From: Greg Kroah-Hartman Date: Sat, 2 Feb 2019 12:10:19 +0000 (+0100) Subject: 4.20-stable patches X-Git-Tag: v4.20.7~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=afec7dd2ba084832cb7335d69fff7bafa9a6156e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.20-stable patches added patches: alsa-hda-realtek-fixed-hp_pin-no-value.patch alsa-pcm-fix-tight-loop-of-oss-capture-stream.patch alsa-usb-audio-add-opus-3-to-quirks-for-native-dsd-support.patch arm-cns3xxx-fix-writing-to-wrong-pci-config-registers-after-alignment.patch arm64-do-not-issue-ipis-for-user-executable-ptes.patch arm64-hibernate-clean-the-__hyp_text-to-poc-after-resume.patch arm64-hyp-stub-forbid-kprobing-of-the-hyp-stub.patch arm64-kaslr-ensure-randomized-quantities-are-clean-also-when-kaslr-is-off.patch cifs-do-not-consider-enodata-as-stat-failure-for-reads.patch cifs-do-not-count-enodata-as-failure-for-query-directory.patch cifs-fix-possible-oops-and-memory-leaks-in-async-io.patch cifs-fix-trace-command-logging-for-smb2-reads-and-writes.patch cifs-fix-use-after-free-of-the-lease-keys.patch fs-dcache-fix-incorrect-nr_dentry_unused-accounting-in-shrink_dcache_sb.patch gfs2-revert-fix-loop-in-gfs2_rbm_find.patch gpio-altera-a10sr-set-proper-output-level-for-direction_output.patch gpio-pcf857x-fix-interrupts-on-multiple-instances.patch gpio-sprd-fix-incorrect-irq-type-setting-for-the-async-eic.patch gpio-sprd-fix-the-incorrect-data-register.patch gpiolib-fix-line-event-timestamps-for-nested-irqs.patch ib-hfi1-add-limit-test-for-rc-uc-send-via-loopback.patch ib-hfi1-remove-overly-conservative-vm_exec-flag-check.patch ib-uverbs-fix-oops-in-uverbs_user_mmap_disassociate.patch ib-uverbs-fix-oops-upon-device-disassociation.patch iommu-vt-d-fix-memory-leak-in-intel_iommu_put_resv_regions.patch mmc-bcm2835-fix-dma-channel-leak-on-probe-error.patch mmc-mediatek-fix-incorrect-register-setting-of-hs400_cmd_int_delay.patch nfs-fix-up-return-value-on-fatal-errors-in-nfs_page_async_flush.patch 
selftests-seccomp-enhance-per-arch-ptrace-syscall-skip-tests.patch
---
diff --git a/queue-4.20/alsa-hda-realtek-fixed-hp_pin-no-value.patch b/queue-4.20/alsa-hda-realtek-fixed-hp_pin-no-value.patch
new file mode 100644
index 00000000000..349c04df2e9
--- /dev/null
+++ b/queue-4.20/alsa-hda-realtek-fixed-hp_pin-no-value.patch
@@ -0,0 +1,155 @@
+From 693abe11aa6b27aed6eb8222162f8fb986325cef Mon Sep 17 00:00:00 2001
+From: Kailang Yang
+Date: Tue, 29 Jan 2019 15:38:21 +0800
+Subject: ALSA: hda/realtek - Fixed hp_pin no value
+
+From: Kailang Yang
+
+commit 693abe11aa6b27aed6eb8222162f8fb986325cef upstream.
+
+Fix hp_pin always no value.
+
+[More notes on the changes:
+
+ The hp_pin value that is referred in alc294_hp_init() is always zero
+ at the moment the function gets called, hence this is actually
+ useless as in the current code.
+
+ And, this kind of init sequence should be called from the codec init
+ callback, instead of the parser function. So, the first fix in this
+ patch to move the call call into its own init_hook.
+
+ OTOH, this function is needed to be called only once after the boot,
+ and it'd take too long for invoking at each resume (where the init
+ callback gets called). So we add a new flag and invoke this only
+ once as an additional fix.
+
+ The one case is still not covered, though: S4 resume. But this
+ change itself won't lead to any regression in that regard, so we
+ leave S4 issue as is for now and fix it later. -- tiwai ]
+
+Fixes: bde1a7459623 ("ALSA: hda/realtek - Fixed headphone issue for ALC700")
+Signed-off-by: Kailang Yang
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 78 ++++++++++++++++++++++++------------------
+ 1 file changed, 45 insertions(+), 33 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -117,6 +117,7 @@ struct alc_spec {
+ int codec_variant; /* flag for other variants */
+ unsigned int has_alc5505_dsp:1;
+ unsigned int no_depop_delay:1;
++ unsigned int done_hp_init:1;
+
+ /* for PLL fix */
+ hda_nid_t pll_nid;
+@@ -3372,6 +3373,48 @@ static void alc_default_shutup(struct hd
+ snd_hda_shutup_pins(codec);
+ }
+
++static void alc294_hp_init(struct hda_codec *codec)
++{
++ struct alc_spec *spec = codec->spec;
++ hda_nid_t hp_pin = spec->gen.autocfg.hp_pins[0];
++ int i, val;
++
++ if (!hp_pin)
++ return;
++
++ snd_hda_codec_write(codec, hp_pin, 0,
++ AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE);
++
++ msleep(100);
++
++ snd_hda_codec_write(codec, hp_pin, 0,
++ AC_VERB_SET_PIN_WIDGET_CONTROL, 0x0);
++
++ alc_update_coef_idx(codec, 0x6f, 0x000f, 0);/* Set HP depop to manual mode */
++ alc_update_coefex_idx(codec, 0x58, 0x00, 0x8000, 0x8000); /* HP depop procedure start */
++
++ /* Wait for depop procedure finish */
++ val = alc_read_coefex_idx(codec, 0x58, 0x01);
++ for (i = 0; i < 20 && val & 0x0080; i++) {
++ msleep(50);
++ val = alc_read_coefex_idx(codec, 0x58, 0x01);
++ }
++ /* Set HP depop to auto mode */
++ alc_update_coef_idx(codec, 0x6f, 0x000f, 0x000b);
++ msleep(50);
++}
++
++static void alc294_init(struct hda_codec *codec)
++{
++ struct alc_spec *spec = codec->spec;
++
++ if (!spec->done_hp_init) {
++ alc294_hp_init(codec);
++ spec->done_hp_init = true;
++ }
++ alc_default_init(codec);
++}
++
+ static void alc5505_coef_set(struct hda_codec *codec, unsigned int index_reg,
+ unsigned int val)
+ {
+@@ -7288,37 +7331,6 @@ static void alc269_fill_coef(struct hda_
+ alc_update_coef_idx(codec, 0x4, 0, 1<<11);
+ }
+
+-static void alc294_hp_init(struct hda_codec *codec)
+-{
+- struct alc_spec *spec = codec->spec;
+- hda_nid_t hp_pin = spec->gen.autocfg.hp_pins[0];
+- int i, val;
+-
+- if (!hp_pin)
+- return;
+-
+- snd_hda_codec_write(codec, hp_pin, 0,
+- AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE);
+-
+- msleep(100);
+-
+- snd_hda_codec_write(codec, hp_pin, 0,
+- AC_VERB_SET_PIN_WIDGET_CONTROL, 0x0);
+-
+- alc_update_coef_idx(codec, 0x6f, 0x000f, 0);/* Set HP depop to manual mode */
+- alc_update_coefex_idx(codec, 0x58, 0x00, 0x8000, 0x8000); /* HP depop procedure start */
+-
+- /* Wait for depop procedure finish */
+- val = alc_read_coefex_idx(codec, 0x58, 0x01);
+- for (i = 0; i < 20 && val & 0x0080; i++) {
+- msleep(50);
+- val = alc_read_coefex_idx(codec, 0x58, 0x01);
+- }
+- /* Set HP depop to auto mode */
+- alc_update_coef_idx(codec, 0x6f, 0x000f, 0x000b);
+- msleep(50);
+-}
+-
+ /*
+ */
+ static int patch_alc269(struct hda_codec *codec)
+@@ -7444,7 +7456,7 @@ static int patch_alc269(struct hda_codec
+ spec->codec_variant = ALC269_TYPE_ALC294;
+ spec->gen.mixer_nid = 0; /* ALC2x4 does not have any loopback mixer path */
+ alc_update_coef_idx(codec, 0x6b, 0x0018, (1<<4) | (1<<3)); /* UAJ MIC Vref control by verb */
+- alc294_hp_init(codec);
++ spec->init_hook = alc294_init;
+ break;
+ case 0x10ec0300:
+ spec->codec_variant = ALC269_TYPE_ALC300;
+@@ -7456,7 +7468,7 @@ static int patch_alc269(struct hda_codec
+ spec->codec_variant = ALC269_TYPE_ALC700;
+ spec->gen.mixer_nid = 0; /* ALC700 does not have any loopback mixer path */
+ alc_update_coef_idx(codec, 0x4a, 1 << 15, 0); /* Combo jack auto trigger control */
+- alc294_hp_init(codec);
++ spec->init_hook = alc294_init;
+ break;
+
+ }
diff --git a/queue-4.20/alsa-pcm-fix-tight-loop-of-oss-capture-stream.patch b/queue-4.20/alsa-pcm-fix-tight-loop-of-oss-capture-stream.patch
new file mode 100644
index 00000000000..56dac93b23b
--- /dev/null
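Review bot: The depop wait loop in `alc294_hp_init()` gives up after 20 polls without reporting it, and `alc294_init()` then sets `spec->done_hp_init = true` whether or not the procedure finished, so a codec that never clears bit 0x0080 is left as-is with nothing in the log and no retry on a later init. Checking `val & 0x0080` once more after the loop and emitting `codec_warn(codec, "HP depop did not finish\n");` would make that case visible. Writing the loop condition as `i < 20 && (val & 0x0080)` and adding a comment above `alc294_init()` that the flag deliberately skips the sequence on resume would also help the next reader.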
+++ b/queue-4.20/alsa-pcm-fix-tight-loop-of-oss-capture-stream.patch 
@@ -0,0 +1,66 @@
+From e190161f96b88ffae870405fd6c3fdd1d2e7f98d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Fri, 25 Jan 2019 17:11:32 +0100
+Subject: ALSA: pcm: Fix tight loop of OSS capture stream
+
+From: Takashi Iwai
+
+commit e190161f96b88ffae870405fd6c3fdd1d2e7f98d upstream.
+
+When the trigger=off is passed for a PCM OSS stream, it sets the
+start_threshold of the given substream to the boundary size, so that
+it won't be automatically started. This can be problematic for a
+capture stream, unfortunately, as detected by syzkaller. The scenario
+is like the following:
+
+- In __snd_pcm_lib_xfer() that is invoked from snd_pcm_oss_read()
+ loop, we have a check whether the stream was already started or the
+ stream can be auto-started.
+- The function at this check returns 0 with trigger=off since we
+ explicitly disable the auto-start.
+- The loop continues and repeats calling __snd_pcm_lib_xfer() tightly,
+ which may lead to an RCU stall.
+
+This patch fixes the bug by simply allowing the wait for non-started
+stream in the case of OSS capture. For native usages, it's supposed
+to be done by the caller side (which is user-space), hence it returns
+zero like before.
+
+(In theory, __snd_pcm_lib_xfer() could wait even for the native API
+ usage cases, too; but I'd like to stay in a safer side for not
+ breaking the existing stuff for now.)
+
+Reported-by: syzbot+fbe0496f92a0ce7b786c@syzkaller.appspotmail.com
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/pcm_lib.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -2112,6 +2112,13 @@ int pcm_lib_apply_appl_ptr(struct snd_pc
+ return 0;
+ }
+
++/* allow waiting for a capture stream that hasn't been started */
++#if IS_ENABLED(CONFIG_SND_PCM_OSS)
++#define wait_capture_start(substream) ((substream)->oss.oss)
++#else
++#define wait_capture_start(substream) false
++#endif
++
+ /* the common loop for read/write data */
+ snd_pcm_sframes_t __snd_pcm_lib_xfer(struct snd_pcm_substream *substream,
+ void *data, bool interleaved,
+@@ -2182,7 +2189,7 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str
+ err = snd_pcm_start(substream);
+ if (err < 0)
+ goto _end_unlock;
+- } else {
++ } else if (!wait_capture_start(substream)) {
+ /* nothing to do */
+ err = 0;
+ goto _end_unlock;
diff --git a/queue-4.20/alsa-usb-audio-add-opus-3-to-quirks-for-native-dsd-support.patch b/queue-4.20/alsa-usb-audio-add-opus-3-to-quirks-for-native-dsd-support.patch
new file mode 100644
index 00000000000..697c41562e4
--- /dev/null
+++ b/queue-4.20/alsa-usb-audio-add-opus-3-to-quirks-for-native-dsd-support.patch
@@ -0,0 +1,36 @@
+From 9e6966646b6bc5078d579151b90016522d4ff2cb Mon Sep 17 00:00:00 2001
+From: Olek Poplavsky
+Date: Thu, 24 Jan 2019 23:30:03 -0500
+Subject: ALSA: usb-audio: Add Opus #3 to quirks for native DSD support
+
+From: Olek Poplavsky
+
+commit 9e6966646b6bc5078d579151b90016522d4ff2cb upstream.
+
+This patch adds quirk VID/PID IDs for the Opus #3 DAP (made by 'The Bit')
+in order to enable Native DSD support.
+
+[ NOTE: this could be handled in the generic way with fp->dvd_raw if
+ we add 0x10cb to the vendor whitelist, but since 0x10cb shows a
+ different vendor name (Erantech), put to the individual entry at
+ this time -- tiwai ]
+
+Signed-off-by: Olek Poplavsky
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1373,6 +1373,7 @@ u64 snd_usb_interface_dsd_format_quirks(
+ return SNDRV_PCM_FMTBIT_DSD_U32_BE;
+ break;
+
++ case USB_ID(0x10cb, 0x0103): /* The Bit Opus #3; with fp->dsd_raw */
+ case USB_ID(0x152a, 0x85de): /* SMSL D1 DAC */
+ case USB_ID(0x16d0, 0x09dd): /* Encore mDSD */
+ case USB_ID(0x0d8c, 0x0316): /* Hegel HD12 DSD */
diff --git a/queue-4.20/arm-cns3xxx-fix-writing-to-wrong-pci-config-registers-after-alignment.patch b/queue-4.20/arm-cns3xxx-fix-writing-to-wrong-pci-config-registers-after-alignment.patch
new file mode 100644
index 00000000000..ca98b3f202f
--- /dev/null
+++ b/queue-4.20/arm-cns3xxx-fix-writing-to-wrong-pci-config-registers-after-alignment.patch
@@ -0,0 +1,67 @@
+From 65dbb423cf28232fed1732b779249d6164c5999b Mon Sep 17 00:00:00 2001
+From: Koen Vandeputte
+Date: Thu, 31 Jan 2019 15:00:01 -0600
+Subject: ARM: cns3xxx: Fix writing to wrong PCI config registers after alignment
+
+From: Koen Vandeputte
+
+commit 65dbb423cf28232fed1732b779249d6164c5999b upstream.
+
+Originally, cns3xxx used its own functions for mapping, reading and
+writing config registers.
+
+Commit 802b7c06adc7 ("ARM: cns3xxx: Convert PCI to use generic config
+accessors") removed the internal PCI config write function in favor of
+the generic one:
+
+ cns3xxx_pci_write_config() --> pci_generic_config_write()
+
+cns3xxx_pci_write_config() expected aligned addresses, being produced by
+cns3xxx_pci_map_bus() while the generic one pci_generic_config_write()
+actually expects the real address as both the function and hardware are
+capable of byte-aligned writes.
+
+This currently leads to pci_generic_config_write() writing to the wrong
+registers.
+
+For instance, upon ath9k module loading:
+
+- driver ath9k gets loaded
+- The driver wants to write value 0xA8 to register PCI_LATENCY_TIMER,
+ located at 0x0D
+- cns3xxx_pci_map_bus() aligns the address to 0x0C
+- pci_generic_config_write() effectively writes 0xA8 into register 0x0C
+ (CACHE_LINE_SIZE)
+
+Fix the bug by removing the alignment in the cns3xxx mapping function.
+
+Fixes: 802b7c06adc7 ("ARM: cns3xxx: Convert PCI to use generic config accessors")
+Signed-off-by: Koen Vandeputte
+[lorenzo.pieralisi@arm.com: updated commit log]
+Signed-off-by: Lorenzo Pieralisi
+Acked-by: Krzysztof Halasa
+Acked-by: Tim Harvey
+Acked-by: Arnd Bergmann
+CC: stable@vger.kernel.org # v4.0+
+CC: Bjorn Helgaas
+CC: Olof Johansson
+CC: Robin Leblon
+CC: Rob Herring
+CC: Russell King
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/mach-cns3xxx/pcie.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/mach-cns3xxx/pcie.c
++++ b/arch/arm/mach-cns3xxx/pcie.c
+@@ -83,7 +83,7 @@ static void __iomem *cns3xxx_pci_map_bus
+ } else /* remote PCI bus */
+ base = cnspci->cfg1_regs + ((busno & 0xf) << 20);
+
+- return base + (where & 0xffc) + (devfn << 12);
++ return base + where + (devfn << 12);
+ }
+
+ static int cns3xxx_pci_read_config(struct pci_bus *bus, unsigned int devfn,
diff --git a/queue-4.20/arm64-do-not-issue-ipis-for-user-executable-ptes.patch b/queue-4.20/arm64-do-not-issue-ipis-for-user-executable-ptes.patch
new file mode 100644
index 00000000000..7d31232906c
--- /dev/null
+++ b/queue-4.20/arm64-do-not-issue-ipis-for-user-executable-ptes.patch
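Review bot: Dropping `& 0xffc` in `cns3xxx_pci_map_bus()` removes the only bound on `where` along with the alignment, so if a caller ever passes an offset above 0xfff the result lands in the next `devfn << 12` window; `return base + (where & 0xfff) + (devfn << 12);` keeps byte addressing and the 4 KiB limit. `cns3xxx_pci_read_config()`, whose signature is the last context line here and whose body is outside the hunk, presumably goes through the same mapping helper, so it is worth confirming that the read path does not still assume a dword-aligned address from it.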
@@ -0,0 +1,43 @@
+From 132fdc379eb143932d209a20fd581e1ce7630960 Mon Sep 17 00:00:00 2001
+From: Catalin Marinas
+Date: Thu, 24 Jan 2019 17:28:37 +0000
+Subject: arm64: Do not issue IPIs for user executable ptes
+
+From: Catalin Marinas
+
+commit 132fdc379eb143932d209a20fd581e1ce7630960 upstream.
+
+Commit 3b8c9f1cdfc5 ("arm64: IPI each CPU after invalidating the I-cache
+for kernel mappings") was aimed at fixing the I-cache invalidation for
+kernel mappings. However, it inadvertently caused all cache maintenance
+for user mappings via set_pte_at() -> __sync_icache_dcache() ->
+sync_icache_aliases() to call kick_all_cpus_sync().
+
+Reported-by: Shijith Thotton
+Tested-by: Shijith Thotton
+Reported-by: Wandun Chen
+Fixes: 3b8c9f1cdfc5 ("arm64: IPI each CPU after invalidating the I-cache for kernel mappings")
+Cc: # 4.19.x-
+Signed-off-by: Catalin Marinas
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/mm/flush.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/mm/flush.c
++++ b/arch/arm64/mm/flush.c
+@@ -33,7 +33,11 @@ void sync_icache_aliases(void *kaddr, un
+ __clean_dcache_area_pou(kaddr, len);
+ __flush_icache_all();
+ } else {
+- flush_icache_range(addr, addr + len);
++ /*
++ * Don't issue kick_all_cpus_sync() after I-cache invalidation
++ * for user mappings.
++ */
++ __flush_icache_range(addr, addr + len);
+ }
+ }
+
diff --git a/queue-4.20/arm64-hibernate-clean-the-__hyp_text-to-poc-after-resume.patch b/queue-4.20/arm64-hibernate-clean-the-__hyp_text-to-poc-after-resume.patch
new file mode 100644
index 00000000000..f20dd2e19be
--- /dev/null
+++ b/queue-4.20/arm64-hibernate-clean-the-__hyp_text-to-poc-after-resume.patch
@@ -0,0 +1,44 @@
+From f7daa9c8fd191724b9ab9580a7be55cd1a67d799 Mon Sep 17 00:00:00 2001
+From: James Morse
+Date: Thu, 24 Jan 2019 16:32:57 +0000
+Subject: arm64: hibernate: Clean the __hyp_text to PoC after resume
+
+From: James Morse
+
+commit f7daa9c8fd191724b9ab9580a7be55cd1a67d799 upstream.
+
+During resume hibernate restores all physical memory. Any memory
+that is accessed with the MMU disabled needs to be cleaned to the
+PoC.
+
+KVMs __hyp_text was previously ommitted as it runs with the MMU
+enabled, but now that the hyp-stub is located in this section,
+we must clean __hyp_text too.
+
+This ensures secondary CPUs that come online after hibernate
+has finished resuming, and load KVM via the freshly written
+hyp-stub see the correct instructions.
+
+Signed-off-by: James Morse
+Cc: stable@vger.kernel.org
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kernel/hibernate.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/hibernate.c
++++ b/arch/arm64/kernel/hibernate.c
+@@ -299,8 +299,10 @@ int swsusp_arch_suspend(void)
+ dcache_clean_range(__idmap_text_start, __idmap_text_end);
+
+ /* Clean kvm setup code to PoC? */
+- if (el2_reset_needed())
++ if (el2_reset_needed()) {
+ dcache_clean_range(__hyp_idmap_text_start, __hyp_idmap_text_end);
++ dcache_clean_range(__hyp_text_start, __hyp_text_end);
++ }
+
+ /* make the crash dump kernel image protected again */
+ crash_post_resume();
diff --git a/queue-4.20/arm64-hyp-stub-forbid-kprobing-of-the-hyp-stub.patch b/queue-4.20/arm64-hyp-stub-forbid-kprobing-of-the-hyp-stub.patch
new file mode 100644
index 00000000000..1eccd762b01
--- /dev/null
+++ b/queue-4.20/arm64-hyp-stub-forbid-kprobing-of-the-hyp-stub.patch
@@ -0,0 +1,37 @@
+From 8fac5cbdfe0f01254d9d265c6aa1a95f94f58595 Mon Sep 17 00:00:00 2001
+From: James Morse
+Date: Thu, 24 Jan 2019 16:32:56 +0000
+Subject: arm64: hyp-stub: Forbid kprobing of the hyp-stub
+
+From: James Morse
+
+commit 8fac5cbdfe0f01254d9d265c6aa1a95f94f58595 upstream.
+
+The hyp-stub is loaded by the kernel's early startup code at EL2
+during boot, before KVM takes ownership later. The hyp-stub's
+text is part of the regular kernel text, meaning it can be kprobed.
+
+A breakpoint in the hyp-stub causes the CPU to spin in el2_sync_invalid.
+
+Add it to the __hyp_text.
+
+Signed-off-by: James Morse
+Cc: stable@vger.kernel.org
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kernel/hyp-stub.S | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/kernel/hyp-stub.S
++++ b/arch/arm64/kernel/hyp-stub.S
+@@ -28,6 +28,8 @@
+ #include
+
+ .text
++ .pushsection .hyp.text, "ax"
++
+ .align 11
+
+ ENTRY(__hyp_stub_vectors)
diff --git a/queue-4.20/arm64-kaslr-ensure-randomized-quantities-are-clean-also-when-kaslr-is-off.patch b/queue-4.20/arm64-kaslr-ensure-randomized-quantities-are-clean-also-when-kaslr-is-off.patch
new file mode 100644
index 00000000000..097deb9d01b
--- /dev/null
+++ b/queue-4.20/arm64-kaslr-ensure-randomized-quantities-are-clean-also-when-kaslr-is-off.patch
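Review bot: The added `.pushsection .hyp.text, "ax"` has no matching `.popsection` in this hunk, so everything from `__hyp_stub_vectors` to the end of the file is emitted into `.hyp.text`. If that is the intent, a short comment next to the directive saying so, and noting that the `.text` line just above it no longer selects the section for the stub, would save the next reader from hunting for the pop. The rest of the file is outside the hunk, so whether any later symbol was meant to stay in regular `.text` has to be checked there.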
@@ -0,0 +1,46 @@
+From 8ea235932314311f15ea6cf65c1393ed7e31af70 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Sun, 27 Jan 2019 09:29:42 +0100
+Subject: arm64: kaslr: ensure randomized quantities are clean also when kaslr is off
+
+From: Ard Biesheuvel
+
+commit 8ea235932314311f15ea6cf65c1393ed7e31af70 upstream.
+
+Commit 1598ecda7b23 ("arm64: kaslr: ensure randomized quantities are
+clean to the PoC") added cache maintenance to ensure that global
+variables set by the kaslr init routine are not wiped clean due to
+cache invalidation occurring during the second round of page table
+creation.
+
+However, if kaslr_early_init() exits early with no randomization
+being applied (either due to the lack of a seed, or because the user
+has disabled kaslr explicitly), no cache maintenance is performed,
+leading to the same issue we attempted to fix earlier, as far as the
+module_alloc_base variable is concerned.
+
+Note that module_alloc_base cannot be initialized statically, because
+that would cause it to be subject to a R_AARCH64_RELATIVE relocation,
+causing it to be overwritten by the second round of KASLR relocation
+processing.
+
+Fixes: f80fb3a3d508 ("arm64: add support for kernel ASLR")
+Cc: # v4.6+
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kernel/kaslr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/kernel/kaslr.c
++++ b/arch/arm64/kernel/kaslr.c
+@@ -88,6 +88,7 @@ u64 __init kaslr_early_init(u64 dt_phys)
+ * we end up running with module randomization disabled.
+ */
+ module_alloc_base = (u64)_etext - MODULES_VSIZE;
++ __flush_dcache_area(&module_alloc_base, sizeof(module_alloc_base));
+
+ /*
+ * Try to map the FDT early. If this fails, we simply bail,
diff --git a/queue-4.20/cifs-do-not-consider-enodata-as-stat-failure-for-reads.patch b/queue-4.20/cifs-do-not-consider-enodata-as-stat-failure-for-reads.patch
new file mode 100644
index 00000000000..b9920aace5d
--- /dev/null
+++ b/queue-4.20/cifs-do-not-consider-enodata-as-stat-failure-for-reads.patch
@@ -0,0 +1,34 @@
+From 082aaa8700415f6471ec9c5ef0c8307ca214989a Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky
+Date: Fri, 18 Jan 2019 15:54:34 -0800
+Subject: CIFS: Do not consider -ENODATA as stat failure for reads
+
+From: Pavel Shilovsky
+
+commit 082aaa8700415f6471ec9c5ef0c8307ca214989a upstream.
+
+When doing reads beyound the end of a file the server returns
+error STATUS_END_OF_FILE error which is mapped to -ENODATA.
+Currently we report it as a failure which confuses read stats.
+Change it to not consider -ENODATA as failure for stat purposes.
+
+Signed-off-by: Pavel Shilovsky
+Signed-off-by: Steve French
+CC: Stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/smb2pdu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -3139,7 +3139,7 @@ smb2_readv_callback(struct mid_q_entry *
+ rdata->mr = NULL;
+ }
+ #endif
+- if (rdata->result) {
++ if (rdata->result && rdata->result != -ENODATA) {
+ cifs_stats_fail_inc(tcon, SMB2_READ_HE);
+ trace_smb3_read_err(0 /* xid */,
+ rdata->cfile->fid.persistent_fid,
diff --git a/queue-4.20/cifs-do-not-count-enodata-as-failure-for-query-directory.patch b/queue-4.20/cifs-do-not-count-enodata-as-failure-for-query-directory.patch
new file mode 100644
index 00000000000..7a2d7b394fb
--- /dev/null
+++ b/queue-4.20/cifs-do-not-count-enodata-as-failure-for-query-directory.patch
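Review bot: With `-ENODATA` excluded from the failure branch in `smb2_readv_callback()`, such a completion now takes whatever follows the `if`; in the trace-logging patch queued alongside on this page that is the `else` arm calling `trace_smb3_read_done()`, so a read past end of file would be traced as a completed read with `rdata->got_bytes`. If that is intended, a one-line comment above the condition such as `/* -ENODATA (read past EOF) is not a failure for stats or tracing */` would record it. The `else` arm itself is outside this hunk.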
@@ -0,0 +1,31 @@
+From 8e6e72aeceaaed5aeeb1cb43d3085de7ceb14f79 Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky
+Date: Sat, 26 Jan 2019 12:21:32 -0800
+Subject: CIFS: Do not count -ENODATA as failure for query directory
+
+From: Pavel Shilovsky
+
+commit 8e6e72aeceaaed5aeeb1cb43d3085de7ceb14f79 upstream.
+
+Signed-off-by: Pavel Shilovsky
+Signed-off-by: Steve French
+CC: Stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/smb2pdu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -3726,8 +3726,8 @@ SMB2_query_directory(const unsigned int
+ rsp->sync_hdr.Status == STATUS_NO_MORE_FILES) {
+ srch_inf->endOfSearch = true;
+ rc = 0;
+- }
+- cifs_stats_fail_inc(tcon, SMB2_QUERY_DIRECTORY_HE);
++ } else
++ cifs_stats_fail_inc(tcon, SMB2_QUERY_DIRECTORY_HE);
+ goto qdir_exit;
+ }
+
diff --git a/queue-4.20/cifs-fix-possible-oops-and-memory-leaks-in-async-io.patch b/queue-4.20/cifs-fix-possible-oops-and-memory-leaks-in-async-io.patch
new file mode 100644
index 00000000000..ec5e0c4c82c
--- /dev/null
+++ b/queue-4.20/cifs-fix-possible-oops-and-memory-leaks-in-async-io.patch
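Review bot: The new `} else` in `SMB2_query_directory()` pairs a braced `if` arm with an unbraced `else` arm, which kernel coding style asks to avoid and which makes it easy for a later edit to add a second statement that then runs unconditionally before `goto qdir_exit`. Writing it as `} else {`, `cifs_stats_fail_inc(tcon, SMB2_QUERY_DIRECTORY_HE);`, `}` costs one line. The same shape appears in the `smb2_readv_callback()` and `smb2_writev_callback()` hunks of the trace-logging patch further down this page; the `if` condition here begins outside the hunk.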
@@ -0,0 +1,64 @@
+From 9bda8723da2d55b1de833b98cf802b88006e5b69 Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky
+Date: Wed, 23 Jan 2019 17:12:09 -0800
+Subject: CIFS: Fix possible oops and memory leaks in async IO
+
+From: Pavel Shilovsky
+
+commit 9bda8723da2d55b1de833b98cf802b88006e5b69 upstream.
+
+Allocation of a page array for non-cached IO was separated from
+allocation of rdata and wdata structures and this introduced memory
+leaks and a possible null pointer dereference. This patch fixes
+these problems.
+
+Cc:
+Signed-off-by: Pavel Shilovsky
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/file.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -2670,6 +2670,7 @@ cifs_write_from_iter(loff_t offset, size
+
+ rc = cifs_write_allocate_pages(wdata->pages, nr_pages);
+ if (rc) {
++ kvfree(wdata->pages);
+ kfree(wdata);
+ add_credits_and_wake_if(server, credits, 0);
+ break;
+@@ -2681,6 +2682,7 @@ cifs_write_from_iter(loff_t offset, size
+ if (rc) {
+ for (i = 0; i < nr_pages; i++)
+ put_page(wdata->pages[i]);
++ kvfree(wdata->pages);
+ kfree(wdata);
+ add_credits_and_wake_if(server, credits, 0);
+ break;
+@@ -3360,8 +3362,12 @@ cifs_send_async_read(loff_t offset, size
+ }
+
+ rc = cifs_read_allocate_pages(rdata, npages);
+- if (rc)
+- goto error;
++ if (rc) {
++ kvfree(rdata->pages);
++ kfree(rdata);
++ add_credits_and_wake_if(server, credits, 0);
++ break;
++ }
+
+ rdata->tailsz = PAGE_SIZE;
+ }
+@@ -3381,7 +3387,6 @@ cifs_send_async_read(loff_t offset, size
+ if (!rdata->cfile->invalidHandle ||
+ !(rc = cifs_reopen_file(rdata->cfile, true)))
+ rc = server->ops->async_readv(rdata);
+-error:
+ if (rc) {
+ add_credits_and_wake_if(server, rdata->credits, 0);
+ kref_put(&rdata->refcount,
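Review bot: The new failure branch after `cifs_read_allocate_pages()` in `cifs_send_async_read()` releases `rdata` with a bare `kfree()`, while the error path at the bottom of the same loop drops it through `kref_put(&rdata->refcount, ...)`. That is only safe if nothing has taken a reference on `rdata`, or stored a pointer into it, by this point; the allocation and setup lines are outside the hunk, so this needs confirming there, ideally with a comment such as `/* rdata not yet shared: free directly */`. The cleanup sequence (`kvfree` of the page array, `kfree`, `add_credits_and_wake_if`) is now written out by hand three times across the two functions, and a small static helper per structure would keep a future error path from leaking the array again.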
diff --git a/queue-4.20/cifs-fix-trace-command-logging-for-smb2-reads-and-writes.patch b/queue-4.20/cifs-fix-trace-command-logging-for-smb2-reads-and-writes.patch
new file mode 100644
index 00000000000..042e68c5b27
--- /dev/null
+++ b/queue-4.20/cifs-fix-trace-command-logging-for-smb2-reads-and-writes.patch
@@ -0,0 +1,109 @@
+From 7d42e72fe8ee5ab70b1af843dd7d8615e6fb0abe Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky
+Date: Fri, 25 Jan 2019 11:38:53 -0800
+Subject: CIFS: Fix trace command logging for SMB2 reads and writes
+
+From: Pavel Shilovsky
+
+commit 7d42e72fe8ee5ab70b1af843dd7d8615e6fb0abe upstream.
+
+Currently we log success once we send an async IO request to
+the server. Instead we need to analyse a response and then log
+success or failure for a particular command. Also fix argument
+list for read logging.
+
+Cc: # 4.18
+Signed-off-by: Pavel Shilovsky
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/smb2pdu.c | 46 ++++++++++++++++++++++++++++++----------------
+ 1 file changed, 30 insertions(+), 16 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -3139,8 +3139,17 @@ smb2_readv_callback(struct mid_q_entry *
+ rdata->mr = NULL;
+ }
+ #endif
+- if (rdata->result)
++ if (rdata->result) {
+ cifs_stats_fail_inc(tcon, SMB2_READ_HE);
++ trace_smb3_read_err(0 /* xid */,
++ rdata->cfile->fid.persistent_fid,
++ tcon->tid, tcon->ses->Suid, rdata->offset,
++ rdata->bytes, rdata->result);
++ } else
++ trace_smb3_read_done(0 /* xid */,
++ rdata->cfile->fid.persistent_fid,
++ tcon->tid, tcon->ses->Suid,
++ rdata->offset, rdata->got_bytes);
+
+ queue_work(cifsiod_wq, &rdata->work);
+ DeleteMidQEntry(mid);
+@@ -3215,13 +3224,11 @@ smb2_async_readv(struct cifs_readdata *r
+ if (rc) {
+ kref_put(&rdata->refcount, cifs_readdata_release);
+ cifs_stats_fail_inc(io_parms.tcon, SMB2_READ_HE);
+- trace_smb3_read_err(rc, 0 /* xid */, io_parms.persistent_fid,
+- io_parms.tcon->tid, io_parms.tcon->ses->Suid,
+- io_parms.offset, io_parms.length);
+- } else
+- trace_smb3_read_done(0 /* xid */, io_parms.persistent_fid,
+- io_parms.tcon->tid, io_parms.tcon->ses->Suid,
+- io_parms.offset, io_parms.length);
++ trace_smb3_read_err(0 /* xid */, io_parms.persistent_fid,
++ io_parms.tcon->tid,
++ io_parms.tcon->ses->Suid,
++ io_parms.offset, io_parms.length, rc);
++ }
+
+ cifs_small_buf_release(buf);
+ return rc;
+@@ -3265,10 +3272,11 @@ SMB2_read(const unsigned int xid, struct
+ if (rc != -ENODATA) {
+ cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE);
+ cifs_dbg(VFS, "Send error in read = %d\n", rc);
++ trace_smb3_read_err(xid, req->PersistentFileId,
++ io_parms->tcon->tid, ses->Suid,
++ io_parms->offset, io_parms->length,
++ rc);
+ }
+- trace_smb3_read_err(rc, xid, req->PersistentFileId,
+- io_parms->tcon->tid, ses->Suid,
+- io_parms->offset, io_parms->length);
+ free_rsp_buf(resp_buftype, rsp_iov.iov_base);
+ return rc == -ENODATA ? 0 : rc;
+ } else
+@@ -3354,8 +3362,17 @@ smb2_writev_callback(struct mid_q_entry
+ wdata->mr = NULL;
+ }
+ #endif
+- if (wdata->result)
++ if (wdata->result) {
+ cifs_stats_fail_inc(tcon, SMB2_WRITE_HE);
++ trace_smb3_write_err(0 /* no xid */,
++ wdata->cfile->fid.persistent_fid,
++ tcon->tid, tcon->ses->Suid, wdata->offset,
++ wdata->bytes, wdata->result);
++ } else
++ trace_smb3_write_done(0 /* no xid */,
++ wdata->cfile->fid.persistent_fid,
++ tcon->tid, tcon->ses->Suid,
++ wdata->offset, wdata->bytes);
+
+ queue_work(cifsiod_wq, &wdata->work);
+ DeleteMidQEntry(mid);
+@@ -3497,10 +3514,7 @@ smb2_async_writev(struct cifs_writedata
+ wdata->bytes, rc);
+ kref_put(&wdata->refcount, release);
+ cifs_stats_fail_inc(tcon, SMB2_WRITE_HE);
+- } else
+- trace_smb3_write_done(0 /* no xid */, req->PersistentFileId,
+- tcon->tid, tcon->ses->Suid, wdata->offset,
+- wdata->bytes);
++ }
+
+ async_writev_out:
+ cifs_small_buf_release(req);
diff --git a/queue-4.20/cifs-fix-use-after-free-of-the-lease-keys.patch b/queue-4.20/cifs-fix-use-after-free-of-the-lease-keys.patch
new file mode 100644
index 00000000000..9a14d1966d6
--- /dev/null
+++ b/queue-4.20/cifs-fix-use-after-free-of-the-lease-keys.patch
@@ -0,0 +1,40 @@
+From d339adc12a4f885b572c5412e4869af8939db854 Mon Sep 17 00:00:00 2001
+From: Aurelien Aptel
+Date: Thu, 31 Jan 2019 13:46:07 +0100
+Subject: CIFS: fix use-after-free of the lease keys
+
+From: Aurelien Aptel
+
+commit d339adc12a4f885b572c5412e4869af8939db854 upstream.
+
+The request buffers are freed right before copying the pointers.
+Use the func args instead which are identical and still valid.
+
+Simple reproducer (requires KASAN enabled) on a cifs mount:
+
+echo foo > foo ; tail -f foo & rm foo
+
+Cc: # 4.20
+Fixes: 179e44d49c2f ("smb3: add tracepoint for sending lease break responses to server")
+Signed-off-by: Aurelien Aptel
+Signed-off-by: Steve French
+Reviewed-by: Paulo Alcantara
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/smb2pdu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -4339,8 +4339,8 @@ SMB2_lease_break(const unsigned int xid,
+ rc = cifs_send_recv(xid, ses, &rqst, &resp_buf_type, flags, &rsp_iov);
+ cifs_small_buf_release(req);
+
+- please_key_low = (__u64 *)req->LeaseKey;
+- please_key_high = (__u64 *)(req->LeaseKey+8);
++ please_key_low = (__u64 *)lease_key;
++ please_key_high = (__u64 *)(lease_key+8);
+ if (rc) {
+ cifs_stats_fail_inc(tcon, SMB2_OPLOCK_BREAK_HE);
+ trace_smb3_lease_err(le32_to_cpu(lease_state), tcon->tid,
diff --git a/queue-4.20/fs-dcache-fix-incorrect-nr_dentry_unused-accounting-in-shrink_dcache_sb.patch b/queue-4.20/fs-dcache-fix-incorrect-nr_dentry_unused-accounting-in-shrink_dcache_sb.patch
new file mode 100644
index 00000000000..ee437463ebc
--- /dev/null
+++ b/queue-4.20/fs-dcache-fix-incorrect-nr_dentry_unused-accounting-in-shrink_dcache_sb.patch
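Review bot: The replacement lines in `SMB2_lease_break()` cast the caller's `lease_key` to `__u64 *`, and the `lease_key+8` arithmetic suggests it is a byte pointer, so if a caller's buffer is not 8-byte aligned the later dereference in the tracepoint calls (which continue outside the hunk) is an unaligned 64-bit load. Reading the two halves with `get_unaligned((__u64 *)lease_key)` and `get_unaligned((__u64 *)(lease_key + 8))` would avoid depending on the caller's alignment. Since the bug being fixed was a read of `req` after `cifs_small_buf_release(req)`, a comment on that call such as `/* req is invalid from here on; use the function arguments */` would help keep it from coming back.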
@@ -0,0 +1,50 @@
+From 1dbd449c9943e3145148cc893c2461b72ba6fef0 Mon Sep 17 00:00:00 2001
+From: Waiman Long
+Date: Wed, 30 Jan 2019 13:52:36 -0500
+Subject: fs/dcache: Fix incorrect nr_dentry_unused accounting in shrink_dcache_sb()
+
+From: Waiman Long
+
+commit 1dbd449c9943e3145148cc893c2461b72ba6fef0 upstream.
+
+The nr_dentry_unused per-cpu counter tracks dentries in both the LRU
+lists and the shrink lists where the DCACHE_LRU_LIST bit is set.
+
+The shrink_dcache_sb() function moves dentries from the LRU list to a
+shrink list and subtracts the dentry count from nr_dentry_unused. This
+is incorrect as the nr_dentry_unused count will also be decremented in
+shrink_dentry_list() via d_shrink_del().
+
+To fix this double decrement, the decrement in the shrink_dcache_sb()
+function is taken out.
+
+Fixes: 4e717f5c1083 ("list_lru: remove special case function list_lru_dispose_all."
+Cc: stable@kernel.org
+Signed-off-by: Waiman Long
+Reviewed-by: Dave Chinner
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/dcache.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -1188,15 +1188,11 @@ static enum lru_status dentry_lru_isolat
+ */
+ void shrink_dcache_sb(struct super_block *sb)
+ {
+- long freed;
+-
+ do {
+ LIST_HEAD(dispose);
+
+- freed = list_lru_walk(&sb->s_dentry_lru,
++ list_lru_walk(&sb->s_dentry_lru,
+ dentry_lru_isolate_shrink, &dispose, 1024);
+-
+- this_cpu_sub(nr_dentry_unused, freed);
+ shrink_dentry_list(&dispose);
+ } while (list_lru_count(&sb->s_dentry_lru) > 0);
+ }
diff --git a/queue-4.20/gfs2-revert-fix-loop-in-gfs2_rbm_find.patch b/queue-4.20/gfs2-revert-fix-loop-in-gfs2_rbm_find.patch
new file mode 100644
index 00000000000..584dcd48156
--- /dev/null
+++ b/queue-4.20/gfs2-revert-fix-loop-in-gfs2_rbm_find.patch
@@ -0,0 +1,38 @@ +From e74c98ca2d6ae4376cc15fa2a22483430909d96b Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Wed, 30 Jan 2019 21:30:36 +0100 +Subject: gfs2: Revert "Fix loop in gfs2_rbm_find" + +From: Andreas Gruenbacher + +commit e74c98ca2d6ae4376cc15fa2a22483430909d96b upstream. + +This reverts commit 2d29f6b96d8f80322ed2dd895bca590491c38d34. + +It turns out that the fix can lead to a ~20 percent performance regression +in initial writes to the page cache according to iozone. Let's revert this +for now to have more time for a proper fix. + +Cc: stable@vger.kernel.org # v3.13+ +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Bob Peterson +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/gfs2/rgrp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/gfs2/rgrp.c ++++ b/fs/gfs2/rgrp.c +@@ -1780,9 +1780,9 @@ static int gfs2_rbm_find(struct gfs2_rbm + goto next_iter; + } + if (ret == -E2BIG) { +- n += rbm->bii - initial_bii; + rbm->bii = 0; + rbm->offset = 0; ++ n += (rbm->bii - initial_bii); + goto res_covered_end_of_rgrp; + } + return ret; diff --git a/queue-4.20/gpio-altera-a10sr-set-proper-output-level-for-direction_output.patch b/queue-4.20/gpio-altera-a10sr-set-proper-output-level-for-direction_output.patch new file mode 100644 index 00000000000..30468ae0f79 --- /dev/null +++ b/queue-4.20/gpio-altera-a10sr-set-proper-output-level-for-direction_output.patch 
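Review bot: In the restored order `rbm->bii` is set to 0 before `n += (rbm->bii - initial_bii)`, so the adjustment always evaluates to `-initial_bii` rather than the number of bitmaps actually skipped. The commit message accepts this as a temporary revert for performance, but the code carries no marker of that, so the line reads as intended behaviour. A comment such as `/* FIXME: rbm->bii is already 0 here; see reverted commit 2d29f6b96d8f */` on that line would keep the known defect visible until the proper fix lands. gfs2_rbm_find continues outside the hunk, so how `n` is consumed afterwards is not visible here.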
@@ -0,0 +1,38 @@ +From 2095a45e345e669ea77a9b34bdd7de5ceb422f93 Mon Sep 17 00:00:00 2001 +From: Axel Lin +Date: Wed, 23 Jan 2019 08:00:57 +0800 +Subject: gpio: altera-a10sr: Set proper output level for direction_output + +From: Axel Lin + +commit 2095a45e345e669ea77a9b34bdd7de5ceb422f93 upstream. + +The altr_a10sr_gpio_direction_output should set proper output level +based on the value argument. + +Fixes: 26a48c4cc2f1 ("gpio: altera-a10sr: Add A10 System Resource Chip GPIO support.") +Cc: +Signed-off-by: Axel Lin +Tested by: Thor Thayer +Reviewed by: Thor Thayer +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-altera-a10sr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-altera-a10sr.c ++++ b/drivers/gpio/gpio-altera-a10sr.c +@@ -66,8 +66,10 @@ static int altr_a10sr_gpio_direction_inp + static int altr_a10sr_gpio_direction_output(struct gpio_chip *gc, + unsigned int nr, int value) + { +- if (nr <= (ALTR_A10SR_OUT_VALID_RANGE_HI - ALTR_A10SR_LED_VALID_SHIFT)) ++ if (nr <= (ALTR_A10SR_OUT_VALID_RANGE_HI - ALTR_A10SR_LED_VALID_SHIFT)) { ++ altr_a10sr_gpio_set(gc, nr, value); + return 0; ++ } + return -EINVAL; + } + diff --git a/queue-4.20/gpio-pcf857x-fix-interrupts-on-multiple-instances.patch b/queue-4.20/gpio-pcf857x-fix-interrupts-on-multiple-instances.patch new file mode 100644 index 00000000000..6fb47338628 --- /dev/null +++ b/queue-4.20/gpio-pcf857x-fix-interrupts-on-multiple-instances.patch 
@@ -0,0 +1,87 @@ +From 2486e67374aa8b7854c2de32869642c2873b3d53 Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Wed, 9 Jan 2019 11:11:24 +0200 +Subject: gpio: pcf857x: Fix interrupts on multiple instances + +From: Roger Quadros + +commit 2486e67374aa8b7854c2de32869642c2873b3d53 upstream. + +When multiple instances of pcf857x chips are present, a fix up +message [1] is printed during the probe of the 2nd and later +instances. + +The issue is that the driver is using the same irq_chip data +structure between multiple instances. + +Fix this by allocating the irq_chip data structure per instance. + +[1] fix up message addressed by this patch +[ 1.212100] gpio gpiochip9: (pcf8575): detected irqchip that is shared with multiple gpiochips: please fix the driver. + +Cc: Stable +Signed-off-by: Roger Quadros +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-pcf857x.c | 26 ++++++++++++-------------- + 1 file changed, 12 insertions(+), 14 deletions(-) + +--- a/drivers/gpio/gpio-pcf857x.c ++++ b/drivers/gpio/gpio-pcf857x.c +@@ -84,6 +84,7 @@ MODULE_DEVICE_TABLE(of, pcf857x_of_table + */ + struct pcf857x { + struct gpio_chip chip; ++ struct irq_chip irqchip; + struct i2c_client *client; + struct mutex lock; /* protect 'out' */ + unsigned out; /* software latch */ +@@ -252,18 +253,6 @@ static void pcf857x_irq_bus_sync_unlock( + mutex_unlock(&gpio->lock); + } + +-static struct irq_chip pcf857x_irq_chip = { +- .name = "pcf857x", +- .irq_enable = pcf857x_irq_enable, +- .irq_disable = pcf857x_irq_disable, +- .irq_ack = noop, +- .irq_mask = noop, +- .irq_unmask = noop, +- .irq_set_wake = pcf857x_irq_set_wake, +- .irq_bus_lock = pcf857x_irq_bus_lock, +- .irq_bus_sync_unlock = pcf857x_irq_bus_sync_unlock, +-}; +- + /*-------------------------------------------------------------------------*/ + + static int pcf857x_probe(struct i2c_client *client, +@@ -376,8 +365,17 @@ static int pcf857x_probe(struct i2c_clie + + /* Enable irqchip if 
we have an interrupt */ + if (client->irq) { ++ gpio->irqchip.name = "pcf857x", ++ gpio->irqchip.irq_enable = pcf857x_irq_enable, ++ gpio->irqchip.irq_disable = pcf857x_irq_disable, ++ gpio->irqchip.irq_ack = noop, ++ gpio->irqchip.irq_mask = noop, ++ gpio->irqchip.irq_unmask = noop, ++ gpio->irqchip.irq_set_wake = pcf857x_irq_set_wake, ++ gpio->irqchip.irq_bus_lock = pcf857x_irq_bus_lock, ++ gpio->irqchip.irq_bus_sync_unlock = pcf857x_irq_bus_sync_unlock, + status = gpiochip_irqchip_add_nested(&gpio->chip, +- &pcf857x_irq_chip, ++ &gpio->irqchip, + 0, handle_level_irq, + IRQ_TYPE_NONE); + if (status) { +@@ -392,7 +390,7 @@ static int pcf857x_probe(struct i2c_clie + if (status) + goto fail; + +- gpiochip_set_nested_irqchip(&gpio->chip, &pcf857x_irq_chip, ++ gpiochip_set_nested_irqchip(&gpio->chip, &gpio->irqchip, + client->irq); + gpio->irq_parent = client->irq; + } diff --git a/queue-4.20/gpio-sprd-fix-incorrect-irq-type-setting-for-the-async-eic.patch b/queue-4.20/gpio-sprd-fix-incorrect-irq-type-setting-for-the-async-eic.patch new file mode 100644 index 00000000000..e6fe6ff1f0b --- /dev/null +++ b/queue-4.20/gpio-sprd-fix-incorrect-irq-type-setting-for-the-async-eic.patch 
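Review bot: The nine `gpio->irqchip.*` assignments added in pcf857x_probe end in commas instead of semicolons, so they and the following `status = gpiochip_irqchip_add_nested(...)` call form one long comma expression. It compiles and evaluates left to right, but it looks like a leftover from the removed struct initializer, and a statement inserted between those lines later would not behave as a reader expects. Each line should end with `;`, e.g. `gpio->irqchip.name = "pcf857x";` and `gpio->irqchip.irq_enable = pcf857x_irq_enable;`. pcf857x_probe starts and ends outside these hunks.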
@@ -0,0 +1,35 @@ +From f785ffb61605734b518afa766d1b5445e9f38c8d Mon Sep 17 00:00:00 2001 +From: Neo Hou +Date: Wed, 16 Jan 2019 13:06:14 +0800 +Subject: gpio: sprd: Fix incorrect irq type setting for the async EIC + +From: Neo Hou + +commit f785ffb61605734b518afa766d1b5445e9f38c8d upstream. + +When setting async EIC as IRQ_TYPE_EDGE_BOTH type, we missed to set the +SPRD_EIC_ASYNC_INTMODE register to 0, which means detecting edge signals. + +Thus this patch fixes the issue. + +Fixes: 25518e024e3a ("gpio: Add Spreadtrum EIC driver support") +Cc: +Signed-off-by: Neo Hou +Signed-off-by: Baolin Wang +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-eic-sprd.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpio/gpio-eic-sprd.c ++++ b/drivers/gpio/gpio-eic-sprd.c +@@ -379,6 +379,7 @@ static int sprd_eic_irq_set_type(struct + irq_set_handler_locked(data, handle_edge_irq); + break; + case IRQ_TYPE_EDGE_BOTH: ++ sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTMODE, 0); + sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTBOTH, 1); + irq_set_handler_locked(data, handle_edge_irq); + break; diff --git a/queue-4.20/gpio-sprd-fix-the-incorrect-data-register.patch b/queue-4.20/gpio-sprd-fix-the-incorrect-data-register.patch new file mode 100644 index 00000000000..fc520d325d3 --- /dev/null +++ b/queue-4.20/gpio-sprd-fix-the-incorrect-data-register.patch 
@@ -0,0 +1,45 @@ +From 09d158d52d2bceda736797a61b6c13d7fc83707b Mon Sep 17 00:00:00 2001 +From: Neo Hou +Date: Wed, 16 Jan 2019 13:06:13 +0800 +Subject: gpio: sprd: Fix the incorrect data register + +From: Neo Hou + +commit 09d158d52d2bceda736797a61b6c13d7fc83707b upstream. + +Since differnt type EICs have its own data register to read, thus fix the +incorrect data register. + +Fixes: 25518e024e3a ("gpio: Add Spreadtrum EIC driver support") +Cc: +Signed-off-by: Neo Hou +Signed-off-by: Baolin Wang +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-eic-sprd.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-eic-sprd.c ++++ b/drivers/gpio/gpio-eic-sprd.c +@@ -180,7 +180,18 @@ static void sprd_eic_free(struct gpio_ch + + static int sprd_eic_get(struct gpio_chip *chip, unsigned int offset) + { +- return sprd_eic_read(chip, offset, SPRD_EIC_DBNC_DATA); ++ struct sprd_eic *sprd_eic = gpiochip_get_data(chip); ++ ++ switch (sprd_eic->type) { ++ case SPRD_EIC_DEBOUNCE: ++ return sprd_eic_read(chip, offset, SPRD_EIC_DBNC_DATA); ++ case SPRD_EIC_ASYNC: ++ return sprd_eic_read(chip, offset, SPRD_EIC_ASYNC_DATA); ++ case SPRD_EIC_SYNC: ++ return sprd_eic_read(chip, offset, SPRD_EIC_SYNC_DATA); ++ default: ++ return -ENOTSUPP; ++ } + } + + static int sprd_eic_direction_input(struct gpio_chip *chip, unsigned int offset) diff --git a/queue-4.20/gpiolib-fix-line-event-timestamps-for-nested-irqs.patch b/queue-4.20/gpiolib-fix-line-event-timestamps-for-nested-irqs.patch new file mode 100644 index 00000000000..07b42a2932b --- /dev/null +++ b/queue-4.20/gpiolib-fix-line-event-timestamps-for-nested-irqs.patch 
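Review bot: The `default:` branch of the new switch in sprd_eic_get returns `-ENOTSUPP`, a kernel-internal code that is not meant to reach user programs. If this value can travel back through the GPIO get path to a caller, `-EOPNOTSUPP` is the conventional choice: `return -EOPNOTSUPP;`. A negative return from a `get` callback is also easy to mistake for a line level, so a one-line comment on the default case saying it is an error for an unknown `sprd_eic->type` would help. Whether other callbacks in this driver already use `-ENOTSUPP` is not visible in the hunk.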
@@ -0,0 +1,46 @@ +From 1033be58992f818dc564196ded2bcc3f360bc297 Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Fri, 4 Jan 2019 11:24:20 +0100 +Subject: gpiolib: fix line event timestamps for nested irqs + +From: Bartosz Golaszewski + +commit 1033be58992f818dc564196ded2bcc3f360bc297 upstream. + +Nested interrupts run inside the calling thread's context and the top +half handler is never called which means that we never read the +timestamp. + +This issue came up when trying to read line events from a gpiochip +using regmap_irq_chip for interrupts. + +Fix it by reading the timestamp from the irq thread function if it's +still 0 by the time the second handler is called. + +Fixes: d58f2bf261fd ("gpio: Timestamp events in hardirq handler") +Cc: stable@vger.kernel.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -828,7 +828,14 @@ static irqreturn_t lineevent_irq_thread( + /* Do not leak kernel stack to userspace */ + memset(&ge, 0, sizeof(ge)); + +- ge.timestamp = le->timestamp; ++ /* ++ * We may be running from a nested threaded interrupt in which case ++ * we didn't get the timestamp from lineevent_irq_handler(). ++ */ ++ if (!le->timestamp) ++ ge.timestamp = ktime_get_real_ns(); ++ else ++ ge.timestamp = le->timestamp; + + if (le->eflags & GPIOEVENT_REQUEST_RISING_EDGE + && le->eflags & GPIOEVENT_REQUEST_FALLING_EDGE) { diff --git a/queue-4.20/ib-hfi1-add-limit-test-for-rc-uc-send-via-loopback.patch b/queue-4.20/ib-hfi1-add-limit-test-for-rc-uc-send-via-loopback.patch new file mode 100644 index 00000000000..1fc42afea18 --- /dev/null +++ b/queue-4.20/ib-hfi1-add-limit-test-for-rc-uc-send-via-loopback.patch 
@@ -0,0 +1,54 @@ +From 09ce351dff8e7636af0beb72cd4a86c3904a0500 Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Thu, 17 Jan 2019 12:42:16 -0800 +Subject: IB/hfi1: Add limit test for RC/UC send via loopback + +From: Mike Marciniszyn + +commit 09ce351dff8e7636af0beb72cd4a86c3904a0500 upstream. + +Fix potential memory corruption and panic in loopback for IB_WR_SEND +variants. + +The code blindly assumes the posted length will fit in the fetched rwqe, +which is not a valid assumption. + +Fix by adding a limit test, and triggering the appropriate send completion +and putting the QP in an error state. This mimics the handling for +non-loopback QPs. + +Fixes: 15703461533a ("IB/{hfi1, qib, rdmavt}: Move ruc_loopback to rdmavt") +Cc: #v4.20+ +Reviewed-by: Michael J. Ruhl +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/sw/rdmavt/qp.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/sw/rdmavt/qp.c ++++ b/drivers/infiniband/sw/rdmavt/qp.c +@@ -2903,6 +2903,8 @@ send: + goto op_err; + if (!ret) + goto rnr_nak; ++ if (wqe->length > qp->r_len) ++ goto inv_err; + break; + + case IB_WR_RDMA_WRITE_WITH_IMM: +@@ -3071,7 +3073,10 @@ op_err: + goto err; + + inv_err: +- send_status = IB_WC_REM_INV_REQ_ERR; ++ send_status = ++ sqp->ibqp.qp_type == IB_QPT_RC ? ++ IB_WC_REM_INV_REQ_ERR : ++ IB_WC_SUCCESS; + wc.status = IB_WC_LOC_QP_OP_ERR; + goto err; + diff --git a/queue-4.20/ib-hfi1-remove-overly-conservative-vm_exec-flag-check.patch b/queue-4.20/ib-hfi1-remove-overly-conservative-vm_exec-flag-check.patch new file mode 100644 index 00000000000..22b307a286f --- /dev/null +++ b/queue-4.20/ib-hfi1-remove-overly-conservative-vm_exec-flag-check.patch 
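Review bot: At `inv_err:` the sender's completion status is now `IB_WC_SUCCESS` for any QP type other than `IB_QPT_RC`, while `wc.status` is still set to `IB_WC_LOC_QP_OP_ERR`, and nothing in the code says why an over-length send completes successfully on one side. A comment there would keep it from being read as a bug, e.g. `/* only RC reports a remote error to the sender; other QP types complete the send normally while the receive side errors out */`. That wording is presumably the reason, going by the commit message's reference to non-loopback handling, and should be confirmed by the author. The loopback function begins and ends outside both hunks.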
@@ -0,0 +1,47 @@ +From 7709b0dc265f28695487712c45f02bbd1f98415d Mon Sep 17 00:00:00 2001 +From: "Michael J. Ruhl" +Date: Thu, 17 Jan 2019 12:42:04 -0800 +Subject: IB/hfi1: Remove overly conservative VM_EXEC flag check + +From: Michael J. Ruhl + +commit 7709b0dc265f28695487712c45f02bbd1f98415d upstream. + +Applications that use the stack for execution purposes cause userspace PSM +jobs to fail during mmap(). + +Both Fortran (non-standard format parsing) and C (callback functions +located in the stack) applications can be written such that stack +execution is required. The linker notes this via the gnu_stack ELF flag. + +This causes READ_IMPLIES_EXEC to be set which forces all PROT_READ mmaps +to have PROT_EXEC for the process. + +Checking for VM_EXEC bit and failing the request with EPERM is overly +conservative and will break any PSM application using executable stacks. + +Cc: #v4.14+ +Fixes: 12220267645c ("IB/hfi: Protect against writable mmap") +Reviewed-by: Mike Marciniszyn +Reviewed-by: Dennis Dalessandro +Reviewed-by: Ira Weiny +Signed-off-by: Michael J. Ruhl +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/file_ops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/hfi1/file_ops.c ++++ b/drivers/infiniband/hw/hfi1/file_ops.c +@@ -488,7 +488,7 @@ static int hfi1_file_mmap(struct file *f + vmf = 1; + break; + case STATUS: +- if (flags & (unsigned long)(VM_WRITE | VM_EXEC)) { ++ if (flags & VM_WRITE) { + ret = -EPERM; + goto done; + } diff --git a/queue-4.20/ib-uverbs-fix-oops-in-uverbs_user_mmap_disassociate.patch b/queue-4.20/ib-uverbs-fix-oops-in-uverbs_user_mmap_disassociate.patch new file mode 100644 index 00000000000..a7f399f7f34 --- /dev/null +++ b/queue-4.20/ib-uverbs-fix-oops-in-uverbs_user_mmap_disassociate.patch 
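Review bot: With `VM_EXEC` no longer rejected in the `STATUS` case of hfi1_file_mmap, the only guard visible here is the test on `VM_WRITE` at mmap time. The hunk does not show whether `VM_MAYWRITE` is cleared afterwards so that a later mprotect() cannot make the mapping writable. That should be confirmed in the part of the function outside the hunk, since the check originates from a commit titled "Protect against writable mmap". A comment on the relaxed test would also record why exec is tolerated, e.g. `/* VM_EXEC may be forced by READ_IMPLIES_EXEC; only writable mappings are refused */`.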
@@ -0,0 +1,97 @@ +From 7b21b69ab203136fdc153c7707fa6c409e523c2e Mon Sep 17 00:00:00 2001 +From: Yishai Hadas +Date: Sun, 27 Jan 2019 10:11:27 +0200 +Subject: IB/uverbs: Fix OOPs in uverbs_user_mmap_disassociate + +From: Yishai Hadas + +commit 7b21b69ab203136fdc153c7707fa6c409e523c2e upstream. + +The vma->vm_mm can become impossible to get before rdma_umap_close() is +called, in this case we must not try to get an mm that is already +undergoing process exit. In this case there is no need to wait for +anything as the VMA will be destroyed by another thread soon and is +already effectively 'unreachable' by userspace. + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 + PGD 800000012bc50067 P4D 800000012bc50067 PUD 129db5067 PMD 0 + Oops: 0000 [#1] SMP PTI + CPU: 1 PID: 2050 Comm: bash Tainted: G W OE 4.20.0-rc6+ #3 + Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 + RIP: 0010:__rb_erase_color+0xb9/0x280 + Code: 84 17 01 00 00 48 3b 68 10 0f 84 15 01 00 00 48 89 + 58 08 48 89 de 48 89 ef 4c 89 e3 e8 90 84 22 00 e9 60 ff ff ff 48 8b 5d + 10 03 01 0f 84 9c 00 00 00 48 8b 43 10 48 85 c0 74 09 f6 00 01 0f + RSP: 0018:ffffbecfc090bab8 EFLAGS: 00010246 + RAX: ffff97616346cf30 RBX: 0000000000000000 RCX: 0000000000000101 + RDX: 0000000000000000 RSI: ffff97623b6ca828 RDI: ffff97621ef10828 + RBP: ffff97621ef10828 R08: ffff97621ef10828 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000000 R12: ffff97623b6ca838 + R13: ffffffffbb3fef50 R14: ffff97623b6ca828 R15: 0000000000000000 + FS: 00007f7a5c31d740(0000) GS:ffff97623bb00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 000000011255a000 CR4: 00000000000006e0 + Call Trace: + unlink_file_vma+0x3b/0x50 + free_pgtables+0xa1/0x110 + exit_mmap+0xca/0x1a0 + ? 
mlx5_ib_dealloc_pd+0x28/0x30 [mlx5_ib] + mmput+0x54/0x140 + uverbs_user_mmap_disassociate+0xcc/0x160 [ib_uverbs] + uverbs_destroy_ufile_hw+0xf7/0x120 [ib_uverbs] + ib_uverbs_remove_one+0xea/0x240 [ib_uverbs] + ib_unregister_device+0xfb/0x200 [ib_core] + mlx5_ib_remove+0x51/0xe0 [mlx5_ib] + mlx5_remove_device+0xc1/0xd0 [mlx5_core] + mlx5_unregister_device+0x3d/0xb0 [mlx5_core] + remove_one+0x2a/0x90 [mlx5_core] + pci_device_remove+0x3b/0xc0 + device_release_driver_internal+0x16d/0x240 + unbind_store+0xb2/0x100 + kernfs_fop_write+0x102/0x180 + __vfs_write+0x36/0x1a0 + ? __alloc_fd+0xa9/0x170 + ? set_close_on_exec+0x49/0x70 + vfs_write+0xad/0x1a0 + ksys_write+0x52/0xc0 + do_syscall_64+0x5b/0x180 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Cc: # 4.19 +Fixes: 5f9794dc94f5 ("RDMA/ucontext: Add a core API for mmaping driver IO memory") +Signed-off-by: Yishai Hadas +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/uverbs_main.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +--- a/drivers/infiniband/core/uverbs_main.c ++++ b/drivers/infiniband/core/uverbs_main.c +@@ -1000,11 +1000,19 @@ void uverbs_user_mmap_disassociate(struc + + /* Get an arbitrary mm pointer that hasn't been cleaned yet */ + mutex_lock(&ufile->umap_lock); +- if (!list_empty(&ufile->umaps)) { +- mm = list_first_entry(&ufile->umaps, +- struct rdma_umap_priv, list) +- ->vma->vm_mm; +- mmget(mm); ++ while (!list_empty(&ufile->umaps)) { ++ int ret; ++ ++ priv = list_first_entry(&ufile->umaps, ++ struct rdma_umap_priv, list); ++ mm = priv->vma->vm_mm; ++ ret = mmget_not_zero(mm); ++ if (!ret) { ++ list_del_init(&priv->list); ++ mm = NULL; ++ continue; ++ } ++ break; + } + mutex_unlock(&ufile->umap_lock); + if (!mm) 
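Review bot: The new loop in uverbs_user_mmap_disassociate carries a `ret` local and a `continue`/`break` pair that make the exit condition harder to follow than it needs to be. The success case can leave the loop directly with `if (mmget_not_zero(mm)) break;`, followed by `list_del_init(&priv->list);` and `mm = NULL;` for the entry whose mm is already exiting. A short comment on the `list_del_init()` saying that the VMA is being torn down by the exiting process and needs no further work here would carry over the reasoning from the commit message. The declaration of `priv` and the rest of the function are outside the hunk.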
diff --git a/queue-4.20/ib-uverbs-fix-oops-upon-device-disassociation.patch b/queue-4.20/ib-uverbs-fix-oops-upon-device-disassociation.patch new file mode 100644 index 00000000000..d9ac2be6c7b --- /dev/null +++ b/queue-4.20/ib-uverbs-fix-oops-upon-device-disassociation.patch 
@@ -0,0 +1,99 @@ +From 425784aa5b029eeb80498c73a68f62c3ad1d3b3f Mon Sep 17 00:00:00 2001 +From: Yishai Hadas +Date: Thu, 24 Jan 2019 14:33:12 +0200 +Subject: IB/uverbs: Fix OOPs upon device disassociation + +From: Yishai Hadas + +commit 425784aa5b029eeb80498c73a68f62c3ad1d3b3f upstream. + +The async_file might be freed before the disassociation has been ended, +causing qp shutdown to use after free on it. + +Since uverbs_destroy_ufile_hw is not a fence, it returns if a +disassociation is ongoing in another thread. It has to be written this way +to avoid deadlock. However this means that the ufile FD close cannot +destroy anything that may still be used by an active kref, such as the the +async_file. + +To fix that move the kref_put() to be in ib_uverbs_release_file(). + + BUG: unable to handle kernel paging request at ffffffffba682787 + PGD bc80e067 P4D bc80e067 PUD bc80f063 PMD 1313df163 PTE 80000000bc682061 + Oops: 0003 [#1] SMP PTI + CPU: 1 PID: 32410 Comm: bash Tainted: G OE 4.20.0-rc6+ #3 + Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 + RIP: 0010:__pv_queued_spin_lock_slowpath+0x1b3/0x2a0 + Code: 98 83 e2 60 49 89 df 48 8b 04 c5 80 18 72 ba 48 8d + ba 80 32 02 00 ba 00 80 00 00 4c 8d 65 14 41 bd 01 00 00 00 48 01 c7 85 + d2 <48> 89 2f 48 89 fb 74 14 8b 45 08 85 c0 75 42 84 d2 74 6b f3 90 83 + RSP: 0018:ffffc1bbc064fb58 EFLAGS: 00010006 + RAX: ffffffffba65f4e7 RBX: ffff9f209c656c00 RCX: 0000000000000001 + RDX: 0000000000008000 RSI: 0000000000000000 RDI: ffffffffba682787 + RBP: ffff9f217bb23280 R08: 0000000000000001 R09: 0000000000000000 + R10: ffff9f209d2c7800 R11: ffffffffffffffe8 R12: ffff9f217bb23294 + R13: 0000000000000001 R14: 0000000000000000 R15: ffff9f209c656c00 + FS: 00007fac55aad740(0000) GS:ffff9f217bb00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffffffffba682787 CR3: 000000012f8e0000 CR4: 00000000000006e0 + Call Trace: + _raw_spin_lock_irq+0x27/0x30 + ib_uverbs_release_uevent+0x1e/0xa0 [ib_uverbs] 
+ uverbs_free_qp+0x7e/0x90 [ib_uverbs] + destroy_hw_idr_uobject+0x1c/0x50 [ib_uverbs] + uverbs_destroy_uobject+0x2e/0x180 [ib_uverbs] + __uverbs_cleanup_ufile+0x73/0x90 [ib_uverbs] + uverbs_destroy_ufile_hw+0x5d/0x120 [ib_uverbs] + ib_uverbs_remove_one+0xea/0x240 [ib_uverbs] + ib_unregister_device+0xfb/0x200 [ib_core] + mlx5_ib_remove+0x51/0xe0 [mlx5_ib] + mlx5_remove_device+0xc1/0xd0 [mlx5_core] + mlx5_unregister_device+0x3d/0xb0 [mlx5_core] + remove_one+0x2a/0x90 [mlx5_core] + pci_device_remove+0x3b/0xc0 + device_release_driver_internal+0x16d/0x240 + unbind_store+0xb2/0x100 + kernfs_fop_write+0x102/0x180 + __vfs_write+0x36/0x1a0 + ? __alloc_fd+0xa9/0x170 + ? set_close_on_exec+0x49/0x70 + vfs_write+0xad/0x1a0 + ksys_write+0x52/0xc0 + do_syscall_64+0x5b/0x180 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x7fac551aac60 + +Cc: # 4.2 +Fixes: 036b10635739 ("IB/uverbs: Enable device removal when there are active user space applications") +Signed-off-by: Yishai Hadas +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/uverbs_main.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/infiniband/core/uverbs_main.c ++++ b/drivers/infiniband/core/uverbs_main.c +@@ -262,6 +262,9 @@ void ib_uverbs_release_file(struct kref + if (atomic_dec_and_test(&file->device->refcount)) + ib_uverbs_comp_dev(file->device); + ++ if (file->async_file) ++ kref_put(&file->async_file->ref, ++ ib_uverbs_release_async_event_file); + put_device(&file->device->dev); + kfree(file); + } +@@ -1132,10 +1135,6 @@ static int ib_uverbs_close(struct inode + list_del_init(&file->list); + mutex_unlock(&file->device->lists_mutex); + +- if (file->async_file) +- kref_put(&file->async_file->ref, +- ib_uverbs_release_async_event_file); +- + kref_put(&file->ref, ib_uverbs_release_file); + + return 0; 
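Review bot: The `kref_put()` on `file->async_file` that now sits in ib_uverbs_release_file has no comment explaining why it must wait for the last reference on the ufile rather than run in ib_uverbs_close, which is the whole point of the move. Something like `/* async_file can still be used by uobject cleanup after close; drop it only with the last ufile reference */` above the `if (file->async_file)` would stop it being moved back during a later cleanup. Both functions continue outside the hunks.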
diff --git a/queue-4.20/iommu-vt-d-fix-memory-leak-in-intel_iommu_put_resv_regions.patch b/queue-4.20/iommu-vt-d-fix-memory-leak-in-intel_iommu_put_resv_regions.patch new file mode 100644 index 00000000000..74cdf53d2d2 --- /dev/null +++ b/queue-4.20/iommu-vt-d-fix-memory-leak-in-intel_iommu_put_resv_regions.patch @@ -0,0 +1,43 @@ +From 198bc3252ea3a45b0c5d500e6a5b91cfdd08f001 Mon Sep 17 00:00:00 2001 +From: Gerald Schaefer +Date: Wed, 16 Jan 2019 20:11:44 +0100 +Subject: iommu/vt-d: Fix memory leak in intel_iommu_put_resv_regions() + +From: Gerald Schaefer + +commit 198bc3252ea3a45b0c5d500e6a5b91cfdd08f001 upstream. + +Commit 9d3a4de4cb8d ("iommu: Disambiguate MSI region types") changed +the reserved region type in intel_iommu_get_resv_regions() from +IOMMU_RESV_RESERVED to IOMMU_RESV_MSI, but it forgot to also change +the type in intel_iommu_put_resv_regions(). + +This leads to a memory leak, because now the check in +intel_iommu_put_resv_regions() for IOMMU_RESV_RESERVED will never +be true, and no allocated regions will be freed. + +Fix this by changing the region type in intel_iommu_put_resv_regions() +to IOMMU_RESV_MSI, matching the type of the allocated regions. + +Fixes: 9d3a4de4cb8d ("iommu: Disambiguate MSI region types") +Cc: # v4.11+ +Signed-off-by: Gerald Schaefer +Reviewed-by: Eric Auger +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/intel-iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -5204,7 +5204,7 @@ static void intel_iommu_put_resv_regions + struct iommu_resv_region *entry, *next; + + list_for_each_entry_safe(entry, next, head, list) { +- if (entry->type == IOMMU_RESV_RESERVED) ++ if (entry->type == IOMMU_RESV_MSI) + kfree(entry); + } + } 
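Review bot: intel_iommu_put_resv_regions decides which entries to `kfree()` by comparing `entry->type` with a constant that has to match whatever intel_iommu_get_resv_regions allocates, and the leak fixed here came from exactly that pairing drifting apart. A comment on the test would tie the two together, e.g. `/* must match the type of the region allocated in intel_iommu_get_resv_regions() */`. Freed entries are also left linked on `head`; that is safe only if callers discard the list afterwards, which the hunk does not show.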
diff --git a/queue-4.20/mmc-bcm2835-fix-dma-channel-leak-on-probe-error.patch b/queue-4.20/mmc-bcm2835-fix-dma-channel-leak-on-probe-error.patch new file mode 100644 index 00000000000..e5a5f8ece65 --- /dev/null +++ b/queue-4.20/mmc-bcm2835-fix-dma-channel-leak-on-probe-error.patch @@ -0,0 +1,37 @@ +From 8c9620b1cc9b69e82fa8d4081d646d0016b602e7 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Sat, 19 Jan 2019 16:31:00 +0100 +Subject: mmc: bcm2835: Fix DMA channel leak on probe error + +From: Lukas Wunner + +commit 8c9620b1cc9b69e82fa8d4081d646d0016b602e7 upstream. + +The BCM2835 MMC host driver requests a DMA channel on probe but neglects +to release the channel in the probe error path. The channel may +therefore be leaked, in particular if devm_clk_get() causes probe +deferral. Fix it. + +Fixes: 660fc733bd74 ("mmc: bcm2835: Add new driver for the sdhost controller.") +Signed-off-by: Lukas Wunner +Cc: stable@vger.kernel.org # v4.12+ +Cc: Frank Pavlic +Tested-by: Stefan Wahren +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/bcm2835.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mmc/host/bcm2835.c ++++ b/drivers/mmc/host/bcm2835.c +@@ -1427,6 +1427,8 @@ static int bcm2835_probe(struct platform + + err: + dev_dbg(dev, "%s -> err %d\n", __func__, ret); ++ if (host->dma_chan_rxtx) ++ dma_release_channel(host->dma_chan_rxtx); + mmc_free_host(mmc); + + return ret; diff --git a/queue-4.20/mmc-mediatek-fix-incorrect-register-setting-of-hs400_cmd_int_delay.patch b/queue-4.20/mmc-mediatek-fix-incorrect-register-setting-of-hs400_cmd_int_delay.patch new file mode 100644 index 00000000000..ca2f876dc28 --- /dev/null +++ b/queue-4.20/mmc-mediatek-fix-incorrect-register-setting-of-hs400_cmd_int_delay.patch 
@@ -0,0 +1,33 @@ +From 3751e008da0df4384031bd66a516c0292f915605 Mon Sep 17 00:00:00 2001 +From: Chaotian Jing +Date: Wed, 23 Jan 2019 20:05:25 +0800 +Subject: mmc: mediatek: fix incorrect register setting of hs400_cmd_int_delay + +From: Chaotian Jing + +commit 3751e008da0df4384031bd66a516c0292f915605 upstream. + +to set cmd internal delay, need set PAD_TUNE register but not PAD_CMD_TUNE +register. + +Signed-off-by: Chaotian Jing +Fixes: 1ede5cb88a29 ("mmc: mediatek: Use data tune for CMD line tune") +Cc: stable@vger.kernel.org # v4.12+ +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/mtk-sd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/host/mtk-sd.c ++++ b/drivers/mmc/host/mtk-sd.c +@@ -846,7 +846,7 @@ static void msdc_set_mclk(struct msdc_ho + + if (timing == MMC_TIMING_MMC_HS400 && + host->dev_comp->hs400_tune) +- sdr_set_field(host->base + PAD_CMD_TUNE, ++ sdr_set_field(host->base + tune_reg, + MSDC_PAD_TUNE_CMDRRDLY, + host->hs400_cmd_int_delay); + dev_dbg(host->dev, "sclk: %d, timing: %d\n", host->mmc->actual_clock, diff --git a/queue-4.20/nfs-fix-up-return-value-on-fatal-errors-in-nfs_page_async_flush.patch b/queue-4.20/nfs-fix-up-return-value-on-fatal-errors-in-nfs_page_async_flush.patch new file mode 100644 index 00000000000..7583faa585e --- /dev/null +++ b/queue-4.20/nfs-fix-up-return-value-on-fatal-errors-in-nfs_page_async_flush.patch 
@@ -0,0 +1,52 @@ +From 8fc75bed96bb94e23ca51bd9be4daf65c57697bf Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 29 Jan 2019 15:52:55 -0500 +Subject: NFS: Fix up return value on fatal errors in nfs_page_async_flush() + +From: Trond Myklebust + +commit 8fc75bed96bb94e23ca51bd9be4daf65c57697bf upstream. + +Ensure that we return the fatal error value that caused us to exit +nfs_page_async_flush(). + +Fixes: c373fff7bd25 ("NFSv4: Don't special case "launder"") +Signed-off-by: Trond Myklebust +Cc: stable@vger.kernel.org # v4.12+ +Reviewed-by: Benjamin Coddington +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/write.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -621,11 +621,12 @@ static int nfs_page_async_flush(struct n + nfs_set_page_writeback(page); + WARN_ON_ONCE(test_bit(PG_CLEAN, &req->wb_flags)); + +- ret = 0; ++ ret = req->wb_context->error; + /* If there is a fatal error that covers this write, just exit */ +- if (nfs_error_is_fatal_on_server(req->wb_context->error)) ++ if (nfs_error_is_fatal_on_server(ret)) + goto out_launder; + ++ ret = 0; + if (!nfs_pageio_add_request(pgio, req)) { + ret = pgio->pg_error; + /* +@@ -635,9 +636,9 @@ static int nfs_page_async_flush(struct n + nfs_context_set_write_error(req->wb_context, ret); + if (nfs_error_is_fatal_on_server(ret)) + goto out_launder; +- } ++ } else ++ ret = -EAGAIN; + nfs_redirty_request(req); +- ret = -EAGAIN; + } else + nfs_add_stats(page_file_mapping(page)->host, + NFSIOS_WRITEPAGES, 1); diff --git a/queue-4.20/selftests-seccomp-enhance-per-arch-ptrace-syscall-skip-tests.patch b/queue-4.20/selftests-seccomp-enhance-per-arch-ptrace-syscall-skip-tests.patch new file mode 100644 index 00000000000..267ed48f5a1 --- /dev/null +++ b/queue-4.20/selftests-seccomp-enhance-per-arch-ptrace-syscall-skip-tests.patch 
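Review bot: The rewritten branch in nfs_page_async_flush ends as `} else` followed by an unbraced `ret = -EAGAIN;`, which mixes braced and unbraced arms of the same `if`. Kernel coding style asks for braces on both arms when either needs them. Writing it as `} else {`, `ret = -EAGAIN;`, `}` also makes it harder to misread which `if` the `else` belongs to, given the outer `} else` a few lines below. The function starts and ends outside the two hunks.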
@@ -0,0 +1,176 @@
+From ed5f13261cb65b02c611ae9971677f33581d4286 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Fri, 25 Jan 2019 10:33:59 -0800
+Subject: selftests/seccomp: Enhance per-arch ptrace syscall skip tests
+
+From: Kees Cook
+
+commit ed5f13261cb65b02c611ae9971677f33581d4286 upstream.
+
+Passing EPERM during syscall skipping was confusing since the test wasn't
+actually exercising the errno evaluation -- it was just passing a literal
+"1" (EPERM). Instead, expand the tests to check both direct value returns
+(positive, 45000 in this case), and errno values (negative, -ESRCH in this
+case) to check both fake success and fake failure during syscall skipping.
+
+Reported-by: Colin Ian King
+Fixes: a33b2d0359a0 ("selftests/seccomp: Add tests for basic ptrace actions")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook
+Signed-off-by: Shuah Khan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/testing/selftests/seccomp/seccomp_bpf.c | 72 ++++++++++++++++++++------
+ 1 file changed, 57 insertions(+), 15 deletions(-)
+
+--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
+@@ -1563,7 +1563,16 @@ TEST_F(TRACE_poke, getpid_runs_normally)
+ #ifdef SYSCALL_NUM_RET_SHARE_REG
+ # define EXPECT_SYSCALL_RETURN(val, action) EXPECT_EQ(-1, action)
+ #else
+-# define EXPECT_SYSCALL_RETURN(val, action) EXPECT_EQ(val, action)
++# define EXPECT_SYSCALL_RETURN(val, action) \
++ do { \
++ errno = 0; \
++ if (val < 0) { \
++ EXPECT_EQ(-1, action); \
++ EXPECT_EQ(-(val), errno); \
++ } else { \
++ EXPECT_EQ(val, action); \
++ } \
++ } while (0)
+ #endif
+
+ /* Use PTRACE_GETREGS and PTRACE_SETREGS when available. This is useful for
+@@ -1602,7 +1611,7 @@ int get_syscall(struct __test_metadata *
+
+ /* Architecture-specific syscall changing routine. */
+ void change_syscall(struct __test_metadata *_metadata,
+- pid_t tracee, int syscall)
++ pid_t tracee, int syscall, int result)
+ {
+ int ret;
+ ARCH_REGS regs;
+@@ -1661,7 +1670,7 @@ void change_syscall(struct __test_metada
+ #ifdef SYSCALL_NUM_RET_SHARE_REG
+ TH_LOG("Can't modify syscall return on this architecture");
+ #else
+- regs.SYSCALL_RET = EPERM;
++ regs.SYSCALL_RET = result;
+ #endif
+
+ #ifdef HAVE_GETREGS
+@@ -1689,14 +1698,19 @@ void tracer_syscall(struct __test_metada
+ case 0x1002:
+ /* change getpid to getppid. */
+ EXPECT_EQ(__NR_getpid, get_syscall(_metadata, tracee));
+- change_syscall(_metadata, tracee, __NR_getppid);
++ change_syscall(_metadata, tracee, __NR_getppid, 0);
+ break;
+ case 0x1003:
+- /* skip gettid. */
++ /* skip gettid with valid return code. */
+ EXPECT_EQ(__NR_gettid, get_syscall(_metadata, tracee));
+- change_syscall(_metadata, tracee, -1);
++ change_syscall(_metadata, tracee, -1, 45000);
+ break;
+ case 0x1004:
++ /* skip openat with error. */
++ EXPECT_EQ(__NR_openat, get_syscall(_metadata, tracee));
++ change_syscall(_metadata, tracee, -1, -ESRCH);
++ break;
++ case 0x1005:
+ /* do nothing (allow getppid) */
+ EXPECT_EQ(__NR_getppid, get_syscall(_metadata, tracee));
+ break;
+@@ -1729,9 +1743,11 @@ void tracer_ptrace(struct __test_metadat
+ nr = get_syscall(_metadata, tracee);
+
+ if (nr == __NR_getpid)
+- change_syscall(_metadata, tracee, __NR_getppid);
++ change_syscall(_metadata, tracee, __NR_getppid, 0);
++ if (nr == __NR_gettid)
++ change_syscall(_metadata, tracee, -1, 45000);
+ if (nr == __NR_openat)
+- change_syscall(_metadata, tracee, -1);
++ change_syscall(_metadata, tracee, -1, -ESRCH);
+ }
+
+ FIXTURE_DATA(TRACE_syscall) {
+@@ -1748,8 +1764,10 @@ FIXTURE_SETUP(TRACE_syscall)
+ BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1002),
+ BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_gettid, 0, 1),
+ BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1003),
+- BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
++ BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_openat, 0, 1),
+ BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1004),
++ BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
++ BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1005),
+ BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
+ };
+
+@@ -1797,15 +1815,26 @@ TEST_F(TRACE_syscall, ptrace_syscall_red
+ EXPECT_NE(self->mypid, syscall(__NR_getpid));
+ }
+
+-TEST_F(TRACE_syscall, ptrace_syscall_dropped)
++TEST_F(TRACE_syscall, ptrace_syscall_errno)
++{
++ /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */
++ teardown_trace_fixture(_metadata, self->tracer);
++ self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL,
++ true);
++
++ /* Tracer should skip the open syscall, resulting in ESRCH. */
++ EXPECT_SYSCALL_RETURN(-ESRCH, syscall(__NR_openat));
++}
++
++TEST_F(TRACE_syscall, ptrace_syscall_faked)
+ {
+ /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */
+ teardown_trace_fixture(_metadata, self->tracer);
+ self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL,
+ true);
+
+- /* Tracer should skip the open syscall, resulting in EPERM. */
+- EXPECT_SYSCALL_RETURN(EPERM, syscall(__NR_openat));
++ /* Tracer should skip the gettid syscall, resulting fake pid. */
++ EXPECT_SYSCALL_RETURN(45000, syscall(__NR_gettid));
+ }
+
+ TEST_F(TRACE_syscall, syscall_allowed)
+@@ -1838,7 +1867,21 @@ TEST_F(TRACE_syscall, syscall_redirected
+ EXPECT_NE(self->mypid, syscall(__NR_getpid));
+ }
+
+-TEST_F(TRACE_syscall, syscall_dropped)
++TEST_F(TRACE_syscall, syscall_errno)
++{
++ long ret;
++
++ ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
++ ASSERT_EQ(0, ret);
++
++ ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
++ ASSERT_EQ(0, ret);
++
++ /* openat has been skipped and an errno return. */
++ EXPECT_SYSCALL_RETURN(-ESRCH, syscall(__NR_openat));
++}
++
++TEST_F(TRACE_syscall, syscall_faked)
+ {
+ long ret;
+
+@@ -1849,8 +1892,7 @@ TEST_F(TRACE_syscall, syscall_dropped)
+ ASSERT_EQ(0, ret);
+
+ /* gettid has been skipped and an altered return value stored. */
+- EXPECT_SYSCALL_RETURN(EPERM, syscall(__NR_gettid));
+- EXPECT_NE(self->mytid, syscall(__NR_gettid));
++ EXPECT_SYSCALL_RETURN(45000, syscall(__NR_gettid));
+ }
+
+ TEST_F(TRACE_syscall, skip_after_RET_TRACE)
diff --git a/queue-4.20/series b/queue-4.20/series
index a5a35c22d08..873f72f7e2b 100644
--- a/queue-4.20/series
+++ b/queue-4.20/series
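Review bot: The new multi-line `EXPECT_SYSCALL_RETURN` in seccomp_bpf.c expands `val` without parentheses in `if (val < 0)` and `EXPECT_EQ(val, action)` while `-(val)` is protected, so an expression argument would parse differently in the two places; `if ((val) < 0)` and `EXPECT_EQ((val), action)` keep the macro consistent. Separately, `syscall_faked` drops the old `EXPECT_NE(self->mytid, syscall(__NR_gettid))`, so the test now relies on 45000 never being the thread's real tid; a comment next to the constant stating that assumption would help the next reader. In the `SYSCALL_NUM_RET_SHARE_REG` branch the macro still only checks for -1 and the new `result` argument of change_syscall() is unused, so the errno path is not exercised on those architectures, which deserves a note beside the `#ifdef`.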
@@ -32,3 +32,32 @@ virtio_net-don-t-process-redirected-xdp-frames-when-xdp-is-disabled.patch
 virtio_net-use-xdp_return_frame-to-free-xdp_frames-on-destroying-vqs.patch
 virtio_net-differentiate-sk_buff-and-xdp_frame-on-freeing.patch
 ipv6-consider-sk_bound_dev_if-when-binding-a-socket-to-an-address.patch
+cifs-do-not-count-enodata-as-failure-for-query-directory.patch
+cifs-fix-possible-oops-and-memory-leaks-in-async-io.patch
+cifs-fix-trace-command-logging-for-smb2-reads-and-writes.patch
+cifs-fix-use-after-free-of-the-lease-keys.patch
+cifs-do-not-consider-enodata-as-stat-failure-for-reads.patch
+fs-dcache-fix-incorrect-nr_dentry_unused-accounting-in-shrink_dcache_sb.patch
+iommu-vt-d-fix-memory-leak-in-intel_iommu_put_resv_regions.patch
+selftests-seccomp-enhance-per-arch-ptrace-syscall-skip-tests.patch
+nfs-fix-up-return-value-on-fatal-errors-in-nfs_page_async_flush.patch
+arm-cns3xxx-fix-writing-to-wrong-pci-config-registers-after-alignment.patch
+arm64-kaslr-ensure-randomized-quantities-are-clean-also-when-kaslr-is-off.patch
+arm64-do-not-issue-ipis-for-user-executable-ptes.patch
+arm64-hyp-stub-forbid-kprobing-of-the-hyp-stub.patch
+arm64-hibernate-clean-the-__hyp_text-to-poc-after-resume.patch
+gpio-altera-a10sr-set-proper-output-level-for-direction_output.patch
+gpiolib-fix-line-event-timestamps-for-nested-irqs.patch
+gpio-pcf857x-fix-interrupts-on-multiple-instances.patch
+gpio-sprd-fix-the-incorrect-data-register.patch
+gpio-sprd-fix-incorrect-irq-type-setting-for-the-async-eic.patch
+gfs2-revert-fix-loop-in-gfs2_rbm_find.patch
+mmc-bcm2835-fix-dma-channel-leak-on-probe-error.patch
+mmc-mediatek-fix-incorrect-register-setting-of-hs400_cmd_int_delay.patch
+alsa-usb-audio-add-opus-3-to-quirks-for-native-dsd-support.patch
+alsa-hda-realtek-fixed-hp_pin-no-value.patch
+alsa-pcm-fix-tight-loop-of-oss-capture-stream.patch
+ib-uverbs-fix-oops-upon-device-disassociation.patch
+ib-uverbs-fix-oops-in-uverbs_user_mmap_disassociate.patch
+ib-hfi1-remove-overly-conservative-vm_exec-flag-check.patch
+ib-hfi1-add-limit-test-for-rc-uc-send-via-loopback.patch