From: Sasha Levin Date: Sun, 4 Aug 2019 15:43:03 +0000 (-0400) Subject: fixes for 4.19 X-Git-Tag: v4.4.188~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cf2552db6aba41b18b650266ef6d2182d8ac189a;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.19 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.19/acpi-blacklist-fix-clang-warning-for-unused-dmi-tabl.patch b/queue-4.19/acpi-blacklist-fix-clang-warning-for-unused-dmi-tabl.patch
new file mode 100644
index 00000000000..1343f396592
--- /dev/null
+++ b/queue-4.19/acpi-blacklist-fix-clang-warning-for-unused-dmi-tabl.patch
@@ -0,0 +1,51 @@
+From f277dbaa8daa0a245e1419a97e342d694e0754b5 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Wed, 10 Jul 2019 15:05:43 +0200
+Subject: ACPI: blacklist: fix clang warning for unused DMI table
+
+[ Upstream commit b80d6a42bdc97bdb6139107d6034222e9843c6e2 ]
+
+When CONFIG_DMI is disabled, we only have a tentative declaration,
+which causes a warning from clang:
+
+drivers/acpi/blacklist.c:20:35: error: tentative array definition assumed to have one element [-Werror]
+static const struct dmi_system_id acpi_rev_dmi_table[] __initconst;
+
+As the variable is not actually used here, hide it entirely
+in an #ifdef to shut up the warning.
+
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Nathan Chancellor
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/blacklist.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c
+index 995c4d8922b12..761f0c19a4512 100644
+--- a/drivers/acpi/blacklist.c
++++ b/drivers/acpi/blacklist.c
+@@ -30,7 +30,9 @@
+
+ #include "internal.h"
+
++#ifdef CONFIG_DMI
+ static const struct dmi_system_id acpi_rev_dmi_table[] __initconst;
++#endif
+
+ /*
+ * POLICY: If *anything* doesn't work, put it on the blacklist.
+@@ -74,7 +76,9 @@ int __init acpi_blacklisted(void)
+ }
+
+ (void)early_acpi_osi_init();
++#ifdef CONFIG_DMI
+ dmi_check_system(acpi_rev_dmi_table);
++#endif
+
+ return blacklisted;
+ }
+--
+2.20.1
+
diff --git a/queue-4.19/acpi-fix-false-positive-wuninitialized-warning.patch b/queue-4.19/acpi-fix-false-positive-wuninitialized-warning.patch
new file mode 100644
index 00000000000..fabbe428ec4
--- /dev/null
+++ b/queue-4.19/acpi-fix-false-positive-wuninitialized-warning.patch
@@ -0,0 +1,58 @@
+From 08f2f540f634aec1e7beed6e6b0d0b899c3f44c6 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Fri, 12 Jul 2019 11:01:21 +0200
+Subject: ACPI: fix false-positive -Wuninitialized warning
+
+[ Upstream commit dfd6f9ad36368b8dbd5f5a2b2f0a4705ae69a323 ]
+
+clang gets confused by an uninitialized variable in what looks
+to it like a never executed code path:
+
+arch/x86/kernel/acpi/boot.c:618:13: error: variable 'polarity' is uninitialized when used here [-Werror,-Wuninitialized]
+ polarity = polarity ? ACPI_ACTIVE_LOW : ACPI_ACTIVE_HIGH;
+ ^~~~~~~~
+arch/x86/kernel/acpi/boot.c:606:32: note: initialize the variable 'polarity' to silence this warning
+ int rc, irq, trigger, polarity;
+ ^
+ = 0
+arch/x86/kernel/acpi/boot.c:617:12: error: variable 'trigger' is uninitialized when used here [-Werror,-Wuninitialized]
+ trigger = trigger ? ACPI_LEVEL_SENSITIVE : ACPI_EDGE_SENSITIVE;
+ ^~~~~~~
+arch/x86/kernel/acpi/boot.c:606:22: note: initialize the variable 'trigger' to silence this warning
+ int rc, irq, trigger, polarity;
+ ^
+ = 0
+
+This is unfortunately a design decision in clang and won't be fixed.
+
+Changing the acpi_get_override_irq() macro to an inline function
+reliably avoids the issue.
+
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Andy Shevchenko
+Reviewed-by: Nathan Chancellor
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ include/linux/acpi.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/acpi.h b/include/linux/acpi.h
+index de8d3d3fa6512..b4d23b3a2ef2d 100644
+--- a/include/linux/acpi.h
++++ b/include/linux/acpi.h
+@@ -326,7 +326,10 @@ void acpi_set_irq_model(enum acpi_irq_model_id model,
+ #ifdef CONFIG_X86_IO_APIC
+ extern int acpi_get_override_irq(u32 gsi, int *trigger, int *polarity);
+ #else
+-#define acpi_get_override_irq(gsi, trigger, polarity) (-1)
++static inline int acpi_get_override_irq(u32 gsi, int *trigger, int *polarity)
++{
++ return -1;
++}
+ #endif
+ /*
+ * This function undoes the effect of one call to acpi_register_gsi().
+--
+2.20.1
+
diff --git a/queue-4.19/arm-dts-rockchip-make-rk3288-veyron-mickey-s-emmc-wo.patch b/queue-4.19/arm-dts-rockchip-make-rk3288-veyron-mickey-s-emmc-wo.patch
new file mode 100644
index 00000000000..eb56c1176da
--- /dev/null
+++ b/queue-4.19/arm-dts-rockchip-make-rk3288-veyron-mickey-s-emmc-wo.patch
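Review bot: The inline stub added for acpi_get_override_irq() in the `#else` branch returns -1 without writing `*trigger` or `*polarity`, and nothing next to it states that contract. Callers now pass real pointers to a real function, so any caller that reads the outputs without first testing the return value would be using indeterminate data. A comment above the stub would make this explicit: `/* No IO-APIC: always fails and leaves *trigger and *polarity untouched; check the return value before using them. */`. The callers are outside this hunk, so whether any of them skips that check cannot be judged from here.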
@@ -0,0 +1,66 @@
+From 6d373d5ee1d1c89918718d9b5a92aad8d11cf68f Mon Sep 17 00:00:00 2001
+From: Douglas Anderson
+Date: Fri, 3 May 2019 16:45:37 -0700
+Subject: ARM: dts: rockchip: Make rk3288-veyron-mickey's emmc work again
+
+[ Upstream commit 99fa066710f75f18f4d9a5bc5f6a711968a581d5 ]
+
+When I try to boot rk3288-veyron-mickey I totally fail to make the
+eMMC work. Specifically my logs (on Chrome OS 4.19):
+
+ mmc_host mmc1: card is non-removable.
+ mmc_host mmc1: Bus speed (slot 0) = 400000Hz (slot req 400000Hz, actual 400000HZ div = 0)
+ mmc_host mmc1: Bus speed (slot 0) = 50000000Hz (slot req 52000000Hz, actual 50000000HZ div = 0)
+ mmc1: switch to bus width 8 failed
+ mmc1: switch to bus width 4 failed
+ mmc1: new high speed MMC card at address 0001
+ mmcblk1: mmc1:0001 HAG2e 14.7 GiB
+ mmcblk1boot0: mmc1:0001 HAG2e partition 1 4.00 MiB
+ mmcblk1boot1: mmc1:0001 HAG2e partition 2 4.00 MiB
+ mmcblk1rpmb: mmc1:0001 HAG2e partition 3 4.00 MiB, chardev (243:0)
+ mmc_host mmc1: Bus speed (slot 0) = 400000Hz (slot req 400000Hz, actual 400000HZ div = 0)
+ mmc_host mmc1: Bus speed (slot 0) = 50000000Hz (slot req 52000000Hz, actual 50000000HZ div = 0)
+ mmc1: switch to bus width 8 failed
+ mmc1: switch to bus width 4 failed
+ mmc1: tried to HW reset card, got error -110
+ mmcblk1: error -110 requesting status
+ mmcblk1: recovery failed!
+ print_req_error: I/O error, dev mmcblk1, sector 0
+ ...
+
+When I remove the '/delete-property/mmc-hs200-1_8v' then everything is
+hunky dory.
+
+That line comes from the original submission of the mickey dts
+upstream, so presumably at the time the HS200 was failing and just
+enumerating things as a high speed device was fine. ...or maybe it's
+just that some mickey devices work when enumerating at "high speed",
+just not mine?
+
+In any case, hs200 seems good now. Let's turn it on.
+
+Signed-off-by: Douglas Anderson
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/rk3288-veyron-mickey.dts | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/arch/arm/boot/dts/rk3288-veyron-mickey.dts b/arch/arm/boot/dts/rk3288-veyron-mickey.dts
+index 1e0158acf895d..a593d0a998fc8 100644
+--- a/arch/arm/boot/dts/rk3288-veyron-mickey.dts
++++ b/arch/arm/boot/dts/rk3288-veyron-mickey.dts
+@@ -124,10 +124,6 @@
+ };
+ };
+
+-&emmc {
+- /delete-property/mmc-hs200-1_8v;
+-};
+-
+ &i2c2 {
+ status = "disabled";
+ };
+--
+2.20.1
+
diff --git a/queue-4.19/arm-dts-rockchip-make-rk3288-veyron-minnie-run-at-hs.patch b/queue-4.19/arm-dts-rockchip-make-rk3288-veyron-minnie-run-at-hs.patch
new file mode 100644
index 00000000000..4ff565aef27
--- /dev/null
+++ b/queue-4.19/arm-dts-rockchip-make-rk3288-veyron-minnie-run-at-hs.patch
@@ -0,0 +1,57 @@
+From c8040b9f3339e0a3230fed9b54cb352f2134d1af Mon Sep 17 00:00:00 2001
+From: Douglas Anderson
+Date: Fri, 3 May 2019 16:41:42 -0700
+Subject: ARM: dts: rockchip: Make rk3288-veyron-minnie run at hs200
+
+[ Upstream commit 1c0479023412ab7834f2e98b796eb0d8c627cd62 ]
+
+As some point hs200 was failing on rk3288-veyron-minnie. See commit
+984926781122 ("ARM: dts: rockchip: temporarily remove emmc hs200 speed
+from rk3288 minnie"). Although I didn't track down exactly when it
+started working, it seems to work OK now, so let's turn it back on.
+
+To test this, I booted from SD card and then used this script to
+stress the enumeration process after fixing a memory leak [1]:
+ cd /sys/bus/platform/drivers/dwmmc_rockchip
+ for i in $(seq 1 3000); do
+ echo "========================" $i
+ echo ff0f0000.dwmmc > unbind
+ sleep .5
+ echo ff0f0000.dwmmc > bind
+ while true; do
+ if [ -e /dev/mmcblk2 ]; then
+ break;
+ fi
+ sleep .1
+ done
+ done
+
+It worked fine.
+
+[1] https://lkml.kernel.org/r/20190503233526.226272-1-dianders@chromium.org
+
+Signed-off-by: Douglas Anderson
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/rk3288-veyron-minnie.dts | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/arch/arm/boot/dts/rk3288-veyron-minnie.dts b/arch/arm/boot/dts/rk3288-veyron-minnie.dts
+index f95d0c5fcf712..6e8946052c78b 100644
+--- a/arch/arm/boot/dts/rk3288-veyron-minnie.dts
++++ b/arch/arm/boot/dts/rk3288-veyron-minnie.dts
+@@ -90,10 +90,6 @@
+ pwm-off-delay-ms = <200>;
+ };
+
+-&emmc {
+- /delete-property/mmc-hs200-1_8v;
+-};
+-
+ &gpio_keys {
+ pinctrl-0 = <&pwr_key_l &ap_lid_int_l &volum_down_l &volum_up_l>;
+
+--
+2.20.1
+
diff --git a/queue-4.19/arm-dts-rockchip-mark-that-the-rk3288-timer-might-st.patch b/queue-4.19/arm-dts-rockchip-mark-that-the-rk3288-timer-might-st.patch
new file mode 100644
index 00000000000..2f33d27edd9
--- /dev/null
+++ b/queue-4.19/arm-dts-rockchip-mark-that-the-rk3288-timer-might-st.patch
@@ -0,0 +1,48 @@
+From 1d2a545845293077e757b9b2399ec0eee73e19d3 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson
+Date: Tue, 21 May 2019 16:49:33 -0700
+Subject: ARM: dts: rockchip: Mark that the rk3288 timer might stop in suspend
+
+[ Upstream commit 8ef1ba39a9fa53d2205e633bc9b21840a275908e ]
+
+This is similar to commit e6186820a745 ("arm64: dts: rockchip: Arch
+counter doesn't tick in system suspend"). Specifically on the rk3288
+it can be seen that the timer stops ticking in suspend if we end up
+running through the "osc_disable" path in rk3288_slp_mode_set(). In
+that path the 24 MHz clock will turn off and the timer stops.
+
+To test this, I ran this on a Chrome OS filesystem:
+ before=$(date); \
+ suspend_stress_test -c1 --suspend_min=30 --suspend_max=31; \
+ echo ${before}; date
+
+...and I found that unless I plug in a device that requests USB wakeup
+to be active that the two calls to "date" would show that fewer than
+30 seconds passed.
+
+NOTE: deep suspend (where the 24 MHz clock gets disabled) isn't
+supported yet on upstream Linux so this was tested on a downstream
+kernel.
+
+Signed-off-by: Douglas Anderson
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/rk3288.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/rk3288.dtsi b/arch/arm/boot/dts/rk3288.dtsi
+index c706adf4aed2f..440d6783faca5 100644
+--- a/arch/arm/boot/dts/rk3288.dtsi
++++ b/arch/arm/boot/dts/rk3288.dtsi
+@@ -227,6 +227,7 @@
+ ,
+ ;
+ clock-frequency = <24000000>;
++ arm,no-tick-in-suspend;
+ };
+
+ timer: timer@ff810000 {
+--
+2.20.1
+
diff --git a/queue-4.19/arm-riscpc-fix-dma.patch b/queue-4.19/arm-riscpc-fix-dma.patch
new file mode 100644
index 00000000000..2787283d234
--- /dev/null
+++ b/queue-4.19/arm-riscpc-fix-dma.patch
@@ -0,0 +1,48 @@
+From 4bb7f148bbeb05375ecba05338a9eca687551fa5 Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Thu, 2 May 2019 17:19:18 +0100
+Subject: ARM: riscpc: fix DMA
+
+[ Upstream commit ffd9a1ba9fdb7f2bd1d1ad9b9243d34e96756ba2 ]
+
+DMA got broken a while back in two different ways:
+1) a change in the behaviour of disable_irq() to wait for the interrupt
+ to finish executing causes us to deadlock at the end of DMA.
+2) a change to avoid modifying the scatterlist left the first transfer
+ uninitialised.
+
+DMA is only used with expansion cards, so has gone unnoticed.
+
+Fixes: fa4e99899932 ("[ARM] dma: RiscPC: don't modify DMA SG entries")
+Signed-off-by: Russell King
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-rpc/dma.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-rpc/dma.c b/arch/arm/mach-rpc/dma.c
+index fb48f3141fb4d..c4c96661eb89a 100644
+--- a/arch/arm/mach-rpc/dma.c
++++ b/arch/arm/mach-rpc/dma.c
+@@ -131,7 +131,7 @@ static irqreturn_t iomd_dma_handle(int irq, void *dev_id)
+ } while (1);
+
+ idma->state = ~DMA_ST_AB;
+- disable_irq(irq);
++ disable_irq_nosync(irq);
+
+ return IRQ_HANDLED;
+ }
+@@ -174,6 +174,9 @@ static void iomd_enable_dma(unsigned int chan, dma_t *dma)
+ DMA_FROM_DEVICE : DMA_TO_DEVICE);
+ }
+
++ idma->dma_addr = idma->dma.sg->dma_address;
++ idma->dma_len = idma->dma.sg->length;
++
+ iomd_writeb(DMA_CR_C, dma_base + CR);
+ idma->state = DMA_ST_AB;
+ }
+--
+2.20.1
+
diff --git a/queue-4.19/arm64-dts-rockchip-fix-isp-iommu-clocks-and-power-do.patch b/queue-4.19/arm64-dts-rockchip-fix-isp-iommu-clocks-and-power-do.patch
new file mode 100644
index 00000000000..b16ccc79936
--- /dev/null
+++ b/queue-4.19/arm64-dts-rockchip-fix-isp-iommu-clocks-and-power-do.patch
@@ -0,0 +1,63 @@
+From 5e65d110f7c22f2fd484e8720ab7dff7979621aa Mon Sep 17 00:00:00 2001
+From: Helen Koike
+Date: Mon, 3 Jun 2019 11:22:15 -0300
+Subject: arm64: dts: rockchip: fix isp iommu clocks and power domain
+
+[ Upstream commit c432a29d3fc9ee928caeca2f5cf68b3aebfa6817 ]
+
+isp iommu requires wrapper variants of the clocks.
+noc variants are always on and using the wrapper variants will activate
+{A,H}CLK_ISP{0,1} due to the hierarchy.
+
+Tested using the pending isp patch set (which is not upstream
+yet). Without this patch, streaming from the isp stalls.
+
+Also add the respective power domain and remove the "disabled" status.
+
+Refer:
+ RK3399 TRM v1.4 Fig. 2-4 RK3399 Clock Architecture Diagram
+ RK3399 TRM v1.4 Fig. 8-1 RK3399 Power Domain Partition
+
+Signed-off-by: Helen Koike
+Tested-by: Manivannan Sadhasivam
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/rockchip/rk3399.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399.dtsi b/arch/arm64/boot/dts/rockchip/rk3399.dtsi
+index df7e62d9a6708..cea44a7c7cf99 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399.dtsi
+@@ -1643,11 +1643,11 @@
+ reg = <0x0 0xff914000 0x0 0x100>, <0x0 0xff915000 0x0 0x100>;
+ interrupts = ;
+ interrupt-names = "isp0_mmu";
+- clocks = <&cru ACLK_ISP0_NOC>, <&cru HCLK_ISP0_NOC>;
++ clocks = <&cru ACLK_ISP0_WRAPPER>, <&cru HCLK_ISP0_WRAPPER>;
+ clock-names = "aclk", "iface";
+ #iommu-cells = <0>;
++ power-domains = <&power RK3399_PD_ISP0>;
+ rockchip,disable-mmu-reset;
+- status = "disabled";
+ };
+
+ isp1_mmu: iommu@ff924000 {
+@@ -1655,11 +1655,11 @@
+ reg = <0x0 0xff924000 0x0 0x100>, <0x0 0xff925000 0x0 0x100>;
+ interrupts = ;
+ interrupt-names = "isp1_mmu";
+- clocks = <&cru ACLK_ISP1_NOC>, <&cru HCLK_ISP1_NOC>;
++ clocks = <&cru ACLK_ISP1_WRAPPER>, <&cru HCLK_ISP1_WRAPPER>;
+ clock-names = "aclk", "iface";
+ #iommu-cells = <0>;
++ power-domains = <&power RK3399_PD_ISP1>;
+ rockchip,disable-mmu-reset;
+- status = "disabled";
+ };
+
+ hdmi_sound: hdmi-sound {
+--
+2.20.1
+
diff --git a/queue-4.19/be2net-signal-that-the-device-cannot-transmit-during.patch b/queue-4.19/be2net-signal-that-the-device-cannot-transmit-during.patch
new file mode 100644
index 00000000000..000a3ded619
--- /dev/null
+++ b/queue-4.19/be2net-signal-that-the-device-cannot-transmit-during.patch
@@ -0,0 +1,44 @@
+From 299af7c6c966153e015a5a94e2dc703d1e03a083 Mon Sep 17 00:00:00 2001
+From: Benjamin Poirier
+Date: Tue, 16 Jul 2019 17:16:55 +0900
+Subject: be2net: Signal that the device cannot transmit during reconfiguration
+
+[ Upstream commit 7429c6c0d9cb086d8e79f0d2a48ae14851d2115e ]
+
+While changing the number of interrupt channels, be2net stops adapter
+operation (including netif_tx_disable()) but it doesn't signal that it
+cannot transmit. This may lead dev_watchdog() to falsely trigger during
+that time.
+
+Add the missing call to netif_carrier_off(), following the pattern used in
+many other drivers. netif_carrier_on() is already taken care of in
+be_open().
+
+Signed-off-by: Benjamin Poirier
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/emulex/benet/be_main.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
+index bff74752cef16..3fe6a28027fe1 100644
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -4700,8 +4700,12 @@ int be_update_queues(struct be_adapter *adapter)
+ struct net_device *netdev = adapter->netdev;
+ int status;
+
+- if (netif_running(netdev))
++ if (netif_running(netdev)) {
++ /* device cannot transmit now, avoid dev_watchdog timeouts */
++ netif_carrier_off(netdev);
++
+ be_close(netdev);
++ }
+
+ be_cancel_worker(adapter);
+
+--
+2.20.1
+
diff --git a/queue-4.19/btrfs-fix-minimum-number-of-chunk-errors-for-dup.patch b/queue-4.19/btrfs-fix-minimum-number-of-chunk-errors-for-dup.patch
new file mode 100644
index 00000000000..64cb387796e
--- /dev/null
+++ b/queue-4.19/btrfs-fix-minimum-number-of-chunk-errors-for-dup.patch
@@ -0,0 +1,48 @@
+From 1263d238060c49e05fc0345e58e720a9cc20f675 Mon Sep 17 00:00:00 2001
+From: David Sterba
+Date: Fri, 17 May 2019 11:43:13 +0200
+Subject: btrfs: fix minimum number of chunk errors for DUP
+
+[ Upstream commit 0ee5f8ae082e1f675a2fb6db601c31ac9958a134 ]
+
+The list of profiles in btrfs_chunk_max_errors lists DUP as a profile
+DUP able to tolerate 1 device missing. Though this profile is special
+with 2 copies, it still needs the device, unlike the others.
+
+Looking at the history of changes, thre's no clear reason why DUP is
+there, functions were refactored and blocks of code merged to one
+helper.
+
+d20983b40e828 Btrfs: fix writing data into the seed filesystem
+ - factor code to a helper
+
+de11cc12df173 Btrfs: don't pre-allocate btrfs bio
+ - unrelated change, DUP still in the list with max errors 1
+
+a236aed14ccb0 Btrfs: Deal with failed writes in mirrored configurations
+ - introduced the max errors, leaves DUP and RAID1 in the same group
+
+Reviewed-by: Qu Wenruo
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/volumes.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
+index 2fd000308be76..6e008bd5c8cd1 100644
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -5040,8 +5040,7 @@ static inline int btrfs_chunk_max_errors(struct map_lookup *map)
+
+ if (map->type & (BTRFS_BLOCK_GROUP_RAID1 |
+ BTRFS_BLOCK_GROUP_RAID10 |
+- BTRFS_BLOCK_GROUP_RAID5 |
+- BTRFS_BLOCK_GROUP_DUP)) {
++ BTRFS_BLOCK_GROUP_RAID5)) {
+ max_errors = 1;
+ } else if (map->type & BTRFS_BLOCK_GROUP_RAID6) {
+ max_errors = 2;
+--
+2.20.1
+
diff --git a/queue-4.19/btrfs-qgroup-don-t-hold-qgroup_ioctl_lock-in-btrfs_q.patch b/queue-4.19/btrfs-qgroup-don-t-hold-qgroup_ioctl_lock-in-btrfs_q.patch
new file mode 100644
index 00000000000..a3f5cdff6c2
--- /dev/null
+++ b/queue-4.19/btrfs-qgroup-don-t-hold-qgroup_ioctl_lock-in-btrfs_q.patch
@@ -0,0 +1,192 @@
+From c85c2de19e5362ea085106327adb7bd66fd00181 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo
+Date: Thu, 13 Jun 2019 17:31:24 +0800
+Subject: btrfs: qgroup: Don't hold qgroup_ioctl_lock in btrfs_qgroup_inherit()
+
+[ Upstream commit e88439debd0a7f969b3ddba6f147152cd0732676 ]
+
+[BUG]
+Lockdep will report the following circular locking dependency:
+
+ WARNING: possible circular locking dependency detected
+ 5.2.0-rc2-custom #24 Tainted: G O
+ ------------------------------------------------------
+ btrfs/8631 is trying to acquire lock:
+ 000000002536438c (&fs_info->qgroup_ioctl_lock#2){+.+.}, at: btrfs_qgroup_inherit+0x40/0x620 [btrfs]
+
+ but task is already holding lock:
+ 000000003d52cc23 (&fs_info->tree_log_mutex){+.+.}, at: create_pending_snapshot+0x8b6/0xe60 [btrfs]
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #2 (&fs_info->tree_log_mutex){+.+.}:
+ __mutex_lock+0x76/0x940
+ mutex_lock_nested+0x1b/0x20
+ btrfs_commit_transaction+0x475/0xa00 [btrfs]
+ btrfs_commit_super+0x71/0x80 [btrfs]
+ close_ctree+0x2bd/0x320 [btrfs]
+ btrfs_put_super+0x15/0x20 [btrfs]
+ generic_shutdown_super+0x72/0x110
+ kill_anon_super+0x18/0x30
+ btrfs_kill_super+0x16/0xa0 [btrfs]
+ deactivate_locked_super+0x3a/0x80
+ deactivate_super+0x51/0x60
+ cleanup_mnt+0x3f/0x80
+ __cleanup_mnt+0x12/0x20
+ task_work_run+0x94/0xb0
+ exit_to_usermode_loop+0xd8/0xe0
+ do_syscall_64+0x210/0x240
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+ -> #1 (&fs_info->reloc_mutex){+.+.}:
+ __mutex_lock+0x76/0x940
+ mutex_lock_nested+0x1b/0x20
+ btrfs_commit_transaction+0x40d/0xa00 [btrfs]
+ btrfs_quota_enable+0x2da/0x730 [btrfs]
+ btrfs_ioctl+0x2691/0x2b40 [btrfs]
+ do_vfs_ioctl+0xa9/0x6d0
+ ksys_ioctl+0x67/0x90
+ __x64_sys_ioctl+0x1a/0x20
+ do_syscall_64+0x65/0x240
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+ -> #0 (&fs_info->qgroup_ioctl_lock#2){+.+.}:
+ lock_acquire+0xa7/0x190
+ __mutex_lock+0x76/0x940
+ mutex_lock_nested+0x1b/0x20
+ btrfs_qgroup_inherit+0x40/0x620 [btrfs]
+ create_pending_snapshot+0x9d7/0xe60 [btrfs]
+ create_pending_snapshots+0x94/0xb0 [btrfs]
+ btrfs_commit_transaction+0x415/0xa00 [btrfs]
+ btrfs_mksubvol+0x496/0x4e0 [btrfs]
+ btrfs_ioctl_snap_create_transid+0x174/0x180 [btrfs]
+ btrfs_ioctl_snap_create_v2+0x11c/0x180 [btrfs]
+ btrfs_ioctl+0xa90/0x2b40 [btrfs]
+ do_vfs_ioctl+0xa9/0x6d0
+ ksys_ioctl+0x67/0x90
+ __x64_sys_ioctl+0x1a/0x20
+ do_syscall_64+0x65/0x240
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+ other info that might help us debug this:
+
+ Chain exists of:
+ &fs_info->qgroup_ioctl_lock#2 --> &fs_info->reloc_mutex --> &fs_info->tree_log_mutex
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&fs_info->tree_log_mutex);
+ lock(&fs_info->reloc_mutex);
+ lock(&fs_info->tree_log_mutex);
+ lock(&fs_info->qgroup_ioctl_lock#2);
+
+ *** DEADLOCK ***
+
+ 6 locks held by btrfs/8631:
+ #0: 00000000ed8f23f6 (sb_writers#12){.+.+}, at: mnt_want_write_file+0x28/0x60
+ #1: 000000009fb1597a (&type->i_mutex_dir_key#10/1){+.+.}, at: btrfs_mksubvol+0x70/0x4e0 [btrfs]
+ #2: 0000000088c5ad88 (&fs_info->subvol_sem){++++}, at: btrfs_mksubvol+0x128/0x4e0 [btrfs]
+ #3: 000000009606fc3e (sb_internal#2){.+.+}, at: start_transaction+0x37a/0x520 [btrfs]
+ #4: 00000000f82bbdf5 (&fs_info->reloc_mutex){+.+.}, at: btrfs_commit_transaction+0x40d/0xa00 [btrfs]
+ #5: 000000003d52cc23 (&fs_info->tree_log_mutex){+.+.}, at: create_pending_snapshot+0x8b6/0xe60 [btrfs]
+
+[CAUSE]
+Due to the delayed subvolume creation, we need to call
+btrfs_qgroup_inherit() inside commit transaction code, with a lot of
+other mutex hold.
+This hell of lock chain can lead to above problem.
+
+[FIX]
+On the other hand, we don't really need to hold qgroup_ioctl_lock if
+we're in the context of create_pending_snapshot().
+As in that context, we're the only one being able to modify qgroup.
+
+All other qgroup functions which needs qgroup_ioctl_lock are either
+holding a transaction handle, or will start a new transaction:
+ Functions will start a new transaction():
+ * btrfs_quota_enable()
+ * btrfs_quota_disable()
+ Functions hold a transaction handler:
+ * btrfs_add_qgroup_relation()
+ * btrfs_del_qgroup_relation()
+ * btrfs_create_qgroup()
+ * btrfs_remove_qgroup()
+ * btrfs_limit_qgroup()
+ * btrfs_qgroup_inherit() call inside create_subvol()
+
+So we have a higher level protection provided by transaction, thus we
+don't need to always hold qgroup_ioctl_lock in btrfs_qgroup_inherit().
+
+Only the btrfs_qgroup_inherit() call in create_subvol() needs to hold
+qgroup_ioctl_lock, while the btrfs_qgroup_inherit() call in
+create_pending_snapshot() is already protected by transaction.
+
+So the fix is to detect the context by checking
+trans->transaction->state.
+If we're at TRANS_STATE_COMMIT_DOING, then we're in commit transaction
+context and no need to get the mutex.
+
+Reported-by: Nikolay Borisov
+Signed-off-by: Qu Wenruo
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/qgroup.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index e46e83e876001..734866ab51941 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -2249,6 +2249,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid,
+ int ret = 0;
+ int i;
+ u64 *i_qgroups;
++ bool committing = false;
+ struct btrfs_fs_info *fs_info = trans->fs_info;
+ struct btrfs_root *quota_root;
+ struct btrfs_qgroup *srcgroup;
+@@ -2256,7 +2257,25 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid,
+ u32 level_size = 0;
+ u64 nums;
+
+- mutex_lock(&fs_info->qgroup_ioctl_lock);
++ /*
++ * There are only two callers of this function.
++ *
++ * One in create_subvol() in the ioctl context, which needs to hold
++ * the qgroup_ioctl_lock.
++ *
++ * The other one in create_pending_snapshot() where no other qgroup
++ * code can modify the fs as they all need to either start a new trans
++ * or hold a trans handler, thus we don't need to hold
++ * qgroup_ioctl_lock.
++ * This would avoid long and complex lock chain and make lockdep happy.
++ */
++ spin_lock(&fs_info->trans_lock);
++ if (trans->transaction->state == TRANS_STATE_COMMIT_DOING)
++ committing = true;
++ spin_unlock(&fs_info->trans_lock);
++
++ if (!committing)
++ mutex_lock(&fs_info->qgroup_ioctl_lock);
+ if (!test_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags))
+ goto out;
+
+@@ -2420,7 +2439,8 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid,
+ unlock:
+ spin_unlock(&fs_info->qgroup_lock);
+ out:
+- mutex_unlock(&fs_info->qgroup_ioctl_lock);
++ if (!committing)
++ mutex_unlock(&fs_info->qgroup_ioctl_lock);
+ return ret;
+ }
+
+--
+2.20.1
+
diff --git a/queue-4.19/ceph-fix-improper-use-of-smp_mb__before_atomic.patch b/queue-4.19/ceph-fix-improper-use-of-smp_mb__before_atomic.patch
new file mode 100644
index 00000000000..53804ff8e07
--- /dev/null
+++ b/queue-4.19/ceph-fix-improper-use-of-smp_mb__before_atomic.patch
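Review bot: Skipping qgroup_ioctl_lock in btrfs_qgroup_inherit() rests on an invariant that the new code infers rather than checks: that a handle whose transaction is in TRANS_STATE_COMMIT_DOING can only come from the create_pending_snapshot() caller. The state is sampled under trans_lock and `committing` then silently selects the unlocked path, so a future third caller reaching this function in that state would modify qgroups with no mutual exclusion and no warning. The added comment should name that condition as a requirement on callers, for example `* Any new caller must hold qgroup_ioctl_lock itself or run in the commit path described above.`; passing the context explicitly from the caller would be sturdier than inferring it. The function body between the second and third hunk is not shown, so what the unlocked path touches is taken from the description.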
@@ -0,0 +1,44 @@
+From 891a27a000f3544b4187015a79bb43be9592129d Mon Sep 17 00:00:00 2001
+From: Andrea Parri
+Date: Mon, 20 May 2019 19:23:58 +0200
+Subject: ceph: fix improper use of smp_mb__before_atomic()
+
+[ Upstream commit 749607731e26dfb2558118038c40e9c0c80d23b5 ]
+
+This barrier only applies to the read-modify-write operations; in
+particular, it does not apply to the atomic64_set() primitive.
+
+Replace the barrier with an smp_mb().
+
+Fixes: fdd4e15838e59 ("ceph: rework dcache readdir")
+Reported-by: "Paul E. McKenney"
+Reported-by: Peter Zijlstra
+Signed-off-by: Andrea Parri
+Reviewed-by: "Yan, Zheng"
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Sasha Levin
+---
+ fs/ceph/super.h | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ceph/super.h b/fs/ceph/super.h
+index 582e28fd1b7bf..d8579a56e5dc2 100644
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -526,7 +526,12 @@ static inline void __ceph_dir_set_complete(struct ceph_inode_info *ci,
+ long long release_count,
+ long long ordered_count)
+ {
+- smp_mb__before_atomic();
++ /*
++ * Makes sure operations that setup readdir cache (update page
++ * cache and i_size) are strongly ordered w.r.t. the following
++ * atomic64_set() operations.
++ */
++ smp_mb();
+ atomic64_set(&ci->i_complete_seq[0], release_count);
+ atomic64_set(&ci->i_complete_seq[1], ordered_count);
+ }
+--
+2.20.1
+
diff --git a/queue-4.19/ceph-return-erange-if-virtual-xattr-value-didn-t-fit.patch b/queue-4.19/ceph-return-erange-if-virtual-xattr-value-didn-t-fit.patch
new file mode 100644
index 00000000000..091d75eeacd
--- /dev/null
+++ b/queue-4.19/ceph-return-erange-if-virtual-xattr-value-didn-t-fit.patch
@@ -0,0 +1,69 @@
+From 388ea7b4569edcb246cbd311909c21773e79c96d Mon Sep 17 00:00:00 2001
+From: Jeff Layton
+Date: Thu, 13 Jun 2019 15:17:00 -0400
+Subject: ceph: return -ERANGE if virtual xattr value didn't fit in buffer
+
+[ Upstream commit 3b421018f48c482bdc9650f894aa1747cf90e51d ]
+
+The getxattr manpage states that we should return ERANGE if the
+destination buffer size is too small to hold the value.
+ceph_vxattrcb_layout does this internally, but we should be doing
+this for all vxattrs.
+
+Fix the only caller of getxattr_cb to check the returned size
+against the buffer length and return -ERANGE if it doesn't fit.
+Drop the same check in ceph_vxattrcb_layout and just rely on the
+caller to handle it.
+
+Signed-off-by: Jeff Layton
+Reviewed-by: "Yan, Zheng"
+Acked-by: Ilya Dryomov
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Sasha Levin
+---
+ fs/ceph/xattr.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
+index 5cc8b94f82069..0a2d4898ee163 100644
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -79,7 +79,7 @@ static size_t ceph_vxattrcb_layout(struct ceph_inode_info *ci, char *val,
+ const char *ns_field = " pool_namespace=";
+ char buf[128];
+ size_t len, total_len = 0;
+- int ret;
++ ssize_t ret;
+
+ pool_ns = ceph_try_get_string(ci->i_layout.pool_ns);
+
+@@ -103,11 +103,8 @@ static size_t ceph_vxattrcb_layout(struct ceph_inode_info *ci, char *val,
+ if (pool_ns)
+ total_len += strlen(ns_field) + pool_ns->len;
+
+- if (!size) {
+- ret = total_len;
+- } else if (total_len > size) {
+- ret = -ERANGE;
+- } else {
++ ret = total_len;
++ if (size >= total_len) {
+ memcpy(val, buf, len);
+ ret = len;
+ if (pool_name) {
+@@ -817,8 +814,11 @@ ssize_t __ceph_getxattr(struct inode *inode, const char *name, void *value,
+ if (err)
+ return err;
+ err = -ENODATA;
+- if (!(vxattr->exists_cb && !vxattr->exists_cb(ci)))
++ if (!(vxattr->exists_cb && !vxattr->exists_cb(ci))) {
+ err = vxattr->getxattr_cb(ci, value, size);
++ if (size && size < err)
++ err = -ERANGE;
++ }
+ return err;
+ }
+
+--
+2.20.1
+
diff --git a/queue-4.19/cifs-fix-a-race-condition-with-cifs_echo_request.patch b/queue-4.19/cifs-fix-a-race-condition-with-cifs_echo_request.patch
new file mode 100644
index 00000000000..275475cc735
--- /dev/null
+++ b/queue-4.19/cifs-fix-a-race-condition-with-cifs_echo_request.patch
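Review bot: The new check `if (size && size < err)` in __ceph_getxattr() compares the unsigned `size` with `err`, which is assigned `-ENODATA` two lines above and is therefore presumably a signed type (its declaration is outside the hunk). If a getxattr_cb ever returns a negative value, the conversion makes it compare as a huge length and the real error is replaced by -ERANGE; `if (err >= 0 && size && (size_t)err > size)` keeps errors intact. The check also runs only after the callback has been handed `value` and `size`, so it reports a too-small buffer rather than preventing a write past it: every callback must still bound its own copy, as ceph_vxattrcb_layout does with `if (size >= total_len)`. The other callbacks are not visible here, so that they all do so is an assumption worth confirming before relying on the caller-side check.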
@@ -0,0 +1,63 @@ +From e80662f36efdcfe2df799ccdb6ef09a2460b2795 Mon Sep 17 00:00:00 2001 +From: Ronnie Sahlberg +Date: Sat, 6 Jul 2019 06:52:46 +1000 +Subject: cifs: Fix a race condition with cifs_echo_request + +[ Upstream commit f2caf901c1b7ce65f9e6aef4217e3241039db768 ] + +There is a race condition with how we send (or supress and don't send) +smb echos that will cause the client to incorrectly think the +server is unresponsive and thus needs to be reconnected. + +Summary of the race condition: + 1) Daisy chaining scheduling creates a gap. + 2) If traffic comes unfortunate shortly after + the last echo, the planned echo is suppressed. + 3) Due to the gap, the next echo transmission is delayed + until after the timeout, which is set hard to twice + the echo interval. + +This is fixed by changing the timeouts from 2 to three times the echo interval. + +Detailed description of the bug: https://lutz.donnerhacke.de/eng/Blog/Groundhog-Day-with-SMB-remount + +Signed-off-by: Ronnie Sahlberg +Reviewed-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/connect.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index f31339db45fdb..c53a2e86ed544 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -563,10 +563,10 @@ static bool + server_unresponsive(struct TCP_Server_Info *server) + { + /* +- * We need to wait 2 echo intervals to make sure we handle such ++ * We need to wait 3 echo intervals to make sure we handle such + * situations right: + * 1s client sends a normal SMB request +- * 2s client gets a response ++ * 3s client gets a response + * 30s echo workqueue job pops, and decides we got a response recently + * and don't need to send another + * ... 
+@@ -575,9 +575,9 @@ server_unresponsive(struct TCP_Server_Info *server) + */ + if ((server->tcpStatus == CifsGood || + server->tcpStatus == CifsNeedNegotiate) && +- time_after(jiffies, server->lstrp + 2 * server->echo_interval)) { ++ time_after(jiffies, server->lstrp + 3 * server->echo_interval)) { + cifs_dbg(VFS, "Server %s has not responded in %lu seconds. Reconnecting...\n", +- server->hostname, (2 * server->echo_interval) / HZ); ++ server->hostname, (3 * server->echo_interval) / HZ); + cifs_reconnect(server); + wake_up(&server->response_q); + return true; +-- +2.20.1 + diff --git a/queue-4.19/clk-sprd-add-check-for-return-value-of-sprd_clk_regm.patch b/queue-4.19/clk-sprd-add-check-for-return-value-of-sprd_clk_regm.patch new file mode 100644 index 00000000000..342ee36fa31 --- /dev/null +++ b/queue-4.19/clk-sprd-add-check-for-return-value-of-sprd_clk_regm.patch 
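Review bot: The comment edit in server_unresponsive() changes the timeline example from `2s client gets a response` to `3s client gets a response`, which reads like a side effect of replacing every 2 with 3 rather than an intended change. That line describes when the reply arrives, not the timeout multiplier, so I would keep it as `* 2s client gets a response`. The multiplier itself now appears as a bare `3` in the time_after() test and again in the cifs_dbg() message, so a named constant shared by both would keep the check and the logged value from drifting apart. The comment block and the function body continue outside the hunks.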
@@ -0,0 +1,45 @@
+From daff339fac6b0eb661dd9f7791a2c318b0d6c5dd Mon Sep 17 00:00:00 2001
+From: Chunyan Zhang
+Date: Wed, 22 May 2019 09:15:03 +0800
+Subject: clk: sprd: Add check for return value of sprd_clk_regmap_init()
+
+[ Upstream commit c974c48deeb969c5e4250e4f06af91edd84b1f10 ]
+
+sprd_clk_regmap_init() doesn't always return success, adding check
+for its return value should make the code more strong.
+
+Signed-off-by: Chunyan Zhang
+Reviewed-by: Baolin Wang
+[sboyd@kernel.org: Add a missing int ret]
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/sprd/sc9860-clk.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/sprd/sc9860-clk.c b/drivers/clk/sprd/sc9860-clk.c
+index 9980ab55271ba..f76305b4bc8df 100644
+--- a/drivers/clk/sprd/sc9860-clk.c
++++ b/drivers/clk/sprd/sc9860-clk.c
+@@ -2023,6 +2023,7 @@ static int sc9860_clk_probe(struct platform_device *pdev)
+ {
+ const struct of_device_id *match;
+ const struct sprd_clk_desc *desc;
++ int ret;
+
+ match = of_match_node(sprd_sc9860_clk_ids, pdev->dev.of_node);
+ if (!match) {
+@@ -2031,7 +2032,9 @@ static int sc9860_clk_probe(struct platform_device *pdev)
+ }
+
+ desc = match->data;
+- sprd_clk_regmap_init(pdev, desc);
++ ret = sprd_clk_regmap_init(pdev, desc);
++ if (ret)
++ return ret;
+
+ return sprd_clk_probe(&pdev->dev, desc->hw_clks);
+ }
+--
+2.20.1
+
diff --git a/queue-4.19/clk-tegra210-fix-pllu-and-pllu_out1.patch b/queue-4.19/clk-tegra210-fix-pllu-and-pllu_out1.patch
new file mode 100644
index 00000000000..72eb0d6b49f
--- /dev/null
+++ b/queue-4.19/clk-tegra210-fix-pllu-and-pllu_out1.patch
@@ -0,0 +1,75 @@ +From 675bc9c809fd09a1fb2e58b5cf0e9596e7cba209 Mon Sep 17 00:00:00 2001 +From: JC Kuo +Date: Wed, 12 Jun 2019 11:14:34 +0800 +Subject: clk: tegra210: fix PLLU and PLLU_OUT1 + +[ Upstream commit 0d34dfbf3023cf119b83f6470692c0b10c832495 ] + +Full-speed and low-speed USB devices do not work with Tegra210 +platforms because of incorrect PLLU/PLLU_OUT1 clock settings. + +When full-speed device is connected: +[ 14.059886] usb 1-3: new full-speed USB device number 2 using tegra-xusb +[ 14.196295] usb 1-3: device descriptor read/64, error -71 +[ 14.436311] usb 1-3: device descriptor read/64, error -71 +[ 14.675749] usb 1-3: new full-speed USB device number 3 using tegra-xusb +[ 14.812335] usb 1-3: device descriptor read/64, error -71 +[ 15.052316] usb 1-3: device descriptor read/64, error -71 +[ 15.164799] usb usb1-port3: attempt power cycle + +When low-speed device is connected: +[ 37.610949] usb usb1-port3: Cannot enable. Maybe the USB cable is bad? +[ 38.557376] usb usb1-port3: Cannot enable. Maybe the USB cable is bad? +[ 38.564977] usb usb1-port3: attempt power cycle + +This commit fixes the issue by: + 1. initializing PLLU_OUT1 before initializing XUSB_FS_SRC clock + because PLLU_OUT1 is parent of XUSB_FS_SRC. + 2. changing PLLU post-divider to /2 (DIVP=1) according to Technical + Reference Manual. 
+ +Fixes: e745f992cf4b ("clk: tegra: Rework pll_u") +Signed-off-by: JC Kuo +Acked-By: Peter De Schrijver +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/tegra/clk-tegra210.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/clk/tegra/clk-tegra210.c b/drivers/clk/tegra/clk-tegra210.c +index 9eb1cb14fce11..4e1bc23c98655 100644 +--- a/drivers/clk/tegra/clk-tegra210.c ++++ b/drivers/clk/tegra/clk-tegra210.c +@@ -2214,9 +2214,9 @@ static struct div_nmp pllu_nmp = { + }; + + static struct tegra_clk_pll_freq_table pll_u_freq_table[] = { +- { 12000000, 480000000, 40, 1, 0, 0 }, +- { 13000000, 480000000, 36, 1, 0, 0 }, /* actual: 468.0 MHz */ +- { 38400000, 480000000, 25, 2, 0, 0 }, ++ { 12000000, 480000000, 40, 1, 1, 0 }, ++ { 13000000, 480000000, 36, 1, 1, 0 }, /* actual: 468.0 MHz */ ++ { 38400000, 480000000, 25, 2, 1, 0 }, + { 0, 0, 0, 0, 0, 0 }, + }; + +@@ -3343,6 +3343,7 @@ static struct tegra_clk_init_table init_table[] __initdata = { + { TEGRA210_CLK_DFLL_REF, TEGRA210_CLK_PLL_P, 51000000, 1 }, + { TEGRA210_CLK_SBC4, TEGRA210_CLK_PLL_P, 12000000, 1 }, + { TEGRA210_CLK_PLL_RE_VCO, TEGRA210_CLK_CLK_MAX, 672000000, 1 }, ++ { TEGRA210_CLK_PLL_U_OUT1, TEGRA210_CLK_CLK_MAX, 48000000, 1 }, + { TEGRA210_CLK_XUSB_GATE, TEGRA210_CLK_CLK_MAX, 0, 1 }, + { TEGRA210_CLK_XUSB_SS_SRC, TEGRA210_CLK_PLL_U_480M, 120000000, 0 }, + { TEGRA210_CLK_XUSB_FS_SRC, TEGRA210_CLK_PLL_U_48M, 48000000, 0 }, +@@ -3367,7 +3368,6 @@ static struct tegra_clk_init_table init_table[] __initdata = { + { TEGRA210_CLK_PLL_DP, TEGRA210_CLK_CLK_MAX, 270000000, 0 }, + { TEGRA210_CLK_SOC_THERM, TEGRA210_CLK_PLL_P, 51000000, 0 }, + { TEGRA210_CLK_CCLK_G, TEGRA210_CLK_CLK_MAX, 0, 1 }, +- { TEGRA210_CLK_PLL_U_OUT1, TEGRA210_CLK_CLK_MAX, 48000000, 1 }, + { TEGRA210_CLK_PLL_U_OUT2, TEGRA210_CLK_CLK_MAX, 60000000, 1 }, + /* This MUST be the last entry. */ + { TEGRA210_CLK_CLK_MAX, TEGRA210_CLK_CLK_MAX, 0, 0 }, +-- +2.20.1 + 
diff --git a/queue-4.19/coda-add-error-handling-for-fget.patch b/queue-4.19/coda-add-error-handling-for-fget.patch
new file mode 100644
index 00000000000..6bc1d12c139
--- /dev/null
+++ b/queue-4.19/coda-add-error-handling-for-fget.patch
@@ -0,0 +1,50 @@
+From 6d94da3ac9670bd56c02ac4774fdd30cf5ae477a Mon Sep 17 00:00:00 2001
+From: Zhouyang Jia
+Date: Tue, 16 Jul 2019 16:28:13 -0700
+Subject: coda: add error handling for fget
+
+[ Upstream commit 02551c23bcd85f0c68a8259c7b953d49d44f86af ]
+
+When fget fails, the lack of error-handling code may cause unexpected
+results.
+
+This patch adds error-handling code after calling fget.
+
+Link: http://lkml.kernel.org/r/2514ec03df9c33b86e56748513267a80dd8004d9.1558117389.git.jaharkes@cs.cmu.edu
+Signed-off-by: Zhouyang Jia
+Signed-off-by: Jan Harkes
+Cc: Arnd Bergmann
+Cc: Colin Ian King
+Cc: Dan Carpenter
+Cc: David Howells
+Cc: Fabian Frederick
+Cc: Mikko Rapeli
+Cc: Sam Protsenko
+Cc: Yann Droneaud
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ fs/coda/psdev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/coda/psdev.c b/fs/coda/psdev.c
+index c5234c21b5394..55824cba32453 100644
+--- a/fs/coda/psdev.c
++++ b/fs/coda/psdev.c
+@@ -187,8 +187,11 @@ static ssize_t coda_psdev_write(struct file *file, const char __user *buf,
+ if (req->uc_opcode == CODA_OPEN_BY_FD) {
+ struct coda_open_by_fd_out *outp =
+ (struct coda_open_by_fd_out *)req->uc_data;
+- if (!outp->oh.result)
++ if (!outp->oh.result) {
+ outp->fh = fget(outp->fd);
++ if (!outp->fh)
++ return -EBADF;
++ }
+ }
+
+ wake_up(&req->uc_sleep);
+--
+2.20.1
+
diff --git a/queue-4.19/coda-fix-build-using-bare-metal-toolchain.patch b/queue-4.19/coda-fix-build-using-bare-metal-toolchain.patch
new file mode 100644
index 00000000000..1ab6331b010
--- /dev/null
+++ b/queue-4.19/coda-fix-build-using-bare-metal-toolchain.patch
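Review bot: The new `return -EBADF;` in coda_psdev_write() leaves the function before the `wake_up(&req->uc_sleep);` that follows the CODA_OPEN_BY_FD block, so when fget() fails this path does not wake the task sleeping on the request. The reply is written through a `__user` buffer, so a descriptor that does not resolve is input the kernel has to expect. I would drop the early return, record the failure in the reply (for example in `outp->oh.result`; the encoding the waiter expects is not visible here) and fall through to the wake-up. That way the waiter sees an error instead of depending on a timeout or signal. The function body starts and ends outside the hunk.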
@@ -0,0 +1,48 @@ +From 62c8a0f0ada062ee5ec7d97012e0e5774a9766f1 Mon Sep 17 00:00:00 2001 +From: Sam Protsenko +Date: Tue, 16 Jul 2019 16:28:20 -0700 +Subject: coda: fix build using bare-metal toolchain + +[ Upstream commit b2a57e334086602be56b74958d9f29b955cd157f ] + +The kernel is self-contained project and can be built with bare-metal +toolchain. But bare-metal toolchain doesn't define __linux__. Because +of this u_quad_t type is not defined when using bare-metal toolchain and +codafs build fails. This patch fixes it by defining u_quad_t type +unconditionally. + +Link: http://lkml.kernel.org/r/3cbb40b0a57b6f9923a9d67b53473c0b691a3eaa.1558117389.git.jaharkes@cs.cmu.edu +Signed-off-by: Sam Protsenko +Signed-off-by: Jan Harkes +Cc: Arnd Bergmann +Cc: Colin Ian King +Cc: Dan Carpenter +Cc: David Howells +Cc: Fabian Frederick +Cc: Mikko Rapeli +Cc: Yann Droneaud +Cc: Zhouyang Jia +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/coda.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/include/linux/coda.h b/include/linux/coda.h +index d30209b9cef81..0ca0c83fdb1c4 100644 +--- a/include/linux/coda.h ++++ b/include/linux/coda.h +@@ -58,8 +58,7 @@ Mellon the rights to redistribute these changes without encumbrance. + #ifndef _CODA_HEADER_ + #define _CODA_HEADER_ + +-#if defined(__linux__) + typedef unsigned long long u_quad_t; +-#endif ++ + #include + #endif +-- +2.20.1 + diff --git a/queue-4.19/dmaengine-rcar-dmac-reject-zero-length-slave-dma-req.patch b/queue-4.19/dmaengine-rcar-dmac-reject-zero-length-slave-dma-req.patch new file mode 100644 index 00000000000..694edba2212 --- /dev/null +++ b/queue-4.19/dmaengine-rcar-dmac-reject-zero-length-slave-dma-req.patch 
@@ -0,0 +1,46 @@
+From 0cb1e691103cd66480598dd153948f31253c287b Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Mon, 24 Jun 2019 14:38:18 +0200
+Subject: dmaengine: rcar-dmac: Reject zero-length slave DMA requests
+
+[ Upstream commit 78efb76ab4dfb8f74f290ae743f34162cd627f19 ]
+
+While the .device_prep_slave_sg() callback rejects empty scatterlists,
+it still accepts single-entry scatterlists with a zero-length segment.
+These may happen if a driver calls dmaengine_prep_slave_single() with a
+zero len parameter. The corresponding DMA request will never complete,
+leading to messages like:
+
+ rcar-dmac e7300000.dma-controller: Channel Address Error happen
+
+and DMA timeouts.
+
+Although requesting a zero-length DMA request is a driver bug, rejecting
+it early eases debugging. Note that the .device_prep_dma_memcpy()
+callback already rejects requests to copy zero bytes.
+
+Reported-by: Eugeniu Rosca
+Analyzed-by: Yoshihiro Shimoda
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/sh/rcar-dmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c
+index 0b05a1e08d213..041ce864097e4 100644
+--- a/drivers/dma/sh/rcar-dmac.c
++++ b/drivers/dma/sh/rcar-dmac.c
+@@ -1164,7 +1164,7 @@ rcar_dmac_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl,
+ struct rcar_dmac_chan *rchan = to_rcar_dmac_chan(chan);
+
+ /* Someone calling slave DMA on a generic channel? */
+- if (rchan->mid_rid < 0 || !sg_len) {
++ if (rchan->mid_rid < 0 || !sg_len || !sg_dma_len(sgl)) {
+ dev_warn(chan->device->dev,
+ "%s: bad parameter: len=%d, id=%d\n",
+ __func__, sg_len, rchan->mid_rid);
+--
+2.20.1
+
diff --git a/queue-4.19/dmaengine-tegra-apb-error-out-if-dma_prep_interrupt-.patch b/queue-4.19/dmaengine-tegra-apb-error-out-if-dma_prep_interrupt-.patch
new file mode 100644
index 00000000000..bc3beb355e0
--- /dev/null
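Review bot: The added `!sg_dma_len(sgl)` test in rcar_dmac_prep_slave_sg() looks only at the first scatterlist entry, so a list with sg_len > 1 that carries a zero-length segment further in still passes this guard. If every zero-length segment should be rejected, the check needs a loop over the list; otherwise a comment should say that only the single-entry case is intended. The dev_warn() below still prints `len=%d` from sg_len, which is non-zero in the new failure case, so the message gives no hint about what was rejected. Adding the segment length, for example `"%s: bad parameter: len=%d, seg0=%u, id=%d\n"` with `sg_dma_len(sgl)`, would make it actionable. The function body continues outside the hunk.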
+++ b/queue-4.19/dmaengine-tegra-apb-error-out-if-dma_prep_interrupt-.patch
@@ -0,0 +1,58 @@
+From 995207fd40ef971de56bebc8ce7fb1c215e38287 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko
+Date: Thu, 30 May 2019 00:43:55 +0300
+Subject: dmaengine: tegra-apb: Error out if DMA_PREP_INTERRUPT flag is unset
+
+[ Upstream commit dc161064beb83c668e0f85766b92b1e7ed186e58 ]
+
+Apparently driver was never tested with DMA_PREP_INTERRUPT flag being
+unset since it completely disables interrupt handling instead of skipping
+the callbacks invocations, hence putting channel into unusable state.
+
+The flag is always set by all of kernel drivers that use APB DMA, so let's
+error out in otherwise case for consistency. It won't be difficult to
+support that case properly if ever will be needed.
+
+Signed-off-by: Dmitry Osipenko
+Acked-by: Jon Hunter
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/tegra20-apb-dma.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/tegra20-apb-dma.c b/drivers/dma/tegra20-apb-dma.c
+index 8219ab88a507c..fb23993430d31 100644
+--- a/drivers/dma/tegra20-apb-dma.c
++++ b/drivers/dma/tegra20-apb-dma.c
+@@ -981,8 +981,12 @@ static struct dma_async_tx_descriptor *tegra_dma_prep_slave_sg(
+ csr |= tdc->slave_id << TEGRA_APBDMA_CSR_REQ_SEL_SHIFT;
+ }
+
+- if (flags & DMA_PREP_INTERRUPT)
++ if (flags & DMA_PREP_INTERRUPT) {
+ csr |= TEGRA_APBDMA_CSR_IE_EOC;
++ } else {
++ WARN_ON_ONCE(1);
++ return NULL;
++ }
+
+ apb_seq |= TEGRA_APBDMA_APBSEQ_WRAP_WORD_1;
+
+@@ -1124,8 +1128,12 @@ static struct dma_async_tx_descriptor *tegra_dma_prep_dma_cyclic(
+ csr |= tdc->slave_id << TEGRA_APBDMA_CSR_REQ_SEL_SHIFT;
+ }
+
+- if (flags & DMA_PREP_INTERRUPT)
++ if (flags & DMA_PREP_INTERRUPT) {
+ csr |= TEGRA_APBDMA_CSR_IE_EOC;
++ } else {
++ WARN_ON_ONCE(1);
++ return NULL;
++ }
+
+ apb_seq |= TEGRA_APBDMA_APBSEQ_WRAP_WORD_1;
+
+--
+2.20.1
+
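Review bot: Both hunks add the same else branch with `WARN_ON_ONCE(1)`, in tegra_dma_prep_slave_sg() and tegra_dma_prep_dma_cyclic(); the condition can be folded into the warning so the rejected case reads as a guard: `if (WARN_ON_ONCE(!(flags & DMA_PREP_INTERRUPT))) return NULL;` followed by an unconditional `csr |= TEGRA_APBDMA_CSR_IE_EOC;`. A one-line comment saying why the flag is mandatory (per the commit message, the driver disables interrupt handling without it) would keep a later reader from removing the check. WARN_ON_ONCE also reports only the first offending caller, so later ones get a bare NULL with no log line; a dev_err() would name the channel each time. Both functions continue outside the hunks.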
diff --git a/queue-4.19/drivers-rapidio-devices-rio_mport_cdev.c-nul-termina.patch b/queue-4.19/drivers-rapidio-devices-rio_mport_cdev.c-nul-termina.patch
new file mode 100644
index 00000000000..a97ed13a8d2
--- /dev/null
+++ b/queue-4.19/drivers-rapidio-devices-rio_mport_cdev.c-nul-termina.patch
@@ -0,0 +1,47 @@ +From 3d8d4ee1a46fdfedc4b68dfa8a5899761139f88e Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 16 Jul 2019 16:30:03 -0700 +Subject: drivers/rapidio/devices/rio_mport_cdev.c: NUL terminate some strings + +[ Upstream commit 156e0b1a8112b76e351684ac948c59757037ac36 ] + +The dev_info.name[] array has space for RIO_MAX_DEVNAME_SZ + 1 +characters. But the problem here is that we don't ensure that the user +put a NUL terminator on the end of the string. It could lead to an out +of bounds read. + +Link: http://lkml.kernel.org/r/20190529110601.GB19119@mwanda +Fixes: e8de370188d0 ("rapidio: add mport char device driver") +Signed-off-by: Dan Carpenter +Acked-by: Alexandre Bounine +Cc: Ira Weiny +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/rapidio/devices/rio_mport_cdev.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c +index cbe467ff1aba9..fa0bbda4b3f2e 100644 +--- a/drivers/rapidio/devices/rio_mport_cdev.c ++++ b/drivers/rapidio/devices/rio_mport_cdev.c +@@ -1688,6 +1688,7 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv, + + if (copy_from_user(&dev_info, arg, sizeof(dev_info))) + return -EFAULT; ++ dev_info.name[sizeof(dev_info.name) - 1] = '\0'; + + rmcd_debug(RDEV, "name:%s ct:0x%x did:0x%x hc:0x%x", dev_info.name, + dev_info.comptag, dev_info.destid, dev_info.hopcount); +@@ -1819,6 +1820,7 @@ static int rio_mport_del_riodev(struct mport_cdev_priv *priv, void __user *arg) + + if (copy_from_user(&dev_info, arg, sizeof(dev_info))) + return -EFAULT; ++ dev_info.name[sizeof(dev_info.name) - 1] = '\0'; + + mport = priv->md->mport; + +-- +2.20.1 + diff --git a/queue-4.19/drm-nouveau-fix-memory-leak-in-nouveau_conn_reset.patch b/queue-4.19/drm-nouveau-fix-memory-leak-in-nouveau_conn_reset.patch new file mode 100644 index 00000000000..d1b754f4b17 --- /dev/null 
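Review bot: The two added `dev_info.name[sizeof(dev_info.name) - 1] = '\0';` lines in rio_mport_add_riodev() and rio_mport_del_riodev() carry no comment, and nothing at the call sites says that the struct was just filled by copy_from_user() and may arrive without a terminator. I would put `/* name comes from userspace and may not be NUL-terminated */` above each. Forcing the last byte also silently truncates a name that fills the whole array. If such input should be refused instead, `if (strnlen(dev_info.name, sizeof(dev_info.name)) == sizeof(dev_info.name)) return -EINVAL;` does that, though whether existing callers rely on the permissive behaviour is not visible here. Both function bodies continue outside the hunks.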
+++ b/queue-4.19/drm-nouveau-fix-memory-leak-in-nouveau_conn_reset.patch 
@@ -0,0 +1,61 @@ +From d920cf32227e235ce4a01417ac1aa49af7f28e48 Mon Sep 17 00:00:00 2001 +From: Yongxin Liu +Date: Mon, 1 Jul 2019 09:46:22 +0800 +Subject: drm/nouveau: fix memory leak in nouveau_conn_reset() + +[ Upstream commit 09b90e2fe35faeace2488234e2a7728f2ea8ba26 ] + +In nouveau_conn_reset(), if connector->state is true, +__drm_atomic_helper_connector_destroy_state() will be called, +but the memory pointed by asyc isn't freed. Memory leak happens +in the following function __drm_atomic_helper_connector_reset(), +where newly allocated asyc->state will be assigned to connector->state. + +So using nouveau_conn_atomic_destroy_state() instead of +__drm_atomic_helper_connector_destroy_state to free the "old" asyc. + +Here the is the log showing memory leak. + +unreferenced object 0xffff8c5480483c80 (size 192): + comm "kworker/0:2", pid 188, jiffies 4294695279 (age 53.179s) + hex dump (first 32 bytes): + 00 f0 ba 7b 54 8c ff ff 00 00 00 00 00 00 00 00 ...{T........... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
+ backtrace: + [<000000005005c0d0>] kmem_cache_alloc_trace+0x195/0x2c0 + [<00000000a122baed>] nouveau_conn_reset+0x25/0xc0 [nouveau] + [<000000004fd189a2>] nouveau_connector_create+0x3a7/0x610 [nouveau] + [<00000000c73343a8>] nv50_display_create+0x343/0x980 [nouveau] + [<000000002e2b03c3>] nouveau_display_create+0x51f/0x660 [nouveau] + [<00000000c924699b>] nouveau_drm_device_init+0x182/0x7f0 [nouveau] + [<00000000cc029436>] nouveau_drm_probe+0x20c/0x2c0 [nouveau] + [<000000007e961c3e>] local_pci_probe+0x47/0xa0 + [<00000000da14d569>] work_for_cpu_fn+0x1a/0x30 + [<0000000028da4805>] process_one_work+0x27c/0x660 + [<000000001d415b04>] worker_thread+0x22b/0x3f0 + [<0000000003b69f1f>] kthread+0x12f/0x150 + [<00000000c94c29b7>] ret_from_fork+0x3a/0x50 + +Signed-off-by: Yongxin Liu +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_connector.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c +index 247f72cc4d10a..fb0094fc55834 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -251,7 +251,7 @@ nouveau_conn_reset(struct drm_connector *connector) + return; + + if (connector->state) +- __drm_atomic_helper_connector_destroy_state(connector->state); ++ nouveau_conn_atomic_destroy_state(connector, connector->state); + __drm_atomic_helper_connector_reset(connector, &asyc->state); + asyc->dither.mode = DITHERING_MODE_AUTO; + asyc->dither.depth = DITHERING_DEPTH_AUTO; +-- +2.20.1 + diff --git a/queue-4.19/firmware-psci-psci_checker-park-kthreads-before-stop.patch b/queue-4.19/firmware-psci-psci_checker-park-kthreads-before-stop.patch new file mode 100644 index 00000000000..b8c376b111b --- /dev/null +++ b/queue-4.19/firmware-psci-psci_checker-park-kthreads-before-stop.patch 
@@ -0,0 +1,79 @@ +From 50ab445340120699ee575c424fa4d20c7120c0c2 Mon Sep 17 00:00:00 2001 +From: Jean-Philippe Brucker +Date: Mon, 10 Jun 2019 18:38:29 +0100 +Subject: firmware/psci: psci_checker: Park kthreads before stopping them + +[ Upstream commit 92e074acf6f7694e96204265eb18ac113f546e80 ] + +Since commit 85f1abe0019f ("kthread, sched/wait: Fix kthread_parkme() +completion issue"), kthreads that are bound to a CPU must be parked +before being stopped. At the moment the PSCI checker calls +kthread_stop() directly on the suspend kthread, which triggers the +following warning: + +[ 6.068288] WARNING: CPU: 1 PID: 1 at kernel/kthread.c:398 __kthread_bind_mask+0x20/0x78 + ... +[ 6.190151] Call trace: +[ 6.192566] __kthread_bind_mask+0x20/0x78 +[ 6.196615] kthread_unpark+0x74/0x80 +[ 6.200235] kthread_stop+0x44/0x1d8 +[ 6.203769] psci_checker+0x3bc/0x484 +[ 6.207389] do_one_initcall+0x48/0x260 +[ 6.211180] kernel_init_freeable+0x2c8/0x368 +[ 6.215488] kernel_init+0x10/0x100 +[ 6.218935] ret_from_fork+0x10/0x1c +[ 6.222467] ---[ end trace e05e22863d043cd3 ]--- + +kthread_unpark() tries to bind the thread to its CPU and aborts with a +WARN() if the thread wasn't in TASK_PARKED state. Park the kthreads +before stopping them. + +Fixes: 85f1abe0019f ("kthread, sched/wait: Fix kthread_parkme() completion issue") +Signed-off-by: Jean-Philippe Brucker +Reviewed-by: Sudeep Holla +Acked-by: Lorenzo Pieralisi +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + drivers/firmware/psci_checker.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/firmware/psci_checker.c b/drivers/firmware/psci_checker.c +index 3469436579622..cbd53cb1b2d47 100644 +--- a/drivers/firmware/psci_checker.c ++++ b/drivers/firmware/psci_checker.c +@@ -366,16 +366,16 @@ static int suspend_test_thread(void *arg) + for (;;) { + /* Needs to be set first to avoid missing a wakeup. 
*/ + set_current_state(TASK_INTERRUPTIBLE); +- if (kthread_should_stop()) { +- __set_current_state(TASK_RUNNING); ++ if (kthread_should_park()) + break; +- } + schedule(); + } + + pr_info("CPU %d suspend test results: success %d, shallow states %d, errors %d\n", + cpu, nb_suspend, nb_shallow_sleep, nb_err); + ++ kthread_parkme(); ++ + return nb_err; + } + +@@ -440,8 +440,10 @@ static int suspend_tests(void) + + + /* Stop and destroy all threads, get return status. */ +- for (i = 0; i < nb_threads; ++i) ++ for (i = 0; i < nb_threads; ++i) { ++ err += kthread_park(threads[i]); + err += kthread_stop(threads[i]); ++ } + out: + cpuidle_resume_and_unlock(); + kfree(threads); +-- +2.20.1 + diff --git a/queue-4.19/fs-adfs-super-fix-use-after-free-bug.patch b/queue-4.19/fs-adfs-super-fix-use-after-free-bug.patch new file mode 100644 index 00000000000..889b4f5e501 --- /dev/null +++ b/queue-4.19/fs-adfs-super-fix-use-after-free-bug.patch 
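Review bot: In suspend_tests() the new `err += kthread_park(threads[i]);` adds kthread_park()'s status to the same `err` that accumulates the per-thread error counts returned through kthread_stop() (`return nb_err` in suspend_test_thread), so a negative errno from a failed park would be subtracted from the count and could hide test failures. Keep the two apart, for example `rc = kthread_park(threads[i]); if (rc) pr_warn(...);`, and leave `err += kthread_stop(threads[i]);` as the only accumulation. In suspend_test_thread() the loop now breaks with the task state still TASK_INTERRUPTIBLE, because `__set_current_state(TASK_RUNNING)` was removed with the old branch; either restore it before pr_info() or add a comment that kthread_parkme() is expected to take over from there. Both functions continue outside the hunks.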
@@ -0,0 +1,45 @@
+From c6a4ecd10eb0fd4078cd0541fa96695375d78358 Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Tue, 4 Jun 2019 14:50:14 +0100
+Subject: fs/adfs: super: fix use-after-free bug
+
+[ Upstream commit 5808b14a1f52554de612fee85ef517199855e310 ]
+
+Fix a use-after-free bug during filesystem initialisation, where we
+access the disc record (which is stored in a buffer) after we have
+released the buffer.
+
+Signed-off-by: Russell King
+Signed-off-by: Al Viro
+Signed-off-by: Sasha Levin
+---
+ fs/adfs/super.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/adfs/super.c b/fs/adfs/super.c
+index 7e099a7a4eb1e..4dc15b2634894 100644
+--- a/fs/adfs/super.c
++++ b/fs/adfs/super.c
+@@ -369,6 +369,7 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent)
+ struct buffer_head *bh;
+ struct object_info root_obj;
+ unsigned char *b_data;
++ unsigned int blocksize;
+ struct adfs_sb_info *asb;
+ struct inode *root;
+ int ret = -EINVAL;
+@@ -420,8 +421,10 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent)
+ goto error_free_bh;
+ }
+
++ blocksize = 1 << dr->log2secsize;
+ brelse(bh);
+- if (sb_set_blocksize(sb, 1 << dr->log2secsize)) {
++
++ if (sb_set_blocksize(sb, blocksize)) {
+ bh = sb_bread(sb, ADFS_DISCRECORD / sb->s_blocksize);
+ if (!bh) {
+ adfs_error(sb, "couldn't read superblock on "
+--
+2.20.1
+
diff --git a/queue-4.19/ftrace-enable-trampoline-when-rec-count-returns-back.patch b/queue-4.19/ftrace-enable-trampoline-when-rec-count-returns-back.patch
new file mode 100644
index 00000000000..6646fd02711
--- /dev/null
+++ b/queue-4.19/ftrace-enable-trampoline-when-rec-count-returns-back.patch
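Review bot: The new `blocksize = 1 << dr->log2secsize;` in adfs_fill_super() shifts by a value read from the on-disk disc record, and the hunk does not show where log2secsize is range-checked. Presumably the check ending in `goto error_free_bh` just above does it, but that should be confirmed: a filesystem image is untrusted input, and a shift count at or beyond the width of int is undefined. A comment at the assignment would also record why the value is cached, e.g. `/* dr points into bh's data; copy what we need before brelse() */`. After the sb_bread() that follows, any further use of `dr` needs a pointer derived from the new buffer, and that code is outside the hunk. The function body starts and ends outside the hunk.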
@@ -0,0 +1,105 @@ +From 37c98ffea1b8ebc4860a6dadb2f70b8a3deb737b Mon Sep 17 00:00:00 2001 +From: Cheng Jian +Date: Sat, 4 May 2019 19:39:39 +0800 +Subject: ftrace: Enable trampoline when rec count returns back to one + +[ Upstream commit a124692b698b00026a58d89831ceda2331b2e1d0 ] + +Custom trampolines can only be enabled if there is only a single ops +attached to it. If there's only a single callback registered to a function, +and the ops has a trampoline registered for it, then we can call the +trampoline directly. This is very useful for improving the performance of +ftrace and livepatch. + +If more than one callback is registered to a function, the general +trampoline is used, and the custom trampoline is not restored back to the +direct call even if all the other callbacks were unregistered and we are +back to one callback for the function. + +To fix this, set FTRACE_FL_TRAMP flag if rec count is decremented +to one, and the ops that left has a trampoline. + +Testing After this patch : + +insmod livepatch_unshare_files.ko +cat /sys/kernel/debug/tracing/enabled_functions + + unshare_files (1) R I tramp: 0xffffffffc0000000(klp_ftrace_handler+0x0/0xa0) ->ftrace_ops_assist_func+0x0/0xf0 + +echo unshare_files > /sys/kernel/debug/tracing/set_ftrace_filter +echo function > /sys/kernel/debug/tracing/current_tracer +cat /sys/kernel/debug/tracing/enabled_functions + + unshare_files (2) R I ->ftrace_ops_list_func+0x0/0x150 + +echo nop > /sys/kernel/debug/tracing/current_tracer +cat /sys/kernel/debug/tracing/enabled_functions + + unshare_files (1) R I tramp: 0xffffffffc0000000(klp_ftrace_handler+0x0/0xa0) ->ftrace_ops_assist_func+0x0/0xf0 + +Link: http://lkml.kernel.org/r/1556969979-111047-1-git-send-email-cj.chengjian@huawei.com + +Signed-off-by: Cheng Jian +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/ftrace.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +diff --git 
a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index 118ecce143866..d9dd709b3c12f 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -1647,6 +1647,11 @@ static bool test_rec_ops_needs_regs(struct dyn_ftrace *rec) + return keep_regs; + } + ++static struct ftrace_ops * ++ftrace_find_tramp_ops_any(struct dyn_ftrace *rec); ++static struct ftrace_ops * ++ftrace_find_tramp_ops_next(struct dyn_ftrace *rec, struct ftrace_ops *ops); ++ + static bool __ftrace_hash_rec_update(struct ftrace_ops *ops, + int filter_hash, + bool inc) +@@ -1775,15 +1780,17 @@ static bool __ftrace_hash_rec_update(struct ftrace_ops *ops, + } + + /* +- * If the rec had TRAMP enabled, then it needs to +- * be cleared. As TRAMP can only be enabled iff +- * there is only a single ops attached to it. +- * In otherwords, always disable it on decrementing. +- * In the future, we may set it if rec count is +- * decremented to one, and the ops that is left +- * has a trampoline. ++ * The TRAMP needs to be set only if rec count ++ * is decremented to one, and the ops that is ++ * left has a trampoline. As TRAMP can only be ++ * enabled if there is only a single ops attached ++ * to it. + */ +- rec->flags &= ~FTRACE_FL_TRAMP; ++ if (ftrace_rec_count(rec) == 1 && ++ ftrace_find_tramp_ops_any(rec)) ++ rec->flags |= FTRACE_FL_TRAMP; ++ else ++ rec->flags &= ~FTRACE_FL_TRAMP; + + /* + * flags will be cleared in ftrace_check_record() +@@ -1976,11 +1983,6 @@ static void print_ip_ins(const char *fmt, const unsigned char *p) + printk(KERN_CONT "%s%02x", i ? ":" : "", p[i]); + } + +-static struct ftrace_ops * +-ftrace_find_tramp_ops_any(struct dyn_ftrace *rec); +-static struct ftrace_ops * +-ftrace_find_tramp_ops_next(struct dyn_ftrace *rec, struct ftrace_ops *ops); +- + enum ftrace_bug_type ftrace_bug_type; + const void *ftrace_expected; + +-- +2.20.1 + 
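Review bot: In __ftrace_hash_rec_update() the new test `ftrace_rec_count(rec) == 1 && ftrace_find_tramp_ops_any(rec)` does not pass `ops`, so from the hunk nothing keeps the lookup from matching the ops that is being removed in this very call, if its hash still lists rec at this point. In that case FTRACE_FL_TRAMP would be set for a trampoline that is about to go away. I would restrict the lookup to ops other than the one being updated and say so in the comment, which currently reads "the ops that is left has a trampoline" without the code enforcing "left". The function body starts and ends outside the hunk, so the hash state at this point needs confirming there.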
diff --git a/queue-4.19/ipc-mqueue.c-only-perform-resource-calculation-if-us.patch b/queue-4.19/ipc-mqueue.c-only-perform-resource-calculation-if-us.patch
new file mode 100644
index 00000000000..6b3fda19928
--- /dev/null
+++ b/queue-4.19/ipc-mqueue.c-only-perform-resource-calculation-if-us.patch
@@ -0,0 +1,103 @@ +From 6ddee23cfdaf53212fb2aecaf1b6d0b03339b83e Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Tue, 16 Jul 2019 16:30:21 -0700 +Subject: ipc/mqueue.c: only perform resource calculation if user valid + +[ Upstream commit a318f12ed8843cfac53198390c74a565c632f417 ] + +Andreas Christoforou reported: + + UBSAN: Undefined behaviour in ipc/mqueue.c:414:49 signed integer overflow: + 9 * 2305843009213693951 cannot be represented in type 'long int' + ... + Call Trace: + mqueue_evict_inode+0x8e7/0xa10 ipc/mqueue.c:414 + evict+0x472/0x8c0 fs/inode.c:558 + iput_final fs/inode.c:1547 [inline] + iput+0x51d/0x8c0 fs/inode.c:1573 + mqueue_get_inode+0x8eb/0x1070 ipc/mqueue.c:320 + mqueue_create_attr+0x198/0x440 ipc/mqueue.c:459 + vfs_mkobj+0x39e/0x580 fs/namei.c:2892 + prepare_open ipc/mqueue.c:731 [inline] + do_mq_open+0x6da/0x8e0 ipc/mqueue.c:771 + +Which could be triggered by: + + struct mq_attr attr = { + .mq_flags = 0, + .mq_maxmsg = 9, + .mq_msgsize = 0x1fffffffffffffff, + .mq_curmsgs = 0, + }; + + if (mq_open("/testing", 0x40, 3, &attr) == (mqd_t) -1) + perror("mq_open"); + +mqueue_get_inode() was correctly rejecting the giant mq_msgsize, and +preparing to return -EINVAL. During the cleanup, it calls +mqueue_evict_inode() which performed resource usage tracking math for +updating "user", before checking if there was a valid "user" at all +(which would indicate that the calculations would be sane). Instead, +delay this check to after seeing a valid "user". + +The overflow was real, but the results went unused, so while the flaw is +harmless, it's noisy for kernel fuzzers, so just fix it by moving the +calculation under the non-NULL "user" where it actually gets used. + +Link: http://lkml.kernel.org/r/201906072207.ECB65450@keescook +Signed-off-by: Kees Cook +Reported-by: Andreas Christoforou +Acked-by: "Eric W. 
Biederman" +Cc: Al Viro +Cc: Arnd Bergmann +Cc: Davidlohr Bueso +Cc: Manfred Spraul +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + ipc/mqueue.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/ipc/mqueue.c b/ipc/mqueue.c +index bce7af1546d9c..de4070d5472f2 100644 +--- a/ipc/mqueue.c ++++ b/ipc/mqueue.c +@@ -389,7 +389,6 @@ static void mqueue_evict_inode(struct inode *inode) + { + struct mqueue_inode_info *info; + struct user_struct *user; +- unsigned long mq_bytes, mq_treesize; + struct ipc_namespace *ipc_ns; + struct msg_msg *msg, *nmsg; + LIST_HEAD(tmp_msg); +@@ -412,16 +411,18 @@ static void mqueue_evict_inode(struct inode *inode) + free_msg(msg); + } + +- /* Total amount of bytes accounted for the mqueue */ +- mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) + +- min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) * +- sizeof(struct posix_msg_tree_node); +- +- mq_bytes = mq_treesize + (info->attr.mq_maxmsg * +- info->attr.mq_msgsize); +- + user = info->user; + if (user) { ++ unsigned long mq_bytes, mq_treesize; ++ ++ /* Total amount of bytes accounted for the mqueue */ ++ mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) + ++ min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) * ++ sizeof(struct posix_msg_tree_node); ++ ++ mq_bytes = mq_treesize + (info->attr.mq_maxmsg * ++ info->attr.mq_msgsize); ++ + spin_lock(&mq_lock); + user->mq_bytes -= mq_bytes; + /* +-- +2.20.1 + diff --git a/queue-4.19/kernel-module.c-only-return-eexist-for-modules-that-.patch b/queue-4.19/kernel-module.c-only-return-eexist-for-modules-that-.patch new file mode 100644 index 00000000000..d39f1fbc1dc --- /dev/null +++ b/queue-4.19/kernel-module.c-only-return-eexist-for-modules-that-.patch 
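Review bot: The relocated computation in mqueue_evict_inode() still multiplies `info->attr.mq_maxmsg * info->attr.mq_msgsize` with no overflow check. It stays in range only because a non-NULL `info->user` implies the attributes passed validation when the inode was created, which the commit message states but the code does not. I would put that invariant next to the block, e.g. `/* user is only set after mq_attr passed the limits check, so this cannot overflow */`, after confirming it against mqueue_get_inode(), which is outside the hunk. The subtraction `user->mq_bytes -= mq_bytes` also depends on this value matching what was charged at creation, so the two computations are worth sharing a helper. The function body continues outside the hunk.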
@@ -0,0 +1,74 @@
+From 26ecb4ef1b594ebd938c532c6b8a36e825ab46ff Mon Sep 17 00:00:00 2001
+From: Prarit Bhargava
+Date: Wed, 29 May 2019 07:26:25 -0400
+Subject: kernel/module.c: Only return -EEXIST for modules that have finished
+ loading
+
+[ Upstream commit 6e6de3dee51a439f76eb73c22ae2ffd2c9384712 ]
+
+Microsoft HyperV disables the X86_FEATURE_SMCA bit on AMD systems, and
+linux guests boot with repeated errors:
+
+amd64_edac_mod: Unknown symbol amd_unregister_ecc_decoder (err -2)
+amd64_edac_mod: Unknown symbol amd_register_ecc_decoder (err -2)
+amd64_edac_mod: Unknown symbol amd_report_gart_errors (err -2)
+amd64_edac_mod: Unknown symbol amd_unregister_ecc_decoder (err -2)
+amd64_edac_mod: Unknown symbol amd_register_ecc_decoder (err -2)
+amd64_edac_mod: Unknown symbol amd_report_gart_errors (err -2)
+
+The warnings occur because the module code erroneously returns -EEXIST
+for modules that have failed to load and are in the process of being
+removed from the module list.
+
+module amd64_edac_mod has a dependency on module edac_mce_amd. Using
+modules.dep, systemd will load edac_mce_amd for every request of
+amd64_edac_mod. When the edac_mce_amd module loads, the module has
+state MODULE_STATE_UNFORMED and once the module load fails and the state
+becomes MODULE_STATE_GOING. Another request for edac_mce_amd module
+executes and add_unformed_module() will erroneously return -EEXIST even
+though the previous instance of edac_mce_amd has MODULE_STATE_GOING.
+Upon receiving -EEXIST, systemd attempts to load amd64_edac_mod, which
+fails because of unknown symbols from edac_mce_amd.
+
+add_unformed_module() must wait to return for any case other than
+MODULE_STATE_LIVE to prevent a race between multiple loads of
+dependent modules.
+
+Signed-off-by: Prarit Bhargava
+Signed-off-by: Barret Rhoden
+Cc: David Arcari
+Cc: Jessica Yu
+Cc: Heiko Carstens
+Signed-off-by: Jessica Yu
+Signed-off-by: Sasha Levin
+---
+ kernel/module.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/module.c b/kernel/module.c
+index b8f37376856bd..3fda10c549a25 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -3388,8 +3388,7 @@ static bool finished_loading(const char *name)
+ sched_annotate_sleep();
+ mutex_lock(&module_mutex);
+ mod = find_module_all(name, strlen(name), true);
+- ret = !mod || mod->state == MODULE_STATE_LIVE
+- || mod->state == MODULE_STATE_GOING;
++ ret = !mod || mod->state == MODULE_STATE_LIVE;
+ mutex_unlock(&module_mutex);
+
+ return ret;
+@@ -3559,8 +3558,7 @@ again:
+ mutex_lock(&module_mutex);
+ old = find_module_all(mod->name, strlen(mod->name), true);
+ if (old != NULL) {
+- if (old->state == MODULE_STATE_COMING
+- || old->state == MODULE_STATE_UNFORMED) {
++ if (old->state != MODULE_STATE_LIVE) {
+ /* Wait in case it fails to load. */
+ mutex_unlock(&module_mutex);
+ err = wait_event_interruptible(module_wq,
+--
+2.20.1
+
diff --git a/queue-4.19/lib-test_overflow.c-avoid-tainting-the-kernel-and-fi.patch b/queue-4.19/lib-test_overflow.c-avoid-tainting-the-kernel-and-fi.patch
new file mode 100644
index 00000000000..849b9fa6f6f
--- /dev/null
+++ b/queue-4.19/lib-test_overflow.c-avoid-tainting-the-kernel-and-fi.patch
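Review bot: In the kernel/module.c patch above, once `finished_loading()` stops treating `MODULE_STATE_GOING` as finished, a loader sleeping on `module_wq` depends on a wakeup being issued after the going module has actually left the module list. Neither hunk shows that wakeup, so it should be confirmed for every path that removes a module (failed load and unload); otherwise the waiter reached from the `again:` block can sleep until it is interrupted. The retained comment `/* Wait in case it fails to load. */` is also stale now that the branch covers going modules, and `/* Wait until it is live or gone from the list. */` would match the new condition. Both functions continue outside the hunks.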
@@ -0,0 +1,54 @@
+From ddebaaa09d5cfe2962431d16ab06295ad780fe63 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Tue, 16 Jul 2019 16:27:24 -0700
+Subject: lib/test_overflow.c: avoid tainting the kernel and fix wrap size
+
+[ Upstream commit 8e060c21ae2c265a2b596e9e7f9f97ec274151a4 ]
+
+This adds __GFP_NOWARN to the kmalloc()-portions of the overflow test to
+avoid tainting the kernel. Additionally fixes up the math on wrap size
+to be architecture and page size agnostic.
+
+Link: http://lkml.kernel.org/r/201905282012.0A8767E24@keescook
+Fixes: ca90800a91ba ("test_overflow: Add memory allocation overflow tests")
+Signed-off-by: Kees Cook
+Reported-by: Randy Dunlap
+Suggested-by: Rasmus Villemoes
+Cc: Joe Perches
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ lib/test_overflow.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/test_overflow.c b/lib/test_overflow.c
+index fc680562d8b69..7a4b6f6c5473c 100644
+--- a/lib/test_overflow.c
++++ b/lib/test_overflow.c
+@@ -486,16 +486,17 @@ static int __init test_overflow_shift(void)
+ * Deal with the various forms of allocator arguments. See comments above
+ * the DEFINE_TEST_ALLOC() instances for mapping of the "bits".
+ */
+-#define alloc010(alloc, arg, sz) alloc(sz, GFP_KERNEL)
+-#define alloc011(alloc, arg, sz) alloc(sz, GFP_KERNEL, NUMA_NO_NODE)
++#define alloc_GFP (GFP_KERNEL | __GFP_NOWARN)
++#define alloc010(alloc, arg, sz) alloc(sz, alloc_GFP)
++#define alloc011(alloc, arg, sz) alloc(sz, alloc_GFP, NUMA_NO_NODE)
+ #define alloc000(alloc, arg, sz) alloc(sz)
+ #define alloc001(alloc, arg, sz) alloc(sz, NUMA_NO_NODE)
+-#define alloc110(alloc, arg, sz) alloc(arg, sz, GFP_KERNEL)
++#define alloc110(alloc, arg, sz) alloc(arg, sz, alloc_GFP)
+ #define free0(free, arg, ptr) free(ptr)
+ #define free1(free, arg, ptr) free(arg, ptr)
+
+-/* Wrap around to 8K */
+-#define TEST_SIZE (9 << PAGE_SHIFT)
++/* Wrap around to 16K */
++#define TEST_SIZE (5 * 4096)
+
+ #define DEFINE_TEST_ALLOC(func, free_func, want_arg, want_gfp, want_node)\
+ static int __init test_ ## func (void *arg) \
+--
+2.20.1
+
diff --git a/queue-4.19/lib-test_string.c-avoid-masking-memset16-32-64-failu.patch b/queue-4.19/lib-test_string.c-avoid-masking-memset16-32-64-failu.patch
new file mode 100644
index 00000000000..983c6354b90
--- /dev/null
+++ b/queue-4.19/lib-test_string.c-avoid-masking-memset16-32-64-failu.patch
@@ -0,0 +1,58 @@
+From 517c4a34a9eac6d8a3bcbe6992a748aaa9c06284 Mon Sep 17 00:00:00 2001
+From: Peter Rosin
+Date: Tue, 16 Jul 2019 16:27:18 -0700
+Subject: lib/test_string.c: avoid masking memset16/32/64 failures
+
+[ Upstream commit 33d6e0ff68af74be0c846c8e042e84a9a1a0561e ]
+
+If a memsetXX implementation is completely broken and fails in the first
+iteration, when i, j, and k are all zero, the failure is masked as zero
+is returned. Failing in the first iteration is perhaps the most likely
+failure, so this makes the tests pretty much useless. Avoid the
+situation by always setting a random unused bit in the result on
+failure.
+
+Link: http://lkml.kernel.org/r/20190506124634.6807-3-peda@axentia.se
+Fixes: 03270c13c5ff ("lib/string.c: add testcases for memset16/32/64")
+Signed-off-by: Peter Rosin
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ lib/test_string.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/test_string.c b/lib/test_string.c
+index 0fcdb82dca866..98a787e7a1fd6 100644
+--- a/lib/test_string.c
++++ b/lib/test_string.c
+@@ -35,7 +35,7 @@ static __init int memset16_selftest(void)
+ fail:
+ kfree(p);
+ if (i < 256)
+- return (i << 24) | (j << 16) | k;
++ return (i << 24) | (j << 16) | k | 0x8000;
+ return 0;
+ }
+
+@@ -71,7 +71,7 @@ static __init int memset32_selftest(void)
+ fail:
+ kfree(p);
+ if (i < 256)
+- return (i << 24) | (j << 16) | k;
++ return (i << 24) | (j << 16) | k | 0x8000;
+ return 0;
+ }
+
+@@ -107,7 +107,7 @@ static __init int memset64_selftest(void)
+ fail:
+ kfree(p);
+ if (i < 256)
+- return (i << 24) | (j << 16) | k;
++ return (i << 24) | (j << 16) | k | 0x8000;
+ return 0;
+ }
+
+--
+2.20.1
+
diff --git a/queue-4.19/mips-lantiq-fix-bitfield-masking.patch b/queue-4.19/mips-lantiq-fix-bitfield-masking.patch
new file mode 100644
index 00000000000..6392e628cdb
--- /dev/null
+++ b/queue-4.19/mips-lantiq-fix-bitfield-masking.patch
@@ -0,0 +1,42 @@
+From 00f4228232f28696a0c48db433954768c5703fe2 Mon Sep 17 00:00:00 2001
+From: Petr Cvek
+Date: Thu, 20 Jun 2019 23:39:37 +0200
+Subject: MIPS: lantiq: Fix bitfield masking
+
+[ Upstream commit ba1bc0fcdeaf3bf583c1517bd2e3e29cf223c969 ]
+
+The modification of EXIN register doesn't clean the bitfield before
+the writing of a new value. After a few modifications the bitfield would
+accumulate only '1's.
+
+Signed-off-by: Petr Cvek
+Signed-off-by: Paul Burton
+Cc: hauke@hauke-m.de
+Cc: john@phrozen.org
+Cc: linux-mips@vger.kernel.org
+Cc: openwrt-devel@lists.openwrt.org
+Cc: pakahmar@hotmail.com
+Signed-off-by: Sasha Levin
+---
+ arch/mips/lantiq/irq.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c
+index c4ef1c31e0c4f..37caeadb2964c 100644
+--- a/arch/mips/lantiq/irq.c
++++ b/arch/mips/lantiq/irq.c
+@@ -156,8 +156,9 @@ static int ltq_eiu_settype(struct irq_data *d, unsigned int type)
+ if (edge)
+ irq_set_handler(d->hwirq, handle_edge_irq);
+
+- ltq_eiu_w32(ltq_eiu_r32(LTQ_EIU_EXIN_C) |
+- (val << (i * 4)), LTQ_EIU_EXIN_C);
++ ltq_eiu_w32((ltq_eiu_r32(LTQ_EIU_EXIN_C) &
++ (~(7 << (i * 4)))) | (val << (i * 4)),
++ LTQ_EIU_EXIN_C);
+ }
+ }
+
+--
+2.20.1
+
diff --git a/queue-4.19/mlxsw-spectrum_dcb-configure-dscp-map-as-the-last-ru.patch b/queue-4.19/mlxsw-spectrum_dcb-configure-dscp-map-as-the-last-ru.patch
new file mode 100644
index 00000000000..0d82fda0804
--- /dev/null
+++ b/queue-4.19/mlxsw-spectrum_dcb-configure-dscp-map-as-the-last-ru.patch
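Review bot: In the arch/mips/lantiq/irq.c patch above, the rewritten statement in ltq_eiu_settype() is still an unlocked read-modify-write of `LTQ_EIU_EXIN_C`, which by the `i * 4` indexing appears to hold one field per external interrupt. No lock is visible in the hunk, so if two interrupts can be reconfigured at the same time one update may be lost; the caller's serialisation should be confirmed. The clear mask is the bare literal `7`, which covers three bits of each four-bit slot, and nothing visible bounds `val` to that width, so a named constant for the field mask with a one-line comment on the field layout would make the intent checkable. The function starts and ends outside the hunk.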
@@ -0,0 +1,77 @@
+From 8a8414fc594e136e2f47b5db3e9e461b37f665ab Mon Sep 17 00:00:00 2001
+From: Petr Machata
+Date: Wed, 17 Jul 2019 23:29:07 +0300
+Subject: mlxsw: spectrum_dcb: Configure DSCP map as the last rule is removed
+
+[ Upstream commit dedfde2fe1c4ccf27179fcb234e2112d065c39bb ]
+
+Spectrum systems use DSCP rewrite map to update DSCP field in egressing
+packets to correspond to priority that the packet has. Whether rewriting
+will take place is determined at the point when the packet ingresses the
+switch: if the port is in Trust L3 mode, packet priority is determined from
+the DSCP map at the port, and DSCP rewrite will happen. If the port is in
+Trust L2 mode, 802.1p is used for packet prioritization, and no DSCP
+rewrite will happen.
+
+The driver determines the port trust mode based on whether any DSCP
+prioritization rules are in effect at given port. If there are any, trust
+level is L3, otherwise it's L2. When the last DSCP rule is removed, the
+port is switched to trust L2. Under that scenario, if DSCP of a packet
+should be rewritten, it should be rewritten to 0.
+
+However, when switching to Trust L2, the driver neglects to also update the
+DSCP rewrite map. The last DSCP rule thus remains in effect, and packets
+egressing through this port, if they have the right priority, will have
+their DSCP set according to this rule.
+
+Fix by first configuring the rewrite map, and only then switching to trust
+L2 and bailing out.
+
+Fixes: b2b1dab6884e ("mlxsw: spectrum: Support ieee_setapp, ieee_delapp")
+Signed-off-by: Petr Machata
+Reported-by: Alex Veber
+Tested-by: Alex Veber
+Signed-off-by: Ido Schimmel
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ .../net/ethernet/mellanox/mlxsw/spectrum_dcb.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_dcb.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_dcb.c
+index b25048c6c7618..21296fa7f7fbf 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_dcb.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_dcb.c
+@@ -408,14 +408,6 @@ static int mlxsw_sp_port_dcb_app_update(struct mlxsw_sp_port *mlxsw_sp_port)
+ have_dscp = mlxsw_sp_port_dcb_app_prio_dscp_map(mlxsw_sp_port,
+ &prio_map);
+
+- if (!have_dscp) {
+- err = mlxsw_sp_port_dcb_toggle_trust(mlxsw_sp_port,
+- MLXSW_REG_QPTS_TRUST_STATE_PCP);
+- if (err)
+- netdev_err(mlxsw_sp_port->dev, "Couldn't switch to trust L2\n");
+- return err;
+- }
+-
+ mlxsw_sp_port_dcb_app_dscp_prio_map(mlxsw_sp_port, default_prio,
+ &dscp_map);
+ err = mlxsw_sp_port_dcb_app_update_qpdpm(mlxsw_sp_port,
+@@ -432,6 +424,14 @@ static int mlxsw_sp_port_dcb_app_update(struct mlxsw_sp_port *mlxsw_sp_port)
+ return err;
+ }
+
++ if (!have_dscp) {
++ err = mlxsw_sp_port_dcb_toggle_trust(mlxsw_sp_port,
++ MLXSW_REG_QPTS_TRUST_STATE_PCP);
++ if (err)
++ netdev_err(mlxsw_sp_port->dev, "Couldn't switch to trust L2\n");
++ return err;
++ }
++
+ err = mlxsw_sp_port_dcb_toggle_trust(mlxsw_sp_port,
+ MLXSW_REG_QPTS_TRUST_STATE_DSCP);
+ if (err) {
+--
+2.20.1
+
diff --git a/queue-4.19/mm-cma.c-fail-if-fixed-declaration-can-t-be-honored.patch b/queue-4.19/mm-cma.c-fail-if-fixed-declaration-can-t-be-honored.patch
new file mode 100644
index 00000000000..933573bf8ce
--- /dev/null
+++ b/queue-4.19/mm-cma.c-fail-if-fixed-declaration-can-t-be-honored.patch
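Review bot: In the spectrum_dcb.c patch above, the relocated `if (!have_dscp)` block in mlxsw_sp_port_dcb_app_update() now sits after map-programming steps that can `return err`, so when the last DSCP rule is removed and one of those steps fails the port is never switched to trust L2. Before the move that path could only fail in the trust toggle itself; whether the caller retries or reports this is not visible here. The ordering is also the whole point of the fix and is not stated in the code, so I would add a comment above the block such as `/* Maps are programmed first so no stale DSCP rewrite survives the switch to trust L2. */`. The function continues outside both hunks.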
@@ -0,0 +1,68 @@
+From 460d37446708b86135422e8b88d98e4bb1d3cc9d Mon Sep 17 00:00:00 2001
+From: Doug Berger
+Date: Tue, 16 Jul 2019 16:26:24 -0700
+Subject: mm/cma.c: fail if fixed declaration can't be honored
+
+[ Upstream commit c633324e311243586675e732249339685e5d6faa ]
+
+The description of cma_declare_contiguous() indicates that if the
+'fixed' argument is true the reserved contiguous area must be exactly at
+the address of the 'base' argument.
+
+However, the function currently allows the 'base', 'size', and 'limit'
+arguments to be silently adjusted to meet alignment constraints. This
+commit enforces the documented behavior through explicit checks that
+return an error if the region does not fit within a specified region.
+
+Link: http://lkml.kernel.org/r/1561422051-16142-1-git-send-email-opendmb@gmail.com
+Fixes: 5ea3b1b2f8ad ("cma: add placement specifier for "cma=" kernel parameter")
+Signed-off-by: Doug Berger
+Acked-by: Michal Nazarewicz
+Cc: Yue Hu
+Cc: Mike Rapoport
+Cc: Laura Abbott
+Cc: Peng Fan
+Cc: Thomas Gleixner
+Cc: Marek Szyprowski
+Cc: Andrey Konovalov
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/cma.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/mm/cma.c b/mm/cma.c
+index 476dfe13a701f..4c2864270a39b 100644
+--- a/mm/cma.c
++++ b/mm/cma.c
+@@ -282,6 +282,12 @@ int __init cma_declare_contiguous(phys_addr_t base,
+ */
+ alignment = max(alignment, (phys_addr_t)PAGE_SIZE <<
+ max_t(unsigned long, MAX_ORDER - 1, pageblock_order));
++ if (fixed && base & (alignment - 1)) {
++ ret = -EINVAL;
++ pr_err("Region at %pa must be aligned to %pa bytes\n",
++ &base, &alignment);
++ goto err;
++ }
+ base = ALIGN(base, alignment);
+ size = ALIGN(size, alignment);
+ limit &= ~(alignment - 1);
+@@ -312,6 +318,13 @@ int __init cma_declare_contiguous(phys_addr_t base,
+ if (limit == 0 || limit > memblock_end)
+ limit = memblock_end;
+
++ if (base + size > limit) {
++ ret = -EINVAL;
++ pr_err("Size (%pa) of region at %pa exceeds limit (%pa)\n",
++ &size, &base, &limit);
++ goto err;
++ }
++
+ /* Reserve memory */
+ if (fixed) {
+ if (memblock_is_region_reserved(base, size) ||
+--
+2.20.1
+
diff --git a/queue-4.19/perf-version-fix-segfault-due-to-missing-opt_end.patch b/queue-4.19/perf-version-fix-segfault-due-to-missing-opt_end.patch
new file mode 100644
index 00000000000..af74eb79674
--- /dev/null
+++ b/queue-4.19/perf-version-fix-segfault-due-to-missing-opt_end.patch
@@ -0,0 +1,41 @@
+From ad149a6e8eb27de52948eef60554d959e60d6595 Mon Sep 17 00:00:00 2001
+From: Ravi Bangoria
+Date: Tue, 11 Jun 2019 08:31:09 +0530
+Subject: perf version: Fix segfault due to missing OPT_END()
+
+[ Upstream commit 916c31fff946fae0e05862f9b2435fdb29fd5090 ]
+
+'perf version' on powerpc segfaults when used with non-supported
+option:
+ # perf version -a
+ Segmentation fault (core dumped)
+
+Fix this.
+
+Signed-off-by: Ravi Bangoria
+Reviewed-by: Kamalesh Babulal
+Tested-by: Mamatha Inamdar
+Cc: Jiri Olsa
+Cc: Kamalesh Babulal
+Link: http://lkml.kernel.org/r/20190611030109.20228-1-ravi.bangoria@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/builtin-version.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/builtin-version.c b/tools/perf/builtin-version.c
+index 50df168be326d..b02c961046403 100644
+--- a/tools/perf/builtin-version.c
++++ b/tools/perf/builtin-version.c
+@@ -19,6 +19,7 @@ static struct version version;
+ static struct option version_options[] = {
+ OPT_BOOLEAN(0, "build-options", &version.build_options,
+ "display the build options"),
++ OPT_END(),
+ };
+
+ static const char * const version_usage[] = {
+--
+2.20.1
+
diff --git a/queue-4.19/scsi-zfcp-fix-gcc-compiler-warning-emitted-with-wmay.patch b/queue-4.19/scsi-zfcp-fix-gcc-compiler-warning-emitted-with-wmay.patch
new file mode 100644
index 00000000000..e0d28db735e
--- /dev/null
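Review bot: In the mm/cma.c patch, the added bounds check `if (base + size > limit)` in cma_declare_contiguous() can be defeated by wraparound: `base` and `size` are `phys_addr_t`, and the Fixes tag indicates they can come from the `cma=` kernel parameter, so a large enough pair makes the sum wrap below `limit` and the check passes. An overflow-safe form is `if (size > limit || base > limit - size)`. In the first hunk, `fixed && base & (alignment - 1)` relies on `&` binding tighter than `&&`; it is correct, but `fixed && (base & (alignment - 1))` reads unambiguously. The function starts and ends outside both hunks.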
+++ b/queue-4.19/scsi-zfcp-fix-gcc-compiler-warning-emitted-with-wmay.patch 
@@ -0,0 +1,117 @@
+From f73ef82826bedbe47f051480d6969a392e692d69 Mon Sep 17 00:00:00 2001
+From: Benjamin Block
+Date: Tue, 2 Jul 2019 23:02:02 +0200
+Subject: scsi: zfcp: fix GCC compiler warning emitted with
+ -Wmaybe-uninitialized
+
+[ Upstream commit 484647088826f2f651acbda6bcf9536b8a466703 ]
+
+GCC v9 emits this warning:
+ CC drivers/s390/scsi/zfcp_erp.o
+ drivers/s390/scsi/zfcp_erp.c: In function 'zfcp_erp_action_enqueue':
+ drivers/s390/scsi/zfcp_erp.c:217:26: warning: 'erp_action' may be used uninitialized in this function [-Wmaybe-uninitialized]
+ 217 | struct zfcp_erp_action *erp_action;
+ | ^~~~~~~~~~
+
+This is a possible false positive case, as also documented in the GCC
+documentations:
+ https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wmaybe-uninitialized
+
+The actual code-sequence is like this:
+ Various callers can invoke the function below with the argument "want"
+ being one of:
+ ZFCP_ERP_ACTION_REOPEN_ADAPTER,
+ ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
+ ZFCP_ERP_ACTION_REOPEN_PORT, or
+ ZFCP_ERP_ACTION_REOPEN_LUN.
+
+ zfcp_erp_action_enqueue(want, ...)
+ ...
+ need = zfcp_erp_required_act(want, ...)
+ need = want
+ ...
+ maybe: need = ZFCP_ERP_ACTION_REOPEN_PORT
+ maybe: need = ZFCP_ERP_ACTION_REOPEN_ADAPTER
+ ...
+ return need
+ ...
+ zfcp_erp_setup_act(need, ...)
+ struct zfcp_erp_action *erp_action; // <== line 217
+ ...
+ switch(need) {
+ case ZFCP_ERP_ACTION_REOPEN_LUN:
+ ...
+ erp_action = &zfcp_sdev->erp_action;
+ WARN_ON_ONCE(erp_action->port != port); // <== access
+ ...
+ break;
+ case ZFCP_ERP_ACTION_REOPEN_PORT:
+ case ZFCP_ERP_ACTION_REOPEN_PORT_FORCED:
+ ...
+ erp_action = &port->erp_action;
+ WARN_ON_ONCE(erp_action->port != port); // <== access
+ ...
+ break;
+ case ZFCP_ERP_ACTION_REOPEN_ADAPTER:
+ ...
+ erp_action = &adapter->erp_action;
+ WARN_ON_ONCE(erp_action->port != NULL); // <== access
+ ...
+ break;
+ }
+ ...
+ WARN_ON_ONCE(erp_action->adapter != adapter); // <== access
+
+When zfcp_erp_setup_act() is called, 'need' will never be anything else
+than one of the 4 possible enumeration-names that are used in the
+switch-case, and 'erp_action' is initialized for every one of them, before
+it is used. Thus the warning is a false positive, as documented.
+
+We introduce the extra if{} in the beginning to create an extra code-flow,
+so the compiler can be convinced that the switch-case will never see any
+other value.
+
+BUG_ON()/BUG() is intentionally not used to not crash anything, should
+this ever happen anyway - right now it's impossible, as argued above; and
+it doesn't introduce a 'default:' switch-case to retain warnings should
+'enum zfcp_erp_act_type' ever be extended and no explicit case be
+introduced. See also v5.0 commit 399b6c8bc9f7 ("scsi: zfcp: drop old
+default switch case which might paper over missing case").
+
+Signed-off-by: Benjamin Block
+Reviewed-by: Jens Remus
+Reviewed-by: Steffen Maier
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/s390/scsi/zfcp_erp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c
+index ebdbc457003fe..332701db7379d 100644
+--- a/drivers/s390/scsi/zfcp_erp.c
++++ b/drivers/s390/scsi/zfcp_erp.c
+@@ -11,6 +11,7 @@
+ #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
+
+ #include
++#include
+ #include "zfcp_ext.h"
+ #include "zfcp_reqlist.h"
+
+@@ -238,6 +239,12 @@ static struct zfcp_erp_action *zfcp_erp_setup_act(int need, u32 act_status,
+ struct zfcp_erp_action *erp_action;
+ struct zfcp_scsi_dev *zfcp_sdev;
+
++ if (WARN_ON_ONCE(need != ZFCP_ERP_ACTION_REOPEN_LUN &&
++ need != ZFCP_ERP_ACTION_REOPEN_PORT &&
++ need != ZFCP_ERP_ACTION_REOPEN_PORT_FORCED &&
++ need != ZFCP_ERP_ACTION_REOPEN_ADAPTER))
++ return NULL;
++
+ switch (need) {
+ case ZFCP_ERP_ACTION_REOPEN_LUN:
+ zfcp_sdev = sdev_to_zfcp(sdev);
+--
+2.20.1
+
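Review bot: The new early `return NULL` in zfcp_erp_setup_act() is only safe if the caller tests the result before dereferencing it; the caller is outside the hunk, so that should be confirmed against the full file. The four-way comparison also duplicates the case labels of the `switch` directly below it, which means a future enum value has to be added in two places or it will trip the warning and be dropped. I would add a comment above the `if` such as `/* Only here so the compiler sees erp_action is always assigned; keep in step with the switch below. */`. The function continues outside the hunk.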
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644
index 00000000000..61a4dd03683
--- /dev/null
+++ b/queue-4.19/series
@@ -0,0 +1,41 @@
+arm-riscpc-fix-dma.patch
+arm-dts-rockchip-make-rk3288-veyron-minnie-run-at-hs.patch
+arm-dts-rockchip-make-rk3288-veyron-mickey-s-emmc-wo.patch
+arm-dts-rockchip-mark-that-the-rk3288-timer-might-st.patch
+ftrace-enable-trampoline-when-rec-count-returns-back.patch
+dmaengine-tegra-apb-error-out-if-dma_prep_interrupt-.patch
+arm64-dts-rockchip-fix-isp-iommu-clocks-and-power-do.patch
+kernel-module.c-only-return-eexist-for-modules-that-.patch
+firmware-psci-psci_checker-park-kthreads-before-stop.patch
+mips-lantiq-fix-bitfield-masking.patch
+dmaengine-rcar-dmac-reject-zero-length-slave-dma-req.patch
+clk-tegra210-fix-pllu-and-pllu_out1.patch
+fs-adfs-super-fix-use-after-free-bug.patch
+clk-sprd-add-check-for-return-value-of-sprd_clk_regm.patch
+btrfs-fix-minimum-number-of-chunk-errors-for-dup.patch
+btrfs-qgroup-don-t-hold-qgroup_ioctl_lock-in-btrfs_q.patch
+cifs-fix-a-race-condition-with-cifs_echo_request.patch
+ceph-fix-improper-use-of-smp_mb__before_atomic.patch
+ceph-return-erange-if-virtual-xattr-value-didn-t-fit.patch
+acpi-blacklist-fix-clang-warning-for-unused-dmi-tabl.patch
+scsi-zfcp-fix-gcc-compiler-warning-emitted-with-wmay.patch
+perf-version-fix-segfault-due-to-missing-opt_end.patch
+x86-kvm-avoid-constant-conversion-warning.patch
+acpi-fix-false-positive-wuninitialized-warning.patch
+be2net-signal-that-the-device-cannot-transmit-during.patch
+x86-apic-silence-wtype-limits-compiler-warnings.patch
+x86-math-emu-hide-clang-warnings-for-16-bit-overflow.patch
+mm-cma.c-fail-if-fixed-declaration-can-t-be-honored.patch
+lib-test_overflow.c-avoid-tainting-the-kernel-and-fi.patch
+lib-test_string.c-avoid-masking-memset16-32-64-failu.patch
+coda-add-error-handling-for-fget.patch
+coda-fix-build-using-bare-metal-toolchain.patch
+uapi-linux-coda_psdev.h-move-upc_req-definition-from.patch
+drivers-rapidio-devices-rio_mport_cdev.c-nul-termina.patch
+ipc-mqueue.c-only-perform-resource-calculation-if-us.patch
+mlxsw-spectrum_dcb-configure-dscp-map-as-the-last-ru.patch
+xen-pv-fix-a-boot-up-hang-revealed-by-int3-self-test.patch
+x86-kvm-don-t-call-kvm_spurious_fault-from-.fixup.patch
+x86-paravirt-fix-callee-saved-function-elf-sizes.patch
+x86-boot-remove-multiple-copy-of-static-function-san.patch
+drm-nouveau-fix-memory-leak-in-nouveau_conn_reset.patch
diff --git a/queue-4.19/uapi-linux-coda_psdev.h-move-upc_req-definition-from.patch b/queue-4.19/uapi-linux-coda_psdev.h-move-upc_req-definition-from.patch
new file mode 100644
index 00000000000..b36088994d8
--- /dev/null
+++ b/queue-4.19/uapi-linux-coda_psdev.h-move-upc_req-definition-from.patch
@@ -0,0 +1,106 @@
+From 615d6d2492dff4eea4f9d3c7a53f14ccbcbc66ae Mon Sep 17 00:00:00 2001
+From: Mikko Rapeli
+Date: Tue, 16 Jul 2019 16:28:10 -0700
+Subject: uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel
+ side headers
+
+[ Upstream commit f90fb3c7e2c13ae829db2274b88b845a75038b8a ]
+
+Only users of upc_req in kernel side fs/coda/psdev.c and
+fs/coda/upcall.c already include linux/coda_psdev.h.
+
+Suggested by Jan Harkes in
+ https://lore.kernel.org/lkml/20150531111913.GA23377@cs.cmu.edu/
+
+Fixes these include/uapi/linux/coda_psdev.h compilation errors in userspace:
+
+ linux/coda_psdev.h:12:19: error: field `uc_chain' has incomplete type
+ struct list_head uc_chain;
+ ^
+ linux/coda_psdev.h:13:2: error: unknown type name `caddr_t'
+ caddr_t uc_data;
+ ^
+ linux/coda_psdev.h:14:2: error: unknown type name `u_short'
+ u_short uc_flags;
+ ^
+ linux/coda_psdev.h:15:2: error: unknown type name `u_short'
+ u_short uc_inSize; /* Size is at most 5000 bytes */
+ ^
+ linux/coda_psdev.h:16:2: error: unknown type name `u_short'
+ u_short uc_outSize;
+ ^
+ linux/coda_psdev.h:17:2: error: unknown type name `u_short'
+ u_short uc_opcode; /* copied from data to save lookup */
+ ^
+ linux/coda_psdev.h:19:2: error: unknown type name `wait_queue_head_t'
+ wait_queue_head_t uc_sleep; /* process' wait queue */
+ ^
+
+Link: http://lkml.kernel.org/r/9f99f5ce6a0563d5266e6cf7aa9585aac2cae971.1558117389.git.jaharkes@cs.cmu.edu
+Signed-off-by: Mikko Rapeli
+Signed-off-by: Jan Harkes
+Cc: Arnd Bergmann
+Cc: Colin Ian King
+Cc: Dan Carpenter
+Cc: David Howells
+Cc: Fabian Frederick
+Cc: Sam Protsenko
+Cc: Yann Droneaud
+Cc: Zhouyang Jia
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ include/linux/coda_psdev.h | 11 +++++++++++
+ include/uapi/linux/coda_psdev.h | 13 -------------
+ 2 files changed, 11 insertions(+), 13 deletions(-)
+
+diff --git a/include/linux/coda_psdev.h b/include/linux/coda_psdev.h
+index 15170954aa2b3..57d2b2faf6a3e 100644
+--- a/include/linux/coda_psdev.h
++++ b/include/linux/coda_psdev.h
+@@ -19,6 +19,17 @@ struct venus_comm {
+ struct mutex vc_mutex;
+ };
+
++/* messages between coda filesystem in kernel and Venus */
++struct upc_req {
++ struct list_head uc_chain;
++ caddr_t uc_data;
++ u_short uc_flags;
++ u_short uc_inSize; /* Size is at most 5000 bytes */
++ u_short uc_outSize;
++ u_short uc_opcode; /* copied from data to save lookup */
++ int uc_unique;
++ wait_queue_head_t uc_sleep; /* process' wait queue */
++};
+
+ static inline struct venus_comm *coda_vcp(struct super_block *sb)
+ {
+diff --git a/include/uapi/linux/coda_psdev.h b/include/uapi/linux/coda_psdev.h
+index aa6623efd2dd0..d50d51a57fe4e 100644
+--- a/include/uapi/linux/coda_psdev.h
++++ b/include/uapi/linux/coda_psdev.h
+@@ -7,19 +7,6 @@
+ #define CODA_PSDEV_MAJOR 67
+ #define MAX_CODADEVS 5 /* how many do we allow */
+
+-
+-/* messages between coda filesystem in kernel and Venus */
+-struct upc_req {
+- struct list_head uc_chain;
+- caddr_t uc_data;
+- u_short uc_flags;
+- u_short uc_inSize; /* Size is at most 5000 bytes */
+- u_short uc_outSize;
+- u_short uc_opcode; /* copied from data to save lookup */
+- int uc_unique;
+- wait_queue_head_t uc_sleep; /* process' wait queue */
+-};
+-
+ #define CODA_REQ_ASYNC 0x1
+ #define CODA_REQ_READ 0x2
+ #define CODA_REQ_WRITE 0x4
+--
+2.20.1
+
diff --git a/queue-4.19/x86-apic-silence-wtype-limits-compiler-warnings.patch b/queue-4.19/x86-apic-silence-wtype-limits-compiler-warnings.patch
new file mode 100644
index 00000000000..fd9a0c22502
--- /dev/null
+++ b/queue-4.19/x86-apic-silence-wtype-limits-compiler-warnings.patch
@@ -0,0 +1,74 @@
+From 2c010f87ddf2ad650210ae1b245b6657208b1049 Mon Sep 17 00:00:00 2001
+From: Qian Cai
+Date: Mon, 8 Jul 2019 17:36:45 -0400
+Subject: x86/apic: Silence -Wtype-limits compiler warnings
+
+[ Upstream commit ec6335586953b0df32f83ef696002063090c7aef ]
+
+There are many compiler warnings like this,
+
+In file included from ./arch/x86/include/asm/smp.h:13,
+ from ./arch/x86/include/asm/mmzone_64.h:11,
+ from ./arch/x86/include/asm/mmzone.h:5,
+ from ./include/linux/mmzone.h:969,
+ from ./include/linux/gfp.h:6,
+ from ./include/linux/mm.h:10,
+ from arch/x86/kernel/apic/io_apic.c:34:
+arch/x86/kernel/apic/io_apic.c: In function 'check_timer':
+./arch/x86/include/asm/apic.h:37:11: warning: comparison of unsigned
+expression >= 0 is always true [-Wtype-limits]
+ if ((v) <= apic_verbosity) \
+ ^~
+arch/x86/kernel/apic/io_apic.c:2160:2: note: in expansion of macro
+'apic_printk'
+ apic_printk(APIC_QUIET, KERN_INFO "..TIMER: vector=0x%02X "
+ ^~~~~~~~~~~
+./arch/x86/include/asm/apic.h:37:11: warning: comparison of unsigned
+expression >= 0 is always true [-Wtype-limits]
+ if ((v) <= apic_verbosity) \
+ ^~
+arch/x86/kernel/apic/io_apic.c:2207:4: note: in expansion of macro
+'apic_printk'
+ apic_printk(APIC_QUIET, KERN_ERR "..MP-BIOS bug: "
+ ^~~~~~~~~~~
+
+APIC_QUIET is 0, so silence them by making apic_verbosity type int.
+
+Signed-off-by: Qian Cai
+Signed-off-by: Thomas Gleixner
+Link: https://lkml.kernel.org/r/1562621805-24789-1-git-send-email-cai@lca.pw
+Signed-off-by: Sasha Levin
+---
+ arch/x86/include/asm/apic.h | 2 +-
+ arch/x86/kernel/apic/apic.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h
+index 130e81e10fc7c..050368db9d357 100644
+--- a/arch/x86/include/asm/apic.h
++++ b/arch/x86/include/asm/apic.h
+@@ -48,7 +48,7 @@ static inline void generic_apic_probe(void)
+
+ #ifdef CONFIG_X86_LOCAL_APIC
+
+-extern unsigned int apic_verbosity;
++extern int apic_verbosity;
+ extern int local_apic_timer_c2_ok;
+
+ extern int disable_apic;
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index 02020f2e00809..272a12865b2aa 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -181,7 +181,7 @@ EXPORT_SYMBOL_GPL(local_apic_timer_c2_ok);
+ /*
+ * Debug level, exported for io_apic.c
+ */
+-unsigned int apic_verbosity;
++int apic_verbosity;
+
+ int pic_mode;
+
+--
+2.20.1
+
diff --git a/queue-4.19/x86-boot-remove-multiple-copy-of-static-function-san.patch b/queue-4.19/x86-boot-remove-multiple-copy-of-static-function-san.patch
new file mode 100644
index 00000000000..d145f9fe110
--- /dev/null
+++ b/queue-4.19/x86-boot-remove-multiple-copy-of-static-function-san.patch
@@ -0,0 +1,59 @@
+From 292ea7c8e297b66a7d2a634c2945819bed1cf4c8 Mon Sep 17 00:00:00 2001
+From: Zhenzhong Duan
+Date: Tue, 16 Jul 2019 21:18:12 +0800
+Subject: x86, boot: Remove multiple copy of static function
+ sanitize_boot_params()
+
+[ Upstream commit 8c5477e8046ca139bac250386c08453da37ec1ae ]
+
+Kernel build warns:
+ 'sanitize_boot_params' defined but not used [-Wunused-function]
+
+at below files:
+ arch/x86/boot/compressed/cmdline.c
+ arch/x86/boot/compressed/error.c
+ arch/x86/boot/compressed/early_serial_console.c
+ arch/x86/boot/compressed/acpi.c
+
+That's becausethey each include misc.h which includes a definition of
+sanitize_boot_params() via bootparam_utils.h.
+
+Remove the inclusion from misc.h and have the c file including
+bootparam_utils.h directly.
+
+Signed-off-by: Zhenzhong Duan
+Signed-off-by: Thomas Gleixner
+Link: https://lkml.kernel.org/r/1563283092-1189-1-git-send-email-zhenzhong.duan@oracle.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/boot/compressed/misc.c | 1 +
+ arch/x86/boot/compressed/misc.h | 1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
+index 8dd1d5ccae580..0387d7a96c842 100644
+--- a/arch/x86/boot/compressed/misc.c
++++ b/arch/x86/boot/compressed/misc.c
+@@ -17,6 +17,7 @@
+ #include "pgtable.h"
+ #include "../string.h"
+ #include "../voffset.h"
++#include
+
+ /*
+ * WARNING!!
+diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/misc.h
+index a423bdb426862..47fd18db6b3bf 100644
+--- a/arch/x86/boot/compressed/misc.h
++++ b/arch/x86/boot/compressed/misc.h
+@@ -22,7 +22,6 @@
+ #include
+ #include
+ #include
+-#include
+
+ #define BOOT_BOOT_H
+ #include "../ctype.h"
+--
+2.20.1
+
diff --git a/queue-4.19/x86-kvm-avoid-constant-conversion-warning.patch b/queue-4.19/x86-kvm-avoid-constant-conversion-warning.patch
new file mode 100644
index 00000000000..d5a31142bdd
--- /dev/null
+++ b/queue-4.19/x86-kvm-avoid-constant-conversion-warning.patch 
@@ -0,0 +1,53 @@
+From 017206a418313f4cf4b9edfb195b1fdda4e57520 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Fri, 12 Jul 2019 11:12:30 +0200
+Subject: x86: kvm: avoid constant-conversion warning
+
+[ Upstream commit a6a6d3b1f867d34ba5bd61aa7bb056b48ca67cff ]
+
+clang finds a contruct suspicious that converts an unsigned
+character to a signed integer and back, causing an overflow:
+
+arch/x86/kvm/mmu.c:4605:39: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -205 to 51 [-Werror,-Wconstant-conversion]
+ u8 wf = (pfec & PFERR_WRITE_MASK) ? ~w : 0;
+ ~~ ^~
+arch/x86/kvm/mmu.c:4607:38: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -241 to 15 [-Werror,-Wconstant-conversion]
+ u8 uf = (pfec & PFERR_USER_MASK) ? ~u : 0;
+ ~~ ^~
+arch/x86/kvm/mmu.c:4609:39: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -171 to 85 [-Werror,-Wconstant-conversion]
+ u8 ff = (pfec & PFERR_FETCH_MASK) ? ~x : 0;
+ ~~ ^~
+
+Add an explicit cast to tell clang that everything works as
+intended here.
+
+Signed-off-by: Arnd Bergmann
+Link: https://github.com/ClangBuiltLinux/linux/issues/95
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/mmu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
+index e0f982e35c96b..cdc0c460950f3 100644
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -4532,11 +4532,11 @@ static void update_permission_bitmask(struct kvm_vcpu *vcpu,
+ */
+
+ /* Faults from writes to non-writable pages */
+- u8 wf = (pfec & PFERR_WRITE_MASK) ? ~w : 0;
++ u8 wf = (pfec & PFERR_WRITE_MASK) ? (u8)~w : 0;
+ /* Faults from user mode accesses to supervisor pages */
+- u8 uf = (pfec & PFERR_USER_MASK) ? ~u : 0;
++ u8 uf = (pfec & PFERR_USER_MASK) ? (u8)~u : 0;
+ /* Faults from fetches of non-executable pages*/
+- u8 ff = (pfec & PFERR_FETCH_MASK) ? ~x : 0;
++ u8 ff = (pfec & PFERR_FETCH_MASK) ? (u8)~x : 0;
+ /* Faults from kernel mode fetches of user pages */
+ u8 smepf = 0;
+ /* Faults from kernel mode accesses of user pages */
+--
+2.20.1
+
diff --git a/queue-4.19/x86-kvm-don-t-call-kvm_spurious_fault-from-.fixup.patch b/queue-4.19/x86-kvm-don-t-call-kvm_spurious_fault-from-.fixup.patch
new file mode 100644
index 00000000000..a581af79745
--- /dev/null
+++ b/queue-4.19/x86-kvm-don-t-call-kvm_spurious_fault-from-.fixup.patch
@@ -0,0 +1,122 @@
+From f5f97fb992fbb37b4edee66c13b3350836053e1a Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf
+Date: Wed, 17 Jul 2019 20:36:39 -0500
+Subject: x86/kvm: Don't call kvm_spurious_fault() from .fixup
+
+[ Upstream commit 3901336ed9887b075531bffaeef7742ba614058b ]
+
+After making a change to improve objtool's sibling call detection, it
+started showing the following warning:
+
+ arch/x86/kvm/vmx/nested.o: warning: objtool: .fixup+0x15: sibling call from callable instruction with modified stack frame
+
+The problem is the ____kvm_handle_fault_on_reboot() macro. It does a
+fake call by pushing a fake RIP and doing a jump. That tricks the
+unwinder into printing the function which triggered the exception,
+rather than the .fixup code.
+
+Instead of the hack to make it look like the original function made the
+call, just change the macro so that the original function actually does
+make the call. This allows removal of the hack, and also makes objtool
+happy.
+
+I triggered a vmx instruction exception and verified that the stack
+trace is still sane:
+
+ kernel BUG at arch/x86/kvm/x86.c:358!
+ invalid opcode: 0000 [#1] SMP PTI
+ CPU: 28 PID: 4096 Comm: qemu-kvm Not tainted 5.2.0+ #16
+ Hardware name: Lenovo THINKSYSTEM SD530 -[7X2106Z000]-/-[7X2106Z000]-, BIOS -[TEE113Z-1.00]- 07/17/2017
+ RIP: 0010:kvm_spurious_fault+0x5/0x10
+ Code: 00 00 00 00 00 8b 44 24 10 89 d2 45 89 c9 48 89 44 24 10 8b 44 24 08 48 89 44 24 08 e9 d4 40 22 00 0f 1f 40 00 0f 1f 44 00 00 <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 55 49 89 fd 41
+ RSP: 0018:ffffbf91c683bd00 EFLAGS: 00010246
+ RAX: 000061f040000000 RBX: ffff9e159c77bba0 RCX: ffff9e15a5c87000
+ RDX: 0000000665c87000 RSI: ffff9e15a5c87000 RDI: ffff9e159c77bba0
+ RBP: 0000000000000000 R08: 0000000000000000 R09: ffff9e15a5c87000
+ R10: 0000000000000000 R11: fffff8f2d99721c0 R12: ffff9e159c77bba0
+ R13: ffffbf91c671d960 R14: ffff9e159c778000 R15: 0000000000000000
+ FS: 00007fa341cbe700(0000) GS:ffff9e15b7400000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fdd38356804 CR3: 00000006759de003 CR4: 00000000007606e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ loaded_vmcs_init+0x4f/0xe0
+ alloc_loaded_vmcs+0x38/0xd0
+ vmx_create_vcpu+0xf7/0x600
+ kvm_vm_ioctl+0x5e9/0x980
+ ? __switch_to_asm+0x40/0x70
+ ? __switch_to_asm+0x34/0x70
+ ? __switch_to_asm+0x40/0x70
+ ? __switch_to_asm+0x34/0x70
+ ? free_one_page+0x13f/0x4e0
+ do_vfs_ioctl+0xa4/0x630
+ ksys_ioctl+0x60/0x90
+ __x64_sys_ioctl+0x16/0x20
+ do_syscall_64+0x55/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ RIP: 0033:0x7fa349b1ee5b
+
+Signed-off-by: Josh Poimboeuf
+Signed-off-by: Thomas Gleixner
+Acked-by: Paolo Bonzini
+Acked-by: Peter Zijlstra (Intel)
+Link: https://lkml.kernel.org/r/64a9b64d127e87b6920a97afde8e96ea76f6524e.1563413318.git.jpoimboe@redhat.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/include/asm/kvm_host.h | 34 ++++++++++++++++++---------------
+ 1 file changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index 7014dba23d20c..2877e1fbadd86 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1427,25 +1427,29 @@ enum {
+ #define kvm_arch_vcpu_memslots_id(vcpu) ((vcpu)->arch.hflags & HF_SMM_MASK ? 1 : 0)
+ #define kvm_memslots_for_spte_role(kvm, role) __kvm_memslots(kvm, (role).smm)
+
++asmlinkage void __noreturn kvm_spurious_fault(void);
++
+ /*
+ * Hardware virtualization extension instructions may fault if a
+ * reboot turns off virtualization while processes are running.
+- * Trap the fault and ignore the instruction if that happens.
++ * Usually after catching the fault we just panic; during reboot
++ * instead the instruction is ignored.
+ */
+-asmlinkage void kvm_spurious_fault(void);
+-
+-#define ____kvm_handle_fault_on_reboot(insn, cleanup_insn) \
+- "666: " insn "\n\t" \
+- "668: \n\t" \
+- ".pushsection .fixup, \"ax\" \n" \
+- "667: \n\t" \
+- cleanup_insn "\n\t" \
+- "cmpb $0, kvm_rebooting \n\t" \
+- "jne 668b \n\t" \
+- __ASM_SIZE(push) " $666b \n\t" \
+- "jmp kvm_spurious_fault \n\t" \
+- ".popsection \n\t" \
+- _ASM_EXTABLE(666b, 667b)
++#define ____kvm_handle_fault_on_reboot(insn, cleanup_insn) \
++ "666: \n\t" \
++ insn "\n\t" \
++ "jmp 668f \n\t" \
++ "667: \n\t" \
++ "call kvm_spurious_fault \n\t" \
++ "668: \n\t" \
++ ".pushsection .fixup, \"ax\" \n\t" \
++ "700: \n\t" \
++ cleanup_insn "\n\t" \
++ "cmpb $0, kvm_rebooting\n\t" \
++ "je 667b \n\t" \
++ "jmp 668b \n\t" \
++ ".popsection \n\t" \
++ _ASM_EXTABLE(666b, 700b)
+
+ #define __kvm_handle_fault_on_reboot(insn) \
+ ____kvm_handle_fault_on_reboot(insn, "")
+--
+2.20.1
+
diff --git a/queue-4.19/x86-math-emu-hide-clang-warnings-for-16-bit-overflow.patch b/queue-4.19/x86-math-emu-hide-clang-warnings-for-16-bit-overflow.patch
new file mode 100644
index 00000000000..b34bdd0842b
--- /dev/null
+++ b/queue-4.19/x86-math-emu-hide-clang-warnings-for-16-bit-overflow.patch
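Review bot: The rewritten `____kvm_handle_fault_on_reboot()` in kvm_host.h now places `jmp 668f` and `call kvm_spurious_fault` inline after every wrapped instruction, so the non-faulting path executes an extra jump, and the four numeric labels (666, 667, 668, 700) carry the whole control flow with no explanation. A short comment above the macro would help, for example `/* 666: insn, 667: fatal path, 668: resume, 700: fixup entry reached via the exception table */`. The `call` at 667 is immediately followed by label 668, so if the callee ever returned, execution would continue as though the fault had been ignored. Correctness therefore relies on the new `__noreturn` on the declaration matching the definition, which is outside this hunk and should be confirmed for the 4.19 tree.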
@@ -0,0 +1,69 @@
+From f19b95fa44ae1aa10e184c51539be9937a520038 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Fri, 12 Jul 2019 11:08:05 +0200
+Subject: x86: math-emu: Hide clang warnings for 16-bit overflow
+
+[ Upstream commit 29e7e9664aec17b94a9c8c5a75f8d216a206aa3a ]
+
+clang warns about a few parts of the math-emu implementation
+where a 16-bit integer becomes negative during assignment:
+
+arch/x86/math-emu/poly_tan.c:88:35: error: implicit conversion from 'int' to 'short' changes value from 49216 to -16320 [-Werror,-Wconstant-conversion]
+ (0x41 + EXTENDED_Ebias) | SIGN_Negative);
+ ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~
+arch/x86/math-emu/fpu_emu.h:180:58: note: expanded from macro 'setexponent16'
+ #define setexponent16(x,y) { (*(short *)&((x)->exp)) = (y); }
+ ~ ^
+arch/x86/math-emu/reg_constant.c:37:32: error: implicit conversion from 'int' to 'short' changes value from 49085 to -16451 [-Werror,-Wconstant-conversion]
+FPU_REG const CONST_PI2extra = MAKE_REG(NEG, -66,
+ ^~~~~~~~~~~~~~~~~~
+arch/x86/math-emu/reg_constant.c:21:25: note: expanded from macro 'MAKE_REG'
+ ((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) }
+ ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~
+arch/x86/math-emu/reg_constant.c:48:28: error: implicit conversion from 'int' to 'short' changes value from 65535 to -1 [-Werror,-Wconstant-conversion]
+FPU_REG const CONST_QNaN = MAKE_REG(NEG, EXP_OVER, 0x00000000, 0xC0000000);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+arch/x86/math-emu/reg_constant.c:21:25: note: expanded from macro 'MAKE_REG'
+ ((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) }
+ ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The code is correct as is, so add a typecast to shut up the warnings.
+
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Thomas Gleixner
+Link: https://lkml.kernel.org/r/20190712090816.350668-1-arnd@arndb.de
+Signed-off-by: Sasha Levin
+---
+ arch/x86/math-emu/fpu_emu.h | 2 +-
+ arch/x86/math-emu/reg_constant.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/math-emu/fpu_emu.h b/arch/x86/math-emu/fpu_emu.h
+index a5a41ec580721..0c122226ca56f 100644
+--- a/arch/x86/math-emu/fpu_emu.h
++++ b/arch/x86/math-emu/fpu_emu.h
+@@ -177,7 +177,7 @@ static inline void reg_copy(FPU_REG const *x, FPU_REG *y)
+ #define setexponentpos(x,y) { (*(short *)&((x)->exp)) = \
+ ((y) + EXTENDED_Ebias) & 0x7fff; }
+ #define exponent16(x) (*(short *)&((x)->exp))
+-#define setexponent16(x,y) { (*(short *)&((x)->exp)) = (y); }
++#define setexponent16(x,y) { (*(short *)&((x)->exp)) = (u16)(y); }
+ #define addexponent(x,y) { (*(short *)&((x)->exp)) += (y); }
+ #define stdexp(x) { (*(short *)&((x)->exp)) += EXTENDED_Ebias; }
+
+diff --git a/arch/x86/math-emu/reg_constant.c b/arch/x86/math-emu/reg_constant.c
+index 8dc9095bab224..742619e94bdf2 100644
+--- a/arch/x86/math-emu/reg_constant.c
++++ b/arch/x86/math-emu/reg_constant.c
+@@ -18,7 +18,7 @@
+ #include "control_w.h"
+
+ #define MAKE_REG(s, e, l, h) { l, h, \
+- ((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) }
++ (u16)((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) }
+
+ FPU_REG const CONST_1 = MAKE_REG(POS, 0, 0x00000000, 0x80000000);
+ #if 0
+--
+2.20.1
+
diff --git a/queue-4.19/x86-paravirt-fix-callee-saved-function-elf-sizes.patch b/queue-4.19/x86-paravirt-fix-callee-saved-function-elf-sizes.patch
new file mode 100644
index 00000000000..b838d6eab36
--- /dev/null
+++ b/queue-4.19/x86-paravirt-fix-callee-saved-function-elf-sizes.patch
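Review bot: The `(u16)` cast added to `setexponent16()` in fpu_emu.h does not match the `short` lvalue it is stored through (`*(short *)&((x)->exp)`), so a value above 0x7fff still goes through an unsigned-to-signed conversion on assignment. The cast only silences the diagnostic. The commit message says the wrap is intended, so a one-line comment next to the macro would keep a later reader from "correcting" it, for example `/* truncation to 16 bits is intentional: bit 15 carries the sign */`. The same applies to the `(u16)` in `MAKE_REG` in reg_constant.c, where the type of the initialised field is not visible in the hunk.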
@@ -0,0 +1,55 @@
+From 491a1d148d4595105f9a95a657ab1c64e01764d5 Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf
+Date: Wed, 17 Jul 2019 20:36:36 -0500
+Subject: x86/paravirt: Fix callee-saved function ELF sizes
+
+[ Upstream commit 083db6764821996526970e42d09c1ab2f4155dd4 ]
+
+The __raw_callee_save_*() functions have an ELF symbol size of zero,
+which confuses objtool and other tools.
+
+Fixes a bunch of warnings like the following:
+
+ arch/x86/xen/mmu_pv.o: warning: objtool: __raw_callee_save_xen_pte_val() is missing an ELF size annotation
+ arch/x86/xen/mmu_pv.o: warning: objtool: __raw_callee_save_xen_pgd_val() is missing an ELF size annotation
+ arch/x86/xen/mmu_pv.o: warning: objtool: __raw_callee_save_xen_make_pte() is missing an ELF size annotation
+ arch/x86/xen/mmu_pv.o: warning: objtool: __raw_callee_save_xen_make_pgd() is missing an ELF size annotation
+
+Signed-off-by: Josh Poimboeuf
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Juergen Gross
+Acked-by: Peter Zijlstra (Intel)
+Link: https://lkml.kernel.org/r/afa6d49bb07497ca62e4fc3b27a2d0cece545b4e.1563413318.git.jpoimboe@redhat.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/include/asm/paravirt.h | 1 +
+ arch/x86/kernel/kvm.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h
+index e375d4266b53e..a04677038872c 100644
+--- a/arch/x86/include/asm/paravirt.h
++++ b/arch/x86/include/asm/paravirt.h
+@@ -768,6 +768,7 @@ static __always_inline bool pv_vcpu_is_preempted(long cpu)
+ PV_RESTORE_ALL_CALLER_REGS \
+ FRAME_END \
+ "ret;" \
++ ".size " PV_THUNK_NAME(func) ", .-" PV_THUNK_NAME(func) ";" \
+ ".popsection")
+
+ /* Get a reference to a callee-save function */
+diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c
+index 7f89d609095ac..cee45d46e67dc 100644
+--- a/arch/x86/kernel/kvm.c
++++ b/arch/x86/kernel/kvm.c
+@@ -830,6 +830,7 @@ asm(
+ "cmpb $0, " __stringify(KVM_STEAL_TIME_preempted) "+steal_time(%rax);"
+ "setne %al;"
+ "ret;"
++".size __raw_callee_save___kvm_vcpu_is_preempted, .-__raw_callee_save___kvm_vcpu_is_preempted;"
+ ".popsection");
+
+ #endif
+--
+2.20.1
+
diff --git a/queue-4.19/xen-pv-fix-a-boot-up-hang-revealed-by-int3-self-test.patch b/queue-4.19/xen-pv-fix-a-boot-up-hang-revealed-by-int3-self-test.patch
new file mode 100644
index 00000000000..deb122e7f7e
--- /dev/null
+++ b/queue-4.19/xen-pv-fix-a-boot-up-hang-revealed-by-int3-self-test.patch
@@ -0,0 +1,117 @@
+From 1440c591cc271f01dc9a57b07556eb083636e095 Mon Sep 17 00:00:00 2001
+From: Zhenzhong Duan
+Date: Sun, 14 Jul 2019 17:15:32 +0800
+Subject: xen/pv: Fix a boot up hang revealed by int3 self test
+
+[ Upstream commit b23e5844dfe78a80ba672793187d3f52e4b528d7 ]
+
+Commit 7457c0da024b ("x86/alternatives: Add int3_emulate_call()
+selftest") is used to ensure there is a gap setup in int3 exception stack
+which could be used for inserting call return address.
+
+This gap is missed in XEN PV int3 exception entry path, then below panic
+triggered:
+
+[ 0.772876] general protection fault: 0000 [#1] SMP NOPTI
+[ 0.772886] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.2.0+ #11
+[ 0.772893] RIP: e030:int3_magic+0x0/0x7
+[ 0.772905] RSP: 3507:ffffffff82203e98 EFLAGS: 00000246
+[ 0.773334] Call Trace:
+[ 0.773334] alternative_instructions+0x3d/0x12e
+[ 0.773334] check_bugs+0x7c9/0x887
+[ 0.773334] ? __get_locked_pte+0x178/0x1f0
+[ 0.773334] start_kernel+0x4ff/0x535
+[ 0.773334] ? set_init_arg+0x55/0x55
+[ 0.773334] xen_start_kernel+0x571/0x57a
+
+For 64bit PV guests, Xen's ABI enters the kernel with using SYSRET, with
+%rcx/%r11 on the stack. To convert back to "normal" looking exceptions,
+the xen thunks do 'xen_*: pop %rcx; pop %r11; jmp *'.
+
+E.g. Extracting 'xen_pv_trap xenint3' we have:
+xen_xenint3:
+ pop %rcx;
+ pop %r11;
+ jmp xenint3
+
+As xenint3 and int3 entry code are same except xenint3 doesn't generate
+a gap, we can fix it by using int3 and drop useless xenint3.
+
+Signed-off-by: Zhenzhong Duan
+Reviewed-by: Juergen Gross
+Cc: Boris Ostrovsky
+Cc: Juergen Gross
+Cc: Stefano Stabellini
+Cc: Andy Lutomirski
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: Ingo Molnar
+Cc: Borislav Petkov
+Cc: Andrew Cooper
+Signed-off-by: Juergen Gross
+Signed-off-by: Sasha Levin
+---
+ arch/x86/entry/entry_64.S | 1 -
+ arch/x86/include/asm/traps.h | 2 +-
+ arch/x86/xen/enlighten_pv.c | 2 +-
+ arch/x86/xen/xen-asm_64.S | 1 -
+ 4 files changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
+index 206df099950ea..e7572a209fbe7 100644
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -1196,7 +1196,6 @@ idtentry stack_segment do_stack_segment has_error_code=1
+ #ifdef CONFIG_XEN
+ idtentry xennmi do_nmi has_error_code=0
+ idtentry xendebug do_debug has_error_code=0
+-idtentry xenint3 do_int3 has_error_code=0
+ #endif
+
+ idtentry general_protection do_general_protection has_error_code=1
+diff --git a/arch/x86/include/asm/traps.h b/arch/x86/include/asm/traps.h
+index afbc87206886e..b771bb3d159bc 100644
+--- a/arch/x86/include/asm/traps.h
++++ b/arch/x86/include/asm/traps.h
+@@ -40,7 +40,7 @@ asmlinkage void simd_coprocessor_error(void);
+ asmlinkage void xen_divide_error(void);
+ asmlinkage void xen_xennmi(void);
+ asmlinkage void xen_xendebug(void);
+-asmlinkage void xen_xenint3(void);
++asmlinkage void xen_int3(void);
+ asmlinkage void xen_overflow(void);
+ asmlinkage void xen_bounds(void);
+ asmlinkage void xen_invalid_op(void);
+diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
+index 782f98b332f05..1730a26ff6abc 100644
+--- a/arch/x86/xen/enlighten_pv.c
++++ b/arch/x86/xen/enlighten_pv.c
+@@ -597,12 +597,12 @@ struct trap_array_entry {
+
+ static struct trap_array_entry trap_array[] = {
+ { debug, xen_xendebug, true },
+- { int3, xen_xenint3, true },
+ { double_fault, xen_double_fault, true },
+ #ifdef CONFIG_X86_MCE
+ { machine_check, xen_machine_check, true },
+ #endif
+ { nmi, xen_xennmi, true },
++ { int3, xen_int3, false },
+ { overflow, xen_overflow, false },
+ #ifdef CONFIG_IA32_EMULATION
+ { entry_INT80_compat, xen_entry_INT80_compat, false },
+diff --git a/arch/x86/xen/xen-asm_64.S b/arch/x86/xen/xen-asm_64.S
+index 417b339e5c8e1..3a6feed76dfc1 100644
+--- a/arch/x86/xen/xen-asm_64.S
++++ b/arch/x86/xen/xen-asm_64.S
+@@ -30,7 +30,6 @@ xen_pv_trap divide_error
+ xen_pv_trap debug
+ xen_pv_trap xendebug
+ xen_pv_trap int3
+-xen_pv_trap xenint3
+ xen_pv_trap xennmi
+ xen_pv_trap overflow
+ xen_pv_trap bounds
+--
+2.20.1
+
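Review bot: The `trap_array` change in enlighten_pv.c does more than swap the handler name: the `int3` entry moves below `nmi` and its third field flips from `true` to `false`, and the commit message explains neither. The definition of `struct trap_array_entry` starts outside the hunk, so what that flag controls cannot be confirmed from here. If it marks entries expected to run on an IST stack (presumably), the changelog should state that int3 does not use one in this tree, since a wrong value on an exception entry path is exactly the kind of mismatch that caused the original hang. The `xen_int3` symbol itself appears to come from the existing `xen_pv_trap int3` context line in xen-asm_64.S, so only the flag needs justifying.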