arm64/util/arm-spe.c ++++ b/tools/perf/arch/arm64/util/arm-spe.c +@@ -194,6 +194,7 @@ struct auxtrace_record *arm_spe_recordin + sper->itr.read_finish = arm_spe_read_finish; + sper->itr.alignment = 0; + ++ *err = 0; + return &sper->itr; + } + diff --git a/queue-4.18/perf-probe-powerpc-fix-trace-event-post-processing.patch b/queue-4.18/perf-probe-powerpc-fix-trace-event-post-processing.patch new file mode 100644 index 00000000000..4affea1f69b --- /dev/null +++ b/queue-4.18/perf-probe-powerpc-fix-trace-event-post-processing.patch @@ -0,0 +1,161 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Sandipan Das +Date: Thu, 9 Aug 2018 21:49:29 +0530 +Subject: perf probe powerpc: Fix trace event post-processing + +From: Sandipan Das + +[ Upstream commit 354b064b8ebc1e1ede58550ca9e08bfa81e6af43 ] + +In some cases, a symbol may have multiple aliases. Attempting to add an +entry probe for such symbols results in a probe being added at an +incorrect location while it fails altogether for return probes. This is +only applicable for binaries with debug information. + +During the arch-dependent post-processing, the offset from the start of +the symbol at which the probe is to be attached is determined and added +to the start address of the symbol to get the probe's location. In case +there are multiple aliases, this offset gets added multiple times for +each alias of the symbol and we end up with an incorrect probe location. + +This can be verified on a powerpc64le system as shown below. + + $ nm /lib/modules/$(uname -r)/build/vmlinux | grep "sys_open$" + ... + c000000000414290 T __se_sys_open + c000000000414290 T sys_open + + $ objdump -d /lib/modules/$(uname -r)/build/vmlinux | grep -A 10 "<__se_sys_open>:" + + c000000000414290 <__se_sys_open>: + c000000000414290: 19 01 4c 3c addis r2,r12,281 + c000000000414294: 70 c4 42 38 addi r2,r2,-15248 + c000000000414298: a6 02 08 7c mflr r0 + c00000000041429c: e8 ff a1 fb std r29,-24(r1) + c0000000004142a0: f0 ff c1 fb std r30,-16(r1) + c0000000004142a4: f8 ff e1 fb std r31,-8(r1) + c0000000004142a8: 10 00 01 f8 std r0,16(r1) + c0000000004142ac: c1 ff 21 f8 stdu r1,-64(r1) + c0000000004142b0: 78 23 9f 7c mr r31,r4 + c0000000004142b4: 78 1b 7e 7c mr r30,r3 + + For both the entry probe and the return probe, the probe location + should be _text+4276888 (0xc000000000414298). Since another alias + exists for 'sys_open', the post-processing code will end up adding + the offset (8 for powerpc64le) twice and perf will attempt to add + the probe at _text+4276896 (0xc0000000004142a0) instead. + +Before: + + # perf probe -v -a sys_open + + probe-definition(0): sys_open + symbol:sys_open file:(null) line:0 offset:0 return:0 lazy:(null) + 0 arguments + Looking at the vmlinux_path (8 entries long) + Using /lib/modules/4.18.0-rc8+/build/vmlinux for symbols + Open Debuginfo file: /lib/modules/4.18.0-rc8+/build/vmlinux + Try to find probe point from debuginfo. + Symbol sys_open address found : c000000000414290 + Matched function: __se_sys_open [2ad03a0] + Probe point found: __se_sys_open+0 + Found 1 probe_trace_events. + Opening /sys/kernel/debug/tracing/kprobe_events write=1 + Writing event: p:probe/sys_open _text+4276896 + Added new event: + probe:sys_open (on sys_open) + ... + + # perf probe -v -a sys_open%return $retval + + probe-definition(0): sys_open%return + symbol:sys_open file:(null) line:0 offset:0 return:1 lazy:(null) + 0 arguments + Looking at the vmlinux_path (8 entries long) + Using /lib/modules/4.18.0-rc8+/build/vmlinux for symbols + Open Debuginfo file: /lib/modules/4.18.0-rc8+/build/vmlinux + Try to find probe point from debuginfo. + Symbol sys_open address found : c000000000414290 + Matched function: __se_sys_open [2ad03a0] + Probe point found: __se_sys_open+0 + Found 1 probe_trace_events. + Opening /sys/kernel/debug/tracing/README write=0 + Opening /sys/kernel/debug/tracing/kprobe_events write=1 + Parsing probe_events: p:probe/sys_open _text+4276896 + Group:probe Event:sys_open probe:p + Writing event: r:probe/sys_open__return _text+4276896 + Failed to write event: Invalid argument + Error: Failed to add events. Reason: Invalid argument (Code: -22) + +After: + + # perf probe -v -a sys_open + + probe-definition(0): sys_open + symbol:sys_open file:(null) line:0 offset:0 return:0 lazy:(null) + 0 arguments + Looking at the vmlinux_path (8 entries long) + Using /lib/modules/4.18.0-rc8+/build/vmlinux for symbols + Open Debuginfo file: /lib/modules/4.18.0-rc8+/build/vmlinux + Try to find probe point from debuginfo. + Symbol sys_open address found : c000000000414290 + Matched function: __se_sys_open [2ad03a0] + Probe point found: __se_sys_open+0 + Found 1 probe_trace_events. + Opening /sys/kernel/debug/tracing/kprobe_events write=1 + Writing event: p:probe/sys_open _text+4276888 + Added new event: + probe:sys_open (on sys_open) + ... + + # perf probe -v -a sys_open%return $retval + + probe-definition(0): sys_open%return + symbol:sys_open file:(null) line:0 offset:0 return:1 lazy:(null) + 0 arguments + Looking at the vmlinux_path (8 entries long) + Using /lib/modules/4.18.0-rc8+/build/vmlinux for symbols + Open Debuginfo file: /lib/modules/4.18.0-rc8+/build/vmlinux + Try to find probe point from debuginfo. + Symbol sys_open address found : c000000000414290 + Matched function: __se_sys_open [2ad03a0] + Probe point found: __se_sys_open+0 + Found 1 probe_trace_events. + Opening /sys/kernel/debug/tracing/README write=0 + Opening /sys/kernel/debug/tracing/kprobe_events write=1 + Parsing probe_events: p:probe/sys_open _text+4276888 + Group:probe Event:sys_open probe:p + Writing event: r:probe/sys_open__return _text+4276888 + Added new event: + probe:sys_open__return (on sys_open%return) + ... + +Reported-by: Aneesh Kumar +Signed-off-by: Sandipan Das +Acked-by: Naveen N. Rao +Cc: Aneesh Kumar +Cc: Jiri Olsa +Cc: Ravi Bangoria +Fixes: 99e608b5954c ("perf probe ppc64le: Fix probe location when using DWARF") +Link: http://lkml.kernel.org/r/20180809161929.35058-1-sandipan@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/arch/powerpc/util/sym-handling.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/tools/perf/arch/powerpc/util/sym-handling.c ++++ b/tools/perf/arch/powerpc/util/sym-handling.c +@@ -141,8 +141,10 @@ void arch__post_process_probe_trace_even + for (i = 0; i < ntevs; i++) { + tev = &pev->tevs[i]; + map__for_each_symbol(map, sym, tmp) { +- if (map->unmap_ip(map, sym->start) == tev->point.address) ++ if (map->unmap_ip(map, sym->start) == tev->point.address) { + arch__fix_tev_from_maps(pev, tev, map, sym); ++ break; ++ } + } + } + } diff --git a/queue-4.18/perf-python-fix-pyrf_evlist__read_on_cpu-interface.patch b/queue-4.18/perf-python-fix-pyrf_evlist__read_on_cpu-interface.patch new file mode 100644 index 00000000000..4f856067155 --- /dev/null +++ b/queue-4.18/perf-python-fix-pyrf_evlist__read_on_cpu-interface.patch @@ -0,0 +1,102 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Jiri Olsa +Date: Fri, 17 Aug 2018 13:45:56 +0200 +Subject: perf python: Fix pyrf_evlist__read_on_cpu() interface + +From: Jiri Olsa + +[ Upstream commit 721f0dfc3ce821c6a32820ab63edfb48ed4af075 ] + +Jaroslav reported errors from valgrind over perf python script: + + # echo 0 > /sys/devices/system/cpu/cpu4/online + # valgrind ./test.py + ==7524== Memcheck, a memory error detector + ... + ==7524== Command: ./test.py + ==7524== + pid 7526 exited + ==7524== Invalid read of size 8 + ==7524== at 0xCC2C2B3: perf_mmap__read_forward (evlist.c:780) + ==7524== by 0xCC2A681: pyrf_evlist__read_on_cpu (python.c:959) + ... + ==7524== Address 0x65c4868 is 16 bytes after a block of size 459,36.. + ==7524== at 0x4C2B955: calloc (vg_replace_malloc.c:711) + ==7524== by 0xCC2F484: zalloc (util.h:35) + ==7524== by 0xCC2F484: perf_evlist__alloc_mmap (evlist.c:978) + ... + +The reason for this is in the python interface, that allows a script to +pass arbitrary cpu number, which is then used to access struct +perf_evlist::mmap array. That's obviously wrong and works only when if +all cpus are available and fails if some cpu is missing, like in the +example above. + +This patch makes pyrf_evlist__read_on_cpu() search the evlist's maps +array for the proper map to access. + +It's linear search at the moment. Based on the way how is the +read_on_cpu used, I don't think we need to be fast in here. But we +could add some hash in the middle to make it fast/er. + +We don't allow python interface to set write_backward event attribute, +so it's safe to check only evlist's mmaps. + +Reported-by: Jaroslav Å karvada +Signed-off-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: David Ahern +Cc: Joe Mario +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20180817114556.28000-3-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/python.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/tools/perf/util/python.c ++++ b/tools/perf/util/python.c +@@ -11,6 +11,7 @@ + #include "cpumap.h" + #include "print_binary.h" + #include "thread_map.h" ++#include "mmap.h" + + #if PY_MAJOR_VERSION < 3 + #define _PyUnicode_FromString(arg) \ +@@ -976,6 +977,20 @@ static PyObject *pyrf_evlist__add(struct + return Py_BuildValue("i", evlist->nr_entries); + } + ++static struct perf_mmap *get_md(struct perf_evlist *evlist, int cpu) ++{ ++ int i; ++ ++ for (i = 0; i < evlist->nr_mmaps; i++) { ++ struct perf_mmap *md = &evlist->mmap[i]; ++ ++ if (md->cpu == cpu) ++ return md; ++ } ++ ++ return NULL; ++} ++ + static PyObject *pyrf_evlist__read_on_cpu(struct pyrf_evlist *pevlist, + PyObject *args, PyObject *kwargs) + { +@@ -990,7 +1005,10 @@ static PyObject *pyrf_evlist__read_on_cp + &cpu, &sample_id_all)) + return NULL; + +- md = &evlist->mmap[cpu]; ++ md = get_md(evlist, cpu); ++ if (!md) ++ return NULL; ++ + if (perf_mmap__read_init(md) < 0) + goto end; + diff --git a/queue-4.18/perf-tools-check-for-null-when-copying-nsinfo.patch b/queue-4.18/perf-tools-check-for-null-when-copying-nsinfo.patch new file mode 100644 index 00000000000..a4801402413 --- /dev/null +++ b/queue-4.18/perf-tools-check-for-null-when-copying-nsinfo.patch @@ -0,0 +1,45 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Benno Evers +Date: Fri, 10 Aug 2018 15:36:13 +0200 +Subject: perf tools: Check for null when copying nsinfo. + +From: Benno Evers + +[ Upstream commit 3f4417d693b43fa240ac8bde4487f67745ca23d8 ] + +The argument to nsinfo__copy() was assumed to be valid, but some code paths +exist that will lead to NULL being passed. + +In particular, running 'perf script -D' on a perf.data file containing an +PERF_RECORD_MMAP event associating the '[vdso]' dso with pid 0 earlier in +the event stream will lead to a segfault. + +Since all calling code is already checking for a non-null return value, +just return NULL for this case as well. + +Signed-off-by: Benno Evers +Acked-by: Namhyung Kim +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Krister Johansen +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20180810133614.9925-1-bevers@mesosphere.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/namespaces.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/tools/perf/util/namespaces.c ++++ b/tools/perf/util/namespaces.c +@@ -139,6 +139,9 @@ struct nsinfo *nsinfo__copy(struct nsinf + { + struct nsinfo *nnsi; + ++ if (nsi == NULL) ++ return NULL; ++ + nnsi = calloc(1, sizeof(*nnsi)); + if (nnsi != NULL) { + nnsi->pid = nsi->pid; diff --git a/queue-4.18/pinctrl-axp209-fix-null-pointer-dereference-after-allocation.patch b/queue-4.18/pinctrl-axp209-fix-null-pointer-dereference-after-allocation.patch new file mode 100644 index 00000000000..df374529c85 --- /dev/null +++ b/queue-4.18/pinctrl-axp209-fix-null-pointer-dereference-after-allocation.patch @@ -0,0 +1,95 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Anton Vasilyev +Date: Mon, 6 Aug 2018 19:06:35 +0300 +Subject: pinctrl: axp209: Fix NULL pointer dereference after allocation + +From: Anton Vasilyev + +[ Upstream commit 504c76979bccec66e4c2e41f6a006e49e284466f ] + +There is no check that allocation in axp20x_funcs_groups_from_mask +is successful. +The patch adds corresponding check and return values. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Acked-by: Chen-Yu Tsai +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-axp209.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +--- a/drivers/pinctrl/pinctrl-axp209.c ++++ b/drivers/pinctrl/pinctrl-axp209.c +@@ -316,7 +316,7 @@ static const struct pinctrl_ops axp20x_p + .get_group_pins = axp20x_group_pins, + }; + +-static void axp20x_funcs_groups_from_mask(struct device *dev, unsigned int mask, ++static int axp20x_funcs_groups_from_mask(struct device *dev, unsigned int mask, + unsigned int mask_len, + struct axp20x_pinctrl_function *func, + const struct pinctrl_pin_desc *pins) +@@ -331,18 +331,22 @@ static void axp20x_funcs_groups_from_mas + func->groups = devm_kcalloc(dev, + ngroups, sizeof(const char *), + GFP_KERNEL); ++ if (!func->groups) ++ return -ENOMEM; + group = func->groups; + for_each_set_bit(bit, &mask_cpy, mask_len) { + *group = pins[bit].name; + group++; + } + } ++ ++ return 0; + } + +-static void axp20x_build_funcs_groups(struct platform_device *pdev) ++static int axp20x_build_funcs_groups(struct platform_device *pdev) + { + struct axp20x_pctl *pctl = platform_get_drvdata(pdev); +- int i, pin, npins = pctl->desc->npins; ++ int i, ret, pin, npins = pctl->desc->npins; + + pctl->funcs[AXP20X_FUNC_GPIO_OUT].name = "gpio_out"; + pctl->funcs[AXP20X_FUNC_GPIO_OUT].muxval = AXP20X_MUX_GPIO_OUT; +@@ -366,13 +370,19 @@ static void axp20x_build_funcs_groups(st + pctl->funcs[i].groups[pin] = pctl->desc->pins[pin].name; + } + +- axp20x_funcs_groups_from_mask(&pdev->dev, pctl->desc->ldo_mask, ++ ret = axp20x_funcs_groups_from_mask(&pdev->dev, pctl->desc->ldo_mask, + npins, &pctl->funcs[AXP20X_FUNC_LDO], + pctl->desc->pins); ++ if (ret) ++ return ret; + +- axp20x_funcs_groups_from_mask(&pdev->dev, pctl->desc->adc_mask, ++ ret = axp20x_funcs_groups_from_mask(&pdev->dev, pctl->desc->adc_mask, + npins, &pctl->funcs[AXP20X_FUNC_ADC], + pctl->desc->pins); ++ if (ret) ++ return ret; ++ ++ return 0; + } + + static const struct of_device_id axp20x_pctl_match[] = { +@@ -424,7 +434,11 @@ static int axp20x_pctl_probe(struct plat + + platform_set_drvdata(pdev, pctl); + +- axp20x_build_funcs_groups(pdev); ++ ret = axp20x_build_funcs_groups(pdev); ++ if (ret) { ++ dev_err(&pdev->dev, "failed to build groups\n"); ++ return ret; ++ } + + pctrl_desc = devm_kzalloc(&pdev->dev, sizeof(*pctrl_desc), GFP_KERNEL); + if (!pctrl_desc) diff --git a/queue-4.18/platform-x86-asus-nb-wmi-add-keymap-entry-for-lid-flip-action-on-ux360.patch b/queue-4.18/platform-x86-asus-nb-wmi-add-keymap-entry-for-lid-flip-action-on-ux360.patch new file mode 100644 index 00000000000..17db518c6ae --- /dev/null +++ b/queue-4.18/platform-x86-asus-nb-wmi-add-keymap-entry-for-lid-flip-action-on-ux360.patch @@ -0,0 +1,33 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Aleh Filipovich +Date: Fri, 10 Aug 2018 22:07:25 +0200 +Subject: platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360 + +From: Aleh Filipovich + +[ Upstream commit 880b29ac107d15644bf4da228376ba3cd6af6d71 ] + +Add entry to WMI keymap for lid flip event on Asus UX360. + +On Asus Zenbook ux360 flipping lid from/to tablet mode triggers +keyscan code 0xfa which cannot be handled and results in kernel +log message "Unknown key fa pressed". + +Signed-off-by: Aleh Filipovich +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/asus-nb-wmi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/platform/x86/asus-nb-wmi.c ++++ b/drivers/platform/x86/asus-nb-wmi.c +@@ -496,6 +496,7 @@ static const struct key_entry asus_nb_wm + { KE_KEY, 0xC4, { KEY_KBDILLUMUP } }, + { KE_KEY, 0xC5, { KEY_KBDILLUMDOWN } }, + { KE_IGNORE, 0xC6, }, /* Ambient Light Sensor notification */ ++ { KE_KEY, 0xFA, { KEY_PROG2 } }, /* Lid flip action */ + { KE_END, 0}, + }; + diff --git a/queue-4.18/platform-x86-intel_punit_ipc-fix-build-errors.patch b/queue-4.18/platform-x86-intel_punit_ipc-fix-build-errors.patch new file mode 100644 index 00000000000..7feb02706d4 --- /dev/null +++ b/queue-4.18/platform-x86-intel_punit_ipc-fix-build-errors.patch @@ -0,0 +1,39 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Randy Dunlap +Date: Wed, 15 Aug 2018 09:12:07 -0700 +Subject: platform/x86: intel_punit_ipc: fix build errors + +From: Randy Dunlap + +[ Upstream commit 340fd4cff43f18bace9358d4decdc9b6ed0715be ] + +Fix build errors by #including . + +../drivers/platform/x86/intel_punit_ipc.c: In function 'ipc_read_status': +../drivers/platform/x86/intel_punit_ipc.c:55:2: error: implicit declaration of function 'readl' [-Werror=implicit-function-declaration] + return readl(ipcdev->base[type][BASE_IFACE]); +../drivers/platform/x86/intel_punit_ipc.c: In function 'ipc_write_cmd': +../drivers/platform/x86/intel_punit_ipc.c:60:2: error: implicit declaration of function 'writel' [-Werror=implicit-function-declaration] + writel(cmd, ipcdev->base[type][BASE_IFACE]); + +Fixes: 447ae3166702 ("x86: Don't include linux/irq.h from asm/hardirq.h") +Signed-off-by: Randy Dunlap +Cc: Zha Qipeng +Cc: platform-driver-x86@vger.kernel.org +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/intel_punit_ipc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/platform/x86/intel_punit_ipc.c ++++ b/drivers/platform/x86/intel_punit_ipc.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + #include + #include + diff --git a/queue-4.18/powerpc-64s-make-rfi_flush_fallback-a-little-more-robust.patch b/queue-4.18/powerpc-64s-make-rfi_flush_fallback-a-little-more-robust.patch new file mode 100644 index 00000000000..79ab83e14ab --- /dev/null +++ b/queue-4.18/powerpc-64s-make-rfi_flush_fallback-a-little-more-robust.patch @@ -0,0 +1,99 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Michael Ellerman +Date: Thu, 26 Jul 2018 22:42:44 +1000 +Subject: powerpc/64s: Make rfi_flush_fallback a little more robust + +From: Michael Ellerman + +[ Upstream commit 78ee9946371f5848ddfc88ab1a43867df8f17d83 ] + +Because rfi_flush_fallback runs immediately before the return to +userspace it currently runs with the user r1 (stack pointer). This +means if we oops in there we will report a bad kernel stack pointer in +the exception entry path, eg: + + Bad kernel stack pointer 7ffff7150e40 at c0000000000023b4 + Oops: Bad kernel stack pointer, sig: 6 [#1] + LE SMP NR_CPUS=32 NUMA PowerNV + Modules linked in: + CPU: 0 PID: 1246 Comm: klogd Not tainted 4.18.0-rc2-gcc-7.3.1-00175-g0443f8a69ba3 #7 + NIP: c0000000000023b4 LR: 0000000010053e00 CTR: 0000000000000040 + REGS: c0000000fffe7d40 TRAP: 4100 Not tainted (4.18.0-rc2-gcc-7.3.1-00175-g0443f8a69ba3) + MSR: 9000000002803031 CR: 44000442 XER: 20000000 + CFAR: c00000000000bac8 IRQMASK: c0000000f1e66a80 + GPR00: 0000000002000000 00007ffff7150e40 00007fff93a99900 0000000000000020 + ... + NIP [c0000000000023b4] rfi_flush_fallback+0x34/0x80 + LR [0000000010053e00] 0x10053e00 + +Although the NIP tells us where we were, and the TRAP number tells us +what happened, it would still be nicer if we could report the actual +exception rather than barfing about the stack pointer. + +We an do that fairly simply by loading the kernel stack pointer on +entry and restoring the user value before returning. That way we see a +regular oops such as: + + Unrecoverable exception 4100 at c00000000000239c + Oops: Unrecoverable exception, sig: 6 [#1] + LE SMP NR_CPUS=32 NUMA PowerNV + Modules linked in: + CPU: 0 PID: 1251 Comm: klogd Not tainted 4.18.0-rc3-gcc-7.3.1-00097-g4ebfcac65acd-dirty #40 + NIP: c00000000000239c LR: 0000000010053e00 CTR: 0000000000000040 + REGS: c0000000f1e17bb0 TRAP: 4100 Not tainted (4.18.0-rc3-gcc-7.3.1-00097-g4ebfcac65acd-dirty) + MSR: 9000000002803031 CR: 44000442 XER: 20000000 + CFAR: c00000000000bac8 IRQMASK: 0 + ... + NIP [c00000000000239c] rfi_flush_fallback+0x3c/0x80 + LR [0000000010053e00] 0x10053e00 + Call Trace: + [c0000000f1e17e30] [c00000000000b9e4] system_call+0x5c/0x70 (unreliable) + +Note this shouldn't make the kernel stack pointer vulnerable to a +meltdown attack, because it should be flushed from the cache before we +return to userspace. The user r1 value will be in the cache, because +we load it in the return path, but that is harmless. + +Signed-off-by: Michael Ellerman +Reviewed-by: Nicholas Piggin +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/exceptions-64s.S | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/powerpc/kernel/exceptions-64s.S ++++ b/arch/powerpc/kernel/exceptions-64s.S +@@ -1526,6 +1526,8 @@ TRAMP_REAL_BEGIN(stf_barrier_fallback) + TRAMP_REAL_BEGIN(rfi_flush_fallback) + SET_SCRATCH0(r13); + GET_PACA(r13); ++ std r1,PACA_EXRFI+EX_R12(r13) ++ ld r1,PACAKSAVE(r13) + std r9,PACA_EXRFI+EX_R9(r13) + std r10,PACA_EXRFI+EX_R10(r13) + std r11,PACA_EXRFI+EX_R11(r13) +@@ -1560,12 +1562,15 @@ TRAMP_REAL_BEGIN(rfi_flush_fallback) + ld r9,PACA_EXRFI+EX_R9(r13) + ld r10,PACA_EXRFI+EX_R10(r13) + ld r11,PACA_EXRFI+EX_R11(r13) ++ ld r1,PACA_EXRFI+EX_R12(r13) + GET_SCRATCH0(r13); + rfid + + TRAMP_REAL_BEGIN(hrfi_flush_fallback) + SET_SCRATCH0(r13); + GET_PACA(r13); ++ std r1,PACA_EXRFI+EX_R12(r13) ++ ld r1,PACAKSAVE(r13) + std r9,PACA_EXRFI+EX_R9(r13) + std r10,PACA_EXRFI+EX_R10(r13) + std r11,PACA_EXRFI+EX_R11(r13) +@@ -1600,6 +1605,7 @@ TRAMP_REAL_BEGIN(hrfi_flush_fallback) + ld r9,PACA_EXRFI+EX_R9(r13) + ld r10,PACA_EXRFI+EX_R10(r13) + ld r11,PACA_EXRFI+EX_R11(r13) ++ ld r1,PACA_EXRFI+EX_R12(r13) + GET_SCRATCH0(r13); + hrfid + diff --git a/queue-4.18/powerpc-fix-size-calculation-using-resource_size.patch b/queue-4.18/powerpc-fix-size-calculation-using-resource_size.patch new file mode 100644 index 00000000000..7550962e914 --- /dev/null +++ b/queue-4.18/powerpc-fix-size-calculation-using-resource_size.patch @@ -0,0 +1,33 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Dan Carpenter +Date: Wed, 8 Aug 2018 14:57:24 +0300 +Subject: powerpc: Fix size calculation using resource_size() + +From: Dan Carpenter + +[ Upstream commit c42d3be0c06f0c1c416054022aa535c08a1f9b39 ] + +The problem is the the calculation should be "end - start + 1" but the +plus one is missing in this calculation. + +Fixes: 8626816e905e ("powerpc: add support for MPIC message register API") +Signed-off-by: Dan Carpenter +Reviewed-by: Tyrel Datwyler +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/sysdev/mpic_msgr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/sysdev/mpic_msgr.c ++++ b/arch/powerpc/sysdev/mpic_msgr.c +@@ -196,7 +196,7 @@ static int mpic_msgr_probe(struct platfo + + /* IO map the message register block. */ + of_address_to_resource(np, 0, &rsrc); +- msgr_block_addr = ioremap(rsrc.start, rsrc.end - rsrc.start); ++ msgr_block_addr = ioremap(rsrc.start, resource_size(&rsrc)); + if (!msgr_block_addr) { + dev_err(&dev->dev, "Failed to iomap MPIC message registers"); + return -EFAULT; diff --git a/queue-4.18/powerpc-platforms-85xx-fix-t1042rdb_diu.c-build-errors-warning.patch b/queue-4.18/powerpc-platforms-85xx-fix-t1042rdb_diu.c-build-errors-warning.patch new file mode 100644 index 00000000000..4ccbea3647d --- /dev/null +++ b/queue-4.18/powerpc-platforms-85xx-fix-t1042rdb_diu.c-build-errors-warning.patch @@ -0,0 +1,53 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Randy Dunlap +Date: Sun, 15 Jul 2018 10:34:46 -0700 +Subject: powerpc/platforms/85xx: fix t1042rdb_diu.c build errors & warning + +From: Randy Dunlap + +[ Upstream commit f5daf77a55ef0e695cc90c440ed6503073ac5e07 ] + +Fix build errors and warnings in t1042rdb_diu.c by adding header files +and MODULE_LICENSE(). + +../arch/powerpc/platforms/85xx/t1042rdb_diu.c:152:1: warning: data definition has no type or storage class + early_initcall(t1042rdb_diu_init); +../arch/powerpc/platforms/85xx/t1042rdb_diu.c:152:1: error: type defaults to 'int' in declaration of 'early_initcall' [-Werror=implicit-int] +../arch/powerpc/platforms/85xx/t1042rdb_diu.c:152:1: warning: parameter names (without types) in function declaration + +and +WARNING: modpost: missing MODULE_LICENSE() in arch/powerpc/platforms/85xx/t1042rdb_diu.o + +Signed-off-by: Randy Dunlap +Cc: Benjamin Herrenschmidt +Cc: Paul Mackerras +Cc: Michael Ellerman +Cc: Scott Wood +Cc: Kumar Gala +Cc: linuxppc-dev@lists.ozlabs.org +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/85xx/t1042rdb_diu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/powerpc/platforms/85xx/t1042rdb_diu.c ++++ b/arch/powerpc/platforms/85xx/t1042rdb_diu.c +@@ -9,8 +9,10 @@ + * option) any later version. + */ + ++#include + #include + #include ++#include + #include + #include + +@@ -150,3 +152,5 @@ static int __init t1042rdb_diu_init(void + } + + early_initcall(t1042rdb_diu_init); ++ ++MODULE_LICENSE("GPL"); diff --git a/queue-4.18/powerpc-pseries-avoid-using-the-size-greater-than-rtas_error_log_max.patch b/queue-4.18/powerpc-pseries-avoid-using-the-size-greater-than-rtas_error_log_max.patch new file mode 100644 index 00000000000..922d2ddff84 --- /dev/null +++ b/queue-4.18/powerpc-pseries-avoid-using-the-size-greater-than-rtas_error_log_max.patch @@ -0,0 +1,38 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Mahesh Salgaonkar +Date: Wed, 4 Jul 2018 23:27:02 +0530 +Subject: powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX. + +From: Mahesh Salgaonkar + +[ Upstream commit 74e96bf44f430cf7a01de19ba6cf49b361cdfd6e ] + +The global mce data buffer that used to copy rtas error log is of 2048 +(RTAS_ERROR_LOG_MAX) bytes in size. Before the copy we read +extended_log_length from rtas error log header, then use max of +extended_log_length and RTAS_ERROR_LOG_MAX as a size of data to be copied. +Ideally the platform (phyp) will never send extended error log with +size > 2048. But if that happens, then we have a risk of buffer overrun +and corruption. Fix this by using min_t instead. + +Fixes: d368514c3097 ("powerpc: Fix corruption when grabbing FWNMI data") +Reported-by: Michal Suchanek +Signed-off-by: Mahesh Salgaonkar +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/pseries/ras.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/pseries/ras.c ++++ b/arch/powerpc/platforms/pseries/ras.c +@@ -371,7 +371,7 @@ static struct rtas_error_log *fwnmi_get_ + int len, error_log_length; + + error_log_length = 8 + rtas_error_extended_log_length(h); +- len = max_t(int, error_log_length, RTAS_ERROR_LOG_MAX); ++ len = min_t(int, error_log_length, RTAS_ERROR_LOG_MAX); + memset(global_mce_data_buf, 0, RTAS_ERROR_LOG_MAX); + memcpy(global_mce_data_buf, h, len); + errhdr = (struct rtas_error_log *)global_mce_data_buf; diff --git a/queue-4.18/powerpc-topology-get-topology-for-shared-processors-at-boot.patch b/queue-4.18/powerpc-topology-get-topology-for-shared-processors-at-boot.patch new file mode 100644 index 00000000000..e61262257a5 --- /dev/null +++ b/queue-4.18/powerpc-topology-get-topology-for-shared-processors-at-boot.patch @@ -0,0 +1,225 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Srikar Dronamraju +Date: Fri, 17 Aug 2018 20:24:39 +0530 +Subject: powerpc/topology: Get topology for shared processors at boot + +From: Srikar Dronamraju + +[ Upstream commit 2ea62630681027c455117aa471ea3ab8bb099ead ] + +On a shared LPAR, Phyp will not update the CPU associativity at boot +time. Just after the boot system does recognize itself as a shared +LPAR and trigger a request for correct CPU associativity. But by then +the scheduler would have already created/destroyed its sched domains. + +This causes + - Broken load balance across Nodes causing islands of cores. + - Performance degradation esp if the system is lightly loaded + - dmesg to wrongly report all CPUs to be in Node 0. + - Messages in dmesg saying borken topology. + - With commit 051f3ca02e46 ("sched/topology: Introduce NUMA identity + node sched domain"), can cause rcu stalls at boot up. + +The sched_domains_numa_masks table which is used to generate cpumasks +is only created at boot time just before creating sched domains and +never updated. Hence, its better to get the topology correct before +the sched domains are created. + +For example on 64 core Power 8 shared LPAR, dmesg reports + + Brought up 512 CPUs + Node 0 CPUs: 0-511 + Node 1 CPUs: + Node 2 CPUs: + Node 3 CPUs: + Node 4 CPUs: + Node 5 CPUs: + Node 6 CPUs: + Node 7 CPUs: + Node 8 CPUs: + Node 9 CPUs: + Node 10 CPUs: + Node 11 CPUs: + ... + BUG: arch topology borken + the DIE domain not a subset of the NUMA domain + BUG: arch topology borken + the DIE domain not a subset of the NUMA domain + +numactl/lscpu output will still be correct with cores spreading across +all nodes: + + Socket(s): 64 + NUMA node(s): 12 + Model: 2.0 (pvr 004d 0200) + Model name: POWER8 (architected), altivec supported + Hypervisor vendor: pHyp + Virtualization type: para + L1d cache: 64K + L1i cache: 32K + NUMA node0 CPU(s): 0-7,32-39,64-71,96-103,176-183,272-279,368-375,464-471 + NUMA node1 CPU(s): 8-15,40-47,72-79,104-111,184-191,280-287,376-383,472-479 + NUMA node2 CPU(s): 16-23,48-55,80-87,112-119,192-199,288-295,384-391,480-487 + NUMA node3 CPU(s): 24-31,56-63,88-95,120-127,200-207,296-303,392-399,488-495 + NUMA node4 CPU(s): 208-215,304-311,400-407,496-503 + NUMA node5 CPU(s): 168-175,264-271,360-367,456-463 + NUMA node6 CPU(s): 128-135,224-231,320-327,416-423 + NUMA node7 CPU(s): 136-143,232-239,328-335,424-431 + NUMA node8 CPU(s): 216-223,312-319,408-415,504-511 + NUMA node9 CPU(s): 144-151,240-247,336-343,432-439 + NUMA node10 CPU(s): 152-159,248-255,344-351,440-447 + NUMA node11 CPU(s): 160-167,256-263,352-359,448-455 + +Currently on this LPAR, the scheduler detects 2 levels of Numa and +created numa sched domains for all CPUs, but it finds a single DIE +domain consisting of all CPUs. Hence it deletes all numa sched +domains. + +To address this, detect the shared processor and update topology soon +after CPUs are setup so that correct topology is updated just before +scheduler creates sched domain. + +With the fix, dmesg reports: + + numa: Node 0 CPUs: 0-7 32-39 64-71 96-103 176-183 272-279 368-375 464-471 + numa: Node 1 CPUs: 8-15 40-47 72-79 104-111 184-191 280-287 376-383 472-479 + numa: Node 2 CPUs: 16-23 48-55 80-87 112-119 192-199 288-295 384-391 480-487 + numa: Node 3 CPUs: 24-31 56-63 88-95 120-127 200-207 296-303 392-399 488-495 + numa: Node 4 CPUs: 208-215 304-311 400-407 496-503 + numa: Node 5 CPUs: 168-175 264-271 360-367 456-463 + numa: Node 6 CPUs: 128-135 224-231 320-327 416-423 + numa: Node 7 CPUs: 136-143 232-239 328-335 424-431 + numa: Node 8 CPUs: 216-223 312-319 408-415 504-511 + numa: Node 9 CPUs: 144-151 240-247 336-343 432-439 + numa: Node 10 CPUs: 152-159 248-255 344-351 440-447 + numa: Node 11 CPUs: 160-167 256-263 352-359 448-455 + +and lscpu also reports: + + Socket(s): 64 + NUMA node(s): 12 + Model: 2.0 (pvr 004d 0200) + Model name: POWER8 (architected), altivec supported + Hypervisor vendor: pHyp + Virtualization type: para + L1d cache: 64K + L1i cache: 32K + NUMA node0 CPU(s): 0-7,32-39,64-71,96-103,176-183,272-279,368-375,464-471 + NUMA node1 CPU(s): 8-15,40-47,72-79,104-111,184-191,280-287,376-383,472-479 + NUMA node2 CPU(s): 16-23,48-55,80-87,112-119,192-199,288-295,384-391,480-487 + NUMA node3 CPU(s): 24-31,56-63,88-95,120-127,200-207,296-303,392-399,488-495 + NUMA node4 CPU(s): 208-215,304-311,400-407,496-503 + NUMA node5 CPU(s): 168-175,264-271,360-367,456-463 + NUMA node6 CPU(s): 128-135,224-231,320-327,416-423 + NUMA node7 CPU(s): 136-143,232-239,328-335,424-431 + NUMA node8 CPU(s): 216-223,312-319,408-415,504-511 + NUMA node9 CPU(s): 144-151,240-247,336-343,432-439 + NUMA node10 CPU(s): 152-159,248-255,344-351,440-447 + NUMA node11 CPU(s): 160-167,256-263,352-359,448-455 + +Reported-by: Manjunatha H R +Signed-off-by: Srikar Dronamraju +[mpe: Trim / format change log] +Tested-by: Michael Ellerman +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/topology.h | 5 +++++ + arch/powerpc/kernel/smp.c | 5 +++++ + arch/powerpc/mm/numa.c | 20 ++++++++++---------- + 3 files changed, 20 insertions(+), 10 deletions(-) + +--- a/arch/powerpc/include/asm/topology.h ++++ b/arch/powerpc/include/asm/topology.h +@@ -92,6 +92,7 @@ extern int stop_topology_update(void); + extern int prrn_is_enabled(void); + extern int find_and_online_cpu_nid(int cpu); + extern int timed_topology_update(int nsecs); ++extern void __init shared_proc_topology_init(void); + #else + static inline int start_topology_update(void) + { +@@ -113,6 +114,10 @@ static inline int timed_topology_update( + { + return 0; + } ++ ++#ifdef CONFIG_SMP ++static inline void shared_proc_topology_init(void) {} ++#endif + #endif /* CONFIG_NUMA && CONFIG_PPC_SPLPAR */ + + #include +--- a/arch/powerpc/kernel/smp.c ++++ b/arch/powerpc/kernel/smp.c +@@ -1156,6 +1156,11 @@ void __init smp_cpus_done(unsigned int m + if (smp_ops && smp_ops->bringup_done) + smp_ops->bringup_done(); + ++ /* ++ * On a shared LPAR, associativity needs to be requested. ++ * Hence, get numa topology before dumping cpu topology ++ */ ++ shared_proc_topology_init(); + dump_numa_cpu_topology(); + + /* +--- a/arch/powerpc/mm/numa.c ++++ b/arch/powerpc/mm/numa.c +@@ -1078,7 +1078,6 @@ static int prrn_enabled; + static void reset_topology_timer(void); + static int topology_timer_secs = 1; + static int topology_inited; +-static int topology_update_needed; + + /* + * Change polling interval for associativity changes. +@@ -1306,11 +1305,8 @@ int numa_update_cpu_topology(bool cpus_l + struct device *dev; + int weight, new_nid, i = 0; + +- if (!prrn_enabled && !vphn_enabled) { +- if (!topology_inited) +- topology_update_needed = 1; ++ if (!prrn_enabled && !vphn_enabled && topology_inited) + return 0; +- } + + weight = cpumask_weight(&cpu_associativity_changes_mask); + if (!weight) +@@ -1423,7 +1419,6 @@ int numa_update_cpu_topology(bool cpus_l + + out: + kfree(updates); +- topology_update_needed = 0; + return changed; + } + +@@ -1551,6 +1546,15 @@ int prrn_is_enabled(void) + return prrn_enabled; + } + ++void __init shared_proc_topology_init(void) ++{ ++ if (lppaca_shared_proc(get_lppaca())) { ++ bitmap_fill(cpumask_bits(&cpu_associativity_changes_mask), ++ nr_cpumask_bits); ++ numa_update_cpu_topology(false); ++ } ++} ++ + static int topology_read(struct seq_file *file, void *v) + { + if (vphn_enabled || prrn_enabled) +@@ -1608,10 +1612,6 @@ static int topology_update_init(void) + return -ENOMEM; + + topology_inited = 1; +- if (topology_update_needed) +- bitmap_fill(cpumask_bits(&cpu_associativity_changes_mask), +- nr_cpumask_bits); +- + return 0; + } + device_initcall(topology_update_init); diff --git a/queue-4.18/powerpc-uaccess-enable-get_user-u64-p-on-32-bit.patch b/queue-4.18/powerpc-uaccess-enable-get_user-u64-p-on-32-bit.patch new file mode 100644 index 00000000000..242812e08ad --- /dev/null +++ b/queue-4.18/powerpc-uaccess-enable-get_user-u64-p-on-32-bit.patch @@ -0,0 +1,85 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Michael Ellerman +Date: Tue, 10 Jul 2018 16:20:56 +1000 +Subject: powerpc/uaccess: Enable get_user(u64, *p) on 32-bit + +From: Michael Ellerman + +[ Upstream commit f7a6947cd49b7ff4e03f1b4f7e7b223003d752ca ] + +Currently if you build a 32-bit powerpc kernel and use get_user() to +load a u64 value it will fail to build with eg: + + kernel/rseq.o: In function `rseq_get_rseq_cs': + kernel/rseq.c:123: undefined reference to `__get_user_bad' + +This is hitting the check in __get_user_size() that makes sure the +size we're copying doesn't exceed the size of the destination: + + #define __get_user_size(x, ptr, size, retval) + do { + retval = 0; + __chk_user_ptr(ptr); + if (size > sizeof(x)) + (x) = __get_user_bad(); + +Which doesn't immediately make sense because the size of the +destination is u64, but it's not really, because __get_user_check() +etc. internally create an unsigned long and copy into that: + + #define __get_user_check(x, ptr, size) + ({ + long __gu_err = -EFAULT; + unsigned long __gu_val = 0; + +The problem being that on 32-bit unsigned long is not big enough to +hold a u64. We can fix this with a trick from hpa in the x86 code, we +statically check the type of x and set the type of __gu_val to either +unsigned long or unsigned long long. + +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/uaccess.h | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/include/asm/uaccess.h ++++ b/arch/powerpc/include/asm/uaccess.h +@@ -250,10 +250,17 @@ do { \ + } \ + } while (0) + ++/* ++ * This is a type: either unsigned long, if the argument fits into ++ * that type, or otherwise unsigned long long. ++ */ ++#define __long_type(x) \ ++ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) ++ + #define __get_user_nocheck(x, ptr, size) \ + ({ \ + long __gu_err; \ +- unsigned long __gu_val; \ ++ __long_type(*(ptr)) __gu_val; \ + const __typeof__(*(ptr)) __user *__gu_addr = (ptr); \ + __chk_user_ptr(ptr); \ + if (!is_kernel_addr((unsigned long)__gu_addr)) \ +@@ -267,7 +274,7 @@ do { \ + #define __get_user_check(x, ptr, size) \ + ({ \ + long __gu_err = -EFAULT; \ +- unsigned long __gu_val = 0; \ ++ __long_type(*(ptr)) __gu_val = 0; \ + const __typeof__(*(ptr)) __user *__gu_addr = (ptr); \ + might_fault(); \ + if (access_ok(VERIFY_READ, __gu_addr, (size))) { \ +@@ -281,7 +288,7 @@ do { \ + #define __get_user_nosleep(x, ptr, size) \ + ({ \ + long __gu_err; \ +- unsigned long __gu_val; \ ++ __long_type(*(ptr)) __gu_val; \ + const __typeof__(*(ptr)) __user *__gu_addr = (ptr); \ + __chk_user_ptr(ptr); \ + barrier_nospec(); \ diff --git a/queue-4.18/pwm-meson-fix-mux-clock-names.patch b/queue-4.18/pwm-meson-fix-mux-clock-names.patch new file mode 100644 index 00000000000..b692fd3b116 --- /dev/null +++ b/queue-4.18/pwm-meson-fix-mux-clock-names.patch @@ -0,0 +1,51 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Jerome Brunet +Date: Wed, 1 Aug 2018 12:57:20 +0200 +Subject: pwm: meson: Fix mux clock names + +From: Jerome Brunet + +[ Upstream commit b96e9eb62841c519ba1db32d036628be3cdef91f ] + +Current clock name looks like this: +/soc/bus@ffd00000/pwm@1b000#mux0 + +This is bad because CCF uses the clock to create a directory in clk debugfs. +With such name, the directory creation (silently) fails and the debugfs +entry end up being created at the debugfs root. + +With this change, the clock name will now be: +ffd1b000.pwm#mux0 + +This matches the clock naming scheme used in the ethernet and mmc driver. +It also fixes the problem with debugfs. + +Fixes: 36af66a79056 ("pwm: Convert to using %pOF instead of full_name") +Signed-off-by: Jerome Brunet +Acked-by: Neil Armstrong +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pwm/pwm-meson.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/pwm/pwm-meson.c ++++ b/drivers/pwm/pwm-meson.c +@@ -458,7 +458,6 @@ static int meson_pwm_init_channels(struc + struct meson_pwm_channel *channels) + { + struct device *dev = meson->chip.dev; +- struct device_node *np = dev->of_node; + struct clk_init_data init; + unsigned int i; + char name[255]; +@@ -467,7 +466,7 @@ static int meson_pwm_init_channels(struc + for (i = 0; i < meson->chip.npwm; i++) { + struct meson_pwm_channel *channel = &channels[i]; + +- snprintf(name, sizeof(name), "%pOF#mux%u", np, i); ++ snprintf(name, sizeof(name), "%s#mux%u", dev_name(dev), i); + + init.name = name; + init.ops = &clk_mux_ops; diff --git a/queue-4.18/rdma-hns-fix-usage-of-bitmap-allocation-functions-return-values.patch b/queue-4.18/rdma-hns-fix-usage-of-bitmap-allocation-functions-return-values.patch new file mode 100644 index 00000000000..c0fb1914873 --- /dev/null +++ b/queue-4.18/rdma-hns-fix-usage-of-bitmap-allocation-functions-return-values.patch @@ -0,0 +1,49 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Gal Pressman +Date: Thu, 9 Aug 2018 22:00:47 +0300 +Subject: RDMA/hns: Fix usage of bitmap allocation functions return values + +From: Gal Pressman + +[ Upstream commit a1ceeca679dccc492235f0f629d9e9f7b3d51ca8 ] + +hns bitmap allocation functions return 0 on success and -1 on failure. +Callers of these functions wrongly used their return value as an errno, +fix that by making a proper conversion. + +Fixes: a598c6f4c5a8 ("IB/hns: Simplify function of pd alloc and qp alloc") +Signed-off-by: Gal Pressman +Acked-by: Lijun Ou +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hns/hns_roce_pd.c | 2 +- + drivers/infiniband/hw/hns/hns_roce_qp.c | 5 ++++- + 2 files changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/hns/hns_roce_pd.c ++++ b/drivers/infiniband/hw/hns/hns_roce_pd.c +@@ -37,7 +37,7 @@ + + static int hns_roce_pd_alloc(struct hns_roce_dev *hr_dev, unsigned long *pdn) + { +- return hns_roce_bitmap_alloc(&hr_dev->pd_bitmap, pdn); ++ return hns_roce_bitmap_alloc(&hr_dev->pd_bitmap, pdn) ? -ENOMEM : 0; + } + + static void hns_roce_pd_free(struct hns_roce_dev *hr_dev, unsigned long pdn) +--- a/drivers/infiniband/hw/hns/hns_roce_qp.c ++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c +@@ -115,7 +115,10 @@ static int hns_roce_reserve_range_qp(str + { + struct hns_roce_qp_table *qp_table = &hr_dev->qp_table; + +- return hns_roce_bitmap_alloc_range(&qp_table->bitmap, cnt, align, base); ++ return hns_roce_bitmap_alloc_range(&qp_table->bitmap, cnt, align, ++ base) ? ++ -ENOMEM : ++ 0; + } + + enum hns_roce_qp_state to_hns_roce_state(enum ib_qp_state state) diff --git a/queue-4.18/rds-ib-fix-passing-zero-to-err_ptr-warning.patch b/queue-4.18/rds-ib-fix-passing-zero-to-err_ptr-warning.patch new file mode 100644 index 00000000000..b6f5205f67c --- /dev/null +++ b/queue-4.18/rds-ib-fix-passing-zero-to-err_ptr-warning.patch @@ -0,0 +1,34 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: YueHaibing +Date: Tue, 7 Aug 2018 19:34:16 +0800 +Subject: RDS: IB: fix 'passing zero to ERR_PTR()' warning + +From: YueHaibing + +[ Upstream commit 5941923da29e84bc9e2a1abb2c14fffaf8d71e2f ] + +Fix a static code checker warning: + net/rds/ib_frmr.c:82 rds_ib_alloc_frmr() warn: passing zero to 'ERR_PTR' + +The error path for ib_alloc_mr failure should set err to PTR_ERR. + +Fixes: 1659185fb4d0 ("RDS: IB: Support Fastreg MR (FRMR) memory registration mode") +Signed-off-by: YueHaibing +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/ib_frmr.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/rds/ib_frmr.c ++++ b/net/rds/ib_frmr.c +@@ -61,6 +61,7 @@ static struct rds_ib_mr *rds_ib_alloc_fr + pool->fmr_attr.max_pages); + if (IS_ERR(frmr->mr)) { + pr_warn("RDS/IB: %s failed to allocate MR", __func__); ++ err = PTR_ERR(frmr->mr); + goto out_no_cigar; + } + diff --git a/queue-4.18/reiserfs-change-j_timestamp-type-to-time64_t.patch b/queue-4.18/reiserfs-change-j_timestamp-type-to-time64_t.patch new file mode 100644 index 00000000000..e595f3de63c --- /dev/null +++ b/queue-4.18/reiserfs-change-j_timestamp-type-to-time64_t.patch @@ -0,0 +1,39 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Arnd Bergmann +Date: Tue, 21 Aug 2018 21:59:34 -0700 +Subject: reiserfs: change j_timestamp type to time64_t + +From: Arnd Bergmann + +[ Upstream commit 8b73ce6a4bae4fe12bcb2c361c0da4183c2e1b6f ] + +This uses the deprecated time_t type but is write-only, and could be +removed, but as Jeff explains, having a timestamp can be usefule for +post-mortem analysis in crash dumps. + +In order to remove one of the last instances of time_t, this changes the +type to time64_t, same as j_trans_start_time. + +Link: http://lkml.kernel.org/r/20180622133315.221210-1-arnd@arndb.de +Signed-off-by: Arnd Bergmann +Cc: Jan Kara +Cc: Jeff Mahoney +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/reiserfs/reiserfs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/reiserfs/reiserfs.h ++++ b/fs/reiserfs/reiserfs.h +@@ -271,7 +271,7 @@ struct reiserfs_journal_list { + + struct mutex j_commit_mutex; + unsigned int j_trans_id; +- time_t j_timestamp; ++ time64_t j_timestamp; /* write-only but useful for crash dump analysis */ + struct reiserfs_list_bitmap *j_list_bitmap; + struct buffer_head *j_commit_bh; /* commit buffer head */ + struct reiserfs_journal_cnode *j_realblock; diff --git a/queue-4.18/risc-v-use-kbuild_cflags-instead-of-kcflags-when-building-the-vdso.patch b/queue-4.18/risc-v-use-kbuild_cflags-instead-of-kcflags-when-building-the-vdso.patch new file mode 100644 index 00000000000..6858ed71654 --- /dev/null +++ b/queue-4.18/risc-v-use-kbuild_cflags-instead-of-kcflags-when-building-the-vdso.patch @@ -0,0 +1,43 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Palmer Dabbelt +Date: Wed, 4 Jul 2018 14:07:14 -0700 +Subject: RISC-V: Use KBUILD_CFLAGS instead of KCFLAGS when building the vDSO + +From: Palmer Dabbelt + +[ Upstream commit 4938c79bd0f5f3650c8c2cd4cdc972f0a6962ce4 ] + +If you use a 64-bit compiler to build a 32-bit kernel then you'll get an +error when building the vDSO due to a library mismatch. The happens +because the relevant "-march" argument isn't supplied to the GCC run +that generates one of the vDSO intermediate files. + +I'm not actually sure what the right thing to do here is as I'm not +particularly familiar with the kernel build system. I poked the +documentation and it appears that KCFLAGS is the correct thing to do +(it's suggested that should be used when building modules), but we set +KBUILD_CFLAGS in arch/riscv/Makefile. + +This does at least fix the build error. + +Reviewed-by: Christoph Hellwig +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/vdso/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/riscv/kernel/vdso/Makefile ++++ b/arch/riscv/kernel/vdso/Makefile +@@ -52,8 +52,8 @@ $(obj)/%.so: $(obj)/%.so.dbg FORCE + # Add -lgcc so rv32 gets static muldi3 and lshrdi3 definitions. + # Make sure only to export the intended __vdso_xxx symbol offsets. + quiet_cmd_vdsold = VDSOLD $@ +- cmd_vdsold = $(CC) $(KCFLAGS) $(call cc-option, -no-pie) -nostdlib $(SYSCFLAGS_$(@F)) \ +- -Wl,-T,$(filter-out FORCE,$^) -o $@.tmp -lgcc && \ ++ cmd_vdsold = $(CC) $(KBUILD_CFLAGS) $(call cc-option, -no-pie) -nostdlib -nostartfiles $(SYSCFLAGS_$(@F)) \ ++ -Wl,-T,$(filter-out FORCE,$^) -o $@.tmp && \ + $(CROSS_COMPILE)objcopy \ + $(patsubst %, -G __vdso_%, $(vdso-syms)) $@.tmp $@ + diff --git a/queue-4.18/s390-dasd-fix-hanging-offline-processing-due-to-canceled-worker.patch b/queue-4.18/s390-dasd-fix-hanging-offline-processing-due-to-canceled-worker.patch new file mode 100644 index 00000000000..5968a03a985 --- /dev/null +++ b/queue-4.18/s390-dasd-fix-hanging-offline-processing-due-to-canceled-worker.patch @@ -0,0 +1,37 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Stefan Haberland +Date: Wed, 25 Jul 2018 14:00:47 +0200 +Subject: s390/dasd: fix hanging offline processing due to canceled worker + +From: Stefan Haberland + +[ Upstream commit 669f3765b755fd8739ab46ce3a9c6292ce8b3d2a ] + +During offline processing two worker threads are canceled without +freeing the device reference which leads to a hanging offline process. + +Reviewed-by: Jan Hoeppner +Signed-off-by: Stefan Haberland +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/block/dasd_eckd.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -2035,8 +2035,11 @@ static int dasd_eckd_basic_to_ready(stru + + static int dasd_eckd_online_to_ready(struct dasd_device *device) + { +- cancel_work_sync(&device->reload_device); +- cancel_work_sync(&device->kick_validate); ++ if (cancel_work_sync(&device->reload_device)) ++ dasd_put_device(device); ++ if (cancel_work_sync(&device->kick_validate)) ++ dasd_put_device(device); ++ + return 0; + }; + diff --git a/queue-4.18/s390-dasd-fix-panic-for-failed-online-processing.patch b/queue-4.18/s390-dasd-fix-panic-for-failed-online-processing.patch new file mode 100644 index 00000000000..316afaa960f --- /dev/null +++ b/queue-4.18/s390-dasd-fix-panic-for-failed-online-processing.patch @@ -0,0 +1,42 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Stefan Haberland +Date: Wed, 25 Jul 2018 13:27:10 +0200 +Subject: s390/dasd: fix panic for failed online processing + +From: Stefan Haberland + +[ Upstream commit 7c6553d4db03350dad0110c3224194c19df76a8f ] + +Fix a panic that occurs for a device that got an error in +dasd_eckd_check_characteristics() during online processing. +For example the read configuration data command may have failed. + +If this error occurs the device is not being set online and the earlier +invoked steps during online processing are rolled back. Therefore +dasd_eckd_uncheck_device() is called which needs a valid private +structure. But this pointer is not valid if +dasd_eckd_check_characteristics() has failed. + +Check for a valid device->private pointer to prevent a panic. + +Reviewed-by: Jan Hoeppner +Signed-off-by: Stefan Haberland +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/block/dasd_eckd.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -1780,6 +1780,9 @@ static void dasd_eckd_uncheck_device(str + struct dasd_eckd_private *private = device->private; + int i; + ++ if (!private) ++ return; ++ + dasd_alias_disconnect_device_from_lcu(device); + private->ned = NULL; + private->sneq = NULL; diff --git a/queue-4.18/s390-kdump-fix-memleak-in-nt_vmcoreinfo.patch b/queue-4.18/s390-kdump-fix-memleak-in-nt_vmcoreinfo.patch new file mode 100644 index 00000000000..f05f250f554 --- /dev/null +++ b/queue-4.18/s390-kdump-fix-memleak-in-nt_vmcoreinfo.patch @@ -0,0 +1,68 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Philipp Rudo +Date: Mon, 13 Aug 2018 11:16:57 +0200 +Subject: s390/kdump: Fix memleak in nt_vmcoreinfo + +From: Philipp Rudo + +[ Upstream commit 2d2e7075b87181ed0c675e4936e20bdadba02e1f ] + +The vmcoreinfo of a crashed system is potentially fragmented. Thus the +crash kernel has an intermediate step where the vmcoreinfo is copied into a +temporary, continuous buffer in the crash kernel memory. This temporary +buffer is never freed. Free it now to prevent the memleak. + +While at it replace all occurrences of "VMCOREINFO" by its corresponding +macro to prevent potential renaming issues. + +Signed-off-by: Philipp Rudo +Acked-by: Heiko Carstens +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/crash_dump.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/arch/s390/kernel/crash_dump.c ++++ b/arch/s390/kernel/crash_dump.c +@@ -404,11 +404,13 @@ static void *get_vmcoreinfo_old(unsigned + if (copy_oldmem_kernel(nt_name, addr + sizeof(note), + sizeof(nt_name) - 1)) + return NULL; +- if (strcmp(nt_name, "VMCOREINFO") != 0) ++ if (strcmp(nt_name, VMCOREINFO_NOTE_NAME) != 0) + return NULL; + vmcoreinfo = kzalloc_panic(note.n_descsz); +- if (copy_oldmem_kernel(vmcoreinfo, addr + 24, note.n_descsz)) ++ if (copy_oldmem_kernel(vmcoreinfo, addr + 24, note.n_descsz)) { ++ kfree(vmcoreinfo); + return NULL; ++ } + *size = note.n_descsz; + return vmcoreinfo; + } +@@ -418,15 +420,20 @@ static void *get_vmcoreinfo_old(unsigned + */ + static void *nt_vmcoreinfo(void *ptr) + { ++ const char *name = VMCOREINFO_NOTE_NAME; + unsigned long size; + void *vmcoreinfo; + + vmcoreinfo = os_info_old_entry(OS_INFO_VMCOREINFO, &size); +- if (!vmcoreinfo) +- vmcoreinfo = get_vmcoreinfo_old(&size); ++ if (vmcoreinfo) ++ return nt_init_name(ptr, 0, vmcoreinfo, size, name); ++ ++ vmcoreinfo = get_vmcoreinfo_old(&size); + if (!vmcoreinfo) + return ptr; +- return nt_init_name(ptr, 0, vmcoreinfo, size, "VMCOREINFO"); ++ ptr = nt_init_name(ptr, 0, vmcoreinfo, size, name); ++ kfree(vmcoreinfo); ++ return ptr; + } + + /* diff --git a/queue-4.18/samples-bpf-all-xdp-samples-should-unload-xdp-bpf-prog-on-sigterm.patch b/queue-4.18/samples-bpf-all-xdp-samples-should-unload-xdp-bpf-prog-on-sigterm.patch new file mode 100644 index 00000000000..34c5af0d8c0 --- /dev/null +++ b/queue-4.18/samples-bpf-all-xdp-samples-should-unload-xdp-bpf-prog-on-sigterm.patch @@ -0,0 +1,59 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Jesper Dangaard Brouer +Date: Wed, 15 Aug 2018 16:57:14 +0200 +Subject: samples/bpf: all XDP samples should unload xdp/bpf prog on SIGTERM + +From: Jesper Dangaard Brouer + +[ Upstream commit 817b89beb9d8876450fcde9155e17425c329569d ] + +It is common XDP practice to unload/deattach the XDP bpf program, +when the XDP sample program is Ctrl-C interrupted (SIGINT) or +killed (SIGTERM). + +The samples/bpf programs xdp_redirect_cpu and xdp_rxq_info, +forgot to trap signal SIGTERM (which is the default signal used +by the kill command). + +This was discovered by Red Hat QA, which automated scripts depend +on killing the XDP sample program after a timeout period. + +Fixes: fad3917e361b ("samples/bpf: add cpumap sample program xdp_redirect_cpu") +Fixes: 0fca931a6f21 ("samples/bpf: program demonstrating access to xdp_rxq_info") +Reported-by: Jean-Tsung Hsiao +Signed-off-by: Jesper Dangaard Brouer +Acked-by: Yonghong Song +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + samples/bpf/xdp_redirect_cpu_user.c | 3 ++- + samples/bpf/xdp_rxq_info_user.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/samples/bpf/xdp_redirect_cpu_user.c ++++ b/samples/bpf/xdp_redirect_cpu_user.c +@@ -679,8 +679,9 @@ int main(int argc, char **argv) + return EXIT_FAIL_OPTION; + } + +- /* Remove XDP program when program is interrupted */ ++ /* Remove XDP program when program is interrupted or killed */ + signal(SIGINT, int_exit); ++ signal(SIGTERM, int_exit); + + if (bpf_set_link_xdp_fd(ifindex, prog_fd[prog_num], xdp_flags) < 0) { + fprintf(stderr, "link set xdp fd failed\n"); +--- a/samples/bpf/xdp_rxq_info_user.c ++++ b/samples/bpf/xdp_rxq_info_user.c +@@ -534,8 +534,9 @@ int main(int argc, char **argv) + exit(EXIT_FAIL_BPF); + } + +- /* Remove XDP program when program is interrupted */ ++ /* Remove XDP program when program is interrupted or killed */ + signal(SIGINT, int_exit); ++ signal(SIGTERM, int_exit); + + if (bpf_set_link_xdp_fd(ifindex, prog_fd, xdp_flags) < 0) { + fprintf(stderr, "link set xdp fd failed\n"); diff --git a/queue-4.18/scripts-modpost-check-memory-allocation-results.patch b/queue-4.18/scripts-modpost-check-memory-allocation-results.patch new file mode 100644 index 00000000000..a82c244dcea --- /dev/null +++ b/queue-4.18/scripts-modpost-check-memory-allocation-results.patch @@ -0,0 +1,62 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Randy Dunlap +Date: Wed, 15 Aug 2018 12:30:38 -0700 +Subject: scripts: modpost: check memory allocation results + +From: Randy Dunlap + +[ Upstream commit 1f3aa9002dc6a0d59a4b599b4fc8f01cf43ef014 ] + +Fix missing error check for memory allocation functions in +scripts/mod/modpost.c. + +Fixes kernel bugzilla #200319: +https://bugzilla.kernel.org/show_bug.cgi?id=200319 + +Signed-off-by: Randy Dunlap +Cc: Yuexing Wang +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + scripts/mod/modpost.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -672,7 +672,7 @@ static void handle_modversions(struct mo + if (ELF_ST_TYPE(sym->st_info) == STT_SPARC_REGISTER) + break; + if (symname[0] == '.') { +- char *munged = strdup(symname); ++ char *munged = NOFAIL(strdup(symname)); + munged[0] = '_'; + munged[1] = toupper(munged[1]); + symname = munged; +@@ -1318,7 +1318,7 @@ static Elf_Sym *find_elf_symbol2(struct + static char *sec2annotation(const char *s) + { + if (match(s, init_exit_sections)) { +- char *p = malloc(20); ++ char *p = NOFAIL(malloc(20)); + char *r = p; + + *p++ = '_'; +@@ -1338,7 +1338,7 @@ static char *sec2annotation(const char * + strcat(p, " "); + return r; + } else { +- return strdup(""); ++ return NOFAIL(strdup("")); + } + } + +@@ -2036,7 +2036,7 @@ void buf_write(struct buffer *buf, const + { + if (buf->size - buf->pos < len) { + buf->size += len + SZ; +- buf->p = realloc(buf->p, buf->size); ++ buf->p = NOFAIL(realloc(buf->p, buf->size)); + } + strncpy(buf->p + buf->pos, s, len); + buf->pos += len; diff --git a/queue-4.18/scsi-aic94xx-fix-an-error-code-in-aic94xx_init.patch b/queue-4.18/scsi-aic94xx-fix-an-error-code-in-aic94xx_init.patch new file mode 100644 index 00000000000..68cebfd19cc --- /dev/null +++ b/queue-4.18/scsi-aic94xx-fix-an-error-code-in-aic94xx_init.patch @@ -0,0 +1,36 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Dan Carpenter +Date: Wed, 8 Aug 2018 17:29:09 +0300 +Subject: scsi: aic94xx: fix an error code in aic94xx_init() + +From: Dan Carpenter + +[ Upstream commit 0756c57bce3d26da2592d834d8910b6887021701 ] + +We accidentally return success instead of -ENOMEM on this error path. + +Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") +Signed-off-by: Dan Carpenter +Reviewed-by: Johannes Thumshirn +Reviewed-by: John Garry +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/aic94xx/aic94xx_init.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/aic94xx/aic94xx_init.c ++++ b/drivers/scsi/aic94xx/aic94xx_init.c +@@ -1030,8 +1030,10 @@ static int __init aic94xx_init(void) + + aic94xx_transport_template = + sas_domain_attach_transport(&aic94xx_transport_functions); +- if (!aic94xx_transport_template) ++ if (!aic94xx_transport_template) { ++ err = -ENOMEM; + goto out_destroy_caches; ++ } + + err = pci_register_driver(&aic94xx_pci_driver); + if (err) diff --git a/queue-4.18/selftests-powerpc-kill-child-processes-on-sigint.patch b/queue-4.18/selftests-powerpc-kill-child-processes-on-sigint.patch new file mode 100644 index 00000000000..18aac395281 --- /dev/null +++ b/queue-4.18/selftests-powerpc-kill-child-processes-on-sigint.patch @@ -0,0 +1,72 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Breno Leitao +Date: Tue, 7 Aug 2018 11:15:39 -0300 +Subject: selftests/powerpc: Kill child processes on SIGINT + +From: Breno Leitao + +[ Upstream commit 7c27a26e1ed5a7dd709aa19685d2c98f64e1cf0c ] + +There are some powerpc selftests, as tm/tm-unavailable, that run for a long +period (>120 seconds), and if it is interrupted, as pressing CRTL-C +(SIGINT), the foreground process (harness) dies but the child process and +threads continue to execute (with PPID = 1 now) in background. + +In this case, you'd think the whole test exited, but there are remaining +threads and processes being executed in background. Sometimes these +zombies processes are doing annoying things, as consuming the whole CPU or +dumping things to STDOUT. + +This patch fixes this problem by attaching an empty signal handler to +SIGINT in the harness process. This handler will interrupt (EINTR) the +parent process waitpid() call, letting the code to follow through the +normal flow, which will kill all the processes in the child process group. + +This patch also fixes a typo. + +Signed-off-by: Breno Leitao +Signed-off-by: Gustavo Romero +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/powerpc/harness.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/tools/testing/selftests/powerpc/harness.c ++++ b/tools/testing/selftests/powerpc/harness.c +@@ -85,13 +85,13 @@ wait: + return status; + } + +-static void alarm_handler(int signum) ++static void sig_handler(int signum) + { +- /* Jut wake us up from waitpid */ ++ /* Just wake us up from waitpid */ + } + +-static struct sigaction alarm_action = { +- .sa_handler = alarm_handler, ++static struct sigaction sig_action = { ++ .sa_handler = sig_handler, + }; + + void test_harness_set_timeout(uint64_t time) +@@ -106,8 +106,14 @@ int test_harness(int (test_function)(voi + test_start(name); + test_set_git_version(GIT_VERSION); + +- if (sigaction(SIGALRM, &alarm_action, NULL)) { +- perror("sigaction"); ++ if (sigaction(SIGINT, &sig_action, NULL)) { ++ perror("sigaction (sigint)"); ++ test_error(name); ++ return 1; ++ } ++ ++ if (sigaction(SIGALRM, &sig_action, NULL)) { ++ perror("sigaction (sigalrm)"); + test_error(name); + return 1; + } diff --git a/queue-4.18/selinux-cleanup-dentry-and-inodes-on-error-in-selinuxfs.patch b/queue-4.18/selinux-cleanup-dentry-and-inodes-on-error-in-selinuxfs.patch new file mode 100644 index 00000000000..7cd36b66fb0 --- /dev/null +++ b/queue-4.18/selinux-cleanup-dentry-and-inodes-on-error-in-selinuxfs.patch @@ -0,0 +1,119 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: nixiaoming +Date: Sun, 5 Aug 2018 17:10:36 +0800 +Subject: selinux: cleanup dentry and inodes on error in selinuxfs + +From: nixiaoming + +[ Upstream commit 7e4237faa7213c1cc1d0aa65a44c67ba4729ce9f ] + +If the resource requested by d_alloc_name is not added to the linked +list through d_add, then dput needs to be called to release the +subsequent abnormal branch to avoid resource leakage. + +Add missing dput to selinuxfs.c + +Signed-off-by: nixiaoming +[PM: tweak the subject line] +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/selinuxfs.c | 33 +++++++++++++++++++++++++-------- + 1 file changed, 25 insertions(+), 8 deletions(-) + +--- a/security/selinux/selinuxfs.c ++++ b/security/selinux/selinuxfs.c +@@ -1365,13 +1365,18 @@ static int sel_make_bools(struct selinux + + ret = -ENOMEM; + inode = sel_make_inode(dir->d_sb, S_IFREG | S_IRUGO | S_IWUSR); +- if (!inode) ++ if (!inode) { ++ dput(dentry); + goto out; ++ } + + ret = -ENAMETOOLONG; + len = snprintf(page, PAGE_SIZE, "/%s/%s", BOOL_DIR_NAME, names[i]); +- if (len >= PAGE_SIZE) ++ if (len >= PAGE_SIZE) { ++ dput(dentry); ++ iput(inode); + goto out; ++ } + + isec = (struct inode_security_struct *)inode->i_security; + ret = security_genfs_sid(fsi->state, "selinuxfs", page, +@@ -1586,8 +1591,10 @@ static int sel_make_avc_files(struct den + return -ENOMEM; + + inode = sel_make_inode(dir->d_sb, S_IFREG|files[i].mode); +- if (!inode) ++ if (!inode) { ++ dput(dentry); + return -ENOMEM; ++ } + + inode->i_fop = files[i].ops; + inode->i_ino = ++fsi->last_ino; +@@ -1632,8 +1639,10 @@ static int sel_make_initcon_files(struct + return -ENOMEM; + + inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO); +- if (!inode) ++ if (!inode) { ++ dput(dentry); + return -ENOMEM; ++ } + + inode->i_fop = &sel_initcon_ops; + inode->i_ino = i|SEL_INITCON_INO_OFFSET; +@@ -1733,8 +1742,10 @@ static int sel_make_perm_files(char *obj + + rc = -ENOMEM; + inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO); +- if (!inode) ++ if (!inode) { ++ dput(dentry); + goto out; ++ } + + inode->i_fop = &sel_perm_ops; + /* i+1 since perm values are 1-indexed */ +@@ -1763,8 +1774,10 @@ static int sel_make_class_dir_entries(ch + return -ENOMEM; + + inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO); +- if (!inode) ++ if (!inode) { ++ dput(dentry); + return -ENOMEM; ++ } + + inode->i_fop = &sel_class_ops; + inode->i_ino = sel_class_to_ino(index); +@@ -1838,8 +1851,10 @@ static int sel_make_policycap(struct sel + return -ENOMEM; + + inode = sel_make_inode(fsi->sb, S_IFREG | 0444); +- if (inode == NULL) ++ if (inode == NULL) { ++ dput(dentry); + return -ENOMEM; ++ } + + inode->i_fop = &sel_policycap_ops; + inode->i_ino = iter | SEL_POLICYCAP_INO_OFFSET; +@@ -1932,8 +1947,10 @@ static int sel_fill_super(struct super_b + + ret = -ENOMEM; + inode = sel_make_inode(sb, S_IFCHR | S_IRUGO | S_IWUGO); +- if (!inode) ++ if (!inode) { ++ dput(dentry); + goto err; ++ } + + inode->i_ino = ++fsi->last_ino; + isec = (struct inode_security_struct *)inode->i_security; diff --git a/queue-4.18/series b/queue-4.18/series index 1d2de5e0131..1eb3ec2616e 100644 --- a/queue-4.18/series +++ b/queue-4.18/series @@ -34,3 +34,120 @@ sctp-hold-transport-before-accessing-its-asoc-in-sctp_transport_get_next.patch mlxsw-spectrum_switchdev-do-not-leak-rifs-when-removing-bridge.patch vhost-correctly-check-the-iova-range-when-waking-virtqueue.patch hv_netvsc-ignore-devices-that-are-not-pci.patch +cifs-check-if-smb2-pdu-size-has-been-padded-and-suppress-the-warning.patch +hfsplus-don-t-return-0-when-fill_super-failed.patch +hfs-prevent-crash-on-exit-from-failed-search.patch +sunrpc-don-t-use-stack-buffer-with-scatterlist.patch +fork-don-t-copy-inconsistent-signal-handler-state-to-child.patch +fs-proc-vmcore.c-hide-vmcoredd_mmap_dumps-for-nommu-builds.patch +reiserfs-change-j_timestamp-type-to-time64_t.patch +iommu-rockchip-handle-errors-returned-from-pm-framework.patch +hfsplus-fix-null-dereference-in-hfsplus_lookup.patch +iommu-rockchip-move-irq-request-past-pm_runtime_enable.patch +fs-proc-kcore.c-use-__pa_symbol-for-kcore_text-list-entries.patch +fat-validate-i_start-before-using.patch +workqueue-skip-lockdep-wq-dependency-in-cancel_work_sync.patch +workqueue-re-add-lockdep-dependencies-for-flushing.patch +scripts-modpost-check-memory-allocation-results.patch +apparmor-fix-an-error-code-in-__aa_create_ns.patch +virtio-pci-legacy-validate-queue-pfn.patch +x86-mce-add-notifier_block-forward-declaration.patch +i2c-core-acpi-make-acpi_gsb_i2c_read_bytes-check-i2c_transfer-return-value.patch +ib-hfi1-invalid-numa-node-information-can-cause-a-divide-by-zero.patch +pwm-meson-fix-mux-clock-names.patch +perf-python-fix-pyrf_evlist__read_on_cpu-interface.patch +powerpc-topology-get-topology-for-shared-processors-at-boot.patch +mm-fadvise.c-fix-signed-overflow-ubsan-complaint.patch +mm-make-deferred_struct_page_init-explicitly-depend-on-sparsemem.patch +fs-dcache.c-fix-kmemcheck-splat-at-take_dentry_name_snapshot.patch +platform-x86-intel_punit_ipc-fix-build-errors.patch +bpf-sockmap-fix-map-elem-deletion-race-with-smap_stop_sock.patch +tcp-ulp-fix-leftover-icsk_ulp_ops-preventing-sock-from-reattach.patch +bpf-sockmap-fix-sock_map_ctx_update_elem-race-with-exist-noexist.patch +net-xdp-fix-suspicious-rcu-usage-warning.patch +bpf-sockmap-fix-leakage-of-smap_psock_map_entry.patch +samples-bpf-all-xdp-samples-should-unload-xdp-bpf-prog-on-sigterm.patch +netfilter-ip6t_rpfilter-set-f_iface-for-linklocal-addresses.patch +s390-kdump-fix-memleak-in-nt_vmcoreinfo.patch +ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_dest.patch +mfd-sm501-set-coherent_dma_mask-when-creating-subdevices.patch +netfilter-x_tables-do-not-fail-xt_alloc_table_info-too-easilly.patch +tracing-handle-cc_flags_ftrace-more-accurately.patch +platform-x86-asus-nb-wmi-add-keymap-entry-for-lid-flip-action-on-ux360.patch +netfilter-fix-memory-leaks-on-netlink_dump_start-error.patch +tcp-ulp-add-alias-for-all-ulp-modules.patch +ubi-initialize-fastmap-checkmapping-correctly.patch +rdma-hns-fix-usage-of-bitmap-allocation-functions-return-values.patch +acpica-acpica-add-status-check-for-acpi_hw_read-before-assigning-return-value.patch +perf-arm-spe-fix-uninitialized-record-error-variable.patch +net-hns3-fix-for-command-format-parsing-error-in-hclge_is_all_function_id_zero.patch +block-don-t-warn-for-flush-on-read-only-device.patch +net-hns3-fix-for-phy-link-issue-when-using-marvell-phy-driver.patch +pci-match-root-port-s-mps-to-endpoint-s-mpss-as-necessary.patch +drm-amd-display-guard-against-null-crtc-in-crc-irq.patch +coccicheck-return-proper-error-code-on-fail.patch +perf-tools-check-for-null-when-copying-nsinfo.patch +f2fs-avoid-race-between-zero_range-and-background-gc.patch +f2fs-fix-avoid-race-between-truncate-and-background-gc.patch +risc-v-use-kbuild_cflags-instead-of-kcflags-when-building-the-vdso.patch +irqchip-stm32-fix-init-error-handling.patch +irqchip-bcm7038-l1-hide-cpu-offline-callback-when-building-for-smp.patch +net-9p-trans_fd.c-fix-race-by-holding-the-lock.patch +net-9p-fix-error-path-of-p9_virtio_probe.patch +f2fs-fix-to-clear-pg_checked-flag-in-set_page_dirty.patch +pinctrl-axp209-fix-null-pointer-dereference-after-allocation.patch +bpf-fix-bpffs-non-array-map-seq_show-issue.patch +powerpc-uaccess-enable-get_user-u64-p-on-32-bit.patch +powerpc-fix-size-calculation-using-resource_size.patch +perf-probe-powerpc-fix-trace-event-post-processing.patch +block-bvec_nr_vecs-returns-value-for-wrong-slab.patch +brcmfmac-fix-brcmf_wiphy_wowl_params-null-pointer-dereference.patch +s390-dasd-fix-hanging-offline-processing-due-to-canceled-worker.patch +s390-dasd-fix-panic-for-failed-online-processing.patch +acpi-scan-initialize-status-to-acpi_sta_default.patch +blk-mq-count-the-hctx-as-active-before-allocating-tag.patch +scsi-aic94xx-fix-an-error-code-in-aic94xx_init.patch +nfsv4-fix-error-handling-in-nfs4_sp4_select_mode.patch +input-do-not-use-warn-in-input_alloc_absinfo.patch +xen-balloon-fix-balloon-initialization-for-pvh-dom0.patch +pci-mvebu-fix-i-o-space-end-address-calculation.patch +dm-kcopyd-avoid-softlockup-in-run_complete_job.patch +staging-comedi-ni_mio_common-fix-subdevice-flags-for-pfi-subdevice.patch +asoc-rt5677-fix-initialization-of-rt5677_of_match.data.patch +iommu-omap-fix-cache-flushes-on-l2-table-entries.patch +selftests-powerpc-kill-child-processes-on-sigint.patch +selinux-cleanup-dentry-and-inodes-on-error-in-selinuxfs.patch +rds-ib-fix-passing-zero-to-err_ptr-warning.patch +cfq-suppress-compiler-warnings-about-comparisons.patch +smb3-fix-reset-of-bytes-read-and-written-stats.patch +cifs-fix-memory-leak-and-remove-dead-code.patch +smb3-number-of-requests-sent-should-be-displayed-for-smb3-not-just-cifs.patch +smb3-if-server-does-not-support-posix-do-not-allow-posix-mount-option.patch +powerpc-platforms-85xx-fix-t1042rdb_diu.c-build-errors-warning.patch +powerpc-64s-make-rfi_flush_fallback-a-little-more-robust.patch +um-fix-parallel-building-with-o-option.patch +powerpc-pseries-avoid-using-the-size-greater-than-rtas_error_log_max.patch +clk-rockchip-add-pclk_rkpwm_pmu-to-pmu-critical-clocks-in-rk3399.patch +drm-amd-display-read-back-max-backlight-value-at-boot.patch +kvm-vmx-track-host_state.loaded-using-a-loaded_vmcs-pointer.patch +kvm-nvmx-fix-fault-vector-for-vmx-operation-at-cpl-0.patch +drm-etnaviv-fix-crash-in-gpu-suspend-when-init-failed-due-to-buffer-placement.patch +btrfs-exit-gracefully-when-chunk-map-cannot-be-inserted-to-the-tree.patch +btrfs-replace-reset-on-disk-dev-stats-value-after-replace.patch +btrfs-fix-in-memory-value-of-total_devices-after-seed-device-deletion.patch +btrfs-relocation-only-remove-reloc-rb_trees-if-reloc-control-has-been-initialized.patch +btrfs-tree-checker-detect-invalid-and-empty-essential-trees.patch +btrfs-check-integrity-fix-null-pointer-dereference-for-degraded-mount.patch +btrfs-lift-uuid_mutex-to-callers-of-btrfs_open_devices.patch +btrfs-don-t-remove-block-group-that-still-has-pinned-down-bytes.patch +btrfs-fix-a-c-compliance-issue.patch +arm64-rockchip-force-config_pm-on-rockchip-systems.patch +arm-rockchip-force-config_pm-on-rockchip-systems.patch +btrfs-do-btrfs_free_stale_devices-outside-of-device_list_add.patch +btrfs-extend-locked-section-when-adding-a-new-device-in-device_list_add.patch +btrfs-rename-local-devices-for-fs_devices-in-btrfs_free_stale_devices.patch +btrfs-use-device_list_mutex-when-removing-stale-devices.patch +btrfs-lift-uuid_mutex-to-callers-of-btrfs_scan_one_device.patch +btrfs-lift-uuid_mutex-to-callers-of-btrfs_parse_early_options.patch +btrfs-reorder-initialization-before-the-mount-locks-uuid_mutex.patch +btrfs-fix-mount-and-ioctl-device-scan-ioctl-race.patch diff --git a/queue-4.18/smb3-fix-reset-of-bytes-read-and-written-stats.patch b/queue-4.18/smb3-fix-reset-of-bytes-read-and-written-stats.patch new file mode 100644 index 00000000000..d4544562335 --- /dev/null +++ b/queue-4.18/smb3-fix-reset-of-bytes-read-and-written-stats.patch @@ -0,0 +1,60 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Steve French +Date: Wed, 1 Aug 2018 00:56:12 -0500 +Subject: smb3: fix reset of bytes read and written stats + +From: Steve French + +[ Upstream commit c281bc0c7412308c7ec0888904f7c99353da4796 ] + +echo 0 > /proc/fs/cifs/Stats is supposed to reset the stats +but there were four (see example below) that were not reset +(bytes read and witten, total vfs ops and max ops +at one time). + +... +0 session 0 share reconnects +Total vfs operations: 100 maximum at one time: 2 + +1) \\localhost\test +SMBs: 0 +Bytes read: 502092 Bytes written: 31457286 +TreeConnects: 0 total 0 failed +TreeDisconnects: 0 total 0 failed +... + +This patch fixes cifs_stats_proc_write to properly reset +those four. + +Signed-off-by: Steve French +Reviewed-by: Aurelien Aptel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifs_debug.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/cifs/cifs_debug.c ++++ b/fs/cifs/cifs_debug.c +@@ -383,6 +383,10 @@ static ssize_t cifs_stats_proc_write(str + atomic_set(&totBufAllocCount, 0); + atomic_set(&totSmBufAllocCount, 0); + #endif /* CONFIG_CIFS_STATS2 */ ++ spin_lock(&GlobalMid_Lock); ++ GlobalMaxActiveXid = 0; ++ GlobalCurrentXid = 0; ++ spin_unlock(&GlobalMid_Lock); + spin_lock(&cifs_tcp_ses_lock); + list_for_each(tmp1, &cifs_tcp_ses_list) { + server = list_entry(tmp1, struct TCP_Server_Info, +@@ -395,6 +399,10 @@ static ssize_t cifs_stats_proc_write(str + struct cifs_tcon, + tcon_list); + atomic_set(&tcon->num_smbs_sent, 0); ++ spin_lock(&tcon->stat_lock); ++ tcon->bytes_read = 0; ++ tcon->bytes_written = 0; ++ spin_unlock(&tcon->stat_lock); + if (server->ops->clear_stats) + server->ops->clear_stats(tcon); + } diff --git a/queue-4.18/smb3-if-server-does-not-support-posix-do-not-allow-posix-mount-option.patch b/queue-4.18/smb3-if-server-does-not-support-posix-do-not-allow-posix-mount-option.patch new file mode 100644 index 00000000000..902e9ba0452 --- /dev/null +++ b/queue-4.18/smb3-if-server-does-not-support-posix-do-not-allow-posix-mount-option.patch @@ -0,0 +1,41 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Steve French +Date: Mon, 18 Jun 2018 14:01:59 -0500 +Subject: smb3: if server does not support posix do not allow posix mount option + +From: Steve French + +[ Upstream commit 8505c8bfd85a260c9dc5c47e15bd8c5357fcbcd2 ] + +If user specifies "posix" on an SMB3.11 mount, then fail the mount +if server does not return the POSIX negotiate context indicating +support for posix. + +Signed-off-by: Steve French +Reviewed-by: Aurelien Aptel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/connect.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -3031,11 +3031,15 @@ cifs_get_tcon(struct cifs_ses *ses, stru + } + + #ifdef CONFIG_CIFS_SMB311 +- if ((volume_info->linux_ext) && (ses->server->posix_ext_supported)) { +- if (ses->server->vals->protocol_id == SMB311_PROT_ID) { ++ if (volume_info->linux_ext) { ++ if (ses->server->posix_ext_supported) { + tcon->posix_extensions = true; + printk_once(KERN_WARNING + "SMB3.11 POSIX Extensions are experimental\n"); ++ } else { ++ cifs_dbg(VFS, "Server does not support mounting with posix SMB3.11 extensions.\n"); ++ rc = -EOPNOTSUPP; ++ goto out_fail; + } + } + #endif /* 311 */ diff --git a/queue-4.18/smb3-number-of-requests-sent-should-be-displayed-for-smb3-not-just-cifs.patch b/queue-4.18/smb3-number-of-requests-sent-should-be-displayed-for-smb3-not-just-cifs.patch new file mode 100644 index 00000000000..785edb38ff2 --- /dev/null +++ b/queue-4.18/smb3-number-of-requests-sent-should-be-displayed-for-smb3-not-just-cifs.patch @@ -0,0 +1,65 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Steve French +Date: Mon, 23 Jul 2018 09:15:18 -0500 +Subject: SMB3: Number of requests sent should be displayed for SMB3 not just CIFS + +From: Steve French + +[ Upstream commit 289131e1f1e6ad8c661ec05e176b8f0915672059 ] + +For SMB2/SMB3 the number of requests sent was not displayed +in /proc/fs/cifs/Stats unless CONFIG_CIFS_STATS2 was +enabled (only number of failed requests displayed). As +with earlier dialects, we should be displaying these +counters if CONFIG_CIFS_STATS is enabled. They +are important for debugging. + +e.g. when you cat /proc/fs/cifs/Stats (before the patch) +Resources in use +CIFS Session: 1 +Share (unique mount targets): 2 +SMB Request/Response Buffer: 1 Pool size: 5 +SMB Small Req/Resp Buffer: 1 Pool size: 30 +Operations (MIDs): 0 + +0 session 0 share reconnects +Total vfs operations: 690 maximum at one time: 2 + +1) \\localhost\test +SMBs: 975 +Negotiates: 0 sent 0 failed +SessionSetups: 0 sent 0 failed +Logoffs: 0 sent 0 failed +TreeConnects: 0 sent 0 failed +TreeDisconnects: 0 sent 0 failed +Creates: 0 sent 2 failed +Closes: 0 sent 0 failed +Flushes: 0 sent 0 failed +Reads: 0 sent 0 failed +Writes: 0 sent 0 failed +Locks: 0 sent 0 failed +IOCTLs: 0 sent 1 failed +Cancels: 0 sent 0 failed +Echos: 0 sent 0 failed +QueryDirectories: 0 sent 63 failed + +Signed-off-by: Steve French +Reviewed-by: Aurelien Aptel +Reviewed-by: Pavel Shilovsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2pdu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -360,7 +360,7 @@ smb2_plain_req_init(__le16 smb2_command, + total_len); + + if (tcon != NULL) { +-#ifdef CONFIG_CIFS_STATS2 ++#ifdef CONFIG_CIFS_STATS + uint16_t com_code = le16_to_cpu(smb2_command); + cifs_stats_inc(&tcon->stats.smb2_stats.smb2_com_sent[com_code]); + #endif diff --git a/queue-4.18/staging-comedi-ni_mio_common-fix-subdevice-flags-for-pfi-subdevice.patch b/queue-4.18/staging-comedi-ni_mio_common-fix-subdevice-flags-for-pfi-subdevice.patch new file mode 100644 index 00000000000..3257db8790b --- /dev/null +++ b/queue-4.18/staging-comedi-ni_mio_common-fix-subdevice-flags-for-pfi-subdevice.patch @@ -0,0 +1,46 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Ian Abbott +Date: Mon, 6 Aug 2018 11:05:13 +0100 +Subject: staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice + +From: Ian Abbott + +[ Upstream commit e083926b3e269d4064825dcf2ad50c636fddf8cf ] + +The PFI subdevice flags indicate that the subdevice is readable and +writeable, but that is only true for the supported "M-series" boards, +not the older "E-series" boards. Only set the SDF_READABLE and +SDF_WRITABLE subdevice flags for the M-series boards. These two flags +are mainly for informational purposes. + +Signed-off-by: Ian Abbott +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/comedi/drivers/ni_mio_common.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/staging/comedi/drivers/ni_mio_common.c ++++ b/drivers/staging/comedi/drivers/ni_mio_common.c +@@ -5446,11 +5446,11 @@ static int ni_E_init(struct comedi_devic + /* Digital I/O (PFI) subdevice */ + s = &dev->subdevices[NI_PFI_DIO_SUBDEV]; + s->type = COMEDI_SUBD_DIO; +- s->subdev_flags = SDF_READABLE | SDF_WRITABLE | SDF_INTERNAL; + s->maxdata = 1; + if (devpriv->is_m_series) { + s->n_chan = 16; + s->insn_bits = ni_pfi_insn_bits; ++ s->subdev_flags = SDF_READABLE | SDF_WRITABLE | SDF_INTERNAL; + + ni_writew(dev, s->state, NI_M_PFI_DO_REG); + for (i = 0; i < NUM_PFI_OUTPUT_SELECT_REGS; ++i) { +@@ -5459,6 +5459,7 @@ static int ni_E_init(struct comedi_devic + } + } else { + s->n_chan = 10; ++ s->subdev_flags = SDF_INTERNAL; + } + s->insn_config = ni_pfi_insn_config; + diff --git a/queue-4.18/sunrpc-don-t-use-stack-buffer-with-scatterlist.patch b/queue-4.18/sunrpc-don-t-use-stack-buffer-with-scatterlist.patch new file mode 100644 index 00000000000..afdbfa04498 --- /dev/null +++ b/queue-4.18/sunrpc-don-t-use-stack-buffer-with-scatterlist.patch @@ -0,0 +1,105 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Laura Abbott +Date: Fri, 17 Aug 2018 14:43:54 -0700 +Subject: sunrpc: Don't use stack buffer with scatterlist + +From: Laura Abbott + +[ Upstream commit 44090cc876926277329e1608bafc01b9f6da627f ] + +Fedora got a bug report from NFS: + +kernel BUG at include/linux/scatterlist.h:143! +... +RIP: 0010:sg_init_one+0x7d/0x90 +.. + make_checksum+0x4e7/0x760 [rpcsec_gss_krb5] + gss_get_mic_kerberos+0x26e/0x310 [rpcsec_gss_krb5] + gss_marshal+0x126/0x1a0 [auth_rpcgss] + ? __local_bh_enable_ip+0x80/0xe0 + ? call_transmit_status+0x1d0/0x1d0 [sunrpc] + call_transmit+0x137/0x230 [sunrpc] + __rpc_execute+0x9b/0x490 [sunrpc] + rpc_run_task+0x119/0x150 [sunrpc] + nfs4_run_exchange_id+0x1bd/0x250 [nfsv4] + _nfs4_proc_exchange_id+0x2d/0x490 [nfsv4] + nfs41_discover_server_trunking+0x1c/0xa0 [nfsv4] + nfs4_discover_server_trunking+0x80/0x270 [nfsv4] + nfs4_init_client+0x16e/0x240 [nfsv4] + ? nfs_get_client+0x4c9/0x5d0 [nfs] + ? _raw_spin_unlock+0x24/0x30 + ? nfs_get_client+0x4c9/0x5d0 [nfs] + nfs4_set_client+0xb2/0x100 [nfsv4] + nfs4_create_server+0xff/0x290 [nfsv4] + nfs4_remote_mount+0x28/0x50 [nfsv4] + mount_fs+0x3b/0x16a + vfs_kern_mount.part.35+0x54/0x160 + nfs_do_root_mount+0x7f/0xc0 [nfsv4] + nfs4_try_mount+0x43/0x70 [nfsv4] + ? get_nfs_version+0x21/0x80 [nfs] + nfs_fs_mount+0x789/0xbf0 [nfs] + ? pcpu_alloc+0x6ca/0x7e0 + ? nfs_clone_super+0x70/0x70 [nfs] + ? nfs_parse_mount_options+0xb40/0xb40 [nfs] + mount_fs+0x3b/0x16a + vfs_kern_mount.part.35+0x54/0x160 + do_mount+0x1fd/0xd50 + ksys_mount+0xba/0xd0 + __x64_sys_mount+0x21/0x30 + do_syscall_64+0x60/0x1f0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +This is BUG_ON(!virt_addr_valid(buf)) triggered by using a stack +allocated buffer with a scatterlist. Convert the buffer for +rc4salt to be dynamically allocated instead. + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1615258 +Signed-off-by: Laura Abbott +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/auth_gss/gss_krb5_crypto.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c ++++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c +@@ -169,7 +169,7 @@ make_checksum_hmac_md5(struct krb5_ctx * + struct scatterlist sg[1]; + int err = -1; + u8 *checksumdata; +- u8 rc4salt[4]; ++ u8 *rc4salt; + struct crypto_ahash *md5; + struct crypto_ahash *hmac_md5; + struct ahash_request *req; +@@ -183,14 +183,18 @@ make_checksum_hmac_md5(struct krb5_ctx * + return GSS_S_FAILURE; + } + ++ rc4salt = kmalloc_array(4, sizeof(*rc4salt), GFP_NOFS); ++ if (!rc4salt) ++ return GSS_S_FAILURE; ++ + if (arcfour_hmac_md5_usage_to_salt(usage, rc4salt)) { + dprintk("%s: invalid usage value %u\n", __func__, usage); +- return GSS_S_FAILURE; ++ goto out_free_rc4salt; + } + + checksumdata = kmalloc(GSS_KRB5_MAX_CKSUM_LEN, GFP_NOFS); + if (!checksumdata) +- return GSS_S_FAILURE; ++ goto out_free_rc4salt; + + md5 = crypto_alloc_ahash("md5", 0, CRYPTO_ALG_ASYNC); + if (IS_ERR(md5)) +@@ -258,6 +262,8 @@ out_free_md5: + crypto_free_ahash(md5); + out_free_cksum: + kfree(checksumdata); ++out_free_rc4salt: ++ kfree(rc4salt); + return err ? GSS_S_FAILURE : 0; + } + diff --git a/queue-4.18/tcp-ulp-add-alias-for-all-ulp-modules.patch b/queue-4.18/tcp-ulp-add-alias-for-all-ulp-modules.patch new file mode 100644 index 00000000000..4be7ba850d2 --- /dev/null +++ b/queue-4.18/tcp-ulp-add-alias-for-all-ulp-modules.patch @@ -0,0 +1,93 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Daniel Borkmann +Date: Thu, 16 Aug 2018 21:49:06 +0200 +Subject: tcp, ulp: add alias for all ulp modules + +From: Daniel Borkmann + +[ Upstream commit 037b0b86ecf5646f8eae777d8b52ff8b401692ec ] + +Lets not turn the TCP ULP lookup into an arbitrary module loader as +we only intend to load ULP modules through this mechanism, not other +unrelated kernel modules: + + [root@bar]# cat foo.c + #include + #include + #include + #include + + int main(void) + { + int sock = socket(PF_INET, SOCK_STREAM, 0); + setsockopt(sock, IPPROTO_TCP, TCP_ULP, "sctp", sizeof("sctp")); + return 0; + } + + [root@bar]# gcc foo.c -O2 -Wall + [root@bar]# lsmod | grep sctp + [root@bar]# ./a.out + [root@bar]# lsmod | grep sctp + sctp 1077248 4 + libcrc32c 16384 3 nf_conntrack,nf_nat,sctp + [root@bar]# + +Fix it by adding module alias to TCP ULP modules, so probing module +via request_module() will be limited to tcp-ulp-[name]. The existing +modules like kTLS will load fine given tcp-ulp-tls alias, but others +will fail to load: + + [root@bar]# lsmod | grep sctp + [root@bar]# ./a.out + [root@bar]# lsmod | grep sctp + [root@bar]# + +Sockmap is not affected from this since it's either built-in or not. + +Fixes: 734942cc4ea6 ("tcp: ULP infrastructure") +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Acked-by: Song Liu +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/tcp.h | 4 ++++ + net/ipv4/tcp_ulp.c | 2 +- + net/tls/tls_main.c | 1 + + 3 files changed, 6 insertions(+), 1 deletion(-) + +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -2023,6 +2023,10 @@ int tcp_set_ulp_id(struct sock *sk, cons + void tcp_get_available_ulp(char *buf, size_t len); + void tcp_cleanup_ulp(struct sock *sk); + ++#define MODULE_ALIAS_TCP_ULP(name) \ ++ __MODULE_INFO(alias, alias_userspace, name); \ ++ __MODULE_INFO(alias, alias_tcp_ulp, "tcp-ulp-" name) ++ + /* Call BPF_SOCK_OPS program that returns an int. If the return value + * is < 0, then the BPF op failed (for example if the loaded BPF + * program does not support the chosen operation or there is no BPF +--- a/net/ipv4/tcp_ulp.c ++++ b/net/ipv4/tcp_ulp.c +@@ -51,7 +51,7 @@ static const struct tcp_ulp_ops *__tcp_u + #ifdef CONFIG_MODULES + if (!ulp && capable(CAP_NET_ADMIN)) { + rcu_read_unlock(); +- request_module("%s", name); ++ request_module("tcp-ulp-%s", name); + rcu_read_lock(); + ulp = tcp_ulp_find(name); + } +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -45,6 +45,7 @@ + MODULE_AUTHOR("Mellanox Technologies"); + MODULE_DESCRIPTION("Transport Layer Security Support"); + MODULE_LICENSE("Dual BSD/GPL"); ++MODULE_ALIAS_TCP_ULP("tls"); + + enum { + TLSV4, diff --git a/queue-4.18/tcp-ulp-fix-leftover-icsk_ulp_ops-preventing-sock-from-reattach.patch b/queue-4.18/tcp-ulp-fix-leftover-icsk_ulp_ops-preventing-sock-from-reattach.patch new file mode 100644 index 00000000000..3f689af42ae --- /dev/null +++ b/queue-4.18/tcp-ulp-fix-leftover-icsk_ulp_ops-preventing-sock-from-reattach.patch @@ -0,0 +1,46 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Daniel Borkmann +Date: Thu, 16 Aug 2018 21:49:07 +0200 +Subject: tcp, ulp: fix leftover icsk_ulp_ops preventing sock from reattach + +From: Daniel Borkmann + +[ Upstream commit 90545cdc3f2b2ea700e24335610cd181e73756da ] + +I found that in BPF sockmap programs once we either delete a socket +from the map or we updated a map slot and the old socket was purged +from the map that these socket can never get reattached into a map +even though their related psock has been dropped entirely at that +point. + +Reason is that tcp_cleanup_ulp() leaves the old icsk->icsk_ulp_ops +intact, so that on the next tcp_set_ulp_id() the kernel returns an +-EEXIST thinking there is still some active ULP attached. + +BPF sockmap is the only one that has this issue as the other user, +kTLS, only calls tcp_cleanup_ulp() from tcp_v4_destroy_sock() whereas +sockmap semantics allow dropping the socket from the map with all +related psock state being cleaned up. + +Fixes: 1aa12bdf1bfb ("bpf: sockmap, add sock close() hook to remove socks") +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Acked-by: Song Liu +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_ulp.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ipv4/tcp_ulp.c ++++ b/net/ipv4/tcp_ulp.c +@@ -129,6 +129,8 @@ void tcp_cleanup_ulp(struct sock *sk) + if (icsk->icsk_ulp_ops->release) + icsk->icsk_ulp_ops->release(sk); + module_put(icsk->icsk_ulp_ops->owner); ++ ++ icsk->icsk_ulp_ops = NULL; + } + + /* Change upper layer protocol for socket */ diff --git a/queue-4.18/tracing-handle-cc_flags_ftrace-more-accurately.patch b/queue-4.18/tracing-handle-cc_flags_ftrace-more-accurately.patch new file mode 100644 index 00000000000..2f02ef5d212 --- /dev/null +++ b/queue-4.18/tracing-handle-cc_flags_ftrace-more-accurately.patch @@ -0,0 +1,54 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Vasily Gorbik +Date: Mon, 6 Aug 2018 15:17:42 +0200 +Subject: tracing: Handle CC_FLAGS_FTRACE more accurately + +From: Vasily Gorbik + +[ Upstream commit f28bc3c32c059ab4d13f52155fabd3e20f477f65 ] + +CC_FLAGS_FTRACE is exported and later used to remove ftrace relevant +build flags from files which should be built without ftrace support. +For that reason add -mfentry to CC_FLAGS_FTRACE as well. That fixes +a problem with vdso32 build on s390, where -mfentry could not be used +together with -m31 flag. + +At the same time flags like -pg and -mfentry are not relevant for asm +files, so avoid adding them to KBUILD_AFLAGS. + +Introduce CC_FLAGS_USING instead of CC_USING_FENTRY to collect +-DCC_USING_FENTRY (and future alike) which are relevant for both +KBUILD_CFLAGS and KBUILD_AFLAGS. + +Link: http://lkml.kernel.org/r/patch-1.thread-aa7b8d.git-42971afe87de.your-ad-here.call-01533557518-ext-9465@work.hours + +Signed-off-by: Vasily Gorbik +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Makefile | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/Makefile ++++ b/Makefile +@@ -747,12 +747,15 @@ ifdef CONFIG_FUNCTION_TRACER + ifndef CC_FLAGS_FTRACE + CC_FLAGS_FTRACE := -pg + endif +-export CC_FLAGS_FTRACE + ifdef CONFIG_HAVE_FENTRY +-CC_USING_FENTRY := $(call cc-option, -mfentry -DCC_USING_FENTRY) ++ ifeq ($(call cc-option-yn, -mfentry),y) ++ CC_FLAGS_FTRACE += -mfentry ++ CC_FLAGS_USING += -DCC_USING_FENTRY ++ endif + endif +-KBUILD_CFLAGS += $(CC_FLAGS_FTRACE) $(CC_USING_FENTRY) +-KBUILD_AFLAGS += $(CC_USING_FENTRY) ++export CC_FLAGS_FTRACE ++KBUILD_CFLAGS += $(CC_FLAGS_FTRACE) $(CC_FLAGS_USING) ++KBUILD_AFLAGS += $(CC_FLAGS_USING) + ifdef CONFIG_DYNAMIC_FTRACE + ifdef CONFIG_HAVE_C_RECORDMCOUNT + BUILD_C_RECORDMCOUNT := y diff --git a/queue-4.18/ubi-initialize-fastmap-checkmapping-correctly.patch b/queue-4.18/ubi-initialize-fastmap-checkmapping-correctly.patch new file mode 100644 index 00000000000..ff4e8f78794 --- /dev/null +++ b/queue-4.18/ubi-initialize-fastmap-checkmapping-correctly.patch @@ -0,0 +1,57 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Richard Weinberger +Date: Tue, 12 Jun 2018 09:33:16 +0200 +Subject: ubi: Initialize Fastmap checkmapping correctly + +From: Richard Weinberger + +[ Upstream commit 25677478474a91fa1b46f19a4a591a9848bca6fb ] + +We cannot do it last, otherwithse it will be skipped for dynamic +volumes. + +Reported-by: Lachmann, Juergen +Fixes: 34653fd8c46e ("ubi: fastmap: Check each mapping only once") +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/ubi/vtbl.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/drivers/mtd/ubi/vtbl.c ++++ b/drivers/mtd/ubi/vtbl.c +@@ -579,6 +579,16 @@ static int init_volumes(struct ubi_devic + reserved_pebs += vol->reserved_pebs; + + /* ++ * We use ubi->peb_count and not vol->reserved_pebs because ++ * we want to keep the code simple. Otherwise we'd have to ++ * resize/check the bitmap upon volume resize too. ++ * Allocating a few bytes more does not hurt. ++ */ ++ err = ubi_fastmap_init_checkmap(vol, ubi->peb_count); ++ if (err) ++ return err; ++ ++ /* + * In case of dynamic volume UBI knows nothing about how many + * data is stored there. So assume the whole volume is used. + */ +@@ -620,16 +630,6 @@ static int init_volumes(struct ubi_devic + (long long)(vol->used_ebs - 1) * vol->usable_leb_size; + vol->used_bytes += av->last_data_size; + vol->last_eb_bytes = av->last_data_size; +- +- /* +- * We use ubi->peb_count and not vol->reserved_pebs because +- * we want to keep the code simple. Otherwise we'd have to +- * resize/check the bitmap upon volume resize too. +- * Allocating a few bytes more does not hurt. +- */ +- err = ubi_fastmap_init_checkmap(vol, ubi->peb_count); +- if (err) +- return err; + } + + /* And add the layout volume */ diff --git a/queue-4.18/um-fix-parallel-building-with-o-option.patch b/queue-4.18/um-fix-parallel-building-with-o-option.patch new file mode 100644 index 00000000000..ee87cfbfcc0 --- /dev/null +++ b/queue-4.18/um-fix-parallel-building-with-o-option.patch @@ -0,0 +1,73 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Masahiro Yamada +Date: Sat, 4 Aug 2018 13:47:01 +0900 +Subject: um: fix parallel building with O= option + +From: Masahiro Yamada + +[ Upstream commit 13d3d01e26b942ada7cfced68ccb6db49597874a ] + +Randy Dunlap reports UML occasionally fails to build with -j and +O= options. + + make[1]: Entering directory '/home/rdunlap/mmotm-2018-0802-1529/UM64' + UPD include/generated/uapi/linux/version.h + WRAP arch/x86/include/generated/asm/dma-contiguous.h + WRAP arch/x86/include/generated/asm/export.h + WRAP arch/x86/include/generated/asm/early_ioremap.h + WRAP arch/x86/include/generated/asm/mcs_spinlock.h + WRAP arch/x86/include/generated/asm/mm-arch-hooks.h + WRAP arch/x86/include/generated/uapi/asm/bpf_perf_event.h + WRAP arch/x86/include/generated/uapi/asm/poll.h + GEN ./Makefile + make[2]: *** No rule to make target 'archheaders'. Stop. + arch/um/Makefile:119: recipe for target 'archheaders' failed + make[1]: *** [archheaders] Error 2 + make[1]: *** Waiting for unfinished jobs.... + UPD include/config/kernel.release + make[1]: *** wait: No child processes. Stop. + Makefile:146: recipe for target 'sub-make' failed + make: *** [sub-make] Error 2 + +The cause of the problem is the use of '$(MAKE) KBUILD_SRC=', +which recurses to the top Makefile via the $(objtree)/Makefile +generated by scripts/mkmakefile. + +When you run "make -j O= ARCH=um", Make can execute +'archheaders' and 'outputmakefile' targets simultaneously because +there is no dependency between them. + +If it happens, + + $(Q)$(MAKE) KBUILD_SRC= ARCH=$(HEADER_ARCH) archheaders + +... tries to run $(objtree)/Makefile that is being updated. + +The correct way for the recursion is + + $(Q)$(MAKE) -f $(srctree)/Makefile ARCH=$(HEADER_ARCH) archheaders + +..., which does not rely on the generated Makefile. + +Reported-by: Randy Dunlap +Signed-off-by: Masahiro Yamada +Tested-by: Randy Dunlap +Acked-by: Richard Weinberger +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/um/Makefile | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/um/Makefile ++++ b/arch/um/Makefile +@@ -122,8 +122,7 @@ archheaders: + $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.asm-generic \ + kbuild-file=$(HOST_DIR)/include/uapi/asm/Kbuild \ + obj=$(HOST_DIR)/include/generated/uapi/asm +- $(Q)$(MAKE) KBUILD_SRC= ARCH=$(HEADER_ARCH) archheaders +- ++ $(Q)$(MAKE) -f $(srctree)/Makefile ARCH=$(HEADER_ARCH) archheaders + + archprepare: include/generated/user_constants.h + diff --git a/queue-4.18/virtio-pci-legacy-validate-queue-pfn.patch b/queue-4.18/virtio-pci-legacy-validate-queue-pfn.patch new file mode 100644 index 00000000000..70833de02db --- /dev/null +++ b/queue-4.18/virtio-pci-legacy-validate-queue-pfn.patch @@ -0,0 +1,70 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Suzuki K Poulose +Date: Wed, 18 Jul 2018 10:18:45 +0100 +Subject: virtio: pci-legacy: Validate queue pfn + +From: Suzuki K Poulose + +[ Upstream commit 69599206ea9a3f8f2e94d46580579cbf9d08ad6c ] + +Legacy PCI over virtio uses a 32bit PFN for the queue. If the +queue pfn is too large to fit in 32bits, which we could hit on +arm64 systems with 52bit physical addresses (even with 64K page +size), we simply miss out a proper link to the other side of +the queue. + +Add a check to validate the PFN, rather than silently breaking +the devices. + +Cc: "Michael S. Tsirkin" +Cc: Jason Wang +Cc: Marc Zyngier +Cc: Christoffer Dall +Cc: Peter Maydel +Cc: Jean-Philippe Brucker +Signed-off-by: Suzuki K Poulose +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/virtio/virtio_pci_legacy.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/virtio/virtio_pci_legacy.c ++++ b/drivers/virtio/virtio_pci_legacy.c +@@ -122,6 +122,7 @@ static struct virtqueue *setup_vq(struct + struct virtqueue *vq; + u16 num; + int err; ++ u64 q_pfn; + + /* Select the queue we're interested in */ + iowrite16(index, vp_dev->ioaddr + VIRTIO_PCI_QUEUE_SEL); +@@ -141,9 +142,17 @@ static struct virtqueue *setup_vq(struct + if (!vq) + return ERR_PTR(-ENOMEM); + ++ q_pfn = virtqueue_get_desc_addr(vq) >> VIRTIO_PCI_QUEUE_ADDR_SHIFT; ++ if (q_pfn >> 32) { ++ dev_err(&vp_dev->pci_dev->dev, ++ "platform bug: legacy virtio-mmio must not be used with RAM above 0x%llxGB\n", ++ 0x1ULL << (32 + PAGE_SHIFT - 30)); ++ err = -E2BIG; ++ goto out_del_vq; ++ } ++ + /* activate the queue */ +- iowrite32(virtqueue_get_desc_addr(vq) >> VIRTIO_PCI_QUEUE_ADDR_SHIFT, +- vp_dev->ioaddr + VIRTIO_PCI_QUEUE_PFN); ++ iowrite32(q_pfn, vp_dev->ioaddr + VIRTIO_PCI_QUEUE_PFN); + + vq->priv = (void __force *)vp_dev->ioaddr + VIRTIO_PCI_QUEUE_NOTIFY; + +@@ -160,6 +169,7 @@ static struct virtqueue *setup_vq(struct + + out_deactivate: + iowrite32(0, vp_dev->ioaddr + VIRTIO_PCI_QUEUE_PFN); ++out_del_vq: + vring_del_virtqueue(vq); + return ERR_PTR(err); + } diff --git a/queue-4.18/workqueue-re-add-lockdep-dependencies-for-flushing.patch b/queue-4.18/workqueue-re-add-lockdep-dependencies-for-flushing.patch new file mode 100644 index 00000000000..b03f4b410aa --- /dev/null +++ b/queue-4.18/workqueue-re-add-lockdep-dependencies-for-flushing.patch @@ -0,0 +1,69 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Johannes Berg +Date: Wed, 22 Aug 2018 11:49:04 +0200 +Subject: workqueue: re-add lockdep dependencies for flushing + +From: Johannes Berg + +[ Upstream commit 87915adc3f0acdf03c776df42e308e5a155c19af ] + +In flush_work(), we need to create a lockdep dependency so that +the following scenario is appropriately tagged as a problem: + + work_function() + { + mutex_lock(&mutex); + ... + } + + other_function() + { + mutex_lock(&mutex); + flush_work(&work); // or cancel_work_sync(&work); + } + +This is a problem since the work might be running and be blocked +on trying to acquire the mutex. + +Similarly, in flush_workqueue(). + +These were removed after cross-release partially caught these +problems, but now cross-release was reverted anyway. IMHO the +removal was erroneous anyway though, since lockdep should be +able to catch potential problems, not just actual ones, and +cross-release would only have caught the problem when actually +invoking wait_for_completion(). + +Fixes: fd1a5b04dfb8 ("workqueue: Remove now redundant lock acquisitions wrt. workqueue flushes") +Signed-off-by: Johannes Berg +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/workqueue.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -2652,6 +2652,9 @@ void flush_workqueue(struct workqueue_st + if (WARN_ON(!wq_online)) + return; + ++ lock_map_acquire(&wq->lockdep_map); ++ lock_map_release(&wq->lockdep_map); ++ + mutex_lock(&wq->mutex); + + /* +@@ -2905,6 +2908,11 @@ static bool __flush_work(struct work_str + if (WARN_ON(!wq_online)) + return false; + ++ if (!from_cancel) { ++ lock_map_acquire(&work->lockdep_map); ++ lock_map_release(&work->lockdep_map); ++ } ++ + if (start_flush_work(work, &barr, from_cancel)) { + wait_for_completion(&barr.done); + destroy_work_on_stack(&barr.work); diff --git a/queue-4.18/workqueue-skip-lockdep-wq-dependency-in-cancel_work_sync.patch b/queue-4.18/workqueue-skip-lockdep-wq-dependency-in-cancel_work_sync.patch new file mode 100644 index 00000000000..c250cec79ce --- /dev/null +++ b/queue-4.18/workqueue-skip-lockdep-wq-dependency-in-cancel_work_sync.patch @@ -0,0 +1,116 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Johannes Berg +Date: Wed, 22 Aug 2018 11:49:03 +0200 +Subject: workqueue: skip lockdep wq dependency in cancel_work_sync() + +From: Johannes Berg + +[ Upstream commit d6e89786bed977f37f55ffca11e563f6d2b1e3b5 ] + +In cancel_work_sync(), we can only have one of two cases, even +with an ordered workqueue: + * the work isn't running, just cancelled before it started + * the work is running, but then nothing else can be on the + workqueue before it + +Thus, we need to skip the lockdep workqueue dependency handling, +otherwise we get false positive reports from lockdep saying that +we have a potential deadlock when the workqueue also has other +work items with locking, e.g. + + work1_function() { mutex_lock(&mutex); ... } + work2_function() { /* nothing */ } + + other_function() { + queue_work(ordered_wq, &work1); + queue_work(ordered_wq, &work2); + mutex_lock(&mutex); + cancel_work_sync(&work2); + } + +As described above, this isn't a problem, but lockdep will +currently flag it as if cancel_work_sync() was flush_work(), +which *is* a problem. + +Signed-off-by: Johannes Berg +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/workqueue.c | 37 ++++++++++++++++++++++--------------- + 1 file changed, 22 insertions(+), 15 deletions(-) + +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -2843,7 +2843,8 @@ reflush: + } + EXPORT_SYMBOL_GPL(drain_workqueue); + +-static bool start_flush_work(struct work_struct *work, struct wq_barrier *barr) ++static bool start_flush_work(struct work_struct *work, struct wq_barrier *barr, ++ bool from_cancel) + { + struct worker *worker = NULL; + struct worker_pool *pool; +@@ -2885,7 +2886,8 @@ static bool start_flush_work(struct work + * workqueues the deadlock happens when the rescuer stalls, blocking + * forward progress. + */ +- if (pwq->wq->saved_max_active == 1 || pwq->wq->rescuer) { ++ if (!from_cancel && ++ (pwq->wq->saved_max_active == 1 || pwq->wq->rescuer)) { + lock_map_acquire(&pwq->wq->lockdep_map); + lock_map_release(&pwq->wq->lockdep_map); + } +@@ -2896,6 +2898,22 @@ already_gone: + return false; + } + ++static bool __flush_work(struct work_struct *work, bool from_cancel) ++{ ++ struct wq_barrier barr; ++ ++ if (WARN_ON(!wq_online)) ++ return false; ++ ++ if (start_flush_work(work, &barr, from_cancel)) { ++ wait_for_completion(&barr.done); ++ destroy_work_on_stack(&barr.work); ++ return true; ++ } else { ++ return false; ++ } ++} ++ + /** + * flush_work - wait for a work to finish executing the last queueing instance + * @work: the work to flush +@@ -2909,18 +2927,7 @@ already_gone: + */ + bool flush_work(struct work_struct *work) + { +- struct wq_barrier barr; +- +- if (WARN_ON(!wq_online)) +- return false; +- +- if (start_flush_work(work, &barr)) { +- wait_for_completion(&barr.done); +- destroy_work_on_stack(&barr.work); +- return true; +- } else { +- return false; +- } ++ return __flush_work(work, false); + } + EXPORT_SYMBOL_GPL(flush_work); + +@@ -2986,7 +2993,7 @@ static bool __cancel_work_timer(struct w + * isn't executing. + */ + if (wq_online) +- flush_work(work); ++ __flush_work(work, true); + + clear_work_data(work); + diff --git a/queue-4.18/x86-mce-add-notifier_block-forward-declaration.patch b/queue-4.18/x86-mce-add-notifier_block-forward-declaration.patch new file mode 100644 index 00000000000..0d47b5f0b28 --- /dev/null +++ b/queue-4.18/x86-mce-add-notifier_block-forward-declaration.patch @@ -0,0 +1,42 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Arnd Bergmann +Date: Fri, 17 Aug 2018 12:01:36 +0200 +Subject: x86/mce: Add notifier_block forward declaration + +From: Arnd Bergmann + +[ Upstream commit 704ae091b061082b37a9968621af4c290c641d50 ] + +Without linux/irq.h, there is no declaration of notifier_block, leading to +a build warning: + +In file included from arch/x86/kernel/cpu/mcheck/threshold.c:10: +arch/x86/include/asm/mce.h:151:46: error: 'struct notifier_block' declared inside parameter list will not be visible outside of this definition or declaration [-Werror] + +It's sufficient to declare the struct tag here, which avoids pulling in +more header files. + +Fixes: 447ae3166702 ("x86: Don't include linux/irq.h from asm/hardirq.h") +Signed-off-by: Arnd Bergmann +Signed-off-by: Thomas Gleixner +Cc: Nicolai Stange +Cc: "H. Peter Anvin" +Cc: Greg Kroah-Hartman +Cc: Borislav Petkov +Link: https://lkml.kernel.org/r/20180817100156.3009043-1-arnd@arndb.de +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/mce.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/include/asm/mce.h ++++ b/arch/x86/include/asm/mce.h +@@ -148,6 +148,7 @@ enum mce_notifier_prios { + MCE_PRIO_LOWEST = 0, + }; + ++struct notifier_block; + extern void mce_register_decode_chain(struct notifier_block *nb); + extern void mce_unregister_decode_chain(struct notifier_block *nb); + diff --git a/queue-4.18/xen-balloon-fix-balloon-initialization-for-pvh-dom0.patch b/queue-4.18/xen-balloon-fix-balloon-initialization-for-pvh-dom0.patch new file mode 100644 index 00000000000..64707cc5185 --- /dev/null +++ b/queue-4.18/xen-balloon-fix-balloon-initialization-for-pvh-dom0.patch @@ -0,0 +1,43 @@ +From foo@baz Tue Sep 11 12:05:55 CEST 2018 +From: Roger Pau Monne +Date: Wed, 8 Aug 2018 13:46:41 +0200 +Subject: xen/balloon: fix balloon initialization for PVH Dom0 + +From: Roger Pau Monne + +[ Upstream commit 3596924a233e45aa918c961a902170fc4916461b ] + +The current balloon code tries to calculate a delta factor for the +balloon target when running in HVM mode in order to account for memory +used by the firmware. + +This workaround for memory accounting doesn't work properly on a PVH +Dom0, that has a static-max value different from the target value even +at startup. Note that this is not a problem for DomUs because guests are +started with a static-max value that matches the amount of RAM in the +memory map. + +Fix this by forcefully setting target_diff for Dom0, regardless of +it's mode. + +Reported-by: Gabriel Bercarug +Signed-off-by: Roger Pau Monné +Reviewed-by: Juergen Gross +Signed-off-by: Boris Ostrovsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/xen-balloon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/xen/xen-balloon.c ++++ b/drivers/xen/xen-balloon.c +@@ -81,7 +81,7 @@ static void watch_target(struct xenbus_w + static_max = new_target; + else + static_max >>= PAGE_SHIFT - 10; +- target_diff = xen_pv_domain() ? 0 ++ target_diff = (xen_pv_domain() || xen_initial_domain()) ? 0 + : static_max - balloon_stats.target_pages; + } +