From: Greg Kroah-Hartman Date: Mon, 17 Sep 2018 10:39:32 +0000 (+0200) Subject: 4.18-stable patches X-Git-Tag: v4.18.9~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b32f6c9ddb249dd3282f3d398f9b1a5a7cdd5e6d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.18-stable patches added patches: alsa-hda-realtek-add-mute-led-quirk-for-hp-spectre-x360.patch arc-enable-swap.patch asoc-soc-pcm-use-delay-set-in-component-pointer-function.patch ata-libahci-allow-reconfigure-of-devslp-register.patch ata-libahci-correct-setting-of-devslp-register.patch ath10k-disable-bundle-mgmt-tx-completion-event-support.patch ath10k-prevent-active-scans-on-potential-unusable-channels.patch ath9k-report-tx-status-on-eosp.patch ath9k_hw-fix-channel-maximum-power-level-test.patch blk-mq-fix-updating-tags-depth.patch bluetooth-h5-fix-missing-dependency-on-bt_hciuart_serdev.patch bluetooth-hidp-fix-handling-of-strncpy-for-hid-name-information.patch clk-scmi-fix-the-rounding-of-clock-rate.patch device-dax-avoid-hang-on-error-before-devm_memremap_pages.patch dm-cache-only-allow-a-single-io_mode-cache-feature-to-be-requested.patch drivers-hv-vmbus-cleanup-synic-memory-free-path.patch drm-amd-display-prevent-psr-from-being-enabled-if-initialization-fails.patch ethtool-remove-trailing-semicolon-for-static-inline.patch f2fs-avoid-potential-deadlock-in-f2fs_sbi_store.patch f2fs-do-not-set-free-of-current-section.patch f2fs-fix-defined-but-not-used-build-warnings.patch f2fs-fix-to-active-page-in-lru-list-for-read-path.patch f2fs-fix-to-detect-looped-node-chain-correctly.patch f2fs-fix-to-do-sanity-check-with-extra_attr-feature.patch f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of-inline-inode.patch f2fs-fix-to-do-sanity-check-with-secs_per_zone.patch f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch f2fs-fix-to-propagate-return-value-of-scan_nat_page.patch f2fs-fix-to-skip-gc-if-type-in-ssa-and-sit-is-inconsistent.patch 
f2fs-fix-to-wait-on-page-writeback-before-updating-page.patch f2fs-fix-uninitialized-return-in-f2fs_ioc_shutdown.patch f2fs-issue-discard-align-to-section-in-lfs-mode.patch f2fs-keep-alloc_valid_block_count-in-sync.patch f2fs-try-grabbing-node-page-lock-aggressively-in-sync-scenario.patch firmware-vpd-fix-section-enabled-flag-on-vpd_section_destroy.patch gpio-ml-ioh-fix-buffer-underwrite-on-probe-error-path.patch gpio-pxa-disable-pinctrl-calls-for-pxa3xx.patch gpio-tegra-move-driver-registration-to-subsys_init-level.patch gpu-ipu-v3-default-to-id-0-on-missing-of-alias.patch i2c-aspeed-add-an-explicit-type-casting-for-get_clk_reg_val.patch ib-ipoib-set-ah-valid-flag-in-multicast-send-flow.patch input-atmel_mxt_ts-only-use-first-t9-instance.patch iommu-arm-smmu-v3-abort-all-transactions-if-smmu-is-enabled-in-kdump-kernel.patch iommu-ipmmu-vmsa-fix-allocation-in-atomic-context.patch iwlwifi-pcie-don-t-access-periphery-registers-when-not-available.patch macintosh-via-pmu-add-missing-mmio-accessors.patch md-raid5-fix-data-corruption-of-replacements-after-originals-dropped.patch media-camss-csid-configure-data-type-and-decode-format-properly.patch media-davinci-vpif_display-mix-memory-leak-on-probe-error-path.patch media-dw2102-fix-memleak-on-sequence-of-probes.patch media-em28xx-explicitly-disable-ts-packet-filter.patch media-em28xx-fix-dual-transport-stream-operation.patch media-em28xx-fix-dualhd-disconnect-oops.patch media-helene-fix-xtal-frequency-setting-at-power-on.patch media-rcar-csi2-update-stream-start-for-v3m.patch media-s5p-mfc-fix-buffer-look-up-in-s5p_mfc_handle_frame_-new-copy_time-functions.patch mfd-rave-sp-initialize-flow-control-and-parity-of-the-port.patch mfd-ti_am335x_tscadc-fix-struct-clk-memory-leak.patch mips-fix-isa-virt-bus-conversion-for-non-zero-phys_offset.patch mips-generic-fix-missing-of_node_put.patch mips-mscc-ocelot-fix-length-of-memory-address-space-for-miim.patch mips-octeon-add-missing-of_node_put.patch 
mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch misc-mic-scif-fix-scif_get_new_port-error-handling.patch misc-ti-st-fix-memory-leak-in-the-error-path-of-probe.patch mtd-rawnand-make-subop-helpers-return-unsigned-values.patch net-dcb-for-wild-card-lookups-use-priority-1-not-0.patch net-mvneta-fix-mtu-change-on-port-without-link.patch net-phy-fix-the-register-offsets-in-broadcom-iproc-mdio-mux-driver.patch nfs-referrals-not-inheriting-proto-setting-from-parent.patch nfsv4.0-fix-client-reference-leak-in-callback.patch nfsv4.1-fix-a-potential-layoutget-layoutrecall-deadlock.patch partitions-aix-append-null-character-to-print-data-from-disk.patch partitions-aix-fix-usage-of-uninitialized-lv_info-and-lvname-structures.patch pci-mobiveil-add-missing-..-pci.h-include.patch pci-mobiveil-fix-struct-mobiveil_pcie.pcie_reg_base-address-type.patch perf-build-fix-installation-directory-for-ebpf.patch perf-c2c-report-fix-crash-for-empty-browser.patch perf-evlist-fix-error-out-while-applying-initial-delay-and-lbr.patch perf-tools-allow-overriding-max_nr_cpus-at-compile-time.patch pinctrl-amd-only-handle-irq-if-it-is-pending-and-unmasked.patch pinctrl-berlin-fix-pctrl-functions-allocation-in-berlin_pinctrl_build_state.patch pinctrl-imx-off-by-one-in-imx_pinconf_group_dbg_show.patch pktcdvd-fix-possible-spectre-v1-for-pkt_devs.patch powerpc-4xx-fix-error-return-path-in-ppc4xx_msi_probe.patch powerpc-mm-don-t-report-puds-as-memory-leaks-when-using-kmemleak.patch powerpc-powernv-fix-concurrency-issue-with-npu-mmio_atsd_usage.patch powerpc-pseries-fix-eeh-recovery-of-some-iov-devices.patch rdma-cma-do-not-ignore-net-namespace-for-unbound-cm_id.patch rdma-hns-add-illegal-hop_num-judgement.patch rdma-hns-update-the-data-type-of-immediate-data.patch regulator-tps65217-fix-null-pointer-dereference-on-probe.patch rpmsg-core-add-support-to-power-domains-for-devices.patch scsi-3ware-fix-return-0-on-the-error-path-of-probe.patch 
scsi-lpfc-fix-driver-crash-when-re-registering-nvme-rports.patch scsi-qla2xxx-fix-session-state-stuck-in-get-port-db.patch scsi-qla2xxx-fix-unintended-logout.patch scsi-qla2xxx-silent-erroneous-message.patch scsi-target-fix-__transport_register_session-locking.patch scsi-tcmu-do-not-set-max_blocks-if-data_bitmap-has-been-setup.patch selftests-bpf-fix-a-typo-in-map-in-map-test.patch tc-testing-flush-gact-actions-on-test-teardown.patch tc-testing-remove-duplicate-spaces-in-connmark-match-patterns.patch thermal-rcar_thermal-avoid-null-dereference-in-absence-of-irq-resources.patch thermal_hwmon-sanitize-attribute-name-passed-to-hwmon.patch timers-clear-timer_base-must_forward_clk-with-timer_base-lock-held.patch tools-testing-nvdimm-kaddr-and-pfn-can-be-null-to-direct_access.patch tpm-tpm_i2c_infineon-switch-to-i2c_lock_bus-...-i2c_lock_segment.patch tpm_tis_spi-pass-the-spi-irq-down-to-the-driver.patch tty-rocket-fix-possible-buffer-overwrite-on-register_pci.patch uio-fix-possible-circular-locking-dependency.patch uio-potential-double-frees-if-__uio_register_device-fails.patch wlcore-set-rx_status-boottime_ns-field-on-rx.patch x86-kexec-allocate-8k-pgds-for-pti.patch x86-mm-remove-in_nmi-warning-from-vmalloc_fault.patch --- diff --git a/queue-4.18/alsa-hda-realtek-add-mute-led-quirk-for-hp-spectre-x360.patch b/queue-4.18/alsa-hda-realtek-add-mute-led-quirk-for-hp-spectre-x360.patch new file mode 100644 index 00000000000..ede7e081479 --- /dev/null +++ b/queue-4.18/alsa-hda-realtek-add-mute-led-quirk-for-hp-spectre-x360.patch 
@@ -0,0 +1,32 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Alexandru Gagniuc +Date: Sat, 4 Aug 2018 11:44:44 -0500 +Subject: ALSA: hda/realtek - Add mute LED quirk for HP Spectre x360 + +From: Alexandru Gagniuc + +[ Upstream commit 56e40eb6d656194e55ce2012fee9d5a496270aaa ] + +This device has the same issues as the HP x360 wrt the MUTE LED and +the front speakers not working. This patch fixes the MUTE LED issue, +but doesn't touch the HDA verbs. The fix for the x360 does not work +on the Spectre. + +Signed-off-by: Alexandru Gagniuc +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6530,6 +6530,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x827e, "HP x360", ALC295_FIXUP_HP_X360), + SND_PCI_QUIRK(0x103c, 0x82bf, "HP", ALC221_FIXUP_HP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x82c0, "HP", ALC221_FIXUP_HP_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x103c, 0x83b9, "HP Spectre x360", ALC269_FIXUP_HP_MUTE_LED_MIC3), + SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300), + SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), diff --git a/queue-4.18/arc-enable-swap.patch b/queue-4.18/arc-enable-swap.patch new file mode 100644 index 00000000000..6b1e77281a5 --- /dev/null +++ b/queue-4.18/arc-enable-swap.patch 
@@ -0,0 +1,51 @@ +From c83532fb0fe053d2e43e9387354cb1b52ba26427 Mon Sep 17 00:00:00 2001 +From: Alexey Brodkin +Date: Thu, 2 Aug 2018 11:50:16 +0300 +Subject: ARC: [plat-axs*]: Enable SWAP + +From: Alexey Brodkin + +commit c83532fb0fe053d2e43e9387354cb1b52ba26427 upstream. + +SWAP support on ARC was fixed earlier by +commit 6e3761145a9b ("ARC: Fix CONFIG_SWAP") +so now we may safely enable it on platforms that +have external media like USB and SD-card. + +Note: it was already allowed for HSDK + +Signed-off-by: Alexey Brodkin +Cc: stable@vger.kernel.org # 6e3761145a9b: ARC: Fix CONFIG_SWAP +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/configs/axs101_defconfig | 1 - + arch/arc/configs/axs103_defconfig | 1 - + arch/arc/configs/axs103_smp_defconfig | 1 - + 3 files changed, 3 deletions(-) + +--- a/arch/arc/configs/axs101_defconfig ++++ b/arch/arc/configs/axs101_defconfig +@@ -1,5 +1,4 @@ + CONFIG_DEFAULT_HOSTNAME="ARCLinux" +-# CONFIG_SWAP is not set + CONFIG_SYSVIPC=y + CONFIG_POSIX_MQUEUE=y + # CONFIG_CROSS_MEMORY_ATTACH is not set +--- a/arch/arc/configs/axs103_defconfig ++++ b/arch/arc/configs/axs103_defconfig +@@ -1,5 +1,4 @@ + CONFIG_DEFAULT_HOSTNAME="ARCLinux" +-# CONFIG_SWAP is not set + CONFIG_SYSVIPC=y + CONFIG_POSIX_MQUEUE=y + # CONFIG_CROSS_MEMORY_ATTACH is not set +--- a/arch/arc/configs/axs103_smp_defconfig ++++ b/arch/arc/configs/axs103_smp_defconfig +@@ -1,5 +1,4 @@ + CONFIG_DEFAULT_HOSTNAME="ARCLinux" +-# CONFIG_SWAP is not set + CONFIG_SYSVIPC=y + CONFIG_POSIX_MQUEUE=y + # CONFIG_CROSS_MEMORY_ATTACH is not set diff --git a/queue-4.18/asoc-soc-pcm-use-delay-set-in-component-pointer-function.patch b/queue-4.18/asoc-soc-pcm-use-delay-set-in-component-pointer-function.patch new file mode 100644 index 00000000000..8868a788b31 --- /dev/null +++ b/queue-4.18/asoc-soc-pcm-use-delay-set-in-component-pointer-function.patch 
@@ -0,0 +1,52 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Akshu Agrawal +Date: Wed, 1 Aug 2018 15:37:33 +0530 +Subject: ASoC: soc-pcm: Use delay set in component pointer function + +From: Akshu Agrawal + +[ Upstream commit 9fb4c2bf130b922c77c16a8368732699799c40de ] + +Take into account the base delay set in pointer callback. + +There are cases where a pointer function populates +runtime->delay, such as: +./sound/pci/hda/hda_controller.c +./sound/soc/intel/atom/sst-mfld-platform-pcm.c + +This delay was getting lost and was overwritten by delays +from codec or cpu dai delay function if exposed. + +Now, +Total delay = base delay + cpu_dai delay + codec_dai delay + +Signed-off-by: Akshu Agrawal +Reviewed-by: Takashi Iwai +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-pcm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/sound/soc/soc-pcm.c ++++ b/sound/soc/soc-pcm.c +@@ -1165,6 +1165,9 @@ static snd_pcm_uframes_t soc_pcm_pointer + snd_pcm_sframes_t codec_delay = 0; + int i; + ++ /* clearing the previous total delay */ ++ runtime->delay = 0; ++ + for_each_rtdcom(rtd, rtdcom) { + component = rtdcom->component; + +@@ -1176,6 +1179,8 @@ static snd_pcm_uframes_t soc_pcm_pointer + offset = component->driver->ops->pointer(substream); + break; + } ++ /* base delay if assigned in pointer callback */ ++ delay = runtime->delay; + + if (cpu_dai->driver->ops->delay) + delay += cpu_dai->driver->ops->delay(substream, cpu_dai); diff --git a/queue-4.18/ata-libahci-allow-reconfigure-of-devslp-register.patch b/queue-4.18/ata-libahci-allow-reconfigure-of-devslp-register.patch new file mode 100644 index 00000000000..3107316589a --- /dev/null +++ b/queue-4.18/ata-libahci-allow-reconfigure-of-devslp-register.patch 
@@ -0,0 +1,75 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Srinivas Pandruvada +Date: Mon, 2 Jul 2018 12:01:54 -0700 +Subject: ata: libahci: Allow reconfigure of DEVSLP register + +From: Srinivas Pandruvada + +[ Upstream commit 11c291461b6ea8d1195a96d6bba6673a94aacebc ] + +There are two modes in which DEVSLP can be entered. The OS initiated or +hardware autonomous. + +In hardware autonomous mode, BIOS configures the AHCI controller and the +device to enable DEVSLP. But they may not be ideal for all cases. So in +this case, OS should be able to reconfigure DEVSLP register. + +Currently if the DEVSLP is already enabled, we can't set again as it will +simply return. There are some systems where the firmware is setting high +DITO by default, in this case we can't modify here to correct settings. +With the default in several seconds, we are not able to transition to +DEVSLP. + +This change will allow reconfiguration of devslp register if DITO is +different. + +Signed-off-by: Srinivas Pandruvada +Reviewed-by: Hans de Goede +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libahci.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +--- a/drivers/ata/libahci.c ++++ b/drivers/ata/libahci.c +@@ -2107,7 +2107,7 @@ static void ahci_set_aggressive_devslp(s + struct ahci_host_priv *hpriv = ap->host->private_data; + void __iomem *port_mmio = ahci_port_base(ap); + struct ata_device *dev = ap->link.device; +- u32 devslp, dm, dito, mdat, deto; ++ u32 devslp, dm, dito, mdat, deto, dito_conf; + int rc; + unsigned int err_mask; + +@@ -2131,8 +2131,15 @@ static void ahci_set_aggressive_devslp(s + return; + } + +- /* device sleep was already enabled */ +- if (devslp & PORT_DEVSLP_ADSE) ++ dm = (devslp & PORT_DEVSLP_DM_MASK) >> PORT_DEVSLP_DM_OFFSET; ++ dito = devslp_idle_timeout / (dm + 1); ++ if (dito > 0x3ff) ++ dito = 0x3ff; ++ ++ dito_conf = (devslp >> PORT_DEVSLP_DITO_OFFSET) & 0x3FF; ++ 
++ /* device sleep was already enabled and same dito */ ++ if ((devslp & PORT_DEVSLP_ADSE) && (dito_conf == dito)) + return; + + /* set DITO, MDAT, DETO and enable DevSlp, need to stop engine first */ +@@ -2140,11 +2147,6 @@ static void ahci_set_aggressive_devslp(s + if (rc) + return; + +- dm = (devslp & PORT_DEVSLP_DM_MASK) >> PORT_DEVSLP_DM_OFFSET; +- dito = devslp_idle_timeout / (dm + 1); +- if (dito > 0x3ff) +- dito = 0x3ff; +- + /* Use the nominal value 10 ms if the read MDAT is zero, + * the nominal value of DETO is 20 ms. + */ diff --git a/queue-4.18/ata-libahci-correct-setting-of-devslp-register.patch b/queue-4.18/ata-libahci-correct-setting-of-devslp-register.patch new file mode 100644 index 00000000000..a7431c4c30b --- /dev/null +++ b/queue-4.18/ata-libahci-correct-setting-of-devslp-register.patch 
@@ -0,0 +1,43 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Srinivas Pandruvada +Date: Mon, 2 Jul 2018 12:01:53 -0700 +Subject: ata: libahci: Correct setting of DEVSLP register + +From: Srinivas Pandruvada + +[ Upstream commit 2dbb3ec29a6c069035857a2fc4c24e80e5dfe3cc ] + +We have seen that on some platforms, SATA device never show any DEVSLP +residency. This prevent power gating of SATA IP, which prevent system +to transition to low power mode in systems with SLP_S0 aka modern +standby systems. The PHY logic is off only in DEVSLP not in slumber. +Reference: +https://www.intel.com/content/dam/www/public/us/en/documents/datasheets +/332995-skylake-i-o-platform-datasheet-volume-1.pdf +Section 28.7.6.1 + +Here driver is trying to do read-modify-write the devslp register. But +not resetting the bits for which this driver will modify values (DITO, +MDAT and DETO). So simply reset those bits before updating to new values. + +Signed-off-by: Srinivas Pandruvada +Reviewed-by: Rafael J. Wysocki +Reviewed-by: Hans de Goede +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libahci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/ata/libahci.c ++++ b/drivers/ata/libahci.c +@@ -2164,6 +2164,8 @@ static void ahci_set_aggressive_devslp(s + deto = 20; + } + ++ /* Make dito, mdat, deto bits to 0s */ ++ devslp &= ~GENMASK_ULL(24, 2); + devslp |= ((dito << PORT_DEVSLP_DITO_OFFSET) | + (mdat << PORT_DEVSLP_MDAT_OFFSET) | + (deto << PORT_DEVSLP_DETO_OFFSET) | diff --git a/queue-4.18/ath10k-disable-bundle-mgmt-tx-completion-event-support.patch b/queue-4.18/ath10k-disable-bundle-mgmt-tx-completion-event-support.patch new file mode 100644 index 00000000000..4ee88fc7fbe --- /dev/null +++ b/queue-4.18/ath10k-disable-bundle-mgmt-tx-completion-event-support.patch 
@@ -0,0 +1,66 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Surabhi Vishnoi +Date: Wed, 25 Jul 2018 10:59:41 +0300 +Subject: ath10k: disable bundle mgmt tx completion event support + +From: Surabhi Vishnoi + +[ Upstream commit 673bc519c55843c68c3aecff71a4101e79d28d2b ] + +The tx completion of multiple mgmt frames can be bundled +in a single event and sent by the firmware to host, if this +capability is not disabled explicitly by the host. If the host +cannot handle the bundled mgmt tx completion, this capability +support needs to be disabled in the wmi init cmd, sent to the firmware. + +Add the host capability indication flag in the wmi ready command, +to let firmware know the features supported by the host driver. +This field is ignored if it is not supported by firmware. + +Set the host capability indication flag(i.e. host_capab) to zero, +for disabling the support of bundle mgmt tx completion. This will +indicate the firmware to send completion event for every mgmt tx +completion, instead of bundling them together and sending in a single +event. 
+ +Tested HW: WCN3990 +Tested FW: WLAN.HL.2.0-01188-QCAHLSWMTPLZ-1 + +Signed-off-by: Surabhi Vishnoi +Signed-off-by: Rakesh Pillai +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/wmi-tlv.c | 5 +++++ + drivers/net/wireless/ath/ath10k/wmi-tlv.h | 5 +++++ + 2 files changed, 10 insertions(+) + +--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c ++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c +@@ -1584,6 +1584,11 @@ static struct sk_buff *ath10k_wmi_tlv_op + cfg->keep_alive_pattern_size = __cpu_to_le32(0); + cfg->max_tdls_concurrent_sleep_sta = __cpu_to_le32(1); + cfg->max_tdls_concurrent_buffer_sta = __cpu_to_le32(1); ++ cfg->wmi_send_separate = __cpu_to_le32(0); ++ cfg->num_ocb_vdevs = __cpu_to_le32(0); ++ cfg->num_ocb_channels = __cpu_to_le32(0); ++ cfg->num_ocb_schedules = __cpu_to_le32(0); ++ cfg->host_capab = __cpu_to_le32(0); + + ath10k_wmi_put_host_mem_chunks(ar, chunks); + +--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.h ++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.h +@@ -1670,6 +1670,11 @@ struct wmi_tlv_resource_config { + __le32 keep_alive_pattern_size; + __le32 max_tdls_concurrent_sleep_sta; + __le32 max_tdls_concurrent_buffer_sta; ++ __le32 wmi_send_separate; ++ __le32 num_ocb_vdevs; ++ __le32 num_ocb_channels; ++ __le32 num_ocb_schedules; ++ __le32 host_capab; + } __packed; + + struct wmi_tlv_init_cmd { diff --git a/queue-4.18/ath10k-prevent-active-scans-on-potential-unusable-channels.patch b/queue-4.18/ath10k-prevent-active-scans-on-potential-unusable-channels.patch new file mode 100644 index 00000000000..128163082e5 --- /dev/null +++ b/queue-4.18/ath10k-prevent-active-scans-on-potential-unusable-channels.patch 
@@ -0,0 +1,49 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Sven Eckelmann +Date: Thu, 26 Jul 2018 15:59:48 +0200 +Subject: ath10k: prevent active scans on potential unusable channels + +From: Sven Eckelmann + +[ Upstream commit 3f259111583801013cb605bb4414aa529adccf1c ] + +The QCA4019 hw1.0 firmware 10.4-3.2.1-00050 and 10.4-3.5.3-00053 (and most +likely all other) seem to ignore the WMI_CHAN_FLAG_DFS flag during the +scan. This results in transmission (probe requests) on channels which are +not "available" for transmissions. + +Since the firmware is closed source and nothing can be done from our side +to fix the problem in it, the driver has to work around this problem. The +WMI_CHAN_FLAG_PASSIVE seems to be interpreted by the firmware to not +scan actively on a channel unless an AP was detected on it. Simple probe +requests will then be transmitted by the STA on the channel. + +ath10k must therefore also use this flag when it queues a radar channel for +scanning. This should reduce the chance of an active scan when the channel +might be "unusable" for transmissions. + +Fixes: e8a50f8ba44b ("ath10k: introduce DFS implementation") +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/mac.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -3085,6 +3085,13 @@ static int ath10k_update_channel_list(st + passive = channel->flags & IEEE80211_CHAN_NO_IR; + ch->passive = passive; + ++ /* the firmware is ignoring the "radar" flag of the ++ * channel and is scanning actively using Probe Requests ++ * on "Radar detection"/DFS channels which are not ++ * marked as "available" ++ */ ++ ch->passive |= ch->chan_radar; ++ + ch->freq = channel->center_freq; + ch->band_center_freq1 = channel->center_freq; + ch->min_power = 0; 
diff --git a/queue-4.18/ath9k-report-tx-status-on-eosp.patch b/queue-4.18/ath9k-report-tx-status-on-eosp.patch new file mode 100644 index 00000000000..b28549c6c7f --- /dev/null +++ b/queue-4.18/ath9k-report-tx-status-on-eosp.patch @@ -0,0 +1,31 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Felix Fietkau +Date: Mon, 30 Jul 2018 21:31:23 +0300 +Subject: ath9k: report tx status on EOSP + +From: Felix Fietkau + +[ Upstream commit 36e14a787dd0b459760de3622e9709edb745a6af ] + +Fixes missed indications of end of U-APSD service period to mac80211 + +Signed-off-by: Felix Fietkau +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath9k/xmit.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath9k/xmit.c ++++ b/drivers/net/wireless/ath/ath9k/xmit.c +@@ -86,7 +86,8 @@ static void ath_tx_status(struct ieee802 + struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); + struct ieee80211_sta *sta = info->status.status_driver_data[0]; + +- if (info->flags & IEEE80211_TX_CTL_REQ_TX_STATUS) { ++ if (info->flags & (IEEE80211_TX_CTL_REQ_TX_STATUS | ++ IEEE80211_TX_STATUS_EOSP)) { + ieee80211_tx_status(hw, skb); + return; + } diff --git a/queue-4.18/ath9k_hw-fix-channel-maximum-power-level-test.patch b/queue-4.18/ath9k_hw-fix-channel-maximum-power-level-test.patch new file mode 100644 index 00000000000..85ff62fb2bb --- /dev/null +++ b/queue-4.18/ath9k_hw-fix-channel-maximum-power-level-test.patch 
@@ -0,0 +1,52 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Felix Fietkau +Date: Mon, 30 Jul 2018 21:31:28 +0300 +Subject: ath9k_hw: fix channel maximum power level test + +From: Felix Fietkau + +[ Upstream commit 461d8a6bb9879b0e619752d040292e67aa06f1d2 ] + +The tx power applied by set_txpower is limited by the CTL (conformance +test limit) entries in the EEPROM. These can change based on the user +configured regulatory domain. +Depending on the EEPROM data this can cause the tx power to become too +limited, if the original regdomain CTLs impose lower limits than the CTLs +of the user configured regdomain. + +To fix this issue, set the initial channel limits without any CTL +restrictions and only apply the CTL at run time when setting the channel +and the real tx power. + +Signed-off-by: Felix Fietkau +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath9k/hw.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/hw.c ++++ b/drivers/net/wireless/ath/ath9k/hw.c +@@ -2942,16 +2942,19 @@ void ath9k_hw_apply_txpower(struct ath_h + struct ath_regulatory *reg = ath9k_hw_regulatory(ah); + struct ieee80211_channel *channel; + int chan_pwr, new_pwr; ++ u16 ctl = NO_CTL; + + if (!chan) + return; + ++ if (!test) ++ ctl = ath9k_regd_get_ctl(reg, chan); ++ + channel = chan->chan; + chan_pwr = min_t(int, channel->max_power * 2, MAX_RATE_POWER); + new_pwr = min_t(int, chan_pwr, reg->power_limit); + +- ah->eep_ops->set_txpower(ah, chan, +- ath9k_regd_get_ctl(reg, chan), ++ ah->eep_ops->set_txpower(ah, chan, ctl, + get_antenna_gain(ah, chan), new_pwr, test); + } + diff --git a/queue-4.18/blk-mq-fix-updating-tags-depth.patch b/queue-4.18/blk-mq-fix-updating-tags-depth.patch new file mode 100644 index 00000000000..edf5e88284d --- /dev/null +++ b/queue-4.18/blk-mq-fix-updating-tags-depth.patch 
@@ -0,0 +1,68 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Ming Lei +Date: Thu, 2 Aug 2018 18:23:26 +0800 +Subject: blk-mq: fix updating tags depth + +From: Ming Lei + +[ Upstream commit 75d6e175fc511e95ae3eb8f708680133bc211ed3 ] + +The passed 'nr' from userspace represents the total depth, meantime +inside 'struct blk_mq_tags', 'nr_tags' stores the total tag depth, +and 'nr_reserved_tags' stores the reserved part. + +There are two issues in blk_mq_tag_update_depth() now: + +1) for growing tags, we should have used the passed 'nr', and keep the +number of reserved tags not changed. + +2) the passed 'nr' should have been used for checking against +'tags->nr_tags', instead of number of the normal part. + +This patch fixes the above two cases, and avoids kernel crash caused +by wrong resizing sbitmap queue. + +Cc: "Ewan D. Milne" +Cc: Christoph Hellwig +Cc: Bart Van Assche +Cc: Omar Sandoval +Tested by: Marco Patalano +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq-tag.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/block/blk-mq-tag.c ++++ b/block/blk-mq-tag.c +@@ -402,8 +402,6 @@ int blk_mq_tag_update_depth(struct blk_m + if (tdepth <= tags->nr_reserved_tags) + return -EINVAL; + +- tdepth -= tags->nr_reserved_tags; +- + /* + * If we are allowed to grow beyond the original size, allocate + * a new set of tags before freeing the old one. 
+@@ -423,7 +421,8 @@ int blk_mq_tag_update_depth(struct blk_m + if (tdepth > 16 * BLKDEV_MAX_RQ) + return -EINVAL; + +- new = blk_mq_alloc_rq_map(set, hctx->queue_num, tdepth, 0); ++ new = blk_mq_alloc_rq_map(set, hctx->queue_num, tdepth, ++ tags->nr_reserved_tags); + if (!new) + return -ENOMEM; + ret = blk_mq_alloc_rqs(set, new, hctx->queue_num, tdepth); +@@ -440,7 +439,8 @@ int blk_mq_tag_update_depth(struct blk_m + * Don't need (or can't) update reserved tags here, they + * remain static and should never need resizing. + */ +- sbitmap_queue_resize(&tags->bitmap_tags, tdepth); ++ sbitmap_queue_resize(&tags->bitmap_tags, ++ tdepth - tags->nr_reserved_tags); + } + + return 0; diff --git a/queue-4.18/bluetooth-h5-fix-missing-dependency-on-bt_hciuart_serdev.patch b/queue-4.18/bluetooth-h5-fix-missing-dependency-on-bt_hciuart_serdev.patch new file mode 100644 index 00000000000..a230e267c6a --- /dev/null +++ b/queue-4.18/bluetooth-h5-fix-missing-dependency-on-bt_hciuart_serdev.patch 
@@ -0,0 +1,36 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Johan Hedberg +Date: Sat, 4 Aug 2018 23:40:26 +0300 +Subject: Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV + +From: Johan Hedberg + +[ Upstream commit 6c3711ec64fd23a9abc8aaf59a9429569a6282df ] + +This driver was recently updated to use serdev, so add the appropriate +dependency. Without this one can get compiler warnings like this if +CONFIG_SERIAL_DEV_BUS is not enabled: + + CC [M] drivers/bluetooth/hci_h5.o +drivers/bluetooth/hci_h5.c:934:36: warning: ‘h5_serdev_driver’ defined but not used [-Wunused-variable] + static struct serdev_device_driver h5_serdev_driver = { + ^~~~~~~~~~~~~~~~ + +Signed-off-by: Johan Hedberg +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/bluetooth/Kconfig ++++ b/drivers/bluetooth/Kconfig +@@ -159,6 +159,7 @@ config BT_HCIUART_LL + config BT_HCIUART_3WIRE + bool "Three-wire UART (H5) protocol support" + depends on BT_HCIUART ++ depends on BT_HCIUART_SERDEV + help + The HCI Three-wire UART Transport Layer makes it possible to + user the Bluetooth HCI over a serial port interface. The HCI diff --git a/queue-4.18/bluetooth-hidp-fix-handling-of-strncpy-for-hid-name-information.patch b/queue-4.18/bluetooth-hidp-fix-handling-of-strncpy-for-hid-name-information.patch new file mode 100644 index 00000000000..8e6d8171732 --- /dev/null +++ b/queue-4.18/bluetooth-hidp-fix-handling-of-strncpy-for-hid-name-information.patch 
@@ -0,0 +1,45 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Marcel Holtmann +Date: Mon, 30 Jul 2018 13:57:41 +0200 +Subject: Bluetooth: hidp: Fix handling of strncpy for hid->name information + +From: Marcel Holtmann + +[ Upstream commit b3cadaa485f0c20add1644a5c877b0765b285c0c ] + +This fixes two issues with setting hid->name information. + + CC net/bluetooth/hidp/core.o +In function ‘hidp_setup_hid’, + inlined from ‘hidp_session_dev_init’ at net/bluetooth/hidp/core.c:815:9, + inlined from ‘hidp_session_new’ at net/bluetooth/hidp/core.c:953:8, + inlined from ‘hidp_connection_add’ at net/bluetooth/hidp/core.c:1366:8: +net/bluetooth/hidp/core.c:778:2: warning: ‘strncpy’ output may be truncated copying 127 bytes from a string of length 127 [-Wstringop-truncation] + strncpy(hid->name, req->name, sizeof(req->name) - 1); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CC net/bluetooth/hidp/core.o +net/bluetooth/hidp/core.c: In function ‘hidp_setup_hid’: +net/bluetooth/hidp/core.c:778:38: warning: argument to ‘sizeof’ in ‘strncpy’ call is the same expression as the source; did you mean to use the size of the destination? [-Wsizeof-pointer-memaccess] + strncpy(hid->name, req->name, sizeof(req->name)); + ^ + +Signed-off-by: Marcel Holtmann +Signed-off-by: Johan Hedberg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hidp/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -775,7 +775,7 @@ static int hidp_setup_hid(struct hidp_se + hid->version = req->version; + hid->country = req->country; + +- strncpy(hid->name, req->name, sizeof(req->name) - 1); ++ strncpy(hid->name, req->name, sizeof(hid->name)); + + snprintf(hid->phys, sizeof(hid->phys), "%pMR", + &l2cap_pi(session->ctrl_sock->sk)->chan->src); 
diff --git a/queue-4.18/clk-scmi-fix-the-rounding-of-clock-rate.patch b/queue-4.18/clk-scmi-fix-the-rounding-of-clock-rate.patch new file mode 100644 index 00000000000..3680858d0be --- /dev/null +++ b/queue-4.18/clk-scmi-fix-the-rounding-of-clock-rate.patch @@ -0,0 +1,45 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Amit Daniel Kachhap +Date: Tue, 31 Jul 2018 11:25:55 +0530 +Subject: clk: scmi: Fix the rounding of clock rate + +From: Amit Daniel Kachhap + +[ Upstream commit 7a8655e19bdb3be43f6a3b4768c9b0928a2585fc ] + +This fix rounds the clock rate properly by using quotient and not +remainder in the calculation. This issue was found while testing HDMI +in the Juno platform. + +Fixes: 6d6a1d82eaef7 ("clk: add support for clocks provided by SCMI") +Acked-by: Sudeep Holla +Signed-off-by: Amit Daniel Kachhap +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk-scmi.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/clk/clk-scmi.c ++++ b/drivers/clk/clk-scmi.c +@@ -38,7 +38,6 @@ static unsigned long scmi_clk_recalc_rat + static long scmi_clk_round_rate(struct clk_hw *hw, unsigned long rate, + unsigned long *parent_rate) + { +- int step; + u64 fmin, fmax, ftmp; + struct scmi_clk *clk = to_scmi_clk(hw); + +@@ -60,9 +59,9 @@ static long scmi_clk_round_rate(struct c + + ftmp = rate - fmin; + ftmp += clk->info->range.step_size - 1; /* to round up */ +- step = do_div(ftmp, clk->info->range.step_size); ++ do_div(ftmp, clk->info->range.step_size); + +- return step * clk->info->range.step_size + fmin; ++ return ftmp * clk->info->range.step_size + fmin; + } + + static int scmi_clk_set_rate(struct clk_hw *hw, unsigned long rate, diff --git a/queue-4.18/device-dax-avoid-hang-on-error-before-devm_memremap_pages.patch b/queue-4.18/device-dax-avoid-hang-on-error-before-devm_memremap_pages.patch new file mode 100644 index 00000000000..9033be1d654 --- /dev/null 
+++ b/queue-4.18/device-dax-avoid-hang-on-error-before-devm_memremap_pages.patch 
@@ -0,0 +1,62 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Stefan Hajnoczi +Date: Tue, 31 Jul 2018 15:32:46 +0100 +Subject: device-dax: avoid hang on error before devm_memremap_pages() + +From: Stefan Hajnoczi + +[ Upstream commit b7751410c180a05fdc21268f8661b1480169b0df ] + +dax_pmem_percpu_exit() waits for dax_pmem_percpu_release() to invoke the +dax_pmem->cmp completion. Unfortunately this approach to cleaning up +the percpu_ref only works after devm_memremap_pages() was successful. + +If devm_add_action_or_reset() or devm_memremap_pages() fails, +dax_pmem_percpu_release() is not invoked. Therefore +dax_pmem_percpu_exit() hangs waiting for the completion: + + rc = devm_add_action_or_reset(dev, dax_pmem_percpu_exit, + &dax_pmem->ref); + if (rc) + return rc; + + dax_pmem->pgmap.ref = &dax_pmem->ref; + addr = devm_memremap_pages(dev, &dax_pmem->pgmap); + +Avoid the hang by calling percpu_ref_exit() in the error paths instead +of going through dax_pmem_percpu_exit(). + +Signed-off-by: Stefan Hajnoczi +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dax/pmem.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/dax/pmem.c ++++ b/drivers/dax/pmem.c +@@ -105,15 +105,19 @@ static int dax_pmem_probe(struct device + if (rc) + return rc; + +- rc = devm_add_action_or_reset(dev, dax_pmem_percpu_exit, +- &dax_pmem->ref); +- if (rc) ++ rc = devm_add_action(dev, dax_pmem_percpu_exit, &dax_pmem->ref); ++ if (rc) { ++ percpu_ref_exit(&dax_pmem->ref); + return rc; ++ } + + dax_pmem->pgmap.ref = &dax_pmem->ref; + addr = devm_memremap_pages(dev, &dax_pmem->pgmap); +- if (IS_ERR(addr)) ++ if (IS_ERR(addr)) { ++ devm_remove_action(dev, dax_pmem_percpu_exit, &dax_pmem->ref); ++ percpu_ref_exit(&dax_pmem->ref); + return PTR_ERR(addr); ++ } + + rc = devm_add_action_or_reset(dev, dax_pmem_percpu_kill, + &dax_pmem->ref); 
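Review bot: The two new error branches in dax_pmem_probe() open-code the unwind (`percpu_ref_exit(&dax_pmem->ref);`, preceded by `devm_remove_action()` in the second branch) with no comment in the code saying why dax_pmem_percpu_exit() must not run before devm_memremap_pages() has succeeded; that reasoning lives only in the changelog. Add a short comment above the `devm_add_action()` call noting that the exit action waits on the dax_pmem->cmp completion, so that a later edit does not switch it back to devm_add_action_or_reset() or add a bare `return rc` between the two calls.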
diff --git a/queue-4.18/dm-cache-only-allow-a-single-io_mode-cache-feature-to-be-requested.patch b/queue-4.18/dm-cache-only-allow-a-single-io_mode-cache-feature-to-be-requested.patch new file mode 100644 index 00000000000..367db8dcf0d --- /dev/null +++ b/queue-4.18/dm-cache-only-allow-a-single-io_mode-cache-feature-to-be-requested.patch 
@@ -0,0 +1,70 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: John Pittman +Date: Thu, 21 Jun 2018 17:35:33 -0400 +Subject: dm cache: only allow a single io_mode cache feature to be requested + +From: John Pittman + +[ Upstream commit af9313c32c0fa2a0ac3b113669273833d60cc9de ] + +More than one io_mode feature can be requested when creating a dm cache +device (as is: last one wins). The io_mode selections are incompatible +with one another, we should force them to be selected exclusively. Add +a counter to check for more than one io_mode selection. + +Fixes: 629d0a8a1a10 ("dm cache metadata: add "metadata2" feature") +Signed-off-by: John Pittman +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-cache-target.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/drivers/md/dm-cache-target.c ++++ b/drivers/md/dm-cache-target.c +@@ -2250,7 +2250,7 @@ static int parse_features(struct cache_a + {0, 2, "Invalid number of cache feature arguments"}, + }; + +- int r; ++ int r, mode_ctr = 0; + unsigned argc; + const char *arg; + struct cache_features *cf = &ca->features; +@@ -2264,14 +2264,20 @@ static int parse_features(struct cache_a + while (argc--) { + arg = dm_shift_arg(as); + +- if (!strcasecmp(arg, "writeback")) ++ if (!strcasecmp(arg, "writeback")) { + cf->io_mode = CM_IO_WRITEBACK; ++ mode_ctr++; ++ } + +- else if (!strcasecmp(arg, "writethrough")) ++ else if (!strcasecmp(arg, "writethrough")) { + cf->io_mode = CM_IO_WRITETHROUGH; ++ mode_ctr++; ++ } + +- else if (!strcasecmp(arg, "passthrough")) ++ else if (!strcasecmp(arg, "passthrough")) { + cf->io_mode = CM_IO_PASSTHROUGH; ++ mode_ctr++; ++ } + + else if (!strcasecmp(arg, "metadata2")) + cf->metadata_version = 2; +@@ -2282,6 +2288,11 @@ static int parse_features(struct cache_a + } + } + ++ if (mode_ctr > 1) { ++ *error = "Duplicate cache io_mode features requested"; ++ return -EINVAL; ++ } ++ + return 0; + } + 
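Review bot: In parse_features(), the new `mode_ctr > 1` check reports "Duplicate cache io_mode features requested", but it also fires for two different modes, which is the incompatible-selection case the changelog describes; wording such as "Multiple cache io_mode features requested" would match what is actually rejected. The check also runs only after the loop, so cf->io_mode already holds the last mode parsed when -EINVAL is returned; rejecting inside the loop as soon as a second mode is seen would avoid leaving a partly applied value in ca->features.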
diff --git a/queue-4.18/drivers-hv-vmbus-cleanup-synic-memory-free-path.patch b/queue-4.18/drivers-hv-vmbus-cleanup-synic-memory-free-path.patch new file mode 100644 index 00000000000..1ab760ea22e --- /dev/null +++ b/queue-4.18/drivers-hv-vmbus-cleanup-synic-memory-free-path.patch 
@@ -0,0 +1,56 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Michael Kelley +Date: Thu, 2 Aug 2018 03:08:25 +0000 +Subject: Drivers: hv: vmbus: Cleanup synic memory free path + +From: Michael Kelley + +[ Upstream commit 572086325ce9a9e348b8748e830653f3959e88b6 ] + +clk_evt memory is not being freed when the synic is shutdown +or when there is an allocation error. Add the appropriate +kfree() call, along with a comment to clarify how the memory +gets freed after an allocation error. Make the free path +consistent by removing checks for NULL since kfree() and +free_page() already do the check. + +Signed-off-by: Michael Kelley +Reported-by: Dan Carpenter +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hv/hv.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/hv/hv.c ++++ b/drivers/hv/hv.c +@@ -242,6 +242,10 @@ int hv_synic_alloc(void) + + return 0; + err: ++ /* ++ * Any memory allocations that succeeded will be freed when ++ * the caller cleans up by calling hv_synic_free() ++ */ + return -ENOMEM; + } + +@@ -254,12 +258,10 @@ void hv_synic_free(void) + struct hv_per_cpu_context *hv_cpu + = per_cpu_ptr(hv_context.cpu_context, cpu); + +- if (hv_cpu->synic_event_page) +- free_page((unsigned long)hv_cpu->synic_event_page); +- if (hv_cpu->synic_message_page) +- free_page((unsigned long)hv_cpu->synic_message_page); +- if (hv_cpu->post_msg_page) +- free_page((unsigned long)hv_cpu->post_msg_page); ++ kfree(hv_cpu->clk_evt); ++ free_page((unsigned long)hv_cpu->synic_event_page); ++ free_page((unsigned long)hv_cpu->synic_message_page); ++ free_page((unsigned long)hv_cpu->post_msg_page); + } + + kfree(hv_context.hv_numa_map); 
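Review bot: The comment added at `err:` in hv_synic_alloc() makes every caller responsible for calling hv_synic_free() after -ENOMEM, and hv_synic_free() now passes clk_evt and the three page pointers to kfree()/free_page() unconditionally, so the cleanup is only safe if those fields are NULL for CPUs the allocation never reached. Nothing in these hunks shows the per-cpu context being zeroed; please say so in the comment (or point at where it happens), and consider clearing each pointer after freeing it so that a second call to hv_synic_free() cannot free the same memory twice.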
diff --git a/queue-4.18/drm-amd-display-prevent-psr-from-being-enabled-if-initialization-fails.patch b/queue-4.18/drm-amd-display-prevent-psr-from-being-enabled-if-initialization-fails.patch new file mode 100644 index 00000000000..8ca9f8a21f0 --- /dev/null +++ b/queue-4.18/drm-amd-display-prevent-psr-from-being-enabled-if-initialization-fails.patch 
@@ -0,0 +1,122 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Anthony Koo +Date: Tue, 17 Jul 2018 09:43:44 -0400 +Subject: drm/amd/display: Prevent PSR from being enabled if initialization fails + +From: Anthony Koo + +[ Upstream commit 9907704174e0ad4ed02766fac4049971e583323d ] + +[Why] +PSR_SET command is sent to the microcontroller in order to initialize +parameters needed for PSR feature, such as telling the microcontroller +which pipe is driving the PSR supported panel. When this command is +skipped or fails, the microcontroller may program the wrong thing if +driver tries to enable PSR. + +[How] +If PSR_SET fails, do not set psr_enable flag to indicate the feature is +not yet initialized. + +Signed-off-by: Anthony Koo +Reviewed-by: Aric Cyr +Acked-by: Bhawanpreet Lakha +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dce/dce_dmcu.c | 38 +++++++++++++++----------- + drivers/gpu/drm/amd/display/dc/inc/hw/dmcu.h | 2 - + 2 files changed, 24 insertions(+), 16 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/dce/dce_dmcu.c ++++ b/drivers/gpu/drm/amd/display/dc/dce/dce_dmcu.c +@@ -150,7 +150,7 @@ static void dce_dmcu_set_psr_enable(stru + } + } + +-static void dce_dmcu_setup_psr(struct dmcu *dmcu, ++static bool dce_dmcu_setup_psr(struct dmcu *dmcu, + struct dc_link *link, + struct psr_context *psr_context) + { +@@ -261,6 +261,8 @@ static void dce_dmcu_setup_psr(struct dm + + /* notifyDMCUMsg */ + REG_UPDATE(MASTER_COMM_CNTL_REG, MASTER_COMM_INTERRUPT, 1); ++ ++ return true; + } + + static bool dce_is_dmcu_initialized(struct dmcu *dmcu) +@@ -545,24 +547,25 @@ static void dcn10_dmcu_set_psr_enable(st + * least a few frames. Should never hit the max retry assert below. 
+ */ + if (wait == true) { +- for (retryCount = 0; retryCount <= 1000; retryCount++) { +- dcn10_get_dmcu_psr_state(dmcu, &psr_state); +- if (enable) { +- if (psr_state != 0) +- break; +- } else { +- if (psr_state == 0) +- break; ++ for (retryCount = 0; retryCount <= 1000; retryCount++) { ++ dcn10_get_dmcu_psr_state(dmcu, &psr_state); ++ if (enable) { ++ if (psr_state != 0) ++ break; ++ } else { ++ if (psr_state == 0) ++ break; ++ } ++ udelay(500); + } +- udelay(500); +- } + +- /* assert if max retry hit */ +- ASSERT(retryCount <= 1000); ++ /* assert if max retry hit */ ++ if (retryCount >= 1000) ++ ASSERT(0); + } + } + +-static void dcn10_dmcu_setup_psr(struct dmcu *dmcu, ++static bool dcn10_dmcu_setup_psr(struct dmcu *dmcu, + struct dc_link *link, + struct psr_context *psr_context) + { +@@ -577,7 +580,7 @@ static void dcn10_dmcu_setup_psr(struct + + /* If microcontroller is not running, do nothing */ + if (dmcu->dmcu_state != DMCU_RUNNING) +- return; ++ return false; + + link->link_enc->funcs->psr_program_dp_dphy_fast_training(link->link_enc, + psr_context->psrExitLinkTrainingRequired); +@@ -677,6 +680,11 @@ static void dcn10_dmcu_setup_psr(struct + + /* notifyDMCUMsg */ + REG_UPDATE(MASTER_COMM_CNTL_REG, MASTER_COMM_INTERRUPT, 1); ++ ++ /* waitDMCUReadyForCmd */ ++ REG_WAIT(MASTER_COMM_CNTL_REG, MASTER_COMM_INTERRUPT, 0, 1, 10000); ++ ++ return true; + } + + static void dcn10_psr_wait_loop( +--- a/drivers/gpu/drm/amd/display/dc/inc/hw/dmcu.h ++++ b/drivers/gpu/drm/amd/display/dc/inc/hw/dmcu.h +@@ -48,7 +48,7 @@ struct dmcu_funcs { + const char *src, + unsigned int bytes); + void (*set_psr_enable)(struct dmcu *dmcu, bool enable, bool wait); +- void (*setup_psr)(struct dmcu *dmcu, ++ bool (*setup_psr)(struct dmcu *dmcu, + struct dc_link *link, + struct psr_context *psr_context); + void (*get_psr_state)(struct dmcu *dmcu, uint32_t *psr_state); 
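Review bot: In dcn10_dmcu_set_psr_enable(), the loop runs `for (retryCount = 0; retryCount <= 1000; retryCount++)`, so exhausting the retries leaves retryCount at 1001, while a `break` on the last permitted pass leaves it at 1000. The new `if (retryCount >= 1000) ASSERT(0);` therefore asserts on that successful final pass, which the removed `ASSERT(retryCount <= 1000);` did not; the condition should be `retryCount > 1000`. Most of this hunk is re-indentation, which would be easier to review as a separate change.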
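Review bot: dcn10_dmcu_setup_psr() returns true unconditionally after the new `REG_WAIT(MASTER_COMM_CNTL_REG, MASTER_COMM_INTERRUPT, 0, 1, 10000);`, and dce_dmcu_setup_psr() ends in a plain `return true;`, so in the lines shown the only failure the new bool reports is the `dmcu->dmcu_state != DMCU_RUNNING` early return. The changelog promises that psr_enable is not set when PSR_SET fails, but a wait that times out is still reported as success, and the diffstat lists no caller that reads the return value. Make the return value reflect whether the wait completed, and include the caller change that checks it.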
diff --git a/queue-4.18/ethtool-remove-trailing-semicolon-for-static-inline.patch b/queue-4.18/ethtool-remove-trailing-semicolon-for-static-inline.patch new file mode 100644 index 00000000000..2519d4ec0c9 --- /dev/null +++ b/queue-4.18/ethtool-remove-trailing-semicolon-for-static-inline.patch @@ -0,0 +1,42 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Florian Fainelli +Date: Sat, 4 Aug 2018 14:20:40 -0700 +Subject: ethtool: Remove trailing semicolon for static inline + +From: Florian Fainelli + +[ Upstream commit d89d41556141a527030a15233135ba622ba3350d ] + +Android's header sanitization tool chokes on static inline functions having a +trailing semicolon, leading to an incorrectly parsed header file. While the +tool should obviously be fixed, also fix the header files for the two affected +functions: ethtool_get_flow_spec_ring() and ethtool_get_flow_spec_ring_vf(). + +Fixes: 8cf6f497de40 ("ethtool: Add helper routines to pass vf to rx_flow_spec") +Reporetd-by: Blair Prescott +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/ethtool.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/uapi/linux/ethtool.h ++++ b/include/uapi/linux/ethtool.h +@@ -902,13 +902,13 @@ struct ethtool_rx_flow_spec { + static inline __u64 ethtool_get_flow_spec_ring(__u64 ring_cookie) + { + return ETHTOOL_RX_FLOW_SPEC_RING & ring_cookie; +-}; ++} + + static inline __u64 ethtool_get_flow_spec_ring_vf(__u64 ring_cookie) + { + return (ETHTOOL_RX_FLOW_SPEC_RING_VF & ring_cookie) >> + ETHTOOL_RX_FLOW_SPEC_RING_VF_OFF; +-}; ++} + + /** + * struct ethtool_rxnfc - command to get or set RX flow classification rules diff --git a/queue-4.18/f2fs-avoid-potential-deadlock-in-f2fs_sbi_store.patch b/queue-4.18/f2fs-avoid-potential-deadlock-in-f2fs_sbi_store.patch new file mode 100644 index 00000000000..7b7a9b81ad3 --- /dev/null 
+++ b/queue-4.18/f2fs-avoid-potential-deadlock-in-f2fs_sbi_store.patch 
@@ -0,0 +1,82 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Jaegeuk Kim +Date: Sun, 15 Jul 2018 09:58:08 +0900 +Subject: f2fs: avoid potential deadlock in f2fs_sbi_store + +From: Jaegeuk Kim + +[ Upstream commit a1933c09ef84c2fd187e05b560ddc6e1267d6508 ] + +[ 155.018460] ====================================================== +[ 155.021431] WARNING: possible circular locking dependency detected +[ 155.024339] 4.18.0-rc3+ #5 Tainted: G OE +[ 155.026879] ------------------------------------------------------ +[ 155.029783] umount/2901 is trying to acquire lock: +[ 155.032187] 00000000c4282f1f (kn->count#130){++++}, at: kernfs_remove+0x1f/0x30 +[ 155.035439] +[ 155.035439] but task is already holding lock: +[ 155.038892] 0000000056e4307b (&type->s_umount_key#41){++++}, at: deactivate_super+0x33/0x50 +[ 155.042602] +[ 155.042602] which lock already depends on the new lock. +[ 155.042602] +[ 155.047465] +[ 155.047465] the existing dependency chain (in reverse order) is: +[ 155.051354] +[ 155.051354] -> #1 (&type->s_umount_key#41){++++}: +[ 155.054768] f2fs_sbi_store+0x61/0x460 [f2fs] +[ 155.057083] kernfs_fop_write+0x113/0x1a0 +[ 155.059277] __vfs_write+0x36/0x180 +[ 155.061250] vfs_write+0xbe/0x1b0 +[ 155.063179] ksys_write+0x55/0xc0 +[ 155.065068] do_syscall_64+0x60/0x1b0 +[ 155.067071] entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 155.069529] +[ 155.069529] -> #0 (kn->count#130){++++}: +[ 155.072421] __kernfs_remove+0x26f/0x2e0 +[ 155.074452] kernfs_remove+0x1f/0x30 +[ 155.076342] kobject_del.part.5+0xe/0x40 +[ 155.078354] f2fs_put_super+0x12d/0x290 [f2fs] +[ 155.080500] generic_shutdown_super+0x6c/0x110 +[ 155.082655] kill_block_super+0x21/0x50 +[ 155.084634] kill_f2fs_super+0x9c/0xc0 [f2fs] +[ 155.086726] deactivate_locked_super+0x3f/0x70 +[ 155.088826] cleanup_mnt+0x3b/0x70 +[ 155.090584] task_work_run+0x93/0xc0 +[ 155.092367] exit_to_usermode_loop+0xf0/0x100 +[ 155.094466] do_syscall_64+0x162/0x1b0 +[ 155.096312] entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 
155.098603] +[ 155.098603] other info that might help us debug this: +[ 155.098603] +[ 155.102418] Possible unsafe locking scenario: +[ 155.102418] +[ 155.105134] CPU0 CPU1 +[ 155.107037] ---- ---- +[ 155.108910] lock(&type->s_umount_key#41); +[ 155.110674] lock(kn->count#130); +[ 155.113010] lock(&type->s_umount_key#41); +[ 155.115608] lock(kn->count#130); + +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/sysfs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -287,8 +287,10 @@ static ssize_t f2fs_sbi_store(struct f2f + bool gc_entry = (!strcmp(a->attr.name, "gc_urgent") || + a->struct_type == GC_THREAD); + +- if (gc_entry) +- down_read(&sbi->sb->s_umount); ++ if (gc_entry) { ++ if (!down_read_trylock(&sbi->sb->s_umount)) ++ return -EAGAIN; ++ } + ret = __sbi_store(a, sbi, buf, count); + if (gc_entry) + up_read(&sbi->sb->s_umount); diff --git a/queue-4.18/f2fs-do-not-set-free-of-current-section.patch b/queue-4.18/f2fs-do-not-set-free-of-current-section.patch new file mode 100644 index 00000000000..63bd2b17824 --- /dev/null +++ b/queue-4.18/f2fs-do-not-set-free-of-current-section.patch 
@@ -0,0 +1,43 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Yunlong Song +Date: Thu, 12 Jul 2018 23:09:26 +0800 +Subject: f2fs: do not set free of current section + +From: Yunlong Song + +[ Upstream commit 3611ce9911267cb93d364bd71ddea6821278d11f ] + +For the case when sbi->segs_per_sec > 1, take section:segment = 5 for +example, if segment 1 is just used and allocate new segment 2, and the +blocks of segment 1 is invalidated, at this time, the previous code will +use __set_test_and_free to free the free_secmap and free_sections++, +this is not correct since it is still a current section, so fix it. + +Signed-off-by: Yunlong Song +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/segment.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/f2fs/segment.h ++++ b/fs/f2fs/segment.h +@@ -448,6 +448,8 @@ static inline void __set_test_and_free(s + if (test_and_clear_bit(segno, free_i->free_segmap)) { + free_i->free_segments++; + ++ if (IS_CURSEC(sbi, secno)) ++ goto skip_free; + next = find_next_bit(free_i->free_segmap, + start_segno + sbi->segs_per_sec, start_segno); + if (next >= start_segno + sbi->segs_per_sec) { +@@ -455,6 +457,7 @@ static inline void __set_test_and_free(s + free_i->free_sections++; + } + } ++skip_free: + spin_unlock(&free_i->segmap_lock); + } + diff --git a/queue-4.18/f2fs-fix-defined-but-not-used-build-warnings.patch b/queue-4.18/f2fs-fix-defined-but-not-used-build-warnings.patch new file mode 100644 index 00000000000..bc8b8d6659d --- /dev/null +++ b/queue-4.18/f2fs-fix-defined-but-not-used-build-warnings.patch 
@@ -0,0 +1,67 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Randy Dunlap +Date: Fri, 6 Jul 2018 20:50:57 -0700 +Subject: f2fs: fix defined but not used build warnings + +From: Randy Dunlap + +[ Upstream commit cb15d1e43db0a6341c1e26ac6a2c74e61b74f1aa ] + +Fix build warnings in f2fs when CONFIG_PROC_FS is not enabled +by marking the unused functions as __maybe_unused. + +../fs/f2fs/sysfs.c:519:12: warning: 'segment_info_seq_show' defined but not used [-Wunused-function] +../fs/f2fs/sysfs.c:546:12: warning: 'segment_bits_seq_show' defined but not used [-Wunused-function] +../fs/f2fs/sysfs.c:570:12: warning: 'iostat_info_seq_show' defined but not used [-Wunused-function] + +Signed-off-by: Randy Dunlap +Cc: Jaegeuk Kim +Cc: Chao Yu +Cc: linux-f2fs-devel@lists.sourceforge.net +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/sysfs.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -9,6 +9,7 @@ + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. 
+ */ ++#include + #include + #include + #include +@@ -516,7 +517,8 @@ static struct kobject f2fs_feat = { + .kset = &f2fs_kset, + }; + +-static int segment_info_seq_show(struct seq_file *seq, void *offset) ++static int __maybe_unused segment_info_seq_show(struct seq_file *seq, ++ void *offset) + { + struct super_block *sb = seq->private; + struct f2fs_sb_info *sbi = F2FS_SB(sb); +@@ -543,7 +545,8 @@ static int segment_info_seq_show(struct + return 0; + } + +-static int segment_bits_seq_show(struct seq_file *seq, void *offset) ++static int __maybe_unused segment_bits_seq_show(struct seq_file *seq, ++ void *offset) + { + struct super_block *sb = seq->private; + struct f2fs_sb_info *sbi = F2FS_SB(sb); +@@ -567,7 +570,8 @@ static int segment_bits_seq_show(struct + return 0; + } + +-static int iostat_info_seq_show(struct seq_file *seq, void *offset) ++static int __maybe_unused iostat_info_seq_show(struct seq_file *seq, ++ void *offset) + { + struct super_block *sb = seq->private; + struct f2fs_sb_info *sbi = F2FS_SB(sb); diff --git a/queue-4.18/f2fs-fix-to-active-page-in-lru-list-for-read-path.patch b/queue-4.18/f2fs-fix-to-active-page-in-lru-list-for-read-path.patch new file mode 100644 index 00000000000..617766c9eb2 --- /dev/null +++ b/queue-4.18/f2fs-fix-to-active-page-in-lru-list-for-read-path.patch 
@@ -0,0 +1,40 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Chao Yu +Date: Fri, 27 Jul 2018 18:15:14 +0800 +Subject: f2fs: fix to active page in lru list for read path + +From: Chao Yu + +[ Upstream commit 82cf4f132e6d16dca6fc3bd955019246141bc645 ] + +If config CONFIG_F2FS_FAULT_INJECTION is on, for both read or write path +we will call find_lock_page() to get the page, but for read path, it +missed to passing FGP_ACCESSED to allocator to active the page in LRU +list, result in being reclaimed in advance incorrectly, fix it. + +Reported-by: Xianrong Zhou +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/f2fs.h | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -1954,8 +1954,13 @@ static inline struct page *f2fs_grab_cac + pgoff_t index, bool for_write) + { + #ifdef CONFIG_F2FS_FAULT_INJECTION +- struct page *page = find_lock_page(mapping, index); ++ struct page *page; + ++ if (!for_write) ++ page = find_get_page_flags(mapping, index, ++ FGP_LOCK | FGP_ACCESSED); ++ else ++ page = find_lock_page(mapping, index); + if (page) + return page; + diff --git a/queue-4.18/f2fs-fix-to-detect-looped-node-chain-correctly.patch b/queue-4.18/f2fs-fix-to-detect-looped-node-chain-correctly.patch new file mode 100644 index 00000000000..de6eedee9c5 --- /dev/null +++ b/queue-4.18/f2fs-fix-to-detect-looped-node-chain-correctly.patch 
@@ -0,0 +1,48 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Chao Yu +Date: Thu, 5 Jul 2018 19:37:00 +0800 +Subject: f2fs: fix to detect looped node chain correctly + +From: Chao Yu + +[ Upstream commit 82902c06bd17dbf6e8184299842ca5c68880970f ] + +Below dmesg was printed when testing generic/388 of fstest: + +F2FS-fs (zram1): find_fsync_dnodes: detect looped node chain, blkaddr:526615, next:526616 +F2FS-fs (zram1): Cannot recover all fsync data errno=-22 +F2FS-fs (zram1): Mounted with checkpoint version = 22300d0e +F2FS-fs (zram1): find_fsync_dnodes: detect looped node chain, blkaddr:526615, next:526616 +F2FS-fs (zram1): Cannot recover all fsync data errno=-22 + +The reason is that we initialize free_blocks with free blocks of +filesystem, so if filesystem is full, free_blocks can be zero, +below condition will be true, so that, it will fail recovery. + +if (++loop_cnt >= free_blocks || + blkaddr == next_blkaddr_of_node(page)) + +To fix this issue, initialize free_blocks with correct value which +includes over-privision blocks. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/recovery.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/recovery.c ++++ b/fs/f2fs/recovery.c +@@ -241,8 +241,8 @@ static int find_fsync_dnodes(struct f2fs + struct page *page = NULL; + block_t blkaddr; + unsigned int loop_cnt = 0; +- unsigned int free_blocks = sbi->user_block_count - +- valid_user_blocks(sbi); ++ unsigned int free_blocks = MAIN_SEGS(sbi) * sbi->blocks_per_seg - ++ valid_user_blocks(sbi); + int err = 0; + + /* get node pages in the current segment */ diff --git a/queue-4.18/f2fs-fix-to-do-sanity-check-with-extra_attr-feature.patch b/queue-4.18/f2fs-fix-to-do-sanity-check-with-extra_attr-feature.patch new file mode 100644 index 00000000000..1f005a988c3 --- /dev/null +++ b/queue-4.18/f2fs-fix-to-do-sanity-check-with-extra_attr-feature.patch 
@@ -0,0 +1,302 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Chao Yu +Date: Mon, 25 Jun 2018 23:29:49 +0800 +Subject: f2fs: fix to do sanity check with extra_attr feature + +From: Chao Yu + +[ Upstream commit 76d56d4ab4f2a9e4f085c7d77172194ddaccf7d2 ] + +If FI_EXTRA_ATTR is set in inode by fuzzing, inode.i_addr[0] will be +parsed as inode.i_extra_isize, then in __recover_inline_status, inline +data address will beyond boundary of page, result in accessing invalid +memory. + +So in this condition, during reading inode page, let's do sanity check +with EXTRA_ATTR feature of fs and extra_attr bit of inode, if they're +inconsistent, deny to load this inode. + +- Overview +Out-of-bound access in f2fs_iget() when mounting a corrupted f2fs image + +- Reproduce + +The following message will be got in KASAN build of 4.18 upstream kernel. +[ 819.392227] ================================================================== +[ 819.393901] BUG: KASAN: slab-out-of-bounds in f2fs_iget+0x736/0x1530 +[ 819.395329] Read of size 4 at addr ffff8801f099c968 by task mount/1292 + +[ 819.397079] CPU: 1 PID: 1292 Comm: mount Not tainted 4.18.0-rc1+ #4 +[ 819.397082] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 819.397088] Call Trace: +[ 819.397124] dump_stack+0x7b/0xb5 +[ 819.397154] print_address_description+0x70/0x290 +[ 819.397159] kasan_report+0x291/0x390 +[ 819.397163] ? f2fs_iget+0x736/0x1530 +[ 819.397176] check_memory_region+0x139/0x190 +[ 819.397182] __asan_loadN+0xf/0x20 +[ 819.397185] f2fs_iget+0x736/0x1530 +[ 819.397197] f2fs_fill_super+0x1b4f/0x2b40 +[ 819.397202] ? f2fs_fill_super+0x1b4f/0x2b40 +[ 819.397208] ? f2fs_commit_super+0x1b0/0x1b0 +[ 819.397227] ? set_blocksize+0x90/0x140 +[ 819.397241] mount_bdev+0x1c5/0x210 +[ 819.397245] ? f2fs_commit_super+0x1b0/0x1b0 +[ 819.397252] f2fs_mount+0x15/0x20 +[ 819.397256] mount_fs+0x60/0x1a0 +[ 819.397267] ? 
alloc_vfsmnt+0x309/0x360 +[ 819.397272] vfs_kern_mount+0x6b/0x1a0 +[ 819.397282] do_mount+0x34a/0x18c0 +[ 819.397300] ? lockref_put_or_lock+0xcf/0x160 +[ 819.397306] ? copy_mount_string+0x20/0x20 +[ 819.397318] ? memcg_kmem_put_cache+0x1b/0xa0 +[ 819.397324] ? kasan_check_write+0x14/0x20 +[ 819.397334] ? _copy_from_user+0x6a/0x90 +[ 819.397353] ? memdup_user+0x42/0x60 +[ 819.397359] ksys_mount+0x83/0xd0 +[ 819.397365] __x64_sys_mount+0x67/0x80 +[ 819.397388] do_syscall_64+0x78/0x170 +[ 819.397403] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 819.397422] RIP: 0033:0x7f54c667cb9a +[ 819.397424] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48 +[ 819.397483] RSP: 002b:00007ffd8f46cd08 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +[ 819.397496] RAX: ffffffffffffffda RBX: 0000000000dfa030 RCX: 00007f54c667cb9a +[ 819.397498] RDX: 0000000000dfa210 RSI: 0000000000dfbf30 RDI: 0000000000e02ec0 +[ 819.397501] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013 +[ 819.397503] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000000000e02ec0 +[ 819.397505] R13: 0000000000dfa210 R14: 0000000000000000 R15: 0000000000000003 + +[ 819.397866] Allocated by task 139: +[ 819.398702] save_stack+0x46/0xd0 +[ 819.398705] kasan_kmalloc+0xad/0xe0 +[ 819.398709] kasan_slab_alloc+0x11/0x20 +[ 819.398713] kmem_cache_alloc+0xd1/0x1e0 +[ 819.398717] dup_fd+0x50/0x4c0 +[ 819.398740] copy_process.part.37+0xbed/0x32e0 +[ 819.398744] _do_fork+0x16e/0x590 +[ 819.398748] __x64_sys_clone+0x69/0x80 +[ 819.398752] do_syscall_64+0x78/0x170 +[ 819.398756] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +[ 819.399097] Freed by task 159: +[ 819.399743] save_stack+0x46/0xd0 +[ 819.399747] __kasan_slab_free+0x13c/0x1a0 +[ 819.399750] kasan_slab_free+0xe/0x10 +[ 819.399754] kmem_cache_free+0x89/0x1e0 +[ 819.399757] put_files_struct+0x132/0x150 +[ 
819.399761] exit_files+0x62/0x70 +[ 819.399766] do_exit+0x47b/0x1390 +[ 819.399770] do_group_exit+0x86/0x130 +[ 819.399774] __x64_sys_exit_group+0x2c/0x30 +[ 819.399778] do_syscall_64+0x78/0x170 +[ 819.399782] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +[ 819.400115] The buggy address belongs to the object at ffff8801f099c680 + which belongs to the cache files_cache of size 704 +[ 819.403234] The buggy address is located 40 bytes to the right of + 704-byte region [ffff8801f099c680, ffff8801f099c940) +[ 819.405689] The buggy address belongs to the page: +[ 819.406709] page:ffffea0007c26700 count:1 mapcount:0 mapping:ffff8801f69a3340 index:0xffff8801f099d380 compound_mapcount: 0 +[ 819.408984] flags: 0x2ffff0000008100(slab|head) +[ 819.409932] raw: 02ffff0000008100 ffffea00077fb600 0000000200000002 ffff8801f69a3340 +[ 819.411514] raw: ffff8801f099d380 0000000080130000 00000001ffffffff 0000000000000000 +[ 819.413073] page dumped because: kasan: bad access detected + +[ 819.414539] Memory state around the buggy address: +[ 819.415521] ffff8801f099c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 819.416981] ffff8801f099c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 819.418454] >ffff8801f099c900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[ 819.419921] ^ +[ 819.421265] ffff8801f099c980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb +[ 819.422745] ffff8801f099ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 819.424206] ================================================================== +[ 819.425668] Disabling lock debugging due to kernel taint +[ 819.457463] F2FS-fs (loop0): Mounted with checkpoint version = 3 + +The kernel still mounts the image. 
If you run the following program on the mounted folder mnt, + +(poc.c) + +static void activity(char *mpoint) { + + char *foo_bar_baz; + int err; + + static int buf[8192]; + memset(buf, 0, sizeof(buf)); + + err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint); + int fd = open(foo_bar_baz, O_RDONLY, 0); + if (fd >= 0) { + read(fd, (char *)buf, 11); + close(fd); + } +} + +int main(int argc, char *argv[]) { + activity(argv[1]); + return 0; +} + +You can get kernel crash: +[ 819.457463] F2FS-fs (loop0): Mounted with checkpoint version = 3 +[ 918.028501] BUG: unable to handle kernel paging request at ffffed0048000d82 +[ 918.044020] PGD 23ffee067 P4D 23ffee067 PUD 23fbef067 PMD 0 +[ 918.045207] Oops: 0000 [#1] SMP KASAN PTI +[ 918.046048] CPU: 0 PID: 1309 Comm: poc Tainted: G B 4.18.0-rc1+ #4 +[ 918.047573] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 918.049552] RIP: 0010:check_memory_region+0x5e/0x190 +[ 918.050565] Code: f8 49 c1 e8 03 49 89 db 49 c1 eb 03 4d 01 cb 4d 01 c1 4d 8d 63 01 4c 89 c8 4d 89 e2 4d 29 ca 49 83 fa 10 7f 3d 4d 85 d2 74 32 <41> 80 39 00 75 23 48 b8 01 00 00 00 00 fc ff df 4d 01 d1 49 01 c0 +[ 918.054322] RSP: 0018:ffff8801e3a1f258 EFLAGS: 00010202 +[ 918.055400] RAX: ffffed0048000d82 RBX: ffff880240006c11 RCX: ffffffffb8867d14 +[ 918.056832] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff880240006c10 +[ 918.058253] RBP: ffff8801e3a1f268 R08: 1ffff10048000d82 R09: ffffed0048000d82 +[ 918.059717] R10: 0000000000000001 R11: ffffed0048000d82 R12: ffffed0048000d83 +[ 918.061159] R13: ffff8801e3a1f390 R14: 0000000000000000 R15: ffff880240006c08 +[ 918.062614] FS: 00007fac9732c700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 +[ 918.064246] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 918.065412] CR2: ffffed0048000d82 CR3: 00000001df77a000 CR4: 00000000000006f0 +[ 918.066882] Call Trace: +[ 918.067410] __asan_loadN+0xf/0x20 +[ 918.068149] f2fs_find_target_dentry+0xf4/0x270 +[ 
918.069083] ? __get_node_page+0x331/0x5b0 +[ 918.069925] f2fs_find_in_inline_dir+0x24b/0x310 +[ 918.070881] ? f2fs_recover_inline_data+0x4c0/0x4c0 +[ 918.071905] ? unwind_next_frame.part.5+0x34f/0x490 +[ 918.072901] ? unwind_dump+0x290/0x290 +[ 918.073695] ? is_bpf_text_address+0xe/0x20 +[ 918.074566] __f2fs_find_entry+0x599/0x670 +[ 918.075408] ? kasan_unpoison_shadow+0x36/0x50 +[ 918.076315] ? kasan_kmalloc+0xad/0xe0 +[ 918.077100] ? memcg_kmem_put_cache+0x55/0xa0 +[ 918.077998] ? f2fs_find_target_dentry+0x270/0x270 +[ 918.079006] ? d_set_d_op+0x30/0x100 +[ 918.079749] ? __d_lookup_rcu+0x69/0x2e0 +[ 918.080556] ? __d_alloc+0x275/0x450 +[ 918.081297] ? kasan_check_write+0x14/0x20 +[ 918.082135] ? memset+0x31/0x40 +[ 918.082820] ? fscrypt_setup_filename+0x1ec/0x4c0 +[ 918.083782] ? d_alloc_parallel+0x5bb/0x8c0 +[ 918.084640] f2fs_find_entry+0xe9/0x110 +[ 918.085432] ? __f2fs_find_entry+0x670/0x670 +[ 918.086308] ? kasan_check_write+0x14/0x20 +[ 918.087163] f2fs_lookup+0x297/0x590 +[ 918.087902] ? f2fs_link+0x2b0/0x2b0 +[ 918.088646] ? legitimize_path.isra.29+0x61/0xa0 +[ 918.089589] __lookup_slow+0x12e/0x240 +[ 918.090371] ? may_delete+0x2b0/0x2b0 +[ 918.091123] ? __nd_alloc_stack+0xa0/0xa0 +[ 918.091944] lookup_slow+0x44/0x60 +[ 918.092642] walk_component+0x3ee/0xa40 +[ 918.093428] ? is_bpf_text_address+0xe/0x20 +[ 918.094283] ? pick_link+0x3e0/0x3e0 +[ 918.095047] ? in_group_p+0xa5/0xe0 +[ 918.095771] ? generic_permission+0x53/0x1e0 +[ 918.096666] ? security_inode_permission+0x1d/0x70 +[ 918.097646] ? inode_permission+0x7a/0x1f0 +[ 918.098497] link_path_walk+0x2a2/0x7b0 +[ 918.099298] ? apparmor_capget+0x3d0/0x3d0 +[ 918.100140] ? walk_component+0xa40/0xa40 +[ 918.100958] ? path_init+0x2e6/0x580 +[ 918.101695] path_openat+0x1bb/0x2160 +[ 918.102471] ? __save_stack_trace+0x92/0x100 +[ 918.103352] ? save_stack+0xb5/0xd0 +[ 918.104070] ? vfs_unlink+0x250/0x250 +[ 918.104822] ? save_stack+0x46/0xd0 +[ 918.105538] ? kasan_slab_alloc+0x11/0x20 +[ 918.106370] ? 
kmem_cache_alloc+0xd1/0x1e0 +[ 918.107213] ? getname_flags+0x76/0x2c0 +[ 918.107997] ? getname+0x12/0x20 +[ 918.108677] ? do_sys_open+0x14b/0x2c0 +[ 918.109450] ? __x64_sys_open+0x4c/0x60 +[ 918.110255] ? do_syscall_64+0x78/0x170 +[ 918.111083] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 918.112148] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 918.113204] ? f2fs_empty_inline_dir+0x1e0/0x1e0 +[ 918.114150] ? timespec64_trunc+0x5c/0x90 +[ 918.114993] ? wb_io_lists_depopulated+0x1a/0xc0 +[ 918.115937] ? inode_io_list_move_locked+0x102/0x110 +[ 918.116949] do_filp_open+0x12b/0x1d0 +[ 918.117709] ? may_open_dev+0x50/0x50 +[ 918.118475] ? kasan_kmalloc+0xad/0xe0 +[ 918.119246] do_sys_open+0x17c/0x2c0 +[ 918.119983] ? do_sys_open+0x17c/0x2c0 +[ 918.120751] ? filp_open+0x60/0x60 +[ 918.121463] ? task_work_run+0x4d/0xf0 +[ 918.122237] __x64_sys_open+0x4c/0x60 +[ 918.123001] do_syscall_64+0x78/0x170 +[ 918.123759] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 918.124802] RIP: 0033:0x7fac96e3e040 +[ 918.125537] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 09 27 2d 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 7e e0 01 00 48 89 04 24 +[ 918.129341] RSP: 002b:00007fff1b37f848 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 +[ 918.130870] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fac96e3e040 +[ 918.132295] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000122d080 +[ 918.133748] RBP: 00007fff1b37f9b0 R08: 00007fac9710bbd8 R09: 0000000000000001 +[ 918.135209] R10: 000000000000069d R11: 0000000000000246 R12: 0000000000400c20 +[ 918.136650] R13: 00007fff1b37fab0 R14: 0000000000000000 R15: 0000000000000000 +[ 918.138093] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy 
async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy +[ 918.147924] CR2: ffffed0048000d82 +[ 918.148619] ---[ end trace 4ce02f25ff7d3df5 ]--- +[ 918.149563] RIP: 0010:check_memory_region+0x5e/0x190 +[ 918.150576] Code: f8 49 c1 e8 03 49 89 db 49 c1 eb 03 4d 01 cb 4d 01 c1 4d 8d 63 01 4c 89 c8 4d 89 e2 4d 29 ca 49 83 fa 10 7f 3d 4d 85 d2 74 32 <41> 80 39 00 75 23 48 b8 01 00 00 00 00 fc ff df 4d 01 d1 49 01 c0 +[ 918.154360] RSP: 0018:ffff8801e3a1f258 EFLAGS: 00010202 +[ 918.155411] RAX: ffffed0048000d82 RBX: ffff880240006c11 RCX: ffffffffb8867d14 +[ 918.156833] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff880240006c10 +[ 918.158257] RBP: ffff8801e3a1f268 R08: 1ffff10048000d82 R09: ffffed0048000d82 +[ 918.159722] R10: 0000000000000001 R11: ffffed0048000d82 R12: ffffed0048000d83 +[ 918.161149] R13: ffff8801e3a1f390 R14: 0000000000000000 R15: ffff880240006c08 +[ 918.162587] FS: 00007fac9732c700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 +[ 918.164203] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 918.165356] CR2: ffffed0048000d82 CR3: 00000001df77a000 CR4: 00000000000006f0 + +Reported-by: Wen Xu +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/inode.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -197,6 +197,16 @@ static bool sanity_check_inode(struct in + __func__, inode->i_ino); + return false; + } ++ ++ if (f2fs_has_extra_attr(inode) && ++ !f2fs_sb_has_extra_attr(sbi->sb)) { ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ f2fs_msg(sbi->sb, KERN_WARNING, ++ "%s: inode (ino=%lx) is with extra_attr, " ++ "but extra_attr feature is off", ++ __func__, inode->i_ino); ++ return false; ++ } + return 
true; + } + +@@ -249,6 +259,11 @@ static int do_read_inode(struct inode *i + + get_inline_info(inode, ri); + ++ if (!sanity_check_inode(inode)) { ++ f2fs_put_page(node_page, 1); ++ return -EINVAL; ++ } ++ + fi->i_extra_isize = f2fs_has_extra_attr(inode) ? + le16_to_cpu(ri->i_extra_isize) : 0; + +@@ -330,10 +345,6 @@ struct inode *f2fs_iget(struct super_blo + ret = do_read_inode(inode); + if (ret) + goto bad_inode; +- if (!sanity_check_inode(inode)) { +- ret = -EINVAL; +- goto bad_inode; +- } + make_now: + if (ino == F2FS_NODE_INO(sbi)) { + inode->i_mapping->a_ops = &f2fs_node_aops; diff --git a/queue-4.18/f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of-inline-inode.patch b/queue-4.18/f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of-inline-inode.patch new file mode 100644 index 00000000000..ac4b092dd66 --- /dev/null +++ b/queue-4.18/f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of-inline-inode.patch 
@@ -0,0 +1,155 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Chao Yu +Date: Sat, 30 Jun 2018 18:13:40 +0800 +Subject: f2fs: fix to do sanity check with reserved blkaddr of inline inode + +From: Chao Yu + +[ Upstream commit 4dbe38dc386910c668c75ae616b99b823b59f3eb ] + +As Wen Xu reported in bugzilla, after image was injected with random data +by fuzzing, inline inode would contain invalid reserved blkaddr, then +during inline conversion, we will encounter illegal memory accessing +reported by KASAN, the root cause of this is when writing out converted +inline page, we will use invalid reserved blkaddr to update sit bitmap, +result in accessing memory beyond sit bitmap boundary. + +In order to fix this issue, let's do sanity check with reserved block +address of inline inode to avoid above condition. + +https://bugzilla.kernel.org/show_bug.cgi?id=200179 + +[ 1428.846352] BUG: KASAN: use-after-free in update_sit_entry+0x80/0x7f0 +[ 1428.846618] Read of size 4 at addr ffff880194483540 by task a.out/2741 + +[ 1428.846855] CPU: 0 PID: 2741 Comm: a.out Tainted: G W 4.17.0+ #1 +[ 1428.846858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 1428.846860] Call Trace: +[ 1428.846868] dump_stack+0x71/0xab +[ 1428.846875] print_address_description+0x6b/0x290 +[ 1428.846881] kasan_report+0x28e/0x390 +[ 1428.846888] ? update_sit_entry+0x80/0x7f0 +[ 1428.846898] update_sit_entry+0x80/0x7f0 +[ 1428.846906] f2fs_allocate_data_block+0x6db/0xc70 +[ 1428.846914] ? f2fs_get_node_info+0x14f/0x590 +[ 1428.846920] do_write_page+0xc8/0x150 +[ 1428.846928] f2fs_outplace_write_data+0xfe/0x210 +[ 1428.846935] ? f2fs_do_write_node_page+0x170/0x170 +[ 1428.846941] ? radix_tree_tag_clear+0xff/0x130 +[ 1428.846946] ? __mod_node_page_state+0x22/0xa0 +[ 1428.846951] ? inc_zone_page_state+0x54/0x100 +[ 1428.846956] ? __test_set_page_writeback+0x336/0x5d0 +[ 1428.846964] f2fs_convert_inline_page+0x407/0x6d0 +[ 1428.846971] ? 
f2fs_read_inline_data+0x3b0/0x3b0 +[ 1428.846978] ? __get_node_page+0x335/0x6b0 +[ 1428.846987] f2fs_convert_inline_inode+0x41b/0x500 +[ 1428.846994] ? f2fs_convert_inline_page+0x6d0/0x6d0 +[ 1428.847000] ? kasan_unpoison_shadow+0x31/0x40 +[ 1428.847005] ? kasan_kmalloc+0xa6/0xd0 +[ 1428.847024] f2fs_file_mmap+0x79/0xc0 +[ 1428.847029] mmap_region+0x58b/0x880 +[ 1428.847037] ? arch_get_unmapped_area+0x370/0x370 +[ 1428.847042] do_mmap+0x55b/0x7a0 +[ 1428.847048] vm_mmap_pgoff+0x16f/0x1c0 +[ 1428.847055] ? vma_is_stack_for_current+0x50/0x50 +[ 1428.847062] ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160 +[ 1428.847068] ? do_sys_open+0x206/0x2a0 +[ 1428.847073] ? __fget+0xb4/0x100 +[ 1428.847079] ksys_mmap_pgoff+0x278/0x360 +[ 1428.847085] ? find_mergeable_anon_vma+0x50/0x50 +[ 1428.847091] do_syscall_64+0x73/0x160 +[ 1428.847098] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 1428.847102] RIP: 0033:0x7fb1430766ba +[ 1428.847103] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00 +[ 1428.847162] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 +[ 1428.847167] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba +[ 1428.847170] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000 +[ 1428.847173] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000 +[ 1428.847176] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000 +[ 1428.847179] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000 + +[ 1428.847252] Allocated by task 2683: +[ 1428.847372] kasan_kmalloc+0xa6/0xd0 +[ 1428.847380] kmem_cache_alloc+0xc8/0x1e0 +[ 1428.847385] getname_flags+0x73/0x2b0 +[ 1428.847390] user_path_at_empty+0x1d/0x40 +[ 1428.847395] vfs_statx+0xc1/0x150 +[ 1428.847401] __do_sys_newlstat+0x7e/0xd0 +[ 1428.847405] do_syscall_64+0x73/0x160 +[ 1428.847411] 
entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +[ 1428.847466] Freed by task 2683: +[ 1428.847566] __kasan_slab_free+0x137/0x190 +[ 1428.847571] kmem_cache_free+0x85/0x1e0 +[ 1428.847575] filename_lookup+0x191/0x280 +[ 1428.847580] vfs_statx+0xc1/0x150 +[ 1428.847585] __do_sys_newlstat+0x7e/0xd0 +[ 1428.847590] do_syscall_64+0x73/0x160 +[ 1428.847596] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +[ 1428.847648] The buggy address belongs to the object at ffff880194483300 + which belongs to the cache names_cache of size 4096 +[ 1428.847946] The buggy address is located 576 bytes inside of + 4096-byte region [ffff880194483300, ffff880194484300) +[ 1428.848234] The buggy address belongs to the page: +[ 1428.848366] page:ffffea0006512000 count:1 mapcount:0 mapping:ffff8801f3586380 index:0x0 compound_mapcount: 0 +[ 1428.848606] flags: 0x17fff8000008100(slab|head) +[ 1428.848737] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f3586380 +[ 1428.848931] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000 +[ 1428.849122] page dumped because: kasan: bad access detected + +[ 1428.849305] Memory state around the buggy address: +[ 1428.849436] ffff880194483400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 1428.849620] ffff880194483480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 1428.849804] >ffff880194483500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 1428.849985] ^ +[ 1428.850120] ffff880194483580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 1428.850303] ffff880194483600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 1428.850498] ================================================================== + +Reported-by: Wen Xu +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/inline.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/fs/f2fs/inline.c ++++ b/fs/f2fs/inline.c +@@ -130,6 +130,16 @@ int 
f2fs_convert_inline_page(struct dnod + if (err) + return err; + ++ if (unlikely(dn->data_blkaddr != NEW_ADDR)) { ++ f2fs_put_dnode(dn); ++ set_sbi_flag(fio.sbi, SBI_NEED_FSCK); ++ f2fs_msg(fio.sbi->sb, KERN_WARNING, ++ "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, " ++ "run fsck to fix.", ++ __func__, dn->inode->i_ino, dn->data_blkaddr); ++ return -EINVAL; ++ } ++ + f2fs_bug_on(F2FS_P_SB(page), PageWriteback(page)); + + f2fs_do_read_inline_data(page, dn->inode_page); +@@ -363,6 +373,17 @@ static int f2fs_move_inline_dirents(stru + if (err) + goto out; + ++ if (unlikely(dn.data_blkaddr != NEW_ADDR)) { ++ f2fs_put_dnode(&dn); ++ set_sbi_flag(F2FS_P_SB(page), SBI_NEED_FSCK); ++ f2fs_msg(F2FS_P_SB(page)->sb, KERN_WARNING, ++ "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, " ++ "run fsck to fix.", ++ __func__, dir->i_ino, dn.data_blkaddr); ++ err = -EINVAL; ++ goto out; ++ } ++ + f2fs_wait_on_page_writeback(page, DATA, true); + + dentry_blk = page_address(page); diff --git a/queue-4.18/f2fs-fix-to-do-sanity-check-with-secs_per_zone.patch b/queue-4.18/f2fs-fix-to-do-sanity-check-with-secs_per_zone.patch new file mode 100644 index 00000000000..40166d27dd2 --- /dev/null +++ b/queue-4.18/f2fs-fix-to-do-sanity-check-with-secs_per_zone.patch 
@@ -0,0 +1,98 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Chao Yu +Date: Sat, 23 Jun 2018 00:12:36 +0800 +Subject: f2fs: fix to do sanity check with secs_per_zone + +From: Chao Yu + +[ Upstream commit 42bf546c1fe3f3654bdf914e977acbc2b80a5be5 ] + +As Wen Xu reported in below link: + +https://bugzilla.kernel.org/show_bug.cgi?id=200183 + +- Overview +Divide zero in reset_curseg() when mounting a crafted f2fs image + +- Reproduce + +- Kernel message +[ 588.281510] divide error: 0000 [#1] SMP KASAN PTI +[ 588.282701] CPU: 0 PID: 1293 Comm: mount Not tainted 4.18.0-rc1+ #4 +[ 588.284000] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 588.286178] RIP: 0010:reset_curseg+0x94/0x1a0 +[ 588.298166] RSP: 0018:ffff8801e88d7940 EFLAGS: 00010246 +[ 588.299360] RAX: 0000000000000014 RBX: ffff8801e1d46d00 RCX: ffffffffb88bf60b +[ 588.300809] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e1d46d64 +[ 588.305272] R13: 0000000000000000 R14: 0000000000000014 R15: 0000000000000000 +[ 588.306822] FS: 00007fad85008840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 +[ 588.308456] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 588.309623] CR2: 0000000001705078 CR3: 00000001f30f8000 CR4: 00000000000006f0 +[ 588.311085] Call Trace: +[ 588.311637] f2fs_build_segment_manager+0x103f/0x3410 +[ 588.316136] ? f2fs_commit_super+0x1b0/0x1b0 +[ 588.317031] ? set_blocksize+0x90/0x140 +[ 588.319473] f2fs_mount+0x15/0x20 +[ 588.320166] mount_fs+0x60/0x1a0 +[ 588.320847] ? alloc_vfsmnt+0x309/0x360 +[ 588.321647] vfs_kern_mount+0x6b/0x1a0 +[ 588.322432] do_mount+0x34a/0x18c0 +[ 588.323175] ? strndup_user+0x46/0x70 +[ 588.323937] ? copy_mount_string+0x20/0x20 +[ 588.324793] ? memcg_kmem_put_cache+0x1b/0xa0 +[ 588.325702] ? kasan_check_write+0x14/0x20 +[ 588.326562] ? _copy_from_user+0x6a/0x90 +[ 588.327375] ? 
memdup_user+0x42/0x60 +[ 588.328118] ksys_mount+0x83/0xd0 +[ 588.328808] __x64_sys_mount+0x67/0x80 +[ 588.329607] do_syscall_64+0x78/0x170 +[ 588.330400] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 588.331461] RIP: 0033:0x7fad848e8b9a +[ 588.336022] RSP: 002b:00007ffd7c5b6be8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +[ 588.337547] RAX: ffffffffffffffda RBX: 00000000016f8030 RCX: 00007fad848e8b9a +[ 588.338999] RDX: 00000000016f8210 RSI: 00000000016f9f30 RDI: 0000000001700ec0 +[ 588.340442] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013 +[ 588.341887] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001700ec0 +[ 588.343341] R13: 00000000016f8210 R14: 0000000000000000 R15: 0000000000000003 +[ 588.354891] ---[ end trace 4ce02f25ff7d3df5 ]--- +[ 588.355862] RIP: 0010:reset_curseg+0x94/0x1a0 +[ 588.360742] RSP: 0018:ffff8801e88d7940 EFLAGS: 00010246 +[ 588.361812] RAX: 0000000000000014 RBX: ffff8801e1d46d00 RCX: ffffffffb88bf60b +[ 588.363485] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e1d46d64 +[ 588.365213] RBP: ffff8801e88d7968 R08: ffffed003c32266f R09: ffffed003c32266f +[ 588.366661] R10: 0000000000000001 R11: ffffed003c32266e R12: ffff8801f0337700 +[ 588.368110] R13: 0000000000000000 R14: 0000000000000014 R15: 0000000000000000 +[ 588.370057] FS: 00007fad85008840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 +[ 588.372099] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 588.373291] CR2: 0000000001705078 CR3: 00000001f30f8000 CR4: 00000000000006f0 + +- Location +https://elixir.bootlin.com/linux/latest/source/fs/f2fs/segment.c#L2147 + curseg->zone = GET_ZONE_FROM_SEG(sbi, curseg->segno); + +If secs_per_zone is corrupted due to fuzzing test, it will cause divide +zero operation when using GET_ZONE_FROM_SEG macro, so we should do more +sanity check with secs_per_zone during mount to avoid this issue. 
+ +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/super.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -2229,9 +2229,9 @@ static int sanity_check_raw_super(struct + return 1; + } + +- if (secs_per_zone > total_sections) { ++ if (secs_per_zone > total_sections || !secs_per_zone) { + f2fs_msg(sb, KERN_INFO, +- "Wrong secs_per_zone (%u > %u)", ++ "Wrong secs_per_zone / total_sections (%u, %u)", + secs_per_zone, total_sections); + return 1; + } diff --git a/queue-4.18/f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch b/queue-4.18/f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch new file mode 100644 index 00000000000..4e0c2655238 --- /dev/null +++ b/queue-4.18/f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch 
@@ -0,0 +1,223 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Chao Yu +Date: Sat, 23 Jun 2018 11:25:19 +0800 +Subject: f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize + +From: Chao Yu + +[ Upstream commit c77ec61ca0a49544ca81881cc5d5529858f7e196 ] + +This patch adds to do sanity check with {sit,nat}_ver_bitmap_bytesize +during mount, in order to avoid accessing across cache boundary with +this abnormal bitmap size. + +- Overview +buffer overrun in build_sit_info() when mounting a crafted f2fs image + +- Reproduce + +- Kernel message +[ 548.580867] F2FS-fs (loop0): Invalid log blocks per segment (8201) + +[ 548.580877] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock +[ 548.584979] ================================================================== +[ 548.586568] BUG: KASAN: use-after-free in kmemdup+0x36/0x50 +[ 548.587715] Read of size 64 at addr ffff8801e9c265ff by task mount/1295 + +[ 548.589428] CPU: 1 PID: 1295 Comm: mount Not tainted 4.18.0-rc1+ #4 +[ 548.589432] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 548.589438] Call Trace: +[ 548.589474] dump_stack+0x7b/0xb5 +[ 548.589487] print_address_description+0x70/0x290 +[ 548.589492] kasan_report+0x291/0x390 +[ 548.589496] ? kmemdup+0x36/0x50 +[ 548.589509] check_memory_region+0x139/0x190 +[ 548.589514] memcpy+0x23/0x50 +[ 548.589518] kmemdup+0x36/0x50 +[ 548.589545] f2fs_build_segment_manager+0x8fa/0x3410 +[ 548.589551] ? __asan_loadN+0xf/0x20 +[ 548.589560] ? f2fs_sanity_check_ckpt+0x1be/0x240 +[ 548.589566] ? f2fs_flush_sit_entries+0x10c0/0x10c0 +[ 548.589587] ? __put_user_ns+0x40/0x40 +[ 548.589604] ? find_next_bit+0x57/0x90 +[ 548.589610] f2fs_fill_super+0x194b/0x2b40 +[ 548.589617] ? f2fs_commit_super+0x1b0/0x1b0 +[ 548.589637] ? set_blocksize+0x90/0x140 +[ 548.589651] mount_bdev+0x1c5/0x210 +[ 548.589655] ? 
f2fs_commit_super+0x1b0/0x1b0 +[ 548.589667] f2fs_mount+0x15/0x20 +[ 548.589672] mount_fs+0x60/0x1a0 +[ 548.589683] ? alloc_vfsmnt+0x309/0x360 +[ 548.589688] vfs_kern_mount+0x6b/0x1a0 +[ 548.589699] do_mount+0x34a/0x18c0 +[ 548.589710] ? lockref_put_or_lock+0xcf/0x160 +[ 548.589716] ? copy_mount_string+0x20/0x20 +[ 548.589728] ? memcg_kmem_put_cache+0x1b/0xa0 +[ 548.589734] ? kasan_check_write+0x14/0x20 +[ 548.589740] ? _copy_from_user+0x6a/0x90 +[ 548.589744] ? memdup_user+0x42/0x60 +[ 548.589750] ksys_mount+0x83/0xd0 +[ 548.589755] __x64_sys_mount+0x67/0x80 +[ 548.589781] do_syscall_64+0x78/0x170 +[ 548.589797] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 548.589820] RIP: 0033:0x7f76fc331b9a +[ 548.589821] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48 +[ 548.589880] RSP: 002b:00007ffd4f0a0e48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +[ 548.589890] RAX: ffffffffffffffda RBX: 000000000146c030 RCX: 00007f76fc331b9a +[ 548.589892] RDX: 000000000146c210 RSI: 000000000146df30 RDI: 0000000001474ec0 +[ 548.589895] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013 +[ 548.589897] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001474ec0 +[ 548.589900] R13: 000000000146c210 R14: 0000000000000000 R15: 0000000000000003 + +[ 548.590242] The buggy address belongs to the page: +[ 548.591243] page:ffffea0007a70980 count:0 mapcount:0 mapping:0000000000000000 index:0x0 +[ 548.592886] flags: 0x2ffff0000000000() +[ 548.593665] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000 +[ 548.595258] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +[ 548.603713] page dumped because: kasan: bad access detected + +[ 548.605203] Memory state around the buggy address: +[ 548.606198] ffff8801e9c26480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 548.607676] 
ffff8801e9c26500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 548.609157] >ffff8801e9c26580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 548.610629] ^ +[ 548.612088] ffff8801e9c26600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 548.613674] ffff8801e9c26680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 548.615141] ================================================================== +[ 548.616613] Disabling lock debugging due to kernel taint +[ 548.622871] WARNING: CPU: 1 PID: 1295 at mm/page_alloc.c:4065 __alloc_pages_slowpath+0xe4a/0x1420 +[ 548.622878] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy +[ 548.623217] CPU: 1 PID: 1295 Comm: mount Tainted: G B 4.18.0-rc1+ #4 +[ 548.623219] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 548.623226] RIP: 0010:__alloc_pages_slowpath+0xe4a/0x1420 +[ 548.623227] Code: ff ff 01 89 85 c8 fe ff ff e9 91 fc ff ff 41 89 c5 e9 5c fc ff ff 0f 0b 89 f8 25 ff ff f7 ff 89 85 8c fe ff ff e9 d5 f2 ff ff <0f> 0b e9 65 f2 ff ff 65 8b 05 38 81 d2 47 f6 c4 01 74 1c 65 48 8b +[ 548.623281] RSP: 0018:ffff8801f28c7678 EFLAGS: 00010246 +[ 548.623284] RAX: 0000000000000000 RBX: 00000000006040c0 RCX: ffffffffb82f73b7 +[ 548.623287] RDX: 1ffff1003e518eeb RSI: 000000000000000c RDI: 0000000000000000 +[ 548.623290] RBP: ffff8801f28c7880 R08: 0000000000000000 R09: ffffed0047fff2c5 +[ 548.623292] R10: 0000000000000001 R11: ffffed0047fff2c4 R12: ffff8801e88de040 +[ 548.623295] R13: 00000000006040c0 R14: 
000000000000000c R15: ffff8801f28c7938 +[ 548.623299] FS: 00007f76fca51840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000 +[ 548.623302] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 548.623304] CR2: 00007f19b9171760 CR3: 00000001ed952000 CR4: 00000000000006e0 +[ 548.623317] Call Trace: +[ 548.623325] ? kasan_check_read+0x11/0x20 +[ 548.623330] ? __zone_watermark_ok+0x92/0x240 +[ 548.623336] ? get_page_from_freelist+0x1c3/0x1d90 +[ 548.623347] ? _raw_spin_lock_irqsave+0x2a/0x60 +[ 548.623353] ? warn_alloc+0x250/0x250 +[ 548.623358] ? save_stack+0x46/0xd0 +[ 548.623361] ? kasan_kmalloc+0xad/0xe0 +[ 548.623366] ? __isolate_free_page+0x2a0/0x2a0 +[ 548.623370] ? mount_fs+0x60/0x1a0 +[ 548.623374] ? vfs_kern_mount+0x6b/0x1a0 +[ 548.623378] ? do_mount+0x34a/0x18c0 +[ 548.623383] ? ksys_mount+0x83/0xd0 +[ 548.623387] ? __x64_sys_mount+0x67/0x80 +[ 548.623391] ? do_syscall_64+0x78/0x170 +[ 548.623396] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 548.623401] __alloc_pages_nodemask+0x3c5/0x400 +[ 548.623407] ? __alloc_pages_slowpath+0x1420/0x1420 +[ 548.623412] ? __mutex_lock_slowpath+0x20/0x20 +[ 548.623417] ? kvmalloc_node+0x31/0x80 +[ 548.623424] alloc_pages_current+0x75/0x110 +[ 548.623436] kmalloc_order+0x24/0x60 +[ 548.623442] kmalloc_order_trace+0x24/0xb0 +[ 548.623448] __kmalloc_track_caller+0x207/0x220 +[ 548.623455] ? f2fs_build_node_manager+0x399/0xbb0 +[ 548.623460] kmemdup+0x20/0x50 +[ 548.623465] f2fs_build_node_manager+0x399/0xbb0 +[ 548.623470] f2fs_fill_super+0x195e/0x2b40 +[ 548.623477] ? f2fs_commit_super+0x1b0/0x1b0 +[ 548.623481] ? set_blocksize+0x90/0x140 +[ 548.623486] mount_bdev+0x1c5/0x210 +[ 548.623489] ? f2fs_commit_super+0x1b0/0x1b0 +[ 548.623495] f2fs_mount+0x15/0x20 +[ 548.623498] mount_fs+0x60/0x1a0 +[ 548.623503] ? alloc_vfsmnt+0x309/0x360 +[ 548.623508] vfs_kern_mount+0x6b/0x1a0 +[ 548.623513] do_mount+0x34a/0x18c0 +[ 548.623518] ? lockref_put_or_lock+0xcf/0x160 +[ 548.623523] ? copy_mount_string+0x20/0x20 +[ 548.623528] ? 
memcg_kmem_put_cache+0x1b/0xa0 +[ 548.623533] ? kasan_check_write+0x14/0x20 +[ 548.623537] ? _copy_from_user+0x6a/0x90 +[ 548.623542] ? memdup_user+0x42/0x60 +[ 548.623547] ksys_mount+0x83/0xd0 +[ 548.623552] __x64_sys_mount+0x67/0x80 +[ 548.623557] do_syscall_64+0x78/0x170 +[ 548.623562] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 548.623566] RIP: 0033:0x7f76fc331b9a +[ 548.623567] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48 +[ 548.623632] RSP: 002b:00007ffd4f0a0e48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +[ 548.623636] RAX: ffffffffffffffda RBX: 000000000146c030 RCX: 00007f76fc331b9a +[ 548.623639] RDX: 000000000146c210 RSI: 000000000146df30 RDI: 0000000001474ec0 +[ 548.623641] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013 +[ 548.623643] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001474ec0 +[ 548.623646] R13: 000000000146c210 R14: 0000000000000000 R15: 0000000000000003 +[ 548.623650] ---[ end trace 4ce02f25ff7d3df5 ]--- +[ 548.623656] F2FS-fs (loop0): Failed to initialize F2FS node manager +[ 548.627936] F2FS-fs (loop0): Invalid log blocks per segment (8201) + +[ 548.627940] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock +[ 548.635835] F2FS-fs (loop0): Failed to initialize F2FS node manager + +- Location +https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.c#L3578 + + sit_i->sit_bitmap = kmemdup(src_bitmap, bitmap_size, GFP_KERNEL); + +Buffer overrun happens when doing memcpy. I suspect there is missing (inconsistent) checks on bitmap_size. + +Reported by Wen Xu (wen.xu@gatech.edu) from SSLab, Gatech. 
+ +Reported-by: Wen Xu +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/super.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -2282,12 +2282,17 @@ int f2fs_sanity_check_ckpt(struct f2fs_s + struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi); + unsigned int ovp_segments, reserved_segments; + unsigned int main_segs, blocks_per_seg; ++ unsigned int sit_segs, nat_segs; ++ unsigned int sit_bitmap_size, nat_bitmap_size; ++ unsigned int log_blocks_per_seg; + int i; + + total = le32_to_cpu(raw_super->segment_count); + fsmeta = le32_to_cpu(raw_super->segment_count_ckpt); +- fsmeta += le32_to_cpu(raw_super->segment_count_sit); +- fsmeta += le32_to_cpu(raw_super->segment_count_nat); ++ sit_segs = le32_to_cpu(raw_super->segment_count_sit); ++ fsmeta += sit_segs; ++ nat_segs = le32_to_cpu(raw_super->segment_count_nat); ++ fsmeta += nat_segs; + fsmeta += le32_to_cpu(ckpt->rsvd_segment_count); + fsmeta += le32_to_cpu(raw_super->segment_count_ssa); + +@@ -2318,6 +2323,18 @@ int f2fs_sanity_check_ckpt(struct f2fs_s + return 1; + } + ++ sit_bitmap_size = le32_to_cpu(ckpt->sit_ver_bitmap_bytesize); ++ nat_bitmap_size = le32_to_cpu(ckpt->nat_ver_bitmap_bytesize); ++ log_blocks_per_seg = le32_to_cpu(raw_super->log_blocks_per_seg); ++ ++ if (sit_bitmap_size != ((sit_segs / 2) << log_blocks_per_seg) / 8 || ++ nat_bitmap_size != ((nat_segs / 2) << log_blocks_per_seg) / 8) { ++ f2fs_msg(sbi->sb, KERN_ERR, ++ "Wrong bitmap size: sit: %u, nat:%u", ++ sit_bitmap_size, nat_bitmap_size); ++ return 1; ++ } ++ + if (unlikely(f2fs_cp_error(sbi))) { + f2fs_msg(sbi->sb, KERN_ERR, "A bug case: need to run fsck"); + return 1; diff --git a/queue-4.18/f2fs-fix-to-propagate-return-value-of-scan_nat_page.patch b/queue-4.18/f2fs-fix-to-propagate-return-value-of-scan_nat_page.patch new file mode 100644 index 00000000000..202d8ae547a --- /dev/null 
+++ b/queue-4.18/f2fs-fix-to-propagate-return-value-of-scan_nat_page.patch 
@@ -0,0 +1,206 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Chao Yu +Date: Fri, 15 Jun 2018 14:45:57 +0800 +Subject: f2fs: fix to propagate return value of scan_nat_page() + +From: Chao Yu + +[ Upstream commit e2374015f27fe5ee5d5c37966e2faf396cdaaa65 ] + +As Anatoly Trosinenko reported in bugzilla: + +How to reproduce: +1. Compile the 73fcb1a370c76 version of the kernel using the config attached +2. Unpack and mount the attached filesystem image as F2FS +3. The kernel will BUG() on mount (BUGs are explicitly enabled in config) + +[ 2.233612] F2FS-fs (sda): Found nat_bits in checkpoint +[ 2.248422] ------------[ cut here ]------------ +[ 2.248857] kernel BUG at fs/f2fs/node.c:1967! +[ 2.249760] invalid opcode: 0000 [#1] SMP NOPTI +[ 2.250219] Modules linked in: +[ 2.251848] CPU: 0 PID: 944 Comm: mount Not tainted 4.17.0-rc5+ #1 +[ 2.252331] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +[ 2.253305] RIP: 0010:build_free_nids+0x337/0x3f0 +[ 2.253672] RSP: 0018:ffffae7fc0857c50 EFLAGS: 00000246 +[ 2.254080] RAX: 00000000ffffffff RBX: 0000000000000123 RCX: 0000000000000001 +[ 2.254638] RDX: ffff9aa7063d5c00 RSI: 0000000000000122 RDI: ffff9aa705852e00 +[ 2.255190] RBP: ffff9aa705852e00 R08: 0000000000000001 R09: ffff9aa7059090c0 +[ 2.255719] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9aa705852e00 +[ 2.256242] R13: ffff9aa7063ad000 R14: ffff9aa705919000 R15: 0000000000000123 +[ 2.256809] FS: 00000000023078c0(0000) GS:ffff9aa707800000(0000) knlGS:0000000000000000 +[ 2.258654] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 2.259153] CR2: 00000000005511ae CR3: 0000000005872000 CR4: 00000000000006f0 +[ 2.259801] Call Trace: +[ 2.260583] build_node_manager+0x5cd/0x600 +[ 2.260963] f2fs_fill_super+0x66a/0x17c0 +[ 2.261300] ? f2fs_commit_super+0xe0/0xe0 +[ 2.261622] mount_bdev+0x16e/0x1a0 +[ 2.261899] mount_fs+0x30/0x150 +[ 2.262398] vfs_kern_mount.part.28+0x4f/0xf0 +[ 2.262743] do_mount+0x5d0/0xc60 +[ 2.263010] ? 
_copy_from_user+0x37/0x60 +[ 2.263313] ? memdup_user+0x39/0x60 +[ 2.263692] ksys_mount+0x7b/0xd0 +[ 2.263960] __x64_sys_mount+0x1c/0x20 +[ 2.264268] do_syscall_64+0x43/0xf0 +[ 2.264560] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 2.265095] RIP: 0033:0x48d31a +[ 2.265502] RSP: 002b:00007ffc6fe60a08 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 +[ 2.266089] RAX: ffffffffffffffda RBX: 0000000000008000 RCX: 000000000048d31a +[ 2.266607] RDX: 00007ffc6fe62fa5 RSI: 00007ffc6fe62f9d RDI: 00007ffc6fe62f94 +[ 2.267130] RBP: 00000000023078a0 R08: 0000000000000000 R09: 0000000000000000 +[ 2.267670] R10: 0000000000008000 R11: 0000000000000246 R12: 0000000000000000 +[ 2.268192] R13: 0000000000000000 R14: 00007ffc6fe60c78 R15: 0000000000000000 +[ 2.268767] Code: e8 5f c3 ff ff 83 c3 01 41 83 c7 01 81 fb c7 01 00 00 74 48 44 39 7d 04 76 42 48 63 c3 48 8d 04 c0 41 8b 44 06 05 83 f8 ff 75 c1 <0f> 0b 49 8b 45 50 48 8d b8 b0 00 00 00 e8 37 59 69 00 b9 01 00 +[ 2.270434] RIP: build_free_nids+0x337/0x3f0 RSP: ffffae7fc0857c50 +[ 2.271426] ---[ end trace ab20c06cd3c8fde4 ]--- + +During loading NAT entries, we will do sanity check, once the entry info +is corrupted, it will cause BUG_ON directly to protect user data from +being overwrited. + +In this case, it will be better to just return failure on mount() instead +of panic, so that user can get hint from kmsg and try fsck for recovery +immediately rather than after an abnormal reboot. 
+ +https://bugzilla.kernel.org/show_bug.cgi?id=199769 + +Reported-by: Anatoly Trosinenko +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/f2fs.h | 2 +- + fs/f2fs/node.c | 42 ++++++++++++++++++++++++++++++------------ + 2 files changed, 31 insertions(+), 13 deletions(-) + +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -2819,7 +2819,7 @@ int f2fs_fsync_node_pages(struct f2fs_sb + int f2fs_sync_node_pages(struct f2fs_sb_info *sbi, + struct writeback_control *wbc, + bool do_balance, enum iostat_type io_type); +-void f2fs_build_free_nids(struct f2fs_sb_info *sbi, bool sync, bool mount); ++int f2fs_build_free_nids(struct f2fs_sb_info *sbi, bool sync, bool mount); + bool f2fs_alloc_nid(struct f2fs_sb_info *sbi, nid_t *nid); + void f2fs_alloc_nid_done(struct f2fs_sb_info *sbi, nid_t nid); + void f2fs_alloc_nid_failed(struct f2fs_sb_info *sbi, nid_t nid); +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -1970,7 +1970,7 @@ static void remove_free_nid(struct f2fs_ + kmem_cache_free(free_nid_slab, i); + } + +-static void scan_nat_page(struct f2fs_sb_info *sbi, ++static int scan_nat_page(struct f2fs_sb_info *sbi, + struct page *nat_page, nid_t start_nid) + { + struct f2fs_nm_info *nm_i = NM_I(sbi); +@@ -1988,7 +1988,10 @@ static void scan_nat_page(struct f2fs_sb + break; + + blk_addr = le32_to_cpu(nat_blk->entries[i].block_addr); +- f2fs_bug_on(sbi, blk_addr == NEW_ADDR); ++ ++ if (blk_addr == NEW_ADDR) ++ return -EINVAL; ++ + if (blk_addr == NULL_ADDR) { + add_free_nid(sbi, start_nid, true, true); + } else { +@@ -1997,6 +2000,8 @@ static void scan_nat_page(struct f2fs_sb + spin_unlock(&NM_I(sbi)->nid_list_lock); + } + } ++ ++ return 0; + } + + static void scan_curseg_cache(struct f2fs_sb_info *sbi) +@@ -2052,11 +2057,11 @@ out: + up_read(&nm_i->nat_tree_lock); + } + +-static void __f2fs_build_free_nids(struct f2fs_sb_info *sbi, ++static int __f2fs_build_free_nids(struct f2fs_sb_info *sbi, + bool 
sync, bool mount) + { + struct f2fs_nm_info *nm_i = NM_I(sbi); +- int i = 0; ++ int i = 0, ret; + nid_t nid = nm_i->next_scan_nid; + + if (unlikely(nid >= nm_i->max_nid)) +@@ -2064,17 +2069,17 @@ static void __f2fs_build_free_nids(struc + + /* Enough entries */ + if (nm_i->nid_cnt[FREE_NID] >= NAT_ENTRY_PER_BLOCK) +- return; ++ return 0; + + if (!sync && !f2fs_available_free_memory(sbi, FREE_NIDS)) +- return; ++ return 0; + + if (!mount) { + /* try to find free nids in free_nid_bitmap */ + scan_free_nid_bits(sbi); + + if (nm_i->nid_cnt[FREE_NID] >= NAT_ENTRY_PER_BLOCK) +- return; ++ return 0; + } + + /* readahead nat pages to be scanned */ +@@ -2088,8 +2093,16 @@ static void __f2fs_build_free_nids(struc + nm_i->nat_block_bitmap)) { + struct page *page = get_current_nat_page(sbi, nid); + +- scan_nat_page(sbi, page, nid); ++ ret = scan_nat_page(sbi, page, nid); + f2fs_put_page(page, 1); ++ ++ if (ret) { ++ up_read(&nm_i->nat_tree_lock); ++ f2fs_bug_on(sbi, !mount); ++ f2fs_msg(sbi->sb, KERN_ERR, ++ "NAT is corrupt, run fsck to fix it"); ++ return -EINVAL; ++ } + } + + nid += (NAT_ENTRY_PER_BLOCK - (nid % NAT_ENTRY_PER_BLOCK)); +@@ -2110,13 +2123,19 @@ static void __f2fs_build_free_nids(struc + + f2fs_ra_meta_pages(sbi, NAT_BLOCK_OFFSET(nm_i->next_scan_nid), + nm_i->ra_nid_pages, META_NAT, false); ++ ++ return 0; + } + +-void f2fs_build_free_nids(struct f2fs_sb_info *sbi, bool sync, bool mount) ++int f2fs_build_free_nids(struct f2fs_sb_info *sbi, bool sync, bool mount) + { ++ int ret; ++ + mutex_lock(&NM_I(sbi)->build_lock); +- __f2fs_build_free_nids(sbi, sync, mount); ++ ret = __f2fs_build_free_nids(sbi, sync, mount); + mutex_unlock(&NM_I(sbi)->build_lock); ++ ++ return ret; + } + + /* +@@ -2803,8 +2822,7 @@ int f2fs_build_node_manager(struct f2fs_ + /* load free nid status from nat_bits table */ + load_free_nid_bitmap(sbi); + +- f2fs_build_free_nids(sbi, true, true); +- return 0; ++ return f2fs_build_free_nids(sbi, true, true); + } + + void 
f2fs_destroy_node_manager(struct f2fs_sb_info *sbi) diff --git a/queue-4.18/f2fs-fix-to-skip-gc-if-type-in-ssa-and-sit-is-inconsistent.patch b/queue-4.18/f2fs-fix-to-skip-gc-if-type-in-ssa-and-sit-is-inconsistent.patch new file mode 100644 index 00000000000..ae98a7dd91a --- /dev/null +++ b/queue-4.18/f2fs-fix-to-skip-gc-if-type-in-ssa-and-sit-is-inconsistent.patch 
@@ -0,0 +1,74 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Chao Yu +Date: Wed, 4 Jul 2018 21:20:05 +0800 +Subject: f2fs: fix to skip GC if type in SSA and SIT is inconsistent + +From: Chao Yu + +[ Upstream commit 10d255c3540239c7920f52d2eb223756e186af56 ] + +If segment type in SSA and SIT is inconsistent, we will encounter below +BUG_ON during GC, to avoid this panic, let's just skip doing GC on such +segment. + +The bug is triggered with image reported in below link: + +https://bugzilla.kernel.org/show_bug.cgi?id=200223 + +[ 388.060262] ------------[ cut here ]------------ +[ 388.060268] kernel BUG at /home/y00370721/git/devf2fs/gc.c:989! +[ 388.061172] invalid opcode: 0000 [#1] SMP +[ 388.061773] Modules linked in: f2fs(O) bluetooth ecdh_generic xt_tcpudp iptable_filter ip_tables x_tables lp ttm drm_kms_helper drm intel_rapl sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel fb_sys_fops ppdev aes_x86_64 syscopyarea crypto_simd sysfillrect parport_pc joydev sysimgblt glue_helper parport cryptd i2c_piix4 serio_raw mac_hid btrfs hid_generic usbhid hid raid6_pq psmouse pata_acpi floppy +[ 388.064247] CPU: 7 PID: 4151 Comm: f2fs_gc-7:0 Tainted: G O 4.13.0-rc1+ #26 +[ 388.065306] Hardware name: Xen HVM domU, BIOS 4.1.2_115-900.260_ 11/06/2015 +[ 388.066058] task: ffff880201583b80 task.stack: ffffc90004d7c000 +[ 388.069948] RIP: 0010:do_garbage_collect+0xcc8/0xcd0 [f2fs] +[ 388.070766] RSP: 0018:ffffc90004d7fc68 EFLAGS: 00010202 +[ 388.071783] RAX: ffff8801ed227000 RBX: 0000000000000001 RCX: ffffea0007b489c0 +[ 388.072700] RDX: ffff880000000000 RSI: 0000000000000001 RDI: ffffea0007b489c0 +[ 388.073607] RBP: ffffc90004d7fd58 R08: 0000000000000003 R09: ffffea0007b489dc +[ 388.074619] R10: 0000000000000000 R11: 0052782ab317138d R12: 0000000000000018 +[ 388.075625] R13: 0000000000000018 R14: ffff880211ceb000 R15: ffff880211ceb000 +[ 388.076687] FS: 0000000000000000(0000) GS:ffff880214fc0000(0000) knlGS:0000000000000000 +[ 388.083277] CS: 
0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 388.084536] CR2: 0000000000e18c60 CR3: 00000001ecf2e000 CR4: 00000000001406e0 +[ 388.085748] Call Trace: +[ 388.086690] ? find_next_bit+0xb/0x10 +[ 388.088091] f2fs_gc+0x1a8/0x9d0 [f2fs] +[ 388.088888] ? lock_timer_base+0x7d/0xa0 +[ 388.090213] ? try_to_del_timer_sync+0x44/0x60 +[ 388.091698] gc_thread_func+0x342/0x4b0 [f2fs] +[ 388.092892] ? wait_woken+0x80/0x80 +[ 388.094098] kthread+0x109/0x140 +[ 388.095010] ? f2fs_gc+0x9d0/0x9d0 [f2fs] +[ 388.096043] ? kthread_park+0x60/0x60 +[ 388.097281] ret_from_fork+0x25/0x30 +[ 388.098401] Code: ff ff 48 83 e8 01 48 89 44 24 58 e9 27 f8 ff ff 48 83 e8 01 e9 78 fc ff ff 48 8d 78 ff e9 17 fb ff ff 48 83 ef 01 e9 4d f4 ff ff <0f> 0b 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 56 41 55 +[ 388.100864] RIP: do_garbage_collect+0xcc8/0xcd0 [f2fs] RSP: ffffc90004d7fc68 +[ 388.101810] ---[ end trace 81c73d6e6b7da61d ]--- + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/gc.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -986,7 +986,13 @@ static int do_garbage_collect(struct f2f + goto next; + + sum = page_address(sum_page); +- f2fs_bug_on(sbi, type != GET_SUM_TYPE((&sum->footer))); ++ if (type != GET_SUM_TYPE((&sum->footer))) { ++ f2fs_msg(sbi->sb, KERN_ERR, "Inconsistent segment (%u) " ++ "type [%d, %d] in SSA and SIT", ++ segno, type, GET_SUM_TYPE((&sum->footer))); ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ goto next; ++ } + + /* + * this is to avoid deadlock: diff --git a/queue-4.18/f2fs-fix-to-wait-on-page-writeback-before-updating-page.patch b/queue-4.18/f2fs-fix-to-wait-on-page-writeback-before-updating-page.patch new file mode 100644 index 00000000000..fe6379541a2 --- /dev/null +++ b/queue-4.18/f2fs-fix-to-wait-on-page-writeback-before-updating-page.patch 
@@ -0,0 +1,30 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Chao Yu +Date: Thu, 21 Jun 2018 22:38:28 +0800 +Subject: f2fs: fix to wait on page writeback before updating page + +From: Chao Yu + +[ Upstream commit 6aead1617b3adf2b7e2c56f0f13e4e0ee42ebb4a ] + +In error path of f2fs_move_rehashed_dirents, inode page could be writeback +state, so we should wait on inode page writeback before updating it. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/inline.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/f2fs/inline.c ++++ b/fs/f2fs/inline.c +@@ -498,6 +498,7 @@ static int f2fs_move_rehashed_dirents(st + return 0; + recover: + lock_page(ipage); ++ f2fs_wait_on_page_writeback(ipage, NODE, true); + memcpy(inline_dentry, backup_dentry, MAX_INLINE_DATA(dir)); + f2fs_i_depth_write(dir, 0); + f2fs_i_size_write(dir, MAX_INLINE_DATA(dir)); diff --git a/queue-4.18/f2fs-fix-uninitialized-return-in-f2fs_ioc_shutdown.patch b/queue-4.18/f2fs-fix-uninitialized-return-in-f2fs_ioc_shutdown.patch new file mode 100644 index 00000000000..de4f34cef3a --- /dev/null +++ b/queue-4.18/f2fs-fix-uninitialized-return-in-f2fs_ioc_shutdown.patch 
@@ -0,0 +1,33 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Dan Carpenter +Date: Wed, 20 Jun 2018 13:39:53 +0300 +Subject: f2fs: Fix uninitialized return in f2fs_ioc_shutdown() + +From: Dan Carpenter + +[ Upstream commit 2a96d8ad94ce57cb0072f7a660b1039720c47716 ] + +"ret" can be uninitialized on the success path when "in == +F2FS_GOING_DOWN_FULLSYNC". + +Fixes: 60b2b4ee2bc0 ("f2fs: Fix deadlock in shutdown ioctl") +Signed-off-by: Dan Carpenter +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -1882,7 +1882,7 @@ static int f2fs_ioc_shutdown(struct file + struct f2fs_sb_info *sbi = F2FS_I_SB(inode); + struct super_block *sb = sbi->sb; + __u32 in; +- int ret; ++ int ret = 0; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; diff --git a/queue-4.18/f2fs-issue-discard-align-to-section-in-lfs-mode.patch b/queue-4.18/f2fs-issue-discard-align-to-section-in-lfs-mode.patch new file mode 100644 index 00000000000..0b4145e6f32 --- /dev/null +++ b/queue-4.18/f2fs-issue-discard-align-to-section-in-lfs-mode.patch 
@@ -0,0 +1,105 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Yunlong Song +Date: Thu, 19 Jul 2018 20:58:15 +0800 +Subject: f2fs: issue discard align to section in LFS mode + +From: Yunlong Song + +[ Upstream commit ad6672bbc527727dc8968e8d92687f55ae928ce5 ] + +For the case when sbi->segs_per_sec > 1 with lfs mode, take +section:segment = 5 for example, if the section prefree_map is +...previous section | current section (1 1 0 1 1) | next section..., +then the start = x, end = x + 1, after start = start_segno + +sbi->segs_per_sec, start = x + 5, then it will skip x + 3 and x + 4, but +their bitmap is still set, which will cause duplicated +f2fs_issue_discard of this same section in the next write_checkpoint: + +round 1: section bitmap : 1 1 1 1 1, all valid, prefree_map: 0 0 0 0 0 +then rm data block NO.2, block NO.2 becomes invalid, prefree_map: 0 0 1 0 0 +write_checkpoint: section bitmap: 1 1 0 1 1, prefree_map: 0 0 0 0 0, +prefree of NO.2 is cleared, and no discard issued + +round 2: rm data block NO.0, NO.1, NO.3, NO.4 +all invalid, but prefree bit of NO.2 is set and cleared in round 1, then +prefree_map: 1 1 0 1 1 +write_checkpoint: section bitmap: 0 0 0 0 0, prefree_map: 0 0 0 1 1, no +valid blocks of this section, so discard issued, but this time prefree +bit of NO.3 and NO.4 is skipped due to start = start_segno + sbi->segs_per_sec; + +round 3: +write_checkpoint: section bitmap: 0 0 0 0 0, prefree_map: 0 0 0 1 1 -> +0 0 0 0 0, no valid blocks of this section, so discard issued, +this time prefree bit of NO.3 and NO.4 is cleared, but the discard of +this section is sent again... + +To fix this problem, we can align the start and end value to section +boundary for fstrim and real-time discard operation, and decide to issue +discard only when the whole section is invalid, which can issue discard +aligned to section size as much as possible and avoid redundant discard. 
+ +Signed-off-by: Yunlong Song +Signed-off-by: Chao Yu +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/segment.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -1643,21 +1643,30 @@ void f2fs_clear_prefree_segments(struct + unsigned int start = 0, end = -1; + unsigned int secno, start_segno; + bool force = (cpc->reason & CP_DISCARD); ++ bool need_align = test_opt(sbi, LFS) && sbi->segs_per_sec > 1; + + mutex_lock(&dirty_i->seglist_lock); + + while (1) { + int i; ++ ++ if (need_align && end != -1) ++ end--; + start = find_next_bit(prefree_map, MAIN_SEGS(sbi), end + 1); + if (start >= MAIN_SEGS(sbi)) + break; + end = find_next_zero_bit(prefree_map, MAIN_SEGS(sbi), + start + 1); + +- for (i = start; i < end; i++) +- clear_bit(i, prefree_map); ++ if (need_align) { ++ start = rounddown(start, sbi->segs_per_sec); ++ end = roundup(end, sbi->segs_per_sec); ++ } + +- dirty_i->nr_dirty[PRE] -= end - start; ++ for (i = start; i < end; i++) { ++ if (test_and_clear_bit(i, prefree_map)) ++ dirty_i->nr_dirty[PRE]--; ++ } + + if (!test_opt(sbi, DISCARD)) + continue; +@@ -2437,6 +2446,7 @@ int f2fs_trim_fs(struct f2fs_sb_info *sb + struct discard_policy dpolicy; + unsigned long long trimmed = 0; + int err = 0; ++ bool need_align = test_opt(sbi, LFS) && sbi->segs_per_sec > 1; + + if (start >= MAX_BLKADDR(sbi) || range->len < sbi->blocksize) + return -EINVAL; +@@ -2454,6 +2464,10 @@ int f2fs_trim_fs(struct f2fs_sb_info *sb + start_segno = (start <= MAIN_BLKADDR(sbi)) ? 0 : GET_SEGNO(sbi, start); + end_segno = (end >= MAX_BLKADDR(sbi)) ? 
MAIN_SEGS(sbi) - 1 : + GET_SEGNO(sbi, end); ++ if (need_align) { ++ start_segno = rounddown(start_segno, sbi->segs_per_sec); ++ end_segno = roundup(end_segno + 1, sbi->segs_per_sec) - 1; ++ } + + cpc.reason = CP_DISCARD; + cpc.trim_minlen = max_t(__u64, 1, F2FS_BYTES_TO_BLK(range->minlen)); diff --git a/queue-4.18/f2fs-keep-alloc_valid_block_count-in-sync.patch b/queue-4.18/f2fs-keep-alloc_valid_block_count-in-sync.patch new file mode 100644 index 00000000000..277f8667a7b --- /dev/null +++ b/queue-4.18/f2fs-keep-alloc_valid_block_count-in-sync.patch 
@@ -0,0 +1,49 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Daniel Rosenberg +Date: Mon, 9 Jul 2018 20:32:42 -0700 +Subject: f2fs: Keep alloc_valid_block_count in sync + +From: Daniel Rosenberg + +[ Upstream commit 36b877af7992893b6d1ddbe96971cab5ab9e50eb ] + +If we attempt to request more blocks than we have room for, we try to +instead request as much as we can, however, alloc_valid_block_count +is not decremented to match the new value, allowing it to drift higher +until the next checkpoint. This always decrements it when the requested +amount cannot be fulfilled. + +Signed-off-by: Daniel Rosenberg +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/f2fs.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -1680,18 +1680,20 @@ static inline int inc_valid_block_count( + sbi->total_valid_block_count -= diff; + if (!*count) { + spin_unlock(&sbi->stat_lock); +- percpu_counter_sub(&sbi->alloc_valid_block_count, diff); + goto enospc; + } + } + spin_unlock(&sbi->stat_lock); + +- if (unlikely(release)) ++ if (unlikely(release)) { ++ percpu_counter_sub(&sbi->alloc_valid_block_count, release); + dquot_release_reservation_block(inode, release); ++ } + f2fs_i_blocks_write(inode, *count, true, true); + return 0; + + enospc: ++ percpu_counter_sub(&sbi->alloc_valid_block_count, release); + dquot_release_reservation_block(inode, release); + return -ENOSPC; + } diff --git a/queue-4.18/f2fs-try-grabbing-node-page-lock-aggressively-in-sync-scenario.patch b/queue-4.18/f2fs-try-grabbing-node-page-lock-aggressively-in-sync-scenario.patch new file mode 100644 index 00000000000..62b47834c0c --- /dev/null +++ b/queue-4.18/f2fs-try-grabbing-node-page-lock-aggressively-in-sync-scenario.patch 
@@ -0,0 +1,38 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Chao Yu +Date: Wed, 4 Jul 2018 18:04:10 +0800 +Subject: f2fs: try grabbing node page lock aggressively in sync scenario + +From: Chao Yu + +[ Upstream commit 4b270a8cc5047682f0a3f3f9af3b498408dbd2bc ] + +In synchronous scenario, like in checkpoint(), we are going to flush +dirty node pages to device synchronously, we can easily failed +writebacking node page due to trylock_page() failure, especially in +condition of intensive lock competition, which can cause long latency +of checkpoint(). So let's use lock_page() in synchronous scenario to +avoid this issue. + +Signed-off-by: Yunlei He +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/node.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -1633,7 +1633,9 @@ next_step: + !is_cold_node(page))) + continue; + lock_node: +- if (!trylock_page(page)) ++ if (wbc->sync_mode == WB_SYNC_ALL) ++ lock_page(page); ++ else if (!trylock_page(page)) + continue; + + if (unlikely(page->mapping != NODE_MAPPING(sbi))) { diff --git a/queue-4.18/firmware-vpd-fix-section-enabled-flag-on-vpd_section_destroy.patch b/queue-4.18/firmware-vpd-fix-section-enabled-flag-on-vpd_section_destroy.patch new file mode 100644 index 00000000000..502f93322e0 --- /dev/null +++ b/queue-4.18/firmware-vpd-fix-section-enabled-flag-on-vpd_section_destroy.patch 
@@ -0,0 +1,53 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Anton Vasilyev +Date: Tue, 24 Jul 2018 18:10:38 +0300 +Subject: firmware: vpd: Fix section enabled flag on vpd_section_destroy + +From: Anton Vasilyev + +[ Upstream commit 45ca3f76de0507ecf143f770570af2942f263812 ] + +static struct ro_vpd and rw_vpd are initialized by vpd_sections_init() +in vpd_probe() based on header's ro and rw sizes. +In vpd_remove() vpd_section_destroy() performs deinitialization based +on enabled flag, which is set to true by vpd_sections_init(). +This leads to call of vpd_section_destroy() on already destroyed section +for probe-release-probe-release sequence if first probe performs +ro_vpd initialization and second probe does not initialize it. + +The patch adds changing enabled flag on vpd_section_destroy and adds +cleanup on the error path of vpd_sections_init. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Reviewed-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/google/vpd.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/firmware/google/vpd.c ++++ b/drivers/firmware/google/vpd.c +@@ -246,6 +246,7 @@ static int vpd_section_destroy(struct vp + sysfs_remove_bin_file(vpd_kobj, &sec->bin_attr); + kfree(sec->raw_name); + memunmap(sec->baseaddr); ++ sec->enabled = false; + } + + return 0; +@@ -279,8 +280,10 @@ static int vpd_sections_init(phys_addr_t + ret = vpd_section_init("rw", &rw_vpd, + physaddr + sizeof(struct vpd_cbmem) + + header.ro_size, header.rw_size); +- if (ret) ++ if (ret) { ++ vpd_section_destroy(&ro_vpd); + return ret; ++ } + } + + return 0; diff --git a/queue-4.18/gpio-ml-ioh-fix-buffer-underwrite-on-probe-error-path.patch b/queue-4.18/gpio-ml-ioh-fix-buffer-underwrite-on-probe-error-path.patch new file mode 100644 index 00000000000..86eaabc0c8d --- /dev/null 
+++ b/queue-4.18/gpio-ml-ioh-fix-buffer-underwrite-on-probe-error-path.patch @@ -0,0 +1,41 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Anton Vasilyev +Date: Mon, 23 Jul 2018 19:53:30 +0300 +Subject: gpio: ml-ioh: Fix buffer underwrite on probe error path + +From: Anton Vasilyev + +[ Upstream commit 4bf4eed44bfe288f459496eaf38089502ef91a79 ] + +If ioh_gpio_probe() fails on devm_irq_alloc_descs() then chip may point +to any element of chip_save array, so reverse iteration from pointer chip +may become chip_save[-1] and gpiochip_remove() will operate with wrong +memory. + +The patch fix the error path of ioh_gpio_probe() to correctly bypass +chip_save array. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-ml-ioh.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-ml-ioh.c ++++ b/drivers/gpio/gpio-ml-ioh.c +@@ -496,9 +496,10 @@ static int ioh_gpio_probe(struct pci_dev + return 0; + + err_gpiochip_add: ++ chip = chip_save; + while (--i >= 0) { +- chip--; + gpiochip_remove(&chip->gpio); ++ chip++; + } + kfree(chip_save); + diff --git a/queue-4.18/gpio-pxa-disable-pinctrl-calls-for-pxa3xx.patch b/queue-4.18/gpio-pxa-disable-pinctrl-calls-for-pxa3xx.patch new file mode 100644 index 00000000000..35ad89c9f4f --- /dev/null +++ b/queue-4.18/gpio-pxa-disable-pinctrl-calls-for-pxa3xx.patch 
@@ -0,0 +1,94 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Daniel Mack +Date: Fri, 13 Jul 2018 18:15:38 +0200 +Subject: gpio: pxa: disable pinctrl calls for PXA3xx + +From: Daniel Mack + +[ Upstream commit 9dabfdd84bdfa25f0df486dd3de43e53e79a1892 ] + +The pxa3xx driver uses the pinctrl-single driver since a while which +does not implement a .gpio_set_direction() callback. The pinmux core +will simply return 0 in this case, and the pxa3xx gpio driver hence +believes the pinctrl driver did its job and returns as well. + +This effectively makes pxa_gpio_direction_{input,output} no-ops. + +To fix this, do not call into the pinctrl subsystem for the PXA3xx +platform for now. We can revert this once the pinctrl-single driver +learned to support setting pin directions. + +Signed-off-by: Daniel Mack +Acked-by: Robert Jarzmik +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-pxa.c | 35 +++++++++++++++++++++++++++-------- + 1 file changed, 27 insertions(+), 8 deletions(-) + +--- a/drivers/gpio/gpio-pxa.c ++++ b/drivers/gpio/gpio-pxa.c +@@ -241,6 +241,17 @@ int pxa_irq_to_gpio(int irq) + return irq_gpio0; + } + ++static bool pxa_gpio_has_pinctrl(void) ++{ ++ switch (gpio_type) { ++ case PXA3XX_GPIO: ++ return false; ++ ++ default: ++ return true; ++ } ++} ++ + static int pxa_gpio_to_irq(struct gpio_chip *chip, unsigned offset) + { + struct pxa_gpio_chip *pchip = chip_to_pxachip(chip); +@@ -255,9 +266,11 @@ static int pxa_gpio_direction_input(stru + unsigned long flags; + int ret; + +- ret = pinctrl_gpio_direction_input(chip->base + offset); +- if (!ret) +- return 0; ++ if (pxa_gpio_has_pinctrl()) { ++ ret = pinctrl_gpio_direction_input(chip->base + offset); ++ if (!ret) ++ return 0; ++ } + + spin_lock_irqsave(&gpio_lock, flags); + +@@ -282,9 +295,11 @@ static int pxa_gpio_direction_output(str + + writel_relaxed(mask, base + (value ? 
GPSR_OFFSET : GPCR_OFFSET)); + +- ret = pinctrl_gpio_direction_output(chip->base + offset); +- if (ret) +- return ret; ++ if (pxa_gpio_has_pinctrl()) { ++ ret = pinctrl_gpio_direction_output(chip->base + offset); ++ if (ret) ++ return ret; ++ } + + spin_lock_irqsave(&gpio_lock, flags); + +@@ -348,8 +363,12 @@ static int pxa_init_gpio_chip(struct pxa + pchip->chip.set = pxa_gpio_set; + pchip->chip.to_irq = pxa_gpio_to_irq; + pchip->chip.ngpio = ngpio; +- pchip->chip.request = gpiochip_generic_request; +- pchip->chip.free = gpiochip_generic_free; ++ ++ if (pxa_gpio_has_pinctrl()) { ++ pchip->chip.request = gpiochip_generic_request; ++ pchip->chip.free = gpiochip_generic_free; ++ } ++ + #ifdef CONFIG_OF_GPIO + pchip->chip.of_node = np; + pchip->chip.of_xlate = pxa_gpio_of_xlate; diff --git a/queue-4.18/gpio-tegra-move-driver-registration-to-subsys_init-level.patch b/queue-4.18/gpio-tegra-move-driver-registration-to-subsys_init-level.patch new file mode 100644 index 00000000000..ba1a7e23ecf --- /dev/null +++ b/queue-4.18/gpio-tegra-move-driver-registration-to-subsys_init-level.patch 
@@ -0,0 +1,37 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Dmitry Osipenko +Date: Thu, 2 Aug 2018 14:11:44 +0300 +Subject: gpio: tegra: Move driver registration to subsys_init level + +From: Dmitry Osipenko + +[ Upstream commit 40b25bce0adbe641a744d1291bc0e51fb7f3c3d8 ] + +There is a bug in regards to deferred probing within the drivers core +that causes GPIO-driver to suspend after its users. The bug appears if +GPIO-driver probe is getting deferred, which happens after introducing +dependency on PINCTRL-driver for the GPIO-driver by defining "gpio-ranges" +property in device-tree. The bug in the drivers core is old (more than 4 +years now) and is well known, unfortunately there is no easy fix for it. +The good news is that we can workaround the deferred probe issue by +changing GPIO / PINCTRL drivers registration order and hence by moving +PINCTRL driver registration to the arch_init level and GPIO to the +subsys_init. + +Signed-off-by: Dmitry Osipenko +Acked-by: Stefan Agner +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-tegra.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-tegra.c ++++ b/drivers/gpio/gpio-tegra.c +@@ -720,4 +720,4 @@ static int __init tegra_gpio_init(void) + { + return platform_driver_register(&tegra_gpio_driver); + } +-postcore_initcall(tegra_gpio_init); ++subsys_initcall(tegra_gpio_init); diff --git a/queue-4.18/gpu-ipu-v3-default-to-id-0-on-missing-of-alias.patch b/queue-4.18/gpu-ipu-v3-default-to-id-0-on-missing-of-alias.patch new file mode 100644 index 00000000000..4d379d59b92 --- /dev/null +++ b/queue-4.18/gpu-ipu-v3-default-to-id-0-on-missing-of-alias.patch 
@@ -0,0 +1,30 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Philipp Zabel +Date: Thu, 21 Jun 2018 21:13:38 +0200 +Subject: gpu: ipu-v3: default to id 0 on missing OF alias + +From: Philipp Zabel + +[ Upstream commit 2d87e6c1b99c402360fdfe19ce4f579ab2f96adf ] + +This is better than storing -ENODEV in the id number. This fixes SoCs +with only one IPU that don't specify an IPU alias in the device tree. + +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/ipu-v3/ipu-common.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/ipu-v3/ipu-common.c ++++ b/drivers/gpu/ipu-v3/ipu-common.c +@@ -1401,6 +1401,8 @@ static int ipu_probe(struct platform_dev + return -ENODEV; + + ipu->id = of_alias_get_id(np, "ipu"); ++ if (ipu->id < 0) ++ ipu->id = 0; + + if (of_device_is_compatible(np, "fsl,imx6qp-ipu") && + IS_ENABLED(CONFIG_DRM)) { diff --git a/queue-4.18/i2c-aspeed-add-an-explicit-type-casting-for-get_clk_reg_val.patch b/queue-4.18/i2c-aspeed-add-an-explicit-type-casting-for-get_clk_reg_val.patch new file mode 100644 index 00000000000..cb85c40ed36 --- /dev/null +++ b/queue-4.18/i2c-aspeed-add-an-explicit-type-casting-for-get_clk_reg_val.patch 
@@ -0,0 +1,35 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Jae Hyun Yoo +Date: Tue, 24 Jul 2018 13:36:15 -0700 +Subject: i2c: aspeed: Add an explicit type casting for *get_clk_reg_val + +From: Jae Hyun Yoo + +[ Upstream commit 5799c4b2f1dbc0166d9b1d94443deaafc6e7a070 ] + +This commit fixes this sparse warning: +drivers/i2c/busses/i2c-aspeed.c:875:38: warning: incorrect type in assignment (different modifiers) +drivers/i2c/busses/i2c-aspeed.c:875:38: expected unsigned int ( *get_clk_reg_val )( ... ) +drivers/i2c/busses/i2c-aspeed.c:875:38: got void const *const data + +Reported-by: Wolfram Sang +Signed-off-by: Jae Hyun Yoo +Reviewed-by: Brendan Higgins +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-aspeed.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-aspeed.c ++++ b/drivers/i2c/busses/i2c-aspeed.c +@@ -868,7 +868,7 @@ static int aspeed_i2c_probe_bus(struct p + if (!match) + bus->get_clk_reg_val = aspeed_i2c_24xx_get_clk_reg_val; + else +- bus->get_clk_reg_val = match->data; ++ bus->get_clk_reg_val = (u32 (*)(u32))match->data; + + /* Initialize the I2C adapter */ + spin_lock_init(&bus->lock); diff --git a/queue-4.18/ib-ipoib-set-ah-valid-flag-in-multicast-send-flow.patch b/queue-4.18/ib-ipoib-set-ah-valid-flag-in-multicast-send-flow.patch new file mode 100644 index 00000000000..accd9ea0ebc --- /dev/null +++ b/queue-4.18/ib-ipoib-set-ah-valid-flag-in-multicast-send-flow.patch 
@@ -0,0 +1,47 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Denis Drozdov +Date: Sun, 29 Jul 2018 11:42:28 +0300 +Subject: IB/IPoIB: Set ah valid flag in multicast send flow + +From: Denis Drozdov + +[ Upstream commit 75da96067ade4e7854379ec2f7834f3497652b1a ] + +The change of ipoib_ah data structure with adding "valid" flag and +checks of ah->valid in ipoib_start_xmit affected multicast packet flow. + +Since the multicast flow doesn't invoke path_rec_start, "ah->valid" flag +remains unset, so that ipoib_start_xmit end up with neigh_refresh_path +instead of sending the packet using neigh. + +"ah->valid" has to be set in multicast send flow. As a result IPoIB +starts sending packets via neigh immediately and eliminates 60sec delay +of neigh keep alive interval. + +The typical example of this issue are two sequential arpings: + +arping 11.134.208.9 -> got response (mcast_send) +arping 11.134.208.9 -> no response (ah->valid = 0) + +Fixes: fa9391dbad4b ("RDMA/ipoib: Update paths on CLIENT_REREG/SM_CHANGE events") +Signed-off-by: Denis Drozdov +Reviewed-by: Erez Shitrit +Reviewed-by: Feras Daoud +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/ipoib/ipoib_multicast.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c +@@ -822,6 +822,7 @@ void ipoib_mcast_send(struct net_device + if (neigh && list_empty(&neigh->list)) { + kref_get(&mcast->ah->ref); + neigh->ah = mcast->ah; ++ neigh->ah->valid = 1; + list_add_tail(&neigh->list, &mcast->neigh_list); + } + } diff --git a/queue-4.18/input-atmel_mxt_ts-only-use-first-t9-instance.patch b/queue-4.18/input-atmel_mxt_ts-only-use-first-t9-instance.patch new file mode 100644 index 00000000000..f31770d8073 --- /dev/null +++ b/queue-4.18/input-atmel_mxt_ts-only-use-first-t9-instance.patch 
@@ -0,0 +1,49 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Nick Dyer +Date: Fri, 27 Jul 2018 11:44:20 -0700 +Subject: Input: atmel_mxt_ts - only use first T9 instance + +From: Nick Dyer + +[ Upstream commit 36f5d9ef26e52edff046b4b097855db89bf0cd4a ] + +The driver only registers one input device, which uses the screen +parameters from the first T9 instance. The first T63 instance also uses +those parameters. + +It is incorrect to send input reports from the second instances of these +objects if they are enabled: the input scaling will be wrong and the +positions will be mashed together. + +This also causes problems on Android if the number of slots exceeds 32. + +In the future, this could be handled by looking for enabled touch object +instances and creating an input device for each one. + +Signed-off-by: Nick Dyer +Acked-by: Benson Leung +Acked-by: Yufeng Shen +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/atmel_mxt_ts.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/input/touchscreen/atmel_mxt_ts.c ++++ b/drivers/input/touchscreen/atmel_mxt_ts.c +@@ -1658,10 +1658,11 @@ static int mxt_parse_object_table(struct + break; + case MXT_TOUCH_MULTI_T9: + data->multitouch = MXT_TOUCH_MULTI_T9; ++ /* Only handle messages from first T9 instance */ + data->T9_reportid_min = min_id; +- data->T9_reportid_max = max_id; +- data->num_touchids = object->num_report_ids +- * mxt_obj_instances(object); ++ data->T9_reportid_max = min_id + ++ object->num_report_ids - 1; ++ data->num_touchids = object->num_report_ids; + break; + case MXT_SPT_MESSAGECOUNT_T44: + data->T44_address = object->start_address; diff --git a/queue-4.18/iommu-arm-smmu-v3-abort-all-transactions-if-smmu-is-enabled-in-kdump-kernel.patch b/queue-4.18/iommu-arm-smmu-v3-abort-all-transactions-if-smmu-is-enabled-in-kdump-kernel.patch new file mode 100644 index 00000000000..c2c1062a204 --- /dev/null 
+++ b/queue-4.18/iommu-arm-smmu-v3-abort-all-transactions-if-smmu-is-enabled-in-kdump-kernel.patch 
@@ -0,0 +1,81 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Will Deacon +Date: Wed, 25 Jul 2018 15:58:43 +0100 +Subject: iommu/arm-smmu-v3: Abort all transactions if SMMU is enabled in kdump kernel + +From: Will Deacon + +[ Upstream commit b63b3439b85609338e4faabd5d2588dbda137e5c ] + +If we find that the SMMU is enabled during probe, we reset it by +re-initialising its registers and either enabling translation or placing +it into bypass based on the disable_bypass commandline option. + +In the case of a kdump kernel, the SMMU won't have been shutdown cleanly +by the previous kernel and there may be concurrent DMA through the SMMU. +Rather than reset the SMMU to bypass, which would likely lead to rampant +data corruption, we can instead configure the SMMU to abort all incoming +transactions when we find that it is enabled from within a kdump kernel. + +Reported-by: Sameer Goel +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/arm-smmu-v3.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +--- a/drivers/iommu/arm-smmu-v3.c ++++ b/drivers/iommu/arm-smmu-v3.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -2211,8 +2212,12 @@ static int arm_smmu_update_gbpa(struct a + reg &= ~clr; + reg |= set; + writel_relaxed(reg | GBPA_UPDATE, gbpa); +- return readl_relaxed_poll_timeout(gbpa, reg, !(reg & GBPA_UPDATE), +- 1, ARM_SMMU_POLL_TIMEOUT_US); ++ ret = readl_relaxed_poll_timeout(gbpa, reg, !(reg & GBPA_UPDATE), ++ 1, ARM_SMMU_POLL_TIMEOUT_US); ++ ++ if (ret) ++ dev_err(smmu->dev, "GBPA not responding to update\n"); ++ return ret; + } + + static void arm_smmu_free_msis(void *data) +@@ -2392,8 +2397,15 @@ static int arm_smmu_device_reset(struct + + /* Clear CR0 and sync (disables SMMU and queue processing) */ + reg = readl_relaxed(smmu->base + ARM_SMMU_CR0); +- if (reg & CR0_SMMUEN) ++ if (reg & CR0_SMMUEN) { ++ if 
(is_kdump_kernel()) { ++ arm_smmu_update_gbpa(smmu, GBPA_ABORT, 0); ++ arm_smmu_device_disable(smmu); ++ return -EBUSY; ++ } ++ + dev_warn(smmu->dev, "SMMU currently enabled! Resetting...\n"); ++ } + + ret = arm_smmu_device_disable(smmu); + if (ret) +@@ -2491,10 +2503,8 @@ static int arm_smmu_device_reset(struct + enables |= CR0_SMMUEN; + } else { + ret = arm_smmu_update_gbpa(smmu, 0, GBPA_ABORT); +- if (ret) { +- dev_err(smmu->dev, "GBPA not responding to update\n"); ++ if (ret) + return ret; +- } + } + ret = arm_smmu_write_reg_sync(smmu, enables, ARM_SMMU_CR0, + ARM_SMMU_CR0ACK); diff --git a/queue-4.18/iommu-ipmmu-vmsa-fix-allocation-in-atomic-context.patch b/queue-4.18/iommu-ipmmu-vmsa-fix-allocation-in-atomic-context.patch new file mode 100644 index 00000000000..d89dc5c29aa --- /dev/null +++ b/queue-4.18/iommu-ipmmu-vmsa-fix-allocation-in-atomic-context.patch 
@@ -0,0 +1,87 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Geert Uytterhoeven +Date: Fri, 20 Jul 2018 18:16:59 +0200 +Subject: iommu/ipmmu-vmsa: Fix allocation in atomic context + +From: Geert Uytterhoeven + +[ Upstream commit 46583e8c48c5a094ba28060615b3a7c8c576690f ] + +When attaching a device to an IOMMU group with +CONFIG_DEBUG_ATOMIC_SLEEP=y: + + BUG: sleeping function called from invalid context at mm/slab.h:421 + in_atomic(): 1, irqs_disabled(): 128, pid: 61, name: kworker/1:1 + ... + Call trace: + ... + arm_lpae_alloc_pgtable+0x114/0x184 + arm_64_lpae_alloc_pgtable_s1+0x2c/0x128 + arm_32_lpae_alloc_pgtable_s1+0x40/0x6c + alloc_io_pgtable_ops+0x60/0x88 + ipmmu_attach_device+0x140/0x334 + +ipmmu_attach_device() takes a spinlock, while arm_lpae_alloc_pgtable() +allocates memory using GFP_KERNEL. Originally, the ipmmu-vmsa driver +had its own custom page table allocation implementation using +GFP_ATOMIC, hence the spinlock was fine. + +Fix this by replacing the spinlock by a mutex, like the arm-smmu driver +does. 
+ +Fixes: f20ed39f53145e45 ("iommu/ipmmu-vmsa: Use the ARM LPAE page table allocator") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Laurent Pinchart +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/ipmmu-vmsa.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/iommu/ipmmu-vmsa.c ++++ b/drivers/iommu/ipmmu-vmsa.c +@@ -73,7 +73,7 @@ struct ipmmu_vmsa_domain { + struct io_pgtable_ops *iop; + + unsigned int context_id; +- spinlock_t lock; /* Protects mappings */ ++ struct mutex mutex; /* Protects mappings */ + }; + + static struct ipmmu_vmsa_domain *to_vmsa_domain(struct iommu_domain *dom) +@@ -595,7 +595,7 @@ static struct iommu_domain *__ipmmu_doma + if (!domain) + return NULL; + +- spin_lock_init(&domain->lock); ++ mutex_init(&domain->mutex); + + return &domain->io_domain; + } +@@ -641,7 +641,6 @@ static int ipmmu_attach_device(struct io + struct iommu_fwspec *fwspec = dev->iommu_fwspec; + struct ipmmu_vmsa_device *mmu = to_ipmmu(dev); + struct ipmmu_vmsa_domain *domain = to_vmsa_domain(io_domain); +- unsigned long flags; + unsigned int i; + int ret = 0; + +@@ -650,7 +649,7 @@ static int ipmmu_attach_device(struct io + return -ENXIO; + } + +- spin_lock_irqsave(&domain->lock, flags); ++ mutex_lock(&domain->mutex); + + if (!domain->mmu) { + /* The domain hasn't been used yet, initialize it. */ +@@ -674,7 +673,7 @@ static int ipmmu_attach_device(struct io + } else + dev_info(dev, "Reusing IPMMU context %u\n", domain->context_id); + +- spin_unlock_irqrestore(&domain->lock, flags); ++ mutex_unlock(&domain->mutex); + + if (ret < 0) + return ret; diff --git a/queue-4.18/iwlwifi-pcie-don-t-access-periphery-registers-when-not-available.patch b/queue-4.18/iwlwifi-pcie-don-t-access-periphery-registers-when-not-available.patch new file mode 100644 index 00000000000..21f5e949b26 --- /dev/null +++ b/queue-4.18/iwlwifi-pcie-don-t-access-periphery-registers-when-not-available.patch 
@@ -0,0 +1,91 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Emmanuel Grumbach +Date: Tue, 13 Mar 2018 14:12:40 +0200 +Subject: iwlwifi: pcie: don't access periphery registers when not available + +From: Emmanuel Grumbach + +[ Upstream commit f98ad635c097c29339b7a7d6947173000485893d ] + +The periphery can't be accessed before we set the +INIT_DONE bit which initializes the device. + +A previous patch added a reconfiguration of the MSI-X +tables upon resume, but at that point in the flow, +INIT_DONE wasn't set. Since the reconfiguration of the +MSI-X tables require periphery access, it failed. + +The difference between WoWLAN and without WoWLAN is that +in WoWLAN, iwl_trans_pcie_d3_suspend clears the INIT_DONE +without clearing the STATUS_DEVICE_ENABLED bit in the +software status. Because of that, the resume code thinks +that the device is enabled, but the INIT_DONE bit has been +cleared. + +To fix this, don't reconfigure the MSI-X tables in case +WoWLAN is enabled. It will be done in +iwl_trans_pcie_d3_resume anyway. 
+ +Fixes: 52848a79b9d2 ("iwlwifi: pcie: reconfigure MSI-X HW on resume") +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 4 ++++ + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 24 ++++++++++++------------ + 2 files changed, 16 insertions(+), 12 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -1003,6 +1003,10 @@ static int iwl_pci_resume(struct device + if (!trans->op_mode) + return 0; + ++ /* In WOWLAN, let iwl_trans_pcie_d3_resume do the rest of the work */ ++ if (test_bit(STATUS_DEVICE_ENABLED, &trans->status)) ++ return 0; ++ + /* reconfigure the MSI-X mapping to get the correct IRQ for rfkill */ + iwl_pcie_conf_msix_hw(trans_pcie); + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +@@ -1539,18 +1539,6 @@ static int iwl_trans_pcie_d3_resume(stru + + iwl_pcie_enable_rx_wake(trans, true); + +- /* +- * Reconfigure IVAR table in case of MSIX or reset ict table in +- * MSI mode since HW reset erased it. +- * Also enables interrupts - none will happen as +- * the device doesn't know we're waking it up, only when +- * the opmode actually tells it after this call. +- */ +- iwl_pcie_conf_msix_hw(trans_pcie); +- if (!trans_pcie->msix_enabled) +- iwl_pcie_reset_ict(trans); +- iwl_enable_interrupts(trans); +- + iwl_set_bit(trans, CSR_GP_CNTRL, + BIT(trans->cfg->csr->flag_mac_access_req)); + iwl_set_bit(trans, CSR_GP_CNTRL, +@@ -1568,6 +1556,18 @@ static int iwl_trans_pcie_d3_resume(stru + return ret; + } + ++ /* ++ * Reconfigure IVAR table in case of MSIX or reset ict table in ++ * MSI mode since HW reset erased it. ++ * Also enables interrupts - none will happen as ++ * the device doesn't know we're waking it up, only when ++ * the opmode actually tells it after this call. 
++ */ ++ iwl_pcie_conf_msix_hw(trans_pcie); ++ if (!trans_pcie->msix_enabled) ++ iwl_pcie_reset_ict(trans); ++ iwl_enable_interrupts(trans); ++ + iwl_pcie_set_pwr(trans, false); + + if (!reset) { diff --git a/queue-4.18/macintosh-via-pmu-add-missing-mmio-accessors.patch b/queue-4.18/macintosh-via-pmu-add-missing-mmio-accessors.patch new file mode 100644 index 00000000000..bf61fb981bb --- /dev/null +++ b/queue-4.18/macintosh-via-pmu-add-missing-mmio-accessors.patch 
@@ -0,0 +1,52 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Finn Thain +Date: Mon, 2 Jul 2018 04:21:18 -0400 +Subject: macintosh/via-pmu: Add missing mmio accessors + +From: Finn Thain + +[ Upstream commit 576d5290d678a651b9f36050fc1717e0573aca13 ] + +Add missing in_8() accessors to init_pmu() and pmu_sr_intr(). + +This fixes several sparse warnings: +drivers/macintosh/via-pmu.c:536:29: warning: dereference of noderef expression +drivers/macintosh/via-pmu.c:537:33: warning: dereference of noderef expression +drivers/macintosh/via-pmu.c:1455:17: warning: dereference of noderef expression +drivers/macintosh/via-pmu.c:1456:69: warning: dereference of noderef expression + +Tested-by: Stan Johnson +Signed-off-by: Finn Thain +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/macintosh/via-pmu.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/macintosh/via-pmu.c ++++ b/drivers/macintosh/via-pmu.c +@@ -534,8 +534,9 @@ init_pmu(void) + int timeout; + struct adb_request req; + +- out_8(&via[B], via[B] | TREQ); /* negate TREQ */ +- out_8(&via[DIRB], (via[DIRB] | TREQ) & ~TACK); /* TACK in, TREQ out */ ++ /* Negate TREQ. Set TACK to input and TREQ to output. */ ++ out_8(&via[B], in_8(&via[B]) | TREQ); ++ out_8(&via[DIRB], (in_8(&via[DIRB]) | TREQ) & ~TACK); + + pmu_request(&req, NULL, 2, PMU_SET_INTR_MASK, pmu_intr_mask); + timeout = 100000; +@@ -1418,8 +1419,8 @@ pmu_sr_intr(void) + struct adb_request *req; + int bite = 0; + +- if (via[B] & TREQ) { +- printk(KERN_ERR "PMU: spurious SR intr (%x)\n", via[B]); ++ if (in_8(&via[B]) & TREQ) { ++ printk(KERN_ERR "PMU: spurious SR intr (%x)\n", in_8(&via[B])); + out_8(&via[IFR], SR_INT); + return NULL; + } 
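Review bot: in the pmu_sr_intr() change, `in_8(&via[B])` is evaluated once for the TREQ test and a second time as the printk argument, so the value logged by "PMU: spurious SR intr (%x)" comes from a separate register read and is not guaranteed to be the value that triggered the branch. Read the register once into a local variable and use that for both the test and the message. The init_pmu() part is a straight conversion of the two read-modify-write sequences to in_8()/out_8() and the merged comment still covers both lines.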
diff --git a/queue-4.18/md-raid5-fix-data-corruption-of-replacements-after-originals-dropped.patch b/queue-4.18/md-raid5-fix-data-corruption-of-replacements-after-originals-dropped.patch new file mode 100644 index 00000000000..2335bd75e3b --- /dev/null +++ b/queue-4.18/md-raid5-fix-data-corruption-of-replacements-after-originals-dropped.patch 
@@ -0,0 +1,76 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: BingJing Chang +Date: Wed, 1 Aug 2018 17:08:36 +0800 +Subject: md/raid5: fix data corruption of replacements after originals dropped + +From: BingJing Chang + +[ Upstream commit d63e2fc804c46e50eee825c5d3a7228e07048b47 ] + +During raid5 replacement, the stripes can be marked with R5_NeedReplace +flag. Data can be read from being-replaced devices and written to +replacing spares without reading all other devices. (It's 'replace' +mode. s.replacing = 1) If a being-replaced device is dropped, the +replacement progress will be interrupted and resumed with pure recovery +mode. However, existing stripes before being interrupted cannot read +from the dropped device anymore. It prints lots of WARN_ON messages. +And it results in data corruption because existing stripes write +problematic data into its replacement device and update the progress. + +\# Erase disks (1MB + 2GB) +dd if=/dev/zero of=/dev/sda bs=1MB count=2049 +dd if=/dev/zero of=/dev/sdb bs=1MB count=2049 +dd if=/dev/zero of=/dev/sdc bs=1MB count=2049 +dd if=/dev/zero of=/dev/sdd bs=1MB count=2049 +mdadm -C /dev/md0 -amd -R -l5 -n3 -x0 /dev/sd[abc] -z 2097152 +\# Ensure array stores non-zero data +dd if=/root/data_4GB.iso of=/dev/md0 bs=1MB +\# Start replacement +mdadm /dev/md0 -a /dev/sdd +mdadm /dev/md0 --replace /dev/sda + +Then, Hot-plug out /dev/sda during recovery, and wait for recovery done. +echo check > /sys/block/md0/md/sync_action +cat /sys/block/md0/md/mismatch_cnt # it will be greater than 0. + +Soon after you hot-plug out /dev/sda, you will see many WARN_ON +messages. The replacement recovery will be interrupted shortly. After +the recovery finishes, it will result in data corruption. + +Actually, it's just an unhandled case of replacement. 
In commit + (md/raid5: fix interaction of 'replace' and 'recovery'.), +if a NeedReplace device is not UPTODATE then that is an error, the +commit just simply print WARN_ON but also mark these corrupted stripes +with R5_WantReplace. (it means it's ready for writes.) + +To fix this case, we can leverage 'sync and replace' mode mentioned in +commit <9a3e1101b827> (md/raid5: detect and handle replacements during +recovery.). We can add logics to detect and use 'sync and replace' mode +for these stripes. + +Reported-by: Alex Chen +Reviewed-by: Alex Wu +Reviewed-by: Chung-Chiang Cheng +Signed-off-by: BingJing Chang +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid5.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -4521,6 +4521,12 @@ static void analyse_stripe(struct stripe + s->failed++; + if (rdev && !test_bit(Faulty, &rdev->flags)) + do_recovery = 1; ++ else if (!rdev) { ++ rdev = rcu_dereference( ++ conf->disks[i].replacement); ++ if (rdev && !test_bit(Faulty, &rdev->flags)) ++ do_recovery = 1; ++ } + } + + if (test_bit(R5_InJournal, &dev->flags)) diff --git a/queue-4.18/media-camss-csid-configure-data-type-and-decode-format-properly.patch b/queue-4.18/media-camss-csid-configure-data-type-and-decode-format-properly.patch new file mode 100644 index 00000000000..4b8dfbdf223 --- /dev/null +++ b/queue-4.18/media-camss-csid-configure-data-type-and-decode-format-properly.patch 
@@ -0,0 +1,74 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Todor Tomov +Date: Wed, 25 Jul 2018 12:38:20 -0400 +Subject: media: camss: csid: Configure data type and decode format properly + +From: Todor Tomov + +[ Upstream commit c628e78899ff8006b5f9d8206da54ed3bb994342 ] + +The CSID decodes the input data stream. When the input comes from +the Test Generator the format of the stream is set on the source +media pad. When the input comes from the CSIPHY the format is the +one on the sink media pad. Use the proper format for each case. + +Signed-off-by: Todor Tomov +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/camss-8x16/camss-csid.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- a/drivers/media/platform/qcom/camss-8x16/camss-csid.c ++++ b/drivers/media/platform/qcom/camss-8x16/camss-csid.c +@@ -392,9 +392,6 @@ static int csid_set_stream(struct v4l2_s + !media_entity_remote_pad(&csid->pads[MSM_CSID_PAD_SINK])) + return -ENOLINK; + +- dt = csid_get_fmt_entry(csid->fmt[MSM_CSID_PAD_SRC].code)-> +- data_type; +- + if (tg->enabled) { + /* Config Test Generator */ + struct v4l2_mbus_framefmt *f = +@@ -416,6 +413,9 @@ static int csid_set_stream(struct v4l2_s + writel_relaxed(val, csid->base + + CAMSS_CSID_TG_DT_n_CGG_0(0)); + ++ dt = csid_get_fmt_entry( ++ csid->fmt[MSM_CSID_PAD_SRC].code)->data_type; ++ + /* 5:0 data type */ + val = dt; + writel_relaxed(val, csid->base + +@@ -425,6 +425,9 @@ static int csid_set_stream(struct v4l2_s + val = tg->payload_mode; + writel_relaxed(val, csid->base + + CAMSS_CSID_TG_DT_n_CGG_2(0)); ++ ++ df = csid_get_fmt_entry( ++ csid->fmt[MSM_CSID_PAD_SRC].code)->decode_format; + } else { + struct csid_phy_config *phy = &csid->phy; + +@@ -439,13 +442,16 @@ static int csid_set_stream(struct v4l2_s + + writel_relaxed(val, + csid->base + CAMSS_CSID_CORE_CTRL_1); ++ ++ dt = 
csid_get_fmt_entry( ++ csid->fmt[MSM_CSID_PAD_SINK].code)->data_type; ++ df = csid_get_fmt_entry( ++ csid->fmt[MSM_CSID_PAD_SINK].code)->decode_format; + } + + /* Config LUT */ + + dt_shift = (cid % 4) * 8; +- df = csid_get_fmt_entry(csid->fmt[MSM_CSID_PAD_SINK].code)-> +- decode_format; + + val = readl_relaxed(csid->base + CAMSS_CSID_CID_LUT_VC_n(vc)); + val &= ~(0xff << dt_shift); diff --git a/queue-4.18/media-davinci-vpif_display-mix-memory-leak-on-probe-error-path.patch b/queue-4.18/media-davinci-vpif_display-mix-memory-leak-on-probe-error-path.patch new file mode 100644 index 00000000000..9b663cb3d42 --- /dev/null +++ b/queue-4.18/media-davinci-vpif_display-mix-memory-leak-on-probe-error-path.patch 
@@ -0,0 +1,94 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Anton Vasilyev +Date: Fri, 27 Jul 2018 07:52:20 -0400 +Subject: media: davinci: vpif_display: Mix memory leak on probe error path + +From: Anton Vasilyev + +[ Upstream commit 61e641f36ed81ae473177c085f0bfd83ad3b55ed ] + +If vpif_probe() fails on v4l2_device_register() then memory allocated +at initialize_vpif() for global vpif_obj.dev[i] become unreleased. + +The patch adds deallocation of vpif_obj.dev[i] on the error path and +removes duplicated check on platform_data presence. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/davinci/vpif_display.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +--- a/drivers/media/platform/davinci/vpif_display.c ++++ b/drivers/media/platform/davinci/vpif_display.c +@@ -1114,6 +1114,14 @@ vpif_init_free_channel_objects: + return err; + } + ++static void free_vpif_objs(void) ++{ ++ int i; ++ ++ for (i = 0; i < VPIF_DISPLAY_MAX_DEVICES; i++) ++ kfree(vpif_obj.dev[i]); ++} ++ + static int vpif_async_bound(struct v4l2_async_notifier *notifier, + struct v4l2_subdev *subdev, + struct v4l2_async_subdev *asd) +@@ -1255,11 +1263,6 @@ static __init int vpif_probe(struct plat + return -EINVAL; + } + +- if (!pdev->dev.platform_data) { +- dev_warn(&pdev->dev, "Missing platform data. 
Giving up.\n"); +- return -EINVAL; +- } +- + vpif_dev = &pdev->dev; + err = initialize_vpif(); + +@@ -1271,7 +1274,7 @@ static __init int vpif_probe(struct plat + err = v4l2_device_register(vpif_dev, &vpif_obj.v4l2_dev); + if (err) { + v4l2_err(vpif_dev->driver, "Error registering v4l2 device\n"); +- return err; ++ goto vpif_free; + } + + while ((res = platform_get_resource(pdev, IORESOURCE_IRQ, res_idx))) { +@@ -1314,7 +1317,10 @@ static __init int vpif_probe(struct plat + if (vpif_obj.sd[i]) + vpif_obj.sd[i]->grp_id = 1 << i; + } +- vpif_probe_complete(); ++ err = vpif_probe_complete(); ++ if (err) { ++ goto probe_subdev_out; ++ } + } else { + vpif_obj.notifier.subdevs = vpif_obj.config->asd; + vpif_obj.notifier.num_subdevs = vpif_obj.config->asd_sizes[0]; +@@ -1334,6 +1340,8 @@ probe_subdev_out: + kfree(vpif_obj.sd); + vpif_unregister: + v4l2_device_unregister(&vpif_obj.v4l2_dev); ++vpif_free: ++ free_vpif_objs(); + + return err; + } +@@ -1355,8 +1363,8 @@ static int vpif_remove(struct platform_d + ch = vpif_obj.dev[i]; + /* Unregister video device */ + video_unregister_device(&ch->video_dev); +- kfree(vpif_obj.dev[i]); + } ++ free_vpif_objs(); + + return 0; + } diff --git a/queue-4.18/media-dw2102-fix-memleak-on-sequence-of-probes.patch b/queue-4.18/media-dw2102-fix-memleak-on-sequence-of-probes.patch new file mode 100644 index 00000000000..23ddefab3c4 --- /dev/null +++ b/queue-4.18/media-dw2102-fix-memleak-on-sequence-of-probes.patch 
@@ -0,0 +1,90 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Anton Vasilyev +Date: Mon, 23 Jul 2018 13:04:54 -0400 +Subject: media: dw2102: Fix memleak on sequence of probes + +From: Anton Vasilyev + +[ Upstream commit 299c7007e93645067e1d2743f4e50156de78c4ff ] + +Each call to dw2102_probe() allocates memory by kmemdup for structures +p1100, s660, p7500 and s421, but there is no their deallocation. +dvb_usb_device_init() copies the corresponding structure into +dvb_usb_device->props, so there is no use of original structure after +dvb_usb_device_init(). + +The patch moves structures from global scope to local and adds their +deallocation. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/dvb-usb/dw2102.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/drivers/media/usb/dvb-usb/dw2102.c ++++ b/drivers/media/usb/dvb-usb/dw2102.c +@@ -2101,14 +2101,12 @@ static struct dvb_usb_device_properties + } + }; + +-static struct dvb_usb_device_properties *p1100; + static const struct dvb_usb_device_description d1100 = { + "Prof 1100 USB ", + {&dw2102_table[PROF_1100], NULL}, + {NULL}, + }; + +-static struct dvb_usb_device_properties *s660; + static const struct dvb_usb_device_description d660 = { + "TeVii S660 USB", + {&dw2102_table[TEVII_S660], NULL}, +@@ -2127,14 +2125,12 @@ static const struct dvb_usb_device_descr + {NULL}, + }; + +-static struct dvb_usb_device_properties *p7500; + static const struct dvb_usb_device_description d7500 = { + "Prof 7500 USB DVB-S2", + {&dw2102_table[PROF_7500], NULL}, + {NULL}, + }; + +-static struct dvb_usb_device_properties *s421; + static const struct dvb_usb_device_description d421 = { + "TeVii S421 PCI", + {&dw2102_table[TEVII_S421], NULL}, +@@ -2334,6 +2330,11 @@ static int dw2102_probe(struct usb_inter + const struct 
usb_device_id *id) + { + int retval = -ENOMEM; ++ struct dvb_usb_device_properties *p1100; ++ struct dvb_usb_device_properties *s660; ++ struct dvb_usb_device_properties *p7500; ++ struct dvb_usb_device_properties *s421; ++ + p1100 = kmemdup(&s6x0_properties, + sizeof(struct dvb_usb_device_properties), GFP_KERNEL); + if (!p1100) +@@ -2402,8 +2403,16 @@ static int dw2102_probe(struct usb_inter + 0 == dvb_usb_device_init(intf, &t220_properties, + THIS_MODULE, NULL, adapter_nr) || + 0 == dvb_usb_device_init(intf, &tt_s2_4600_properties, +- THIS_MODULE, NULL, adapter_nr)) ++ THIS_MODULE, NULL, adapter_nr)) { ++ ++ /* clean up copied properties */ ++ kfree(s421); ++ kfree(p7500); ++ kfree(s660); ++ kfree(p1100); ++ + return 0; ++ } + + retval = -ENODEV; + kfree(s421); diff --git a/queue-4.18/media-em28xx-explicitly-disable-ts-packet-filter.patch b/queue-4.18/media-em28xx-explicitly-disable-ts-packet-filter.patch new file mode 100644 index 00000000000..2eadfe05f36 --- /dev/null +++ b/queue-4.18/media-em28xx-explicitly-disable-ts-packet-filter.patch 
@@ -0,0 +1,50 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Robert Schlabbach +Date: Sat, 16 Jun 2018 15:04:22 -0400 +Subject: media: em28xx: explicitly disable TS packet filter + +From: Robert Schlabbach + +[ Upstream commit 157eb9a0b75e97ad390c6e50c7381b0a0e02fe97 ] + +The em28xx driver never touched the EM2874 register bits that control +the transport stream packet filters, leaving them at whatever default +the firmware has set. E.g. the Pinnacle 290e disables them by default, +while the Hauppauge WinTV dualHD enables discarding NULL packets by +default. + +However, some applications require NULL packets, e.g. to determine the +load in DOCSIS segments, so discarding NULL packets is undesired for +such applications. + +This patch simply extends the bit mask when starting or stopping the +transport stream packet capture, so that the filter bits are cleared. +It has been verified that this makes the Hauppauge WinTV dualHD pass +an unfiltered DVB-C stream including NULL packets, which it didn't +before. + +Signed-off-by: Robert Schlabbach +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/em28xx/em28xx-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/usb/em28xx/em28xx-core.c ++++ b/drivers/media/usb/em28xx/em28xx-core.c +@@ -655,12 +655,12 @@ int em28xx_capture_start(struct em28xx * + rc = em28xx_write_reg_bits(dev, + EM2874_R5F_TS_ENABLE, + start ? EM2874_TS1_CAPTURE_ENABLE : 0x00, +- EM2874_TS1_CAPTURE_ENABLE); ++ EM2874_TS1_CAPTURE_ENABLE | EM2874_TS1_FILTER_ENABLE | EM2874_TS1_NULL_DISCARD); + else + rc = em28xx_write_reg_bits(dev, + EM2874_R5F_TS_ENABLE, + start ? EM2874_TS2_CAPTURE_ENABLE : 0x00, +- EM2874_TS2_CAPTURE_ENABLE); ++ EM2874_TS2_CAPTURE_ENABLE | EM2874_TS2_FILTER_ENABLE | EM2874_TS2_NULL_DISCARD); + } else { + /* FIXME: which is the best order? */ + /* video registers are sampled by VREF */ 
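Review bot: in em28xx_capture_start(), the new `EM2874_TSn_FILTER_ENABLE | EM2874_TSn_NULL_DISCARD` bits appear only in the mask argument of em28xx_write_reg_bits() and never in the value, so they are cleared on both start and stop, but nothing in the code says that this is deliberate. A short comment above the two calls (filter bits are forced off so NULL packets reach userspace, overriding the firmware default) would stop a later cleanup from trimming the mask back to `EM2874_TSn_CAPTURE_ENABLE`. The two widened mask lines are also much longer than the surrounding ones; breaking them after a `|` would keep the call readable. The commit message reports verification on the Hauppauge WinTV dualHD only, while the change applies to every device that takes this path, including ones whose firmware default was already "filters off".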
diff --git a/queue-4.18/media-em28xx-fix-dual-transport-stream-operation.patch b/queue-4.18/media-em28xx-fix-dual-transport-stream-operation.patch new file mode 100644 index 00000000000..d000517bc3e --- /dev/null +++ b/queue-4.18/media-em28xx-fix-dual-transport-stream-operation.patch 
@@ -0,0 +1,49 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Brad Love +Date: Thu, 28 Jun 2018 13:29:09 -0400 +Subject: media: em28xx: Fix dual transport stream operation + +From: Brad Love + +[ Upstream commit a7853c257a3ea0907467a1750ff45de4d9ba1915 ] + +Addresses the following, which introduced a regression itself: + +Commit 509f89652f83 ("media: em28xx: fix a regression with HVR-950") + +The regression fix breaks dual transport stream support. Currently, +when a tuner starts streaming it sets alt mode on the USB interface. +The problem is, in a dual tuner model, both tuners share the same +USB interface, so when the second tuner becomes active and sets alt +mode on the interface it kills streaming on the other port. + +This patch addresses the regression by only setting alt mode +on the USB interface during em28xx_start_streaming, if the +device is not a dual tuner model. This allows all older and +single tuner devices to explicitly set alt mode during stream +startup. Testers report both isoc and bulk DualHD models work +correctly with the alt mode set only once, in em28xx_dvb_init. + +Fixes: 509f89652f83 ("media: em28xx: fix a regression with HVR-950") +Signed-off-by: Brad Love +Signed-off-by: Michael Ira Krufky +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/em28xx/em28xx-dvb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/media/usb/em28xx/em28xx-dvb.c ++++ b/drivers/media/usb/em28xx/em28xx-dvb.c +@@ -218,7 +218,9 @@ static int em28xx_start_streaming(struct + dvb_alt = dev->dvb_alt_isoc; + } + +- usb_set_interface(udev, dev->ifnum, dvb_alt); ++ if (!dev->board.has_dual_ts) ++ usb_set_interface(udev, dev->ifnum, dvb_alt); ++ + rc = em28xx_set_mode(dev, EM28XX_DIGITAL_MODE); + if (rc < 0) + return rc; 
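Review bot: the new `if (!dev->board.has_dual_ts)` guard in em28xx_start_streaming() has no comment, and the reason it is safe (per the commit message, dual-TS boards share one USB interface and get their alt setting once in em28xx_dvb_init) is not visible in this function. Add a one-line comment at the guard, since `dvb_alt` is still computed just above and now goes unused on dual-TS boards, which looks like a bug to anyone reading the code without the changelog. While this line is being touched, the return value of usb_set_interface() is still discarded; assigning it to `rc` and returning on failure, as the following em28xx_set_mode() call already does, would avoid starting a stream on an interface that did not switch.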
diff --git a/queue-4.18/media-em28xx-fix-dualhd-disconnect-oops.patch b/queue-4.18/media-em28xx-fix-dualhd-disconnect-oops.patch new file mode 100644 index 00000000000..ba4bf490879 --- /dev/null +++ b/queue-4.18/media-em28xx-fix-dualhd-disconnect-oops.patch 
@@ -0,0 +1,93 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Brad Love +Date: Wed, 27 Jun 2018 11:32:01 -0400 +Subject: media: em28xx: Fix DualHD disconnect oops + +From: Brad Love + +[ Upstream commit 20cdcaf903298d54b834daedf65a2ddef70cae0a ] + +During the duplication of em28xx state for the second tuner pair +a pointer to alt_max_pkt_size_isoc is copied. During tear down +the second tuner is destroyed first and kfrees alt_max_pkt_size_isoc, +then the first tuner is destroyed and kfrees it again. The property +should only be kfree'd if the tuner is PRIMARY_TS. + +[ 354.888560] ------------[ cut here ]------------ +[ 354.888562] kernel BUG at mm/slub.c:296! +[ 354.888574] invalid opcode: 0000 [#1] SMP NOPTI +[ 354.888869] CPU: 1 PID: 19 Comm: kworker/1:0 Not tainted 4.18.0-rc1+ #20 +[ 354.889140] Hardware name: MSI MS-7A39/B350M GAMING PRO (MS-7A39), BIOS 2.G0 04/27/2018 +[ 354.889408] Workqueue: usb_hub_wq hub_event +[ 354.889679] RIP: 0010:__slab_free+0x217/0x370 +[ 354.889942] Code: bb c0 e8 07 41 38 c7 72 39 48 83 c4 70 5b 41 5a 41 5c 41 5d 41 5e 41 5f 5d 49 8d 62 f8 c3 f3 90 49 8b 04 24 a8 01 75 f6 eb 82 <0f> 0b 44 89 45 80 48 89 4d 88 e8 aa fa ff ff 85 c0 74 cc e9 b7 fe +[ 354.890598] RSP: 0018:ffffb84c41a4fad0 EFLAGS: 00010246 +[ 354.890934] RAX: ffff948646e85150 RBX: ffff948646e85150 RCX: ffff948646e85150 +[ 354.891280] RDX: 00000000820001d9 RSI: fffffa8fd01ba140 RDI: ffff94865e807c00 +[ 354.891649] RBP: ffffb84c41a4fb70 R08: 0000000000000001 R09: ffffffffc059ce21 +[ 354.892025] R10: ffff948646e85150 R11: 0000000000000001 R12: fffffa8fd01ba140 +[ 354.892403] R13: ffff948646e85150 R14: ffff94865e807c00 R15: ffff94864c92e0a0 +[ 354.892780] FS: 0000000000000000(0000) GS:ffff94865ec40000(0000) knlGS:0000000000000000 +[ 354.893150] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 354.893530] CR2: 00007f4e476da950 CR3: 000000040112c000 CR4: 00000000003406e0 +[ 354.893917] Call Trace: +[ 354.894315] ? __dev_printk+0x3c/0x80 +[ 354.894695] ? 
_dev_info+0x64/0x80 +[ 354.895082] ? em28xx_free_device+0x41/0x50 [em28xx] +[ 354.895464] kfree+0x17a/0x190 +[ 354.895852] ? kfree+0x17a/0x190 +[ 354.896310] em28xx_free_device+0x41/0x50 [em28xx] +[ 354.896698] em28xx_usb_disconnect+0xfa/0x110 [em28xx] +[ 354.897083] usb_unbind_interface+0x7a/0x270 +[ 354.897475] device_release_driver_internal+0x17c/0x250 +[ 354.897864] device_release_driver+0x12/0x20 +[ 354.898252] bus_remove_device+0xec/0x160 +[ 354.898639] device_del+0x13d/0x320 +[ 354.899018] ? usb_remove_ep_devs+0x1f/0x30 +[ 354.899392] usb_disable_device+0x9e/0x270 +[ 354.899772] usb_disconnect+0x92/0x2a0 +[ 354.900149] hub_event+0x98e/0x1650 +[ 354.900519] ? sched_clock_cpu+0x11/0xa0 +[ 354.900890] process_one_work+0x167/0x3f0 +[ 354.901251] worker_thread+0x4d/0x460 +[ 354.901610] kthread+0x105/0x140 +[ 354.901964] ? rescuer_thread+0x360/0x360 +[ 354.902318] ? kthread_associate_blkcg+0xa0/0xa0 +[ 354.902672] ret_from_fork+0x22/0x40 +[ 354.903024] Modules linked in: rc_hauppauge em28xx_rc rc_core si2157 lgdt3306a i2c_mux em28xx_dvb dvb_core videobuf2_vmalloc videobuf2_memops videobuf2_common snd_hda_codec_hdmi nls_iso8859_1 edac_mce_amd kvm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi aesni_intel snd_seq_midi_event aes_x86_64 snd_rawmidi crypto_simd em28xx cryptd glue_helper asix tveeprom usbnet snd_seq v4l2_common mii videodev snd_seq_device media input_leds snd_timer joydev ccp k10temp wmi_bmof snd soundcore mac_hid sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables vfio_pci vfio_virqfd irqbypass vfio_iommu_type1 vfio nouveau mxm_wmi video i2c_algo_bit ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops i2c_piix4 drm ahci libahci +[ 354.905129] wmi gpio_amdpt gpio_generic hid_generic usbhid hid +[ 354.908140] ---[ end trace c230d02716298c34 ]--- +[ 354.908145] RIP: 0010:__slab_free+0x217/0x370 +[ 354.908147] Code: bb c0 e8 07 41 38 c7 72 39 48 83 c4 70 5b 
41 5a 41 5c 41 5d 41 5e 41 5f 5d 49 8d 62 f8 c3 f3 90 49 8b 04 24 a8 01 75 f6 eb 82 <0f> 0b 44 89 45 80 48 89 4d 88 e8 aa fa ff ff 85 c0 74 cc e9 b7 fe +[ 354.908183] RSP: 0018:ffffb84c41a4fad0 EFLAGS: 00010246 +[ 354.908186] RAX: ffff948646e85150 RBX: ffff948646e85150 RCX: ffff948646e85150 +[ 354.908189] RDX: 00000000820001d9 RSI: fffffa8fd01ba140 RDI: ffff94865e807c00 +[ 354.908191] RBP: ffffb84c41a4fb70 R08: 0000000000000001 R09: ffffffffc059ce21 +[ 354.908193] R10: ffff948646e85150 R11: 0000000000000001 R12: fffffa8fd01ba140 +[ 354.908195] R13: ffff948646e85150 R14: ffff94865e807c00 R15: ffff94864c92e0a0 +[ 354.908198] FS: 0000000000000000(0000) GS:ffff94865ec40000(0000) knlGS:0000000000000000 +[ 354.908201] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 354.908203] CR2: 00007f4e476da950 CR3: 000000016b20a000 CR4: 00000000003406e0 + +Signed-off-by: Brad Love +Signed-off-by: Michael Ira Krufky +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/em28xx/em28xx-cards.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/media/usb/em28xx/em28xx-cards.c ++++ b/drivers/media/usb/em28xx/em28xx-cards.c +@@ -3376,7 +3376,9 @@ void em28xx_free_device(struct kref *ref + if (!dev->disconnected) + em28xx_release_resources(dev); + +- kfree(dev->alt_max_pkt_size_isoc); ++ if (dev->ts == PRIMARY_TS) ++ kfree(dev->alt_max_pkt_size_isoc); ++ + kfree(dev); + } + EXPORT_SYMBOL_GPL(em28xx_free_device); diff --git a/queue-4.18/media-helene-fix-xtal-frequency-setting-at-power-on.patch b/queue-4.18/media-helene-fix-xtal-frequency-setting-at-power-on.patch new file mode 100644 index 00000000000..dc6ebce302a --- /dev/null +++ b/queue-4.18/media-helene-fix-xtal-frequency-setting-at-power-on.patch 
@@ -0,0 +1,34 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Katsuhiro Suzuki +Date: Mon, 28 May 2018 21:09:20 -0400 +Subject: media: helene: fix xtal frequency setting at power on + +From: Katsuhiro Suzuki + +[ Upstream commit a00e5f074b3f3cd39d1ccdc53d4d805b014df3f3 ] + +This patch fixes crystal frequency setting when power on this device. + +Signed-off-by: Katsuhiro Suzuki +Acked-by: Abylay Ospan +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-frontends/helene.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/media/dvb-frontends/helene.c ++++ b/drivers/media/dvb-frontends/helene.c +@@ -897,7 +897,10 @@ static int helene_x_pon(struct helene_pr + helene_write_regs(priv, 0x99, cdata, sizeof(cdata)); + + /* 0x81 - 0x94 */ +- data[0] = 0x18; /* xtal 24 MHz */ ++ if (priv->xtal == SONY_HELENE_XTAL_16000) ++ data[0] = 0x10; /* xtal 16 MHz */ ++ else ++ data[0] = 0x18; /* xtal 24 MHz */ + data[1] = (uint8_t)(0x80 | (0x04 & 0x1F)); /* 4 x 25 = 100uA */ + data[2] = (uint8_t)(0x80 | (0x26 & 0x7F)); /* 38 x 0.25 = 9.5pF */ + data[3] = 0x80; /* REFOUT signal output 500mVpp */ diff --git a/queue-4.18/media-rcar-csi2-update-stream-start-for-v3m.patch b/queue-4.18/media-rcar-csi2-update-stream-start-for-v3m.patch new file mode 100644 index 00000000000..40f99bcd6fd --- /dev/null +++ b/queue-4.18/media-rcar-csi2-update-stream-start-for-v3m.patch 
@@ -0,0 +1,80 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: "Niklas Söderlund" +Date: Thu, 26 Jul 2018 18:36:57 -0400 +Subject: media: rcar-csi2: update stream start for V3M + +From: "Niklas Söderlund" + +[ Upstream commit 4070fc9ade52f7d0ad1397fe74f564ae95e68a4f ] + +Latest errata document updates the start procedure for V3M. This change +in addition to adhering to the datasheet update fixes capture on early +revisions of V3M. + +Signed-off-by: Niklas Söderlund +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/rcar-vin/rcar-csi2.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/drivers/media/platform/rcar-vin/rcar-csi2.c ++++ b/drivers/media/platform/rcar-vin/rcar-csi2.c +@@ -339,6 +339,7 @@ enum rcar_csi2_pads { + + struct rcar_csi2_info { + int (*init_phtw)(struct rcar_csi2 *priv, unsigned int mbps); ++ int (*confirm_start)(struct rcar_csi2 *priv); + const struct rcsi2_mbps_reg *hsfreqrange; + unsigned int csi0clkfreqrange; + bool clear_ulps; +@@ -545,6 +546,13 @@ static int rcsi2_start(struct rcar_csi2 + if (ret) + return ret; + ++ /* Confirm start */ ++ if (priv->info->confirm_start) { ++ ret = priv->info->confirm_start(priv); ++ if (ret) ++ return ret; ++ } ++ + /* Clear Ultra Low Power interrupt. 
*/ + if (priv->info->clear_ulps) + rcsi2_write(priv, INTSTATE_REG, +@@ -881,6 +889,11 @@ static int rcsi2_init_phtw_h3_v3h_m3n(st + + static int rcsi2_init_phtw_v3m_e3(struct rcar_csi2 *priv, unsigned int mbps) + { ++ return rcsi2_phtw_write_mbps(priv, mbps, phtw_mbps_v3m_e3, 0x44); ++} ++ ++static int rcsi2_confirm_start_v3m_e3(struct rcar_csi2 *priv) ++{ + static const struct phtw_value step1[] = { + { .data = 0xed, .code = 0x34 }, + { .data = 0xed, .code = 0x44 }, +@@ -890,12 +903,6 @@ static int rcsi2_init_phtw_v3m_e3(struct + { /* sentinel */ }, + }; + +- int ret; +- +- ret = rcsi2_phtw_write_mbps(priv, mbps, phtw_mbps_v3m_e3, 0x44); +- if (ret) +- return ret; +- + return rcsi2_phtw_write_array(priv, step1); + } + +@@ -949,6 +956,7 @@ static const struct rcar_csi2_info rcar_ + + static const struct rcar_csi2_info rcar_csi2_info_r8a77970 = { + .init_phtw = rcsi2_init_phtw_v3m_e3, ++ .confirm_start = rcsi2_confirm_start_v3m_e3, + }; + + static const struct of_device_id rcar_csi2_of_table[] = { diff --git a/queue-4.18/media-s5p-mfc-fix-buffer-look-up-in-s5p_mfc_handle_frame_-new-copy_time-functions.patch b/queue-4.18/media-s5p-mfc-fix-buffer-look-up-in-s5p_mfc_handle_frame_-new-copy_time-functions.patch new file mode 100644 index 00000000000..1802cbf2b07 --- /dev/null +++ b/queue-4.18/media-s5p-mfc-fix-buffer-look-up-in-s5p_mfc_handle_frame_-new-copy_time-functions.patch 
@@ -0,0 +1,98 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Sylwester Nawrocki +Date: Tue, 5 Jun 2018 09:33:59 -0400 +Subject: media: s5p-mfc: Fix buffer look up in s5p_mfc_handle_frame_{new, copy_time} functions + +From: Sylwester Nawrocki + +[ Upstream commit 4faeaf9c0f4581667ce5826f9c90c4fd463ef086 ] + +Look up of buffers in s5p_mfc_handle_frame_new, s5p_mfc_handle_frame_copy_time +functions is not working properly for DMA addresses above 2 GiB. As a result +flags and timestamp of returned buffers are not set correctly and it breaks +operation of GStreamer/OMX plugins which rely on the CAPTURE buffer queue +flags. + +Due to improper return type of the get_dec_y_adr, get_dspl_y_adr callbacks +and sign bit extension these callbacks return incorrect address values, +e.g. 0xfffffffffefc0000 instead of 0x00000000fefc0000. Then the statement: + +"if (vb2_dma_contig_plane_dma_addr(&dst_buf->b->vb2_buf, 0) == dec_y_addr)" + +is always false, which breaks looking up capture queue buffers. + +To ensure proper matching by address u32 type is used for the DMA +addresses. This should work on all related SoCs, since the MFC DMA +address width is not larger than 32-bit. + +Changes done in this patch are minimal as there is a larger patch series +pending refactoring the whole driver. 
+ +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/s5p-mfc/s5p_mfc.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c +@@ -254,24 +254,24 @@ static void s5p_mfc_handle_frame_all_ext + static void s5p_mfc_handle_frame_copy_time(struct s5p_mfc_ctx *ctx) + { + struct s5p_mfc_dev *dev = ctx->dev; +- struct s5p_mfc_buf *dst_buf, *src_buf; +- size_t dec_y_addr; ++ struct s5p_mfc_buf *dst_buf, *src_buf; ++ u32 dec_y_addr; + unsigned int frame_type; + + /* Make sure we actually have a new frame before continuing. */ + frame_type = s5p_mfc_hw_call(dev->mfc_ops, get_dec_frame_type, dev); + if (frame_type == S5P_FIMV_DECODE_FRAME_SKIPPED) + return; +- dec_y_addr = s5p_mfc_hw_call(dev->mfc_ops, get_dec_y_adr, dev); ++ dec_y_addr = (u32)s5p_mfc_hw_call(dev->mfc_ops, get_dec_y_adr, dev); + + /* Copy timestamp / timecode from decoded src to dst and set + appropriate flags. 
*/ + src_buf = list_entry(ctx->src_queue.next, struct s5p_mfc_buf, list); + list_for_each_entry(dst_buf, &ctx->dst_queue, list) { +- if (vb2_dma_contig_plane_dma_addr(&dst_buf->b->vb2_buf, 0) +- == dec_y_addr) { +- dst_buf->b->timecode = +- src_buf->b->timecode; ++ u32 addr = (u32)vb2_dma_contig_plane_dma_addr(&dst_buf->b->vb2_buf, 0); ++ ++ if (addr == dec_y_addr) { ++ dst_buf->b->timecode = src_buf->b->timecode; + dst_buf->b->vb2_buf.timestamp = + src_buf->b->vb2_buf.timestamp; + dst_buf->b->flags &= +@@ -307,10 +307,10 @@ static void s5p_mfc_handle_frame_new(str + { + struct s5p_mfc_dev *dev = ctx->dev; + struct s5p_mfc_buf *dst_buf; +- size_t dspl_y_addr; ++ u32 dspl_y_addr; + unsigned int frame_type; + +- dspl_y_addr = s5p_mfc_hw_call(dev->mfc_ops, get_dspl_y_adr, dev); ++ dspl_y_addr = (u32)s5p_mfc_hw_call(dev->mfc_ops, get_dspl_y_adr, dev); + if (IS_MFCV6_PLUS(dev)) + frame_type = s5p_mfc_hw_call(dev->mfc_ops, + get_disp_frame_type, ctx); +@@ -329,9 +329,10 @@ static void s5p_mfc_handle_frame_new(str + /* The MFC returns address of the buffer, now we have to + * check which videobuf does it correspond to */ + list_for_each_entry(dst_buf, &ctx->dst_queue, list) { ++ u32 addr = (u32)vb2_dma_contig_plane_dma_addr(&dst_buf->b->vb2_buf, 0); ++ + /* Check if this is the buffer we're looking for */ +- if (vb2_dma_contig_plane_dma_addr(&dst_buf->b->vb2_buf, 0) +- == dspl_y_addr) { ++ if (addr == dspl_y_addr) { + list_del(&dst_buf->list); + ctx->dst_queue_cnt--; + dst_buf->b->sequence = ctx->sequence; diff --git a/queue-4.18/mfd-rave-sp-initialize-flow-control-and-parity-of-the-port.patch b/queue-4.18/mfd-rave-sp-initialize-flow-control-and-parity-of-the-port.patch new file mode 100644 index 00000000000..99b15bfe00d --- /dev/null +++ b/queue-4.18/mfd-rave-sp-initialize-flow-control-and-parity-of-the-port.patch 
@@ -0,0 +1,39 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Andrey Smirnov +Date: Fri, 6 Jul 2018 19:41:05 -0700 +Subject: mfd: rave-sp: Initialize flow control and parity of the port + +From: Andrey Smirnov + +[ Upstream commit 6c450bdf13ebe110821a74960936cec936edae49 ] + +Relying on serial port defaults for flow control and parity can result +in complete breakdown of communication with RAVE SP on some platforms +where defaults are not what we need them to be. One such case is +VF610-base ZII SPU3 board (not supported upstream). To avoid this +problem in the future, add code to explicitly configure both. + +Signed-off-by: Andrey Smirnov +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mfd/rave-sp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/mfd/rave-sp.c ++++ b/drivers/mfd/rave-sp.c +@@ -776,6 +776,13 @@ static int rave_sp_probe(struct serdev_d + return ret; + + serdev_device_set_baudrate(serdev, baud); ++ serdev_device_set_flow_control(serdev, false); ++ ++ ret = serdev_device_set_parity(serdev, SERDEV_PARITY_NONE); ++ if (ret) { ++ dev_err(dev, "Failed to set parity\n"); ++ return ret; ++ } + + ret = rave_sp_get_status(sp); + if (ret) { diff --git a/queue-4.18/mfd-ti_am335x_tscadc-fix-struct-clk-memory-leak.patch b/queue-4.18/mfd-ti_am335x_tscadc-fix-struct-clk-memory-leak.patch new file mode 100644 index 00000000000..9439f8d1ca1 --- /dev/null +++ b/queue-4.18/mfd-ti_am335x_tscadc-fix-struct-clk-memory-leak.patch 
@@ -0,0 +1,61 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Zumeng Chen +Date: Wed, 4 Jul 2018 12:35:29 +0800 +Subject: mfd: ti_am335x_tscadc: Fix struct clk memory leak + +From: Zumeng Chen + +[ Upstream commit c2b1509c77a99a0dcea0a9051ca743cb88385f50 ] + +Use devm_elk_get() to let Linux manage struct clk memory to avoid the following +memory leakage report: + +unreferenced object 0xdd75efc0 (size 64): + comm "systemd-udevd", pid 186, jiffies 4294945126 (age 1195.750s) + hex dump (first 32 bytes): + 61 64 63 5f 74 73 63 5f 66 63 6b 00 00 00 00 00 adc_tsc_fck..... + 00 00 00 00 92 03 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kmemleak_alloc+0x40/0x74 + [] __kmalloc_track_caller+0x198/0x388 + [] kstrdup+0x40/0x5c + [] kstrdup_const+0x30/0x3c + [] __clk_create_clk+0x60/0xac + [] clk_get_sys+0x74/0x144 + [] clk_get+0x5c/0x68 + [] ti_tscadc_probe+0x260/0x468 [ti_am335x_tscadc] + [] platform_drv_probe+0x60/0xac + [] driver_probe_device+0x214/0x2dc + [] __driver_attach+0x94/0xc0 + [] bus_for_each_dev+0x90/0xa0 + [] driver_attach+0x28/0x30 + [] bus_add_driver+0x184/0x1ec + [] driver_register+0xb0/0xf0 + [] __platform_driver_register+0x40/0x54 + +Signed-off-by: Zumeng Chen +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mfd/ti_am335x_tscadc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/mfd/ti_am335x_tscadc.c ++++ b/drivers/mfd/ti_am335x_tscadc.c +@@ -209,14 +209,13 @@ static int ti_tscadc_probe(struct platfo + * The TSC_ADC_SS controller design assumes the OCP clock is + * at least 6x faster than the ADC clock. 
+ */ +- clk = clk_get(&pdev->dev, "adc_tsc_fck"); ++ clk = devm_clk_get(&pdev->dev, "adc_tsc_fck"); + if (IS_ERR(clk)) { + dev_err(&pdev->dev, "failed to get TSC fck\n"); + err = PTR_ERR(clk); + goto err_disable_clk; + } + clock_rate = clk_get_rate(clk); +- clk_put(clk); + tscadc->clk_div = clock_rate / ADC_CLK; + + /* TSCADC_CLKDIV needs to be configured to the value minus 1 */ diff --git a/queue-4.18/mips-fix-isa-virt-bus-conversion-for-non-zero-phys_offset.patch b/queue-4.18/mips-fix-isa-virt-bus-conversion-for-non-zero-phys_offset.patch new file mode 100644 index 00000000000..895a2108107 --- /dev/null +++ b/queue-4.18/mips-fix-isa-virt-bus-conversion-for-non-zero-phys_offset.patch 
@@ -0,0 +1,50 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Paul Burton +Date: Fri, 27 Jul 2018 18:23:19 -0700 +Subject: MIPS: Fix ISA virt/bus conversion for non-zero PHYS_OFFSET + +From: Paul Burton + +[ Upstream commit 0494d7ffdcebc6935410ea0719b24ab626675351 ] + +isa_virt_to_bus() & isa_bus_to_virt() claim to treat ISA bus addresses +as being identical to physical addresses, but they fail to do so in the +presence of a non-zero PHYS_OFFSET. + +Correct this by having them use virt_to_phys() & phys_to_virt(), which +consolidates the calculations to one place & ensures that ISA bus +addresses do indeed match physical addresses. + +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/20047/ +Cc: James Hogan +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: Vladimir Kondratiev +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/io.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/mips/include/asm/io.h ++++ b/arch/mips/include/asm/io.h +@@ -141,14 +141,14 @@ static inline void * phys_to_virt(unsign + /* + * ISA I/O bus memory addresses are 1:1 with the physical address. + */ +-static inline unsigned long isa_virt_to_bus(volatile void * address) ++static inline unsigned long isa_virt_to_bus(volatile void *address) + { +- return (unsigned long)address - PAGE_OFFSET; ++ return virt_to_phys(address); + } + +-static inline void * isa_bus_to_virt(unsigned long address) ++static inline void *isa_bus_to_virt(unsigned long address) + { +- return (void *)(address + PAGE_OFFSET); ++ return phys_to_virt(address); + } + + #define isa_page_to_bus page_to_phys diff --git a/queue-4.18/mips-generic-fix-missing-of_node_put.patch b/queue-4.18/mips-generic-fix-missing-of_node_put.patch new file mode 100644 index 00000000000..b4d26d37014 --- /dev/null +++ b/queue-4.18/mips-generic-fix-missing-of_node_put.patch 
@@ -0,0 +1,38 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Nicholas Mc Guire +Date: Wed, 11 Jul 2018 20:32:45 +0200 +Subject: MIPS: generic: fix missing of_node_put() + +From: Nicholas Mc Guire + +[ Upstream commit 28ec2238f37e72a3a40a7eb46893e7651bcc40a6 ] + +of_find_compatible_node() returns a device_node pointer with refcount +incremented and must be decremented explicitly. + As this code is using the result only to check presence of the interrupt +controller (!NULL) but not actually using the result otherwise the +refcount can be decremented here immediately again. + +Signed-off-by: Nicholas Mc Guire +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/19820/ +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/generic/init.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/mips/generic/init.c ++++ b/arch/mips/generic/init.c +@@ -204,6 +204,7 @@ void __init arch_init_irq(void) + "mti,cpu-interrupt-controller"); + if (!cpu_has_veic && !intc_node) + mips_cpu_irq_init(); ++ of_node_put(intc_node); + + irqchip_init(); + } diff --git a/queue-4.18/mips-mscc-ocelot-fix-length-of-memory-address-space-for-miim.patch b/queue-4.18/mips-mscc-ocelot-fix-length-of-memory-address-space-for-miim.patch new file mode 100644 index 00000000000..ad043c7a96f --- /dev/null +++ b/queue-4.18/mips-mscc-ocelot-fix-length-of-memory-address-space-for-miim.patch 
@@ -0,0 +1,44 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Quentin Schulz +Date: Wed, 25 Jul 2018 14:21:32 +0200 +Subject: MIPS: mscc: ocelot: fix length of memory address space for MIIM + +From: Quentin Schulz + +[ Upstream commit 49e5bb13adc11fe6e2e40f65c04f3a461aea1fec ] + +The length of memory address space for MIIM0 is from 0x7107009c to +0x710700bf included which is 36 bytes long in decimal, or 0x24 bytes in +hexadecimal and not 0x36. + +Fixes: 49b031690abe ("MIPS: mscc: Add switch to ocelot") + +Signed-off-by: Quentin Schulz +Acked-by: Alexandre Belloni +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/20013/ +Cc: robh+dt@kernel.org +Cc: mark.rutland@arm.com +Cc: ralf@linux-mips.org +Cc: jhogan@kernel.org +Cc: linux-mips@linux-mips.org +Cc: devicetree@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: thomas.petazzoni@bootlin.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/boot/dts/mscc/ocelot.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/boot/dts/mscc/ocelot.dtsi ++++ b/arch/mips/boot/dts/mscc/ocelot.dtsi +@@ -184,7 +184,7 @@ + #address-cells = <1>; + #size-cells = <0>; + compatible = "mscc,ocelot-miim"; +- reg = <0x107009c 0x36>, <0x10700f0 0x8>; ++ reg = <0x107009c 0x24>, <0x10700f0 0x8>; + interrupts = <14>; + status = "disabled"; + diff --git a/queue-4.18/mips-octeon-add-missing-of_node_put.patch b/queue-4.18/mips-octeon-add-missing-of_node_put.patch new file mode 100644 index 00000000000..03d7257a471 --- /dev/null +++ b/queue-4.18/mips-octeon-add-missing-of_node_put.patch 
@@ -0,0 +1,44 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Nicholas Mc Guire +Date: Sat, 16 Jun 2018 09:06:33 +0200 +Subject: MIPS: Octeon: add missing of_node_put() + +From: Nicholas Mc Guire + +[ Upstream commit b1259519e618d479ede8a0db5474b3aff99f5056 ] + +The call to of_find_node_by_name returns a node pointer with refcount +incremented thus it must be explicitly decremented here after the last +usage. + +Signed-off-by: Nicholas Mc Guire +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/19558/ +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/cavium-octeon/octeon-platform.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/mips/cavium-octeon/octeon-platform.c ++++ b/arch/mips/cavium-octeon/octeon-platform.c +@@ -322,6 +322,7 @@ static int __init octeon_ehci_device_ini + return 0; + + pd = of_find_device_by_node(ehci_node); ++ of_node_put(ehci_node); + if (!pd) + return 0; + +@@ -384,6 +385,7 @@ static int __init octeon_ohci_device_ini + return 0; + + pd = of_find_device_by_node(ohci_node); ++ of_node_put(ohci_node); + if (!pd) + return 0; + diff --git a/queue-4.18/mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch b/queue-4.18/mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch new file mode 100644 index 00000000000..2f8239442d7 --- /dev/null +++ b/queue-4.18/mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch 
@@ -0,0 +1,46 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Paul Burton +Date: Fri, 25 Nov 2016 18:46:09 +0000 +Subject: MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON + +From: Paul Burton + +[ Upstream commit d4da0e97baea8768b3d66ccef3967bebd50dfc3b ] + +If a driver causes DMA cache maintenance with a zero length then we +currently BUG and kill the kernel. As this is a scenario that we may +well be able to recover from, WARN & return in the condition instead. + +Signed-off-by: Paul Burton +Acked-by: Florian Fainelli +Patchwork: https://patchwork.linux-mips.org/patch/14623/ +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/mm/c-r4k.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/mips/mm/c-r4k.c ++++ b/arch/mips/mm/c-r4k.c +@@ -835,7 +835,8 @@ static void r4k_flush_icache_user_range( + static void r4k_dma_cache_wback_inv(unsigned long addr, unsigned long size) + { + /* Catch bad driver code */ +- BUG_ON(size == 0); ++ if (WARN_ON(size == 0)) ++ return; + + preempt_disable(); + if (cpu_has_inclusive_pcaches) { +@@ -871,7 +872,8 @@ static void r4k_dma_cache_wback_inv(unsi + static void r4k_dma_cache_inv(unsigned long addr, unsigned long size) + { + /* Catch bad driver code */ +- BUG_ON(size == 0); ++ if (WARN_ON(size == 0)) ++ return; + + preempt_disable(); + if (cpu_has_inclusive_pcaches) { diff --git a/queue-4.18/misc-mic-scif-fix-scif_get_new_port-error-handling.patch b/queue-4.18/misc-mic-scif-fix-scif_get_new_port-error-handling.patch new file mode 100644 index 00000000000..9d8d39cb3ca --- /dev/null +++ b/queue-4.18/misc-mic-scif-fix-scif_get_new_port-error-handling.patch 
@@ -0,0 +1,59 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Dan Carpenter +Date: Thu, 2 Aug 2018 11:42:22 +0300 +Subject: misc: mic: SCIF Fix scif_get_new_port() error handling + +From: Dan Carpenter + +[ Upstream commit a39284ae9d2ad09975c8ae33f1bd0f05fbfbf6ee ] + +There are only 2 callers of scif_get_new_port() and both appear to get +the error handling wrong. Both treat zero returns as error, but it +actually returns negative error codes and >= 0 on success. + +Fixes: e9089f43c9a7 ("misc: mic: SCIF open close bind and listen APIs") +Signed-off-by: Dan Carpenter +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mic/scif/scif_api.c | 20 +++++++++----------- + 1 file changed, 9 insertions(+), 11 deletions(-) + +--- a/drivers/misc/mic/scif/scif_api.c ++++ b/drivers/misc/mic/scif/scif_api.c +@@ -370,11 +370,10 @@ int scif_bind(scif_epd_t epd, u16 pn) + goto scif_bind_exit; + } + } else { +- pn = scif_get_new_port(); +- if (!pn) { +- ret = -ENOSPC; ++ ret = scif_get_new_port(); ++ if (ret < 0) + goto scif_bind_exit; +- } ++ pn = ret; + } + + ep->state = SCIFEP_BOUND; +@@ -648,13 +647,12 @@ int __scif_connect(scif_epd_t epd, struc + err = -EISCONN; + break; + case SCIFEP_UNBOUND: +- ep->port.port = scif_get_new_port(); +- if (!ep->port.port) { +- err = -ENOSPC; +- } else { +- ep->port.node = scif_info.nodeid; +- ep->conn_async_state = ASYNC_CONN_IDLE; +- } ++ err = scif_get_new_port(); ++ if (err < 0) ++ break; ++ ep->port.port = err; ++ ep->port.node = scif_info.nodeid; ++ ep->conn_async_state = ASYNC_CONN_IDLE; + /* Fall through */ + case SCIFEP_BOUND: + /* diff --git a/queue-4.18/misc-ti-st-fix-memory-leak-in-the-error-path-of-probe.patch b/queue-4.18/misc-ti-st-fix-memory-leak-in-the-error-path-of-probe.patch new file mode 100644 index 00000000000..371694dda04 --- /dev/null +++ b/queue-4.18/misc-ti-st-fix-memory-leak-in-the-error-path-of-probe.patch 
@@ -0,0 +1,41 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Anton Vasilyev +Date: Fri, 27 Jul 2018 18:45:36 +0300 +Subject: misc: ti-st: Fix memory leak in the error path of probe() + +From: Anton Vasilyev + +[ Upstream commit 81ae962d7f180c0092859440c82996cccb254976 ] + +Free resources instead of direct return of the error code if kim_probe +fails. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/ti-st/st_kim.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/misc/ti-st/st_kim.c ++++ b/drivers/misc/ti-st/st_kim.c +@@ -756,14 +756,14 @@ static int kim_probe(struct platform_dev + err = gpio_request(kim_gdata->nshutdown, "kim"); + if (unlikely(err)) { + pr_err(" gpio %d request failed ", kim_gdata->nshutdown); +- return err; ++ goto err_sysfs_group; + } + + /* Configure nShutdown GPIO as output=0 */ + err = gpio_direction_output(kim_gdata->nshutdown, 0); + if (unlikely(err)) { + pr_err(" unable to configure gpio %d", kim_gdata->nshutdown); +- return err; ++ goto err_sysfs_group; + } + /* get reference of pdev for request_firmware + */ diff --git a/queue-4.18/mtd-rawnand-make-subop-helpers-return-unsigned-values.patch b/queue-4.18/mtd-rawnand-make-subop-helpers-return-unsigned-values.patch new file mode 100644 index 00000000000..31fb3972051 --- /dev/null +++ b/queue-4.18/mtd-rawnand-make-subop-helpers-return-unsigned-values.patch 
@@ -0,0 +1,140 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Miquel Raynal +Date: Thu, 19 Jul 2018 00:09:12 +0200 +Subject: mtd: rawnand: make subop helpers return unsigned values + +From: Miquel Raynal + +[ Upstream commit 760c435e0f85ed19e48a90d746ce1de2cd02def7 ] + +A report from Colin Ian King pointed a CoverityScan issue where error +values on these helpers where not checked in the drivers. These +helpers can error out only in case of a software bug in driver code, +not because of a runtime/hardware error. Hence, let's WARN_ON() in this +case and return 0 which is harmless anyway. + +Fixes: 8878b126df76 ("mtd: nand: add ->exec_op() implementation") +Signed-off-by: Miquel Raynal +Reviewed-by: Boris Brezillon +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/nand_base.c | 44 +++++++++++++++++++-------------------- + include/linux/mtd/rawnand.h | 16 +++++++------- + 2 files changed, 30 insertions(+), 30 deletions(-) + +--- a/drivers/mtd/nand/raw/nand_base.c ++++ b/drivers/mtd/nand/raw/nand_base.c +@@ -2668,8 +2668,8 @@ static bool nand_subop_instr_is_valid(co + return subop && instr_idx < subop->ninstrs; + } + +-static int nand_subop_get_start_off(const struct nand_subop *subop, +- unsigned int instr_idx) ++static unsigned int nand_subop_get_start_off(const struct nand_subop *subop, ++ unsigned int instr_idx) + { + if (instr_idx) + return 0; +@@ -2688,12 +2688,12 @@ static int nand_subop_get_start_off(cons + * + * Given an address instruction, returns the offset of the first cycle to issue. 
+ */ +-int nand_subop_get_addr_start_off(const struct nand_subop *subop, +- unsigned int instr_idx) ++unsigned int nand_subop_get_addr_start_off(const struct nand_subop *subop, ++ unsigned int instr_idx) + { +- if (!nand_subop_instr_is_valid(subop, instr_idx) || +- subop->instrs[instr_idx].type != NAND_OP_ADDR_INSTR) +- return -EINVAL; ++ if (WARN_ON(!nand_subop_instr_is_valid(subop, instr_idx) || ++ subop->instrs[instr_idx].type != NAND_OP_ADDR_INSTR)) ++ return 0; + + return nand_subop_get_start_off(subop, instr_idx); + } +@@ -2710,14 +2710,14 @@ EXPORT_SYMBOL_GPL(nand_subop_get_addr_st + * + * Given an address instruction, returns the number of address cycle to issue. + */ +-int nand_subop_get_num_addr_cyc(const struct nand_subop *subop, +- unsigned int instr_idx) ++unsigned int nand_subop_get_num_addr_cyc(const struct nand_subop *subop, ++ unsigned int instr_idx) + { + int start_off, end_off; + +- if (!nand_subop_instr_is_valid(subop, instr_idx) || +- subop->instrs[instr_idx].type != NAND_OP_ADDR_INSTR) +- return -EINVAL; ++ if (WARN_ON(!nand_subop_instr_is_valid(subop, instr_idx) || ++ subop->instrs[instr_idx].type != NAND_OP_ADDR_INSTR)) ++ return 0; + + start_off = nand_subop_get_addr_start_off(subop, instr_idx); + +@@ -2742,12 +2742,12 @@ EXPORT_SYMBOL_GPL(nand_subop_get_num_add + * + * Given a data instruction, returns the offset to start from. 
+ */ +-int nand_subop_get_data_start_off(const struct nand_subop *subop, +- unsigned int instr_idx) ++unsigned int nand_subop_get_data_start_off(const struct nand_subop *subop, ++ unsigned int instr_idx) + { +- if (!nand_subop_instr_is_valid(subop, instr_idx) || +- !nand_instr_is_data(&subop->instrs[instr_idx])) +- return -EINVAL; ++ if (WARN_ON(!nand_subop_instr_is_valid(subop, instr_idx) || ++ !nand_instr_is_data(&subop->instrs[instr_idx]))) ++ return 0; + + return nand_subop_get_start_off(subop, instr_idx); + } +@@ -2764,14 +2764,14 @@ EXPORT_SYMBOL_GPL(nand_subop_get_data_st + * + * Returns the length of the chunk of data to send/receive. + */ +-int nand_subop_get_data_len(const struct nand_subop *subop, +- unsigned int instr_idx) ++unsigned int nand_subop_get_data_len(const struct nand_subop *subop, ++ unsigned int instr_idx) + { + int start_off = 0, end_off; + +- if (!nand_subop_instr_is_valid(subop, instr_idx) || +- !nand_instr_is_data(&subop->instrs[instr_idx])) +- return -EINVAL; ++ if (WARN_ON(!nand_subop_instr_is_valid(subop, instr_idx) || ++ !nand_instr_is_data(&subop->instrs[instr_idx]))) ++ return 0; + + start_off = nand_subop_get_data_start_off(subop, instr_idx); + +--- a/include/linux/mtd/rawnand.h ++++ b/include/linux/mtd/rawnand.h +@@ -986,14 +986,14 @@ struct nand_subop { + unsigned int last_instr_end_off; + }; + +-int nand_subop_get_addr_start_off(const struct nand_subop *subop, +- unsigned int op_id); +-int nand_subop_get_num_addr_cyc(const struct nand_subop *subop, +- unsigned int op_id); +-int nand_subop_get_data_start_off(const struct nand_subop *subop, +- unsigned int op_id); +-int nand_subop_get_data_len(const struct nand_subop *subop, +- unsigned int op_id); ++unsigned int nand_subop_get_addr_start_off(const struct nand_subop *subop, ++ unsigned int op_id); ++unsigned int nand_subop_get_num_addr_cyc(const struct nand_subop *subop, ++ unsigned int op_id); ++unsigned int nand_subop_get_data_start_off(const struct nand_subop *subop, ++ 
unsigned int op_id); ++unsigned int nand_subop_get_data_len(const struct nand_subop *subop, ++ unsigned int op_id); + + /** + * struct nand_op_parser_addr_constraints - Constraints for address instructions diff --git a/queue-4.18/net-dcb-for-wild-card-lookups-use-priority-1-not-0.patch b/queue-4.18/net-dcb-for-wild-card-lookups-use-priority-1-not-0.patch new file mode 100644 index 00000000000..a4b8950c06c --- /dev/null +++ b/queue-4.18/net-dcb-for-wild-card-lookups-use-priority-1-not-0.patch 
@@ -0,0 +1,72 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Petr Machata +Date: Fri, 27 Jul 2018 15:26:55 +0300 +Subject: net: dcb: For wild-card lookups, use priority -1, not 0 + +From: Petr Machata + +[ Upstream commit 08193d1a893c802c4b807e4d522865061f4e9f4f ] + +The function dcb_app_lookup walks the list of specified DCB APP entries, +looking for one that matches a given criteria: ifindex, selector, +protocol ID and optionally also priority. The "don't care" value for +priority is set to 0, because that priority has not been allowed under +CEE regime, which predates the IEEE standardization. + +Under IEEE, 0 is a valid priority number. But because dcb_app_lookup +considers zero a wild card, attempts to add an APP entry with priority 0 +fail when other entries exist for a given ifindex / selector / PID +triplet. + +Fix by changing the wild-card value to -1. + +Signed-off-by: Petr Machata +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/dcb/dcbnl.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/dcb/dcbnl.c ++++ b/net/dcb/dcbnl.c +@@ -1786,7 +1786,7 @@ static struct dcb_app_type *dcb_app_look + if (itr->app.selector == app->selector && + itr->app.protocol == app->protocol && + itr->ifindex == ifindex && +- (!prio || itr->app.priority == prio)) ++ ((prio == -1) || itr->app.priority == prio)) + return itr; + } + +@@ -1821,7 +1821,8 @@ u8 dcb_getapp(struct net_device *dev, st + u8 prio = 0; + + spin_lock_bh(&dcb_lock); +- if ((itr = dcb_app_lookup(app, dev->ifindex, 0))) ++ itr = dcb_app_lookup(app, dev->ifindex, -1); ++ if (itr) + prio = itr->app.priority; + spin_unlock_bh(&dcb_lock); + +@@ -1849,7 +1850,8 @@ int dcb_setapp(struct net_device *dev, s + + spin_lock_bh(&dcb_lock); + /* Search for existing match and replace */ +- if ((itr = dcb_app_lookup(new, dev->ifindex, 0))) { ++ itr = dcb_app_lookup(new, dev->ifindex, -1); ++ if (itr) { + 
if (new->priority) + itr->app.priority = new->priority; + else { +@@ -1882,7 +1884,8 @@ u8 dcb_ieee_getapp_mask(struct net_devic + u8 prio = 0; + + spin_lock_bh(&dcb_lock); +- if ((itr = dcb_app_lookup(app, dev->ifindex, 0))) ++ itr = dcb_app_lookup(app, dev->ifindex, -1); ++ if (itr) + prio |= 1 << itr->app.priority; + spin_unlock_bh(&dcb_lock); + diff --git a/queue-4.18/net-mvneta-fix-mtu-change-on-port-without-link.patch b/queue-4.18/net-mvneta-fix-mtu-change-on-port-without-link.patch new file mode 100644 index 00000000000..9a29c3ba075 --- /dev/null +++ b/queue-4.18/net-mvneta-fix-mtu-change-on-port-without-link.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Yelena Krivosheev +Date: Wed, 18 Jul 2018 18:10:51 +0200 +Subject: net: mvneta: fix mtu change on port without link + +From: Yelena Krivosheev + +[ Upstream commit 8466baf788ec3e18836bd9c91ba0b1a07af25878 ] + +It is incorrect to enable TX/RX queues (call by mvneta_port_up()) for +port without link. Indeed MTU change for interface without link causes TX +queues to stuck. + +Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP +network unit") +Signed-off-by: Yelena Krivosheev +[gregory.clement: adding Fixes tags and rewording commit log] +Signed-off-by: Gregory CLEMENT +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvneta.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -3196,7 +3196,6 @@ static int mvneta_change_mtu(struct net_ + + on_each_cpu(mvneta_percpu_enable, pp, true); + mvneta_start_dev(pp); +- mvneta_port_up(pp); + + netdev_update_features(dev); + diff --git a/queue-4.18/net-phy-fix-the-register-offsets-in-broadcom-iproc-mdio-mux-driver.patch b/queue-4.18/net-phy-fix-the-register-offsets-in-broadcom-iproc-mdio-mux-driver.patch new file mode 100644 index 00000000000..74fa21cf53d 
--- /dev/null +++ b/queue-4.18/net-phy-fix-the-register-offsets-in-broadcom-iproc-mdio-mux-driver.patch 
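Review bot: In the dcb_setapp() hunk of the net/dcb/dcbnl.c patch further up, the replace path still tests `if (new->priority)`, so a request carrying priority 0 takes the else branch instead of being stored, although the commit message says 0 is a valid priority under IEEE. If that function is meant to keep the old meaning of 0, a comment should say so; otherwise the test needs the same treatment as the lookup. The literal -1 now appears at three call sites and inside dcb_app_lookup(), so a named constant for the wild-card would make the intent searchable. The sentinel only works if the prio parameter of dcb_app_lookup() is a signed type, which the truncated hunk header does not show, so that is worth confirming.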
@@ -0,0 +1,79 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Arun Parameswaran +Date: Wed, 1 Aug 2018 17:53:47 -0700 +Subject: net: phy: Fix the register offsets in Broadcom iProc mdio mux driver + +From: Arun Parameswaran + +[ Upstream commit 77fefa93bfebe4df44f154f2aa5938e32630d0bf ] + +Modify the register offsets in the Broadcom iProc mdio mux to start +from the top of the register address space. + +Earlier, the base address pointed to the end of the block's register +space. The base address will now point to the start of the mdio's +address space. The offsets have been fixed to match this. + +Signed-off-by: Arun Parameswaran +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/mdio-mux-bcm-iproc.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +--- a/drivers/net/phy/mdio-mux-bcm-iproc.c ++++ b/drivers/net/phy/mdio-mux-bcm-iproc.c +@@ -22,7 +22,7 @@ + #include + #include + +-#define MDIO_PARAM_OFFSET 0x00 ++#define MDIO_PARAM_OFFSET 0x23c + #define MDIO_PARAM_MIIM_CYCLE 29 + #define MDIO_PARAM_INTERNAL_SEL 25 + #define MDIO_PARAM_BUS_ID 22 +@@ -30,20 +30,22 @@ + #define MDIO_PARAM_PHY_ID 16 + #define MDIO_PARAM_PHY_DATA 0 + +-#define MDIO_READ_OFFSET 0x04 ++#define MDIO_READ_OFFSET 0x240 + #define MDIO_READ_DATA_MASK 0xffff +-#define MDIO_ADDR_OFFSET 0x08 ++#define MDIO_ADDR_OFFSET 0x244 + +-#define MDIO_CTRL_OFFSET 0x0C ++#define MDIO_CTRL_OFFSET 0x248 + #define MDIO_CTRL_WRITE_OP 0x1 + #define MDIO_CTRL_READ_OP 0x2 + +-#define MDIO_STAT_OFFSET 0x10 ++#define MDIO_STAT_OFFSET 0x24c + #define MDIO_STAT_DONE 1 + + #define BUS_MAX_ADDR 32 + #define EXT_BUS_START_ADDR 16 + ++#define MDIO_REG_ADDR_SPACE_SIZE 0x250 ++ + struct iproc_mdiomux_desc { + void *mux_handle; + void __iomem *base; +@@ -169,6 +171,14 @@ static int mdio_mux_iproc_probe(struct p + md->dev = &pdev->dev; + + res = 
platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ if (res->start & 0xfff) { ++ /* For backward compatibility in case the ++ * base address is specified with an offset. ++ */ ++ dev_info(&pdev->dev, "fix base address in dt-blob\n"); ++ res->start &= ~0xfff; ++ res->end = res->start + MDIO_REG_ADDR_SPACE_SIZE - 1; ++ } + md->base = devm_ioremap_resource(&pdev->dev, res); + if (IS_ERR(md->base)) { + dev_err(&pdev->dev, "failed to ioremap register\n"); diff --git a/queue-4.18/nfs-referrals-not-inheriting-proto-setting-from-parent.patch b/queue-4.18/nfs-referrals-not-inheriting-proto-setting-from-parent.patch new file mode 100644 index 00000000000..fb3ee57613b --- /dev/null +++ b/queue-4.18/nfs-referrals-not-inheriting-proto-setting-from-parent.patch 
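Review bot: In the mdio_mux_iproc_probe() hunk of the mdio-mux-bcm-iproc.c patch above, `res->start & 0xfff` dereferences the return value of platform_get_resource() before anything has checked it for NULL; until now res was only handed to devm_ioremap_resource(), which rejects a NULL resource itself. Add an explicit `if (!res)` error return ahead of the new block. The fix-up also rewrites res->start and res->end in place, so the platform device's resource is changed for every later user; working on a local copy would keep the backward-compatibility workaround contained. The 0xfff mask encodes an assumption about the block's alignment that deserves a named constant or a word in the comment.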
@@ -0,0 +1,57 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Calum Mackay +Date: Thu, 5 Jul 2018 17:08:08 +0100 +Subject: nfs: Referrals not inheriting proto setting from parent + +From: Calum Mackay + +[ Upstream commit 23a88ade7131aa259c532ab17685c76de562242b ] + +Commit 530ea4219231 ("nfs: Referrals should use the same proto setting +as their parent") encloses the fix with #ifdef CONFIG_SUNRPC_XPRT_RDMA. + +CONFIG_SUNRPC_XPRT_RDMA is a tristate option, so it should be tested +with #if IS_ENABLED(). + +Fixes: 530ea4219231 ("nfs: Referrals should use the same proto setting as their parent") +Reported-by: Helen Chao +Tested-by: Helen Chao +Reviewed-by: Chuck Lever +Reviewed-by: Bill Baker +Signed-off-by: Calum Mackay +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4client.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -1127,7 +1127,7 @@ struct nfs_server *nfs4_create_referral_ + nfs_server_copy_userdata(server, parent_server); + + /* Get a client representation */ +-#ifdef CONFIG_SUNRPC_XPRT_RDMA ++#if IS_ENABLED(CONFIG_SUNRPC_XPRT_RDMA) + rpc_set_port(data->addr, NFS_RDMA_PORT); + error = nfs4_set_client(server, data->hostname, + data->addr, +@@ -1139,7 +1139,7 @@ struct nfs_server *nfs4_create_referral_ + parent_client->cl_net); + if (!error) + goto init_server; +-#endif /* CONFIG_SUNRPC_XPRT_RDMA */ ++#endif /* IS_ENABLED(CONFIG_SUNRPC_XPRT_RDMA) */ + + rpc_set_port(data->addr, NFS_PORT); + error = nfs4_set_client(server, data->hostname, +@@ -1153,7 +1153,7 @@ struct nfs_server *nfs4_create_referral_ + if (error < 0) + goto error; + +-#ifdef CONFIG_SUNRPC_XPRT_RDMA ++#if IS_ENABLED(CONFIG_SUNRPC_XPRT_RDMA) + init_server: + #endif + error = nfs_init_server_rpcclient(server, parent_server->client->cl_timeout, data->authflavor); 
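Review bot: The third hunk of fs/nfs/nfs4client.c leaves the `#endif` after `init_server:` without a trailing comment, while the second hunk updates its `#endif` comment to IS_ENABLED(CONFIG_SUNRPC_XPRT_RDMA); annotate both the same way so the two guarded regions are easy to pair. Because the `goto init_server` and the label sit in separate #if blocks, the two conditions must always stay identical, and a short comment next to the label saying so would protect against a later edit that changes only one of them.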
diff --git a/queue-4.18/nfsv4.0-fix-client-reference-leak-in-callback.patch b/queue-4.18/nfsv4.0-fix-client-reference-leak-in-callback.patch new file mode 100644 index 00000000000..112757077a9 --- /dev/null +++ b/queue-4.18/nfsv4.0-fix-client-reference-leak-in-callback.patch @@ -0,0 +1,48 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Olga Kornievskaia +Date: Thu, 26 Jul 2018 16:04:47 -0400 +Subject: NFSv4.0 fix client reference leak in callback + +From: Olga Kornievskaia + +[ Upstream commit 32cd3ee511f4e07ca25d71163b50e704808d22f4 ] + +If there is an error during processing of a callback message, it leads +to refrence leak on the client structure and eventually an unclean +superblock. + +Signed-off-by: Olga Kornievskaia +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/callback_xdr.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/fs/nfs/callback_xdr.c ++++ b/fs/nfs/callback_xdr.c +@@ -883,16 +883,21 @@ static __be32 nfs4_callback_compound(str + + if (hdr_arg.minorversion == 0) { + cps.clp = nfs4_find_client_ident(SVC_NET(rqstp), hdr_arg.cb_ident); +- if (!cps.clp || !check_gss_callback_principal(cps.clp, rqstp)) ++ if (!cps.clp || !check_gss_callback_principal(cps.clp, rqstp)) { ++ if (cps.clp) ++ nfs_put_client(cps.clp); + goto out_invalidcred; ++ } + } + + cps.minorversion = hdr_arg.minorversion; + hdr_res.taglen = hdr_arg.taglen; + hdr_res.tag = hdr_arg.tag; +- if (encode_compound_hdr_res(&xdr_out, &hdr_res) != 0) ++ if (encode_compound_hdr_res(&xdr_out, &hdr_res) != 0) { ++ if (cps.clp) ++ nfs_put_client(cps.clp); + return rpc_system_err; +- ++ } + while (status == 0 && nops != hdr_arg.nops) { + status = process_op(nops, rqstp, &xdr_in, + rqstp->rq_argp, &xdr_out, rqstp->rq_resp, 
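Review bot: The encode_compound_hdr_res() error path in nfs4_callback_compound() calls nfs_put_client() under `if (cps.clp)`, which is only correct if cps.clp is NULL whenever hdr_arg.minorversion is not 0; the visible lines do not show cps being initialised, so please confirm that or initialise it explicitly. In the first branch the outer condition already tests `!cps.clp`, so the added inner `if (cps.clp)` re-tests the same pointer. A single unwind label that drops the reference would avoid repeating the put in each early exit and make it harder to miss the next one. The hunk also removes the blank line before the while loop, which looks unintentional.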
diff --git a/queue-4.18/nfsv4.1-fix-a-potential-layoutget-layoutrecall-deadlock.patch b/queue-4.18/nfsv4.1-fix-a-potential-layoutget-layoutrecall-deadlock.patch new file mode 100644 index 00000000000..f6640ad1898 --- /dev/null +++ b/queue-4.18/nfsv4.1-fix-a-potential-layoutget-layoutrecall-deadlock.patch @@ -0,0 +1,36 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Trond Myklebust +Date: Thu, 12 Jul 2018 14:19:03 -0400 +Subject: NFSv4.1: Fix a potential layoutget/layoutrecall deadlock + +From: Trond Myklebust + +[ Upstream commit bd3d16a887b0c19a2a20d35ffed499e3a3637feb ] + +If the client is sending a layoutget, but the server issues a callback +to recall what it thinks may be an outstanding layout, then we may find +an uninitialised layout attached to the inode due to the layoutget. +In that case, it is appropriate to return NFS4ERR_NOMATCHING_LAYOUT +rather than NFS4ERR_DELAY, as the latter can end up deadlocking. + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/callback_proc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/nfs/callback_proc.c ++++ b/fs/nfs/callback_proc.c +@@ -215,9 +215,9 @@ static u32 pnfs_check_callback_stateid(s + { + u32 oldseq, newseq; + +- /* Is the stateid still not initialised? */ ++ /* Is the stateid not initialised? */ + if (!pnfs_layout_is_valid(lo)) +- return NFS4ERR_DELAY; ++ return NFS4ERR_NOMATCHING_LAYOUT; + + /* Mismatched stateid? */ + if (!nfs4_stateid_match_other(&lo->plh_stateid, new)) diff --git a/queue-4.18/partitions-aix-append-null-character-to-print-data-from-disk.patch b/queue-4.18/partitions-aix-append-null-character-to-print-data-from-disk.patch new file mode 100644 index 00000000000..591e4bb7bfe --- /dev/null +++ b/queue-4.18/partitions-aix-append-null-character-to-print-data-from-disk.patch 
@@ -0,0 +1,45 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Mauricio Faria de Oliveira +Date: Wed, 25 Jul 2018 22:46:29 -0300 +Subject: partitions/aix: append null character to print data from disk + +From: Mauricio Faria de Oliveira + +[ Upstream commit d43fdae7bac2def8c4314b5a49822cb7f08a45f1 ] + +Even if properly initialized, the lvname array (i.e., strings) +is read from disk, and might contain corrupt data (e.g., lack +the null terminating character for strings). + +So, make sure the partition name string used in pr_warn() has +the null terminating character. + +Fixes: 6ceea22bbbc8 ("partitions: add aix lvm partition support files") +Suggested-by: Daniel J. Axtens +Signed-off-by: Mauricio Faria de Oliveira +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/partitions/aix.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/block/partitions/aix.c ++++ b/block/partitions/aix.c +@@ -282,10 +282,14 @@ int aix_partition(struct parsed_partitio + next_lp_ix += 1; + } + for (i = 0; i < state->limit; i += 1) +- if (lvip[i].pps_found && !lvip[i].lv_is_contiguous) ++ if (lvip[i].pps_found && !lvip[i].lv_is_contiguous) { ++ char tmp[sizeof(n[i].name) + 1]; // null char ++ ++ snprintf(tmp, sizeof(tmp), "%s", n[i].name); + pr_warn("partition %s (%u pp's found) is " + "not contiguous\n", +- n[i].name, lvip[i].pps_found); ++ tmp, lvip[i].pps_found); ++ } + kfree(pvd); + } + kfree(n); diff --git a/queue-4.18/partitions-aix-fix-usage-of-uninitialized-lv_info-and-lvname-structures.patch b/queue-4.18/partitions-aix-fix-usage-of-uninitialized-lv_info-and-lvname-structures.patch new file mode 100644 index 00000000000..c2fe6b40d7c --- /dev/null +++ b/queue-4.18/partitions-aix-fix-usage-of-uninitialized-lv_info-and-lvname-structures.patch 
@@ -0,0 +1,58 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Mauricio Faria de Oliveira +Date: Wed, 25 Jul 2018 22:46:28 -0300 +Subject: partitions/aix: fix usage of uninitialized lv_info and lvname structures + +From: Mauricio Faria de Oliveira + +[ Upstream commit 14cb2c8a6c5dae57ee3e2da10fa3db2b9087e39e ] + +The if-block that sets a successful return value in aix_partition() +uses 'lvip[].pps_per_lv' and 'n[].name' potentially uninitialized. + +For example, if 'numlvs' is zero or alloc_lvn() fails, neither is +initialized, but are used anyway if alloc_pvd() succeeds after it. + +So, make the alloc_pvd() call conditional on their initialization. + +This has been hit when attaching an apparently corrupted/stressed +AIX LUN, misleading the kernel to pr_warn() invalid data and hang. + + [...] partition (null) (11 pp's found) is not contiguous + [...] partition (null) (2 pp's found) is not contiguous + [...] partition (null) (3 pp's found) is not contiguous + [...] partition (null) (64 pp's found) is not contiguous + +Fixes: 6ceea22bbbc8 ("partitions: add aix lvm partition support files") +Signed-off-by: Mauricio Faria de Oliveira +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/partitions/aix.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/block/partitions/aix.c ++++ b/block/partitions/aix.c +@@ -178,7 +178,7 @@ int aix_partition(struct parsed_partitio + u32 vgda_sector = 0; + u32 vgda_len = 0; + int numlvs = 0; +- struct pvd *pvd; ++ struct pvd *pvd = NULL; + struct lv_info { + unsigned short pps_per_lv; + unsigned short pps_found; +@@ -232,10 +232,11 @@ int aix_partition(struct parsed_partitio + if (lvip[i].pps_per_lv) + foundlvs += 1; + } ++ /* pvd loops depend on n[].name and lvip[].pps_per_lv */ ++ pvd = alloc_pvd(state, vgda_sector + 17); + } + put_dev_sector(sect); + } +- pvd = alloc_pvd(state, vgda_sector + 17); + if (pvd) { + int numpps = be16_to_cpu(pvd->pp_count); + int 
psn_part1 = be32_to_cpu(pvd->psn_part1); diff --git a/queue-4.18/pci-mobiveil-add-missing-..-pci.h-include.patch b/queue-4.18/pci-mobiveil-add-missing-..-pci.h-include.patch new file mode 100644 index 00000000000..f26819ea36f --- /dev/null +++ b/queue-4.18/pci-mobiveil-add-missing-..-pci.h-include.patch @@ -0,0 +1,46 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Lorenzo Pieralisi +Date: Mon, 30 Jul 2018 13:24:33 +0100 +Subject: PCI: mobiveil: Add missing ../pci.h include + +From: Lorenzo Pieralisi + +[ Upstream commit d3743012230f8dab30d47caba1f2ee9e382385e7 ] + +PCI mobiveil host controller driver currently fails to compile +with the following error: + +drivers/pci/controller/pcie-mobiveil.c: In function +'mobiveil_pcie_probe': +drivers/pci/controller/pcie-mobiveil.c:788:8: error: implicit +declaration of function 'devm_of_pci_get_host_bridge_resources'; did you +mean 'pci_get_host_bridge_device'? +[-Werror=implicit-function-declaration] + ret = devm_of_pci_get_host_bridge_resources(dev, 0, 0xff, + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + pci_get_host_bridge_device + +Add the missing include file to pull in the required function declaration. + +Fixes: 9af6bcb11e12 ("PCI: mobiveil: Add Mobiveil PCIe Host Bridge IP +driver") +Signed-off-by: Lorenzo Pieralisi +Cc: Bjorn Helgaas +Cc: Subrahmanya Lingappa +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-mobiveil.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/pci/controller/pcie-mobiveil.c ++++ b/drivers/pci/controller/pcie-mobiveil.c +@@ -23,6 +23,8 @@ + #include + #include + ++#include "../pci.h" ++ + /* register offsets and bit positions */ + + /* diff --git a/queue-4.18/pci-mobiveil-fix-struct-mobiveil_pcie.pcie_reg_base-address-type.patch b/queue-4.18/pci-mobiveil-fix-struct-mobiveil_pcie.pcie_reg_base-address-type.patch new file mode 100644 index 00000000000..8a3c1446790 --- /dev/null 
+++ b/queue-4.18/pci-mobiveil-fix-struct-mobiveil_pcie.pcie_reg_base-address-type.patch 
@@ -0,0 +1,55 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Lorenzo Pieralisi +Date: Mon, 30 Jul 2018 13:24:12 +0100 +Subject: PCI: mobiveil: Fix struct mobiveil_pcie.pcie_reg_base address type + +From: Lorenzo Pieralisi + +[ Upstream commit af3f606e0bbb6d811c50b7b90fe324b07fb7cab8 ] + +The field pcie_reg_base in struct mobiveil_pcie represents a physical +address so it should be of phys_addr_t type rather than void __iomem*; +this results in the following compilation warnings: + +drivers/pci/controller/pcie-mobiveil.c: In function +'mobiveil_pcie_parse_dt': +drivers/pci/controller/pcie-mobiveil.c:326:22: warning: assignment makes +pointer from integer without a cast [-Wint-conversion] + pcie->pcie_reg_base = res->start; + ^ +drivers/pci/controller/pcie-mobiveil.c: In function +'mobiveil_pcie_enable_msi': +drivers/pci/controller/pcie-mobiveil.c:485:25: warning: initialization +makes integer from pointer without a cast [-Wint-conversion] + phys_addr_t msg_addr = pcie->pcie_reg_base; + ^~~~ +drivers/pci/controller/pcie-mobiveil.c: In function +'mobiveil_compose_msi_msg': +drivers/pci/controller/pcie-mobiveil.c:640:21: warning: initialization +makes integer from pointer without a cast [-Wint-conversion] + phys_addr_t addr = pcie->pcie_reg_base + (data->hwirq * sizeof(int)); + +Fix the type and with it the compilation warnings. 
+ +Fixes: 9af6bcb11e12 ("PCI: mobiveil: Add Mobiveil PCIe Host Bridge IP +driver") +Signed-off-by: Lorenzo Pieralisi +Cc: Bjorn Helgaas +Cc: Subrahmanya Lingappa +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-mobiveil.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/controller/pcie-mobiveil.c ++++ b/drivers/pci/controller/pcie-mobiveil.c +@@ -132,7 +132,7 @@ struct mobiveil_pcie { + void __iomem *config_axi_slave_base; /* endpoint config base */ + void __iomem *csr_axi_slave_base; /* root port config base */ + void __iomem *apb_csr_base; /* MSI register base */ +- void __iomem *pcie_reg_base; /* Physical PCIe Controller Base */ ++ phys_addr_t pcie_reg_base; /* Physical PCIe Controller Base */ + struct irq_domain *intx_domain; + raw_spinlock_t intx_mask_lock; + int irq; diff --git a/queue-4.18/perf-build-fix-installation-directory-for-ebpf.patch b/queue-4.18/perf-build-fix-installation-directory-for-ebpf.patch new file mode 100644 index 00000000000..ef3fb5a20f1 --- /dev/null +++ b/queue-4.18/perf-build-fix-installation-directory-for-ebpf.patch 
@@ -0,0 +1,147 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Thomas Richter +Date: Tue, 31 Jul 2018 09:32:54 +0200 +Subject: perf build: Fix installation directory for eBPF + +From: Thomas Richter + +[ Upstream commit 83868bf71d2eb7700b37f1ea188007f0125e4ee4 ] + +The perf tool build and install is controlled via a Makefile. The +'install' rule creates directories and copies files. Among them are +header files installed in /usr/lib/include/perf/bpf/. + +However all listed examples are installing its header files in + + /usr/lib//...[/include]/header.h + +and not in + + /usr/lib/include//.../header.h. + +Background information: + +Building the Fedora 28 glibc RPM on s390x and s390 fails on s390 (gcc +-m31) as gcc is not able to find header-files like stdbool.h. + +In the glibc.spec file, you can see that glibc is configured with +"--with-headers". In this case, first -nostdinc is added to the CFLAGS +and then further include paths are added via -isystem. One of those +paths should contain header files like stdbool.h. + +In order to get this path, gcc is invoked with: + +- on Fedora 28 (with 4.18 kernel): + + $ gcc -print-file-name=include + /usr/lib/gcc/s390x-redhat-linux/8/include + $ gcc -m31 -print-file-name=include + /usr/lib/gcc/s390x-redhat-linux/8/../../../../lib/include + => If perf is installed, this is: /usr/lib/include + On my machine this directory is only containing the directory "perf". + If perf is not installed gcc returns: /usr/lib/gcc/s390x-redhat-linux/8/include + +- on Ubuntu 18.04 (with 4.15 kernel): + + $ gcc -print-file-name=include + /usr/lib/gcc/s390x-linux-gnu/7/include + $ gcc -m31 -print-file-name=include + /usr/lib/gcc/s390x-linux-gnu/7/include + => gcc returns the correct path even if perf is installed. + +In each case, the introduction of the subdirectory /usr/lib/include +leads to the regression that one can not build the glibc RPM for s390 +anymore as gcc can not find headers like stdbool.h. 
+ +To remedy this install bpf.h to /usr/lib/perf/include/bpf/bpf.h + +Output before using the command 'perf test -Fv 40': + + echo '...[bpf-program-source]...' | /usr/bin/clang ... \ + -I/root/lib/include/perf/bpf ... + ^^^^^^^^^^^^ +... + [root@p23lp27 perf]# perf test -F 40 + 40: BPF filter : + 40.1: Basic BPF filtering : Ok + 40.2: BPF pinning : Ok + 40.3: BPF prologue generation : Ok + 40.4: BPF relocation checker : Ok + [root@p23lp27 perf]# + +Output after using command 'perf test -Fv 40': + + echo '...[bpf-program-source]...' | /usr/bin/clang ... \ + -I/root/lib/perf/include/bpf ... + ^^^^^^^^^^^^ +... + [root@p23lp27 perf]# perf test -F 40 + 40: BPF filter : + 40.1: Basic BPF filtering : Ok + 40.2: BPF pinning : Ok + 40.3: BPF prologue generation : Ok + 40.4: BPF relocation checker : Ok + [root@p23lp27 perf]# + +Committer testing: + +While the above 'perf test -F 40' (or 'perf test bpf') will allow us +to see that the correct path is now added via -I, to actually test this +we better try to use a bpf script that includes files in the changed +directory. + +We have the files that now reside in /root/lib/perf/examples/bpf/ to do +just that: + + # tail -8 /root/lib/perf/examples/bpf/5sec.c + #include + + int probe(hrtimer_nanosleep, rqtp->tv_sec)(void *ctx, int err, long sec) + { + return sec == 5; + } + + license(GPL); + # perf trace -e *sleep -e /root/lib/perf/examples/bpf/5sec.c sleep 4 + 0.333 (4000.086 ms): sleep/9248 nanosleep(rqtp: 0x7ffc155f3300) = 0 + # perf trace -e *sleep -e /root/lib/perf/examples/bpf/5sec.c sleep 5 + 0.287 ( ): sleep/9659 nanosleep(rqtp: 0x7ffeafe38200) ... + 0.290 ( ): perf_bpf_probe:hrtimer_nanosleep:(ffffffff9911efe0) tv_sec=5 + 0.287 (5000.059 ms): sleep/9659 ... 
[continued]: nanosleep()) = 0 + # perf trace -e *sleep -e /root/lib/perf/examples/bpf/5sec.c sleep 6 + 0.247 (5999.951 ms): sleep/10068 nanosleep(rqtp: 0x7fff2086d900) = 0 + # perf trace -e *sleep -e /root/lib/perf/examples/bpf/5sec.c sleep 5.987 + 0.293 ( ): sleep/10489 nanosleep(rqtp: 0x7ffdd4fc10e0) ... + 0.296 ( ): perf_bpf_probe:hrtimer_nanosleep:(ffffffff9911efe0) tv_sec=5 + 0.293 (5986.912 ms): sleep/10489 ... [continued]: nanosleep()) = 0 + # + +Suggested-by: Stefan Liebler +Suggested-by: Arnaldo Carvalho de Melo +Signed-off-by: Thomas Richter +Reviewed-by: Hendrik Brueckner +Tested-by: Arnaldo Carvalho de Melo +Cc: Heiko Carstens +Cc: Martin Schwidefsky +Fixes: 1b16fffa389d ("perf llvm-utils: Add bpf include path to clang command line") +Link: http://lkml.kernel.org/r/20180731073254.91090-1-tmricht@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/Makefile.config | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -905,8 +905,8 @@ bindir = $(abspath $(prefix)/$(bindir_re + mandir = share/man + infodir = share/info + perfexecdir = libexec/perf-core +-perf_include_dir = lib/include/perf +-perf_examples_dir = lib/examples/perf ++perf_include_dir = lib/perf/include ++perf_examples_dir = lib/perf/examples + sharedir = $(prefix)/share + template_dir = share/perf-core/templates + STRACE_GROUPS_DIR = share/perf-core/strace/groups diff --git a/queue-4.18/perf-c2c-report-fix-crash-for-empty-browser.patch b/queue-4.18/perf-c2c-report-fix-crash-for-empty-browser.patch new file mode 100644 index 00000000000..27d104e1348 --- /dev/null +++ b/queue-4.18/perf-c2c-report-fix-crash-for-empty-browser.patch 
@@ -0,0 +1,76 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Jiri Olsa +Date: Tue, 24 Jul 2018 08:20:08 +0200 +Subject: perf c2c report: Fix crash for empty browser + +From: Jiri Olsa + +[ Upstream commit 73978332572ccf5e364c31e9a70ba953f8202b46 ] + +'perf c2c' scans read/write accesses and tries to find false sharing +cases, so when the events it wants were not asked for or ended up not +taking place, we get no histograms. + +So do not try to display entry details if there's not any. Currently +this ends up in crash: + + $ perf c2c report # then press 'd' + perf: Segmentation fault + $ + +Committer testing: + +Before: + +Record a perf.data file without events of interest to 'perf c2c report', +then call it and press 'd': + + # perf record sleep 1 + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.001 MB perf.data (6 samples) ] + # perf c2c report + perf: Segmentation fault + -------- backtrace -------- + perf[0x5b1d2a] + /lib64/libc.so.6(+0x346df)[0x7fcb566e36df] + perf[0x46fcae] + perf[0x4a9f1e] + perf[0x4aa220] + perf(main+0x301)[0x42c561] + /lib64/libc.so.6(__libc_start_main+0xe9)[0x7fcb566cff29] + perf(_start+0x29)[0x42c999] + # + +After the patch the segfault doesn't take place, a follow up patch to +tell the user why nothing changes when 'd' is pressed would be good. 
+ +Reported-by: rodia@autistici.org +Signed-off-by: Jiri Olsa +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: David Ahern +Cc: Don Zickus +Cc: Joe Mario +Cc: Namhyung Kim +Cc: Peter Zijlstra +Fixes: f1c5fd4d0bb9 ("perf c2c report: Add TUI cacheline browser") +Link: http://lkml.kernel.org/r/20180724062008.26126-1-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/builtin-c2c.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/tools/perf/builtin-c2c.c ++++ b/tools/perf/builtin-c2c.c +@@ -2349,6 +2349,9 @@ static int perf_c2c__browse_cacheline(st + " s Toggle full length of symbol and source line columns \n" + " q Return back to cacheline list \n"; + ++ if (!he) ++ return 0; ++ + /* Display compact version first. */ + c2c.symbol_full = false; + diff --git a/queue-4.18/perf-evlist-fix-error-out-while-applying-initial-delay-and-lbr.patch b/queue-4.18/perf-evlist-fix-error-out-while-applying-initial-delay-and-lbr.patch new file mode 100644 index 00000000000..be6b361924a --- /dev/null +++ b/queue-4.18/perf-evlist-fix-error-out-while-applying-initial-delay-and-lbr.patch 
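Review bot: The `if (!he) return 0;` guard added to perf_c2c__browse_cacheline() in the patch above returns silently, and the commit message itself notes that the user gets no feedback when 'd' is pressed. A one-line comment on the guard saying that he is NULL when there are no histogram entries to show would record the reason at the code, and the follow-up message to the user mentioned in the commit log should be tracked so the silent return does not become permanent.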
@@ -0,0 +1,79 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Kan Liang +Date: Mon, 9 Jul 2018 07:15:22 -0700 +Subject: perf evlist: Fix error out while applying initial delay and LBR + +From: Kan Liang + +[ Upstream commit 95035c5e167ae6e740b1ddd30210ae0eaf39a5db ] + +'perf record' will error out if both --delay and LBR are applied. + +For example: + + # perf record -D 1000 -a -e cycles -j any -- sleep 2 + Error: + dummy:HG: PMU Hardware doesn't support sampling/overflow-interrupts. + Try 'perf stat' + # + +A dummy event is added implicitly for initial delay, which has the same +configurations as real sampling events. The dummy event is a software +event. If LBR is configured, perf must error out. + +The dummy event will only be used to track PERF_RECORD_MMAP while perf +waits for the initial delay to enable the real events. The BRANCH_STACK +bit can be safely cleared for the dummy event. + +After applying the patch: + + # perf record -D 1000 -a -e cycles -j any -- sleep 2 + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 1.054 MB perf.data (828 samples) ] + # + +Reported-by: Sunil K Pandey +Signed-off-by: Kan Liang +Acked-by: Jiri Olsa +Tested-by: Arnaldo Carvalho de Melo +Cc: Andi Kleen +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/1531145722-16404-1-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/evsel.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -848,6 +848,12 @@ static void apply_config_terms(struct pe + } + } + ++static bool is_dummy_event(struct perf_evsel *evsel) ++{ ++ return (evsel->attr.type == PERF_TYPE_SOFTWARE) && ++ (evsel->attr.config == PERF_COUNT_SW_DUMMY); ++} ++ + /* + * The enable_on_exec/disabled value strategy: + * +@@ -1086,6 +1092,14 @@ void perf_evsel__config(struct perf_evse + 
else + perf_evsel__reset_sample_bit(evsel, PERIOD); + } ++ ++ /* ++ * For initial_delay, a dummy event is added implicitly. ++ * The software event will trigger -EOPNOTSUPP error out, ++ * if BRANCH_STACK bit is set. ++ */ ++ if (opts->initial_delay && is_dummy_event(evsel)) ++ perf_evsel__reset_sample_bit(evsel, BRANCH_STACK); + } + + static int perf_evsel__alloc_fd(struct perf_evsel *evsel, int ncpus, int nthreads) diff --git a/queue-4.18/perf-tools-allow-overriding-max_nr_cpus-at-compile-time.patch b/queue-4.18/perf-tools-allow-overriding-max_nr_cpus-at-compile-time.patch new file mode 100644 index 00000000000..4b8550b7e84 --- /dev/null +++ b/queue-4.18/perf-tools-allow-overriding-max_nr_cpus-at-compile-time.patch 
@@ -0,0 +1,74 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Christophe Leroy +Date: Fri, 22 Sep 2017 13:20:43 +0200 +Subject: perf tools: Allow overriding MAX_NR_CPUS at compile time + +From: Christophe Leroy + +[ Upstream commit 21b8732eb4479b579bda9ee38e62b2c312c2a0e5 ] + +After update of kernel, the perf tool doesn't run anymore on my 32MB RAM +powerpc board, but still runs on a 128MB RAM board: + + ~# strace perf + execve("/usr/sbin/perf", ["perf"], [/* 12 vars */]) = -1 ENOMEM (Cannot allocate memory) + --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} --- + +++ killed by SIGSEGV +++ + Segmentation fault + +objdump -x shows that .bss section has a huge size of 24Mbytes: + + 27 .bss 016baca8 101cebb8 101cebb8 001cd988 2**3 + +With especially the following objects having quite big size: + + 10205f80 l O .bss 00140000 runtime_cycles_stats + 10345f80 l O .bss 00140000 runtime_stalled_cycles_front_stats + 10485f80 l O .bss 00140000 runtime_stalled_cycles_back_stats + 105c5f80 l O .bss 00140000 runtime_branches_stats + 10705f80 l O .bss 00140000 runtime_cacherefs_stats + 10845f80 l O .bss 00140000 runtime_l1_dcache_stats + 10985f80 l O .bss 00140000 runtime_l1_icache_stats + 10ac5f80 l O .bss 00140000 runtime_ll_cache_stats + 10c05f80 l O .bss 00140000 runtime_itlb_cache_stats + 10d45f80 l O .bss 00140000 runtime_dtlb_cache_stats + 10e85f80 l O .bss 00140000 runtime_cycles_in_tx_stats + 10fc5f80 l O .bss 00140000 runtime_transaction_stats + 11105f80 l O .bss 00140000 runtime_elision_stats + 11245f80 l O .bss 00140000 runtime_topdown_total_slots + 11385f80 l O .bss 00140000 runtime_topdown_slots_retired + 114c5f80 l O .bss 00140000 runtime_topdown_slots_issued + 11605f80 l O .bss 00140000 runtime_topdown_fetch_bubbles + 11745f80 l O .bss 00140000 runtime_topdown_recovery_bubbles + +This is due to commit 4d255766d28b1 ("perf: Bump max number of cpus +to 1024"), because many tables are sized with MAX_NR_CPUS + +This patch gives the opportunity to 
redefine MAX_NR_CPUS via + + $ make EXTRA_CFLAGS=-DMAX_NR_CPUS=1 + +Signed-off-by: Christophe Leroy +Cc: Alexander Shishkin +Cc: Peter Zijlstra +Cc: linuxppc-dev@lists.ozlabs.org +Link: http://lkml.kernel.org/r/20170922112043.8349468C57@po15668-vm-win7.idsi0.si.c-s.fr +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/perf.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/tools/perf/perf.h ++++ b/tools/perf/perf.h +@@ -25,7 +25,9 @@ static inline unsigned long long rdclock + return ts.tv_sec * 1000000000ULL + ts.tv_nsec; + } + ++#ifndef MAX_NR_CPUS + #define MAX_NR_CPUS 1024 ++#endif + + extern const char *input_name; + extern bool perf_host, perf_guest; diff --git a/queue-4.18/pinctrl-amd-only-handle-irq-if-it-is-pending-and-unmasked.patch b/queue-4.18/pinctrl-amd-only-handle-irq-if-it-is-pending-and-unmasked.patch new file mode 100644 index 00000000000..3592430da44 --- /dev/null +++ b/queue-4.18/pinctrl-amd-only-handle-irq-if-it-is-pending-and-unmasked.patch 
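Review bot: The `#ifndef MAX_NR_CPUS` guard in tools/perf/perf.h accepts whatever value the builder passes, and the commit message says many tables are sized with it, yet nothing in the hunk says what happens when perf runs on a machine with more CPUs than the override. A comment beside the guard stating the constraint on the value, together with a compile-time check that rejects values below 1, would document the assumption for anyone using EXTRA_CFLAGS=-DMAX_NR_CPUS=... on small boards.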
@@ -0,0 +1,52 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Daniel Kurtz +Date: Mon, 16 Jul 2018 18:57:18 -0600 +Subject: pinctrl/amd: only handle irq if it is pending and unmasked + +From: Daniel Kurtz + +[ Upstream commit 8bbed1eef001fdfc0ee9595f64cc4f769d265af4 ] + +The AMD pinctrl driver demultiplexes GPIO interrupts and fires off their +individual handlers. + +If one of these GPIO irqs is configured as a level interrupt, and its +downstream handler is a threaded ONESHOT interrupt, the GPIO interrupt +source is masked by handle_level_irq() until the eventual return of the +threaded irq handler. During this time the level GPIO interrupt status +will still report as high until the actual gpio source is cleared - both +in the individual GPIO interrupt status bit (INTERRUPT_STS_OFF) and in +its corresponding "WAKE_INT_STATUS_REG" bit. + +Thus, if another GPIO interrupt occurs during this time, +amd_gpio_irq_handler() will see that the (masked-and-not-yet-cleared) +level irq is still pending and incorrectly call its handler again. + +To fix this, have amd_gpio_irq_handler() check for both interrupts status +and mask before calling generic_handle_irq(). + +Note: Is it possible that this bug was the source of the interrupt storm +on Ryzen when using chained interrupts before commit ba714a9c1dea85 +("pinctrl/amd: Use regular interrupt instead of chained")? 
+ +Signed-off-by: Daniel Kurtz +Acked-by: Thomas Gleixner +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-amd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -552,7 +552,8 @@ static irqreturn_t amd_gpio_irq_handler( + /* Each status bit covers four pins */ + for (i = 0; i < 4; i++) { + regval = readl(regs + i); +- if (!(regval & PIN_IRQ_PENDING)) ++ if (!(regval & PIN_IRQ_PENDING) || ++ !(regval & BIT(INTERRUPT_MASK_OFF))) + continue; + irq = irq_find_mapping(gc->irq.domain, irqnr + i); + generic_handle_irq(irq); diff --git a/queue-4.18/pinctrl-berlin-fix-pctrl-functions-allocation-in-berlin_pinctrl_build_state.patch b/queue-4.18/pinctrl-berlin-fix-pctrl-functions-allocation-in-berlin_pinctrl_build_state.patch new file mode 100644 index 00000000000..bd77a60ce8e --- /dev/null +++ b/queue-4.18/pinctrl-berlin-fix-pctrl-functions-allocation-in-berlin_pinctrl_build_state.patch 
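Review bot: The new test in amd_gpio_irq_handler() in the patch above, `!(regval & BIT(INTERRUPT_MASK_OFF))`, carries no comment, and the only nearby one is about status bits covering four pins. The reason a pending but masked pin must be skipped (a level interrupt whose threaded ONESHOT handler has not finished yet) is only in the commit message; a short comment above the condition would keep that reasoning with the code so the mask check is not dropped in a later cleanup.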
@@ -0,0 +1,68 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: YueHaibing +Date: Wed, 1 Aug 2018 13:10:49 +0800 +Subject: pinctrl: berlin: fix 'pctrl->functions' allocation in berlin_pinctrl_build_state + +From: YueHaibing + +[ Upstream commit b5031b7db77dc47f474f0efc2b2552c32b7bb59d ] + +fixes following Smatch static check warning: + + drivers/pinctrl/berlin/berlin.c:237 berlin_pinctrl_build_state() + warn: passing devm_ allocated variable to kfree. 'pctrl->functions' + +As we will be calling krealloc() on pointer 'pctrl->functions', which means +kfree() will be called in there, devm_kzalloc() shouldn't be used with +the allocation in the first place. Fix the warning by calling kcalloc() +and managing the free procedure in error path on our own. + +Fixes: 3de68d331c24 ("pinctrl: berlin: add the core pinctrl driver for Marvell Berlin SoCs") +Signed-off-by: YueHaibing +Reviewed-by: Jisheng Zhang +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/berlin/berlin.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/pinctrl/berlin/berlin.c ++++ b/drivers/pinctrl/berlin/berlin.c +@@ -216,10 +216,8 @@ static int berlin_pinctrl_build_state(st + } + + /* we will reallocate later */ +- pctrl->functions = devm_kcalloc(&pdev->dev, +- max_functions, +- sizeof(*pctrl->functions), +- GFP_KERNEL); ++ pctrl->functions = kcalloc(max_functions, ++ sizeof(*pctrl->functions), GFP_KERNEL); + if (!pctrl->functions) + return -ENOMEM; + +@@ -257,8 +255,10 @@ static int berlin_pinctrl_build_state(st + function++; + } + +- if (!found) ++ if (!found) { ++ kfree(pctrl->functions); + return -EINVAL; ++ } + + if (!function->groups) { + function->groups = +@@ -267,8 +267,10 @@ static int berlin_pinctrl_build_state(st + sizeof(char *), + GFP_KERNEL); + +- if (!function->groups) ++ if (!function->groups) { ++ kfree(pctrl->functions); + return -ENOMEM; ++ } + } + + groups = function->groups; 
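Review bot: In berlin_pinctrl_build_state(), both new error returns (the !found branch and the !function->groups branch) call kfree(pctrl->functions) but leave pctrl->functions pointing at the freed array. Set the pointer to NULL after the free, or route both branches through a single error label that frees and clears it, so that nothing reached through pctrl afterwards can touch or free the stale pointer again. With the switch from devm_kcalloc() to kcalloc() the array is no longer released automatically, and these hunks add no free for the success case; the "we will reallocate later" comment should also say who frees the array when a later probe step fails or the device is unbound.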
diff --git a/queue-4.18/pinctrl-imx-off-by-one-in-imx_pinconf_group_dbg_show.patch b/queue-4.18/pinctrl-imx-off-by-one-in-imx_pinconf_group_dbg_show.patch new file mode 100644 index 00000000000..341abd79546 --- /dev/null +++ b/queue-4.18/pinctrl-imx-off-by-one-in-imx_pinconf_group_dbg_show.patch @@ -0,0 +1,33 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Dan Carpenter +Date: Thu, 19 Jul 2018 11:16:48 +0300 +Subject: pinctrl: imx: off by one in imx_pinconf_group_dbg_show() + +From: Dan Carpenter + +[ Upstream commit b4859f3edb47825f62d1b2efdd75fe7945996f49 ] + +The > should really be >= here. It's harmless because +pinctrl_generic_get_group() will return a NULL if group is invalid. + +Fixes: ae75ff814538 ("pinctrl: pinctrl-imx: add imx pinctrl core driver") +Reported-by: Dong Aisheng +Signed-off-by: Dan Carpenter +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/freescale/pinctrl-imx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/freescale/pinctrl-imx.c ++++ b/drivers/pinctrl/freescale/pinctrl-imx.c +@@ -383,7 +383,7 @@ static void imx_pinconf_group_dbg_show(s + const char *name; + int i, ret; + +- if (group > pctldev->num_groups) ++ if (group >= pctldev->num_groups) + return; + + seq_puts(s, "\n"); diff --git a/queue-4.18/pktcdvd-fix-possible-spectre-v1-for-pkt_devs.patch b/queue-4.18/pktcdvd-fix-possible-spectre-v1-for-pkt_devs.patch new file mode 100644 index 00000000000..08548c8fcd5 --- /dev/null +++ b/queue-4.18/pktcdvd-fix-possible-spectre-v1-for-pkt_devs.patch 
@@ -0,0 +1,48 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Jinbum Park +Date: Sat, 28 Jul 2018 13:20:44 +0900 +Subject: pktcdvd: Fix possible Spectre-v1 for pkt_devs + +From: Jinbum Park + +[ Upstream commit 55690c07b44a82cc3359ce0c233f4ba7d80ba145 ] + +User controls @dev_minor which to be used as index of pkt_devs. +So, It can be exploited via Spectre-like attack. (speculative execution) + +This kind of attack leaks address of pkt_devs, [1] +It leads an attacker to bypass security mechanism such as KASLR. + +So sanitize @dev_minor before using it to prevent attack. + +[1] https://github.com/jinb-park/linux-exploit/ +tree/master/exploit-remaining-spectre-gadget/leak_pkt_devs.c + +Signed-off-by: Jinbum Park +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/pktcdvd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/block/pktcdvd.c ++++ b/drivers/block/pktcdvd.c +@@ -67,7 +67,7 @@ + #include + #include + #include +- ++#include + #include + + #define DRIVER_NAME "pktcdvd" +@@ -2231,6 +2231,8 @@ static struct pktcdvd_device *pkt_find_d + { + if (dev_minor >= MAX_WRITERS) + return NULL; ++ ++ dev_minor = array_index_nospec(dev_minor, MAX_WRITERS); + return pkt_devs[dev_minor]; + } + diff --git a/queue-4.18/powerpc-4xx-fix-error-return-path-in-ppc4xx_msi_probe.patch b/queue-4.18/powerpc-4xx-fix-error-return-path-in-ppc4xx_msi_probe.patch new file mode 100644 index 00000000000..1bc8369b97b --- /dev/null +++ b/queue-4.18/powerpc-4xx-fix-error-return-path-in-ppc4xx_msi_probe.patch 
@@ -0,0 +1,197 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Guenter Roeck +Date: Mon, 30 Jul 2018 18:44:14 -0700 +Subject: powerpc/4xx: Fix error return path in ppc4xx_msi_probe() + +From: Guenter Roeck + +[ Upstream commit 6e0495c2e8ac39b1aad0a4588fe64413ce9028c0 ] + +An arbitrary error in ppc4xx_msi_probe() quite likely results in a +crash similar to the following, seen after dma_alloc_coherent() +returned an error. + + Unable to handle kernel paging request for data at address 0x00000000 + Faulting instruction address: 0xc001bff0 + Oops: Kernel access of bad area, sig: 11 [#1] + BE Canyonlands + Modules linked in: + CPU: 0 PID: 1 Comm: swapper Tainted: G W + 4.18.0-rc6-00010-gff33d1030a6c #1 + NIP: c001bff0 LR: c001c418 CTR: c01faa7c + REGS: cf82db40 TRAP: 0300 Tainted: G W + (4.18.0-rc6-00010-gff33d1030a6c) + MSR: 00029000 CR: 28002024 XER: 00000000 + DEAR: 00000000 ESR: 00000000 + GPR00: c001c418 cf82dbf0 cf828000 cf8de400 00000000 00000000 000000c4 000000c4 + GPR08: c0481ea4 00000000 00000000 000000c4 22002024 00000000 c00025e8 00000000 + GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 c0492380 0000004a + GPR24: 00029000 0000000c 00000000 cf8de410 c0494d60 c0494d60 cf8bebc0 00000001 + NIP [c001bff0] ppc4xx_of_msi_remove+0x48/0xa0 + LR [c001c418] ppc4xx_msi_probe+0x294/0x3b8 + Call Trace: + [cf82dbf0] [00029000] 0x29000 (unreliable) + [cf82dc10] [c001c418] ppc4xx_msi_probe+0x294/0x3b8 + [cf82dc70] [c0209fbc] platform_drv_probe+0x40/0x9c + [cf82dc90] [c0208240] driver_probe_device+0x2a8/0x350 + [cf82dcc0] [c0206204] bus_for_each_drv+0x60/0xac + [cf82dcf0] [c0207e88] __device_attach+0xe8/0x160 + [cf82dd20] [c02071e0] bus_probe_device+0xa0/0xbc + [cf82dd40] [c02050c8] device_add+0x404/0x5c4 + [cf82dd90] [c0288978] of_platform_device_create_pdata+0x88/0xd8 + [cf82ddb0] [c0288b70] of_platform_bus_create+0x134/0x220 + [cf82de10] [c0288bcc] of_platform_bus_create+0x190/0x220 + [cf82de70] [c0288cf4] of_platform_bus_probe+0x98/0xec + [cf82de90] 
[c0449650] __machine_initcall_canyonlands_ppc460ex_device_probe+0x38/0x54 + [cf82dea0] [c0002404] do_one_initcall+0x40/0x188 + [cf82df00] [c043daec] kernel_init_freeable+0x130/0x1d0 + [cf82df30] [c0002600] kernel_init+0x18/0x104 + [cf82df40] [c000c23c] ret_from_kernel_thread+0x14/0x1c + Instruction dump: + 90010024 813d0024 2f890000 83c30058 41bd0014 48000038 813d0024 7f89f800 + 409d002c 813e000c 57ea103a 3bff0001 <7c69502e> 2f830000 419effe0 4803b26d + ---[ end trace 8cf551077ecfc42a ]--- + +Fix it up. Specifically, + +- Return valid error codes from ppc4xx_setup_pcieh_hw(), have it clean + up after itself, and only access hardware after all possible error + conditions have been handled. +- Use devm_kzalloc() instead of kzalloc() in ppc4xx_msi_probe() + +Signed-off-by: Guenter Roeck +Reviewed-by: Christoph Hellwig +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/4xx/msi.c | 51 ++++++++++++++++++++++----------------- + 1 file changed, 30 insertions(+), 21 deletions(-) + +--- a/arch/powerpc/platforms/4xx/msi.c ++++ b/arch/powerpc/platforms/4xx/msi.c +@@ -146,13 +146,19 @@ static int ppc4xx_setup_pcieh_hw(struct + const u32 *sdr_addr; + dma_addr_t msi_phys; + void *msi_virt; ++ int err; + + sdr_addr = of_get_property(dev->dev.of_node, "sdr-base", NULL); + if (!sdr_addr) +- return -1; ++ return -EINVAL; + +- mtdcri(SDR0, *sdr_addr, upper_32_bits(res.start)); /*HIGH addr */ +- mtdcri(SDR0, *sdr_addr + 1, lower_32_bits(res.start)); /* Low addr */ ++ msi_data = of_get_property(dev->dev.of_node, "msi-data", NULL); ++ if (!msi_data) ++ return -EINVAL; ++ ++ msi_mask = of_get_property(dev->dev.of_node, "msi-mask", NULL); ++ if (!msi_mask) ++ return -EINVAL; + + msi->msi_dev = of_find_node_by_name(NULL, "ppc4xx-msi"); + if (!msi->msi_dev) +@@ -160,30 +166,30 @@ static int ppc4xx_setup_pcieh_hw(struct + + msi->msi_regs = of_iomap(msi->msi_dev, 0); + if (!msi->msi_regs) { +- dev_err(&dev->dev, 
"of_iomap problem failed\n"); +- return -ENOMEM; ++ dev_err(&dev->dev, "of_iomap failed\n"); ++ err = -ENOMEM; ++ goto node_put; + } + dev_dbg(&dev->dev, "PCIE-MSI: msi register mapped 0x%x 0x%x\n", + (u32) (msi->msi_regs + PEIH_TERMADH), (u32) (msi->msi_regs)); + + msi_virt = dma_alloc_coherent(&dev->dev, 64, &msi_phys, GFP_KERNEL); +- if (!msi_virt) +- return -ENOMEM; ++ if (!msi_virt) { ++ err = -ENOMEM; ++ goto iounmap; ++ } + msi->msi_addr_hi = upper_32_bits(msi_phys); + msi->msi_addr_lo = lower_32_bits(msi_phys & 0xffffffff); + dev_dbg(&dev->dev, "PCIE-MSI: msi address high 0x%x, low 0x%x\n", + msi->msi_addr_hi, msi->msi_addr_lo); + ++ mtdcri(SDR0, *sdr_addr, upper_32_bits(res.start)); /*HIGH addr */ ++ mtdcri(SDR0, *sdr_addr + 1, lower_32_bits(res.start)); /* Low addr */ ++ + /* Progam the Interrupt handler Termination addr registers */ + out_be32(msi->msi_regs + PEIH_TERMADH, msi->msi_addr_hi); + out_be32(msi->msi_regs + PEIH_TERMADL, msi->msi_addr_lo); + +- msi_data = of_get_property(dev->dev.of_node, "msi-data", NULL); +- if (!msi_data) +- return -1; +- msi_mask = of_get_property(dev->dev.of_node, "msi-mask", NULL); +- if (!msi_mask) +- return -1; + /* Program MSI Expected data and Mask bits */ + out_be32(msi->msi_regs + PEIH_MSIED, *msi_data); + out_be32(msi->msi_regs + PEIH_MSIMK, *msi_mask); +@@ -191,6 +197,12 @@ static int ppc4xx_setup_pcieh_hw(struct + dma_free_coherent(&dev->dev, 64, msi_virt, msi_phys); + + return 0; ++ ++iounmap: ++ iounmap(msi->msi_regs); ++node_put: ++ of_node_put(msi->msi_dev); ++ return err; + } + + static int ppc4xx_of_msi_remove(struct platform_device *dev) +@@ -209,7 +221,6 @@ static int ppc4xx_of_msi_remove(struct p + msi_bitmap_free(&msi->bitmap); + iounmap(msi->msi_regs); + of_node_put(msi->msi_dev); +- kfree(msi); + + return 0; + } +@@ -223,18 +234,16 @@ static int ppc4xx_msi_probe(struct platf + + dev_dbg(&dev->dev, "PCIE-MSI: Setting up MSI support...\n"); + +- msi = kzalloc(sizeof(*msi), GFP_KERNEL); +- if (!msi) { 
+- dev_err(&dev->dev, "No memory for MSI structure\n"); ++ msi = devm_kzalloc(&dev->dev, sizeof(*msi), GFP_KERNEL); ++ if (!msi) + return -ENOMEM; +- } + dev->dev.platform_data = msi; + + /* Get MSI ranges */ + err = of_address_to_resource(dev->dev.of_node, 0, &res); + if (err) { + dev_err(&dev->dev, "%pOF resource error!\n", dev->dev.of_node); +- goto error_out; ++ return err; + } + + msi_irqs = of_irq_count(dev->dev.of_node); +@@ -243,7 +252,7 @@ static int ppc4xx_msi_probe(struct platf + + err = ppc4xx_setup_pcieh_hw(dev, res, msi); + if (err) +- goto error_out; ++ return err; + + err = ppc4xx_msi_init_allocator(dev, msi); + if (err) { +@@ -256,7 +265,7 @@ static int ppc4xx_msi_probe(struct platf + phb->controller_ops.setup_msi_irqs = ppc4xx_setup_msi_irqs; + phb->controller_ops.teardown_msi_irqs = ppc4xx_teardown_msi_irqs; + } +- return err; ++ return 0; + + error_out: + ppc4xx_of_msi_remove(dev); diff --git a/queue-4.18/powerpc-mm-don-t-report-puds-as-memory-leaks-when-using-kmemleak.patch b/queue-4.18/powerpc-mm-don-t-report-puds-as-memory-leaks-when-using-kmemleak.patch new file mode 100644 index 00000000000..607b936a0b4 --- /dev/null +++ b/queue-4.18/powerpc-mm-don-t-report-puds-as-memory-leaks-when-using-kmemleak.patch 
@@ -0,0 +1,127 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Michael Ellerman +Date: Fri, 20 Jul 2018 00:33:16 +1000 +Subject: powerpc/mm: Don't report PUDs as memory leaks when using kmemleak + +From: Michael Ellerman + +[ Upstream commit a984506c542e26b31cbb446438f8439fa2253b2e ] + +Paul Menzel reported that kmemleak was producing reports such as: + + unreferenced object 0xc0000000f8b80000 (size 16384): + comm "init", pid 1, jiffies 4294937416 (age 312.240s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000d997deb7>] __pud_alloc+0x80/0x190 + [<0000000087f2e8a3>] move_page_tables+0xbac/0xdc0 + [<00000000091e51c2>] shift_arg_pages+0xc0/0x210 + [<00000000ab88670c>] setup_arg_pages+0x22c/0x2a0 + [<0000000060871529>] load_elf_binary+0x41c/0x1648 + [<00000000ecd9d2d4>] search_binary_handler.part.11+0xbc/0x280 + [<0000000034e0cdd7>] __do_execve_file.isra.13+0x73c/0x940 + [<000000005f953a6e>] sys_execve+0x58/0x70 + [<000000009700a858>] system_call+0x5c/0x70 + +Indicating that a PUD was being leaked. + +However what's really happening is that kmemleak is not able to +recognise the references from the PGD to the PUD, because they are not +fully qualified pointers. 
+ +We can confirm that in xmon, eg: + +Find the task struct for pid 1 "init": + 0:mon> P + task_struct ->thread.ksp PID PPID S P CMD + c0000001fe7c0000 c0000001fe803960 1 0 S 13 systemd + +Dump virtual address 0 to find the PGD: + 0:mon> dv 0 c0000001fe7c0000 + pgd @ 0xc0000000f8b01000 + +Dump the memory of the PGD: + 0:mon> d c0000000f8b01000 + c0000000f8b01000 00000000f8b90000 0000000000000000 |................| + c0000000f8b01010 0000000000000000 0000000000000000 |................| + c0000000f8b01020 0000000000000000 0000000000000000 |................| + c0000000f8b01030 0000000000000000 00000000f8b80000 |................| + ^^^^^^^^^^^^^^^^ + +There we can see the reference to our supposedly leaked PUD. But +because it's missing the leading 0xc, kmemleak won't recognise it. + +We can confirm it's still in use by translating an address that is +mapped via it: + 0:mon> dv 7fff94000000 c0000001fe7c0000 + pgd @ 0xc0000000f8b01000 + pgdp @ 0xc0000000f8b01038 = 0x00000000f8b80000 <-- + pudp @ 0xc0000000f8b81ff8 = 0x00000000037c4000 + pmdp @ 0xc0000000037c5ca0 = 0x00000000fbd89000 + ptep @ 0xc0000000fbd89000 = 0xc0800001d5ce0386 + Maps physical address = 0x00000001d5ce0000 + Flags = Accessed Dirty Read Write + +The fix is fairly simple. We need to tell kmemleak to ignore PUD +allocations and never report them as leaks. We can also tell it not to +scan the PGD, because it will never find pointers in there. However it +will still notice if we allocate a PGD and then leak it. 
+ +Reported-by: Paul Menzel +Signed-off-by: Michael Ellerman +Tested-by: Paul Menzel +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/book3s/64/pgalloc.h | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/include/asm/book3s/64/pgalloc.h ++++ b/arch/powerpc/include/asm/book3s/64/pgalloc.h +@@ -9,6 +9,7 @@ + + #include + #include ++#include + #include + + struct vmemmap_backing { +@@ -83,6 +84,13 @@ static inline pgd_t *pgd_alloc(struct mm + pgd = kmem_cache_alloc(PGT_CACHE(PGD_INDEX_SIZE), + pgtable_gfp_flags(mm, GFP_KERNEL)); + /* ++ * Don't scan the PGD for pointers, it contains references to PUDs but ++ * those references are not full pointers and so can't be recognised by ++ * kmemleak. ++ */ ++ kmemleak_no_scan(pgd); ++ ++ /* + * With hugetlb, we don't clear the second half of the page table. + * If we share the same slab cache with the pmd or pud level table, + * we need to make sure we zero out the full table on alloc. +@@ -110,8 +118,19 @@ static inline void pgd_populate(struct m + + static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr) + { +- return kmem_cache_alloc(PGT_CACHE(PUD_CACHE_INDEX), +- pgtable_gfp_flags(mm, GFP_KERNEL)); ++ pud_t *pud; ++ ++ pud = kmem_cache_alloc(PGT_CACHE(PUD_CACHE_INDEX), ++ pgtable_gfp_flags(mm, GFP_KERNEL)); ++ /* ++ * Tell kmemleak to ignore the PUD, that means don't scan it for ++ * pointers and don't consider it a leak. PUDs are typically only ++ * referred to by their PGD, but kmemleak is not able to recognise those ++ * as pointers, leading to false leak reports. ++ */ ++ kmemleak_ignore(pud); ++ ++ return pud; + } + + static inline void pud_free(struct mm_struct *mm, pud_t *pud) 
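Review bot: The comment added in pud_alloc_one() explains why PUDs are hidden from kmemleak but not why the lower levels are left alone, although the xmon walk in the changelog shows the pudp and pmdp entries stored the same way, without the leading 0xc. Add a sentence saying why only the PUD needs kmemleak_ignore(), or cover the other levels too. Both kmemleak_no_scan(pgd) and kmemleak_ignore(pud) are also called straight after kmem_cache_alloc() with no NULL check in between; a short remark that the helpers tolerate a failed allocation would save the next reader from having to check.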
diff --git a/queue-4.18/powerpc-powernv-fix-concurrency-issue-with-npu-mmio_atsd_usage.patch b/queue-4.18/powerpc-powernv-fix-concurrency-issue-with-npu-mmio_atsd_usage.patch new file mode 100644 index 00000000000..2cf09c588d2 --- /dev/null +++ b/queue-4.18/powerpc-powernv-fix-concurrency-issue-with-npu-mmio_atsd_usage.patch 
@@ -0,0 +1,51 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Reza Arbab +Date: Thu, 2 Aug 2018 23:03:36 -0500 +Subject: powerpc/powernv: Fix concurrency issue with npu->mmio_atsd_usage + +From: Reza Arbab + +[ Upstream commit 9eab9901b015f489199105c470de1ffc337cfabb ] + +We've encountered a performance issue when multiple processors stress +{get,put}_mmio_atsd_reg(). These functions contend for +mmio_atsd_usage, an unsigned long used as a bitmask. + +The accesses to mmio_atsd_usage are done using test_and_set_bit_lock() +and clear_bit_unlock(). As implemented, both of these will require +a (successful) stwcx to that same cache line. + +What we end up with is thread A, attempting to unlock, being slowed by +other threads repeatedly attempting to lock. A's stwcx instructions +fail and retry because the memory reservation is lost every time a +different thread beats it to the punch. + +There may be a long-term way to fix this at a larger scale, but for +now resolve the immediate problem by gating our call to +test_and_set_bit_lock() with one to test_bit(), which is obviously +implemented without using a store. + +Fixes: 1ab66d1fbada ("powerpc/powernv: Introduce address translation services for Nvlink2") +Signed-off-by: Reza Arbab +Acked-by: Alistair Popple +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/powernv/npu-dma.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/platforms/powernv/npu-dma.c ++++ b/arch/powerpc/platforms/powernv/npu-dma.c +@@ -437,8 +437,9 @@ static int get_mmio_atsd_reg(struct npu + int i; + + for (i = 0; i < npu->mmio_atsd_count; i++) { +- if (!test_and_set_bit_lock(i, &npu->mmio_atsd_usage)) +- return i; ++ if (!test_bit(i, &npu->mmio_atsd_usage)) ++ if (!test_and_set_bit_lock(i, &npu->mmio_atsd_usage)) ++ return i; + } + + return -ENOSPC; 
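Review bot: In get_mmio_atsd_reg() the new test_bit() looks redundant next to test_and_set_bit_lock() and carries no comment, so a later cleanup could remove it and bring the contention back. Add a one-line comment that it is a store-free pre-check which keeps waiters from taking the reservation away from the thread doing clear_bit_unlock(). The nested unbraced ifs are also easy to misread; fold them into one condition joined with && or put braces around the outer if.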
diff --git a/queue-4.18/powerpc-pseries-fix-eeh-recovery-of-some-iov-devices.patch b/queue-4.18/powerpc-pseries-fix-eeh-recovery-of-some-iov-devices.patch new file mode 100644 index 00000000000..39b74c7ccb0 --- /dev/null +++ b/queue-4.18/powerpc-pseries-fix-eeh-recovery-of-some-iov-devices.patch 
@@ -0,0 +1,89 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Sam Bobroff +Date: Mon, 30 Jul 2018 11:59:14 +1000 +Subject: powerpc/pseries: fix EEH recovery of some IOV devices + +From: Sam Bobroff + +[ Upstream commit b87b9cf4935325c98522823caeddd333022a1c62 ] + +EEH recovery currently fails on pSeries for some IOV capable PCI +devices, if CONFIG_PCI_IOV is on and the hypervisor doesn't provide +certain device tree properties for the device. (Found on an IOV +capable device using the ipr driver.) + +Recovery fails in pci_enable_resources() at the check on r->parent, +because r->flags is set and r->parent is not. This state is due to +sriov_init() setting the start, end and flags members of the IOV BARs +but the parent not being set later in +pseries_pci_fixup_iov_resources(), because the +"ibm,open-sriov-vf-bar-info" property is missing. + +Correct this by zeroing the resource flags for IOV BARs when they +can't be configured (this is the same method used by sriov_init() and +__pci_read_base()). + +VFs cleared this way can't be enabled later, because that requires +another device tree property, "ibm,number-of-configurable-vfs" as well +as support for the RTAS function "ibm_map_pes". These are all part of +hypervisor support for IOV and it seems unlikely that a hypervisor +would ever partially, but not fully, support it. (None are currently +provided by QEMU/KVM.) + +Signed-off-by: Sam Bobroff +Reviewed-by: Bryant G. 
Ly +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/pseries/setup.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +--- a/arch/powerpc/platforms/pseries/setup.c ++++ b/arch/powerpc/platforms/pseries/setup.c +@@ -647,6 +647,15 @@ void of_pci_parse_iov_addrs(struct pci_d + } + } + ++static void pseries_disable_sriov_resources(struct pci_dev *pdev) ++{ ++ int i; ++ ++ pci_warn(pdev, "No hypervisor support for SR-IOV on this device, IOV BARs disabled.\n"); ++ for (i = 0; i < PCI_SRIOV_NUM_BARS; i++) ++ pdev->resource[i + PCI_IOV_RESOURCES].flags = 0; ++} ++ + static void pseries_pci_fixup_resources(struct pci_dev *pdev) + { + const int *indexes; +@@ -654,10 +663,10 @@ static void pseries_pci_fixup_resources( + + /*Firmware must support open sriov otherwise dont configure*/ + indexes = of_get_property(dn, "ibm,open-sriov-vf-bar-info", NULL); +- if (!indexes) +- return; +- /* Assign the addresses from device tree*/ +- of_pci_set_vf_bar_size(pdev, indexes); ++ if (indexes) ++ of_pci_set_vf_bar_size(pdev, indexes); ++ else ++ pseries_disable_sriov_resources(pdev); + } + + static void pseries_pci_fixup_iov_resources(struct pci_dev *pdev) +@@ -669,10 +678,10 @@ static void pseries_pci_fixup_iov_resour + return; + /*Firmware must support open sriov otherwise dont configure*/ + indexes = of_get_property(dn, "ibm,open-sriov-vf-bar-info", NULL); +- if (!indexes) +- return; +- /* Assign the addresses from device tree*/ +- of_pci_parse_iov_addrs(pdev, indexes); ++ if (indexes) ++ of_pci_parse_iov_addrs(pdev, indexes); ++ else ++ pseries_disable_sriov_resources(pdev); + } + + static resource_size_t pseries_pci_iov_resource_alignment(struct pci_dev *pdev, diff --git a/queue-4.18/rdma-cma-do-not-ignore-net-namespace-for-unbound-cm_id.patch b/queue-4.18/rdma-cma-do-not-ignore-net-namespace-for-unbound-cm_id.patch new file mode 100644 index 00000000000..469e1cd06c6 
--- /dev/null +++ b/queue-4.18/rdma-cma-do-not-ignore-net-namespace-for-unbound-cm_id.patch @@ -0,0 +1,49 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Parav Pandit +Date: Mon, 16 Jul 2018 11:50:13 +0300 +Subject: RDMA/cma: Do not ignore net namespace for unbound cm_id + +From: Parav Pandit + +[ Upstream commit 643d213a9a034fa04f5575a40dfc8548e33ce04f ] + +Currently if the cm_id is not bound to any netdevice, than for such cm_id, +net namespace is ignored; which is incorrect. + +Regardless of cm_id bound to a netdevice or not, net namespace must +match. When a cm_id is bound to a netdevice, in such case net namespace +and netdevice both must match. + +Fixes: 4c21b5bcef73 ("IB/cma: Add net_dev and private data checks to RDMA CM") +Signed-off-by: Parav Pandit +Reviewed-by: Daniel Jurgens +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/cma.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -1445,9 +1445,16 @@ static bool cma_match_net_dev(const stru + (addr->src_addr.ss_family == AF_IB || + rdma_protocol_roce(id->device, port_num)); + +- return !addr->dev_addr.bound_dev_if || +- (net_eq(dev_net(net_dev), addr->dev_addr.net) && +- addr->dev_addr.bound_dev_if == net_dev->ifindex); ++ /* ++ * Net namespaces must match, and if the listner is listening ++ * on a specific netdevice than netdevice must match as well. ++ */ ++ if (net_eq(dev_net(net_dev), addr->dev_addr.net) && ++ (!!addr->dev_addr.bound_dev_if == ++ (addr->dev_addr.bound_dev_if == net_dev->ifindex))) ++ return true; ++ else ++ return false; + } + + static struct rdma_id_private *cma_find_listener( diff --git a/queue-4.18/rdma-hns-add-illegal-hop_num-judgement.patch b/queue-4.18/rdma-hns-add-illegal-hop_num-judgement.patch new file mode 100644 index 00000000000..5eafec77cd3 --- /dev/null 
+++ b/queue-4.18/rdma-hns-add-illegal-hop_num-judgement.patch @@ -0,0 +1,32 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Lijun Ou +Date: Wed, 25 Jul 2018 15:29:37 +0800 +Subject: RDMA/hns: Add illegal hop_num judgement + +From: Lijun Ou + +[ Upstream commit 26f63b9c33ceda12fb9136a1d0c80e03c9ebb514 ] + +When hop_num is more than three, it need to return -EINVAL. This patch +fixes it. + +Signed-off-by: Lijun Ou +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hns/hns_roce_hem.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/infiniband/hw/hns/hns_roce_hem.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c +@@ -494,6 +494,9 @@ static int hns_roce_table_mhop_get(struc + step_idx = 1; + } else if (hop_num == HNS_ROCE_HOP_NUM_0) { + step_idx = 0; ++ } else { ++ ret = -EINVAL; ++ goto err_dma_alloc_l1; + } + + /* set HEM base address to hardware */ diff --git a/queue-4.18/rdma-hns-update-the-data-type-of-immediate-data.patch b/queue-4.18/rdma-hns-update-the-data-type-of-immediate-data.patch new file mode 100644 index 00000000000..1c897da8978 --- /dev/null +++ b/queue-4.18/rdma-hns-update-the-data-type-of-immediate-data.patch 
@@ -0,0 +1,92 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Lijun Ou +Date: Wed, 25 Jul 2018 15:29:40 +0800 +Subject: RDMA/hns: Update the data type of immediate data + +From: Lijun Ou + +[ Upstream commit 0c4a0e2987a51415de73180ce9f389a99b3dddd1 ] + +Because the data structure of hip08 is little endian, it needs to fix the +immediate field of wqe and cqe into __le32. + +Signed-off-by: Lijun Ou +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 12 ++++++++---- + drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 6 +++--- + 2 files changed, 11 insertions(+), 7 deletions(-) + +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -273,7 +273,8 @@ static int hns_roce_v2_post_send(struct + switch (wr->opcode) { + case IB_WR_SEND_WITH_IMM: + case IB_WR_RDMA_WRITE_WITH_IMM: +- ud_sq_wqe->immtdata = wr->ex.imm_data; ++ ud_sq_wqe->immtdata = ++ cpu_to_le32(be32_to_cpu(wr->ex.imm_data)); + break; + default: + ud_sq_wqe->immtdata = 0; +@@ -371,7 +372,8 @@ static int hns_roce_v2_post_send(struct + switch (wr->opcode) { + case IB_WR_SEND_WITH_IMM: + case IB_WR_RDMA_WRITE_WITH_IMM: +- rc_sq_wqe->immtdata = wr->ex.imm_data; ++ rc_sq_wqe->immtdata = ++ cpu_to_le32(be32_to_cpu(wr->ex.imm_data)); + break; + case IB_WR_SEND_WITH_INV: + rc_sq_wqe->inv_key = +@@ -1931,7 +1933,8 @@ static int hns_roce_v2_poll_one(struct h + case HNS_ROCE_V2_OPCODE_RDMA_WRITE_IMM: + wc->opcode = IB_WC_RECV_RDMA_WITH_IMM; + wc->wc_flags = IB_WC_WITH_IMM; +- wc->ex.imm_data = cqe->immtdata; ++ wc->ex.imm_data = ++ cpu_to_be32(le32_to_cpu(cqe->immtdata)); + break; + case HNS_ROCE_V2_OPCODE_SEND: + wc->opcode = IB_WC_RECV; +@@ -1940,7 +1943,8 @@ static int hns_roce_v2_poll_one(struct h + case HNS_ROCE_V2_OPCODE_SEND_WITH_IMM: + wc->opcode = IB_WC_RECV; + wc->wc_flags = IB_WC_WITH_IMM; +- wc->ex.imm_data = cqe->immtdata; ++ wc->ex.imm_data = ++ 
cpu_to_be32(le32_to_cpu(cqe->immtdata)); + break; + case HNS_ROCE_V2_OPCODE_SEND_WITH_INV: + wc->opcode = IB_WC_RECV; +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +@@ -768,7 +768,7 @@ struct hns_roce_v2_cqe { + __le32 byte_4; + union { + __le32 rkey; +- __be32 immtdata; ++ __le32 immtdata; + }; + __le32 byte_12; + __le32 byte_16; +@@ -926,7 +926,7 @@ struct hns_roce_v2_cq_db { + struct hns_roce_v2_ud_send_wqe { + __le32 byte_4; + __le32 msg_len; +- __be32 immtdata; ++ __le32 immtdata; + __le32 byte_16; + __le32 byte_20; + __le32 byte_24; +@@ -1012,7 +1012,7 @@ struct hns_roce_v2_rc_send_wqe { + __le32 msg_len; + union { + __le32 inv_key; +- __be32 immtdata; ++ __le32 immtdata; + }; + __le32 byte_16; + __le32 byte_20; diff --git a/queue-4.18/regulator-tps65217-fix-null-pointer-dereference-on-probe.patch b/queue-4.18/regulator-tps65217-fix-null-pointer-dereference-on-probe.patch new file mode 100644 index 00000000000..0c00cb1ab19 --- /dev/null +++ b/queue-4.18/regulator-tps65217-fix-null-pointer-dereference-on-probe.patch 
@@ -0,0 +1,34 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Anton Vasilyev +Date: Fri, 27 Jul 2018 16:59:29 +0300 +Subject: regulator: tps65217: Fix NULL pointer dereference on probe + +From: Anton Vasilyev + +[ Upstream commit 4f919ca2bf6da826ba1a4316e1b8e9c94e5dbeb2 ] + +There is no check that tps->strobes is allocated successfully in +tps65217_regulator_probe(). +The patch adds corresponding check. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/regulator/tps65217-regulator.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/regulator/tps65217-regulator.c ++++ b/drivers/regulator/tps65217-regulator.c +@@ -232,6 +232,8 @@ static int tps65217_regulator_probe(stru + tps->strobes = devm_kcalloc(&pdev->dev, + TPS65217_NUM_REGULATOR, sizeof(u8), + GFP_KERNEL); ++ if (!tps->strobes) ++ return -ENOMEM; + + platform_set_drvdata(pdev, tps); + diff --git a/queue-4.18/rpmsg-core-add-support-to-power-domains-for-devices.patch b/queue-4.18/rpmsg-core-add-support-to-power-domains-for-devices.patch new file mode 100644 index 00000000000..3b8a072a43b --- /dev/null +++ b/queue-4.18/rpmsg-core-add-support-to-power-domains-for-devices.patch 
@@ -0,0 +1,55 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Srinivas Kandagatla +Date: Fri, 15 Jun 2018 10:59:39 +0100 +Subject: rpmsg: core: add support to power domains for devices + +From: Srinivas Kandagatla + +[ Upstream commit fe782affd0f440a4e60e2cc81b8f2eccb2923113 ] + +Some of the rpmsg devices need to switch on power domains to communicate +with remote processor. For example on Qualcomm DB820c platform LPASS +power domain needs to switched on for any kind of audio services. +This patch adds the missing power domain support in rpmsg core. + +Without this patch attempting to play audio via QDSP on DB820c would +reboot the system. + +Signed-off-by: Srinivas Kandagatla +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rpmsg/rpmsg_core.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/rpmsg/rpmsg_core.c ++++ b/drivers/rpmsg/rpmsg_core.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + #include + + #include "rpmsg_internal.h" +@@ -449,6 +450,10 @@ static int rpmsg_dev_probe(struct device + struct rpmsg_endpoint *ept = NULL; + int err; + ++ err = dev_pm_domain_attach(dev, true); ++ if (err) ++ goto out; ++ + if (rpdrv->callback) { + strncpy(chinfo.name, rpdev->id.name, RPMSG_NAME_SIZE); + chinfo.src = rpdev->src; +@@ -490,6 +495,8 @@ static int rpmsg_dev_remove(struct devic + + rpdrv->remove(rpdev); + ++ dev_pm_domain_detach(dev, true); ++ + if (rpdev->ept) + rpmsg_destroy_ept(rpdev->ept); + diff --git a/queue-4.18/scsi-3ware-fix-return-0-on-the-error-path-of-probe.patch b/queue-4.18/scsi-3ware-fix-return-0-on-the-error-path-of-probe.patch new file mode 100644 index 00000000000..2f6a543537f --- /dev/null +++ b/queue-4.18/scsi-3ware-fix-return-0-on-the-error-path-of-probe.patch 
@@ -0,0 +1,105 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Anton Vasilyev +Date: Fri, 27 Jul 2018 16:51:57 +0300 +Subject: scsi: 3ware: fix return 0 on the error path of probe + +From: Anton Vasilyev + +[ Upstream commit 4dc98c1995482262e70e83ef029135247fafe0f2 ] + +tw_probe() returns 0 in case of fail of tw_initialize_device_extension(), +pci_resource_start() or tw_reset_sequence() and releases resources. +twl_probe() returns 0 in case of fail of twl_initialize_device_extension(), +pci_iomap() and twl_reset_sequence(). twa_probe() returns 0 in case of +fail of tw_initialize_device_extension(), ioremap() and +twa_reset_sequence(). + +The patch adds retval initialization for these cases. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Acked-by: Adam Radford +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/3w-9xxx.c | 6 +++++- + drivers/scsi/3w-sas.c | 3 +++ + drivers/scsi/3w-xxxx.c | 2 ++ + 3 files changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/3w-9xxx.c ++++ b/drivers/scsi/3w-9xxx.c +@@ -2038,6 +2038,7 @@ static int twa_probe(struct pci_dev *pde + + if (twa_initialize_device_extension(tw_dev)) { + TW_PRINTK(tw_dev->host, TW_DRIVER, 0x25, "Failed to initialize device extension"); ++ retval = -ENOMEM; + goto out_free_device_extension; + } + +@@ -2060,6 +2061,7 @@ static int twa_probe(struct pci_dev *pde + tw_dev->base_addr = ioremap(mem_addr, mem_len); + if (!tw_dev->base_addr) { + TW_PRINTK(tw_dev->host, TW_DRIVER, 0x35, "Failed to ioremap"); ++ retval = -ENOMEM; + goto out_release_mem_region; + } + +@@ -2067,8 +2069,10 @@ static int twa_probe(struct pci_dev *pde + TW_DISABLE_INTERRUPTS(tw_dev); + + /* Initialize the card */ +- if (twa_reset_sequence(tw_dev, 0)) ++ if (twa_reset_sequence(tw_dev, 0)) { ++ retval = -ENOMEM; + goto out_iounmap; ++ } + + /* Set host specific parameters */ + if ((pdev->device == 
PCI_DEVICE_ID_3WARE_9650SE) || +--- a/drivers/scsi/3w-sas.c ++++ b/drivers/scsi/3w-sas.c +@@ -1594,6 +1594,7 @@ static int twl_probe(struct pci_dev *pde + + if (twl_initialize_device_extension(tw_dev)) { + TW_PRINTK(tw_dev->host, TW_DRIVER, 0x1a, "Failed to initialize device extension"); ++ retval = -ENOMEM; + goto out_free_device_extension; + } + +@@ -1608,6 +1609,7 @@ static int twl_probe(struct pci_dev *pde + tw_dev->base_addr = pci_iomap(pdev, 1, 0); + if (!tw_dev->base_addr) { + TW_PRINTK(tw_dev->host, TW_DRIVER, 0x1c, "Failed to ioremap"); ++ retval = -ENOMEM; + goto out_release_mem_region; + } + +@@ -1617,6 +1619,7 @@ static int twl_probe(struct pci_dev *pde + /* Initialize the card */ + if (twl_reset_sequence(tw_dev, 0)) { + TW_PRINTK(tw_dev->host, TW_DRIVER, 0x1d, "Controller reset failed during probe"); ++ retval = -ENOMEM; + goto out_iounmap; + } + +--- a/drivers/scsi/3w-xxxx.c ++++ b/drivers/scsi/3w-xxxx.c +@@ -2280,6 +2280,7 @@ static int tw_probe(struct pci_dev *pdev + + if (tw_initialize_device_extension(tw_dev)) { + printk(KERN_WARNING "3w-xxxx: Failed to initialize device extension."); ++ retval = -ENOMEM; + goto out_free_device_extension; + } + +@@ -2294,6 +2295,7 @@ static int tw_probe(struct pci_dev *pdev + tw_dev->base_addr = pci_resource_start(pdev, 0); + if (!tw_dev->base_addr) { + printk(KERN_WARNING "3w-xxxx: Failed to get io address."); ++ retval = -ENOMEM; + goto out_release_mem_region; + } + diff --git a/queue-4.18/scsi-lpfc-fix-driver-crash-when-re-registering-nvme-rports.patch b/queue-4.18/scsi-lpfc-fix-driver-crash-when-re-registering-nvme-rports.patch new file mode 100644 index 00000000000..69b05d1a848 --- /dev/null +++ b/queue-4.18/scsi-lpfc-fix-driver-crash-when-re-registering-nvme-rports.patch 
@@ -0,0 +1,106 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: James Smart +Date: Tue, 31 Jul 2018 17:23:21 -0700 +Subject: scsi: lpfc: Fix driver crash when re-registering NVME rports. + +From: James Smart + +[ Upstream commit 93a3922da428ec0752e8b2ab00c42dadbbf805a9 ] + +During remote port loss fault testing, the driver crashed with the +following trace: + +general protection fault: 0000 [#1] SMP +RIP: ... lpfc_nvme_register_port+0x250/0x480 [lpfc] +Call Trace: + lpfc_nlp_state_cleanup+0x1b3/0x7a0 [lpfc] + lpfc_nlp_set_state+0xa6/0x1d0 [lpfc] + lpfc_cmpl_prli_prli_issue+0x213/0x440 + lpfc_disc_state_machine+0x7e/0x1e0 [lpfc] + lpfc_cmpl_els_prli+0x18a/0x200 [lpfc] + lpfc_sli_sp_handle_rspiocb+0x3b5/0x6f0 [lpfc] + lpfc_sli_handle_slow_ring_event_s4+0x161/0x240 [lpfc] + lpfc_work_done+0x948/0x14c0 [lpfc] + lpfc_do_work+0x16f/0x180 [lpfc] + kthread+0xc9/0xe0 + ret_from_fork+0x55/0x80 + +After registering a new remoteport, the driver is pulling an ndlp pointer +from the lpfc rport associated with the private area of a newly registered +remoteport. The private area is uninitialized, so it's garbage. + +Correct by pulling the the lpfc rport pointer from the entering ndlp point, +then ndlp value from at rport. Note the entering ndlp may be replacing by +the rport->ndlp due to an address change swap. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_nvme.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +--- a/drivers/scsi/lpfc/lpfc_nvme.c ++++ b/drivers/scsi/lpfc/lpfc_nvme.c +@@ -2687,7 +2687,7 @@ lpfc_nvme_register_port(struct lpfc_vpor + struct lpfc_nvme_rport *oldrport; + struct nvme_fc_remote_port *remote_port; + struct nvme_fc_port_info rpinfo; +- struct lpfc_nodelist *prev_ndlp; ++ struct lpfc_nodelist *prev_ndlp = NULL; + + lpfc_printf_vlog(ndlp->vport, KERN_INFO, LOG_NVME_DISC, + "6006 Register NVME PORT. DID x%06x nlptype x%x\n", +@@ -2736,23 +2736,29 @@ lpfc_nvme_register_port(struct lpfc_vpor + spin_unlock_irq(&vport->phba->hbalock); + rport = remote_port->private; + if (oldrport) { ++ /* New remoteport record does not guarantee valid ++ * host private memory area. ++ */ ++ prev_ndlp = oldrport->ndlp; + if (oldrport == remote_port->private) { +- /* Same remoteport. Just reuse. */ ++ /* Same remoteport - ndlp should match. ++ * Just reuse. 
++ */ + lpfc_printf_vlog(ndlp->vport, KERN_INFO, + LOG_NVME_DISC, + "6014 Rebinding lport to " + "remoteport %p wwpn 0x%llx, " +- "Data: x%x x%x %p x%x x%06x\n", ++ "Data: x%x x%x %p %p x%x x%06x\n", + remote_port, + remote_port->port_name, + remote_port->port_id, + remote_port->port_role, ++ prev_ndlp, + ndlp, + ndlp->nlp_type, + ndlp->nlp_DID); + return 0; + } +- prev_ndlp = rport->ndlp; + + /* Sever the ndlp<->rport association + * before dropping the ndlp ref from +@@ -2786,13 +2792,13 @@ lpfc_nvme_register_port(struct lpfc_vpor + lpfc_printf_vlog(vport, KERN_INFO, + LOG_NVME_DISC | LOG_NODE, + "6022 Binding new rport to " +- "lport %p Remoteport %p WWNN 0x%llx, " ++ "lport %p Remoteport %p rport %p WWNN 0x%llx, " + "Rport WWPN 0x%llx DID " +- "x%06x Role x%x, ndlp %p\n", +- lport, remote_port, ++ "x%06x Role x%x, ndlp %p prev_ndlp %p\n", ++ lport, remote_port, rport, + rpinfo.node_name, rpinfo.port_name, + rpinfo.port_id, rpinfo.port_role, +- ndlp); ++ ndlp, prev_ndlp); + } else { + lpfc_printf_vlog(vport, KERN_ERR, + LOG_NVME_DISC | LOG_NODE, diff --git a/queue-4.18/scsi-qla2xxx-fix-session-state-stuck-in-get-port-db.patch b/queue-4.18/scsi-qla2xxx-fix-session-state-stuck-in-get-port-db.patch new file mode 100644 index 00000000000..527544f65ae --- /dev/null +++ b/queue-4.18/scsi-qla2xxx-fix-session-state-stuck-in-get-port-db.patch 
@@ -0,0 +1,40 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Quinn Tran +Date: Thu, 2 Aug 2018 13:16:50 -0700 +Subject: scsi: qla2xxx: Fix session state stuck in Get Port DB + +From: Quinn Tran + +[ Upstream commit 8fde6977ac478c00eeb2beccfdd4a6ad44219f6c ] + +This patch sets discovery state back to GNL (Get Name List) when session is +stuck at GPDB (Get Port DataBase). This will allow state machine to retry +login and move session state ahead in discovery. + +Signed-off-by: Quinn Tran +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_init.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -1074,9 +1074,12 @@ void qla24xx_handle_gpdb_event(scsi_qla_ + case PDS_PLOGI_COMPLETE: + case PDS_PRLI_PENDING: + case PDS_PRLI2_PENDING: +- ql_dbg(ql_dbg_disc, vha, 0x20d5, "%s %d %8phC relogin needed\n", +- __func__, __LINE__, fcport->port_name); +- set_bit(RELOGIN_NEEDED, &vha->dpc_flags); ++ /* Set discovery state back to GNL to Relogin attempt */ ++ if (qla_dual_mode_enabled(vha) || ++ qla_ini_mode_enabled(vha)) { ++ fcport->disc_state = DSC_GNL; ++ set_bit(RELOGIN_NEEDED, &vha->dpc_flags); ++ } + return; + case PDS_LOGO_PENDING: + case PDS_PORT_UNAVAILABLE: diff --git a/queue-4.18/scsi-qla2xxx-fix-unintended-logout.patch b/queue-4.18/scsi-qla2xxx-fix-unintended-logout.patch new file mode 100644 index 00000000000..279baf0bb33 --- /dev/null +++ b/queue-4.18/scsi-qla2xxx-fix-unintended-logout.patch 
@@ -0,0 +1,36 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Quinn Tran +Date: Thu, 2 Aug 2018 13:16:51 -0700 +Subject: scsi: qla2xxx: Fix unintended Logout + +From: Quinn Tran + +[ Upstream commit cb97f2c2e8d9f8c71ddbf04ad57e163ee6d86474 ] + +During normal IO, FW can return IO with 'port unavailble' status. Driver +would send a LOGO to remote port for session resync. On an off chance, a +PLOGI could arrive before sending the LOGO. This patch will skip sendiing +LOGO if a PLOGI just came in. + +Signed-off-by: Quinn Tran +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_target.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -982,8 +982,9 @@ void qlt_free_session_done(struct work_s + + logo.id = sess->d_id; + logo.cmd_count = 0; ++ if (!own) ++ qlt_send_first_logo(vha, &logo); + sess->send_els_logo = 0; +- qlt_send_first_logo(vha, &logo); + } + + if (sess->logout_on_delete && sess->loop_id != FC_NO_LOOP_ID) { diff --git a/queue-4.18/scsi-qla2xxx-silent-erroneous-message.patch b/queue-4.18/scsi-qla2xxx-silent-erroneous-message.patch new file mode 100644 index 00000000000..f063c5f65dd --- /dev/null +++ b/queue-4.18/scsi-qla2xxx-silent-erroneous-message.patch 
@@ -0,0 +1,48 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Quinn Tran +Date: Thu, 2 Aug 2018 13:16:48 -0700 +Subject: scsi: qla2xxx: Silent erroneous message + +From: Quinn Tran + +[ Upstream commit 3f915271b12e11183c606bed1c3dfff0983662d3 ] + +Driver uses shadow pointer instead of Mirror pointer for firmware dump +collection. Skip those entries for Mirror pointers for Request/Response +queue from firmware dump template reading. + +Following messages are printed in log messages: + + qla27xx_fwdt_entry_t268: unknown buffer 4 + qla27xx_fwdt_entry_t268: unknown buffer 5 + +This patch fixes these error messages by adding skip_entry() to not read +them from template. + +Signed-off-by: Quinn Tran +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_tmpl.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_tmpl.c ++++ b/drivers/scsi/qla2xxx/qla_tmpl.c +@@ -571,6 +571,15 @@ qla27xx_fwdt_entry_t268(struct scsi_qla_ + } + break; + ++ case T268_BUF_TYPE_REQ_MIRROR: ++ case T268_BUF_TYPE_RSP_MIRROR: ++ /* ++ * Mirror pointers are not implemented in the ++ * driver, instead shadow pointers are used by ++ * the drier. Skip these entries. ++ */ ++ qla27xx_skip_entry(ent, buf); ++ break; + default: + ql_dbg(ql_dbg_async, vha, 0xd02b, + "%s: unknown buffer %x\n", __func__, ent->t268.buf_type); diff --git a/queue-4.18/scsi-target-fix-__transport_register_session-locking.patch b/queue-4.18/scsi-target-fix-__transport_register_session-locking.patch new file mode 100644 index 00000000000..346a6bbbbf5 --- /dev/null +++ b/queue-4.18/scsi-target-fix-__transport_register_session-locking.patch 
@@ -0,0 +1,54 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Mike Christie +Date: Thu, 2 Aug 2018 12:12:20 -0500 +Subject: scsi: target: fix __transport_register_session locking + +From: Mike Christie + +[ Upstream commit 6a64f6e1591322beb8ce16e952a53582caf2a15c ] + +When __transport_register_session is called from transport_register_session +irqs will already have been disabled, so we do not want the unlock irq call +to enable them until the higher level has done the final +spin_unlock_irqrestore/ spin_unlock_irq. + +This has __transport_register_session use the save/restore call. + +Signed-off-by: Mike Christie +Reviewed-by: Bart Van Assche +Reviewed-by: Christoph Hellwig +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/target_core_transport.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -316,6 +316,7 @@ void __transport_register_session( + { + const struct target_core_fabric_ops *tfo = se_tpg->se_tpg_tfo; + unsigned char buf[PR_REG_ISID_LEN]; ++ unsigned long flags; + + se_sess->se_tpg = se_tpg; + se_sess->fabric_sess_ptr = fabric_sess_ptr; +@@ -352,7 +353,7 @@ void __transport_register_session( + se_sess->sess_bin_isid = get_unaligned_be64(&buf[0]); + } + +- spin_lock_irq(&se_nacl->nacl_sess_lock); ++ spin_lock_irqsave(&se_nacl->nacl_sess_lock, flags); + /* + * The se_nacl->nacl_sess pointer will be set to the + * last active I_T Nexus for each struct se_node_acl. +@@ -361,7 +362,7 @@ void __transport_register_session( + + list_add_tail(&se_sess->sess_acl_list, + &se_nacl->acl_sess_list); +- spin_unlock_irq(&se_nacl->nacl_sess_lock); ++ spin_unlock_irqrestore(&se_nacl->nacl_sess_lock, flags); + } + list_add_tail(&se_sess->sess_list, &se_tpg->tpg_sess_list); + 
diff --git a/queue-4.18/scsi-tcmu-do-not-set-max_blocks-if-data_bitmap-has-been-setup.patch b/queue-4.18/scsi-tcmu-do-not-set-max_blocks-if-data_bitmap-has-been-setup.patch new file mode 100644 index 00000000000..ec1fd6cdcb5 --- /dev/null +++ b/queue-4.18/scsi-tcmu-do-not-set-max_blocks-if-data_bitmap-has-been-setup.patch 
@@ -0,0 +1,138 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Mike Christie +Date: Mon, 23 Jul 2018 14:07:49 -0500 +Subject: scsi: tcmu: do not set max_blocks if data_bitmap has been setup + +From: Mike Christie + +[ Upstream commit c97840c84f5a4362a596a2751e9245a979377a16 ] + +This patch prevents a bug where data_bitmap is allocated in +tcmu_configure_device, userspace changes the max_blocks setting, the device +is mapped to a LUN, then we try to access the data_bitmap based on the new +max_blocks limit which may now be out of range. + +To prevent this, we just check if data_bitmap has been setup. If it has +then we fail the max_blocks update operation. + +Signed-off-by: Mike Christie +Reviewed-by: Xiubo Li +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/target_core_user.c | 73 ++++++++++++++++++++------------------ + 1 file changed, 40 insertions(+), 33 deletions(-) + +--- a/drivers/target/target_core_user.c ++++ b/drivers/target/target_core_user.c +@@ -1745,9 +1745,11 @@ static int tcmu_configure_device(struct + + info = &udev->uio_info; + ++ mutex_lock(&udev->cmdr_lock); + udev->data_bitmap = kcalloc(BITS_TO_LONGS(udev->max_blocks), + sizeof(unsigned long), + GFP_KERNEL); ++ mutex_unlock(&udev->cmdr_lock); + if (!udev->data_bitmap) { + ret = -ENOMEM; + goto err_bitmap_alloc; +@@ -1957,7 +1959,7 @@ static match_table_t tokens = { + {Opt_hw_block_size, "hw_block_size=%u"}, + {Opt_hw_max_sectors, "hw_max_sectors=%u"}, + {Opt_nl_reply_supported, "nl_reply_supported=%d"}, +- {Opt_max_data_area_mb, "max_data_area_mb=%u"}, ++ {Opt_max_data_area_mb, "max_data_area_mb=%d"}, + {Opt_err, NULL} + }; + +@@ -1985,13 +1987,48 @@ static int tcmu_set_dev_attrib(substring + return 0; + } + ++static int tcmu_set_max_blocks_param(struct tcmu_dev *udev, substring_t *arg) ++{ ++ int val, ret; ++ ++ ret = match_int(arg, &val); ++ if (ret < 0) { ++ pr_err("match_int() failed for max_data_area_mb=. 
Error %d.\n", ++ ret); ++ return ret; ++ } ++ ++ if (val <= 0) { ++ pr_err("Invalid max_data_area %d.\n", val); ++ return -EINVAL; ++ } ++ ++ mutex_lock(&udev->cmdr_lock); ++ if (udev->data_bitmap) { ++ pr_err("Cannot set max_data_area_mb after it has been enabled.\n"); ++ ret = -EINVAL; ++ goto unlock; ++ } ++ ++ udev->max_blocks = TCMU_MBS_TO_BLOCKS(val); ++ if (udev->max_blocks > tcmu_global_max_blocks) { ++ pr_err("%d is too large. Adjusting max_data_area_mb to global limit of %u\n", ++ val, TCMU_BLOCKS_TO_MBS(tcmu_global_max_blocks)); ++ udev->max_blocks = tcmu_global_max_blocks; ++ } ++ ++unlock: ++ mutex_unlock(&udev->cmdr_lock); ++ return ret; ++} ++ + static ssize_t tcmu_set_configfs_dev_params(struct se_device *dev, + const char *page, ssize_t count) + { + struct tcmu_dev *udev = TCMU_DEV(dev); + char *orig, *ptr, *opts, *arg_p; + substring_t args[MAX_OPT_ARGS]; +- int ret = 0, token, tmpval; ++ int ret = 0, token; + + opts = kstrdup(page, GFP_KERNEL); + if (!opts) +@@ -2044,37 +2081,7 @@ static ssize_t tcmu_set_configfs_dev_par + pr_err("kstrtoint() failed for nl_reply_supported=\n"); + break; + case Opt_max_data_area_mb: +- if (dev->export_count) { +- pr_err("Unable to set max_data_area_mb while exports exist\n"); +- ret = -EINVAL; +- break; +- } +- +- arg_p = match_strdup(&args[0]); +- if (!arg_p) { +- ret = -ENOMEM; +- break; +- } +- ret = kstrtoint(arg_p, 0, &tmpval); +- kfree(arg_p); +- if (ret < 0) { +- pr_err("kstrtoint() failed for max_data_area_mb=\n"); +- break; +- } +- +- if (tmpval <= 0) { +- pr_err("Invalid max_data_area %d\n", tmpval); +- ret = -EINVAL; +- break; +- } +- +- udev->max_blocks = TCMU_MBS_TO_BLOCKS(tmpval); +- if (udev->max_blocks > tcmu_global_max_blocks) { +- pr_err("%d is too large. Adjusting max_data_area_mb to global limit of %u\n", +- tmpval, +- TCMU_BLOCKS_TO_MBS(tcmu_global_max_blocks)); +- udev->max_blocks = tcmu_global_max_blocks; +- } ++ ret = tcmu_set_max_blocks_param(udev, &args[0]); + break; + default: + break; 
diff --git a/queue-4.18/selftests-bpf-fix-a-typo-in-map-in-map-test.patch b/queue-4.18/selftests-bpf-fix-a-typo-in-map-in-map-test.patch new file mode 100644 index 00000000000..cce72e0c15a --- /dev/null +++ b/queue-4.18/selftests-bpf-fix-a-typo-in-map-in-map-test.patch 
@@ -0,0 +1,59 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Roman Gushchin +Date: Thu, 2 Aug 2018 15:47:10 -0700 +Subject: selftests/bpf: fix a typo in map in map test + +From: Roman Gushchin + +[ Upstream commit 0069fb854364da79fd99236ea620affc8e1152d5 ] + +Commit fbeb1603bf4e ("bpf: verifier: MOV64 don't mark dst reg unbounded") +revealed a typo in commit fb30d4b71214 ("bpf: Add tests for map-in-map"): +BPF_MOV64_REG(BPF_REG_0, 0) was used instead of +BPF_MOV64_IMM(BPF_REG_0, 0). + +I've noticed the problem by running bpf kselftests. + +Fixes: fb30d4b71214 ("bpf: Add tests for map-in-map") +Signed-off-by: Roman Gushchin +Cc: Martin KaFai Lau +Cc: Arthur Fabre +Cc: Daniel Borkmann +Cc: Alexei Starovoitov +Acked-by: Martin KaFai Lau +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/test_verifier.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/tools/testing/selftests/bpf/test_verifier.c ++++ b/tools/testing/selftests/bpf/test_verifier.c +@@ -6997,7 +6997,7 @@ static struct bpf_test tests[] = { + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, + BPF_FUNC_map_lookup_elem), +- BPF_MOV64_REG(BPF_REG_0, 0), ++ BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .fixup_map_in_map = { 3 }, +@@ -7020,7 +7020,7 @@ static struct bpf_test tests[] = { + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, + BPF_FUNC_map_lookup_elem), +- BPF_MOV64_REG(BPF_REG_0, 0), ++ BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .fixup_map_in_map = { 3 }, +@@ -7042,7 +7042,7 @@ static struct bpf_test tests[] = { + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, + BPF_FUNC_map_lookup_elem), +- BPF_MOV64_REG(BPF_REG_0, 0), ++ BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .fixup_map_in_map = { 3 }, 
diff --git a/queue-4.18/series b/queue-4.18/series index 23c9da62b7a..91702edd1f5 100644 --- a/queue-4.18/series +++ b/queue-4.18/series 
@@ -39,3 +39,118 @@ x86-microcode-update-the-new-microcode-revision-unconditionally.patch x86-process-don-t-mix-user-kernel-regs-in-64bit-__show_regs.patch x86-apic-vector-make-error-return-value-negative.patch switchtec-fix-spectre-v1-vulnerability.patch +arc-enable-swap.patch +tc-testing-flush-gact-actions-on-test-teardown.patch +tc-testing-remove-duplicate-spaces-in-connmark-match-patterns.patch +misc-mic-scif-fix-scif_get_new_port-error-handling.patch +alsa-hda-realtek-add-mute-led-quirk-for-hp-spectre-x360.patch +ethtool-remove-trailing-semicolon-for-static-inline.patch +i2c-aspeed-add-an-explicit-type-casting-for-get_clk_reg_val.patch +bluetooth-h5-fix-missing-dependency-on-bt_hciuart_serdev.patch +pinctrl-berlin-fix-pctrl-functions-allocation-in-berlin_pinctrl_build_state.patch +gpio-tegra-move-driver-registration-to-subsys_init-level.patch +powerpc-powernv-fix-concurrency-issue-with-npu-mmio_atsd_usage.patch +powerpc-4xx-fix-error-return-path-in-ppc4xx_msi_probe.patch +selftests-bpf-fix-a-typo-in-map-in-map-test.patch +media-davinci-vpif_display-mix-memory-leak-on-probe-error-path.patch +media-dw2102-fix-memleak-on-sequence-of-probes.patch +net-phy-fix-the-register-offsets-in-broadcom-iproc-mdio-mux-driver.patch +scsi-qla2xxx-fix-unintended-logout.patch +scsi-qla2xxx-fix-session-state-stuck-in-get-port-db.patch +scsi-qla2xxx-silent-erroneous-message.patch +clk-scmi-fix-the-rounding-of-clock-rate.patch +blk-mq-fix-updating-tags-depth.patch +scsi-lpfc-fix-driver-crash-when-re-registering-nvme-rports.patch +scsi-target-fix-__transport_register_session-locking.patch +md-raid5-fix-data-corruption-of-replacements-after-originals-dropped.patch +timers-clear-timer_base-must_forward_clk-with-timer_base-lock-held.patch +media-camss-csid-configure-data-type-and-decode-format-properly.patch +gpu-ipu-v3-default-to-id-0-on-missing-of-alias.patch +misc-ti-st-fix-memory-leak-in-the-error-path-of-probe.patch +uio-potential-double-frees-if-__uio_register_device-fails.patch 
+firmware-vpd-fix-section-enabled-flag-on-vpd_section_destroy.patch +drivers-hv-vmbus-cleanup-synic-memory-free-path.patch +tty-rocket-fix-possible-buffer-overwrite-on-register_pci.patch +uio-fix-possible-circular-locking-dependency.patch +iwlwifi-pcie-don-t-access-periphery-registers-when-not-available.patch +ib-ipoib-set-ah-valid-flag-in-multicast-send-flow.patch +f2fs-fix-to-active-page-in-lru-list-for-read-path.patch +f2fs-do-not-set-free-of-current-section.patch +f2fs-keep-alloc_valid_block_count-in-sync.patch +f2fs-issue-discard-align-to-section-in-lfs-mode.patch +f2fs-fix-defined-but-not-used-build-warnings.patch +f2fs-fix-to-detect-looped-node-chain-correctly.patch +asoc-soc-pcm-use-delay-set-in-component-pointer-function.patch +perf-tools-allow-overriding-max_nr_cpus-at-compile-time.patch +device-dax-avoid-hang-on-error-before-devm_memremap_pages.patch +nfsv4.0-fix-client-reference-leak-in-callback.patch +perf-c2c-report-fix-crash-for-empty-browser.patch +perf-evlist-fix-error-out-while-applying-initial-delay-and-lbr.patch +powerpc-pseries-fix-eeh-recovery-of-some-iov-devices.patch +macintosh-via-pmu-add-missing-mmio-accessors.patch +perf-build-fix-installation-directory-for-ebpf.patch +ath9k-report-tx-status-on-eosp.patch +ath9k_hw-fix-channel-maximum-power-level-test.patch +ath10k-prevent-active-scans-on-potential-unusable-channels.patch +wlcore-set-rx_status-boottime_ns-field-on-rx.patch +rpmsg-core-add-support-to-power-domains-for-devices.patch +mtd-rawnand-make-subop-helpers-return-unsigned-values.patch +scsi-tcmu-do-not-set-max_blocks-if-data_bitmap-has-been-setup.patch +mips-fix-isa-virt-bus-conversion-for-non-zero-phys_offset.patch +ata-libahci-allow-reconfigure-of-devslp-register.patch +ata-libahci-correct-setting-of-devslp-register.patch +nfs-referrals-not-inheriting-proto-setting-from-parent.patch +scsi-3ware-fix-return-0-on-the-error-path-of-probe.patch +tools-testing-nvdimm-kaddr-and-pfn-can-be-null-to-direct_access.patch 
+ath10k-disable-bundle-mgmt-tx-completion-event-support.patch +media-em28xx-explicitly-disable-ts-packet-filter.patch +pci-mobiveil-add-missing-..-pci.h-include.patch +pci-mobiveil-fix-struct-mobiveil_pcie.pcie_reg_base-address-type.patch +powerpc-mm-don-t-report-puds-as-memory-leaks-when-using-kmemleak.patch +bluetooth-hidp-fix-handling-of-strncpy-for-hid-name-information.patch +x86-mm-remove-in_nmi-warning-from-vmalloc_fault.patch +x86-kexec-allocate-8k-pgds-for-pti.patch +regulator-tps65217-fix-null-pointer-dereference-on-probe.patch +pinctrl-imx-off-by-one-in-imx_pinconf_group_dbg_show.patch +gpio-pxa-disable-pinctrl-calls-for-pxa3xx.patch +gpio-ml-ioh-fix-buffer-underwrite-on-probe-error-path.patch +pinctrl-amd-only-handle-irq-if-it-is-pending-and-unmasked.patch +net-mvneta-fix-mtu-change-on-port-without-link.patch +f2fs-try-grabbing-node-page-lock-aggressively-in-sync-scenario.patch +pktcdvd-fix-possible-spectre-v1-for-pkt_devs.patch +f2fs-fix-to-skip-gc-if-type-in-ssa-and-sit-is-inconsistent.patch +tpm_tis_spi-pass-the-spi-irq-down-to-the-driver.patch +tpm-tpm_i2c_infineon-switch-to-i2c_lock_bus-...-i2c_lock_segment.patch +f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of-inline-inode.patch +mips-octeon-add-missing-of_node_put.patch +mips-generic-fix-missing-of_node_put.patch +thermal-rcar_thermal-avoid-null-dereference-in-absence-of-irq-resources.patch +thermal_hwmon-sanitize-attribute-name-passed-to-hwmon.patch +net-dcb-for-wild-card-lookups-use-priority-1-not-0.patch +dm-cache-only-allow-a-single-io_mode-cache-feature-to-be-requested.patch +input-atmel_mxt_ts-only-use-first-t9-instance.patch +media-s5p-mfc-fix-buffer-look-up-in-s5p_mfc_handle_frame_-new-copy_time-functions.patch +partitions-aix-append-null-character-to-print-data-from-disk.patch +partitions-aix-fix-usage-of-uninitialized-lv_info-and-lvname-structures.patch +media-rcar-csi2-update-stream-start-for-v3m.patch +media-helene-fix-xtal-frequency-setting-at-power-on.patch 
+drm-amd-display-prevent-psr-from-being-enabled-if-initialization-fails.patch +media-em28xx-fix-dual-transport-stream-operation.patch +iommu-arm-smmu-v3-abort-all-transactions-if-smmu-is-enabled-in-kdump-kernel.patch +f2fs-fix-to-wait-on-page-writeback-before-updating-page.patch +f2fs-fix-uninitialized-return-in-f2fs_ioc_shutdown.patch +media-em28xx-fix-dualhd-disconnect-oops.patch +f2fs-avoid-potential-deadlock-in-f2fs_sbi_store.patch +f2fs-fix-to-do-sanity-check-with-secs_per_zone.patch +mfd-rave-sp-initialize-flow-control-and-parity-of-the-port.patch +iommu-ipmmu-vmsa-fix-allocation-in-atomic-context.patch +mfd-ti_am335x_tscadc-fix-struct-clk-memory-leak.patch +f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch +f2fs-fix-to-propagate-return-value-of-scan_nat_page.patch +f2fs-fix-to-do-sanity-check-with-extra_attr-feature.patch +rdma-hns-add-illegal-hop_num-judgement.patch +nfsv4.1-fix-a-potential-layoutget-layoutrecall-deadlock.patch +rdma-hns-update-the-data-type-of-immediate-data.patch +mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch +mips-mscc-ocelot-fix-length-of-memory-address-space-for-miim.patch +rdma-cma-do-not-ignore-net-namespace-for-unbound-cm_id.patch diff --git a/queue-4.18/tc-testing-flush-gact-actions-on-test-teardown.patch b/queue-4.18/tc-testing-flush-gact-actions-on-test-teardown.patch new file mode 100644 index 00000000000..79326e87bd7 --- /dev/null +++ b/queue-4.18/tc-testing-flush-gact-actions-on-test-teardown.patch 
@@ -0,0 +1,35 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Vlad Buslov +Date: Sun, 5 Aug 2018 22:36:25 +0300 +Subject: tc-testing: flush gact actions on test teardown + +From: Vlad Buslov + +[ Upstream commit 0c62f8a820b7fdeacf5ad9f9e24b53043d372c97 ] + +Test 6fb4 creates one mirred and one pipe action, but only flushes mirred +on teardown. Leaking pipe action causes failures in other tests. + +Add additional teardown command to also flush gact actions. + +Signed-off-by: Vlad Buslov +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/tc-testing/tc-tests/actions/mirred.json | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/tc-testing/tc-tests/actions/mirred.json ++++ b/tools/testing/selftests/tc-testing/tc-tests/actions/mirred.json +@@ -44,7 +44,8 @@ + "matchPattern": "action order [0-9]*: mirred \\(Egress Redirect to device lo\\).*index 2 ref", + "matchCount": "1", + "teardown": [ +- "$TC actions flush action mirred" ++ "$TC actions flush action mirred", ++ "$TC actions flush action gact" + ] + }, + { diff --git a/queue-4.18/tc-testing-remove-duplicate-spaces-in-connmark-match-patterns.patch b/queue-4.18/tc-testing-remove-duplicate-spaces-in-connmark-match-patterns.patch new file mode 100644 index 00000000000..25d4f5a6a98 --- /dev/null +++ b/queue-4.18/tc-testing-remove-duplicate-spaces-in-connmark-match-patterns.patch 
@@ -0,0 +1,133 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Vlad Buslov +Date: Sun, 5 Aug 2018 22:36:44 +0300 +Subject: tc-testing: remove duplicate spaces in connmark match patterns + +From: Vlad Buslov + +[ Upstream commit 757a9a39d483ae415a712388c33d4042a98b751f ] + +Match patterns for some connmark tests contain duplicate whitespace that is +not present in actual tc output. This causes tests to fail because they +can't match required action, even when it was successfully created. + +Fixes: 1dad0f9ffff7 ("tc-testing: add connmark action tests") +Signed-off-by: Vlad Buslov +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/tc-testing/tc-tests/actions/connmark.json | 24 +++++----- + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/tools/testing/selftests/tc-testing/tc-tests/actions/connmark.json ++++ b/tools/testing/selftests/tc-testing/tc-tests/actions/connmark.json +@@ -17,7 +17,7 @@ + "cmdUnderTest": "$TC actions add action connmark", + "expExitCode": "0", + "verifyCmd": "$TC actions list action connmark", +- "matchPattern": "action order [0-9]+: connmark zone 0 pipe", ++ "matchPattern": "action order [0-9]+: connmark zone 0 pipe", + "matchCount": "1", + "teardown": [ + "$TC actions flush action connmark" +@@ -41,7 +41,7 @@ + "cmdUnderTest": "$TC actions add action connmark pass index 1", + "expExitCode": "0", + "verifyCmd": "$TC actions get action connmark index 1", +- "matchPattern": "action order [0-9]+: connmark zone 0 pass.*index 1 ref", ++ "matchPattern": "action order [0-9]+: connmark zone 0 pass.*index 1 ref", + "matchCount": "1", + "teardown": [ + "$TC actions flush action connmark" +@@ -65,7 +65,7 @@ + "cmdUnderTest": "$TC actions add action connmark drop index 100", + "expExitCode": "0", + "verifyCmd": "$TC actions get action connmark index 100", +- "matchPattern": "action order [0-9]+: connmark zone 0 drop.*index 100 ref", ++ 
"matchPattern": "action order [0-9]+: connmark zone 0 drop.*index 100 ref", + "matchCount": "1", + "teardown": [ + "$TC actions flush action connmark" +@@ -89,7 +89,7 @@ + "cmdUnderTest": "$TC actions add action connmark pipe index 455", + "expExitCode": "0", + "verifyCmd": "$TC actions get action connmark index 455", +- "matchPattern": "action order [0-9]+: connmark zone 0 pipe.*index 455 ref", ++ "matchPattern": "action order [0-9]+: connmark zone 0 pipe.*index 455 ref", + "matchCount": "1", + "teardown": [ + "$TC actions flush action connmark" +@@ -113,7 +113,7 @@ + "cmdUnderTest": "$TC actions add action connmark reclassify index 7", + "expExitCode": "0", + "verifyCmd": "$TC actions list action connmark", +- "matchPattern": "action order [0-9]+: connmark zone 0 reclassify.*index 7 ref", ++ "matchPattern": "action order [0-9]+: connmark zone 0 reclassify.*index 7 ref", + "matchCount": "1", + "teardown": [ + "$TC actions flush action connmark" +@@ -137,7 +137,7 @@ + "cmdUnderTest": "$TC actions add action connmark continue index 17", + "expExitCode": "0", + "verifyCmd": "$TC actions list action connmark", +- "matchPattern": "action order [0-9]+: connmark zone 0 continue.*index 17 ref", ++ "matchPattern": "action order [0-9]+: connmark zone 0 continue.*index 17 ref", + "matchCount": "1", + "teardown": [ + "$TC actions flush action connmark" +@@ -161,7 +161,7 @@ + "cmdUnderTest": "$TC actions add action connmark jump 10 index 17", + "expExitCode": "0", + "verifyCmd": "$TC actions list action connmark", +- "matchPattern": "action order [0-9]+: connmark zone 0 jump 10.*index 17 ref", ++ "matchPattern": "action order [0-9]+: connmark zone 0 jump 10.*index 17 ref", + "matchCount": "1", + "teardown": [ + "$TC actions flush action connmark" +@@ -185,7 +185,7 @@ + "cmdUnderTest": "$TC actions add action connmark zone 100 pipe index 1", + "expExitCode": "0", + "verifyCmd": "$TC actions get action connmark index 1", +- "matchPattern": "action order [0-9]+: connmark zone 100 
pipe.*index 1 ref", ++ "matchPattern": "action order [0-9]+: connmark zone 100 pipe.*index 1 ref", + "matchCount": "1", + "teardown": [ + "$TC actions flush action connmark" +@@ -209,7 +209,7 @@ + "cmdUnderTest": "$TC actions add action connmark zone 65536 reclassify index 21", + "expExitCode": "255", + "verifyCmd": "$TC actions get action connmark index 1", +- "matchPattern": "action order [0-9]+: connmark zone 65536 reclassify.*index 21 ref", ++ "matchPattern": "action order [0-9]+: connmark zone 65536 reclassify.*index 21 ref", + "matchCount": "0", + "teardown": [ + "$TC actions flush action connmark" +@@ -233,7 +233,7 @@ + "cmdUnderTest": "$TC actions add action connmark zone 655 unsupp_arg pass index 2", + "expExitCode": "255", + "verifyCmd": "$TC actions get action connmark index 2", +- "matchPattern": "action order [0-9]+: connmark zone 655 unsupp_arg pass.*index 2 ref", ++ "matchPattern": "action order [0-9]+: connmark zone 655 unsupp_arg pass.*index 2 ref", + "matchCount": "0", + "teardown": [ + "$TC actions flush action connmark" +@@ -258,7 +258,7 @@ + "cmdUnderTest": "$TC actions replace action connmark zone 555 reclassify index 555", + "expExitCode": "0", + "verifyCmd": "$TC actions get action connmark index 555", +- "matchPattern": "action order [0-9]+: connmark zone 555 reclassify.*index 555 ref", ++ "matchPattern": "action order [0-9]+: connmark zone 555 reclassify.*index 555 ref", + "matchCount": "1", + "teardown": [ + "$TC actions flush action connmark" +@@ -282,7 +282,7 @@ + "cmdUnderTest": "$TC actions add action connmark zone 555 pipe index 5 cookie aabbccddeeff112233445566778800a1", + "expExitCode": "0", + "verifyCmd": "$TC actions get action connmark index 5", +- "matchPattern": "action order [0-9]+: connmark zone 555 pipe.*index 5 ref.*cookie aabbccddeeff112233445566778800a1", ++ "matchPattern": "action order [0-9]+: connmark zone 555 pipe.*index 5 ref.*cookie aabbccddeeff112233445566778800a1", + "matchCount": "1", + "teardown": [ + "$TC 
actions flush action connmark" diff --git a/queue-4.18/thermal-rcar_thermal-avoid-null-dereference-in-absence-of-irq-resources.patch b/queue-4.18/thermal-rcar_thermal-avoid-null-dereference-in-absence-of-irq-resources.patch new file mode 100644 index 00000000000..bd21e4aa26a --- /dev/null +++ b/queue-4.18/thermal-rcar_thermal-avoid-null-dereference-in-absence-of-irq-resources.patch @@ -0,0 +1,44 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Simon Horman +Date: Tue, 24 Jul 2018 13:14:13 +0200 +Subject: thermal: rcar_thermal: avoid NULL dereference in absence of IRQ resources + +From: Simon Horman + +[ Upstream commit 542cdf4068049458e1411b120bd5a4bbe3ddc49a ] + +Ensure that the base address used by a call to rcar_thermal_common_write() +may be NULL if the SOC supports interrupts for use with the thermal device +but none are defined in DT as is the case for R-Car H1 (r8a7779). Guard +against this condition to prevent a NULL dereference when the device is +probed. + +Tested on: +* R-Mobile APE6 (r8a73a4) / APE6EVM +* R-Car H1 (r8a7779) / Marzen +* R-Car H2 (r8a7790) / Lager +* R-Car M2-W (r8a7791) / Koelsch +* R-Car M2-N (r8a7793) / Gose +* R-Car D3 ES1.0 (r8a77995) / Draak + +Fixes: 1969d9dc2079 ("thermal: rcar_thermal: add r8a77995 support") +Signed-off-by: Simon Horman +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Eduardo Valentin +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/rcar_thermal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/thermal/rcar_thermal.c ++++ b/drivers/thermal/rcar_thermal.c +@@ -598,7 +598,7 @@ static int rcar_thermal_probe(struct pla + enr_bits |= 3 << (i * 8); + } + +- if (enr_bits) ++ if (common->base && enr_bits) + rcar_thermal_common_write(common, ENR, enr_bits); + + dev_info(dev, "%d sensor probed\n", i); 
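Review bot: the new `common->base &&` test in rcar_thermal_probe() silently skips the ENR write, and nothing in the code says when common->base is NULL. The commit message gives the case (the SoC supports interrupts for the thermal device but none are defined in DT, as on R-Car H1), though its first sentence reads as if NULL were the goal rather than the hazard. A one-line comment above the `if` stating that case would keep the guard from looking like dead defensive code. It is also worth checking whether any other rcar_thermal_common_write() caller can be reached with the same NULL base.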
diff --git a/queue-4.18/thermal_hwmon-sanitize-attribute-name-passed-to-hwmon.patch b/queue-4.18/thermal_hwmon-sanitize-attribute-name-passed-to-hwmon.patch new file mode 100644 index 00000000000..f54f1c77bae --- /dev/null +++ b/queue-4.18/thermal_hwmon-sanitize-attribute-name-passed-to-hwmon.patch @@ -0,0 +1,39 @@ +From foo@baz Mon Sep 17 12:37:53 CEST 2018 +From: Marc Zyngier +Date: Tue, 10 Jul 2018 16:40:34 +0100 +Subject: thermal_hwmon: Sanitize attribute name passed to hwmon + +From: Marc Zyngier + +[ Upstream commit 409ef0bacacf72c51cc876349ae3fdf7cf726d47 ] + +My Chromebook Plus (kevin) is spitting the following at boot time: + +(NULL device *): hwmon: 'sbs-9-000b' is not a valid name attribute, please fix + +Clearly, __hwmon_device_register is unhappy about the property name. +Some investigation reveals that thermal_add_hwmon_sysfs doesn't +sanitize the name of the attribute. + +In order to keep it quiet, let's replace '-' with '_' in hwmon->type +This is consistent with what iio-hwmon does since b92fe9e3379c8. + +Signed-off-by: Marc Zyngier +Tested-by: Enric Balletbo i Serra +Signed-off-by: Eduardo Valentin +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/thermal_hwmon.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/thermal/thermal_hwmon.c ++++ b/drivers/thermal/thermal_hwmon.c +@@ -142,6 +142,7 @@ int thermal_add_hwmon_sysfs(struct therm + + INIT_LIST_HEAD(&hwmon->tz_list); + strlcpy(hwmon->type, tz->type, THERMAL_NAME_LENGTH); ++ strreplace(hwmon->type, '-', '_'); + hwmon->device = hwmon_device_register_with_info(NULL, hwmon->type, + hwmon, NULL, NULL); + if (IS_ERR(hwmon->device)) { diff --git a/queue-4.18/timers-clear-timer_base-must_forward_clk-with-timer_base-lock-held.patch b/queue-4.18/timers-clear-timer_base-must_forward_clk-with-timer_base-lock-held.patch new file mode 100644 index 00000000000..6342829b4e1 --- /dev/null 
+++ b/queue-4.18/timers-clear-timer_base-must_forward_clk-with-timer_base-lock-held.patch 
@@ -0,0 +1,98 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Gaurav Kohli +Date: Thu, 2 Aug 2018 14:21:03 +0530 +Subject: timers: Clear timer_base::must_forward_clk with timer_base::lock held + +From: Gaurav Kohli + +[ Upstream commit 363e934d8811d799c88faffc5bfca782fd728334 ] + +timer_base::must_forward_clock is indicating that the base clock might be +stale due to a long idle sleep. + +The forwarding of the base clock takes place in the timer softirq or when a +timer is enqueued to a base which is idle. If the enqueue of timer to an +idle base happens from a remote CPU, then the following race can happen: + + CPU0 CPU1 + run_timer_softirq mod_timer + + base = lock_timer_base(timer); + base->must_forward_clk = false + if (base->must_forward_clk) + forward(base); -> skipped + + enqueue_timer(base, timer, idx); + -> idx is calculated high due to + stale base + unlock_timer_base(timer); + base = lock_timer_base(timer); + forward(base); + +The root cause is that timer_base::must_forward_clk is cleared outside the +timer_base::lock held region, so the remote queuing CPU observes it as +cleared, but the base clock is still stale. This can cause large +granularity values for timers, i.e. the accuracy of the expiry time +suffers. + +Prevent this by clearing the flag with timer_base::lock held, so that the +forwarding takes place before the cleared flag is observable by a remote +CPU. 
+ +Signed-off-by: Gaurav Kohli +Signed-off-by: Thomas Gleixner +Cc: john.stultz@linaro.org +Cc: sboyd@kernel.org +Cc: linux-arm-msm@vger.kernel.org +Link: https://lkml.kernel.org/r/1533199863-22748-1-git-send-email-gkohli@codeaurora.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/timer.c | 29 ++++++++++++++++------------- + 1 file changed, 16 insertions(+), 13 deletions(-) + +--- a/kernel/time/timer.c ++++ b/kernel/time/timer.c +@@ -1657,6 +1657,22 @@ static inline void __run_timers(struct t + + raw_spin_lock_irq(&base->lock); + ++ /* ++ * timer_base::must_forward_clk must be cleared before running ++ * timers so that any timer functions that call mod_timer() will ++ * not try to forward the base. Idle tracking / clock forwarding ++ * logic is only used with BASE_STD timers. ++ * ++ * The must_forward_clk flag is cleared unconditionally also for ++ * the deferrable base. The deferrable base is not affected by idle ++ * tracking and never forwarded, so clearing the flag is a NOOP. ++ * ++ * The fact that the deferrable base is never forwarded can cause ++ * large variations in granularity for deferrable timers, but they ++ * can be deferred for long periods due to idle anyway. ++ */ ++ base->must_forward_clk = false; ++ + while (time_after_eq(jiffies, base->clk)) { + + levels = collect_expired_timers(base, heads); +@@ -1676,19 +1692,6 @@ static __latent_entropy void run_timer_s + { + struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]); + +- /* +- * must_forward_clk must be cleared before running timers so that any +- * timer functions that call mod_timer will not try to forward the +- * base. idle trcking / clock forwarding logic is only used with +- * BASE_STD timers. +- * +- * The deferrable base does not do idle tracking at all, so we do +- * not forward it. This can result in very large variations in +- * granularity for deferrable timers, but they can be deferred for +- * long periods due to idle. 
+- */ +- base->must_forward_clk = false; +- + __run_timers(base); + if (IS_ENABLED(CONFIG_NO_HZ_COMMON)) + __run_timers(this_cpu_ptr(&timer_bases[BASE_DEF])); diff --git a/queue-4.18/tools-testing-nvdimm-kaddr-and-pfn-can-be-null-to-direct_access.patch b/queue-4.18/tools-testing-nvdimm-kaddr-and-pfn-can-be-null-to-direct_access.patch new file mode 100644 index 00000000000..e4e7ed515d0 --- /dev/null +++ b/queue-4.18/tools-testing-nvdimm-kaddr-and-pfn-can-be-null-to-direct_access.patch 
@@ -0,0 +1,56 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Huaisheng Ye +Date: Mon, 30 Jul 2018 15:15:45 +0800 +Subject: tools/testing/nvdimm: kaddr and pfn can be NULL to ->direct_access() + +From: Huaisheng Ye + +[ Upstream commit 45df5d3dc0c7289c1e67afe6d2ba806ad5174314 ] + +The mock / test version of pmem_direct_access() needs to check the +validity of pointers kaddr and pfn for NULL assignment. If anyone +equals to NULL, it doesn't need to calculate the value. + +If pointer equals to NULL, that is to say callers may have no need for +kaddr or pfn, so this patch is prepared for allowing them to pass in +NULL instead of having to pass in a local pointer or variable that +they then just throw away. + +Suggested-by: Dan Williams +Signed-off-by: Huaisheng Ye +Reviewed-by: Ross Zwisler +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/nvdimm/pmem-dax.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/tools/testing/nvdimm/pmem-dax.c ++++ b/tools/testing/nvdimm/pmem-dax.c +@@ -31,17 +31,21 @@ long __pmem_direct_access(struct pmem_de + if (get_nfit_res(pmem->phys_addr + offset)) { + struct page *page; + +- *kaddr = pmem->virt_addr + offset; ++ if (kaddr) ++ *kaddr = pmem->virt_addr + offset; + page = vmalloc_to_page(pmem->virt_addr + offset); +- *pfn = page_to_pfn_t(page); ++ if (pfn) ++ *pfn = page_to_pfn_t(page); + pr_debug_ratelimited("%s: pmem: %p pgoff: %#lx pfn: %#lx\n", + __func__, pmem, pgoff, page_to_pfn(page)); + + return 1; + } + +- *kaddr = pmem->virt_addr + offset; +- *pfn = phys_to_pfn_t(pmem->phys_addr + offset, pmem->pfn_flags); ++ if (kaddr) ++ *kaddr = pmem->virt_addr + offset; ++ if (pfn) ++ *pfn = phys_to_pfn_t(pmem->phys_addr + offset, pmem->pfn_flags); + + /* + * If badblocks are present, limit known good range to the 
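Review bot: __pmem_direct_access() now accepts NULL for kaddr and pfn on both return paths, but nothing in the hunk documents that contract, and the same `if (kaddr)` / `if (pfn)` pair is written out twice. A short comment at the top of the function saying either output pointer may be NULL would make the contract visible to callers of the mock. In the get_nfit_res() branch the `page` lookup has to stay unconditional even when pfn is NULL, because pr_debug_ratelimited() still prints page_to_pfn(page).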
diff --git a/queue-4.18/tpm-tpm_i2c_infineon-switch-to-i2c_lock_bus-...-i2c_lock_segment.patch b/queue-4.18/tpm-tpm_i2c_infineon-switch-to-i2c_lock_bus-...-i2c_lock_segment.patch new file mode 100644 index 00000000000..367403ccbee --- /dev/null +++ b/queue-4.18/tpm-tpm_i2c_infineon-switch-to-i2c_lock_bus-...-i2c_lock_segment.patch 
@@ -0,0 +1,62 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Peter Rosin +Date: Wed, 20 Jun 2018 07:17:54 +0200 +Subject: tpm/tpm_i2c_infineon: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT) + +From: Peter Rosin + +[ Upstream commit bb853aac2c478ce78116128263801189408ad2a8 ] + +Locking the root adapter for __i2c_transfer will deadlock if the +device sits behind a mux-locked I2C mux. Switch to the finer-grained +i2c_lock_bus with the I2C_LOCK_SEGMENT flag. If the device does not +sit behind a mux-locked mux, the two locking variants are equivalent. + +Signed-off-by: Peter Rosin +Reviewed-by: Jarkko Sakkinen +Tested-by: Alexander Steffen +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm_i2c_infineon.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/char/tpm/tpm_i2c_infineon.c ++++ b/drivers/char/tpm/tpm_i2c_infineon.c +@@ -117,7 +117,7 @@ static int iic_tpm_read(u8 addr, u8 *buf + /* Lock the adapter for the duration of the whole sequence. 
*/ + if (!tpm_dev.client->adapter->algo->master_xfer) + return -EOPNOTSUPP; +- i2c_lock_adapter(tpm_dev.client->adapter); ++ i2c_lock_bus(tpm_dev.client->adapter, I2C_LOCK_SEGMENT); + + if (tpm_dev.chip_type == SLB9645) { + /* use a combined read for newer chips +@@ -192,7 +192,7 @@ static int iic_tpm_read(u8 addr, u8 *buf + } + + out: +- i2c_unlock_adapter(tpm_dev.client->adapter); ++ i2c_unlock_bus(tpm_dev.client->adapter, I2C_LOCK_SEGMENT); + /* take care of 'guard time' */ + usleep_range(SLEEP_DURATION_LOW, SLEEP_DURATION_HI); + +@@ -224,7 +224,7 @@ static int iic_tpm_write_generic(u8 addr + + if (!tpm_dev.client->adapter->algo->master_xfer) + return -EOPNOTSUPP; +- i2c_lock_adapter(tpm_dev.client->adapter); ++ i2c_lock_bus(tpm_dev.client->adapter, I2C_LOCK_SEGMENT); + + /* prepend the 'register address' to the buffer */ + tpm_dev.buf[0] = addr; +@@ -243,7 +243,7 @@ static int iic_tpm_write_generic(u8 addr + usleep_range(sleep_low, sleep_hi); + } + +- i2c_unlock_adapter(tpm_dev.client->adapter); ++ i2c_unlock_bus(tpm_dev.client->adapter, I2C_LOCK_SEGMENT); + /* take care of 'guard time' */ + usleep_range(SLEEP_DURATION_LOW, SLEEP_DURATION_HI); + diff --git a/queue-4.18/tpm_tis_spi-pass-the-spi-irq-down-to-the-driver.patch b/queue-4.18/tpm_tis_spi-pass-the-spi-irq-down-to-the-driver.patch new file mode 100644 index 00000000000..ac40add70e7 --- /dev/null +++ b/queue-4.18/tpm_tis_spi-pass-the-spi-irq-down-to-the-driver.patch 
@@ -0,0 +1,55 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Linus Walleij +Date: Fri, 8 Jun 2018 09:09:07 +0200 +Subject: tpm_tis_spi: Pass the SPI IRQ down to the driver + +From: Linus Walleij + +[ Upstream commit 1a339b658d9dbe1471f67b78237cf8fa08bbbeb5 ] + +An SPI TPM device managed directly on an embedded board using +the SPI bus and some GPIO or similar line as IRQ handler will +pass the IRQn from the TPM device associated with the SPI +device. This is already handled by the SPI core, so make sure +to pass this down to the core as well. + +(The TPM core habit of using -1 to signal no IRQ is dubious +(as IRQ 0 is NO_IRQ) but I do not want to mess with that +semantic in this patch.) + +Cc: Mark Brown +Signed-off-by: Linus Walleij +Reviewed-by: Jarkko Sakkinen +Tested-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm_tis_spi.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/char/tpm/tpm_tis_spi.c ++++ b/drivers/char/tpm/tpm_tis_spi.c +@@ -199,6 +199,7 @@ static const struct tpm_tis_phy_ops tpm_ + static int tpm_tis_spi_probe(struct spi_device *dev) + { + struct tpm_tis_spi_phy *phy; ++ int irq; + + phy = devm_kzalloc(&dev->dev, sizeof(struct tpm_tis_spi_phy), + GFP_KERNEL); +@@ -211,7 +212,13 @@ static int tpm_tis_spi_probe(struct spi_ + if (!phy->iobuf) + return -ENOMEM; + +- return tpm_tis_core_init(&dev->dev, &phy->priv, -1, &tpm_spi_phy_ops, ++ /* If the SPI device has an IRQ then use that */ ++ if (dev->irq > 0) ++ irq = dev->irq; ++ else ++ irq = -1; ++ ++ return tpm_tis_core_init(&dev->dev, &phy->priv, irq, &tpm_spi_phy_ops, + NULL); + } + diff --git a/queue-4.18/tty-rocket-fix-possible-buffer-overwrite-on-register_pci.patch b/queue-4.18/tty-rocket-fix-possible-buffer-overwrite-on-register_pci.patch new file mode 100644 index 00000000000..e089b1a14a9 --- /dev/null 
+++ b/queue-4.18/tty-rocket-fix-possible-buffer-overwrite-on-register_pci.patch @@ -0,0 +1,37 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Anton Vasilyev +Date: Fri, 27 Jul 2018 16:39:31 +0300 +Subject: tty: rocket: Fix possible buffer overwrite on register_PCI + +From: Anton Vasilyev + +[ Upstream commit 0419056ec8fd01ddf5460d2dba0491aad22657dd ] + +If number of isa and pci boards exceed NUM_BOARDS on the path +rp_init()->init_PCI()->register_PCI() then buffer overwrite occurs +in register_PCI() on assign rcktpt_io_addr[i]. + +The patch adds check on upper bound for index of registered +board in register_PCI. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/rocket.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/rocket.c ++++ b/drivers/tty/rocket.c +@@ -1881,7 +1881,7 @@ static __init int register_PCI(int i, st + ByteIO_t UPCIRingInd = 0; + + if (!dev || !pci_match_id(rocket_pci_ids, dev) || +- pci_enable_device(dev)) ++ pci_enable_device(dev) || i >= NUM_BOARDS) + return 0; + + rcktpt_io_addr[i] = pci_resource_start(dev, 0); diff --git a/queue-4.18/uio-fix-possible-circular-locking-dependency.patch b/queue-4.18/uio-fix-possible-circular-locking-dependency.patch new file mode 100644 index 00000000000..d2921a679b2 --- /dev/null +++ b/queue-4.18/uio-fix-possible-circular-locking-dependency.patch 
@@ -0,0 +1,117 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Xiubo Li +Date: Mon, 30 Jul 2018 03:11:48 -0400 +Subject: uio: fix possible circular locking dependency + +From: Xiubo Li + +[ Upstream commit b34e9a15b37b8ddbf06a4da142b0c39c74211eb4 ] + +The call trace: +XXX/1910 is trying to acquire lock: + (&mm->mmap_sem){++++++}, at: [] might_fault+0x57/0xb0 + +but task is already holding lock: + (&idev->info_lock){+.+...}, at: [] uio_write+0x46/0x130 [uio] + +which lock already depends on the new lock. + +the existing dependency chain (in reverse order) is: + +-> #1 (&idev->info_lock){+.+...}: + [] lock_acquire+0x99/0x1e0 + [] mutex_lock_nested+0x93/0x410 + [] uio_mmap+0x2d/0x170 [uio] + [] mmap_region+0x428/0x650 + [] do_mmap+0x3b8/0x4e0 + [] vm_mmap_pgoff+0xd3/0x120 + [] SyS_mmap_pgoff+0x1f1/0x270 + [] SyS_mmap+0x22/0x30 + [] system_call_fastpath+0x1c/0x21 + +-> #0 (&mm->mmap_sem){++++++}: + [] __lock_acquire+0xdac/0x15f0 + [] lock_acquire+0x99/0x1e0 + [] might_fault+0x84/0xb0 + [] uio_write+0xb4/0x130 [uio] + [] vfs_write+0xc3/0x1f0 + [] SyS_write+0x8a/0x100 + [] system_call_fastpath+0x1c/0x21 + +other info that might help us debug this: + Possible unsafe locking scenario: + CPU0 CPU1 + ---- ---- + lock(&idev->info_lock); + lock(&mm->mmap_sem); + lock(&idev->info_lock); + lock(&mm->mmap_sem); + + *** DEADLOCK *** +1 lock held by XXX/1910: + #0: (&idev->info_lock){+.+...}, at: [] uio_write+0x46/0x130 [uio] + +stack backtrace: +CPU: 0 PID: 1910 Comm: XXX Kdump: loaded Not tainted #1 +Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017 +Call Trace: + [] dump_stack+0x19/0x1b + [] print_circular_bug+0x1f9/0x207 + [] check_prevs_add+0x957/0x960 + [] __lock_acquire+0xdac/0x15f0 + [] ? mark_held_locks+0xb9/0x140 + [] lock_acquire+0x99/0x1e0 + [] ? might_fault+0x57/0xb0 + [] might_fault+0x84/0xb0 + [] ? might_fault+0x57/0xb0 + [] uio_write+0xb4/0x130 [uio] + [] vfs_write+0xc3/0x1f0 + [] ? 
fget_light+0xfc/0x510 + [] SyS_write+0x8a/0x100 + [] system_call_fastpath+0x1c/0x21 + +Signed-off-by: Xiubo Li +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/uio/uio.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +--- a/drivers/uio/uio.c ++++ b/drivers/uio/uio.c +@@ -622,6 +622,12 @@ static ssize_t uio_write(struct file *fi + ssize_t retval; + s32 irq_on; + ++ if (count != sizeof(s32)) ++ return -EINVAL; ++ ++ if (copy_from_user(&irq_on, buf, count)) ++ return -EFAULT; ++ + mutex_lock(&idev->info_lock); + if (!idev->info) { + retval = -EINVAL; +@@ -633,21 +639,11 @@ static ssize_t uio_write(struct file *fi + goto out; + } + +- if (count != sizeof(s32)) { +- retval = -EINVAL; +- goto out; +- } +- + if (!idev->info->irqcontrol) { + retval = -ENOSYS; + goto out; + } + +- if (copy_from_user(&irq_on, buf, count)) { +- retval = -EFAULT; +- goto out; +- } +- + retval = idev->info->irqcontrol(idev->info, irq_on); + + out: diff --git a/queue-4.18/uio-potential-double-frees-if-__uio_register_device-fails.patch b/queue-4.18/uio-potential-double-frees-if-__uio_register_device-fails.patch new file mode 100644 index 00000000000..bec2decd379 --- /dev/null +++ b/queue-4.18/uio-potential-double-frees-if-__uio_register_device-fails.patch 
@@ -0,0 +1,45 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Dan Carpenter +Date: Thu, 2 Aug 2018 11:24:47 +0300 +Subject: uio: potential double frees if __uio_register_device() fails + +From: Dan Carpenter + +[ Upstream commit f019f07ecf6a6b8bd6d7853bce70925d90af02d1 ] + +The uio_unregister_device() function assumes that if "info->uio_dev" is +non-NULL that means "info" is fully allocated. Setting info->uio_de +has to be the last thing in the function. + +In the current code, if request_threaded_irq() fails then we return with +info->uio_dev set to non-NULL but info is not fully allocated and it can +lead to double frees. + +Fixes: beafc54c4e2f ("UIO: Add the User IO core code") +Signed-off-by: Dan Carpenter +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/uio/uio.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/uio/uio.c ++++ b/drivers/uio/uio.c +@@ -955,8 +955,6 @@ int __uio_register_device(struct module + if (ret) + goto err_uio_dev_add_attributes; + +- info->uio_dev = idev; +- + if (info->irq && (info->irq != UIO_IRQ_CUSTOM)) { + /* + * Note that we deliberately don't use devm_request_irq +@@ -972,6 +970,7 @@ int __uio_register_device(struct module + goto err_request_irq; + } + ++ info->uio_dev = idev; + return 0; + + err_request_irq: diff --git a/queue-4.18/wlcore-set-rx_status-boottime_ns-field-on-rx.patch b/queue-4.18/wlcore-set-rx_status-boottime_ns-field-on-rx.patch new file mode 100644 index 00000000000..7505fc4bf73 --- /dev/null +++ b/queue-4.18/wlcore-set-rx_status-boottime_ns-field-on-rx.patch 
@@ -0,0 +1,56 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Loic Poulain +Date: Fri, 27 Jul 2018 18:30:23 +0200 +Subject: wlcore: Set rx_status boottime_ns field on rx + +From: Loic Poulain + +[ Upstream commit 37a634f60fd6dfbda2c312657eec7ef0750546e7 ] + +When receiving a beacon or probe response, we should update the +boottime_ns field which is the timestamp the frame was received at. +(cf mac80211.h) + +This fixes a scanning issue with Android since it relies on this +timestamp to determine when the AP has been seen for the last time +(via the nl80211 BSS_LAST_SEEN_BOOTTIME parameter). + +Signed-off-by: Loic Poulain +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ti/wlcore/rx.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ti/wlcore/rx.c ++++ b/drivers/net/wireless/ti/wlcore/rx.c +@@ -59,7 +59,7 @@ static u32 wlcore_rx_get_align_buf_size( + static void wl1271_rx_status(struct wl1271 *wl, + struct wl1271_rx_descriptor *desc, + struct ieee80211_rx_status *status, +- u8 beacon) ++ u8 beacon, u8 probe_rsp) + { + memset(status, 0, sizeof(struct ieee80211_rx_status)); + +@@ -106,6 +106,9 @@ static void wl1271_rx_status(struct wl12 + } + } + ++ if (beacon || probe_rsp) ++ status->boottime_ns = ktime_get_boot_ns(); ++ + if (beacon) + wlcore_set_pending_regdomain_ch(wl, (u16)desc->channel, + status->band); +@@ -191,7 +194,8 @@ static int wl1271_rx_handle_data(struct + if (ieee80211_is_data_present(hdr->frame_control)) + is_data = 1; + +- wl1271_rx_status(wl, desc, IEEE80211_SKB_RXCB(skb), beacon); ++ wl1271_rx_status(wl, desc, IEEE80211_SKB_RXCB(skb), beacon, ++ ieee80211_is_probe_resp(hdr->frame_control)); + wlcore_hw_set_rx_csum(wl, desc, skb); + + seq_num = (le16_to_cpu(hdr->seq_ctrl) & IEEE80211_SCTL_SEQ) >> 4; 
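Review bot: in wl1271_rx_status(), `status->boottime_ns = ktime_get_boot_ns();` is sampled when the driver fills in the RX status, not when the frame arrived, so the value includes whatever delay sits between reception and this call. The commit message describes the field as the timestamp the frame was received at; a comment saying the value is taken at processing time would set expectations for consumers such as the BSS_LAST_SEEN_BOOTTIME users it mentions. Separately, the function now takes two adjacent u8 flags (`beacon`, `probe_rsp`) that are easy to swap at the call site; bool parameters, or passing hdr->frame_control and testing it inside, would be less error-prone.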
diff --git a/queue-4.18/x86-kexec-allocate-8k-pgds-for-pti.patch b/queue-4.18/x86-kexec-allocate-8k-pgds-for-pti.patch new file mode 100644 index 00000000000..6b24b4bb6a8 --- /dev/null +++ b/queue-4.18/x86-kexec-allocate-8k-pgds-for-pti.patch 
@@ -0,0 +1,82 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Joerg Roedel +Date: Wed, 25 Jul 2018 17:48:03 +0200 +Subject: x86/kexec: Allocate 8k PGDs for PTI + +From: Joerg Roedel + +[ Upstream commit ca38dc8f2724d101038b1205122c93a1c7f38f11 ] + +Fuzzing the PTI-x86-32 code with trinity showed unhandled +kernel paging request oops-messages that looked a lot like +silent data corruption. + +Lot's of debugging and testing lead to the kexec-32bit code, +which is still allocating 4k PGDs when PTI is enabled. But +since it uses native_set_pud() to build the page-table, it +will unevitably call into __pti_set_user_pgtbl(), which +writes beyond the allocated 4k page. + +Use PGD_ALLOCATION_ORDER to allocate PGDs in the kexec code +to fix the issue. + +Signed-off-by: Joerg Roedel +Signed-off-by: Thomas Gleixner +Tested-by: David H. Gutteridge +Cc: "H . Peter Anvin" +Cc: linux-mm@kvack.org +Cc: Linus Torvalds +Cc: Andy Lutomirski +Cc: Dave Hansen +Cc: Josh Poimboeuf +Cc: Juergen Gross +Cc: Peter Zijlstra +Cc: Borislav Petkov +Cc: Jiri Kosina +Cc: Boris Ostrovsky +Cc: Brian Gerst +Cc: David Laight +Cc: Denys Vlasenko +Cc: Eduardo Valentin +Cc: Greg KH +Cc: Will Deacon +Cc: aliguori@amazon.com +Cc: daniel.gruss@iaik.tugraz.at +Cc: hughd@google.com +Cc: keescook@google.com +Cc: Andrea Arcangeli +Cc: Waiman Long +Cc: Pavel Machek +Cc: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: joro@8bytes.org +Link: https://lkml.kernel.org/r/1532533683-5988-4-git-send-email-joro@8bytes.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/machine_kexec_32.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/machine_kexec_32.c ++++ b/arch/x86/kernel/machine_kexec_32.c +@@ -56,7 +56,7 @@ static void load_segments(void) + + static void machine_kexec_free_page_tables(struct kimage *image) + { +- free_page((unsigned long)image->arch.pgd); ++ free_pages((unsigned 
long)image->arch.pgd, PGD_ALLOCATION_ORDER); + image->arch.pgd = NULL; + #ifdef CONFIG_X86_PAE + free_page((unsigned long)image->arch.pmd0); +@@ -72,7 +72,8 @@ static void machine_kexec_free_page_tabl + + static int machine_kexec_alloc_page_tables(struct kimage *image) + { +- image->arch.pgd = (pgd_t *)get_zeroed_page(GFP_KERNEL); ++ image->arch.pgd = (pgd_t *)__get_free_pages(GFP_KERNEL | __GFP_ZERO, ++ PGD_ALLOCATION_ORDER); + #ifdef CONFIG_X86_PAE + image->arch.pmd0 = (pmd_t *)get_zeroed_page(GFP_KERNEL); + image->arch.pmd1 = (pmd_t *)get_zeroed_page(GFP_KERNEL); diff --git a/queue-4.18/x86-mm-remove-in_nmi-warning-from-vmalloc_fault.patch b/queue-4.18/x86-mm-remove-in_nmi-warning-from-vmalloc_fault.patch new file mode 100644 index 00000000000..064359d8f22 --- /dev/null +++ b/queue-4.18/x86-mm-remove-in_nmi-warning-from-vmalloc_fault.patch 
@@ -0,0 +1,63 @@ +From foo@baz Mon Sep 17 12:37:52 CEST 2018 +From: Joerg Roedel +Date: Wed, 25 Jul 2018 17:48:01 +0200 +Subject: x86/mm: Remove in_nmi() warning from vmalloc_fault() + +From: Joerg Roedel + +[ Upstream commit 6863ea0cda8725072522cd78bda332d9a0b73150 ] + +It is perfectly okay to take page-faults, especially on the +vmalloc area while executing an NMI handler. Remove the +warning. + +Signed-off-by: Joerg Roedel +Signed-off-by: Thomas Gleixner +Tested-by: David H. Gutteridge +Cc: "H . Peter Anvin" +Cc: linux-mm@kvack.org +Cc: Linus Torvalds +Cc: Andy Lutomirski +Cc: Dave Hansen +Cc: Josh Poimboeuf +Cc: Juergen Gross +Cc: Peter Zijlstra +Cc: Borislav Petkov +Cc: Jiri Kosina +Cc: Boris Ostrovsky +Cc: Brian Gerst +Cc: David Laight +Cc: Denys Vlasenko +Cc: Eduardo Valentin +Cc: Greg KH +Cc: Will Deacon +Cc: aliguori@amazon.com +Cc: daniel.gruss@iaik.tugraz.at +Cc: hughd@google.com +Cc: keescook@google.com +Cc: Andrea Arcangeli +Cc: Waiman Long +Cc: Pavel Machek +Cc: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: joro@8bytes.org +Link: https://lkml.kernel.org/r/1532533683-5988-2-git-send-email-joro@8bytes.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/fault.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/arch/x86/mm/fault.c ++++ b/arch/x86/mm/fault.c +@@ -317,8 +317,6 @@ static noinline int vmalloc_fault(unsign + if (!(address >= VMALLOC_START && address < VMALLOC_END)) + return -1; + +- WARN_ON_ONCE(in_nmi()); +- + /* + * Synchronize this task's top level page-table + * with the 'reference' page table.
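Review bot: the removal of `WARN_ON_ONCE(in_nmi());` from vmalloc_fault() in arch/x86/mm/fault.c is justified only by the assertion that taking page faults in an NMI handler is "perfectly okay"; neither the message nor the hunk says why the warning existed or what makes the case safe now. A sentence in the remaining comment block ("Synchronize this task's top level page-table ...") noting that this path is expected to run from NMI context would keep the check from being reintroduced later.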
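Review bot: in the thermal_add_hwmon_sysfs() hunk of drivers/thermal/thermal_hwmon.c, `strreplace(hwmon->type, '-', '_');` rewrites only the one character that triggered the reported warning. If tz->type can carry other characters that hwmon name validation rejects, the "is not a valid name attribute" message will come back for those. A short comment naming the hwmon naming rule being satisfied here would also document why the copied type string is modified before registration.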
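Review bot: in the first drivers/char/tpm/tpm_i2c_infineon.c hunk (iic_tpm_read), the context comment still reads "Lock the adapter for the duration of the whole sequence" although the call below it is now `i2c_lock_bus(tpm_dev.client->adapter, I2C_LOCK_SEGMENT);`. The comment should say that the bus segment is locked, since the commit message's whole point is that locking the root adapter deadlocks behind a mux-locked mux. The four lock and unlock sites in the visible hunks do use the same flag, which is what matters for pairing.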
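Review bot: in the drivers/tty/rocket.c hunk, the new `i >= NUM_BOARDS` test is the last operand of the `||` chain in register_PCI(), so it is evaluated only after pci_enable_device(dev) has already succeeded; when the bound is exceeded the function returns 0 with the device left enabled. Putting the bound check first, ahead of the `!dev` and pci_enable_device() operands, rejects the surplus board before touching the hardware and still prevents the out-of-bounds store to rcktpt_io_addr[i].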
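Review bot: in the uio_write() hunks of drivers/uio/uio.c, moving the `count != sizeof(s32)` check and copy_from_user() ahead of mutex_lock(&idev->info_lock) changes which error a caller sees: a bad user buffer now returns -EFAULT even when idev->info is NULL or irqcontrol is missing, where the old order returned -EINVAL or -ENOSYS first. That is probably acceptable, but the commit message consists only of the lockdep splat. One sentence stating that the user copy is moved outside info_lock so that mmap_sem is never taken under it, and that the error ordering changes as a result, would make the intent reviewable.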
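Review bot: in arch/x86/kernel/machine_kexec_32.c the allocation and the free now both depend on PGD_ALLOCATION_ORDER, but neither site says why a PGD needs more than one page. A comment at machine_kexec_alloc_page_tables() recording what the commit message explains (with PTI, building the page table through native_set_pud() reaches __pti_set_user_pgtbl(), which writes beyond a 4k PGD) would stop a later cleanup from turning this back into get_zeroed_page(). The two sites must keep using the same order, so a note to that effect next to free_pages() would help as well.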