From: Sasha Levin Date: Sun, 28 Jul 2019 19:12:23 +0000 (-0400) Subject: fixes for 4.4 X-Git-Tag: v5.2.5~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cceba3756e772801507b3d071a6b3dda939dfd7f;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/9p-pass-the-correct-prototype-to-read_cache_page.patch b/queue-4.4/9p-pass-the-correct-prototype-to-read_cache_page.patch new file mode 100644 index 00000000000..6462705ef46 --- /dev/null +++ b/queue-4.4/9p-pass-the-correct-prototype-to-read_cache_page.patch @@ -0,0 +1,51 @@ +From c561c8b94b1564fa438a4b4ce1c1cc25493c6a9e Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Thu, 11 Jul 2019 20:55:26 -0700 +Subject: 9p: pass the correct prototype to read_cache_page + +[ Upstream commit f053cbd4366051d7eb6ba1b8d529d20f719c2963 ] + +Fix the callback 9p passes to read_cache_page to actually have the +proper type expected. Casting around function pointers can easily +hide typing bugs, and defeats control flow protection. + +Link: http://lkml.kernel.org/r/20190520055731.24538-5-hch@lst.de +Signed-off-by: Christoph Hellwig +Reviewed-by: Kees Cook +Cc: Sami Tolvanen +Cc: Nick Desaulniers +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/9p/vfs_addr.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c +index e9e04376c52c..e80ad0c7c2a9 100644 +--- a/fs/9p/vfs_addr.c ++++ b/fs/9p/vfs_addr.c +@@ -49,8 +49,9 @@ + * @page: structure to page + * + */ +-static int v9fs_fid_readpage(struct p9_fid *fid, struct page *page) ++static int v9fs_fid_readpage(void *data, struct page *page) + { ++ struct p9_fid *fid = data; + struct inode *inode = page->mapping->host; + struct bio_vec bvec = {.bv_page = page, .bv_len = PAGE_SIZE}; + struct iov_iter to; +@@ -121,7 +122,8 @@ static int v9fs_vfs_readpages(struct file *filp, struct address_space *mapping, + if (ret == 0) + return ret; + +- ret = read_cache_pages(mapping, pages, (void *)v9fs_vfs_readpage, filp); ++ ret = read_cache_pages(mapping, pages, v9fs_fid_readpage, ++ filp->private_data); + p9_debug(P9_DEBUG_VFS, " = %d\n", ret); + return ret; + } +-- +2.20.1 + diff --git a/queue-4.4/drm-panel-simple-fix-panel_simple_dsi_probe.patch b/queue-4.4/drm-panel-simple-fix-panel_simple_dsi_probe.patch new file mode 100644 index 00000000000..f2bacf5cea3 --- /dev/null +++ b/queue-4.4/drm-panel-simple-fix-panel_simple_dsi_probe.patch @@ -0,0 +1,41 @@ +From d7a9b206f63ad7fab22d83143d0479a049c28c8e Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Tue, 26 Feb 2019 10:11:53 +0200 +Subject: drm/panel: simple: Fix panel_simple_dsi_probe + +[ Upstream commit 7ad9db66fafb0f0ad53fd2a66217105da5ddeffe ] + +In case mipi_dsi_attach() fails remove the registered panel to avoid added +panel without corresponding device. + +Signed-off-by: Peter Ujfalusi +Signed-off-by: Thierry Reding +Link: https://patchwork.freedesktop.org/patch/msgid/20190226081153.31334-1-peter.ujfalusi@ti.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index f418c002d323..ecad4d7c6cd1 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -1389,7 +1389,14 @@ static int panel_simple_dsi_probe(struct mipi_dsi_device *dsi) + dsi->format = desc->format; + dsi->lanes = desc->lanes; + +- return mipi_dsi_attach(dsi); ++ err = mipi_dsi_attach(dsi); ++ if (err) { ++ struct panel_simple *panel = dev_get_drvdata(&dsi->dev); ++ ++ drm_panel_remove(&panel->base); ++ } ++ ++ return err; + } + + static int panel_simple_dsi_remove(struct mipi_dsi_device *dsi) +-- +2.20.1 + diff --git a/queue-4.4/drm-virtio-add-memory-barriers-for-capset-cache.patch b/queue-4.4/drm-virtio-add-memory-barriers-for-capset-cache.patch new file mode 100644 index 00000000000..9b7967ed16e --- /dev/null +++ b/queue-4.4/drm-virtio-add-memory-barriers-for-capset-cache.patch @@ -0,0 +1,50 @@ +From 167f64b4572865f28037509156263c8a34d484eb Mon Sep 17 00:00:00 2001 +From: David Riley +Date: Mon, 10 Jun 2019 14:18:10 -0700 +Subject: drm/virtio: Add memory barriers for capset cache. + +[ Upstream commit 9ff3a5c88e1f1ab17a31402b96d45abe14aab9d7 ] + +After data is copied to the cache entry, atomic_set is used indicate +that the data is the entry is valid without appropriate memory barriers. +Similarly the read side was missing the corresponding memory barriers. + +Signed-off-by: David Riley +Link: http://patchwork.freedesktop.org/patch/msgid/20190610211810.253227-5-davidriley@chromium.org +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/virtio/virtgpu_ioctl.c | 3 +++ + drivers/gpu/drm/virtio/virtgpu_vq.c | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/virtio/virtgpu_ioctl.c b/drivers/gpu/drm/virtio/virtgpu_ioctl.c +index 6296e9f270ca..0b8f8c10f2ed 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c ++++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c +@@ -535,6 +535,9 @@ static int virtio_gpu_get_caps_ioctl(struct drm_device *dev, + ret = wait_event_timeout(vgdev->resp_wq, + atomic_read(&cache_ent->is_valid), 5 * HZ); + ++ /* is_valid check must proceed before copy of the cache entry. */ ++ smp_rmb(); ++ + ptr = cache_ent->caps_cache; + + copy_exit: +diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c +index 52436b3c01bb..a1b3ea1ccb65 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_vq.c ++++ b/drivers/gpu/drm/virtio/virtgpu_vq.c +@@ -618,6 +618,8 @@ static void virtio_gpu_cmd_capset_cb(struct virtio_gpu_device *vgdev, + cache_ent->id == le32_to_cpu(cmd->capset_id)) { + memcpy(cache_ent->caps_cache, resp->capset_data, + cache_ent->size); ++ /* Copy must occur before is_valid is signalled. */ ++ smp_wmb(); + atomic_set(&cache_ent->is_valid, 1); + break; + } +-- +2.20.1 + diff --git a/queue-4.4/f2fs-avoid-out-of-range-memory-access.patch b/queue-4.4/f2fs-avoid-out-of-range-memory-access.patch new file mode 100644 index 00000000000..051e550182a --- /dev/null +++ b/queue-4.4/f2fs-avoid-out-of-range-memory-access.patch @@ -0,0 +1,39 @@ +From bd9d9c644f91a5caa32f480480d878ba974a29d0 Mon Sep 17 00:00:00 2001 +From: Ocean Chen +Date: Mon, 8 Jul 2019 12:34:56 +0800 +Subject: f2fs: avoid out-of-range memory access + +[ Upstream commit 56f3ce675103e3fb9e631cfb4131fc768bc23e9a ] + +blkoff_off might over 512 due to fs corrupt or security +vulnerability. That should be checked before being using. + +Use ENTRIES_IN_SUM to protect invalid value in cur_data_blkoff. + +Signed-off-by: Ocean Chen +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/segment.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index 6802cd754eda..014bee5c0e75 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -1510,6 +1510,11 @@ static int read_compacted_summaries(struct f2fs_sb_info *sbi) + seg_i = CURSEG_I(sbi, i); + segno = le32_to_cpu(ckpt->cur_data_segno[i]); + blk_off = le16_to_cpu(ckpt->cur_data_blkoff[i]); ++ if (blk_off > ENTRIES_IN_SUM) { ++ f2fs_bug_on(sbi, 1); ++ f2fs_put_page(page, 1); ++ return -EFAULT; ++ } + seg_i->next_segno = segno; + reset_curseg(sbi, i, 0); + seg_i->alloc_type = ckpt->alloc_type[i]; +-- +2.20.1 + diff --git a/queue-4.4/iio-iio-utils-fix-possible-incorrect-mask-calculatio.patch b/queue-4.4/iio-iio-utils-fix-possible-incorrect-mask-calculatio.patch new file mode 100644 index 00000000000..f0388dc6e1d --- /dev/null +++ b/queue-4.4/iio-iio-utils-fix-possible-incorrect-mask-calculatio.patch @@ -0,0 +1,53 @@ +From fa68a9c587118c019e95ce3a4ed9730548d0b6b5 Mon Sep 17 00:00:00 2001 +From: Bastien Nocera +Date: Thu, 27 Jun 2019 09:20:45 +0200 +Subject: iio: iio-utils: Fix possible incorrect mask calculation + +[ Upstream commit 208a68c8393d6041a90862992222f3d7943d44d6 ] + +On some machines, iio-sensor-proxy was returning all 0's for IIO sensor +values. It turns out that the bits_used for this sensor is 32, which makes +the mask calculation: + +*mask = (1 << 32) - 1; + +If the compiler interprets the 1 literals as 32-bit ints, it generates +undefined behavior depending on compiler version and optimization level. +On my system, it optimizes out the shift, so the mask value becomes + +*mask = (1) - 1; + +With a mask value of 0, iio-sensor-proxy will always return 0 for every axis. + +Avoid incorrect 0 values caused by compiler optimization. + +See original fix by Brett Dutro in +iio-sensor-proxy: +https://github.com/hadess/iio-sensor-proxy/commit/9615ceac7c134d838660e209726cd86aa2064fd3 + +Signed-off-by: Bastien Nocera +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + tools/iio/iio_utils.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/iio/iio_utils.c b/tools/iio/iio_utils.c +index 5eb6793f3972..2d0dcd6fc64c 100644 +--- a/tools/iio/iio_utils.c ++++ b/tools/iio/iio_utils.c +@@ -163,9 +163,9 @@ int iioutils_get_type(unsigned *is_signed, unsigned *bytes, unsigned *bits_used, + *be = (endianchar == 'b'); + *bytes = padint / 8; + if (*bits_used == 64) +- *mask = ~0; ++ *mask = ~(0ULL); + else +- *mask = (1ULL << *bits_used) - 1; ++ *mask = (1ULL << *bits_used) - 1ULL; + + *is_signed = (signchar == 's'); + if (fclose(sysfsfp)) { +-- +2.20.1 + diff --git a/queue-4.4/kallsyms-exclude-kasan-local-symbols-on-s390.patch b/queue-4.4/kallsyms-exclude-kasan-local-symbols-on-s390.patch new file mode 100644 index 00000000000..7159f1e7db3 --- /dev/null +++ b/queue-4.4/kallsyms-exclude-kasan-local-symbols-on-s390.patch @@ -0,0 +1,68 @@ +From 7ef6bb3beafe785d669a60b1c3ebd2a679ba1212 Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Fri, 28 Jun 2019 19:22:47 +0200 +Subject: kallsyms: exclude kasan local symbols on s390 + +[ Upstream commit 33177f01ca3fe550146bb9001bec2fd806b2f40c ] + +gcc asan instrumentation emits the following sequence to store frame pc +when the kernel is built with CONFIG_RELOCATABLE: +debug/vsprintf.s: + .section .data.rel.ro.local,"aw" + .align 8 +.LC3: + .quad .LASANPC4826@GOTOFF +.text + .align 8 + .type number, @function +number: +.LASANPC4826: + +and in case reloc is issued for LASANPC label it also gets into .symtab +with the same address as actual function symbol: +$ nm -n vmlinux | grep 0000000001397150 +0000000001397150 t .LASANPC4826 +0000000001397150 t number + +In the end kernel backtraces are almost unreadable: +[ 143.748476] Call Trace: +[ 143.748484] ([<000000002da3e62c>] .LASANPC2671+0x114/0x190) +[ 143.748492] [<000000002eca1a58>] .LASANPC2612+0x110/0x160 +[ 143.748502] [<000000002de9d830>] print_address_description+0x80/0x3b0 +[ 143.748511] [<000000002de9dd64>] __kasan_report+0x15c/0x1c8 +[ 143.748521] [<000000002ecb56d4>] strrchr+0x34/0x60 +[ 143.748534] [<000003ff800a9a40>] kasan_strings+0xb0/0x148 [test_kasan] +[ 143.748547] [<000003ff800a9bba>] kmalloc_tests_init+0xe2/0x528 [test_kasan] +[ 143.748555] [<000000002da2117c>] .LASANPC4069+0x354/0x748 +[ 143.748563] [<000000002dbfbb16>] do_init_module+0x136/0x3b0 +[ 143.748571] [<000000002dbff3f4>] .LASANPC3191+0x2164/0x25d0 +[ 143.748580] [<000000002dbffc4c>] .LASANPC3196+0x184/0x1b8 +[ 143.748587] [<000000002ecdf2ec>] system_call+0xd8/0x2d8 + +Since LASANPC labels are not even unique and get into .symtab only due +to relocs filter them out in kallsyms. + +Signed-off-by: Vasily Gorbik +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kallsyms.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c +index 8fa81e84e295..d117c68d1607 100644 +--- a/scripts/kallsyms.c ++++ b/scripts/kallsyms.c +@@ -158,6 +158,9 @@ static int read_symbol(FILE *in, struct sym_entry *s) + /* exclude debugging symbols */ + else if (stype == 'N') + return -1; ++ /* exclude s390 kasan local symbols */ ++ else if (!strncmp(sym, ".LASANPC", 8)) ++ return -1; + + /* include the type field in the symbol name, so that it gets + * compressed together */ +-- +2.20.1 + diff --git a/queue-4.4/locking-lockdep-fix-lock-used-or-unused-stats-error.patch b/queue-4.4/locking-lockdep-fix-lock-used-or-unused-stats-error.patch new file mode 100644 index 00000000000..7b8d9bd1a00 --- /dev/null +++ b/queue-4.4/locking-lockdep-fix-lock-used-or-unused-stats-error.patch @@ -0,0 +1,77 @@ +From 1cecdebf081cebae9cf2b9fae056e08901d7200c Mon Sep 17 00:00:00 2001 +From: Yuyang Du +Date: Tue, 9 Jul 2019 18:15:22 +0800 +Subject: locking/lockdep: Fix lock used or unused stats error + +[ Upstream commit 68d41d8c94a31dfb8233ab90b9baf41a2ed2da68 ] + +The stats variable nr_unused_locks is incremented every time a new lock +class is register and decremented when the lock is first used in +__lock_acquire(). And after all, it is shown and checked in lockdep_stats. + +However, under configurations that either CONFIG_TRACE_IRQFLAGS or +CONFIG_PROVE_LOCKING is not defined: + +The commit: + + 091806515124b20 ("locking/lockdep: Consolidate lock usage bit initialization") + +missed marking the LOCK_USED flag at IRQ usage initialization because +as mark_usage() is not called. And the commit: + + 886532aee3cd42d ("locking/lockdep: Move mark_lock() inside CONFIG_TRACE_IRQFLAGS && CONFIG_PROVE_LOCKING") + +further made mark_lock() not defined such that the LOCK_USED cannot be +marked at all when the lock is first acquired. + +As a result, we fix this by not showing and checking the stats under such +configurations for lockdep_stats. + +Reported-by: Qian Cai +Signed-off-by: Yuyang Du +Signed-off-by: Peter Zijlstra (Intel) +Cc: Andrew Morton +Cc: Linus Torvalds +Cc: Paul E. McKenney +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Will Deacon +Cc: arnd@arndb.de +Cc: frederic@kernel.org +Link: https://lkml.kernel.org/r/20190709101522.9117-1-duyuyang@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/locking/lockdep_proc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/kernel/locking/lockdep_proc.c b/kernel/locking/lockdep_proc.c +index dbb61a302548..9778b6701019 100644 +--- a/kernel/locking/lockdep_proc.c ++++ b/kernel/locking/lockdep_proc.c +@@ -227,6 +227,7 @@ static int lockdep_stats_show(struct seq_file *m, void *v) + nr_hardirq_read_safe = 0, nr_hardirq_read_unsafe = 0, + sum_forward_deps = 0; + ++#ifdef CONFIG_PROVE_LOCKING + list_for_each_entry(class, &all_lock_classes, lock_entry) { + + if (class->usage_mask == 0) +@@ -258,12 +259,12 @@ static int lockdep_stats_show(struct seq_file *m, void *v) + if (class->usage_mask & LOCKF_ENABLED_HARDIRQ_READ) + nr_hardirq_read_unsafe++; + +-#ifdef CONFIG_PROVE_LOCKING + sum_forward_deps += lockdep_count_forward_deps(class); +-#endif + } + #ifdef CONFIG_DEBUG_LOCKDEP + DEBUG_LOCKS_WARN_ON(debug_atomic_read(nr_unused_locks) != nr_unused); ++#endif ++ + #endif + seq_printf(m, " lock-classes: %11lu [max: %lu]\n", + nr_lock_classes, MAX_LOCKDEP_KEYS); +-- +2.20.1 + diff --git a/queue-4.4/locking-lockdep-hide-unused-class-variable.patch b/queue-4.4/locking-lockdep-hide-unused-class-variable.patch new file mode 100644 index 00000000000..afeb58fb971 --- /dev/null +++ b/queue-4.4/locking-lockdep-hide-unused-class-variable.patch @@ -0,0 +1,58 @@ +From 18fef0a20c9980304914e3928c73a9206a3bce53 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 15 Jul 2019 11:27:49 +0200 +Subject: locking/lockdep: Hide unused 'class' variable + +[ Upstream commit 68037aa78208f34bda4e5cd76c357f718b838cbb ] + +The usage is now hidden in an #ifdef, so we need to move +the variable itself in there as well to avoid this warning: + + kernel/locking/lockdep_proc.c:203:21: error: unused variable 'class' [-Werror,-Wunused-variable] + +Signed-off-by: Arnd Bergmann +Signed-off-by: Peter Zijlstra (Intel) +Cc: Andrew Morton +Cc: Bart Van Assche +Cc: Linus Torvalds +Cc: Paul E. McKenney +Cc: Peter Zijlstra +Cc: Qian Cai +Cc: Thomas Gleixner +Cc: Waiman Long +Cc: Will Deacon +Cc: Will Deacon +Cc: Yuyang Du +Cc: frederic@kernel.org +Fixes: 68d41d8c94a3 ("locking/lockdep: Fix lock used or unused stats error") +Link: https://lkml.kernel.org/r/20190715092809.736834-1-arnd@arndb.de +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/locking/lockdep_proc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/locking/lockdep_proc.c b/kernel/locking/lockdep_proc.c +index 9778b6701019..35b34eccdd10 100644 +--- a/kernel/locking/lockdep_proc.c ++++ b/kernel/locking/lockdep_proc.c +@@ -217,7 +217,6 @@ static void lockdep_stats_debug_show(struct seq_file *m) + + static int lockdep_stats_show(struct seq_file *m, void *v) + { +- struct lock_class *class; + unsigned long nr_unused = 0, nr_uncategorized = 0, + nr_irq_safe = 0, nr_irq_unsafe = 0, + nr_softirq_safe = 0, nr_softirq_unsafe = 0, +@@ -228,6 +227,8 @@ static int lockdep_stats_show(struct seq_file *m, void *v) + sum_forward_deps = 0; + + #ifdef CONFIG_PROVE_LOCKING ++ struct lock_class *class; ++ + list_for_each_entry(class, &all_lock_classes, lock_entry) { + + if (class->usage_mask == 0) +-- +2.20.1 + diff --git a/queue-4.4/mailbox-handle-failed-named-mailbox-channel-request.patch b/queue-4.4/mailbox-handle-failed-named-mailbox-channel-request.patch new file mode 100644 index 00000000000..7ac5d4703b9 --- /dev/null +++ b/queue-4.4/mailbox-handle-failed-named-mailbox-channel-request.patch @@ -0,0 +1,44 @@ +From 1afa1383baae79e642ed8c44bdd4c258fdf17f8f Mon Sep 17 00:00:00 2001 +From: morten petersen +Date: Mon, 8 Jul 2019 11:41:54 +0000 +Subject: mailbox: handle failed named mailbox channel request + +[ Upstream commit 25777e5784a7b417967460d4fcf9660d05a0c320 ] + +Previously, if mbox_request_channel_byname was used with a name +which did not exist in the "mbox-names" property of a mailbox +client, the mailbox corresponding to the last entry in the +"mbox-names" list would be incorrectly selected. +With this patch, -EINVAL is returned if the named mailbox is +not found. + +Signed-off-by: Morten Borup Petersen +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/mailbox.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c +index 9cf826df89b1..b4ad85251cf7 100644 +--- a/drivers/mailbox/mailbox.c ++++ b/drivers/mailbox/mailbox.c +@@ -389,11 +389,13 @@ struct mbox_chan *mbox_request_channel_byname(struct mbox_client *cl, + + of_property_for_each_string(np, "mbox-names", prop, mbox_name) { + if (!strncmp(name, mbox_name, strlen(name))) +- break; ++ return mbox_request_channel(cl, index); + index++; + } + +- return mbox_request_channel(cl, index); ++ dev_err(cl->dev, "%s() could not locate channel named \"%s\"\n", ++ __func__, name); ++ return ERR_PTR(-EINVAL); + } + EXPORT_SYMBOL_GPL(mbox_request_channel_byname); + +-- +2.20.1 + diff --git a/queue-4.4/memstick-fix-error-cleanup-path-of-memstick_init.patch b/queue-4.4/memstick-fix-error-cleanup-path-of-memstick_init.patch new file mode 100644 index 00000000000..e0dc2615237 --- /dev/null +++ b/queue-4.4/memstick-fix-error-cleanup-path-of-memstick_init.patch @@ -0,0 +1,75 @@ +From 8b9925bafa84e8e9cd2ac67fde3b598010a6c6b8 Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Wed, 15 May 2019 22:37:25 +0800 +Subject: memstick: Fix error cleanup path of memstick_init + +[ Upstream commit 65f1a0d39c289bb6fc85635528cd36c4b07f560e ] + +If bus_register fails. On its error handling path, it has cleaned up +what it has done. There is no need to call bus_unregister again. +Otherwise, if bus_unregister is called, issues such as null-ptr-deref +will arise. + +Syzkaller report this: + +kobject_add_internal failed for memstick (error: -12 parent: bus) +BUG: KASAN: null-ptr-deref in sysfs_remove_file_ns+0x1b/0x40 fs/sysfs/file.c:467 +Read of size 8 at addr 0000000000000078 by task syz-executor.0/4460 + +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xa9/0x10e lib/dump_stack.c:113 + __kasan_report+0x171/0x18d mm/kasan/report.c:321 + kasan_report+0xe/0x20 mm/kasan/common.c:614 + sysfs_remove_file_ns+0x1b/0x40 fs/sysfs/file.c:467 + sysfs_remove_file include/linux/sysfs.h:519 [inline] + bus_remove_file+0x6c/0x90 drivers/base/bus.c:145 + remove_probe_files drivers/base/bus.c:599 [inline] + bus_unregister+0x6e/0x100 drivers/base/bus.c:916 ? 0xffffffffc1590000 + memstick_init+0x7a/0x1000 [memstick] + do_one_initcall+0xb9/0x3b5 init/main.c:914 + do_init_module+0xe0/0x330 kernel/module.c:3468 + load_module+0x38eb/0x4270 kernel/module.c:3819 + __do_sys_finit_module+0x162/0x190 kernel/module.c:3909 + do_syscall_64+0x72/0x2a0 arch/x86/entry/common.c:298 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fixes: baf8532a147d ("memstick: initial commit for Sony MemoryStick support") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/memstick/core/memstick.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/memstick/core/memstick.c b/drivers/memstick/core/memstick.c +index 4d673a626db4..1041eb7a6167 100644 +--- a/drivers/memstick/core/memstick.c ++++ b/drivers/memstick/core/memstick.c +@@ -629,13 +629,18 @@ static int __init memstick_init(void) + return -ENOMEM; + + rc = bus_register(&memstick_bus_type); +- if (!rc) +- rc = class_register(&memstick_host_class); ++ if (rc) ++ goto error_destroy_workqueue; + +- if (!rc) +- return 0; ++ rc = class_register(&memstick_host_class); ++ if (rc) ++ goto error_bus_unregister; ++ ++ return 0; + ++error_bus_unregister: + bus_unregister(&memstick_bus_type); ++error_destroy_workqueue: + destroy_workqueue(workqueue); + + return rc; +-- +2.20.1 + diff --git a/queue-4.4/mfd-arizona-fix-undefined-behavior.patch b/queue-4.4/mfd-arizona-fix-undefined-behavior.patch new file mode 100644 index 00000000000..eaea19afcc9 --- /dev/null +++ b/queue-4.4/mfd-arizona-fix-undefined-behavior.patch @@ -0,0 +1,52 @@ +From 94d6da8342cc31ff0b059dc4f40b99adf6c2a986 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 20 May 2019 10:06:25 +0100 +Subject: mfd: arizona: Fix undefined behavior + +[ Upstream commit 5da6cbcd2f395981aa9bfc571ace99f1c786c985 ] + +When the driver is used with a subdevice that is disabled in the +kernel configuration, clang gets a little confused about the +control flow and fails to notice that n_subdevs is only +uninitialized when subdevs is NULL, and we check for that, +leading to a false-positive warning: + +drivers/mfd/arizona-core.c:1423:19: error: variable 'n_subdevs' is uninitialized when used here + [-Werror,-Wuninitialized] + subdevs, n_subdevs, NULL, 0, NULL); + ^~~~~~~~~ +drivers/mfd/arizona-core.c:999:15: note: initialize the variable 'n_subdevs' to silence this warning + int n_subdevs, ret, i; + ^ + = 0 + +Ideally, we would rearrange the code to avoid all those early +initializations and have an explicit exit in each disabled case, +but it's much easier to chicken out and add one more initialization +here to shut up the warning. + +Signed-off-by: Arnd Bergmann +Reviewed-by: Nathan Chancellor +Signed-off-by: Charles Keepax +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/arizona-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mfd/arizona-core.c b/drivers/mfd/arizona-core.c +index d474732cc65c..fb54de5c1aba 100644 +--- a/drivers/mfd/arizona-core.c ++++ b/drivers/mfd/arizona-core.c +@@ -967,7 +967,7 @@ int arizona_dev_init(struct arizona *arizona) + unsigned int reg, val, mask; + int (*apply_patch)(struct arizona *) = NULL; + const struct mfd_cell *subdevs = NULL; +- int n_subdevs, ret, i; ++ int n_subdevs = 0, ret, i; + + dev_set_drvdata(arizona->dev, arizona); + mutex_init(&arizona->clk_lock); +-- +2.20.1 + diff --git a/queue-4.4/mfd-core-set-fwnode-for-created-devices.patch b/queue-4.4/mfd-core-set-fwnode-for-created-devices.patch new file mode 100644 index 00000000000..3132943ddc4 --- /dev/null +++ b/queue-4.4/mfd-core-set-fwnode-for-created-devices.patch @@ -0,0 +1,34 @@ +From 60805ac426436d90225abfb5424c8f4182510b6a Mon Sep 17 00:00:00 2001 +From: Robert Hancock +Date: Tue, 4 Jun 2019 16:35:43 -0600 +Subject: mfd: core: Set fwnode for created devices + +[ Upstream commit c176c6d7e932662668bcaec2d763657096589d85 ] + +The logic for setting the of_node on devices created by mfd did not set +the fwnode pointer to match, which caused fwnode-based APIs to +malfunction on these devices since the fwnode pointer was null. Fix +this. + +Signed-off-by: Robert Hancock +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/mfd-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c +index 022c9374ce8b..215bb5eeb5ac 100644 +--- a/drivers/mfd/mfd-core.c ++++ b/drivers/mfd/mfd-core.c +@@ -178,6 +178,7 @@ static int mfd_add_device(struct device *parent, int id, + for_each_child_of_node(parent->of_node, np) { + if (of_device_is_compatible(np, cell->of_compatible)) { + pdev->dev.of_node = np; ++ pdev->dev.fwnode = &np->fwnode; + break; + } + } +-- +2.20.1 + diff --git a/queue-4.4/mm-kmemleak.c-fix-check-for-softirq-context.patch b/queue-4.4/mm-kmemleak.c-fix-check-for-softirq-context.patch new file mode 100644 index 00000000000..fc949c4465f --- /dev/null +++ b/queue-4.4/mm-kmemleak.c-fix-check-for-softirq-context.patch @@ -0,0 +1,96 @@ +From 7dc90c4785e94da2f8447f956cd61529e0a7bd8e Mon Sep 17 00:00:00 2001 +From: Dmitry Vyukov +Date: Thu, 11 Jul 2019 20:53:39 -0700 +Subject: mm/kmemleak.c: fix check for softirq context + +[ Upstream commit 6ef9056952532c3b746de46aa10d45b4d7797bd8 ] + +in_softirq() is a wrong predicate to check if we are in a softirq +context. It also returns true if we have BH disabled, so objects are +falsely stamped with "softirq" comm. The correct predicate is +in_serving_softirq(). + +If user does cat from /sys/kernel/debug/kmemleak previously they would +see this, which is clearly wrong, this is system call context (see the +comm): + +unreferenced object 0xffff88805bd661c0 (size 64): + comm "softirq", pid 0, jiffies 4294942959 (age 12.400s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ + backtrace: + [<0000000007dcb30c>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] + [<0000000007dcb30c>] slab_post_alloc_hook mm/slab.h:439 [inline] + [<0000000007dcb30c>] slab_alloc mm/slab.c:3326 [inline] + [<0000000007dcb30c>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553 + [<00000000969722b7>] kmalloc include/linux/slab.h:547 [inline] + [<00000000969722b7>] kzalloc include/linux/slab.h:742 [inline] + [<00000000969722b7>] ip_mc_add1_src net/ipv4/igmp.c:1961 [inline] + [<00000000969722b7>] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2085 + [<00000000a4134b5f>] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2475 + [<00000000d20248ad>] do_ip_setsockopt.isra.0+0x19fe/0x1c00 net/ipv4/ip_sockglue.c:957 + [<000000003d367be7>] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1246 + [<000000003c7c76af>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2616 + [<000000000c1aeb23>] sock_common_setsockopt+0x3e/0x50 net/core/sock.c:3130 + [<000000000157b92b>] __sys_setsockopt+0x9e/0x120 net/socket.c:2078 + [<00000000a9f3d058>] __do_sys_setsockopt net/socket.c:2089 [inline] + [<00000000a9f3d058>] __se_sys_setsockopt net/socket.c:2086 [inline] + [<00000000a9f3d058>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2086 + [<000000001b8da885>] do_syscall_64+0x7c/0x1a0 arch/x86/entry/common.c:301 + [<00000000ba770c62>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +now they will see this: + +unreferenced object 0xffff88805413c800 (size 64): + comm "syz-executor.4", pid 8960, jiffies 4294994003 (age 14.350s) + hex dump (first 32 bytes): + 00 7a 8a 57 80 88 ff ff e0 00 00 01 00 00 00 00 .z.W............ + 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000c5d3be64>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] + [<00000000c5d3be64>] slab_post_alloc_hook mm/slab.h:439 [inline] + [<00000000c5d3be64>] slab_alloc mm/slab.c:3326 [inline] + [<00000000c5d3be64>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553 + [<0000000023865be2>] kmalloc include/linux/slab.h:547 [inline] + [<0000000023865be2>] kzalloc include/linux/slab.h:742 [inline] + [<0000000023865be2>] ip_mc_add1_src net/ipv4/igmp.c:1961 [inline] + [<0000000023865be2>] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2085 + [<000000003029a9d4>] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2475 + [<00000000ccd0a87c>] do_ip_setsockopt.isra.0+0x19fe/0x1c00 net/ipv4/ip_sockglue.c:957 + [<00000000a85a3785>] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1246 + [<00000000ec13c18d>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2616 + [<0000000052d748e3>] sock_common_setsockopt+0x3e/0x50 net/core/sock.c:3130 + [<00000000512f1014>] __sys_setsockopt+0x9e/0x120 net/socket.c:2078 + [<00000000181758bc>] __do_sys_setsockopt net/socket.c:2089 [inline] + [<00000000181758bc>] __se_sys_setsockopt net/socket.c:2086 [inline] + [<00000000181758bc>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2086 + [<00000000d4b73623>] do_syscall_64+0x7c/0x1a0 arch/x86/entry/common.c:301 + [<00000000c1098bec>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Link: http://lkml.kernel.org/r/20190517171507.96046-1-dvyukov@gmail.com +Signed-off-by: Dmitry Vyukov +Acked-by: Catalin Marinas +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/kmemleak.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mm/kmemleak.c b/mm/kmemleak.c +index 84c93879aa5d..4d675318754e 100644 +--- a/mm/kmemleak.c ++++ b/mm/kmemleak.c +@@ -566,7 +566,7 @@ static struct kmemleak_object *create_object(unsigned long ptr, size_t size, + if (in_irq()) { + object->pid = 0; + strncpy(object->comm, "hardirq", sizeof(object->comm)); +- } else if (in_softirq()) { ++ } else if (in_serving_softirq()) { + object->pid = 0; + strncpy(object->comm, "softirq", sizeof(object->comm)); + } else { +-- +2.20.1 + diff --git a/queue-4.4/mm-mmu_notifier-use-hlist_add_head_rcu.patch b/queue-4.4/mm-mmu_notifier-use-hlist_add_head_rcu.patch new file mode 100644 index 00000000000..d770fee7820 --- /dev/null +++ b/queue-4.4/mm-mmu_notifier-use-hlist_add_head_rcu.patch @@ -0,0 +1,69 @@ +From 13517ce91877e027459121c4e35815db467fc0d0 Mon Sep 17 00:00:00 2001 +From: Jean-Philippe Brucker +Date: Thu, 11 Jul 2019 20:58:50 -0700 +Subject: mm/mmu_notifier: use hlist_add_head_rcu() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 543bdb2d825fe2400d6e951f1786d92139a16931 ] + +Make mmu_notifier_register() safer by issuing a memory barrier before +registering a new notifier. This fixes a theoretical bug on weakly +ordered CPUs. For example, take this simplified use of notifiers by a +driver: + + my_struct->mn.ops = &my_ops; /* (1) */ + mmu_notifier_register(&my_struct->mn, mm) + ... + hlist_add_head(&mn->hlist, &mm->mmu_notifiers); /* (2) */ + ... + +Once mmu_notifier_register() releases the mm locks, another thread can +invalidate a range: + + mmu_notifier_invalidate_range() + ... + hlist_for_each_entry_rcu(mn, &mm->mmu_notifiers, hlist) { + if (mn->ops->invalidate_range) + +The read side relies on the data dependency between mn and ops to ensure +that the pointer is properly initialized. But the write side doesn't have +any dependency between (1) and (2), so they could be reordered and the +readers could dereference an invalid mn->ops. mmu_notifier_register() +does take all the mm locks before adding to the hlist, but those have +acquire semantics which isn't sufficient. + +By calling hlist_add_head_rcu() instead of hlist_add_head() we update the +hlist using a store-release, ensuring that readers see prior +initialization of my_struct. This situation is better illustated by +litmus test MP+onceassign+derefonce. + +Link: http://lkml.kernel.org/r/20190502133532.24981-1-jean-philippe.brucker@arm.com +Fixes: cddb8a5c14aa ("mmu-notifiers: core") +Signed-off-by: Jean-Philippe Brucker +Cc: Jérôme Glisse +Cc: Michal Hocko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/mmu_notifier.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c +index 5fbdd367bbed..ad90b8f85223 100644 +--- a/mm/mmu_notifier.c ++++ b/mm/mmu_notifier.c +@@ -286,7 +286,7 @@ static int do_mmu_notifier_register(struct mmu_notifier *mn, + * thanks to mm_take_all_locks(). + */ + spin_lock(&mm->mmu_notifier_mm->lock); +- hlist_add_head(&mn->hlist, &mm->mmu_notifier_mm->list); ++ hlist_add_head_rcu(&mn->hlist, &mm->mmu_notifier_mm->list); + spin_unlock(&mm->mmu_notifier_mm->lock); + + mm_drop_all_locks(mm); +-- +2.20.1 + diff --git a/queue-4.4/nfsd-fix-overflow-causing-non-working-mounts-on-1-tb.patch b/queue-4.4/nfsd-fix-overflow-causing-non-working-mounts-on-1-tb.patch new file mode 100644 index 00000000000..f6964bd3933 --- /dev/null +++ b/queue-4.4/nfsd-fix-overflow-causing-non-working-mounts-on-1-tb.patch @@ -0,0 +1,70 @@ +From 697160c2bdc6149bcd30d1c6b4bf9818de6517b9 Mon Sep 17 00:00:00 2001 +From: Paul Menzel +Date: Wed, 3 Jul 2019 13:28:15 +0200 +Subject: nfsd: Fix overflow causing non-working mounts on 1 TB machines +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 3b2d4dcf71c4a91b420f835e52ddea8192300a3b ] + +Since commit 10a68cdf10 (nfsd: fix performance-limiting session +calculation) (Linux 5.1-rc1 and 4.19.31), shares from NFS servers with +1 TB of memory cannot be mounted anymore. The mount just hangs on the +client. + +The gist of commit 10a68cdf10 is the change below. + + -avail = clamp_t(int, avail, slotsize, avail/3); + +avail = clamp_t(int, avail, slotsize, total_avail/3); + +Here are the macros. + + #define min_t(type, x, y) __careful_cmp((type)(x), (type)(y), <) + #define clamp_t(type, val, lo, hi) min_t(type, max_t(type, val, lo), hi) + +`total_avail` is 8,434,659,328 on the 1 TB machine. `clamp_t()` casts +the values to `int`, which for 32-bit integers can only hold values +−2,147,483,648 (−2^31) through 2,147,483,647 (2^31 − 1). + +`avail` (in the function signature) is just 65536, so that no overflow +was happening. Before the commit the assignment would result in 21845, +and `num = 4`. + +When using `total_avail`, it is causing the assignment to be +18446744072226137429 (printed as %lu), and `num` is then 4164608182. + +My next guess is, that `nfsd_drc_mem_used` is then exceeded, and the +server thinks there is no memory available any more for this client. + +Updating the arguments of `clamp_t()` and `min_t()` to `unsigned long` +fixes the issue. + +Now, `avail = 65536` (before commit 10a68cdf10 `avail = 21845`), but +`num = 4` remains the same. + +Fixes: c54f24e338ed (nfsd: fix performance-limiting session calculation) +Cc: stable@vger.kernel.org +Signed-off-by: Paul Menzel +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4state.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index 1e1abf1d5769..ea5cb1ba282f 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -1400,7 +1400,7 @@ static u32 nfsd4_get_drc_mem(struct nfsd4_channel_attrs *ca) + * Never use more than a third of the remaining memory, + * unless it's the only way to give this client a slot: + */ +- avail = clamp_t(int, avail, slotsize, total_avail/3); ++ avail = clamp_t(unsigned long, avail, slotsize, total_avail/3); + num = min_t(int, num, avail / slotsize); + nfsd_drc_mem_used += num * slotsize; + spin_unlock(&nfsd_drc_lock); +-- +2.20.1 + diff --git a/queue-4.4/nfsd-fix-performance-limiting-session-calculation.patch b/queue-4.4/nfsd-fix-performance-limiting-session-calculation.patch new file mode 100644 index 00000000000..ff7f0c4b502 --- /dev/null +++ b/queue-4.4/nfsd-fix-performance-limiting-session-calculation.patch @@ -0,0 +1,55 @@ +From c186e9d8b23749400f6c3107b4085d0ae3d1bbe4 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Thu, 21 Feb 2019 10:47:00 -0500 +Subject: nfsd: fix performance-limiting session calculation + +[ Upstream commit c54f24e338ed2a35218f117a4a1afb5f9e2b4e64 ] + +We're unintentionally limiting the number of slots per nfsv4.1 session +to 10. Often more than 10 simultaneous RPCs are needed for the best +performance. + +This calculation was meant to prevent any one client from using up more +than a third of the limit we set for total memory use across all clients +and sessions. Instead, it's limiting the client to a third of the +maximum for a single session. + +Fix this. + +Reported-by: Chris Tracy +Cc: stable@vger.kernel.org +Fixes: de766e570413 "nfsd: give out fewer session slots as limit approaches" +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4state.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index eb0f8af5203a..1e1abf1d5769 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -1391,16 +1391,16 @@ static u32 nfsd4_get_drc_mem(struct nfsd4_channel_attrs *ca) + { + u32 slotsize = slot_bytes(ca); + u32 num = ca->maxreqs; +- int avail; ++ unsigned long avail, total_avail; + + spin_lock(&nfsd_drc_lock); +- avail = min((unsigned long)NFSD_MAX_MEM_PER_SESSION, +- nfsd_drc_max_mem - nfsd_drc_mem_used); ++ total_avail = nfsd_drc_max_mem - nfsd_drc_mem_used; ++ avail = min((unsigned long)NFSD_MAX_MEM_PER_SESSION, total_avail); + /* + * Never use more than a third of the remaining memory, + * unless it's the only way to give this client a slot: + */ +- avail = clamp_t(int, avail, slotsize, avail/3); ++ avail = clamp_t(int, avail, slotsize, total_avail/3); + num = min_t(int, num, avail / slotsize); + nfsd_drc_mem_used += num * slotsize; + spin_unlock(&nfsd_drc_lock); +-- +2.20.1 + diff --git a/queue-4.4/nfsd-give-out-fewer-session-slots-as-limit-approache.patch b/queue-4.4/nfsd-give-out-fewer-session-slots-as-limit-approache.patch new file mode 100644 index 00000000000..51d8bdbf7af --- /dev/null +++ b/queue-4.4/nfsd-give-out-fewer-session-slots-as-limit-approache.patch @@ -0,0 +1,38 @@ +From c6959b0e77c144d483d10c6cb64240dd8ee03e11 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Tue, 19 Sep 2017 19:25:41 -0400 +Subject: nfsd: give out fewer session slots as limit approaches + +[ Upstream commit de766e570413bd0484af0b580299b495ada625c3 ] + +Instead of granting client's full requests until we hit our DRC size +limit and then failing CREATE_SESSIONs (and hence mounts) completely, +start granting clients smaller slot tables as we approach the limit. + +The factor chosen here is pretty much arbitrary. + +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4state.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index ba27a5ff8677..eb0f8af5203a 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -1396,6 +1396,11 @@ static u32 nfsd4_get_drc_mem(struct nfsd4_channel_attrs *ca) + spin_lock(&nfsd_drc_lock); + avail = min((unsigned long)NFSD_MAX_MEM_PER_SESSION, + nfsd_drc_max_mem - nfsd_drc_mem_used); ++ /* ++ * Never use more than a third of the remaining memory, ++ * unless it's the only way to give this client a slot: ++ */ ++ avail = clamp_t(int, avail, slotsize, avail/3); + num = min_t(int, num, avail / slotsize); + nfsd_drc_mem_used += num * slotsize; + spin_unlock(&nfsd_drc_lock); +-- +2.20.1 + diff --git a/queue-4.4/nfsd-increase-drc-cache-limit.patch b/queue-4.4/nfsd-increase-drc-cache-limit.patch new file mode 100644 index 00000000000..d4d09d7b781 --- /dev/null +++ b/queue-4.4/nfsd-increase-drc-cache-limit.patch @@ -0,0 +1,38 @@ +From 295a577347cac27045c92449070e4efa5a1586bc Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Tue, 19 Sep 2017 20:51:31 -0400 +Subject: nfsd: increase DRC cache limit + +[ Upstream commit 44d8660d3bb0a1c8363ebcb906af2343ea8e15f6 ] + +An NFSv4.1+ client negotiates the size of its duplicate reply cache size +in the initial CREATE_SESSION request. The server preallocates the +memory for the duplicate reply cache to ensure that we'll never fail to +record the response to a nonidempotent operation. + +To prevent a few CREATE_SESSIONs from consuming all of memory we set an +upper limit based on nr_free_buffer_pages(). 1/2^10 has been too +limiting in practice; 1/2^7 is still less than one percent. + +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfssvc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c +index b6eb56d18568..0fa990f08daf 100644 +--- a/fs/nfsd/nfssvc.c ++++ b/fs/nfsd/nfssvc.c +@@ -360,7 +360,7 @@ void nfsd_reset_versions(void) + */ + static void set_max_drc(void) + { +- #define NFSD_DRC_SIZE_SHIFT 10 ++ #define NFSD_DRC_SIZE_SHIFT 7 + nfsd_drc_max_mem = (nr_free_buffer_pages() + >> NFSD_DRC_SIZE_SHIFT) * PAGE_SIZE; + nfsd_drc_mem_used = 0; +-- +2.20.1 + diff --git a/queue-4.4/nfsv4-fix-open-create-exclusive-when-the-server-rebo.patch b/queue-4.4/nfsv4-fix-open-create-exclusive-when-the-server-rebo.patch new file mode 100644 index 00000000000..943987378dc --- /dev/null +++ b/queue-4.4/nfsv4-fix-open-create-exclusive-when-the-server-rebo.patch @@ -0,0 +1,141 @@ +From d70a29c4876629d388df5f24e3fcc298fad09334 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 6 Nov 2017 15:28:03 -0500 +Subject: NFSv4: Fix open create exclusive when the server reboots + +[ Upstream commit 8fd1ab747d2b1ec7ec663ad0b41a32eaa35117a8 ] + +If the server that does not implement NFSv4.1 persistent session +semantics reboots while we are performing an exclusive create, +then the return value of NFS4ERR_DELAY when we replay the open +during the grace period causes us to lose the verifier. +When the grace period expires, and we present a new verifier, +the server will then correctly reply NFS4ERR_EXIST. + +This commit ensures that we always present the same verifier when +replaying the OPEN. + +Reported-by: Tigran Mkrtchyan +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 41 ++++++++++++++++++++++++++--------------- + 1 file changed, 26 insertions(+), 15 deletions(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 41c8ddbc80dc..d1816ee0c11b 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -997,6 +997,12 @@ struct nfs4_opendata { + int cancelled; + }; + ++struct nfs4_open_createattrs { ++ struct nfs4_label *label; ++ struct iattr *sattr; ++ const __u32 verf[2]; ++}; ++ + static bool nfs4_clear_cap_atomic_open_v1(struct nfs_server *server, + int err, struct nfs4_exception *exception) + { +@@ -1066,8 +1072,7 @@ static void nfs4_init_opendata_res(struct nfs4_opendata *p) + + static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry, + struct nfs4_state_owner *sp, fmode_t fmode, int flags, +- const struct iattr *attrs, +- struct nfs4_label *label, ++ const struct nfs4_open_createattrs *c, + enum open_claim_type4 claim, + gfp_t gfp_mask) + { +@@ -1075,6 +1080,7 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry, + struct inode *dir = d_inode(parent); + struct nfs_server *server = NFS_SERVER(dir); + struct nfs_seqid *(*alloc_seqid)(struct nfs_seqid_counter *, gfp_t); ++ struct nfs4_label *label = (c != NULL) ? c->label : NULL; + struct nfs4_opendata *p; + + p = kzalloc(sizeof(*p), gfp_mask); +@@ -1131,15 +1137,11 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry, + case NFS4_OPEN_CLAIM_DELEG_PREV_FH: + p->o_arg.fh = NFS_FH(d_inode(dentry)); + } +- if (attrs != NULL && attrs->ia_valid != 0) { +- __u32 verf[2]; +- ++ if (c != NULL && c->sattr != NULL && c->sattr->ia_valid != 0) { + p->o_arg.u.attrs = &p->attrs; +- memcpy(&p->attrs, attrs, sizeof(p->attrs)); ++ memcpy(&p->attrs, c->sattr, sizeof(p->attrs)); + +- verf[0] = jiffies; +- verf[1] = current->pid; +- memcpy(p->o_arg.u.verifier.data, verf, ++ memcpy(p->o_arg.u.verifier.data, c->verf, + sizeof(p->o_arg.u.verifier.data)); + } + p->c_arg.fh = &p->o_res.fh; +@@ -1653,7 +1655,7 @@ static struct nfs4_opendata *nfs4_open_recoverdata_alloc(struct nfs_open_context + struct nfs4_opendata *opendata; + + opendata = nfs4_opendata_alloc(ctx->dentry, state->owner, 0, 0, +- NULL, NULL, claim, GFP_NOFS); ++ NULL, claim, GFP_NOFS); + if (opendata == NULL) + return ERR_PTR(-ENOMEM); + opendata->state = state; +@@ -2488,8 +2490,7 @@ static int _nfs4_open_and_get_state(struct nfs4_opendata *opendata, + static int _nfs4_do_open(struct inode *dir, + struct nfs_open_context *ctx, + int flags, +- struct iattr *sattr, +- struct nfs4_label *label, ++ const struct nfs4_open_createattrs *c, + int *opened) + { + struct nfs4_state_owner *sp; +@@ -2501,6 +2502,8 @@ static int _nfs4_do_open(struct inode *dir, + struct nfs4_threshold **ctx_th = &ctx->mdsthreshold; + fmode_t fmode = ctx->mode & (FMODE_READ|FMODE_WRITE|FMODE_EXEC); + enum open_claim_type4 claim = NFS4_OPEN_CLAIM_NULL; ++ struct iattr *sattr = c->sattr; ++ struct nfs4_label *label = c->label; + struct nfs4_label *olabel = NULL; + int status; + +@@ -2519,8 +2522,8 @@ static int _nfs4_do_open(struct inode *dir, + status = -ENOMEM; + if (d_really_is_positive(dentry)) + claim = NFS4_OPEN_CLAIM_FH; +- opendata = nfs4_opendata_alloc(dentry, sp, fmode, flags, sattr, +- label, claim, GFP_KERNEL); ++ opendata = nfs4_opendata_alloc(dentry, sp, fmode, flags, ++ c, claim, GFP_KERNEL); + if (opendata == NULL) + goto err_put_state_owner; + +@@ -2596,10 +2599,18 @@ static struct nfs4_state *nfs4_do_open(struct inode *dir, + struct nfs_server *server = NFS_SERVER(dir); + struct nfs4_exception exception = { }; + struct nfs4_state *res; ++ struct nfs4_open_createattrs c = { ++ .label = label, ++ .sattr = sattr, ++ .verf = { ++ [0] = (__u32)jiffies, ++ [1] = (__u32)current->pid, ++ }, ++ }; + int status; + + do { +- status = _nfs4_do_open(dir, ctx, flags, sattr, label, opened); ++ status = _nfs4_do_open(dir, ctx, flags, &c, opened); + res = ctx->state; + trace_nfs4_open_file(ctx, flags, status); + if (status == 0) +-- +2.20.1 + diff --git a/queue-4.4/pci-sysfs-ignore-lockdep-for-remove-attribute.patch b/queue-4.4/pci-sysfs-ignore-lockdep-for-remove-attribute.patch new file mode 100644 index 00000000000..f09b40f406a --- /dev/null +++ b/queue-4.4/pci-sysfs-ignore-lockdep-for-remove-attribute.patch @@ -0,0 +1,61 @@ +From b494e3949b2b3a9d93d020031c0a57aea716f89b Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Mon, 27 May 2019 00:51:51 +0200 +Subject: PCI: sysfs: Ignore lockdep for remove attribute + +[ Upstream commit dc6b698a86fe40a50525433eb8e92a267847f6f9 ] + +With CONFIG_PROVE_LOCKING=y, using sysfs to remove a bridge with a device +below it causes a lockdep warning, e.g., + + # echo 1 > /sys/class/pci_bus/0000:00/device/0000:00:00.0/remove + ============================================ + WARNING: possible recursive locking detected + ... + pci_bus 0000:01: busn_res: [bus 01] is released + +The remove recursively removes the subtree below the bridge. Each call +uses a different lock so there's no deadlock, but the locks were all +created with the same lockdep key so the lockdep checker can't tell them +apart. + +Mark the "remove" sysfs attribute with __ATTR_IGNORE_LOCKDEP() as it is +safe to ignore the lockdep check between different "remove" kernfs +instances. + +There's discussion about a similar issue in USB at [1], which resulted in +356c05d58af0 ("sysfs: get rid of some lockdep false positives") and +e9b526fe7048 ("i2c: suppress lockdep warning on delete_device"), which do +basically the same thing for USB "remove" and i2c "delete_device" files. + +[1] https://lore.kernel.org/r/Pine.LNX.4.44L0.1204251436140.1206-100000@iolanthe.rowland.org +Link: https://lore.kernel.org/r/20190526225151.3865-1-marek.vasut@gmail.com +Signed-off-by: Marek Vasut +[bhelgaas: trim commit log, details at above links] +Signed-off-by: Bjorn Helgaas +Cc: Geert Uytterhoeven +Cc: Phil Edworthy +Cc: Simon Horman +Cc: Tejun Heo +Cc: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/pci/pci-sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c +index 5fb4ed6ea322..6ac6618c1c10 100644 +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -371,7 +371,7 @@ static ssize_t remove_store(struct device *dev, struct device_attribute *attr, + pci_stop_and_remove_bus_device_locked(to_pci_dev(dev)); + return count; + } +-static struct device_attribute dev_remove_attr = __ATTR(remove, ++static struct device_attribute dev_remove_attr = __ATTR_IGNORE_LOCKDEP(remove, + (S_IWUSR|S_IWGRP), + NULL, remove_store); + +-- +2.20.1 + diff --git a/queue-4.4/perf-test-mmap-thread-lookup-initialize-variable-to-.patch b/queue-4.4/perf-test-mmap-thread-lookup-initialize-variable-to-.patch new file mode 100644 index 00000000000..cce49043e03 --- /dev/null +++ b/queue-4.4/perf-test-mmap-thread-lookup-initialize-variable-to-.patch @@ -0,0 +1,54 @@ +From e6c7e78ecac3d9c8c2dab15dc1c08a76c97567b2 Mon Sep 17 00:00:00 2001 +From: Numfor Mbiziwo-Tiapo +Date: Tue, 2 Jul 2019 10:37:15 -0700 +Subject: perf test mmap-thread-lookup: Initialize variable to suppress memory + sanitizer warning + +[ Upstream commit 4e4cf62b37da5ff45c904a3acf242ab29ed5881d ] + +Running the 'perf test' command after building perf with a memory +sanitizer causes a warning that says: + + WARNING: MemorySanitizer: use-of-uninitialized-value... in mmap-thread-lookup.c + +Initializing the go variable to 0 silences this harmless warning. + +Committer warning: + +This was harmless, just a simple test writing whatever was at that +sizeof(int) memory area just to signal another thread blocked reading +that file created with pipe(). Initialize it tho so that we don't get +this warning. + +Signed-off-by: Numfor Mbiziwo-Tiapo +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Drayton +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Song Liu +Cc: Stephane Eranian +Link: http://lkml.kernel.org/r/20190702173716.181223-1-nums@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/mmap-thread-lookup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/tests/mmap-thread-lookup.c b/tools/perf/tests/mmap-thread-lookup.c +index 145050e2e544..195ba31e2f35 100644 +--- a/tools/perf/tests/mmap-thread-lookup.c ++++ b/tools/perf/tests/mmap-thread-lookup.c +@@ -49,7 +49,7 @@ static void *thread_fn(void *arg) + { + struct thread_data *td = arg; + ssize_t ret; +- int go; ++ int go = 0; + + if (thread_init(td)) + return NULL; +-- +2.20.1 + diff --git a/queue-4.4/phy-renesas-rcar-gen2-fix-memory-leak-at-error-paths.patch b/queue-4.4/phy-renesas-rcar-gen2-fix-memory-leak-at-error-paths.patch new file mode 100644 index 00000000000..ae9ca91b849 --- /dev/null +++ b/queue-4.4/phy-renesas-rcar-gen2-fix-memory-leak-at-error-paths.patch @@ -0,0 +1,44 @@ +From 7521df618099feb30025b692dedf0990b3c3a72a Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Tue, 28 May 2019 14:04:02 +0900 +Subject: phy: renesas: rcar-gen2: Fix memory leak at error paths + +[ Upstream commit d4a36e82924d3305a17ac987a510f3902df5a4b2 ] + +This patch fixes memory leak at error paths of the probe function. +In for_each_child_of_node, if the loop returns, the driver should +call of_put_node() before returns. + +Reported-by: Julia Lawall +Fixes: 1233f59f745b237 ("phy: Renesas R-Car Gen2 PHY driver") +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Sasha Levin +--- + drivers/phy/phy-rcar-gen2.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/phy/phy-rcar-gen2.c b/drivers/phy/phy-rcar-gen2.c +index c7a05996d5c1..99d2b73654f4 100644 +--- a/drivers/phy/phy-rcar-gen2.c ++++ b/drivers/phy/phy-rcar-gen2.c +@@ -287,6 +287,7 @@ static int rcar_gen2_phy_probe(struct platform_device *pdev) + error = of_property_read_u32(np, "reg", &channel_num); + if (error || channel_num > 2) { + dev_err(dev, "Invalid \"reg\" property\n"); ++ of_node_put(np); + return error; + } + channel->select_mask = select_mask[channel_num]; +@@ -302,6 +303,7 @@ static int rcar_gen2_phy_probe(struct platform_device *pdev) + &rcar_gen2_phy_ops); + if (IS_ERR(phy->phy)) { + dev_err(dev, "Failed to create PHY\n"); ++ of_node_put(np); + return PTR_ERR(phy->phy); + } + phy_set_drvdata(phy->phy, phy); +-- +2.20.1 + diff --git a/queue-4.4/pinctrl-rockchip-fix-leaked-of_node-references.patch b/queue-4.4/pinctrl-rockchip-fix-leaked-of_node-references.patch new file mode 100644 index 00000000000..b59ae1566e1 --- /dev/null +++ b/queue-4.4/pinctrl-rockchip-fix-leaked-of_node-references.patch @@ -0,0 +1,42 @@ +From f8611d7e97e675fb0689a436d40138973fcb09be Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Mon, 15 Apr 2019 14:24:02 +0800 +Subject: pinctrl: rockchip: fix leaked of_node references + +[ Upstream commit 3c89c70634bb0b6f48512de873e7a45c7e1fbaa5 ] + +The call to of_parse_phandle returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +./drivers/pinctrl/pinctrl-rockchip.c:3221:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 3196, but without a corresponding object release within this function. +./drivers/pinctrl/pinctrl-rockchip.c:3223:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 3196, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Cc: Linus Walleij +Cc: Heiko Stuebner +Cc: linux-gpio@vger.kernel.org +Cc: linux-rockchip@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-rockchip.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/pinctrl-rockchip.c b/drivers/pinctrl/pinctrl-rockchip.c +index a0651128e23a..616055b5e996 100644 +--- a/drivers/pinctrl/pinctrl-rockchip.c ++++ b/drivers/pinctrl/pinctrl-rockchip.c +@@ -1837,6 +1837,7 @@ static int rockchip_get_bank_data(struct rockchip_pin_bank *bank, + base, + &rockchip_regmap_config); + } ++ of_node_put(node); + } + + bank->irq = irq_of_parse_and_map(bank->of_node, 0); +-- +2.20.1 + diff --git a/queue-4.4/powerpc-4xx-uic-clear-pending-interrupt-after-irq-ty.patch b/queue-4.4/powerpc-4xx-uic-clear-pending-interrupt-after-irq-ty.patch new file mode 100644 index 00000000000..d6da6332db9 --- /dev/null +++ b/queue-4.4/powerpc-4xx-uic-clear-pending-interrupt-after-irq-ty.patch @@ -0,0 +1,38 @@ +From da23a533373f843d9b6a2e485491e9851201387e Mon Sep 17 00:00:00 2001 +From: Christian Lamparter +Date: Sat, 15 Jun 2019 17:23:13 +0200 +Subject: powerpc/4xx/uic: clear pending interrupt after irq type/pol change + +[ Upstream commit 3ab3a0689e74e6aa5b41360bc18861040ddef5b1 ] + +When testing out gpio-keys with a button, a spurious +interrupt (and therefore a key press or release event) +gets triggered as soon as the driver enables the irq +line for the first time. + +This patch clears any potential bogus generated interrupt +that was caused by the switching of the associated irq's +type and polarity. + +Signed-off-by: Christian Lamparter +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/uic.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/sysdev/uic.c b/arch/powerpc/sysdev/uic.c +index 6893d8f236df..225346dda151 100644 +--- a/arch/powerpc/sysdev/uic.c ++++ b/arch/powerpc/sysdev/uic.c +@@ -158,6 +158,7 @@ static int uic_set_irq_type(struct irq_data *d, unsigned int flow_type) + + mtdcr(uic->dcrbase + UIC_PR, pr); + mtdcr(uic->dcrbase + UIC_TR, tr); ++ mtdcr(uic->dcrbase + UIC_SR, ~mask); + + raw_spin_unlock_irqrestore(&uic->lock, flags); + +-- +2.20.1 + diff --git a/queue-4.4/powerpc-eeh-handle-hugepages-in-ioremap-space.patch b/queue-4.4/powerpc-eeh-handle-hugepages-in-ioremap-space.patch new file mode 100644 index 00000000000..bcd7f0b0cf1 --- /dev/null +++ b/queue-4.4/powerpc-eeh-handle-hugepages-in-ioremap-space.patch @@ -0,0 +1,68 @@ +From 3cc09ea9bb2c3620d6d0ce4262f2a645707ffcb7 Mon Sep 17 00:00:00 2001 +From: Oliver O'Halloran +Date: Thu, 11 Jul 2019 01:05:17 +1000 +Subject: powerpc/eeh: Handle hugepages in ioremap space + +[ Upstream commit 33439620680be5225c1b8806579a291e0d761ca0 ] + +In commit 4a7b06c157a2 ("powerpc/eeh: Handle hugepages in ioremap +space") support for using hugepages in the vmalloc and ioremap areas was +enabled for radix. Unfortunately this broke EEH MMIO error checking. + +Detection works by inserting a hook which checks the results of the +ioreadXX() set of functions. When a read returns a 0xFFs response we +need to check for an error which we do by mapping the (virtual) MMIO +address back to a physical address, then mapping physical address to a +PCI device via an interval tree. + +When translating virt -> phys we currently assume the ioremap space is +only populated by PAGE_SIZE mappings. If a hugepage mapping is found we +emit a WARN_ON(), but otherwise handles the check as though a normal +page was found. In pathalogical cases such as copying a buffer +containing a lot of 0xFFs from BAR memory this can result in the system +not booting because it's too busy printing WARN_ON()s. + +There's no real reason to assume huge pages can't be present and we're +prefectly capable of handling them, so do that. + +Fixes: 4a7b06c157a2 ("powerpc/eeh: Handle hugepages in ioremap space") +Reported-by: Sachin Sant +Signed-off-by: Oliver O'Halloran +Tested-by: Sachin Sant +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20190710150517.27114-1-oohall@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/eeh.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c +index 6696c1986844..16193d7b0635 100644 +--- a/arch/powerpc/kernel/eeh.c ++++ b/arch/powerpc/kernel/eeh.c +@@ -363,10 +363,19 @@ static inline unsigned long eeh_token_to_phys(unsigned long token) + NULL, &hugepage_shift); + if (!ptep) + return token; +- WARN_ON(hugepage_shift); +- pa = pte_pfn(*ptep) << PAGE_SHIFT; + +- return pa | (token & (PAGE_SIZE-1)); ++ pa = pte_pfn(*ptep); ++ ++ /* On radix we can do hugepage mappings for io, so handle that */ ++ if (hugepage_shift) { ++ pa <<= hugepage_shift; ++ pa |= token & ((1ul << hugepage_shift) - 1); ++ } else { ++ pa <<= PAGE_SHIFT; ++ pa |= token & (PAGE_SIZE - 1); ++ } ++ ++ return pa; + } + + /* +-- +2.20.1 + diff --git a/queue-4.4/powerpc-pci-of-fix-of-flags-parsing-for-64bit-bars.patch b/queue-4.4/powerpc-pci-of-fix-of-flags-parsing-for-64bit-bars.patch new file mode 100644 index 00000000000..1a0d1742a4c --- /dev/null +++ b/queue-4.4/powerpc-pci-of-fix-of-flags-parsing-for-64bit-bars.patch @@ -0,0 +1,65 @@ +From 61b1abc08694c1121217b23cfe0be7b548f999cc Mon Sep 17 00:00:00 2001 +From: Alexey Kardashevskiy +Date: Wed, 5 Jun 2019 13:38:14 +1000 +Subject: powerpc/pci/of: Fix OF flags parsing for 64bit BARs + +[ Upstream commit df5be5be8735ef2ae80d5ae1f2453cd81a035c4b ] + +When the firmware does PCI BAR resource allocation, it passes the assigned +addresses and flags (prefetch/64bit/...) via the "reg" property of +a PCI device device tree node so the kernel does not need to do +resource allocation. + +The flags are stored in resource::flags - the lower byte stores +PCI_BASE_ADDRESS_SPACE/etc bits and the other bytes are IORESOURCE_IO/etc. +Some flags from PCI_BASE_ADDRESS_xxx and IORESOURCE_xxx are duplicated, +such as PCI_BASE_ADDRESS_MEM_PREFETCH/PCI_BASE_ADDRESS_MEM_TYPE_64/etc. +When parsing the "reg" property, we copy the prefetch flag but we skip +on PCI_BASE_ADDRESS_MEM_TYPE_64 which leaves the flags out of sync. + +The missing IORESOURCE_MEM_64 flag comes into play under 2 conditions: +1. we remove PCI_PROBE_ONLY for pseries (by hacking pSeries_setup_arch() +or by passing "/chosen/linux,pci-probe-only"); +2. we request resource alignment (by passing pci=resource_alignment= +via the kernel cmd line to request PAGE_SIZE alignment or defining +ppc_md.pcibios_default_alignment which returns anything but 0). Note that +the alignment requests are ignored if PCI_PROBE_ONLY is enabled. + +With 1) and 2), the generic PCI code in the kernel unconditionally +decides to: +- reassign the BARs in pci_specified_resource_alignment() (works fine) +- write new BARs to the device - this fails for 64bit BARs as the generic +code looks at IORESOURCE_MEM_64 (not set) and writes only lower 32bits +of the BAR and leaves the upper 32bit unmodified which breaks BAR mapping +in the hypervisor. + +This fixes the issue by copying the flag. This is useful if we want to +enforce certain BAR alignment per platform as handling subpage sized BARs +is proven to cause problems with hotplug (SLOF already aligns BARs to 64k). + +Signed-off-by: Alexey Kardashevskiy +Reviewed-by: Sam Bobroff +Reviewed-by: Oliver O'Halloran +Reviewed-by: Shawn Anastasio +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/pci_of_scan.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/kernel/pci_of_scan.c b/arch/powerpc/kernel/pci_of_scan.c +index 2e710c15893f..a38d7293460d 100644 +--- a/arch/powerpc/kernel/pci_of_scan.c ++++ b/arch/powerpc/kernel/pci_of_scan.c +@@ -45,6 +45,8 @@ static unsigned int pci_parse_of_flags(u32 addr0, int bridge) + if (addr0 & 0x02000000) { + flags = IORESOURCE_MEM | PCI_BASE_ADDRESS_SPACE_MEMORY; + flags |= (addr0 >> 22) & PCI_BASE_ADDRESS_MEM_TYPE_64; ++ if (flags & PCI_BASE_ADDRESS_MEM_TYPE_64) ++ flags |= IORESOURCE_MEM_64; + flags |= (addr0 >> 28) & PCI_BASE_ADDRESS_MEM_TYPE_1M; + if (addr0 & 0x40000000) + flags |= IORESOURCE_PREFETCH +-- +2.20.1 + diff --git a/queue-4.4/powerpc-pseries-mobility-prevent-cpu-hotplug-during-.patch b/queue-4.4/powerpc-pseries-mobility-prevent-cpu-hotplug-during-.patch new file mode 100644 index 00000000000..1789656e711 --- /dev/null +++ b/queue-4.4/powerpc-pseries-mobility-prevent-cpu-hotplug-during-.patch @@ -0,0 +1,57 @@ +From a9e859f937dab6d5940159d4166c2a1ef85d0c35 Mon Sep 17 00:00:00 2001 +From: Nathan Lynch +Date: Tue, 11 Jun 2019 23:45:05 -0500 +Subject: powerpc/pseries/mobility: prevent cpu hotplug during DT update + +[ Upstream commit e59a175faa8df9d674247946f2a5a9c29c835725 ] + +CPU online/offline code paths are sensitive to parts of the device +tree (various cpu node properties, cache nodes) that can be changed as +a result of a migration. + +Prevent CPU hotplug while the device tree potentially is inconsistent. + +Fixes: 410bccf97881 ("powerpc/pseries: Partition migration in the kernel") +Signed-off-by: Nathan Lynch +Reviewed-by: Gautham R. Shenoy +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/mobility.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/arch/powerpc/platforms/pseries/mobility.c b/arch/powerpc/platforms/pseries/mobility.c +index c773396d0969..fcd1a32267c4 100644 +--- a/arch/powerpc/platforms/pseries/mobility.c ++++ b/arch/powerpc/platforms/pseries/mobility.c +@@ -9,6 +9,7 @@ + * 2 as published by the Free Software Foundation. + */ + ++#include + #include + #include + #include +@@ -309,11 +310,19 @@ void post_mobility_fixup(void) + if (rc) + printk(KERN_ERR "Post-mobility activate-fw failed: %d\n", rc); + ++ /* ++ * We don't want CPUs to go online/offline while the device ++ * tree is being updated. ++ */ ++ cpus_read_lock(); ++ + rc = pseries_devicetree_update(MIGRATION_SCOPE); + if (rc) + printk(KERN_ERR "Post-mobility device tree update " + "failed: %d\n", rc); + ++ cpus_read_unlock(); ++ + /* Possibly switch to a new RFI flush type */ + pseries_setup_rfi_flush(); + +-- +2.20.1 + diff --git a/queue-4.4/powerpc-pseries-mobility-rebuild-cacheinfo-hierarchy.patch b/queue-4.4/powerpc-pseries-mobility-rebuild-cacheinfo-hierarchy.patch new file mode 100644 index 00000000000..cfc0f0f1d72 --- /dev/null +++ b/queue-4.4/powerpc-pseries-mobility-rebuild-cacheinfo-hierarchy.patch @@ -0,0 +1,79 @@ +From e8a9c33c60901afec4ebabf63ea05ff7d18f1f4d Mon Sep 17 00:00:00 2001 +From: Nathan Lynch +Date: Tue, 11 Jun 2019 23:45:06 -0500 +Subject: powerpc/pseries/mobility: rebuild cacheinfo hierarchy post-migration + +[ Upstream commit e610a466d16a086e321f0bd421e2fc75cff28605 ] + +It's common for the platform to replace the cache device nodes after a +migration. Since the cacheinfo code is never informed about this, it +never drops its references to the source system's cache nodes, causing +it to wind up in an inconsistent state resulting in warnings and oopses +as soon as CPU online/offline occurs after the migration, e.g. + + cache for /cpus/l3-cache@3113(Unified) refers to cache for /cpus/l2-cache@200d(Unified) + WARNING: CPU: 15 PID: 86 at arch/powerpc/kernel/cacheinfo.c:176 release_cache+0x1bc/0x1d0 + [...] + NIP release_cache+0x1bc/0x1d0 + LR release_cache+0x1b8/0x1d0 + Call Trace: + release_cache+0x1b8/0x1d0 (unreliable) + cacheinfo_cpu_offline+0x1c4/0x2c0 + unregister_cpu_online+0x1b8/0x260 + cpuhp_invoke_callback+0x114/0xf40 + cpuhp_thread_fun+0x270/0x310 + smpboot_thread_fn+0x2c8/0x390 + kthread+0x1b8/0x1c0 + ret_from_kernel_thread+0x5c/0x68 + +Using device tree notifiers won't work since we want to rebuild the +hierarchy only after all the removals and additions have occurred and +the device tree is in a consistent state. Call cacheinfo_teardown() +before processing device tree updates, and rebuild the hierarchy +afterward. + +Fixes: 410bccf97881 ("powerpc/pseries: Partition migration in the kernel") +Signed-off-by: Nathan Lynch +Reviewed-by: Gautham R. Shenoy +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/mobility.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/powerpc/platforms/pseries/mobility.c b/arch/powerpc/platforms/pseries/mobility.c +index fcd1a32267c4..e85767c74e81 100644 +--- a/arch/powerpc/platforms/pseries/mobility.c ++++ b/arch/powerpc/platforms/pseries/mobility.c +@@ -22,6 +22,7 @@ + #include + #include + #include "pseries.h" ++#include "../../kernel/cacheinfo.h" + + static struct kobject *mobility_kobj; + +@@ -316,11 +317,20 @@ void post_mobility_fixup(void) + */ + cpus_read_lock(); + ++ /* ++ * It's common for the destination firmware to replace cache ++ * nodes. Release all of the cacheinfo hierarchy's references ++ * before updating the device tree. ++ */ ++ cacheinfo_teardown(); ++ + rc = pseries_devicetree_update(MIGRATION_SCOPE); + if (rc) + printk(KERN_ERR "Post-mobility device tree update " + "failed: %d\n", rc); + ++ cacheinfo_rebuild(); ++ + cpus_read_unlock(); + + /* Possibly switch to a new RFI flush type */ +-- +2.20.1 + diff --git a/queue-4.4/recordmcount-fix-spurious-mcount-entries-on-powerpc.patch b/queue-4.4/recordmcount-fix-spurious-mcount-entries-on-powerpc.patch new file mode 100644 index 00000000000..79dfec11961 --- /dev/null +++ b/queue-4.4/recordmcount-fix-spurious-mcount-entries-on-powerpc.patch @@ -0,0 +1,94 @@ +From b3b95acf646c0d0c10af96c1eeb3aad31f29fcee Mon Sep 17 00:00:00 2001 +From: "Naveen N. Rao" +Date: Thu, 27 Jun 2019 00:08:01 +0530 +Subject: recordmcount: Fix spurious mcount entries on powerpc + +[ Upstream commit 80e5302e4bc85a6b685b7668c36c6487b5f90e9a ] + +An impending change to enable HAVE_C_RECORDMCOUNT on powerpc leads to +warnings such as the following: + + # modprobe kprobe_example + ftrace-powerpc: Not expected bl: opcode is 3c4c0001 + WARNING: CPU: 0 PID: 227 at kernel/trace/ftrace.c:2001 ftrace_bug+0x90/0x318 + Modules linked in: + CPU: 0 PID: 227 Comm: modprobe Not tainted 5.2.0-rc6-00678-g1c329100b942 #2 + NIP: c000000000264318 LR: c00000000025d694 CTR: c000000000f5cd30 + REGS: c000000001f2b7b0 TRAP: 0700 Not tainted (5.2.0-rc6-00678-g1c329100b942) + MSR: 900000010282b033 CR: 28228222 XER: 00000000 + CFAR: c0000000002642fc IRQMASK: 0 + + NIP [c000000000264318] ftrace_bug+0x90/0x318 + LR [c00000000025d694] ftrace_process_locs+0x4f4/0x5e0 + Call Trace: + [c000000001f2ba40] [0000000000000004] 0x4 (unreliable) + [c000000001f2bad0] [c00000000025d694] ftrace_process_locs+0x4f4/0x5e0 + [c000000001f2bb90] [c00000000020ff10] load_module+0x25b0/0x30c0 + [c000000001f2bd00] [c000000000210cb0] sys_finit_module+0xc0/0x130 + [c000000001f2be20] [c00000000000bda4] system_call+0x5c/0x70 + Instruction dump: + 419e0018 2f83ffff 419e00bc 2f83ffea 409e00cc 4800001c 0fe00000 3c62ff96 + 39000001 39400000 386386d0 480000c4 <0fe00000> 3ce20003 39000001 3c62ff96 + ---[ end trace 4c438d5cebf78381 ]--- + ftrace failed to modify + [] 0xc0080000012a0008 + actual: 01:00:4c:3c + Initializing ftrace call sites + ftrace record flags: 2000000 + (0) + expected tramp: c00000000006af4c + +Looking at the relocation records in __mcount_loc shows a few spurious +entries: + + RELOCATION RECORDS FOR [__mcount_loc]: + OFFSET TYPE VALUE + 0000000000000000 R_PPC64_ADDR64 .text.unlikely+0x0000000000000008 + 0000000000000008 R_PPC64_ADDR64 .text.unlikely+0x0000000000000014 + 0000000000000010 R_PPC64_ADDR64 .text.unlikely+0x0000000000000060 + 0000000000000018 R_PPC64_ADDR64 .text.unlikely+0x00000000000000b4 + 0000000000000020 R_PPC64_ADDR64 .init.text+0x0000000000000008 + 0000000000000028 R_PPC64_ADDR64 .init.text+0x0000000000000014 + +The first entry in each section is incorrect. Looking at the +relocation records, the spurious entries correspond to the +R_PPC64_ENTRY records: + + RELOCATION RECORDS FOR [.text.unlikely]: + OFFSET TYPE VALUE + 0000000000000000 R_PPC64_REL64 .TOC.-0x0000000000000008 + 0000000000000008 R_PPC64_ENTRY *ABS* + 0000000000000014 R_PPC64_REL24 _mcount + + +The problem is that we are not validating the return value from +get_mcountsym() in sift_rel_mcount(). With this entry, mcountsym is 0, +but Elf_r_sym(relp) also ends up being 0. Fix this by ensuring +mcountsym is valid before processing the entry. + +Signed-off-by: Naveen N. Rao +Acked-by: Steven Rostedt (VMware) +Tested-by: Satheesh Rajendran +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + scripts/recordmcount.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/scripts/recordmcount.h b/scripts/recordmcount.h +index b9897e2be404..04151ede8043 100644 +--- a/scripts/recordmcount.h ++++ b/scripts/recordmcount.h +@@ -326,7 +326,8 @@ static uint_t *sift_rel_mcount(uint_t *mlocp, + if (!mcountsym) + mcountsym = get_mcountsym(sym0, relp, str0); + +- if (mcountsym == Elf_r_sym(relp) && !is_fake_mcount(relp)) { ++ if (mcountsym && mcountsym == Elf_r_sym(relp) && ++ !is_fake_mcount(relp)) { + uint_t const addend = + _w(_w(relp->r_offset) - recval + mcount_adjust); + mrelp->r_offset = _w(offbase +-- +2.20.1 + diff --git a/queue-4.4/serial-sh-sci-fix-tx-dma-buffer-flushing-and-workque.patch b/queue-4.4/serial-sh-sci-fix-tx-dma-buffer-flushing-and-workque.patch new file mode 100644 index 00000000000..981dcb0e01d --- /dev/null +++ b/queue-4.4/serial-sh-sci-fix-tx-dma-buffer-flushing-and-workque.patch @@ -0,0 +1,116 @@ +From 4e664fbc965c69f408df1ad6a836669ed0e55ab8 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 24 Jun 2019 14:35:39 +0200 +Subject: serial: sh-sci: Fix TX DMA buffer flushing and workqueue races + +[ Upstream commit 8493eab02608b0e82f67b892aa72882e510c31d0 ] + +When uart_flush_buffer() is called, the .flush_buffer() callback zeroes +the tx_dma_len field. This may race with the work queue function +handling transmit DMA requests: + + 1. If the buffer is flushed before the first DMA API call, + dmaengine_prep_slave_single() may be called with a zero length, + causing the DMA request to never complete, leading to messages + like: + + rcar-dmac e7300000.dma-controller: Channel Address Error happen + + and, with debug enabled: + + sh-sci e6e88000.serial: sci_dma_tx_work_fn: ffff800639b55000: 0...0, cookie 126 + + and DMA timeouts. + + 2. If the buffer is flushed after the first DMA API call, but before + the second, dma_sync_single_for_device() may be called with a zero + length, causing the transmit data not to be flushed to RAM, and + leading to stale data being output. + +Fix this by: + 1. Letting sci_dma_tx_work_fn() return immediately if the transmit + buffer is empty, + 2. Extending the critical section to cover all DMA preparational work, + so tx_dma_len stays consistent for all of it, + 3. Using local copies of circ_buf.head and circ_buf.tail, to make sure + they match the actual operation above. + +Reported-by: Eugeniu Rosca +Suggested-by: Yoshihiro Shimoda +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Eugeniu Rosca +Tested-by: Eugeniu Rosca +Link: https://lore.kernel.org/r/20190624123540.20629-2-geert+renesas@glider.be +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/sh-sci.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c +index 669134e27ed9..c450e32c153d 100644 +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -1203,6 +1203,7 @@ static void work_fn_tx(struct work_struct *work) + struct uart_port *port = &s->port; + struct circ_buf *xmit = &port->state->xmit; + dma_addr_t buf; ++ int head, tail; + + /* + * DMA is idle now. +@@ -1212,16 +1213,23 @@ static void work_fn_tx(struct work_struct *work) + * consistent xmit buffer state. + */ + spin_lock_irq(&port->lock); +- buf = s->tx_dma_addr + (xmit->tail & (UART_XMIT_SIZE - 1)); ++ head = xmit->head; ++ tail = xmit->tail; ++ buf = s->tx_dma_addr + (tail & (UART_XMIT_SIZE - 1)); + s->tx_dma_len = min_t(unsigned int, +- CIRC_CNT(xmit->head, xmit->tail, UART_XMIT_SIZE), +- CIRC_CNT_TO_END(xmit->head, xmit->tail, UART_XMIT_SIZE)); +- spin_unlock_irq(&port->lock); ++ CIRC_CNT(head, tail, UART_XMIT_SIZE), ++ CIRC_CNT_TO_END(head, tail, UART_XMIT_SIZE)); ++ if (!s->tx_dma_len) { ++ /* Transmit buffer has been flushed */ ++ spin_unlock_irq(&port->lock); ++ return; ++ } + + desc = dmaengine_prep_slave_single(chan, buf, s->tx_dma_len, + DMA_MEM_TO_DEV, + DMA_PREP_INTERRUPT | DMA_CTRL_ACK); + if (!desc) { ++ spin_unlock_irq(&port->lock); + dev_warn(port->dev, "Failed preparing Tx DMA descriptor\n"); + /* switch to PIO */ + sci_tx_dma_release(s, true); +@@ -1231,20 +1239,20 @@ static void work_fn_tx(struct work_struct *work) + dma_sync_single_for_device(chan->device->dev, buf, s->tx_dma_len, + DMA_TO_DEVICE); + +- spin_lock_irq(&port->lock); + desc->callback = sci_dma_tx_complete; + desc->callback_param = s; +- spin_unlock_irq(&port->lock); + s->cookie_tx = dmaengine_submit(desc); + if (dma_submit_error(s->cookie_tx)) { ++ spin_unlock_irq(&port->lock); + dev_warn(port->dev, "Failed submitting Tx DMA descriptor\n"); + /* switch to PIO */ + sci_tx_dma_release(s, true); + return; + } + ++ spin_unlock_irq(&port->lock); + dev_dbg(port->dev, "%s: %p: %d...%d, cookie %d\n", +- __func__, xmit->buf, xmit->tail, xmit->head, s->cookie_tx); ++ __func__, xmit->buf, tail, head, s->cookie_tx); + + dma_async_issue_pending(chan); + } +-- +2.20.1 + diff --git a/queue-4.4/series b/queue-4.4/series index d387284fddd..137dd157724 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -98,3 +98,41 @@ net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch elevator-fix-truncation-of-icq_cache_name.patch +nfsv4-fix-open-create-exclusive-when-the-server-rebo.patch +nfsd-increase-drc-cache-limit.patch +nfsd-give-out-fewer-session-slots-as-limit-approache.patch +nfsd-fix-performance-limiting-session-calculation.patch +nfsd-fix-overflow-causing-non-working-mounts-on-1-tb.patch +drm-panel-simple-fix-panel_simple_dsi_probe.patch +usb-core-hub-disable-hub-initiated-u1-u2.patch +tty-max310x-fix-invalid-baudrate-divisors-calculator.patch +pinctrl-rockchip-fix-leaked-of_node-references.patch +tty-serial-cpm_uart-fix-init-when-smc-is-relocated.patch +memstick-fix-error-cleanup-path-of-memstick_init.patch +tty-serial-digicolor-fix-digicolor-usart-already-reg.patch +tty-serial-msm_serial-avoid-system-lockup-condition.patch +drm-virtio-add-memory-barriers-for-capset-cache.patch +phy-renesas-rcar-gen2-fix-memory-leak-at-error-paths.patch +powerpc-pseries-mobility-prevent-cpu-hotplug-during-.patch +powerpc-pseries-mobility-rebuild-cacheinfo-hierarchy.patch +usb-gadget-zero-ffs_io_data.patch +powerpc-pci-of-fix-of-flags-parsing-for-64bit-bars.patch +pci-sysfs-ignore-lockdep-for-remove-attribute.patch +iio-iio-utils-fix-possible-incorrect-mask-calculatio.patch +recordmcount-fix-spurious-mcount-entries-on-powerpc.patch +mfd-core-set-fwnode-for-created-devices.patch +mfd-arizona-fix-undefined-behavior.patch +um-silence-lockdep-complaint-about-mmap_sem.patch +powerpc-4xx-uic-clear-pending-interrupt-after-irq-ty.patch +serial-sh-sci-fix-tx-dma-buffer-flushing-and-workque.patch +kallsyms-exclude-kasan-local-symbols-on-s390.patch +perf-test-mmap-thread-lookup-initialize-variable-to-.patch +f2fs-avoid-out-of-range-memory-access.patch +mailbox-handle-failed-named-mailbox-channel-request.patch +powerpc-eeh-handle-hugepages-in-ioremap-space.patch +sh-prevent-warnings-when-using-iounmap.patch +mm-kmemleak.c-fix-check-for-softirq-context.patch +9p-pass-the-correct-prototype-to-read_cache_page.patch +mm-mmu_notifier-use-hlist_add_head_rcu.patch +locking-lockdep-fix-lock-used-or-unused-stats-error.patch +locking-lockdep-hide-unused-class-variable.patch diff --git a/queue-4.4/sh-prevent-warnings-when-using-iounmap.patch b/queue-4.4/sh-prevent-warnings-when-using-iounmap.patch new file mode 100644 index 00000000000..15a23b19a43 --- /dev/null +++ b/queue-4.4/sh-prevent-warnings-when-using-iounmap.patch @@ -0,0 +1,62 @@ +From 04fad413a7ee0d0023c285a8b32168d834e86839 Mon Sep 17 00:00:00 2001 +From: Sam Ravnborg +Date: Thu, 11 Jul 2019 20:52:52 -0700 +Subject: sh: prevent warnings when using iounmap + +[ Upstream commit 733f0025f0fb43e382b84db0930ae502099b7e62 ] + +When building drm/exynos for sh, as part of an allmodconfig build, the +following warning triggered: + + exynos7_drm_decon.c: In function `decon_remove': + exynos7_drm_decon.c:769:24: warning: unused variable `ctx' + struct decon_context *ctx = dev_get_drvdata(&pdev->dev); + +The ctx variable is only used as argument to iounmap(). + +In sh - allmodconfig CONFIG_MMU is not defined +so it ended up in: + +\#define __iounmap(addr) do { } while (0) +\#define iounmap __iounmap + +Fix the warning by introducing a static inline function for iounmap. + +This is similar to several other architectures. + +Link: http://lkml.kernel.org/r/20190622114208.24427-1-sam@ravnborg.org +Signed-off-by: Sam Ravnborg +Reviewed-by: Geert Uytterhoeven +Cc: Yoshinori Sato +Cc: Rich Felker +Cc: Will Deacon +Cc: Mark Brown +Cc: Inki Dae +Cc: Krzysztof Kozlowski +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/sh/include/asm/io.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/arch/sh/include/asm/io.h b/arch/sh/include/asm/io.h +index 3280a6bfa503..b2592c3864ad 100644 +--- a/arch/sh/include/asm/io.h ++++ b/arch/sh/include/asm/io.h +@@ -370,7 +370,11 @@ static inline int iounmap_fixed(void __iomem *addr) { return -EINVAL; } + + #define ioremap_nocache ioremap + #define ioremap_uc ioremap +-#define iounmap __iounmap ++ ++static inline void iounmap(void __iomem *addr) ++{ ++ __iounmap(addr); ++} + + /* + * Convert a physical pointer to a virtual kernel pointer for /dev/mem +-- +2.20.1 + diff --git a/queue-4.4/tty-max310x-fix-invalid-baudrate-divisors-calculator.patch b/queue-4.4/tty-max310x-fix-invalid-baudrate-divisors-calculator.patch new file mode 100644 index 00000000000..2cf361eca7c --- /dev/null +++ b/queue-4.4/tty-max310x-fix-invalid-baudrate-divisors-calculator.patch @@ -0,0 +1,112 @@ +From fae18487a67f61dc8252b81f1391a6de78e7c313 Mon Sep 17 00:00:00 2001 +From: Serge Semin +Date: Tue, 14 May 2019 13:14:12 +0300 +Subject: tty: max310x: Fix invalid baudrate divisors calculator + +[ Upstream commit 35240ba26a932b279a513f66fa4cabfd7af55221 ] + +Current calculator doesn't do it' job quite correct. First of all the +max310x baud-rates generator supports the divisor being less than 16. +In this case the x2/x4 modes can be used to double or quadruple +the reference frequency. But the current baud-rate setter function +just filters all these modes out by the first condition and setups +these modes only if there is a clocks-baud division remainder. The former +doesn't seem right at all, since enabling the x2/x4 modes causes the line +noise tolerance reduction and should be only used as a last resort to +enable a requested too high baud-rate. + +Finally the fraction is supposed to be calculated from D = Fref/(c*baud) +formulae, but not from D % 16, which causes the precision loss. So to speak +the current baud-rate calculator code works well only if the baud perfectly +fits to the uart reference input frequency. + +Lets fix the calculator by implementing the algo fully compliant with +the fractional baud-rate generator described in the datasheet: +D = Fref / (c*baud), where c={16,8,4} is the x1/x2/x4 rate mode +respectively, Fref - reference input frequency. The divisor fraction is +calculated from the same formulae, but making sure it is found with a +resolution of 0.0625 (four bits). + +Signed-off-by: Serge Semin +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/max310x.c | 51 ++++++++++++++++++++++-------------- + 1 file changed, 31 insertions(+), 20 deletions(-) + +diff --git a/drivers/tty/serial/max310x.c b/drivers/tty/serial/max310x.c +index 0ac0c618954e..a66fb7afecc7 100644 +--- a/drivers/tty/serial/max310x.c ++++ b/drivers/tty/serial/max310x.c +@@ -486,37 +486,48 @@ static bool max310x_reg_precious(struct device *dev, unsigned int reg) + + static int max310x_set_baud(struct uart_port *port, int baud) + { +- unsigned int mode = 0, clk = port->uartclk, div = clk / baud; ++ unsigned int mode = 0, div = 0, frac = 0, c = 0, F = 0; + +- /* Check for minimal value for divider */ +- if (div < 16) +- div = 16; +- +- if (clk % baud && (div / 16) < 0x8000) { ++ /* ++ * Calculate the integer divisor first. Select a proper mode ++ * in case if the requested baud is too high for the pre-defined ++ * clocks frequency. ++ */ ++ div = port->uartclk / baud; ++ if (div < 8) { ++ /* Mode x4 */ ++ c = 4; ++ mode = MAX310X_BRGCFG_4XMODE_BIT; ++ } else if (div < 16) { + /* Mode x2 */ ++ c = 8; + mode = MAX310X_BRGCFG_2XMODE_BIT; +- clk = port->uartclk * 2; +- div = clk / baud; +- +- if (clk % baud && (div / 16) < 0x8000) { +- /* Mode x4 */ +- mode = MAX310X_BRGCFG_4XMODE_BIT; +- clk = port->uartclk * 4; +- div = clk / baud; +- } ++ } else { ++ c = 16; + } + +- max310x_port_write(port, MAX310X_BRGDIVMSB_REG, (div / 16) >> 8); +- max310x_port_write(port, MAX310X_BRGDIVLSB_REG, div / 16); +- max310x_port_write(port, MAX310X_BRGCFG_REG, (div % 16) | mode); ++ /* Calculate the divisor in accordance with the fraction coefficient */ ++ div /= c; ++ F = c*baud; ++ ++ /* Calculate the baud rate fraction */ ++ if (div > 0) ++ frac = (16*(port->uartclk % F)) / F; ++ else ++ div = 1; ++ ++ max310x_port_write(port, MAX310X_BRGDIVMSB_REG, div >> 8); ++ max310x_port_write(port, MAX310X_BRGDIVLSB_REG, div); ++ max310x_port_write(port, MAX310X_BRGCFG_REG, frac | mode); + +- return DIV_ROUND_CLOSEST(clk, div); ++ /* Return the actual baud rate we just programmed */ ++ return (16*port->uartclk) / (c*(16*div + frac)); + } + + static int max310x_update_best_err(unsigned long f, long *besterr) + { + /* Use baudrate 115200 for calculate error */ +- long err = f % (115200 * 16); ++ long err = f % (460800 * 16); + + if ((*besterr < 0) || (*besterr > err)) { + *besterr = err; +-- +2.20.1 + diff --git a/queue-4.4/tty-serial-cpm_uart-fix-init-when-smc-is-relocated.patch b/queue-4.4/tty-serial-cpm_uart-fix-init-when-smc-is-relocated.patch new file mode 100644 index 00000000000..acd156a3adc --- /dev/null +++ b/queue-4.4/tty-serial-cpm_uart-fix-init-when-smc-is-relocated.patch @@ -0,0 +1,76 @@ +From 8985d5a01c811917b1189c5db5cbf320c03f0a40 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Wed, 22 May 2019 12:17:11 +0000 +Subject: tty: serial: cpm_uart - fix init when SMC is relocated + +[ Upstream commit 06aaa3d066db87e8478522d910285141d44b1e58 ] + +SMC relocation can also be activated earlier by the bootloader, +so the driver's behaviour cannot rely on selected kernel config. + +When the SMC is relocated, CPM_CR_INIT_TRX cannot be used. + +But the only thing CPM_CR_INIT_TRX does is to clear the +rstate and tstate registers, so this can be done manually, +even when SMC is not relocated. + +Signed-off-by: Christophe Leroy +Fixes: 9ab921201444 ("cpm_uart: fix non-console port startup bug") +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/cpm_uart/cpm_uart_core.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/drivers/tty/serial/cpm_uart/cpm_uart_core.c b/drivers/tty/serial/cpm_uart/cpm_uart_core.c +index 0040c29f651a..b9e137c03fe3 100644 +--- a/drivers/tty/serial/cpm_uart/cpm_uart_core.c ++++ b/drivers/tty/serial/cpm_uart/cpm_uart_core.c +@@ -421,7 +421,16 @@ static int cpm_uart_startup(struct uart_port *port) + clrbits16(&pinfo->sccp->scc_sccm, UART_SCCM_RX); + } + cpm_uart_initbd(pinfo); +- cpm_line_cr_cmd(pinfo, CPM_CR_INIT_TRX); ++ if (IS_SMC(pinfo)) { ++ out_be32(&pinfo->smcup->smc_rstate, 0); ++ out_be32(&pinfo->smcup->smc_tstate, 0); ++ out_be16(&pinfo->smcup->smc_rbptr, ++ in_be16(&pinfo->smcup->smc_rbase)); ++ out_be16(&pinfo->smcup->smc_tbptr, ++ in_be16(&pinfo->smcup->smc_tbase)); ++ } else { ++ cpm_line_cr_cmd(pinfo, CPM_CR_INIT_TRX); ++ } + } + /* Install interrupt handler. */ + retval = request_irq(port->irq, cpm_uart_int, 0, "cpm_uart", port); +@@ -875,16 +884,14 @@ static void cpm_uart_init_smc(struct uart_cpm_port *pinfo) + (u8 __iomem *)pinfo->tx_bd_base - DPRAM_BASE); + + /* +- * In case SMC1 is being relocated... ++ * In case SMC is being relocated... + */ +-#if defined (CONFIG_I2C_SPI_SMC1_UCODE_PATCH) + out_be16(&up->smc_rbptr, in_be16(&pinfo->smcup->smc_rbase)); + out_be16(&up->smc_tbptr, in_be16(&pinfo->smcup->smc_tbase)); + out_be32(&up->smc_rstate, 0); + out_be32(&up->smc_tstate, 0); + out_be16(&up->smc_brkcr, 1); /* number of break chars */ + out_be16(&up->smc_brkec, 0); +-#endif + + /* Set up the uart parameters in the + * parameter ram. +@@ -898,8 +905,6 @@ static void cpm_uart_init_smc(struct uart_cpm_port *pinfo) + out_be16(&up->smc_brkec, 0); + out_be16(&up->smc_brkcr, 1); + +- cpm_line_cr_cmd(pinfo, CPM_CR_INIT_TRX); +- + /* Set UART mode, 8 bit, no parity, one stop. + * Enable receive and transmit. + */ +-- +2.20.1 + diff --git a/queue-4.4/tty-serial-digicolor-fix-digicolor-usart-already-reg.patch b/queue-4.4/tty-serial-digicolor-fix-digicolor-usart-already-reg.patch new file mode 100644 index 00000000000..781c281fe7b --- /dev/null +++ b/queue-4.4/tty-serial-digicolor-fix-digicolor-usart-already-reg.patch @@ -0,0 +1,44 @@ +From c4365eccc2205231902a57f9a4ccb60ceb84e4a9 Mon Sep 17 00:00:00 2001 +From: Kefeng Wang +Date: Fri, 31 May 2019 21:37:33 +0800 +Subject: tty/serial: digicolor: Fix digicolor-usart already registered warning + +[ Upstream commit c7ad9ba0611c53cfe194223db02e3bca015f0674 ] + +When modprobe/rmmod/modprobe module, if platform_driver_register() fails, +the kernel complained, + + proc_dir_entry 'driver/digicolor-usart' already registered + WARNING: CPU: 1 PID: 5636 at fs/proc/generic.c:360 proc_register+0x19d/0x270 + +Fix this by adding uart_unregister_driver() when platform_driver_register() fails. + +Reported-by: Hulk Robot +Signed-off-by: Kefeng Wang +Acked-by: Baruch Siach +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/digicolor-usart.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/digicolor-usart.c b/drivers/tty/serial/digicolor-usart.c +index a80cdad114f3..d8cb94997487 100644 +--- a/drivers/tty/serial/digicolor-usart.c ++++ b/drivers/tty/serial/digicolor-usart.c +@@ -544,7 +544,11 @@ static int __init digicolor_uart_init(void) + if (ret) + return ret; + +- return platform_driver_register(&digicolor_uart_platform); ++ ret = platform_driver_register(&digicolor_uart_platform); ++ if (ret) ++ uart_unregister_driver(&digicolor_uart); ++ ++ return ret; + } + module_init(digicolor_uart_init); + +-- +2.20.1 + diff --git a/queue-4.4/tty-serial-msm_serial-avoid-system-lockup-condition.patch b/queue-4.4/tty-serial-msm_serial-avoid-system-lockup-condition.patch new file mode 100644 index 00000000000..6f8113d4766 --- /dev/null +++ b/queue-4.4/tty-serial-msm_serial-avoid-system-lockup-condition.patch @@ -0,0 +1,43 @@ +From 4d09a6da16c9ba7f29974280129f04db4c252f32 Mon Sep 17 00:00:00 2001 +From: Jorge Ramirez-Ortiz +Date: Mon, 10 Jun 2019 19:23:08 +0200 +Subject: tty: serial: msm_serial: avoid system lockup condition + +[ Upstream commit ba3684f99f1b25d2a30b6956d02d339d7acb9799 ] + +The function msm_wait_for_xmitr can be taken with interrupts +disabled. In order to avoid a potential system lockup - demonstrated +under stress testing conditions on SoC QCS404/5 - make sure we wait +for a bounded amount of time. + +Tested on SoC QCS404. + +Signed-off-by: Jorge Ramirez-Ortiz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/msm_serial.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c +index 5f0ded6fc4e9..eaeb098b5d6a 100644 +--- a/drivers/tty/serial/msm_serial.c ++++ b/drivers/tty/serial/msm_serial.c +@@ -222,10 +222,14 @@ static void msm_request_rx_dma(struct msm_port *msm_port, resource_size_t base) + + static inline void msm_wait_for_xmitr(struct uart_port *port) + { ++ unsigned int timeout = 500000; ++ + while (!(msm_read(port, UART_SR) & UART_SR_TX_EMPTY)) { + if (msm_read(port, UART_ISR) & UART_ISR_TX_READY) + break; + udelay(1); ++ if (!timeout--) ++ break; + } + msm_write(port, UART_CR_CMD_RESET_TX_READY, UART_CR); + } +-- +2.20.1 + diff --git a/queue-4.4/um-silence-lockdep-complaint-about-mmap_sem.patch b/queue-4.4/um-silence-lockdep-complaint-about-mmap_sem.patch new file mode 100644 index 00000000000..5ed35643722 --- /dev/null +++ b/queue-4.4/um-silence-lockdep-complaint-about-mmap_sem.patch @@ -0,0 +1,111 @@ +From cdbd4b84cbacdf63e6bfab72729dac102b93eee9 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 24 May 2019 21:54:14 +0200 +Subject: um: Silence lockdep complaint about mmap_sem + +[ Upstream commit 80bf6ceaf9310b3f61934c69b382d4912deee049 ] + +When we get into activate_mm(), lockdep complains that we're doing +something strange: + + WARNING: possible circular locking dependency detected + 5.1.0-10252-gb00152307319-dirty #121 Not tainted + ------------------------------------------------------ + inside.sh/366 is trying to acquire lock: + (____ptrval____) (&(&p->alloc_lock)->rlock){+.+.}, at: flush_old_exec+0x703/0x8d7 + + but task is already holding lock: + (____ptrval____) (&mm->mmap_sem){++++}, at: flush_old_exec+0x6c5/0x8d7 + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #1 (&mm->mmap_sem){++++}: + [...] + __lock_acquire+0x12ab/0x139f + lock_acquire+0x155/0x18e + down_write+0x3f/0x98 + flush_old_exec+0x748/0x8d7 + load_elf_binary+0x2ca/0xddb + [...] + + -> #0 (&(&p->alloc_lock)->rlock){+.+.}: + [...] + __lock_acquire+0x12ab/0x139f + lock_acquire+0x155/0x18e + _raw_spin_lock+0x30/0x83 + flush_old_exec+0x703/0x8d7 + load_elf_binary+0x2ca/0xddb + [...] + + other info that might help us debug this: + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&mm->mmap_sem); + lock(&(&p->alloc_lock)->rlock); + lock(&mm->mmap_sem); + lock(&(&p->alloc_lock)->rlock); + + *** DEADLOCK *** + + 2 locks held by inside.sh/366: + #0: (____ptrval____) (&sig->cred_guard_mutex){+.+.}, at: __do_execve_file+0x12d/0x869 + #1: (____ptrval____) (&mm->mmap_sem){++++}, at: flush_old_exec+0x6c5/0x8d7 + + stack backtrace: + CPU: 0 PID: 366 Comm: inside.sh Not tainted 5.1.0-10252-gb00152307319-dirty #121 + Stack: + [...] + Call Trace: + [<600420de>] show_stack+0x13b/0x155 + [<6048906b>] dump_stack+0x2a/0x2c + [<6009ae64>] print_circular_bug+0x332/0x343 + [<6009c5c6>] check_prev_add+0x669/0xdad + [<600a06b4>] __lock_acquire+0x12ab/0x139f + [<6009f3d0>] lock_acquire+0x155/0x18e + [<604a07e0>] _raw_spin_lock+0x30/0x83 + [<60151e6a>] flush_old_exec+0x703/0x8d7 + [<601a8eb8>] load_elf_binary+0x2ca/0xddb + [...] + +I think it's because in exec_mmap() we have + + down_read(&old_mm->mmap_sem); +... + task_lock(tsk); +... + activate_mm(active_mm, mm); + (which does down_write(&mm->mmap_sem)) + +I'm not really sure why lockdep throws in the whole knowledge +about the task lock, but it seems that old_mm and mm shouldn't +ever be the same (and it doesn't deadlock) so tell lockdep that +they're different. + +Signed-off-by: Johannes Berg +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/include/asm/mmu_context.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/um/include/asm/mmu_context.h b/arch/um/include/asm/mmu_context.h +index 941527e507f7..f618f45fc8e9 100644 +--- a/arch/um/include/asm/mmu_context.h ++++ b/arch/um/include/asm/mmu_context.h +@@ -42,7 +42,7 @@ static inline void activate_mm(struct mm_struct *old, struct mm_struct *new) + * when the new ->mm is used for the first time. + */ + __switch_mm(&new->context.id); +- down_write(&new->mmap_sem); ++ down_write_nested(&new->mmap_sem, 1); + uml_setup_stubs(new); + up_write(&new->mmap_sem); + } +-- +2.20.1 + diff --git a/queue-4.4/usb-core-hub-disable-hub-initiated-u1-u2.patch b/queue-4.4/usb-core-hub-disable-hub-initiated-u1-u2.patch new file mode 100644 index 00000000000..872417bec84 --- /dev/null +++ b/queue-4.4/usb-core-hub-disable-hub-initiated-u1-u2.patch @@ -0,0 +1,81 @@ +From 82987b1fab3b9f04099a7b1706d732ff9fd6bfef Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Tue, 14 May 2019 14:38:38 -0700 +Subject: usb: core: hub: Disable hub-initiated U1/U2 + +[ Upstream commit 561759292774707b71ee61aecc07724905bb7ef1 ] + +If the device rejects the control transfer to enable device-initiated +U1/U2 entry, then the device will not initiate U1/U2 transition. To +improve the performance, the downstream port should not initate +transition to U1/U2 to avoid the delay from the device link command +response (no packet can be transmitted while waiting for a response from +the device). If the device has some quirks and does not implement U1/U2, +it may reject all the link state change requests, and the downstream +port may resend and flood the bus with more requests. This will affect +the device performance even further. This patch disables the +hub-initated U1/U2 if the device-initiated U1/U2 entry fails. + +Reference: USB 3.2 spec 7.2.4.2.3 + +Signed-off-by: Thinh Nguyen +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/hub.c | 28 ++++++++++++++++------------ + 1 file changed, 16 insertions(+), 12 deletions(-) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 3d714da96ce1..5c274c5440da 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -3823,6 +3823,9 @@ static int usb_set_lpm_timeout(struct usb_device *udev, + * control transfers to set the hub timeout or enable device-initiated U1/U2 + * will be successful. + * ++ * If the control transfer to enable device-initiated U1/U2 entry fails, then ++ * hub-initiated U1/U2 will be disabled. ++ * + * If we cannot set the parent hub U1/U2 timeout, we attempt to let the xHCI + * driver know about it. If that call fails, it should be harmless, and just + * take up more slightly more bus bandwidth for unnecessary U1/U2 exit latency. +@@ -3877,23 +3880,24 @@ static void usb_enable_link_state(struct usb_hcd *hcd, struct usb_device *udev, + * host know that this link state won't be enabled. + */ + hcd->driver->disable_usb3_lpm_timeout(hcd, udev, state); +- } else { +- /* Only a configured device will accept the Set Feature +- * U1/U2_ENABLE +- */ +- if (udev->actconfig) +- usb_set_device_initiated_lpm(udev, state, true); ++ return; ++ } + +- /* As soon as usb_set_lpm_timeout(timeout) returns 0, the +- * hub-initiated LPM is enabled. Thus, LPM is enabled no +- * matter the result of usb_set_device_initiated_lpm(). +- * The only difference is whether device is able to initiate +- * LPM. +- */ ++ /* Only a configured device will accept the Set Feature ++ * U1/U2_ENABLE ++ */ ++ if (udev->actconfig && ++ usb_set_device_initiated_lpm(udev, state, true) == 0) { + if (state == USB3_LPM_U1) + udev->usb3_lpm_u1_enabled = 1; + else if (state == USB3_LPM_U2) + udev->usb3_lpm_u2_enabled = 1; ++ } else { ++ /* Don't request U1/U2 entry if the device ++ * cannot transition to U1/U2. ++ */ ++ usb_set_lpm_timeout(udev, state, 0); ++ hcd->driver->disable_usb3_lpm_timeout(hcd, udev, state); + } + } + +-- +2.20.1 + diff --git a/queue-4.4/usb-gadget-zero-ffs_io_data.patch b/queue-4.4/usb-gadget-zero-ffs_io_data.patch new file mode 100644 index 00000000000..9482b3a08b0 --- /dev/null +++ b/queue-4.4/usb-gadget-zero-ffs_io_data.patch @@ -0,0 +1,57 @@ +From 16ae58f6bd5055434fbbbad1d0e0abe62dd148d4 Mon Sep 17 00:00:00 2001 +From: Andrzej Pietrasiewicz +Date: Mon, 3 Jun 2019 19:05:28 +0200 +Subject: usb: gadget: Zero ffs_io_data + +[ Upstream commit 508595515f4bcfe36246e4a565cf280937aeaade ] + +In some cases the "Allocate & copy" block in ffs_epfile_io() is not +executed. Consequently, in such a case ffs_alloc_buffer() is never called +and struct ffs_io_data is not initialized properly. This in turn leads to +problems when ffs_free_buffer() is called at the end of ffs_epfile_io(). + +This patch uses kzalloc() instead of kmalloc() in the aio case and memset() +in non-aio case to properly initialize struct ffs_io_data. + +Signed-off-by: Andrzej Pietrasiewicz +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_fs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index 4800bb22cdd6..4cb1355271ec 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -912,11 +912,12 @@ static ssize_t ffs_epfile_write_iter(struct kiocb *kiocb, struct iov_iter *from) + ENTER(); + + if (!is_sync_kiocb(kiocb)) { +- p = kmalloc(sizeof(io_data), GFP_KERNEL); ++ p = kzalloc(sizeof(io_data), GFP_KERNEL); + if (unlikely(!p)) + return -ENOMEM; + p->aio = true; + } else { ++ memset(p, 0, sizeof(*p)); + p->aio = false; + } + +@@ -948,11 +949,12 @@ static ssize_t ffs_epfile_read_iter(struct kiocb *kiocb, struct iov_iter *to) + ENTER(); + + if (!is_sync_kiocb(kiocb)) { +- p = kmalloc(sizeof(io_data), GFP_KERNEL); ++ p = kzalloc(sizeof(io_data), GFP_KERNEL); + if (unlikely(!p)) + return -ENOMEM; + p->aio = true; + } else { ++ memset(p, 0, sizeof(*p)); + p->aio = false; + } + +-- +2.20.1 +