From: Sasha Levin Date: Thu, 27 Aug 2020 17:22:52 +0000 (-0400) Subject: Fix up the 4.14 queue X-Git-Tag: v4.4.235~72 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cec8cb49a722ec24963689aef4bf5bb1092960b5;p=thirdparty%2Fkernel%2Fstable-queue.git Fix up the 4.14 queue Signed-off-by: Sasha Levin
---
diff --git a/queue-4.14/alpha-fix-annotation-of-io-read-write-16-32-be.patch b/queue-4.14/alpha-fix-annotation-of-io-read-write-16-32-be.patch
deleted file mode 100644
index 03c856780d8..00000000000
--- a/queue-4.14/alpha-fix-annotation-of-io-read-write-16-32-be.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From c9f407da832ea0abb4a57297000756397fd68efe Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Tue, 11 Aug 2020 18:33:54 -0700
-Subject: alpha: fix annotation of io{read,write}{16,32}be()
-
-From: Luc Van Oostenryck
-
-[ Upstream commit bd72866b8da499e60633ff28f8a4f6e09ca78efe ]
-
-These accessors must be used to read/write a big-endian bus. The value
-returned or written is native-endian.
-
-However, these accessors are defined using be{16,32}_to_cpu() or
-cpu_to_be{16,32}() to make the endian conversion but these expect a
-__be{16,32} when none is present. Keeping them would need a force cast
-that would solve nothing at all.
-
-So, do the conversion using swab{16,32}, like done in asm-generic for
-similar situations.
-
-Reported-by: kernel test robot
-Signed-off-by: Luc Van Oostenryck
-Signed-off-by: Andrew Morton
-Cc: Richard Henderson
-Cc: Ivan Kokshaysky
-Cc: Matt Turner
-Cc: Stephen Boyd
-Cc: Arnd Bergmann
-Link: http://lkml.kernel.org/r/20200622114232.80039-1-luc.vanoostenryck@gmail.com
-Signed-off-by: Linus Torvalds
-Signed-off-by: Sasha Levin
----
- arch/alpha/include/asm/io.h | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/arch/alpha/include/asm/io.h b/arch/alpha/include/asm/io.h
-index d123ff90f7a83..9995bed6e92e2 100644
---- a/arch/alpha/include/asm/io.h
-+++ b/arch/alpha/include/asm/io.h
-@@ -493,10 +493,10 @@ extern inline void writeq(u64 b, volatile void __iomem *addr)
- }
- #endif
-
--#define ioread16be(p) be16_to_cpu(ioread16(p))
--#define ioread32be(p) be32_to_cpu(ioread32(p))
--#define iowrite16be(v,p) iowrite16(cpu_to_be16(v), (p))
--#define iowrite32be(v,p) iowrite32(cpu_to_be32(v), (p))
-+#define ioread16be(p) swab16(ioread16(p))
-+#define ioread32be(p) swab32(ioread32(p))
-+#define iowrite16be(v,p) iowrite16(swab16(v), (p))
-+#define iowrite32be(v,p) iowrite32(swab32(v), (p))
-
- #define inb_p inb
- #define inw_p inw
---
-2.25.1
-
diff --git a/queue-4.14/alsa-pci-delete-repeated-words-in-comments.patch b/queue-4.14/alsa-pci-delete-repeated-words-in-comments.patch
index d97918b7e82..04055c041e0 100644
--- a/queue-4.14/alsa-pci-delete-repeated-words-in-comments.patch
+++ b/queue-4.14/alsa-pci-delete-repeated-words-in-comments.patch
@@ -1,4 +1,4 @@
-From f0c7b0aedc2de6e09c41a1ed9c0c64e57526fb9c Mon Sep 17 00:00:00 2001
+From 2b07e249bf917ae2aaac66a45aa852d7fab7901c Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Wed, 5 Aug 2020 19:19:26 -0700
 Subject: ALSA: pci: delete repeated words in comments
diff --git a/queue-4.14/arm64-dts-qcom-msm8916-pull-down-pdm-gpios-during-sl.patch b/queue-4.14/arm64-dts-qcom-msm8916-pull-down-pdm-gpios-during-sl.patch
index 6e8ed4634de..d9647460753 100644
--- a/queue-4.14/arm64-dts-qcom-msm8916-pull-down-pdm-gpios-during-sl.patch
+++ b/queue-4.14/arm64-dts-qcom-msm8916-pull-down-pdm-gpios-during-sl.patch
@@ -1,4 +1,4 @@
-From c22c392f3ef72eaaee8ed359a491000326ba3a33 Mon Sep 17 00:00:00 2001
+From 4e54494ad45dfa47230e200725715645971727b4 Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Fri, 5 Jun 2020 20:59:15 +0200
 Subject: arm64: dts: qcom: msm8916: Pull down PDM GPIOs during sleep
diff --git a/queue-4.14/asoc-intel-fix-memleak-in-sst_media_open.patch b/queue-4.14/asoc-intel-fix-memleak-in-sst_media_open.patch
deleted file mode 100644
index 049a4952c3d..00000000000
--- a/queue-4.14/asoc-intel-fix-memleak-in-sst_media_open.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From d09e5cecf689c704506497441a3448531165a41a Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Thu, 13 Aug 2020 16:41:10 +0800
-Subject: ASoC: intel: Fix memleak in sst_media_open
-
-From: Dinghao Liu
-
-[ Upstream commit 062fa09f44f4fb3776a23184d5d296b0c8872eb9 ]
-
-When power_up_sst() fails, stream needs to be freed
-just like when try_module_get() fails. However, current
-code is returning directly and ends up leaking memory.
-
-Fixes: 0121327c1a68b ("ASoC: Intel: mfld-pcm: add control for powering up/down dsp")
-Signed-off-by: Dinghao Liu
-Acked-by: Pierre-Louis Bossart
-Link: https://lore.kernel.org/r/20200813084112.26205-1-dinghao.liu@zju.edu.cn
-Signed-off-by: Mark Brown
-Signed-off-by: Sasha Levin
----
- sound/soc/intel/atom/sst-mfld-platform-pcm.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/sound/soc/intel/atom/sst-mfld-platform-pcm.c b/sound/soc/intel/atom/sst-mfld-platform-pcm.c
-index 4558c8b930363..3a645fc425cd4 100644
---- a/sound/soc/intel/atom/sst-mfld-platform-pcm.c
-+++ b/sound/soc/intel/atom/sst-mfld-platform-pcm.c
-@@ -339,7 +339,7 @@ static int sst_media_open(struct snd_pcm_substream *substream,
-
- ret_val = power_up_sst(stream);
- if (ret_val < 0)
-- return ret_val;
-+ goto out_power_up;
-
- /* Make sure, that the period size is always even */
- snd_pcm_hw_constraint_step(substream->runtime, 0,
-@@ -348,8 +348,9 @@ static int sst_media_open(struct snd_pcm_substream *substream,
- return snd_pcm_hw_constraint_integer(runtime,
- SNDRV_PCM_HW_PARAM_PERIODS);
- out_ops:
-- kfree(stream);
- mutex_unlock(&sst_lock);
-+out_power_up:
-+ kfree(stream);
- return ret_val;
- }
-
---
-2.25.1
-
diff --git a/queue-4.14/asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch b/queue-4.14/asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch
deleted file mode 100644
index 0491c44e6a7..00000000000
--- a/queue-4.14/asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From bd90ef3f3c6c11eaac2014a2e200ac9dc413daf8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Tue, 11 Aug 2020 11:34:52 +0100
-Subject: ASoC: msm8916-wcd-analog: fix register Interrupt offset
-
-From: Srinivas Kandagatla
-
-[ Upstream commit ff69c97ef84c9f7795adb49e9f07c9adcdd0c288 ]
-
-For some reason interrupt set and clear register offsets are
-not set correctly.
-This patch corrects them!
-
-Fixes: 585e881e5b9e ("ASoC: codecs: Add msm8916-wcd analog codec")
-Signed-off-by: Srinivas Kandagatla
-Tested-by: Stephan Gerhold
-Reviewed-by: Stephan Gerhold
-Link: https://lore.kernel.org/r/20200811103452.20448-1-srinivas.kandagatla@linaro.org
-Signed-off-by: Mark Brown
-Signed-off-by: Sasha Levin
----
- sound/soc/codecs/msm8916-wcd-analog.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/sound/soc/codecs/msm8916-wcd-analog.c b/sound/soc/codecs/msm8916-wcd-analog.c
-index 3633eb30dd135..4f949ad50d6a7 100644
---- a/sound/soc/codecs/msm8916-wcd-analog.c
-+++ b/sound/soc/codecs/msm8916-wcd-analog.c
-@@ -16,8 +16,8 @@
-
- #define CDC_D_REVISION1 (0xf000)
- #define CDC_D_PERPH_SUBTYPE (0xf005)
--#define CDC_D_INT_EN_SET (0x015)
--#define CDC_D_INT_EN_CLR (0x016)
-+#define CDC_D_INT_EN_SET (0xf015)
-+#define CDC_D_INT_EN_CLR (0xf016)
- #define MBHC_SWITCH_INT BIT(7)
- #define MBHC_MIC_ELECTRICAL_INS_REM_DET BIT(6)
- #define MBHC_BUTTON_PRESS_DET BIT(5)
---
-2.25.1
-
diff --git a/queue-4.14/asoc-tegra-fix-reference-count-leaks.patch b/queue-4.14/asoc-tegra-fix-reference-count-leaks.patch
index f75e5889029..252a0afab0d 100644
--- a/queue-4.14/asoc-tegra-fix-reference-count-leaks.patch
+++ b/queue-4.14/asoc-tegra-fix-reference-count-leaks.patch
@@ -1,4 +1,4 @@
-From 7b793b348805e1b61b398d65ded92ad9ab48cf77 Mon Sep 17 00:00:00 2001
+From 0a3fef11e807c51ec43eccea1ac5ab9461a21b9b Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Sat, 13 Jun 2020 15:44:19 -0500
 Subject: ASoC: tegra: Fix reference count leaks.
diff --git a/queue-4.14/blktrace-ensure-our-debugfs-dir-exists.patch b/queue-4.14/blktrace-ensure-our-debugfs-dir-exists.patch
index fbd246b595a..a0ceb2a8377 100644
--- a/queue-4.14/blktrace-ensure-our-debugfs-dir-exists.patch
+++ b/queue-4.14/blktrace-ensure-our-debugfs-dir-exists.patch
@@ -1,4 +1,4 @@
-From 1a7507a949eeb5d763441aebddbf91661ef07960 Mon Sep 17 00:00:00 2001
+From 25667ec8476964c5a43b7ff69122bc99e995cc8b Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Fri, 19 Jun 2020 20:47:29 +0000
 Subject: blktrace: ensure our debugfs dir exists
diff --git a/queue-4.14/bonding-fix-a-potential-double-unregister.patch b/queue-4.14/bonding-fix-a-potential-double-unregister.patch
deleted file mode 100644
index d5067d2f3ed..00000000000
--- a/queue-4.14/bonding-fix-a-potential-double-unregister.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 826e04f5e664861265135aa519e283eeb74acd65 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Fri, 14 Aug 2020 20:05:58 -0700
-Subject: bonding: fix a potential double-unregister
-
-From: Cong Wang
-
-[ Upstream commit 832707021666411d04795c564a4adea5d6b94f17 ]
-
-When we tear down a network namespace, we unregister all
-the netdevices within it. So we may queue a slave device
-and a bonding device together in the same unregister queue.
-
-If the only slave device is non-ethernet, it would
-automatically unregister the bonding device as well. Thus,
-we may end up unregistering the bonding device twice.
-
-Workaround this special case by checking reg_state.
-
-Fixes: 9b5e383c11b0 ("net: Introduce unregister_netdevice_many()")
-Reported-by: syzbot+af23e7f3e0a7e10c8b67@syzkaller.appspotmail.com
-Cc: Eric Dumazet
-Cc: Andy Gospodarek
-Cc: Jay Vosburgh
-Signed-off-by: Cong Wang
-Signed-off-by: David S. Miller
-Signed-off-by: Sasha Levin
----
- drivers/net/bonding/bond_main.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
-index 9ddbafdca3b05..a6d8d3b3c903d 100644
---- a/drivers/net/bonding/bond_main.c
-+++ b/drivers/net/bonding/bond_main.c
-@@ -2010,7 +2010,8 @@ static int bond_release_and_destroy(struct net_device *bond_dev,
- int ret;
-
- ret = __bond_release_one(bond_dev, slave_dev, false, true);
-- if (ret == 0 && !bond_has_slaves(bond)) {
-+ if (ret == 0 && !bond_has_slaves(bond) &&
-+ bond_dev->reg_state != NETREG_UNREGISTERING) {
- bond_dev->priv_flags |= IFF_DISABLE_NETPOLL;
- netdev_info(bond_dev, "Destroying bond %s\n",
- bond_dev->name);
---
-2.25.1
-
diff --git a/queue-4.14/bonding-fix-active-backup-failover-for-current-arp-s.patch b/queue-4.14/bonding-fix-active-backup-failover-for-current-arp-s.patch
deleted file mode 100644
index da8bb6cce22..00000000000
--- a/queue-4.14/bonding-fix-active-backup-failover-for-current-arp-s.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From d7f87cb29c20358086693b07e1fa1d67dd52309b Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Sun, 16 Aug 2020 20:52:44 +0200
-Subject: bonding: fix active-backup failover for current ARP slave
-
-From: Jiri Wiesner
-
-[ Upstream commit 0410d07190961ac526f05085765a8d04d926545b ]
-
-When the ARP monitor is used for link detection, ARP replies are
-validated for all slaves (arp_validate=3) and fail_over_mac is set to
-active, two slaves of an active-backup bond may get stuck in a state
-where both of them are active and pass packets that they receive to
-the bond. This state makes IPv6 duplicate address detection fail. The
-state is reached thus:
-1. The current active slave goes down because the ARP target
- is not reachable.
-2. The current ARP slave is chosen and made active.
-3. A new slave is enslaved. This new slave becomes the current active
- slave and can reach the ARP target.
-As a result, the current ARP slave stays active after the enslave
-action has finished and the log is littered with "PROBE BAD" messages:
-> bond0: PROBE: c_arp ens10 && cas ens11 BAD
-The workaround is to remove the slave with "going back" status from
-the bond and re-enslave it. This issue was encountered when DPDK PMD
-interfaces were being enslaved to an active-backup bond.
-
-I would be possible to fix the issue in bond_enslave() or
-bond_change_active_slave() but the ARP monitor was fixed instead to
-keep most of the actions changing the current ARP slave in the ARP
-monitor code. The current ARP slave is set as inactive and backup
-during the commit phase. A new state, BOND_LINK_FAIL, has been
-introduced for slaves in the context of the ARP monitor. This allows
-administrators to see how slaves are rotated for sending ARP requests
-and attempts are made to find a new active slave.
-
-Fixes: b2220cad583c9 ("bonding: refactor ARP active-backup monitor")
-Signed-off-by: Jiri Wiesner
-Signed-off-by: David S. Miller
-Signed-off-by: Sasha Levin
----
- drivers/net/bonding/bond_main.c | 18 ++++++++++++++++--
- 1 file changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
-index a6d8d3b3c903d..861d2c0a521a4 100644
---- a/drivers/net/bonding/bond_main.c
-+++ b/drivers/net/bonding/bond_main.c
-@@ -2753,6 +2753,9 @@ static int bond_ab_arp_inspect(struct bonding *bond)
- if (bond_time_in_interval(bond, last_rx, 1)) {
- bond_propose_link_state(slave, BOND_LINK_UP);
- commit++;
-+ } else if (slave->link == BOND_LINK_BACK) {
-+ bond_propose_link_state(slave, BOND_LINK_FAIL);
-+ commit++;
- }
- continue;
- }
-@@ -2863,6 +2866,19 @@ static void bond_ab_arp_commit(struct bonding *bond)
-
- continue;
-
-+ case BOND_LINK_FAIL:
-+ bond_set_slave_link_state(slave, BOND_LINK_FAIL,
-+ BOND_SLAVE_NOTIFY_NOW);
-+ bond_set_slave_inactive_flags(slave,
-+ BOND_SLAVE_NOTIFY_NOW);
-+
-+ /* A slave has just been enslaved and has become
-+ * the current active slave.
-+ */
-+ if (rtnl_dereference(bond->curr_active_slave))
-+ RCU_INIT_POINTER(bond->current_arp_slave, NULL);
-+ continue;
-+
- default:
- netdev_err(bond->dev, "impossible: new_link %d on slave %s\n",
- slave->link_new_state, slave->dev->name);
-@@ -2912,8 +2928,6 @@ static bool bond_ab_arp_probe(struct bonding *bond)
- return should_notify_rtnl;
- }
-
-- bond_set_slave_inactive_flags(curr_arp_slave, BOND_SLAVE_NOTIFY_LATER);
--
- bond_for_each_slave_rcu(bond, slave, iter) {
- if (!found && !before && bond_slave_is_up(slave))
- before = slave;
---
-2.25.1
-
diff --git a/queue-4.14/bonding-show-saner-speed-for-broadcast-mode.patch b/queue-4.14/bonding-show-saner-speed-for-broadcast-mode.patch
deleted file mode 100644
index 7e9c92341cc..00000000000
--- a/queue-4.14/bonding-show-saner-speed-for-broadcast-mode.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 35cb327b2d8cd278428e5e1bed456bd0fe144775 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Thu, 13 Aug 2020 10:09:00 -0400
-Subject: bonding: show saner speed for broadcast mode
-
-From: Jarod Wilson
-
-[ Upstream commit 4ca0d9ac3fd8f9f90b72a15d8da2aca3ffb58418 ]
-
-Broadcast mode bonds transmit a copy of all traffic simultaneously out of
-all interfaces, so the "speed" of the bond isn't really the aggregate of
-all interfaces, but rather, the speed of the slowest active interface.
-
-Also, the type of the speed field is u32, not unsigned long, so adjust
-that accordingly, as required to make min() function here without
-complaining about mismatching types.
-
-Fixes: bb5b052f751b ("bond: add support to read speed and duplex via ethtool")
-CC: Jay Vosburgh
-CC: Veaceslav Falico
-CC: Andy Gospodarek
-CC: "David S. Miller"
-CC: netdev@vger.kernel.org
-Acked-by: Jay Vosburgh
-Signed-off-by: Jarod Wilson
-Signed-off-by: David S. Miller
-Signed-off-by: Sasha Levin
----
- drivers/net/bonding/bond_main.c | 21 ++++++++++++++++++---
- 1 file changed, 18 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
-index 1f867e275408e..9ddbafdca3b05 100644
---- a/drivers/net/bonding/bond_main.c
-+++ b/drivers/net/bonding/bond_main.c
-@@ -4156,13 +4156,23 @@ static netdev_tx_t bond_start_xmit(struct sk_buff *skb, struct net_device *dev)
- return ret;
- }
-
-+static u32 bond_mode_bcast_speed(struct slave *slave, u32 speed)
-+{
-+ if (speed == 0 || speed == SPEED_UNKNOWN)
-+ speed = slave->speed;
-+ else
-+ speed = min(speed, slave->speed);
-+
-+ return speed;
-+}
-+
- static int bond_ethtool_get_link_ksettings(struct net_device *bond_dev,
- struct ethtool_link_ksettings *cmd)
- {
- struct bonding *bond = netdev_priv(bond_dev);
-- unsigned long speed = 0;
- struct list_head *iter;
- struct slave *slave;
-+ u32 speed = 0;
-
- cmd->base.duplex = DUPLEX_UNKNOWN;
- cmd->base.port = PORT_OTHER;
-@@ -4174,8 +4184,13 @@ static int bond_ethtool_get_link_ksettings(struct net_device *bond_dev,
- */
- bond_for_each_slave(bond, slave, iter) {
- if (bond_slave_can_tx(slave)) {
-- if (slave->speed != SPEED_UNKNOWN)
-- speed += slave->speed;
-+ if (slave->speed != SPEED_UNKNOWN) {
-+ if (BOND_MODE(bond) == BOND_MODE_BROADCAST)
-+ speed = bond_mode_bcast_speed(slave,
-+ speed);
-+ else
-+ speed += slave->speed;
-+ }
- if (cmd->base.duplex == DUPLEX_UNKNOWN &&
- slave->duplex != DUPLEX_UNKNOWN)
- cmd->base.duplex = slave->duplex;
---
-2.25.1
-
diff --git a/queue-4.14/btrfs-don-t-show-full-path-of-bind-mounts-in-subvol.patch b/queue-4.14/btrfs-don-t-show-full-path-of-bind-mounts-in-subvol.patch
deleted file mode 100644
index 8502ac0bee3..00000000000
--- a/queue-4.14/btrfs-don-t-show-full-path-of-bind-mounts-in-subvol.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From f218eb25c297457ab9d88c6029a0ea0a448041d6 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Wed, 22 Jul 2020 11:12:46 -0400
-Subject: btrfs: don't show full path of bind mounts in subvol=
-
-From: Josef Bacik
-
-[ Upstream commit 3ef3959b29c4a5bd65526ab310a1a18ae533172a ]
-
-Chris Murphy reported a problem where rpm ostree will bind mount a bunch
-of things for whatever voodoo it's doing. But when it does this
-/proc/mounts shows something like
-
- /dev/sda /mnt/test btrfs rw,relatime,subvolid=256,subvol=/foo 0 0
- /dev/sda /mnt/test/baz btrfs rw,relatime,subvolid=256,subvol=/foo/bar 0 0
-
-Despite subvolid=256 being subvol=/foo. This is because we're just
-spitting out the dentry of the mount point, which in the case of bind
-mounts is the source path for the mountpoint. Instead we should spit
-out the path to the actual subvol. Fix this by looking up the name for
-the subvolid we have mounted. With this fix the same test looks like
-this
-
- /dev/sda /mnt/test btrfs rw,relatime,subvolid=256,subvol=/foo 0 0
- /dev/sda /mnt/test/baz btrfs rw,relatime,subvolid=256,subvol=/foo 0 0
-
-Reported-by: Chris Murphy
-CC: stable@vger.kernel.org # 4.4+
-Signed-off-by: Josef Bacik
-Reviewed-by: David Sterba
-Signed-off-by: David Sterba
-Signed-off-by: Sasha Levin
----
- fs/btrfs/super.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
-index ca95e57b60ee1..eb64d4b159e07 100644
---- a/fs/btrfs/super.c
-+++ b/fs/btrfs/super.c
-@@ -1221,6 +1221,7 @@ static int btrfs_show_options(struct seq_file *seq, struct dentry *dentry)
- {
- struct btrfs_fs_info *info = btrfs_sb(dentry->d_sb);
- char *compress_type;
-+ const char *subvol_name;
-
- if (btrfs_test_opt(info, DEGRADED))
- seq_puts(seq, ",degraded");
-@@ -1307,8 +1308,13 @@ static int btrfs_show_options(struct seq_file *seq, struct dentry *dentry)
- #endif
- seq_printf(seq, ",subvolid=%llu",
- BTRFS_I(d_inode(dentry))->root->root_key.objectid);
-- seq_puts(seq, ",subvol=");
-- seq_dentry(seq, dentry, " \t\n\\");
-+ subvol_name = btrfs_get_subvol_name_from_objectid(info,
-+ BTRFS_I(d_inode(dentry))->root->root_key.objectid);
-+ if (!IS_ERR(subvol_name)) {
-+ seq_puts(seq, ",subvol=");
-+ seq_escape(seq, subvol_name, " \t\n\\");
-+ kfree(subvol_name);
-+ }
- return 0;
- }
-
---
-2.25.1
-
diff --git a/queue-4.14/btrfs-export-helpers-for-subvolume-name-id-resolutio.patch b/queue-4.14/btrfs-export-helpers-for-subvolume-name-id-resolutio.patch
deleted file mode 100644
index c37efefb5ea..00000000000
--- a/queue-4.14/btrfs-export-helpers-for-subvolume-name-id-resolutio.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 5b7448789c99c27351cf22996ffd9797be2802b0 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Fri, 21 Feb 2020 14:56:12 +0100
-Subject: btrfs: export helpers for subvolume name/id resolution
-
-From: Marcos Paulo de Souza
-
-[ Upstream commit c0c907a47dccf2cf26251a8fb4a8e7a3bf79ce84 ]
-
-The functions will be used outside of export.c and super.c to allow
-resolving subvolume name from a given id, eg. for subvolume deletion by
-id ioctl.
-
-Signed-off-by: Marcos Paulo de Souza
-Reviewed-by: David Sterba
-[ split from the next patch ]
-Signed-off-by: David Sterba
-Signed-off-by: Sasha Levin
----
- fs/btrfs/ctree.h | 2 ++
- fs/btrfs/export.c | 8 ++++----
- fs/btrfs/export.h | 5 +++++
- fs/btrfs/super.c | 8 ++++----
- 4 files changed, 15 insertions(+), 8 deletions(-)
-
-diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
-index 5412b12491cb8..de951987fd23d 100644
---- a/fs/btrfs/ctree.h
-+++ b/fs/btrfs/ctree.h
-@@ -3262,6 +3262,8 @@ ssize_t btrfs_listxattr(struct dentry *dentry, char *buffer, size_t size);
- int btrfs_parse_options(struct btrfs_fs_info *info, char *options,
- unsigned long new_flags);
- int btrfs_sync_fs(struct super_block *sb, int wait);
-+char *btrfs_get_subvol_name_from_objectid(struct btrfs_fs_info *fs_info,
-+ u64 subvol_objectid);
-
- static inline __printf(2, 3)
- void btrfs_no_printk(const struct btrfs_fs_info *fs_info, const char *fmt, ...)
-diff --git a/fs/btrfs/export.c b/fs/btrfs/export.c
-index 3aeb5770f8965..b6ce765aa7f33 100644
---- a/fs/btrfs/export.c
-+++ b/fs/btrfs/export.c
-@@ -56,9 +56,9 @@ static int btrfs_encode_fh(struct inode *inode, u32 *fh, int *max_len,
- return type;
- }
-
--static struct dentry *btrfs_get_dentry(struct super_block *sb, u64 objectid,
-- u64 root_objectid, u32 generation,
-- int check_generation)
-+struct dentry *btrfs_get_dentry(struct super_block *sb, u64 objectid,
-+ u64 root_objectid, u32 generation,
-+ int check_generation)
- {
- struct btrfs_fs_info *fs_info = btrfs_sb(sb);
- struct btrfs_root *root;
-@@ -151,7 +151,7 @@ static struct dentry *btrfs_fh_to_dentry(struct super_block *sb, struct fid *fh,
- return btrfs_get_dentry(sb, objectid, root_objectid, generation, 1);
- }
-
--static struct dentry *btrfs_get_parent(struct dentry *child)
-+struct dentry *btrfs_get_parent(struct dentry *child)
- {
- struct inode *dir = d_inode(child);
- struct btrfs_fs_info *fs_info = btrfs_sb(dir->i_sb);
-diff --git a/fs/btrfs/export.h b/fs/btrfs/export.h
-index 91b3908e7c549..15db024621414 100644
---- a/fs/btrfs/export.h
-+++ b/fs/btrfs/export.h
-@@ -17,4 +17,9 @@ struct btrfs_fid {
- u64 parent_root_objectid;
- } __attribute__ ((packed));
-
-+struct dentry *btrfs_get_dentry(struct super_block *sb, u64 objectid,
-+ u64 root_objectid, u32 generation,
-+ int check_generation);
-+struct dentry *btrfs_get_parent(struct dentry *child);
-+
- #endif
-diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
-index 17a8463ef35c1..ca95e57b60ee1 100644
---- a/fs/btrfs/super.c
-+++ b/fs/btrfs/super.c
-@@ -939,8 +939,8 @@ out:
- return error;
- }
-
--static char *get_subvol_name_from_objectid(struct btrfs_fs_info *fs_info,
-- u64 subvol_objectid)
-+char *btrfs_get_subvol_name_from_objectid(struct btrfs_fs_info *fs_info,
-+ u64 subvol_objectid)
- {
- struct btrfs_root *root = fs_info->tree_root;
- struct btrfs_root *fs_root;
-@@ -1427,8 +1427,8 @@ static struct dentry *mount_subvol(const char *subvol_name, u64 subvol_objectid,
- goto out;
- }
- }
-- subvol_name = get_subvol_name_from_objectid(btrfs_sb(mnt->mnt_sb),
-- subvol_objectid);
-+ subvol_name = btrfs_get_subvol_name_from_objectid(
-+ btrfs_sb(mnt->mnt_sb), subvol_objectid);
- if (IS_ERR(subvol_name)) {
- root = ERR_CAST(subvol_name);
- subvol_name = NULL;
---
-2.25.1
-
diff --git a/queue-4.14/btrfs-inode-fix-null-pointer-dereference-if-inode-do.patch b/queue-4.14/btrfs-inode-fix-null-pointer-dereference-if-inode-do.patch
deleted file mode 100644
index b750152d191..00000000000
--- a/queue-4.14/btrfs-inode-fix-null-pointer-dereference-if-inode-do.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From f562c9635a88bb006ee7503634aa38451adb1e28 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Tue, 28 Jul 2020 16:39:26 +0800
-Subject: btrfs: inode: fix NULL pointer dereference if inode doesn't need
- compression
-
-From: Qu Wenruo
-
-[ Upstream commit 1e6e238c3002ea3611465ce5f32777ddd6a40126 ]
-
-[BUG]
-There is a bug report of NULL pointer dereference caused in
-compress_file_extent():
-
- Oops: Kernel access of bad area, sig: 11 [#1]
- LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
- Workqueue: btrfs-delalloc btrfs_delalloc_helper [btrfs]
- NIP [c008000006dd4d34] compress_file_range.constprop.41+0x75c/0x8a0 [btrfs]
- LR [c008000006dd4d1c] compress_file_range.constprop.41+0x744/0x8a0 [btrfs]
- Call Trace:
- [c000000c69093b00] [c008000006dd4d1c] compress_file_range.constprop.41+0x744/0x8a0 [btrfs] (unreliable)
- [c000000c69093bd0] [c008000006dd4ebc] async_cow_start+0x44/0xa0 [btrfs]
- [c000000c69093c10] [c008000006e14824] normal_work_helper+0xdc/0x598 [btrfs]
- [c000000c69093c80] [c0000000001608c0] process_one_work+0x2c0/0x5b0
- [c000000c69093d10] [c000000000160c38] worker_thread+0x88/0x660
- [c000000c69093db0] [c00000000016b55c] kthread+0x1ac/0x1c0
- [c000000c69093e20] [c00000000000b660] ret_from_kernel_thread+0x5c/0x7c
- ---[ end trace f16954aa20d822f6 ]---
-
-[CAUSE]
-For the following execution route of compress_file_range(), it's
-possible to hit NULL pointer dereference:
-
- compress_file_extent()
- |- pages = NULL;
- |- start = async_chunk->start = 0;
- |- end = async_chunk = 4095;
- |- nr_pages = 1;
- |- inode_need_compress() == false; <<< Possible, see later explanation
- | Now, we have nr_pages = 1, pages = NULL
- |- cont:
- |- ret = cow_file_range_inline();
- |- if (ret <= 0) {
- |- for (i = 0; i < nr_pages; i++) {
- |- WARN_ON(pages[i]->mapping); <<< Crash
-
-To enter above call execution branch, we need the following race:
-
- Thread 1 (chattr) | Thread 2 (writeback)
---------------------------+------------------------------
- | btrfs_run_delalloc_range
- | |- inode_need_compress = true
- | |- cow_file_range_async()
-btrfs_ioctl_set_flag() |
-|- binode_flags |= |
- BTRFS_INODE_NOCOMPRESS |
- | compress_file_range()
- | |- inode_need_compress = false
- | |- nr_page = 1 while pages = NULL
- | | Then hit the crash
-
-[FIX]
-This patch will fix it by checking @pages before doing accessing it.
-This patch is only designed as a hot fix and easy to backport.
-
-More elegant fix may make btrfs only check inode_need_compress() once to
-avoid such race, but that would be another story.
-
-Reported-by: Luciano Chavez
-Fixes: 4d3a800ebb12 ("btrfs: merge nr_pages input and output parameter in compress_pages")
-CC: stable@vger.kernel.org # 4.14.x: cecc8d9038d16: btrfs: Move free_pages_out label in inline extent handling branch in compress_file_range
-CC: stable@vger.kernel.org # 4.14+
-Signed-off-by: Qu Wenruo
-Signed-off-by: David Sterba
-Signed-off-by: Sasha Levin
----
- fs/btrfs/inode.c | 15 +++++++++++----
- 1 file changed, 11 insertions(+), 4 deletions(-)
-
-diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
-index dc520749f51db..17856e92b93d1 100644
---- a/fs/btrfs/inode.c
-+++ b/fs/btrfs/inode.c
-@@ -630,11 +630,18 @@ cont:
- start,
- end - start + 1);
-
-- for (i = 0; i < nr_pages; i++) {
-- WARN_ON(pages[i]->mapping);
-- put_page(pages[i]);
-+ /*
-+ * Ensure we only free the compressed pages if we have
-+ * them allocated, as we can still reach here with
-+ * inode_need_compress() == false.
-+ */
-+ if (pages) {
-+ for (i = 0; i < nr_pages; i++) {
-+ WARN_ON(pages[i]->mapping);
-+ put_page(pages[i]);
-+ }
-+ kfree(pages);
- }
-- kfree(pages);
-
- return;
- }
---
-2.25.1
-
diff --git a/queue-4.14/btrfs-move-free_pages_out-label-in-inline-extent-han.patch b/queue-4.14/btrfs-move-free_pages_out-label-in-inline-extent-han.patch
deleted file mode 100644
index 1e64b0db948..00000000000
--- a/queue-4.14/btrfs-move-free_pages_out-label-in-inline-extent-han.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 265eeefd65a43f0c81d007bd6fb7ed350386fa73 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Wed, 17 Jul 2019 14:41:45 +0300
-Subject: btrfs: Move free_pages_out label in inline extent handling branch in
- compress_file_range
-
-From: Nikolay Borisov
-
-[ Upstream commit cecc8d9038d164eda61fbcd72520975a554ea63e ]
-
-This label is only executed if compress_file_range fails to create an
-inline extent. So move its code in the semantically related inline
-extent handling branch. No functional changes.
-
-Signed-off-by: Nikolay Borisov
-Reviewed-by: David Sterba
-Signed-off-by: David Sterba
-Signed-off-by: Sasha Levin
----
- fs/btrfs/inode.c | 16 ++++++++--------
- 1 file changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
-index 57908ee964a20..dc520749f51db 100644
---- a/fs/btrfs/inode.c
-+++ b/fs/btrfs/inode.c
-@@ -629,7 +629,14 @@ cont:
- btrfs_free_reserved_data_space_noquota(inode,
- start,
- end - start + 1);
-- goto free_pages_out;
-+
-+ for (i = 0; i < nr_pages; i++) {
-+ WARN_ON(pages[i]->mapping);
-+ put_page(pages[i]);
-+ }
-+ kfree(pages);
-+
-+ return;
- }
- }
-
-@@ -708,13 +715,6 @@ cleanup_and_bail_uncompressed:
- *num_added += 1;
-
- return;
--
--free_pages_out:
-- for (i = 0; i < nr_pages; i++) {
-- WARN_ON(pages[i]->mapping);
-- put_page(pages[i]);
-- }
-- kfree(pages);
- }
-
- static void free_async_extent_pages(struct async_extent *async_extent)
---
-2.25.1
-
diff --git a/queue-4.14/btrfs-sysfs-use-nofs-for-device-creation.patch b/queue-4.14/btrfs-sysfs-use-nofs-for-device-creation.patch
deleted file mode 100644
index d291e2b6c28..00000000000
--- a/queue-4.14/btrfs-sysfs-use-nofs-for-device-creation.patch
+++ /dev/null
@@ -1,190 +0,0 @@ -From 800c89a08bd5d15983e5135dd38e222d1f90a9d6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 21 Jul 2020 10:17:50 -0400 -Subject: btrfs: sysfs: use NOFS for device creation - -From: Josef Bacik - -Dave hit this splat during testing btrfs/078: - - ====================================================== - WARNING: possible circular locking dependency detected - 5.8.0-rc6-default+ #1191 Not tainted - ------------------------------------------------------ - kswapd0/75 is trying to acquire lock: - ffffa040e9d04ff8 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] - - but task is already holding lock: - ffffffff8b0c8040 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x5/0x30 - - which lock already depends on the new lock. - - the existing dependency chain (in reverse order) is: - - -> #2 (fs_reclaim){+.+.}-{0:0}: - __lock_acquire+0x56f/0xaa0 - lock_acquire+0xa3/0x440 - fs_reclaim_acquire.part.0+0x25/0x30 - __kmalloc_track_caller+0x49/0x330 - kstrdup+0x2e/0x60 - __kernfs_new_node.constprop.0+0x44/0x250 - kernfs_new_node+0x25/0x50 - kernfs_create_link+0x34/0xa0 - sysfs_do_create_link_sd+0x5e/0xd0 - btrfs_sysfs_add_devices_dir+0x65/0x100 [btrfs] - btrfs_init_new_device+0x44c/0x12b0 [btrfs] - btrfs_ioctl+0xc3c/0x25c0 [btrfs] - ksys_ioctl+0x68/0xa0 - __x64_sys_ioctl+0x16/0x20 - do_syscall_64+0x50/0xe0 - entry_SYSCALL_64_after_hwframe+0x44/0xa9 - - -> #1 (&fs_info->chunk_mutex){+.+.}-{3:3}: - __lock_acquire+0x56f/0xaa0 - lock_acquire+0xa3/0x440 - __mutex_lock+0xa0/0xaf0 - btrfs_chunk_alloc+0x137/0x3e0 [btrfs] - find_free_extent+0xb44/0xfb0 [btrfs] - btrfs_reserve_extent+0x9b/0x180 [btrfs] - btrfs_alloc_tree_block+0xc1/0x350 [btrfs] - alloc_tree_block_no_bg_flush+0x4a/0x60 [btrfs] - __btrfs_cow_block+0x143/0x7a0 [btrfs] - btrfs_cow_block+0x15f/0x310 [btrfs] - push_leaf_right+0x150/0x240 [btrfs] - split_leaf+0x3cd/0x6d0 [btrfs] - btrfs_search_slot+0xd14/0xf70 [btrfs] - btrfs_insert_empty_items+0x64/0xc0 
[btrfs] - __btrfs_commit_inode_delayed_items+0xb2/0x840 [btrfs] - btrfs_async_run_delayed_root+0x10e/0x1d0 [btrfs] - btrfs_work_helper+0x2f9/0x650 [btrfs] - process_one_work+0x22c/0x600 - worker_thread+0x50/0x3b0 - kthread+0x137/0x150 - ret_from_fork+0x1f/0x30 - - -> #0 (&delayed_node->mutex){+.+.}-{3:3}: - check_prev_add+0x98/0xa20 - validate_chain+0xa8c/0x2a00 - __lock_acquire+0x56f/0xaa0 - lock_acquire+0xa3/0x440 - __mutex_lock+0xa0/0xaf0 - __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] - btrfs_evict_inode+0x3bf/0x560 [btrfs] - evict+0xd6/0x1c0 - dispose_list+0x48/0x70 - prune_icache_sb+0x54/0x80 - super_cache_scan+0x121/0x1a0 - do_shrink_slab+0x175/0x420 - shrink_slab+0xb1/0x2e0 - shrink_node+0x192/0x600 - balance_pgdat+0x31f/0x750 - kswapd+0x206/0x510 - kthread+0x137/0x150 - ret_from_fork+0x1f/0x30 - - other info that might help us debug this: - - Chain exists of: - &delayed_node->mutex --> &fs_info->chunk_mutex --> fs_reclaim - - Possible unsafe locking scenario: - - CPU0 CPU1 - ---- ---- - lock(fs_reclaim); - lock(&fs_info->chunk_mutex); - lock(fs_reclaim); - lock(&delayed_node->mutex); - - *** DEADLOCK *** - - 3 locks held by kswapd0/75: - #0: ffffffff8b0c8040 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x5/0x30 - #1: ffffffff8b0b50b8 (shrinker_rwsem){++++}-{3:3}, at: shrink_slab+0x54/0x2e0 - #2: ffffa040e057c0e8 (&type->s_umount_key#26){++++}-{3:3}, at: trylock_super+0x16/0x50 - - stack backtrace: - CPU: 2 PID: 75 Comm: kswapd0 Not tainted 5.8.0-rc6-default+ #1191 - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba527-rebuilt.opensuse.org 04/01/2014 - Call Trace: - dump_stack+0x78/0xa0 - check_noncircular+0x16f/0x190 - check_prev_add+0x98/0xa20 - validate_chain+0xa8c/0x2a00 - __lock_acquire+0x56f/0xaa0 - lock_acquire+0xa3/0x440 - ? __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] - __mutex_lock+0xa0/0xaf0 - ? __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] - ? __lock_acquire+0x56f/0xaa0 - ? 
__btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] - ? lock_acquire+0xa3/0x440 - ? btrfs_evict_inode+0x138/0x560 [btrfs] - ? btrfs_evict_inode+0x2fe/0x560 [btrfs] - ? __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] - __btrfs_release_delayed_node.part.0+0x3f/0x310 [btrfs] - btrfs_evict_inode+0x3bf/0x560 [btrfs] - evict+0xd6/0x1c0 - dispose_list+0x48/0x70 - prune_icache_sb+0x54/0x80 - super_cache_scan+0x121/0x1a0 - do_shrink_slab+0x175/0x420 - shrink_slab+0xb1/0x2e0 - shrink_node+0x192/0x600 - balance_pgdat+0x31f/0x750 - kswapd+0x206/0x510 - ? _raw_spin_unlock_irqrestore+0x3e/0x50 - ? finish_wait+0x90/0x90 - ? balance_pgdat+0x750/0x750 - kthread+0x137/0x150 - ? kthread_stop+0x2a0/0x2a0 - ret_from_fork+0x1f/0x30 - -This is because we're holding the chunk_mutex while adding this device -and adding its sysfs entries. We actually hold different locks in -different places when calling this function, the dev_replace semaphore -for instance in dev replace, so instead of moving this call around -simply wrap it's operations in NOFS. 
-
-CC: stable@vger.kernel.org # 4.14+
-Reported-by: David Sterba
-Signed-off-by: Josef Bacik
-Reviewed-by: David Sterba
-Signed-off-by: David Sterba
----
- fs/btrfs/sysfs.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c
-index f05341bda1d14..383546ff62f04 100644
---- a/fs/btrfs/sysfs.c
-+++ b/fs/btrfs/sysfs.c
-@@ -25,6 +25,7 @@
- #include
- #include
- #include
-+#include
-
- #include "ctree.h"
- #include "disk-io.h"
-@@ -749,7 +750,9 @@ int btrfs_sysfs_add_device_link(struct btrfs_fs_devices *fs_devices,
- {
- int error = 0;
- struct btrfs_device *dev;
-+ unsigned int nofs_flag;
-
-+ nofs_flag = memalloc_nofs_save();
- list_for_each_entry(dev, &fs_devices->devices, dev_list) {
- struct hd_struct *disk;
- struct kobject *disk_kobj;
-@@ -768,6 +771,7 @@ int btrfs_sysfs_add_device_link(struct btrfs_fs_devices *fs_devices,
- if (error)
- break;
- }
-+ memalloc_nofs_restore(nofs_flag);
-
- return error;
- }
---
-2.25.1
-
diff --git a/queue-4.14/cec-api-prevent-leaking-memory-through-hole-in-struc.patch b/queue-4.14/cec-api-prevent-leaking-memory-through-hole-in-struc.patch
index 399c3151e51..1780cc7df50 100644
--- a/queue-4.14/cec-api-prevent-leaking-memory-through-hole-in-struc.patch
+++ b/queue-4.14/cec-api-prevent-leaking-memory-through-hole-in-struc.patch
@@ -1,4 +1,4 @@
-From 050fde58298a0dbd0198e4c2c1b9f247a10431ea Mon Sep 17 00:00:00 2001
+From 08939158bdd0f2e3f615abaedec30869fc0281ff Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Fri, 26 Jun 2020 12:44:26 +0200
 Subject: cec-api: prevent leaking memory through hole in structure
diff --git a/queue-4.14/ceph-fix-potential-mdsc-use-after-free-crash.patch b/queue-4.14/ceph-fix-potential-mdsc-use-after-free-crash.patch
index 51c1a74d830..4a6d1a9a451 100644
--- a/queue-4.14/ceph-fix-potential-mdsc-use-after-free-crash.patch
+++ b/queue-4.14/ceph-fix-potential-mdsc-use-after-free-crash.patch
@@ -1,4 +1,4 @@
-From 29e54ccc37b1be63cc7ba5939d3de2b510f353ba Mon Sep 17 00:00:00 2001
+From 253aebbb6821508f308db30177494bebc155ffac Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Wed, 1 Jul 2020 01:52:48 -0400
 Subject: ceph: fix potential mdsc use-after-free crash
diff --git a/queue-4.14/clk-evict-unregistered-clks-from-parent-caches.patch b/queue-4.14/clk-evict-unregistered-clks-from-parent-caches.patch
deleted file mode 100644
index dc343fcea09..00000000000
--- a/queue-4.14/clk-evict-unregistered-clks-from-parent-caches.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From 166f501401faecdc70028c69a303d67b529f3c33 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Wed, 28 Aug 2019 11:19:59 -0700
-Subject: clk: Evict unregistered clks from parent caches
-
-From: Stephen Boyd
-
-commit bdcf1dc253248542537a742ae1e7ccafdd03f2d3 upstream.
-
-We leave a dangling pointer in each clk_core::parents array that has an
-unregistered clk as a potential parent when that clk_core pointer is
-freed by clk{_hw}_unregister(). It is impossible for the true parent of
-a clk to be set with clk_set_parent() once the dangling pointer is left
-in the cache because we compare parent pointers in
-clk_fetch_parent_index() instead of checking for a matching clk name or
-clk_hw pointer.
-
-Before commit ede77858473a ("clk: Remove global clk traversal on fetch
-parent index"), we would check clk_hw pointers, which has a higher
-chance of being the same between registration and unregistration, but it
-can still be allocated and freed by the clk provider. In fact, this has
-been a long standing problem since commit da0f0b2c3ad2 ("clk: Correct
-lookup logic in clk_fetch_parent_index()") where we stopped trying to
-compare clk names and skipped over entries in the cache that weren't
-NULL.
-
-There are good (performance) reasons to not do the global tree lookup in
-cases where the cache holds dangling pointers to parents that have been
-unregistered. Let's take the performance hit on the uncommon
-registration path instead. Loop through all the clk_core::parents arrays
-when a clk is unregistered and set the entry to NULL when the parent
-cache entry and clk being unregistered are the same pointer. This will
-fix this problem and avoid the overhead for the "normal" case.
-
-Based on a patch by Bjorn Andersson.
-
-Fixes: da0f0b2c3ad2 ("clk: Correct lookup logic in clk_fetch_parent_index()")
-Reviewed-by: Bjorn Andersson
-Tested-by: Sai Prakash Ranjan
-Signed-off-by: Stephen Boyd
-Link: https://lkml.kernel.org/r/20190828181959.204401-1-sboyd@kernel.org
-Tested-by: Naresh Kamboju
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/clk/clk.c | 52 +++++++++++++++++++++++++++++++++++++----------
- 1 file changed, 41 insertions(+), 11 deletions(-)
-
-diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
-index 44b6f23cc851d..4289c519af1be 100644
---- a/drivers/clk/clk.c
-+++ b/drivers/clk/clk.c
-@@ -39,6 +39,17 @@ static HLIST_HEAD(clk_root_list);
- static HLIST_HEAD(clk_orphan_list);
- static LIST_HEAD(clk_notifier_list);
-
-+static struct hlist_head *all_lists[] = {
-+ &clk_root_list,
-+ &clk_orphan_list,
-+ NULL,
-+};
-+
-+static struct hlist_head *orphan_list[] = {
-+ &clk_orphan_list,
-+ NULL,
-+};
-+
- /*** private data structures ***/
-
- struct clk_core {
-@@ -1993,17 +2004,6 @@ static int inited = 0;
- static DEFINE_MUTEX(clk_debug_lock);
- static HLIST_HEAD(clk_debug_list);
-
--static struct hlist_head *all_lists[] = {
-- &clk_root_list,
-- &clk_orphan_list,
-- NULL,
--};
--
--static struct hlist_head *orphan_list[] = {
-- &clk_orphan_list,
-- NULL,
--};
--
- static void clk_summary_show_one(struct seq_file *s, struct clk_core *c,
- int level)
- {
-@@ -2735,6 +2735,34 @@ static const struct clk_ops clk_nodrv_ops = {
- .set_parent = clk_nodrv_set_parent,
- };
-
-+static void clk_core_evict_parent_cache_subtree(struct clk_core *root,
-+ struct clk_core *target)
-+{
-+ int i;
-+ struct clk_core *child;
-+
-+ for (i = 0; i < root->num_parents; i++)
-+ if (root->parents[i] == target)
-+ root->parents[i] = NULL;
-+
-+ hlist_for_each_entry(child, &root->children, child_node)
-+ clk_core_evict_parent_cache_subtree(child, target);
-+}
-+
-+/* Remove this clk from all parent caches */
-+static void clk_core_evict_parent_cache(struct clk_core *core)
-+{
-+ struct hlist_head **lists;
-+ struct clk_core *root;
-+
-+ lockdep_assert_held(&prepare_lock);
-+
-+ for (lists = all_lists; *lists; lists++)
-+ hlist_for_each_entry(root, *lists, child_node)
-+ clk_core_evict_parent_cache_subtree(root, core);
-+
-+}
-+
- /**
- * clk_unregister - unregister a currently registered clock
- * @clk: clock to unregister
-@@ -2773,6 +2801,8 @@ void clk_unregister(struct clk *clk)
- clk_core_set_parent(child, NULL);
- }
-
-+ clk_core_evict_parent_cache(clk->core);
-+
- hlist_del_init(&clk->core->child_node);
-
- if (clk->core->prepare_count)
---
-2.25.1
-
diff --git a/queue-4.14/cpufreq-intel_pstate-fix-cpuinfo_max_freq-when-msr_t.patch b/queue-4.14/cpufreq-intel_pstate-fix-cpuinfo_max_freq-when-msr_t.patch
deleted file mode 100644
index 12ee5623cd5..00000000000
--- a/queue-4.14/cpufreq-intel_pstate-fix-cpuinfo_max_freq-when-msr_t.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 485c4298e720bd40ee378135638980713589adb2 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Mon, 3 Aug 2020 11:37:20 -0700
-Subject: cpufreq: intel_pstate: Fix cpuinfo_max_freq when
- MSR_TURBO_RATIO_LIMIT is 0
-
-From: Srinivas Pandruvada
-
-[ Upstream commit 4daca379c703ff55edc065e8e5173dcfeecf0148 ]
-
-The MSR_TURBO_RATIO_LIMIT can be 0. This is not an error. User can update
-this MSR via BIOS settings on some systems or can use msr tools to update.
-Also some systems boot with value = 0.
-
-This results in display of cpufreq/cpuinfo_max_freq wrong. This value
-will be equal to cpufreq/base_frequency, even though turbo is enabled.
-
-But platform will still function normally in HWP mode as we get max
-1-core frequency from the MSR_HWP_CAPABILITIES. This MSR is already used
-to calculate cpu->pstate.turbo_freq, which is used for to set
-policy->cpuinfo.max_freq. But some other places cpu->pstate.turbo_pstate
-is used. For example to set policy->max.
-
-To fix this, also update cpu->pstate.turbo_pstate when updating
-cpu->pstate.turbo_freq.
-
-Signed-off-by: Srinivas Pandruvada
-Signed-off-by: Rafael J. Wysocki
-Signed-off-by: Sasha Levin
----
- drivers/cpufreq/intel_pstate.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
-index 1aa0b05c8cbdf..5c41dc9aaa46d 100644
---- a/drivers/cpufreq/intel_pstate.c
-+++ b/drivers/cpufreq/intel_pstate.c
-@@ -1378,6 +1378,7 @@ static void intel_pstate_get_cpu_pstates(struct cpudata *cpu)
-
- intel_pstate_get_hwp_max(cpu->cpu, &phy_max, ¤t_max);
- cpu->pstate.turbo_freq = phy_max * cpu->pstate.scaling;
-+ cpu->pstate.turbo_pstate = phy_max;
- } else {
- cpu->pstate.turbo_freq = cpu->pstate.turbo_pstate * cpu->pstate.scaling;
- }
---
-2.25.1
-
diff --git a/queue-4.14/do_epoll_ctl-clean-the-failure-exits-up-a-bit.patch b/queue-4.14/do_epoll_ctl-clean-the-failure-exits-up-a-bit.patch
deleted file mode 100644
index 4155f0edfc1..00000000000
--- a/queue-4.14/do_epoll_ctl-clean-the-failure-exits-up-a-bit.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 3e96d14927153e634a5911002d837696baf809eb Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Sat, 22 Aug 2020 18:25:52 -0400
-Subject: do_epoll_ctl(): clean the failure exits up a bit
-
-From: Al Viro
-
-commit 52c479697c9b73f628140dcdfcd39ea302d05482 upstream.
-
-Signed-off-by: Al Viro
-Signed-off-by: Marc Zyngier
-Signed-off-by: Greg Kroah-Hartman
----
- fs/eventpoll.c | 10 ++++------
- 1 file changed, 4 insertions(+), 6 deletions(-)
-
-diff --git a/fs/eventpoll.c b/fs/eventpoll.c
-index 94f6c19dcf30a..00f0902e27e88 100644
---- a/fs/eventpoll.c
-+++ b/fs/eventpoll.c
-@@ -2099,10 +2099,8 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,
- mutex_lock(&epmutex);
- if (is_file_epoll(tf.file)) {
- error = -ELOOP;
-- if (ep_loop_check(ep, tf.file) != 0) {
-- clear_tfile_check_list();
-+ if (ep_loop_check(ep, tf.file) != 0)
- goto error_tgt_fput;
-- }
- } else {
- get_file(tf.file);
- list_add(&tf.file->f_tfile_llink,
-@@ -2131,8 +2129,6 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,
- error = ep_insert(ep, &epds, tf.file, fd, full_check);
- } else
- error = -EEXIST;
-- if (full_check)
-- clear_tfile_check_list();
- break;
- case EPOLL_CTL_DEL:
- if (epi)
-@@ -2155,8 +2151,10 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,
- mutex_unlock(&ep->mtx);
-
- error_tgt_fput:
-- if (full_check)
-+ if (full_check) {
-+ clear_tfile_check_list();
- mutex_unlock(&epmutex);
-+ }
-
- fdput(tf);
- error_fput:
---
-2.25.1
-
diff --git a/queue-4.14/drm-amd-display-fix-ref-count-leak-in-amdgpu_drm_ioc.patch b/queue-4.14/drm-amd-display-fix-ref-count-leak-in-amdgpu_drm_ioc.patch
index 52f2b456d72..71ee131b51b 100644
--- a/queue-4.14/drm-amd-display-fix-ref-count-leak-in-amdgpu_drm_ioc.patch
+++ b/queue-4.14/drm-amd-display-fix-ref-count-leak-in-amdgpu_drm_ioc.patch
@@ -1,4 +1,4 @@
-From a81f72e983ab77db7de2c402e0bb22c8541d05e8 Mon Sep 17 00:00:00 2001
+From 869dc611dc21c2167f97d1b1d0c198345c3e559f Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Sun, 14 Jun 2020 02:14:50 -0500
 Subject: drm/amd/display: fix ref count leak in amdgpu_drm_ioctl
diff --git a/queue-4.14/drm-amdgpu-display-fix-ref-count-leak-when-pm_runtim.patch b/queue-4.14/drm-amdgpu-display-fix-ref-count-leak-when-pm_runtim.patch
index a121b1b2ba5..ad06a6f6f6f 100644
--- a/queue-4.14/drm-amdgpu-display-fix-ref-count-leak-when-pm_runtim.patch
+++ b/queue-4.14/drm-amdgpu-display-fix-ref-count-leak-when-pm_runtim.patch
@@ -1,4 +1,4 @@
-From bf09e3337114740d249231fc137ab310986ecc5f Mon Sep 17 00:00:00 2001
+From f2b6331b9306c0e6ea5c7e54efa61ba543d63ed9 Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Sun, 14 Jun 2020 02:05:28 -0500
 Subject: drm/amdgpu/display: fix ref count leak when pm_runtime_get_sync fails
diff --git a/queue-4.14/drm-amdgpu-fix-ref-count-leak-in-amdgpu_display_crtc.patch b/queue-4.14/drm-amdgpu-fix-ref-count-leak-in-amdgpu_display_crtc.patch
index a81dff9a39a..abdce1ec27e 100644
--- a/queue-4.14/drm-amdgpu-fix-ref-count-leak-in-amdgpu_display_crtc.patch
+++ b/queue-4.14/drm-amdgpu-fix-ref-count-leak-in-amdgpu_display_crtc.patch
@@ -1,4 +1,4 @@
-From 25db81a4dfd6cd8aafc03c312c42beddb46add70 Mon Sep 17 00:00:00 2001
+From 7b01f2652c2e45de20d3f634d6130f7bca13d26b Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Sun, 14 Jun 2020 02:09:44 -0500
 Subject: drm/amdgpu: fix ref count leak in amdgpu_display_crtc_set_config
diff --git a/queue-4.14/drm-amdgpu-fix-ref-count-leak-in-amdgpu_driver_open_.patch b/queue-4.14/drm-amdgpu-fix-ref-count-leak-in-amdgpu_driver_open_.patch
index 09ea5e8b15d..403f26d66c9 100644
--- a/queue-4.14/drm-amdgpu-fix-ref-count-leak-in-amdgpu_driver_open_.patch
+++ b/queue-4.14/drm-amdgpu-fix-ref-count-leak-in-amdgpu_driver_open_.patch
@@ -1,4 +1,4 @@
-From 655cb063e26974ee1780dce2c73d913e433b3b71 Mon Sep 17 00:00:00 2001
+From a5e60ff061b67c6999b540f4057db8d84cb91479 Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Sun, 14 Jun 2020 02:12:29 -0500
 Subject: drm/amdgpu: fix ref count leak in amdgpu_driver_open_kms
diff --git a/queue-4.14/drm-amdkfd-fix-reference-count-leaks.patch b/queue-4.14/drm-amdkfd-fix-reference-count-leaks.patch
index 896fda2bfdf..1be75e6204a 100644
--- a/queue-4.14/drm-amdkfd-fix-reference-count-leaks.patch
+++ b/queue-4.14/drm-amdkfd-fix-reference-count-leaks.patch
@@ -1,4 +1,4 @@
-From 700cd3179835293104947739a2f1d8d831331836 Mon Sep 17 00:00:00 2001
+From 668c53520376efaf1950ba4176fb636bbc91ed8b Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Sat, 13 Jun 2020 14:32:26 -0500
 Subject: drm/amdkfd: Fix reference count leaks.
diff --git a/queue-4.14/drm-nouveau-drm-noveau-fix-reference-count-leak-in-n.patch b/queue-4.14/drm-nouveau-drm-noveau-fix-reference-count-leak-in-n.patch
index c72aa0fca81..5b9e944901b 100644
--- a/queue-4.14/drm-nouveau-drm-noveau-fix-reference-count-leak-in-n.patch
+++ b/queue-4.14/drm-nouveau-drm-noveau-fix-reference-count-leak-in-n.patch
@@ -1,4 +1,4 @@
-From b429ee21e98e90414b341d7395ed16e952eb37c1 Mon Sep 17 00:00:00 2001
+From 2917636be68387b7c333c83c20615fef9f0e64d0 Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Sat, 13 Jun 2020 20:33:42 -0500
 Subject: drm/nouveau/drm/noveau: fix reference count leak in
diff --git a/queue-4.14/drm-nouveau-fix-reference-count-leak-in-nouveau_conn.patch b/queue-4.14/drm-nouveau-fix-reference-count-leak-in-nouveau_conn.patch
index 514c15f8313..2c18f513148 100644
--- a/queue-4.14/drm-nouveau-fix-reference-count-leak-in-nouveau_conn.patch
+++ b/queue-4.14/drm-nouveau-fix-reference-count-leak-in-nouveau_conn.patch
@@ -1,4 +1,4 @@
-From 1bed3ed68f2bfdd17b2dd3a4bff3e5ec2d9c348d Mon Sep 17 00:00:00 2001
+From 0b8043073b7782767fa7badf9c657499b20d9750 Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Sat, 13 Jun 2020 20:22:23 -0500
 Subject: drm/nouveau: Fix reference count leak in nouveau_connector_detect
diff --git a/queue-4.14/drm-radeon-fix-multiple-reference-count-leak.patch b/queue-4.14/drm-radeon-fix-multiple-reference-count-leak.patch
index 42fa9fdc461..1d398260342 100644
--- a/queue-4.14/drm-radeon-fix-multiple-reference-count-leak.patch
+++ b/queue-4.14/drm-radeon-fix-multiple-reference-count-leak.patch
@@ -1,4 +1,4 @@
-From 4475db757621a2f5a62dd972801a44db08329c2b Mon Sep 17 00:00:00 2001
+From 3acd1c5fbd5d0d3e22373cf5fef7876fc16d310f Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Sat, 13 Jun 2020 20:55:39 -0500
 Subject: drm/radeon: fix multiple reference count leak
diff --git a/queue-4.14/drm-vgem-replace-opencoded-version-of-drm_gem_dumb_m.patch b/queue-4.14/drm-vgem-replace-opencoded-version-of-drm_gem_dumb_m.patch
deleted file mode 100644
index 8c1e15ed713..00000000000
--- a/queue-4.14/drm-vgem-replace-opencoded-version-of-drm_gem_dumb_m.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 5a7f8bd51e0859ca58088777e4a5ee0db0ba7de7 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Wed, 8 Jul 2020 16:49:11 +0100
-Subject: drm/vgem: Replace opencoded version of drm_gem_dumb_map_offset()
-
-From: Chris Wilson
-
-[ Upstream commit 119c53d2d4044c59c450c4f5a568d80b9d861856 ]
-
-drm_gem_dumb_map_offset() now exists and does everything
-vgem_gem_dump_map does and *ought* to do.
-
-In particular, vgem_gem_dumb_map() was trying to reject mmapping an
-imported dmabuf by checking the existence of obj->filp. Unfortunately,
-we always allocated an obj->filp, even if unused for an imported dmabuf.
-Instead, the drm_gem_dumb_map_offset(), since commit 90378e589192
-("drm/gem: drm_gem_dumb_map_offset(): reject dma-buf"), uses the
-obj->import_attach to reject such invalid mmaps.
-
-This prevents vgem from allowing userspace mmapping the dumb handle and
-attempting to incorrectly fault in remote pages belonging to another
-device, where there may not even be a struct page.
-
-v2: Use the default drm_gem_dumb_map_offset() callback
-
-Fixes: af33a9190d02 ("drm/vgem: Enable dmabuf import interfaces")
-Signed-off-by: Chris Wilson
-Reviewed-by: Daniel Vetter
-Cc: # v4.13+
-Link: https://patchwork.freedesktop.org/patch/msgid/20200708154911.21236-1-chris@chris-wilson.co.uk
-Signed-off-by: Sasha Levin
----
- drivers/gpu/drm/vgem/vgem_drv.c | 27 ---------------------------
- 1 file changed, 27 deletions(-)
-
-diff --git a/drivers/gpu/drm/vgem/vgem_drv.c b/drivers/gpu/drm/vgem/vgem_drv.c
-index aa592277d5108..67037eb9a80ee 100644
---- a/drivers/gpu/drm/vgem/vgem_drv.c
-+++ b/drivers/gpu/drm/vgem/vgem_drv.c
-@@ -220,32 +220,6 @@ static int vgem_gem_dumb_create(struct drm_file *file, struct drm_device *dev,
- return 0;
- }
-
--static int vgem_gem_dumb_map(struct drm_file *file, struct drm_device *dev,
-- uint32_t handle, uint64_t *offset)
--{
-- struct drm_gem_object *obj;
-- int ret;
--
-- obj = drm_gem_object_lookup(file, handle);
-- if (!obj)
-- return -ENOENT;
--
-- if (!obj->filp) {
-- ret = -EINVAL;
-- goto unref;
-- }
--
-- ret = drm_gem_create_mmap_offset(obj);
-- if (ret)
-- goto unref;
--
-- *offset = drm_vma_node_offset_addr(&obj->vma_node);
--unref:
-- drm_gem_object_put_unlocked(obj);
--
-- return ret;
--}
--
- static struct drm_ioctl_desc vgem_ioctls[] = {
- DRM_IOCTL_DEF_DRV(VGEM_FENCE_ATTACH, vgem_fence_attach_ioctl, DRM_AUTH|DRM_RENDER_ALLOW),
- DRM_IOCTL_DEF_DRV(VGEM_FENCE_SIGNAL, vgem_fence_signal_ioctl, DRM_AUTH|DRM_RENDER_ALLOW),
-@@ -439,7 +413,6 @@ static struct drm_driver vgem_driver = {
- .fops = &vgem_driver_fops,
-
- .dumb_create = vgem_gem_dumb_create,
-- .dumb_map_offset = vgem_gem_dumb_map,
-
- .prime_handle_to_fd = drm_gem_prime_handle_to_fd,
- .prime_fd_to_handle = drm_gem_prime_fd_to_handle,
---
-2.25.1
-
diff --git a/queue-4.14/edac-ie31200-fallback-if-host-bridge-device-is-alrea.patch b/queue-4.14/edac-ie31200-fallback-if-host-bridge-device-is-alrea.patch
index 41d74b32f7e..43573b72abc 100644
--- a/queue-4.14/edac-ie31200-fallback-if-host-bridge-device-is-alrea.patch +++ b/queue-4.14/edac-ie31200-fallback-if-host-bridge-device-is-alrea.patch @@ -1,4 +1,4 @@ -From 30e150b3bfa71a05be40dd3c5e099abd3656e650 Mon Sep 17 00:00:00 2001 +From 9a00572474ead88cc813accecd84ef5ee94d9a58 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Thu, 16 Jul 2020 14:25:11 -0400 Subject: EDAC/ie31200: Fallback if host bridge device is already initialized @@ -39,7 +39,7 @@ index aac9b9b360b80..9e4781a807cfa 100644 struct ie31200_priv { void __iomem *window; -@@ -518,12 +520,16 @@ fail_free: +@@ -518,12 +520,16 @@ static int ie31200_probe1(struct pci_dev *pdev, int dev_idx) static int ie31200_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) { diff --git a/queue-4.14/epoll-keep-a-reference-on-files-added-to-the-check-l.patch b/queue-4.14/epoll-keep-a-reference-on-files-added-to-the-check-l.patch deleted file mode 100644 index 860f1515a8c..00000000000 --- a/queue-4.14/epoll-keep-a-reference-on-files-added-to-the-check-l.patch +++ /dev/null 
@@ -1,70 +0,0 @@
-From d038880a5c13b3dc05c96f534f646873998538d4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Wed, 19 Aug 2020 17:12:17 +0100
-Subject: epoll: Keep a reference on files added to the check list
-
-From: Marc Zyngier
-
-commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682 upstream.
-
-When adding a new fd to an epoll, and that this new fd is an
-epoll fd itself, we recursively scan the fds attached to it
-to detect cycles, and add non-epool files to a "check list"
-that gets subsequently parsed.
-
-However, this check list isn't completely safe when deletions
-can happen concurrently. To sidestep the issue, make sure that
-a struct file placed on the check list sees its f_count increased,
-ensuring that a concurrent deletion won't result in the file
-disapearing from under our feet.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Marc Zyngier
-Signed-off-by: Al Viro
-Signed-off-by: Marc Zyngier
-Signed-off-by: Greg Kroah-Hartman
----
- fs/eventpoll.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/fs/eventpoll.c b/fs/eventpoll.c
-index c291bf61afb9c..94f6c19dcf30a 100644
---- a/fs/eventpoll.c
-+++ b/fs/eventpoll.c
-@@ -1900,9 +1900,11 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
- * not already there, and calling reverse_path_check()
- * during ep_insert().
- */
-- if (list_empty(&epi->ffd.file->f_tfile_llink))
-+ if (list_empty(&epi->ffd.file->f_tfile_llink)) {
-+ get_file(epi->ffd.file);
- list_add(&epi->ffd.file->f_tfile_llink,
- &tfile_check_list);
-+ }
- }
- }
- mutex_unlock(&ep->mtx);
-@@ -1946,6 +1948,7 @@ static void clear_tfile_check_list(void)
- file = list_first_entry(&tfile_check_list, struct file,
- f_tfile_llink);
- list_del_init(&file->f_tfile_llink);
-+ fput(file);
- }
- INIT_LIST_HEAD(&tfile_check_list);
- }
-@@ -2100,9 +2103,11 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,
- clear_tfile_check_list();
- goto error_tgt_fput;
- }
-- } else
-+ } else {
-+ get_file(tf.file);
- list_add(&tf.file->f_tfile_llink,
- &tfile_check_list);
-+ }
- mutex_lock_nested(&ep->mtx, 0);
- if (is_file_epoll(tf.file)) {
- tep = tf.file->private_data;
---
-2.25.1
-
diff --git a/queue-4.14/ext4-fix-checking-of-directory-entry-validity-for-in.patch b/queue-4.14/ext4-fix-checking-of-directory-entry-validity-for-in.patch
deleted file mode 100644
index 5d9d1d5e2d1..00000000000
--- a/queue-4.14/ext4-fix-checking-of-directory-entry-validity-for-in.patch
+++ /dev/null
@@ -1,60 +0,0 @@ -From c79889720bbb267d42692ad58a7f6a1aea8e4aa8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 31 Jul 2020 18:21:35 +0200 -Subject: ext4: fix checking of directory entry validity for inline directories - -From: Jan Kara - -commit 7303cb5bfe845f7d43cd9b2dbd37dbb266efda9b upstream. - -ext4_search_dir() and ext4_generic_delete_entry() can be called both for -standard director blocks and for inline directories stored inside inode -or inline xattr space. For the second case we didn't call -ext4_check_dir_entry() with proper constraints that could result in -accepting corrupted directory entry as well as false positive filesystem -errors like: - -EXT4-fs error (device dm-0): ext4_search_dir:1395: inode #28320400: -block 113246792: comm dockerd: bad entry in directory: directory entry too -close to block end - offset=0, inode=28320403, rec_len=32, name_len=8, -size=4096 - -Fix the arguments passed to ext4_check_dir_entry(). - -Fixes: 109ba779d6cc ("ext4: check for directory entries too close to block end") -CC: stable@vger.kernel.org -Signed-off-by: Jan Kara -Link: https://lore.kernel.org/r/20200731162135.8080-1-jack@suse.cz -Signed-off-by: Theodore Ts'o -Signed-off-by: Greg Kroah-Hartman ---- - fs/ext4/namei.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c -index 161099f39ab9c..ed17edb31e22f 100644 ---- a/fs/ext4/namei.c -+++ b/fs/ext4/namei.c -@@ -1308,8 +1308,8 @@ int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size, - ext4_match(fname, de)) { - /* found a match - just to be sure, do - * a full check */ -- if (ext4_check_dir_entry(dir, NULL, de, bh, bh->b_data, -- bh->b_size, offset)) -+ if (ext4_check_dir_entry(dir, NULL, de, bh, search_buf, -+ buf_size, offset)) - return -1; - *res_dir = de; - return 1; -@@ -2353,7 +2353,7 @@ int ext4_generic_delete_entry(handle_t *handle, - de = (struct ext4_dir_entry_2 *)entry_buf; - while (i < buf_size - csum_size) { - if 
(ext4_check_dir_entry(dir, NULL, de, bh, -- bh->b_data, bh->b_size, i)) -+ entry_buf, buf_size, i)) - return -EFSCORRUPTED; - if (de == de_del) { - if (pde) --- -2.25.1 - diff --git a/queue-4.14/ext4-fix-potential-negative-array-index-in-do_split.patch b/queue-4.14/ext4-fix-potential-negative-array-index-in-do_split.patch deleted file mode 100644 index 6b30ccacd3c..00000000000 --- a/queue-4.14/ext4-fix-potential-negative-array-index-in-do_split.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From 5c4fa6f17a46c4cf2ebb4c9bb0303fccfea753b0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 17 Jun 2020 14:19:04 -0500 -Subject: ext4: fix potential negative array index in do_split() - -From: Eric Sandeen - -[ Upstream commit 5872331b3d91820e14716632ebb56b1399b34fe1 ] - -If for any reason a directory passed to do_split() does not have enough -active entries to exceed half the size of the block, we can end up -iterating over all "count" entries without finding a split point. - -In this case, count == move, and split will be zero, and we will -attempt a negative index into map[]. - -Guard against this by detecting this case, and falling back to -split-to-half-of-count instead; in this case we will still have -plenty of space (> half blocksize) in each split block. - -Fixes: ef2b02d3e617 ("ext34: ensure do_split leaves enough free space in both blocks") -Signed-off-by: Eric Sandeen -Reviewed-by: Andreas Dilger -Reviewed-by: Jan Kara -Link: https://lore.kernel.org/r/f53e246b-647c-64bb-16ec-135383c70ad7@redhat.com -Signed-off-by: Theodore Ts'o -Signed-off-by: Sasha Levin ---- - fs/ext4/namei.c | 16 +++++++++++++--- - 1 file changed, 13 insertions(+), 3 deletions(-) - -diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c -index ed17edb31e22f..3f999053457b6 100644 ---- a/fs/ext4/namei.c -+++ b/fs/ext4/namei.c -@@ -1741,7 +1741,7 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, - blocksize, hinfo, map); - map -= count; - dx_sort_map(map, count); -- /* Split the existing block in the middle, size-wise */ -+ /* Ensure that neither split block is over half full */ - size = 0; - move = 0; - for (i = count-1; i >= 0; i--) { -@@ -1751,8 +1751,18 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, - size += map[i].size; - move++; - } -- /* map index at which we will split */ -- split = count - move; -+ /* -+ * map index at which we will split -+ * -+ * If the sum of active entries didn't exceed 
half the block size, just -+ * split it in half by count; each resulting block will have at least -+ * half the space free. -+ */ -+ if (i > 0) -+ split = count - move; -+ else -+ split = count/2; -+ - hash2 = map[split].hash; - continued = hash2 == map[split - 1].hash; - dxtrace(printk(KERN_INFO "Split block %lu at %x, %i/%i\n", --- -2.25.1 - diff --git a/queue-4.14/f2fs-fix-use-after-free-issue.patch b/queue-4.14/f2fs-fix-use-after-free-issue.patch index 549dbd98902..715a3c3f41e 100644 --- a/queue-4.14/f2fs-fix-use-after-free-issue.patch +++ b/queue-4.14/f2fs-fix-use-after-free-issue.patch @@ -1,4 +1,4 @@ -From c6b647d1593303b2343f64b7423377185b35fb68 Mon Sep 17 00:00:00 2001 +From 10f58f3591d68ce6f3a5d7c739e63ac6c1e3138e Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 24 Jul 2020 09:38:11 +0800 Subject: f2fs: fix use-after-free issue diff --git a/queue-4.14/hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch b/queue-4.14/hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch deleted file mode 100644 index 1638f831778..00000000000 --- a/queue-4.14/hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch +++ /dev/null 
@@ -1,45 +0,0 @@
-From 93c9d80475243c8768129d50edd386d2e391302b Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Thu, 20 Aug 2020 14:53:15 -0700
-Subject: hv_netvsc: Fix the queue_mapping in netvsc_vf_xmit()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Haiyang Zhang
-
-[ Upstream commit c3d897e01aef8ddc43149e4d661b86f823e3aae7 ]
-
-netvsc_vf_xmit() / dev_queue_xmit() will call VF NIC’s ndo_select_queue
-or netdev_pick_tx() again. They will use skb_get_rx_queue() to get the
-queue number, so the “skb->queue_mapping - 1” will be used. This may
-cause the last queue of VF not been used.
-
-Use skb_record_rx_queue() here, so that the skb_get_rx_queue() called
-later will get the correct queue number, and VF will be able to use
-all queues.
-
-Fixes: b3bf5666a510 ("hv_netvsc: defer queue selection to VF")
-Signed-off-by: Haiyang Zhang
-Signed-off-by: David S. Miller
-Signed-off-by: Sasha Levin
----
- drivers/net/hyperv/netvsc_drv.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
-index 10c3480c2da89..dbc6c9ed1c8f8 100644
---- a/drivers/net/hyperv/netvsc_drv.c
-+++ b/drivers/net/hyperv/netvsc_drv.c
-@@ -500,7 +500,7 @@ static int netvsc_vf_xmit(struct net_device *net, struct net_device *vf_netdev,
- int rc;
-
- skb->dev = vf_netdev;
-- skb->queue_mapping = qdisc_skb_cb(skb)->slave_dev_queue_mapping;
-+ skb_record_rx_queue(skb, qdisc_skb_cb(skb)->slave_dev_queue_mapping);
-
- rc = dev_queue_xmit(skb);
- if (likely(rc == NET_XMIT_SUCCESS || rc == NET_XMIT_CN)) {
---
-2.25.1
-
diff --git a/queue-4.14/i40e-fix-crash-during-removing-i40e-driver.patch b/queue-4.14/i40e-fix-crash-during-removing-i40e-driver.patch
deleted file mode 100644
index 3e78edc5a51..00000000000
--- a/queue-4.14/i40e-fix-crash-during-removing-i40e-driver.patch
+++ /dev/null
@@ -1,80 +0,0 @@ -From 6df595adae5589f6d4e8a68ddba8483985292bbd Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 11 Aug 2020 10:56:49 +0000 -Subject: i40e: Fix crash during removing i40e driver - -From: Grzegorz Szczurek - -[ Upstream commit 5b6d4a7f20b09c47ca598760f6dafd554af8b6d5 ] - -Fix the reason of crashing system by add waiting time to finish reset -recovery process before starting remove driver procedure. -Now VSI is releasing if VSI is not in reset recovery mode. -Without this fix it was possible to start remove driver if other -processing command need reset recovery procedure which resulted in -null pointer dereference. VSI used by the ethtool process has been -cleared by remove driver process. - -[ 6731.508665] BUG: kernel NULL pointer dereference, address: 0000000000000000 -[ 6731.508668] #PF: supervisor read access in kernel mode -[ 6731.508670] #PF: error_code(0x0000) - not-present page -[ 6731.508671] PGD 0 P4D 0 -[ 6731.508674] Oops: 0000 [#1] SMP PTI -[ 6731.508679] Hardware name: Intel Corporation S2600WT2R/S2600WT2R, BIOS SE5C610.86B.01.01.0021.032120170601 03/21/2017 -[ 6731.508694] RIP: 0010:i40e_down+0x252/0x310 [i40e] -[ 6731.508696] Code: c7 78 de fa c0 e8 61 02 3a c1 66 83 bb f6 0c 00 00 00 0f 84 bf 00 00 00 45 31 e4 45 31 ff eb 03 41 89 c7 48 8b 83 98 0c 00 00 <4a> 8b 3c 20 e8 a5 79 02 00 48 83 bb d0 0c 00 00 00 74 10 48 8b 83 -[ 6731.508698] RSP: 0018:ffffb75ac7b3faf0 EFLAGS: 00010246 -[ 6731.508700] RAX: 0000000000000000 RBX: ffff9c9874bd5000 RCX: 0000000000000007 -[ 6731.508701] RDX: 0000000000000000 RSI: 0000000000000096 RDI: ffff9c987f4d9780 -[ 6731.508703] RBP: ffffb75ac7b3fb30 R08: 0000000000005b60 R09: 0000000000000004 -[ 6731.508704] R10: ffffb75ac64fbd90 R11: 0000000000000001 R12: 0000000000000000 -[ 6731.508706] R13: ffff9c97a08e0000 R14: ffff9c97a08e0a68 R15: 0000000000000000 -[ 6731.508708] FS: 00007f2617cd2740(0000) GS:ffff9c987f4c0000(0000) knlGS:0000000000000000 -[ 6731.508710] CS: 0010 DS: 0000 ES: 0000 CR0: 
0000000080050033 -[ 6731.508711] CR2: 0000000000000000 CR3: 0000001e765c4006 CR4: 00000000003606e0 -[ 6731.508713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -[ 6731.508714] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -[ 6731.508715] Call Trace: -[ 6731.508734] i40e_vsi_close+0x84/0x90 [i40e] -[ 6731.508742] i40e_quiesce_vsi.part.98+0x3c/0x40 [i40e] -[ 6731.508749] i40e_pf_quiesce_all_vsi+0x55/0x60 [i40e] -[ 6731.508757] i40e_prep_for_reset+0x59/0x130 [i40e] -[ 6731.508765] i40e_reconfig_rss_queues+0x5a/0x120 [i40e] -[ 6731.508774] i40e_set_channels+0xda/0x170 [i40e] -[ 6731.508778] ethtool_set_channels+0xe9/0x150 -[ 6731.508781] dev_ethtool+0x1b94/0x2920 -[ 6731.508805] dev_ioctl+0xc2/0x590 -[ 6731.508811] sock_do_ioctl+0xae/0x150 -[ 6731.508813] sock_ioctl+0x34f/0x3c0 -[ 6731.508821] ksys_ioctl+0x98/0xb0 -[ 6731.508828] __x64_sys_ioctl+0x1a/0x20 -[ 6731.508831] do_syscall_64+0x57/0x1c0 -[ 6731.508835] entry_SYSCALL_64_after_hwframe+0x44/0xa9 - -Fixes: 4b8164467b85 ("i40e: Add common function for finding VSI by type") -Signed-off-by: Grzegorz Szczurek -Signed-off-by: Arkadiusz Kubalewski -Tested-by: Aaron Brown -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/i40e/i40e_main.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c -index aa2b446d6ad0f..f4475cbf8ce86 100644 ---- a/drivers/net/ethernet/intel/i40e/i40e_main.c -+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c -@@ -11822,6 +11822,9 @@ static void i40e_remove(struct pci_dev *pdev) - i40e_write_rx_ctl(hw, I40E_PFQF_HENA(0), 0); - i40e_write_rx_ctl(hw, I40E_PFQF_HENA(1), 0); - -+ while (test_bit(__I40E_RESET_RECOVERY_PENDING, pf->state)) -+ usleep_range(1000, 2000); -+ - /* no more scheduling of any task */ - set_bit(__I40E_SUSPENDED, pf->state); - set_bit(__I40E_DOWN, pf->state); --- -2.25.1 - 
diff --git a/queue-4.14/i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch b/queue-4.14/i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch
deleted file mode 100644
index a16e9bffd05..00000000000
--- a/queue-4.14/i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch
+++ /dev/null
@@ -1,114 +0,0 @@ -From a8393d89e49a3dde8afa3b3c89c35b25e3ab6a67 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 6 Aug 2020 13:40:59 +0000 -Subject: i40e: Set RX_ONLY mode for unicast promiscuous on VLAN - -From: Przemyslaw Patynowski - -[ Upstream commit 4bd5e02a2ed1575c2f65bd3c557a077dd399f0e8 ] - -Trusted VF with unicast promiscuous mode set, could listen to TX -traffic of other VFs. -Set unicast promiscuous mode to RX traffic, if VSI has port VLAN -configured. Rename misleading I40E_AQC_SET_VSI_PROMISC_TX bit to -I40E_AQC_SET_VSI_PROMISC_RX_ONLY. Aligned unicast promiscuous with -VLAN to the one without VLAN. - -Fixes: 6c41a7606967 ("i40e: Add promiscuous on VLAN support") -Fixes: 3b1200891b7f ("i40e: When in promisc mode apply promisc mode to Tx Traffic as well") -Signed-off-by: Przemyslaw Patynowski -Signed-off-by: Aleksandr Loktionov -Signed-off-by: Arkadiusz Kubalewski -Tested-by: Andrew Bowers -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - .../net/ethernet/intel/i40e/i40e_adminq_cmd.h | 2 +- - drivers/net/ethernet/intel/i40e/i40e_common.c | 35 ++++++++++++++----- - 2 files changed, 28 insertions(+), 9 deletions(-) - -diff --git a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h -index 5d5f422cbae55..f82da2b47d9a5 100644 ---- a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h -+++ b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h -@@ -1175,7 +1175,7 @@ struct i40e_aqc_set_vsi_promiscuous_modes { - #define I40E_AQC_SET_VSI_PROMISC_BROADCAST 0x04 - #define I40E_AQC_SET_VSI_DEFAULT 0x08 - #define I40E_AQC_SET_VSI_PROMISC_VLAN 0x10 --#define I40E_AQC_SET_VSI_PROMISC_TX 0x8000 -+#define I40E_AQC_SET_VSI_PROMISC_RX_ONLY 0x8000 - __le16 seid; - #define I40E_AQC_VSI_PROM_CMD_SEID_MASK 0x3FF - __le16 vlan_tag; -diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c -index 111426ba5fbce..3fd2dfaf2bd53 100644 ---- 
a/drivers/net/ethernet/intel/i40e/i40e_common.c -+++ b/drivers/net/ethernet/intel/i40e/i40e_common.c -@@ -1914,6 +1914,21 @@ i40e_status i40e_aq_set_phy_debug(struct i40e_hw *hw, u8 cmd_flags, - return status; - } - -+/** -+ * i40e_is_aq_api_ver_ge -+ * @aq: pointer to AdminQ info containing HW API version to compare -+ * @maj: API major value -+ * @min: API minor value -+ * -+ * Assert whether current HW API version is greater/equal than provided. -+ **/ -+static bool i40e_is_aq_api_ver_ge(struct i40e_adminq_info *aq, u16 maj, -+ u16 min) -+{ -+ return (aq->api_maj_ver > maj || -+ (aq->api_maj_ver == maj && aq->api_min_ver >= min)); -+} -+ - /** - * i40e_aq_add_vsi - * @hw: pointer to the hw struct -@@ -2039,18 +2054,16 @@ i40e_status i40e_aq_set_vsi_unicast_promiscuous(struct i40e_hw *hw, - - if (set) { - flags |= I40E_AQC_SET_VSI_PROMISC_UNICAST; -- if (rx_only_promisc && -- (((hw->aq.api_maj_ver == 1) && (hw->aq.api_min_ver >= 5)) || -- (hw->aq.api_maj_ver > 1))) -- flags |= I40E_AQC_SET_VSI_PROMISC_TX; -+ if (rx_only_promisc && i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)) -+ flags |= I40E_AQC_SET_VSI_PROMISC_RX_ONLY; - } - - cmd->promiscuous_flags = cpu_to_le16(flags); - - cmd->valid_flags = cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_UNICAST); -- if (((hw->aq.api_maj_ver >= 1) && (hw->aq.api_min_ver >= 5)) || -- (hw->aq.api_maj_ver > 1)) -- cmd->valid_flags |= cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_TX); -+ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)) -+ cmd->valid_flags |= -+ cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_RX_ONLY); - - cmd->seid = cpu_to_le16(seid); - status = i40e_asq_send_command(hw, &desc, NULL, 0, cmd_details); -@@ -2147,11 +2160,17 @@ enum i40e_status_code i40e_aq_set_vsi_uc_promisc_on_vlan(struct i40e_hw *hw, - i40e_fill_default_direct_cmd_desc(&desc, - i40e_aqc_opc_set_vsi_promiscuous_modes); - -- if (enable) -+ if (enable) { - flags |= I40E_AQC_SET_VSI_PROMISC_UNICAST; -+ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5)) -+ flags |= I40E_AQC_SET_VSI_PROMISC_RX_ONLY; -+ } 
-
- cmd->promiscuous_flags = cpu_to_le16(flags);
- cmd->valid_flags = cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_UNICAST);
-+ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5))
-+ cmd->valid_flags |=
-+ cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_RX_ONLY);
- cmd->seid = cpu_to_le16(seid);
- cmd->vlan_tag = cpu_to_le16(vid | I40E_AQC_SET_VSI_VLAN_VALID);
-
---
-2.25.1
-
diff --git a/queue-4.14/input-psmouse-add-a-newline-when-printing-proto-by-s.patch b/queue-4.14/input-psmouse-add-a-newline-when-printing-proto-by-s.patch
deleted file mode 100644
index aad4c226994..00000000000
--- a/queue-4.14/input-psmouse-add-a-newline-when-printing-proto-by-s.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From e4e836f19bb71e825aa072530c7652ff158dbbbf Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Tue, 21 Jul 2020 22:24:07 -0700
-Subject: Input: psmouse - add a newline when printing 'proto' by sysfs
-
-From: Xiongfeng Wang
-
-[ Upstream commit 4aec14de3a15cf9789a0e19c847f164776f49473 ]
-
-When I cat parameter 'proto' by sysfs, it displays as follows. It's
-better to add a newline for easy reading.
-
-root@syzkaller:~# cat /sys/module/psmouse/parameters/proto
-autoroot@syzkaller:~#
-
-Signed-off-by: Xiongfeng Wang
-Link: https://lore.kernel.org/r/20200720073846.120724-1-wangxiongfeng2@huawei.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Sasha Levin
----
- drivers/input/mouse/psmouse-base.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/input/mouse/psmouse-base.c b/drivers/input/mouse/psmouse-base.c
-index 8ac9e03c05b45..ca8f726dab2e7 100644
---- a/drivers/input/mouse/psmouse-base.c
-+++ b/drivers/input/mouse/psmouse-base.c
-@@ -2012,7 +2012,7 @@ static int psmouse_get_maxproto(char *buffer, const struct kernel_param *kp)
- {
- int type = *((unsigned int *)kp->arg);
-
-- return sprintf(buffer, "%s", psmouse_protocol_by_type(type)->name);
-+ return sprintf(buffer, "%s\n", psmouse_protocol_by_type(type)->name);
- }
-
- static int __init psmouse_init(void)
---
-2.25.1
-
diff --git a/queue-4.14/iommu-iova-don-t-bug-on-invalid-pfns.patch b/queue-4.14/iommu-iova-don-t-bug-on-invalid-pfns.patch
index 602a656162e..7f666726806 100644
--- a/queue-4.14/iommu-iova-don-t-bug-on-invalid-pfns.patch
+++ b/queue-4.14/iommu-iova-don-t-bug-on-invalid-pfns.patch
@@ -1,4 +1,4 @@
-From e0171c8b499fcc36d4a9d34751b47aa026605ab9 Mon Sep 17 00:00:00 2001
+From 000135d3645e9baaa42313e7eec1828393032098 Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Tue, 2 Jun 2020 14:08:18 +0100
 Subject: iommu/iova: Don't BUG on invalid PFNs
diff --git a/queue-4.14/jbd2-add-the-missing-unlock_buffer-in-the-error-path.patch b/queue-4.14/jbd2-add-the-missing-unlock_buffer-in-the-error-path.patch
deleted file mode 100644
index a3dd8abd932..00000000000
--- a/queue-4.14/jbd2-add-the-missing-unlock_buffer-in-the-error-path.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 98663c355b7b1e2ebc089cb2d88d00244f8803b5 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Sat, 20 Jun 2020 14:19:48 +0800
-Subject: jbd2: add the missing unlock_buffer() in the error path of
- jbd2_write_superblock()
-
-From: zhangyi (F)
-
-commit ef3f5830b859604eda8723c26d90ab23edc027a4 upstream.
-
-jbd2_write_superblock() is under the buffer lock of journal superblock
-before ending that superblock write, so add a missing unlock_buffer() in
-in the error path before submitting buffer.
-
-Fixes: 742b06b5628f ("jbd2: check superblock mapped prior to committing")
-Signed-off-by: zhangyi (F)
-Reviewed-by: Ritesh Harjani
-Cc: stable@kernel.org
-Link: https://lore.kernel.org/r/20200620061948.2049579-1-yi.zhang@huawei.com
-Signed-off-by: Theodore Ts'o
-Signed-off-by: Greg Kroah-Hartman
----
- fs/jbd2/journal.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
-index 6e054b368b5fe..93a466cf58ba7 100644
---- a/fs/jbd2/journal.c
-+++ b/fs/jbd2/journal.c
-@@ -1356,8 +1356,10 @@ static int jbd2_write_superblock(journal_t *journal, int write_flags)
- int ret;
-
- /* Buffer got discarded which means block device got invalidated */
-- if (!buffer_mapped(bh))
-+ if (!buffer_mapped(bh)) {
-+ unlock_buffer(bh);
- return -EIO;
-+ }
-
- trace_jbd2_write_superblock(journal, write_flags);
- if (!(journal->j_flags & JBD2_BARRIER))
---
-2.25.1
-
diff --git a/queue-4.14/jffs2-fix-uaf-problem.patch b/queue-4.14/jffs2-fix-uaf-problem.patch
deleted file mode 100644
index be8d499215c..00000000000
--- a/queue-4.14/jffs2-fix-uaf-problem.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 58fe80de72143ab2519d6ebcf8d06c79c6472fdf Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Fri, 19 Jun 2020 17:06:35 +0800
-Subject: jffs2: fix UAF problem
-
-From: Zhe Li
-
-[ Upstream commit 798b7347e4f29553db4b996393caf12f5b233daf ]
-
-The log of UAF problem is listed below.
-BUG: KASAN: use-after-free in jffs2_rmdir+0xa4/0x1cc [jffs2] at addr c1f165fc
-Read of size 4 by task rm/8283
-=============================================================================
-BUG kmalloc-32 (Tainted: P B O ): kasan: bad access detected
------------------------------------------------------------------------------
-
-INFO: Allocated in 0xbbbbbbbb age=3054364 cpu=0 pid=0
- 0xb0bba6ef
- jffs2_write_dirent+0x11c/0x9c8 [jffs2]
- __slab_alloc.isra.21.constprop.25+0x2c/0x44
- __kmalloc+0x1dc/0x370
- jffs2_write_dirent+0x11c/0x9c8 [jffs2]
- jffs2_do_unlink+0x328/0x5fc [jffs2]
- jffs2_rmdir+0x110/0x1cc [jffs2]
- vfs_rmdir+0x180/0x268
- do_rmdir+0x2cc/0x300
- ret_from_syscall+0x0/0x3c
-INFO: Freed in 0x205b age=3054364 cpu=0 pid=0
- 0x2e9173
- jffs2_add_fd_to_list+0x138/0x1dc [jffs2]
- jffs2_add_fd_to_list+0x138/0x1dc [jffs2]
- jffs2_garbage_collect_dirent.isra.3+0x21c/0x288 [jffs2]
- jffs2_garbage_collect_live+0x16bc/0x1800 [jffs2]
- jffs2_garbage_collect_pass+0x678/0x11d4 [jffs2]
- jffs2_garbage_collect_thread+0x1e8/0x3b0 [jffs2]
- kthread+0x1a8/0x1b0
- ret_from_kernel_thread+0x5c/0x64
-Call Trace:
-[c17ddd20] [c02452d4] kasan_report.part.0+0x298/0x72c (unreliable)
-[c17ddda0] [d2509680] jffs2_rmdir+0xa4/0x1cc [jffs2]
-[c17dddd0] [c026da04] vfs_rmdir+0x180/0x268
-[c17dde00] [c026f4e4] do_rmdir+0x2cc/0x300
-[c17ddf40] [c001a658] ret_from_syscall+0x0/0x3c
-
-The root cause is that we don't get "jffs2_inode_info.sem" before
-we scan list "jffs2_inode_info.dents" in function jffs2_rmdir.
-This patch add codes to get "jffs2_inode_info.sem" before we scan
-"jffs2_inode_info.dents" to slove the UAF problem.
-
-Signed-off-by: Zhe Li
-Reviewed-by: Hou Tao
-Signed-off-by: Richard Weinberger
-Signed-off-by: Sasha Levin
----
- fs/jffs2/dir.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/fs/jffs2/dir.c b/fs/jffs2/dir.c
-index e5a6deb38e1e1..f4a5ec92f5dc7 100644
---- a/fs/jffs2/dir.c
-+++ b/fs/jffs2/dir.c
-@@ -590,10 +590,14 @@ static int jffs2_rmdir (struct inode *dir_i, struct dentry *dentry)
- int ret;
- uint32_t now = get_seconds();
-
-+ mutex_lock(&f->sem);
- for (fd = f->dents ; fd; fd = fd->next) {
-- if (fd->ino)
-+ if (fd->ino) {
-+ mutex_unlock(&f->sem);
- return -ENOTEMPTY;
-+ }
- }
-+ mutex_unlock(&f->sem);
-
- ret = jffs2_do_unlink(c, dir_f, dentry->d_name.name,
- dentry->d_name.len, f, now);
---
-2.25.1
-
diff --git a/queue-4.14/kernel-relay.c-fix-memleak-on-destroy-relay-channel.patch b/queue-4.14/kernel-relay.c-fix-memleak-on-destroy-relay-channel.patch
deleted file mode 100644
index 08120a901f2..00000000000
--- a/queue-4.14/kernel-relay.c-fix-memleak-on-destroy-relay-channel.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 24bf8b16f00781ebbf369484bb4b0a84a0733ed6 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Thu, 20 Aug 2020 17:42:14 -0700
-Subject: kernel/relay.c: fix memleak on destroy relay channel
-
-From: Wei Yongjun
-
-commit 71e843295c680898959b22dc877ae3839cc22470 upstream.
-
-kmemleak report memory leak as follows:
-
- unreferenced object 0x607ee4e5f948 (size 8):
- comm "syz-executor.1", pid 2098, jiffies 4295031601 (age 288.468s)
- hex dump (first 8 bytes):
- 00 00 00 00 00 00 00 00 ........
- backtrace:
- relay_open kernel/relay.c:583 [inline]
- relay_open+0xb6/0x970 kernel/relay.c:563
- do_blk_trace_setup+0x4a8/0xb20 kernel/trace/blktrace.c:557
- __blk_trace_setup+0xb6/0x150 kernel/trace/blktrace.c:597
- blk_trace_ioctl+0x146/0x280 kernel/trace/blktrace.c:738
- blkdev_ioctl+0xb2/0x6a0 block/ioctl.c:613
- block_ioctl+0xe5/0x120 fs/block_dev.c:1871
- vfs_ioctl fs/ioctl.c:48 [inline]
- __do_sys_ioctl fs/ioctl.c:753 [inline]
- __se_sys_ioctl fs/ioctl.c:739 [inline]
- __x64_sys_ioctl+0x170/0x1ce fs/ioctl.c:739
- do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
- entry_SYSCALL_64_after_hwframe+0x44/0xa9
-
-'chan->buf' is malloced in relay_open() by alloc_percpu() but not free
-while destroy the relay channel. Fix it by adding free_percpu() before
-return from relay_destroy_channel().
-
-Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers")
-Reported-by: Hulk Robot
-Signed-off-by: Wei Yongjun
-Signed-off-by: Andrew Morton
-Reviewed-by: Chris Wilson
-Cc: Al Viro
-Cc: Michael Ellerman
-Cc: David Rientjes
-Cc: Michel Lespinasse
-Cc: Daniel Axtens
-Cc: Thomas Gleixner
-Cc: Akash Goel
-Cc:
-Link: http://lkml.kernel.org/r/20200817122826.48518-1-weiyongjun1@huawei.com
-Signed-off-by: Linus Torvalds
-Signed-off-by: Greg Kroah-Hartman
----
- kernel/relay.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/kernel/relay.c b/kernel/relay.c
-index b141ce697679f..53c2a1a4b057f 100644
---- a/kernel/relay.c
-+++ b/kernel/relay.c
-@@ -196,6 +196,7 @@ free_buf:
- static void relay_destroy_channel(struct kref *kref)
- {
- struct rchan *chan = container_of(kref, struct rchan, kref);
-+ free_percpu(chan->buf);
- kfree(chan);
- }
-
---
-2.25.1
-
diff --git a/queue-4.14/khugepaged-adjust-vm_bug_on_mm-in-__khugepaged_enter.patch b/queue-4.14/khugepaged-adjust-vm_bug_on_mm-in-__khugepaged_enter.patch
deleted file mode 100644
index bde799149d9..00000000000
--- a/queue-4.14/khugepaged-adjust-vm_bug_on_mm-in-__khugepaged_enter.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 8e9dd098b36088c5f349aa17f3fe8136ee249ab1 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Thu, 20 Aug 2020 17:42:02 -0700
-Subject: khugepaged: adjust VM_BUG_ON_MM() in __khugepaged_enter()
-
-From: Hugh Dickins
-
-[ Upstream commit f3f99d63a8156c7a4a6b20aac22b53c5579c7dc1 ]
-
-syzbot crashes on the VM_BUG_ON_MM(khugepaged_test_exit(mm), mm) in
-__khugepaged_enter(): yes, when one thread is about to dump core, has set
-core_state, and is waiting for others, another might do something calling
-__khugepaged_enter(), which now crashes because I lumped the core_state
-test (known as "mmget_still_valid") into khugepaged_test_exit(). I still
-think it's best to lump them together, so just in this exceptional case,
-check mm->mm_users directly instead of khugepaged_test_exit().
-
-Fixes: bbe98f9cadff ("khugepaged: khugepaged_test_exit() check mmget_still_valid()")
-Reported-by: syzbot
-Signed-off-by: Hugh Dickins
-Signed-off-by: Andrew Morton
-Acked-by: Yang Shi
-Cc: "Kirill A. Shutemov"
-Cc: Andrea Arcangeli
-Cc: Song Liu
-Cc: Mike Kravetz
-Cc: Eric Dumazet
-Cc: [4.8+]
-Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008141503370.18085@eggly.anvils
-Signed-off-by: Linus Torvalds
-Signed-off-by: Sasha Levin
----
- mm/khugepaged.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/mm/khugepaged.c b/mm/khugepaged.c
-index a1b7475c05d04..9dfe364d4c0d1 100644
---- a/mm/khugepaged.c
-+++ b/mm/khugepaged.c
-@@ -407,7 +407,7 @@ int __khugepaged_enter(struct mm_struct *mm)
- return -ENOMEM;
-
- /* __khugepaged_exit() must not run from under us */
-- VM_BUG_ON_MM(khugepaged_test_exit(mm), mm);
-+ VM_BUG_ON_MM(atomic_read(&mm->mm_users) == 0, mm);
- if (unlikely(test_and_set_bit(MMF_VM_HUGEPAGE, &mm->flags))) {
- free_mm_slot(mm_slot);
- return 0;
---
-2.25.1
-
diff --git a/queue-4.14/khugepaged-khugepaged_test_exit-check-mmget_still_va.patch b/queue-4.14/khugepaged-khugepaged_test_exit-check-mmget_still_va.patch
deleted file mode 100644
index 1ad7167c9b2..00000000000
--- a/queue-4.14/khugepaged-khugepaged_test_exit-check-mmget_still_va.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 1490b4a5fd5b259b68c6fd44a20cea6d0601cb61 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Thu, 6 Aug 2020 23:26:25 -0700
-Subject: khugepaged: khugepaged_test_exit() check mmget_still_valid()
-
-From: Hugh Dickins
-
-[ Upstream commit bbe98f9cadff58cdd6a4acaeba0efa8565dabe65 ]
-
-Move collapse_huge_page()'s mmget_still_valid() check into
-khugepaged_test_exit() itself. collapse_huge_page() is used for anon THP
-only, and earned its mmget_still_valid() check because it inserts a huge
-pmd entry in place of the page table's pmd entry; whereas
-collapse_file()'s retract_page_tables() or collapse_pte_mapped_thp()
-merely clears the page table's pmd entry. But core dumping without mmap
-lock must have been as open to mistaking a racily cleared pmd entry for a
-page table at physical page 0, as exit_mmap() was. And we certainly have
-no interest in mapping as a THP once dumping core.
-
-Fixes: 59ea6d06cfa9 ("coredump: fix race condition between collapse_huge_page() and core dumping")
-Signed-off-by: Hugh Dickins
-Signed-off-by: Andrew Morton
-Cc: Andrea Arcangeli
-Cc: Song Liu
-Cc: Mike Kravetz
-Cc: Kirill A. Shutemov
-Cc: [4.8+]
-Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008021217020.27773@eggly.anvils
-Signed-off-by: Linus Torvalds
-Signed-off-by: Sasha Levin
----
- mm/khugepaged.c | 5 +----
- 1 file changed, 1 insertion(+), 4 deletions(-)
-
-diff --git a/mm/khugepaged.c b/mm/khugepaged.c
-index 04b4c38d0c184..a1b7475c05d04 100644
---- a/mm/khugepaged.c
-+++ b/mm/khugepaged.c
-@@ -394,7 +394,7 @@ static void insert_to_mm_slots_hash(struct mm_struct *mm,
-
- static inline int khugepaged_test_exit(struct mm_struct *mm)
- {
-- return atomic_read(&mm->mm_users) == 0;
-+ return atomic_read(&mm->mm_users) == 0 || !mmget_still_valid(mm);
- }
-
- int __khugepaged_enter(struct mm_struct *mm)
-@@ -1006,9 +1006,6 @@ static void collapse_huge_page(struct mm_struct *mm,
- * handled by the anon_vma lock + PG_lock.
- */
- down_write(&mm->mmap_sem);
-- result = SCAN_ANY_PROCESS;
-- if (!mmget_still_valid(mm))
-- goto out;
- result = hugepage_vma_revalidate(mm, address, &vma);
- if (result)
- goto out;
---
-2.25.1
-
diff --git a/queue-4.14/kvm-arm-arm64-don-t-reschedule-in-unmap_stage2_range.patch b/queue-4.14/kvm-arm-arm64-don-t-reschedule-in-unmap_stage2_range.patch
deleted file mode 100644
index 0c1d46fa119..00000000000
--- a/queue-4.14/kvm-arm-arm64-don-t-reschedule-in-unmap_stage2_range.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From e755100091db3549d3f9d31ed0ba9136d311ac1e Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Mon, 24 Aug 2020 12:29:54 +0100
-Subject: KVM: arm/arm64: Don't reschedule in unmap_stage2_range()
-
-From: Will Deacon
-
-Upstream commits fdfe7cbd5880 ("KVM: Pass MMU notifier range flags to
-kvm_unmap_hva_range()") and b5331379bc62 ("KVM: arm64: Only reschedule
-if MMU_NOTIFIER_RANGE_BLOCKABLE is not set") fix a "sleeping from invalid
-context" BUG caused by unmap_stage2_range() attempting to reschedule when
-called on the OOM path.
-
-Unfortunately, these patches rely on the MMU notifier callback being
-passed knowledge about whether or not blocking is permitted, which was
-introduced in 4.19. Rather than backport this considerable amount of
-infrastructure just for KVM on arm, instead just remove the conditional
-reschedule.
-
-Cc: # v4.14 only
-Cc: Marc Zyngier
-Cc: Suzuki K Poulose
-Cc: James Morse
-Signed-off-by: Will Deacon
-Acked-by: Marc Zyngier
-Signed-off-by: Greg Kroah-Hartman
----
- virt/kvm/arm/mmu.c | 6 ------
- 1 file changed, 6 deletions(-)
-
-diff --git a/virt/kvm/arm/mmu.c b/virt/kvm/arm/mmu.c
-index 3814cdad643a5..7fe673248e984 100644
---- a/virt/kvm/arm/mmu.c
-+++ b/virt/kvm/arm/mmu.c
-@@ -307,12 +307,6 @@ static void unmap_stage2_range(struct kvm *kvm, phys_addr_t start, u64 size)
- next = stage2_pgd_addr_end(addr, end);
- if (!stage2_pgd_none(*pgd))
- unmap_stage2_puds(kvm, pgd, addr, next);
-- /*
-- * If the range is too large, release the kvm->mmu_lock
-- * to prevent starvation and lockup detector warnings.
-- */
-- if (next != end)
-- cond_resched_lock(&kvm->mmu_lock);
- } while (pgd++, addr = next, addr != end);
- }
-
---
-2.25.1
-
diff --git a/queue-4.14/locking-lockdep-fix-overflow-in-presentation-of-aver.patch b/queue-4.14/locking-lockdep-fix-overflow-in-presentation-of-aver.patch
index 1d69de86a07..7f8ff16b18f 100644
--- a/queue-4.14/locking-lockdep-fix-overflow-in-presentation-of-aver.patch
+++ b/queue-4.14/locking-lockdep-fix-overflow-in-presentation-of-aver.patch
@@ -1,4 +1,4 @@
-From 787158f092497f74c28b77956405f940a19de0f2 Mon Sep 17 00:00:00 2001
+From 9626f7ab2ff329adb19c31480e15e5294d2d83ab Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Sat, 25 Jul 2020 19:51:10 +0100
 Subject: locking/lockdep: Fix overflow in presentation of average lock-time
diff --git a/queue-4.14/m68knommu-fix-overwriting-of-bits-in-coldfire-v3-cac.patch b/queue-4.14/m68knommu-fix-overwriting-of-bits-in-coldfire-v3-cac.patch
deleted file mode 100644
index d2ec8112b32..00000000000
--- a/queue-4.14/m68knommu-fix-overwriting-of-bits-in-coldfire-v3-cac.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From dadd1be105bd1393b7e8f3bf9579b20329b88991 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Sat, 13 Jun 2020 17:17:52 +1000
-Subject: m68knommu: fix overwriting of bits in ColdFire V3 cache control
-
-From: Greg Ungerer
-
-[ Upstream commit bdee0e793cea10c516ff48bf3ebb4ef1820a116b ]
-
-The Cache Control Register (CACR) of the ColdFire V3 has bits that
-control high level caching functions, and also enable/disable the use
-of the alternate stack pointer register (the EUSP bit) to provide
-separate supervisor and user stack pointer registers. The code as
-it is today will blindly clear the EUSP bit on cache actions like
-invalidation. So it is broken for this case - and that will result
-in failed booting (interrupt entry and exit processing will be
-completely hosed).
-
-This only affects ColdFire V3 parts that support the alternate stack
-register (like the 5329 for example) - generally speaking new parts do,
-older parts don't. It has no impact on ColdFire V3 parts with the single
-stack pointer, like the 5307 for example.
-
-Fix the cache bit defines used, so they maintain the EUSP bit when
-carrying out cache actions through the CACR register.
-
-Signed-off-by: Greg Ungerer
-Signed-off-by: Sasha Levin
----
- arch/m68k/include/asm/m53xxacr.h | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/arch/m68k/include/asm/m53xxacr.h b/arch/m68k/include/asm/m53xxacr.h
-index 9138a624c5c81..692f90e7fecc1 100644
---- a/arch/m68k/include/asm/m53xxacr.h
-+++ b/arch/m68k/include/asm/m53xxacr.h
-@@ -89,9 +89,9 @@
- * coherency though in all cases. And for copyback caches we will need
- * to push cached data as well.
- */
--#define CACHE_INIT CACR_CINVA
--#define CACHE_INVALIDATE CACR_CINVA
--#define CACHE_INVALIDATED CACR_CINVA
-+#define CACHE_INIT (CACHE_MODE + CACR_CINVA - CACR_EC)
-+#define CACHE_INVALIDATE (CACHE_MODE + CACR_CINVA)
-+#define CACHE_INVALIDATED (CACHE_MODE + CACR_CINVA)
-
- #define ACR0_MODE ((CONFIG_RAMBASE & 0xff000000) + \
- (0x000f0000) + \
---
-2.25.1
-
diff --git a/queue-4.14/media-budget-core-improve-exception-handling-in-budg.patch b/queue-4.14/media-budget-core-improve-exception-handling-in-budg.patch
deleted file mode 100644
index 682960a4cb6..00000000000
--- a/queue-4.14/media-budget-core-improve-exception-handling-in-budg.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From befd30d3e97e880fff30fe9a702b2795fb9624ac Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Fri, 5 Jun 2020 18:17:28 +0200
-Subject: media: budget-core: Improve exception handling in budget_register()
-
-From: Chuhong Yuan
-
-[ Upstream commit fc0456458df8b3421dba2a5508cd817fbc20ea71 ]
-
-budget_register() has no error handling after its failure.
-Add the missed undo functions for error handling to fix it.
-
-Signed-off-by: Chuhong Yuan
-Signed-off-by: Sean Young
-Signed-off-by: Mauro Carvalho Chehab
-Signed-off-by: Sasha Levin
----
- drivers/media/pci/ttpci/budget-core.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/media/pci/ttpci/budget-core.c b/drivers/media/pci/ttpci/budget-core.c
-index 97499b2af7144..20524376b83be 100644
---- a/drivers/media/pci/ttpci/budget-core.c
-+++ b/drivers/media/pci/ttpci/budget-core.c
-@@ -383,20 +383,25 @@ static int budget_register(struct budget *budget)
- ret = dvbdemux->dmx.add_frontend(&dvbdemux->dmx, &budget->hw_frontend);
-
- if (ret < 0)
-- return ret;
-+ goto err_release_dmx;
-
- budget->mem_frontend.source = DMX_MEMORY_FE;
- ret = dvbdemux->dmx.add_frontend(&dvbdemux->dmx, &budget->mem_frontend);
- if (ret < 0)
-- return ret;
-+ goto err_release_dmx;
-
- ret = dvbdemux->dmx.connect_frontend(&dvbdemux->dmx, &budget->hw_frontend);
- if (ret < 0)
-- return ret;
-+ goto err_release_dmx;
-
- dvb_net_init(&budget->dvb_adapter, &budget->dvb_net, &dvbdemux->dmx);
-
- return 0;
-+
-+err_release_dmx:
-+ dvb_dmxdev_release(&budget->dmxdev);
-+ dvb_dmx_release(&budget->demux);
-+ return ret;
- }
-
- static void budget_unregister(struct budget *budget)
---
-2.25.1
-
diff --git a/queue-4.14/media-pci-ttpci-av7110-fix-possible-buffer-overflow-.patch b/queue-4.14/media-pci-ttpci-av7110-fix-possible-buffer-overflow-.patch
index 70816c787c1..b459da8aad5 100644
--- a/queue-4.14/media-pci-ttpci-av7110-fix-possible-buffer-overflow-.patch
+++ b/queue-4.14/media-pci-ttpci-av7110-fix-possible-buffer-overflow-.patch
@@ -1,4 +1,4 @@
-From c2f2be3fac55be24540bde4ba1b111c5cb9ebf37 Mon Sep 17 00:00:00 2001
+From 840dbbe85090e988b7de24c27bece49d0c3698a3 Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Sat, 30 May 2020 16:42:08 +0200
 Subject: media: pci: ttpci: av7110: fix possible buffer overflow caused by bad
diff --git a/queue-4.14/media-vpss-clean-up-resources-in-init.patch b/queue-4.14/media-vpss-clean-up-resources-in-init.patch
deleted file mode 100644
index 7a722596f81..00000000000
--- a/queue-4.14/media-vpss-clean-up-resources-in-init.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 76760ce137d0541788b5d15e946c6f0299ada6d9 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Fri, 10 Jul 2020 11:02:23 +0200
-Subject: media: vpss: clean up resources in init
-
-From: Evgeny Novikov
-
-[ Upstream commit 9c487b0b0ea7ff22127fe99a7f67657d8730ff94 ]
-
-If platform_driver_register() fails within vpss_init() resources are not
-cleaned up. The patch fixes this issue by introducing the corresponding
-error handling.
-
-Found by Linux Driver Verification project (linuxtesting.org).
-
-Signed-off-by: Evgeny Novikov
-Signed-off-by: Hans Verkuil
-Signed-off-by: Mauro Carvalho Chehab
-Signed-off-by: Sasha Levin
----
- drivers/media/platform/davinci/vpss.c | 20 ++++++++++++++++----
- 1 file changed, 16 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/media/platform/davinci/vpss.c b/drivers/media/platform/davinci/vpss.c
-index 2ee4cd9e6d80f..d984f45c03149 100644
---- a/drivers/media/platform/davinci/vpss.c
-+++ b/drivers/media/platform/davinci/vpss.c
-@@ -514,19 +514,31 @@ static void vpss_exit(void)
-
- static int __init vpss_init(void)
- {
-+ int ret;
-+
- if (!request_mem_region(VPSS_CLK_CTRL, 4, "vpss_clock_control"))
- return -EBUSY;
-
- oper_cfg.vpss_regs_base2 = ioremap(VPSS_CLK_CTRL, 4);
- if (unlikely(!oper_cfg.vpss_regs_base2)) {
-- release_mem_region(VPSS_CLK_CTRL, 4);
-- return -ENOMEM;
-+ ret = -ENOMEM;
-+ goto err_ioremap;
- }
-
- writel(VPSS_CLK_CTRL_VENCCLKEN |
-- VPSS_CLK_CTRL_DACCLKEN, oper_cfg.vpss_regs_base2);
-+ VPSS_CLK_CTRL_DACCLKEN, oper_cfg.vpss_regs_base2);
-+
-+ ret = platform_driver_register(&vpss_driver);
-+ if (ret)
-+ goto err_pd_register;
-+
-+ return 0;
-
-- return platform_driver_register(&vpss_driver);
-+err_pd_register:
-+ iounmap(oper_cfg.vpss_regs_base2);
-+err_ioremap:
-+ release_mem_region(VPSS_CLK_CTRL, 4);
-+ return ret;
- }
- subsys_initcall(vpss_init);
- module_exit(vpss_exit);
---
-2.25.1
-
diff --git a/queue-4.14/mfd-intel-lpss-add-intel-emmitsburg-pch-pci-ids.patch b/queue-4.14/mfd-intel-lpss-add-intel-emmitsburg-pch-pci-ids.patch
index 5498cc4362f..f0703e08a1b 100644
--- a/queue-4.14/mfd-intel-lpss-add-intel-emmitsburg-pch-pci-ids.patch
+++ b/queue-4.14/mfd-intel-lpss-add-intel-emmitsburg-pch-pci-ids.patch
@@ -1,4 +1,4 @@
-From 732c3438960b0c5e24f4034ea1209725a0647055 Mon Sep 17 00:00:00 2001
+From e153b5cd6c37443ebc1270b38202a23a527cef10 Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Mon, 15 Jun 2020 19:10:32 +0300
 Subject: mfd: intel-lpss: Add Intel Emmitsburg PCH PCI IDs
diff --git a/queue-4.14/mips-vdso-fix-resource-leaks-in-genvdso.c.patch b/queue-4.14/mips-vdso-fix-resource-leaks-in-genvdso.c.patch
index 213e71ae8f8..e5a28d7a317 100644
--- a/queue-4.14/mips-vdso-fix-resource-leaks-in-genvdso.c.patch
+++ b/queue-4.14/mips-vdso-fix-resource-leaks-in-genvdso.c.patch
@@ -1,4 +1,4 @@
-From fe2626b53f42698b615f85e338255c3b9a85cc61 Mon Sep 17 00:00:00 2001
+From 34bf70bab490bcfc0d112ef8726e434a6ebb40e2 Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Tue, 14 Jul 2020 20:30:18 +0800
 Subject: mips/vdso: Fix resource leaks in genvdso.c
diff --git a/queue-4.14/mm-hugetlb-fix-calculation-of-adjust_range_if_pmd_sh.patch b/queue-4.14/mm-hugetlb-fix-calculation-of-adjust_range_if_pmd_sh.patch
deleted file mode 100644
index 48be0eca389..00000000000
--- a/queue-4.14/mm-hugetlb-fix-calculation-of-adjust_range_if_pmd_sh.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 03e6f33ef4c786b8d61fba32d97d62300e3d7c6a Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Thu, 6 Aug 2020 23:26:11 -0700
-Subject: mm/hugetlb: fix calculation of adjust_range_if_pmd_sharing_possible
-
-From: Peter Xu
-
-commit 75802ca66354a39ab8e35822747cd08b3384a99a upstream.
-
-This is found by code observation only.
-
-Firstly, the worst case scenario should assume the whole range was covered
-by pmd sharing. The old algorithm might not work as expected for ranges
-like (1g-2m, 1g+2m), where the adjusted range should be (0, 1g+2m) but the
-expected range should be (0, 2g).
-
-Since at it, remove the loop since it should not be required. With that,
-the new code should be faster too when the invalidating range is huge.
-
-Mike said:
-
-: With range (1g-2m, 1g+2m) within a vma (0, 2g) the existing code will only
-: adjust to (0, 1g+2m) which is incorrect.
-:
-: We should cc stable. The original reason for adjusting the range was to
-: prevent data corruption (getting wrong page). Since the range is not
-: always adjusted correctly, the potential for corruption still exists.
-:
-: However, I am fairly confident that adjust_range_if_pmd_sharing_possible
-: is only gong to be called in two cases:
-:
-: 1) for a single page
-: 2) for range == entire vma
-:
-: In those cases, the current code should produce the correct results.
-:
-: To be safe, let's just cc stable.
-
-Fixes: 017b1660df89 ("mm: migration: fix migration of huge PMD shared pages")
-Signed-off-by: Peter Xu
-Signed-off-by: Andrew Morton
-Reviewed-by: Mike Kravetz
-Cc: Andrea Arcangeli
-Cc: Matthew Wilcox
-Cc:
-Link: http://lkml.kernel.org/r/20200730201636.74778-1-peterx@redhat.com
-Signed-off-by: Linus Torvalds
-Signed-off-by: Mike Kravetz
-Signed-off-by: Greg Kroah-Hartman
----
- mm/hugetlb.c | 24 ++++++++++--------------
- 1 file changed, 10 insertions(+), 14 deletions(-)
-
-diff --git a/mm/hugetlb.c b/mm/hugetlb.c
-index d6464045d3b97..194125cf2d2b9 100644
---- a/mm/hugetlb.c
-+++ b/mm/hugetlb.c
-@@ -4575,25 +4575,21 @@ static bool vma_shareable(struct vm_area_struct *vma, unsigned long addr)
- void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma,
- unsigned long *start, unsigned long *end)
- {
-- unsigned long check_addr = *start;
-+ unsigned long a_start, a_end;
-
- if (!(vma->vm_flags & VM_MAYSHARE))
- return;
-
-- for (check_addr = *start; check_addr < *end; check_addr += PUD_SIZE) {
-- unsigned long a_start = check_addr & PUD_MASK;
-- unsigned long a_end = a_start + PUD_SIZE;
-+ /* Extend the range to be PUD aligned for a worst case scenario */
-+ a_start = ALIGN_DOWN(*start, PUD_SIZE);
-+ a_end = ALIGN(*end, PUD_SIZE);
-
-- /*
-- * If sharing is possible, adjust start/end if necessary.
-- */
-- if (range_in_vma(vma, a_start, a_end)) {
-- if (a_start < *start)
-- *start = a_start;
-- if (a_end > *end)
-- *end = a_end;
-- }
-- }
-+ /*
-+ * Intersect the range with the vma range, since pmd sharing won't be
-+ * across vma after all
-+ */
-+ *start = max(vma->vm_start, a_start);
-+ *end = min(vma->vm_end, a_end);
- }
-
- /*
---
-2.25.1
-
diff --git a/queue-4.14/mm-include-cma-pages-in-lowmem_reserve-at-boot.patch b/queue-4.14/mm-include-cma-pages-in-lowmem_reserve-at-boot.patch
deleted file mode 100644
index d4e0ae26f0a..00000000000
--- a/queue-4.14/mm-include-cma-pages-in-lowmem_reserve-at-boot.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From ccc38c6201fe825caf53194eff4cee570526250c Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Thu, 20 Aug 2020 17:42:24 -0700
-Subject: mm: include CMA pages in lowmem_reserve at boot
-
-From: Doug Berger
-
-commit e08d3fdfe2dafa0331843f70ce1ff6c1c4900bf4 upstream.
-
-The lowmem_reserve arrays provide a means of applying pressure against
-allocations from lower zones that were targeted at higher zones. Its
-values are a function of the number of pages managed by higher zones and
-are assigned by a call to the setup_per_zone_lowmem_reserve() function.
-
-The function is initially called at boot time by the function
-init_per_zone_wmark_min() and may be called later by accesses of the
-/proc/sys/vm/lowmem_reserve_ratio sysctl file.
-
-The function init_per_zone_wmark_min() was moved up from a module_init to
-a core_initcall to resolve a sequencing issue with khugepaged.
-Unfortunately this created a sequencing issue with CMA page accounting.
-
-The CMA pages are added to the managed page count of a zone when
-cma_init_reserved_areas() is called at boot also as a core_initcall. This
-makes it uncertain whether the CMA pages will be added to the managed page
-counts of their zones before or after the call to
-init_per_zone_wmark_min() as it becomes dependent on link order. With the
-current link order the pages are added to the managed count after the
-lowmem_reserve arrays are initialized at boot.
-
-This means the lowmem_reserve values at boot may be lower than the values
-used later if /proc/sys/vm/lowmem_reserve_ratio is accessed even if the
-ratio values are unchanged.
-
-In many cases the difference is not significant, but for example
-an ARM platform with 1GB of memory and the following memory layout
-
- cma: Reserved 256 MiB at 0x0000000030000000
- Zone ranges:
- DMA [mem 0x0000000000000000-0x000000002fffffff]
- Normal empty
- HighMem [mem 0x0000000030000000-0x000000003fffffff]
-
-would result in 0 lowmem_reserve for the DMA zone. This would allow
-userspace to deplete the DMA zone easily.
-
-Funnily enough
-
- $ cat /proc/sys/vm/lowmem_reserve_ratio
-
-would fix up the situation because as a side effect it forces
-setup_per_zone_lowmem_reserve.
-
-This commit breaks the link order dependency by invoking
-init_per_zone_wmark_min() as a postcore_initcall so that the CMA pages
-have the chance to be properly accounted in their zone(s) and allowing
-the lowmem_reserve arrays to receive consistent values.
-
-Fixes: bc22af74f271 ("mm: update min_free_kbytes from khugepaged after core initialization")
-Signed-off-by: Doug Berger
-Signed-off-by: Andrew Morton
-Acked-by: Michal Hocko
-Cc: Jason Baron
-Cc: David Rientjes
-Cc: "Kirill A. Shutemov"
-Cc:
-Link: http://lkml.kernel.org/r/1597423766-27849-1-git-send-email-opendmb@gmail.com
-Signed-off-by: Linus Torvalds
-Signed-off-by: Greg Kroah-Hartman
----
- mm/page_alloc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/mm/page_alloc.c b/mm/page_alloc.c
-index e992afe3a58e9..46ded8d77fb30 100644
---- a/mm/page_alloc.c
-+++ b/mm/page_alloc.c
-@@ -7018,7 +7018,7 @@ int __meminit init_per_zone_wmark_min(void)
-
- return 0;
- }
--core_initcall(init_per_zone_wmark_min)
-+postcore_initcall(init_per_zone_wmark_min)
-
- /*
- * min_free_kbytes_sysctl_handler - just a wrapper around proc_dointvec() so
---
-2.25.1
-
diff --git a/queue-4.14/mm-page_alloc-fix-core-hung-in-free_pcppages_bulk.patch b/queue-4.14/mm-page_alloc-fix-core-hung-in-free_pcppages_bulk.patch
deleted file mode 100644
index ef993f3617e..00000000000
--- a/queue-4.14/mm-page_alloc-fix-core-hung-in-free_pcppages_bulk.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From 7749eb87a9c186c195a4ad952fda1c54c99a4da4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Thu, 20 Aug 2020 17:42:27 -0700
-Subject: mm, page_alloc: fix core hung in free_pcppages_bulk()
-
-From: Charan Teja Reddy
-
-commit 88e8ac11d2ea3acc003cf01bb5a38c8aa76c3cfd upstream.
-
-The following race is observed with the repeated online, offline and a
-delay between two successive online of memory blocks of movable zone.
-
-P1 P2
-
-Online the first memory block in
-the movable zone. The pcp struct
-values are initialized to default
-values,i.e., pcp->high = 0 &
-pcp->batch = 1.
-
- Allocate the pages from the
- movable zone.
-
-Try to Online the second memory
-block in the movable zone thus it
-entered the online_pages() but yet
-to call zone_pcp_update().
- This process is entered into
- the exit path thus it tries
- to release the order-0 pages
- to pcp lists through
- free_unref_page_commit().
- As pcp->high = 0, pcp->count = 1
- proceed to call the function
- free_pcppages_bulk().
-Update the pcp values thus the
-new pcp values are like, say,
-pcp->high = 378, pcp->batch = 63.
- Read the pcp's batch value using
- READ_ONCE() and pass the same to
- free_pcppages_bulk(), pcp values
- passed here are, batch = 63,
- count = 1.
-
- Since num of pages in the pcp
- lists are less than ->batch,
- then it will stuck in
- while(list_empty(list)) loop
- with interrupts disabled thus
- a core hung.
-
-Avoid this by ensuring free_pcppages_bulk() is called with proper count of
-pcp list pages.
-
-The mentioned race is some what easily reproducible without [1] because
-pcp's are not updated for the first memory block online and thus there is
-a enough race window for P2 between alloc+free and pcp struct values
-update through onlining of second memory block.
-
-With [1], the race still exists but it is very narrow as we update the pcp
-struct values for the first memory block online itself.
-
-This is not limited to the movable zone, it could also happen in cases
-with the normal zone (e.g., hotplug to a node that only has DMA memory, or
-no other memory yet).
-
-[1]: https://patchwork.kernel.org/patch/11696389/
-
-Fixes: 5f8dcc21211a ("page-allocator: split per-cpu list into one-list-per-migrate-type")
-Signed-off-by: Charan Teja Reddy
-Signed-off-by: Andrew Morton
-Acked-by: David Hildenbrand
-Acked-by: David Rientjes
-Acked-by: Michal Hocko
-Cc: Michal Hocko
-Cc: Vlastimil Babka
-Cc: Vinayak Menon
-Cc: [2.6+]
-Link: http://lkml.kernel.org/r/1597150703-19003-1-git-send-email-charante@codeaurora.org
-Signed-off-by: Linus Torvalds
-Signed-off-by: Greg Kroah-Hartman
----
- mm/page_alloc.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/mm/page_alloc.c b/mm/page_alloc.c
-index 46ded8d77fb30..a3958b4fec6cb 100644
---- a/mm/page_alloc.c
-+++ b/mm/page_alloc.c
-@@ -1114,6 +1114,11 @@ static void free_pcppages_bulk(struct zone *zone, int count,
- spin_lock(&zone->lock);
- isolated_pageblocks = has_isolate_pageblock(zone);
-
-+ /*
-+ * Ensure proper count is passed which otherwise would stuck in the
-+ * below while (list_empty(list)) loop.
-+ */
-+ count = min(pcp->count, count);
- while (count) {
- struct page *page;
- struct list_head *list;
---
-2.25.1
-
diff --git a/queue-4.14/net-dsa-b53-check-for-timeout.patch b/queue-4.14/net-dsa-b53-check-for-timeout.patch
deleted file mode 100644
index 3e17338588c..00000000000
--- a/queue-4.14/net-dsa-b53-check-for-timeout.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 0b244d751d551558a6a661a580a007c80799eff4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Fri, 21 Aug 2020 06:56:00 -0700
-Subject: net: dsa: b53: check for timeout
-
-From: Tom Rix
-
-[ Upstream commit 774d977abfd024e6f73484544b9abe5a5cd62de7 ]
-
-clang static analysis reports this problem
-
-b53_common.c:1583:13: warning: The left expression of the compound
- assignment is an uninitialized value. The computed value will
- also be garbage
- ent.port &= ~BIT(port);
- ~~~~~~~~ ^
-
-ent is set by a successful call to b53_arl_read(). Unsuccessful
-calls are caught by an switch statement handling specific returns.
-b32_arl_read() calls b53_arl_op_wait() which fails with the
-unhandled -ETIMEDOUT.
-
-So add -ETIMEDOUT to the switch statement. Because
-b53_arl_op_wait() already prints out a message, do not add another
-one.
-
-Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
-Signed-off-by: Tom Rix
-Acked-by: Florian Fainelli
-Signed-off-by: David S. Miller
-Signed-off-by: Sasha Levin
----
- drivers/net/dsa/b53/b53_common.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
-index 274d369151107..5c3fa0be8844e 100644
---- a/drivers/net/dsa/b53/b53_common.c
-+++ b/drivers/net/dsa/b53/b53_common.c
-@@ -1160,6 +1160,8 @@ static int b53_arl_op(struct b53_device *dev, int op, int port,
- return ret;
-
- switch (ret) {
-+ case -ETIMEDOUT:
-+ return ret;
- case -ENOSPC:
- dev_dbg(dev->dev, "{%pM,%.4d} no space left in ARL\n",
- addr, vid);
---
-2.25.1
-
diff --git a/queue-4.14/net-fec-correct-the-error-path-for-regulator-disable.patch b/queue-4.14/net-fec-correct-the-error-path-for-regulator-disable.patch
deleted file mode 100644
index 7fb0ebe131f..00000000000
--- a/queue-4.14/net-fec-correct-the-error-path-for-regulator-disable.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From cc85813c51965cc79b1d19dc292d5bb530679d33 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Thu, 13 Aug 2020 15:13:14 +0800
-Subject: net: fec: correct the error path for regulator disable in probe
-
-From: Fugang Duan
-
-[ Upstream commit c6165cf0dbb82ded90163dce3ac183fc7a913dc4 ]
-
-Correct the error path for regulator disable.
-
-Fixes: 9269e5560b26 ("net: fec: add phy-reset-gpios PROBE_DEFER check")
-Signed-off-by: Fugang Duan
-Signed-off-by: David S. Miller
-Signed-off-by: Sasha Levin
----
- drivers/net/ethernet/freescale/fec_main.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
-index 8ba915cc4c2e4..22f964ef859e5 100644
---- a/drivers/net/ethernet/freescale/fec_main.c
-+++ b/drivers/net/ethernet/freescale/fec_main.c
-@@ -3536,11 +3536,11 @@ failed_mii_init:
- failed_irq:
- failed_init:
- fec_ptp_stop(pdev);
-- if (fep->reg_phy)
-- regulator_disable(fep->reg_phy);
- failed_reset:
- pm_runtime_put_noidle(&pdev->dev);
- pm_runtime_disable(&pdev->dev);
-+ if (fep->reg_phy)
-+ regulator_disable(fep->reg_phy);
- failed_regulator:
- clk_disable_unprepare(fep->clk_ahb);
- failed_clk_ahb:
---
-2.25.1
-
diff --git a/queue-4.14/omapfb-fix-multiple-reference-count-leaks-due-to-pm_.patch b/queue-4.14/omapfb-fix-multiple-reference-count-leaks-due-to-pm_.patch
index a98f4e72b43..9155ef96354 100644
--- a/queue-4.14/omapfb-fix-multiple-reference-count-leaks-due-to-pm_.patch
+++ b/queue-4.14/omapfb-fix-multiple-reference-count-leaks-due-to-pm_.patch
@@ -1,4 +1,4 @@
-From d151614033086a20e79aac5d7b8b881962daacee Mon Sep 17 00:00:00 2001
+From ee7179adc652a6bb00c6687842ef0236f0eccbf5 Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Sat, 13 Jun 2020 22:05:18 -0500
 Subject: omapfb: fix multiple reference count leaks due to pm_runtime_get_sync
diff --git a/queue-4.14/pci-fix-pci_create_slot-reference-count-leak.patch b/queue-4.14/pci-fix-pci_create_slot-reference-count-leak.patch index b701359d4a7..1cda9ac3e42 100644 --- a/queue-4.14/pci-fix-pci_create_slot-reference-count-leak.patch +++ b/queue-4.14/pci-fix-pci_create_slot-reference-count-leak.patch @@ -1,4 +1,4 @@ -From 54974c683578c560058affd4458b2506fa88790c Mon Sep 17 00:00:00 2001 +From aacfd61c13c25c9473e5814a654cefa765c7933b Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Wed, 27 May 2020 21:13:22 -0500 Subject: PCI: Fix pci_create_slot() reference count leak @@ -28,7 +28,7 @@ diff --git a/drivers/pci/slot.c b/drivers/pci/slot.c index e42909524deed..379925fc49d4e 100644 --- a/drivers/pci/slot.c +++ b/drivers/pci/slot.c -@@ -303,13 +303,16 @@ placeholder: +@@ -303,13 +303,16 @@ struct pci_slot *pci_create_slot(struct pci_bus *parent, int slot_nr, slot_name = make_slot_name(name); if (!slot_name) { err = -ENOMEM; @@ -46,7 +46,7 @@ index e42909524deed..379925fc49d4e 100644 INIT_LIST_HEAD(&slot->list); list_add(&slot->list, &parent->slots); -@@ -328,7 +331,6 @@ out: +@@ -328,7 +331,6 @@ struct pci_slot *pci_create_slot(struct pci_bus *parent, int slot_nr, mutex_unlock(&pci_slot_mutex); return slot; err: diff --git a/queue-4.14/perf-probe-fix-memory-leakage-when-the-probe-point-i.patch b/queue-4.14/perf-probe-fix-memory-leakage-when-the-probe-point-i.patch deleted file mode 100644 index f4ca7a2ecc7..00000000000 --- a/queue-4.14/perf-probe-fix-memory-leakage-when-the-probe-point-i.patch +++ /dev/null 
@@ -1,52 +0,0 @@
-From 63f0d1dd7abc9ce105bb186d47cf86e9def18ff6 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Fri, 10 Jul 2020 22:11:23 +0900
-Subject: perf probe: Fix memory leakage when the probe point is not found
-
-From: Masami Hiramatsu
-
-[ Upstream commit 12d572e785b15bc764e956caaa8a4c846fd15694 ]
-
-Fix the memory leakage in debuginfo__find_trace_events() when the probe
-point is not found in the debuginfo. If there is no probe point found in
-the debuginfo, debuginfo__find_probes() will NOT return -ENOENT, but 0.
-
-Thus the caller of debuginfo__find_probes() must check the tf.ntevs and
-release the allocated memory for the array of struct probe_trace_event.
-
-The current code releases the memory only if the debuginfo__find_probes()
-hits an error but not checks tf.ntevs. In the result, the memory allocated
-on *tevs are not released if tf.ntevs == 0.
-
-This fixes the memory leakage by checking tf.ntevs == 0 in addition to
-ret < 0.
-
-Fixes: ff741783506c ("perf probe: Introduce debuginfo to encapsulate dwarf information")
-Signed-off-by: Masami Hiramatsu
-Reviewed-by: Srikar Dronamraju
-Cc: Andi Kleen
-Cc: Oleg Nesterov
-Cc: stable@vger.kernel.org
-Link: http://lore.kernel.org/lkml/159438668346.62703.10887420400718492503.stgit@devnote2
-Signed-off-by: Arnaldo Carvalho de Melo
-Signed-off-by: Sasha Levin
----
- tools/perf/util/probe-finder.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c
-index 8f7f9d05f38c0..bfa6d9d215569 100644
---- a/tools/perf/util/probe-finder.c
-+++ b/tools/perf/util/probe-finder.c
-@@ -1354,7 +1354,7 @@ int debuginfo__find_trace_events(struct debuginfo *dbg,
- tf.ntevs = 0;
-
- ret = debuginfo__find_probes(dbg, &tf.pf);
-- if (ret < 0) {
-+ if (ret < 0 || tf.ntevs == 0) {
- for (i = 0; i < tf.ntevs; i++)
- clear_probe_trace_event(&tf.tevs[i]);
- zfree(tevs);
---
-2.25.1
-
diff --git a/queue-4.14/powerpc-allow-4224-bytes-of-stack-expansion-for-the-.patch b/queue-4.14/powerpc-allow-4224-bytes-of-stack-expansion-for-the-.patch
deleted file mode 100644
index dd7928baab1..00000000000
--- a/queue-4.14/powerpc-allow-4224-bytes-of-stack-expansion-for-the-.patch
+++ /dev/null
@@ -1,188 +0,0 @@
-From d9ccf72df055806a6885146df3bf53c88b0b9a15 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Fri, 24 Jul 2020 19:25:25 +1000
-Subject: powerpc: Allow 4224 bytes of stack expansion for the signal frame
-
-From: Michael Ellerman
-
-[ Upstream commit 63dee5df43a31f3844efabc58972f0a206ca4534 ]
-
-We have powerpc specific logic in our page fault handling to decide if
-an access to an unmapped address below the stack pointer should expand
-the stack VMA.
-
-The code was originally added in 2004 "ported from 2.4". The rough
-logic is that the stack is allowed to grow to 1MB with no extra
-checking. Over 1MB the access must be within 2048 bytes of the stack
-pointer, or be from a user instruction that updates the stack pointer.
-
-The 2048 byte allowance below the stack pointer is there to cover the
-288 byte "red zone" as well as the "about 1.5kB" needed by the signal
-delivery code.
-
-Unfortunately since then the signal frame has expanded, and is now
-4224 bytes on 64-bit kernels with transactional memory enabled. This
-means if a process has consumed more than 1MB of stack, and its stack
-pointer lies less than 4224 bytes from the next page boundary, signal
-delivery will fault when trying to expand the stack and the process
-will see a SEGV.
-
-The total size of the signal frame is the size of struct rt_sigframe
-(which includes the red zone) plus __SIGNAL_FRAMESIZE (128 bytes on
-64-bit).
-
-The 2048 byte allowance was correct until 2008 as the signal frame
-was:
-
-struct rt_sigframe {
- struct ucontext uc; /* 0 1440 */
- /* --- cacheline 11 boundary (1408 bytes) was 32 bytes ago --- */
- long unsigned int _unused[2]; /* 1440 16 */
- unsigned int tramp[6]; /* 1456 24 */
- struct siginfo * pinfo; /* 1480 8 */
- void * puc; /* 1488 8 */
- struct siginfo info; /* 1496 128 */
- /* --- cacheline 12 boundary (1536 bytes) was 88 bytes ago --- */
- char abigap[288]; /* 1624 288 */
-
- /* size: 1920, cachelines: 15, members: 7 */
- /* padding: 8 */
-};
-
-1920 + 128 = 2048
-
-Then in commit ce48b2100785 ("powerpc: Add VSX context save/restore,
-ptrace and signal support") (Jul 2008) the signal frame expanded to
-2304 bytes:
-
-struct rt_sigframe {
- struct ucontext uc; /* 0 1696 */ <--
- /* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */
- long unsigned int _unused[2]; /* 1696 16 */
- unsigned int tramp[6]; /* 1712 24 */
- struct siginfo * pinfo; /* 1736 8 */
- void * puc; /* 1744 8 */
- struct siginfo info; /* 1752 128 */
- /* --- cacheline 14 boundary (1792 bytes) was 88 bytes ago --- */
- char abigap[288]; /* 1880 288 */
-
- /* size: 2176, cachelines: 17, members: 7 */
- /* padding: 8 */
-};
-
-2176 + 128 = 2304
-
-At this point we should have been exposed to the bug, though as far as
-I know it was never reported. I no longer have a system old enough to
-easily test on.
-
-Then in 2010 commit 320b2b8de126 ("mm: keep a guard page below a
-grow-down stack segment") caused our stack expansion code to never
-trigger, as there was always a VMA found for a write up to PAGE_SIZE
-below r1.
-
-That meant the bug was hidden as we continued to expand the signal
-frame in commit 2b0a576d15e0 ("powerpc: Add new transactional memory
-state to the signal context") (Feb 2013):
-
-struct rt_sigframe {
- struct ucontext uc; /* 0 1696 */
- /* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */
- struct ucontext uc_transact; /* 1696 1696 */ <--
- /* --- cacheline 26 boundary (3328 bytes) was 64 bytes ago --- */
- long unsigned int _unused[2]; /* 3392 16 */
- unsigned int tramp[6]; /* 3408 24 */
- struct siginfo * pinfo; /* 3432 8 */
- void * puc; /* 3440 8 */
- struct siginfo info; /* 3448 128 */
- /* --- cacheline 27 boundary (3456 bytes) was 120 bytes ago --- */
- char abigap[288]; /* 3576 288 */
-
- /* size: 3872, cachelines: 31, members: 8 */
- /* padding: 8 */
- /* last cacheline: 32 bytes */
-};
-
-3872 + 128 = 4000
-
-And commit 573ebfa6601f ("powerpc: Increase stack redzone for 64-bit
-userspace to 512 bytes") (Feb 2014):
-
-struct rt_sigframe {
- struct ucontext uc; /* 0 1696 */
- /* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */
- struct ucontext uc_transact; /* 1696 1696 */
- /* --- cacheline 26 boundary (3328 bytes) was 64 bytes ago --- */
- long unsigned int _unused[2]; /* 3392 16 */
- unsigned int tramp[6]; /* 3408 24 */
- struct siginfo * pinfo; /* 3432 8 */
- void * puc; /* 3440 8 */
- struct siginfo info; /* 3448 128 */
- /* --- cacheline 27 boundary (3456 bytes) was 120 bytes ago --- */
- char abigap[512]; /* 3576 512 */ <--
-
- /* size: 4096, cachelines: 32, members: 8 */
- /* padding: 8 */
-};
-
-4096 + 128 = 4224
-
-Then finally in 2017, commit 1be7107fbe18 ("mm: larger stack guard
-gap, between vmas") exposed us to the existing bug, because it changed
-the stack VMA to be the correct/real size, meaning our stack expansion
-code is now triggered.
-
-Fix it by increasing the allowance to 4224 bytes.
-
-Hard-coding 4224 is obviously unsafe against future expansions of the
-signal frame in the same way as the existing code. We can't easily use
-sizeof() because the signal frame structure is not in a header. We
-will either fix that, or rip out all the custom stack expansion
-checking logic entirely.
-
-Fixes: ce48b2100785 ("powerpc: Add VSX context save/restore, ptrace and signal support")
-Cc: stable@vger.kernel.org # v2.6.27+
-Reported-by: Tom Lane
-Tested-by: Daniel Axtens
-Signed-off-by: Michael Ellerman
-Link: https://lore.kernel.org/r/20200724092528.1578671-2-mpe@ellerman.id.au
-Signed-off-by: Sasha Levin
----
- arch/powerpc/mm/fault.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
-index 998c77e600a43..ebe97e5500ee5 100644
---- a/arch/powerpc/mm/fault.c
-+++ b/arch/powerpc/mm/fault.c
-@@ -224,6 +224,9 @@ static bool bad_kernel_fault(bool is_exec, unsigned long error_code,
- return is_exec || (address >= TASK_SIZE);
- }
-
-+// This comes from 64-bit struct rt_sigframe + __SIGNAL_FRAMESIZE
-+#define SIGFRAME_MAX_SIZE (4096 + 128)
-+
- static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address,
- struct vm_area_struct *vma, unsigned int flags,
- bool *must_retry)
-@@ -231,7 +234,7 @@ static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address,
- /*
- * N.B. The POWER/Open ABI allows programs to access up to
- * 288 bytes below the stack pointer.
-- * The kernel signal delivery code writes up to about 1.5kB
-+ * The kernel signal delivery code writes a bit over 4KB
- * below the stack pointer (r1) before decrementing it.
- * The exec code can write slightly over 640kB to the stack
- * before setting the user r1. Thus we allow the stack to
-@@ -256,7 +259,7 @@ static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address,
- * between the last mapped region and the stack will
- * expand the stack rather than segfaulting.
- */
-- if (address + 2048 >= uregs->gpr[1])
-+ if (address + SIGFRAME_MAX_SIZE >= uregs->gpr[1])
- return false;
-
- if ((flags & FAULT_FLAG_WRITE) && (flags & FAULT_FLAG_USER) &&
---
-2.25.1
-
diff --git a/queue-4.14/powerpc-mm-only-read-faulting-instruction-when-neces.patch b/queue-4.14/powerpc-mm-only-read-faulting-instruction-when-neces.patch
deleted file mode 100644
index d121e8903e3..00000000000
--- a/queue-4.14/powerpc-mm-only-read-faulting-instruction-when-neces.patch
+++ /dev/null
@@ -1,180 +0,0 @@ -From 97bc69821cb47fedda5ad696f9df2e1677284a26 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 23 May 2018 10:53:22 +0200 -Subject: powerpc/mm: Only read faulting instruction when necessary in - do_page_fault() - -From: Christophe Leroy - -[ Upstream commit 0e36b0d12501e278686634712975b785bae11641 ] - -Commit a7a9dcd882a67 ("powerpc: Avoid taking a data miss on every -userspace instruction miss") has shown that limiting the read of -faulting instruction to likely cases improves performance. - -This patch goes further into this direction by limiting the read -of the faulting instruction to the only cases where it is likely -needed. - -On an MPC885, with the same benchmark app as in the commit referred -above, we see a reduction of about 3900 dTLB misses (approx 3%): - -Before the patch: - Performance counter stats for './fault 500' (10 runs): - - 683033312 cpu-cycles ( +- 0.03% ) - 134538 dTLB-load-misses ( +- 0.03% ) - 46099 iTLB-load-misses ( +- 0.02% ) - 19681 faults ( +- 0.02% ) - - 5.389747878 seconds time elapsed ( +- 0.06% ) - -With the patch: - - Performance counter stats for './fault 500' (10 runs): - - 682112862 cpu-cycles ( +- 0.03% ) - 130619 dTLB-load-misses ( +- 0.03% ) - 46073 iTLB-load-misses ( +- 0.05% ) - 19681 faults ( +- 0.01% ) - - 5.381342641 seconds time elapsed ( +- 0.07% ) - -The proper work of the huge stack expansion was tested with the -following app: - -int main(int argc, char **argv) -{ - char buf[1024 * 1025]; - - sprintf(buf, "Hello world !\n"); - printf(buf); - - exit(0); -} - -Signed-off-by: Christophe Leroy -Reviewed-by: Nicholas Piggin -[mpe: Add include of pagemap.h to fix build errors] -Signed-off-by: Michael Ellerman -Signed-off-by: Sasha Levin ---- - arch/powerpc/mm/fault.c | 50 ++++++++++++++++++++++++++++------------- - 1 file changed, 34 insertions(+), 16 deletions(-) - -diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c -index 5fc8a010fdf07..998c77e600a43 100644 ---- 
a/arch/powerpc/mm/fault.c -+++ b/arch/powerpc/mm/fault.c -@@ -22,6 +22,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -66,15 +67,11 @@ static inline bool notify_page_fault(struct pt_regs *regs) - } - - /* -- * Check whether the instruction at regs->nip is a store using -+ * Check whether the instruction inst is a store using - * an update addressing form which will update r1. - */ --static bool store_updates_sp(struct pt_regs *regs) -+static bool store_updates_sp(unsigned int inst) - { -- unsigned int inst; -- -- if (get_user(inst, (unsigned int __user *)regs->nip)) -- return false; - /* check for 1 in the rA field */ - if (((inst >> 16) & 0x1f) != 1) - return false; -@@ -228,8 +225,8 @@ static bool bad_kernel_fault(bool is_exec, unsigned long error_code, - } - - static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address, -- struct vm_area_struct *vma, -- bool store_update_sp) -+ struct vm_area_struct *vma, unsigned int flags, -+ bool *must_retry) - { - /* - * N.B. The POWER/Open ABI allows programs to access up to -@@ -241,6 +238,7 @@ static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address, - * expand to 1MB without further checks. - */ - if (address + 0x100000 < vma->vm_end) { -+ unsigned int __user *nip = (unsigned int __user *)regs->nip; - /* get user regs even if this fault is in kernel mode */ - struct pt_regs *uregs = current->thread.regs; - if (uregs == NULL) -@@ -258,8 +256,22 @@ static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address, - * between the last mapped region and the stack will - * expand the stack rather than segfaulting. 
- */ -- if (address + 2048 < uregs->gpr[1] && !store_update_sp) -- return true; -+ if (address + 2048 >= uregs->gpr[1]) -+ return false; -+ -+ if ((flags & FAULT_FLAG_WRITE) && (flags & FAULT_FLAG_USER) && -+ access_ok(VERIFY_READ, nip, sizeof(*nip))) { -+ unsigned int inst; -+ int res; -+ -+ pagefault_disable(); -+ res = __get_user_inatomic(inst, nip); -+ pagefault_enable(); -+ if (!res) -+ return !store_updates_sp(inst); -+ *must_retry = true; -+ } -+ return true; - } - return false; - } -@@ -392,7 +404,7 @@ static int __do_page_fault(struct pt_regs *regs, unsigned long address, - int is_user = user_mode(regs); - int is_write = page_fault_is_write(error_code); - int fault, major = 0; -- bool store_update_sp = false; -+ bool must_retry = false; - - if (notify_page_fault(regs)) - return 0; -@@ -439,9 +451,6 @@ static int __do_page_fault(struct pt_regs *regs, unsigned long address, - * can result in fault, which will cause a deadlock when called with - * mmap_sem held - */ -- if (is_write && is_user) -- store_update_sp = store_updates_sp(regs); -- - if (is_user) - flags |= FAULT_FLAG_USER; - if (is_write) -@@ -488,8 +497,17 @@ retry: - return bad_area(regs, address); - - /* The stack is being expanded, check if it's valid */ -- if (unlikely(bad_stack_expansion(regs, address, vma, store_update_sp))) -- return bad_area(regs, address); -+ if (unlikely(bad_stack_expansion(regs, address, vma, flags, -+ &must_retry))) { -+ if (!must_retry) -+ return bad_area(regs, address); -+ -+ up_read(&mm->mmap_sem); -+ if (fault_in_pages_readable((const char __user *)regs->nip, -+ sizeof(unsigned int))) -+ return bad_area_nosemaphore(regs, address); -+ goto retry; -+ } - - /* Try to expand it */ - if (unlikely(expand_stack(vma, address))) --- -2.25.1 - diff --git a/queue-4.14/powerpc-pseries-do-not-initiate-shutdown-when-system.patch b/queue-4.14/powerpc-pseries-do-not-initiate-shutdown-when-system.patch deleted file mode 100644 index 3565a08719f..00000000000 
--- a/queue-4.14/powerpc-pseries-do-not-initiate-shutdown-when-system.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 1d416946e66a28c77f806baab4fd1a60b82f76e6 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Thu, 20 Aug 2020 11:48:44 +0530
-Subject: powerpc/pseries: Do not initiate shutdown when system is running on
- UPS
-
-From: Vasant Hegde
-
-commit 90a9b102eddf6a3f987d15f4454e26a2532c1c98 upstream.
-
-As per PAPR we have to look for both EPOW sensor value and event
-modifier to identify the type of event and take appropriate action.
-
-In LoPAPR v1.1 section 10.2.2 includes table 136 "EPOW Action Codes":
-
- SYSTEM_SHUTDOWN 3
-
- The system must be shut down. An EPOW-aware OS logs the EPOW error
- log information, then schedules the system to be shut down to begin
- after an OS defined delay internal (default is 10 minutes.)
-
-Then in section 10.3.2.2.8 there is table 146 "Platform Event Log
-Format, Version 6, EPOW Section", which includes the "EPOW Event
-Modifier":
-
- For EPOW sensor value = 3
- 0x01 = Normal system shutdown with no additional delay
- 0x02 = Loss of utility power, system is running on UPS/Battery
- 0x03 = Loss of system critical functions, system should be shutdown
- 0x04 = Ambient temperature too high
- All other values = reserved
-
-We have a user space tool (rtas_errd) on LPAR to monitor for
-EPOW_SHUTDOWN_ON_UPS. Once it gets an event it initiates shutdown
-after predefined time. It also starts monitoring for any new EPOW
-events. If it receives "Power restored" event before predefined time
-it will cancel the shutdown. Otherwise after predefined time it will
-shutdown the system.
-
-Commit 79872e35469b ("powerpc/pseries: All events of
-EPOW_SYSTEM_SHUTDOWN must initiate shutdown") changed our handling of
-the "on UPS/Battery" case, to immediately shutdown the system. This
-breaks existing setups that rely on the userspace tool to delay
-shutdown and let the system run on the UPS.
-
-Fixes: 79872e35469b ("powerpc/pseries: All events of EPOW_SYSTEM_SHUTDOWN must initiate shutdown")
-Cc: stable@vger.kernel.org # v4.0+
-Signed-off-by: Vasant Hegde
-[mpe: Massage change log and add PAPR references]
-Signed-off-by: Michael Ellerman
-Link: https://lore.kernel.org/r/20200820061844.306460-1-hegdevasant@linux.vnet.ibm.com
-Signed-off-by: Greg Kroah-Hartman
----
- arch/powerpc/platforms/pseries/ras.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/arch/powerpc/platforms/pseries/ras.c b/arch/powerpc/platforms/pseries/ras.c
-index 5ec935521204a..8d20d49b252a0 100644
---- a/arch/powerpc/platforms/pseries/ras.c
-+++ b/arch/powerpc/platforms/pseries/ras.c
-@@ -115,7 +115,6 @@ static void handle_system_shutdown(char event_modifier)
- case EPOW_SHUTDOWN_ON_UPS:
- pr_emerg("Loss of system power detected. System is running on"
- " UPS/battery. Check RTAS error log for details\n");
-- orderly_poweroff(true);
- break;
-
- case EPOW_SHUTDOWN_LOSS_OF_CRITICAL_FUNCTIONS:
---
-2.25.1
-
diff --git a/queue-4.14/powerpc-xive-ignore-kmemleak-false-positives.patch b/queue-4.14/powerpc-xive-ignore-kmemleak-false-positives.patch
index 5499ae92e2c..c9cfc407040 100644
--- a/queue-4.14/powerpc-xive-ignore-kmemleak-false-positives.patch
+++ b/queue-4.14/powerpc-xive-ignore-kmemleak-false-positives.patch
@@ -1,4 +1,4 @@
-From d5c37299d5921037fb0509ce39229684db512471 Mon Sep 17 00:00:00 2001
+From bc52b94c2119cdc4f74766e72e2df707aed71151 Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Fri, 12 Jun 2020 14:33:03 +1000
 Subject: powerpc/xive: Ignore kmemleak false positives
diff --git a/queue-4.14/romfs-fix-uninitialized-memory-leak-in-romfs_dev_rea.patch b/queue-4.14/romfs-fix-uninitialized-memory-leak-in-romfs_dev_rea.patch
deleted file mode 100644
index 0d11f81308b..00000000000
--- a/queue-4.14/romfs-fix-uninitialized-memory-leak-in-romfs_dev_rea.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From af364329998e3757517e7c5f01314b5ef61cd0c9 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Thu, 20 Aug 2020 17:42:11 -0700
-Subject: romfs: fix uninitialized memory leak in romfs_dev_read()
-
-From: Jann Horn
-
-commit bcf85fcedfdd17911982a3e3564fcfec7b01eebd upstream.
-
-romfs has a superblock field that limits the size of the filesystem; data
-beyond that limit is never accessed.
-
-romfs_dev_read() fetches a caller-supplied number of bytes from the
-backing device. It returns 0 on success or an error code on failure;
-therefore, its API can't represent short reads, it's all-or-nothing.
-
-However, when romfs_dev_read() detects that the requested operation would
-cross the filesystem size limit, it currently silently truncates the
-requested number of bytes. This e.g. means that when the content of a
-file with size 0x1000 starts one byte before the filesystem size limit,
-->readpage() will only fill a single byte of the supplied page while
-leaving the rest uninitialized, leaking that uninitialized memory to
-userspace.
-
-Fix it by returning an error code instead of truncating the read when the
-requested read operation would go beyond the end of the filesystem.
-
-Fixes: da4458bda237 ("NOMMU: Make it possible for RomFS to use MTD devices directly")
-Signed-off-by: Jann Horn
-Signed-off-by: Andrew Morton
-Reviewed-by: Greg Kroah-Hartman
-Cc: David Howells
-Cc:
-Link: http://lkml.kernel.org/r/20200818013202.2246365-1-jannh@google.com
-Signed-off-by: Linus Torvalds
-Signed-off-by: Greg Kroah-Hartman
----
- fs/romfs/storage.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/fs/romfs/storage.c b/fs/romfs/storage.c
-index f86f51f99aceb..1dcadd22b440d 100644
---- a/fs/romfs/storage.c
-+++ b/fs/romfs/storage.c
-@@ -221,10 +221,8 @@ int romfs_dev_read(struct super_block *sb, unsigned long pos,
- size_t limit;
-
- limit = romfs_maxsize(sb);
-- if (pos >= limit)
-+ if (pos >= limit || buflen > limit - pos)
- return -EIO;
-- if (buflen > limit - pos)
-- buflen = limit - pos;
-
- #ifdef CONFIG_ROMFS_ON_MTD
- if (sb->s_mtd)
---
-2.25.1
-
diff --git a/queue-4.14/rtc-goldfish-enable-interrupt-in-set_alarm-when-nece.patch b/queue-4.14/rtc-goldfish-enable-interrupt-in-set_alarm-when-nece.patch
deleted file mode 100644
index a017ed3ac7a..00000000000
--- a/queue-4.14/rtc-goldfish-enable-interrupt-in-set_alarm-when-nece.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From b193921e3d278603b0fd31f755a53e9a7cb82007 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Sat, 20 Jun 2020 20:04:43 +0800
-Subject: rtc: goldfish: Enable interrupt in set_alarm() when necessary
-
-From: Huacai Chen
-
-[ Upstream commit 22f8d5a1bf230cf8567a4121fc3789babb46336d ]
-
-When use goldfish rtc, the "hwclock" command fails with "select() to
-/dev/rtc to wait for clock tick timed out". This is because "hwclock"
-need the set_alarm() hook to enable interrupt when alrm->enabled is
-true. This operation is missing in goldfish rtc (but other rtc drivers,
-such as cmos rtc, enable interrupt here), so add it.
-
-Signed-off-by: Huacai Chen
-Signed-off-by: Jiaxun Yang
-Signed-off-by: Alexandre Belloni
-Link: https://lore.kernel.org/r/1592654683-31314-1-git-send-email-chenhc@lemote.com
-Signed-off-by: Sasha Levin
----
- drivers/rtc/rtc-goldfish.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/rtc/rtc-goldfish.c b/drivers/rtc/rtc-goldfish.c
-index a1c44d0c85578..30cbe22c57a8e 100644
---- a/drivers/rtc/rtc-goldfish.c
-+++ b/drivers/rtc/rtc-goldfish.c
-@@ -87,6 +87,7 @@ static int goldfish_rtc_set_alarm(struct device *dev,
- rtc_alarm64 = rtc_alarm * NSEC_PER_SEC;
- writel((rtc_alarm64 >> 32), base + TIMER_ALARM_HIGH);
- writel(rtc_alarm64, base + TIMER_ALARM_LOW);
-+ writel(1, base + TIMER_IRQ_ENABLED);
- } else {
- /*
- * if this function was called with enabled=0
---
-2.25.1
-
diff --git a/queue-4.14/rtlwifi-rtl8192cu-prevent-leaking-urb.patch b/queue-4.14/rtlwifi-rtl8192cu-prevent-leaking-urb.patch
index 44c59c1c722..6b56eaab282 100644
--- a/queue-4.14/rtlwifi-rtl8192cu-prevent-leaking-urb.patch
+++ b/queue-4.14/rtlwifi-rtl8192cu-prevent-leaking-urb.patch
@@ -1,4 +1,4 @@
-From 033e75da45598d82cea3f88a32e862d545fa7170 Mon Sep 17 00:00:00 2001
+From d339347a93bfd4d4625315466674bd5a8bd4f1b4 Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Mon, 22 Jun 2020 15:21:12 +0200
 Subject: rtlwifi: rtl8192cu: Prevent leaking urb
diff --git a/queue-4.14/scsi-fcoe-memory-leak-fix-in-fcoe_sysfs_fcf_del.patch b/queue-4.14/scsi-fcoe-memory-leak-fix-in-fcoe_sysfs_fcf_del.patch
index 09e9ffa6487..6ed7b25bf4b 100644
--- a/queue-4.14/scsi-fcoe-memory-leak-fix-in-fcoe_sysfs_fcf_del.patch
+++ b/queue-4.14/scsi-fcoe-memory-leak-fix-in-fcoe_sysfs_fcf_del.patch
@@ -1,4 +1,4 @@
-From dcf3758e12834d7a1fc58ffbdf9e0c2244427236 Mon Sep 17 00:00:00 2001
+From b4b9ebb09cd37616b5cc5305ff00acffb653dacc Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Wed, 29 Jul 2020 01:18:24 -0700
 Subject: scsi: fcoe: Memory leak fix in fcoe_sysfs_fcf_del()
diff --git a/queue-4.14/scsi-iscsi-do-not-put-host-in-iscsi_set_flashnode_pa.patch b/queue-4.14/scsi-iscsi-do-not-put-host-in-iscsi_set_flashnode_pa.patch
index ba67143f72c..4c653588619 100644
--- a/queue-4.14/scsi-iscsi-do-not-put-host-in-iscsi_set_flashnode_pa.patch
+++ b/queue-4.14/scsi-iscsi-do-not-put-host-in-iscsi_set_flashnode_pa.patch
@@ -1,4 +1,4 @@
-From 3ad7edaa250ea2a84107de913d3cfe447917077b Mon Sep 17 00:00:00 2001
+From b9ed26097270264ec1cf6fbaed2980f648676bb7 Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Mon, 15 Jun 2020 16:12:26 +0800
 Subject: scsi: iscsi: Do not put host in iscsi_set_flashnode_param()
diff --git a/queue-4.14/scsi-libfc-free-skb-in-fc_disc_gpn_id_resp-for-valid.patch b/queue-4.14/scsi-libfc-free-skb-in-fc_disc_gpn_id_resp-for-valid.patch
deleted file mode 100644
index f857ae705fb..00000000000
--- a/queue-4.14/scsi-libfc-free-skb-in-fc_disc_gpn_id_resp-for-valid.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 651df0aef8219edc4706cefc976e67b03c253001 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Wed, 29 Jul 2020 01:18:23 -0700
-Subject: scsi: libfc: Free skb in fc_disc_gpn_id_resp() for valid cases
-
-From: Javed Hasan
-
-[ Upstream commit ec007ef40abb6a164d148b0dc19789a7a2de2cc8 ]
-
-In fc_disc_gpn_id_resp(), skb is supposed to get freed in all cases except
-for PTR_ERR. However, in some cases it didn't.
-
-This fix is to call fc_frame_free(fp) before function returns.
-
-Link: https://lore.kernel.org/r/20200729081824.30996-2-jhasan@marvell.com
-Reviewed-by: Girish Basrur
-Reviewed-by: Santosh Vernekar
-Reviewed-by: Saurav Kashyap
-Reviewed-by: Shyam Sundar
-Signed-off-by: Javed Hasan
-Signed-off-by: Martin K. Petersen
-Signed-off-by: Sasha Levin
----
- drivers/scsi/libfc/fc_disc.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/scsi/libfc/fc_disc.c b/drivers/scsi/libfc/fc_disc.c
-index 28b50ab2fbb01..62f83cc151b22 100644
---- a/drivers/scsi/libfc/fc_disc.c
-+++ b/drivers/scsi/libfc/fc_disc.c
-@@ -605,8 +605,12 @@ static void fc_disc_gpn_id_resp(struct fc_seq *sp, struct fc_frame *fp,
-
- if (PTR_ERR(fp) == -FC_EX_CLOSED)
- goto out;
-- if (IS_ERR(fp))
-- goto redisc;
-+ if (IS_ERR(fp)) {
-+ mutex_lock(&disc->disc_mutex);
-+ fc_disc_restart(disc);
-+ mutex_unlock(&disc->disc_mutex);
-+ goto out;
-+ }
-
- cp = fc_frame_payload_get(fp, sizeof(*cp));
- if (!cp)
-@@ -633,7 +637,7 @@ static void fc_disc_gpn_id_resp(struct fc_seq *sp, struct fc_frame *fp,
- new_rdata->disc_id = disc->disc_id;
- fc_rport_login(new_rdata);
- }
-- goto out;
-+ goto free_fp;
- }
- rdata->disc_id = disc->disc_id;
- mutex_unlock(&rdata->rp_mutex);
-@@ -650,6 +654,8 @@ redisc:
- fc_disc_restart(disc);
- mutex_unlock(&disc->disc_mutex);
- }
-+free_fp:
-+ fc_frame_free(fp);
- out:
- kref_put(&rdata->kref, fc_rport_destroy);
- if (!IS_ERR(fp))
---
-2.25.1
-
diff --git a/queue-4.14/scsi-lpfc-fix-shost-refcount-mismatch-when-deleting-.patch b/queue-4.14/scsi-lpfc-fix-shost-refcount-mismatch-when-deleting-.patch index b1bb39524e6..7c950fc73ad 100644 --- a/queue-4.14/scsi-lpfc-fix-shost-refcount-mismatch-when-deleting-.patch +++ b/queue-4.14/scsi-lpfc-fix-shost-refcount-mismatch-when-deleting-.patch @@ -1,4 +1,4 @@ -From 9166fa31987107b2d523e43f58f66158fa1963d2 Mon Sep 17 00:00:00 2001 +From 432852c6e9f43ce91c0790cadc8806522697502c Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Tue, 30 Jun 2020 14:49:54 -0700 Subject: scsi: lpfc: Fix shost refcount mismatch when deleting vport @@ -70,7 +70,7 @@ index c714482bf4c55..9c738e201f462 100644 lpfc_free_sysfs_attr(vport); lpfc_debugfs_terminate(vport); -@@ -811,8 +800,9 @@ skip_logo: +@@ -811,8 +800,9 @@ lpfc_vport_delete(struct fc_vport *fc_vport) if (!(vport->vpi_state & LPFC_VPI_REGISTERED) || lpfc_mbx_unreg_vpi(vport)) scsi_host_put(shost); diff --git a/queue-4.14/scsi-target-tcmu-fix-crash-on-arm-during-cmd-complet.patch b/queue-4.14/scsi-target-tcmu-fix-crash-on-arm-during-cmd-complet.patch index 253088ad774..cd66a2fb9ce 100644 --- a/queue-4.14/scsi-target-tcmu-fix-crash-on-arm-during-cmd-complet.patch +++ b/queue-4.14/scsi-target-tcmu-fix-crash-on-arm-during-cmd-complet.patch @@ -1,4 +1,4 @@ -From fc2c3a19b9f6aae193c47a44a77db9bd8f2dfb28 Mon Sep 17 00:00:00 2001 +From 9263f7ff3a8c67caffd43c6dffe52f9298381ae6 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 29 Jun 2020 11:37:56 +0200 Subject: scsi: target: tcmu: Fix crash on ARM during cmd completion diff --git a/queue-4.14/scsi-ufs-add-delay_before_lpm-quirk-for-micron-devic.patch b/queue-4.14/scsi-ufs-add-delay_before_lpm-quirk-for-micron-devic.patch deleted file mode 100644 index 1e71b2f0afd..00000000000 --- a/queue-4.14/scsi-ufs-add-delay_before_lpm-quirk-for-micron-devic.patch +++ /dev/null 
@@ -1,52 +0,0 @@
-From b8ffc0d259c1109b12071cb2a8a94433801d4278 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Fri, 12 Jun 2020 09:26:24 +0800
-Subject: scsi: ufs: Add DELAY_BEFORE_LPM quirk for Micron devices
-
-From: Stanley Chu
-
-[ Upstream commit c0a18ee0ce78d7957ec1a53be35b1b3beba80668 ]
-
-It is confirmed that Micron device needs DELAY_BEFORE_LPM quirk to have a
-delay before VCC is powered off. Sdd Micron vendor ID and this quirk for
-Micron devices.
-
-Link: https://lore.kernel.org/r/20200612012625.6615-2-stanley.chu@mediatek.com
-Reviewed-by: Bean Huo
-Reviewed-by: Alim Akhtar
-Signed-off-by: Stanley Chu
-Signed-off-by: Martin K. Petersen
-Signed-off-by: Sasha Levin
----
- drivers/scsi/ufs/ufs_quirks.h | 1 +
- drivers/scsi/ufs/ufshcd.c | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/drivers/scsi/ufs/ufs_quirks.h b/drivers/scsi/ufs/ufs_quirks.h
-index 71f73d1d1ad1f..6c944fbefd40a 100644
---- a/drivers/scsi/ufs/ufs_quirks.h
-+++ b/drivers/scsi/ufs/ufs_quirks.h
-@@ -21,6 +21,7 @@
- #define UFS_ANY_VENDOR 0xFFFF
- #define UFS_ANY_MODEL "ANY_MODEL"
-
-+#define UFS_VENDOR_MICRON 0x12C
- #define UFS_VENDOR_TOSHIBA 0x198
- #define UFS_VENDOR_SAMSUNG 0x1CE
- #define UFS_VENDOR_SKHYNIX 0x1AD
-diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
-index 1e2a97a10033b..11e917b44a0f1 100644
---- a/drivers/scsi/ufs/ufshcd.c
-+++ b/drivers/scsi/ufs/ufshcd.c
-@@ -189,6 +189,8 @@ ufs_get_desired_pm_lvl_for_dev_link_state(enum ufs_dev_pwr_mode dev_state,
-
- static struct ufs_dev_fix ufs_fixups[] = {
- /* UFS cards deviations table */
-+ UFS_FIX(UFS_VENDOR_MICRON, UFS_ANY_MODEL,
-+ UFS_DEVICE_QUIRK_DELAY_BEFORE_LPM),
- UFS_FIX(UFS_VENDOR_SAMSUNG, UFS_ANY_MODEL,
- UFS_DEVICE_QUIRK_DELAY_BEFORE_LPM),
- UFS_FIX(UFS_VENDOR_SAMSUNG, UFS_ANY_MODEL, UFS_DEVICE_NO_VCCQ),
---
-2.25.1
-
diff --git a/queue-4.14/selftests-powerpc-purge-extra-count_pmc-calls-of-ebb.patch b/queue-4.14/selftests-powerpc-purge-extra-count_pmc-calls-of-ebb.patch
index 339e844bc90..a1c2059e733 100644
--- a/queue-4.14/selftests-powerpc-purge-extra-count_pmc-calls-of-ebb.patch
+++ b/queue-4.14/selftests-powerpc-purge-extra-count_pmc-calls-of-ebb.patch
@@ -1,4 +1,4 @@
-From 966a58855d804b1e9408f97a2689046fcf582df0 Mon Sep 17 00:00:00 2001
+From c94c421f8435ea1d97fa9f93a7cd2ef3ac97cb21 Mon Sep 17 00:00:00 2001
 From: Sasha Levin
 Date: Fri, 26 Jun 2020 13:47:37 -0300
 Subject: selftests/powerpc: Purge extra count_pmc() calls of ebb selftests
diff --git a/queue-4.14/series b/queue-4.14/series
index 189797333fe..c56f9d2e194 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -3,56 +3,6 @@ net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch
 tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch
 ipvlan-fix-device-features.patch
 gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch
-drm-vgem-replace-opencoded-version-of-drm_gem_dumb_m.patch
-perf-probe-fix-memory-leakage-when-the-probe-point-i.patch
-khugepaged-khugepaged_test_exit-check-mmget_still_va.patch
-khugepaged-adjust-vm_bug_on_mm-in-__khugepaged_enter.patch
-powerpc-mm-only-read-faulting-instruction-when-neces.patch
-powerpc-allow-4224-bytes-of-stack-expansion-for-the-.patch
-btrfs-export-helpers-for-subvolume-name-id-resolutio.patch
-btrfs-don-t-show-full-path-of-bind-mounts-in-subvol.patch
-btrfs-move-free_pages_out-label-in-inline-extent-han.patch
-btrfs-inode-fix-null-pointer-dereference-if-inode-do.patch
-btrfs-sysfs-use-nofs-for-device-creation.patch
-romfs-fix-uninitialized-memory-leak-in-romfs_dev_rea.patch
-kernel-relay.c-fix-memleak-on-destroy-relay-channel.patch
-mm-include-cma-pages-in-lowmem_reserve-at-boot.patch
-mm-page_alloc-fix-core-hung-in-free_pcppages_bulk.patch
-ext4-fix-checking-of-directory-entry-validity-for-in.patch
-jbd2-add-the-missing-unlock_buffer-in-the-error-path.patch
-spi-prevent-adding-devices-below-an-unregistering-co.patch
-scsi-ufs-add-delay_before_lpm-quirk-for-micron-devic.patch
-media-budget-core-improve-exception-handling-in-budg.patch
-rtc-goldfish-enable-interrupt-in-set_alarm-when-nece.patch
-media-vpss-clean-up-resources-in-init.patch
-input-psmouse-add-a-newline-when-printing-proto-by-s.patch
-m68knommu-fix-overwriting-of-bits-in-coldfire-v3-cac.patch
-xfs-fix-inode-quota-reservation-checks.patch
-jffs2-fix-uaf-problem.patch
-cpufreq-intel_pstate-fix-cpuinfo_max_freq-when-msr_t.patch
-scsi-libfc-free-skb-in-fc_disc_gpn_id_resp-for-valid.patch
-virtio_ring-avoid-loop-when-vq-is-broken-in-virtqueu.patch
-xfs-fix-ubsan-null-ptr-deref-in-xfs_sysfs_init.patch
-alpha-fix-annotation-of-io-read-write-16-32-be.patch
-ext4-fix-potential-negative-array-index-in-do_split.patch
-i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch
-i40e-fix-crash-during-removing-i40e-driver.patch
-net-fec-correct-the-error-path-for-regulator-disable.patch
-bonding-show-saner-speed-for-broadcast-mode.patch
-bonding-fix-a-potential-double-unregister.patch
-asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch
-asoc-intel-fix-memleak-in-sst_media_open.patch
-vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch
-bonding-fix-active-backup-failover-for-current-arp-s.patch
-hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch
-net-dsa-b53-check-for-timeout.patch
-powerpc-pseries-do-not-initiate-shutdown-when-system.patch
-epoll-keep-a-reference-on-files-added-to-the-check-l.patch
-do_epoll_ctl-clean-the-failure-exits-up-a-bit.patch
-mm-hugetlb-fix-calculation-of-adjust_range_if_pmd_sh.patch
-xen-don-t-reschedule-in-preemption-off-sections.patch
-clk-evict-unregistered-clks-from-parent-caches.patch
-kvm-arm-arm64-don-t-reschedule-in-unmap_stage2_range.patch
 alsa-pci-delete-repeated-words-in-comments.patch
 asoc-tegra-fix-reference-count-leaks.patch
 mfd-intel-lpss-add-intel-emmitsburg-pch-pci-ids.patch
diff --git a/queue-4.14/spi-prevent-adding-devices-below-an-unregistering-co.patch b/queue-4.14/spi-prevent-adding-devices-below-an-unregistering-co.patch
deleted file mode 100644
index 05502600476..00000000000
--- a/queue-4.14/spi-prevent-adding-devices-below-an-unregistering-co.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From 96c244e7d55ffba7c7ec24497eab720dda33edd6 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Mon, 3 Aug 2020 13:09:01 +0200
-Subject: spi: Prevent adding devices below an unregistering controller
-
-From: Lukas Wunner
-
-[ Upstream commit ddf75be47ca748f8b12d28ac64d624354fddf189 ]
-
-CONFIG_OF_DYNAMIC and CONFIG_ACPI allow adding SPI devices at runtime
-using a DeviceTree overlay or DSDT patch. CONFIG_SPI_SLAVE allows the
-same via sysfs.
-
-But there are no precautions to prevent adding a device below a
-controller that's being removed. Such a device is unusable and may not
-even be able to unbind cleanly as it becomes inaccessible once the
-controller has been torn down. E.g. it is then impossible to quiesce
-the device's interrupt.
-
-of_spi_notify() and acpi_spi_notify() do hold a ref on the controller,
-but otherwise run lockless against spi_unregister_controller().
-
-Fix by holding the spi_add_lock in spi_unregister_controller() and
-bailing out of spi_add_device() if the controller has been unregistered
-concurrently.
-
-Fixes: ce79d54ae447 ("spi/of: Add OF notifier handler")
-Signed-off-by: Lukas Wunner
-Cc: stable@vger.kernel.org # v3.19+
-Cc: Geert Uytterhoeven
-Cc: Octavian Purdila
-Cc: Pantelis Antoniou
-Link: https://lore.kernel.org/r/a8c3205088a969dc8410eec1eba9aface60f36af.1596451035.git.lukas@wunner.de
-Signed-off-by: Mark Brown
-Signed-off-by: Sasha Levin
----
- drivers/spi/Kconfig | 3 +++
- drivers/spi/spi.c | 21 ++++++++++++++++++++-
- 2 files changed, 23 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/spi/Kconfig b/drivers/spi/Kconfig
-index a75f2a2cf7805..4b6a1629969f3 100644
---- a/drivers/spi/Kconfig
-+++ b/drivers/spi/Kconfig
-@@ -827,4 +827,7 @@ config SPI_SLAVE_SYSTEM_CONTROL
-
- endif # SPI_SLAVE
-
-+config SPI_DYNAMIC
-+ def_bool ACPI || OF_DYNAMIC || SPI_SLAVE
-+
- endif # SPI
-diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
-index 49eee894f51d4..ab6a4f85bcde7 100644
---- a/drivers/spi/spi.c
-+++ b/drivers/spi/spi.c
-@@ -428,6 +428,12 @@ static LIST_HEAD(spi_controller_list);
- */
- static DEFINE_MUTEX(board_lock);
-
-+/*
-+ * Prevents addition of devices with same chip select and
-+ * addition of devices below an unregistering controller.
-+ */
-+static DEFINE_MUTEX(spi_add_lock);
-+
- /**
- * spi_alloc_device - Allocate a new SPI device
- * @ctlr: Controller to which device is connected
-@@ -506,7 +512,6 @@ static int spi_dev_check(struct device *dev, void *data)
- */
- int spi_add_device(struct spi_device *spi)
- {
-- static DEFINE_MUTEX(spi_add_lock);
- struct spi_controller *ctlr = spi->controller;
- struct device *dev = ctlr->dev.parent;
- int status;
-@@ -534,6 +539,13 @@ int spi_add_device(struct spi_device *spi)
- goto done;
- }
-
-+ /* Controller may unregister concurrently */
-+ if (IS_ENABLED(CONFIG_SPI_DYNAMIC) &&
-+ !device_is_registered(&ctlr->dev)) {
-+ status = -ENODEV;
-+ goto done;
-+ }
-+
- if (ctlr->cs_gpios)
- spi->cs_gpio = ctlr->cs_gpios[spi->chip_select];
-
-@@ -2265,6 +2277,10 @@ void spi_unregister_controller(struct spi_controller *ctlr)
- struct spi_controller *found;
- int id = ctlr->bus_num;
-
-+ /* Prevent addition of new devices, unregister existing ones */
-+ if (IS_ENABLED(CONFIG_SPI_DYNAMIC))
-+ mutex_lock(&spi_add_lock);
-+
- device_for_each_child(&ctlr->dev, NULL, __unregister);
-
- /* First make sure that this controller was ever added */
-@@ -2285,6 +2301,9 @@ void spi_unregister_controller(struct spi_controller *ctlr)
- if (found == ctlr)
- idr_remove(&spi_master_idr, id);
- mutex_unlock(&board_lock);
-+
-+ if (IS_ENABLED(CONFIG_SPI_DYNAMIC))
-+ mutex_unlock(&spi_add_lock);
- }
- EXPORT_SYMBOL_GPL(spi_unregister_controller);
-
---
-2.25.1
-
diff --git a/queue-4.14/vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch b/queue-4.14/vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch
deleted file mode 100644
index f7feda42599..00000000000
--- a/queue-4.14/vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch
+++ /dev/null
@@ -1,164 +0,0 @@
-From d5c04cb64e98ccf201d33b50b53648861b73aac4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Mon, 17 Aug 2020 11:09:13 -0600
-Subject: vfio/type1: Add proper error unwind for vfio_iommu_replay()
-
-From: Alex Williamson
-
-[ Upstream commit aae7a75a821a793ed6b8ad502a5890fb8e8f172d ]
-
-The vfio_iommu_replay() function does not currently unwind on error,
-yet it does pin pages, perform IOMMU mapping, and modify the vfio_dma
-structure to indicate IOMMU mapping. The IOMMU mappings are torn down
-when the domain is destroyed, but the other actions go on to cause
-trouble later. For example, the iommu->domain_list can be empty if we
-only have a non-IOMMU backed mdev attached. We don't currently check
-if the list is empty before getting the first entry in the list, which
-leads to a bogus domain pointer. If a vfio_dma entry is erroneously
-marked as iommu_mapped, we'll attempt to use that bogus pointer to
-retrieve the existing physical page addresses.
-
-This is the scenario that uncovered this issue, attempting to hot-add
-a vfio-pci device to a container with an existing mdev device and DMA
-mappings, one of which could not be pinned, causing a failure adding
-the new group to the existing container and setting the conditions
-for a subsequent attempt to explode.
-
-To resolve this, we can first check if the domain_list is empty so
-that we can reject replay of a bogus domain, should we ever encounter
-this inconsistent state again in the future. The real fix though is
-to add the necessary unwind support, which means cleaning up the
-current pinning if an IOMMU mapping fails, then walking back through
-the r-b tree of DMA entries, reading from the IOMMU which ranges are
-mapped, and unmapping and unpinning those ranges. To be able to do
-this, we also defer marking the DMA entry as IOMMU mapped until all
-entries are processed, in order to allow the unwind to know the
-disposition of each entry.
-
-Fixes: a54eb55045ae ("vfio iommu type1: Add support for mediated devices")
-Reported-by: Zhiyi Guo
-Tested-by: Zhiyi Guo
-Reviewed-by: Cornelia Huck
-Signed-off-by: Alex Williamson
-Signed-off-by: Sasha Levin
----
- drivers/vfio/vfio_iommu_type1.c | 71 ++++++++++++++++++++++++++++++---
- 1 file changed, 66 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
-index 35a3750a6ddd3..f22425501bc16 100644
---- a/drivers/vfio/vfio_iommu_type1.c
-+++ b/drivers/vfio/vfio_iommu_type1.c
-@@ -1086,13 +1086,16 @@ static int vfio_bus_type(struct device *dev, void *data)
- static int vfio_iommu_replay(struct vfio_iommu *iommu,
- struct vfio_domain *domain)
- {
-- struct vfio_domain *d;
-+ struct vfio_domain *d = NULL;
- struct rb_node *n;
- unsigned long limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
- int ret;
-
- /* Arbitrarily pick the first domain in the list for lookups */
-- d = list_first_entry(&iommu->domain_list, struct vfio_domain, next);
-+ if (!list_empty(&iommu->domain_list))
-+ d = list_first_entry(&iommu->domain_list,
-+ struct vfio_domain, next);
-+
- n = rb_first(&iommu->dma_list);
-
- for (; n; n = rb_next(n)) {
-@@ -1110,6 +1113,11 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu,
- phys_addr_t p;
- dma_addr_t i;
-
-+ if (WARN_ON(!d)) { /* mapped w/o a domain?! */
-+ ret = -EINVAL;
-+ goto unwind;
-+ }
-+
- phys = iommu_iova_to_phys(d->domain, iova);
-
- if (WARN_ON(!phys)) {
-@@ -1139,7 +1147,7 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu,
- if (npage <= 0) {
- WARN_ON(!npage);
- ret = (int)npage;
-- return ret;
-+ goto unwind;
- }
-
- phys = pfn << PAGE_SHIFT;
-@@ -1148,14 +1156,67 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu,
-
- ret = iommu_map(domain->domain, iova, phys,
- size, dma->prot | domain->prot);
-- if (ret)
-- return ret;
-+ if (ret) {
-+ if (!dma->iommu_mapped)
-+ vfio_unpin_pages_remote(dma, iova,
-+ phys >> PAGE_SHIFT,
-+ size >> PAGE_SHIFT,
-+ true);
-+ goto unwind;
-+ }
-
- iova += size;
- }
-+ }
-+
-+ /* All dmas are now mapped, defer to second tree walk for unwind */
-+ for (n = rb_first(&iommu->dma_list); n; n = rb_next(n)) {
-+ struct vfio_dma *dma = rb_entry(n, struct vfio_dma, node);
-+
- dma->iommu_mapped = true;
- }
-+
- return 0;
-+
-+unwind:
-+ for (; n; n = rb_prev(n)) {
-+ struct vfio_dma *dma = rb_entry(n, struct vfio_dma, node);
-+ dma_addr_t iova;
-+
-+ if (dma->iommu_mapped) {
-+ iommu_unmap(domain->domain, dma->iova, dma->size);
-+ continue;
-+ }
-+
-+ iova = dma->iova;
-+ while (iova < dma->iova + dma->size) {
-+ phys_addr_t phys, p;
-+ size_t size;
-+ dma_addr_t i;
-+
-+ phys = iommu_iova_to_phys(domain->domain, iova);
-+ if (!phys) {
-+ iova += PAGE_SIZE;
-+ continue;
-+ }
-+
-+ size = PAGE_SIZE;
-+ p = phys + size;
-+ i = iova + size;
-+ while (i < dma->iova + dma->size &&
-+ p == iommu_iova_to_phys(domain->domain, i)) {
-+ size += PAGE_SIZE;
-+ p += PAGE_SIZE;
-+ i += PAGE_SIZE;
-+ }
-+
-+ iommu_unmap(domain->domain, iova, size);
-+ vfio_unpin_pages_remote(dma, iova, phys >> PAGE_SHIFT,
-+ size >> PAGE_SHIFT, true);
-+ }
-+ }
-+
-+ return ret;
- }
-
- /*
---
-2.25.1
-
diff --git a/queue-4.14/virtio_ring-avoid-loop-when-vq-is-broken-in-virtqueu.patch b/queue-4.14/virtio_ring-avoid-loop-when-vq-is-broken-in-virtqueu.patch
deleted file mode 100644
index 4b735f3d2ce..00000000000
--- a/queue-4.14/virtio_ring-avoid-loop-when-vq-is-broken-in-virtqueu.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 33d240f531b4774c51a39877edbcbebb3d8f86bb Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Sun, 2 Aug 2020 15:44:09 +0800
-Subject: virtio_ring: Avoid loop when vq is broken in virtqueue_poll
-
-From: Mao Wenan
-
-[ Upstream commit 481a0d7422db26fb63e2d64f0652667a5c6d0f3e ]
-
-The loop may exist if vq->broken is true,
-virtqueue_get_buf_ctx_packed or virtqueue_get_buf_ctx_split
-will return NULL, so virtnet_poll will reschedule napi to
-receive packet, it will lead cpu usage(si) to 100%.
-
-call trace as below:
-virtnet_poll
- virtnet_receive
- virtqueue_get_buf_ctx
- virtqueue_get_buf_ctx_packed
- virtqueue_get_buf_ctx_split
- virtqueue_napi_complete
- virtqueue_poll //return true
- virtqueue_napi_schedule //it will reschedule napi
-
-to fix this, return false if vq is broken in virtqueue_poll.
-
-Signed-off-by: Mao Wenan
-Acked-by: Michael S. Tsirkin
-Link: https://lore.kernel.org/r/1596354249-96204-1-git-send-email-wenan.mao@linux.alibaba.com
-Signed-off-by: Michael S. Tsirkin
-Acked-by: Jason Wang
-Signed-off-by: Sasha Levin
----
- drivers/virtio/virtio_ring.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
-index b82bb0b081615..51278f8bd3ab3 100644
---- a/drivers/virtio/virtio_ring.c
-+++ b/drivers/virtio/virtio_ring.c
-@@ -829,6 +829,9 @@ bool virtqueue_poll(struct virtqueue *_vq, unsigned last_used_idx)
- {
- struct vring_virtqueue *vq = to_vvq(_vq);
-
-+ if (unlikely(vq->broken))
-+ return false;
-+
- virtio_mb(vq->weak_barriers);
- return (u16)last_used_idx != virtio16_to_cpu(_vq->vdev, vq->vring.used->idx);
- }
---
-2.25.1
-
diff --git a/queue-4.14/xen-don-t-reschedule-in-preemption-off-sections.patch b/queue-4.14/xen-don-t-reschedule-in-preemption-off-sections.patch
deleted file mode 100644
index 7c75fc37750..00000000000
--- a/queue-4.14/xen-don-t-reschedule-in-preemption-off-sections.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 616164b647a6eb135ead0b874234582ce38569c2 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Thu, 20 Aug 2020 08:59:08 +0200
-Subject: xen: don't reschedule in preemption off sections
-
-From: Juergen Gross
-
-For support of long running hypercalls xen_maybe_preempt_hcall() is
-calling cond_resched() in case a hypercall marked as preemptible has
-been interrupted.
-
-Normally this is no problem, as only hypercalls done via some ioctl()s
-are marked to be preemptible. In rare cases when during such a
-preemptible hypercall an interrupt occurs and any softirq action is
-started from irq_exit(), a further hypercall issued by the softirq
-handler will be regarded to be preemptible, too. This might lead to
-rescheduling in spite of the softirq handler potentially having set
-preempt_disable(), leading to splats like:
-
-BUG: sleeping function called from invalid context at drivers/xen/preempt.c:37
-in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 20775, name: xl
-INFO: lockdep is turned off.
-CPU: 1 PID: 20775 Comm: xl Tainted: G D W 5.4.46-1_prgmr_debug.el7.x86_64 #1
-Call Trace:
-
-dump_stack+0x8f/0xd0
-___might_sleep.cold.76+0xb2/0x103
-xen_maybe_preempt_hcall+0x48/0x70
-xen_do_hypervisor_callback+0x37/0x40
-RIP: e030:xen_hypercall_xen_version+0xa/0x20
-Code: ...
-RSP: e02b:ffffc900400dcc30 EFLAGS: 00000246
-RAX: 000000000004000d RBX: 0000000000000200 RCX: ffffffff8100122a
-RDX: ffff88812e788000 RSI: 0000000000000000 RDI: 0000000000000000
-RBP: ffffffff83ee3ad0 R08: 0000000000000001 R09: 0000000000000001
-R10: 0000000000000000 R11: 0000000000000246 R12: ffff8881824aa0b0
-R13: 0000000865496000 R14: 0000000865496000 R15: ffff88815d040000
-? xen_hypercall_xen_version+0xa/0x20
-? xen_force_evtchn_callback+0x9/0x10
-? check_events+0x12/0x20
-? xen_restore_fl_direct+0x1f/0x20
-? _raw_spin_unlock_irqrestore+0x53/0x60
-? debug_dma_sync_single_for_cpu+0x91/0xc0
-? _raw_spin_unlock_irqrestore+0x53/0x60
-? xen_swiotlb_sync_single_for_cpu+0x3d/0x140
-? mlx4_en_process_rx_cq+0x6b6/0x1110 [mlx4_en]
-? mlx4_en_poll_rx_cq+0x64/0x100 [mlx4_en]
-? net_rx_action+0x151/0x4a0
-? __do_softirq+0xed/0x55b
-? irq_exit+0xea/0x100
-? xen_evtchn_do_upcall+0x2c/0x40
-? xen_do_hypervisor_callback+0x29/0x40
-
-? xen_hypercall_domctl+0xa/0x20
-? xen_hypercall_domctl+0x8/0x20
-? privcmd_ioctl+0x221/0x990 [xen_privcmd]
-? do_vfs_ioctl+0xa5/0x6f0
-? ksys_ioctl+0x60/0x90
-? trace_hardirqs_off_thunk+0x1a/0x20
-? __x64_sys_ioctl+0x16/0x20
-? do_syscall_64+0x62/0x250
-? entry_SYSCALL_64_after_hwframe+0x49/0xbe
-
-Fix that by testing preempt_count() before calling cond_resched().
-
-In kernel 5.8 this can't happen any more due to the entry code rework
-(more than 100 patches, so not a candidate for backporting).
-
-The issue was introduced in kernel 4.3, so this patch should go into
-all stable kernels in [4.3 ... 5.7].
-
-Reported-by: Sarah Newman
-Fixes: 0fa2f5cb2b0ecd8 ("sched/preempt, xen: Use need_resched() instead of should_resched()")
-Cc: Sarah Newman
-Cc: stable@vger.kernel.org
-Signed-off-by: Juergen Gross
-Tested-by: Chris Brannon
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/xen/preempt.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/xen/preempt.c b/drivers/xen/preempt.c
-index 5f6b77ea34fb5..128375ff80b8c 100644
---- a/drivers/xen/preempt.c
-+++ b/drivers/xen/preempt.c
-@@ -31,7 +31,7 @@ EXPORT_SYMBOL_GPL(xen_in_preemptible_hcall);
- asmlinkage __visible void xen_maybe_preempt_hcall(void)
- {
- if (unlikely(__this_cpu_read(xen_in_preemptible_hcall)
-- && need_resched())) {
-+ && need_resched() && !preempt_count())) {
- /*
- * Clear flag as we may be rescheduled on a different
- * cpu.
---
-2.25.1
-
diff --git a/queue-4.14/xfs-fix-inode-quota-reservation-checks.patch b/queue-4.14/xfs-fix-inode-quota-reservation-checks.patch
deleted file mode 100644
index 8e1828972b9..00000000000
--- a/queue-4.14/xfs-fix-inode-quota-reservation-checks.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 5d63365bb77f37631aa5171c58295a2cbe007347 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Tue, 14 Jul 2020 10:36:09 -0700
-Subject: xfs: fix inode quota reservation checks
-
-From: Darrick J. Wong
-
-[ Upstream commit f959b5d037e71a4d69b5bf71faffa065d9269b4a ]
-
-xfs_trans_dqresv is the function that we use to make reservations
-against resource quotas. Each resource contains two counters: the
-q_core counter, which tracks resources allocated on disk; and the dquot
-reservation counter, which tracks how much of that resource has either
-been allocated or reserved by threads that are working on metadata
-updates.
-
-For disk blocks, we compare the proposed reservation counter against the
-hard and soft limits to decide if we're going to fail the operation.
-However, for inodes we inexplicably compare against the q_core counter,
-not the incore reservation count.
-
-Since the q_core counter is always lower than the reservation count and
-we unlock the dquot between reservation and transaction commit, this
-means that multiple threads can reserve the last inode count before we
-hit the hard limit, and when they commit, we'll be well over the hard
-limit.
-
-Fix this by checking against the incore inode reservation counter, since
-we would appear to maintain that correctly (and that's what we report in
-GETQUOTA).
-
-Signed-off-by: Darrick J. Wong
-Reviewed-by: Allison Collins
-Reviewed-by: Chandan Babu R
-Reviewed-by: Christoph Hellwig
-Signed-off-by: Sasha Levin
----
- fs/xfs/xfs_trans_dquot.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fs/xfs/xfs_trans_dquot.c b/fs/xfs/xfs_trans_dquot.c
-index c3d547211d160..9c42e50a5cb7e 100644
---- a/fs/xfs/xfs_trans_dquot.c
-+++ b/fs/xfs/xfs_trans_dquot.c
-@@ -669,7 +669,7 @@ xfs_trans_dqresv(
- }
- }
- if (ninos > 0) {
-- total_count = be64_to_cpu(dqp->q_core.d_icount) + ninos;
-+ total_count = dqp->q_res_icount + ninos;
- timer = be32_to_cpu(dqp->q_core.d_itimer);
- warns = be16_to_cpu(dqp->q_core.d_iwarns);
- warnlimit = dqp->q_mount->m_quotainfo->qi_iwarnlimit;
---
-2.25.1
-
diff --git a/queue-4.14/xfs-fix-ubsan-null-ptr-deref-in-xfs_sysfs_init.patch b/queue-4.14/xfs-fix-ubsan-null-ptr-deref-in-xfs_sysfs_init.patch
deleted file mode 100644
index c725668d671..00000000000
--- a/queue-4.14/xfs-fix-ubsan-null-ptr-deref-in-xfs_sysfs_init.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 9e6b5b95176f9966d09bf760665b91d92026ae53 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Thu, 6 Aug 2020 15:18:48 -0700
-Subject: xfs: Fix UBSAN null-ptr-deref in xfs_sysfs_init
-
-From: Eiichi Tsukata
-
-[ Upstream commit 96cf2a2c75567ff56195fe3126d497a2e7e4379f ]
-
-If xfs_sysfs_init is called with parent_kobj == NULL, UBSAN
-shows the following warning:
-
- UBSAN: null-ptr-deref in ./fs/xfs/xfs_sysfs.h:37:23
- member access within null pointer of type 'struct xfs_kobj'
- Call Trace:
- dump_stack+0x10e/0x195
- ubsan_type_mismatch_common+0x241/0x280
- __ubsan_handle_type_mismatch_v1+0x32/0x40
- init_xfs_fs+0x12b/0x28f
- do_one_initcall+0xdd/0x1d0
- do_initcall_level+0x151/0x1b6
- do_initcalls+0x50/0x8f
- do_basic_setup+0x29/0x2b
- kernel_init_freeable+0x19f/0x20b
- kernel_init+0x11/0x1e0
- ret_from_fork+0x22/0x30
-
-Fix it by checking parent_kobj before the code accesses its member.
-
-Signed-off-by: Eiichi Tsukata
-Reviewed-by: Darrick J. Wong
-[darrick: minor whitespace edits]
-Signed-off-by: Darrick J. Wong
-Signed-off-by: Sasha Levin
----
- fs/xfs/xfs_sysfs.h | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/fs/xfs/xfs_sysfs.h b/fs/xfs/xfs_sysfs.h
-index d04637181ef21..980c9429abec5 100644
---- a/fs/xfs/xfs_sysfs.h
-+++ b/fs/xfs/xfs_sysfs.h
-@@ -44,9 +44,11 @@ xfs_sysfs_init(
- struct xfs_kobj *parent_kobj,
- const char *name)
- {
-+ struct kobject *parent;
-+
-+ parent = parent_kobj ? &parent_kobj->kobject : NULL;
- init_completion(&kobj->complete);
-- return kobject_init_and_add(&kobj->kobject, ktype,
-- &parent_kobj->kobject, "%s", name);
-+ return kobject_init_and_add(&kobj->kobject, ktype, parent, "%s", name);
- }
-
- static inline void
---
-2.25.1
-