From: Greg Kroah-Hartman Date: Tue, 10 Jul 2018 14:20:20 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v3.18.115~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b2e0f6f9cc3f7511c1af3cf1b032a017e1143689;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: dm-bufio-avoid-sleeping-while-holding-the-dm_bufio-lock.patch dm-bufio-don-t-take-the-lock-in-dm_bufio_shrink_count.patch dm-bufio-drop-the-lock-when-doing-gfp_noio-allocation.patch hid-debug-check-length-before-copy_to_user.patch hid-hiddev-fix-potential-spectre-v1.patch hid-i2c-hid-fix-incomplete-report-noise.patch kbuild-fix-escaping-in-.cmd-files-for-future-make.patch media-cx25840-use-subdev-host-data-for-pll-override.patch mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch pm-opp-update-voltage-in-case-freq-old_freq.patch tools-build-build.include-fix-escaping-in-.cmd-files-for.patch --- diff --git a/queue-4.9/dm-bufio-avoid-sleeping-while-holding-the-dm_bufio-lock.patch b/queue-4.9/dm-bufio-avoid-sleeping-while-holding-the-dm_bufio-lock.patch new file mode 100644 index 00000000000..044a341807b --- /dev/null +++ b/queue-4.9/dm-bufio-avoid-sleeping-while-holding-the-dm_bufio-lock.patch 
@@ -0,0 +1,126 @@ +From 9ea61cac0b1ad0c09022f39fd97e9b99a2cfc2dc Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Thu, 17 Nov 2016 11:24:20 -0800 +Subject: dm bufio: avoid sleeping while holding the dm_bufio lock + +From: Douglas Anderson + +commit 9ea61cac0b1ad0c09022f39fd97e9b99a2cfc2dc upstream. + +We've seen in-field reports showing _lots_ (18 in one case, 41 in +another) of tasks all sitting there blocked on: + + mutex_lock+0x4c/0x68 + dm_bufio_shrink_count+0x38/0x78 + shrink_slab.part.54.constprop.65+0x100/0x464 + shrink_zone+0xa8/0x198 + +In the two cases analyzed, we see one task that looks like this: + + Workqueue: kverityd verity_prefetch_io + + __switch_to+0x9c/0xa8 + __schedule+0x440/0x6d8 + schedule+0x94/0xb4 + schedule_timeout+0x204/0x27c + schedule_timeout_uninterruptible+0x44/0x50 + wait_iff_congested+0x9c/0x1f0 + shrink_inactive_list+0x3a0/0x4cc + shrink_lruvec+0x418/0x5cc + shrink_zone+0x88/0x198 + try_to_free_pages+0x51c/0x588 + __alloc_pages_nodemask+0x648/0xa88 + __get_free_pages+0x34/0x7c + alloc_buffer+0xa4/0x144 + __bufio_new+0x84/0x278 + dm_bufio_prefetch+0x9c/0x154 + verity_prefetch_io+0xe8/0x10c + process_one_work+0x240/0x424 + worker_thread+0x2fc/0x424 + kthread+0x10c/0x114 + +...and that looks to be the one holding the mutex. + +The problem has been reproduced on fairly easily: +0. Be running Chrome OS w/ verity enabled on the root filesystem +1. Pick test patch: http://crosreview.com/412360 +2. Install launchBalloons.sh and balloon.arm from + http://crbug.com/468342 + ...that's just a memory stress test app. +3. On a 4GB rk3399 machine, run + nice ./launchBalloons.sh 4 900 100000 + ...that tries to eat 4 * 900 MB of memory and keep accessing. +4. Login to the Chrome web browser and restore many tabs + +With that, I've seen printouts like: + DOUG: long bufio 90758 ms +...and stack trace always show's we're in dm_bufio_prefetch(). 
+ +The problem is that we try to allocate memory with GFP_NOIO while +we're holding the dm_bufio lock. Instead we should be using +GFP_NOWAIT. Using GFP_NOIO can cause us to sleep while holding the +lock and that causes the above problems. + +The current behavior explained by David Rientjes: + + It will still try reclaim initially because __GFP_WAIT (or + __GFP_KSWAPD_RECLAIM) is set by GFP_NOIO. This is the cause of + contention on dm_bufio_lock() that the thread holds. You want to + pass GFP_NOWAIT instead of GFP_NOIO to alloc_buffer() when holding a + mutex that can be contended by a concurrent slab shrinker (if + count_objects didn't use a trylock, this pattern would trivially + deadlock). + +This change significantly increases responsiveness of the system while +in this state. It makes a real difference because it unblocks kswapd. +In the bug report analyzed, kswapd was hung: + + kswapd0 D ffffffc000204fd8 0 72 2 0x00000000 + Call trace: + [] __switch_to+0x9c/0xa8 + [] __schedule+0x440/0x6d8 + [] schedule+0x94/0xb4 + [] schedule_preempt_disabled+0x28/0x44 + [] __mutex_lock_slowpath+0x120/0x1ac + [] mutex_lock+0x4c/0x68 + [] dm_bufio_shrink_count+0x38/0x78 + [] shrink_slab.part.54.constprop.65+0x100/0x464 + [] shrink_zone+0xa8/0x198 + [] balance_pgdat+0x328/0x508 + [] kswapd+0x424/0x51c + [] kthread+0x10c/0x114 + [] ret_from_fork+0x10/0x40 + +By unblocking kswapd memory pressure should be reduced. + +Suggested-by: David Rientjes +Reviewed-by: Guenter Roeck +Signed-off-by: Douglas Anderson +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-bufio.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-bufio.c ++++ b/drivers/md/dm-bufio.c +@@ -824,7 +824,8 @@ static struct dm_buffer *__alloc_buffer_ + * dm-bufio is resistant to allocation failures (it just keeps + * one buffer reserved in cases all the allocations fail). 
+ * So set flags to not try too hard: +- * GFP_NOIO: don't recurse into the I/O layer ++ * GFP_NOWAIT: don't wait; if we need to sleep we'll release our ++ * mutex and wait ourselves. + * __GFP_NORETRY: don't retry and rather return failure + * __GFP_NOMEMALLOC: don't use emergency reserves + * __GFP_NOWARN: don't print a warning in case of failure +@@ -834,7 +835,7 @@ static struct dm_buffer *__alloc_buffer_ + */ + while (1) { + if (dm_bufio_cache_size_latch != 1) { +- b = alloc_buffer(c, GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN); ++ b = alloc_buffer(c, GFP_NOWAIT | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN); + if (b) + return b; + } diff --git a/queue-4.9/dm-bufio-don-t-take-the-lock-in-dm_bufio_shrink_count.patch b/queue-4.9/dm-bufio-don-t-take-the-lock-in-dm_bufio_shrink_count.patch new file mode 100644 index 00000000000..11e460e1c35 --- /dev/null +++ b/queue-4.9/dm-bufio-don-t-take-the-lock-in-dm_bufio_shrink_count.patch 
@@ -0,0 +1,48 @@ +From d12067f428c037b4575aaeb2be00847fc214c24a Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 23 Nov 2016 16:52:01 -0500 +Subject: dm bufio: don't take the lock in dm_bufio_shrink_count + +From: Mikulas Patocka + +commit d12067f428c037b4575aaeb2be00847fc214c24a upstream. + +dm_bufio_shrink_count() is called from do_shrink_slab to find out how many +freeable objects are there. The reported value doesn't have to be precise, +so we don't need to take the dm-bufio lock. + +Suggested-by: David Rientjes +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-bufio.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +--- a/drivers/md/dm-bufio.c ++++ b/drivers/md/dm-bufio.c +@@ -1598,19 +1598,11 @@ dm_bufio_shrink_scan(struct shrinker *sh + static unsigned long + dm_bufio_shrink_count(struct shrinker *shrink, struct shrink_control *sc) + { +- struct dm_bufio_client *c; +- unsigned long count; +- unsigned long retain_target; ++ struct dm_bufio_client *c = container_of(shrink, struct dm_bufio_client, shrinker); ++ unsigned long count = READ_ONCE(c->n_buffers[LIST_CLEAN]) + ++ READ_ONCE(c->n_buffers[LIST_DIRTY]); ++ unsigned long retain_target = get_retain_buffers(c); + +- c = container_of(shrink, struct dm_bufio_client, shrinker); +- if (sc->gfp_mask & __GFP_FS) +- dm_bufio_lock(c); +- else if (!dm_bufio_trylock(c)) +- return 0; +- +- count = c->n_buffers[LIST_CLEAN] + c->n_buffers[LIST_DIRTY]; +- retain_target = get_retain_buffers(c); +- dm_bufio_unlock(c); + return (count < retain_target) ? 0 : (count - retain_target); + } + diff --git a/queue-4.9/dm-bufio-drop-the-lock-when-doing-gfp_noio-allocation.patch b/queue-4.9/dm-bufio-drop-the-lock-when-doing-gfp_noio-allocation.patch new file mode 100644 index 00000000000..46c2f81120d --- /dev/null +++ b/queue-4.9/dm-bufio-drop-the-lock-when-doing-gfp_noio-allocation.patch 
@@ -0,0 +1,51 @@ +From 41c73a49df31151f4ff868f28fe4f129f113fa2c Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 23 Nov 2016 17:04:00 -0500 +Subject: dm bufio: drop the lock when doing GFP_NOIO allocation + +From: Mikulas Patocka + +commit 41c73a49df31151f4ff868f28fe4f129f113fa2c upstream. + +If the first allocation attempt using GFP_NOWAIT fails, drop the lock +and retry using GFP_NOIO allocation (lock is dropped because the +allocation can take some time). + +Note that we won't do GFP_NOIO allocation when we loop for the second +time, because the lock shouldn't be dropped between __wait_for_free_buffer +and __get_unclaimed_buffer. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-bufio.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/md/dm-bufio.c ++++ b/drivers/md/dm-bufio.c +@@ -819,6 +819,7 @@ enum new_flag { + static struct dm_buffer *__alloc_buffer_wait_no_callback(struct dm_bufio_client *c, enum new_flag nf) + { + struct dm_buffer *b; ++ bool tried_noio_alloc = false; + + /* + * dm-bufio is resistant to allocation failures (it just keeps +@@ -843,6 +844,15 @@ static struct dm_buffer *__alloc_buffer_ + if (nf == NF_PREFETCH) + return NULL; + ++ if (dm_bufio_cache_size_latch != 1 && !tried_noio_alloc) { ++ dm_bufio_unlock(c); ++ b = alloc_buffer(c, GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN); ++ dm_bufio_lock(c); ++ if (b) ++ return b; ++ tried_noio_alloc = true; ++ } ++ + if (!list_empty(&c->reserved_buffers)) { + b = list_entry(c->reserved_buffers.next, + struct dm_buffer, lru_list); diff --git a/queue-4.9/hid-debug-check-length-before-copy_to_user.patch b/queue-4.9/hid-debug-check-length-before-copy_to_user.patch new file mode 100644 index 00000000000..79200ad4d92 --- /dev/null +++ b/queue-4.9/hid-debug-check-length-before-copy_to_user.patch 
@@ -0,0 +1,53 @@ +From 717adfdaf14704fd3ec7fa2c04520c0723247eac Mon Sep 17 00:00:00 2001 +From: Daniel Rosenberg +Date: Mon, 2 Jul 2018 16:59:37 -0700 +Subject: HID: debug: check length before copy_to_user() + +From: Daniel Rosenberg + +commit 717adfdaf14704fd3ec7fa2c04520c0723247eac upstream. + +If our length is greater than the size of the buffer, we +overflow the buffer + +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Rosenberg +Reviewed-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-debug.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-debug.c ++++ b/drivers/hid/hid-debug.c +@@ -1152,6 +1152,8 @@ copy_rest: + goto out; + if (list->tail > list->head) { + len = list->tail - list->head; ++ if (len > count) ++ len = count; + + if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) { + ret = -EFAULT; +@@ -1161,6 +1163,8 @@ copy_rest: + list->head += len; + } else { + len = HID_DEBUG_BUFSIZE - list->head; ++ if (len > count) ++ len = count; + + if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) { + ret = -EFAULT; +@@ -1168,7 +1172,9 @@ copy_rest: + } + list->head = 0; + ret += len; +- goto copy_rest; ++ count -= len; ++ if (count > 0) ++ goto copy_rest; + } + + } diff --git a/queue-4.9/hid-hiddev-fix-potential-spectre-v1.patch b/queue-4.9/hid-hiddev-fix-potential-spectre-v1.patch new file mode 100644 index 00000000000..2ebf9849c32 --- /dev/null +++ b/queue-4.9/hid-hiddev-fix-potential-spectre-v1.patch 
@@ -0,0 +1,90 @@ +From 4f65245f2d178b9cba48350620d76faa4a098841 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Fri, 29 Jun 2018 17:08:44 -0500 +Subject: HID: hiddev: fix potential Spectre v1 + +From: Gustavo A. R. Silva + +commit 4f65245f2d178b9cba48350620d76faa4a098841 upstream. + +uref->field_index, uref->usage_index, finfo.field_index and cinfo.index can be +indirectly controlled by user-space, hence leading to a potential exploitation +of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +drivers/hid/usbhid/hiddev.c:473 hiddev_ioctl_usage() warn: potential spectre issue 'report->field' (local cap) +drivers/hid/usbhid/hiddev.c:477 hiddev_ioctl_usage() warn: potential spectre issue 'field->usage' (local cap) +drivers/hid/usbhid/hiddev.c:757 hiddev_ioctl() warn: potential spectre issue 'report->field' (local cap) +drivers/hid/usbhid/hiddev.c:801 hiddev_ioctl() warn: potential spectre issue 'hid->collection' (local cap) + +Fix this by sanitizing such structure fields before using them to index +report->field, field->usage and hid->collection + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. 
Silva +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/usbhid/hiddev.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/hid/usbhid/hiddev.c ++++ b/drivers/hid/usbhid/hiddev.c +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + #include "usbhid.h" + + #ifdef CONFIG_USB_DYNAMIC_MINORS +@@ -478,10 +479,14 @@ static noinline int hiddev_ioctl_usage(s + + if (uref->field_index >= report->maxfield) + goto inval; ++ uref->field_index = array_index_nospec(uref->field_index, ++ report->maxfield); + + field = report->field[uref->field_index]; + if (uref->usage_index >= field->maxusage) + goto inval; ++ uref->usage_index = array_index_nospec(uref->usage_index, ++ field->maxusage); + + uref->usage_code = field->usage[uref->usage_index].hid; + +@@ -508,6 +513,8 @@ static noinline int hiddev_ioctl_usage(s + + if (uref->field_index >= report->maxfield) + goto inval; ++ uref->field_index = array_index_nospec(uref->field_index, ++ report->maxfield); + + field = report->field[uref->field_index]; + +@@ -761,6 +768,8 @@ static long hiddev_ioctl(struct file *fi + + if (finfo.field_index >= report->maxfield) + break; ++ finfo.field_index = array_index_nospec(finfo.field_index, ++ report->maxfield); + + field = report->field[finfo.field_index]; + memset(&finfo, 0, sizeof(finfo)); +@@ -801,6 +810,8 @@ static long hiddev_ioctl(struct file *fi + + if (cinfo.index >= hid->maxcollection) + break; ++ cinfo.index = array_index_nospec(cinfo.index, ++ hid->maxcollection); + + cinfo.type = hid->collection[cinfo.index].type; + cinfo.usage = hid->collection[cinfo.index].usage; diff --git a/queue-4.9/hid-i2c-hid-fix-incomplete-report-noise.patch b/queue-4.9/hid-i2c-hid-fix-incomplete-report-noise.patch new file mode 100644 index 00000000000..54e5b48fb8b --- /dev/null +++ b/queue-4.9/hid-i2c-hid-fix-incomplete-report-noise.patch 
@@ -0,0 +1,46 @@ +From ef6eaf27274c0351f7059163918f3795da13199c Mon Sep 17 00:00:00 2001 +From: Jason Andryuk +Date: Fri, 22 Jun 2018 12:25:49 -0400 +Subject: HID: i2c-hid: Fix "incomplete report" noise + +From: Jason Andryuk + +commit ef6eaf27274c0351f7059163918f3795da13199c upstream. + +Commit ac75a041048b ("HID: i2c-hid: fix size check and type usage") started +writing messages when the ret_size is <= 2 from i2c_master_recv. However, my +device i2c-DLL07D1 returns 2 for a short period of time (~0.5s) after I stop +moving the pointing stick or touchpad. It varies, but you get ~50 messages +each time which spams the log hard. + +[ 95.925055] i2c_hid i2c-DLL07D1:01: i2c_hid_get_input: incomplete report (83/2) + +This has also been observed with a i2c-ALP0017. + +[ 1781.266353] i2c_hid i2c-ALP0017:00: i2c_hid_get_input: incomplete report (30/2) + +Only print the message when ret_size is totally invalid and less than 2 to cut +down on the log spam. + +Fixes: ac75a041048b ("HID: i2c-hid: fix size check and type usage") +Reported-by: John Smith +Cc: stable@vger.kernel.org +Signed-off-by: Jason Andryuk +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/i2c-hid/i2c-hid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/i2c-hid/i2c-hid.c ++++ b/drivers/hid/i2c-hid/i2c-hid.c +@@ -477,7 +477,7 @@ static void i2c_hid_get_input(struct i2c + return; + } + +- if ((ret_size > size) || (ret_size <= 2)) { ++ if ((ret_size > size) || (ret_size < 2)) { + dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n", + __func__, size, ret_size); + return; diff --git a/queue-4.9/kbuild-fix-escaping-in-.cmd-files-for-future-make.patch b/queue-4.9/kbuild-fix-escaping-in-.cmd-files-for-future-make.patch new file mode 100644 index 00000000000..bcac38fe039 --- /dev/null +++ b/queue-4.9/kbuild-fix-escaping-in-.cmd-files-for-future-make.patch 
@@ -0,0 +1,126 @@ +From 9564a8cf422d7b58f6e857e3546d346fa970191e Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes +Date: Sun, 8 Apr 2018 23:35:28 +0200 +Subject: Kbuild: fix # escaping in .cmd files for future Make +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rasmus Villemoes + +commit 9564a8cf422d7b58f6e857e3546d346fa970191e upstream. + +I tried building using a freshly built Make (4.2.1-69-g8a731d1), but +already the objtool build broke with + +orc_dump.c: In function ‘orc_dump’: +orc_dump.c:106:2: error: ‘elf_getshnum’ is deprecated [-Werror=deprecated-declarations] + if (elf_getshdrnum(elf, &nr_sections)) { + +Turns out that with that new Make, the backslash was not removed, so cpp +didn't see a #include directive, grep found nothing, and +-DLIBELF_USE_DEPRECATED was wrongly put in CFLAGS. + +Now, that new Make behaviour is documented in their NEWS file: + + * WARNING: Backward-incompatibility! + Number signs (#) appearing inside a macro reference or function invocation + no longer introduce comments and should not be escaped with backslashes: + thus a call such as: + foo := $(shell echo '#') + is legal. Previously the number sign needed to be escaped, for example: + foo := $(shell echo '\#') + Now this latter will resolve to "\#". If you want to write makefiles + portable to both versions, assign the number sign to a variable: + C := \# + foo := $(shell echo '$C') + This was claimed to be fixed in 3.81, but wasn't, for some reason. + To detect this change search for 'nocomment' in the .FEATURES variable. + +This also fixes up the two make-cmd instances to replace # with $(pound) +rather than with \#. There might very well be other places that need +similar fixup in preparation for whatever future Make release contains +the above change, but at least this builds an x86_64 defconfig with the +new make. 
+ +Link: https://bugzilla.kernel.org/show_bug.cgi?id=197847 +Cc: Randy Dunlap +Signed-off-by: Rasmus Villemoes +Signed-off-by: Masahiro Yamada +Signed-off-by: Greg Kroah-Hartman + + +--- + scripts/Kbuild.include | 5 +++-- + tools/build/Build.include | 5 +++-- + tools/objtool/Makefile | 2 +- + tools/scripts/Makefile.include | 2 ++ + 4 files changed, 9 insertions(+), 5 deletions(-) + +--- a/scripts/Kbuild.include ++++ b/scripts/Kbuild.include +@@ -8,6 +8,7 @@ squote := ' + empty := + space := $(empty) $(empty) + space_escape := _-_SPACE_-_ ++pound := \# + + ### + # Name of target with a '.' as filename prefix. foo/bar.o => foo/.bar.o +@@ -241,11 +242,11 @@ endif + + # Replace >$< with >$$< to preserve $ when reloading the .cmd file + # (needed for make) +-# Replace >#< with >\#< to avoid starting a comment in the .cmd file ++# Replace >#< with >$(pound)< to avoid starting a comment in the .cmd file + # (needed for make) + # Replace >'< with >'\''< to be able to enclose the whole string in '...' + # (needed for the shell) +-make-cmd = $(call escsq,$(subst \#,\\\#,$(subst $$,$$$$,$(cmd_$(1))))) ++make-cmd = $(call escsq,$(subst $(pound),$$(pound),$(subst $$,$$$$,$(cmd_$(1))))) + + # Find any prerequisites that is newer than target or that does not exist. + # PHONY targets skipped in both cases. +--- a/tools/build/Build.include ++++ b/tools/build/Build.include +@@ -12,6 +12,7 @@ + # Convenient variables + comma := , + squote := ' ++pound := \# + + ### + # Name of target with a '.' as filename prefix. foo/bar.o => foo/.bar.o +@@ -43,11 +44,11 @@ echo-cmd = $(if $($(quiet)cmd_$(1)),\ + ### + # Replace >$< with >$$< to preserve $ when reloading the .cmd file + # (needed for make) +-# Replace >#< with >\#< to avoid starting a comment in the .cmd file ++# Replace >#< with >$(pound)< to avoid starting a comment in the .cmd file + # (needed for make) + # Replace >'< with >'\''< to be able to enclose the whole string in '...' 
+ # (needed for the shell) +-make-cmd = $(call escsq,$(subst \#,\\\#,$(subst $$,$$$$,$(cmd_$(1))))) ++make-cmd = $(call escsq,$(subst $(pound),$$(pound),$(subst $$,$$$$,$(cmd_$(1))))) + + ### + # Find any prerequisites that is newer than target or that does not exist. +--- a/tools/objtool/Makefile ++++ b/tools/objtool/Makefile +@@ -35,7 +35,7 @@ CFLAGS += -Wall -Werror $(WARNINGS) -f + LDFLAGS += -lelf $(LIBSUBCMD) + + # Allow old libelf to be used: +-elfshdr := $(shell echo '\#include ' | $(CC) $(CFLAGS) -x c -E - | grep elf_getshdr) ++elfshdr := $(shell echo '$(pound)include ' | $(CC) $(CFLAGS) -x c -E - | grep elf_getshdr) + CFLAGS += $(if $(elfshdr),,-DLIBELF_USE_DEPRECATED) + + AWK = awk +--- a/tools/scripts/Makefile.include ++++ b/tools/scripts/Makefile.include +@@ -92,3 +92,5 @@ ifneq ($(silent),1) + QUIET_INSTALL = @printf ' INSTALL %s\n' $1; + endif + endif ++ ++pound := \# diff --git a/queue-4.9/media-cx25840-use-subdev-host-data-for-pll-override.patch b/queue-4.9/media-cx25840-use-subdev-host-data-for-pll-override.patch new file mode 100644 index 00000000000..26cbafa5c5c --- /dev/null +++ b/queue-4.9/media-cx25840-use-subdev-host-data-for-pll-override.patch 
@@ -0,0 +1,86 @@ +From 3ee9bc12342cf546313d300808ff47d7dbb8e7db Mon Sep 17 00:00:00 2001 +From: Brad Love +Date: Tue, 6 Mar 2018 14:15:34 -0500 +Subject: media: cx25840: Use subdev host data for PLL override + +From: Brad Love + +commit 3ee9bc12342cf546313d300808ff47d7dbb8e7db upstream. + +The cx25840 driver currently configures 885, 887, and 888 using +default divisors for each chip. This check to see if the cx23885 +driver has passed the cx25840 a non-default clock rate for a +specific chip. If a cx23885 board has left clk_freq at 0, the +clock default values will be used to configure the PLLs. + +This patch only has effect on 888 boards who set clk_freq to 25M. + +Signed-off-by: Brad Love +Signed-off-by: Mauro Carvalho Chehab +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/i2c/cx25840/cx25840-core.c | 28 ++++++++++++++++++++++------ + 1 file changed, 22 insertions(+), 6 deletions(-) + +--- a/drivers/media/i2c/cx25840/cx25840-core.c ++++ b/drivers/media/i2c/cx25840/cx25840-core.c +@@ -467,8 +467,13 @@ static void cx23885_initialize(struct i2 + { + DEFINE_WAIT(wait); + struct cx25840_state *state = to_state(i2c_get_clientdata(client)); ++ u32 clk_freq = 0; + struct workqueue_struct *q; + ++ /* cx23885 sets hostdata to clk_freq pointer */ ++ if (v4l2_get_subdev_hostdata(&state->sd)) ++ clk_freq = *((u32 *)v4l2_get_subdev_hostdata(&state->sd)); ++ + /* + * Come out of digital power down + * The CX23888, at least, needs this, otherwise registers aside from +@@ -504,8 +509,13 @@ static void cx23885_initialize(struct i2 + * 50.0 MHz * (0xb + 0xe8ba26/0x2000000)/4 = 5 * 28.636363 MHz + * 572.73 MHz before post divide + */ +- /* HVR1850 or 50MHz xtal */ +- cx25840_write(client, 0x2, 0x71); ++ if (clk_freq == 25000000) { ++ /* 888/ImpactVCBe or 25Mhz xtal */ ++ ; /* nothing to do */ ++ } else { ++ /* HVR1850 or 50MHz xtal */ ++ cx25840_write(client, 0x2, 0x71); ++ } + cx25840_write4(client, 0x11c, 0x01d1744c); + cx25840_write4(client, 0x118, 
0x00000416); + cx25840_write4(client, 0x404, 0x0010253e); +@@ -548,9 +558,15 @@ static void cx23885_initialize(struct i2 + /* HVR1850 */ + switch (state->id) { + case CX23888_AV: +- /* 888/HVR1250 specific */ +- cx25840_write4(client, 0x10c, 0x13333333); +- cx25840_write4(client, 0x108, 0x00000515); ++ if (clk_freq == 25000000) { ++ /* 888/ImpactVCBe or 25MHz xtal */ ++ cx25840_write4(client, 0x10c, 0x01b6db7b); ++ cx25840_write4(client, 0x108, 0x00000512); ++ } else { ++ /* 888/HVR1250 or 50MHz xtal */ ++ cx25840_write4(client, 0x10c, 0x13333333); ++ cx25840_write4(client, 0x108, 0x00000515); ++ } + break; + default: + cx25840_write4(client, 0x10c, 0x002be2c9); +@@ -580,7 +596,7 @@ static void cx23885_initialize(struct i2 + * 368.64 MHz before post divide + * 122.88 MHz / 0xa = 12.288 MHz + */ +- /* HVR1850 or 50MHz xtal */ ++ /* HVR1850 or 50MHz xtal or 25MHz xtal */ + cx25840_write4(client, 0x114, 0x017dbf48); + cx25840_write4(client, 0x110, 0x000a030e); + break; diff --git a/queue-4.9/mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch b/queue-4.9/mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch new file mode 100644 index 00000000000..8d19a41c833 --- /dev/null +++ b/queue-4.9/mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch 
@@ -0,0 +1,75 @@ +From 7810e6781e0fcbca78b91cf65053f895bf59e85f Mon Sep 17 00:00:00 2001 +From: Vlastimil Babka +Date: Thu, 7 Jun 2018 17:09:29 -0700 +Subject: mm, page_alloc: do not break __GFP_THISNODE by zonelist reset + +From: Vlastimil Babka + +commit 7810e6781e0fcbca78b91cf65053f895bf59e85f upstream. + +In __alloc_pages_slowpath() we reset zonelist and preferred_zoneref for +allocations that can ignore memory policies. The zonelist is obtained +from current CPU's node. This is a problem for __GFP_THISNODE +allocations that want to allocate on a different node, e.g. because the +allocating thread has been migrated to a different CPU. + +This has been observed to break SLAB in our 4.4-based kernel, because +there it relies on __GFP_THISNODE working as intended. If a slab page +is put on wrong node's list, then further list manipulations may corrupt +the list because page_to_nid() is used to determine which node's +list_lock should be locked and thus we may take a wrong lock and race. + +Current SLAB implementation seems to be immune by luck thanks to commit +511e3a058812 ("mm/slab: make cache_grow() handle the page allocated on +arbitrary node") but there may be others assuming that __GFP_THISNODE +works as promised. + +We can fix it by simply removing the zonelist reset completely. There +is actually no reason to reset it, because memory policies and cpusets +don't affect the zonelist choice in the first place. This was different +when commit 183f6371aac2 ("mm: ignore mempolicies when using +ALLOC_NO_WATERMARK") introduced the code, as mempolicies provided their +own restricted zonelists. + +We might consider this for 4.17 although I don't know if there's +anything currently broken. + +SLAB is currently not affected, but in kernels older than 4.7 that don't +yet have 511e3a058812 ("mm/slab: make cache_grow() handle the page +allocated on arbitrary node") it is. That's at least 4.4 LTS. Older +ones I'll have to check. 
+ +So stable backports should be more important, but will have to be +reviewed carefully, as the code went through many changes. BTW I think +that also the ac->preferred_zoneref reset is currently useless if we +don't also reset ac->nodemask from a mempolicy to NULL first (which we +probably should for the OOM victims etc?), but I would leave that for a +separate patch. + +Link: http://lkml.kernel.org/r/20180525130853.13915-1-vbabka@suse.cz +Signed-off-by: Vlastimil Babka +Fixes: 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK") +Acked-by: Mel Gorman +Cc: Michal Hocko +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: Vlastimil Babka +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page_alloc.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -3642,7 +3642,6 @@ retry: + * orientated. + */ + if (!(alloc_flags & ALLOC_CPUSET) || (alloc_flags & ALLOC_NO_WATERMARKS)) { +- ac->zonelist = node_zonelist(numa_node_id(), gfp_mask); + ac->preferred_zoneref = first_zones_zonelist(ac->zonelist, + ac->high_zoneidx, ac->nodemask); + } diff --git a/queue-4.9/mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch b/queue-4.9/mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch new file mode 100644 index 00000000000..d2daabac0e2 --- /dev/null +++ b/queue-4.9/mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch 
@@ -0,0 +1,65 @@ +From 3f77f244d8ec28e3a0a81240ffac7d626390060c Mon Sep 17 00:00:00 2001 +From: Martin Kaiser +Date: Mon, 18 Jun 2018 22:41:03 +0200 +Subject: mtd: rawnand: mxc: set spare area size register explicitly + +From: Martin Kaiser + +commit 3f77f244d8ec28e3a0a81240ffac7d626390060c upstream. + +The v21 version of the NAND flash controller contains a Spare Area Size +Register (SPAS) at offset 0x10. Its setting defaults to the maximum +spare area size of 218 bytes. The size that is set in this register is +used by the controller when it calculates the ECC bytes internally in +hardware. + +Usually, this register is updated from settings in the IIM fuses when +the system is booting from NAND flash. For other boot media, however, +the SPAS register remains at the default setting, which may not work for +the particular flash chip on the board. The same goes for flash chips +whose configuration cannot be set in the IIM fuses (e.g. chips with 2k +sector size and 128 bytes spare area size can't be configured in the IIM +fuses on imx25 systems). + +Set the SPAS register explicitly during the preset operation. Derive the +register value from mtd->oobsize that was detected during probe by +decoding the flash chip's ID bytes. + +While at it, rename the define for the spare area register's offset to +NFC_V21_RSLTSPARE_AREA. The register at offset 0x10 on v1 controllers is +different from the register on v21 controllers. 
+ +Fixes: d484018 ("mtd: mxc_nand: set NFC registers after reset") +Cc: stable@vger.kernel.org +Signed-off-by: Martin Kaiser +Reviewed-by: Sascha Hauer +Reviewed-by: Miquel Raynal +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/mtd/nand/mxc_nand.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/nand/mxc_nand.c ++++ b/drivers/mtd/nand/mxc_nand.c +@@ -48,7 +48,7 @@ + #define NFC_V1_V2_CONFIG (host->regs + 0x0a) + #define NFC_V1_V2_ECC_STATUS_RESULT (host->regs + 0x0c) + #define NFC_V1_V2_RSLTMAIN_AREA (host->regs + 0x0e) +-#define NFC_V1_V2_RSLTSPARE_AREA (host->regs + 0x10) ++#define NFC_V21_RSLTSPARE_AREA (host->regs + 0x10) + #define NFC_V1_V2_WRPROT (host->regs + 0x12) + #define NFC_V1_UNLOCKSTART_BLKADDR (host->regs + 0x14) + #define NFC_V1_UNLOCKEND_BLKADDR (host->regs + 0x16) +@@ -1121,6 +1121,9 @@ static void preset_v2(struct mtd_info *m + writew(config1, NFC_V1_V2_CONFIG1); + /* preset operation */ + ++ /* spare area size in 16-bit half-words */ ++ writew(mtd->oobsize / 2, NFC_V21_RSLTSPARE_AREA); ++ + /* Unlock the internal RAM Buffer */ + writew(0x2, NFC_V1_V2_CONFIG); + diff --git a/queue-4.9/pm-opp-update-voltage-in-case-freq-old_freq.patch b/queue-4.9/pm-opp-update-voltage-in-case-freq-old_freq.patch new file mode 100644 index 00000000000..95068c791b4 --- /dev/null +++ b/queue-4.9/pm-opp-update-voltage-in-case-freq-old_freq.patch 
@@ -0,0 +1,71 @@ +From c5c2a97b3ac7d1ec19e7cff9e38caca6afefc3de Mon Sep 17 00:00:00 2001 +From: Waldemar Rymarkiewicz +Date: Thu, 14 Jun 2018 15:56:08 +0200 +Subject: PM / OPP: Update voltage in case freq == old_freq + +From: Waldemar Rymarkiewicz + +commit c5c2a97b3ac7d1ec19e7cff9e38caca6afefc3de upstream. + +This commit fixes a rare but possible case when the clk rate is updated +without update of the regulator voltage. + +At boot up, CPUfreq checks if the system is running at the right freq. This +is a sanity check in case a bootloader set clk rate that is outside of freq +table present with cpufreq core. In such cases system can be unstable so +better to change it to a freq that is preset in freq-table. + +The CPUfreq takes next freq that is >= policy->cur and this is our +target_freq that needs to be set now. + +dev_pm_opp_set_rate(dev, target_freq) checks the target_freq and the +old_freq (a current rate). If these are equal it returns early. If not, +it searches for OPP (old_opp) that fits best to old_freq (not listed in +the table) and updates old_freq (!). + +Here, we can end up with old_freq = old_opp.rate = target_freq, which +is not handled in _generic_set_opp_regulator(). It's supposed to update +voltage only when freq > old_freq || freq > old_freq. + +if (freq > old_freq) { + ret = _set_opp_voltage(dev, reg, new_supply); +[...] +if (freq < old_freq) { + ret = _set_opp_voltage(dev, reg, new_supply); + if (ret) + +It results in, no voltage update while clk rate is updated. + +Example: +freq-table = { + 1000MHz 1.15V + 666MHZ 1.10V + 333MHz 1.05V +} +boot-up-freq = 800MHz # not listed in freq-table +freq = target_freq = 1GHz +old_freq = 800Mhz +old_opp = _find_freq_ceil(opp_table, &old_freq); #(old_freq is modified!) 
+old_freq = 1GHz + +Fixes: 6a0712f6f199 ("PM / OPP: Add dev_pm_opp_set_rate()") +Cc: 4.6+ # v4.6+ +Signed-off-by: Waldemar Rymarkiewicz +Signed-off-by: Viresh Kumar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/power/opp/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/base/power/opp/core.c ++++ b/drivers/base/power/opp/core.c +@@ -651,7 +651,7 @@ int dev_pm_opp_set_rate(struct device *d + rcu_read_unlock(); + + /* Scaling up? Scale voltage before frequency */ +- if (freq > old_freq) { ++ if (freq >= old_freq) { + ret = _set_opp_voltage(dev, reg, u_volt, u_volt_min, + u_volt_max); + if (ret) diff --git a/queue-4.9/series b/queue-4.9/series index b1dd060217a..df3e7a0b9da 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -34,3 +34,15 @@ ext4-add-more-inode-number-paranoia-checks.patch ext4-add-more-mount-time-checks-of-the-superblock.patch ext4-check-superblock-mapped-prior-to-committing.patch mlxsw-spectrum-forbid-linking-of-vlan-devices-to-devices-that-have-uppers.patch +hid-i2c-hid-fix-incomplete-report-noise.patch +hid-hiddev-fix-potential-spectre-v1.patch +hid-debug-check-length-before-copy_to_user.patch +pm-opp-update-voltage-in-case-freq-old_freq.patch +kbuild-fix-escaping-in-.cmd-files-for-future-make.patch +tools-build-build.include-fix-escaping-in-.cmd-files-for.patch +media-cx25840-use-subdev-host-data-for-pll-override.patch +mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch +dm-bufio-avoid-sleeping-while-holding-the-dm_bufio-lock.patch +dm-bufio-drop-the-lock-when-doing-gfp_noio-allocation.patch +mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch +dm-bufio-don-t-take-the-lock-in-dm_bufio_shrink_count.patch diff --git a/queue-4.9/tools-build-build.include-fix-escaping-in-.cmd-files-for.patch b/queue-4.9/tools-build-build.include-fix-escaping-in-.cmd-files-for.patch new file mode 100644 index 00000000000..8bf8f3cc46c --- /dev/null 
+++ b/queue-4.9/tools-build-build.include-fix-escaping-in-.cmd-files-for.patch 
@@ -0,0 +1,57 @@ +From cdfc04d354e38b4e727d4e513962310389847414 Mon Sep 17 00:00:00 2001 +From: Paul Menzel +Date: Tue, 5 Jun 2018 19:00:22 +0200 +Subject: tools/build/Build.include: fix # escaping in .cmd files for future Make + +From: Paul Menzel + +In 2016 make made a backwards incompatible change to the way '#' +characters were handled in Makefiles when used inside functions or +macros: + +http://git.savannah.gnu.org/cgit/make.git/commit/?id=c6966b323811c37acedff05b57 + +Due to this change, when attempting to run `make prepare' I get a +spurious make syntax error: + + /home/earnest/linux/tools/objtool/.fixdep.o.cmd:1: *** missing separator. Stop. + +When inspecting `.fixdep.o.cmd' it includes two lines which use +unescaped comment characters at the top: + + \# cannot find fixdep (/home/earnest/linux/tools/objtool//fixdep) + \# using basic dep data + +This is because `tools/build/Build.include' prints these '\#' +characters: + + printf '\# cannot find fixdep (%s)\n' $(fixdep) > $(dot-target).cmd; \ + printf '\# using basic dep data\n\n' >> $(dot-target).cmd; \ + +This completes commit 9564a8cf (Kbuild: fix # escaping in .cmd files for +future Make). 
+ +Link: https://bugzilla.kernel.org/show_bug.cgi?id=197847 +Cc: Randy Dunlap +Cc: Rasmus Villemoes +Cc: Masahiro Yamada +Signed-off-by: Paul Menzel +Signed-off-by: Greg Kroah-Hartman + +--- + tools/build/Build.include | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/build/Build.include ++++ b/tools/build/Build.include +@@ -63,8 +63,8 @@ dep-cmd = $(if $(wildcard $(fixdep)), + $(fixdep) $(depfile) $@ '$(make-cmd)' > $(dot-target).tmp; \ + rm -f $(depfile); \ + mv -f $(dot-target).tmp $(dot-target).cmd, \ +- printf '\# cannot find fixdep (%s)\n' $(fixdep) > $(dot-target).cmd; \ +- printf '\# using basic dep data\n\n' >> $(dot-target).cmd; \ ++ printf '$(pound) cannot find fixdep (%s)\n' $(fixdep) > $(dot-target).cmd; \ ++ printf '$(pound) using basic dep data\n\n' >> $(dot-target).cmd; \ + cat $(depfile) >> $(dot-target).cmd; \ + printf '%s\n' 'cmd_$@ := $(make-cmd)' >> $(dot-target).cmd) +
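Review bot: in the preset_v2() hunk of drivers/mtd/nand/mxc_nand.c (@@ -1121), the added writew(mtd->oobsize / 2, NFC_V21_RSLTSPARE_AREA) is unconditional, yet the rename in the first hunk from NFC_V1_V2_RSLTSPARE_AREA to NFC_V21_RSLTSPARE_AREA says the register at offset 0x10 carries this meaning only on v2.1 controllers. Nothing visible in the hunk restricts preset_v2() to v2.1, so either confirm that for the 4.9 tree or guard the write with a controller-version check. The value also relies on mtd->oobsize being populated by the time preset_v2() runs; if the function can be reached before the chip is identified, the register is written with 0, so a one-line comment on the expected call ordering would help.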
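Review bot: in the dev_pm_opp_set_rate() hunk of drivers/base/power/opp/core.c (@@ -651), the comment "Scaling up? Scale voltage before frequency" no longer describes the condition once it reads freq >= old_freq. According to the commit message, equality is reachable only after _find_freq_ceil() has rounded old_freq up to the target, because identical rates return early before that point; put that in the comment so the >= is not later tidied back to >. It is also worth confirming that the scaling-down branch quoted in the commit message keeps its strict freq < old_freq test, so the voltage is not programmed twice in the equal case.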
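Review bot: the tools/build/Build.include hunk (@@ -63,8) switches both printf lines to $(pound), but the diffstat is 2 insertions and 2 deletions, so no definition of pound is added to this file. If the 4.9 copy of tools/build/Build.include does not already define it, $(pound) expands to nothing and the two header lines land in the .cmd file without a leading '#', which would bring back the "missing separator" failure the commit message describes. Please check that a definition such as pound := \# is in scope for tools/build in this tree, or add it in the same patch. The commit message also carries no "commit ... upstream." line, unlike the PM / OPP patch queued alongside it, so the upstream status should be stated before this goes into the series.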