From: Sasha Levin Date: Sun, 4 Aug 2019 15:43:02 +0000 (-0400) Subject: fixes for 5.2 X-Git-Tag: v4.4.188~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bda6640c6551eafaf003ff72045929769c6ca859;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 5.2 Signed-off-by: Sasha Levin --- diff --git a/queue-5.2/acpi-blacklist-fix-clang-warning-for-unused-dmi-tabl.patch b/queue-5.2/acpi-blacklist-fix-clang-warning-for-unused-dmi-tabl.patch new file mode 100644 index 00000000000..8042970550a --- /dev/null +++ b/queue-5.2/acpi-blacklist-fix-clang-warning-for-unused-dmi-tabl.patch @@ -0,0 +1,51 @@ +From e372ba19ee26de28b572dfa2c212d1a21f65b40b Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 10 Jul 2019 15:05:43 +0200 +Subject: ACPI: blacklist: fix clang warning for unused DMI table + +[ Upstream commit b80d6a42bdc97bdb6139107d6034222e9843c6e2 ] + +When CONFIG_DMI is disabled, we only have a tentative declaration, +which causes a warning from clang: + +drivers/acpi/blacklist.c:20:35: error: tentative array definition assumed to have one element [-Werror] +static const struct dmi_system_id acpi_rev_dmi_table[] __initconst; + +As the variable is not actually used here, hide it entirely +in an #ifdef to shut up the warning. + +Signed-off-by: Arnd Bergmann +Reviewed-by: Nathan Chancellor +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/blacklist.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c +index ad2c565f5cbe0..a86a770c9b798 100644 +--- a/drivers/acpi/blacklist.c ++++ b/drivers/acpi/blacklist.c +@@ -17,7 +17,9 @@ + + #include "internal.h" + ++#ifdef CONFIG_DMI + static const struct dmi_system_id acpi_rev_dmi_table[] __initconst; ++#endif + + /* + * POLICY: If *anything* doesn't work, put it on the blacklist. +@@ -61,7 +63,9 @@ int __init acpi_blacklisted(void) + } + + (void)early_acpi_osi_init(); ++#ifdef CONFIG_DMI + dmi_check_system(acpi_rev_dmi_table); ++#endif + + return blacklisted; + } +-- +2.20.1 + diff --git a/queue-5.2/acpi-fix-false-positive-wuninitialized-warning.patch b/queue-5.2/acpi-fix-false-positive-wuninitialized-warning.patch new file mode 100644 index 00000000000..941d6e6da72 --- /dev/null +++ b/queue-5.2/acpi-fix-false-positive-wuninitialized-warning.patch @@ -0,0 +1,58 @@ +From 900cda6de355e1d3217256b3d9cfddbf9ff68bf0 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 12 Jul 2019 11:01:21 +0200 +Subject: ACPI: fix false-positive -Wuninitialized warning + +[ Upstream commit dfd6f9ad36368b8dbd5f5a2b2f0a4705ae69a323 ] + +clang gets confused by an uninitialized variable in what looks +to it like a never executed code path: + +arch/x86/kernel/acpi/boot.c:618:13: error: variable 'polarity' is uninitialized when used here [-Werror,-Wuninitialized] + polarity = polarity ? ACPI_ACTIVE_LOW : ACPI_ACTIVE_HIGH; + ^~~~~~~~ +arch/x86/kernel/acpi/boot.c:606:32: note: initialize the variable 'polarity' to silence this warning + int rc, irq, trigger, polarity; + ^ + = 0 +arch/x86/kernel/acpi/boot.c:617:12: error: variable 'trigger' is uninitialized when used here [-Werror,-Wuninitialized] + trigger = trigger ? ACPI_LEVEL_SENSITIVE : ACPI_EDGE_SENSITIVE; + ^~~~~~~ +arch/x86/kernel/acpi/boot.c:606:22: note: initialize the variable 'trigger' to silence this warning + int rc, irq, trigger, polarity; + ^ + = 0 + +This is unfortunately a design decision in clang and won't be fixed. + +Changing the acpi_get_override_irq() macro to an inline function +reliably avoids the issue. + +Signed-off-by: Arnd Bergmann +Reviewed-by: Andy Shevchenko +Reviewed-by: Nathan Chancellor +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + include/linux/acpi.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/include/linux/acpi.h b/include/linux/acpi.h +index d315d86844e49..872ab208c8ad8 100644 +--- a/include/linux/acpi.h ++++ b/include/linux/acpi.h +@@ -317,7 +317,10 @@ void acpi_set_irq_model(enum acpi_irq_model_id model, + #ifdef CONFIG_X86_IO_APIC + extern int acpi_get_override_irq(u32 gsi, int *trigger, int *polarity); + #else +-#define acpi_get_override_irq(gsi, trigger, polarity) (-1) ++static inline int acpi_get_override_irq(u32 gsi, int *trigger, int *polarity) ++{ ++ return -1; ++} + #endif + /* + * This function undoes the effect of one call to acpi_register_gsi(). +-- +2.20.1 + diff --git a/queue-5.2/arm-dts-rockchip-make-rk3288-veyron-mickey-s-emmc-wo.patch b/queue-5.2/arm-dts-rockchip-make-rk3288-veyron-mickey-s-emmc-wo.patch new file mode 100644 index 00000000000..ba989d56d77 --- /dev/null +++ b/queue-5.2/arm-dts-rockchip-make-rk3288-veyron-mickey-s-emmc-wo.patch @@ -0,0 +1,66 @@ +From 7de43171850d5192e8573aece9913c65c9896998 Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Fri, 3 May 2019 16:45:37 -0700 +Subject: ARM: dts: rockchip: Make rk3288-veyron-mickey's emmc work again + +[ Upstream commit 99fa066710f75f18f4d9a5bc5f6a711968a581d5 ] + +When I try to boot rk3288-veyron-mickey I totally fail to make the +eMMC work. Specifically my logs (on Chrome OS 4.19): + + mmc_host mmc1: card is non-removable. + mmc_host mmc1: Bus speed (slot 0) = 400000Hz (slot req 400000Hz, actual 400000HZ div = 0) + mmc_host mmc1: Bus speed (slot 0) = 50000000Hz (slot req 52000000Hz, actual 50000000HZ div = 0) + mmc1: switch to bus width 8 failed + mmc1: switch to bus width 4 failed + mmc1: new high speed MMC card at address 0001 + mmcblk1: mmc1:0001 HAG2e 14.7 GiB + mmcblk1boot0: mmc1:0001 HAG2e partition 1 4.00 MiB + mmcblk1boot1: mmc1:0001 HAG2e partition 2 4.00 MiB + mmcblk1rpmb: mmc1:0001 HAG2e partition 3 4.00 MiB, chardev (243:0) + mmc_host mmc1: Bus speed (slot 0) = 400000Hz (slot req 400000Hz, actual 400000HZ div = 0) + mmc_host mmc1: Bus speed (slot 0) = 50000000Hz (slot req 52000000Hz, actual 50000000HZ div = 0) + mmc1: switch to bus width 8 failed + mmc1: switch to bus width 4 failed + mmc1: tried to HW reset card, got error -110 + mmcblk1: error -110 requesting status + mmcblk1: recovery failed! + print_req_error: I/O error, dev mmcblk1, sector 0 + ... + +When I remove the '/delete-property/mmc-hs200-1_8v' then everything is +hunky dory. + +That line comes from the original submission of the mickey dts +upstream, so presumably at the time the HS200 was failing and just +enumerating things as a high speed device was fine. ...or maybe it's +just that some mickey devices work when enumerating at "high speed", +just not mine? + +In any case, hs200 seems good now. Let's turn it on. + +Signed-off-by: Douglas Anderson +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/rk3288-veyron-mickey.dts | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/arch/arm/boot/dts/rk3288-veyron-mickey.dts b/arch/arm/boot/dts/rk3288-veyron-mickey.dts +index e852594417b58..b13f87792e9f0 100644 +--- a/arch/arm/boot/dts/rk3288-veyron-mickey.dts ++++ b/arch/arm/boot/dts/rk3288-veyron-mickey.dts +@@ -128,10 +128,6 @@ + }; + }; + +-&emmc { +- /delete-property/mmc-hs200-1_8v; +-}; +- + &i2c2 { + status = "disabled"; + }; +-- +2.20.1 + diff --git a/queue-5.2/arm-dts-rockchip-make-rk3288-veyron-minnie-run-at-hs.patch b/queue-5.2/arm-dts-rockchip-make-rk3288-veyron-minnie-run-at-hs.patch new file mode 100644 index 00000000000..532ce52e542 --- /dev/null +++ b/queue-5.2/arm-dts-rockchip-make-rk3288-veyron-minnie-run-at-hs.patch @@ -0,0 +1,57 @@ +From a79d002a64ebfa24d63f2f8be3c55af9c82a7aa9 Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Fri, 3 May 2019 16:41:42 -0700 +Subject: ARM: dts: rockchip: Make rk3288-veyron-minnie run at hs200 + +[ Upstream commit 1c0479023412ab7834f2e98b796eb0d8c627cd62 ] + +As some point hs200 was failing on rk3288-veyron-minnie. See commit +984926781122 ("ARM: dts: rockchip: temporarily remove emmc hs200 speed +from rk3288 minnie"). Although I didn't track down exactly when it +started working, it seems to work OK now, so let's turn it back on. + +To test this, I booted from SD card and then used this script to +stress the enumeration process after fixing a memory leak [1]: + cd /sys/bus/platform/drivers/dwmmc_rockchip + for i in $(seq 1 3000); do + echo "========================" $i + echo ff0f0000.dwmmc > unbind + sleep .5 + echo ff0f0000.dwmmc > bind + while true; do + if [ -e /dev/mmcblk2 ]; then + break; + fi + sleep .1 + done + done + +It worked fine. + +[1] https://lkml.kernel.org/r/20190503233526.226272-1-dianders@chromium.org + +Signed-off-by: Douglas Anderson +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/rk3288-veyron-minnie.dts | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/arch/arm/boot/dts/rk3288-veyron-minnie.dts b/arch/arm/boot/dts/rk3288-veyron-minnie.dts +index 468a1818545d1..ce57881625eca 100644 +--- a/arch/arm/boot/dts/rk3288-veyron-minnie.dts ++++ b/arch/arm/boot/dts/rk3288-veyron-minnie.dts +@@ -90,10 +90,6 @@ + pwm-off-delay-ms = <200>; + }; + +-&emmc { +- /delete-property/mmc-hs200-1_8v; +-}; +- + &gpio_keys { + pinctrl-0 = <&pwr_key_l &ap_lid_int_l &volum_down_l &volum_up_l>; + +-- +2.20.1 + diff --git a/queue-5.2/arm-dts-rockchip-mark-that-the-rk3288-timer-might-st.patch b/queue-5.2/arm-dts-rockchip-mark-that-the-rk3288-timer-might-st.patch new file mode 100644 index 00000000000..e6e8bddff5e --- /dev/null +++ b/queue-5.2/arm-dts-rockchip-mark-that-the-rk3288-timer-might-st.patch @@ -0,0 +1,48 @@ +From 19ceb8defa3a8000562a22894e809ccfd9356039 Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Tue, 21 May 2019 16:49:33 -0700 +Subject: ARM: dts: rockchip: Mark that the rk3288 timer might stop in suspend + +[ Upstream commit 8ef1ba39a9fa53d2205e633bc9b21840a275908e ] + +This is similar to commit e6186820a745 ("arm64: dts: rockchip: Arch +counter doesn't tick in system suspend"). Specifically on the rk3288 +it can be seen that the timer stops ticking in suspend if we end up +running through the "osc_disable" path in rk3288_slp_mode_set(). In +that path the 24 MHz clock will turn off and the timer stops. + +To test this, I ran this on a Chrome OS filesystem: + before=$(date); \ + suspend_stress_test -c1 --suspend_min=30 --suspend_max=31; \ + echo ${before}; date + +...and I found that unless I plug in a device that requests USB wakeup +to be active that the two calls to "date" would show that fewer than +30 seconds passed. + +NOTE: deep suspend (where the 24 MHz clock gets disabled) isn't +supported yet on upstream Linux so this was tested on a downstream +kernel. + +Signed-off-by: Douglas Anderson +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/rk3288.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/boot/dts/rk3288.dtsi b/arch/arm/boot/dts/rk3288.dtsi +index aa017abf4f421..f7bc886a4b513 100644 +--- a/arch/arm/boot/dts/rk3288.dtsi ++++ b/arch/arm/boot/dts/rk3288.dtsi +@@ -231,6 +231,7 @@ + , + ; + clock-frequency = <24000000>; ++ arm,no-tick-in-suspend; + }; + + timer: timer@ff810000 { +-- +2.20.1 + diff --git a/queue-5.2/arm-exynos-only-build-mcpm-support-if-used.patch b/queue-5.2/arm-exynos-only-build-mcpm-support-if-used.patch new file mode 100644 index 00000000000..55d7c7e97e0 --- /dev/null +++ b/queue-5.2/arm-exynos-only-build-mcpm-support-if-used.patch @@ -0,0 +1,97 @@ +From a3719ec174a4f4d8c85a687b12351cbf21c07d5c Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 19 Jun 2019 14:55:29 +0200 +Subject: ARM: exynos: Only build MCPM support if used + +[ Upstream commit 24d2c73ff28bcda48607eacc4bc804002dbf78d9 ] + +We get a link error for configurations that enable an Exynos +SoC that does not require MCPM, but then manually enable +MCPM anyway without also turning on the arm-cci: + +arch/arm/mach-exynos/mcpm-exynos.o: In function `exynos_pm_power_up_setup': +mcpm-exynos.c:(.text+0x8): undefined reference to `cci_enable_port_for_self' + +Change it back to only build the code we actually need, by +introducing a CONFIG_EXYNOS_MCPM that serves the same purpose +as the older CONFIG_EXYNOS5420_MCPM. + +Fixes: 2997520c2d4e ("ARM: exynos: Set MCPM as mandatory for Exynos542x/5800 SoCs") +Signed-off-by: Arnd Bergmann +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm/mach-exynos/Kconfig | 6 +++++- + arch/arm/mach-exynos/Makefile | 2 +- + arch/arm/mach-exynos/suspend.c | 6 +++--- + 3 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/mach-exynos/Kconfig b/arch/arm/mach-exynos/Kconfig +index 1c518b8ee520c..21a59efd1a2c4 100644 +--- a/arch/arm/mach-exynos/Kconfig ++++ b/arch/arm/mach-exynos/Kconfig +@@ -106,7 +106,7 @@ config SOC_EXYNOS5420 + bool "SAMSUNG EXYNOS5420" + default y + depends on ARCH_EXYNOS5 +- select MCPM if SMP ++ select EXYNOS_MCPM if SMP + select ARM_CCI400_PORT_CTRL + select ARM_CPU_SUSPEND + +@@ -115,6 +115,10 @@ config SOC_EXYNOS5800 + default y + depends on SOC_EXYNOS5420 + ++config EXYNOS_MCPM ++ bool ++ select MCPM ++ + config EXYNOS_CPU_SUSPEND + bool + select ARM_CPU_SUSPEND +diff --git a/arch/arm/mach-exynos/Makefile b/arch/arm/mach-exynos/Makefile +index 264dbaa89c3db..5abf3db23912b 100644 +--- a/arch/arm/mach-exynos/Makefile ++++ b/arch/arm/mach-exynos/Makefile +@@ -18,5 +18,5 @@ plus_sec := $(call as-instr,.arch_extension sec,+sec) + AFLAGS_exynos-smc.o :=-Wa,-march=armv7-a$(plus_sec) + AFLAGS_sleep.o :=-Wa,-march=armv7-a$(plus_sec) + +-obj-$(CONFIG_MCPM) += mcpm-exynos.o ++obj-$(CONFIG_EXYNOS_MCPM) += mcpm-exynos.o + CFLAGS_mcpm-exynos.o += -march=armv7-a +diff --git a/arch/arm/mach-exynos/suspend.c b/arch/arm/mach-exynos/suspend.c +index be122af0de8f8..8b1e6ab8504f0 100644 +--- a/arch/arm/mach-exynos/suspend.c ++++ b/arch/arm/mach-exynos/suspend.c +@@ -268,7 +268,7 @@ static int exynos5420_cpu_suspend(unsigned long arg) + unsigned int cluster = MPIDR_AFFINITY_LEVEL(mpidr, 1); + unsigned int cpu = MPIDR_AFFINITY_LEVEL(mpidr, 0); + +- if (IS_ENABLED(CONFIG_MCPM)) { ++ if (IS_ENABLED(CONFIG_EXYNOS_MCPM)) { + mcpm_set_entry_vector(cpu, cluster, exynos_cpu_resume); + mcpm_cpu_suspend(); + } +@@ -351,7 +351,7 @@ static void exynos5420_pm_prepare(void) + exynos_pm_enter_sleep_mode(); + + /* ensure at least INFORM0 has the resume address */ +- if (IS_ENABLED(CONFIG_MCPM)) ++ if (IS_ENABLED(CONFIG_EXYNOS_MCPM)) + pmu_raw_writel(__pa_symbol(mcpm_entry_point), S5P_INFORM0); + + tmp = pmu_raw_readl(EXYNOS_L2_OPTION(0)); +@@ -455,7 +455,7 @@ static void exynos5420_prepare_pm_resume(void) + mpidr = read_cpuid_mpidr(); + cluster = MPIDR_AFFINITY_LEVEL(mpidr, 1); + +- if (IS_ENABLED(CONFIG_MCPM)) ++ if (IS_ENABLED(CONFIG_EXYNOS_MCPM)) + WARN_ON(mcpm_cpu_powered_up()); + + if (IS_ENABLED(CONFIG_HW_PERF_EVENTS) && cluster != 0) { +-- +2.20.1 + diff --git a/queue-5.2/arm-riscpc-fix-dma.patch b/queue-5.2/arm-riscpc-fix-dma.patch new file mode 100644 index 00000000000..13d8f86bb7f --- /dev/null +++ b/queue-5.2/arm-riscpc-fix-dma.patch @@ -0,0 +1,48 @@ +From 4cea2a5d928fb6025801a843734d6bf0d85bfc6e Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Thu, 2 May 2019 17:19:18 +0100 +Subject: ARM: riscpc: fix DMA + +[ Upstream commit ffd9a1ba9fdb7f2bd1d1ad9b9243d34e96756ba2 ] + +DMA got broken a while back in two different ways: +1) a change in the behaviour of disable_irq() to wait for the interrupt + to finish executing causes us to deadlock at the end of DMA. +2) a change to avoid modifying the scatterlist left the first transfer + uninitialised. + +DMA is only used with expansion cards, so has gone unnoticed. + +Fixes: fa4e99899932 ("[ARM] dma: RiscPC: don't modify DMA SG entries") +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mach-rpc/dma.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-rpc/dma.c b/arch/arm/mach-rpc/dma.c +index 488d5c3b37f44..799e0b016b622 100644 +--- a/arch/arm/mach-rpc/dma.c ++++ b/arch/arm/mach-rpc/dma.c +@@ -128,7 +128,7 @@ static irqreturn_t iomd_dma_handle(int irq, void *dev_id) + } while (1); + + idma->state = ~DMA_ST_AB; +- disable_irq(irq); ++ disable_irq_nosync(irq); + + return IRQ_HANDLED; + } +@@ -177,6 +177,9 @@ static void iomd_enable_dma(unsigned int chan, dma_t *dma) + DMA_FROM_DEVICE : DMA_TO_DEVICE); + } + ++ idma->dma_addr = idma->dma.sg->dma_address; ++ idma->dma_len = idma->dma.sg->length; ++ + iomd_writeb(DMA_CR_C, dma_base + CR); + idma->state = DMA_ST_AB; + } +-- +2.20.1 + diff --git a/queue-5.2/arm64-dts-marvell-mcbin-enlarge-pci-memory-window.patch b/queue-5.2/arm64-dts-marvell-mcbin-enlarge-pci-memory-window.patch new file mode 100644 index 00000000000..ca98ddcb241 --- /dev/null +++ b/queue-5.2/arm64-dts-marvell-mcbin-enlarge-pci-memory-window.patch @@ -0,0 +1,47 @@ +From 6f13501d59cd37c8a75b64ee040e7613c41539d3 Mon Sep 17 00:00:00 2001 +From: Heinrich Schuchardt +Date: Fri, 17 May 2019 18:11:23 +0200 +Subject: arm64: dts: marvell: mcbin: enlarge PCI memory window + +[ Upstream commit d3446b266a8c72a7bbc94b65f5fc6d206be77d24 ] + +Running a graphics adapter on the MACCHIATObin fails due to an +insufficiently sized memory window. + +Enlarge the memory window for the PCIe slot to 512 MiB. + +With the patch I am able to use a GT710 graphics adapter with 1 GB onboard +memory. + +These are the mapped memory areas that the graphics adapter is actually +using: + +Region 0: Memory at cc000000 (32-bit, non-prefetchable) [size=16M] +Region 1: Memory at c0000000 (64-bit, prefetchable) [size=128M] +Region 3: Memory at c8000000 (64-bit, prefetchable) [size=32M] +Region 5: I/O ports at 1000 [size=128] +Expansion ROM at ca000000 [disabled] [size=512K] + +Signed-off-by: Heinrich Schuchardt +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/marvell/armada-8040-mcbin.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/marvell/armada-8040-mcbin.dtsi b/arch/arm64/boot/dts/marvell/armada-8040-mcbin.dtsi +index 329f8ceeebea1..205071b45a324 100644 +--- a/arch/arm64/boot/dts/marvell/armada-8040-mcbin.dtsi ++++ b/arch/arm64/boot/dts/marvell/armada-8040-mcbin.dtsi +@@ -184,6 +184,8 @@ + num-lanes = <4>; + num-viewport = <8>; + reset-gpios = <&cp0_gpio2 20 GPIO_ACTIVE_LOW>; ++ ranges = <0x81000000 0x0 0xf9010000 0x0 0xf9010000 0x0 0x10000 ++ 0x82000000 0x0 0xc0000000 0x0 0xc0000000 0x0 0x20000000>; + status = "okay"; + }; + +-- +2.20.1 + diff --git a/queue-5.2/arm64-dts-qcom-qcs404-evb-fix-l3-min-voltage.patch b/queue-5.2/arm64-dts-qcom-qcs404-evb-fix-l3-min-voltage.patch new file mode 100644 index 00000000000..b620654ea54 --- /dev/null +++ b/queue-5.2/arm64-dts-qcom-qcs404-evb-fix-l3-min-voltage.patch @@ -0,0 +1,45 @@ +From f0dbc8bc45b9a47bbf3145d06816dad4f62a2847 Mon Sep 17 00:00:00 2001 +From: Niklas Cassel +Date: Thu, 25 Apr 2019 14:34:01 +0200 +Subject: arm64: dts: qcom: qcs404-evb: fix l3 min voltage + +[ Upstream commit 887b528c958f40b064d53edd0bfa9fea3a69eccd ] + +The current l3 min voltage level is not supported by +the regulator (the voltage is not a multiple of the regulator step size), +so a driver requesting this exact voltage would fail, see discussion in: +https://patchwork.kernel.org/comment/22461199/ + +It was agreed upon to set a min voltage level that is a multiple of the +regulator step size. + +There was actually a patch sent that did this: +https://patchwork.kernel.org/patch/10819313/ + +However, the commit 331ab98f8c4a ("arm64: dts: qcom: qcs404: +Fix voltages l3") that was applied is not identical to that patch. + +Signed-off-by: Niklas Cassel +Signed-off-by: Bjorn Andersson +Signed-off-by: Andy Gross +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/qcs404-evb.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/qcs404-evb.dtsi b/arch/arm64/boot/dts/qcom/qcs404-evb.dtsi +index 2c3127167e3c2..d987d6741e40b 100644 +--- a/arch/arm64/boot/dts/qcom/qcs404-evb.dtsi ++++ b/arch/arm64/boot/dts/qcom/qcs404-evb.dtsi +@@ -118,7 +118,7 @@ + }; + + vreg_l3_1p05: l3 { +- regulator-min-microvolt = <1050000>; ++ regulator-min-microvolt = <1048000>; + regulator-max-microvolt = <1160000>; + }; + +-- +2.20.1 + diff --git a/queue-5.2/arm64-dts-rockchip-fix-isp-iommu-clocks-and-power-do.patch b/queue-5.2/arm64-dts-rockchip-fix-isp-iommu-clocks-and-power-do.patch new file mode 100644 index 00000000000..b1655fcbedc --- /dev/null +++ b/queue-5.2/arm64-dts-rockchip-fix-isp-iommu-clocks-and-power-do.patch @@ -0,0 +1,63 @@ +From bc56883c05042cc6b3325399ada32993ab5aba6e Mon Sep 17 00:00:00 2001 +From: Helen Koike +Date: Mon, 3 Jun 2019 11:22:15 -0300 +Subject: arm64: dts: rockchip: fix isp iommu clocks and power domain + +[ Upstream commit c432a29d3fc9ee928caeca2f5cf68b3aebfa6817 ] + +isp iommu requires wrapper variants of the clocks. +noc variants are always on and using the wrapper variants will activate +{A,H}CLK_ISP{0,1} due to the hierarchy. + +Tested using the pending isp patch set (which is not upstream +yet). Without this patch, streaming from the isp stalls. + +Also add the respective power domain and remove the "disabled" status. + +Refer: + RK3399 TRM v1.4 Fig. 2-4 RK3399 Clock Architecture Diagram + RK3399 TRM v1.4 Fig. 8-1 RK3399 Power Domain Partition + +Signed-off-by: Helen Koike +Tested-by: Manivannan Sadhasivam +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399.dtsi b/arch/arm64/boot/dts/rockchip/rk3399.dtsi +index 196ac9b780768..89594a7276f40 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399.dtsi +@@ -1706,11 +1706,11 @@ + reg = <0x0 0xff914000 0x0 0x100>, <0x0 0xff915000 0x0 0x100>; + interrupts = ; + interrupt-names = "isp0_mmu"; +- clocks = <&cru ACLK_ISP0_NOC>, <&cru HCLK_ISP0_NOC>; ++ clocks = <&cru ACLK_ISP0_WRAPPER>, <&cru HCLK_ISP0_WRAPPER>; + clock-names = "aclk", "iface"; + #iommu-cells = <0>; ++ power-domains = <&power RK3399_PD_ISP0>; + rockchip,disable-mmu-reset; +- status = "disabled"; + }; + + isp1_mmu: iommu@ff924000 { +@@ -1718,11 +1718,11 @@ + reg = <0x0 0xff924000 0x0 0x100>, <0x0 0xff925000 0x0 0x100>; + interrupts = ; + interrupt-names = "isp1_mmu"; +- clocks = <&cru ACLK_ISP1_NOC>, <&cru HCLK_ISP1_NOC>; ++ clocks = <&cru ACLK_ISP1_WRAPPER>, <&cru HCLK_ISP1_WRAPPER>; + clock-names = "aclk", "iface"; + #iommu-cells = <0>; ++ power-domains = <&power RK3399_PD_ISP1>; + rockchip,disable-mmu-reset; +- status = "disabled"; + }; + + hdmi_sound: hdmi-sound { +-- +2.20.1 + diff --git a/queue-5.2/arm64-dts-rockchip-fix-usb3-type-c-on-rk3399-sapphir.patch b/queue-5.2/arm64-dts-rockchip-fix-usb3-type-c-on-rk3399-sapphir.patch new file mode 100644 index 00000000000..a1378df8aa7 --- /dev/null +++ b/queue-5.2/arm64-dts-rockchip-fix-usb3-type-c-on-rk3399-sapphir.patch @@ -0,0 +1,66 @@ +From cfed18be90113f91474ae3da0911ea0190e33f66 Mon Sep 17 00:00:00 2001 +From: Vicente Bergas +Date: Thu, 27 Jun 2019 15:12:28 +0200 +Subject: arm64: dts: rockchip: Fix USB3 Type-C on rk3399-sapphire + +[ Upstream commit e1d9149e8389f1690cdd4e4056766dd26488a0fe ] + +Before this patch, the Type-C port on the Sapphire board is dead. +If setting the 'regulator-always-on' property to 'vcc5v0_typec0' +then the port works for about 4 seconds at start-up. This is a +sample trace with a memory stick plugged in: +1.- The memory stick LED lights on and kernel reports: +[ 4.782999] scsi 0:0:0:0: Direct-Access USB DISK PMAP PQ: 0 ANSI: 4 +[ 5.904580] sd 0:0:0:0: [sdb] 3913344 512-byte logical blocks: (2.00 GB/1.87 GiB) +[ 5.906860] sd 0:0:0:0: [sdb] Write Protect is off +[ 5.908973] sd 0:0:0:0: [sdb] Mode Sense: 23 00 00 00 +[ 5.909122] sd 0:0:0:0: [sdb] No Caching mode page found +[ 5.911214] sd 0:0:0:0: [sdb] Assuming drive cache: write through +[ 5.951585] sdb: sdb1 +[ 5.954816] sd 0:0:0:0: [sdb] Attached SCSI removable disk +2.- 4 seconds later the memory stick LED lights off and kernel reports: +[ 9.082822] phy phy-ff770000.syscon:usb2-phy@e450.2: charger = USB_DCP_CHARGER +3.- After a minute the kernel reports: +[ 71.666761] usb 5-1: USB disconnect, device number 2 +It has been checked that, although the LED is off, VBUS is present. + +If, instead, the dr_mode is changed to host and the phy-supply changed +accordingly, then it works. It has only been tested in host mode. + +Signed-off-by: Vicente Bergas +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399-sapphire.dtsi | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-sapphire.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-sapphire.dtsi +index 04623e52ac5db..1bc1579674e57 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-sapphire.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-sapphire.dtsi +@@ -565,12 +565,11 @@ + status = "okay"; + + u2phy0_otg: otg-port { +- phy-supply = <&vcc5v0_typec0>; + status = "okay"; + }; + + u2phy0_host: host-port { +- phy-supply = <&vcc5v0_host>; ++ phy-supply = <&vcc5v0_typec0>; + status = "okay"; + }; + }; +@@ -620,7 +619,7 @@ + + &usbdrd_dwc3_0 { + status = "okay"; +- dr_mode = "otg"; ++ dr_mode = "host"; + }; + + &usbdrd3_1 { +-- +2.20.1 + diff --git a/queue-5.2/arm64-qcom-qcs404-add-reset-cells-to-gcc-node.patch b/queue-5.2/arm64-qcom-qcs404-add-reset-cells-to-gcc-node.patch new file mode 100644 index 00000000000..4bd1d79750d --- /dev/null +++ b/queue-5.2/arm64-qcom-qcs404-add-reset-cells-to-gcc-node.patch @@ -0,0 +1,45 @@ +From 5d51a8e920aad05fd02436ca93d58f72b023a7d9 Mon Sep 17 00:00:00 2001 +From: Andy Gross +Date: Sat, 8 Jun 2019 23:19:32 -0500 +Subject: arm64: qcom: qcs404: Add reset-cells to GCC node + +[ Upstream commit 0763d0c2273a3c72247d325c48fbac3d918d6b87 ] + +This patch adds a reset-cells property to the gcc controller on the QCS404. +Without this in place, we get warnings like the following if nodes reference +a gcc reset: + +arch/arm64/boot/dts/qcom/qcs404.dtsi:261.38-310.5: Warning (resets_property): +/soc@0/remoteproc@b00000: Missing property '#reset-cells' in node +/soc@0/clock-controller@1800000 or bad phandle (referred from resets[0]) + also defined at arch/arm64/boot/dts/qcom/qcs404-evb.dtsi:82.18-84.3 + DTC arch/arm64/boot/dts/qcom/qcs404-evb-4000.dtb +arch/arm64/boot/dts/qcom/qcs404.dtsi:261.38-310.5: Warning (resets_property): +/soc@0/remoteproc@b00000: Missing property '#reset-cells' in node +/soc@0/clock-controller@1800000 or bad phandle (referred from resets[0]) + also defined at arch/arm64/boot/dts/qcom/qcs404-evb.dtsi:82.18-84.3 + +Signed-off-by: Andy Gross +Reviewed-by: Niklas Cassel +Reviewed-by: Vinod Koul +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/qcs404.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/qcom/qcs404.dtsi b/arch/arm64/boot/dts/qcom/qcs404.dtsi +index ffedf9640af7d..65a2cbeb28bec 100644 +--- a/arch/arm64/boot/dts/qcom/qcs404.dtsi ++++ b/arch/arm64/boot/dts/qcom/qcs404.dtsi +@@ -383,6 +383,7 @@ + compatible = "qcom,gcc-qcs404"; + reg = <0x01800000 0x80000>; + #clock-cells = <1>; ++ #reset-cells = <1>; + + assigned-clocks = <&gcc GCC_APSS_AHB_CLK_SRC>; + assigned-clock-rates = <19200000>; +-- +2.20.1 + diff --git a/queue-5.2/be2net-signal-that-the-device-cannot-transmit-during.patch b/queue-5.2/be2net-signal-that-the-device-cannot-transmit-during.patch new file mode 100644 index 00000000000..8f5833fb68d --- /dev/null +++ b/queue-5.2/be2net-signal-that-the-device-cannot-transmit-during.patch @@ -0,0 +1,44 @@ +From 6a3a40b66086b70f6b8813f1805e4ca74c819715 Mon Sep 17 00:00:00 2001 +From: Benjamin Poirier +Date: Tue, 16 Jul 2019 17:16:55 +0900 +Subject: be2net: Signal that the device cannot transmit during reconfiguration + +[ Upstream commit 7429c6c0d9cb086d8e79f0d2a48ae14851d2115e ] + +While changing the number of interrupt channels, be2net stops adapter +operation (including netif_tx_disable()) but it doesn't signal that it +cannot transmit. This may lead dev_watchdog() to falsely trigger during +that time. + +Add the missing call to netif_carrier_off(), following the pattern used in +many other drivers. netif_carrier_on() is already taken care of in +be_open(). + +Signed-off-by: Benjamin Poirier +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_main.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index 82015c8a5ed73..b7a246b335990 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -4697,8 +4697,12 @@ int be_update_queues(struct be_adapter *adapter) + struct net_device *netdev = adapter->netdev; + int status; + +- if (netif_running(netdev)) ++ if (netif_running(netdev)) { ++ /* device cannot transmit now, avoid dev_watchdog timeouts */ ++ netif_carrier_off(netdev); ++ + be_close(netdev); ++ } + + be_cancel_worker(adapter); + +-- +2.20.1 + diff --git a/queue-5.2/bpf-disable-gcc-fgcse-optimization-for-___bpf_prog_r.patch b/queue-5.2/bpf-disable-gcc-fgcse-optimization-for-___bpf_prog_r.patch new file mode 100644 index 00000000000..5e4d6ed2fc2 --- /dev/null +++ b/queue-5.2/bpf-disable-gcc-fgcse-optimization-for-___bpf_prog_r.patch @@ -0,0 +1,110 @@ +From 39d2fd68efe742a2ce5bca00b4e5c1aae6cd9832 Mon Sep 17 00:00:00 2001 +From: Josh Poimboeuf +Date: Wed, 17 Jul 2019 20:36:45 -0500 +Subject: bpf: Disable GCC -fgcse optimization for ___bpf_prog_run() + +[ Upstream commit 3193c0836f203a91bef96d88c64cccf0be090d9c ] + +On x86-64, with CONFIG_RETPOLINE=n, GCC's "global common subexpression +elimination" optimization results in ___bpf_prog_run()'s jumptable code +changing from this: + + select_insn: + jmp *jumptable(, %rax, 8) + ... + ALU64_ADD_X: + ... + jmp *jumptable(, %rax, 8) + ALU_ADD_X: + ... + jmp *jumptable(, %rax, 8) + +to this: + + select_insn: + mov jumptable, %r12 + jmp *(%r12, %rax, 8) + ... + ALU64_ADD_X: + ... + jmp *(%r12, %rax, 8) + ALU_ADD_X: + ... + jmp *(%r12, %rax, 8) + +The jumptable address is placed in a register once, at the beginning of +the function. The function execution can then go through multiple +indirect jumps which rely on that same register value. This has a few +issues: + +1) Objtool isn't smart enough to be able to track such a register value + across multiple recursive indirect jumps through the jump table. + +2) With CONFIG_RETPOLINE enabled, this optimization actually results in + a small slowdown. I measured a ~4.7% slowdown in the test_bpf + "tcpdump port 22" selftest. + + This slowdown is actually predicted by the GCC manual: + + Note: When compiling a program using computed gotos, a GCC + extension, you may get better run-time performance if you + disable the global common subexpression elimination pass by + adding -fno-gcse to the command line. + +So just disable the optimization for this function. + +Fixes: e55a73251da3 ("bpf: Fix ORC unwinding in non-JIT BPF code") +Reported-by: Randy Dunlap +Signed-off-by: Josh Poimboeuf +Signed-off-by: Thomas Gleixner +Acked-by: Alexei Starovoitov +Acked-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/30c3ca29ba037afcbd860a8672eef0021addf9fe.1563413318.git.jpoimboe@redhat.com +Signed-off-by: Sasha Levin +--- + include/linux/compiler-gcc.h | 2 ++ + include/linux/compiler_types.h | 4 ++++ + kernel/bpf/core.c | 2 +- + 3 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h +index e8579412ad214..d7ee4c6bad482 100644 +--- a/include/linux/compiler-gcc.h ++++ b/include/linux/compiler-gcc.h +@@ -170,3 +170,5 @@ + #else + #define __diag_GCC_8(s) + #endif ++ ++#define __no_fgcse __attribute__((optimize("-fno-gcse"))) +diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h +index 19e58b9138a04..0454d82f8bd82 100644 +--- a/include/linux/compiler_types.h ++++ b/include/linux/compiler_types.h +@@ -187,6 +187,10 @@ struct ftrace_likely_data { + #define asm_volatile_goto(x...) asm goto(x) + #endif + ++#ifndef __no_fgcse ++# define __no_fgcse ++#endif ++ + /* Are two types/vars the same type (ignoring qualifiers)? */ + #define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b)) + +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index f2148db91439e..ceee0730fba58 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -1295,7 +1295,7 @@ bool bpf_opcode_in_insntable(u8 code) + * + * Decode and execute eBPF instructions. + */ +-static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, u64 *stack) ++static u64 __no_fgcse ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, u64 *stack) + { + #define BPF_INSN_2_LBL(x, y) [BPF_##x | BPF_##y] = &&x##_##y + #define BPF_INSN_3_LBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = &&x##_##y##_##z +-- +2.20.1 + diff --git a/queue-5.2/bpf-fix-btf-verifier-size-resolution-logic.patch b/queue-5.2/bpf-fix-btf-verifier-size-resolution-logic.patch new file mode 100644 index 00000000000..198510ea6d7 --- /dev/null +++ b/queue-5.2/bpf-fix-btf-verifier-size-resolution-logic.patch @@ -0,0 +1,125 @@ +From 72b9a023ddce43367cf9c199521845cad1f293d4 Mon Sep 17 00:00:00 2001 +From: Andrii Nakryiko +Date: Fri, 12 Jul 2019 10:25:55 -0700 +Subject: bpf: fix BTF verifier size resolution logic + +[ Upstream commit 1acc5d5c5832da9a98b22374a8fae08ffe31b3f8 ] + +BTF verifier has a size resolution bug which in some circumstances leads to +invalid size resolution for, e.g., TYPEDEF modifier. This happens if we have +[1] PTR -> [2] TYPEDEF -> [3] ARRAY, in which case due to being in pointer +context ARRAY size won't be resolved (because for pointer it doesn't matter, so +it's a sink in pointer context), but it will be permanently remembered as zero +for TYPEDEF and TYPEDEF will be marked as RESOLVED. Eventually ARRAY size will +be resolved correctly, but TYPEDEF resolved_size won't be updated anymore. +This, subsequently, will lead to erroneous map creation failure, if that +TYPEDEF is specified as either key or value, as key_size/value_size won't +correspond to resolved size of TYPEDEF (kernel will believe it's zero). + +Note, that if BTF was ordered as [1] ARRAY <- [2] TYPEDEF <- [3] PTR, this +won't be a problem, as by the time we get to TYPEDEF, ARRAY's size is already +calculated and stored. + +This bug manifests itself in rejecting BTF-defined maps that use array +typedef as a value type: + +typedef int array_t[16]; + +struct { + __uint(type, BPF_MAP_TYPE_ARRAY); + __type(value, array_t); /* i.e., array_t *value; */ +} test_map SEC(".maps"); + +The fix consists on not relying on modifier's resolved_size and instead using +modifier's resolved_id (type ID for "concrete" type to which modifier +eventually resolves) and doing size determination for that resolved type. This +allow to preserve existing "early DFS termination" logic for PTR or +STRUCT_OR_ARRAY contexts, but still do correct size determination for modifier +types. + +Fixes: eb3f595dab40 ("bpf: btf: Validate type reference") +Cc: Martin KaFai Lau +Signed-off-by: Andrii Nakryiko +Acked-by: Martin KaFai Lau +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + kernel/bpf/btf.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c +index 546ebee39e2af..5fcc7a17eb5a4 100644 +--- a/kernel/bpf/btf.c ++++ b/kernel/bpf/btf.c +@@ -1073,11 +1073,18 @@ const struct btf_type *btf_type_id_size(const struct btf *btf, + !btf_type_is_var(size_type))) + return NULL; + +- size = btf->resolved_sizes[size_type_id]; + size_type_id = btf->resolved_ids[size_type_id]; + size_type = btf_type_by_id(btf, size_type_id); + if (btf_type_nosize_or_null(size_type)) + return NULL; ++ else if (btf_type_has_size(size_type)) ++ size = size_type->size; ++ else if (btf_type_is_array(size_type)) ++ size = btf->resolved_sizes[size_type_id]; ++ else if (btf_type_is_ptr(size_type)) ++ size = sizeof(void *); ++ else ++ return NULL; + } + + *type_id = size_type_id; +@@ -1602,7 +1609,6 @@ static int btf_modifier_resolve(struct btf_verifier_env *env, + const struct btf_type *next_type; + u32 next_type_id = t->type; + struct btf *btf = env->btf; +- u32 next_type_size = 0; + + next_type = btf_type_by_id(btf, next_type_id); + if (!next_type || btf_type_is_resolve_source_only(next_type)) { +@@ -1620,7 +1626,7 @@ static int btf_modifier_resolve(struct btf_verifier_env *env, + * save us a few type-following when we use it later (e.g. in + * pretty print). + */ +- if (!btf_type_id_size(btf, &next_type_id, &next_type_size)) { ++ if (!btf_type_id_size(btf, &next_type_id, NULL)) { + if (env_type_is_resolved(env, next_type_id)) + next_type = btf_type_id_resolve(btf, &next_type_id); + +@@ -1633,7 +1639,7 @@ static int btf_modifier_resolve(struct btf_verifier_env *env, + } + } + +- env_stack_pop_resolved(env, next_type_id, next_type_size); ++ env_stack_pop_resolved(env, next_type_id, 0); + + return 0; + } +@@ -1645,7 +1651,6 @@ static int btf_var_resolve(struct btf_verifier_env *env, + const struct btf_type *t = v->t; + u32 next_type_id = t->type; + struct btf *btf = env->btf; +- u32 next_type_size; + + next_type = btf_type_by_id(btf, next_type_id); + if (!next_type || btf_type_is_resolve_source_only(next_type)) { +@@ -1675,12 +1680,12 @@ static int btf_var_resolve(struct btf_verifier_env *env, + * forward types or similar that would resolve to size of + * zero is allowed. + */ +- if (!btf_type_id_size(btf, &next_type_id, &next_type_size)) { ++ if (!btf_type_id_size(btf, &next_type_id, NULL)) { + btf_verifier_log_type(env, v->t, "Invalid type_id"); + return -EINVAL; + } + +- env_stack_pop_resolved(env, next_type_id, next_type_size); ++ env_stack_pop_resolved(env, next_type_id, 0); + + return 0; + } +-- +2.20.1 + diff --git a/queue-5.2/btrfs-fix-minimum-number-of-chunk-errors-for-dup.patch b/queue-5.2/btrfs-fix-minimum-number-of-chunk-errors-for-dup.patch new file mode 100644 index 00000000000..62a4f8cc124 --- /dev/null +++ b/queue-5.2/btrfs-fix-minimum-number-of-chunk-errors-for-dup.patch @@ -0,0 +1,48 @@ +From e2d8a6031a44caa1ef5651936e1faddd0df0c582 Mon Sep 17 00:00:00 2001 +From: David Sterba +Date: Fri, 17 May 2019 11:43:13 +0200 +Subject: btrfs: fix minimum number of chunk errors for DUP + +[ Upstream commit 0ee5f8ae082e1f675a2fb6db601c31ac9958a134 ] + +The list of profiles in btrfs_chunk_max_errors lists DUP as a profile +DUP able to tolerate 1 device missing. Though this profile is special +with 2 copies, it still needs the device, unlike the others. + +Looking at the history of changes, thre's no clear reason why DUP is +there, functions were refactored and blocks of code merged to one +helper. + +d20983b40e828 Btrfs: fix writing data into the seed filesystem + - factor code to a helper + +de11cc12df173 Btrfs: don't pre-allocate btrfs bio + - unrelated change, DUP still in the list with max errors 1 + +a236aed14ccb0 Btrfs: Deal with failed writes in mirrored configurations + - introduced the max errors, leaves DUP and RAID1 in the same group + +Reviewed-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/volumes.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 1c2a6e4b39da7..8508f6028c8d2 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -5328,8 +5328,7 @@ static inline int btrfs_chunk_max_errors(struct map_lookup *map) + + if (map->type & (BTRFS_BLOCK_GROUP_RAID1 | + BTRFS_BLOCK_GROUP_RAID10 | +- BTRFS_BLOCK_GROUP_RAID5 | +- BTRFS_BLOCK_GROUP_DUP)) { ++ BTRFS_BLOCK_GROUP_RAID5)) { + max_errors = 1; + } else if (map->type & BTRFS_BLOCK_GROUP_RAID6) { + max_errors = 2; +-- +2.20.1 + diff --git a/queue-5.2/btrfs-flush-before-reflinking-any-extent-to-prevent-.patch b/queue-5.2/btrfs-flush-before-reflinking-any-extent-to-prevent-.patch new file mode 100644 index 00000000000..fc6711da087 --- /dev/null +++ b/queue-5.2/btrfs-flush-before-reflinking-any-extent-to-prevent-.patch @@ -0,0 +1,112 @@ +From 68a2dc99193ce03330a7f81e9dcad54e5d42d982 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Wed, 8 May 2019 18:49:58 +0800 +Subject: btrfs: Flush before reflinking any extent to prevent NOCOW write + falling back to COW without data reservation + +[ Upstream commit a94d1d0cb3bf1983fcdf05b59d914dbff4f1f52c ] + +[BUG] +The following script can cause unexpected fsync failure: + + #!/bin/bash + + dev=/dev/test/test + mnt=/mnt/btrfs + + mkfs.btrfs -f $dev -b 512M > /dev/null + mount $dev $mnt -o nospace_cache + + # Prealloc one extent + xfs_io -f -c "falloc 8k 64m" $mnt/file1 + # Fill the remaining data space + xfs_io -f -c "pwrite 0 -b 4k 512M" $mnt/padding + sync + + # Write into the prealloc extent + xfs_io -c "pwrite 1m 16m" $mnt/file1 + + # Reflink then fsync, fsync would fail due to ENOSPC + xfs_io -c "reflink $mnt/file1 8k 0 4k" -c "fsync" $mnt/file1 + umount $dev + +The fsync fails with ENOSPC, and the last page of the buffered write is +lost. + +[CAUSE] +This is caused by: +- Btrfs' back reference only has extent level granularity + So write into shared extent must be COWed even only part of the extent + is shared. + +So for above script we have: +- fallocate + Create a preallocated extent where we can do NOCOW write. + +- fill all the remaining data and unallocated space + +- buffered write into preallocated space + As we have not enough space available for data and the extent is not + shared (yet) we fall into NOCOW mode. + +- reflink + Now part of the large preallocated extent is shared, later write + into that extent must be COWed. + +- fsync triggers writeback + But now the extent is shared and therefore we must fallback into COW + mode, which fails with ENOSPC since there's not enough space to + allocate data extents. + +[WORKAROUND] +The workaround is to ensure any buffered write in the related extents +(not just the reflink source range) get flushed before reflink/dedupe, +so that NOCOW writes succeed that happened before reflinking succeed. + +The workaround is expensive, we could do it better by only flushing +NOCOW range, but that needs extra accounting for NOCOW range. +For now, fix the possible data loss first. + +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ioctl.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index 2a1be0d1a6986..5b4beebf138ce 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -3999,6 +3999,27 @@ static int btrfs_remap_file_range_prep(struct file *file_in, loff_t pos_in, + if (!same_inode) + inode_dio_wait(inode_out); + ++ /* ++ * Workaround to make sure NOCOW buffered write reach disk as NOCOW. ++ * ++ * Btrfs' back references do not have a block level granularity, they ++ * work at the whole extent level. ++ * NOCOW buffered write without data space reserved may not be able ++ * to fall back to CoW due to lack of data space, thus could cause ++ * data loss. ++ * ++ * Here we take a shortcut by flushing the whole inode, so that all ++ * nocow write should reach disk as nocow before we increase the ++ * reference of the extent. We could do better by only flushing NOCOW ++ * data, but that needs extra accounting. ++ * ++ * Also we don't need to check ASYNC_EXTENT, as async extent will be ++ * CoWed anyway, not affecting nocow part. ++ */ ++ ret = filemap_flush(inode_in->i_mapping); ++ if (ret < 0) ++ return ret; ++ + ret = btrfs_wait_ordered_range(inode_in, ALIGN_DOWN(pos_in, bs), + wb_len); + if (ret < 0) +-- +2.20.1 + diff --git a/queue-5.2/btrfs-qgroup-don-t-hold-qgroup_ioctl_lock-in-btrfs_q.patch b/queue-5.2/btrfs-qgroup-don-t-hold-qgroup_ioctl_lock-in-btrfs_q.patch new file mode 100644 index 00000000000..983eb35c379 --- /dev/null +++ b/queue-5.2/btrfs-qgroup-don-t-hold-qgroup_ioctl_lock-in-btrfs_q.patch @@ -0,0 +1,192 @@ +From a378c87f9e5d5d69a7d9494cc6d50e275fa563d3 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Thu, 13 Jun 2019 17:31:24 +0800 +Subject: btrfs: qgroup: Don't hold qgroup_ioctl_lock in btrfs_qgroup_inherit() + +[ Upstream commit e88439debd0a7f969b3ddba6f147152cd0732676 ] + +[BUG] +Lockdep will report the following circular locking dependency: + + WARNING: possible circular locking dependency detected + 5.2.0-rc2-custom #24 Tainted: G O + ------------------------------------------------------ + btrfs/8631 is trying to acquire lock: + 000000002536438c (&fs_info->qgroup_ioctl_lock#2){+.+.}, at: btrfs_qgroup_inherit+0x40/0x620 [btrfs] + + but task is already holding lock: + 000000003d52cc23 (&fs_info->tree_log_mutex){+.+.}, at: create_pending_snapshot+0x8b6/0xe60 [btrfs] + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #2 (&fs_info->tree_log_mutex){+.+.}: + __mutex_lock+0x76/0x940 + mutex_lock_nested+0x1b/0x20 + btrfs_commit_transaction+0x475/0xa00 [btrfs] + btrfs_commit_super+0x71/0x80 [btrfs] + close_ctree+0x2bd/0x320 [btrfs] + btrfs_put_super+0x15/0x20 [btrfs] + generic_shutdown_super+0x72/0x110 + kill_anon_super+0x18/0x30 + btrfs_kill_super+0x16/0xa0 [btrfs] + deactivate_locked_super+0x3a/0x80 + deactivate_super+0x51/0x60 + cleanup_mnt+0x3f/0x80 + __cleanup_mnt+0x12/0x20 + task_work_run+0x94/0xb0 + exit_to_usermode_loop+0xd8/0xe0 + do_syscall_64+0x210/0x240 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + + -> #1 (&fs_info->reloc_mutex){+.+.}: + __mutex_lock+0x76/0x940 + mutex_lock_nested+0x1b/0x20 + btrfs_commit_transaction+0x40d/0xa00 [btrfs] + btrfs_quota_enable+0x2da/0x730 [btrfs] + btrfs_ioctl+0x2691/0x2b40 [btrfs] + do_vfs_ioctl+0xa9/0x6d0 + ksys_ioctl+0x67/0x90 + __x64_sys_ioctl+0x1a/0x20 + do_syscall_64+0x65/0x240 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + + -> #0 (&fs_info->qgroup_ioctl_lock#2){+.+.}: + lock_acquire+0xa7/0x190 + __mutex_lock+0x76/0x940 + mutex_lock_nested+0x1b/0x20 + btrfs_qgroup_inherit+0x40/0x620 [btrfs] + create_pending_snapshot+0x9d7/0xe60 [btrfs] + create_pending_snapshots+0x94/0xb0 [btrfs] + btrfs_commit_transaction+0x415/0xa00 [btrfs] + btrfs_mksubvol+0x496/0x4e0 [btrfs] + btrfs_ioctl_snap_create_transid+0x174/0x180 [btrfs] + btrfs_ioctl_snap_create_v2+0x11c/0x180 [btrfs] + btrfs_ioctl+0xa90/0x2b40 [btrfs] + do_vfs_ioctl+0xa9/0x6d0 + ksys_ioctl+0x67/0x90 + __x64_sys_ioctl+0x1a/0x20 + do_syscall_64+0x65/0x240 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + + other info that might help us debug this: + + Chain exists of: + &fs_info->qgroup_ioctl_lock#2 --> &fs_info->reloc_mutex --> &fs_info->tree_log_mutex + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&fs_info->tree_log_mutex); + lock(&fs_info->reloc_mutex); + lock(&fs_info->tree_log_mutex); + lock(&fs_info->qgroup_ioctl_lock#2); + + *** DEADLOCK *** + + 6 locks held by btrfs/8631: + #0: 00000000ed8f23f6 (sb_writers#12){.+.+}, at: mnt_want_write_file+0x28/0x60 + #1: 000000009fb1597a (&type->i_mutex_dir_key#10/1){+.+.}, at: btrfs_mksubvol+0x70/0x4e0 [btrfs] + #2: 0000000088c5ad88 (&fs_info->subvol_sem){++++}, at: btrfs_mksubvol+0x128/0x4e0 [btrfs] + #3: 000000009606fc3e (sb_internal#2){.+.+}, at: start_transaction+0x37a/0x520 [btrfs] + #4: 00000000f82bbdf5 (&fs_info->reloc_mutex){+.+.}, at: btrfs_commit_transaction+0x40d/0xa00 [btrfs] + #5: 000000003d52cc23 (&fs_info->tree_log_mutex){+.+.}, at: create_pending_snapshot+0x8b6/0xe60 [btrfs] + +[CAUSE] +Due to the delayed subvolume creation, we need to call +btrfs_qgroup_inherit() inside commit transaction code, with a lot of +other mutex hold. +This hell of lock chain can lead to above problem. + +[FIX] +On the other hand, we don't really need to hold qgroup_ioctl_lock if +we're in the context of create_pending_snapshot(). +As in that context, we're the only one being able to modify qgroup. + +All other qgroup functions which needs qgroup_ioctl_lock are either +holding a transaction handle, or will start a new transaction: + Functions will start a new transaction(): + * btrfs_quota_enable() + * btrfs_quota_disable() + Functions hold a transaction handler: + * btrfs_add_qgroup_relation() + * btrfs_del_qgroup_relation() + * btrfs_create_qgroup() + * btrfs_remove_qgroup() + * btrfs_limit_qgroup() + * btrfs_qgroup_inherit() call inside create_subvol() + +So we have a higher level protection provided by transaction, thus we +don't need to always hold qgroup_ioctl_lock in btrfs_qgroup_inherit(). + +Only the btrfs_qgroup_inherit() call in create_subvol() needs to hold +qgroup_ioctl_lock, while the btrfs_qgroup_inherit() call in +create_pending_snapshot() is already protected by transaction. + +So the fix is to detect the context by checking +trans->transaction->state. +If we're at TRANS_STATE_COMMIT_DOING, then we're in commit transaction +context and no need to get the mutex. + +Reported-by: Nikolay Borisov +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/qgroup.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c +index 3e6ffbbd8b0af..f8a3c1b0a15a8 100644 +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -2614,6 +2614,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, + int ret = 0; + int i; + u64 *i_qgroups; ++ bool committing = false; + struct btrfs_fs_info *fs_info = trans->fs_info; + struct btrfs_root *quota_root; + struct btrfs_qgroup *srcgroup; +@@ -2621,7 +2622,25 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, + u32 level_size = 0; + u64 nums; + +- mutex_lock(&fs_info->qgroup_ioctl_lock); ++ /* ++ * There are only two callers of this function. ++ * ++ * One in create_subvol() in the ioctl context, which needs to hold ++ * the qgroup_ioctl_lock. ++ * ++ * The other one in create_pending_snapshot() where no other qgroup ++ * code can modify the fs as they all need to either start a new trans ++ * or hold a trans handler, thus we don't need to hold ++ * qgroup_ioctl_lock. ++ * This would avoid long and complex lock chain and make lockdep happy. ++ */ ++ spin_lock(&fs_info->trans_lock); ++ if (trans->transaction->state == TRANS_STATE_COMMIT_DOING) ++ committing = true; ++ spin_unlock(&fs_info->trans_lock); ++ ++ if (!committing) ++ mutex_lock(&fs_info->qgroup_ioctl_lock); + if (!test_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags)) + goto out; + +@@ -2785,7 +2804,8 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, + unlock: + spin_unlock(&fs_info->qgroup_lock); + out: +- mutex_unlock(&fs_info->qgroup_ioctl_lock); ++ if (!committing) ++ mutex_unlock(&fs_info->qgroup_ioctl_lock); + return ret; + } + +-- +2.20.1 + diff --git a/queue-5.2/btrfs-tree-checker-check-if-the-file-extent-end-over.patch b/queue-5.2/btrfs-tree-checker-check-if-the-file-extent-end-over.patch new file mode 100644 index 00000000000..51af7295090 --- /dev/null +++ b/queue-5.2/btrfs-tree-checker-check-if-the-file-extent-end-over.patch @@ -0,0 +1,66 @@ +From af6d792ab232eee78a651ec4f14de59d1b8c7a59 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Fri, 3 May 2019 08:30:54 +0800 +Subject: btrfs: tree-checker: Check if the file extent end overflows + +[ Upstream commit 4c094c33c9ed4b8d0d814bd1d7ff78e123d15d00 ] + +Under certain conditions, we could have strange file extent item in log +tree like: + + item 18 key (69599 108 397312) itemoff 15208 itemsize 53 + extent data disk bytenr 0 nr 0 + extent data offset 0 nr 18446744073709547520 ram 18446744073709547520 + +The num_bytes + ram_bytes overflow 64 bit type. + +For num_bytes part, we can detect such overflow along with file offset +(key->offset), as file_offset + num_bytes should never go beyond u64. + +For ram_bytes part, it's about the decompressed size of the extent, not +directly related to the size. +In theory it is OK to have a large value, and put extra limitation +on RAM bytes may cause unexpected false alerts. + +So in tree-checker, we only check if the file offset and num bytes +overflow. + +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-checker.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c +index 96fce4bef4e7d..ccd5706199d76 100644 +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -132,6 +132,7 @@ static int check_extent_data_item(struct extent_buffer *leaf, + struct btrfs_file_extent_item *fi; + u32 sectorsize = fs_info->sectorsize; + u32 item_size = btrfs_item_size_nr(leaf, slot); ++ u64 extent_end; + + if (!IS_ALIGNED(key->offset, sectorsize)) { + file_extent_err(leaf, slot, +@@ -207,6 +208,16 @@ static int check_extent_data_item(struct extent_buffer *leaf, + CHECK_FE_ALIGNED(leaf, slot, fi, num_bytes, sectorsize)) + return -EUCLEAN; + ++ /* Catch extent end overflow */ ++ if (check_add_overflow(btrfs_file_extent_num_bytes(leaf, fi), ++ key->offset, &extent_end)) { ++ file_extent_err(leaf, slot, ++ "extent end overflow, have file offset %llu extent num bytes %llu", ++ key->offset, ++ btrfs_file_extent_num_bytes(leaf, fi)); ++ return -EUCLEAN; ++ } ++ + /* + * Check that no two consecutive file extent items, in the same leaf, + * present ranges that overlap each other. +-- +2.20.1 + diff --git a/queue-5.2/ceph-fix-dir_lease_is_valid.patch b/queue-5.2/ceph-fix-dir_lease_is_valid.patch new file mode 100644 index 00000000000..b7b2b6c2ecb --- /dev/null +++ b/queue-5.2/ceph-fix-dir_lease_is_valid.patch @@ -0,0 +1,62 @@ +From 3af777d89e49b4e948dda67cf1c55d89e898eafe Mon Sep 17 00:00:00 2001 +From: "Yan, Zheng" +Date: Wed, 22 May 2019 17:26:27 +0800 +Subject: ceph: fix dir_lease_is_valid() + +[ Upstream commit feab6ac25dbfe3ab96299cb741925dc8d2da0caf ] + +It should call __ceph_dentry_dir_lease_touch() under dentry->d_lock. +Besides, ceph_dentry(dentry) can be NULL when called by LOOKUP_RCU +d_revalidate() + +Signed-off-by: "Yan, Zheng" +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/dir.c | 26 +++++++++++++++++--------- + 1 file changed, 17 insertions(+), 9 deletions(-) + +diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c +index 0637149fb9f9a..1271024a3797a 100644 +--- a/fs/ceph/dir.c ++++ b/fs/ceph/dir.c +@@ -1512,18 +1512,26 @@ static int __dir_lease_try_check(const struct dentry *dentry) + static int dir_lease_is_valid(struct inode *dir, struct dentry *dentry) + { + struct ceph_inode_info *ci = ceph_inode(dir); +- struct ceph_dentry_info *di = ceph_dentry(dentry); +- int valid = 0; ++ int valid; ++ int shared_gen; + + spin_lock(&ci->i_ceph_lock); +- if (atomic_read(&ci->i_shared_gen) == di->lease_shared_gen) +- valid = __ceph_caps_issued_mask(ci, CEPH_CAP_FILE_SHARED, 1); ++ valid = __ceph_caps_issued_mask(ci, CEPH_CAP_FILE_SHARED, 1); ++ shared_gen = atomic_read(&ci->i_shared_gen); + spin_unlock(&ci->i_ceph_lock); +- if (valid) +- __ceph_dentry_dir_lease_touch(di); +- dout("dir_lease_is_valid dir %p v%u dentry %p v%u = %d\n", +- dir, (unsigned)atomic_read(&ci->i_shared_gen), +- dentry, (unsigned)di->lease_shared_gen, valid); ++ if (valid) { ++ struct ceph_dentry_info *di; ++ spin_lock(&dentry->d_lock); ++ di = ceph_dentry(dentry); ++ if (dir == d_inode(dentry->d_parent) && ++ di && di->lease_shared_gen == shared_gen) ++ __ceph_dentry_dir_lease_touch(di); ++ else ++ valid = 0; ++ spin_unlock(&dentry->d_lock); ++ } ++ dout("dir_lease_is_valid dir %p v%u dentry %p = %d\n", ++ dir, (unsigned)atomic_read(&ci->i_shared_gen), dentry, valid); + return valid; + } + +-- +2.20.1 + diff --git a/queue-5.2/ceph-fix-improper-use-of-smp_mb__before_atomic.patch b/queue-5.2/ceph-fix-improper-use-of-smp_mb__before_atomic.patch new file mode 100644 index 00000000000..0e4f27abb4e --- /dev/null +++ b/queue-5.2/ceph-fix-improper-use-of-smp_mb__before_atomic.patch @@ -0,0 +1,44 @@ +From 50e7b7eecc79f45428f31d5f68eed7086918a52d Mon Sep 17 00:00:00 2001 +From: Andrea Parri +Date: Mon, 20 May 2019 19:23:58 +0200 +Subject: ceph: fix improper use of smp_mb__before_atomic() + +[ Upstream commit 749607731e26dfb2558118038c40e9c0c80d23b5 ] + +This barrier only applies to the read-modify-write operations; in +particular, it does not apply to the atomic64_set() primitive. + +Replace the barrier with an smp_mb(). + +Fixes: fdd4e15838e59 ("ceph: rework dcache readdir") +Reported-by: "Paul E. McKenney" +Reported-by: Peter Zijlstra +Signed-off-by: Andrea Parri +Reviewed-by: "Yan, Zheng" +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/super.h | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/ceph/super.h b/fs/ceph/super.h +index edec39aa5ce20..1d313d0536f9d 100644 +--- a/fs/ceph/super.h ++++ b/fs/ceph/super.h +@@ -544,7 +544,12 @@ static inline void __ceph_dir_set_complete(struct ceph_inode_info *ci, + long long release_count, + long long ordered_count) + { +- smp_mb__before_atomic(); ++ /* ++ * Makes sure operations that setup readdir cache (update page ++ * cache and i_size) are strongly ordered w.r.t. the following ++ * atomic64_set() operations. ++ */ ++ smp_mb(); + atomic64_set(&ci->i_complete_seq[0], release_count); + atomic64_set(&ci->i_complete_seq[1], ordered_count); + } +-- +2.20.1 + diff --git a/queue-5.2/ceph-return-erange-if-virtual-xattr-value-didn-t-fit.patch b/queue-5.2/ceph-return-erange-if-virtual-xattr-value-didn-t-fit.patch new file mode 100644 index 00000000000..1cf928d647d --- /dev/null +++ b/queue-5.2/ceph-return-erange-if-virtual-xattr-value-didn-t-fit.patch @@ -0,0 +1,69 @@ +From 0f73169c815c91d7f3020617137b26b396617a26 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Thu, 13 Jun 2019 15:17:00 -0400 +Subject: ceph: return -ERANGE if virtual xattr value didn't fit in buffer + +[ Upstream commit 3b421018f48c482bdc9650f894aa1747cf90e51d ] + +The getxattr manpage states that we should return ERANGE if the +destination buffer size is too small to hold the value. +ceph_vxattrcb_layout does this internally, but we should be doing +this for all vxattrs. + +Fix the only caller of getxattr_cb to check the returned size +against the buffer length and return -ERANGE if it doesn't fit. +Drop the same check in ceph_vxattrcb_layout and just rely on the +caller to handle it. + +Signed-off-by: Jeff Layton +Reviewed-by: "Yan, Zheng" +Acked-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/xattr.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c +index 0cc42c8879e9a..0619adbcbe14c 100644 +--- a/fs/ceph/xattr.c ++++ b/fs/ceph/xattr.c +@@ -79,7 +79,7 @@ static size_t ceph_vxattrcb_layout(struct ceph_inode_info *ci, char *val, + const char *ns_field = " pool_namespace="; + char buf[128]; + size_t len, total_len = 0; +- int ret; ++ ssize_t ret; + + pool_ns = ceph_try_get_string(ci->i_layout.pool_ns); + +@@ -103,11 +103,8 @@ static size_t ceph_vxattrcb_layout(struct ceph_inode_info *ci, char *val, + if (pool_ns) + total_len += strlen(ns_field) + pool_ns->len; + +- if (!size) { +- ret = total_len; +- } else if (total_len > size) { +- ret = -ERANGE; +- } else { ++ ret = total_len; ++ if (size >= total_len) { + memcpy(val, buf, len); + ret = len; + if (pool_name) { +@@ -835,8 +832,11 @@ ssize_t __ceph_getxattr(struct inode *inode, const char *name, void *value, + if (err) + return err; + err = -ENODATA; +- if (!(vxattr->exists_cb && !vxattr->exists_cb(ci))) ++ if (!(vxattr->exists_cb && !vxattr->exists_cb(ci))) { + err = vxattr->getxattr_cb(ci, value, size); ++ if (size && size < err) ++ err = -ERANGE; ++ } + return err; + } + +-- +2.20.1 + diff --git a/queue-5.2/cifs-fix-a-race-condition-with-cifs_echo_request.patch b/queue-5.2/cifs-fix-a-race-condition-with-cifs_echo_request.patch new file mode 100644 index 00000000000..231d2ed0f11 --- /dev/null +++ b/queue-5.2/cifs-fix-a-race-condition-with-cifs_echo_request.patch @@ -0,0 +1,63 @@ +From 1faa89c5eafb208d0f891f191acb8fa830a4116e Mon Sep 17 00:00:00 2001 +From: Ronnie Sahlberg +Date: Sat, 6 Jul 2019 06:52:46 +1000 +Subject: cifs: Fix a race condition with cifs_echo_request + +[ Upstream commit f2caf901c1b7ce65f9e6aef4217e3241039db768 ] + +There is a race condition with how we send (or supress and don't send) +smb echos that will cause the client to incorrectly think the +server is unresponsive and thus needs to be reconnected. + +Summary of the race condition: + 1) Daisy chaining scheduling creates a gap. + 2) If traffic comes unfortunate shortly after + the last echo, the planned echo is suppressed. + 3) Due to the gap, the next echo transmission is delayed + until after the timeout, which is set hard to twice + the echo interval. + +This is fixed by changing the timeouts from 2 to three times the echo interval. + +Detailed description of the bug: https://lutz.donnerhacke.de/eng/Blog/Groundhog-Day-with-SMB-remount + +Signed-off-by: Ronnie Sahlberg +Reviewed-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/connect.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 59380dd546a1e..6ad43ac129d2f 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -706,10 +706,10 @@ static bool + server_unresponsive(struct TCP_Server_Info *server) + { + /* +- * We need to wait 2 echo intervals to make sure we handle such ++ * We need to wait 3 echo intervals to make sure we handle such + * situations right: + * 1s client sends a normal SMB request +- * 2s client gets a response ++ * 3s client gets a response + * 30s echo workqueue job pops, and decides we got a response recently + * and don't need to send another + * ... +@@ -718,9 +718,9 @@ server_unresponsive(struct TCP_Server_Info *server) + */ + if ((server->tcpStatus == CifsGood || + server->tcpStatus == CifsNeedNegotiate) && +- time_after(jiffies, server->lstrp + 2 * server->echo_interval)) { ++ time_after(jiffies, server->lstrp + 3 * server->echo_interval)) { + cifs_dbg(VFS, "Server %s has not responded in %lu seconds. Reconnecting...\n", +- server->hostname, (2 * server->echo_interval) / HZ); ++ server->hostname, (3 * server->echo_interval) / HZ); + cifs_reconnect(server); + wake_up(&server->response_q); + return true; +-- +2.20.1 + diff --git a/queue-5.2/cifs-fix-crash-in-cifs_dfs_do_automount.patch b/queue-5.2/cifs-fix-crash-in-cifs_dfs_do_automount.patch new file mode 100644 index 00000000000..03a0fb73fe5 --- /dev/null +++ b/queue-5.2/cifs-fix-crash-in-cifs_dfs_do_automount.patch @@ -0,0 +1,66 @@ +From fe9d96a6d4e408319d9d45280dd74af9743930e5 Mon Sep 17 00:00:00 2001 +From: Ronnie Sahlberg +Date: Thu, 11 Jul 2019 13:46:58 +1000 +Subject: cifs: fix crash in cifs_dfs_do_automount + +[ Upstream commit ce465bf94b70f03136171a62b607864f00093b19 ] + +RHBZ: 1649907 + +Fix a crash that happens while attempting to mount a DFS referral from the same server on the root of a filesystem. + +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/connect.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 6ad43ac129d2f..18c7c6b2fe08a 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -4463,11 +4463,13 @@ cifs_are_all_path_components_accessible(struct TCP_Server_Info *server, + unsigned int xid, + struct cifs_tcon *tcon, + struct cifs_sb_info *cifs_sb, +- char *full_path) ++ char *full_path, ++ int added_treename) + { + int rc; + char *s; + char sep, tmp; ++ int skip = added_treename ? 1 : 0; + + sep = CIFS_DIR_SEP(cifs_sb); + s = full_path; +@@ -4482,7 +4484,14 @@ cifs_are_all_path_components_accessible(struct TCP_Server_Info *server, + /* next separator */ + while (*s && *s != sep) + s++; +- ++ /* ++ * if the treename is added, we then have to skip the first ++ * part within the separators ++ */ ++ if (skip) { ++ skip = 0; ++ continue; ++ } + /* + * temporarily null-terminate the path at the end of + * the current component +@@ -4530,8 +4539,7 @@ static int is_path_remote(struct cifs_sb_info *cifs_sb, struct smb_vol *vol, + + if (rc != -EREMOTE) { + rc = cifs_are_all_path_components_accessible(server, xid, tcon, +- cifs_sb, +- full_path); ++ cifs_sb, full_path, tcon->Flags & SMB_SHARE_IS_IN_DFS); + if (rc != 0) { + cifs_dbg(VFS, "cannot query dirs between root and final path, " + "enabling CIFS_MOUNT_USE_PREFIX_PATH\n"); +-- +2.20.1 + diff --git a/queue-5.2/clk-meson-mpll-properly-handle-spread-spectrum.patch b/queue-5.2/clk-meson-mpll-properly-handle-spread-spectrum.patch new file mode 100644 index 00000000000..1f6adfeb1e7 --- /dev/null +++ b/queue-5.2/clk-meson-mpll-properly-handle-spread-spectrum.patch @@ -0,0 +1,64 @@ +From 75fd777d34f1a3800a6e0538d8453b1ace4efdea Mon Sep 17 00:00:00 2001 +From: Jerome Brunet +Date: Mon, 13 May 2019 14:31:09 +0200 +Subject: clk: meson: mpll: properly handle spread spectrum + +[ Upstream commit f9b3eeebef6aabaa37a351715374de53b6da860c ] + +The bit 'SSEN' available on some MPLL DSS outputs is not related to the +fractional part of the divider but to the function called +'Spread Spectrum'. + +This function might be used to solve EM issues by adding a jitter on +clock signal. This widens the signal spectrum and weakens the peaks in it. + +While spread spectrum might be useful for some application, it is +problematic for others, such as audio. + +This patch introduce a new flag to the MPLL driver to enable (or not) the +spread spectrum function. + +Fixes: 1f737ffa13ef ("clk: meson: mpll: fix mpll0 fractional part ignored") +Tested-by: Martin Blumenstingl +Signed-off-by: Jerome Brunet +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/clk-mpll.c | 9 ++++++--- + drivers/clk/meson/clk-mpll.h | 1 + + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/meson/clk-mpll.c b/drivers/clk/meson/clk-mpll.c +index f76850d99e591..d3f42e0864313 100644 +--- a/drivers/clk/meson/clk-mpll.c ++++ b/drivers/clk/meson/clk-mpll.c +@@ -119,9 +119,12 @@ static int mpll_set_rate(struct clk_hw *hw, + meson_parm_write(clk->map, &mpll->sdm, sdm); + meson_parm_write(clk->map, &mpll->sdm_en, 1); + +- /* Set additional fractional part enable if required */ +- if (MESON_PARM_APPLICABLE(&mpll->ssen)) +- meson_parm_write(clk->map, &mpll->ssen, 1); ++ /* Set spread spectrum if possible */ ++ if (MESON_PARM_APPLICABLE(&mpll->ssen)) { ++ unsigned int ss = ++ mpll->flags & CLK_MESON_MPLL_SPREAD_SPECTRUM ? 1 : 0; ++ meson_parm_write(clk->map, &mpll->ssen, ss); ++ } + + /* Set the integer divider part */ + meson_parm_write(clk->map, &mpll->n2, n2); +diff --git a/drivers/clk/meson/clk-mpll.h b/drivers/clk/meson/clk-mpll.h +index cf79340006dd7..0f948430fed48 100644 +--- a/drivers/clk/meson/clk-mpll.h ++++ b/drivers/clk/meson/clk-mpll.h +@@ -23,6 +23,7 @@ struct meson_clk_mpll_data { + }; + + #define CLK_MESON_MPLL_ROUND_CLOSEST BIT(0) ++#define CLK_MESON_MPLL_SPREAD_SPECTRUM BIT(1) + + extern const struct clk_ops meson_clk_mpll_ro_ops; + extern const struct clk_ops meson_clk_mpll_ops; +-- +2.20.1 + diff --git a/queue-5.2/clk-sprd-add-check-for-return-value-of-sprd_clk_regm.patch b/queue-5.2/clk-sprd-add-check-for-return-value-of-sprd_clk_regm.patch new file mode 100644 index 00000000000..15c861e82d5 --- /dev/null +++ b/queue-5.2/clk-sprd-add-check-for-return-value-of-sprd_clk_regm.patch @@ -0,0 +1,45 @@ +From eff801fc51f90cd20e9575c651356050906cc657 Mon Sep 17 00:00:00 2001 +From: Chunyan Zhang +Date: Wed, 22 May 2019 09:15:03 +0800 +Subject: clk: sprd: Add check for return value of sprd_clk_regmap_init() + +[ Upstream commit c974c48deeb969c5e4250e4f06af91edd84b1f10 ] + +sprd_clk_regmap_init() doesn't always return success, adding check +for its return value should make the code more strong. + +Signed-off-by: Chunyan Zhang +Reviewed-by: Baolin Wang +[sboyd@kernel.org: Add a missing int ret] +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/sprd/sc9860-clk.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/sprd/sc9860-clk.c b/drivers/clk/sprd/sc9860-clk.c +index 9980ab55271ba..f76305b4bc8df 100644 +--- a/drivers/clk/sprd/sc9860-clk.c ++++ b/drivers/clk/sprd/sc9860-clk.c +@@ -2023,6 +2023,7 @@ static int sc9860_clk_probe(struct platform_device *pdev) + { + const struct of_device_id *match; + const struct sprd_clk_desc *desc; ++ int ret; + + match = of_match_node(sprd_sc9860_clk_ids, pdev->dev.of_node); + if (!match) { +@@ -2031,7 +2032,9 @@ static int sc9860_clk_probe(struct platform_device *pdev) + } + + desc = match->data; +- sprd_clk_regmap_init(pdev, desc); ++ ret = sprd_clk_regmap_init(pdev, desc); ++ if (ret) ++ return ret; + + return sprd_clk_probe(&pdev->dev, desc->hw_clks); + } +-- +2.20.1 + diff --git a/queue-5.2/clk-tegra210-fix-pllu-and-pllu_out1.patch b/queue-5.2/clk-tegra210-fix-pllu-and-pllu_out1.patch new file mode 100644 index 00000000000..9fb1f1f959c --- /dev/null +++ b/queue-5.2/clk-tegra210-fix-pllu-and-pllu_out1.patch @@ -0,0 +1,75 @@ +From 75e170cb4176182bf5a19e01265e4925b72081ed Mon Sep 17 00:00:00 2001 +From: JC Kuo +Date: Wed, 12 Jun 2019 11:14:34 +0800 +Subject: clk: tegra210: fix PLLU and PLLU_OUT1 + +[ Upstream commit 0d34dfbf3023cf119b83f6470692c0b10c832495 ] + +Full-speed and low-speed USB devices do not work with Tegra210 +platforms because of incorrect PLLU/PLLU_OUT1 clock settings. + +When full-speed device is connected: +[ 14.059886] usb 1-3: new full-speed USB device number 2 using tegra-xusb +[ 14.196295] usb 1-3: device descriptor read/64, error -71 +[ 14.436311] usb 1-3: device descriptor read/64, error -71 +[ 14.675749] usb 1-3: new full-speed USB device number 3 using tegra-xusb +[ 14.812335] usb 1-3: device descriptor read/64, error -71 +[ 15.052316] usb 1-3: device descriptor read/64, error -71 +[ 15.164799] usb usb1-port3: attempt power cycle + +When low-speed device is connected: +[ 37.610949] usb usb1-port3: Cannot enable. Maybe the USB cable is bad? +[ 38.557376] usb usb1-port3: Cannot enable. Maybe the USB cable is bad? +[ 38.564977] usb usb1-port3: attempt power cycle + +This commit fixes the issue by: + 1. initializing PLLU_OUT1 before initializing XUSB_FS_SRC clock + because PLLU_OUT1 is parent of XUSB_FS_SRC. + 2. changing PLLU post-divider to /2 (DIVP=1) according to Technical + Reference Manual. + +Fixes: e745f992cf4b ("clk: tegra: Rework pll_u") +Signed-off-by: JC Kuo +Acked-By: Peter De Schrijver +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/tegra/clk-tegra210.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/clk/tegra/clk-tegra210.c b/drivers/clk/tegra/clk-tegra210.c +index ac1d27a8c650a..e5470a6bbf550 100644 +--- a/drivers/clk/tegra/clk-tegra210.c ++++ b/drivers/clk/tegra/clk-tegra210.c +@@ -2204,9 +2204,9 @@ static struct div_nmp pllu_nmp = { + }; + + static struct tegra_clk_pll_freq_table pll_u_freq_table[] = { +- { 12000000, 480000000, 40, 1, 0, 0 }, +- { 13000000, 480000000, 36, 1, 0, 0 }, /* actual: 468.0 MHz */ +- { 38400000, 480000000, 25, 2, 0, 0 }, ++ { 12000000, 480000000, 40, 1, 1, 0 }, ++ { 13000000, 480000000, 36, 1, 1, 0 }, /* actual: 468.0 MHz */ ++ { 38400000, 480000000, 25, 2, 1, 0 }, + { 0, 0, 0, 0, 0, 0 }, + }; + +@@ -3333,6 +3333,7 @@ static struct tegra_clk_init_table init_table[] __initdata = { + { TEGRA210_CLK_DFLL_REF, TEGRA210_CLK_PLL_P, 51000000, 1 }, + { TEGRA210_CLK_SBC4, TEGRA210_CLK_PLL_P, 12000000, 1 }, + { TEGRA210_CLK_PLL_RE_VCO, TEGRA210_CLK_CLK_MAX, 672000000, 1 }, ++ { TEGRA210_CLK_PLL_U_OUT1, TEGRA210_CLK_CLK_MAX, 48000000, 1 }, + { TEGRA210_CLK_XUSB_GATE, TEGRA210_CLK_CLK_MAX, 0, 1 }, + { TEGRA210_CLK_XUSB_SS_SRC, TEGRA210_CLK_PLL_U_480M, 120000000, 0 }, + { TEGRA210_CLK_XUSB_FS_SRC, TEGRA210_CLK_PLL_U_48M, 48000000, 0 }, +@@ -3357,7 +3358,6 @@ static struct tegra_clk_init_table init_table[] __initdata = { + { TEGRA210_CLK_PLL_DP, TEGRA210_CLK_CLK_MAX, 270000000, 0 }, + { TEGRA210_CLK_SOC_THERM, TEGRA210_CLK_PLL_P, 51000000, 0 }, + { TEGRA210_CLK_CCLK_G, TEGRA210_CLK_CLK_MAX, 0, 1 }, +- { TEGRA210_CLK_PLL_U_OUT1, TEGRA210_CLK_CLK_MAX, 48000000, 1 }, + { TEGRA210_CLK_PLL_U_OUT2, TEGRA210_CLK_CLK_MAX, 60000000, 1 }, + { TEGRA210_CLK_SPDIF_IN_SYNC, TEGRA210_CLK_CLK_MAX, 24576000, 0 }, + { TEGRA210_CLK_I2S0_SYNC, TEGRA210_CLK_CLK_MAX, 24576000, 0 }, +-- +2.20.1 + diff --git a/queue-5.2/coda-add-error-handling-for-fget.patch b/queue-5.2/coda-add-error-handling-for-fget.patch new file mode 100644 index 00000000000..50698a482aa --- /dev/null +++ b/queue-5.2/coda-add-error-handling-for-fget.patch @@ -0,0 +1,50 @@ +From 15bc754f4068aea717fdc8e9329685a048cd0766 Mon Sep 17 00:00:00 2001 +From: Zhouyang Jia +Date: Tue, 16 Jul 2019 16:28:13 -0700 +Subject: coda: add error handling for fget + +[ Upstream commit 02551c23bcd85f0c68a8259c7b953d49d44f86af ] + +When fget fails, the lack of error-handling code may cause unexpected +results. + +This patch adds error-handling code after calling fget. + +Link: http://lkml.kernel.org/r/2514ec03df9c33b86e56748513267a80dd8004d9.1558117389.git.jaharkes@cs.cmu.edu +Signed-off-by: Zhouyang Jia +Signed-off-by: Jan Harkes +Cc: Arnd Bergmann +Cc: Colin Ian King +Cc: Dan Carpenter +Cc: David Howells +Cc: Fabian Frederick +Cc: Mikko Rapeli +Cc: Sam Protsenko +Cc: Yann Droneaud +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/coda/psdev.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/coda/psdev.c b/fs/coda/psdev.c +index 0ceef32e6fae0..241f7e04ad04d 100644 +--- a/fs/coda/psdev.c ++++ b/fs/coda/psdev.c +@@ -182,8 +182,11 @@ static ssize_t coda_psdev_write(struct file *file, const char __user *buf, + if (req->uc_opcode == CODA_OPEN_BY_FD) { + struct coda_open_by_fd_out *outp = + (struct coda_open_by_fd_out *)req->uc_data; +- if (!outp->oh.result) ++ if (!outp->oh.result) { + outp->fh = fget(outp->fd); ++ if (!outp->fh) ++ return -EBADF; ++ } + } + + wake_up(&req->uc_sleep); +-- +2.20.1 + diff --git a/queue-5.2/coda-fix-build-using-bare-metal-toolchain.patch b/queue-5.2/coda-fix-build-using-bare-metal-toolchain.patch new file mode 100644 index 00000000000..a53300c2332 --- /dev/null +++ b/queue-5.2/coda-fix-build-using-bare-metal-toolchain.patch @@ -0,0 +1,48 @@ +From 9298619b7db489504658e3c822064b8e997d3d5f Mon Sep 17 00:00:00 2001 +From: Sam Protsenko +Date: Tue, 16 Jul 2019 16:28:20 -0700 +Subject: coda: fix build using bare-metal toolchain + +[ Upstream commit b2a57e334086602be56b74958d9f29b955cd157f ] + +The kernel is self-contained project and can be built with bare-metal +toolchain. But bare-metal toolchain doesn't define __linux__. Because +of this u_quad_t type is not defined when using bare-metal toolchain and +codafs build fails. This patch fixes it by defining u_quad_t type +unconditionally. + +Link: http://lkml.kernel.org/r/3cbb40b0a57b6f9923a9d67b53473c0b691a3eaa.1558117389.git.jaharkes@cs.cmu.edu +Signed-off-by: Sam Protsenko +Signed-off-by: Jan Harkes +Cc: Arnd Bergmann +Cc: Colin Ian King +Cc: Dan Carpenter +Cc: David Howells +Cc: Fabian Frederick +Cc: Mikko Rapeli +Cc: Yann Droneaud +Cc: Zhouyang Jia +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/coda.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/include/linux/coda.h b/include/linux/coda.h +index d30209b9cef81..0ca0c83fdb1c4 100644 +--- a/include/linux/coda.h ++++ b/include/linux/coda.h +@@ -58,8 +58,7 @@ Mellon the rights to redistribute these changes without encumbrance. + #ifndef _CODA_HEADER_ + #define _CODA_HEADER_ + +-#if defined(__linux__) + typedef unsigned long long u_quad_t; +-#endif ++ + #include + #endif +-- +2.20.1 + diff --git a/queue-5.2/crypto-ccp-fix-sev_version_greater_or_equal.patch b/queue-5.2/crypto-ccp-fix-sev_version_greater_or_equal.patch new file mode 100644 index 00000000000..8e2c2b97dfd --- /dev/null +++ b/queue-5.2/crypto-ccp-fix-sev_version_greater_or_equal.patch @@ -0,0 +1,86 @@ +From dfa0a23f82d3d36a9de0e4950ce5ffe10c8a67f4 Mon Sep 17 00:00:00 2001 +From: David Rientjes +Date: Fri, 12 Jul 2019 13:41:58 -0700 +Subject: crypto: ccp - Fix SEV_VERSION_GREATER_OR_EQUAL + +[ Upstream commit 83bf42510d7f7e1daa692c096e8e9919334d7b57 ] + +SEV_VERSION_GREATER_OR_EQUAL() will fail if upgrading from 2.2 to 3.1, for +example, because the minor version is not equal to or greater than the +major. + +Fix this and move to a static inline function for appropriate type +checking. + +Fixes: edd303ff0e9e ("crypto: ccp - Add DOWNLOAD_FIRMWARE SEV command") +Reported-by: Cfir Cohen +Signed-off-by: David Rientjes +Acked-by: Tom Lendacky +Acked-by: Gary R Hook +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/psp-dev.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c +index de5a8ca70d3da..6b17d179ef8a0 100644 +--- a/drivers/crypto/ccp/psp-dev.c ++++ b/drivers/crypto/ccp/psp-dev.c +@@ -24,10 +24,6 @@ + #include "sp-dev.h" + #include "psp-dev.h" + +-#define SEV_VERSION_GREATER_OR_EQUAL(_maj, _min) \ +- ((psp_master->api_major) >= _maj && \ +- (psp_master->api_minor) >= _min) +- + #define DEVICE_NAME "sev" + #define SEV_FW_FILE "amd/sev.fw" + #define SEV_FW_NAME_SIZE 64 +@@ -47,6 +43,15 @@ MODULE_PARM_DESC(psp_probe_timeout, " default timeout value, in seconds, during + static bool psp_dead; + static int psp_timeout; + ++static inline bool sev_version_greater_or_equal(u8 maj, u8 min) ++{ ++ if (psp_master->api_major > maj) ++ return true; ++ if (psp_master->api_major == maj && psp_master->api_minor >= min) ++ return true; ++ return false; ++} ++ + static struct psp_device *psp_alloc_struct(struct sp_device *sp) + { + struct device *dev = sp->dev; +@@ -588,7 +593,7 @@ static int sev_ioctl_do_get_id2(struct sev_issue_cmd *argp) + int ret; + + /* SEV GET_ID is available from SEV API v0.16 and up */ +- if (!SEV_VERSION_GREATER_OR_EQUAL(0, 16)) ++ if (!sev_version_greater_or_equal(0, 16)) + return -ENOTSUPP; + + if (copy_from_user(&input, (void __user *)argp->data, sizeof(input))) +@@ -651,7 +656,7 @@ static int sev_ioctl_do_get_id(struct sev_issue_cmd *argp) + int ret; + + /* SEV GET_ID available from SEV API v0.16 and up */ +- if (!SEV_VERSION_GREATER_OR_EQUAL(0, 16)) ++ if (!sev_version_greater_or_equal(0, 16)) + return -ENOTSUPP; + + /* SEV FW expects the buffer it fills with the ID to be +@@ -1053,7 +1058,7 @@ void psp_pci_init(void) + psp_master->sev_state = SEV_STATE_UNINIT; + } + +- if (SEV_VERSION_GREATER_OR_EQUAL(0, 15) && ++ if (sev_version_greater_or_equal(0, 15) && + sev_update_firmware(psp_master->dev) == 0) + sev_get_api_version(); + +-- +2.20.1 + diff --git a/queue-5.2/device-dax-fix-memory-and-resource-leak-if-hotplug-f.patch b/queue-5.2/device-dax-fix-memory-and-resource-leak-if-hotplug-f.patch new file mode 100644 index 00000000000..dfdfcdae5e9 --- /dev/null +++ b/queue-5.2/device-dax-fix-memory-and-resource-leak-if-hotplug-f.patch @@ -0,0 +1,104 @@ +From 417630fad1d4713d76460699e44c6fc24cc8ea9c Mon Sep 17 00:00:00 2001 +From: Pavel Tatashin +Date: Tue, 16 Jul 2019 16:30:27 -0700 +Subject: device-dax: fix memory and resource leak if hotplug fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 31e4ca92a7dd4cdebd7fe1456b3b0b6ace9a816f ] + +Patch series ""Hotremove" persistent memory", v6. + +Recently, adding a persistent memory to be used like a regular RAM was +added to Linux. This work extends this functionality to also allow hot +removing persistent memory. + +We (Microsoft) have an important use case for this functionality. + +The requirement is for physical machines with small amount of RAM (~8G) +to be able to reboot in a very short period of time (<1s). Yet, there +is a userland state that is expensive to recreate (~2G). + +The solution is to boot machines with 2G preserved for persistent +memory. + +Copy the state, and hotadd the persistent memory so machine still has +all 8G available for runtime. Before reboot, offline and hotremove +device-dax 2G, copy the memory that is needed to be preserved to pmem0 +device, and reboot. + +The series of operations look like this: + +1. After boot restore /dev/pmem0 to ramdisk to be consumed by apps. + and free ramdisk. +2. Convert raw pmem0 to devdax + ndctl create-namespace --mode devdax --map mem -e namespace0.0 -f +3. Hotadd to System RAM + echo dax0.0 > /sys/bus/dax/drivers/device_dax/unbind + echo dax0.0 > /sys/bus/dax/drivers/kmem/new_id + echo online_movable > /sys/devices/system/memoryXXX/state +4. Before reboot hotremove device-dax memory from System RAM + echo offline > /sys/devices/system/memoryXXX/state + echo dax0.0 > /sys/bus/dax/drivers/kmem/unbind +5. Create raw pmem0 device + ndctl create-namespace --mode raw -e namespace0.0 -f +6. Copy the state that was stored by apps to ramdisk to pmem device +7. Do kexec reboot or reboot through firmware if firmware does not + zero memory in pmem0 region (These machines have only regular + volatile memory). So to have pmem0 device either memmap kernel + parameter is used, or devices nodes in dtb are specified. + +This patch (of 3): + +When add_memory() fails, the resource and the memory should be freed. + +Link: http://lkml.kernel.org/r/20190517215438.6487-2-pasha.tatashin@soleen.com +Fixes: c221c0b0308f ("device-dax: "Hotplug" persistent memory for use like normal RAM") +Signed-off-by: Pavel Tatashin +Reviewed-by: Dave Hansen +Cc: Bjorn Helgaas +Cc: Borislav Petkov +Cc: Dan Williams +Cc: Dave Hansen +Cc: Dave Jiang +Cc: David Hildenbrand +Cc: Fengguang Wu +Cc: Huang Ying +Cc: James Morris +Cc: Jérôme Glisse +Cc: Keith Busch +Cc: Michal Hocko +Cc: Ross Zwisler +Cc: Sasha Levin +Cc: Takashi Iwai +Cc: Tom Lendacky +Cc: Vishal Verma +Cc: Yaowei Bai +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/dax/kmem.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/dax/kmem.c b/drivers/dax/kmem.c +index a02318c6d28ab..4c0131857133d 100644 +--- a/drivers/dax/kmem.c ++++ b/drivers/dax/kmem.c +@@ -66,8 +66,11 @@ int dev_dax_kmem_probe(struct device *dev) + new_res->name = dev_name(dev); + + rc = add_memory(numa_node, new_res->start, resource_size(new_res)); +- if (rc) ++ if (rc) { ++ release_resource(new_res); ++ kfree(new_res); + return rc; ++ } + + return 0; + } +-- +2.20.1 + diff --git a/queue-5.2/dma-direct-correct-the-physical-addr-in-dma_direct_s.patch b/queue-5.2/dma-direct-correct-the-physical-addr-in-dma_direct_s.patch new file mode 100644 index 00000000000..dbdecd0f0f8 --- /dev/null +++ b/queue-5.2/dma-direct-correct-the-physical-addr-in-dma_direct_s.patch @@ -0,0 +1,72 @@ +From 039511af8a45e8d8ca0e851dae8652199d23721c Mon Sep 17 00:00:00 2001 +From: Fugang Duan +Date: Fri, 19 Jul 2019 17:26:48 +0800 +Subject: dma-direct: correct the physical addr in + dma_direct_sync_sg_for_cpu/device + +[ Upstream commit 449fa54d6815be8c2c1f68fa9dbbae9384a7c03e ] + +dma_map_sg() may use swiotlb buffer when the kernel command line includes +"swiotlb=force" or the dma_addr is out of dev->dma_mask range. After +DMA complete the memory moving from device to memory, then user call +dma_sync_sg_for_cpu() to sync with DMA buffer, and copy the original +virtual buffer to other space. + +So dma_direct_sync_sg_for_cpu() should use swiotlb physical addr, not +the original physical addr from sg_phys(sg). + +dma_direct_sync_sg_for_device() also has the same issue, correct it as +well. + +Fixes: 55897af63091("dma-direct: merge swiotlb_dma_ops into the dma_direct code") +Signed-off-by: Fugang Duan +Reviewed-by: Robin Murphy +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + kernel/dma/direct.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/kernel/dma/direct.c b/kernel/dma/direct.c +index 2c2772e9702ab..2c6d51a62251d 100644 +--- a/kernel/dma/direct.c ++++ b/kernel/dma/direct.c +@@ -231,12 +231,14 @@ void dma_direct_sync_sg_for_device(struct device *dev, + int i; + + for_each_sg(sgl, sg, nents, i) { +- if (unlikely(is_swiotlb_buffer(sg_phys(sg)))) +- swiotlb_tbl_sync_single(dev, sg_phys(sg), sg->length, ++ phys_addr_t paddr = dma_to_phys(dev, sg_dma_address(sg)); ++ ++ if (unlikely(is_swiotlb_buffer(paddr))) ++ swiotlb_tbl_sync_single(dev, paddr, sg->length, + dir, SYNC_FOR_DEVICE); + + if (!dev_is_dma_coherent(dev)) +- arch_sync_dma_for_device(dev, sg_phys(sg), sg->length, ++ arch_sync_dma_for_device(dev, paddr, sg->length, + dir); + } + } +@@ -268,11 +270,13 @@ void dma_direct_sync_sg_for_cpu(struct device *dev, + int i; + + for_each_sg(sgl, sg, nents, i) { ++ phys_addr_t paddr = dma_to_phys(dev, sg_dma_address(sg)); ++ + if (!dev_is_dma_coherent(dev)) +- arch_sync_dma_for_cpu(dev, sg_phys(sg), sg->length, dir); +- +- if (unlikely(is_swiotlb_buffer(sg_phys(sg)))) +- swiotlb_tbl_sync_single(dev, sg_phys(sg), sg->length, dir, ++ arch_sync_dma_for_cpu(dev, paddr, sg->length, dir); ++ ++ if (unlikely(is_swiotlb_buffer(paddr))) ++ swiotlb_tbl_sync_single(dev, paddr, sg->length, dir, + SYNC_FOR_CPU); + } + +-- +2.20.1 + diff --git a/queue-5.2/dmaengine-rcar-dmac-reject-zero-length-slave-dma-req.patch b/queue-5.2/dmaengine-rcar-dmac-reject-zero-length-slave-dma-req.patch new file mode 100644 index 00000000000..43aa3a6a14e --- /dev/null +++ b/queue-5.2/dmaengine-rcar-dmac-reject-zero-length-slave-dma-req.patch @@ -0,0 +1,46 @@ +From ce06ad2bafcdf86186b595d31f347ad8c5dc76cb Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 24 Jun 2019 14:38:18 +0200 +Subject: dmaengine: rcar-dmac: Reject zero-length slave DMA requests + +[ Upstream commit 78efb76ab4dfb8f74f290ae743f34162cd627f19 ] + +While the .device_prep_slave_sg() callback rejects empty scatterlists, +it still accepts single-entry scatterlists with a zero-length segment. +These may happen if a driver calls dmaengine_prep_slave_single() with a +zero len parameter. The corresponding DMA request will never complete, +leading to messages like: + + rcar-dmac e7300000.dma-controller: Channel Address Error happen + +and DMA timeouts. + +Although requesting a zero-length DMA request is a driver bug, rejecting +it early eases debugging. Note that the .device_prep_dma_memcpy() +callback already rejects requests to copy zero bytes. + +Reported-by: Eugeniu Rosca +Analyzed-by: Yoshihiro Shimoda +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/sh/rcar-dmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c +index 33ab1b607e2b0..54de669c38b84 100644 +--- a/drivers/dma/sh/rcar-dmac.c ++++ b/drivers/dma/sh/rcar-dmac.c +@@ -1165,7 +1165,7 @@ rcar_dmac_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl, + struct rcar_dmac_chan *rchan = to_rcar_dmac_chan(chan); + + /* Someone calling slave DMA on a generic channel? */ +- if (rchan->mid_rid < 0 || !sg_len) { ++ if (rchan->mid_rid < 0 || !sg_len || !sg_dma_len(sgl)) { + dev_warn(chan->device->dev, + "%s: bad parameter: len=%d, id=%d\n", + __func__, sg_len, rchan->mid_rid); +-- +2.20.1 + diff --git a/queue-5.2/dmaengine-tegra-apb-error-out-if-dma_prep_interrupt-.patch b/queue-5.2/dmaengine-tegra-apb-error-out-if-dma_prep_interrupt-.patch new file mode 100644 index 00000000000..c7c5b3b6e1c --- /dev/null +++ b/queue-5.2/dmaengine-tegra-apb-error-out-if-dma_prep_interrupt-.patch @@ -0,0 +1,58 @@ +From 6cc85502f71f3babd1403697f27b9095cb95aa44 Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Thu, 30 May 2019 00:43:55 +0300 +Subject: dmaengine: tegra-apb: Error out if DMA_PREP_INTERRUPT flag is unset + +[ Upstream commit dc161064beb83c668e0f85766b92b1e7ed186e58 ] + +Apparently driver was never tested with DMA_PREP_INTERRUPT flag being +unset since it completely disables interrupt handling instead of skipping +the callbacks invocations, hence putting channel into unusable state. + +The flag is always set by all of kernel drivers that use APB DMA, so let's +error out in otherwise case for consistency. It won't be difficult to +support that case properly if ever will be needed. + +Signed-off-by: Dmitry Osipenko +Acked-by: Jon Hunter +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/tegra20-apb-dma.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/tegra20-apb-dma.c b/drivers/dma/tegra20-apb-dma.c +index ef317c90fbe1e..79e9593815f12 100644 +--- a/drivers/dma/tegra20-apb-dma.c ++++ b/drivers/dma/tegra20-apb-dma.c +@@ -977,8 +977,12 @@ static struct dma_async_tx_descriptor *tegra_dma_prep_slave_sg( + csr |= tdc->slave_id << TEGRA_APBDMA_CSR_REQ_SEL_SHIFT; + } + +- if (flags & DMA_PREP_INTERRUPT) ++ if (flags & DMA_PREP_INTERRUPT) { + csr |= TEGRA_APBDMA_CSR_IE_EOC; ++ } else { ++ WARN_ON_ONCE(1); ++ return NULL; ++ } + + apb_seq |= TEGRA_APBDMA_APBSEQ_WRAP_WORD_1; + +@@ -1120,8 +1124,12 @@ static struct dma_async_tx_descriptor *tegra_dma_prep_dma_cyclic( + csr |= tdc->slave_id << TEGRA_APBDMA_CSR_REQ_SEL_SHIFT; + } + +- if (flags & DMA_PREP_INTERRUPT) ++ if (flags & DMA_PREP_INTERRUPT) { + csr |= TEGRA_APBDMA_CSR_IE_EOC; ++ } else { ++ WARN_ON_ONCE(1); ++ return NULL; ++ } + + apb_seq |= TEGRA_APBDMA_APBSEQ_WRAP_WORD_1; + +-- +2.20.1 + diff --git a/queue-5.2/drivers-rapidio-devices-rio_mport_cdev.c-nul-termina.patch b/queue-5.2/drivers-rapidio-devices-rio_mport_cdev.c-nul-termina.patch new file mode 100644 index 00000000000..d697cd36164 --- /dev/null +++ b/queue-5.2/drivers-rapidio-devices-rio_mport_cdev.c-nul-termina.patch @@ -0,0 +1,47 @@ +From 19ce420d7089ef6021c3bc00c572d44a16488f20 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 16 Jul 2019 16:30:03 -0700 +Subject: drivers/rapidio/devices/rio_mport_cdev.c: NUL terminate some strings + +[ Upstream commit 156e0b1a8112b76e351684ac948c59757037ac36 ] + +The dev_info.name[] array has space for RIO_MAX_DEVNAME_SZ + 1 +characters. But the problem here is that we don't ensure that the user +put a NUL terminator on the end of the string. It could lead to an out +of bounds read. + +Link: http://lkml.kernel.org/r/20190529110601.GB19119@mwanda +Fixes: e8de370188d0 ("rapidio: add mport char device driver") +Signed-off-by: Dan Carpenter +Acked-by: Alexandre Bounine +Cc: Ira Weiny +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/rapidio/devices/rio_mport_cdev.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c +index ce7a90e680422..8155f59ece38d 100644 +--- a/drivers/rapidio/devices/rio_mport_cdev.c ++++ b/drivers/rapidio/devices/rio_mport_cdev.c +@@ -1686,6 +1686,7 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv, + + if (copy_from_user(&dev_info, arg, sizeof(dev_info))) + return -EFAULT; ++ dev_info.name[sizeof(dev_info.name) - 1] = '\0'; + + rmcd_debug(RDEV, "name:%s ct:0x%x did:0x%x hc:0x%x", dev_info.name, + dev_info.comptag, dev_info.destid, dev_info.hopcount); +@@ -1817,6 +1818,7 @@ static int rio_mport_del_riodev(struct mport_cdev_priv *priv, void __user *arg) + + if (copy_from_user(&dev_info, arg, sizeof(dev_info))) + return -EFAULT; ++ dev_info.name[sizeof(dev_info.name) - 1] = '\0'; + + mport = priv->md->mport; + +-- +2.20.1 + diff --git a/queue-5.2/drm-amd-display-expose-audio-inst-from-dc-to-dm.patch b/queue-5.2/drm-amd-display-expose-audio-inst-from-dc-to-dm.patch new file mode 100644 index 00000000000..0a9be4168a4 --- /dev/null +++ b/queue-5.2/drm-amd-display-expose-audio-inst-from-dc-to-dm.patch @@ -0,0 +1,56 @@ +From 005f18b0666e3384d3d9d138475a432d7f72b94d Mon Sep 17 00:00:00 2001 +From: Nicholas Kazlauskas +Date: Fri, 28 Jun 2019 13:39:41 -0400 +Subject: drm/amd/display: Expose audio inst from DC to DM + +[ Upstream commit 5fdb7c4c7f2691efd760b0b0dc00da4a3699f1a6 ] + +[Why] +In order to give pin notifications to the sound driver from DM we need +to know whether audio is enabled on a stream and what pin it's using +from DC. + +[How] +Expose the instance via stream status if it's a mapped resource for +the stream. It will be -1 if there's no audio mapped. + +Cc: Leo Li +Cc: Harry Wentland +Signed-off-by: Nicholas Kazlauskas +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 3 +++ + drivers/gpu/drm/amd/display/dc/dc_stream.h | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +index eac7186e4f084..12142d13f22f2 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +@@ -2034,6 +2034,9 @@ enum dc_status resource_map_pool_resources( + if (context->streams[i] == stream) { + context->stream_status[i].primary_otg_inst = pipe_ctx->stream_res.tg->inst; + context->stream_status[i].stream_enc_inst = pipe_ctx->stream_res.stream_enc->id; ++ context->stream_status[i].audio_inst = ++ pipe_ctx->stream_res.audio ? pipe_ctx->stream_res.audio->inst : -1; ++ + return DC_OK; + } + +diff --git a/drivers/gpu/drm/amd/display/dc/dc_stream.h b/drivers/gpu/drm/amd/display/dc/dc_stream.h +index 189bdab929a55..c20803b71fa52 100644 +--- a/drivers/gpu/drm/amd/display/dc/dc_stream.h ++++ b/drivers/gpu/drm/amd/display/dc/dc_stream.h +@@ -42,6 +42,7 @@ struct dc_stream_status { + int primary_otg_inst; + int stream_enc_inst; + int plane_count; ++ int audio_inst; + struct timing_sync_info timing_sync_info; + struct dc_plane_state *plane_states[MAX_SURFACE_NUM]; + }; +-- +2.20.1 + diff --git a/queue-5.2/drm-nouveau-dmem-missing-mutex_lock-in-error-path.patch b/queue-5.2/drm-nouveau-dmem-missing-mutex_lock-in-error-path.patch new file mode 100644 index 00000000000..5685b7b6cbc --- /dev/null +++ b/queue-5.2/drm-nouveau-dmem-missing-mutex_lock-in-error-path.patch @@ -0,0 +1,109 @@ +From c56893d0d7faeeae567ccbca0b311731440848d0 Mon Sep 17 00:00:00 2001 +From: Ralph Campbell +Date: Fri, 14 Jun 2019 13:20:03 -0700 +Subject: drm/nouveau/dmem: missing mutex_lock in error path + +[ Upstream commit d304654bd79332ace9ac46b9a3d8de60acb15da3 ] + +In nouveau_dmem_pages_alloc(), the drm->dmem->mutex is unlocked before +calling nouveau_dmem_chunk_alloc() as shown when CONFIG_PROVE_LOCKING +is enabled: + +[ 1294.871933] ===================================== +[ 1294.876656] WARNING: bad unlock balance detected! +[ 1294.881375] 5.2.0-rc3+ #5 Not tainted +[ 1294.885048] ------------------------------------- +[ 1294.889773] test-malloc-vra/6299 is trying to release lock (&drm->dmem->mutex) at: +[ 1294.897482] [] nouveau_dmem_migrate_alloc_and_copy+0x79f/0xbf0 [nouveau] +[ 1294.905782] but there are no more locks to release! +[ 1294.910690] +[ 1294.910690] other info that might help us debug this: +[ 1294.917249] 1 lock held by test-malloc-vra/6299: +[ 1294.921881] #0: 0000000016e10454 (&mm->mmap_sem#2){++++}, at: nouveau_svmm_bind+0x142/0x210 [nouveau] +[ 1294.931313] +[ 1294.931313] stack backtrace: +[ 1294.935702] CPU: 4 PID: 6299 Comm: test-malloc-vra Not tainted 5.2.0-rc3+ #5 +[ 1294.942786] Hardware name: ASUS X299-A/PRIME X299-A, BIOS 1401 05/21/2018 +[ 1294.949590] Call Trace: +[ 1294.952059] dump_stack+0x7c/0xc0 +[ 1294.955469] ? nouveau_dmem_migrate_alloc_and_copy+0x79f/0xbf0 [nouveau] +[ 1294.962213] print_unlock_imbalance_bug.cold.52+0xca/0xcf +[ 1294.967641] lock_release+0x306/0x380 +[ 1294.971383] ? nouveau_dmem_migrate_alloc_and_copy+0x79f/0xbf0 [nouveau] +[ 1294.978089] ? lock_downgrade+0x2d0/0x2d0 +[ 1294.982121] ? find_held_lock+0xac/0xd0 +[ 1294.985979] __mutex_unlock_slowpath+0x8f/0x3f0 +[ 1294.990540] ? wait_for_completion+0x230/0x230 +[ 1294.995002] ? rwlock_bug.part.2+0x60/0x60 +[ 1294.999197] nouveau_dmem_migrate_alloc_and_copy+0x79f/0xbf0 [nouveau] +[ 1295.005751] ? page_mapping+0x98/0x110 +[ 1295.009511] migrate_vma+0xa74/0x1090 +[ 1295.013186] ? move_to_new_page+0x480/0x480 +[ 1295.017400] ? __kmalloc+0x153/0x300 +[ 1295.021052] ? nouveau_dmem_migrate_vma+0xd8/0x1e0 [nouveau] +[ 1295.026796] nouveau_dmem_migrate_vma+0x157/0x1e0 [nouveau] +[ 1295.032466] ? nouveau_dmem_init+0x490/0x490 [nouveau] +[ 1295.037612] ? vmacache_find+0xc2/0x110 +[ 1295.041537] nouveau_svmm_bind+0x1b4/0x210 [nouveau] +[ 1295.046583] ? nouveau_svm_fault+0x13e0/0x13e0 [nouveau] +[ 1295.051912] drm_ioctl_kernel+0x14d/0x1a0 +[ 1295.055930] ? drm_setversion+0x330/0x330 +[ 1295.059971] drm_ioctl+0x308/0x530 +[ 1295.063384] ? drm_version+0x150/0x150 +[ 1295.067153] ? find_held_lock+0xac/0xd0 +[ 1295.070996] ? __pm_runtime_resume+0x3f/0xa0 +[ 1295.075285] ? mark_held_locks+0x29/0xa0 +[ 1295.079230] ? _raw_spin_unlock_irqrestore+0x3c/0x50 +[ 1295.084232] ? lockdep_hardirqs_on+0x17d/0x250 +[ 1295.088768] nouveau_drm_ioctl+0x9a/0x100 [nouveau] +[ 1295.093661] do_vfs_ioctl+0x137/0x9a0 +[ 1295.097341] ? ioctl_preallocate+0x140/0x140 +[ 1295.101623] ? match_held_lock+0x1b/0x230 +[ 1295.105646] ? match_held_lock+0x1b/0x230 +[ 1295.109660] ? find_held_lock+0xac/0xd0 +[ 1295.113512] ? __do_page_fault+0x324/0x630 +[ 1295.117617] ? lock_downgrade+0x2d0/0x2d0 +[ 1295.121648] ? mark_held_locks+0x79/0xa0 +[ 1295.125583] ? handle_mm_fault+0x352/0x430 +[ 1295.129687] ksys_ioctl+0x60/0x90 +[ 1295.133020] ? mark_held_locks+0x29/0xa0 +[ 1295.136964] __x64_sys_ioctl+0x3d/0x50 +[ 1295.140726] do_syscall_64+0x68/0x250 +[ 1295.144400] entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 1295.149465] RIP: 0033:0x7f1a3495809b +[ 1295.153053] Code: 0f 1e fa 48 8b 05 ed bd 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d bd bd 0c 00 f7 d8 64 89 01 48 +[ 1295.171850] RSP: 002b:00007ffef7ed1358 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +[ 1295.179451] RAX: ffffffffffffffda RBX: 00007ffef7ed1628 RCX: 00007f1a3495809b +[ 1295.186601] RDX: 00007ffef7ed13b0 RSI: 0000000040406449 RDI: 0000000000000004 +[ 1295.193759] RBP: 00007ffef7ed13b0 R08: 0000000000000000 R09: 000000000157e770 +[ 1295.200917] R10: 000000000151c010 R11: 0000000000000246 R12: 0000000040406449 +[ 1295.208083] R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000 + +Reacquire the lock before continuing to the next page. + +Signed-off-by: Ralph Campbell +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_dmem.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_dmem.c b/drivers/gpu/drm/nouveau/nouveau_dmem.c +index 40c47d6a7d783..745e197a47751 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_dmem.c ++++ b/drivers/gpu/drm/nouveau/nouveau_dmem.c +@@ -385,9 +385,10 @@ nouveau_dmem_pages_alloc(struct nouveau_drm *drm, + ret = nouveau_dmem_chunk_alloc(drm); + if (ret) { + if (c) +- break; ++ return 0; + return ret; + } ++ mutex_lock(&drm->dmem->mutex); + continue; + } + +-- +2.20.1 + diff --git a/queue-5.2/drm-nouveau-fix-memory-leak-in-nouveau_conn_reset.patch b/queue-5.2/drm-nouveau-fix-memory-leak-in-nouveau_conn_reset.patch new file mode 100644 index 00000000000..c8d249e37ce --- /dev/null +++ b/queue-5.2/drm-nouveau-fix-memory-leak-in-nouveau_conn_reset.patch @@ -0,0 +1,61 @@ +From f10226f4288c32e2595d3dc4847eece22241feb0 Mon Sep 17 00:00:00 2001 +From: Yongxin Liu +Date: Mon, 1 Jul 2019 09:46:22 +0800 +Subject: drm/nouveau: fix memory leak in nouveau_conn_reset() + +[ Upstream commit 09b90e2fe35faeace2488234e2a7728f2ea8ba26 ] + +In nouveau_conn_reset(), if connector->state is true, +__drm_atomic_helper_connector_destroy_state() will be called, +but the memory pointed by asyc isn't freed. Memory leak happens +in the following function __drm_atomic_helper_connector_reset(), +where newly allocated asyc->state will be assigned to connector->state. + +So using nouveau_conn_atomic_destroy_state() instead of +__drm_atomic_helper_connector_destroy_state to free the "old" asyc. + +Here the is the log showing memory leak. + +unreferenced object 0xffff8c5480483c80 (size 192): + comm "kworker/0:2", pid 188, jiffies 4294695279 (age 53.179s) + hex dump (first 32 bytes): + 00 f0 ba 7b 54 8c ff ff 00 00 00 00 00 00 00 00 ...{T........... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<000000005005c0d0>] kmem_cache_alloc_trace+0x195/0x2c0 + [<00000000a122baed>] nouveau_conn_reset+0x25/0xc0 [nouveau] + [<000000004fd189a2>] nouveau_connector_create+0x3a7/0x610 [nouveau] + [<00000000c73343a8>] nv50_display_create+0x343/0x980 [nouveau] + [<000000002e2b03c3>] nouveau_display_create+0x51f/0x660 [nouveau] + [<00000000c924699b>] nouveau_drm_device_init+0x182/0x7f0 [nouveau] + [<00000000cc029436>] nouveau_drm_probe+0x20c/0x2c0 [nouveau] + [<000000007e961c3e>] local_pci_probe+0x47/0xa0 + [<00000000da14d569>] work_for_cpu_fn+0x1a/0x30 + [<0000000028da4805>] process_one_work+0x27c/0x660 + [<000000001d415b04>] worker_thread+0x22b/0x3f0 + [<0000000003b69f1f>] kthread+0x12f/0x150 + [<00000000c94c29b7>] ret_from_fork+0x3a/0x50 + +Signed-off-by: Yongxin Liu +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_connector.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c +index 4116ee62adafe..f69ff22beee03 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -252,7 +252,7 @@ nouveau_conn_reset(struct drm_connector *connector) + return; + + if (connector->state) +- __drm_atomic_helper_connector_destroy_state(connector->state); ++ nouveau_conn_atomic_destroy_state(connector, connector->state); + __drm_atomic_helper_connector_reset(connector, &asyc->state); + asyc->dither.mode = DITHERING_MODE_AUTO; + asyc->dither.depth = DITHERING_DEPTH_AUTO; +-- +2.20.1 + diff --git a/queue-5.2/firmware-psci-psci_checker-park-kthreads-before-stop.patch b/queue-5.2/firmware-psci-psci_checker-park-kthreads-before-stop.patch new file mode 100644 index 00000000000..fe0a6f84f89 --- /dev/null +++ b/queue-5.2/firmware-psci-psci_checker-park-kthreads-before-stop.patch @@ -0,0 +1,79 @@ +From 483aea1975d10d94a74933799599d1ba9acd7a01 Mon Sep 17 00:00:00 2001 +From: Jean-Philippe Brucker +Date: Mon, 10 Jun 2019 18:38:29 +0100 +Subject: firmware/psci: psci_checker: Park kthreads before stopping them + +[ Upstream commit 92e074acf6f7694e96204265eb18ac113f546e80 ] + +Since commit 85f1abe0019f ("kthread, sched/wait: Fix kthread_parkme() +completion issue"), kthreads that are bound to a CPU must be parked +before being stopped. At the moment the PSCI checker calls +kthread_stop() directly on the suspend kthread, which triggers the +following warning: + +[ 6.068288] WARNING: CPU: 1 PID: 1 at kernel/kthread.c:398 __kthread_bind_mask+0x20/0x78 + ... +[ 6.190151] Call trace: +[ 6.192566] __kthread_bind_mask+0x20/0x78 +[ 6.196615] kthread_unpark+0x74/0x80 +[ 6.200235] kthread_stop+0x44/0x1d8 +[ 6.203769] psci_checker+0x3bc/0x484 +[ 6.207389] do_one_initcall+0x48/0x260 +[ 6.211180] kernel_init_freeable+0x2c8/0x368 +[ 6.215488] kernel_init+0x10/0x100 +[ 6.218935] ret_from_fork+0x10/0x1c +[ 6.222467] ---[ end trace e05e22863d043cd3 ]--- + +kthread_unpark() tries to bind the thread to its CPU and aborts with a +WARN() if the thread wasn't in TASK_PARKED state. Park the kthreads +before stopping them. + +Fixes: 85f1abe0019f ("kthread, sched/wait: Fix kthread_parkme() completion issue") +Signed-off-by: Jean-Philippe Brucker +Reviewed-by: Sudeep Holla +Acked-by: Lorenzo Pieralisi +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + drivers/firmware/psci/psci_checker.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/firmware/psci/psci_checker.c b/drivers/firmware/psci/psci_checker.c +index 08c85099d4d0c..f3659443f8c2c 100644 +--- a/drivers/firmware/psci/psci_checker.c ++++ b/drivers/firmware/psci/psci_checker.c +@@ -359,16 +359,16 @@ static int suspend_test_thread(void *arg) + for (;;) { + /* Needs to be set first to avoid missing a wakeup. */ + set_current_state(TASK_INTERRUPTIBLE); +- if (kthread_should_stop()) { +- __set_current_state(TASK_RUNNING); ++ if (kthread_should_park()) + break; +- } + schedule(); + } + + pr_info("CPU %d suspend test results: success %d, shallow states %d, errors %d\n", + cpu, nb_suspend, nb_shallow_sleep, nb_err); + ++ kthread_parkme(); ++ + return nb_err; + } + +@@ -433,8 +433,10 @@ static int suspend_tests(void) + + + /* Stop and destroy all threads, get return status. */ +- for (i = 0; i < nb_threads; ++i) ++ for (i = 0; i < nb_threads; ++i) { ++ err += kthread_park(threads[i]); + err += kthread_stop(threads[i]); ++ } + out: + cpuidle_resume_and_unlock(); + kfree(threads); +-- +2.20.1 + diff --git a/queue-5.2/fs-adfs-super-fix-use-after-free-bug.patch b/queue-5.2/fs-adfs-super-fix-use-after-free-bug.patch new file mode 100644 index 00000000000..c107e1c5b5a --- /dev/null +++ b/queue-5.2/fs-adfs-super-fix-use-after-free-bug.patch @@ -0,0 +1,45 @@ +From 1a8239b2e7eb3ba681a73fb1696c2aac32c2b6df Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Tue, 4 Jun 2019 14:50:14 +0100 +Subject: fs/adfs: super: fix use-after-free bug + +[ Upstream commit 5808b14a1f52554de612fee85ef517199855e310 ] + +Fix a use-after-free bug during filesystem initialisation, where we +access the disc record (which is stored in a buffer) after we have +released the buffer. + +Signed-off-by: Russell King +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/adfs/super.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/adfs/super.c b/fs/adfs/super.c +index ffb669f9bba78..ce0fbbe002bf3 100644 +--- a/fs/adfs/super.c ++++ b/fs/adfs/super.c +@@ -360,6 +360,7 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent) + struct buffer_head *bh; + struct object_info root_obj; + unsigned char *b_data; ++ unsigned int blocksize; + struct adfs_sb_info *asb; + struct inode *root; + int ret = -EINVAL; +@@ -411,8 +412,10 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent) + goto error_free_bh; + } + ++ blocksize = 1 << dr->log2secsize; + brelse(bh); +- if (sb_set_blocksize(sb, 1 << dr->log2secsize)) { ++ ++ if (sb_set_blocksize(sb, blocksize)) { + bh = sb_bread(sb, ADFS_DISCRECORD / sb->s_blocksize); + if (!bh) { + adfs_error(sb, "couldn't read superblock on " +-- +2.20.1 + diff --git a/queue-5.2/ftrace-enable-trampoline-when-rec-count-returns-back.patch b/queue-5.2/ftrace-enable-trampoline-when-rec-count-returns-back.patch new file mode 100644 index 00000000000..eb46f50b5d5 --- /dev/null +++ b/queue-5.2/ftrace-enable-trampoline-when-rec-count-returns-back.patch @@ -0,0 +1,105 @@ +From 100cadc13e5e204701bbdc7b04e2a8145a76b250 Mon Sep 17 00:00:00 2001 +From: Cheng Jian +Date: Sat, 4 May 2019 19:39:39 +0800 +Subject: ftrace: Enable trampoline when rec count returns back to one + +[ Upstream commit a124692b698b00026a58d89831ceda2331b2e1d0 ] + +Custom trampolines can only be enabled if there is only a single ops +attached to it. If there's only a single callback registered to a function, +and the ops has a trampoline registered for it, then we can call the +trampoline directly. This is very useful for improving the performance of +ftrace and livepatch. + +If more than one callback is registered to a function, the general +trampoline is used, and the custom trampoline is not restored back to the +direct call even if all the other callbacks were unregistered and we are +back to one callback for the function. + +To fix this, set FTRACE_FL_TRAMP flag if rec count is decremented +to one, and the ops that left has a trampoline. + +Testing After this patch : + +insmod livepatch_unshare_files.ko +cat /sys/kernel/debug/tracing/enabled_functions + + unshare_files (1) R I tramp: 0xffffffffc0000000(klp_ftrace_handler+0x0/0xa0) ->ftrace_ops_assist_func+0x0/0xf0 + +echo unshare_files > /sys/kernel/debug/tracing/set_ftrace_filter +echo function > /sys/kernel/debug/tracing/current_tracer +cat /sys/kernel/debug/tracing/enabled_functions + + unshare_files (2) R I ->ftrace_ops_list_func+0x0/0x150 + +echo nop > /sys/kernel/debug/tracing/current_tracer +cat /sys/kernel/debug/tracing/enabled_functions + + unshare_files (1) R I tramp: 0xffffffffc0000000(klp_ftrace_handler+0x0/0xa0) ->ftrace_ops_assist_func+0x0/0xf0 + +Link: http://lkml.kernel.org/r/1556969979-111047-1-git-send-email-cj.chengjian@huawei.com + +Signed-off-by: Cheng Jian +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/ftrace.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index 576c41644e77c..208220d526e83 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -1622,6 +1622,11 @@ static bool test_rec_ops_needs_regs(struct dyn_ftrace *rec) + return keep_regs; + } + ++static struct ftrace_ops * ++ftrace_find_tramp_ops_any(struct dyn_ftrace *rec); ++static struct ftrace_ops * ++ftrace_find_tramp_ops_next(struct dyn_ftrace *rec, struct ftrace_ops *ops); ++ + static bool __ftrace_hash_rec_update(struct ftrace_ops *ops, + int filter_hash, + bool inc) +@@ -1750,15 +1755,17 @@ static bool __ftrace_hash_rec_update(struct ftrace_ops *ops, + } + + /* +- * If the rec had TRAMP enabled, then it needs to +- * be cleared. As TRAMP can only be enabled iff +- * there is only a single ops attached to it. +- * In otherwords, always disable it on decrementing. +- * In the future, we may set it if rec count is +- * decremented to one, and the ops that is left +- * has a trampoline. ++ * The TRAMP needs to be set only if rec count ++ * is decremented to one, and the ops that is ++ * left has a trampoline. As TRAMP can only be ++ * enabled if there is only a single ops attached ++ * to it. + */ +- rec->flags &= ~FTRACE_FL_TRAMP; ++ if (ftrace_rec_count(rec) == 1 && ++ ftrace_find_tramp_ops_any(rec)) ++ rec->flags |= FTRACE_FL_TRAMP; ++ else ++ rec->flags &= ~FTRACE_FL_TRAMP; + + /* + * flags will be cleared in ftrace_check_record() +@@ -1951,11 +1958,6 @@ static void print_ip_ins(const char *fmt, const unsigned char *p) + printk(KERN_CONT "%s%02x", i ? ":" : "", p[i]); + } + +-static struct ftrace_ops * +-ftrace_find_tramp_ops_any(struct dyn_ftrace *rec); +-static struct ftrace_ops * +-ftrace_find_tramp_ops_next(struct dyn_ftrace *rec, struct ftrace_ops *ops); +- + enum ftrace_bug_type ftrace_bug_type; + const void *ftrace_expected; + +-- +2.20.1 + diff --git a/queue-5.2/ipc-mqueue.c-only-perform-resource-calculation-if-us.patch b/queue-5.2/ipc-mqueue.c-only-perform-resource-calculation-if-us.patch new file mode 100644 index 00000000000..f7feab9a50e --- /dev/null +++ b/queue-5.2/ipc-mqueue.c-only-perform-resource-calculation-if-us.patch @@ -0,0 +1,103 @@ +From a61ca98ac7d339aa7b2b598e4213f0b4e53b75ae Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Tue, 16 Jul 2019 16:30:21 -0700 +Subject: ipc/mqueue.c: only perform resource calculation if user valid + +[ Upstream commit a318f12ed8843cfac53198390c74a565c632f417 ] + +Andreas Christoforou reported: + + UBSAN: Undefined behaviour in ipc/mqueue.c:414:49 signed integer overflow: + 9 * 2305843009213693951 cannot be represented in type 'long int' + ... + Call Trace: + mqueue_evict_inode+0x8e7/0xa10 ipc/mqueue.c:414 + evict+0x472/0x8c0 fs/inode.c:558 + iput_final fs/inode.c:1547 [inline] + iput+0x51d/0x8c0 fs/inode.c:1573 + mqueue_get_inode+0x8eb/0x1070 ipc/mqueue.c:320 + mqueue_create_attr+0x198/0x440 ipc/mqueue.c:459 + vfs_mkobj+0x39e/0x580 fs/namei.c:2892 + prepare_open ipc/mqueue.c:731 [inline] + do_mq_open+0x6da/0x8e0 ipc/mqueue.c:771 + +Which could be triggered by: + + struct mq_attr attr = { + .mq_flags = 0, + .mq_maxmsg = 9, + .mq_msgsize = 0x1fffffffffffffff, + .mq_curmsgs = 0, + }; + + if (mq_open("/testing", 0x40, 3, &attr) == (mqd_t) -1) + perror("mq_open"); + +mqueue_get_inode() was correctly rejecting the giant mq_msgsize, and +preparing to return -EINVAL. During the cleanup, it calls +mqueue_evict_inode() which performed resource usage tracking math for +updating "user", before checking if there was a valid "user" at all +(which would indicate that the calculations would be sane). Instead, +delay this check to after seeing a valid "user". + +The overflow was real, but the results went unused, so while the flaw is +harmless, it's noisy for kernel fuzzers, so just fix it by moving the +calculation under the non-NULL "user" where it actually gets used. + +Link: http://lkml.kernel.org/r/201906072207.ECB65450@keescook +Signed-off-by: Kees Cook +Reported-by: Andreas Christoforou +Acked-by: "Eric W. Biederman" +Cc: Al Viro +Cc: Arnd Bergmann +Cc: Davidlohr Bueso +Cc: Manfred Spraul +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + ipc/mqueue.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/ipc/mqueue.c b/ipc/mqueue.c +index 216cad1ff0d0c..65c351564ad08 100644 +--- a/ipc/mqueue.c ++++ b/ipc/mqueue.c +@@ -438,7 +438,6 @@ static void mqueue_evict_inode(struct inode *inode) + { + struct mqueue_inode_info *info; + struct user_struct *user; +- unsigned long mq_bytes, mq_treesize; + struct ipc_namespace *ipc_ns; + struct msg_msg *msg, *nmsg; + LIST_HEAD(tmp_msg); +@@ -461,16 +460,18 @@ static void mqueue_evict_inode(struct inode *inode) + free_msg(msg); + } + +- /* Total amount of bytes accounted for the mqueue */ +- mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) + +- min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) * +- sizeof(struct posix_msg_tree_node); +- +- mq_bytes = mq_treesize + (info->attr.mq_maxmsg * +- info->attr.mq_msgsize); +- + user = info->user; + if (user) { ++ unsigned long mq_bytes, mq_treesize; ++ ++ /* Total amount of bytes accounted for the mqueue */ ++ mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) + ++ min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) * ++ sizeof(struct posix_msg_tree_node); ++ ++ mq_bytes = mq_treesize + (info->attr.mq_maxmsg * ++ info->attr.mq_msgsize); ++ + spin_lock(&mq_lock); + user->mq_bytes -= mq_bytes; + /* +-- +2.20.1 + diff --git a/queue-5.2/kernel-module.c-only-return-eexist-for-modules-that-.patch b/queue-5.2/kernel-module.c-only-return-eexist-for-modules-that-.patch new file mode 100644 index 00000000000..62b7ad30aa9 --- /dev/null +++ b/queue-5.2/kernel-module.c-only-return-eexist-for-modules-that-.patch @@ -0,0 +1,74 @@ +From 3ab4e9addea88b9e0fd9099595242c90169675f8 Mon Sep 17 00:00:00 2001 +From: Prarit Bhargava +Date: Wed, 29 May 2019 07:26:25 -0400 +Subject: kernel/module.c: Only return -EEXIST for modules that have finished + loading + +[ Upstream commit 6e6de3dee51a439f76eb73c22ae2ffd2c9384712 ] + +Microsoft HyperV disables the X86_FEATURE_SMCA bit on AMD systems, and +linux guests boot with repeated errors: + +amd64_edac_mod: Unknown symbol amd_unregister_ecc_decoder (err -2) +amd64_edac_mod: Unknown symbol amd_register_ecc_decoder (err -2) +amd64_edac_mod: Unknown symbol amd_report_gart_errors (err -2) +amd64_edac_mod: Unknown symbol amd_unregister_ecc_decoder (err -2) +amd64_edac_mod: Unknown symbol amd_register_ecc_decoder (err -2) +amd64_edac_mod: Unknown symbol amd_report_gart_errors (err -2) + +The warnings occur because the module code erroneously returns -EEXIST +for modules that have failed to load and are in the process of being +removed from the module list. + +module amd64_edac_mod has a dependency on module edac_mce_amd. Using +modules.dep, systemd will load edac_mce_amd for every request of +amd64_edac_mod. When the edac_mce_amd module loads, the module has +state MODULE_STATE_UNFORMED and once the module load fails and the state +becomes MODULE_STATE_GOING. Another request for edac_mce_amd module +executes and add_unformed_module() will erroneously return -EEXIST even +though the previous instance of edac_mce_amd has MODULE_STATE_GOING. +Upon receiving -EEXIST, systemd attempts to load amd64_edac_mod, which +fails because of unknown symbols from edac_mce_amd. + +add_unformed_module() must wait to return for any case other than +MODULE_STATE_LIVE to prevent a race between multiple loads of +dependent modules. + +Signed-off-by: Prarit Bhargava +Signed-off-by: Barret Rhoden +Cc: David Arcari +Cc: Jessica Yu +Cc: Heiko Carstens +Signed-off-by: Jessica Yu +Signed-off-by: Sasha Levin +--- + kernel/module.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/kernel/module.c b/kernel/module.c +index 80c7c09584cf9..8431c3d47c97b 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -3385,8 +3385,7 @@ static bool finished_loading(const char *name) + sched_annotate_sleep(); + mutex_lock(&module_mutex); + mod = find_module_all(name, strlen(name), true); +- ret = !mod || mod->state == MODULE_STATE_LIVE +- || mod->state == MODULE_STATE_GOING; ++ ret = !mod || mod->state == MODULE_STATE_LIVE; + mutex_unlock(&module_mutex); + + return ret; +@@ -3576,8 +3575,7 @@ again: + mutex_lock(&module_mutex); + old = find_module_all(mod->name, strlen(mod->name), true); + if (old != NULL) { +- if (old->state == MODULE_STATE_COMING +- || old->state == MODULE_STATE_UNFORMED) { ++ if (old->state != MODULE_STATE_LIVE) { + /* Wait in case it fails to load. */ + mutex_unlock(&module_mutex); + err = wait_event_interruptible(module_wq, +-- +2.20.1 + diff --git a/queue-5.2/kvm-nvmx-ignore-segment-base-for-vmx-memory-operand-.patch b/queue-5.2/kvm-nvmx-ignore-segment-base-for-vmx-memory-operand-.patch new file mode 100644 index 00000000000..f2970118a43 --- /dev/null +++ b/queue-5.2/kvm-nvmx-ignore-segment-base-for-vmx-memory-operand-.patch @@ -0,0 +1,48 @@ +From 2542e0ed6c0861f97eb16170429b0d822e44ce28 Mon Sep 17 00:00:00 2001 +From: Liran Alon +Date: Mon, 15 Jul 2019 18:47:44 +0300 +Subject: KVM: nVMX: Ignore segment base for VMX memory operand when segment + not FS or GS + +[ Upstream commit 6694e48012826351036fd10fc506ca880023e25f ] + +As reported by Maxime at +https://bugzilla.kernel.org/show_bug.cgi?id=204175: + +In vmx/nested.c::get_vmx_mem_address(), when the guest runs in long mode, +the base address of the memory operand is computed with a simple: + *ret = s.base + off; + +This is incorrect, the base applies only to FS and GS, not to the others. +Because of that, if the guest uses a VMX instruction based on DS and has +a DS.base that is non-zero, KVM wrongfully adds the base to the +resulting address. + +Reported-by: Maxime Villard +Reviewed-by: Joao Martins +Signed-off-by: Liran Alon +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx/nested.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c +index ef6575ab60edc..b96723294b2f3 100644 +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -4087,7 +4087,10 @@ int get_vmx_mem_address(struct kvm_vcpu *vcpu, unsigned long exit_qualification, + * mode, e.g. a 32-bit address size can yield a 64-bit virtual + * address when using FS/GS with a non-zero base. + */ +- *ret = s.base + off; ++ if (seg_reg == VCPU_SREG_FS || seg_reg == VCPU_SREG_GS) ++ *ret = s.base + off; ++ else ++ *ret = off; + + /* Long mode: #GP(0)/#SS(0) if the memory address is in a + * non-canonical form. This is the only check on the memory +-- +2.20.1 + diff --git a/queue-5.2/lib-test_overflow.c-avoid-tainting-the-kernel-and-fi.patch b/queue-5.2/lib-test_overflow.c-avoid-tainting-the-kernel-and-fi.patch new file mode 100644 index 00000000000..f95af093804 --- /dev/null +++ b/queue-5.2/lib-test_overflow.c-avoid-tainting-the-kernel-and-fi.patch @@ -0,0 +1,54 @@ +From 0d417228e3b0d9d7d3e160b35c6433b317a7376b Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Tue, 16 Jul 2019 16:27:24 -0700 +Subject: lib/test_overflow.c: avoid tainting the kernel and fix wrap size + +[ Upstream commit 8e060c21ae2c265a2b596e9e7f9f97ec274151a4 ] + +This adds __GFP_NOWARN to the kmalloc()-portions of the overflow test to +avoid tainting the kernel. Additionally fixes up the math on wrap size +to be architecture and page size agnostic. + +Link: http://lkml.kernel.org/r/201905282012.0A8767E24@keescook +Fixes: ca90800a91ba ("test_overflow: Add memory allocation overflow tests") +Signed-off-by: Kees Cook +Reported-by: Randy Dunlap +Suggested-by: Rasmus Villemoes +Cc: Joe Perches +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/test_overflow.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/lib/test_overflow.c b/lib/test_overflow.c +index fc680562d8b69..7a4b6f6c5473c 100644 +--- a/lib/test_overflow.c ++++ b/lib/test_overflow.c +@@ -486,16 +486,17 @@ static int __init test_overflow_shift(void) + * Deal with the various forms of allocator arguments. See comments above + * the DEFINE_TEST_ALLOC() instances for mapping of the "bits". + */ +-#define alloc010(alloc, arg, sz) alloc(sz, GFP_KERNEL) +-#define alloc011(alloc, arg, sz) alloc(sz, GFP_KERNEL, NUMA_NO_NODE) ++#define alloc_GFP (GFP_KERNEL | __GFP_NOWARN) ++#define alloc010(alloc, arg, sz) alloc(sz, alloc_GFP) ++#define alloc011(alloc, arg, sz) alloc(sz, alloc_GFP, NUMA_NO_NODE) + #define alloc000(alloc, arg, sz) alloc(sz) + #define alloc001(alloc, arg, sz) alloc(sz, NUMA_NO_NODE) +-#define alloc110(alloc, arg, sz) alloc(arg, sz, GFP_KERNEL) ++#define alloc110(alloc, arg, sz) alloc(arg, sz, alloc_GFP) + #define free0(free, arg, ptr) free(ptr) + #define free1(free, arg, ptr) free(arg, ptr) + +-/* Wrap around to 8K */ +-#define TEST_SIZE (9 << PAGE_SHIFT) ++/* Wrap around to 16K */ ++#define TEST_SIZE (5 * 4096) + + #define DEFINE_TEST_ALLOC(func, free_func, want_arg, want_gfp, want_node)\ + static int __init test_ ## func (void *arg) \ +-- +2.20.1 + diff --git a/queue-5.2/lib-test_string.c-avoid-masking-memset16-32-64-failu.patch b/queue-5.2/lib-test_string.c-avoid-masking-memset16-32-64-failu.patch new file mode 100644 index 00000000000..71bcddd2ee2 --- /dev/null +++ b/queue-5.2/lib-test_string.c-avoid-masking-memset16-32-64-failu.patch @@ -0,0 +1,58 @@ +From 9b3a96958a681a0b5fce1fca41a81e8382fb5e5a Mon Sep 17 00:00:00 2001 +From: Peter Rosin +Date: Tue, 16 Jul 2019 16:27:18 -0700 +Subject: lib/test_string.c: avoid masking memset16/32/64 failures + +[ Upstream commit 33d6e0ff68af74be0c846c8e042e84a9a1a0561e ] + +If a memsetXX implementation is completely broken and fails in the first +iteration, when i, j, and k are all zero, the failure is masked as zero +is returned. Failing in the first iteration is perhaps the most likely +failure, so this makes the tests pretty much useless. Avoid the +situation by always setting a random unused bit in the result on +failure. + +Link: http://lkml.kernel.org/r/20190506124634.6807-3-peda@axentia.se +Fixes: 03270c13c5ff ("lib/string.c: add testcases for memset16/32/64") +Signed-off-by: Peter Rosin +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/test_string.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/lib/test_string.c b/lib/test_string.c +index bf8def01ed204..b5117ae596931 100644 +--- a/lib/test_string.c ++++ b/lib/test_string.c +@@ -36,7 +36,7 @@ static __init int memset16_selftest(void) + fail: + kfree(p); + if (i < 256) +- return (i << 24) | (j << 16) | k; ++ return (i << 24) | (j << 16) | k | 0x8000; + return 0; + } + +@@ -72,7 +72,7 @@ static __init int memset32_selftest(void) + fail: + kfree(p); + if (i < 256) +- return (i << 24) | (j << 16) | k; ++ return (i << 24) | (j << 16) | k | 0x8000; + return 0; + } + +@@ -108,7 +108,7 @@ static __init int memset64_selftest(void) + fail: + kfree(p); + if (i < 256) +- return (i << 24) | (j << 16) | k; ++ return (i << 24) | (j << 16) | k | 0x8000; + return 0; + } + +-- +2.20.1 + diff --git a/queue-5.2/mips-lantiq-fix-bitfield-masking.patch b/queue-5.2/mips-lantiq-fix-bitfield-masking.patch new file mode 100644 index 00000000000..9b0ba7150a5 --- /dev/null +++ b/queue-5.2/mips-lantiq-fix-bitfield-masking.patch @@ -0,0 +1,42 @@ +From 470f63e3028937f2328cb13d5ab8d46359ea5f57 Mon Sep 17 00:00:00 2001 +From: Petr Cvek +Date: Thu, 20 Jun 2019 23:39:37 +0200 +Subject: MIPS: lantiq: Fix bitfield masking + +[ Upstream commit ba1bc0fcdeaf3bf583c1517bd2e3e29cf223c969 ] + +The modification of EXIN register doesn't clean the bitfield before +the writing of a new value. After a few modifications the bitfield would +accumulate only '1's. + +Signed-off-by: Petr Cvek +Signed-off-by: Paul Burton +Cc: hauke@hauke-m.de +Cc: john@phrozen.org +Cc: linux-mips@vger.kernel.org +Cc: openwrt-devel@lists.openwrt.org +Cc: pakahmar@hotmail.com +Signed-off-by: Sasha Levin +--- + arch/mips/lantiq/irq.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c +index cfd87e662fcf4..9c95097557c75 100644 +--- a/arch/mips/lantiq/irq.c ++++ b/arch/mips/lantiq/irq.c +@@ -154,8 +154,9 @@ static int ltq_eiu_settype(struct irq_data *d, unsigned int type) + if (edge) + irq_set_handler(d->hwirq, handle_edge_irq); + +- ltq_eiu_w32(ltq_eiu_r32(LTQ_EIU_EXIN_C) | +- (val << (i * 4)), LTQ_EIU_EXIN_C); ++ ltq_eiu_w32((ltq_eiu_r32(LTQ_EIU_EXIN_C) & ++ (~(7 << (i * 4)))) | (val << (i * 4)), ++ LTQ_EIU_EXIN_C); + } + } + +-- +2.20.1 + diff --git a/queue-5.2/mm-cma.c-fail-if-fixed-declaration-can-t-be-honored.patch b/queue-5.2/mm-cma.c-fail-if-fixed-declaration-can-t-be-honored.patch new file mode 100644 index 00000000000..61932e3247a --- /dev/null +++ b/queue-5.2/mm-cma.c-fail-if-fixed-declaration-can-t-be-honored.patch @@ -0,0 +1,68 @@ +From d8254a9deb45cdd9c3c4b49f09f562d63a9ab272 Mon Sep 17 00:00:00 2001 +From: Doug Berger +Date: Tue, 16 Jul 2019 16:26:24 -0700 +Subject: mm/cma.c: fail if fixed declaration can't be honored + +[ Upstream commit c633324e311243586675e732249339685e5d6faa ] + +The description of cma_declare_contiguous() indicates that if the +'fixed' argument is true the reserved contiguous area must be exactly at +the address of the 'base' argument. + +However, the function currently allows the 'base', 'size', and 'limit' +arguments to be silently adjusted to meet alignment constraints. This +commit enforces the documented behavior through explicit checks that +return an error if the region does not fit within a specified region. + +Link: http://lkml.kernel.org/r/1561422051-16142-1-git-send-email-opendmb@gmail.com +Fixes: 5ea3b1b2f8ad ("cma: add placement specifier for "cma=" kernel parameter") +Signed-off-by: Doug Berger +Acked-by: Michal Nazarewicz +Cc: Yue Hu +Cc: Mike Rapoport +Cc: Laura Abbott +Cc: Peng Fan +Cc: Thomas Gleixner +Cc: Marek Szyprowski +Cc: Andrey Konovalov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/cma.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/mm/cma.c b/mm/cma.c +index 3340ef34c154a..4973d253dc83a 100644 +--- a/mm/cma.c ++++ b/mm/cma.c +@@ -278,6 +278,12 @@ int __init cma_declare_contiguous(phys_addr_t base, + */ + alignment = max(alignment, (phys_addr_t)PAGE_SIZE << + max_t(unsigned long, MAX_ORDER - 1, pageblock_order)); ++ if (fixed && base & (alignment - 1)) { ++ ret = -EINVAL; ++ pr_err("Region at %pa must be aligned to %pa bytes\n", ++ &base, &alignment); ++ goto err; ++ } + base = ALIGN(base, alignment); + size = ALIGN(size, alignment); + limit &= ~(alignment - 1); +@@ -308,6 +314,13 @@ int __init cma_declare_contiguous(phys_addr_t base, + if (limit == 0 || limit > memblock_end) + limit = memblock_end; + ++ if (base + size > limit) { ++ ret = -EINVAL; ++ pr_err("Size (%pa) of region at %pa exceeds limit (%pa)\n", ++ &size, &base, &limit); ++ goto err; ++ } ++ + /* Reserve memory */ + if (fixed) { + if (memblock_is_region_reserved(base, size) || +-- +2.20.1 + diff --git a/queue-5.2/mm-hotplug-make-remove_memory-interface-usable.patch b/queue-5.2/mm-hotplug-make-remove_memory-interface-usable.patch new file mode 100644 index 00000000000..55d695c3a89 --- /dev/null +++ b/queue-5.2/mm-hotplug-make-remove_memory-interface-usable.patch @@ -0,0 +1,188 @@ +From 947d12dc0a54c69317389115eb20d8b924f24850 Mon Sep 17 00:00:00 2001 +From: Pavel Tatashin +Date: Tue, 16 Jul 2019 16:30:31 -0700 +Subject: mm/hotplug: make remove_memory() interface usable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit eca499ab3749a4537dee77ffead47a1a2c0dee19 ] + +Presently the remove_memory() interface is inherently broken. It tries +to remove memory but panics if some memory is not offline. The problem +is that it is impossible to ensure that all memory blocks are offline as +this function also takes lock_device_hotplug that is required to change +memory state via sysfs. + +So, between calling this function and offlining all memory blocks there +is always a window when lock_device_hotplug is released, and therefore, +there is always a chance for a panic during this window. + +Make this interface to return an error if memory removal fails. This +way it is safe to call this function without panicking machine, and also +makes it symmetric to add_memory() which already returns an error. + +Link: http://lkml.kernel.org/r/20190517215438.6487-3-pasha.tatashin@soleen.com +Signed-off-by: Pavel Tatashin +Reviewed-by: David Hildenbrand +Acked-by: Michal Hocko +Cc: Bjorn Helgaas +Cc: Borislav Petkov +Cc: Dan Williams +Cc: Dave Hansen +Cc: Dave Hansen +Cc: Dave Jiang +Cc: Fengguang Wu +Cc: Huang Ying +Cc: James Morris +Cc: Jérôme Glisse +Cc: Keith Busch +Cc: Ross Zwisler +Cc: Sasha Levin +Cc: Takashi Iwai +Cc: Tom Lendacky +Cc: Vishal Verma +Cc: Yaowei Bai +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/memory_hotplug.h | 8 +++-- + mm/memory_hotplug.c | 64 +++++++++++++++++++++++----------- + 2 files changed, 49 insertions(+), 23 deletions(-) + +diff --git a/include/linux/memory_hotplug.h b/include/linux/memory_hotplug.h +index ae892eef8b825..988fde33cd7f5 100644 +--- a/include/linux/memory_hotplug.h ++++ b/include/linux/memory_hotplug.h +@@ -324,7 +324,7 @@ static inline void pgdat_resize_init(struct pglist_data *pgdat) {} + extern bool is_mem_section_removable(unsigned long pfn, unsigned long nr_pages); + extern void try_offline_node(int nid); + extern int offline_pages(unsigned long start_pfn, unsigned long nr_pages); +-extern void remove_memory(int nid, u64 start, u64 size); ++extern int remove_memory(int nid, u64 start, u64 size); + extern void __remove_memory(int nid, u64 start, u64 size); + + #else +@@ -341,7 +341,11 @@ static inline int offline_pages(unsigned long start_pfn, unsigned long nr_pages) + return -EINVAL; + } + +-static inline void remove_memory(int nid, u64 start, u64 size) {} ++static inline int remove_memory(int nid, u64 start, u64 size) ++{ ++ return -EBUSY; ++} ++ + static inline void __remove_memory(int nid, u64 start, u64 size) {} + #endif /* CONFIG_MEMORY_HOTREMOVE */ + +diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c +index e096c987d2614..77d1f69cdeadd 100644 +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -1736,9 +1736,10 @@ static int check_memblock_offlined_cb(struct memory_block *mem, void *arg) + endpa = PFN_PHYS(section_nr_to_pfn(mem->end_section_nr + 1))-1; + pr_warn("removing memory fails, because memory [%pa-%pa] is onlined\n", + &beginpa, &endpa); +- } + +- return ret; ++ return -EBUSY; ++ } ++ return 0; + } + + static int check_cpu_on_node(pg_data_t *pgdat) +@@ -1821,19 +1822,9 @@ static void __release_memory_resource(resource_size_t start, + } + } + +-/** +- * remove_memory +- * @nid: the node ID +- * @start: physical address of the region to remove +- * @size: size of the region to remove +- * +- * NOTE: The caller must call lock_device_hotplug() to serialize hotplug +- * and online/offline operations before this call, as required by +- * try_offline_node(). +- */ +-void __ref __remove_memory(int nid, u64 start, u64 size) ++static int __ref try_remove_memory(int nid, u64 start, u64 size) + { +- int ret; ++ int rc = 0; + + BUG_ON(check_hotplug_memory_range(start, size)); + +@@ -1841,13 +1832,13 @@ void __ref __remove_memory(int nid, u64 start, u64 size) + + /* + * All memory blocks must be offlined before removing memory. Check +- * whether all memory blocks in question are offline and trigger a BUG() ++ * whether all memory blocks in question are offline and return error + * if this is not the case. + */ +- ret = walk_memory_range(PFN_DOWN(start), PFN_UP(start + size - 1), NULL, +- check_memblock_offlined_cb); +- if (ret) +- BUG(); ++ rc = walk_memory_range(PFN_DOWN(start), PFN_UP(start + size - 1), NULL, ++ check_memblock_offlined_cb); ++ if (rc) ++ goto done; + + /* remove memmap entry */ + firmware_map_remove(start, start + size, "System RAM"); +@@ -1859,14 +1850,45 @@ void __ref __remove_memory(int nid, u64 start, u64 size) + + try_offline_node(nid); + ++done: + mem_hotplug_done(); ++ return rc; + } + +-void remove_memory(int nid, u64 start, u64 size) ++/** ++ * remove_memory ++ * @nid: the node ID ++ * @start: physical address of the region to remove ++ * @size: size of the region to remove ++ * ++ * NOTE: The caller must call lock_device_hotplug() to serialize hotplug ++ * and online/offline operations before this call, as required by ++ * try_offline_node(). ++ */ ++void __remove_memory(int nid, u64 start, u64 size) ++{ ++ ++ /* ++ * trigger BUG() is some memory is not offlined prior to calling this ++ * function ++ */ ++ if (try_remove_memory(nid, start, size)) ++ BUG(); ++} ++ ++/* ++ * Remove memory if every memory block is offline, otherwise return -EBUSY is ++ * some memory is not offline ++ */ ++int remove_memory(int nid, u64 start, u64 size) + { ++ int rc; ++ + lock_device_hotplug(); +- __remove_memory(nid, start, size); ++ rc = try_remove_memory(nid, start, size); + unlock_device_hotplug(); ++ ++ return rc; + } + EXPORT_SYMBOL_GPL(remove_memory); + #endif /* CONFIG_MEMORY_HOTREMOVE */ +-- +2.20.1 + diff --git a/queue-5.2/mm-ioremap-check-virtual-address-alignment-while-cre.patch b/queue-5.2/mm-ioremap-check-virtual-address-alignment-while-cre.patch new file mode 100644 index 00000000000..d24f19ad2f5 --- /dev/null +++ b/queue-5.2/mm-ioremap-check-virtual-address-alignment-while-cre.patch @@ -0,0 +1,64 @@ +From bedab904e44813eaa987ca6461c2de63a567bfe9 Mon Sep 17 00:00:00 2001 +From: Anshuman Khandual +Date: Tue, 16 Jul 2019 16:27:30 -0700 +Subject: mm/ioremap: check virtual address alignment while creating huge + mappings + +[ Upstream commit 6b95ab4218bfa59bc315105127ffe03aef3b5742 ] + +Virtual address alignment is essential in ensuring correct clearing for +all intermediate level pgtable entries and freeing associated pgtable +pages. An unaligned address can end up randomly freeing pgtable page +that potentially still contains valid mappings. Hence also check it's +alignment along with existing phys_addr check. + +Signed-off-by: Anshuman Khandual +Reviewed-by: Catalin Marinas +Cc: Toshi Kani +Cc: Will Deacon +Cc: Chintan Pandya +Cc: Thomas Gleixner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/ioremap.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/lib/ioremap.c b/lib/ioremap.c +index 063213685563c..a95161d9c883c 100644 +--- a/lib/ioremap.c ++++ b/lib/ioremap.c +@@ -86,6 +86,9 @@ static int ioremap_try_huge_pmd(pmd_t *pmd, unsigned long addr, + if ((end - addr) != PMD_SIZE) + return 0; + ++ if (!IS_ALIGNED(addr, PMD_SIZE)) ++ return 0; ++ + if (!IS_ALIGNED(phys_addr, PMD_SIZE)) + return 0; + +@@ -126,6 +129,9 @@ static int ioremap_try_huge_pud(pud_t *pud, unsigned long addr, + if ((end - addr) != PUD_SIZE) + return 0; + ++ if (!IS_ALIGNED(addr, PUD_SIZE)) ++ return 0; ++ + if (!IS_ALIGNED(phys_addr, PUD_SIZE)) + return 0; + +@@ -166,6 +172,9 @@ static int ioremap_try_huge_p4d(p4d_t *p4d, unsigned long addr, + if ((end - addr) != P4D_SIZE) + return 0; + ++ if (!IS_ALIGNED(addr, P4D_SIZE)) ++ return 0; ++ + if (!IS_ALIGNED(phys_addr, P4D_SIZE)) + return 0; + +-- +2.20.1 + diff --git a/queue-5.2/mm-memcontrol.c-keep-local-vm-counters-in-sync-with-.patch b/queue-5.2/mm-memcontrol.c-keep-local-vm-counters-in-sync-with-.patch new file mode 100644 index 00000000000..ded1465047b --- /dev/null +++ b/queue-5.2/mm-memcontrol.c-keep-local-vm-counters-in-sync-with-.patch @@ -0,0 +1,104 @@ +From 37126d9cac2896a307825cc818cbbf8ca071caa5 Mon Sep 17 00:00:00 2001 +From: Yafang Shao +Date: Tue, 16 Jul 2019 16:26:06 -0700 +Subject: mm/memcontrol.c: keep local VM counters in sync with the hierarchical + ones + +[ Upstream commit 766a4c19d880887c457811b86f1f68525e416965 ] + +After commit 815744d75152 ("mm: memcontrol: don't batch updates of local +VM stats and events"), the local VM counter are not in sync with the +hierarchical ones. + +Below is one example in a leaf memcg on my server (with 8 CPUs): + + inactive_file 3567570944 + total_inactive_file 3568029696 + +We find that the deviation is very great because the 'val' in +__mod_memcg_state() is in pages while the effective value in +memcg_stat_show() is in bytes. + +So the maximum of this deviation between local VM stats and total VM +stats can be (32 * number_of_cpu * PAGE_SIZE), that may be an +unacceptably great value. + +We should keep the local VM stats in sync with the total stats. In +order to keep this behavior the same across counters, this patch updates +__mod_lruvec_state() and __count_memcg_events() as well. + +Link: http://lkml.kernel.org/r/1562851979-10610-1-git-send-email-laoar.shao@gmail.com +Signed-off-by: Yafang Shao +Acked-by: Johannes Weiner +Cc: Michal Hocko +Cc: Vladimir Davydov +Cc: Yafang Shao +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memcontrol.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index 591eafafbd8cb..902d020aa70e5 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -691,12 +691,15 @@ void __mod_memcg_state(struct mem_cgroup *memcg, int idx, int val) + if (mem_cgroup_disabled()) + return; + +- __this_cpu_add(memcg->vmstats_local->stat[idx], val); +- + x = val + __this_cpu_read(memcg->vmstats_percpu->stat[idx]); + if (unlikely(abs(x) > MEMCG_CHARGE_BATCH)) { + struct mem_cgroup *mi; + ++ /* ++ * Batch local counters to keep them in sync with ++ * the hierarchical ones. ++ */ ++ __this_cpu_add(memcg->vmstats_local->stat[idx], x); + for (mi = memcg; mi; mi = parent_mem_cgroup(mi)) + atomic_long_add(x, &mi->vmstats[idx]); + x = 0; +@@ -745,13 +748,15 @@ void __mod_lruvec_state(struct lruvec *lruvec, enum node_stat_item idx, + /* Update memcg */ + __mod_memcg_state(memcg, idx, val); + +- /* Update lruvec */ +- __this_cpu_add(pn->lruvec_stat_local->count[idx], val); +- + x = val + __this_cpu_read(pn->lruvec_stat_cpu->count[idx]); + if (unlikely(abs(x) > MEMCG_CHARGE_BATCH)) { + struct mem_cgroup_per_node *pi; + ++ /* ++ * Batch local counters to keep them in sync with ++ * the hierarchical ones. ++ */ ++ __this_cpu_add(pn->lruvec_stat_local->count[idx], x); + for (pi = pn; pi; pi = parent_nodeinfo(pi, pgdat->node_id)) + atomic_long_add(x, &pi->lruvec_stat[idx]); + x = 0; +@@ -773,12 +778,15 @@ void __count_memcg_events(struct mem_cgroup *memcg, enum vm_event_item idx, + if (mem_cgroup_disabled()) + return; + +- __this_cpu_add(memcg->vmstats_local->events[idx], count); +- + x = count + __this_cpu_read(memcg->vmstats_percpu->events[idx]); + if (unlikely(x > MEMCG_CHARGE_BATCH)) { + struct mem_cgroup *mi; + ++ /* ++ * Batch local counters to keep them in sync with ++ * the hierarchical ones. ++ */ ++ __this_cpu_add(memcg->vmstats_local->events[idx], x); + for (mi = memcg; mi; mi = parent_mem_cgroup(mi)) + atomic_long_add(x, &mi->vmevents[idx]); + x = 0; +-- +2.20.1 + diff --git a/queue-5.2/mm-slab_common.c-work-around-clang-bug-42570.patch b/queue-5.2/mm-slab_common.c-work-around-clang-bug-42570.patch new file mode 100644 index 00000000000..38d707e5085 --- /dev/null +++ b/queue-5.2/mm-slab_common.c-work-around-clang-bug-42570.patch @@ -0,0 +1,54 @@ +From 9fabfbb0ab25ffddb27d1b60bfb8d02369d5ef67 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 16 Jul 2019 16:25:57 -0700 +Subject: mm/slab_common.c: work around clang bug #42570 + +[ Upstream commit a07057dce2823e10d64a2b73cefbf09d8645efe9 ] + +Clang gets rather confused about two variables in the same special +section when one of them is not initialized, leading to an assembler +warning later: + + /tmp/slab_common-18f869.s: Assembler messages: + /tmp/slab_common-18f869.s:7526: Warning: ignoring changed section attributes for .data..ro_after_init + +Adding an initialization to kmalloc_caches is rather silly here +but does avoid the issue. + +Link: https://bugs.llvm.org/show_bug.cgi?id=42570 +Link: http://lkml.kernel.org/r/20190712090455.266021-1-arnd@arndb.de +Signed-off-by: Arnd Bergmann +Acked-by: David Rientjes +Reviewed-by: Andrew Morton +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: Joonsoo Kim +Cc: Stephen Rothwell +Cc: Roman Gushchin +Cc: Shakeel Butt +Cc: Vladimir Davydov +Cc: Andrey Konovalov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/slab_common.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/mm/slab_common.c b/mm/slab_common.c +index 58251ba63e4a1..cbd3411f644e4 100644 +--- a/mm/slab_common.c ++++ b/mm/slab_common.c +@@ -1003,7 +1003,8 @@ struct kmem_cache *__init create_kmalloc_cache(const char *name, + } + + struct kmem_cache * +-kmalloc_caches[NR_KMALLOC_TYPES][KMALLOC_SHIFT_HIGH + 1] __ro_after_init; ++kmalloc_caches[NR_KMALLOC_TYPES][KMALLOC_SHIFT_HIGH + 1] __ro_after_init = ++{ /* initialization for https://bugs.llvm.org/show_bug.cgi?id=42570 */ }; + EXPORT_SYMBOL(kmalloc_caches); + + /* +-- +2.20.1 + diff --git a/queue-5.2/mm-z3fold-don-t-try-to-use-buddy-slots-after-free.patch b/queue-5.2/mm-z3fold-don-t-try-to-use-buddy-slots-after-free.patch new file mode 100644 index 00000000000..a3394b639c0 --- /dev/null +++ b/queue-5.2/mm-z3fold-don-t-try-to-use-buddy-slots-after-free.patch @@ -0,0 +1,76 @@ +From a93208d8e4c934f0d3965ff6b9e6fa1b2423c075 Mon Sep 17 00:00:00 2001 +From: Vitaly Wool +Date: Tue, 16 Jul 2019 16:25:48 -0700 +Subject: mm/z3fold: don't try to use buddy slots after free + +[ Upstream commit bb9a374dfa3a2f46581455ab66cd1d24c5e3d183 ] + +As reported by Henry Burns: + +Running z3fold stress testing with address sanitization showed zhdr->slots +was being used after it was freed. + + z3fold_free(z3fold_pool, handle) + free_handle(handle) + kmem_cache_free(pool->c_handle, zhdr->slots) + release_z3fold_page_locked_list(kref) + __release_z3fold_page(zhdr, true) + zhdr_to_pool(zhdr) + slots_to_pool(zhdr->slots) *BOOM* + +To fix this, add pointer to the pool back to z3fold_header and modify +zhdr_to_pool to return zhdr->pool. + +Link: http://lkml.kernel.org/r/20190708134808.e89f3bfadd9f6ffd7eff9ba9@gmail.com +Fixes: 7c2b8baa61fe ("mm/z3fold.c: add structure for buddy handles") +Signed-off-by: Vitaly Wool +Reported-by: Henry Burns +Reviewed-by: Shakeel Butt +Cc: Jonathan Adams +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/z3fold.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/mm/z3fold.c b/mm/z3fold.c +index dfcd69d08c1e9..304f2883cdb93 100644 +--- a/mm/z3fold.c ++++ b/mm/z3fold.c +@@ -101,6 +101,7 @@ struct z3fold_buddy_slots { + * @refcount: reference count for the z3fold page + * @work: work_struct for page layout optimization + * @slots: pointer to the structure holding buddy slots ++ * @pool: pointer to the containing pool + * @cpu: CPU which this page "belongs" to + * @first_chunks: the size of the first buddy in chunks, 0 if free + * @middle_chunks: the size of the middle buddy in chunks, 0 if free +@@ -114,6 +115,7 @@ struct z3fold_header { + struct kref refcount; + struct work_struct work; + struct z3fold_buddy_slots *slots; ++ struct z3fold_pool *pool; + short cpu; + unsigned short first_chunks; + unsigned short middle_chunks; +@@ -320,6 +322,7 @@ static struct z3fold_header *init_z3fold_page(struct page *page, + zhdr->start_middle = 0; + zhdr->cpu = -1; + zhdr->slots = slots; ++ zhdr->pool = pool; + INIT_LIST_HEAD(&zhdr->buddy); + INIT_WORK(&zhdr->work, compact_page_work); + return zhdr; +@@ -426,7 +429,7 @@ static enum buddy handle_to_buddy(unsigned long handle) + + static inline struct z3fold_pool *zhdr_to_pool(struct z3fold_header *zhdr) + { +- return slots_to_pool(zhdr->slots); ++ return zhdr->pool; + } + + static void __release_z3fold_page(struct z3fold_header *zhdr, bool locked) +-- +2.20.1 + diff --git a/queue-5.2/mm-z3fold.c-reinitialize-zhdr-structs-after-migratio.patch b/queue-5.2/mm-z3fold.c-reinitialize-zhdr-structs-after-migratio.patch new file mode 100644 index 00000000000..36d19a6d77e --- /dev/null +++ b/queue-5.2/mm-z3fold.c-reinitialize-zhdr-structs-after-migratio.patch @@ -0,0 +1,61 @@ +From 76ba197ec60f2c8f31c1422e4bd2a8807937d949 Mon Sep 17 00:00:00 2001 +From: Henry Burns +Date: Tue, 16 Jul 2019 16:26:21 -0700 +Subject: mm/z3fold.c: reinitialize zhdr structs after migration + +[ Upstream commit c92d2f38563db20c20c8db2f98fa1349290477d5 ] + +z3fold_page_migration() calls memcpy(new_zhdr, zhdr, PAGE_SIZE). +However, zhdr contains fields that can't be directly coppied over (ex: +list_head, a circular linked list). We only need to initialize the +linked lists in new_zhdr, as z3fold_isolate_page() already ensures that +these lists are empty + +Additionally it is possible that zhdr->work has been placed in a +workqueue. In this case we shouldn't migrate the page, as zhdr->work +references zhdr as opposed to new_zhdr. + +Link: http://lkml.kernel.org/r/20190716000520.230595-1-henryburns@google.com +Fixes: 1f862989b04ade61d3 ("mm/z3fold.c: support page migration") +Signed-off-by: Henry Burns +Reviewed-by: Shakeel Butt +Cc: Vitaly Vul +Cc: Vitaly Wool +Cc: Jonathan Adams +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/z3fold.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/mm/z3fold.c b/mm/z3fold.c +index 304f2883cdb93..3b27094dc42e1 100644 +--- a/mm/z3fold.c ++++ b/mm/z3fold.c +@@ -1360,12 +1360,22 @@ static int z3fold_page_migrate(struct address_space *mapping, struct page *newpa + unlock_page(page); + return -EBUSY; + } ++ if (work_pending(&zhdr->work)) { ++ z3fold_page_unlock(zhdr); ++ return -EAGAIN; ++ } + new_zhdr = page_address(newpage); + memcpy(new_zhdr, zhdr, PAGE_SIZE); + newpage->private = page->private; + page->private = 0; + z3fold_page_unlock(zhdr); + spin_lock_init(&new_zhdr->page_lock); ++ INIT_WORK(&new_zhdr->work, compact_page_work); ++ /* ++ * z3fold_page_isolate() ensures that new_zhdr->buddy is empty, ++ * so we only have to reinitialize it. ++ */ ++ INIT_LIST_HEAD(&new_zhdr->buddy); + new_mapping = page_mapping(page); + __ClearPageMovable(page); + ClearPagePrivate(page); +-- +2.20.1 + diff --git a/queue-5.2/nds32-fix-asm-syscall.h.patch b/queue-5.2/nds32-fix-asm-syscall.h.patch new file mode 100644 index 00000000000..37d9c427d43 --- /dev/null +++ b/queue-5.2/nds32-fix-asm-syscall.h.patch @@ -0,0 +1,213 @@ +From c9e9f2cb2a26492fc364d9a6d2f0e392942765b8 Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Tue, 16 Jul 2019 16:29:24 -0700 +Subject: nds32: fix asm/syscall.h + +[ Upstream commit 33644b95eb342201511fc951d8fcd10362bd435b ] + +PTRACE_GET_SYSCALL_INFO is a generic ptrace API that lets ptracer obtain +details of the syscall the tracee is blocked in. + +There are two reasons for a special syscall-related ptrace request. + +Firstly, with the current ptrace API there are cases when ptracer cannot +retrieve necessary information about syscalls. Some examples include: + + * The notorious int-0x80-from-64-bit-task issue. See [1] for details. + In short, if a 64-bit task performs a syscall through int 0x80, its + tracer has no reliable means to find out that the syscall was, in + fact, a compat syscall, and misidentifies it. + + * Syscall-enter-stop and syscall-exit-stop look the same for the + tracer. Common practice is to keep track of the sequence of + ptrace-stops in order not to mix the two syscall-stops up. But it is + not as simple as it looks; for example, strace had a (just recently + fixed) long-standing bug where attaching strace to a tracee that is + performing the execve system call led to the tracer identifying the + following syscall-exit-stop as syscall-enter-stop, which messed up + all the state tracking. + + * Since the introduction of commit 84d77d3f06e7 ("ptrace: Don't allow + accessing an undumpable mm"), both PTRACE_PEEKDATA and + process_vm_readv become unavailable when the process dumpable flag is + cleared. On such architectures as ia64 this results in all syscall + arguments being unavailable for the tracer. + +Secondly, ptracers also have to support a lot of arch-specific code for +obtaining information about the tracee. For some architectures, this +requires a ptrace(PTRACE_PEEKUSER, ...) invocation for every syscall +argument and return value. + +PTRACE_GET_SYSCALL_INFO returns the following structure: + +struct ptrace_syscall_info { + __u8 op; /* PTRACE_SYSCALL_INFO_* */ + __u32 arch __attribute__((__aligned__(sizeof(__u32)))); + __u64 instruction_pointer; + __u64 stack_pointer; + union { + struct { + __u64 nr; + __u64 args[6]; + } entry; + struct { + __s64 rval; + __u8 is_error; + } exit; + struct { + __u64 nr; + __u64 args[6]; + __u32 ret_data; + } seccomp; + }; +}; + +The structure was chosen according to [2], except for the following +changes: + + * seccomp substructure was added as a superset of entry substructure + + * the type of nr field was changed from int to __u64 because syscall + numbers are, as a practical matter, 64 bits + + * stack_pointer field was added along with instruction_pointer field + since it is readily available and can save the tracer from extra + PTRACE_GETREGS/PTRACE_GETREGSET calls + + * arch is always initialized to aid with tracing system calls such as + execve() + + * instruction_pointer and stack_pointer are always initialized so they + could be easily obtained for non-syscall stops + + * a boolean is_error field was added along with rval field, this way + the tracer can more reliably distinguish a return value from an error + value + +strace has been ported to PTRACE_GET_SYSCALL_INFO. Starting with +release 4.26, strace uses PTRACE_GET_SYSCALL_INFO API as the preferred +mechanism of obtaining syscall information. + +[1] https://lore.kernel.org/lkml/CA+55aFzcSVmdDj9Lh_gdbz1OzHyEm6ZrGPBDAJnywm2LF_eVyg@mail.gmail.com/ +[2] https://lore.kernel.org/lkml/CAObL_7GM0n80N7J_DFw_eQyfLyzq+sf4y2AvsCCV88Tb3AwEHA@mail.gmail.com/ + +This patch (of 7): + +All syscall_get_*() and syscall_set_*() functions must be defined as +static inline as on all other architectures, otherwise asm/syscall.h +cannot be included in more than one compilation unit. + +This bug has to be fixed in order to extend the generic +ptrace API with PTRACE_GET_SYSCALL_INFO request. + +Link: http://lkml.kernel.org/r/20190510152749.GA28558@altlinux.org +Fixes: 1932fbe36e02 ("nds32: System calls handling") +Signed-off-by: Dmitry V. Levin +Reported-by: kbuild test robot +Acked-by: Greentime Hu +Cc: Vincent Chen +Cc: Elvira Khabirova +Cc: Eugene Syromyatnikov +Cc: Oleg Nesterov +Cc: Andy Lutomirski +Cc: Benjamin Herrenschmidt +Cc: Helge Deller [parisc] +Cc: James E.J. Bottomley +Cc: James Hogan +Cc: Kees Cook +Cc: Michael Ellerman +Cc: Paul Burton +Cc: Paul Mackerras +Cc: Ralf Baechle +Cc: Richard Kuo +Cc: Shuah Khan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/nds32/include/asm/syscall.h | 27 +++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +diff --git a/arch/nds32/include/asm/syscall.h b/arch/nds32/include/asm/syscall.h +index 899b2fb4b52f7..7b5180d78e200 100644 +--- a/arch/nds32/include/asm/syscall.h ++++ b/arch/nds32/include/asm/syscall.h +@@ -26,7 +26,8 @@ struct pt_regs; + * + * It's only valid to call this when @task is known to be blocked. + */ +-int syscall_get_nr(struct task_struct *task, struct pt_regs *regs) ++static inline int ++syscall_get_nr(struct task_struct *task, struct pt_regs *regs) + { + return regs->syscallno; + } +@@ -47,7 +48,8 @@ int syscall_get_nr(struct task_struct *task, struct pt_regs *regs) + * system call instruction. This may not be the same as what the + * register state looked like at system call entry tracing. + */ +-void syscall_rollback(struct task_struct *task, struct pt_regs *regs) ++static inline void ++syscall_rollback(struct task_struct *task, struct pt_regs *regs) + { + regs->uregs[0] = regs->orig_r0; + } +@@ -62,7 +64,8 @@ void syscall_rollback(struct task_struct *task, struct pt_regs *regs) + * It's only valid to call this when @task is stopped for tracing on exit + * from a system call, due to %TIF_SYSCALL_TRACE or %TIF_SYSCALL_AUDIT. + */ +-long syscall_get_error(struct task_struct *task, struct pt_regs *regs) ++static inline long ++syscall_get_error(struct task_struct *task, struct pt_regs *regs) + { + unsigned long error = regs->uregs[0]; + return IS_ERR_VALUE(error) ? error : 0; +@@ -79,7 +82,8 @@ long syscall_get_error(struct task_struct *task, struct pt_regs *regs) + * It's only valid to call this when @task is stopped for tracing on exit + * from a system call, due to %TIF_SYSCALL_TRACE or %TIF_SYSCALL_AUDIT. + */ +-long syscall_get_return_value(struct task_struct *task, struct pt_regs *regs) ++static inline long ++syscall_get_return_value(struct task_struct *task, struct pt_regs *regs) + { + return regs->uregs[0]; + } +@@ -99,8 +103,9 @@ long syscall_get_return_value(struct task_struct *task, struct pt_regs *regs) + * It's only valid to call this when @task is stopped for tracing on exit + * from a system call, due to %TIF_SYSCALL_TRACE or %TIF_SYSCALL_AUDIT. + */ +-void syscall_set_return_value(struct task_struct *task, struct pt_regs *regs, +- int error, long val) ++static inline void ++syscall_set_return_value(struct task_struct *task, struct pt_regs *regs, ++ int error, long val) + { + regs->uregs[0] = (long)error ? error : val; + } +@@ -118,8 +123,9 @@ void syscall_set_return_value(struct task_struct *task, struct pt_regs *regs, + * entry to a system call, due to %TIF_SYSCALL_TRACE or %TIF_SYSCALL_AUDIT. + */ + #define SYSCALL_MAX_ARGS 6 +-void syscall_get_arguments(struct task_struct *task, struct pt_regs *regs, +- unsigned long *args) ++static inline void ++syscall_get_arguments(struct task_struct *task, struct pt_regs *regs, ++ unsigned long *args) + { + args[0] = regs->orig_r0; + args++; +@@ -138,8 +144,9 @@ void syscall_get_arguments(struct task_struct *task, struct pt_regs *regs, + * It's only valid to call this when @task is stopped for tracing on + * entry to a system call, due to %TIF_SYSCALL_TRACE or %TIF_SYSCALL_AUDIT. + */ +-void syscall_set_arguments(struct task_struct *task, struct pt_regs *regs, +- const unsigned long *args) ++static inline void ++syscall_set_arguments(struct task_struct *task, struct pt_regs *regs, ++ const unsigned long *args) + { + regs->orig_r0 = args[0]; + args++; +-- +2.20.1 + diff --git a/queue-5.2/pci-of-initialize-dev-fwnode-appropriately.patch b/queue-5.2/pci-of-initialize-dev-fwnode-appropriately.patch new file mode 100644 index 00000000000..0c6ee53cf4f --- /dev/null +++ b/queue-5.2/pci-of-initialize-dev-fwnode-appropriately.patch @@ -0,0 +1,61 @@ +From 447114d1140a99178313632b5c022aa461a6db74 Mon Sep 17 00:00:00 2001 +From: Jean-Philippe Brucker +Date: Tue, 15 Jan 2019 12:19:56 +0000 +Subject: PCI: OF: Initialize dev->fwnode appropriately + +[ Upstream commit 59b099a6c75e4ddceeaf9676422d8d91d0049755 ] + +For PCI devices that have an OF node, set the fwnode as well. This way +drivers that rely on fwnode don't need the special case described by +commit f94277af03ea ("of/platform: Initialise dev->fwnode appropriately"). + +Acked-by: Bjorn Helgaas +Signed-off-by: Jean-Philippe Brucker +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/pci/of.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/pci/of.c b/drivers/pci/of.c +index 73d5adec0a28d..bc7b27a28795d 100644 +--- a/drivers/pci/of.c ++++ b/drivers/pci/of.c +@@ -22,12 +22,15 @@ void pci_set_of_node(struct pci_dev *dev) + return; + dev->dev.of_node = of_pci_find_child_device(dev->bus->dev.of_node, + dev->devfn); ++ if (dev->dev.of_node) ++ dev->dev.fwnode = &dev->dev.of_node->fwnode; + } + + void pci_release_of_node(struct pci_dev *dev) + { + of_node_put(dev->dev.of_node); + dev->dev.of_node = NULL; ++ dev->dev.fwnode = NULL; + } + + void pci_set_bus_of_node(struct pci_bus *bus) +@@ -41,13 +44,18 @@ void pci_set_bus_of_node(struct pci_bus *bus) + if (node && of_property_read_bool(node, "external-facing")) + bus->self->untrusted = true; + } ++ + bus->dev.of_node = node; ++ ++ if (bus->dev.of_node) ++ bus->dev.fwnode = &bus->dev.of_node->fwnode; + } + + void pci_release_bus_of_node(struct pci_bus *bus) + { + of_node_put(bus->dev.of_node); + bus->dev.of_node = NULL; ++ bus->dev.fwnode = NULL; + } + + struct device_node * __weak pcibios_get_phb_of_node(struct pci_bus *bus) +-- +2.20.1 + diff --git a/queue-5.2/perf-version-fix-segfault-due-to-missing-opt_end.patch b/queue-5.2/perf-version-fix-segfault-due-to-missing-opt_end.patch new file mode 100644 index 00000000000..5fbb836583a --- /dev/null +++ b/queue-5.2/perf-version-fix-segfault-due-to-missing-opt_end.patch @@ -0,0 +1,41 @@ +From 33558e639d25d8b2240cc0c716c4a11c3a8bcf4a Mon Sep 17 00:00:00 2001 +From: Ravi Bangoria +Date: Tue, 11 Jun 2019 08:31:09 +0530 +Subject: perf version: Fix segfault due to missing OPT_END() + +[ Upstream commit 916c31fff946fae0e05862f9b2435fdb29fd5090 ] + +'perf version' on powerpc segfaults when used with non-supported +option: + # perf version -a + Segmentation fault (core dumped) + +Fix this. + +Signed-off-by: Ravi Bangoria +Reviewed-by: Kamalesh Babulal +Tested-by: Mamatha Inamdar +Cc: Jiri Olsa +Cc: Kamalesh Babulal +Link: http://lkml.kernel.org/r/20190611030109.20228-1-ravi.bangoria@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-version.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/builtin-version.c b/tools/perf/builtin-version.c +index f470144d1a704..bf114ca9ca870 100644 +--- a/tools/perf/builtin-version.c ++++ b/tools/perf/builtin-version.c +@@ -19,6 +19,7 @@ static struct version version; + static struct option version_options[] = { + OPT_BOOLEAN(0, "build-options", &version.build_options, + "display the build options"), ++ OPT_END(), + }; + + static const char * const version_usage[] = { +-- +2.20.1 + diff --git a/queue-5.2/remoteproc-copy-parent-dma_pfn_offset-for-vdev.patch b/queue-5.2/remoteproc-copy-parent-dma_pfn_offset-for-vdev.patch new file mode 100644 index 00000000000..c1bbf5fa1ea --- /dev/null +++ b/queue-5.2/remoteproc-copy-parent-dma_pfn_offset-for-vdev.patch @@ -0,0 +1,37 @@ +From 27cd17c07b492cf70a494fcdc0f9b2421b92c367 Mon Sep 17 00:00:00 2001 +From: Clement Leger +Date: Mon, 1 Jul 2019 09:02:45 +0200 +Subject: remoteproc: copy parent dma_pfn_offset for vdev + +[ Upstream commit 72f64cabc4bd6985c7355f5547bd3637c82762ac ] + +When preparing the subdevice for the vdev, also copy dma_pfn_offset +since this is used for sub device dma allocations. Without that, there +is incoherency between the parent dma settings and the childs one, +potentially leading to dma_alloc_coherent failure (due to phys_to_dma +using dma_pfn_offset for translation). + +Fixes: 086d08725d34 ("remoteproc: create vdev subdevice with specific dma memory pool") +Signed-off-by: Clement Leger +Acked-by: Loic Pallardy +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/remoteproc_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c +index 8b5363223eaab..5031c68069083 100644 +--- a/drivers/remoteproc/remoteproc_core.c ++++ b/drivers/remoteproc/remoteproc_core.c +@@ -512,6 +512,7 @@ static int rproc_handle_vdev(struct rproc *rproc, struct fw_rsc_vdev *rsc, + /* Initialise vdev subdevice */ + snprintf(name, sizeof(name), "vdev%dbuffer", rvdev->index); + rvdev->dev.parent = rproc->dev.parent; ++ rvdev->dev.dma_pfn_offset = rproc->dev.parent->dma_pfn_offset; + rvdev->dev.release = rproc_rvdev_release; + dev_set_name(&rvdev->dev, "%s#%s", dev_name(rvdev->dev.parent), name); + dev_set_drvdata(&rvdev->dev, rvdev); +-- +2.20.1 + diff --git a/queue-5.2/scsi-zfcp-fix-gcc-compiler-warning-emitted-with-wmay.patch b/queue-5.2/scsi-zfcp-fix-gcc-compiler-warning-emitted-with-wmay.patch new file mode 100644 index 00000000000..723ab95f084 --- /dev/null +++ b/queue-5.2/scsi-zfcp-fix-gcc-compiler-warning-emitted-with-wmay.patch @@ -0,0 +1,117 @@ +From 28e78427fe10ba5d10c8204a0f10d86225e999a7 Mon Sep 17 00:00:00 2001 +From: Benjamin Block +Date: Tue, 2 Jul 2019 23:02:02 +0200 +Subject: scsi: zfcp: fix GCC compiler warning emitted with + -Wmaybe-uninitialized + +[ Upstream commit 484647088826f2f651acbda6bcf9536b8a466703 ] + +GCC v9 emits this warning: + CC drivers/s390/scsi/zfcp_erp.o + drivers/s390/scsi/zfcp_erp.c: In function 'zfcp_erp_action_enqueue': + drivers/s390/scsi/zfcp_erp.c:217:26: warning: 'erp_action' may be used uninitialized in this function [-Wmaybe-uninitialized] + 217 | struct zfcp_erp_action *erp_action; + | ^~~~~~~~~~ + +This is a possible false positive case, as also documented in the GCC +documentations: + https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wmaybe-uninitialized + +The actual code-sequence is like this: + Various callers can invoke the function below with the argument "want" + being one of: + ZFCP_ERP_ACTION_REOPEN_ADAPTER, + ZFCP_ERP_ACTION_REOPEN_PORT_FORCED, + ZFCP_ERP_ACTION_REOPEN_PORT, or + ZFCP_ERP_ACTION_REOPEN_LUN. + + zfcp_erp_action_enqueue(want, ...) + ... + need = zfcp_erp_required_act(want, ...) + need = want + ... + maybe: need = ZFCP_ERP_ACTION_REOPEN_PORT + maybe: need = ZFCP_ERP_ACTION_REOPEN_ADAPTER + ... + return need + ... + zfcp_erp_setup_act(need, ...) + struct zfcp_erp_action *erp_action; // <== line 217 + ... + switch(need) { + case ZFCP_ERP_ACTION_REOPEN_LUN: + ... + erp_action = &zfcp_sdev->erp_action; + WARN_ON_ONCE(erp_action->port != port); // <== access + ... + break; + case ZFCP_ERP_ACTION_REOPEN_PORT: + case ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: + ... + erp_action = &port->erp_action; + WARN_ON_ONCE(erp_action->port != port); // <== access + ... + break; + case ZFCP_ERP_ACTION_REOPEN_ADAPTER: + ... + erp_action = &adapter->erp_action; + WARN_ON_ONCE(erp_action->port != NULL); // <== access + ... + break; + } + ... + WARN_ON_ONCE(erp_action->adapter != adapter); // <== access + +When zfcp_erp_setup_act() is called, 'need' will never be anything else +than one of the 4 possible enumeration-names that are used in the +switch-case, and 'erp_action' is initialized for every one of them, before +it is used. Thus the warning is a false positive, as documented. + +We introduce the extra if{} in the beginning to create an extra code-flow, +so the compiler can be convinced that the switch-case will never see any +other value. + +BUG_ON()/BUG() is intentionally not used to not crash anything, should +this ever happen anyway - right now it's impossible, as argued above; and +it doesn't introduce a 'default:' switch-case to retain warnings should +'enum zfcp_erp_act_type' ever be extended and no explicit case be +introduced. See also v5.0 commit 399b6c8bc9f7 ("scsi: zfcp: drop old +default switch case which might paper over missing case"). + +Signed-off-by: Benjamin Block +Reviewed-by: Jens Remus +Reviewed-by: Steffen Maier +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/s390/scsi/zfcp_erp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c +index e8fc28dba8dfc..96f0d34e94593 100644 +--- a/drivers/s390/scsi/zfcp_erp.c ++++ b/drivers/s390/scsi/zfcp_erp.c +@@ -11,6 +11,7 @@ + #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt + + #include ++#include + #include "zfcp_ext.h" + #include "zfcp_reqlist.h" + +@@ -217,6 +218,12 @@ static struct zfcp_erp_action *zfcp_erp_setup_act(enum zfcp_erp_act_type need, + struct zfcp_erp_action *erp_action; + struct zfcp_scsi_dev *zfcp_sdev; + ++ if (WARN_ON_ONCE(need != ZFCP_ERP_ACTION_REOPEN_LUN && ++ need != ZFCP_ERP_ACTION_REOPEN_PORT && ++ need != ZFCP_ERP_ACTION_REOPEN_PORT_FORCED && ++ need != ZFCP_ERP_ACTION_REOPEN_ADAPTER)) ++ return NULL; ++ + switch (need) { + case ZFCP_ERP_ACTION_REOPEN_LUN: + zfcp_sdev = sdev_to_zfcp(sdev); +-- +2.20.1 + diff --git a/queue-5.2/selftests-bpf-do-not-ignore-clang-failures.patch b/queue-5.2/selftests-bpf-do-not-ignore-clang-failures.patch new file mode 100644 index 00000000000..65a2f6414fe --- /dev/null +++ b/queue-5.2/selftests-bpf-do-not-ignore-clang-failures.patch @@ -0,0 +1,72 @@ +From cd594afe2188295e932cbf331e12e05ca96a863c Mon Sep 17 00:00:00 2001 +From: Ilya Leoshkevich +Date: Thu, 11 Jul 2019 11:12:49 +0200 +Subject: selftests/bpf: do not ignore clang failures + +[ Upstream commit 9cae4ace80ef39005da106fbb89c952b27d7b89e ] + +When compiling an eBPF prog fails, make still returns 0, because +failing clang command's output is piped to llc and therefore its +exit status is ignored. + +When clang fails, pipe the string "clang failed" to llc. This will make +llc fail with an informative error message. This solution was chosen +over using pipefail, having separate targets or getting rid of llc +invocation due to its simplicity. + +In addition, pull Kbuild.include in order to get .DELETE_ON_ERROR target, +which would cause partial .o files to be removed. + +Signed-off-by: Ilya Leoshkevich +Acked-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/Makefile | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile +index 1c95112629477..f1573a11d3e41 100644 +--- a/tools/testing/selftests/bpf/Makefile ++++ b/tools/testing/selftests/bpf/Makefile +@@ -1,4 +1,5 @@ + # SPDX-License-Identifier: GPL-2.0 ++include ../../../../scripts/Kbuild.include + + LIBDIR := ../../../lib + BPFDIR := $(LIBDIR)/bpf +@@ -185,8 +186,8 @@ $(ALU32_BUILD_DIR)/test_progs_32: prog_tests/*.c + + $(ALU32_BUILD_DIR)/%.o: progs/%.c $(ALU32_BUILD_DIR) \ + $(ALU32_BUILD_DIR)/test_progs_32 +- $(CLANG) $(CLANG_FLAGS) \ +- -O2 -target bpf -emit-llvm -c $< -o - | \ ++ ($(CLANG) $(CLANG_FLAGS) -O2 -target bpf -emit-llvm -c $< -o - || \ ++ echo "clang failed") | \ + $(LLC) -march=bpf -mattr=+alu32 -mcpu=$(CPU) $(LLC_FLAGS) \ + -filetype=obj -o $@ + ifeq ($(DWARF2BTF),y) +@@ -197,16 +198,16 @@ endif + # Have one program compiled without "-target bpf" to test whether libbpf loads + # it successfully + $(OUTPUT)/test_xdp.o: progs/test_xdp.c +- $(CLANG) $(CLANG_FLAGS) \ +- -O2 -emit-llvm -c $< -o - | \ ++ ($(CLANG) $(CLANG_FLAGS) -O2 -emit-llvm -c $< -o - || \ ++ echo "clang failed") | \ + $(LLC) -march=bpf -mcpu=$(CPU) $(LLC_FLAGS) -filetype=obj -o $@ + ifeq ($(DWARF2BTF),y) + $(BTF_PAHOLE) -J $@ + endif + + $(OUTPUT)/%.o: progs/%.c +- $(CLANG) $(CLANG_FLAGS) \ +- -O2 -target bpf -emit-llvm -c $< -o - | \ ++ ($(CLANG) $(CLANG_FLAGS) -O2 -target bpf -emit-llvm -c $< -o - || \ ++ echo "clang failed") | \ + $(LLC) -march=bpf -mcpu=$(CPU) $(LLC_FLAGS) -filetype=obj -o $@ + ifeq ($(DWARF2BTF),y) + $(BTF_PAHOLE) -J $@ +-- +2.20.1 + diff --git a/queue-5.2/series b/queue-5.2/series new file mode 100644 index 00000000000..dbced896f2f --- /dev/null +++ b/queue-5.2/series @@ -0,0 +1,74 @@ +arm-riscpc-fix-dma.patch +arm-dts-rockchip-make-rk3288-veyron-minnie-run-at-hs.patch +arm-dts-rockchip-make-rk3288-veyron-mickey-s-emmc-wo.patch +clk-meson-mpll-properly-handle-spread-spectrum.patch +arm-dts-rockchip-mark-that-the-rk3288-timer-might-st.patch +ftrace-enable-trampoline-when-rec-count-returns-back.patch +arm64-dts-qcom-qcs404-evb-fix-l3-min-voltage.patch +soc-qcom-rpmpd-fixup-rpmpd-set-performance-state.patch +arm64-dts-marvell-mcbin-enlarge-pci-memory-window.patch +soc-imx-soc-imx8-correct-return-value-of-error-handl.patch +dmaengine-tegra-apb-error-out-if-dma_prep_interrupt-.patch +arm64-dts-rockchip-fix-isp-iommu-clocks-and-power-do.patch +kernel-module.c-only-return-eexist-for-modules-that-.patch +pci-of-initialize-dev-fwnode-appropriately.patch +firmware-psci-psci_checker-park-kthreads-before-stop.patch +soc-imx8-fix-potential-kernel-dump-in-error-path.patch +arm64-qcom-qcs404-add-reset-cells-to-gcc-node.patch +swiotlb-fix-phys_addr_t-overflow-warning.patch +mips-lantiq-fix-bitfield-masking.patch +dmaengine-rcar-dmac-reject-zero-length-slave-dma-req.patch +arm-exynos-only-build-mcpm-support-if-used.patch +clk-tegra210-fix-pllu-and-pllu_out1.patch +fs-adfs-super-fix-use-after-free-bug.patch +clk-sprd-add-check-for-return-value-of-sprd_clk_regm.patch +arm64-dts-rockchip-fix-usb3-type-c-on-rk3399-sapphir.patch +btrfs-tree-checker-check-if-the-file-extent-end-over.patch +btrfs-fix-minimum-number-of-chunk-errors-for-dup.patch +btrfs-flush-before-reflinking-any-extent-to-prevent-.patch +remoteproc-copy-parent-dma_pfn_offset-for-vdev.patch +btrfs-qgroup-don-t-hold-qgroup_ioctl_lock-in-btrfs_q.patch +cifs-fix-a-race-condition-with-cifs_echo_request.patch +ceph-fix-improper-use-of-smp_mb__before_atomic.patch +ceph-fix-dir_lease_is_valid.patch +ceph-return-erange-if-virtual-xattr-value-didn-t-fit.patch +virtio-mmio-add-error-check-for-platform_get_irq.patch +acpi-blacklist-fix-clang-warning-for-unused-dmi-tabl.patch +scsi-zfcp-fix-gcc-compiler-warning-emitted-with-wmay.patch +selftests-bpf-do-not-ignore-clang-failures.patch +drm-amd-display-expose-audio-inst-from-dc-to-dm.patch +cifs-fix-crash-in-cifs_dfs_do_automount.patch +perf-version-fix-segfault-due-to-missing-opt_end.patch +x86-kvm-avoid-constant-conversion-warning.patch +acpi-fix-false-positive-wuninitialized-warning.patch +kvm-nvmx-ignore-segment-base-for-vmx-memory-operand-.patch +bpf-fix-btf-verifier-size-resolution-logic.patch +be2net-signal-that-the-device-cannot-transmit-during.patch +mm-z3fold-don-t-try-to-use-buddy-slots-after-free.patch +mm-slab_common.c-work-around-clang-bug-42570.patch +mm-memcontrol.c-keep-local-vm-counters-in-sync-with-.patch +mm-z3fold.c-reinitialize-zhdr-structs-after-migratio.patch +x86-apic-silence-wtype-limits-compiler-warnings.patch +x86-math-emu-hide-clang-warnings-for-16-bit-overflow.patch +mm-cma.c-fail-if-fixed-declaration-can-t-be-honored.patch +lib-test_overflow.c-avoid-tainting-the-kernel-and-fi.patch +lib-test_string.c-avoid-masking-memset16-32-64-failu.patch +mm-ioremap-check-virtual-address-alignment-while-cre.patch +coda-add-error-handling-for-fget.patch +coda-fix-build-using-bare-metal-toolchain.patch +uapi-linux-coda_psdev.h-move-upc_req-definition-from.patch +drivers-rapidio-devices-rio_mport_cdev.c-nul-termina.patch +ipc-mqueue.c-only-perform-resource-calculation-if-us.patch +nds32-fix-asm-syscall.h.patch +device-dax-fix-memory-and-resource-leak-if-hotplug-f.patch +mm-hotplug-make-remove_memory-interface-usable.patch +stacktrace-force-user_ds-for-stack_trace_save_user.patch +crypto-ccp-fix-sev_version_greater_or_equal.patch +xen-pv-fix-a-boot-up-hang-revealed-by-int3-self-test.patch +x86-kvm-don-t-call-kvm_spurious_fault-from-.fixup.patch +x86-paravirt-fix-callee-saved-function-elf-sizes.patch +x86-boot-remove-multiple-copy-of-static-function-san.patch +bpf-disable-gcc-fgcse-optimization-for-___bpf_prog_r.patch +drm-nouveau-fix-memory-leak-in-nouveau_conn_reset.patch +dma-direct-correct-the-physical-addr-in-dma_direct_s.patch +drm-nouveau-dmem-missing-mutex_lock-in-error-path.patch diff --git a/queue-5.2/soc-imx-soc-imx8-correct-return-value-of-error-handl.patch b/queue-5.2/soc-imx-soc-imx8-correct-return-value-of-error-handl.patch new file mode 100644 index 00000000000..359cebf2de4 --- /dev/null +++ b/queue-5.2/soc-imx-soc-imx8-correct-return-value-of-error-handl.patch @@ -0,0 +1,75 @@ +From efdeccc2b7567826fe5219397aaa3ac6f614ef53 Mon Sep 17 00:00:00 2001 +From: Anson Huang +Date: Fri, 24 May 2019 13:51:01 +0800 +Subject: soc: imx: soc-imx8: Correct return value of error handle + +[ Upstream commit 4c396a604a57da8f883a8b3368d83181680d6907 ] + +Current implementation of i.MX8 SoC driver returns -ENODEV +for all cases of error during initialization, this is incorrect. +This patch fixes them using correct return value according +to different errors. + +Signed-off-by: Anson Huang +Reviewed-by: Leonard Crestez +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + drivers/soc/imx/soc-imx8.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/soc/imx/soc-imx8.c b/drivers/soc/imx/soc-imx8.c +index fc6429f9170a6..e567d866a9d31 100644 +--- a/drivers/soc/imx/soc-imx8.c ++++ b/drivers/soc/imx/soc-imx8.c +@@ -73,7 +73,7 @@ static int __init imx8_soc_init(void) + + soc_dev_attr = kzalloc(sizeof(*soc_dev_attr), GFP_KERNEL); + if (!soc_dev_attr) +- return -ENODEV; ++ return -ENOMEM; + + soc_dev_attr->family = "Freescale i.MX"; + +@@ -83,8 +83,10 @@ static int __init imx8_soc_init(void) + goto free_soc; + + id = of_match_node(imx8_soc_match, root); +- if (!id) ++ if (!id) { ++ ret = -ENODEV; + goto free_soc; ++ } + + of_node_put(root); + +@@ -96,12 +98,16 @@ static int __init imx8_soc_init(void) + } + + soc_dev_attr->revision = imx8_revision(soc_rev); +- if (!soc_dev_attr->revision) ++ if (!soc_dev_attr->revision) { ++ ret = -ENOMEM; + goto free_soc; ++ } + + soc_dev = soc_device_register(soc_dev_attr); +- if (IS_ERR(soc_dev)) ++ if (IS_ERR(soc_dev)) { ++ ret = PTR_ERR(soc_dev); + goto free_rev; ++ } + + return 0; + +@@ -110,6 +116,6 @@ free_rev: + free_soc: + kfree(soc_dev_attr); + of_node_put(root); +- return -ENODEV; ++ return ret; + } + device_initcall(imx8_soc_init); +-- +2.20.1 + diff --git a/queue-5.2/soc-imx8-fix-potential-kernel-dump-in-error-path.patch b/queue-5.2/soc-imx8-fix-potential-kernel-dump-in-error-path.patch new file mode 100644 index 00000000000..b1c71c5cce5 --- /dev/null +++ b/queue-5.2/soc-imx8-fix-potential-kernel-dump-in-error-path.patch @@ -0,0 +1,73 @@ +From 293088d1b2e591a9dffe48e4c06ad2371f26a82a Mon Sep 17 00:00:00 2001 +From: Anson Huang +Date: Fri, 14 Jun 2019 16:07:47 +0800 +Subject: soc: imx8: Fix potential kernel dump in error path + +[ Upstream commit 1bcbe7300815e91fef18ee905b04f65490ad38c9 ] + +When SoC's revision value is 0, SoC driver will print out +"unknown" in sysfs's revision node, this "unknown" is a +static string which can NOT be freed, this will caused below +kernel dump in later error path which calls kfree: + +kernel BUG at mm/slub.c:3942! +Internal error: Oops - BUG: 0 [#1] PREEMPT SMP +Modules linked in: +CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.2.0-rc4-next-20190611-00023-g705146c-dirty #2197 +Hardware name: NXP i.MX8MQ EVK (DT) +pstate: 60000005 (nZCv daif -PAN -UAO) +pc : kfree+0x170/0x1b0 +lr : imx8_soc_init+0xc0/0xe4 +sp : ffff00001003bd10 +x29: ffff00001003bd10 x28: ffff00001121e0a0 +x27: ffff000011482000 x26: ffff00001117068c +x25: ffff00001121e100 x24: ffff000011482000 +x23: ffff000010fe2b58 x22: ffff0000111b9ab0 +x21: ffff8000bd9dfba0 x20: ffff0000111b9b70 +x19: ffff7e000043f880 x18: 0000000000001000 +x17: ffff000010d05fa0 x16: ffff0000122e0000 +x15: 0140000000000000 x14: 0000000030360000 +x13: ffff8000b94b5bb0 x12: 0000000000000038 +x11: ffffffffffffffff x10: ffffffffffffffff +x9 : 0000000000000003 x8 : ffff8000b9488147 +x7 : ffff00001003bc00 x6 : 0000000000000000 +x5 : 0000000000000003 x4 : 0000000000000003 +x3 : 0000000000000003 x2 : b8793acd604edf00 +x1 : ffff7e000043f880 x0 : ffff7e000043f888 +Call trace: + kfree+0x170/0x1b0 + imx8_soc_init+0xc0/0xe4 + do_one_initcall+0x58/0x1b8 + kernel_init_freeable+0x1cc/0x288 + kernel_init+0x10/0x100 + ret_from_fork+0x10/0x18 + +This patch fixes this potential kernel dump when a chip's +revision is "unknown", it is done by checking whether the +revision space can be freed. + +Fixes: a7e26f356ca1 ("soc: imx: Add generic i.MX8 SoC driver") +Signed-off-by: Anson Huang +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + drivers/soc/imx/soc-imx8.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/soc/imx/soc-imx8.c b/drivers/soc/imx/soc-imx8.c +index e567d866a9d31..79a3d922a4a9b 100644 +--- a/drivers/soc/imx/soc-imx8.c ++++ b/drivers/soc/imx/soc-imx8.c +@@ -112,7 +112,8 @@ static int __init imx8_soc_init(void) + return 0; + + free_rev: +- kfree(soc_dev_attr->revision); ++ if (strcmp(soc_dev_attr->revision, "unknown")) ++ kfree(soc_dev_attr->revision); + free_soc: + kfree(soc_dev_attr); + of_node_put(root); +-- +2.20.1 + diff --git a/queue-5.2/soc-qcom-rpmpd-fixup-rpmpd-set-performance-state.patch b/queue-5.2/soc-qcom-rpmpd-fixup-rpmpd-set-performance-state.patch new file mode 100644 index 00000000000..12fbec870f0 --- /dev/null +++ b/queue-5.2/soc-qcom-rpmpd-fixup-rpmpd-set-performance-state.patch @@ -0,0 +1,40 @@ +From 165f8c5f378d90edcd0d09ae2f4ff464a18b05a0 Mon Sep 17 00:00:00 2001 +From: Sibi Sankar +Date: Mon, 13 May 2019 15:50:07 +0530 +Subject: soc: qcom: rpmpd: fixup rpmpd set performance state + +[ Upstream commit 8b3344422f097debe52296b87a39707d56ca3abe ] + +Remoteproc q6v5-mss calls set_performance_state with INT_MAX on +rpmpd. This is currently ignored since it is greater than the +max supported state. Fixup rpmpd state to max if the required +state is greater than all the supported states. + +Fixes: 075d3db8d10d ("soc: qcom: rpmpd: Add support for get/set performance state") +Reviewed-by: Marc Gonzalez +Reviewed-by: Vinod Koul +Reviewed-by: Jeffrey Hugo +Signed-off-by: Sibi Sankar +Signed-off-by: Bjorn Andersson +Signed-off-by: Andy Gross +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/rpmpd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/qcom/rpmpd.c b/drivers/soc/qcom/rpmpd.c +index 005326050c236..235d01870dd8c 100644 +--- a/drivers/soc/qcom/rpmpd.c ++++ b/drivers/soc/qcom/rpmpd.c +@@ -226,7 +226,7 @@ static int rpmpd_set_performance(struct generic_pm_domain *domain, + struct rpmpd *pd = domain_to_rpmpd(domain); + + if (state > MAX_RPMPD_STATE) +- goto out; ++ state = MAX_RPMPD_STATE; + + mutex_lock(&rpmpd_lock); + +-- +2.20.1 + diff --git a/queue-5.2/stacktrace-force-user_ds-for-stack_trace_save_user.patch b/queue-5.2/stacktrace-force-user_ds-for-stack_trace_save_user.patch new file mode 100644 index 00000000000..f584df14c62 --- /dev/null +++ b/queue-5.2/stacktrace-force-user_ds-for-stack_trace_save_user.patch @@ -0,0 +1,47 @@ +From 3c8153b869e1b3c1ecc6dba1b59c6c3a14ad03cf Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Thu, 18 Jul 2019 10:47:47 +0200 +Subject: stacktrace: Force USER_DS for stack_trace_save_user() + +[ Upstream commit cac9b9a4b08304f11daace03b8b48659355e44c1 ] + +When walking userspace stacks, USER_DS needs to be set, otherwise +access_ok() will not function as expected. + +Reported-by: Vegard Nossum +Reported-by: Eiichi Tsukata +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Thomas Gleixner +Tested-by: Vegard Nossum +Reviewed-by: Joel Fernandes (Google) +Link: https://lkml.kernel.org/r/20190718085754.GM3402@hirez.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + kernel/stacktrace.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/kernel/stacktrace.c b/kernel/stacktrace.c +index 36139de0a3c4b..899b726c9e98f 100644 +--- a/kernel/stacktrace.c ++++ b/kernel/stacktrace.c +@@ -226,12 +226,17 @@ unsigned int stack_trace_save_user(unsigned long *store, unsigned int size) + .store = store, + .size = size, + }; ++ mm_segment_t fs; + + /* Trace user stack if not a kernel thread */ + if (!current->mm) + return 0; + ++ fs = get_fs(); ++ set_fs(USER_DS); + arch_stack_walk_user(consume_entry, &c, task_pt_regs(current)); ++ set_fs(fs); ++ + return c.len; + } + #endif +-- +2.20.1 + diff --git a/queue-5.2/swiotlb-fix-phys_addr_t-overflow-warning.patch b/queue-5.2/swiotlb-fix-phys_addr_t-overflow-warning.patch new file mode 100644 index 00000000000..9b3fb427d1d --- /dev/null +++ b/queue-5.2/swiotlb-fix-phys_addr_t-overflow-warning.patch @@ -0,0 +1,66 @@ +From c6ce95e3d3d0ac546787e4a99f93663266c665ac Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 17 Jun 2019 15:28:43 +0200 +Subject: swiotlb: fix phys_addr_t overflow warning + +[ Upstream commit 9c106119f6538f65bdddb7948a157d90625effa7 ] + +On architectures that have a larger dma_addr_t than phys_addr_t, +the swiotlb_tbl_map_single() function truncates its return code +in the failure path, making it impossible to identify the error +later, as we compare to the original value: + +kernel/dma/swiotlb.c:551:9: error: implicit conversion from 'dma_addr_t' (aka 'unsigned long long') to 'phys_addr_t' (aka 'unsigned int') changes value from 18446744073709551615 to 4294967295 [-Werror,-Wconstant-conversion] + return DMA_MAPPING_ERROR; + +Use an explicit typecast here to convert it to the narrower type, +and use the same expression in the error handling later. + +Fixes: b907e20508d0 ("swiotlb: remove SWIOTLB_MAP_ERROR") +Acked-by: Stefano Stabellini +Signed-off-by: Arnd Bergmann +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Sasha Levin +--- + drivers/xen/swiotlb-xen.c | 2 +- + kernel/dma/swiotlb.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c +index d53f3493a6b98..cfbe46785a3b3 100644 +--- a/drivers/xen/swiotlb-xen.c ++++ b/drivers/xen/swiotlb-xen.c +@@ -402,7 +402,7 @@ static dma_addr_t xen_swiotlb_map_page(struct device *dev, struct page *page, + + map = swiotlb_tbl_map_single(dev, start_dma_addr, phys, size, dir, + attrs); +- if (map == DMA_MAPPING_ERROR) ++ if (map == (phys_addr_t)DMA_MAPPING_ERROR) + return DMA_MAPPING_ERROR; + + dev_addr = xen_phys_to_bus(map); +diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c +index 13f0cb080a4dc..5f4e1b78babb5 100644 +--- a/kernel/dma/swiotlb.c ++++ b/kernel/dma/swiotlb.c +@@ -546,7 +546,7 @@ not_found: + if (!(attrs & DMA_ATTR_NO_WARN) && printk_ratelimit()) + dev_warn(hwdev, "swiotlb buffer is full (sz: %zd bytes), total %lu (slots), used %lu (slots)\n", + size, io_tlb_nslabs, tmp_io_tlb_used); +- return DMA_MAPPING_ERROR; ++ return (phys_addr_t)DMA_MAPPING_ERROR; + found: + io_tlb_used += nslots; + spin_unlock_irqrestore(&io_tlb_lock, flags); +@@ -664,7 +664,7 @@ bool swiotlb_map(struct device *dev, phys_addr_t *phys, dma_addr_t *dma_addr, + /* Oh well, have to allocate and map a bounce buffer. */ + *phys = swiotlb_tbl_map_single(dev, __phys_to_dma(dev, io_tlb_start), + *phys, size, dir, attrs); +- if (*phys == DMA_MAPPING_ERROR) ++ if (*phys == (phys_addr_t)DMA_MAPPING_ERROR) + return false; + + /* Ensure that the address returned is DMA'ble */ +-- +2.20.1 + diff --git a/queue-5.2/uapi-linux-coda_psdev.h-move-upc_req-definition-from.patch b/queue-5.2/uapi-linux-coda_psdev.h-move-upc_req-definition-from.patch new file mode 100644 index 00000000000..43c64d07193 --- /dev/null +++ b/queue-5.2/uapi-linux-coda_psdev.h-move-upc_req-definition-from.patch @@ -0,0 +1,106 @@ +From b72c358730b6ddd6403de1d991a9ed2dff0e8c07 Mon Sep 17 00:00:00 2001 +From: Mikko Rapeli +Date: Tue, 16 Jul 2019 16:28:10 -0700 +Subject: uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel + side headers + +[ Upstream commit f90fb3c7e2c13ae829db2274b88b845a75038b8a ] + +Only users of upc_req in kernel side fs/coda/psdev.c and +fs/coda/upcall.c already include linux/coda_psdev.h. + +Suggested by Jan Harkes in + https://lore.kernel.org/lkml/20150531111913.GA23377@cs.cmu.edu/ + +Fixes these include/uapi/linux/coda_psdev.h compilation errors in userspace: + + linux/coda_psdev.h:12:19: error: field `uc_chain' has incomplete type + struct list_head uc_chain; + ^ + linux/coda_psdev.h:13:2: error: unknown type name `caddr_t' + caddr_t uc_data; + ^ + linux/coda_psdev.h:14:2: error: unknown type name `u_short' + u_short uc_flags; + ^ + linux/coda_psdev.h:15:2: error: unknown type name `u_short' + u_short uc_inSize; /* Size is at most 5000 bytes */ + ^ + linux/coda_psdev.h:16:2: error: unknown type name `u_short' + u_short uc_outSize; + ^ + linux/coda_psdev.h:17:2: error: unknown type name `u_short' + u_short uc_opcode; /* copied from data to save lookup */ + ^ + linux/coda_psdev.h:19:2: error: unknown type name `wait_queue_head_t' + wait_queue_head_t uc_sleep; /* process' wait queue */ + ^ + +Link: http://lkml.kernel.org/r/9f99f5ce6a0563d5266e6cf7aa9585aac2cae971.1558117389.git.jaharkes@cs.cmu.edu +Signed-off-by: Mikko Rapeli +Signed-off-by: Jan Harkes +Cc: Arnd Bergmann +Cc: Colin Ian King +Cc: Dan Carpenter +Cc: David Howells +Cc: Fabian Frederick +Cc: Sam Protsenko +Cc: Yann Droneaud +Cc: Zhouyang Jia +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/coda_psdev.h | 11 +++++++++++ + include/uapi/linux/coda_psdev.h | 13 ------------- + 2 files changed, 11 insertions(+), 13 deletions(-) + +diff --git a/include/linux/coda_psdev.h b/include/linux/coda_psdev.h +index 15170954aa2b3..57d2b2faf6a3e 100644 +--- a/include/linux/coda_psdev.h ++++ b/include/linux/coda_psdev.h +@@ -19,6 +19,17 @@ struct venus_comm { + struct mutex vc_mutex; + }; + ++/* messages between coda filesystem in kernel and Venus */ ++struct upc_req { ++ struct list_head uc_chain; ++ caddr_t uc_data; ++ u_short uc_flags; ++ u_short uc_inSize; /* Size is at most 5000 bytes */ ++ u_short uc_outSize; ++ u_short uc_opcode; /* copied from data to save lookup */ ++ int uc_unique; ++ wait_queue_head_t uc_sleep; /* process' wait queue */ ++}; + + static inline struct venus_comm *coda_vcp(struct super_block *sb) + { +diff --git a/include/uapi/linux/coda_psdev.h b/include/uapi/linux/coda_psdev.h +index aa6623efd2dd0..d50d51a57fe4e 100644 +--- a/include/uapi/linux/coda_psdev.h ++++ b/include/uapi/linux/coda_psdev.h +@@ -7,19 +7,6 @@ + #define CODA_PSDEV_MAJOR 67 + #define MAX_CODADEVS 5 /* how many do we allow */ + +- +-/* messages between coda filesystem in kernel and Venus */ +-struct upc_req { +- struct list_head uc_chain; +- caddr_t uc_data; +- u_short uc_flags; +- u_short uc_inSize; /* Size is at most 5000 bytes */ +- u_short uc_outSize; +- u_short uc_opcode; /* copied from data to save lookup */ +- int uc_unique; +- wait_queue_head_t uc_sleep; /* process' wait queue */ +-}; +- + #define CODA_REQ_ASYNC 0x1 + #define CODA_REQ_READ 0x2 + #define CODA_REQ_WRITE 0x4 +-- +2.20.1 + diff --git a/queue-5.2/virtio-mmio-add-error-check-for-platform_get_irq.patch b/queue-5.2/virtio-mmio-add-error-check-for-platform_get_irq.patch new file mode 100644 index 00000000000..ed5edffe206 --- /dev/null +++ b/queue-5.2/virtio-mmio-add-error-check-for-platform_get_irq.patch @@ -0,0 +1,42 @@ +From 8cd6f075cb5a5bb79d76cf3685091037ae82a65b Mon Sep 17 00:00:00 2001 +From: Ihor Matushchak +Date: Tue, 2 Jul 2019 17:48:18 +0300 +Subject: virtio-mmio: add error check for platform_get_irq + +[ Upstream commit 5e663f0410fa2f355042209154029842ba1abd43 ] + +in vm_find_vqs() irq has a wrong type +so, in case of no IRQ resource defined, +wrong parameter will be passed to request_irq() + +Signed-off-by: Ihor Matushchak +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Ivan T. Ivanov +Signed-off-by: Sasha Levin +--- + drivers/virtio/virtio_mmio.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c +index f363fbeb5ab0c..e09edb5c5e065 100644 +--- a/drivers/virtio/virtio_mmio.c ++++ b/drivers/virtio/virtio_mmio.c +@@ -463,9 +463,14 @@ static int vm_find_vqs(struct virtio_device *vdev, unsigned nvqs, + struct irq_affinity *desc) + { + struct virtio_mmio_device *vm_dev = to_virtio_mmio_device(vdev); +- unsigned int irq = platform_get_irq(vm_dev->pdev, 0); ++ int irq = platform_get_irq(vm_dev->pdev, 0); + int i, err, queue_idx = 0; + ++ if (irq < 0) { ++ dev_err(&vdev->dev, "Cannot get IRQ resource\n"); ++ return irq; ++ } ++ + err = request_irq(irq, vm_interrupt, IRQF_SHARED, + dev_name(&vdev->dev), vm_dev); + if (err) +-- +2.20.1 + diff --git a/queue-5.2/x86-apic-silence-wtype-limits-compiler-warnings.patch b/queue-5.2/x86-apic-silence-wtype-limits-compiler-warnings.patch new file mode 100644 index 00000000000..a8c8db0bd11 --- /dev/null +++ b/queue-5.2/x86-apic-silence-wtype-limits-compiler-warnings.patch @@ -0,0 +1,74 @@ +From a37e62ccdf34eebd62b77a9a4484f52cb2572fa4 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Mon, 8 Jul 2019 17:36:45 -0400 +Subject: x86/apic: Silence -Wtype-limits compiler warnings + +[ Upstream commit ec6335586953b0df32f83ef696002063090c7aef ] + +There are many compiler warnings like this, + +In file included from ./arch/x86/include/asm/smp.h:13, + from ./arch/x86/include/asm/mmzone_64.h:11, + from ./arch/x86/include/asm/mmzone.h:5, + from ./include/linux/mmzone.h:969, + from ./include/linux/gfp.h:6, + from ./include/linux/mm.h:10, + from arch/x86/kernel/apic/io_apic.c:34: +arch/x86/kernel/apic/io_apic.c: In function 'check_timer': +./arch/x86/include/asm/apic.h:37:11: warning: comparison of unsigned +expression >= 0 is always true [-Wtype-limits] + if ((v) <= apic_verbosity) \ + ^~ +arch/x86/kernel/apic/io_apic.c:2160:2: note: in expansion of macro +'apic_printk' + apic_printk(APIC_QUIET, KERN_INFO "..TIMER: vector=0x%02X " + ^~~~~~~~~~~ +./arch/x86/include/asm/apic.h:37:11: warning: comparison of unsigned +expression >= 0 is always true [-Wtype-limits] + if ((v) <= apic_verbosity) \ + ^~ +arch/x86/kernel/apic/io_apic.c:2207:4: note: in expansion of macro +'apic_printk' + apic_printk(APIC_QUIET, KERN_ERR "..MP-BIOS bug: " + ^~~~~~~~~~~ + +APIC_QUIET is 0, so silence them by making apic_verbosity type int. + +Signed-off-by: Qian Cai +Signed-off-by: Thomas Gleixner +Link: https://lkml.kernel.org/r/1562621805-24789-1-git-send-email-cai@lca.pw +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/apic.h | 2 +- + arch/x86/kernel/apic/apic.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h +index 1340fa53b575b..2e599384abd8c 100644 +--- a/arch/x86/include/asm/apic.h ++++ b/arch/x86/include/asm/apic.h +@@ -49,7 +49,7 @@ static inline void generic_apic_probe(void) + + #ifdef CONFIG_X86_LOCAL_APIC + +-extern unsigned int apic_verbosity; ++extern int apic_verbosity; + extern int local_apic_timer_c2_ok; + + extern int disable_apic; +diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c +index 16c21ed97cb23..530cf1fd68a2f 100644 +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -183,7 +183,7 @@ EXPORT_SYMBOL_GPL(local_apic_timer_c2_ok); + /* + * Debug level, exported for io_apic.c + */ +-unsigned int apic_verbosity; ++int apic_verbosity; + + int pic_mode; + +-- +2.20.1 + diff --git a/queue-5.2/x86-boot-remove-multiple-copy-of-static-function-san.patch b/queue-5.2/x86-boot-remove-multiple-copy-of-static-function-san.patch new file mode 100644 index 00000000000..46598868829 --- /dev/null +++ b/queue-5.2/x86-boot-remove-multiple-copy-of-static-function-san.patch @@ -0,0 +1,59 @@ +From b99f578de19ada31ad88625f86dedd4b8946bbd8 Mon Sep 17 00:00:00 2001 +From: Zhenzhong Duan +Date: Tue, 16 Jul 2019 21:18:12 +0800 +Subject: x86, boot: Remove multiple copy of static function + sanitize_boot_params() + +[ Upstream commit 8c5477e8046ca139bac250386c08453da37ec1ae ] + +Kernel build warns: + 'sanitize_boot_params' defined but not used [-Wunused-function] + +at below files: + arch/x86/boot/compressed/cmdline.c + arch/x86/boot/compressed/error.c + arch/x86/boot/compressed/early_serial_console.c + arch/x86/boot/compressed/acpi.c + +That's becausethey each include misc.h which includes a definition of +sanitize_boot_params() via bootparam_utils.h. + +Remove the inclusion from misc.h and have the c file including +bootparam_utils.h directly. + +Signed-off-by: Zhenzhong Duan +Signed-off-by: Thomas Gleixner +Link: https://lkml.kernel.org/r/1563283092-1189-1-git-send-email-zhenzhong.duan@oracle.com +Signed-off-by: Sasha Levin +--- + arch/x86/boot/compressed/misc.c | 1 + + arch/x86/boot/compressed/misc.h | 1 - + 2 files changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c +index 5a237e8dbf8d5..0de54a1d25c0a 100644 +--- a/arch/x86/boot/compressed/misc.c ++++ b/arch/x86/boot/compressed/misc.c +@@ -17,6 +17,7 @@ + #include "pgtable.h" + #include "../string.h" + #include "../voffset.h" ++#include + + /* + * WARNING!! +diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/misc.h +index d2f184165934c..c8181392f70d7 100644 +--- a/arch/x86/boot/compressed/misc.h ++++ b/arch/x86/boot/compressed/misc.h +@@ -23,7 +23,6 @@ + #include + #include + #include +-#include + + #define BOOT_CTYPE_H + #include +-- +2.20.1 + diff --git a/queue-5.2/x86-kvm-avoid-constant-conversion-warning.patch b/queue-5.2/x86-kvm-avoid-constant-conversion-warning.patch new file mode 100644 index 00000000000..26b4cbc5cab --- /dev/null +++ b/queue-5.2/x86-kvm-avoid-constant-conversion-warning.patch @@ -0,0 +1,53 @@ +From d336495e93f8ba3bc7862a7c0f482f6a37162cfe Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 12 Jul 2019 11:12:30 +0200 +Subject: x86: kvm: avoid constant-conversion warning + +[ Upstream commit a6a6d3b1f867d34ba5bd61aa7bb056b48ca67cff ] + +clang finds a contruct suspicious that converts an unsigned +character to a signed integer and back, causing an overflow: + +arch/x86/kvm/mmu.c:4605:39: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -205 to 51 [-Werror,-Wconstant-conversion] + u8 wf = (pfec & PFERR_WRITE_MASK) ? ~w : 0; + ~~ ^~ +arch/x86/kvm/mmu.c:4607:38: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -241 to 15 [-Werror,-Wconstant-conversion] + u8 uf = (pfec & PFERR_USER_MASK) ? ~u : 0; + ~~ ^~ +arch/x86/kvm/mmu.c:4609:39: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -171 to 85 [-Werror,-Wconstant-conversion] + u8 ff = (pfec & PFERR_FETCH_MASK) ? ~x : 0; + ~~ ^~ + +Add an explicit cast to tell clang that everything works as +intended here. + +Signed-off-by: Arnd Bergmann +Link: https://github.com/ClangBuiltLinux/linux/issues/95 +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/mmu.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c +index 98f6e4f88b04c..8d95c81b2c821 100644 +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -4593,11 +4593,11 @@ static void update_permission_bitmask(struct kvm_vcpu *vcpu, + */ + + /* Faults from writes to non-writable pages */ +- u8 wf = (pfec & PFERR_WRITE_MASK) ? ~w : 0; ++ u8 wf = (pfec & PFERR_WRITE_MASK) ? (u8)~w : 0; + /* Faults from user mode accesses to supervisor pages */ +- u8 uf = (pfec & PFERR_USER_MASK) ? ~u : 0; ++ u8 uf = (pfec & PFERR_USER_MASK) ? (u8)~u : 0; + /* Faults from fetches of non-executable pages*/ +- u8 ff = (pfec & PFERR_FETCH_MASK) ? ~x : 0; ++ u8 ff = (pfec & PFERR_FETCH_MASK) ? (u8)~x : 0; + /* Faults from kernel mode fetches of user pages */ + u8 smepf = 0; + /* Faults from kernel mode accesses of user pages */ +-- +2.20.1 + diff --git a/queue-5.2/x86-kvm-don-t-call-kvm_spurious_fault-from-.fixup.patch b/queue-5.2/x86-kvm-don-t-call-kvm_spurious_fault-from-.fixup.patch new file mode 100644 index 00000000000..515d112b6c4 --- /dev/null +++ b/queue-5.2/x86-kvm-don-t-call-kvm_spurious_fault-from-.fixup.patch @@ -0,0 +1,122 @@ +From af71732fb3884336fe9f7910125a78c54a66d795 Mon Sep 17 00:00:00 2001 +From: Josh Poimboeuf +Date: Wed, 17 Jul 2019 20:36:39 -0500 +Subject: x86/kvm: Don't call kvm_spurious_fault() from .fixup + +[ Upstream commit 3901336ed9887b075531bffaeef7742ba614058b ] + +After making a change to improve objtool's sibling call detection, it +started showing the following warning: + + arch/x86/kvm/vmx/nested.o: warning: objtool: .fixup+0x15: sibling call from callable instruction with modified stack frame + +The problem is the ____kvm_handle_fault_on_reboot() macro. It does a +fake call by pushing a fake RIP and doing a jump. That tricks the +unwinder into printing the function which triggered the exception, +rather than the .fixup code. + +Instead of the hack to make it look like the original function made the +call, just change the macro so that the original function actually does +make the call. This allows removal of the hack, and also makes objtool +happy. + +I triggered a vmx instruction exception and verified that the stack +trace is still sane: + + kernel BUG at arch/x86/kvm/x86.c:358! + invalid opcode: 0000 [#1] SMP PTI + CPU: 28 PID: 4096 Comm: qemu-kvm Not tainted 5.2.0+ #16 + Hardware name: Lenovo THINKSYSTEM SD530 -[7X2106Z000]-/-[7X2106Z000]-, BIOS -[TEE113Z-1.00]- 07/17/2017 + RIP: 0010:kvm_spurious_fault+0x5/0x10 + Code: 00 00 00 00 00 8b 44 24 10 89 d2 45 89 c9 48 89 44 24 10 8b 44 24 08 48 89 44 24 08 e9 d4 40 22 00 0f 1f 40 00 0f 1f 44 00 00 <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 55 49 89 fd 41 + RSP: 0018:ffffbf91c683bd00 EFLAGS: 00010246 + RAX: 000061f040000000 RBX: ffff9e159c77bba0 RCX: ffff9e15a5c87000 + RDX: 0000000665c87000 RSI: ffff9e15a5c87000 RDI: ffff9e159c77bba0 + RBP: 0000000000000000 R08: 0000000000000000 R09: ffff9e15a5c87000 + R10: 0000000000000000 R11: fffff8f2d99721c0 R12: ffff9e159c77bba0 + R13: ffffbf91c671d960 R14: ffff9e159c778000 R15: 0000000000000000 + FS: 00007fa341cbe700(0000) GS:ffff9e15b7400000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fdd38356804 CR3: 00000006759de003 CR4: 00000000007606e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + loaded_vmcs_init+0x4f/0xe0 + alloc_loaded_vmcs+0x38/0xd0 + vmx_create_vcpu+0xf7/0x600 + kvm_vm_ioctl+0x5e9/0x980 + ? __switch_to_asm+0x40/0x70 + ? __switch_to_asm+0x34/0x70 + ? __switch_to_asm+0x40/0x70 + ? __switch_to_asm+0x34/0x70 + ? free_one_page+0x13f/0x4e0 + do_vfs_ioctl+0xa4/0x630 + ksys_ioctl+0x60/0x90 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x55/0x1c0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x7fa349b1ee5b + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Thomas Gleixner +Acked-by: Paolo Bonzini +Acked-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/64a9b64d127e87b6920a97afde8e96ea76f6524e.1563413318.git.jpoimboe@redhat.com +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/kvm_host.h | 34 ++++++++++++++++++--------------- + 1 file changed, 19 insertions(+), 15 deletions(-) + +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h +index 08f46951c4306..8253925c5e8cc 100644 +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1491,25 +1491,29 @@ enum { + #define kvm_arch_vcpu_memslots_id(vcpu) ((vcpu)->arch.hflags & HF_SMM_MASK ? 1 : 0) + #define kvm_memslots_for_spte_role(kvm, role) __kvm_memslots(kvm, (role).smm) + ++asmlinkage void __noreturn kvm_spurious_fault(void); ++ + /* + * Hardware virtualization extension instructions may fault if a + * reboot turns off virtualization while processes are running. +- * Trap the fault and ignore the instruction if that happens. ++ * Usually after catching the fault we just panic; during reboot ++ * instead the instruction is ignored. + */ +-asmlinkage void kvm_spurious_fault(void); +- +-#define ____kvm_handle_fault_on_reboot(insn, cleanup_insn) \ +- "666: " insn "\n\t" \ +- "668: \n\t" \ +- ".pushsection .fixup, \"ax\" \n" \ +- "667: \n\t" \ +- cleanup_insn "\n\t" \ +- "cmpb $0, kvm_rebooting \n\t" \ +- "jne 668b \n\t" \ +- __ASM_SIZE(push) " $666b \n\t" \ +- "jmp kvm_spurious_fault \n\t" \ +- ".popsection \n\t" \ +- _ASM_EXTABLE(666b, 667b) ++#define ____kvm_handle_fault_on_reboot(insn, cleanup_insn) \ ++ "666: \n\t" \ ++ insn "\n\t" \ ++ "jmp 668f \n\t" \ ++ "667: \n\t" \ ++ "call kvm_spurious_fault \n\t" \ ++ "668: \n\t" \ ++ ".pushsection .fixup, \"ax\" \n\t" \ ++ "700: \n\t" \ ++ cleanup_insn "\n\t" \ ++ "cmpb $0, kvm_rebooting\n\t" \ ++ "je 667b \n\t" \ ++ "jmp 668b \n\t" \ ++ ".popsection \n\t" \ ++ _ASM_EXTABLE(666b, 700b) + + #define __kvm_handle_fault_on_reboot(insn) \ + ____kvm_handle_fault_on_reboot(insn, "") +-- +2.20.1 + diff --git a/queue-5.2/x86-math-emu-hide-clang-warnings-for-16-bit-overflow.patch b/queue-5.2/x86-math-emu-hide-clang-warnings-for-16-bit-overflow.patch new file mode 100644 index 00000000000..ea5f569de15 --- /dev/null +++ b/queue-5.2/x86-math-emu-hide-clang-warnings-for-16-bit-overflow.patch @@ -0,0 +1,69 @@ +From 9f86df8f8df5d37bf093b73b1abedff4eee5f7bd Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 12 Jul 2019 11:08:05 +0200 +Subject: x86: math-emu: Hide clang warnings for 16-bit overflow + +[ Upstream commit 29e7e9664aec17b94a9c8c5a75f8d216a206aa3a ] + +clang warns about a few parts of the math-emu implementation +where a 16-bit integer becomes negative during assignment: + +arch/x86/math-emu/poly_tan.c:88:35: error: implicit conversion from 'int' to 'short' changes value from 49216 to -16320 [-Werror,-Wconstant-conversion] + (0x41 + EXTENDED_Ebias) | SIGN_Negative); + ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~ +arch/x86/math-emu/fpu_emu.h:180:58: note: expanded from macro 'setexponent16' + #define setexponent16(x,y) { (*(short *)&((x)->exp)) = (y); } + ~ ^ +arch/x86/math-emu/reg_constant.c:37:32: error: implicit conversion from 'int' to 'short' changes value from 49085 to -16451 [-Werror,-Wconstant-conversion] +FPU_REG const CONST_PI2extra = MAKE_REG(NEG, -66, + ^~~~~~~~~~~~~~~~~~ +arch/x86/math-emu/reg_constant.c:21:25: note: expanded from macro 'MAKE_REG' + ((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) } + ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~ +arch/x86/math-emu/reg_constant.c:48:28: error: implicit conversion from 'int' to 'short' changes value from 65535 to -1 [-Werror,-Wconstant-conversion] +FPU_REG const CONST_QNaN = MAKE_REG(NEG, EXP_OVER, 0x00000000, 0xC0000000); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +arch/x86/math-emu/reg_constant.c:21:25: note: expanded from macro 'MAKE_REG' + ((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) } + ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~ + +The code is correct as is, so add a typecast to shut up the warnings. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Thomas Gleixner +Link: https://lkml.kernel.org/r/20190712090816.350668-1-arnd@arndb.de +Signed-off-by: Sasha Levin +--- + arch/x86/math-emu/fpu_emu.h | 2 +- + arch/x86/math-emu/reg_constant.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/math-emu/fpu_emu.h b/arch/x86/math-emu/fpu_emu.h +index a5a41ec580721..0c122226ca56f 100644 +--- a/arch/x86/math-emu/fpu_emu.h ++++ b/arch/x86/math-emu/fpu_emu.h +@@ -177,7 +177,7 @@ static inline void reg_copy(FPU_REG const *x, FPU_REG *y) + #define setexponentpos(x,y) { (*(short *)&((x)->exp)) = \ + ((y) + EXTENDED_Ebias) & 0x7fff; } + #define exponent16(x) (*(short *)&((x)->exp)) +-#define setexponent16(x,y) { (*(short *)&((x)->exp)) = (y); } ++#define setexponent16(x,y) { (*(short *)&((x)->exp)) = (u16)(y); } + #define addexponent(x,y) { (*(short *)&((x)->exp)) += (y); } + #define stdexp(x) { (*(short *)&((x)->exp)) += EXTENDED_Ebias; } + +diff --git a/arch/x86/math-emu/reg_constant.c b/arch/x86/math-emu/reg_constant.c +index 8dc9095bab224..742619e94bdf2 100644 +--- a/arch/x86/math-emu/reg_constant.c ++++ b/arch/x86/math-emu/reg_constant.c +@@ -18,7 +18,7 @@ + #include "control_w.h" + + #define MAKE_REG(s, e, l, h) { l, h, \ +- ((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) } ++ (u16)((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) } + + FPU_REG const CONST_1 = MAKE_REG(POS, 0, 0x00000000, 0x80000000); + #if 0 +-- +2.20.1 + diff --git a/queue-5.2/x86-paravirt-fix-callee-saved-function-elf-sizes.patch b/queue-5.2/x86-paravirt-fix-callee-saved-function-elf-sizes.patch new file mode 100644 index 00000000000..7c3ffcf1aaa --- /dev/null +++ b/queue-5.2/x86-paravirt-fix-callee-saved-function-elf-sizes.patch @@ -0,0 +1,55 @@ +From 458a8c5376829d4bd163bc1c300e8e13fb7a572e Mon Sep 17 00:00:00 2001 +From: Josh Poimboeuf +Date: Wed, 17 Jul 2019 20:36:36 -0500 +Subject: x86/paravirt: Fix callee-saved function ELF sizes + +[ Upstream commit 083db6764821996526970e42d09c1ab2f4155dd4 ] + +The __raw_callee_save_*() functions have an ELF symbol size of zero, +which confuses objtool and other tools. + +Fixes a bunch of warnings like the following: + + arch/x86/xen/mmu_pv.o: warning: objtool: __raw_callee_save_xen_pte_val() is missing an ELF size annotation + arch/x86/xen/mmu_pv.o: warning: objtool: __raw_callee_save_xen_pgd_val() is missing an ELF size annotation + arch/x86/xen/mmu_pv.o: warning: objtool: __raw_callee_save_xen_make_pte() is missing an ELF size annotation + arch/x86/xen/mmu_pv.o: warning: objtool: __raw_callee_save_xen_make_pgd() is missing an ELF size annotation + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Thomas Gleixner +Reviewed-by: Juergen Gross +Acked-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/afa6d49bb07497ca62e4fc3b27a2d0cece545b4e.1563413318.git.jpoimboe@redhat.com +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/paravirt.h | 1 + + arch/x86/kernel/kvm.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h +index c25c38a05c1c9..d6f5ae2c79ab9 100644 +--- a/arch/x86/include/asm/paravirt.h ++++ b/arch/x86/include/asm/paravirt.h +@@ -746,6 +746,7 @@ bool __raw_callee_save___native_vcpu_is_preempted(long cpu); + PV_RESTORE_ALL_CALLER_REGS \ + FRAME_END \ + "ret;" \ ++ ".size " PV_THUNK_NAME(func) ", .-" PV_THUNK_NAME(func) ";" \ + ".popsection") + + /* Get a reference to a callee-save function */ +diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c +index 5169b8cc35bb2..320b70acb2119 100644 +--- a/arch/x86/kernel/kvm.c ++++ b/arch/x86/kernel/kvm.c +@@ -817,6 +817,7 @@ asm( + "cmpb $0, " __stringify(KVM_STEAL_TIME_preempted) "+steal_time(%rax);" + "setne %al;" + "ret;" ++".size __raw_callee_save___kvm_vcpu_is_preempted, .-__raw_callee_save___kvm_vcpu_is_preempted;" + ".popsection"); + + #endif +-- +2.20.1 + diff --git a/queue-5.2/xen-pv-fix-a-boot-up-hang-revealed-by-int3-self-test.patch b/queue-5.2/xen-pv-fix-a-boot-up-hang-revealed-by-int3-self-test.patch new file mode 100644 index 00000000000..ad0ea1e7ee3 --- /dev/null +++ b/queue-5.2/xen-pv-fix-a-boot-up-hang-revealed-by-int3-self-test.patch @@ -0,0 +1,117 @@ +From 16b85378c455e552ac796544ee0667880f7c6619 Mon Sep 17 00:00:00 2001 +From: Zhenzhong Duan +Date: Sun, 14 Jul 2019 17:15:32 +0800 +Subject: xen/pv: Fix a boot up hang revealed by int3 self test + +[ Upstream commit b23e5844dfe78a80ba672793187d3f52e4b528d7 ] + +Commit 7457c0da024b ("x86/alternatives: Add int3_emulate_call() +selftest") is used to ensure there is a gap setup in int3 exception stack +which could be used for inserting call return address. + +This gap is missed in XEN PV int3 exception entry path, then below panic +triggered: + +[ 0.772876] general protection fault: 0000 [#1] SMP NOPTI +[ 0.772886] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.2.0+ #11 +[ 0.772893] RIP: e030:int3_magic+0x0/0x7 +[ 0.772905] RSP: 3507:ffffffff82203e98 EFLAGS: 00000246 +[ 0.773334] Call Trace: +[ 0.773334] alternative_instructions+0x3d/0x12e +[ 0.773334] check_bugs+0x7c9/0x887 +[ 0.773334] ? __get_locked_pte+0x178/0x1f0 +[ 0.773334] start_kernel+0x4ff/0x535 +[ 0.773334] ? set_init_arg+0x55/0x55 +[ 0.773334] xen_start_kernel+0x571/0x57a + +For 64bit PV guests, Xen's ABI enters the kernel with using SYSRET, with +%rcx/%r11 on the stack. To convert back to "normal" looking exceptions, +the xen thunks do 'xen_*: pop %rcx; pop %r11; jmp *'. + +E.g. Extracting 'xen_pv_trap xenint3' we have: +xen_xenint3: + pop %rcx; + pop %r11; + jmp xenint3 + +As xenint3 and int3 entry code are same except xenint3 doesn't generate +a gap, we can fix it by using int3 and drop useless xenint3. + +Signed-off-by: Zhenzhong Duan +Reviewed-by: Juergen Gross +Cc: Boris Ostrovsky +Cc: Juergen Gross +Cc: Stefano Stabellini +Cc: Andy Lutomirski +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: Borislav Petkov +Cc: Andrew Cooper +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/entry/entry_64.S | 1 - + arch/x86/include/asm/traps.h | 2 +- + arch/x86/xen/enlighten_pv.c | 2 +- + arch/x86/xen/xen-asm_64.S | 1 - + 4 files changed, 2 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S +index 8dbca86c249b8..5c033dc0c2c77 100644 +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -1171,7 +1171,6 @@ idtentry stack_segment do_stack_segment has_error_code=1 + #ifdef CONFIG_XEN_PV + idtentry xennmi do_nmi has_error_code=0 + idtentry xendebug do_debug has_error_code=0 +-idtentry xenint3 do_int3 has_error_code=0 + #endif + + idtentry general_protection do_general_protection has_error_code=1 +diff --git a/arch/x86/include/asm/traps.h b/arch/x86/include/asm/traps.h +index 7d6f3f3fad786..f2bd284abc16d 100644 +--- a/arch/x86/include/asm/traps.h ++++ b/arch/x86/include/asm/traps.h +@@ -40,7 +40,7 @@ asmlinkage void simd_coprocessor_error(void); + asmlinkage void xen_divide_error(void); + asmlinkage void xen_xennmi(void); + asmlinkage void xen_xendebug(void); +-asmlinkage void xen_xenint3(void); ++asmlinkage void xen_int3(void); + asmlinkage void xen_overflow(void); + asmlinkage void xen_bounds(void); + asmlinkage void xen_invalid_op(void); +diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c +index 4722ba2966ac4..30c14cb343fc3 100644 +--- a/arch/x86/xen/enlighten_pv.c ++++ b/arch/x86/xen/enlighten_pv.c +@@ -596,12 +596,12 @@ struct trap_array_entry { + + static struct trap_array_entry trap_array[] = { + { debug, xen_xendebug, true }, +- { int3, xen_xenint3, true }, + { double_fault, xen_double_fault, true }, + #ifdef CONFIG_X86_MCE + { machine_check, xen_machine_check, true }, + #endif + { nmi, xen_xennmi, true }, ++ { int3, xen_int3, false }, + { overflow, xen_overflow, false }, + #ifdef CONFIG_IA32_EMULATION + { entry_INT80_compat, xen_entry_INT80_compat, false }, +diff --git a/arch/x86/xen/xen-asm_64.S b/arch/x86/xen/xen-asm_64.S +index 1e9ef0ba30a58..ebf610b49c068 100644 +--- a/arch/x86/xen/xen-asm_64.S ++++ b/arch/x86/xen/xen-asm_64.S +@@ -32,7 +32,6 @@ xen_pv_trap divide_error + xen_pv_trap debug + xen_pv_trap xendebug + xen_pv_trap int3 +-xen_pv_trap xenint3 + xen_pv_trap xennmi + xen_pv_trap overflow + xen_pv_trap bounds +-- +2.20.1 +