From: Sasha Levin Date: Wed, 1 Jan 2020 02:27:33 +0000 (-0500) Subject: fixes for 4.4 X-Git-Tag: v4.4.208~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c9b0bf24bdb9a68b44ea40a1dc3e9b60ae66404f;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/bcache-at-least-try-to-shrink-1-node-in-bch_mca_scan.patch b/queue-4.4/bcache-at-least-try-to-shrink-1-node-in-bch_mca_scan.patch new file mode 100644 index 00000000000..236cf6db95c --- /dev/null +++ b/queue-4.4/bcache-at-least-try-to-shrink-1-node-in-bch_mca_scan.patch @@ -0,0 +1,52 @@ +From 9de28cedfeaf725f51df179344195cd81fd2d387 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Nov 2019 16:03:24 +0800 +Subject: bcache: at least try to shrink 1 node in bch_mca_scan() + +From: Coly Li + +[ Upstream commit 9fcc34b1a6dd4b8e5337e2b6ef45e428897eca6b ] + +In bch_mca_scan(), the number of shrinking btree node is calculated +by code like this, + unsigned long nr = sc->nr_to_scan; + + nr /= c->btree_pages; + nr = min_t(unsigned long, nr, mca_can_free(c)); +variable sc->nr_to_scan is number of objects (here is bcache B+tree +nodes' number) to shrink, and pointer variable sc is sent from memory +management code as parametr of a callback. + +If sc->nr_to_scan is smaller than c->btree_pages, after the above +calculation, variable 'nr' will be 0 and nothing will be shrunk. It is +frequeently observed that only 1 or 2 is set to sc->nr_to_scan and make +nr to be zero. Then bch_mca_scan() will do nothing more then acquiring +and releasing mutex c->bucket_lock. + +This patch checkes whether nr is 0 after the above calculation, if 0 +is the result then set 1 to variable 'n'. Then at least bch_mca_scan() +will try to shrink a single B+tree node. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/btree.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index 05aa3ac1381b..5c93582c71cc 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -686,6 +686,8 @@ static unsigned long bch_mca_scan(struct shrinker *shrink, + * IO can always make forward progress: + */ + nr /= c->btree_pages; ++ if (nr == 0) ++ nr = 1; + nr = min_t(unsigned long, nr, mca_can_free(c)); + + i = 0; +-- +2.20.1 + diff --git a/queue-4.4/cdrom-respect-device-capabilities-during-opening-act.patch b/queue-4.4/cdrom-respect-device-capabilities-during-opening-act.patch new file mode 100644 index 00000000000..8ae610de041 --- /dev/null +++ b/queue-4.4/cdrom-respect-device-capabilities-during-opening-act.patch @@ -0,0 +1,69 @@ +From 206b86017671db03c03cf1ff582ca07cd5955354 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Nov 2019 21:37:08 +0000 +Subject: cdrom: respect device capabilities during opening action +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Diego Elio Pettenò + +[ Upstream commit 366ba7c71ef77c08d06b18ad61b26e2df7352338 ] + +Reading the TOC only works if the device can play audio, otherwise +these commands fail (and possibly bring the device to an unhealthy +state.) + +Similarly, cdrom_mmc3_profile() should only be called if the device +supports generic packet commands. + +To: Jens Axboe +Cc: linux-kernel@vger.kernel.org +Cc: linux-scsi@vger.kernel.org +Signed-off-by: Diego Elio Pettenò +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/cdrom/cdrom.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index aee23092f50e..2c5feb6b4a99 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -998,6 +998,12 @@ static void cdrom_count_tracks(struct cdrom_device_info *cdi, tracktype *tracks) + tracks->xa = 0; + tracks->error = 0; + cd_dbg(CD_COUNT_TRACKS, "entering cdrom_count_tracks\n"); ++ ++ if (!CDROM_CAN(CDC_PLAY_AUDIO)) { ++ tracks->error = CDS_NO_INFO; ++ return; ++ } ++ + /* Grab the TOC header so we can see how many tracks there are */ + ret = cdi->ops->audio_ioctl(cdi, CDROMREADTOCHDR, &header); + if (ret) { +@@ -1164,7 +1170,8 @@ int cdrom_open(struct cdrom_device_info *cdi, struct block_device *bdev, + ret = open_for_data(cdi); + if (ret) + goto err; +- cdrom_mmc3_profile(cdi); ++ if (CDROM_CAN(CDC_GENERIC_PACKET)) ++ cdrom_mmc3_profile(cdi); + if (mode & FMODE_WRITE) { + ret = -EROFS; + if (cdrom_open_write(cdi)) +@@ -2863,6 +2870,9 @@ int cdrom_get_last_written(struct cdrom_device_info *cdi, long *last_written) + it doesn't give enough information or fails. then we return + the toc contents. */ + use_toc: ++ if (!CDROM_CAN(CDC_PLAY_AUDIO)) ++ return -ENOSYS; ++ + toc.cdte_format = CDROM_MSF; + toc.cdte_track = CDROM_LEADOUT; + if ((ret = cdi->ops->audio_ioctl(cdi, CDROMREADTOCENTRY, &toc))) +-- +2.20.1 + diff --git a/queue-4.4/clk-pxa-fix-one-of-the-pxa-rtc-clocks.patch b/queue-4.4/clk-pxa-fix-one-of-the-pxa-rtc-clocks.patch new file mode 100644 index 00000000000..1e32fd4336a --- /dev/null +++ b/queue-4.4/clk-pxa-fix-one-of-the-pxa-rtc-clocks.patch @@ -0,0 +1,39 @@ +From c912b7aa310ed0dc22bdfb88022891d4c613b948 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Oct 2019 21:44:20 +0200 +Subject: clk: pxa: fix one of the pxa RTC clocks + +From: Robert Jarzmik + +[ Upstream commit 46acbcb4849b2ca2e6e975e7c8130c1d61c8fd0c ] + +The pxa27x platforms have a single IP with 2 drivers, sa1100-rtc and +rtc-pxa drivers. + +A previous patch fixed the sa1100-rtc case, but the pxa-rtc wasn't +fixed. This patch completes the previous one. + +Fixes: 8b6d10345e16 ("clk: pxa: add missing pxa27x clocks for Irda and sa1100-rtc") +Signed-off-by: Robert Jarzmik +Link: https://lkml.kernel.org/r/20191026194420.11918-1-robert.jarzmik@free.fr +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/pxa/clk-pxa27x.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/pxa/clk-pxa27x.c b/drivers/clk/pxa/clk-pxa27x.c +index 5b82d30baf9f..bf47737b6672 100644 +--- a/drivers/clk/pxa/clk-pxa27x.c ++++ b/drivers/clk/pxa/clk-pxa27x.c +@@ -362,6 +362,7 @@ struct dummy_clk { + }; + static struct dummy_clk dummy_clks[] __initdata = { + DUMMY_CLK(NULL, "pxa27x-gpio", "osc_32_768khz"), ++ DUMMY_CLK(NULL, "pxa-rtc", "osc_32_768khz"), + DUMMY_CLK(NULL, "sa1100-rtc", "osc_32_768khz"), + DUMMY_CLK("UARTCLK", "pxa2xx-ir", "STUART"), + }; +-- +2.20.1 + diff --git a/queue-4.4/clk-qcom-allow-constant-ratio-freq-tables-for-rcg.patch b/queue-4.4/clk-qcom-allow-constant-ratio-freq-tables-for-rcg.patch new file mode 100644 index 00000000000..7252652cf2d --- /dev/null +++ b/queue-4.4/clk-qcom-allow-constant-ratio-freq-tables-for-rcg.patch @@ -0,0 +1,64 @@ +From f4c20523c510088df6ca8b0f3f87cb0c7ece4d03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2019 11:57:15 -0700 +Subject: clk: qcom: Allow constant ratio freq tables for rcg + +From: Jeffrey Hugo + +[ Upstream commit efd164b5520afd6fb2883b68e0d408a7de29c491 ] + +Some RCGs (the gfx_3d_src_clk in msm8998 for example) are basically just +some constant ratio from the input across the entire frequency range. It +would be great if we could specify the frequency table as a single entry +constant ratio instead of a long list, ie: + + { .src = P_GPUPLL0_OUT_EVEN, .pre_div = 3 }, + { } + +So, lets support that. + +We need to fix a corner case in qcom_find_freq() where if the freq table +is non-null, but has no frequencies, we end up returning an "entry" before +the table array, which is bad. Then, we need ignore the freq from the +table, and instead base everything on the requested freq. + +Suggested-by: Stephen Boyd +Signed-off-by: Jeffrey Hugo +Link: https://lkml.kernel.org/r/20191031185715.15504-1-jeffrey.l.hugo@gmail.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/clk-rcg2.c | 2 ++ + drivers/clk/qcom/common.c | 3 +++ + 2 files changed, 5 insertions(+) + +diff --git a/drivers/clk/qcom/clk-rcg2.c b/drivers/clk/qcom/clk-rcg2.c +index b544bb302f79..350a01f74870 100644 +--- a/drivers/clk/qcom/clk-rcg2.c ++++ b/drivers/clk/qcom/clk-rcg2.c +@@ -196,6 +196,8 @@ static int _freq_tbl_determine_rate(struct clk_hw *hw, + p = clk_hw_get_parent_by_index(hw, index); + if (clk_flags & CLK_SET_RATE_PARENT) { + if (f->pre_div) { ++ if (!rate) ++ rate = req->rate; + rate /= 2; + rate *= f->pre_div + 1; + } +diff --git a/drivers/clk/qcom/common.c b/drivers/clk/qcom/common.c +index 8fa477293ae0..d2f26577f5c0 100644 +--- a/drivers/clk/qcom/common.c ++++ b/drivers/clk/qcom/common.c +@@ -36,6 +36,9 @@ struct freq_tbl *qcom_find_freq(const struct freq_tbl *f, unsigned long rate) + if (!f) + return NULL; + ++ if (!f->freq) ++ return f; ++ + for (; f->freq; f++) + if (rate <= f->freq) + return f; +-- +2.20.1 + diff --git a/queue-4.4/clocksource-drivers-asm9260-add-a-check-for-of_clk_g.patch b/queue-4.4/clocksource-drivers-asm9260-add-a-check-for-of_clk_g.patch new file mode 100644 index 00000000000..d695f9c3b27 --- /dev/null +++ b/queue-4.4/clocksource-drivers-asm9260-add-a-check-for-of_clk_g.patch @@ -0,0 +1,38 @@ +From 85d5a37bd57ff28d5b0f72708024cf982eb9ccc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2019 20:43:30 +0800 +Subject: clocksource/drivers/asm9260: Add a check for of_clk_get + +From: Chuhong Yuan + +[ Upstream commit 6e001f6a4cc73cd06fc7b8c633bc4906c33dd8ad ] + +asm9260_timer_init misses a check for of_clk_get. +Add a check for it and print errors like other clocksource drivers. + +Signed-off-by: Chuhong Yuan +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20191016124330.22211-1-hslester96@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/clocksource/asm9260_timer.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/clocksource/asm9260_timer.c b/drivers/clocksource/asm9260_timer.c +index 217438d39eb3..38a28240f84f 100644 +--- a/drivers/clocksource/asm9260_timer.c ++++ b/drivers/clocksource/asm9260_timer.c +@@ -196,6 +196,10 @@ static void __init asm9260_timer_init(struct device_node *np) + panic("%s: unable to map resource", np->name); + + clk = of_clk_get(np, 0); ++ if (IS_ERR(clk)) { ++ pr_err("Failed to get clk!\n"); ++ return PTR_ERR(clk); ++ } + + ret = clk_prepare_enable(clk); + if (ret) +-- +2.20.1 + diff --git a/queue-4.4/dma-debug-add-a-schedule-point-in-debug_dma_dump_map.patch b/queue-4.4/dma-debug-add-a-schedule-point-in-debug_dma_dump_map.patch new file mode 100644 index 00000000000..cff5f6266ed --- /dev/null +++ b/queue-4.4/dma-debug-add-a-schedule-point-in-debug_dma_dump_map.patch @@ -0,0 +1,45 @@ +From 01361a0506b54a013ab2050bc63b6c444b8a6e88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Oct 2019 14:56:46 -0700 +Subject: dma-debug: add a schedule point in debug_dma_dump_mappings() + +From: Eric Dumazet + +[ Upstream commit 9ff6aa027dbb98755f0265695354f2dd07c0d1ce ] + +debug_dma_dump_mappings() can take a lot of cpu cycles : + +lpk43:/# time wc -l /sys/kernel/debug/dma-api/dump +163435 /sys/kernel/debug/dma-api/dump + +real 0m0.463s +user 0m0.003s +sys 0m0.459s + +Let's add a cond_resched() to avoid holding cpu for too long. + +Signed-off-by: Eric Dumazet +Cc: Corentin Labbe +Cc: Christoph Hellwig +Cc: Marek Szyprowski +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + lib/dma-debug.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/dma-debug.c b/lib/dma-debug.c +index 51a76af25c66..173013f5e41b 100644 +--- a/lib/dma-debug.c ++++ b/lib/dma-debug.c +@@ -427,6 +427,7 @@ void debug_dma_dump_mappings(struct device *dev) + } + + spin_unlock_irqrestore(&bucket->lock, flags); ++ cond_resched(); + } + } + EXPORT_SYMBOL(debug_dma_dump_mappings); +-- +2.20.1 + diff --git a/queue-4.4/ext4-work-around-deleting-a-file-with-i_nlink-0-safe.patch b/queue-4.4/ext4-work-around-deleting-a-file-with-i_nlink-0-safe.patch new file mode 100644 index 00000000000..f6f3546e226 --- /dev/null +++ b/queue-4.4/ext4-work-around-deleting-a-file-with-i_nlink-0-safe.patch @@ -0,0 +1,65 @@ +From f32ff790b2fa9807a541020c841beced452ab4b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Nov 2019 22:18:13 -0500 +Subject: ext4: work around deleting a file with i_nlink == 0 safely + +From: Theodore Ts'o + +[ Upstream commit c7df4a1ecb8579838ec8c56b2bb6a6716e974f37 ] + +If the file system is corrupted such that a file's i_links_count is +too small, then it's possible that when unlinking that file, i_nlink +will already be zero. Previously we were working around this kind of +corruption by forcing i_nlink to one; but we were doing this before +trying to delete the directory entry --- and if the file system is +corrupted enough that ext4_delete_entry() fails, then we exit with +i_nlink elevated, and this causes the orphan inode list handling to be +FUBAR'ed, such that when we unmount the file system, the orphan inode +list can get corrupted. + +A better way to fix this is to simply skip trying to call drop_nlink() +if i_nlink is already zero, thus moving the check to the place where +it makes the most sense. + +https://bugzilla.kernel.org/show_bug.cgi?id=205433 + +Link: https://lore.kernel.org/r/20191112032903.8828-1-tytso@mit.edu +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Reviewed-by: Andreas Dilger +Signed-off-by: Sasha Levin +--- + fs/ext4/namei.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index aa08e129149d..712bf332e394 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -3040,18 +3040,17 @@ static int ext4_unlink(struct inode *dir, struct dentry *dentry) + if (IS_DIRSYNC(dir)) + ext4_handle_sync(handle); + +- if (inode->i_nlink == 0) { +- ext4_warning_inode(inode, "Deleting file '%.*s' with no links", +- dentry->d_name.len, dentry->d_name.name); +- set_nlink(inode, 1); +- } + retval = ext4_delete_entry(handle, dir, de, bh); + if (retval) + goto end_unlink; + dir->i_ctime = dir->i_mtime = ext4_current_time(dir); + ext4_update_dx_flag(dir); + ext4_mark_inode_dirty(handle, dir); +- drop_nlink(inode); ++ if (inode->i_nlink == 0) ++ ext4_warning_inode(inode, "Deleting file '%.*s' with no links", ++ dentry->d_name.len, dentry->d_name.name); ++ else ++ drop_nlink(inode); + if (!inode->i_nlink) + ext4_orphan_add(handle, inode); + inode->i_ctime = ext4_current_time(inode); +-- +2.20.1 + diff --git a/queue-4.4/fs-quota-handle-overflows-of-sysctl-fs.quota.-and-re.patch b/queue-4.4/fs-quota-handle-overflows-of-sysctl-fs.quota.-and-re.patch new file mode 100644 index 00000000000..2a2c6402d37 --- /dev/null +++ b/queue-4.4/fs-quota-handle-overflows-of-sysctl-fs.quota.-and-re.patch @@ -0,0 +1,148 @@ +From a4d246b363b0e4e924e3bff2631e677c11a608b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Nov 2019 12:49:06 +0300 +Subject: fs/quota: handle overflows of sysctl fs.quota.* and report as + unsigned long + +From: Konstantin Khlebnikov + +[ Upstream commit 6fcbcec9cfc7b3c6a2c1f1a23ebacedff7073e0a ] + +Quota statistics counted as 64-bit per-cpu counter. Reading sums per-cpu +fractions as signed 64-bit int, filters negative values and then reports +lower half as signed 32-bit int. + +Result may looks like: + +fs.quota.allocated_dquots = 22327 +fs.quota.cache_hits = -489852115 +fs.quota.drops = -487288718 +fs.quota.free_dquots = 22083 +fs.quota.lookups = -486883485 +fs.quota.reads = 22327 +fs.quota.syncs = 335064 +fs.quota.writes = 3088689 + +Values bigger than 2^31-1 reported as negative. + +All counters except "allocated_dquots" and "free_dquots" are monotonic, +thus they should be reported as is without filtering negative values. + +Kernel doesn't have generic helper for 64-bit sysctl yet, +let's use at least unsigned long. + +Link: https://lore.kernel.org/r/157337934693.2078.9842146413181153727.stgit@buzz +Signed-off-by: Konstantin Khlebnikov +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 29 +++++++++++++++++------------ + include/linux/quota.h | 2 +- + 2 files changed, 18 insertions(+), 13 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 7430cb0e21a7..b7d5e254792c 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -2783,68 +2783,73 @@ EXPORT_SYMBOL(dquot_quotactl_sysfile_ops); + static int do_proc_dqstats(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) + { +- unsigned int type = (int *)table->data - dqstats.stat; ++ unsigned int type = (unsigned long *)table->data - dqstats.stat; ++ s64 value = percpu_counter_sum(&dqstats.counter[type]); ++ ++ /* Filter negative values for non-monotonic counters */ ++ if (value < 0 && (type == DQST_ALLOC_DQUOTS || ++ type == DQST_FREE_DQUOTS)) ++ value = 0; + + /* Update global table */ +- dqstats.stat[type] = +- percpu_counter_sum_positive(&dqstats.counter[type]); +- return proc_dointvec(table, write, buffer, lenp, ppos); ++ dqstats.stat[type] = value; ++ return proc_doulongvec_minmax(table, write, buffer, lenp, ppos); + } + + static struct ctl_table fs_dqstats_table[] = { + { + .procname = "lookups", + .data = &dqstats.stat[DQST_LOOKUPS], +- .maxlen = sizeof(int), ++ .maxlen = sizeof(unsigned long), + .mode = 0444, + .proc_handler = do_proc_dqstats, + }, + { + .procname = "drops", + .data = &dqstats.stat[DQST_DROPS], +- .maxlen = sizeof(int), ++ .maxlen = sizeof(unsigned long), + .mode = 0444, + .proc_handler = do_proc_dqstats, + }, + { + .procname = "reads", + .data = &dqstats.stat[DQST_READS], +- .maxlen = sizeof(int), ++ .maxlen = sizeof(unsigned long), + .mode = 0444, + .proc_handler = do_proc_dqstats, + }, + { + .procname = "writes", + .data = &dqstats.stat[DQST_WRITES], +- .maxlen = sizeof(int), ++ .maxlen = sizeof(unsigned long), + .mode = 0444, + .proc_handler = do_proc_dqstats, + }, + { + .procname = "cache_hits", + .data = &dqstats.stat[DQST_CACHE_HITS], +- .maxlen = sizeof(int), ++ .maxlen = sizeof(unsigned long), + .mode = 0444, + .proc_handler = do_proc_dqstats, + }, + { + .procname = "allocated_dquots", + .data = &dqstats.stat[DQST_ALLOC_DQUOTS], +- .maxlen = sizeof(int), ++ .maxlen = sizeof(unsigned long), + .mode = 0444, + .proc_handler = do_proc_dqstats, + }, + { + .procname = "free_dquots", + .data = &dqstats.stat[DQST_FREE_DQUOTS], +- .maxlen = sizeof(int), ++ .maxlen = sizeof(unsigned long), + .mode = 0444, + .proc_handler = do_proc_dqstats, + }, + { + .procname = "syncs", + .data = &dqstats.stat[DQST_SYNCS], +- .maxlen = sizeof(int), ++ .maxlen = sizeof(unsigned long), + .mode = 0444, + .proc_handler = do_proc_dqstats, + }, +diff --git a/include/linux/quota.h b/include/linux/quota.h +index b2505acfd3c0..b34412df1542 100644 +--- a/include/linux/quota.h ++++ b/include/linux/quota.h +@@ -253,7 +253,7 @@ enum { + }; + + struct dqstats { +- int stat[_DQST_DQSTAT_LAST]; ++ unsigned long stat[_DQST_DQSTAT_LAST]; + struct percpu_counter counter[_DQST_DQSTAT_LAST]; + }; + +-- +2.20.1 + diff --git a/queue-4.4/gpio-mpc8xxx-don-t-overwrite-default-irq_set_type-ca.patch b/queue-4.4/gpio-mpc8xxx-don-t-overwrite-default-irq_set_type-ca.patch new file mode 100644 index 00000000000..fb11dd6989a --- /dev/null +++ b/queue-4.4/gpio-mpc8xxx-don-t-overwrite-default-irq_set_type-ca.patch @@ -0,0 +1,56 @@ +From 2dd81dcf220f694f6cf4a570045b5303087c710f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2019 14:55:51 +0200 +Subject: gpio: mpc8xxx: Don't overwrite default irq_set_type callback + +From: Vladimir Oltean + +[ Upstream commit 4e50573f39229d5e9c985fa3b4923a8b29619ade ] + +The per-SoC devtype structures can contain their own callbacks that +overwrite mpc8xxx_gpio_devtype_default. + +The clear intention is that mpc8xxx_irq_set_type is used in case the SoC +does not specify a more specific callback. But what happens is that if +the SoC doesn't specify one, its .irq_set_type is de-facto NULL, and +this overwrites mpc8xxx_irq_set_type to a no-op. This means that the +following SoCs are affected: + +- fsl,mpc8572-gpio +- fsl,ls1028a-gpio +- fsl,ls1088a-gpio + +On these boards, the irq_set_type does exactly nothing, and the GPIO +controller keeps its GPICR register in the hardware-default state. On +the LS1028A, that is ACTIVE_BOTH, which means 2 interrupts are raised +even if the IRQ client requests LEVEL_HIGH. Another implication is that +the IRQs are not checked (e.g. level-triggered interrupts are not +rejected, although they are not supported). + +Fixes: 82e39b0d8566 ("gpio: mpc8xxx: handle differences between incarnations at a single place") +Signed-off-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20191115125551.31061-1-olteanv@gmail.com +Tested-by: Michael Walle +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-mpc8xxx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-mpc8xxx.c b/drivers/gpio/gpio-mpc8xxx.c +index 9e02cb6afb0b..ce6e15167d0b 100644 +--- a/drivers/gpio/gpio-mpc8xxx.c ++++ b/drivers/gpio/gpio-mpc8xxx.c +@@ -409,7 +409,8 @@ static int mpc8xxx_probe(struct platform_device *pdev) + * It's assumed that only a single type of gpio controller is available + * on the current machine, so overwriting global data is fine. + */ +- mpc8xxx_irq_chip.irq_set_type = devtype->irq_set_type; ++ if (devtype->irq_set_type) ++ mpc8xxx_irq_chip.irq_set_type = devtype->irq_set_type; + + gc->direction_output = devtype->gpio_dir_out ?: mpc8xxx_gpio_dir_out; + gc->get = devtype->gpio_get ?: mpc8xxx_gpio_get; +-- +2.20.1 + diff --git a/queue-4.4/hid-improve-windows-precision-touchpad-detection.patch b/queue-4.4/hid-improve-windows-precision-touchpad-detection.patch new file mode 100644 index 00000000000..513e4d10c0f --- /dev/null +++ b/queue-4.4/hid-improve-windows-precision-touchpad-detection.patch @@ -0,0 +1,68 @@ +From b32cca2e43a852527fbf578518bbe16f73217333 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Nov 2019 20:02:46 +0900 +Subject: HID: Improve Windows Precision Touchpad detection. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Blaž Hrastnik + +[ Upstream commit 2dbc6f113acd74c66b04bf49fb027efd830b1c5a ] + +Per Microsoft spec, usage 0xC5 (page 0xFF) returns a blob containing +data used to verify the touchpad as a Windows Precision Touchpad. + + 0x85, REPORTID_PTPHQA, // REPORT_ID (PTPHQA) + 0x09, 0xC5, // USAGE (Vendor Usage 0xC5) + 0x15, 0x00, // LOGICAL_MINIMUM (0) + 0x26, 0xff, 0x00, // LOGICAL_MAXIMUM (0xff) + 0x75, 0x08, // REPORT_SIZE (8) + 0x96, 0x00, 0x01, // REPORT_COUNT (0x100 (256)) + 0xb1, 0x02, // FEATURE (Data,Var,Abs) + +However, some devices, namely Microsoft's Surface line of products +instead implement a "segmented device certification report" (usage 0xC6) +which returns the same report, but in smaller chunks. + + 0x06, 0x00, 0xff, // USAGE_PAGE (Vendor Defined) + 0x85, REPORTID_PTPHQA, // REPORT_ID (PTPHQA) + 0x09, 0xC6, // USAGE (Vendor usage for segment #) + 0x25, 0x08, // LOGICAL_MAXIMUM (8) + 0x75, 0x08, // REPORT_SIZE (8) + 0x95, 0x01, // REPORT_COUNT (1) + 0xb1, 0x02, // FEATURE (Data,Var,Abs) + 0x09, 0xC7, // USAGE (Vendor Usage) + 0x26, 0xff, 0x00, // LOGICAL_MAXIMUM (0xff) + 0x95, 0x20, // REPORT_COUNT (32) + 0xb1, 0x02, // FEATURE (Data,Var,Abs) + +By expanding Win8 touchpad detection to also look for the segmented +report, all Surface touchpads are now properly recognized by +hid-multitouch. + +Signed-off-by: Blaž Hrastnik +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index c60bb6f8eceb..7cd945575463 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -761,6 +761,10 @@ static void hid_scan_feature_usage(struct hid_parser *parser, u32 usage) + if (usage == 0xff0000c5 && parser->global.report_count == 256 && + parser->global.report_size == 8) + parser->scan_flags |= HID_SCAN_FLAG_MT_WIN_8; ++ ++ if (usage == 0xff0000c6 && parser->global.report_count == 1 && ++ parser->global.report_size == 8) ++ parser->scan_flags |= HID_SCAN_FLAG_MT_WIN_8; + } + + static void hid_scan_collection(struct hid_parser *parser, unsigned type) +-- +2.20.1 + diff --git a/queue-4.4/input-atmel_mxt_ts-disable-irq-across-suspend.patch b/queue-4.4/input-atmel_mxt_ts-disable-irq-across-suspend.patch new file mode 100644 index 00000000000..8b5f771a80b --- /dev/null +++ b/queue-4.4/input-atmel_mxt_ts-disable-irq-across-suspend.patch @@ -0,0 +1,54 @@ +From 40d54e3ee4abc683836e68fad183065c18fdee05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2019 14:00:21 -0700 +Subject: Input: atmel_mxt_ts - disable IRQ across suspend + +From: Evan Green + +[ Upstream commit 463fa44eec2fef50d111ed0199cf593235065c04 ] + +Across suspend and resume, we are seeing error messages like the following: + +atmel_mxt_ts i2c-PRP0001:00: __mxt_read_reg: i2c transfer failed (-121) +atmel_mxt_ts i2c-PRP0001:00: Failed to read T44 and T5 (-121) + +This occurs because the driver leaves its IRQ enabled. Upon resume, there +is an IRQ pending, but the interrupt is serviced before both the driver and +the underlying I2C bus have been resumed. This causes EREMOTEIO errors. + +Disable the IRQ in suspend, and re-enable it on resume. If there are cases +where the driver enters suspend with interrupts disabled, that's a bug we +should fix separately. + +Signed-off-by: Evan Green +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/atmel_mxt_ts.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/input/touchscreen/atmel_mxt_ts.c b/drivers/input/touchscreen/atmel_mxt_ts.c +index be2f2521c1c5..d955841da57d 100644 +--- a/drivers/input/touchscreen/atmel_mxt_ts.c ++++ b/drivers/input/touchscreen/atmel_mxt_ts.c +@@ -2701,6 +2701,8 @@ static int __maybe_unused mxt_suspend(struct device *dev) + + mutex_unlock(&input_dev->mutex); + ++ disable_irq(data->irq); ++ + return 0; + } + +@@ -2713,6 +2715,8 @@ static int __maybe_unused mxt_resume(struct device *dev) + if (!input_dev) + return 0; + ++ enable_irq(data->irq); ++ + mutex_lock(&input_dev->mutex); + + if (input_dev->users) +-- +2.20.1 + diff --git a/queue-4.4/iommu-tegra-smmu-fix-page-tables-in-4-gib-memory.patch b/queue-4.4/iommu-tegra-smmu-fix-page-tables-in-4-gib-memory.patch new file mode 100644 index 00000000000..bd5b42c1dd1 --- /dev/null +++ b/queue-4.4/iommu-tegra-smmu-fix-page-tables-in-4-gib-memory.patch @@ -0,0 +1,79 @@ +From d5e9926128487d72e35b6a7b31d1e2c50cac52c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2019 13:50:26 +0200 +Subject: iommu/tegra-smmu: Fix page tables in > 4 GiB memory + +From: Thierry Reding + +[ Upstream commit 96d3ab802e4930a29a33934373157d6dff1b2c7e ] + +Page tables that reside in physical memory beyond the 4 GiB boundary are +currently not working properly. The reason is that when the physical +address for page directory entries is read, it gets truncated at 32 bits +and can cause crashes when passing that address to the DMA API. + +Fix this by first casting the PDE value to a dma_addr_t and then using +the page frame number mask for the SMMU instance to mask out the invalid +bits, which are typically used for mapping attributes, etc. + +Signed-off-by: Thierry Reding +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/tegra-smmu.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/iommu/tegra-smmu.c b/drivers/iommu/tegra-smmu.c +index c4eb293b1524..04cec050e42b 100644 +--- a/drivers/iommu/tegra-smmu.c ++++ b/drivers/iommu/tegra-smmu.c +@@ -153,9 +153,9 @@ static bool smmu_dma_addr_valid(struct tegra_smmu *smmu, dma_addr_t addr) + return (addr & smmu->pfn_mask) == addr; + } + +-static dma_addr_t smmu_pde_to_dma(u32 pde) ++static dma_addr_t smmu_pde_to_dma(struct tegra_smmu *smmu, u32 pde) + { +- return pde << 12; ++ return (dma_addr_t)(pde & smmu->pfn_mask) << 12; + } + + static void smmu_flush_ptc_all(struct tegra_smmu *smmu) +@@ -540,6 +540,7 @@ static u32 *tegra_smmu_pte_lookup(struct tegra_smmu_as *as, unsigned long iova, + dma_addr_t *dmap) + { + unsigned int pd_index = iova_pd_index(iova); ++ struct tegra_smmu *smmu = as->smmu; + struct page *pt_page; + u32 *pd; + +@@ -548,7 +549,7 @@ static u32 *tegra_smmu_pte_lookup(struct tegra_smmu_as *as, unsigned long iova, + return NULL; + + pd = page_address(as->pd); +- *dmap = smmu_pde_to_dma(pd[pd_index]); ++ *dmap = smmu_pde_to_dma(smmu, pd[pd_index]); + + return tegra_smmu_pte_offset(pt_page, iova); + } +@@ -590,7 +591,7 @@ static u32 *as_get_pte(struct tegra_smmu_as *as, dma_addr_t iova, + } else { + u32 *pd = page_address(as->pd); + +- *dmap = smmu_pde_to_dma(pd[pde]); ++ *dmap = smmu_pde_to_dma(smmu, pd[pde]); + } + + return tegra_smmu_pte_offset(as->pts[pde], iova); +@@ -615,7 +616,7 @@ static void tegra_smmu_pte_put_use(struct tegra_smmu_as *as, unsigned long iova) + if (--as->count[pde] == 0) { + struct tegra_smmu *smmu = as->smmu; + u32 *pd = page_address(as->pd); +- dma_addr_t pte_dma = smmu_pde_to_dma(pd[pde]); ++ dma_addr_t pte_dma = smmu_pde_to_dma(smmu, pd[pde]); + + tegra_smmu_set_pde(as, iova, 0); + +-- +2.20.1 + diff --git a/queue-4.4/irqchip-ingenic-error-out-if-irq-domain-creation-fai.patch b/queue-4.4/irqchip-ingenic-error-out-if-irq-domain-creation-fai.patch new file mode 100644 index 00000000000..4746b7f014e --- /dev/null +++ b/queue-4.4/irqchip-ingenic-error-out-if-irq-domain-creation-fai.patch @@ -0,0 +1,59 @@ +From c05a755b665115d35eabbf413a4abd1f4947e652 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2019 19:25:22 +0800 +Subject: irqchip: ingenic: Error out if IRQ domain creation failed + +From: Paul Cercueil + +[ Upstream commit 52ecc87642f273a599c9913b29fd179c13de457b ] + +If we cannot create the IRQ domain, the driver should fail to probe +instead of succeeding with just a warning message. + +Signed-off-by: Paul Cercueil +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/1570015525-27018-3-git-send-email-zhouyanjie@zoho.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-ingenic.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/irqchip/irq-ingenic.c b/drivers/irqchip/irq-ingenic.c +index fc5953dea509..b2e16dca76a6 100644 +--- a/drivers/irqchip/irq-ingenic.c ++++ b/drivers/irqchip/irq-ingenic.c +@@ -117,6 +117,14 @@ static int __init ingenic_intc_of_init(struct device_node *node, + goto out_unmap_irq; + } + ++ domain = irq_domain_add_legacy(node, num_chips * 32, ++ JZ4740_IRQ_BASE, 0, ++ &irq_domain_simple_ops, NULL); ++ if (!domain) { ++ err = -ENOMEM; ++ goto out_unmap_base; ++ } ++ + for (i = 0; i < num_chips; i++) { + /* Mask all irqs */ + writel(0xffffffff, intc->base + (i * CHIP_SIZE) + +@@ -143,14 +151,11 @@ static int __init ingenic_intc_of_init(struct device_node *node, + IRQ_NOPROBE | IRQ_LEVEL); + } + +- domain = irq_domain_add_legacy(node, num_chips * 32, JZ4740_IRQ_BASE, 0, +- &irq_domain_simple_ops, NULL); +- if (!domain) +- pr_warn("unable to register IRQ domain\n"); +- + setup_irq(parent_irq, &intc_cascade_action); + return 0; + ++out_unmap_base: ++ iounmap(intc->base); + out_unmap_irq: + irq_dispose_mapping(parent_irq); + out_free: +-- +2.20.1 + diff --git a/queue-4.4/irqchip-irq-bcm7038-l1-enable-parent-irq-if-necessar.patch b/queue-4.4/irqchip-irq-bcm7038-l1-enable-parent-irq-if-necessar.patch new file mode 100644 index 00000000000..3c8dbddc9ed --- /dev/null +++ b/queue-4.4/irqchip-irq-bcm7038-l1-enable-parent-irq-if-necessar.patch @@ -0,0 +1,38 @@ +From 5aefe5c29b7190c1b031f19aa1df25ac729abcf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2019 13:14:13 -0700 +Subject: irqchip/irq-bcm7038-l1: Enable parent IRQ if necessary + +From: Florian Fainelli + +[ Upstream commit 27eebb60357ed5aa6659442f92907c0f7368d6ae ] + +If the 'brcm,irq-can-wake' property is specified, make sure we also +enable the corresponding parent interrupt we are attached to. + +Signed-off-by: Florian Fainelli +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20191024201415.23454-4-f.fainelli@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-bcm7038-l1.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/irqchip/irq-bcm7038-l1.c b/drivers/irqchip/irq-bcm7038-l1.c +index 6fb34bf0f352..34e13623f29d 100644 +--- a/drivers/irqchip/irq-bcm7038-l1.c ++++ b/drivers/irqchip/irq-bcm7038-l1.c +@@ -283,6 +283,10 @@ static int __init bcm7038_l1_init_one(struct device_node *dn, + pr_err("failed to map parent interrupt %d\n", parent_irq); + return -EINVAL; + } ++ ++ if (of_property_read_bool(dn, "brcm,irq-can-wake")) ++ enable_irq_wake(parent_irq); ++ + irq_set_chained_handler_and_data(parent_irq, bcm7038_l1_irq_handle, + intc); + +-- +2.20.1 + diff --git a/queue-4.4/jbd2-fix-statistics-for-the-number-of-logged-blocks.patch b/queue-4.4/jbd2-fix-statistics-for-the-number-of-logged-blocks.patch new file mode 100644 index 00000000000..9997cccfe6f --- /dev/null +++ b/queue-4.4/jbd2-fix-statistics-for-the-number-of-logged-blocks.patch @@ -0,0 +1,61 @@ +From 97f6bdc8673833e26e41323bf37f7597bf535c92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2019 17:44:19 +0100 +Subject: jbd2: Fix statistics for the number of logged blocks + +From: Jan Kara + +[ Upstream commit 015c6033068208d6227612c878877919f3fcf6b6 ] + +jbd2 statistics counting number of blocks logged in a transaction was +wrong. It didn't count the commit block and more importantly it didn't +count revoke descriptor blocks. Make sure these get properly counted. + +Reviewed-by: Theodore Ts'o +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20191105164437.32602-13-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/jbd2/commit.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c +index 2d964ce45606..ebbd7d054cab 100644 +--- a/fs/jbd2/commit.c ++++ b/fs/jbd2/commit.c +@@ -740,7 +740,6 @@ start_journal_io: + submit_bh(WRITE_SYNC, bh); + } + cond_resched(); +- stats.run.rs_blocks_logged += bufs; + + /* Force a new descriptor to be generated next + time round the loop. */ +@@ -827,6 +826,7 @@ start_journal_io: + if (unlikely(!buffer_uptodate(bh))) + err = -EIO; + jbd2_unfile_log_bh(bh); ++ stats.run.rs_blocks_logged++; + + /* + * The list contains temporary buffer heads created by +@@ -872,6 +872,7 @@ start_journal_io: + BUFFER_TRACE(bh, "ph5: control buffer writeout done: unfile"); + clear_buffer_jwrite(bh); + jbd2_unfile_log_bh(bh); ++ stats.run.rs_blocks_logged++; + __brelse(bh); /* One for getblk */ + /* AKPM: bforget here */ + } +@@ -893,6 +894,7 @@ start_journal_io: + } + if (cbh) + err = journal_wait_on_commit_record(journal, cbh); ++ stats.run.rs_blocks_logged++; + if (jbd2_has_feature_async_commit(journal) && + journal->j_flags & JBD2_BARRIER) { + blkdev_issue_flush(journal->j_dev, GFP_NOFS, NULL); +-- +2.20.1 + diff --git a/queue-4.4/kernel-sysctl-make-drop_caches-write-only.patch b/queue-4.4/kernel-sysctl-make-drop_caches-write-only.patch new file mode 100644 index 00000000000..79f52e30f0b --- /dev/null +++ b/queue-4.4/kernel-sysctl-make-drop_caches-write-only.patch @@ -0,0 +1,53 @@ +From 0fb25d4c4d078691af8d938c1fce36c0306885e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Nov 2019 17:56:08 -0800 +Subject: kernel: sysctl: make drop_caches write-only + +From: Johannes Weiner + +[ Upstream commit 204cb79ad42f015312a5bbd7012d09c93d9b46fb ] + +Currently, the drop_caches proc file and sysctl read back the last value +written, suggesting this is somehow a stateful setting instead of a +one-time command. Make it write-only, like e.g. compact_memory. + +While mitigating a VM problem at scale in our fleet, there was confusion +about whether writing to this file will permanently switch the kernel into +a non-caching mode. This influences the decision making in a tense +situation, where tens of people are trying to fix tens of thousands of +affected machines: Do we need a rollback strategy? What are the +performance implications of operating in a non-caching state for several +days? It also caused confusion when the kernel team said we may need to +write the file several times to make sure it's effective ("But it already +reads back 3?"). + +Link: http://lkml.kernel.org/r/20191031221602.9375-1-hannes@cmpxchg.org +Signed-off-by: Johannes Weiner +Acked-by: Chris Down +Acked-by: Vlastimil Babka +Acked-by: David Hildenbrand +Acked-by: Michal Hocko +Acked-by: Alexey Dobriyan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/sysctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 24c7fe8608d0..c2dddd335d06 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -1357,7 +1357,7 @@ static struct ctl_table vm_table[] = { + .procname = "drop_caches", + .data = &sysctl_drop_caches, + .maxlen = sizeof(int), +- .mode = 0644, ++ .mode = 0200, + .proc_handler = drop_caches_sysctl_handler, + .extra1 = &one, + .extra2 = &four, +-- +2.20.1 + diff --git a/queue-4.4/libfdt-define-int32_max-and-uint32_max-in-libfdt_env.patch b/queue-4.4/libfdt-define-int32_max-and-uint32_max-in-libfdt_env.patch new file mode 100644 index 00000000000..a2cddb12eb9 --- /dev/null +++ b/queue-4.4/libfdt-define-int32_max-and-uint32_max-in-libfdt_env.patch @@ -0,0 +1,84 @@ +From aa248108df607ed82bd71353d0c59767b344bc71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Nov 2019 16:12:02 +0900 +Subject: libfdt: define INT32_MAX and UINT32_MAX in libfdt_env.h + +From: Masahiro Yamada + +[ Upstream commit a8de1304b7df30e3a14f2a8b9709bb4ff31a0385 ] + +The DTC v1.5.1 added references to (U)INT32_MAX. + +This is no problem for user-space programs since defines +(U)INT32_MAX along with (u)int32_t. + +For the kernel space, libfdt_env.h needs to be adjusted before we +pull in the changes. + +In the kernel, we usually use s/u32 instead of (u)int32_t for the +fixed-width types. + +Accordingly, we already have S/U32_MAX for their max values. +So, we should not add (U)INT32_MAX to any more. + +Instead, add them to the in-kernel libfdt_env.h to compile the +latest libfdt. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + arch/arm/boot/compressed/libfdt_env.h | 4 +++- + arch/powerpc/boot/libfdt_env.h | 2 ++ + include/linux/libfdt_env.h | 3 +++ + 3 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/compressed/libfdt_env.h b/arch/arm/boot/compressed/libfdt_env.h +index 005bf4ff1b4c..f3ddd4f599e3 100644 +--- a/arch/arm/boot/compressed/libfdt_env.h ++++ b/arch/arm/boot/compressed/libfdt_env.h +@@ -1,11 +1,13 @@ + #ifndef _ARM_LIBFDT_ENV_H + #define _ARM_LIBFDT_ENV_H + ++#include + #include + #include + #include + +-#define INT_MAX ((int)(~0U>>1)) ++#define INT32_MAX S32_MAX ++#define UINT32_MAX U32_MAX + + typedef __be16 fdt16_t; + typedef __be32 fdt32_t; +diff --git a/arch/powerpc/boot/libfdt_env.h b/arch/powerpc/boot/libfdt_env.h +index 0b3db6322c79..5f2cb1c53e15 100644 +--- a/arch/powerpc/boot/libfdt_env.h ++++ b/arch/powerpc/boot/libfdt_env.h +@@ -5,6 +5,8 @@ + #include + + #define INT_MAX ((int)(~0U>>1)) ++#define UINT32_MAX ((u32)~0U) ++#define INT32_MAX ((s32)(UINT32_MAX >> 1)) + + #include "of.h" + +diff --git a/include/linux/libfdt_env.h b/include/linux/libfdt_env.h +index 8850e243c940..bd0a55821177 100644 +--- a/include/linux/libfdt_env.h ++++ b/include/linux/libfdt_env.h +@@ -6,6 +6,9 @@ + + #include + ++#define INT32_MAX S32_MAX ++#define UINT32_MAX U32_MAX ++ + typedef __be16 fdt16_t; + typedef __be32 fdt32_t; + typedef __be64 fdt64_t; +-- +2.20.1 + diff --git a/queue-4.4/mfd-mfd-core-honour-device-tree-s-request-to-disable.patch b/queue-4.4/mfd-mfd-core-honour-device-tree-s-request-to-disable.patch new file mode 100644 index 00000000000..c514800d543 --- /dev/null +++ b/queue-4.4/mfd-mfd-core-honour-device-tree-s-request-to-disable.patch @@ -0,0 +1,49 @@ +From 6ebc41f96e8756fa51c46ebe291c092b99253905 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2019 11:19:50 +0000 +Subject: mfd: mfd-core: Honour Device Tree's request to disable a child-device + +From: Lee Jones + +[ Upstream commit 6b5c350648b857047b47acf74a57087ad27d6183 ] + +Until now, MFD has assumed all child devices passed to it (via +mfd_cells) are to be registered. It does not take into account +requests from Device Tree and the like to disable child devices +on a per-platform basis. + +Well now it does. + +Link: https://www.spinics.net/lists/arm-kernel/msg366309.html +Link: https://lkml.org/lkml/2019/8/22/1350 + +Reported-by: Barry Song +Reported-by: Stephan Gerhold +Reviewed-by: Daniel Thompson +Reviewed-by: Mark Brown +Tested-by: Stephan Gerhold +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/mfd-core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c +index 215bb5eeb5ac..85f4e5582371 100644 +--- a/drivers/mfd/mfd-core.c ++++ b/drivers/mfd/mfd-core.c +@@ -177,6 +177,11 @@ static int mfd_add_device(struct device *parent, int id, + if (parent->of_node && cell->of_compatible) { + for_each_child_of_node(parent->of_node, np) { + if (of_device_is_compatible(np, cell->of_compatible)) { ++ if (!of_device_is_available(np)) { ++ /* Ignore disabled devices error free */ ++ ret = 0; ++ goto fail_alias; ++ } + pdev->dev.of_node = np; + pdev->dev.fwnode = &np->fwnode; + break; +-- +2.20.1 + diff --git a/queue-4.4/ocfs2-fix-passing-zero-to-ptr_err-warning.patch b/queue-4.4/ocfs2-fix-passing-zero-to-ptr_err-warning.patch new file mode 100644 index 00000000000..3be0a06b55e --- /dev/null +++ b/queue-4.4/ocfs2-fix-passing-zero-to-ptr_err-warning.patch @@ -0,0 +1,48 @@ +From 86293cef680b71245889dfce8c80f7924e234645 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Nov 2019 17:49:12 -0800 +Subject: ocfs2: fix passing zero to 'PTR_ERR' warning + +From: Ding Xiang + +[ Upstream commit 188c523e1c271d537f3c9f55b6b65bf4476de32f ] + +Fix a static code checker warning: +fs/ocfs2/acl.c:331 + ocfs2_acl_chmod() warn: passing zero to 'PTR_ERR' + +Link: http://lkml.kernel.org/r/1dee278b-6c96-eec2-ce76-fe6e07c6e20f@linux.alibaba.com +Fixes: 5ee0fbd50fd ("ocfs2: revert using ocfs2_acl_chmod to avoid inode cluster lock hang") +Signed-off-by: Ding Xiang +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/acl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/ocfs2/acl.c b/fs/ocfs2/acl.c +index 1e0d8da0d3cd..80b92120c812 100644 +--- a/fs/ocfs2/acl.c ++++ b/fs/ocfs2/acl.c +@@ -338,8 +338,8 @@ int ocfs2_acl_chmod(struct inode *inode, struct buffer_head *bh) + down_read(&OCFS2_I(inode)->ip_xattr_sem); + acl = ocfs2_get_acl_nolock(inode, ACL_TYPE_ACCESS, bh); + up_read(&OCFS2_I(inode)->ip_xattr_sem); +- if (IS_ERR(acl) || !acl) +- return PTR_ERR(acl); ++ if (IS_ERR_OR_NULL(acl)) ++ return PTR_ERR_OR_ZERO(acl); + ret = __posix_acl_chmod(&acl, GFP_KERNEL, inode->i_mode); + if (ret) + return ret; +-- +2.20.1 + diff --git a/queue-4.4/perf-regs-make-perf_reg_name-return-unknown-instead-.patch b/queue-4.4/perf-regs-make-perf_reg_name-return-unknown-instead-.patch new file mode 100644 index 00000000000..c3d457eb7a5 --- /dev/null +++ b/queue-4.4/perf-regs-make-perf_reg_name-return-unknown-instead-.patch @@ -0,0 +1,86 @@ +From 97359b809195c2fa912bc50530a466fa25525b18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 10:13:34 -0300 +Subject: perf regs: Make perf_reg_name() return "unknown" instead of NULL + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 5b596e0ff0e1852197d4c82d3314db5e43126bf7 ] + +To avoid breaking the build on arches where this is not wired up, at +least all the other features should be made available and when using +this specific routine, the "unknown" should point the user/developer to +the need to wire this up on this particular hardware architecture. + +Detected in a container mipsel debian cross build environment, where it +shows up as: + + In file included from /usr/mipsel-linux-gnu/include/stdio.h:867, + from /git/linux/tools/perf/lib/include/perf/cpumap.h:6, + from util/session.c:13: + In function 'printf', + inlined from 'regs_dump__printf' at util/session.c:1103:3, + inlined from 'regs__printf' at util/session.c:1131:2: + /usr/mipsel-linux-gnu/include/bits/stdio2.h:107:10: error: '%-5s' directive argument is null [-Werror=format-overflow=] + 107 | return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ()); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +cross compiler details: + + mipsel-linux-gnu-gcc (Debian 9.2.1-8) 9.2.1 20190909 + +Also on mips64: + + In file included from /usr/mips64-linux-gnuabi64/include/stdio.h:867, + from /git/linux/tools/perf/lib/include/perf/cpumap.h:6, + from util/session.c:13: + In function 'printf', + inlined from 'regs_dump__printf' at util/session.c:1103:3, + inlined from 'regs__printf' at util/session.c:1131:2, + inlined from 'regs_user__printf' at util/session.c:1139:3, + inlined from 'dump_sample' at util/session.c:1246:3, + inlined from 'machines__deliver_event' at util/session.c:1421:3: + /usr/mips64-linux-gnuabi64/include/bits/stdio2.h:107:10: error: '%-5s' directive argument is null [-Werror=format-overflow=] + 107 | return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ()); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + In function 'printf', + inlined from 'regs_dump__printf' at util/session.c:1103:3, + inlined from 'regs__printf' at util/session.c:1131:2, + inlined from 'regs_intr__printf' at util/session.c:1147:3, + inlined from 'dump_sample' at util/session.c:1249:3, + inlined from 'machines__deliver_event' at util/session.c:1421:3: + /usr/mips64-linux-gnuabi64/include/bits/stdio2.h:107:10: error: '%-5s' directive argument is null [-Werror=format-overflow=] + 107 | return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ()); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +cross compiler details: + + mips64-linux-gnuabi64-gcc (Debian 9.2.1-8) 9.2.1 20190909 + +Fixes: 2bcd355b71da ("perf tools: Add interface to arch registers sets") +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: https://lkml.kernel.org/n/tip-95wjyv4o65nuaeweq31t7l1s@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/perf_regs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/perf_regs.h b/tools/perf/util/perf_regs.h +index 679d6e493962..e6324397b295 100644 +--- a/tools/perf/util/perf_regs.h ++++ b/tools/perf/util/perf_regs.h +@@ -26,7 +26,7 @@ int perf_reg_value(u64 *valp, struct regs_dump *regs, int id); + + static inline const char *perf_reg_name(int id __maybe_unused) + { +- return NULL; ++ return "unknown"; + } + + static inline int perf_reg_value(u64 *valp __maybe_unused, +-- +2.20.1 + diff --git a/queue-4.4/powerpc-pseries-cmm-implement-release-function-for-s.patch b/queue-4.4/powerpc-pseries-cmm-implement-release-function-for-s.patch new file mode 100644 index 00000000000..04e55db115b --- /dev/null +++ b/queue-4.4/powerpc-pseries-cmm-implement-release-function-for-s.patch @@ -0,0 +1,52 @@ +From be18a0e8f3eb05d8cc191fe4391f0e921e77dc4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2019 15:29:22 +0100 +Subject: powerpc/pseries/cmm: Implement release() function for sysfs device + +From: David Hildenbrand + +[ Upstream commit 7d8212747435c534c8d564fbef4541a463c976ff ] + +When unloading the module, one gets + ------------[ cut here ]------------ + Device 'cmm0' does not have a release() function, it is broken and must be fixed. See Documentation/kobject.txt. + WARNING: CPU: 0 PID: 19308 at drivers/base/core.c:1244 .device_release+0xcc/0xf0 + ... + +We only have one static fake device. There is nothing to do when +releasing the device (via cmm_exit()). + +Signed-off-by: David Hildenbrand +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191031142933.10779-2-david@redhat.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/cmm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/powerpc/platforms/pseries/cmm.c b/arch/powerpc/platforms/pseries/cmm.c +index fc44ad0475f8..b126ce49ae7b 100644 +--- a/arch/powerpc/platforms/pseries/cmm.c ++++ b/arch/powerpc/platforms/pseries/cmm.c +@@ -391,6 +391,10 @@ static struct bus_type cmm_subsys = { + .dev_name = "cmm", + }; + ++static void cmm_release_device(struct device *dev) ++{ ++} ++ + /** + * cmm_sysfs_register - Register with sysfs + * +@@ -406,6 +410,7 @@ static int cmm_sysfs_register(struct device *dev) + + dev->id = 0; + dev->bus = &cmm_subsys; ++ dev->release = cmm_release_device; + + if ((rc = device_register(dev))) + goto subsys_unregister; +-- +2.20.1 + diff --git a/queue-4.4/powerpc-pseries-mark-accumulate_stolen_time-as-notra.patch b/queue-4.4/powerpc-pseries-mark-accumulate_stolen_time-as-notra.patch new file mode 100644 index 00000000000..b0a3cd3e7de --- /dev/null +++ b/queue-4.4/powerpc-pseries-mark-accumulate_stolen_time-as-notra.patch @@ -0,0 +1,52 @@ +From 337db7b4c19e29d379d0ae789f49224f6079d494 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Oct 2019 21:23:51 +1100 +Subject: powerpc/pseries: Mark accumulate_stolen_time() as notrace + +From: Michael Ellerman + +[ Upstream commit eb8e20f89093b64f48975c74ccb114e6775cee22 ] + +accumulate_stolen_time() is called prior to interrupt state being +reconciled, which can trip the warning in arch_local_irq_restore(): + + WARNING: CPU: 5 PID: 1017 at arch/powerpc/kernel/irq.c:258 .arch_local_irq_restore+0x9c/0x130 + ... + NIP .arch_local_irq_restore+0x9c/0x130 + LR .rb_start_commit+0x38/0x80 + Call Trace: + .ring_buffer_lock_reserve+0xe4/0x620 + .trace_function+0x44/0x210 + .function_trace_call+0x148/0x170 + .ftrace_ops_no_ops+0x180/0x1d0 + ftrace_call+0x4/0x8 + .accumulate_stolen_time+0x1c/0xb0 + decrementer_common+0x124/0x160 + +For now just mark it as notrace. We may change the ordering to call it +after interrupt state has been reconciled, but that is a larger +change. + +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191024055932.27940-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/time.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/time.c b/arch/powerpc/kernel/time.c +index 2e9cae5f8d17..397076474a71 100644 +--- a/arch/powerpc/kernel/time.c ++++ b/arch/powerpc/kernel/time.c +@@ -245,7 +245,7 @@ static u64 scan_dispatch_log(u64 stop_tb) + * Accumulate stolen time by scanning the dispatch trace log. + * Called on entry from user mode. + */ +-void accumulate_stolen_time(void) ++void notrace accumulate_stolen_time(void) + { + u64 sst, ust; + +-- +2.20.1 + diff --git a/queue-4.4/powerpc-security-book3s64-report-l1tf-status-in-sysf.patch b/queue-4.4/powerpc-security-book3s64-report-l1tf-status-in-sysf.patch new file mode 100644 index 00000000000..48323fca0c1 --- /dev/null +++ b/queue-4.4/powerpc-security-book3s64-report-l1tf-status-in-sysf.patch @@ -0,0 +1,45 @@ +From bcf74637b1386e9db48dca85d42ab9a33567f1ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2019 12:07:59 -0700 +Subject: powerpc/security/book3s64: Report L1TF status in sysfs + +From: Anthony Steinhauser + +[ Upstream commit 8e6b6da91ac9b9ec5a925b6cb13f287a54bd547d ] + +Some PowerPC CPUs are vulnerable to L1TF to the same extent as to +Meltdown. It is also mitigated by flushing the L1D on privilege +transition. + +Currently the sysfs gives a false negative on L1TF on CPUs that I +verified to be vulnerable, a Power9 Talos II Boston 004e 1202, PowerNV +T2P9D01. + +Signed-off-by: Anthony Steinhauser +Signed-off-by: Michael Ellerman +[mpe: Just have cpu_show_l1tf() call cpu_show_meltdown() directly] +Link: https://lore.kernel.org/r/20191029190759.84821-1-asteinhauser@google.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/security.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c +index 156cfe6d23b0..fc5c49046aa7 100644 +--- a/arch/powerpc/kernel/security.c ++++ b/arch/powerpc/kernel/security.c +@@ -161,6 +161,11 @@ ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, cha + + return sprintf(buf, "Vulnerable\n"); + } ++ ++ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf) ++{ ++ return cpu_show_meltdown(dev, attr, buf); ++} + #endif + + ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf) +-- +2.20.1 + diff --git a/queue-4.4/powerpc-security-fix-wrong-message-when-rfi-flush-is.patch b/queue-4.4/powerpc-security-fix-wrong-message-when-rfi-flush-is.patch new file mode 100644 index 00000000000..233463d20aa --- /dev/null +++ b/queue-4.4/powerpc-security-fix-wrong-message-when-rfi-flush-is.patch @@ -0,0 +1,95 @@ +From b9d5ef58cb6edc4d02d9dfe6222a2603aa8461f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 May 2019 18:09:07 -0300 +Subject: powerpc/security: Fix wrong message when RFI Flush is disable + +From: Gustavo L. F. Walbon + +[ Upstream commit 4e706af3cd8e1d0503c25332b30cad33c97ed442 ] + +The issue was showing "Mitigation" message via sysfs whatever the +state of "RFI Flush", but it should show "Vulnerable" when it is +disabled. + +If you have "L1D private" feature enabled and not "RFI Flush" you are +vulnerable to meltdown attacks. + +"RFI Flush" is the key feature to mitigate the meltdown whatever the +"L1D private" state. + +SEC_FTR_L1D_THREAD_PRIV is a feature for Power9 only. + +So the message should be as the truth table shows: + + CPU | L1D private | RFI Flush | sysfs + ----|-------------|-----------|------------------------------------- + P9 | False | False | Vulnerable + P9 | False | True | Mitigation: RFI Flush + P9 | True | False | Vulnerable: L1D private per thread + P9 | True | True | Mitigation: RFI Flush, L1D private per thread + P8 | False | False | Vulnerable + P8 | False | True | Mitigation: RFI Flush + +Output before this fix: + # cat /sys/devices/system/cpu/vulnerabilities/meltdown + Mitigation: RFI Flush, L1D private per thread + # echo 0 > /sys/kernel/debug/powerpc/rfi_flush + # cat /sys/devices/system/cpu/vulnerabilities/meltdown + Mitigation: L1D private per thread + +Output after fix: + # cat /sys/devices/system/cpu/vulnerabilities/meltdown + Mitigation: RFI Flush, L1D private per thread + # echo 0 > /sys/kernel/debug/powerpc/rfi_flush + # cat /sys/devices/system/cpu/vulnerabilities/meltdown + Vulnerable: L1D private per thread + +Signed-off-by: Gustavo L. F. Walbon +Signed-off-by: Mauro S. M. Rodrigues +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20190502210907.42375-1-gwalbon@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/security.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c +index fc5c49046aa7..45778c83038f 100644 +--- a/arch/powerpc/kernel/security.c ++++ b/arch/powerpc/kernel/security.c +@@ -135,26 +135,22 @@ ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, cha + + thread_priv = security_ftr_enabled(SEC_FTR_L1D_THREAD_PRIV); + +- if (rfi_flush || thread_priv) { ++ if (rfi_flush) { + struct seq_buf s; + seq_buf_init(&s, buf, PAGE_SIZE - 1); + +- seq_buf_printf(&s, "Mitigation: "); +- +- if (rfi_flush) +- seq_buf_printf(&s, "RFI Flush"); +- +- if (rfi_flush && thread_priv) +- seq_buf_printf(&s, ", "); +- ++ seq_buf_printf(&s, "Mitigation: RFI Flush"); + if (thread_priv) +- seq_buf_printf(&s, "L1D private per thread"); ++ seq_buf_printf(&s, ", L1D private per thread"); + + seq_buf_printf(&s, "\n"); + + return s.len; + } + ++ if (thread_priv) ++ return sprintf(buf, "Vulnerable: L1D private per thread\n"); ++ + if (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) && + !security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR)) + return sprintf(buf, "Not affected\n"); +-- +2.20.1 + diff --git a/queue-4.4/s390-cpum_sf-check-for-sdbt-and-sdb-consistency.patch b/queue-4.4/s390-cpum_sf-check-for-sdbt-and-sdb-consistency.patch new file mode 100644 index 00000000000..88459aefbcc --- /dev/null +++ b/queue-4.4/s390-cpum_sf-check-for-sdbt-and-sdb-consistency.patch @@ -0,0 +1,107 @@ +From 7f0f616b10607cff76d9c413ef46f6dce4c888c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2019 16:43:15 +0100 +Subject: s390/cpum_sf: Check for SDBT and SDB consistency + +From: Thomas Richter + +[ Upstream commit 247f265fa502e7b17a0cb0cc330e055a36aafce4 ] + +Each SBDT is located at a 4KB page and contains 512 entries. +Each entry of a SDBT points to a SDB, a 4KB page containing +sampled data. The last entry is a link to another SDBT page. + +When an event is created the function sequence executed is: + + __hw_perf_event_init() + +--> allocate_buffers() + +--> realloc_sampling_buffers() + +---> alloc_sample_data_block() + +Both functions realloc_sampling_buffers() and +alloc_sample_data_block() allocate pages and the allocation +can fail. This is handled correctly and all allocated +pages are freed and error -ENOMEM is returned to the +top calling function. Finally the event is not created. + +Once the event has been created, the amount of initially +allocated SDBT and SDB can be too low. This is detected +during measurement interrupt handling, where the amount +of lost samples is calculated. If the number of lost samples +is too high considering sampling frequency and already allocated +SBDs, the number of SDBs is enlarged during the next execution +of cpumsf_pmu_enable(). + +If more SBDs need to be allocated, functions + + realloc_sampling_buffers() + +---> alloc-sample_data_block() + +are called to allocate more pages. Page allocation may fail +and the returned error is ignored. A SDBT and SDB setup +already exists. + +However the modified SDBTs and SDBs might end up in a situation +where the first entry of an SDBT does not point to an SDB, +but another SDBT, basicly an SBDT without payload. +This can not be handled by the interrupt handler, where an SDBT +must have at least one entry pointing to an SBD. + +Add a check to avoid SDBTs with out payload (SDBs) when enlarging +the buffer setup. + +Signed-off-by: Thomas Richter +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/perf_cpum_sf.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c +index 874762a51c54..7490c52b2715 100644 +--- a/arch/s390/kernel/perf_cpum_sf.c ++++ b/arch/s390/kernel/perf_cpum_sf.c +@@ -185,7 +185,7 @@ static int realloc_sampling_buffer(struct sf_buffer *sfb, + unsigned long num_sdb, gfp_t gfp_flags) + { + int i, rc; +- unsigned long *new, *tail; ++ unsigned long *new, *tail, *tail_prev = NULL; + + if (!sfb->sdbt || !sfb->tail) + return -EINVAL; +@@ -224,6 +224,7 @@ static int realloc_sampling_buffer(struct sf_buffer *sfb, + sfb->num_sdbt++; + /* Link current page to tail of chain */ + *tail = (unsigned long)(void *) new + 1; ++ tail_prev = tail; + tail = new; + } + +@@ -233,10 +234,22 @@ static int realloc_sampling_buffer(struct sf_buffer *sfb, + * issue, a new realloc call (if required) might succeed. + */ + rc = alloc_sample_data_block(tail, gfp_flags); +- if (rc) ++ if (rc) { ++ /* Undo last SDBT. An SDBT with no SDB at its first ++ * entry but with an SDBT entry instead can not be ++ * handled by the interrupt handler code. ++ * Avoid this situation. ++ */ ++ if (tail_prev) { ++ sfb->num_sdbt--; ++ free_page((unsigned long) new); ++ tail = tail_prev; ++ } + break; ++ } + sfb->num_sdb++; + tail++; ++ tail_prev = new = NULL; /* Allocated at least one SBD */ + } + + /* Link sampling buffer to its origin */ +-- +2.20.1 + diff --git a/queue-4.4/scripts-kallsyms-fix-definitely-lost-memory-leak.patch b/queue-4.4/scripts-kallsyms-fix-definitely-lost-memory-leak.patch new file mode 100644 index 00000000000..1441f73908c --- /dev/null +++ b/queue-4.4/scripts-kallsyms-fix-definitely-lost-memory-leak.patch @@ -0,0 +1,48 @@ +From 530a9a462b890edccfb63d68f94ffb43139bcdb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Nov 2019 01:04:30 +0900 +Subject: scripts/kallsyms: fix definitely-lost memory leak + +From: Masahiro Yamada + +[ Upstream commit 21915eca088dc271c970e8351290e83d938114ac ] + +build_initial_tok_table() overwrites unused sym_entry to shrink the +table size. Before the entry is overwritten, table[i].sym must be freed +since it is malloc'ed data. + +This fixes the 'definitely lost' report from valgrind. I ran valgrind +against x86_64_defconfig of v5.4-rc8 kernel, and here is the summary: + +[Before the fix] + + LEAK SUMMARY: + definitely lost: 53,184 bytes in 2,874 blocks + +[After the fix] + + LEAK SUMMARY: + definitely lost: 0 bytes in 0 blocks + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kallsyms.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c +index d117c68d1607..b92b704e7ace 100644 +--- a/scripts/kallsyms.c ++++ b/scripts/kallsyms.c +@@ -455,6 +455,8 @@ static void build_initial_tok_table(void) + table[pos] = table[i]; + learn_symbol(table[pos].sym, table[pos].len); + pos++; ++ } else { ++ free(table[i].sym); + } + } + table_cnt = pos; +-- +2.20.1 + diff --git a/queue-4.4/scsi-csiostor-don-t-enable-irqs-too-early.patch b/queue-4.4/scsi-csiostor-don-t-enable-irqs-too-early.patch new file mode 100644 index 00000000000..87f3d1ac70f --- /dev/null +++ b/queue-4.4/scsi-csiostor-don-t-enable-irqs-too-early.patch @@ -0,0 +1,100 @@ +From 36f8e259c34f4305a19bff58245ba726fcf398d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Oct 2019 11:59:13 +0300 +Subject: scsi: csiostor: Don't enable IRQs too early + +From: Dan Carpenter + +[ Upstream commit d6c9b31ac3064fbedf8961f120a4c117daa59932 ] + +These are called with IRQs disabled from csio_mgmt_tmo_handler() so we +can't call spin_unlock_irq() or it will enable IRQs prematurely. + +Fixes: a3667aaed569 ("[SCSI] csiostor: Chelsio FCoE offload driver") +Link: https://lore.kernel.org/r/20191019085913.GA14245@mwanda +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/csiostor/csio_lnode.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/scsi/csiostor/csio_lnode.c b/drivers/scsi/csiostor/csio_lnode.c +index be5ee2d37815..957767d38361 100644 +--- a/drivers/scsi/csiostor/csio_lnode.c ++++ b/drivers/scsi/csiostor/csio_lnode.c +@@ -301,6 +301,7 @@ csio_ln_fdmi_rhba_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req) + struct fc_fdmi_port_name *port_name; + uint8_t buf[64]; + uint8_t *fc4_type; ++ unsigned long flags; + + if (fdmi_req->wr_status != FW_SUCCESS) { + csio_ln_dbg(ln, "WR error:%x in processing fdmi rhba cmd\n", +@@ -377,13 +378,13 @@ csio_ln_fdmi_rhba_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req) + len = (uint32_t)(pld - (uint8_t *)cmd); + + /* Submit FDMI RPA request */ +- spin_lock_irq(&hw->lock); ++ spin_lock_irqsave(&hw->lock, flags); + if (csio_ln_mgmt_submit_req(fdmi_req, csio_ln_fdmi_done, + FCOE_CT, &fdmi_req->dma_buf, len)) { + CSIO_INC_STATS(ln, n_fdmi_err); + csio_ln_dbg(ln, "Failed to issue fdmi rpa req\n"); + } +- spin_unlock_irq(&hw->lock); ++ spin_unlock_irqrestore(&hw->lock, flags); + } + + /* +@@ -404,6 +405,7 @@ csio_ln_fdmi_dprt_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req) + struct fc_fdmi_rpl *reg_pl; + struct fs_fdmi_attrs *attrib_blk; + uint8_t buf[64]; ++ unsigned long flags; + + if (fdmi_req->wr_status != FW_SUCCESS) { + csio_ln_dbg(ln, "WR error:%x in processing fdmi dprt cmd\n", +@@ -483,13 +485,13 @@ csio_ln_fdmi_dprt_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req) + attrib_blk->numattrs = htonl(numattrs); + + /* Submit FDMI RHBA request */ +- spin_lock_irq(&hw->lock); ++ spin_lock_irqsave(&hw->lock, flags); + if (csio_ln_mgmt_submit_req(fdmi_req, csio_ln_fdmi_rhba_cbfn, + FCOE_CT, &fdmi_req->dma_buf, len)) { + CSIO_INC_STATS(ln, n_fdmi_err); + csio_ln_dbg(ln, "Failed to issue fdmi rhba req\n"); + } +- spin_unlock_irq(&hw->lock); ++ spin_unlock_irqrestore(&hw->lock, flags); + } + + /* +@@ -504,6 +506,7 @@ csio_ln_fdmi_dhba_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req) + void *cmd; + struct fc_fdmi_port_name *port_name; + uint32_t len; ++ unsigned long flags; + + if (fdmi_req->wr_status != FW_SUCCESS) { + csio_ln_dbg(ln, "WR error:%x in processing fdmi dhba cmd\n", +@@ -534,13 +537,13 @@ csio_ln_fdmi_dhba_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req) + len += sizeof(*port_name); + + /* Submit FDMI request */ +- spin_lock_irq(&hw->lock); ++ spin_lock_irqsave(&hw->lock, flags); + if (csio_ln_mgmt_submit_req(fdmi_req, csio_ln_fdmi_dprt_cbfn, + FCOE_CT, &fdmi_req->dma_buf, len)) { + CSIO_INC_STATS(ln, n_fdmi_err); + csio_ln_dbg(ln, "Failed to issue fdmi dprt req\n"); + } +- spin_unlock_irq(&hw->lock); ++ spin_unlock_irqrestore(&hw->lock, flags); + } + + /** +-- +2.20.1 + diff --git a/queue-4.4/scsi-lpfc-fix-coverity-lpfc_cmpl_els_rsp-null-pointe.patch b/queue-4.4/scsi-lpfc-fix-coverity-lpfc_cmpl_els_rsp-null-pointe.patch new file mode 100644 index 00000000000..05153880c43 --- /dev/null +++ b/queue-4.4/scsi-lpfc-fix-coverity-lpfc_cmpl_els_rsp-null-pointe.patch @@ -0,0 +1,67 @@ +From 6f4c3f85450e614e154a9e62fa00cf302f26318a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Nov 2019 15:03:57 -0800 +Subject: scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer + dereferences + +From: James Smart + +[ Upstream commit 6c6d59e0fe5b86cf273d6d744a6a9768c4ecc756 ] + +Coverity reported the following: + +*** CID 101747: Null pointer dereferences (FORWARD_NULL) +/drivers/scsi/lpfc/lpfc_els.c: 4439 in lpfc_cmpl_els_rsp() +4433 kfree(mp); +4434 } +4435 mempool_free(mbox, phba->mbox_mem_pool); +4436 } +4437 out: +4438 if (ndlp && NLP_CHK_NODE_ACT(ndlp)) { +vvv CID 101747: Null pointer dereferences (FORWARD_NULL) +vvv Dereferencing null pointer "shost". +4439 spin_lock_irq(shost->host_lock); +4440 ndlp->nlp_flag &= ~(NLP_ACC_REGLOGIN | NLP_RM_DFLT_RPI); +4441 spin_unlock_irq(shost->host_lock); +4442 +4443 /* If the node is not being used by another discovery thread, +4444 * and we are sending a reject, we are done with it. + +Fix by adding a check for non-null shost in line 4438. +The scenario when shost is set to null is when ndlp is null. +As such, the ndlp check present was sufficient. But better safe +than sorry so add the shost check. + +Reported-by: coverity-bot +Addresses-Coverity-ID: 101747 ("Null pointer dereferences") +Fixes: 2e0fef85e098 ("[SCSI] lpfc: NPIV: split ports") + +CC: James Bottomley +CC: "Gustavo A. R. Silva" +CC: linux-next@vger.kernel.org +Link: https://lore.kernel.org/r/20191111230401.12958-3-jsmart2021@gmail.com +Reviewed-by: Ewan D. Milne +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_els.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 7ca8c2522c92..530b7df21322 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -3839,7 +3839,7 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + mempool_free(mbox, phba->mbox_mem_pool); + } + out: +- if (ndlp && NLP_CHK_NODE_ACT(ndlp)) { ++ if (ndlp && NLP_CHK_NODE_ACT(ndlp) && shost) { + spin_lock_irq(shost->host_lock); + ndlp->nlp_flag &= ~(NLP_ACC_REGLOGIN | NLP_RM_DFLT_RPI); + spin_unlock_irq(shost->host_lock); +-- +2.20.1 + diff --git a/queue-4.4/scsi-lpfc-fix-duplicate-unreg_rpi-error-in-port-offl.patch b/queue-4.4/scsi-lpfc-fix-duplicate-unreg_rpi-error-in-port-offl.patch new file mode 100644 index 00000000000..253851bd53a --- /dev/null +++ b/queue-4.4/scsi-lpfc-fix-duplicate-unreg_rpi-error-in-port-offl.patch @@ -0,0 +1,54 @@ +From 640b5f42dee6e640d1ae524905f78f02db82635d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Nov 2019 16:56:58 -0800 +Subject: scsi: lpfc: Fix duplicate unreg_rpi error in port offline flow + +From: James Smart + +[ Upstream commit 7cfd5639d99bec0d27af089d0c8c114330e43a72 ] + +If the driver receives a login that is later then LOGO'd by the remote port +(aka ndlp), the driver, upon the completion of the LOGO ACC transmission, +will logout the node and unregister the rpi that is being used for the +node. As part of the unreg, the node's rpi value is replaced by the +LPFC_RPI_ALLOC_ERROR value. If the port is subsequently offlined, the +offline walks the nodes and ensures they are logged out, which possibly +entails unreg'ing their rpi values. This path does not validate the node's +rpi value, thus doesn't detect that it has been unreg'd already. The +replaced rpi value is then used when accessing the rpi bitmask array which +tracks active rpi values. As the LPFC_RPI_ALLOC_ERROR value is not a valid +index for the bitmask, it may fault the system. + +Revise the rpi release code to detect when the rpi value is the replaced +RPI_ALLOC_ERROR value and ignore further release steps. + +Link: https://lore.kernel.org/r/20191105005708.7399-2-jsmart2021@gmail.com +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_sli.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 9b8867c023b9..065fdc17bbfb 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -15792,6 +15792,13 @@ lpfc_sli4_alloc_rpi(struct lpfc_hba *phba) + static void + __lpfc_sli4_free_rpi(struct lpfc_hba *phba, int rpi) + { ++ /* ++ * if the rpi value indicates a prior unreg has already ++ * been done, skip the unreg. ++ */ ++ if (rpi == LPFC_RPI_ALLOC_ERROR) ++ return; ++ + if (test_and_clear_bit(rpi, phba->sli4_hba.rpi_bmask)) { + phba->sli4_hba.rpi_count--; + phba->sli4_hba.max_cfg_param.rpi_used--; +-- +2.20.1 + diff --git a/queue-4.4/scsi-lpfc-fix-locking-on-mailbox-command-completion.patch b/queue-4.4/scsi-lpfc-fix-locking-on-mailbox-command-completion.patch new file mode 100644 index 00000000000..3f96cab648f --- /dev/null +++ b/queue-4.4/scsi-lpfc-fix-locking-on-mailbox-command-completion.patch @@ -0,0 +1,68 @@ +From 78c21b640218845760601edf10bc62d215cf854d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Sep 2019 20:58:53 -0700 +Subject: scsi: lpfc: Fix locking on mailbox command completion + +From: James Smart + +[ Upstream commit 07b8582430370097238b589f4e24da7613ca6dd3 ] + +Symptoms were seen of the driver not having valid data for mailbox +commands. After debugging, the following sequence was found: + +The driver maintains a port-wide pointer of the mailbox command that is +currently in execution. Once finished, the port-wide pointer is cleared +(done in lpfc_sli4_mq_release()). The next mailbox command issued will set +the next pointer and so on. + +The mailbox response data is only copied if there is a valid port-wide +pointer. + +In the failing case, it was seen that a new mailbox command was being +attempted in parallel with the completion. The parallel path was seeing +the mailbox no long in use (flag check under lock) and thus set the port +pointer. The completion path had cleared the active flag under lock, but +had not touched the port pointer. The port pointer is cleared after the +lock is released. In this case, the completion path cleared the just-set +value by the parallel path. + +Fix by making the calls that clear mbox state/port pointer while under +lock. Also slightly cleaned up the error path. + +Link: https://lore.kernel.org/r/20190922035906.10977-8-jsmart2021@gmail.com +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_sli.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 523a1058078a..9b8867c023b9 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -11759,13 +11759,19 @@ send_current_mbox: + phba->sli.sli_flag &= ~LPFC_SLI_MBOX_ACTIVE; + /* Setting active mailbox pointer need to be in sync to flag clear */ + phba->sli.mbox_active = NULL; ++ if (bf_get(lpfc_trailer_consumed, mcqe)) ++ lpfc_sli4_mq_release(phba->sli4_hba.mbx_wq); + spin_unlock_irqrestore(&phba->hbalock, iflags); + /* Wake up worker thread to post the next pending mailbox command */ + lpfc_worker_wake_up(phba); ++ return workposted; ++ + out_no_mqe_complete: ++ spin_lock_irqsave(&phba->hbalock, iflags); + if (bf_get(lpfc_trailer_consumed, mcqe)) + lpfc_sli4_mq_release(phba->sli4_hba.mbx_wq); +- return workposted; ++ spin_unlock_irqrestore(&phba->hbalock, iflags); ++ return false; + } + + /** +-- +2.20.1 + diff --git a/queue-4.4/scsi-lpfc-fix-sli3-hba-in-loop-mode-not-discovering-.patch b/queue-4.4/scsi-lpfc-fix-sli3-hba-in-loop-mode-not-discovering-.patch new file mode 100644 index 00000000000..2108f25f6f6 --- /dev/null +++ b/queue-4.4/scsi-lpfc-fix-sli3-hba-in-loop-mode-not-discovering-.patch @@ -0,0 +1,45 @@ +From 6d9cc6fd79903960e667dc3e1c68bd4bc39f9ed6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Oct 2019 14:18:20 -0700 +Subject: scsi: lpfc: Fix SLI3 hba in loop mode not discovering devices + +From: James Smart + +[ Upstream commit feff8b3d84d3d9570f893b4d83e5eab6693d6a52 ] + +When operating in private loop mode, PLOGI exchanges are racing and the +driver tries to abort it's PLOGI. But the PLOGI abort ends up terminating +the login with the other end causing the other end to abort its PLOGI as +well. Discovery never fully completes. + +Fix by disabling the PLOGI abort when private loop and letting the state +machine play out. + +Link: https://lore.kernel.org/r/20191018211832.7917-5-jsmart2021@gmail.com +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_nportdisc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c +index 3a4613f9fb9f..6aa0698925da 100644 +--- a/drivers/scsi/lpfc/lpfc_nportdisc.c ++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c +@@ -454,8 +454,10 @@ lpfc_rcv_plogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + * single discovery thread, this will cause a huge delay in + * discovery. Also this will cause multiple state machines + * running in parallel for this node. ++ * This only applies to a fabric environment. + */ +- if (ndlp->nlp_state == NLP_STE_PLOGI_ISSUE) { ++ if ((ndlp->nlp_state == NLP_STE_PLOGI_ISSUE) && ++ (vport->fc_flag & FC_FABRIC)) { + /* software abort outstanding PLOGI */ + lpfc_els_abort(phba, ndlp); + } +-- +2.20.1 + diff --git a/queue-4.4/scsi-mpt3sas-fix-clear-pending-bit-in-ioctl-status.patch b/queue-4.4/scsi-mpt3sas-fix-clear-pending-bit-in-ioctl-status.patch new file mode 100644 index 00000000000..f446b037c7b --- /dev/null +++ b/queue-4.4/scsi-mpt3sas-fix-clear-pending-bit-in-ioctl-status.patch @@ -0,0 +1,45 @@ +From 462e011c77973b04f0fa645eb8524d7b6658234e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2019 09:04:40 -0400 +Subject: scsi: mpt3sas: Fix clear pending bit in ioctl status + +From: Sreekanth Reddy + +[ Upstream commit 782b281883caf70289ba6a186af29441a117d23e ] + +When user issues diag register command from application with required size, +and if driver unable to allocate the memory, then it will fail the register +command. While failing the register command, driver is not currently +clearing MPT3_CMD_PENDING bit in ctl_cmds.status variable which was set +before trying to allocate the memory. As this bit is set, subsequent +register command will be failed with BUSY status even when user wants to +register the trace buffer will less memory. + +Clear MPT3_CMD_PENDING bit in ctl_cmds.status before returning the diag +register command with no memory status. + +Link: https://lore.kernel.org/r/1568379890-18347-4-git-send-email-sreekanth.reddy@broadcom.com +Signed-off-by: Sreekanth Reddy +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_ctl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c +index 4ccde5a05b70..7874b989d2f4 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c +@@ -1456,7 +1456,8 @@ _ctl_diag_register_2(struct MPT3SAS_ADAPTER *ioc, + " for diag buffers, requested size(%d)\n", + ioc->name, __func__, request_data_sz); + mpt3sas_base_free_smid(ioc, smid); +- return -ENOMEM; ++ rc = -ENOMEM; ++ goto out; + } + ioc->diag_buffer[buffer_type] = request_data; + ioc->diag_buffer_sz[buffer_type] = request_data_sz; +-- +2.20.1 + diff --git a/queue-4.4/scsi-pm80xx-fix-for-sata-device-discovery.patch b/queue-4.4/scsi-pm80xx-fix-for-sata-device-discovery.patch new file mode 100644 index 00000000000..fe6f885eb95 --- /dev/null +++ b/queue-4.4/scsi-pm80xx-fix-for-sata-device-discovery.patch @@ -0,0 +1,41 @@ +From c0229757bbd6a31218349c02d878a32eff769ad3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 15:38:58 +0530 +Subject: scsi: pm80xx: Fix for SATA device discovery + +From: peter chang + +[ Upstream commit ce21c63ee995b7a8b7b81245f2cee521f8c3c220 ] + +Driver was missing complete() call in mpi_sata_completion which result in +SATA abort error handling timing out. That causes the device to be left in +the in_recovery state so subsequent commands sent to the device fail and +the OS removes access to it. + +Link: https://lore.kernel.org/r/20191114100910.6153-2-deepak.ukey@microchip.com +Acked-by: Jack Wang +Signed-off-by: peter chang +Signed-off-by: Deepak Ukey +Signed-off-by: Viswas G +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/pm8001/pm80xx_hwi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/pm8001/pm80xx_hwi.c b/drivers/scsi/pm8001/pm80xx_hwi.c +index 9edd61c063a1..df5f0bc29587 100644 +--- a/drivers/scsi/pm8001/pm80xx_hwi.c ++++ b/drivers/scsi/pm8001/pm80xx_hwi.c +@@ -2368,6 +2368,8 @@ mpi_sata_completion(struct pm8001_hba_info *pm8001_ha, void *piomb) + pm8001_printk("task 0x%p done with io_status 0x%x" + " resp 0x%x stat 0x%x but aborted by upper layer!\n", + t, status, ts->resp, ts->stat)); ++ if (t->slow_task) ++ complete(&t->slow_task->completion); + pm8001_ccb_task_free(pm8001_ha, t, ccb, tag); + } else { + spin_unlock_irqrestore(&t->task_state_lock, flags); +-- +2.20.1 + diff --git a/queue-4.4/scsi-target-compare-full-chap_a-algorithm-strings.patch b/queue-4.4/scsi-target-compare-full-chap_a-algorithm-strings.patch new file mode 100644 index 00000000000..be939798194 --- /dev/null +++ b/queue-4.4/scsi-target-compare-full-chap_a-algorithm-strings.patch @@ -0,0 +1,53 @@ +From 184bf55451b56befd29c6162aaaf8f00680268b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2019 11:55:45 +0200 +Subject: scsi: target: compare full CHAP_A Algorithm strings + +From: David Disseldorp + +[ Upstream commit 9cef2a7955f2754257a7cddedec16edae7b587d0 ] + +RFC 2307 states: + + For CHAP [RFC1994], in the first step, the initiator MUST send: + + CHAP_A= + + Where A1,A2... are proposed algorithms, in order of preference. +... + For the Algorithm, as stated in [RFC1994], one value is required to + be implemented: + + 5 (CHAP with MD5) + +LIO currently checks for this value by only comparing a single byte in +the tokenized Algorithm string, which means that any value starting with +a '5' (e.g. "55") is interpreted as "CHAP with MD5". Fix this by +comparing the entire tokenized string. + +Reviewed-by: Lee Duncan +Reviewed-by: Mike Christie +Signed-off-by: David Disseldorp +Link: https://lore.kernel.org/r/20190912095547.22427-2-ddiss@suse.de +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_auth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c +index 3184e023a052..1dd6028eccb9 100644 +--- a/drivers/target/iscsi/iscsi_target_auth.c ++++ b/drivers/target/iscsi/iscsi_target_auth.c +@@ -74,7 +74,7 @@ static int chap_check_algorithm(const char *a_str) + if (!token) + goto out; + +- if (!strncmp(token, "5", 1)) { ++ if (!strcmp(token, "5")) { + pr_debug("Selected MD5 Algorithm\n"); + kfree(orig); + return CHAP_DIGEST_MD5; +-- +2.20.1 + diff --git a/queue-4.4/scsi-target-iscsi-wait-for-all-commands-to-finish-be.patch b/queue-4.4/scsi-target-iscsi-wait-for-all-commands-to-finish-be.patch new file mode 100644 index 00000000000..da4337331bb --- /dev/null +++ b/queue-4.4/scsi-target-iscsi-wait-for-all-commands-to-finish-be.patch @@ -0,0 +1,144 @@ +From 46277868495d4a1241f88af1d5945a0befa181db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Nov 2019 14:05:08 -0800 +Subject: scsi: target: iscsi: Wait for all commands to finish before freeing a + session + +From: Bart Van Assche + +[ Upstream commit e9d3009cb936bd0faf0719f68d98ad8afb1e613b ] + +The iSCSI target driver is the only target driver that does not wait for +ongoing commands to finish before freeing a session. Make the iSCSI target +driver wait for ongoing commands to finish before freeing a session. This +patch fixes the following KASAN complaint: + +BUG: KASAN: use-after-free in __lock_acquire+0xb1a/0x2710 +Read of size 8 at addr ffff8881154eca70 by task kworker/0:2/247 + +CPU: 0 PID: 247 Comm: kworker/0:2 Not tainted 5.4.0-rc1-dbg+ #6 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +Workqueue: target_completion target_complete_ok_work [target_core_mod] +Call Trace: + dump_stack+0x8a/0xd6 + print_address_description.constprop.0+0x40/0x60 + __kasan_report.cold+0x1b/0x33 + kasan_report+0x16/0x20 + __asan_load8+0x58/0x90 + __lock_acquire+0xb1a/0x2710 + lock_acquire+0xd3/0x200 + _raw_spin_lock_irqsave+0x43/0x60 + target_release_cmd_kref+0x162/0x7f0 [target_core_mod] + target_put_sess_cmd+0x2e/0x40 [target_core_mod] + lio_check_stop_free+0x12/0x20 [iscsi_target_mod] + transport_cmd_check_stop_to_fabric+0xd8/0xe0 [target_core_mod] + target_complete_ok_work+0x1b0/0x790 [target_core_mod] + process_one_work+0x549/0xa40 + worker_thread+0x7a/0x5d0 + kthread+0x1bc/0x210 + ret_from_fork+0x24/0x30 + +Allocated by task 889: + save_stack+0x23/0x90 + __kasan_kmalloc.constprop.0+0xcf/0xe0 + kasan_slab_alloc+0x12/0x20 + kmem_cache_alloc+0xf6/0x360 + transport_alloc_session+0x29/0x80 [target_core_mod] + iscsi_target_login_thread+0xcd6/0x18f0 [iscsi_target_mod] + kthread+0x1bc/0x210 + ret_from_fork+0x24/0x30 + +Freed by task 1025: + save_stack+0x23/0x90 + __kasan_slab_free+0x13a/0x190 + kasan_slab_free+0x12/0x20 + kmem_cache_free+0x146/0x400 + transport_free_session+0x179/0x2f0 [target_core_mod] + transport_deregister_session+0x130/0x180 [target_core_mod] + iscsit_close_session+0x12c/0x350 [iscsi_target_mod] + iscsit_logout_post_handler+0x136/0x380 [iscsi_target_mod] + iscsit_response_queue+0x8de/0xbe0 [iscsi_target_mod] + iscsi_target_tx_thread+0x27f/0x370 [iscsi_target_mod] + kthread+0x1bc/0x210 + ret_from_fork+0x24/0x30 + +The buggy address belongs to the object at ffff8881154ec9c0 + which belongs to the cache se_sess_cache of size 352 +The buggy address is located 176 bytes inside of + 352-byte region [ffff8881154ec9c0, ffff8881154ecb20) +The buggy address belongs to the page: +page:ffffea0004553b00 refcount:1 mapcount:0 mapping:ffff888101755400 index:0x0 compound_mapcount: 0 +flags: 0x2fff000000010200(slab|head) +raw: 2fff000000010200 dead000000000100 dead000000000122 ffff888101755400 +raw: 0000000000000000 0000000080130013 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8881154ec900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff8881154ec980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb +>ffff8881154eca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8881154eca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8881154ecb00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc + +Cc: Mike Christie +Link: https://lore.kernel.org/r/20191113220508.198257-3-bvanassche@acm.org +Reviewed-by: Roman Bolshakov +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target.c | 10 ++++++++-- + include/scsi/iscsi_proto.h | 1 + + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c +index cbb4414edd71..564828554ca0 100644 +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -993,7 +993,9 @@ int iscsit_setup_scsi_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, + hdr->cmdsn, be32_to_cpu(hdr->data_length), payload_length, + conn->cid); + +- target_get_sess_cmd(&cmd->se_cmd, true); ++ if (target_get_sess_cmd(&cmd->se_cmd, true) < 0) ++ return iscsit_add_reject_cmd(cmd, ++ ISCSI_REASON_WAITING_FOR_LOGOUT, buf); + + cmd->sense_reason = transport_lookup_cmd_lun(&cmd->se_cmd, + scsilun_to_int(&hdr->lun)); +@@ -1804,7 +1806,9 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, + conn->sess->se_sess, 0, DMA_NONE, + TCM_SIMPLE_TAG, cmd->sense_buffer + 2); + +- target_get_sess_cmd(&cmd->se_cmd, true); ++ if (target_get_sess_cmd(&cmd->se_cmd, true) < 0) ++ return iscsit_add_reject_cmd(cmd, ++ ISCSI_REASON_WAITING_FOR_LOGOUT, buf); + + /* + * TASK_REASSIGN for ERL=2 / connection stays inside of +@@ -4390,6 +4394,8 @@ int iscsit_close_connection( + * must wait until they have completed. + */ + iscsit_check_conn_usage_count(conn); ++ target_sess_cmd_list_set_waiting(sess->se_sess); ++ target_wait_for_sess_cmds(sess->se_sess); + + if (conn->conn_rx_hash.tfm) + crypto_free_hash(conn->conn_rx_hash.tfm); +diff --git a/include/scsi/iscsi_proto.h b/include/scsi/iscsi_proto.h +index c1260d80ef30..1a2ae0862e23 100644 +--- a/include/scsi/iscsi_proto.h ++++ b/include/scsi/iscsi_proto.h +@@ -638,6 +638,7 @@ struct iscsi_reject { + #define ISCSI_REASON_BOOKMARK_INVALID 9 + #define ISCSI_REASON_BOOKMARK_NO_RESOURCES 10 + #define ISCSI_REASON_NEGOTIATION_RESET 11 ++#define ISCSI_REASON_WAITING_FOR_LOGOUT 12 + + /* Max. number of Key=Value pairs in a text message */ + #define MAX_KEY_VALUE_PAIRS 8192 +-- +2.20.1 + diff --git a/queue-4.4/scsi-tracing-fix-handling-of-transfer-length-0-for-r.patch b/queue-4.4/scsi-tracing-fix-handling-of-transfer-length-0-for-r.patch new file mode 100644 index 00000000000..8cdb5d548f6 --- /dev/null +++ b/queue-4.4/scsi-tracing-fix-handling-of-transfer-length-0-for-r.patch @@ -0,0 +1,55 @@ +From 6cc4827ebb9adcadb10e3e68e5bdf4e85f9e2eb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2019 13:55:53 -0800 +Subject: scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and + WRITE(6) + +From: Bart Van Assche + +[ Upstream commit f6b8540f40201bff91062dd64db8e29e4ddaaa9d ] + +According to SBC-2 a TRANSFER LENGTH field of zero means that 256 logical +blocks must be transferred. Make the SCSI tracing code follow SBC-2. + +Fixes: bf8162354233 ("[SCSI] add scsi trace core functions and put trace points") +Cc: Christoph Hellwig +Cc: Hannes Reinecke +Cc: Douglas Gilbert +Link: https://lore.kernel.org/r/20191105215553.185018-1-bvanassche@acm.org +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_trace.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/scsi_trace.c b/drivers/scsi/scsi_trace.c +index 08bb47b53bc3..551fd0329bca 100644 +--- a/drivers/scsi/scsi_trace.c ++++ b/drivers/scsi/scsi_trace.c +@@ -29,15 +29,18 @@ static const char * + scsi_trace_rw6(struct trace_seq *p, unsigned char *cdb, int len) + { + const char *ret = trace_seq_buffer_ptr(p); +- sector_t lba = 0, txlen = 0; ++ u32 lba = 0, txlen; + + lba |= ((cdb[1] & 0x1F) << 16); + lba |= (cdb[2] << 8); + lba |= cdb[3]; +- txlen = cdb[4]; ++ /* ++ * From SBC-2: a TRANSFER LENGTH field set to zero specifies that 256 ++ * logical blocks shall be read (READ(6)) or written (WRITE(6)). ++ */ ++ txlen = cdb[4] ? cdb[4] : 256; + +- trace_seq_printf(p, "lba=%llu txlen=%llu", +- (unsigned long long)lba, (unsigned long long)txlen); ++ trace_seq_printf(p, "lba=%u txlen=%u", lba, txlen); + trace_seq_putc(p, 0); + + return ret; +-- +2.20.1 + diff --git a/queue-4.4/scsi-ufs-fix-potential-bug-which-ends-in-system-hang.patch b/queue-4.4/scsi-ufs-fix-potential-bug-which-ends-in-system-hang.patch new file mode 100644 index 00000000000..0a922be80d5 --- /dev/null +++ b/queue-4.4/scsi-ufs-fix-potential-bug-which-ends-in-system-hang.patch @@ -0,0 +1,82 @@ +From 348ca002a3297e539829c313b7e7ee97737c8e6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Nov 2019 23:34:36 +0100 +Subject: scsi: ufs: fix potential bug which ends in system hang + +From: Bean Huo + +[ Upstream commit cfcbae3895b86c390ede57b2a8f601dd5972b47b ] + +In function __ufshcd_query_descriptor(), in the event of an error +happening, we directly goto out_unlock and forget to invaliate +hba->dev_cmd.query.descriptor pointer. This results in this pointer still +valid in ufshcd_copy_query_response() for other query requests which go +through ufshcd_exec_raw_upiu_cmd(). This will cause __memcpy() crash and +system hangs. Log as shown below: + +Unable to handle kernel paging request at virtual address +ffff000012233c40 +Mem abort info: + ESR = 0x96000047 + Exception class = DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 +Data abort info: + ISV = 0, ISS = 0x00000047 + CM = 0, WnR = 1 +swapper pgtable: 4k pages, 48-bit VAs, pgdp = 0000000028cc735c +[ffff000012233c40] pgd=00000000bffff003, pud=00000000bfffe003, +pmd=00000000ba8b8003, pte=0000000000000000 + Internal error: Oops: 96000047 [#2] PREEMPT SMP + ... + Call trace: + __memcpy+0x74/0x180 + ufshcd_issue_devman_upiu_cmd+0x250/0x3c0 + ufshcd_exec_raw_upiu_cmd+0xfc/0x1a8 + ufs_bsg_request+0x178/0x3b0 + bsg_queue_rq+0xc0/0x118 + blk_mq_dispatch_rq_list+0xb0/0x538 + blk_mq_sched_dispatch_requests+0x18c/0x1d8 + __blk_mq_run_hw_queue+0xb4/0x118 + blk_mq_run_work_fn+0x28/0x38 + process_one_work+0x1ec/0x470 + worker_thread+0x48/0x458 + kthread+0x130/0x138 + ret_from_fork+0x10/0x1c + Code: 540000ab a8c12027 a88120c7 a8c12027 (a88120c7) + ---[ end trace 793e1eb5dff69f2d ]--- + note: kworker/0:2H[2054] exited with preempt_count 1 + +This patch is to move "descriptor = NULL" down to below the label +"out_unlock". + +Fixes: d44a5f98bb49b2(ufs: query descriptor API) +Link: https://lore.kernel.org/r/20191112223436.27449-3-huobean@gmail.com +Reviewed-by: Alim Akhtar +Reviewed-by: Bart Van Assche +Signed-off-by: Bean Huo +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 504d36796152..fcf5141bf950 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -1809,10 +1809,10 @@ static int ufshcd_query_descriptor(struct ufs_hba *hba, + goto out_unlock; + } + +- hba->dev_cmd.query.descriptor = NULL; + *buf_len = be16_to_cpu(response->upiu_res.length); + + out_unlock: ++ hba->dev_cmd.query.descriptor = NULL; + mutex_unlock(&hba->dev_cmd.lock); + out: + ufshcd_release(hba); +-- +2.20.1 + diff --git a/queue-4.4/series b/queue-4.4/series index a4e5cb2cbd6..c16c836ce79 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -87,3 +87,40 @@ ext4-check-for-directory-entries-too-close-to-block-end.patch powerpc-irq-fix-stack-overflow-verification.patch mmc-sdhci-of-esdhc-fix-p2020-errata-handling.patch perf-probe-fix-to-show-function-entry-line-as-probe-able.patch +scsi-mpt3sas-fix-clear-pending-bit-in-ioctl-status.patch +scsi-lpfc-fix-locking-on-mailbox-command-completion.patch +input-atmel_mxt_ts-disable-irq-across-suspend.patch +iommu-tegra-smmu-fix-page-tables-in-4-gib-memory.patch +scsi-target-compare-full-chap_a-algorithm-strings.patch +scsi-lpfc-fix-sli3-hba-in-loop-mode-not-discovering-.patch +scsi-csiostor-don-t-enable-irqs-too-early.patch +powerpc-pseries-mark-accumulate_stolen_time-as-notra.patch +dma-debug-add-a-schedule-point-in-debug_dma_dump_map.patch +clocksource-drivers-asm9260-add-a-check-for-of_clk_g.patch +powerpc-security-book3s64-report-l1tf-status-in-sysf.patch +jbd2-fix-statistics-for-the-number-of-logged-blocks.patch +scsi-tracing-fix-handling-of-transfer-length-0-for-r.patch +scsi-lpfc-fix-duplicate-unreg_rpi-error-in-port-offl.patch +clk-qcom-allow-constant-ratio-freq-tables-for-rcg.patch +irqchip-irq-bcm7038-l1-enable-parent-irq-if-necessar.patch +irqchip-ingenic-error-out-if-irq-domain-creation-fai.patch +mfd-mfd-core-honour-device-tree-s-request-to-disable.patch +fs-quota-handle-overflows-of-sysctl-fs.quota.-and-re.patch +scsi-lpfc-fix-coverity-lpfc_cmpl_els_rsp-null-pointe.patch +scsi-ufs-fix-potential-bug-which-ends-in-system-hang.patch +powerpc-pseries-cmm-implement-release-function-for-s.patch +powerpc-security-fix-wrong-message-when-rfi-flush-is.patch +clk-pxa-fix-one-of-the-pxa-rtc-clocks.patch +bcache-at-least-try-to-shrink-1-node-in-bch_mca_scan.patch +hid-improve-windows-precision-touchpad-detection.patch +ext4-work-around-deleting-a-file-with-i_nlink-0-safe.patch +scsi-pm80xx-fix-for-sata-device-discovery.patch +scsi-target-iscsi-wait-for-all-commands-to-finish-be.patch +gpio-mpc8xxx-don-t-overwrite-default-irq_set_type-ca.patch +scripts-kallsyms-fix-definitely-lost-memory-leak.patch +cdrom-respect-device-capabilities-during-opening-act.patch +perf-regs-make-perf_reg_name-return-unknown-instead-.patch +libfdt-define-int32_max-and-uint32_max-in-libfdt_env.patch +s390-cpum_sf-check-for-sdbt-and-sdb-consistency.patch +ocfs2-fix-passing-zero-to-ptr_err-warning.patch +kernel-sysctl-make-drop_caches-write-only.patch